Abstract
Authenticated encryption (AE) is a symmetric-key encryption function that provides confidentiality and authenticity of a message. One of the evaluation criteria for AE is state size, the amount of memory needed for encryption. State size is especially important when a cryptosystem is implemented on constrained devices, while trivially reducing it by using a small primitive is generally not acceptable, as it leads to degraded security.
Recently, the state size of AE has been very actively studied and a number of small-state AE schemes have been proposed, but they are inherently serial. It is a natural question whether we can come up with a parallelizable AE with a smaller state size than the state of the art.
In this paper, we study the seminal OCB mode for parallelizable AE and propose a method to reduce its state size without losing its bit security. More precisely, while (the smallest-state variant of) OCB has a 3n-bit state, by carefully treating a halved checksum we can achieve a 2.5n-bit state while keeping the n/2-bit security of the original. We also propose an inverse-free variant based on OTR. While the original OTR has a 4n-bit state, ours has a 3.5n-bit state. To our knowledge these numbers are the smallest achieved by blockcipher modes for parallel AE and inverse-free parallel AE.
References
Krovetz, T., Rogaway, P.: The OCB Authenticated-Encryption Algorithm. IRTF RFC 7253 (2014)
NIST Lightweight Cryptography Standardization (2019). https://csrc.nist.gov/Projects/Lightweight-Cryptography
Andreeva, E., et al.: COLM v1. Submission to CAESAR competition (2015)
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_6
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_22
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: AES-COPA vol 2. Submission to CAESAR competition (2015)
Aoki, K., Yasuda, K.: The security of the OCB mode of operation without the SPRP assumption. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 202–220. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41227-1_12
Ashur, T., Dunkelman, O., Luykx, A.: Boosting authenticated encryption robustness with minimal modifications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 3–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_1
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: FOCS, pp. 394–403. IEEE Computer Society (1997)
Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. Cryptology ePrint Archive, Report 2004/309 (2004). https://eprint.iacr.org/2004/309
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
Benadjila, R., Guo, J., Lomné, V., Peyrin, T.: Implementing lightweight block ciphers on x86 architectures. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 324–351. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_17
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19
Bhaumik, R., Nandi, M.: Improved security for OCB3. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 638–666. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_22
Bost, R., Sanders, O.: Trick or tweak: on the (In)security of OTR’s tweaks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 333–353. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_12
Chakraborti, A., Iwata, T., Minematsu, K., Nandi, M.: Blockcipher-based authenticated encryption: how small can we go? In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 277–298. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_14
Datta, N., Nandi, M.: ELmE: a misuse resistant parallel authenticated encryption. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 306–321. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_20
Datta, N., Nandi, M.: ELMD v2.0. Submission to CAESAR competition (2015)
Dworkin, M.: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. NIST-SP 800–38D (2007)
Dworkin, M.: Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality. NIST-SP 800–38C (2007)
Ferguson, N.: Collision attacks on OCB. Comments to NIST (2002)
Granger, R., Jovanovic, P., Mennink, B., Neves, S.: Improved masking for tweakable blockciphers with applications to authenticated encryption. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 263–293. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_11
Inoue, A., Iwata, T., Minematsu, K., Poettering, B.: Cryptanalysis of OCB2: attacks on authenticity and confidentiality. Cryptology ePrint Archive, Report 2019/311 (2019). https://eprint.iacr.org/2019/311
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11
Iwata, T., Minematsu, K., Guo, J., Morioka, S.: CLOC: authenticated encryption for short input. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 149–167. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_8
Iwata, T., Minematsu, K., Guo, J., Morioka, S., Kobayashi, E.: CLOC and SILC v3. Submission to the CAESAR competition (2016)
Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Fast Software Encryption - 18th International Workshop, FSE 2011, Lyngby, Denmark, 13–16 February 2011, Revised Selected Papers, pp. 306–327 (2011). https://doi.org/10.1007/978-3-642-21702-9_18
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3
Matsuda, S., Moriai, S.: Lightweight cryptography for the cloud: exploit the power of bitslice implementation. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 408–425. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_24
Minematsu, K.: Improved security analysis of XEX and LRW modes. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 96–113. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74462-7_8
Minematsu, K.: Parallelizable rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_16
Minematsu, K.: AES-OTR v3. Submission to CAESAR competition (2016)
Minematsu, K., Matsushima, T.: Generalization and extension of \({\mathrm {XEX}}^{*}\) mode. IEICE Trans. 92-A(2), 517–524 (2009). http://search.ieice.org/bin/summary.php?id=e92-a_2_517&category=A&year=2009&lang=E&abst=
Naito, Y.: Improved XKX-based AEAD scheme: removing the birthday terms. In: Lange, T., Dunkelman, O. (eds.) LATINCRYPT 2017. LNCS, vol. 11368, pp. 228–246. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25283-0_13
Naito, Y.: Tweakable blockciphers for efficient authenticated encryptions with beyond the birthday-bound security. IACR Trans. Symmetric Cryptol. 2017(2), 1–26 (2017)
Naito, Y., Matsui, M., Sugawara, T., Suzuki, D.: SAEB: a lightweight blockcipher-based AEAD mode of operation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 192–217 (2018). https://doi.org/10.13154/tches.v2018.i2.192-217
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018). https://doi.org/10.17487/RFC8446, https://rfc-editor.org/rfc/rfc8446.txt
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, 5–9 December 2004, pp. 16–31 (2004). https://doi.org/10.1007/978-3-540-30539-2_2
Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: CCS 2001, Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, 6–8 November 2001, pp. 196–205 (2001). https://doi.org/10.1145/501983.502011
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. IETF RFC 5246 (2008)
Ueno, R., Homma, N., Iida, T., Minematsu, K.: High throughput/gate FN-based hardware architectures for AES-OTR. In: 2019 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1–4 (2019)
Acknowledgements
We would like to thank the anonymous reviewers for their comments and suggestions.
Appendices
A Proof of Security of \(\mathbb {P}\)hash-hc
We here show the proof of Lemma 3. Note that the underlying TURP \(\widetilde{{\mathsf {P}}}\) takes the same arguments as XE in Lemma 3; however, here we write \(\widetilde{{\mathsf {P}}}\) with the arguments of \({\mathrm {XEX}}^{*}\), following Fig. 7. Thus we always use \(\widetilde{{\mathsf {P}}}^{*, 0, *, *}\) in this proof.
Proof
We define \(\mathrm {XorColl}_{\delta } := \Pr \left[ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \delta \right] \).
1. Let \(A = \varepsilon \) and \(A'\ne \varepsilon \).
(i) We first consider the case \(|A'|_n = 1\). Suppose \(\mathrm {ifPad}(A') = 0\) without loss of generality. In this case,
$$\begin{aligned} \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A')&= \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') \\&= \mathtt {msb}_{n/2}(\widetilde{{\mathsf {P}}}^{0^n,0,1,0}(\mathtt {ozp}(A'[1]))) \end{aligned}$$
holds. Thus we obtain \(\mathrm {XorColl}_{\forall \delta } \le 1/2^{n/2}\).
(ii) Let \(|A'|_n > 1\). \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A')\) is a sum of the most (or least) significant n/2 bits of the blocks of \(A'\) encrypted by the TURP invoked with distinct tweaks. Thus \(\mathrm {XorColl}_{\forall \delta } = \Pr \left[ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \delta \right] \le 1/2^{n/2}\). The same argument applies to the case \(A \ne \varepsilon \) and \(A' = \varepsilon \). In the following cases, we suppose \(A \ne \varepsilon \) and \(A' \ne \varepsilon \).
2. Let \(|A|_n = |A'|_n\) and \(\mathrm {ifPad}(A) = \mathrm {ifPad}(A')\). Suppose \(|A|_n = |A'|_n = a\). Without loss of generality, we suppose \(\mathrm {ifPad}(A) = \mathrm {ifPad}(A') = 0\). Since \(A \ne A'\), there exists \(u \in \{1, \ldots , a\}\) such that \(A[u] \ne A'[u]\). For some \(\gamma \in \{0, 1\}^{n/2}\), \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A[u]))\right) \oplus \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) \oplus \gamma \) holds. Then we obtain
$$\begin{aligned}&\mathrm {XorColl}_{\delta } \\&= \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A[u])) \oplus \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) = \delta \oplus \gamma \right] \\&\le 2^{n/2}/(2^n-1) \le 2/2^{n/2}. \end{aligned}$$
3. Let \(|A|_n = |A'|_n\) and \(\mathrm {ifPad}(A) \ne \mathrm {ifPad}(A')\). Suppose \(|A|_n = |A'|_n = a\). Without loss of generality, we suppose \(\mathrm {ifPad}(A)=0\). Since \(\mathrm {ifPad}(A) \ne \mathrm {ifPad}(A')\) holds, the case where \(A[a] \ne A'[a]\) but \(A[a] = \mathtt {ozp}(A'[a])\) can occur. When \(A[a] = \mathtt {ozp}(A'[a])\), we obtain the following evaluation:
$$\begin{aligned}&\mathrm {XorColl}_{\forall \delta } \\&= \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(A[a])\right) \oplus \mathtt {lsb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(\mathtt {ozp}(A'[a]))\right) = \delta \oplus \gamma \right] \\&\le 1/2^{n/2}, \end{aligned}$$
where \(\gamma = \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A') \oplus \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(A[a])\right) \oplus \mathtt {lsb}_{n/2} \left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(\mathtt {ozp}(A'[a]))\right) \). When \(A[a] \ne \mathtt {ozp}(A'[a])\), we also obtain
$$\begin{aligned}&\mathrm {XorColl}_{\forall \delta } \\&= \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(A[a])\right) \oplus \mathtt {lsb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(\mathtt {ozp}(A'[a]))\right) = \delta \oplus \gamma \right] \\&\le 2^{n/2}/(2^n-1)\le 2/2^{n/2}. \end{aligned}$$
Combining both subcases, \(\mathrm {XorColl}_{\forall \delta } \le 2/2^{n/2}\) holds.
4. Let \(|A|_n \ne |A'|_n\). Suppose \(|A|_n = a\) and \(|A'|_n = a'\). We also suppose \(|A|_n < |A'|_n\) and \(\mathrm {ifPad}(A')=0\) without loss of generality. There exists \(u \in \mathbb {N}\) with \(a+1 \le u \le a'\), and for such u the block \(A'[u]\) has no counterpart in A, so we obtain the following evaluation:
$$\begin{aligned} \mathrm {XorColl}_{\forall \delta } = \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) = \delta \oplus \gamma \right] \le 1/2^{n/2}, \end{aligned}$$
where \(\gamma = \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A') \oplus \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) \).
From the above four cases, \(\max _{\forall \delta \in \{0,1\}^{n/2}}\Pr \!\left[ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \delta \right] \!\le 2/2^{n/2}\) holds.
B Proof of the Security of OCB-hc-AD
We here show the proof of Theorem 3.
Proof
We obtain the following evaluations using a hybrid argument.
where \(\mathcal{B}\) (resp. \(\mathcal{B}^{\pm }\)) is the adversary that simulates \(\mathcal{A}\) (resp. \(\mathcal{A}^{\pm }\)). The first terms of (5) and (6) are derived from [38] and [33]. The second terms of (5) and (6) are evaluated below.
Privacy. As for \(\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\) and \(\mathrm {\Theta }\mathrm {TR}\text {-}\mathrm {hc}\), \({\mathbf {Adv}}^{{\mathrm {priv}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A}) = 0\) holds since the adversary is nonce-respecting.
Authenticity. For simplicity, we suppose that the adversary queries the decryption oracle only once. Without loss of generality, the adversary makes the decryption query after all encryption queries. Suppose that she obtains the transcript \(z = \{ (N_1, M_1, A_1, C_1, T_1), \ldots , (N_q, M_q, A_q, C_q, T_q) \}\) from the encryption queries, and queries \((N', A', C', T')\) to the decryption oracle. Let Z be the set of all transcripts, and \(T^{*}\) the valid tag for \((N', A', C')\). Then we define FP\(_z:=\Pr [T'=T^{*} \mid Z=z]\) and evaluate \(\max _z\) FP\(_z\) as follows.
1. Let \(N' \ne N_i\) for all \(1 \le i \le q\). As in the proof of \(\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\), FP\(_{z} \le 1/2^{n/2}\) holds.
2. Let \(N' = N_{\alpha }\) for some \(\alpha \in \{1, 2, \ldots , q\}\), \(A' = A_{\alpha }\), and \(C' \ne C_{\alpha }\). In this case, we can evaluate FP\(_{z}\) in the same manner as in the proof of \(\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\). Thus FP\(_{z} \le 4/2^{n/2}\) holds.
3. Let \(N' = N_{\alpha }\) for some \(\alpha \in \{1, 2, \ldots , q\}\) and \(A' \ne A_{\alpha }\). Let \({\mathtt {Checksum}}^{*}\) be the valid checksum corresponding to \((N', A', C')\), and \({\mathtt {Checksum}}_{\alpha }\) the checksum corresponding to \((N_{\alpha }, A_{\alpha }, C_{\alpha })\). Let \(e_1\) be the event that \({\mathtt {Checksum}}^{*} = {\mathtt {Checksum}}_{\alpha }\) holds. Recall that
$$ {\mathtt {Checksum}}= \left( \Bigl (\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A) \oplus \bigoplus _{i=1}^{m-1} \mathtt {msb}_{n/2}(M[i])\Bigr ) \,\Vert \,0^{n/2} \right) \oplus \mathtt {ozp}(M[m]). $$
From the property of \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}\) stated in Lemma 3, we obtain the following evaluation:
$$\begin{aligned} \Pr [e_1 \mid Z=z]&= \Pr [ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A') \,\Vert \,0^{n/2} \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A_{\alpha }) \,\Vert \,0^{n/2} = \gamma \mid Z=z]\\ {}&\le \frac{2}{2^{n/2}}, \end{aligned}$$
where \(\gamma = \left( \bigoplus _{i=1}^{m'-1} \mathtt {msb}_{n/2}(M^{*}[i]) \,\Vert \,0^{n/2} \right) \oplus \left( \bigoplus _{i=1}^{m_{\alpha }-1} \mathtt {msb}_{n/2}(M_{\alpha }[i]) \,\Vert \,0^{n/2} \right) \oplus \mathtt {ozp}(M^{*}[m']) \oplus \mathtt {ozp}(M_{\alpha }[m_{\alpha }])\). Then we can evaluate the forgery probability as follows:
$$\begin{aligned} \text {FP}_z&\le \Pr [T'=T^{*} \mid \bar{e_1}, Z=z] + \Pr [e_1 \mid Z=z]\\&\le \frac{2^{n/2}}{2^n-1} + \frac{2}{2^{n/2}} \le \frac{4}{2^{n/2}}. \end{aligned}$$
From the evaluations of the above cases, we obtain
When the adversary queries the decryption oracle \(q_d\) times, we obtain
by using a technique from [10].
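The halved checksum of OCB-hc-AD used in the proof above, as an added example that is not part of the paper: a Python model of \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}\) and \({\mathtt {Checksum}}\) in which the TURP is replaced by an HMAC-SHA256 stand-in (an assumption made so the code runs offline; it is a PRF, not a permutation), the msb/lsb rule for a padded last block is taken as read from the case analysis in Appendix A, and M is assumed non-empty as in the formula. It shows that the value can be accumulated while carrying only an n/2-bit accumulator plus the current block, which is where the state saving described in the abstract comes from.

```python
import hashlib
import hmac

N_BYTES = 16          # block size n = 128 bits, AES-like
HALF = N_BYTES // 2   # n/2 = 64 bits: width of the halved accumulator
ZERO_NONCE = bytes(N_BYTES)

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def ozp(x: bytes) -> bytes:
    """One-zero padding: a full block is unchanged, else append 0x80 and zeros."""
    return x if len(x) == N_BYTES else x + b"\x80" + bytes(N_BYTES - len(x) - 1)

def blocks(x: bytes) -> list:
    """Split into n-bit blocks; the last one may be partial (then ifPad = 1)."""
    return [x[i:i + N_BYTES] for i in range(0, len(x), N_BYTES)]

def turp(key: bytes, nonce: bytes, b: int, i: int, c: int, x: bytes) -> bytes:
    """Stand-in (assumption) for the TURP P~^{N,b,i,c}: HMAC-SHA256 over
    tweak || block, truncated to n bits. A PRF, not a permutation; it only
    models the domain separation by the tweak (N, b, i, c)."""
    tweak = nonce + bytes([b]) + i.to_bytes(8, "big") + bytes([c])
    return hmac.new(key, tweak + x, hashlib.sha256).digest()[:N_BYTES]

def phash_hc(key: bytes, A: bytes) -> bytes:
    """Phash-hc(A): XOR over blocks of one n/2-bit half of P~^{0^n,0,i,0}(ozp(A[i])),
    the msb half for a full block and the lsb half for a padded last block,
    as in the case analysis of Appendix A; Phash-hc(empty) = 0^{n/2}."""
    acc = bytes(HALF)
    for i, blk in enumerate(blocks(A), start=1):
        y = turp(key, ZERO_NONCE, 0, i, 0, ozp(blk))
        acc = xor(acc, y[:HALF] if len(blk) == N_BYTES else y[HALF:])
    return acc

def checksum_hc(key: bytes, A: bytes, M: bytes) -> bytes:
    """((Phash-hc(A) xor XOR_{i<m} msb_{n/2}(M[i])) || 0^{n/2}) xor ozp(M[m])."""
    blks = blocks(M)
    acc = phash_hc(key, A)
    for blk in blks[:-1]:
        acc = xor(acc, blk[:HALF])
    return xor(acc + bytes(HALF), ozp(blks[-1]))

class StreamingChecksum:
    """Same value one block at a time: the carried state is the n/2-bit
    accumulator plus the most recent block, which any mode must buffer
    anyway because the final block is treated differently."""
    def __init__(self, key: bytes, A: bytes):
        self.acc = phash_hc(key, A)   # n/2 bits of state
        self.pending = None           # last block seen so far

    def absorb(self, blk: bytes) -> None:
        if self.pending is not None:
            self.acc = xor(self.acc, self.pending[:HALF])
        self.pending = blk

    def finalize(self) -> bytes:
        return xor(self.acc + bytes(HALF), ozp(self.pending))
```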
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Inoue, A., Minematsu, K. (2020). Parallelizable Authenticated Encryption with Small State Size. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science, vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_25
DOI: https://doi.org/10.1007/978-3-030-38471-5_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5