With a scheme for \textit{robust} authenticated-encryption a user can select an arbitrary value $\lambda \ge 0$ and then encrypt a plaintext of any length into a ciphertext that's $\lambda$ characters longer. The scheme must provide all the privacy and authenticity possible for the requested~$\lambda$. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call \textit{prove-then-prune}: prove security and then instantiate with a \textit{scaled-down}
primitive (e.g., reducing rounds for blockcipher calls).
↧