# Deterministic Authenticated Encryption Scheme for Memory Constrained Devices

Megha Agrawal, Donghoon Chang and Jinkeon Kang

## Abstract


## 1. Introduction

## 2. Related Work

## 3. Preliminaries

**Definition 1 (DAE).**

**Definition 2 (Deterministic Privacy (detPriv)).**

**Definition 3 (Deterministic Authenticity (detAuth)).**

**Definition 4 (PRF Advantage).**

**Definition 5 (rka-ind-advantage).**

## 4. Specifications of dAELM

#### 4.1. An Operational Scenario for the Proposed Scheme

#### 4.2. Description

Algorithm 1: Encryption ${\mathcal{E}}_{K}(A,M)$

Algorithm 2: Decryption ${\mathcal{D}}_{K}(A,C,T)$

## 5. Security Results for the New Construction dAELM

#### 5.1. Privacy

**Theorem 1.**

**Proof.**

**Adversary ${\mathcal{B}}_{A}$**: In this game, the challenger chooses the key K, and adversary ${\mathcal{B}}_{A}$ is provided with the oracles $\mathcal{O}(RK(*,K),\cdot)$, which are simply a related-key oracle and a $\pi$ oracle. For each $(A,M)$ query, adversary $\mathcal{B}$ internally calls oracle $\mathcal{O}$ and replies to adversary A with the answer $(C,T)$.

**Lemma 1.**

**Adversary ${D}_{A}$**: In this game, the challenger chooses the key K, and adversary ${D}_{A}$ is provided with the oracle $\mathcal{O}(\cdot)$, which is either a $MAC^{g(K,\cdot)}(\cdot)$ oracle or a $\$(\cdot)$ oracle. For each $(A,M)$ query, adversary D internally calls oracle $\mathcal{O}$ and replies to adversary A with the answer $(C,T)$.

**Lemma 2.**

#### 5.2. Authenticity

- Adversary A can query the encryption oracle $\mathcal{E}$ and the decryption oracle $\mathcal{D}$ at most $q_{enc}$ and $q_{dec}$ times, respectively.
- All responses of the encryption oracle $\mathcal{E}$ are stored in a set, say R. This set contains every $(A,C,T)$ tuple that has been returned by an encryption query.
- If adversary A is able to generate a new tuple $(A,C,T) \notin R$ that produces a valid message M, then he wins and the output is 1; otherwise, the output is 0 after trying $q_{dec}$ queries.

**Theorem 2.**

**Proof.**

- An adversary generates a forgery tuple $(A', C', T')$ that produces a valid $M'$ such that $(\ast, \ast, T') \in R$; i.e., he chooses a new $(A, C)$ pair that corresponds to the same tag $T_i$ $(= T')$ previously returned for some other $(A_i, C_i)$, where $1 \le i \le q_{enc}$. $T'$ and $T_i$ correspond to the same session key $K^{*}$ for the given key K, and this same $K^{*}$ produces the same output for all further block cipher calls. This can be divided into two cases.
  - (a) $C' = C_i$: In this case, necessarily $A' \ne A_i$. As all block cipher outputs are the same, XORing them with $C$ $(= C_i)$ produces the same $M$ $(= M_i)$. For a successful forgery, at least one parameter in the $(A', C', T')$ tuple must differ. Since $C' = C_i$ and $T' = T_i$, $A'$ must differ from $A_i$. Therefore, the probability of this case is the same as the birthday bound on the MAC output.
  - (b) $C' \ne C_i$: In this case, for $T_i$ $(= T')$, $C' \ne C_i$ results in $M' \ne M_i$. Therefore, the probability of this case again becomes the same as the birthday bound on the MAC output.

  Therefore, the overall probability of this case is $\frac{q_{dec}^{2}}{2^{n}}$.
- An adversary generates a forgery tuple $(A', C', T')$ where $T'$ is new, i.e. $(\ast, \ast, T') \notin R$. This case is possible in two scenarios:
  - (a) The adversary guesses the key K correctly; i.e., he has access to the system and can generate any number of valid queries. The probability of this case is equivalent to guessing the key, which is $\frac{1}{2^{n}}$.
  - (b) Suppose the adversary guesses the tag $T'$ correctly for the given key K and $(A', M')$ pair. Then, to compute the ciphertext, he also needs to guess the session key $K'$; only then can he generate the forgery. Therefore, the probability of this case is the product of the probabilities of guessing the tag $T'$ and the session key $K'$, which equals $\frac{1}{2^{2n}}$.

  Therefore, the overall probability of this case is $\frac{1}{2^{n}}$.

## 6. Comparison

## 7. Software Implementation

Algorithm 3: Decryption ${\mathcal{D}}_{K}(A,C,T)$

Algorithm 4: $AES\_CTR\_DEC\_4BLOCKS(K,C,CTR)$

- $C = C_1 \| C_2 \| C_3 \| C_4$, where $|C_i| = 128$ for $i = 1,2,3,4$
- $M_1 = C_1 \oplus AES_K(CTR)$
- $M_2 = C_2 \oplus AES_K(CTR+1)$
- $M_3 = C_3 \oplus AES_K(CTR+2)$
- $M_4 = C_4 \oplus AES_K(CTR+3)$
- $M = M_1 \| M_2 \| M_3 \| M_4$
- Return M
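The following Python block is an added example, not code from the paper or its implementation. It does two things: it implements a four-block CTR decryption routine in the shape of Algorithm 4 (and, going beyond the page, streams a ciphertext of any length through that routine four blocks at a time, which is the memory-bounded processing Section 7 and Figure 6 are about), and it runs the detAuth forgery experiment of Section 5.2 against a stand-in deterministic AE built on that routine. Everything here is assumed: `prf_block` stands in for $AES_K$ with HMAC-SHA256 truncated to 128 bits (CTR mode only needs the cipher's forward direction, and this keeps the example dependency-free); `toy_dae_enc`/`toy_dae_dec` are an SIV-like toy that derives a tag from $(A, M)$ and a session key from the tag, mirroring the structure the Theorem 2 proof describes, and are not dAELM's Algorithms 1 and 2, whose bodies this page does not show; the key and messages are constructed.

```python
"""Added example (not the paper's code): an Algorithm 4 style four-block
CTR decryption routine, a stand-in deterministic AE built on it, and the
detAuth forgery experiment of Section 5.2 run against that stand-in."""
import hashlib
import hmac

BLOCK = 16                      # 128-bit blocks, so n = 128
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()  # constructed


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_K(block): HMAC-SHA256 truncated to one block.
    CTR mode uses only the forward direction of the block cipher, so any
    keyed PRF with a 128-bit output makes the routine runnable offline."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_dec_4blocks(key: bytes, c: bytes, ctr: int) -> bytes:
    """Algorithm 4: M_i = C_i XOR E_K(CTR + i - 1) for i = 1..4, with the
    counter taken mod 2^128. Only a 64-byte ciphertext chunk plus one
    keystream block is live at any time."""
    assert len(c) == 4 * BLOCK
    m = bytearray()
    for i in range(4):
        ctr_block = ((ctr + i) % (1 << 128)).to_bytes(BLOCK, "big")
        ks = prf_block(key, ctr_block)
        m += bytes(x ^ y for x, y in zip(c[i * BLOCK:(i + 1) * BLOCK], ks))
    return bytes(m)


def ctr_xcrypt(key: bytes, data: bytes, ctr: int) -> bytes:
    """Our generalisation: stream any length through the 4-block routine,
    advancing CTR by 4 per chunk; CTR is symmetric, so this also encrypts."""
    out = bytearray()
    for off in range(0, len(data), 4 * BLOCK):
        chunk = data[off:off + 4 * BLOCK]
        padded = chunk + bytes(4 * BLOCK - len(chunk))  # zero-pad last chunk
        out += ctr_dec_4blocks(key, padded, ctr)[:len(chunk)]
        ctr += 4
    return bytes(out)


def _tag(key: bytes, a: bytes, m: bytes) -> bytes:
    # Length-prefixing A keeps the encoding of (A, M) injective.
    return hmac.new(key, len(a).to_bytes(4, "big") + a + m,
                    hashlib.sha256).digest()[:BLOCK]


def _session_key(key: bytes, tag: bytes) -> bytes:
    return hmac.new(key, b"session-key" + tag, hashlib.sha256).digest()


def toy_dae_enc(key: bytes, a: bytes, m: bytes):
    """Stand-in DAE (ours, SIV-like, NOT dAELM's Algorithm 1): T = MAC_K(A, M),
    session key K* = f_K(T), C = CTR_{K*}(M) with the counter taken from T."""
    tag = _tag(key, a, m)
    ctr = int.from_bytes(tag, "big")
    return ctr_xcrypt(_session_key(key, tag), m, ctr), tag


def toy_dae_dec(key: bytes, a: bytes, c: bytes, tag: bytes):
    """Decrypt, then verify the tag in constant time; reject with None."""
    m = ctr_xcrypt(_session_key(key, tag), c, int.from_bytes(tag, "big"))
    return m if hmac.compare_digest(_tag(key, a, m), tag) else None


class DetAuthGame:
    """The detAuth experiment: answers of E are recorded in R; A wins if a
    D-query on some (A, C, T) not in R yields a valid message."""

    def __init__(self, key: bytes, q_enc: int, q_dec: int):
        self.key, self.q_enc, self.q_dec = key, q_enc, q_dec
        self.R, self.won = set(), False

    def enc_oracle(self, a: bytes, m: bytes):
        assert self.q_enc > 0, "q_enc budget exhausted"
        self.q_enc -= 1
        c, t = toy_dae_enc(self.key, a, m)
        self.R.add((a, c, t))
        return c, t

    def dec_oracle(self, a: bytes, c: bytes, t: bytes):
        assert self.q_dec > 0, "q_dec budget exhausted"
        self.q_dec -= 1
        m = toy_dae_dec(self.key, a, c, t)
        if m is not None and (a, c, t) not in self.R:
            self.won = True
        return m


def run_replay_forger(key: bytes = DEMO_KEY) -> bool:
    """Plays the tag-reuse cases of the Theorem 2 proof (same T with a new
    A, same T with a changed C) and a guessed new T. Returns game.won."""
    game = DetAuthGame(key, q_enc=1, q_dec=4)
    a = b"header"
    m = b"a constructed plaintext long enough to span two four-block chunks"
    c, t = game.enc_oracle(a, m)
    assert game.dec_oracle(a, c, t) == m              # replay: in R, no forgery
    game.dec_oracle(b"header2", c, t)                 # case 1(a): A' != A_i
    game.dec_oracle(a, bytes([c[0] ^ 1]) + c[1:], t)  # case 1(b): C' != C_i
    game.dec_oracle(a, c, bytes(BLOCK))               # case 2: guessed new T'
    return game.won
```

`run_replay_forger()` returns `False`: the replayed tuple is in R and so does not count, and every modified tuple fails tag verification because the session key and keystream are bound to the tag, which is exactly why the proof reduces both tag-reuse cases to the birthday bound on the MAC. To swap in real AES, replace `prf_block` with a single-block AES encryption under `key`; nothing else in the routine changes.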

## 8. Discussion

## 9. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## Appendix A. Games for Security Proof

#### Appendix A.1. Games for Privacy and Authenticity Proofs for dAELM

## References

1. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. 2014. Available online: http://competitions.cr.yp.to/caesar.html (accessed on 30 November 2018).
2. Bellare, M.; Namprempre, C. Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm. J. Cryptol. 2008, 21, 469–491.
3. Bellare, M.; Rogaway, P. Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography. In ASIACRYPT; Okamoto, T., Ed.; Springer: Berlin, Germany, 2000; Volume 1976, pp. 317–330.
4. Jutla, C.S. Encryption Modes with Almost Free Message Integrity. In Advances in Cryptology—EUROCRYPT 2001; Pfitzmann, B., Ed.; Springer: Berlin, Germany, 2001; Volume 2045, pp. 529–544.
5. Rogaway, P.; Bellare, M.; Black, J. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 2003, 6, 365–403.
6. Rogaway, P. Authenticated-encryption with associated-data. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, 18–22 November 2002; pp. 98–107.
7. Gligor, V.D.; Donescu, P. Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes. In Fast Software Encryption; Matsui, M., Ed.; Springer: Berlin, Germany, 2001; Volume 2355, pp. 92–108.
8. Rogaway, P.; Shrimpton, T. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem. In Advances in Cryptology—EUROCRYPT 2006; Springer: Berlin, Germany, 2006; Volume 2006, p. 221.
9. Fouque, P.A.; Joux, A.; Martinet, G.; Valette, F. Authenticated On-Line Encryption. In Selected Areas in Cryptography; Matsui, M., Zuccherato, R.J., Eds.; Springer: Berlin, Germany, 2003; Volume 3006, pp. 145–159.
10. Agrawal, M.; Chang, D.; Sanadhya, S. sp-AELM: Sponge Based Authenticated Encryption Scheme for Memory Constrained Devices. In Information Security and Privacy; Foo, E., Stebila, D., Eds.; Springer: Berlin, Germany, 2015; Volume 9144, pp. 451–468.
11. Engels, D.W.; Saarinen, M.O.; Schweitzer, P.; Smith, E.M. The Hummingbird-2 Lightweight Authenticated Encryption Algorithm. In RFID, Security and Privacy; Revised Selected Papers; Juels, A., Paar, C., Eds.; Springer: Berlin, Germany, 2011; Volume 7055, pp. 19–31.
12. Bogdanov, A.; Mendel, F.; Regazzoni, F.; Rijmen, V.; Tischhauser, E. ALE: AES-Based Lightweight Authenticated Encryption. In Fast Software Encryption; Moriai, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2014.
13. Dobraunig, C.; Eichlseder, M.; Mendel, F.; Schläffer, M. Ascon v1. Available online: http://competitions.cr.yp.to/round1/asconv1.pdf (accessed on 30 November 2018).
14. Aumasson, J.P.; Jovanovic, P.; Neves, S. NORX: Parallel and Scalable AEAD. 2014. Available online: https://norx.io/ (accessed on 30 November 2018).
15. Bertoni, G.; Daemen, J.; Peeters, M.; van Assche, G.; van Keer, R. Ketje v1. Available online: http://competitions.cr.yp.to/round1/ketjev11.pdf (accessed on 30 November 2018).
16. Hwang, T.; Gope, P. PFX: An essence of authencryption for block-cipher security. Secur. Commun. Netw. 2016, 9, 1186–1197.
17. Hwang, T.; Gope, P. IAR-CTR and IAR-CFB: Integrity aware real-time based counter and cipher feedback modes. Secur. Commun. Netw. 2015, 8, 3939–3952.
18. Hoang, V.T.; Reyhanitabar, R.; Rogaway, P.; Vizár, D. Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance. In Advances in Cryptology—CRYPTO 2015; Gennaro, R., Robshaw, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2015; pp. 493–517.
19. Bellare, M.; Rogaway, P. Code-Based Game-Playing Proofs and the Security of Triple Encryption. In Advances in Cryptology—EUROCRYPT 2006; Springer: Berlin/Heidelberg, Germany, 2006; Volume 2004, p. 331.

**Figure 1.** sp-AELM construction [10].

**Figure 6.** A graph showing memory usage by the cryptomodule during the decryption process, where the x-axis represents the length of the message and the y-axis represents the memory usage in bytes. This is the case where HMAC-SHA1 is used as the MAC function, which processes the message in 512-bit blocks.

**Table 1.** Results of a comparison of dAELM with sp-AELM, OAE2, and SIV, where $\tau$ represents the tag length.

Parameters | sp-AELM [10] | OAE2 [18] | SIV [8] | dAELM [This Paper]
---|---|---|---|---
Type of AE | Randomized | Randomized | Deterministic | Deterministic
Online Encryption | Yes | Yes | No | No
Online Decryption | No | Yes | No | No
Low memory support | Yes | Yes | No | Yes
Misuse-resistant | No | No | Yes | Yes
Segmentation | Fixed size block | Variable size segment | Fixed size block | Fixed size block
Ciphertext expansion | $\tau$ bits | $\tau$ bits per segment | $\tau$ bits | $\tau$ bits

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

**Citation:** Agrawal, M.; Chang, D.; Kang, J. Deterministic Authenticated Encryption Scheme for Memory Constrained Devices. *Cryptography* **2018**, *2*, 37. https://doi.org/10.3390/cryptography2040037
