Abstract
Misuse-resistant AE (MRAE) is a class of authenticated encryption (AE) that resists a potential misuse (repeat) of the nonce. MRAE has received significant attention since the initial proposal by Rogaway and Shrimpton, who gave a generic MRAE construction called SIV. SIV has become the de-facto scheme for MRAE; however, one notable drawback is its two-pass operation for both encryption and decryption. This implies that MRAE built on SIV is slower than integrated nonce-based AE schemes such as OCB. In this paper, we propose a new method to improve this situation. In particular, our MRAE proposal (decryption-fast SIV, or DFV) decrypts as fast as a plain nonce-based AE decryption, hence theoretically doubles the decryption speed of the original SIV, while keeping the encryption speed equivalent to SIV. We present several generic compositions for DFV and their instantiations.
Highlights
Authenticated encryption (AE) is a symmetric-key cryptographic function for simultaneously providing confidentiality and integrity of plaintexts/ciphertexts
It is observed that the two-pass encryption structure is unavoidable for any Misuse-resistant AE (MRAE), since every ciphertext bit must depend on the whole input (A, M ) to ensure confidentiality
We observe that DFV2∗R can be interpreted as an instance of DFV1 with nonce-based AE (NAE) derived by the ciphertext translation (CT) [Rog02] applied to pNAEK
Summary
Authenticated encryption (AE) is a symmetric-key cryptographic function that simultaneously provides confidentiality and integrity of plaintexts/ciphertexts. Vaudenay and Vizár [VV18] presented a thorough study of the robustness of the third-round candidates of the CAESAR competition [CAE14], including their security under nonce misuse, a property that conventional nonce-based AE (NAE) does not provide. To overcome this weakness of NAE, Rogaway and Shrimpton [RS06] introduced the notion of Misuse-resistant AE (MRAE) and proposed a generic MRAE scheme called SIV. SIV hides the plaintext up to a repetition of the whole input and protects the integrity of the ciphertext even if the nonce repeats. It comes with a drawback in computation: it needs two passes over the input for both encryption and decryption. The two-pass encryption structure is unavoidable for any MRAE, since every ciphertext bit must depend on the whole input (A, M) to ensure confidentiality, whereas DFV brings decryption down to the cost of a plain NAE decryption. This implies that our proposal achieves the best-possible total efficiency of MRAE, in the sense that its computation cost cannot be substantially improved in either direction.
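To make the two-pass structure of SIV concrete, here is an added toy implementation of the SIV composition (it is an illustration written for this page, not the paper's code, and it does not reproduce the DFV construction, whose details the summary above does not give). The PRF over the vector (N, A, M) is stood in for by HMAC-SHA256 in place of S2V/CMAC, and the IV-based encryption by an HMAC-derived keystream in place of AES-CTR; both substitutions are assumptions for self-containment, and the keys, nonce and messages are constructed sample values. A pass counter shows that encryption and decryption each traverse the message twice, which is exactly the cost DFV removes on the decryption side.

```python
"""Toy SIV (Rogaway-Shrimpton MRAE composition) in pure Python.

Added illustration, not from the paper. HMAC-SHA256 stands in for the
vector-input PRF (S2V/CMAC) and an HMAC keystream stands in for AES-CTR,
so this shows the pass structure, not a production-grade cipher.
"""
import hashlib
import hmac

TAG_LEN = 16            # synthetic IV / tag length in bytes (assumed)
_PASS_COUNTER = [0]     # number of full traversals of the message so far


def _encode(nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Length-prefix each component so distinct (N, A, M) never collide."""
    out = b""
    for part in (nonce, ad, msg):
        out += len(part).to_bytes(8, "big") + part
    return out


def prf_tag(k1: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """PRF over the whole input (N, A, M): one traversal of M."""
    _PASS_COUNTER[0] += 1
    mac = hmac.new(k1, _encode(nonce, ad, msg), hashlib.sha256).digest()
    return mac[:TAG_LEN]


def keystream_xor(k2: bytes, iv: bytes, data: bytes) -> bytes:
    """IV-based stream encryption: block i = HMAC(k2, iv || i). One traversal."""
    _PASS_COUNTER[0] += 1
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = (i // 32).to_bytes(8, "big")
        block = hmac.new(k2, iv + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def siv_encrypt(k1: bytes, k2: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """SIV encryption: the tag doubles as IV, so the PRF must run first."""
    tag = prf_tag(k1, nonce, ad, msg)      # pass 1 over M
    ct = keystream_xor(k2, tag, msg)       # pass 2 over M
    return ct + tag


def siv_decrypt(k1: bytes, k2: bytes, nonce: bytes, ad: bytes, ct_tag: bytes):
    """SIV decryption; returns None on authentication failure."""
    if len(ct_tag) < TAG_LEN:
        return None
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    msg = keystream_xor(k2, tag, ct)       # pass 1: recover M from C
    expect = prf_tag(k1, nonce, ad, msg)   # pass 2: recompute PRF over M
    if not hmac.compare_digest(expect, tag):
        return None
    return msg


def count_passes(fn, *args):
    """Run fn(*args) and return (result, number of message traversals)."""
    _PASS_COUNTER[0] = 0
    result = fn(*args)
    return result, _PASS_COUNTER[0]


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    K1, K2 = b"\x01" * 32, b"\x02" * 32
    N, A, M = b"nonce-1", b"header", b"attack at dawn"
    c1, enc_passes = count_passes(siv_encrypt, K1, K2, N, A, M)
    c2 = siv_encrypt(K1, K2, N, A, M)
    print("nonce repeat with identical input leaks only equality:", c1 == c2)
    _, dec_passes = count_passes(siv_decrypt, K1, K2, N, A, c1)
    print("encrypt passes:", enc_passes, "decrypt passes:", dec_passes)
    tampered = bytes([c1[0] ^ 1]) + c1[1:]
    print("tampered ciphertext rejected:", siv_decrypt(K1, K2, N, A, tampered) is None)
```

Because the tag is the IV, decryption cannot verify integrity until the whole plaintext has been recovered and fed back through the PRF; that second traversal is what an integrated NAE such as OCB avoids, and what the paper's DFV removes from MRAE decryption.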