π-Cipher with Intermediate Tags

Hristina Mihajloska1, Bart Mennink2, and Danilo Gligoroski3

1Faculty of Computer Science and Engineering, University ”Ss.Cyril and Methodius”, Skopje, Macedonia

2Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, andiMinds, Belgium

3Dept. of Telematics, NTNU, Norwegian University of Science andTechnology, Trondheim, Norway

May 13, 2016

Abstract

We introduce a new mode of operation for π-Cipher that supportsintermediate tags. π-Cipher is one of the ciphers that participate in thesecond round of Competition for Authenticated Encryption: Security, Ap-plicability, and Robustness - CAESAR. This mode allows π-Cipher to doa tag verification for a long message even on devices with limited mem-ory capacities without releasing unverified plaintext. The mode is parallel,supports online encryption and decryption and gives an intermediate levelof nonce-misuse resistance as an extra robustness feature of the cipher.This robustness is achieved by using the secret message number (SMN)as a part of the nonce. Also in this paper we provide a complete secu-rity proof for the privacy and integrity of the newly introduced mode ofoperation with intermediate tags.

Keywords: cryptography, on-line algorithms, authenticated encryp-tion with associated data AEAD, intermediate tags, secret message num-ber SMN.

1 Introduction

An authenticated encryption is a secret key technique that combines encryp-tion and message authentication for simultaneously achieving both privacy andauthenticity of the data. Additionally, by essentially providing them togetherin one mode of operation, where usually the same key and crypto primitive areused, it promotes efficiency and compactness. In [2], Bellare and Namprem-pre proved that the generic way to construct a secure authenticated encryptionscheme is to first encrypt the data and then to compute the MAC, known as the“Encrypt-then-MAC” (EtM) paradigm. This paradigm is present in the most

1

known modes of operation for authenticated encryption, CCM [9], GCM [18],OCB [21], and EAX [3], where encryption and authentication are combinedin single-pass or two-pass, fully parallelizable or sequential, with or withoutdecryption function, online or offline modes of operation.

Nowadays, in the latest and still ongoing competition for authenticated en-cryption CAESAR [4], many questions about the onlineness and misuse resis-tance have revived. Most of the candidates in the second round of the competi-tion are online, which means that encryption and authentication can be done onthe fly. Instead of the encrypt-then-authenticate process from the sender side,from the receiver point of view, this process can be translated as verify-then-decrypt. So the way to transform verification and decryption to be done on thefly is getting more complex. It can be achieved in two different ways. The firstone is done in two phases. In the first phase, only the tag is verified, and thesecond phase releases the decrypted blocks online. This approach is preferred forthe memory constrained devices, where the memory of the device is not enoughto collect all of the decrypted blocks before the tag is verified. The other wayfor secure online verification and decryption is by the use of intermediate tags.In this case, verification and decryption of the blocks is done on the fly withoutany special requirements of device memory or additional invocations.

In [22], Rogaway and Shrimpton defined a stronger authenticated encryption(AE) notion, which they called misuse-resistant AE (MRAE). They claimed thatthe price to create such a scheme is that the scheme can’t be online. In [14],Hoang et al. give new definitions for online authenticated encryption and callthem (corrected) OAE1 and OAE2. With these definitions in mind, none of theCAESAR candidates which are online, can be at the same time resist on therepetition of the nonce. This is due to the fact that the longest common prefixleakage cannot be avoided.

1.1 Related Work

No pre-CAESAR authenticated encryption schemes that could handle long mes-sages without keeping the whole plaintext in memory have appeared, with thesingle exception of the duplex construction by Bertoni et al. [5], which turnsan AE scheme into a single pass online authenticated encryption scheme. Theyproposed a mode with intermediate tags where a sequence of (header, message)pairs can be processed. There are many candidates in the CAESAR competi-tion that are following the duplex construction such as ASCON [7], ICEPOLE[20], NORX [15], Keyak [13], STRIBOB [17], PRIMATEs [11] and π-Cipher [8].Most of them are sequential and without option for online decryption.

There is another group of candidates, block cipher based, that are advertisedas single pass, online, misuse resistant schemes, like COPA [10], ELmD [19] andPOET [12]. All of them are characterized with parallelizability and two calls tothe underlying primitive per block during the encryption process (in the case ofPOET it is one call of a block cipher and two calls to a hash function). Moreover,all of these schemes require the inverse primitive calls for decryption. Havingin mind their specifications, POET and ELmD can also support intermediate

2

tags.

1.2 Our Contribution

In this paper, we introduce a new mode of operation for π-Cipher that supportsintermediate tags. Without releasing unverified plaintext this technique allowsus to do a tag verification for a long message even on devices with limited mem-ory settings. This new mode is parallel, supports online encryption and decryp-tion and gives an intermediate level of nonce-misuse resistance which manifestsan extra feature of the robustness of the cipher. This robustness is achievedby using the secret message number (SMN) as a part of the nonce. Insteadof the other online and parallel ciphers that support intermediate tags (ELmDand POET), our scheme does not make inverse primitive calls, so with just sin-gle implementation of the permutation function both encryption/authenticationand decryption/verification are done.

1.3 Outline

We give a brief description of π-Cipher in Section 2. A formal definition of thenew mode of π-Cipher with intermediate tags is presented in Section 3. Somepreliminaries about the security model are given in Section 4. We provide asecurity proof of the privacy of the mode in Section 5 and in Section 6 we proveits integrity. The work is concluded in Section 7.

2 Brief Description of π-Cipher

We introduce π-Cipher at a level necessary to understand the proposal of thenew mode of operation, and refer to [8] for the detailed and formal specifica-tion. π-Cipher is a permutation based scheme where the permutation function,denoted as π-function, plays the main role. As other sponge based permuta-tion functions, this function has a b-bit internal state that consists of r-bit ratepart (public one) and c-bit capacity part (secret one). Because of the nature ofconstruction of the π-function, the rate and capacity parts are of the same size.

The encryption/authentication procedure of π-Cipher accepts key K of klenbytes, associated data AD with adlen bytes and message M with mlen bytes.The cipher uses a public message number PMN and secret message numberSMN . The output of the encryption/authentication procedure is a ciphertextC of clen bytes and a tag T of τ bytes. The length of the ciphertext C is asum of the byte length of the message, the authentication tag and the encryptedsecret message number. The decryption/verification procedure accepts key K,associated data AD, ciphertext C, public message number PMN and tag T ,and returns the decrypted pair pSMN,Mq if the tag has been verified or Kotherwise.

The main building element in the operations of encryption/authenticationand decryption/verification is our new construction related to the duplex sponge,

3

called triplex component. It uses the permutation function π twice, injects acounter into the internal state and digests an input string. The triplex com-ponent always outputs a tag. Optionally after the first call of the permutationfunction it can output a string (that can be a ciphertext block or a messageblock). Because of the differences in the encryption/authentication and de-cryption/verification procedures, there are two different variants of the triplexcomponent. We call them e-triplex (for the phase of encryption) and d-triplex(for the phase of decryption). The only difference in these two components ishow the input string is treated after the first call of the permutation function.They are shown in Figure 1.

Figure 1: Triplex component

π-Cipher starts with the initialization phase, where by padding function,pK,PMNq is mapped to pK||PMN ||10˚q and processed by the π-function. Asa result of this phase the counter and common internal state (CIS) becomeinitialized.

Unlike other sponge-based schemes, π-Cipher offers parallelism both in thephase of processing the associated data and in the encryption phase. The num-ber of parallel threads depends on the number of data blocks that every phasehas (a threads in the phase of the associated data and m threads in the phase ofthe encryption). After the initialization phase, the state CIS is branched intoa copies and associated data is processed. These a states are merged into onenew state, that updates the CIS state and the newly obtained state CIS1 isbranched into m new copies where message blocks are encrypted and authenti-cated. After the computation of every block of ciphertext there is a productionof a tag, called intermediate tag. At the end, all of these intermediate tags aresummed into the final tag.

3 Mode of Operation of π-Cipher With Inter-mediate Tags

An authenticated encryption scheme with associated data (AEAD) providesencryption for a message M and authentication for M and associated data AD.

4

In the CAESAR competition [4], the traditional use of nonces has beenmodified to have two parts: a public message number (PMN) and a secretmessage number (SMN) i.e., the nonce N is represented as the pair N “

pPMN,SMNq. The value of SMN is secret, and needs to be encrypted. InCAESAR, the use of an SMN was optional, and in fact, only two candidateshave opted to facilitate it: π-Cipher [8] and ICEPOLE [20].

A precise formalization of the new variant of the authenticated encryptionthat uses the nonce as N “ pPMN,SMNq alongside the other argumentssuch as the key, the associated data and the message is given by Namprempre,Rogaway and Shrimpton in [6].

Definition 1 (AEAD with SMN). An authenticated encryption scheme withassociated data (AEAD) and secret message number SMN is a tuple Π “

pK, E ,Dq with E as a deterministic encryption algorithm that takes a key K P

K “ t0, 1uk, public message number P P P “ t0, 1up, associated data A P

A “ t0, 1u˚, secret message number S P S “ t0, 1us, and message M P M “

t0, 1u˚, and returns a string C “ EP,AK pS,Mq. The decryption algorithm D takesstrings K,P,A and C Ď t0, 1u˚ and returns either a string pair in (S,M) or

the distinguished symbol K, DP,AK pCq “ pS,Mq or DP,A

K pCq “K. We require that

DP,AK pEP,AK pS,Mqq “ pS,Mq for all K P K, P P P, A P A, S P S and M PM.

Thus, |EP,AK pS,Mq| “ lp|M |q for some linear-time computable length function l.Encryption and decryption functions can also be written as follows:

E : K ˆ P ˆAˆ S ˆMÑ t0, 1u˚,

D : K ˆ P ˆAˆ t0, 1u˚ Ñ pS ˆMq Y K .

Hoang et al. [14] defined a segmented AE scheme with constant segment-expansion τ defined as follows:

Definition 2 (Segmented-AEAD scheme). A segmented-AEAD scheme is atuple Π “ pK, E ,Dq where the key space K is a nonempty set with an associ-ated distribution and both encryption E “ pE .init, E .next, E .lastq and decryptionD “ pD.init,D.next,D.lastq specified by triples of deterministic algorithms.Associated to Π are its associated data space A Ď t0, 1u˚, its nonce spaceN Ď t0, 1u˚, its state space S and its segment-expansion τ . These parame-ters appear in the formal presentation of the components of E and D:

E.init : KˆN ˆAÑ S

E.next : Kˆ S ˆ t0, 1u˚˚ Ñ t0, 1u˚˚ˆ S

E.last : Kˆ S ˆ t0, 1u˚ Ñ t0, 1u˚

D.init : KˆN ˆAÑ S

D.next : Kˆ S ˆ t0, 1u˚˚ Ñ pt0, 1u˚˚ˆ Sq

D.last : Kˆ S ˆ t0, 1u˚ Ñ t0, 1u˚Y K,

where t0, 1u˚˚ “ pt0, 1u˚q˚ denotes the set of segmented-strings where eachcomponent of a segmented-string is a string.

The number of components in a segmented-string M is denoted as |M | “ m,while the i-th component of M , i P r1..ms, is denoted as M i. Note that indexingbegins at 1. Thus, M “ pM1,M2, . . .Mmq P t0, 1u

˚˚. Here M gets transformedinto a segmented ciphertext C “ pC1, C2, . . . , Cmq “ EpK,N,A,M q where

5

|Ci| “ |Mi| ` τ for all i P r1..ms, and encryption algorithm is given with atriplet of algorithms as in the Definition 2.

π-Cipher “ pK, E ,Dq is an AEAD scheme with SMN and it complies with theDefinition 1. It relies on a permutation function π : t0, 1ub Ñ t0, 1ub and corre-spondingly K-key, PMN -public message number, AD-associated data, SMN -secret message number, M -message and C-ciphertext. π-Cipher can work indifferent modes depending on the purpose of its use as it is described in itsdocumentation [8]. Since one of the essential properties of π-Cipher is that itis online and parallel, it can be used in a mode of operation where the problemwith secure release of unverified plaintext is addressed [1]. In order to preciselyand mathematically define this mode of operation we naturally join the modelsof AEAD with SMN of Definition 1 and Segmented-AEAD scheme of Definition2 into Segmented-AEAD with SMN where the authenticated segmentation isachieved by computing intermediate tags. With the model of intermediate tags,π-Cipher provides security against block-wise adversaries. In this model adver-saries are allowed to send messages block-by-block to the cipher and receive thecorresponding ciphertext blocks on-the-fly, authenticated.

The basic idea is for a message M P t0, 1umn, π-Cipher to generate a cipher-text C P t0, 1un`mn`mτ`τ , where m ě 0 is the number of message/ciphertextblocks, n ě 0 is the length of one block in bits and τ “ k is the length of the tagin bits. In this case the ciphertext has an extension of n`mτ ` τ -bits, where nbits correspond to the encrypted SMN, mτ represents the tag of every encryptedmessage block Mi and τ is reserved for the final tag. Processing the messagepart remains the same and also calculation of the ciphertext is the same. Theintermediate tags tj are generated and released after every block message. Thefinal tag T is computed at the end of the entire message and it consists of thesum of the tag generated after the associated data phase T 1, the tag generatedafter SMN phase t0 and all released intermediate tags of the message blocks tj .

T “ T 1ð

t0

mð

j“1

tj .

The encryption and decryption functions can be described as follows:

EpK,PMN,AD,SMN,Mq Ñ pC, IT, T q and

DpK,PMN,AD,C, IT, T q Ñ pSMN,Mq Y K,

where IT “ pλ, λ, . . . , λloooomoooon

a`1

, t1, t2, . . . , tmq represents the sequence of intermediate

tags. Here, we denote by λ the empty string, and in our model we do not releaseintermediate tags neither for the associated data nor for SMN. Thus, the totalnumber of released intermediate tags is m (the same as the number of messageblocks). The bit length of each intermediate tag is |tj | “ k (as the length of thekey).

The formal definition for this mode of π-Cipher can be formulated as follow-ing:

6

Definition 3 (Segmented-AEAD scheme with SMN). π-Cipher “ pK, E ,Dq is asegmented AEAD scheme with constant segment-expansion and secret messagenumber SMN , where the key space K is a nonempty set with an associateddistribution and both encryption E “ pE .init, E .smn, E .msgq and decryptionD “ pD.init,D.smn,D.msgq specified by triples of deterministic algorithms.Associated to π-Cipher are its AD space A Ď t0, 1u˚, its pubic message numberPMN space P Ď t0, 1u˚, its secret message number SMN space S, commoninternal state CIS space IS and its segment-expansion τ . These parametersappear in the formal presentation of the components of E and D as follows:

E .init : K ˆ P ˆAÑ ISE .smn : IS ˆ S Ñ t0, 1u˚ ˆ ISE .msg : IS ˆ t0, 1u˚˚ Ñ t0, 1u˚˚

D.init : K ˆ P ˆAÑ ISD.smn : IS ˆ S Ñ pt0, 1u˚ ˆ ISqD.msg : IS ˆ t0, 1u˚˚ Ñ t0, 1u˚˚ Y K .

The encryption algorithm (with authentication) operates on SMN and seg-mented plaintext M “ pM1,M2, . . . ,Mmq P t0, 1u

˚˚ and produces the seg-mented ciphertext C “ pC0, C1, . . . , Cmq “ EpK,PMN,AD,SMN,M q. Thereis a corresponding decryption algorithm D such as DpK,PMN,AD,C q “pSMN,M q or K if decryption algorithm together with the verification fail onsome of the segments. The algorithms are defined in Figure 2.

Algorithm 1: EpK,PMN,AD,SMN,M q

1: mÐ |M |

2: if m “ 0 then3: return λ4: end if5: pM1,M2, . . . ,Mmq ÐM6: CIS Ð E .initpK,PMN,ADq7: pC0, CIS

1q Ð E .smnpCIS, SMNq

8: for iÐ 1 to m do9: Ci Ð E .msgpCIS1,Miq

10: end for11: return pC0, C1, . . . , Cmq

Algorithm 2: DpK,PMN,AD,C q

1: mÐ |C | ´ 12: if m “ 0 then3: return λ4: end if5: pC0, C1, . . . , Cmq Ð C6: CIS Ð D.initpK,PMN,ADq7: pSMN,CIS1q Ð D.smnpCIS,C0q

8: for iÐ 1 to m do9: if D.msgpCIS1, Ciq “K then

10: if m “ 1 then11: return λ12: else13: return pM1, . . . ,Mi´1q

14: end if15: else16: Mi Ð D.msgpCIS1, Ciq

17: end if18: end for19: return pM1, . . . ,Mmq

Figure 2: Two algorithms for encryption and decryption of segmented AEADscheme with SMN - π-Cipher

7

4 Security Notions

The security proof of this mode of π-Cipher is based on the detailed proof forthe sponge based authenticated ciphers and is given by Jovanovic, Luykx andMennink in the ASIACRYPT 2014 paper [16]. In this paper, the authors haveshown that several candidates of CAESAR may achieve the significantly higherbound than the traditional one of mint2c{2, 2ku. They have left out π-Cipherfor some future analysis because of its structural difference in the way how itmaintains the states.

In this paper, in order to prove the security of the mode of operation withintermediate tags of π-Cipher, we made a model with two games both being bychoosing a random key K from the space K. In the real game an oracle O asksa query to E as it is defined in Definition 3 and is answered with real values. Onthe other hand, in the ideal game an oracle asks a query to $ which is an idealpermutation model of E and is answered with uniformly random bit strings.The main role in these games plays an adversary A, which is a probabilisticalgorithm that has access to some of the oracles O. By AO ñ 1 we denote theevent that adversary A running with its oracle O, outputs 1. Moreover, theadversary has unbounded computational power, and its complexity is measuredby the number of queries made to the oracles.

For this security proof, we consider an adversary A that makes qp permu-tation queries and qε encryption queries of total length λε blocks. By EK wedenote an encryption query, consisting of a associated data blocks, and m mes-sage blocks. According to the design of π-Cipher we will define a state value sas an input to exactly one call to the permutation function, π-function. Notethat sinit is a state value for the first call to the π-function in the initializationphase. After that there are a parallel threads in the associated data phase. Wedenote with sADl,0 the first input to the permutation function, and with sADl,1 the

second call to each of the branches l “ 1, a. sCIS is a state value for updatingthe common internal state, that is done at the end of the AD phase. The nextstate values are two inputs to the π-function into the SMN phase, sSMN

0 andsSMN1 . At the end, in the message phase the state values are distributed in the

same way as in the AD phase, so they are denoted as sMl,0 and sMl,1 for l “ 1,m.Hence, the corresponding state values can be represented as:

¨

˚

˝

sinit;

»

—

–

sAD1,0 sAD1,1...

...sADa,0 sADa,1

fi

ffi

fl

; sCIS ; sSMN0 ; sSMN

1 ;

»

—

–

sM1,0 sM1,1...

...sMm,0 sMm,1

fi

ffi

fl

˛

‹

‚

.

Here, if the j-th encryption query is of length a`m blocks, then the number ofstate values σε,j is 2a` 2m` 4. So, the total number of π-function evaluationsvia the encryption queries is:

σε :“qεÿ

j“1

σε,j ď qεp2a` 2m` 4q “ 2λε ` 4qε. (1)

8

Also for decryption queries the number is the same and is denoted as σD andσD,j analogously.

5 Privacy of π-Cipher With Intermediate Tags

Theorem 1. Let Π “ pK, E ,Dq be the proposed π-Cipher with intermediatetags, where the permutation function π is replaced with an ideal permutation pwhich operates on b bits. Then,

AdvprivΠ pAq ď2pqp ` σεq

2

2b`qp ` σε

2k`qpr

2c`qεa

2b{2`

c

8eσεqp2b

,

where σε is defined in (1), qp is the maximum number of calls to ideal permuta-tion p˘, qε is the maximum number of encryption queries of total length of λεblocks and a is the maximum number of associated data blocks.

Proof. For the privacy proof we need to obtain an upper bound for the advantageof an adversary who can distinguish the output of the proposed scheme with arandom oracle in the ideal permutation model.

AdvprivΠ pAq “ |PrpAp˘,EK ñ 1q ´PrpAp

˘,$ ñ 1q| “ ∆App˘, EK ; p˘, $q. (2)

With replacing the permutation function p with two-directional function f fromt0, 1ub to t0, 1ub and using the PRP/PRF Switching Lemma [23], we have:

∆App˘, EK ; p˘, $q ´∆Apf

˘, EK ; f˘, $q ďpqp ` σεqpqp ` σε ´ 1q

2b`1

ďpqp ` σεq

2

2b. (3)

Now we will restrict our attention to an adversary with oracle access to pf˘, tEK , $uq.The function f˘ maintains a list F of all query/response tuples px, yq. This listinitially is empty. For the forward query fpxq, if px, yq P F, the correspondingvalue y “ fpxq is returned. For a new forward query fpxq, and y randomlydrown from t0, 1ub, if px, yq is in the list F then the primitive aborts, otherwisethe tuple px, yq is added to it. The description for the query f´1pyq is similar.

Also, for this proof we assume that the adversary is nonce respecting andonly queries full blocks where no padding rules are involved.

To aim the goal we have two main collision events, guess and hit. Theevent guess is a way of how a primitive call in an encryption query hits a directprimitive query, or the opposite. On the other side, the event hit is set whentwo independent states collide in the encryption query. For two states we saythat they are independent if they come from different previous state values. Soevent is set to bad, if some of the events guess or hit occur:

∆Apf˘, EK ; f˘, $q ď PrpAf

˘,EK sets eventq. (4)

9

The probability of event is set according to [16] is as follows:

Prpguess_ hitq “ Prpguess_ hit| pkey_multiqq `Prpkey_multiq. (5)

Note that there are two more additional events, key and multi. The event keycorresponds to all primitive queries hitting the key. The event multi is usedto bound the number of states that collide in the rate part. Let ρ ě 1 be anythreshold, for which the following is satisfied:

maxαPt0,1ur |tj1 ď j, 1 ă k1 ď k : αtrsj1,k1s

r, rfpsj1,k1qsruu| ą ρ,

for j P t1, . . . , qεu and k P t1, . . . , σε,ju.Event guess. This event may occur in the i-th primitive query (for i “

1, ¨ ¨ ¨ , qp) or in any state evaluation of the j-th encryption query (for j “1, ¨ ¨ ¨ , qε). Denote that the state values of the j-th encryption query are asfollows:¨

˚

˝

sinitj ;

»

—

–

sADj,1,0 sADj,1,1...

...sADj,a,0 sADj,a,1

fi

ffi

fl

; sCISj ; sSMNj,0 ; sSMN

j,1 ;

»

—

–

sMj,1,0 sMj,1,1...

...sMj,m,0 sMj,m,1

fi

ffi

fl

˛

‹

‚

.

(6)We assume that event pguess_hit_key_multiq has not been set before and

also event pkey_multiq has not been set by this query before. From the furtheranalysis we will exclude sinitj from guess event because that case belongs to thekey event. For i “ 1, ¨ ¨ ¨ , qp let ji P t1, ¨ ¨ ¨ , qεu be the number of encryptionqueries made before the i-th permutation query. And for j “ 1, ¨ ¨ ¨ , qε letij P t1, ¨ ¨ ¨ , qpu be the number of permutation queries made before the j-thencryption query. Here we have two games, the first one is when we play withthe permutation queries, and the other with encryption queries.

� In the first one the bad event occurs when input to the f˘ pxi, yiq col-lide with the elements in set F. So for the forward query xi there are atmost ρ state values that have the same rate part, thus the capacity is un-known to the adversary and the bad event occurs with probability at mostρ{2c. For the inverse query the situation is more complicated. We takeyi from the set of all encryption queries made before the i-th permutationquery. Therefore the probability that guess is set via a direct query to theprimitive is at most

qpρ2c `

řqpi“1

řjij“1

σε,j2b

.

� In the second one, bad event is set in the j-th encryption query for j P1, ¨ ¨ ¨ , qε. In this case we consider the probability that some of the statesfrom (6) sets guess, assuming that it has not been set before. Thus wehave 3 subcases here.

1. The state value sADj,l,0 for l “ t1, . . . , au, equals fpsinitj q ‘ pctr ` lqwhere ctr is some secret value not determined by the adversarial in-put. By assumption that fpsinitj q is randomly drawn from t0, 1ub, the

10

probability to guess the state is at mostaij2b

(where ij is the numberof permutation queries made before the j-th encryption query). Thestate value sADj,l,1 for l “ 1, ¨ ¨ ¨ , a, equals fpsADj,l,0q ‘ ADl where ADl

is a value determined by the adversarial input. The probability toguess the state is at most

aij2b

.

2. sCISj “ fpsinitj q ‘ T 1 and is guessed with probability at most ij{2b

3. The same is situation in sSMNj,0 and sSMN

j,1 , probability is bound to

ij{2b.

4. For the last branching (processing the message) we have the samesituation as in the associated data part.

Concluding, the j-th encryption query sets guess with probability at mostaij2b

+aij2b

+ 3ij2b

+mij2b

+mij2b

. Or summing over all qε encryption queries,we get

qεÿ

j“1

aij2b`aij2b` 3

ij2b`mij2b

`mij2b

“

qεÿ

j“1

ijp2a` 2m` 3q

2bď

qεÿ

j“1

ijσε,j2b

.

Here we use thatřqpi“1

řjij“1 σε,j ď qpσε as ji always has its maximum value

qε andřqεj“1 ijσε,j “

řqεj“1

řσε,jk“1 ij ď qpσε as ij always has its maximum value

qp.Concluding,

Prpguess| pkey_multiqq ďqpρ

2c`

qpÿ

i“1

jiÿ

j“1

σε,j2b

`

qεÿ

j“1

ijσε,j2b

ďqpρ

2c`

2qpσε2b

. (7)

Event hit. We need to find whether the event hit is set, or whether twoindependent states (with different parents) collide in the encryption queries. Itis clear that for the initialization state sinit stands: sinitj ‰ sinitj1 because of theuniqueness of the nonce. So here any state value sj,l hits an initial state valuesj1,1 only if rsj,ls

k “ K which happens with probability σε{2k. In the other

states (σε ´ qε) for any two states sj,l, sj1,l1 we have the following:

� sADj,l,0 “ fpsinitj q ‘ pctr` lq, l “ t1, . . . , au. Because of the fact that sinitj is

always fresh, collision between sADj,l,0 and some older state will happen with

probability no more than a{2b for all l’s. Note that sADj,l,0 can never collidewith a state from the same query because of the incremental counter’svalue. If sADj,l,0 is a new state, then also it is a new input to f and sADj,l,1 is a

new one too. It hits a certain older state with probability 1{2b. If sADj,l,1 isnew for all l’s, then the output of the function f is random, and the tagT 1 generated from the associated data phase is random too.

11

� sCISj “ fpsinitj q ‘ T 1 hits a state from an older query with probability at

most 1{2b. Here we have a special case. The state sCISj can collide with

some of the states sADj,l,0 from this query if and only if rpctr` lq||0˚sr collide

with T 1 (they have the same parent state sinitj q). Probability for this isno more than a{2r.

� sSMNj,0 “ fpsCISj q ‘ pctr ` a ` 1q. This state is new, so it can hit some

older state with probability 1{2b, and the same is for sSMNj,1 .

� sMj,l,0 “ fpsSMNj,1 q ‘ pctr ` a ` 1 ` lq, so it is a new state for all parallel

instances l and can collide with some other state from an older query withprobability at most m{2b. However, if sMj,l,0 is a new state, also new states

are sMj,l,1 for all l’s and the output of the function f is random. This proofsthat the intermediate tags tj are random values, and also the generatedfinal tag is a random value too.

In total, the j-th encryption query sets event hit with probability at most:p2a`3`2mq

2bpσε,1 ` σε,2 ` . . .` σε,j´1q `

a2r .

Summing over all queries,

Prphit| pkey_multiqq ďσε2k`

qεÿ

j“1

p2a` 3` 2mq

2bpσε,1 ` . . .` σε,j´1q `

a

2r

ďσε2k`qεa

2r`pσε´qε2 q

2b

ďσε2k`qεa

2r`pσε ´ qεq

2

2b`1. (8)

Event key. This event is used to bound the collision between the key Kand the k leftmost bits of xi from the i-th primitive query where i P t1, . . . qpu.An adversary makes at most qp attempts, and hence Prpkeyq ď qp{2

k.Event multi. This event is used to bound the number of states that collide

in the rate part. So, consider a new state value sj,l´1; then for a fixed statevalue x P t0, 1ub it satisfies fpsj,l´1q “ x or sj,l “ fpsj,l´1q ‘ w “ x forsome predetermined value w with probability 2{2b. Now, let α P t0, 1ur, morethan ρ state values hit α with probability at most pσερ qp2{2rqρ. According tothe Stirling’s approximation for factorials (n! „

?2πnpne q

n ě pne qn), we have

pσερ qp2{2rqρ ď p

2eσερ2r q

ρ. Considering any possible choice of α we obtain that

Prpmultiq “ 2rˆ

2eσερ2r

˙ρ

. (9)

So at the end, to complete the proof we need to make a sum of the previously

12

computed four bounds as follows:

Prpguess_ hitq “ Prpguess_ hit| pkey_multiqq `Prpkey_multiq

“ Prpguess| pkey_multiqq `Prphit| pkey_multiqq

`Prpkeyq `Prpmultiq

ďqp ` σε

2k`pσε ´ qεq

2

2b`1`qpρ

2c`qεa

2r`

2qpσε2b

` 2rˆ

2eσερ2r

˙ρ

.

(10)

To simplify previous evaluation and also substitute ρ with some known val-

ues, we put ρ ě maxtr,b

2eσε2c

qp2ru, so simply we put ρ “ r `

b

2eσε2c

qp2rand get

the following:

Prpguess_ hitq ďqp ` σε

2k`pσε ´ qεq

2

2b`1`qpr

2c`qεa

2r`

2qpσε2b

`

c

8eσεqp2b

.

(11)

At the end, we have the final bound for privacy of π-Cipher:

AdvprivΠ pAq ďpqp ` σεq

2

2b`

2qpσε2b

`qp ` σε

2k`pσε ´ qεq

2

2b`1`qpr

2c`qεa

2r`

c

8eσεqp2b

.

(12)

We assume that2qpσε`pσε´qεq

2{2

2bďpqp`σεq

2

2b. Also, aqε

2r “aqε2b{2

according to thedesign of the permutation function and get the following bound for the privacyof π-Cipher with intermediate tags, that completes the proof:

AdvprivΠ pAq ď2pqp ` σεq

2

2b`qp ` σε

2k`qpr

2c`qεa

2b{2`

c

8eσεqp2b

.

�

6 Authenticity of π-Cipher With IntermediateTags

Theorem 2. Let Π “ pK, E ,Dq be the proposed π-Cipher with intermediatetags, where the permutation function π is replaced with an ideal permutation pthat operates on b bits. Then,

AdvauthΠ pAq ďpqp ` σε ` σDq

2

2b`1`σDpqp ` σε ` σDq

2c`qpr

2c`

apqε ` qDq

2b{2`qp ` σε ` σD

2k`m2q2D `mqD

2k`

c

8eσεqp2b

,

where σε and σD are defined in (1), qp is the maximum number of calls to idealpermutation p˘, qε is the maximum number of encryption queries of total lengthof λε blocks, qD is the maximum number of decryption queries of total length ofλD blocks and a is the maximum number of associated data blocks.

13

Proof. A forgery of an AEAD scheme is defined as the ability of an adversaryA to generate a valid (N, AD, C, T) tuple, without directly querying it tothe encryption oracle. Stated differently, an adversary attempts to make adecryption query that does not result in K.

Let Π “ tK, E ,Du be π-Cipher defined with Definition 3 with ideal permu-tation (π-function) which operates on b “ pr` cq bits. The adversary A is givenaccess to an encryption oracle EK , decryption oracle DK , ideal permutationfunction p and its inverse p´1 function. Our goal is to bound the adversary’sadvantage to forge the scheme Π “ tK, E ,Du:

AdvAuthΠ pAq “ PrpAp

˘,EK ,DK forgesq. (13)

By replacing the ideal permutation function p with two-directional functionf : t0, 1ub Ñ t0, 1ub and using the PRP/PRF Switching Lemma [23], alsoknowing that adversary can ask no more than qp ` σε ` σD evaluations to thefunction f , we have the following bound:

PrpAp˘,EK ,DK forgesq ´PrpAf

˘,EK ,DK forgesq ďpqp ` σε ` σDqpqp ` σε ` σD ´ 1q

2b`1

ďpqp ` σε ` σDq

2

2b`1.

We will focus on adversary A to have an oracle access to pf˘, EK ,DKq andonly to make full-block queries. Also we assume that adversary A is nonce-respecting, which means that it never makes two queries to EK with the samenonce, but it is allowed to repeat nonces in decryption queries.

For this proof we need the same setting as in the privacy proof, about theguess and hit events, but here extended with new D-related collision eventsDguess and Dhit. The state values are the same as in (6) with a δ appended tothe subscript, where δ P tE ,Du.

We observe that:

PrpAf˘,EK ,DK forgesq ď PrpAf

˘,EK ,DK forges| eventq `

PrpAf˘,EK ,DK sets eventq. (14)

A bound on the probability that A forges when event does not happen isthe same with the case where A can guess some of the intermediate tags ti,jfor some decryption query j. In this case, the j-th forgery attempt is successfulwith probability at most m{2τ . Summing over all decryption queries qD we get:

PrpAf˘,EK ,DK forges| eventq ď

mqD2τ

.

The length of the intermediate tags is the same as the key length as westated in Section 3, so freely we can write that probability of the adversary toforge the scheme when event does not happen is mqD

2k.

14

Next we need to explain what is the bound on the probability when adversarysets event. Here, event “ guess_ hit_Dguess _Dhit and

PrpAf˘,EK ,DK sets eventq ď Prpguess_ hit_Dguess _Dhitq ď

Prpguess_ hit_Dguess _Dhit| pkey_multiqq `Prpkey_multiq. (15)

Event Dguess. Note that the adversary may freely choose the rate part indecryption queries and primitive queries (the ciphertext and intermediate tagsare known for the adversary). Dguess sets bad as soon as there is a primitivestate and a decryption state whose capacity parts are equal. We write this as,Dguesspi; j, kq ” xi “ sδ,j,k, where δ “ D which means that an adversary A isnot able to ask a query E . This happens with probability at most qpσD{2

c,

PrpDguess| pkey_multiqq ď qpσD{2c.

Event Dhit. In this case an adversary has an ability to reuse nonce in thedecryption queries. Note that just the public part of the nonce can be reused,PMN . In this case SMN is still private and unknown to the adversary. Anydecryption state can hit the initial one (where just the key is unknown) withprobability at most σD{2

k. For the rest we have several sub-cases:

1. pPMN ;AD,Cq “ pPMNδ,j ;ADδ,j , Cδ,jq but T ‰ Tδ,j . This case is infea-sible and probability is 0, because intermediate tags and also the final tagare the same only if PMN, AD, SMN and plaintext pairs up to that arethe same too.

2. pPMN ;ADq “ pPMNδ,j ;ADδ,jq but C ‰ Cδ,j . Let ciphertexts C ‰

Cδ,j are different in all their blocks, then sSMNj,0 “ sSMN

δ,j,0 and sSMNj,1 “

C0||rsSMNδ,j,1 sc ‰ sSMN

δ,j,1 . This means that the state is fresh and can be hitwith some older state with probability 1{2c. In total, the j-th decryption

query sets event hit with probability at most:σEσD,j`σD,jpσD,1`...`σD,j´1q

2c .

Here we have one subcase, or if SMN is the same. This means that C0 “

Cδ,j,0 and CIS for the message phase is the same fpsSMNj,1 q “ fpsSMN

δ,j,1 q.So the reasoning carries over the case where the rest of the ciphertext isdifferent or it has longest common prefix.

Let we say that Cδ,j shares the longest common prefix l with C and l ă m.In this case sCj,l,0 “ sCδ,j,l,0 and sCj,l,1 “ Cl||rs

Cδ,j,l,1sc ‰ sCδ,j,l,1, thus sCj,l,1

is a new state and new input to f . It can hit a certain older state withprobability 1{2c, and the same bound holds as previous.

Because we are working with intermediate tags, where after every blockmessage, the tag is released, we have the following scenario. Let cipher-texts C ‰ Cδ,j are different in all their blocks, then sCj,i,1 ‰ sCδ,j,i,1, and

rfpsCj,i,1qsτ “ tj,i. The probability to hit the tag tj,i with some older state

rfpsCδ,j,i,1qsτ -bits can be done with probability 1{2τ . In total for all decryp-

tion queries event is set with probability at most pmqD2 q{2τ . The length of

the intermediate tags is the same as the key length, so we can write forthe probability: pmqD2 q{2

k.

15

3. PMN “ PMNδ,j but AD ‰ ADδ,j . The analysis is the same as in theciphertext case, except the case where inner collision can be done betweenthe state where CIS is updated and states from the associated data (a{2r).In the rest the reasoning carries over for all new future states.

4. PMN ‰ PMNδ,j . The nonce is new so always sinit is fresh by construc-tion and all future states in this query will be new.

Summing over all queries we get:

PrpDhit| pkey_multiqq ďqDÿ

j“1

σEσD,j ` σD,jpσD,1 ` . . .` σD,j´1q

2c

`pmqD2 q

2k`qDa

2r`σD2k

ďσDσε ` σ

2D{2

2c`qDa

2r`σD `m

2q2D2k

.

Together with all the bounds from the privacy proof via (15) we get:

Prpeventq ďqp ` σε

2k`pqp ` σεq

2

2b`qpr

2c`qεa

2r`

c

8eσεqp2b

`

qpσD2c

`σDσε ` σ

2D{2

2c`qDa

2b{2`σD `m

2q2D2k

. (16)

At the end, we have the final bound for integrity of π-Cipher with interme-diate tags, that completes the proof:

AdvAuthΠ pAq ď

pqp ` σε ` σDq2

2b`1`σDpqp ` σε ` σDq

2c`qpr

2c`apqε ` qDq

2b{2`

qp ` σε ` σD2k

`m2q2D `mqD

2k`

c

8eσεqp2b

.

�

7 Conclusion

In this paper we propose a new mode of operation of the second round candidateof the CAESAR competition, π-Cipher. It supports intermediate tags. Themain idea behind this mode is to achieve an online property even in the phaseof decryption and verification. Also with it, the cipher can be used on deviceswith limited memory storage without releasing unverified plaintext.

We proved that the privacy and authenticity of π-Cipher with intermediatetags are approximately mint2k, 2c, 2b{2u and with this π-Cipher can be putamong the other CAESAR candidates and sponge based designs as ICEPOLE,Keyak, NORX and PRIMATEs [16].

16

References

[1] Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, NickyMouha, and Kan Yasuda. Advances in Cryptology – ASIACRYPT 2014:20th International Conference on the Theory and Application of Cryptol-ogy and Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014. Proceedings, Part I, chapter How to Securely Release UnverifiedPlaintext in Authenticated Encryption, pages 105–125. Springer BerlinHeidelberg, Berlin, Heidelberg, 2014.

[2] Mihir Bellare and Chanathip Namprempre. Advances in Cryptology —ASIACRYPT 2000: 6th International Conference on the Theory and Ap-plication of Cryptology and Information Security Kyoto, Japan, Decem-ber 3–7, 2000 Proceedings, chapter Authenticated Encryption: Relationsamong Notions and Analysis of the Generic Composition Paradigm, pages531–545. Springer Berlin Heidelberg, Berlin, Heidelberg, 2000.

[3] Mihir Bellare, Phillip Rogaway, and David Wagner. Fast Software En-cryption: 11th International Workshop, FSE 2004, Delhi, India, February5-7, 2004. Revised Papers, chapter The EAX Mode of Operation, pages389–407. Springer Berlin Heidelberg, Berlin, Heidelberg, 2004.

[4] D. J. Bernstein. Caesar: Competition for authenticated encryption: Se-curity, applicability, and robustness. CAESAR web page, 2013. http:

//competitions.cr.yp.to/index.html.

[5] Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Assche. SelectedAreas in Cryptography: 18th International Workshop, SAC 2011, Toronto,ON, Canada, August 11-12, 2011, Revised Selected Papers, chapter Du-plexing the Sponge: Single-Pass Authenticated Encryption and Other Ap-plications, pages 320–337. Springer Berlin Heidelberg, Berlin, Heidelberg,2012.

[6] Chanathip Namprempre, Phillip Rogaway, and Thomas Shrimpton. AE5Security Notions. Definitions Implicit in the CAESAR Call. CryptologyePrint Archive, 2013. https://eprint.iacr.org/2013/242.pdf.

[7] Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and MartinSchlaffer. Ascon v1.1. CAESAR web page, 2015. https://competitions.cr.yp.to/round2/asconv11.pdf.

[8] Danilo Gligoroski, Hristina Mihajloska, Simona Samardjiska, Hakon Ja-cobsen, Mohamed El-Hadedy, Rune Erlend Jensen, and Daniel Otte. π-Cipher v2.0. CAESAR web page, 2015. https://competitions.cr.yp.

to/round2/picipherv20.pdf.

[9] Morris J. Dworkin. Sp 800-38c. recommendation for block cipher modes ofoperation: The ccm mode for authentication and confidentiality. Technicalreport, Gaithersburg, MD, United States, 2004.

17

[10] Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, ElmarTischhauser, and Kan Yasuda. AES-COPA v2.0. CAESAR web page,2015. https://competitions.cr.yp.to/round2/aescopav2.pdf.

[11] Elena Andreeva, Begul Bilgin, Andrey Bogdanov, Atul Luykx, FlorianMendel, Bart Mennink, Nicky Mouha, Qingju Wang, and Kan Yasuda.PRIMATEs v1.02. CAESAR web page, 2015. https://competitions.

cr.yp.to/round2/primatesv102.pdf.

[12] Abed Farzaneh, Scott Fluhrer, John Foley, Christian Forler, Eik List, Ste-fan Lucks, David McGrew, and Jakob Wenzel. The POET Family of On-Line Authenticated Encryption Schemes v2.0. CAESAR web page, 2015.https://competitions.cr.yp.to/round2/poetv20.pdf.

[13] Guido Bertoni, Joan Daemen, Michael Peeters, Gilles Van Assche, andRonny Van Keer. Keyak v2. CAESAR web page, 2015. https://

competitions.cr.yp.to/round2/keyakv2.pdf.

[14] Viet Tung Hoang, Reza Reyhanitabar, Phillip Rogaway, and Damian Vizar.Advances in Cryptology – CRYPTO 2015: 35th Annual Cryptology Con-ference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, PartI, chapter Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance, pages 493–517. Springer Berlin Heidelberg, Berlin, Heidelberg,2015.

[15] Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves. NORXv2.0. CAESAR web page, 2015. https://competitions.cr.yp.to/

round2/norxv20.pdf.

[16] Philipp Jovanovic, Atul Luykx, and Bart Mennink. Beyond 2c2 securityin sponge-based authenticated encryption modes. In Palash Sarkar andTetsu Iwata, editors, Advances in Cryptology ASIACRYPT 2014, volume8873 of Lecture Notes in Computer Science, pages 85–104. Springer BerlinHeidelberg, 2014.

[17] Markku-Juhani O. Saarinen and Billy B. Brumley. STRIBOBr2: WHIRL-BOB. CAESAR web page, 2015. https://competitions.cr.yp.to/

round2/stribobr2.pdf.

[18] David A. McGrew and John Viega. Progress in Cryptology - INDOCRYPT2004: 5th International Conference on Cryptology in India, Chennai, India,December 20-22, 2004. Proceedings, chapter The Security and Performanceof the Galois/Counter Mode (GCM) of Operation, pages 343–355. SpringerBerlin Heidelberg, Berlin, Heidelberg, 2005.

[19] Nilanjan Datta and Mridul Nandi. ELmD v2.0. CAESAR web page, 2015.https://competitions.cr.yp.to/round2/elmdv20.pdf.

18

[20] Pawel Morawiecki, Kris Gaj, Ekawat Homsirikamol, Krystian Matusiewicz,Josef Pieprzyk, Marcin Rogawski, Marian Srebrny, and Marcin Wojcik.ICPOLE v2. CAESAR web page, 2015. https://competitions.cr.yp.

to/round2/icepolev2.pdf.

[21] Phillip Rogaway. Advances in Cryptology - ASIACRYPT 2004: 10th In-ternational Conference on the Theory and Application of Cryptology andInformation Security, Jeju Island, Korea, December 5-9, 2004. Proceed-ings, chapter Efficient Instantiations of Tweakable Blockciphers and Refine-ments to Modes OCB and PMAC, pages 16–31. Springer Berlin Heidelberg,Berlin, Heidelberg, 2004.

[22] Phillip Rogaway and Thomas Shrimpton. Advances in Cryptology - EURO-CRYPT 2006: 24th Annual International Conference on the Theory andApplications of Cryptographic Techniques, St. Petersburg, Russia, May 28- June 1, 2006. Proceedings, chapter A Provable-Security Treatment of theKey-Wrap Problem, pages 373–390. Springer Berlin Heidelberg, Berlin,Heidelberg, 2006.

[23] Phillip Rogaway and Thomas Shrimpton. Advances in Cryptology - EURO-CRYPT 2006: 24th Annual International Conference on the Theory andApplications of Cryptographic Techniques, St. Petersburg, Russia, May 28- June 1, 2006. Proceedings, chapter A Provable-Security Treatment of theKey-Wrap Problem, pages 373–390. Springer Berlin Heidelberg, Berlin,Heidelberg, 2006.

19