Robust Authenticated-Encryption AEZ and the Problem That It Solves

  • Viet Tung HoangEmail author
  • Ted Krovetz
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)


With a scheme for robust authenticated-encryption a user can select an arbitrary value \(\lambda \!\ge 0\) and then encrypt a plaintext of any length into a ciphertext that’s \(\lambda \) characters longer. The scheme must provide all the privacy and authenticity possible for the requested \(\lambda \). We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing rounds for blockcipher calls).


AEZ Authenticated encryption CAESAR competition Misuse resistance Modes of operation Nonce reuse Prove-then-prune Robust AE 


  1. 1.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. Cryptology ePrint report 2014/144, February 25, 2014Google Scholar
  2. 2.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: Online ciphers and the hash-CBC construction. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 292–309. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: On the construction of variable-input-length ciphers. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 231–244. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Rogaway, P., Spies, T.: The FFX mode of operation for format-preserving encryption. Draft 1.1. Submission to NIST, February 20, 2010Google Scholar
  7. 7.
    Bernstein, D.: Cryptographic competitions: CAESAR call for submissions, final, January 27, 2014.
  8. 8.
    Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  9. 9.
    Black, J.A., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  10. 10.
    Boldyreva, A., Degabriele, J., Paterson, K., Stam, M.: On symmetric encryption with distinguishable decryption failures. Cryptology ePrint Report 2013/433 (2013)Google Scholar
  11. 11.
    Chakraborty, D., Nandi, M.: An improved security bound for HCTR. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 289–302. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  12. 12.
    Chakraborty, D., Sarkar, P.: HCH: A new tweakable enciphering scheme using the hash-encrypt-hash approach. IEEE Transactions on Information Theory 54(4), 1683–1699 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    Chakraborty, D., Sarkar, P.: A new mode of encryption providing a tweakable strong pseudo-random permutation. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 293–309. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  14. 14.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, Heidelberg (2002) CrossRefGoogle Scholar
  15. 15.
    Daemen, J., Rijmen, V.: A new MAC construction ALRED and a specific instance ALPHA-MAC. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 1–17. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  16. 16.
    Daemen, J., Rijmen, V.: The Pelican MAC function. Cryptology ePrint report 2005/088 (2005)Google Scholar
  17. 17.
    Dworkin, M.: Recommendation for block cipher modes of operation: methods for format-preserving encryption. NIST Special Publication 800–38G: Draft, July 2013Google Scholar
  18. 18.
    Ferguson, N.: Authentication weaknesses in GCM. Manuscript, May 20, 2005Google Scholar
  19. 19.
    Fisher, R., Yates, F.: Statistical tables for biological, agricultural and medical research. Oliver & Boyd, London (1938)zbMATHGoogle Scholar
  20. 20.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  21. 21.
    Fouque, P., Joux, A., Martinet, G., Valette, F.: Authenticated on-line encryption. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 145–159. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  22. 22.
    Halevi, S.: EME*: extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  23. 23.
    Halevi, S.: Invertible universal hashing and the TET encryption mode. Cryptology ePrint report 2007/014Google Scholar
  24. 24.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  25. 25.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  26. 26.
    Hoang, V.T., Krovetz, T., Rogaway, P.: AEZ v3: authenticated encryption by enciphering. CAESAR submission (2014)Google Scholar
  27. 27.
    Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  28. 28.
    Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption: AEZ and the problem that it solves. Cryptology ePrint report 2014/793, January 2015 (Full version of this paper)Google Scholar
  29. 29.
    IEEE. 1619.2-2010 - IEEE standard for wide-block encryption for shared storage media. IEEE press (2010)Google Scholar
  30. 30.
    Kaliski Jr., B.S., Rivest, R.L., Sherman, A.T.: Is DES a Pure Cipher? (Results of more cycling experiments on DES). In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 212–226. Springer, Heidelberg (1986) Google Scholar
  31. 31.
    Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for two-round Advanced Encryption Standard. IET Information Security 1(2), 53–57 (2007)CrossRefGoogle Scholar
  32. 32.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  33. 33.
    Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  34. 34.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  35. 35.
    McGrew, D.A., Fluhrer, S.R.: The security of the extended codebook (XCB) mode of operation. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 311–327. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  36. 36.
    Minematsu, K.: Parallelizable rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  37. 37.
    Minematsu, K., Tsunoo, Y.: Provably secure MACs from differentially-uniform permutations and AES-based implementations. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 226–241. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  38. 38.
    Nandi, M.: Improving upon HCTR and matching attacks for Hash-Counter-Hash approach. Cryptology ePrint report 2008/090, February 28, 2008Google Scholar
  39. 39.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12(1), 29–66 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  40. 40.
    Naor, M., Reingold, O.: The NR mode of operation. Undated manuscript realizing the mechanism of [39]Google Scholar
  41. 41.
    Patarin, J.: Generic attacks on feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  42. 42.
    Patel, S., Ramzan, Z., Sundaram, G.S.: Efficient constructions of variable-input-length block ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 326–340. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  43. 43.
    Patarin, J.: Security of balanced and unbalanced Feistel schemes with linear non equalities. Cryptology ePrint report 2010/293, May 2010Google Scholar
  44. 44.
    Patarin, J.: Security of random feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  45. 45.
    Patarin, J., Gittins, B., Treger, J.: Increasing block sizes using feistel networks: the example of the AES. In: Naccache, D. (ed.) Cryphtography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 67–82. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  46. 46.
    Percival, C.: Stronger key derivation via sequential memory-hard functions. The BSD Conference (BSDCan), May 2009Google Scholar
  47. 47.
    Reyhanitabar, R., Vizár, D.: Careful with misuse resistance of online AEAD. Unpublished manuscript distributed on the crypto-competitions mailing list. August 24, 2014Google Scholar
  48. 48.
    Rogaway, P.: Authenticated-encryption with associated-data. In: ACM CCS 2002, pp. 98–107. ACM Press (2002)Google Scholar
  49. 49.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  50. 50.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: ACM CCS, pp. 196–205 (2001)Google Scholar
  51. 51.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  52. 52.
    Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. Cryptology ePrint report 2008/004Google Scholar
  53. 53.
    Sarkar, P.: Improving upon the TET mode of operation. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 180–192. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  54. 54.
    Sarkar, P.: Tweakable enciphering schemes using only the encryption function of a block cipher. Cryptology ePrint report 2009/216Google Scholar
  55. 55.
    Schroeppel, R.: Hasty Pudding Cipher Specification. AES candidate submitted to NIST, June 1998. (revised May 1999)
  56. 56.
    Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  57. 57.
    Simplício, M., Barbuda, P., Barreto, P., Carvalho, T., Margi, C.: The MARVIN message authentication code and the LETTERSOUP authenticated encryption scheme. Security and Communications Networks 2(2), 165–180 (2009)CrossRefGoogle Scholar
  58. 58.
    Struik, R.: AEAD ciphers for highly constrained networks. DIAC 2013 presentation, August 13, 2013Google Scholar
  59. 59.
    Wang, P., Feng, D., Lin, C., Wu, W.: Security of truncated MACs. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 96–114. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  60. 60.
    Wang, P., Feng, D., Wu, W.: HCTR: a variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  61. 61.
    Yao, F., Yin, Y.L.: Design and analysis of password-based key derivation functions. IEEE Trans. on Information Theory 51(9), 3292–3297 (2005)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Viet Tung Hoang
    • 1
    • 2
    Email author
  • Ted Krovetz
    • 3
  • Phillip Rogaway
    • 4
  1. 1.Department of Computer ScienceUniversity of MarylandCollege ParkUSA
  2. 2.Department of Computer ScienceGeorgetown UniversityWashington DCUSA
  3. 3.Department of Computer ScienceCalifornia State UniversitySacramentoUSA
  4. 4.Department of Computer ScienceUniversity of CaliforniaDavisUSA

Personalised recommendations