ZOCB and ZOTR: Tweakable Blockcipher Modes for Authenticated Encryption with Full Absorption

Authors

  • Zhenzhen Bao Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore; Strategic Centre for Research in Privacy-Preserving Technologies and Systems, Nanyang Technological University, Singapore, Singapore
  • Jian Guo Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
  • Tetsu Iwata Nagoya University, Nagoya, Japan
  • Kazuhiko Minematsu NEC corporation, Tokyo, Japan

DOI:

https://doi.org/10.13154/tosc.v2019.i2.1-54

Keywords:

ZOCB, ZOTR, Authenticated encryption, Associated data, Tweakable, blockcipher, Provable security

Abstract

We define ZOCB and ZOTR for nonce-based authenticated encryption with associated data, and analyze their provable security. These schemes use a tweakable blockcipher (TBC) as the underlying primitive, and fully utilize its input to process a plaintext and associated data (AD). This property is commonly referred to as full absorption, and this has been explored for schemes based on a permutation or a pseudorandom function (PRF). Our schemes improve the efficiency of TBC-based counterparts of OCB and OTR called OCB3 (Krovetz and Rogaway, FSE 2011) and OTR (Minematsu, EUROCRYPT 2014). Specifically, ΘCB3 and OTR have an independent part to process AD, and our schemes integrate this process into the encryption part of a plaintext by using the tweak input of the TBC. Up to a certain length of AD, ZOCB and ZOTR completely eliminate the independent process for it. Even for longer AD, our schemes process it efficiently by fully using the tweak input of the TBC. For this purpose, based on previous tweak extension schemes for TBCs, we introduce a scheme called XTX*. To our knowledge, ZOCB and ZOTR are the first efficiency improvement of ΘCB3 and OTR in terms of the number of TBC calls. Compared to Sponge-based and PRF-based schemes, ZOCB and ZOTR allow fully parallel computation of the underlying primitive, and have a unique design feature that an authentication tag is independent of a part of AD. We present experimental results illustrating the practical efficiency gain and clarifying the efficiency cost for it with a concrete instantiation. The results show that for long input data, our schemes have gains, while we have efficiency loss for short input data.

Published

2019-06-11

Issue

Section

Articles

How to Cite

ZOCB and ZOTR: Tweakable Blockcipher Modes for Authenticated Encryption with Full Absorption. (2019). IACR Transactions on Symmetric Cryptology, 2019(2), 1-54. https://doi.org/10.13154/tosc.v2019.i2.1-54