The standard form of authenticated encryption (AE) requires the ciphertext to be expanded by
both the nonce and the authentication tag. These expansions can be problematic
when messages are relatively short and communication cost is high.
This paper studies a form of AE scheme whose ciphertext is expanded only by
the nonce, with the help of a stateful receiver, which also enables detection of replays.
While there is a scheme having this feature, called AERO, proposed by McGrew and Foley,
there has been no formal treatment of it based on a provable security framework.
We propose a provable security framework for such AE schemes, which we call MiniAE, and
show several secure schemes using standard symmetric crypto primitives.
Most notably, one of our schemes
has a structure similar to the OCB mode of operation and uses only one blockcipher call
to process each input block, so its computation cost is comparable to that of
nonce-based encryption-only schemes.
Authenticated Encryption without Tag Expansion (or, How to Accelerate AERO), by Kazuhiko Minematsu