Parallelizable Authenticated Encryption with Small State Size

Abstract

Authenticated encryption (AE) is a symmetric-key encryption function that provides confidentiality and authenticity of a message. One of the evaluation criteria for AE is state size, which is memory size needed for encryption. State size is especially important when cryptosystem is implemented in constrained devices, while trivial reduction by using a small primitive is not generally acceptable as it leads to a degraded security.

In these days, the state size of AE has been very actively studied and a number of small-state AE schemes have been proposed, but they are inherently serial. It would be a natural question if we come up with a parallelizable AE with a smaller state size than the state-of-the-art.

In this paper, we study the seminal OCB mode for parallelizable AE and propose a method to reduce its state size without losing the bit security of it. More precisely, while (the most small-state variant of) OCB has 3n-bit state, by carefully treating the checksum that is halved, we can achieve 2.5n-bit state, while keeping the n/2-bit security as original. We also propose an inverse-free variant of it based on OTR. While the original OTR has 4n-bit state, ours has 3.5n-bit state. To our knowledge these numbers are the smallest ones achieved by the blockcipher modes for parallel AE and inverse-free parallel AE.

Appendices

A Proof of Security of \(\mathbb {P}\)hash-hc

We here show the proof of Lemma 3. Note that the underlying TURP \(\widetilde{{\mathsf {P}}}\) has the same arguments as XE in Lemma 3, however we here write \(\widetilde{{\mathsf {P}}}\) with the arguments of \({\mathrm {XEX}}^{*}\) following Fig. 7. Thus we always use \(\widetilde{{\mathsf {P}}}^{*, 0, *, *}\) in this proof.

Proof

We define \(\mathrm {XorColl}_{\delta } := \Pr \left[ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \delta \right] \).

1. 1.

   Let \(A = \varepsilon \) and \(A'\ne \varepsilon \).

   (i) We first consider the case of \(|A'|_n = 1\). Suppose \(\mathrm {ifPad}(A') = 0\) without loss of generality. In this case,

   $$\begin{aligned} \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A')&= \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') \\&= \mathtt {msb}_{n/2}(\widetilde{{\mathsf {P}}}^{0^n,0,1,0}(\mathtt {ozp}(A'[1]))) \end{aligned}$$

   holds. Thus we obtain \(\mathrm {XorColl}_{\forall \delta } \le 1/2^{n/2}\).

   (ii) Let \(|A'|_n > 1\). \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A')\) is a sum of the most (or least) significant n/2 bits of message blocks encrypted by TURPs which are invoked with respective different tweaks. Thus \(\mathrm {XorColl}_{\forall \delta } = \Pr \left[ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \delta \right] \le 1/2^{n/2}\). This discussion can be applied to the case that \(A \ne \varepsilon \) and \(A' = \varepsilon \). In following cases, we suppose \(A \ne \varepsilon \) and \(A' \ne \varepsilon \).

2. 2.

   Let \(|A|_n = |A'|_n\) and \(\mathrm {ifPad}(A) = \mathrm {ifPad}(A')\). Suppose \(|A|_n = |A'|_n = a\). Without loss of generality, we suppose \(\mathrm {ifPad}(A) = \mathrm {ifPad}(A') = 0\). Since \(A \ne A'\), there exists \(u \in \{1, \ldots , a\}\) such that \(A[u] \ne A'[u]\). For \(\exists \gamma \in \{0, 1\}^{n/2}\), \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A[u])\right) \oplus \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) \oplus \gamma \) holds. Then we obtain

   $$\begin{aligned}&\mathrm {XorColl}_{\delta } \\&= \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A[u])) \oplus \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) = \delta \oplus \gamma \right] \\&\le 2^{n/2}/(2^n-1) \le 2/2^{n/2}. \end{aligned}$$
3. 3.

   Let \(|A|_n = |A'|_n\) and \(\mathrm {ifPad}(A) \ne \mathrm {ifPad}(A')\). Suppose \(|A|_n = |A'|_n = a\). Without loss of generality, we suppose \(\mathrm {ifPad}(A)=0\). Since \(\mathrm {ifPad}(A) \ne \mathrm {ifPad}(A')\) holds, the case which satisfies \(A[a] \ne A'[a]\) and \(A[a] = \mathtt {ozp}(A'[a])\) can occur. When \(A[a] = \mathtt {ozp}(A'[a])\), we obtain the following evaluation.

   $$\begin{aligned}&\mathrm {XorColl}_{\forall \delta } \\&= \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(A[a])\right) \oplus \mathtt {lsb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(\mathtt {ozp}(A'[a]))\right) = \delta \oplus \gamma \right] \\&\le 1/2^{n/2}, \end{aligned}$$

   where \(\gamma = \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A') \oplus \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(A[a])\right) \oplus \mathtt {lsb}_{n/2} \left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(\mathtt {ozp}(A'[a]))\right) \). When \(A[a] \ne \mathtt {ozp}(A'[a])\), we also obtain

   $$\begin{aligned}&\mathrm {XorColl}_{\forall \delta } \\&= \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(A[a])\right) \oplus \mathtt {lsb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,a,0}(\mathtt {ozp}(A'[a]))\right) = \delta \oplus \gamma \right] \\&\le 2^{n/2}/(2^n-1)\le 2/2^{n/2}. \end{aligned}$$

   From these discussions, \(\mathrm {XorColl}_{\forall \delta } \le 2/2^{n/2}\) holds.

4. 4.

   Let \(|A|_n \ne |A'|_n\). Suppose \(|A|_n = a\) and \(|A'|_n = a'\). We also suppose \(|A|_n < |A'|_n\) and \(\mathrm {ifPad}(A')=0\) without loss of generality. There exists \(u \in \mathbb {N}\) such that \(a+1 \le u \le a'\) and we obtain the following evaluation.

   $$\begin{aligned} \mathrm {XorColl}_{\forall \delta } = \Pr \left[ \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) = \delta \oplus \gamma \right] \le 1/2^{n/2}, \end{aligned}$$

   where \(\gamma = \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A') \oplus \mathtt {msb}_{n/2}\left( \widetilde{{\mathsf {P}}}^{0^n,0,u,0}(\mathtt {ozp}(A'[u]))\right) \).

From above four cases, \(\max _{\forall \delta \in \{0,1\}^{n/2}}\Pr \!\left[ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A) \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}_{\widetilde{{\mathsf {P}}}}(A') = \delta \right] \!\le 2/2^{n/2}\) holds.

Fig. 8.

The algorithm of \({\mathrm {Phash}\text {-}\mathrm {hc}}_{E_K}\), where \(E_K\) is any blockcipher.

B Proof of the Security of OCB-hc-AD

We here show the proof of Theorem 3.

Proof

We obtain the following evaluations using hybrid argument.

$$\begin{aligned} {\mathbf {Adv}}^{{\mathrm {priv}}}_{{\mathrm {OCB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}}_{\mathsf {P}}}(\mathcal {A})&\le {\mathbf {Adv}}^{\text {cpa-nr}}_{{\mathrm {OCB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}}_{\mathsf {P}}, \mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A}) + {\mathbf {Adv}}^{{\mathrm {priv}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A})\nonumber \\&= {\mathbf {Adv}}^{\text {tprp}}_{{\mathrm {XEX}}^{*}_{{\mathsf {P}}}}(\mathcal {B}) + {\mathbf {Adv}}^{{\mathrm {priv}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A})\nonumber \\&\le \frac{4.5\sigma ^2_{{\mathrm {priv}}}}{2^n} + 0, \end{aligned}$$

(5)

$$\begin{aligned} {\mathbf {Adv}}^{{\mathrm {auth}}}_{{\mathrm {OCB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}}_{\mathsf {P}}}(\mathcal {A}^\pm )&\le {\mathbf {Adv}}^{\text {cca-nr}}_{{\mathrm {OCB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}}_{\mathsf {P}}, \mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A}^\pm ) + {\mathbf {Adv}}^{{\mathrm {auth}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A}^\pm )\nonumber \\&= {\mathbf {Adv}}^{\text {tsprp}}_{{\mathrm {XEX}}^{*}_{{\mathsf {P}}}}(\mathcal {B}^\pm ) + {\mathbf {Adv}}^{{\mathrm {auth}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A}^\pm )\nonumber \\&\le \frac{4.5\sigma ^2_{{\mathrm {auth}}}}{2^n} + \frac{4q_d}{2^{n/2}}, \end{aligned}$$

(6)

where \(\mathcal{B}\) (resp. \(\mathcal{B}^{\pm }\)) is the adversary which can simulate \(\mathcal{A}\) (resp. \(\mathcal{A}^{\pm }\)). The first terms of (5), (6) are derived from [38], [33]. The second terms of (5), (6) are described below.

Privacy. Similarly to \(\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\) and \(\mathrm {\Theta }\mathrm {TR}\text {-}\mathrm {hc}\), \({\mathbf {Adv}}^{{\mathrm {priv}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}_{\widetilde{{\mathsf {P}}}}}(\mathcal {A}) = 0\) holds since the adversary follows nonce-respecting.

Authenticity. For simplicity, we suppose that the adversary can query to the decryption oracle only once. Without loss of generality, the adversary performs decryption query after all encryption queries. Suppose that she obtains the transcript \(z = \{ (N_1, M_1, A_1, C_1, T_1), \ldots , (N_q, M_q, A_q, C_q, T_q) \}\) in encryption query, and she queries \((N', A', C', T')\) in decryption query. Let Z be the set of all transcripts, and \(T^{*}\) be the valid tag for \((N', A', C')\). Then we define FP\(_z:=\Pr [T'=T^{*} \mid Z=z]\) and evaluate \(\max _z\) FP\(_z\) as below.

1. 1.

   Let \(N' \ne N_i\), \(1 \le \forall i \le q\). As in the proof of \(\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\), FP\(_{z} \le 1/2^{n/2}\) holds.

2. 2.

   Let \(N' = N_{\alpha }\), \(\alpha \in \{1, 2, \ldots , q\}\), \(A' = A_{\alpha }\), \(C' \ne C_{\alpha }\). In this case, we can evaluate FP\(_{z}\) in the same manner as the proof of \(\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\). Thus FP\(_{z} \le 4/2^{n/2}\) holds.

3. 3.

   Let \(N' = N_{\alpha }\), \(\alpha \in \{1, 2, \ldots , q\}\), \(A' \ne A_{\alpha }\). We suppose that \({\mathtt {Checksum}}^{*}\) is the valid checksum corresponding to \((N', A', C')\) and that \({\mathtt {Checksum}}_{\alpha }\) is the value of the checksum corresponding to \((N_{\alpha }, A_{\alpha }, C_{\alpha })\). Let \(e_1\) is the event which \({\mathtt {Checksum}}^{*} = {\mathtt {Checksum}}_{\alpha }\) holds. Recall that

   $$ {\mathtt {Checksum}}= \left( \Bigl (\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A) \oplus \bigoplus _{i=1}^{m-1} \mathtt {msb}_{n/2}(M[i])\Bigr ) \,\Vert \,0^{n/2} \right) \oplus \mathtt {ozp}(M[m]). $$

   From the property of \(\mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}\) mentioned in Lemma 3, we obtain the following evaluation.

   $$\begin{aligned} \Pr [e_1 \mid Z=z]&= \Pr [ \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A') \,\Vert \,0^{n/2} \oplus \mathrm {\mathbb {P}}\mathrm {hash}\text {-}\mathrm {hc}(A_{\alpha }) \,\Vert \,0^{n/2} = \gamma \mid Z=z]\\ {}&\le \frac{2}{2^{n/2}}, \end{aligned}$$

   where \(\gamma = \left( \bigoplus _{i=1}^{m'-1} \mathtt {msb}_{n/2}(M^{*}[i])) \,\Vert \,0^{n/2} \right) \oplus \left( \bigoplus _{i=1}^{m_{\alpha }-1} \mathtt {msb}_{n/2}(M_{\alpha }[i])) \,\Vert \,\right. \left. 0^{n/2} \right) \oplus \mathtt {ozp}(M^{*}[m']) \oplus \mathtt {ozp}(M_{\alpha }[m_{\alpha }])\). Then we can evaluate a forgery probability as follows:

   $$\begin{aligned} \text {FP}_z&\le \Pr [T'=T^{*} \mid \bar{e_1}, Z=z]\Pr [e_1 \mid Z=z]\\&\le \frac{2^{n/2}}{2^n-1} + \frac{2}{2^{n/2}} \le \frac{4}{2^{n/2}}. \end{aligned}$$

From the evaluations of above cases, we obtain

$$\begin{aligned} {\mathbf {Adv}}^{{\mathrm {auth}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}}(\mathcal{A}^\pm ) \le \sum _{z} \max _z\text {FP}_z \cdot {\mathrm {Pr}}[Z=z] \le \frac{4}{2^{n/2}}. \end{aligned}$$

When the adversary queries to the decryption oracle \(q_d\) times, we obtain

$$ {\mathbf {Adv}}^{{\mathrm {auth}}}_{\mathrm {\Theta }\mathrm {CB}\text {-}\mathrm {hc}\text {-}\mathrm {AD}}(\mathcal{A}^\pm ) \le \frac{4q_d}{2^{n/2}} $$

by using a technique from [10].