Next Article in Journal
Dual Toeplitz Operators on the Orthogonal Complement of the Generalized Fock Space
Next Article in Special Issue
Lattice-Based Revocable Certificateless Public Key Encryption for Team Score Orienteering
Previous Article in Journal
Solving the Advection Diffusion Reaction Equations by Using the Enhanced Higher-Order Unconditionally Positive Finite Difference Method
Previous Article in Special Issue
Key Backup and Recovery for Resilient DID Environment
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Polynomial Intermediate Checksum for Integrity under Releasing Unverified Plaintext and Its Application to COPA

School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Mathematics 2024, 12(7), 1011; https://doi.org/10.3390/math12071011
Submission received: 4 March 2024 / Revised: 20 March 2024 / Accepted: 26 March 2024 / Published: 28 March 2024
(This article belongs to the Special Issue Trends in Cryptography and Information Security)

Abstract

:
COPA, introduced by Andreeva et al., is the first online authenticated encryption (AE) mode with nonce-misuse resistance, and it is covered in COLM, which is one of the final CAESAR portfolios. However, COPA has been proven to be insecure in the releasing unverified plaintext (RUP) setting. This paper mainly focuses on the integrity under RUP (INT-RUP) defect of COPA. Firstly, this paper revisits the INT-RUP security model for adaptive adversaries, investigates the possible factors of INT-RUP insecurity for “Encryption-Mix-Encryption”-type checksum-based AE schemes, and finds that these AE schemes with INT-RUP security vulnerabilities utilize a common poor checksum technique. Then, this paper introduces an improved checksum technique named polynomial intermediate checksum (PIC) for INT-RUP security and emphasizes that PIC is a sufficient condition for guaranteeing INT-RUP security for “Encryption-Mix-Encryption”-type checksum-based AE schemes. PIC is generated by a polynomial sum with full terms of intermediate internal states, which guarantees no information leakage. Moreover, PIC ensures the same level between the plaintext and the ciphertext, which guarantees that the adversary cannot obtain any useful information from the unverified decryption queries. Again, based on PIC, this paper proposes a modified scheme COPA-PIC to fix the INT-RUP defect of COPA. COPA-PIC is proven to be INT-RUP up to the birthday-bound security if the underlying primitive is secure. Finally, this paper discusses the properties of COPA-PIC and makes a comparison for AE modes with distinct checksum techniques. The proposed work is of good practical significance. In an interactive system where two parties communicate, the receiver can effectively determine whether the information received from the sender is valid or not, and thus perform the subsequent operation more effectively.

1. Introduction

1.1. Background

With the increasing demand for lightweight sensors in the development of space–aerial–ground–sea cooperative information networks, and the scalability, timeliness, and security of the network, lightweight cryptography has been deeply explored in academia and industry. To solve the practical application problems, authenticated encryption (AE) has been extended to lightweight AE, which provides both privacy and authenticity on resource-constrained devices. In conventional security models of AE, the decrypted plaintext must be released after integrity is successfully verified. However, in lightweight devices, there are not enough resources to store the whole decrypted plaintext. Moreover, there exist side channel attacks to obtain the properties of the plaintext indirectly. Thus, releasing the decrypted plaintext before verification (releasing unverified plaintext, RUP) is often desirable and can contribute effectively to the improvement of efficiency in lightweight devices [1,2,3,4].
Andreeva et al. introduced stronger security models in the RUP setting [1]. For privacy, they proposed a new notion called PA (Plaintext Awareness). PA, in fact, is a plaintext extractor which tries to deceive adversaries by simulating the decryption oracle. An AE scheme is PA if it is infeasible to distinguish the decryption oracle from the plaintext extractor. For authenticity, they proposed a new notion called INT-RUP (Integrity under Releasing Unverified Plaintext). INT-RUP is a stronger security metric than INT-CTXT (Integrity of Ciphertext). An AE scheme is INT-RUP if an adversary can not generate a fresh valid ciphertext–tag pair given the additional power of access to an unverified decryption oracle, after the encryption oracle. This paper is only interested in INT-RUP security of various AE schemes.
OCB [5,6,7] and COPA [8] are not INT-RUP. Andreeva et al. presented a forgery attack under the INT-RUP security model and left fixing OCB and COPA to be INT-RUP in an efficient way as an open problem [1]. Zhang et al. focused on the weakness of the checksum processing, described a new generalized checksum technique—PCC (Plaintext and Ciphertext Checksum)—and proved that all AE schemes with PCC are insecure under the INT-RUP security model [9]. To fix the weakness of PCC, they provided an intermediate checksum (IC) technique to generate the authentication tag. Based on the IC technique, they proposed a modified OCB scheme with IC, called OCB-IC, to settle the INT-RUP security of OCB [9,10]. Chakraborti et al. focused on the rate (which means the number of message blocks processed per block of cipher invocation) of block-cipher-based AE schemes to find the cause of INT-RUP insecurity [11]. They considered the weakness during the tag processing, showed a generic INT-RUP attack on a “rate-1” block-cipher-based affine AE mode, described an INT-RUP attack on CPFB (rate-3/4), and presented a variant mCPFB (rate-3/4) which supports INT-RUP security. Zhang and Wu focused on the security of online AE schemes in a RUP setting and looked for the reason of the INT-RUP insecurity of the schemes [12]. They found that if the encryption part of AE schemes has a CCJP (Control Ciphertext to Jump between two Plaintexts) property and the input of the authentication part is built by linear combinations of all plaintext blocks (i.e., the authentication tag is generated by the plaintext checksum), it is easy to make an INT-RUP forgery attack. Datta et al. investigated the integrity of the COLM structure in an RUP setting, rewrote a nonce-respecting INT-RUP forgery attack against COPA’s XOR mixing, and presented nonce-respecting and nonce-misusing INT-RUP forgery attacks for any mixing functions [13]. They demonstrated that its security highly depends on the choice of mixing function. Hirose et al. focused on the security of rate-1 AE schemes under RUP [14]. They showed that any rate-1 AE scheme cannot satisfy strong security requirements under RUP and then introduced new strictly weaker security notions of tag-PA and tag-INT by relaxing the security requirements; finally, they presented a new rate-1 AE scheme OCBt which is both tag-PA and tag-INT. They considered the efficiency by rate-1 and full parallelizability and security by robustness against decryption misuse. Chakraborti et al. considered the INT-RUP security of AE schemes under the lightweight application and proposed two lightweight AE modes: LOCUS and LOTUS with higher security and lighter primitives [15]. They utilized the intermediate checksum technique to generate the final authentication tag. In addition to the one-pass AE schemes with INT-RUP security, there exist two-pass AE modes with INT-RUP security. Andreeva et al. considered the INT-RUP security of SIV, HBS, and BTM and proved their INT-RUP security [1]. Chang et al. proposed a lightweight deterministic AE mode ANYDAE and proved that ANYDAE achieves INT-RUP security [16]. Recently, Andreeva et al. focused on the rate-1 online fork AE mode SAEF and showed that SAEF is INT-RUP secure up to the birthday bound by the H-coefficient technique [17]. Datta et al. considered SAEB and TinyJAMBU and presented their integrity security in the setting of a releasing unverified plaintext model [18].
This paper revisits the possible causes which result in INT-RUP insecurity, investigates almost all of the one-pass checksum-based AE schemes [5,6,7,8,11,13,19,20,21,22,23,24,25,26,27], and finds that these AE schemes with INT-RUP security defects utilize a common checksum technique. This paper focuses on the weakness of the checksum technique and tries to introduce an improved checksum technique to settle the INT-RUP security of COPA.

1.2. Problem Statement

For almost all of the one-pass AE schemes, their checksum is generated by the XOR-sum of all plaintext blocks, which results in INT-RUP insecurity. Andreeva et al. presented a forgery attack with a high probability by making one encryption query and two decryption queries under the INT-RUP security model, and they left fixing COPA to be INT-RUP in an efficient way as an open problem [1].
The IC technique [9,10] is a good technique for settling the INT-RUP security defect of OCB. However, the IC technique cannot be directly applied to COPA. COPA is an authenticated online cipher, which means that the i-block ciphertext just relies on the first i plaintext blocks. In other words, the intermediate checksum in this case only relates to the last ciphertext block. Even if you utilize the encrypted internal states to generate the intermediate checksum, the adversary just needs to keep the last ciphertext block the same to make a successful forgery. In addition, the intermediate parity checksum (IPC) technique [10] was utilized to try to settle the INT-RUP security defect of COPA, but it ultimately failed. The i-block plaintext can be recovered by the ( i 1 ) -block ciphertext and the i-block ciphertext, which can be used by adversaries to launch forgery attacks. Therefore, it is necessary to propose a new improved intermediate checksum technique for settling the INT-RUP security defect of COPA.

1.3. Our Contributions

This paper mainly considers the INT-RUP insecurity of COPA and focuses on the weakness of the checksum processing. This paper first revisits the INT-RUP security model which allows for an adaptive adversary to make queries in any order and then introduces a new improved checksum technique: polynomial intermediate checksum (PIC), which is a generalization of IC. In the PIC technique, the intermediate internal states generated by either an encryption or a decryption algorithm are hidden from the adversaries, and PIC is generated by a polynomial sum with full terms of intermediate internal states, which guarantees no information leakage. Moreover, PIC maintains the same level between the plaintext and the ciphertext, which guarantees that the adversary cannot obtain any useful information from the unverified decryption queries. This technique is very effective in solving the INT-RUP security of checksum-based AE schemes. Finally, based on the PIC technique, a modified scheme called COPA-PIC is proposed to fix the INT-RUP security defect of COPA. COPA-PIC retains the main structure and the advantages of COPA.
From the perspective of the design idea, at the beginning, COPA-PIC is designed in terms of tweakable blockciphers (TBCs), as TBC-based AE modes have more advantages than AE modes based on other primitives; particularly, their structure is clear and their proof is simple [19,22,28,29,30,31]. In addition, TBCs can also be constructed by distinct primitives. Therefore, a TBC-based COPA-PIC is first illustrated, and then a blockcipher-based TBC and a permutation-based TBC are utilized to further instantiate COPA-PIC.
From the perspective of the security guarantee, COPA-PIC is proven INT-RUP up to the birthday bound of n / 2 -bit security if the underlying primitive (including TBC, block cipher, and permutation) is secure, where n is the block size of the underlying primitive.
From the perspective of the efficiency, the number of underlying primitive invocations of COPA-PIC is less than that of COPA. To be specific, let a be the number of blocks of the associated data and l be the number of blocks of the plaintext. Then, the encryption, decryption, and verification algorithms of COPA-PIC invoke a + 2 l + 2 , a + 2 l + 2 , and a + l + 2 underlying primitives, respectively, while the encryption, decryption, and verification algorithms of COPA invoke a + 2 l + 2 underlying primitives. In other words, the encryption and decryption costs of COPA-PIC are the same as those of COPA, but the verification cost of COPA-PIC is close to half of COPA. In practical scenarios, such as an interactive system where two parties communicate, the receiver can first effectively determine whether the information received from the sender is valid or not, and then perform the decryption operation more effectively to obtain the correct plaintext. Therefore, the efficiency of COPA-PIC is significantly improved in practical applications. The comparison between COPA and COPA-PIC is shown in Table 1.
The proposed work is of high significance to both theoretical investigations and practical applications. This work supports Zhang and Wu’s view that it is easy to make an INT-RUP forgery attack if the encryption part of the AE schemes has a CCJP property and the input of the authentication part is mainly subject to linear combinations of all plaintext blocks [12]. The PIC technique is essentially an improvement of Chakraborti et al.’s technique and covers the IC technique. The PIC technique aims to settle the problem of INT-RUP security for “Encryption-Mix-Encryption”-type checksum-based AE schemes. Moreover, the proposed work also meets the requirements of strong security and high efficiency in lightweight devices in the next-generation network. In particular, it is of good practical significance to establish the rapid feedback mechanism of third-party error authentication.

1.4. Organization of This Paper

Some preliminaries are presented in Section 2. A new polynomial intermediate checksum (PIC) technique is described in Section 3. Section 4 provides a modified scheme COPA-PIC to fix the INT-RUP security defect of COPA and derives its security proof. Finally, this paper concludes with some discussions and a mention of future works in Section 5.

2. Preliminaries

The basic notations and concepts closely follow [9,10]. Some of the important symbols are described in Abbreviations.
  • Block ciphers. Block cipher is an important part of symmetric-key ciphers, and its standardized algorithms, such as AES or SM4, have been widely used in practice.
Let E : K × { 0 , 1 } n { 0 , 1 } n be a block cipher, where K is a key space and n is the block size. For any K K , E K ( · ) = E ( K , · ) is an n-bit permutation. Let A be an adversary with access to the encryption oracle or encryption and decryption oracles; then, the pseudorandom permutation (PRP) and strong pseudorandom permutation (SPRP) advantages of A against E are, respectively, defined as
A d v E p r p ( A ) = | P r [ K $ K : A E K 1 ] P r [ π $ P e r m ( n ) : A π 1 ] | , A d v E s p r p ( A ) = | P r [ K $ K : A E K ± 1 1 ] P r [ π $ P e r m ( n ) : A π ± 1 1 ] | .
  • Tweakable blockciphers (TBCs). As the generalization of block ciphers, TBCs have been widely used in the fields of disk encryption, length-preserving encryption, storage encryption, etc. Related works about TBCs include [30,32,33,34,35,36,37,38,39].
Let E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where K is a key space and Γ is a tweak space. For any K K , t Γ , E ˜ K t ( · ) = E ˜ ( K , t , · ) is an n-bit permutation. Let A be an adversary with access to the tweakable encryption oracle or tweakable encryption and tweakable decryption oracles, then the tweakable PRP (TPRP) and strong TPRP (STPRP) advantages of A against E ˜ are, respectively, defined as
A d v E ˜ p r p ˜ ( A ) = | P r [ K $ K : A E ˜ K 1 ] P r [ π ˜ $ P e r m ( Γ , n ) : A π ˜ 1 ] | , A d v E ˜ s p r p ˜ ( A ) = | P r [ K $ K : A E ˜ K ± 1 1 ] P r [ π ˜ $ P e r m ( Γ , n ) : A π ˜ ± 1 1 ] | .
The above adversary is just allowed to query the encryption oracle in the tweak space Γ for TPRP, while it is allowed to query both encryption and decryption oracles in the tweak space Γ for STPRP. However, in real life, the encryption part of some cryptographic schemes is allowed to query both encryption and decryption oracles in a subset of tweaks and the authentication part of an associated data is just allowed to query the encryption oracle in another subset of tweaks, such as COPA. Granger et al. introduced a mixed security notion to settle this problem [22]. Consider a partition Γ 0 Γ 1 = Γ of the tweak space into encryption-only tweaks Γ 0 and encryption-and-decryption tweaks Γ 1 ; then, the mixed TPRP (MTPRP) advantage of A against E ˜ is defined as
A d v E ˜ m p r p ˜ ( A ) = | P r [ K $ K : A E ˜ K , E ˜ K ± 1 1 ] P r [ π ˜ $ P e r m ( Γ , n ) : A π ˜ , π ˜ ± 1 1 ] | .
Note that, here, A is not allowed to query E ˜ K 1 or π ˜ 1 for tweaks from Γ 0 . In fact, MTPRP covers TPRP if ( Γ 0 , Γ 1 ) = ( Γ , ) and STPRP if ( Γ 0 , Γ 1 ) = ( , Γ ) .
  • Construction of TBCs. TBCs can be constructed from primitives that are widely used today, such as block ciphers and permutations. In these constructions, since the tweak is an important component of TBCs, it must be instantiated in advance when implementing with block ciphers and permutations. Moreover, considering the application of TBC in the actual modes of operations, the update of the tweak is as simple as possible. In practice, due to the wide application of nonce-based encryption, authentication, and authenticated encryption modes of operations, using a nonce to instantiate a tweak has become a common technical means. Here, we consider a nonce-based instantiation of a tweak space Γ = N × I × J , where N is a nonce space, I is a large-integer set, and J is a small-integer set, and we give two general methods for constructing TBCs as follows.
Method 1: Let E : K × { 0 , 1 } n { 0 , 1 } n be a block cipher. By the XEX* construction [6], a blockcipher-based TBC E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n is built as follows:
E ˜ K N , i , j ( x ) = E K ( x Δ ) a n d E ˜ K N , i , j ( x ) = E K ( x Δ ) Δ ,
where K K , ( N , i , j ) Γ 0 , ( N , i , j ) Γ 1 , Γ 0 Γ 1 = , Γ 0 Γ 1 Γ , Δ = 2 i 3 j L , Δ = 2 i 3 j L , and  L = E K ( N ) .
Method 2: Let π : { 0 , 1 } n { 0 , 1 } n be a public n-bit permutation. By the MEM construction [22], a permutation-based TBC E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n is built as follows:
E ˜ K N , i , j ( x ) = π ( x Δ ) a n d E ˜ K N , i , j ( x ) = π ( x Δ ) Δ ,
where K K , ( N , i , j ) Γ 0 , ( N , i , j ) Γ 1 , Γ 0 Γ 1 = , Γ 0 Γ 1 Γ , Δ = 2 i 3 j L , Δ = 2 i 3 j L , and  L = π ( N | | K ) .
The security of these two general methods for constructing TBCs is shown in the following lemmas.
Lemma 1
(XEX* [6]). Assume that the adversary makes q construction queries to E ˜ and E ˜ 1 and 2 i 3 j 1 for all ( i , j ) I × J . Let E ˜ = X E X * [ E , 2 I 3 J ] ; then,
A d v E ˜ m p r p ˜ ( q ) A d v E s p r p ( 2 q ) + 9.5 q 2 / 2 n .
Lemma 2
(MEM [22]). Assume that the adversary makes q construction queries to E ˜ and E ˜ 1 and p primitive queries to π and π 1 and 2 i 3 j 1 for all ( i , j ) I × J . Let E ˜ = M E M [ π , 2 I 3 J ] ; then,
A d v E ˜ , π m p r p ˜ ( q , p ) 4.5 q 2 / 2 n + 3 q p / 2 n + p / 2 k .
  • Syntax of AE. In the RUP setting, Andreeva et al. introduced a new syntax for AE modes [1]. They divided the conventional decryption algorithm into a decryption algorithm and a verification algorithm so that the decryption algorithm always releases plaintext and the verification algorithm only performs integrity verification. The new syntax of nonce-based AE schemes Π = ( E , D , V ) consists of an encryption algorithm E : K × N × H × M C × T , a decryption algorithm D : K × N × H × C × T M , and a verification algorithm V : K × N × H × C × T / , which is described as follows:
    E K ( N , A , M ) = ( C , T ) , D K ( N , A , C , T ) = M , V K ( N , A , C , T ) = / ,
    where K K , N N , A H , M M , C C , T T , and the symbols ⊤ and ⊥ indicate the success and failure of integrity verification, respectively.
  • INT-RUP security model of AE. Let Π = ( E , D , V ) be a nonce-based AE scheme. Let K K and A be an adversary which makes at most q queries to E K ( · , · , · ) and D K ( · , · , · , · ) , and at most q v queries to V K ( · , · , · , · ) . Assume that A is an adaptive adversary which can perform encryption and decryption oracle queries in any order. In other words, A can perform the interleaved queries to E K ( · , · , · ) and D K ( · , · , · , · ) . A forges if at least one forgery attempt in all q v forgery attempts succeeds. Then, the INT-RUP-advantage of A against Π = ( E , D , V ) is defined as
    A d v Π i n t r u p ( A ) = P r [ K $ K : A E K , D K , V K f o r g e s ] .
Let A d v Π i n t r u p ( t , q , l , σ ) be the INT-RUP-advantage of the adversary A against the nonce-based AE scheme Π under the limited running time t, queries q, block length l, query complexity σ , and other resources.

3. Polynomial Intermediate Checksum (PIC) Technique

This paper investigates almost all of the “Encryption-Mix-Encryption”-type checksum-based AE schemes with INT-RUP insecurity, focuses on the weakness of their checksum technique, and tries to introduce an improved checksum technique to settle the INT-RUP insecurity of COPA. This section first introduces a polynomial intermediate checksum (PIC) technique for supporting INT-RUP security and then presents the INT-RUP security of “Encryption-Mix-Encryption”-type AE modes with PIC.

3.1. PIC Technique

The checksum technique used in the previous “Encryption-Mix-Encryption”-type AE modes includes the plaintext checksum (PC), the plaintext and ciphertext checksum (PCC), intermediate checksum (IC), and intermediate parity checksum (IPC). However, these checksum techniques do not always guarantee INT-RUP security for “Encryption-Mix-Encryption”-type AE modes. To always guarantee INT-RUP security for “Encryption-Mix-Encryption”-type AE modes, here, we introduce a new polynomial intermediate checksum (PIC) technique, which is a generalization of IC. As the name suggests, PIC is a full-term polynomial XOR-sum of intermediate internal states. The intermediate internal states are generated by encrypting all of the plaintext blocks or decrypting all of the ciphertext blocks, which make them hidden from the adversaries. In other words, PIC guarantees no information leakage.
To always guarantee the INT-RUP security, PIC must satisfy the following two conditions simultaneously:
Condition 1. It is generated by all of the plaintext blocks.
Condition 2. It is generated by all of the ciphertext blocks.
The above two conditions are indispensable. Conditions 1 and 2 show that PIC is constructed by polynomials with full terms and provides the same level for the plaintext and the ciphertext to resist the releasing unverified plaintext attack. What calls for special attention is that PIC must be a polynomial function with full terms of the plaintext blocks, and it must also be a polynomial function with full terms of the ciphertext blocks. Otherwise, leaving the missing term unchanged makes it easy to make a successful forgery. Having the same level between the plaintext and the ciphertext ensures that the adversary cannot obtain any useful information from the unverified decryption queries. In other words, PIC can resist the unverified decryption queries. For “Encryption-Mix-Encryption”-type checksum-based AE schemes, PIC is a sufficient condition for guaranteeing the INT-RUP security.

3.2. INT-RUP Security of “Encryption-Mix-Encryption”-Type AE Modes with PIC

The following mathematical model is utilized to formally describe “Encryption-Mix-Encryption”-type AE modes with PIC.
Let E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where K is a key space, Γ = N × I × J is a tweak space, N is a nonce space, I is a large-integer set, and  J is a small-integer set. Let N be a nonce, M be a plaintext, C be a ciphertext, and T be an authentication tag. The overview of “Encryption-Mix-Encryption”-type nonce-based AE modes with PIC is described in Figure 1.
Let X 1 , X 2 , , X l be the encrypted internal states of the plaintext M = ( M 1 , M 2 , , M l ) and Y 1 , Y 2 , , Y l be the decrypted internal states of the ciphertext C = ( C 1 , C 2 , , C l ) . There exists some invertible mathematical relationship R between X 1 , X 2 , , X l and Y 1 , Y 2 , , Y l , i.e.,  ( Y 1 , Y 2 , , Y l ) = R ( X 1 , X 2 , , X l ) and for each Y i , the following equation holds:
Y i = A i 1 A i 2 A i l X 1 X 2 X l B i = A i 1 X 1 A i 2 X 2 A i l X l B i
where A i i 0 for 1 i l and B i for 1 i l are arbitrary constants.
Let P I C = a 0 a 1 X 1 a l X l = b 0 b 1 Y 1 b 2 Y 2 b l Y l be a polynomial intermediate checksum, where a i , b i 0 for 1 i l and a 0 , b 0 are arbitrary constants. Then,
P I C = g ( Y 1 , Y 2 , , Y l ) = b 0 b 1 Y 1 b 2 Y 2 b l Y l = b 0 i = 1 l b i Y i = b 0 i = 1 l b i ( A i 1 X 1 A i 2 X 2 A i l X l B i ) = b 0 i = 1 l b i B i i = 1 l b i A i 1 X 1 i = 1 l b i A i l X l = a 0 a 1 X 1 a l X l = f ( X 1 , X 2 , , X l ) ,
where a i and b i ( 0 i l ) satisfy the following relationship:
( I ) a 0 = b 0 j = 1 l b j B j , i = 0 a i = j = 1 l b j A j i , 1 i l
In particular, if  A i j = 0 for any j i , then Y i = A i i X i B i , where 1 i l . It follows that the relationship (I) degenerates to
( I I ) a 0 = b 0 j = 1 l b j B j , i = 0 a i = b i A i i , 1 i l
OCB-IC [9] is a typical example when A i i = 1 and B i = 0 . In this case, Y i = X i for 1 i l and PIC degrades to IC (i.e., P I C = f ( X 1 , X 2 , , X l ) = g ( Y 1 , Y 2 , , Y l ) = X 1 X 2 X l = I C ).
If A i j = 0 for any j > i , then ( Y 1 , Y 2 , , Y l ) = R ( X 1 , X 2 , , X l ) is an online function (i.e., Y i just depends on the first i inputs X 1 , X 2 , , X i , where 1 i l ). It follows that, the relationship (I) degenerates to
( I I I ) a 0 = b 0 j = 1 l b j B j , i = 0 a i = j = i l b j A j i , 1 i l
In this case, authenticated encryption schemes are also called authenticated online ciphers. The typical authenticated online ciphers include ELmE [25], ELmD [24], and COLM [13]. Similar checksum techniques are actually used in their design. To take it one step further, if  A i 1 = = A i i = 1 , B i = c , then Y i = X 1 X 2 X i c for 1 i l , where c is an arbitrary constant. In this case, PIC must satisfy the following equation:
P I C = f ( X 1 , , X l ) = a 0 a 1 X 1 a l X l = g ( Y 1 , , Y l ) = b 0 b 1 Y 1 b l Y l ,
where a i and b i ( 0 i l ) satisfy the following relationship:
( I V ) a 0 = b 0 j = 1 l b j c , i = 0 a i = j = i l b j = b i b l , 1 i l
Theorem 1.
For “Encryption-Mix-Encryption”-type AE modes with PIC, if PIC is generated by all terms of the plaintext blocks and it can also be generated by all terms of the ciphertext blocks, then the INT-RUP security can be guaranteed.
Proof. 
Let Π = ( E K , D K , V K ) be “Encryption-Mix-Encryption”-type AE modes with PIC. Assume that the adversary A makes q e encryption queries { ( N i , M i ) } i = 1 q e to the encryption oracle E K ( · , · ) and receives ( C i , T i ) = E K ( N i , M i ) , where 1 i q e , and makes q d decryption queries { ( N * j , C * j , T * j ) } j = 1 q d to the decryption oracle D K ( · , · , · ) and obtains the unverified plaintext M * j = D K ( N * j , C * j , T * j ) , where 1 j q d . Note that ( N * j , C * j , T * j ) ( N i , C i , T i ) , 1 i q e , 1 j q d and q e + q d = q . Then, A forges q v challenge queries { ( N 1 , C 1 , T 1 ) , ( N 2 , C 2 , T 2 ) , , ( N q v , C q v , T q v ) } { ( N 1 , C 1 , T 1 ) , , ( N q e , C q e , T q e ) } to the verification oracle V K ( · , · , · ) , where C k = C 1 k C 2 k C l k k , C i = C 1 i C 2 i C l i i , 1 k q v , 1 i q e .
All TBCs of Π are replaced with tweakable random permutations to obtain Π [ π ˜ ] , where π ˜ $ P e r m ( Γ , n ) and Γ is a tweak space. Then the INT-RUP-advantage of A is
A d v Π i n t r u p ( A ) = P r [ K $ K : A E K , D K , V K f o r g e s ] | P r [ K $ K : A E K , D K , V K f o r g e s ] P r [ π ˜ $ P e r m ( Γ , n ) : A E , D , V f o r g e s ] | + P r [ π ˜ $ P e r m ( Γ , n ) : A E , D , V f o r g e s ] = A d v E ˜ m p r p ˜ ( B ) + P r [ π ˜ $ P e r m ( Γ , n ) : A E , D , V f o r g e s ] = A d v E ˜ m p r p ˜ ( B ) + A d v Π [ π ˜ ] i n t r u p ( A ) ,
where B is an MTPRP adversary against E ˜ .
Let F be an event that at least one forgery attempt in all q v forgery attempts succeeds. Then, the INT-RUP-advantage of A is
A d v Π [ π ˜ ] i n t r u p ( A ) = P r [ A E , D , V f o r g e s ] = P r [ A E , D , V s e t s F ] = P r [ F ] .
Define a collision as the same output from distinct inputs. Let T be the event that a collision of the authentication tag occurs for the encryption queries.
With the total probability formula and the probability inequality, one has
P r [ F ] = P r [ F ¬ T ] + P r [ F T ] = P r [ F | ¬ T ] P r [ ¬ T ] + P r [ F | T ] P r [ T ] P r [ F | ¬ T ] + P r [ T ] .
Step 1: Bound the probability of event T occurring: P r [ T ] q 2 2 n .
Step 2: Evaluate the upper bound of the probability that event F occurs under the condition ¬ T : P r [ F | ¬ T ] . For simplicity, a single forgery attempt ( N , C , T ) { ( N 1 , C 1 , T 1 ) , , ( N q e , C q e , T q e ) } is first considered, where C is divided into l blocks and C i is divided into l i blocks for 1 i q e . Let T e = { T 1 , T 2 , , T q e } be a set of the authentication tags generated by the encryption oracle (Under the condition ¬ T , T 1 , T 2 , , T q e are distinct from each other).
Case 1:  T is new, i.e.,  T T e . In this case, the adversary A already knows the value of T i , where 1 i q e , and with this knowledge, the adversary tries to guess the preimage of another new tag. Therefore, the probability that the adversary A correctly guesses this value is at most 1 / ( 2 n q e ) , which is also the probability that the adversary’s forgery attempt succeeds.
Case 2:  T is old, i.e.,  T T e . Let us say T = T u , where u { 1 , , q e } . According to the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) of the authentication tag generation, a further analysis is discussed as follows.
Case 2-1: If N N u , the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) are new. The adversary tries to forge an identical tag ( T = T u ) using a new nonce N . The image of a single point under a tweakable random permutation is uniform, so the generated tag is an independent and uniform random value. Thus, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
Case 2-2: If N = N u and l l u , the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) are new. The adversary tries to forge an identical tag ( T = T u ) using a new block-length l . The image of a single point under a tweakable random permutation is uniform, so the generated tag is an independent and uniform random value. Thus, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
Case 2-3: If N = N u and l = l u , the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) in this case are the same as those of previous query–response pairs ( N u , M u , C u , T u ) . According to P I C = b 0 b 1 Y 1 b 2 Y 2 b l Y l , where Y i = ( π ˜ N , i , 2 ) 1 ( C i ) for all 1 i l , a further discussion is shown as follows.
  • C is new and P I C is new, i.e.,  P I C P I C u . The probability that this case occurs is about 1 1 / 2 n . The adversary tries to forge an identical tag ( T = T u ) using a new checksum P I C . Thus, the probability that the adversary’s forgery attempt succeeds is 1 / 2 n .
  • C is new and P I C is old, i.e.,  P I C = P I C u . According to the fact that P r [ b 1 Y 1 b 2 Y 2 b l Y l = c ] = 1 / 2 n for any Y 1 , Y 2 , , Y l { 0 , 1 } n , where c is a constant from { 0 , 1 } n , the probability that P I C is old is at most 1 / 2 n . Therefore, the probability that the adversary can guess the correct value in this case is the probability that P I C is old, which is at most 1 / 2 n .
  • C is old. This contradicts ( N , C , T ) { ( N 1 , C 1 , T 1 ) , , ( N q e , C q e , T q e ) } .
Summarizing all cases above, the successful probability of the single forgery attempt is upper-bounded by
m a x { 1 / ( 2 n q e ) , 1 / 2 n } 2 / 2 n .
Therefore, for  q v forgery attempts, it is easy to bound the probability that event F occurs under the condition ¬ T :
P r [ F | ¬ T ] 2 q v / 2 n .
The INT-RUP advantage of A , after q encryption and decryption queries, and  q v forgery queries, is
A d v Π i n t r u p ( A ) A d v E ˜ m p r p ˜ ( B ) + q 2 2 n + 2 q v 2 n ,
where B is an MTPRP adversary against E ˜ . If  E ˜ is a secure MTPRP, then Π with PIC guarantees the INT-RUP security.    □
Here, PIC just focuses on the authentication of the plaintext. The authentication of the associated data should be included in the verification algorithm. This paper directly utilizes PMAC1 algorithm [6] to generate the authentication of the associated data A, i.e.,  c = T A = P M A C 1 ( A ) . In addition, the associated data can also be treated in a similar way to messages, just saving the final output as its authentication tag.

4. COPA-PIC: COPA with Polynomial Intermediate Checksum for INT-RUP Security

To solve the INT-RUP security defect of COPA, the PIC technique is applied to COPA, and an improved variant, COPA-PIC, is proposed. In this section, the top-level design of COPA-PIC is first described from the angle of TBCs, and then blockcipher-based and permutation-based COPA-PIC instances are presented.

4.1. TBC-Based COPA-PIC: COPA-PIC[ E ˜ ]

At the beginning of the design, the idea was to retain as much of the COPA structure as possible. Therefore, the mainly structure of COPA-PIC is the same as that of COPA except that the plaintext checksum used in the encryption and verification algorithms is replaced with PIC. For PIC, a polynomial sum with full terms of internal intermediate states is utilized to ensure INT-RUP security. Therefore, the verification algorithm and the decryption algorithm of COPA-PIC share parts of computing resources such that the cost of the authentication tag is minimal.
Let E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where K is a key space, Γ = N × I × J is a tweak space, N is a nonce space, I is a large-integer set, and  J is a small-integer set. We assume that COPA-PIC takes a key K, a nonce N, associated data A, and a plaintext M = M 1 | | M 2 | | | | M l as input and returns the corresponding ciphertext C = C 1 | | C 2 | | | | C l and an authentication tag T. Then, the checksum of COPA-PIC is P I C = 2 l 1 X 1 2 l 2 X 2 2 X l 1 X l = g ( Y 1 , Y 2 , , Y l ) , where X i = E ˜ K N , i , 1 ( M i ) and Y i = D ˜ K N , i , 2 ( C i ) for all 1 i l , and g is a full-term polynomial function. It is essential to call two extra TBCs in the tag-generating process (let N = N and M = M ; then, P I C = P I C ; for two distinct associated data A A , if the final authentication tag is generated by calling once extra primitive, we can get the difference in the authentication tag of associated data and the difference in the final authentication tag, which can be easily used to obtain a forgery attack).
The overview of COPA-PIC[ E ˜ ] is shown in Figure 2, and its authentication component of the associated data is depicted in Figure 3. The authentication of associated data utilizes the TBC-based PMAC1 algorithm, which is shown in Algorithm 1. COPA-PIC[ E ˜ ] consists of an encryption algorithm E , a decryption algorithm D , and a verification algorithm V , which are shown in Algorithms 2–4.
Algorithm 1 PMAC1 algorithm P M A C 1 K N ( A )
Input: 
Key K, nonce N, associated data A;
Output: 
Tag of associated data T A ;
1:
 Partition A into A 1 A a , | A i | = n , 1 i a 1 , 0 < | A a | n ;
2:
 for  i = 1 to i = a 1  do
3:
     S i E ˜ K N , i , 5 ( A i ) ;
4:
 end for
5:
 if  | A a | = n   then
6:
     Σ S 1 S 2 S a 1 A a ;
7:
     T A = E ˜ K N , a , 6 ( Σ ) ;
8:
 else
9:
     Σ S 1 S 2 S a 1 A a 10 * ;
10:
   T A = E ˜ K N , a , 7 ( Σ ) ;
11:
end if
12:
return  T A
Algorithm 2 Encryption algorithm C O P A P I C . E K N ( A , M )
Input: 
Key K, nonce N, associated data A, and plaintext M;
Output: 
Ciphertext C and authentication tag T;
1:
 Partition M into M 1 M l , | M i | = n , 1 i l ;
2:
  Y 0 = T A ;
3:
 for  i = 1 to i = l  do
4:
    X i E ˜ K N , i , 1 ( M i ) ;
5:
    Y i = Y i 1 X i ;
6:
    C i E ˜ K N , i , 2 ( Y i ) ;
7:
 end for
8:
  P I C 2 l 1 X 1 2 l 2 X 2 2 X l 1 X l ;
9:
  Σ = E ˜ K N , l , 3 ( P I C ) ;
10:
T = E ˜ K N , l , 4 ( Σ Y l ) ;
11:
return  ( C 1 | | C 2 | | | | C l , T )
Algorithm 3 Decryption algorithm C O P A P I C . D K N ( A , C , T )
Input: 
Key K, nonce N, associated data A, ciphertext C, and authentication tag T;
Output: 
Plaintext M;
1:
Partition C into C 1 C l , | C i | = n , 1 i l ;
2:
Y 0 = T A ;
3:
for  i = 1 to i = l  do
4:
    Y i D ˜ K N , i , 2 ( C i ) ;
5:
    X i = Y i 1 Y i ;
6:
    M i D ˜ K N , i , 1 ( X i ) ;
7:
end for
8:
return  M = M 1 | | M 2 | | | | M l
Algorithm 4 Verification algorithm C O P A P I C . V K N ( A , C , T )
Input: 
Key K, nonce N, associated data A, ciphertext C, and authentication tag T;
Output: 
Success or failure / ;
1:
 Partition C into C 1 C l , | C i | = n , 1 i l ;
2:
  Y 0 = T A ;
3:
 for  i = 1 to i = l  do
4:
      Y i D ˜ K N , i , 2 ( C i ) ;
5:
 end for
6:
  P I C = 2 l 1 Y 0 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l ;
7:
  Σ = E ˜ K N , l , 3 ( P I C ) ;
8:
  T = E ˜ K N , l , 4 ( Σ Y l ) ;
9:
 if  T = T  then
10:
    return ⊤;
11:
else
12:
    return ⊥;
13:
end if
For COPA-PIC, we check the correctness as follows:
P I C = f ( X 1 , X 2 , , X l ) = 2 l 1 X 1 2 l 2 X 2 X l = 2 l 1 ( T A Y 1 ) 2 l 2 ( Y 1 Y 2 ) ( Y l 1 Y l ) = 2 l 1 T A 3 · 2 l 2 Y 1 3 Y l 1 Y l = g ( Y 1 , Y 2 , , Y l ) .
Thus, PIC is both a polynomial function with full terms of the plaintext blocks and a polynomial function with full terms of the ciphertext blocks, which meets Conditions 1 and 2. Therefore, according to Theorem 1, COPA-PIC[ E ˜ ] ensures INT-RUP security.
Next, the strict INT-RUP security of COPA-PIC[ E ˜ ] is given in the following theorems.
Theorem 2
(INT-RUP security of COPA-PIC based on ideal TBCs). For COPA-PIC[ E ˜ ], real TBCs are replaced with tweakable random permutations π ˜ $ P e r m ( Γ , n ) to obtain COPA-PIC[ π ˜ ]. Let A be a nonce-misusing adversary with q encryption and decryption queries and q v forgery attempts. Then, one has
A d v C O P A P I C [ π ˜ ] i n t r u p ( A ) q 2 2 n + ( l + 2 ) ( q 1 ) 2 2 n + 2 q v 2 n .
Proof. 
Similar to the proof of Theorem 1, assume that A makes q e encryption queries { ( N i , A i , M i ) } i = 1 q e to E ( · , · , · ) and receives ( C i , T i ) = E ( N i , A i , M i ) , where 1 i q e , and makes q d decryption queries { ( N * j , A * j , C * j , T * j ) } j = 1 q d to D ( · , · , · , · ) and obtains the unverified plaintext M * j = D ( N * j , A * j , C * j , T * j ) , where 1 j q d . Note that ( N * j , A * j , C * j , T * j ) ( N i , A i , C i , T i ) , 1 i q e , 1 j q d and q e + q d = q . Then, A forges q v challenge queries { ( N 1 , A 1 , C 1 , T 1 ) , ( N 2 , A 2 , C 2 , T 2 ) , , ( N q v , A q v , C q v , T q v ) } { ( N 1 , A 1 , C 1 , T 1 ) , , ( N q e , A q e , C q e , T q e ) } to V ( · , · , · , · ) , where C k = C 1 k C 2 k C l k k , C i = C 1 i C 2 i C l i i , 1 k q v , 1 i q e .
Let F be an event that at least one forgery attempt in all q v forgery attempts succeeds. Then, the INT-RUP-advantage of A is
A d v C O P A P I C [ π ˜ ] i n t r u p ( A ) = P r [ A E , D , V f o r g e s ] = P r [ A E , D , V s e t s F ] = P r [ F ] .
Denote variables Y α of internal state values as Y α = i = 1 α π ˜ N , i , 1 ( M i ) T A , which is also equal to ( π ˜ N , α , 2 ) 1 ( C α ) , where 1 α l and T A is the authentication of the associated data A. Define a collision as the same value Y α from different prefixes A M 1 M 2 M α and A M 1 M 2 M α . More precisely, Y α 1 Y α 1 and Y α = Y α , which means M α M α . Let C be the event that a collision of Y α occurs for some α . Similarity, let T be the event that a collision of the tag occurs for the encryption queries. Let A be the event that a collision of T A occurs for two different associated data. Let E be the union of events C , T , and  A ; then, E = A C T .
With the total probability formula and the probability inequality, one has
P r [ F ] = P r [ F | ¬ E ] P r [ ¬ E ] + P r [ F | E ] P r [ E ] P r [ F | ¬ E ] + P r [ E ] .
Step 1: Bound the probability of event E occurring: P r [ E ] . As COPA-PIC and COPA have the same encryption and decryption structures, the events E , A , and  C are exactly the same as those of COPA. Moreover, COPA-PIC and COPA use different methods for generating tags, but their authentication tags are all generated through the randomization of the checksum and the last ciphertext block. The only difference is whether the checksum has been randomized before. This does not make much difference in authentication processing, but it needs to be carefully considered in verification processing. Therefore, the event T is exactly the same as that of COPA.
According to two claims P r [ A ] q 2 / 2 n and P r [ C T | ¬ A ] ( l + 2 ) ( q 1 ) 2 / 2 n in COPA and the total probability formula, one has
P r [ E ] = P r [ A C T ] P r [ A ] + P r [ C T | ¬ A ] q 2 / 2 n + ( l + 2 ) ( q 1 ) 2 / 2 n .
Step 2: Evaluate the upper bound of the probability that event F occurs under the condition ¬ E : P r [ F | ¬ E ] . For simplicity, a single forgery attempt ( N , A , C , T ) { ( N 1 , A 1 , C 1 , T 1 ) , , ( N q e , A q e , C q e , T q e ) } is considered, where C is divided into l blocks and C i is divided into l i blocks for 1 i q e . Let T e = { T 1 , T 2 , , T q e } be a set of the authentication tags generated by the encryption oracle.
Case 1:  T is new, i.e.,  T T e . In this case, the adversary A already knows the value of T i , where 1 i q e , and with this knowledge, the adversary tries to guess the preimage of another new tag. Therefore, the probability that the adversary A correctly guesses this value is at most 1 / ( 2 n q e ) , which is also the probability that the adversary’s forgery attempt succeeds.
Case 2:  T is old, i.e.,  T T e . Let us say T = T u , where u { 1 , , q e } . According to the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) of generating the authentication tag, a further analysis should be discussed as follows.
Case 2-1: If N N u , the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) are new. The adversary tries to forge an identical tag ( T = T u ) using a new nonce N . The image of a single point under a tweakable random permutation is uniform, so the generated tag is an independent and uniform random value. Thus, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
Case 2-2: If N = N u and l l u , the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) are new. The adversary tries to forge an identical tag ( T = T u ) using a new block length l . The image of a single point under a tweakable random permutation is uniform, so the generated tag is an independent and uniform random value. Thus, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
Case 2-3: If N = N u and l = l u , the last two tweaks ( N , l , 3 ) and ( N , l , 4 ) in this case are the same as those of the previous query–response pair ( N u , A u , M u , C u , T u ) . According to P I C = 2 l 1 T A 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l , where T A = P M A C 1 ( A ) and Y i = ( π ˜ N , i , 2 ) 1 ( C i ) for all 1 i l , a further discussion should be considered as follows.
  • A A u . Let T A i = P M A C 1 ( A i ) , where 1 i q e . Under the condition that ¬ E ( ¬ A ), T A 1 , T A 2 , , T A q e are distinct from each other. According to T A = P M A C 1 ( A ) , we consider the following two cases.
    (a)
    T A is new, i.e.,  T A T A u . The probability that this case occurs is 1 1 / 2 n .
    • C l is new. Then, Y l is new. The adversary tries to forge an identical tag ( T = T u ) using a new ciphertext block C l . Therefore, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
    • C l is old and C is new. Then, Y l is old and there exists at least one more fresh value in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n . According to whether P I C = 2 l 1 T A 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l is new or not, the following subcases are discussed.
      • P I C is new, i.e.,  P I C P I C u . The probability that this case occurs is about 1 1 / 2 n . The adversary tries to forge an identical tag ( T = T u ) using a new checksum P I C . Thus, the probability that the adversary’s forgery attempt succeeds is ( 1 1 / 2 n ) × 1 / 2 n 1 / 2 n .
      • P I C is old, i.e.,  P I C = P I C u . According to the fact that P r [ 2 l 1 T A 3 · 2 l 2 Y 1 3 Y l 1 = c ] = 1 / 2 n for any T A , Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , where c is a constant from { 0 , 1 } n , the probability that P I C is old is at most 1 / 2 n . As  P I C , Y l , and ( N , l ) are old, the probability of obtaining an identical tag ( T = T u ) is 1. Therefore, the probability that the adversary can guess the correct value in this case is the probability that P I C is old, which is at most 1 / 2 n .
    • C is old. Then, Y i is old, where 1 i l . According to P I C = 2 l 1 T A 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l ; then, P I C is a fresh random value. The adversary tries to forge an identical tag ( T = T u ) using new associated data A (or a new checksum P I C ). Therefore, the probability that the adversary can guess the correct value is 1 / 2 n .
    Summarizing the cases of (a), the probability that the adversary can guess the correct value is at most ( 1 1 / 2 n ) × 1 / 2 n 1 / 2 n .
    (b)
    T A is old, i.e.,  T A = T A u . The probability that this case occurs is 1 / 2 n .
    • C l is new. Then, Y l is new. The adversary tries to forge an identical tag ( T = T u ) using a new ciphertext block C l . Therefore, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
    • C l is old and C is new. Then, Y l is old and there exists at least one more fresh value in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n . If there only exists one fresh value in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , according to P I C = 2 l 1 T A 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l , then P I C is new. Therefore, the probability that the adversary’s forgery attempt succeeds is 1 / 2 n . If there exist at least two more fresh values in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , according to whether P I C is new or not, the following subcases are discussed.
      • P I C is new, i.e.,  P I C P I C u . The probability that this case occurs is about 1 1 / 2 n . The adversary tries to forge an identical tag ( T = T u ) using a new checksum P I C . Thus, the probability that the adversary’s forgery attempt succeeds is ( 1 1 / 2 n ) × 1 / 2 n 1 / 2 n .
      • P I C is old, i.e.,  P I C = P I C u . According to the fact that P r [ 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 = c ] = 1 / 2 n for any Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , where c is a constant from { 0 , 1 } n , the probability that P I C is old is at most 1 / 2 n . As  P I C , Y l and ( N , l ) are old, the probability of obtaining an identical tag ( T = T u ) is 1. Therefore, the probability that the adversary can guess the correct value in this case is the probability that P I C is old, which is at most 1 / 2 n .
    • C is old. Then, Y i is old, where 1 i l . As  P I C , Y l , and ( N , l ) are old, the probability that the adversary can guess the correct value is 1.
    Summarizing the cases of (b), the probability that the adversary can guess the correct value is at most 1 / 2 n × max { 1 / 2 n , 1 } 1 / 2 n .
  • A = A u ; then, T A = T A u . As  ( N , A , C , T ) { ( N i , A i , C i , T i ) } i = 1 q e ; therefore, C must be new.
    (a)
    C l is new. Then, Y l is new. The adversary tries to forge an identical tag ( T = T u ) using a new ciphertext block C l . Therefore, the probability that the adversary correctly forges an identical tag ( T = T u ) is 1 / 2 n .
    (b)
    C l is old and C is new. Then, Y l is old and there exists at least one more fresh value in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n .
    • If there only exists one fresh value in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , according to P I C = 2 l 1 T A 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l , then P I C is new. The adversary tries to forge an identical tag ( T = T u ) using a new checksum P I C . Therefore, the probability that the adversary’s forgery attempt succeeds is 1 / 2 n .
    • If there exist at least two more fresh values in Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , according to whether P I C is new or not, the following subcases are discussed.
      • P I C is new, i.e.,  P I C P I C u . The probability that this case occurs is about 1 1 / 2 n . The adversary tries to forge an identical tag ( T = T u ) using a new checksum P I C . Thus, the probability that the adversary’s forgery attempt succeeds is ( 1 1 / 2 n ) × 1 / 2 n 1 / 2 n .
      • P I C is old, i.e.,  P I C = P I C u . According to the fact that P r [ 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 = c ] = 1 / 2 n for any Y 1 , Y 2 , , Y l 1 { 0 , 1 } n , where c is a constant from { 0 , 1 } n , the probability that P I C is old is at most 1 / 2 n . As  P I C , Y l , and ( N , l ) are old, the probability of obtaining T = T u is 1. Therefore, the probability that the adversary can guess the correct value in this case is the probability that P I C is old, which is at most 1 / 2 n .
Summarizing all cases above, the successful probability of the single forgery attempt is upper-bounded by
m a x { 1 / ( 2 n q e ) , 1 / 2 n } 2 / 2 n .
Therefore, for  q v forgery attempts, the probability that event F occurs under the condition ¬ E is
P r [ F | ¬ E ] 2 q v / 2 n .
Combining Equations (1)–(4), the INT-RUP advantage of A , after q encryption and decryption queries, and  q v forgery queries, is
A d v C O P A P I C [ π ˜ ] i n t r u p ( A ) q 2 2 n + ( l + 2 ) ( q 1 ) 2 2 n + 2 q v 2 n .
The proof of Theorem 2 is finished.    □
Theorem 3
(INT-RUP security of COPA-PIC based on TBCs). Let E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where Γ = N × I × J is a tweak space, N is a nonce space, I is a large-integer set, and  J is a small-integer set. Let A be a nonce-misusing adversary with q encryption and decryption queries and q v forgery attempts. For COPA-PIC[ E ˜ ], one has
A d v C O P A P I C [ E ˜ ] i n t r u p ( t , q + q v , l , σ ) A d v E ˜ m p r p ˜ ( t , 2 σ ) + q 2 2 n + ( l + 2 ) ( q 1 ) 2 2 n + 2 q v 2 n ,
where t = t + c n σ for some absolute constant c, and l is the maximum block length.
Proof. 
For COPA-PIC[ E ˜ ], all TBCs are replaced with tweakable random permutations to obtain COPA-PIC[ π ˜ ], where π ˜ $ P e r m ( Γ , n ) and Γ is a tweak space.
Let σ be the total query complexity of message blocks for ( q + q v ) queries. According to the MTPRP advantage, COPA-PIC[ E ˜ ] can be replaced with COPA-PIC[ π ˜ ], which together cost at most A d v E ˜ m p r p ˜ ( t , 2 σ ) (here, 2 σ comes from the queries of TBCs in the upper and lower layers; in other words, 2 σ is the query complexity of TBCs), i.e.,
A d v C O P A P I C [ E ˜ ] i n t r u p ( t , q + q v , l , σ ) A d v E ˜ m p r p ˜ ( t , 2 σ ) + A d v C O P A P I C [ π ˜ ] i n t r u p ( t , q + q v , l , σ ) .
Therefore, combining Equation (5) and Theorem 2, it is easy to obtain the bound of Theorem 3.    □

4.2. Blockcipher-Based COPA-PIC Instance: COPA-PIC[E]

Let E : K × { 0 , 1 } n { 0 , 1 } n be a block cipher and E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where K is a key space and Γ is a tweak space. This section presents a blockcipher-based instance of COPA-PIC[ E ˜ ] by the XEX* construction E ˜ = X E X * [ E , 2 I 3 J ]  [6] and renames it as COPA-PIC[E].
The overviews of COPA-PIC[E] and blockcipher-based PMAC1 are depicted in Figure 4 and Figure 5, respectively. The blockcipher-based PMAC1 algorithm, and an encryption algorithm E K , a decryption algorithm D K , and a verification algorithm V K of COPA-PIC[E] are shown in Algorithms 5, 6, 7, and 8, respectively.
Algorithm 5 Blockcipher-based PMAC1 algorithm P M A C 1 [ E ] K N ( A )
Input: 
Key K, nonce N, associated data A;
Output: 
Tag of associated data T A ;
1:
 Partition A into A 1 A a , | A i | = n , 1 i a 1 , 0 < | A a | n ;
2:
  L = E K ( N ) ;
3:
 for  i = 1 to i = a 1  do
4:
     S i E K ( A i 2 i 1 · 3 3 L ) ;
5:
 end for
6:
 if  | A a | = n   then
7:
     Σ S 1 S 2 S a 1 A a ;
8:
     T A = E K ( Σ 2 a 1 · 3 4 L ) ;
9:
 else
10:
    Σ S 1 S 2 S a 1 A a 10 * ;
11:
    T A = E K ( Σ 2 a 1 · 3 5 L ) ;
12:
end if
13:
return  T A
Algorithm 6 Encryption algorithm C O P A P I C [ E ] . E K N ( A , M )
Input: 
Key K, nonce N, associated data A, and plaintext M;
Output: 
Ciphertext C and authentication tag T;
1:
 Partition M into M 1 M l , | M i | = n , 1 i l ;
2:
  L = E K ( N ) and y 0 = T A L ;
3:
 for  i = 1 to i = l  do
4:
     x i E K ( M i 2 i 1 · 3 L ) and X i = x i 2 i 1 · 3 L ;
5:
     y i = y i 1 x i and Y i = y i 2 i L ;
6:
     C i E K ( y i ) 2 i L ;
7:
 end for
8:
  P I C 2 l 1 X 1 2 l 2 X 2 2 X l 1 X l ;
9:
  Σ = E K ( P I C 2 l 1 · 3 2 L ) ;
10:
T = E K ( Σ y l ) 2 l 1 · 7 L ;
11:
return  ( C 1 | | C 2 | | | | C l , T )
Algorithm 7 Decryption algorithm C O P A P I C [ E ] . D K N ( A , C , T )
Input: 
Key K, nonce N, associated data A, ciphertext C, and authentication tag T;
Output: 
Plaintext M;
1:
Partition C into C 1 C l , | C i | = n , 1 i l ;
2:
L = E K ( N ) and y 0 = T A L ;
3:
for  i = 1 to i = l  do
4:
    y i D K ( C i 2 i L ) ;
5:
    x i = y i 1 y i ;
6:
    M i D K ( x i ) 2 i 1 · 3 L ;
7:
end for
8:
return  M = M 1 | | M 2 | | | | M l
Theorem 4
(INT-RUP security of COPA-PIC based on block ciphers). Let E : K × { 0 , 1 } n { 0 , 1 } n be a block cipher and E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where K is a key space, Γ = N × I × J is a tweak space, N is a nonce space, I is a large-integer set, and  J is a small-integer set. Let E ˜ = X E X * [ E , 2 I 3 J ] and assume that 2 i 3 j 1 for all ( i , j ) I × J . Then, for a nonce-misusing adversary A , one has
A d v C O P A P I C [ E ] i n t r u p ( A ) A d v E s p r p ( B ) + 39 ( σ + q ) 2 2 n + ( l + 2 ) ( q 1 ) 2 2 n + 2 q v 2 n ,
where a new adversary B has an additional running time equal to the time needed to process the queries from A .
Proof. 
The security proof includes two steps. First, COPA-PIC[E] is converted to COPA-PIC[ E ˜ ]. The dummy masks { 3 L , 2 · 3 L , , 2 l 1 · 3 L , 2 l 1 · 3 2 L } and { 2 L , 2 2 L , , 2 l · L , 2 l 1 · 7 L } are introduced to the upper and lower layers of COPA-PIC[E], respectively, in terms of the XEX* construction, where L = E K ( N ) . Therefore, distinct TBCs E ˜ K N , i , 1 , E ˜ K N , i , 2 , E ˜ K N , l , 3 , and  E ˜ K N , l , 4 are utilized to replace the block ciphers with distinct masks, where i = 1 , , l . For the blockcipher-based PMAC1, distinct TBCs E ˜ K N , i , 5 , E ˜ K N , a , 6 , and  E ˜ K N , a , 7 are utilized to replace the block ciphers with distinct masks, where i = 1 , , a 1 . According to Lemma 1 and the blockcipher-based PMAC1 [6], COPA-PIC[E] can be replaced with COPA-PIC[ E ˜ ], which together cost
9.5 ( 2 σ + 2 q ) 2 2 n + A d v E s p r p ( t , 2 · 2 ( σ + q ) ) + σ 2 2 n
Then, combining Equation (6) and Theorem 3, the bound of Theorem 4 is obtained.    □
Algorithm 8 Verification algorithm C O P A P I C [ E ] . V K N ( A , C , T )
Input: 
Key K, nonce N, associated data A, ciphertext C, and authentication tag T;
Output: 
Success or failure / ;
1:
 Partition C into C 1 C l , | C i | = n , 1 i l ;
2:
  L = E K ( N ) and Y 0 = T A ;
3:
 for  i = 1 to i = l  do
4:
      y i D K ( C i 2 i L ) and Y i = y i 2 i L ;
5:
 end for
6:
  P I C = 2 l 1 Y 0 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l ;
7:
  Σ = E K ( P I C 2 l 1 · 3 2 L ) ;
8:
  T = E K ( Σ y l ) 2 l 1 · 7 L ;
9:
 if  T = T  then
10:
   return ⊤;
11:
else
12:
   return ⊥;
13:
end if

4.3. Permutation-Based COPA-PIC Instance: COPA-PIC[ π ]

Let π : { 0 , 1 } n { 0 , 1 } n be a public n-bit permutation, K = { 0 , 1 } k be a set of k-bit keys, T = { 0 , 1 } n k × I × J be a tweak space, I be a set of large integers, and  J be a set of small integers, we reload COPA-PIC[ E ˜ ] by E ˜ = M E M [ π , 2 I 3 J ]  [22] to obtain an instance called COPA-PIC[ π ].
Let K , N , A , M , C , and T be the key, the nonce, the associated data, the plaintext, the ciphertext, and the authentication tag, respectively. The overviews of COPA-PIC[ π ] and PMAC1 are depicted in Figure 6 and Figure 7, respectively. The PMAC1 algorithm and an encryption algorithm E K , a decryption algorithm D K , and a verification algorithm V K of COPA-PIC[ π ] are shown in Algorithms 9, 10, 11, and 12, respectively.
Algorithm 9 Permutation-based PMAC1 algorithm P M A C 1 [ π ] K N ( A )
Input: 
Key K, nonce N, associated data A;
Output: 
Tag of associated data T A ;
1:
 Partition A into A 1 A a , | A i | = n , 1 i a 1 , 0 < | A a | n ;
2:
  L = π ( N | | K ) ;
3:
 for  i = 1 to i = a 1  do
4:
     S i π ( A i 2 i 1 · 3 3 L ) ;
5:
 end for
6:
 if  | A a | = n   then
7:
     Σ S 1 S 2 S a 1 A a ;
8:
     T A = π ( Σ 2 a 1 · 3 4 L ) ;
9:
 else
10:
    Σ S 1 S 2 S a 1 A a 10 * ;
11:
    T A = π ( Σ 2 a 1 · 3 5 L ) ;
12:
end if
13:
return  T A
Algorithm 10 Encryption algorithm C O P A P I C [ π ] . E K N ( A , M )
Input: 
Key K, nonce N, associated data A, and plaintext M;
Output: 
Ciphertext C and authentication tag T;
1:
 Partition M into M 1 M l , | M i | = n , 1 i l ;
2:
  L = π ( N | | K ) and y 0 = T A L ;
3:
 for  i = 1 to i = l  do
4:
     x i π ( M i 2 i 1 · 3 L ) and X i = x i 2 i 1 · 3 L ;
5:
     y i = y i 1 x i and Y i = y i 2 i L ;
6:
     C i π ( y i ) 2 i L ;
7:
 end for
8:
  P I C 2 l 1 X 1 2 l 2 X 2 2 X l 1 X l ;
9:
  Σ = π ( P I C 2 l 1 · 3 2 L ) ;
10:
T = π ( Σ y l ) 2 l 1 · 7 L ;
11:
return  ( C 1 | | C 2 | | | | C l , T )
Algorithm 11 Decryption algorithm C O P A P I C [ π ] . D K N ( A , C , T )
Input: 
Key K, nonce N, associated data A, ciphertext C, and authentication tag T;
Output: 
Plaintext M;
1:
Partition C into C 1 C l , | C i | = n , 1 i l ;
2:
L = π ( N | | K ) and y 0 = T A L ;
3:
for  i = 1 to i = l  do
4:
    y i π 1 ( C i 2 i L ) ;
5:
    x i = y i 1 y i ;
6:
    M i π 1 ( x i ) 2 i 1 · 3 L ;
7:
end for
8:
return  M = M 1 | | M 2 | | | | M l
Algorithm 12 Verification algorithm C O P A P I C [ π ] . V K N ( A , C , T )
Input: 
Key K, nonce N, associated data A, ciphertext C, and authentication tag T;
Output: 
Success or failure / ;
1:
 Partition C into C 1 C l , | C i | = n , 1 i l ;
2:
  L = π ( N | | K ) and Y 0 = T A ;
3:
 for  i = 1 to i = l  do
4:
      y i π 1 ( C i 2 i L ) and Y i = y i 2 i L ;
5:
 end for
6:
  P I C = 2 l 1 Y 0 3 · 2 l 2 Y 1 3 · 2 l 3 Y 2 3 Y l 1 Y l ;
7:
  Σ = π ( P I C 2 l 1 · 3 2 L ) ;
8:
  T = π ( Σ y l ) 2 l 1 · 7 L ;
9:
 if  T = T  then
10:
   return ⊤;
11:
else
12:
   return ⊥;
13:
end if
For an INT-RUP security model with a permutation, the adversary is allowed to make π ± 1 queries in addition to the previous oracle queries; then, the INT-RUP-advantage of A against Π = ( E , D , V ) is defined as
A d v Π i n t r u p ( A ) = P r [ K $ K : A E K , D K , V K ; π ± 1 f o r g e s ] .
Theorem 5
(INT-RUP security of COPA-PIC based on permutations). Let π : { 0 , 1 } n { 0 , 1 } n be a public n-bit permutation and E ˜ : K × Γ × { 0 , 1 } n { 0 , 1 } n be a TBC, where K = { 0 , 1 } k is a key space, Γ = N × I × J is a tweak space, N = { 0 , 1 } n k is a nonce space, I is a large-integer set, and J is a small-integer set. Assume that 2 i 3 j 1 for all ( i , j ) I × J . Let E ˜ = M E M [ π , 2 I 3 J ] . For a nonce-misusing adversary A , one has
A d v C O P A P I C [ π ] i n t r u p ( A ) 19 ( σ + q ) 2 2 n + 6 ( σ + q ) p 2 n + p 2 k + ( l + 2 ) ( q 1 ) 2 2 n + 2 q v 2 n .
Proof. 
Similar to the proof of Theorem 4, the security proof includes two steps. First, COPA-PIC[ π ] is converted to COPA-PIC[ E ˜ ]. The dummy masks { 3 L , 2 · 3 L , , 2 l 1 · 3 L , 2 l 1 · 3 2 L } and { 2 L , 2 2 L , , 2 l · L , 2 l 1 · 7 L } are introduced to the upper and lower layers of COPA-PIC[ π ], respectively, in terms of the MEM construction, where L = π ( N | | K ) . Therefore, distinct TBCs E ˜ K N , i , 1 , E ˜ K N , i , 2 , E ˜ K N , l , 3 , and E ˜ K N , l , 4 are utilized to replace permutations with distinct masks, where i = 1 , , l . For the permutation-based PMAC1, distinct TBCs E ˜ K N , i , 5 , E ˜ K N , a , 6 , and E ˜ K N , a , 7 are utilized to replace permutations with distinct masks, where i = 1 , , a 1 . According to Lemma 2 and the permutation-based PMAC1 [6], COPA-PIC[ π ] can be replaced with COPA-PIC[ E ˜ ], which together cost
4.5 ( 2 σ + 2 q ) 2 2 n + 3 ( 2 σ + 2 q ) p 2 n + p 2 k + σ 2 2 n = 18 ( σ + q ) 2 2 n + 6 ( σ + q ) p 2 n + p 2 k + σ 2 2 n .
Then, combining Equation (7) and Theorem 3, the bound of Theorem 5 is obtained. □

5. Discussions and Future Works

COPA-PIC is a secure “rate-1/2” parallelizable delayed authenticated online cipher with nonce-misuse resistance. The structure of COPA-PIC is the same as that of COPA except that the authentication checksum is replaced with PIC. Therefore, COPA-PIC inherits all the advantages of COPA and calculates the authentication tag ahead of time in the verification oracle. It can be viewed as an instance of the generic B1 scheme introduced by Namprempre et al. [40]. At the beginning of the design, TBCs are used to improve COPA from the perspective of a top-level design, and the updating of the tweaks is as simple as possible. Then, by using the XEX* construction [6] and the MEM construction [22], provably secure block-cipher-based and permutation-based instances are presented. For the update of tweaks, a simple and efficient technique—point doubling is used to update tweaks. This technique follows the framework of the XEX* and MEM constructions, which makes proposed instances and proofs very simple. This paper considers the message whose length is a positive multiple of the block size n. In fact, for any length message, it also works.
There have been many studies on COPA in recent years [1,13,41,42]. Among them, the INT-RUP security is one of the most important research contents. COPA-PIC enjoys INT-RUP security up to the birthday bound in the nonce-misuse setting if the underlying primitive (including TBC, block cipher, and permutation) is secure. Of course, COPA-PIC just settles the problem of INT-RUP in the nonce-misuse setting, while the problem of privacy in the RUP setting still exists. It is left as an open problem to settle the privacy of COPA-PIC in the RUP setting.
COPA-PIC utilizes a new checksum technique—polynomial intermediate checksum (PIC)—to fix the INT-RUP security. PIC is a very vital technique which guarantees no information leakage and the same level between the plaintext and the ciphertext. In the AE schemes with PIC, the adversary cannot obtain any useful information to make a successful forgery even if given the additional power of access to an unverified decryption oracle. mCPFB with INT-RUP security combines a distance 4 error correcting code and delayed dislocation technique which is essentially a similar PIC technique. LOCUS and LOTUS are based on OCB and OTR, and their final checksum utilizes IC, which is a degenerated version of PIC. Table 2 shows the comparison of AE modes with distinct checksum techniques. Our work finds a new technique, PIC, and we believe that PIC can settle the INT-RUP security defects of any “rate < 1” and “Encryption-Mix-Encryption”-type checksum-based AE schemes. In addition, the mixing function of COLM (ELmE/ELmD) essentially provides an implementation of PIC for the authentication part, but COLM (ELmE/ELmD) also utilizes PCC in the authentication part. In fact, COLM (ELmE/ELmD) could have been designed entirely using PIC.
The proposed work is of high practical significance to establish a rapid feedback mechanism for third-party error authentication. The computational costs of COPA-PIC’s encryption and decryption algorithms are about the same as those of COPA, but the verification cost is close to one half of COPA (see Table 1). Thus, in practical applications, the receiver first verifies whether the received message is valid or not, and then determines whether to perform the next action (decrypt and obtain the correct plaintext or reject and return an error symbol). The proposed work supports Chakraborti et al.’s works and Zhang and Wu’s views, introduces a new intermediate checksum technique, PIC, and gives a possible direction for settling the security of all one-pass checksum-based AE schemes in the RUP setting. Recently, Andreeva et al. focused on SAEF which is a rate-1 online AE mode using a forkcipher as a building block, and they showed that SAEF is INT-RUP-secure up to the birthday bound by the H-coefficient technique [17]. Therefore, forkcipher is a hot future research direction. Additionally, there have been some achievements in RUP security for two-pass AE schemes in recent years, such as GCM-RUP [43] and its variant [44]. This is also a direction to watch in the future.

Funding

This work was supported by National Natural Science Foundation of China (Grant Nos. 61902195, 62272238 and U23B2002) and NUPTSF (Grant Nos. NY219131 and NY2019004).

Data Availability Statement

The data used to support the findings of the study are available within the article.

Acknowledgments

I am grateful to Peng Wang and Honggang Hu et al. for providing some good suggestions on PIC and COPA-PIC. I would also like to express my sincere thanks to the editors and the anonymous reviewers for the valuable comments and suggestions.

Conflicts of Interest

The author declares no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
K the nonempty set of keys (the key space)
Γ the nonempty set of tweaks (the tweak space)
N the nonempty set of nonces (the nonce space)
H the nonempty set of associated data (the associated data space)
M the nonempty set of plaintexts (the plaintext space)
C the nonempty set of ciphertexts (the ciphertext space)
T the nonempty set of authentication tags (the authentication tag space)
E K the encryption of block ciphers with a key K
D K , E K 1 the decryption of block ciphers with a key K
E K ± 1 the encryption and decryption oracles of block ciphers with a key K
E ˜ K the encryption of tweakable blockciphers with a key K
D ˜ K , E ˜ K 1 the decryption of tweakable blockciphers with a key K
E ˜ K ± 1 the encryption and decryption oracles of tweakable blockciphers with a key K
P e r m ( n ) the set of all n-bit permutations
π ± 1 the permutation and its inverse
P e r m ( Γ , n ) the set of all n-bit tweakable permutations with the tweak space Γ
π ˜ ± 1 the tweakable permutation and its inverse
{ 0 , 1 } * the set containing all finite bit strings (including the empty string)
{ 0 , 1 } n the nonempty set containing all n-bit strings
A O 1 the adversary A outputs 1 after interacting with the oracle O
x $ X the value x randomly chosen from the set X
P r [ A ] the probability of the event A
E the encryption algorithm
D the decryption algorithm
V the verification algorithm
| x | the bit length of the finite string x
x y or x y the concatenation of two finite strings x and y
the XOR/addition operation over the finite field G F ( 2 n )
·the multiplication operation over the finite field G F ( 2 n )
I a set of large integers, such as I = { 0 , 1 , 2 , , 2 n 1 }
J a set of small integers, such as J = { 0 , 1 , , 10 }

References

  1. Andreeva, E.; Bogdanov, A.; Luykx, A.; Mennink, B.; Mouha, N.; Yasuda, K. How to Securely Release Unverified Plaintext in Authenticated Encryption. In Proceedings of the Advances in Cryptology-ASIACRYPT 2014-20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, 7–11 December 2014; Sarkar, P., Iwata, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8873, pp. 105–125. [Google Scholar] [CrossRef]
  2. Vaudenay, S. Security Flaws Induced by CBC Padding-Applications to SSL, IPSEC, WTLS. In Proceedings of the Advances in Cryptology-EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, 28 April–2 May 2002; Knudsen, L.R., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2332, pp. 534–546. [Google Scholar] [CrossRef]
  3. Canvel, B.; Hiltgen, A.P.; Vaudenay, S.; Vuagnoux, M. Password Interception in a SSL/TLS Channel. In Proceedings of the Advances in Cryptology-CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2003; Boneh, D., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2729, pp. 583–599. [Google Scholar] [CrossRef]
  4. AlFardan, N.J.; Paterson, K.G. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, 19–22 May 2013; pp. 526–540. [Google Scholar] [CrossRef]
  5. Rogaway, P.; Bellare, M.; Black, J. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 2003, 6, 365–403. [Google Scholar] [CrossRef]
  6. Rogaway, P. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In Proceedings of the Advances in Cryptology-ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Republic of Korea, 5–9 December 2004; Lee, P.J., Ed.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3329, pp. 16–31. [Google Scholar] [CrossRef]
  7. Krovetz, T.; Rogaway, P. The Software Performance of Authenticated-Encryption Modes. In Proceedings of the Fast Software Encryption-18th International Workshop, FSE 2011, Lyngby, Denmark, 13–16 February 2011; Joux, A., Ed.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 6733, pp. 306–327. [Google Scholar] [CrossRef]
  8. Andreeva, E.; Bogdanov, A.; Luykx, A.; Mennink, B.; Tischhauser, E.; Yasuda, K. Parallelizable and Authenticated Online Ciphers. In Proceedings of the Advances in Cryptology-ASIACRYPT 2013-19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, 1–5 December 2013; Sako, K., Sarkar, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8269, pp. 424–443. [Google Scholar] [CrossRef]
  9. Zhang, P.; Wang, P.; Hu, H.; Cheng, C.; Kuai, W. INT-RUP Security of Checksum-Based Authenticated Encryption. In Proceedings of the Provable Security-11th International Conference, ProvSec 2017, Xi’an, China, 23–25 October 2017; Okamoto, T., Yu, Y., Au, M.H., Li, Y., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10592, pp. 147–166. [Google Scholar] [CrossRef]
  10. Zhang, P.; Wang, P.; Hu, H. The INT-RUP Security of OCB with Intermediate (Parity) Checksum. IACR Cryptol. ePrint Arch. 2016, 1059. Available online: https://eprint.iacr.org/2016/1059 (accessed on 25 March 2024).
  11. Chakraborti, A.; Datta, N.; Nandi, M. INT-RUP Analysis of Block-cipher Based Authenticated Encryption Schemes. In Proceedings of the Topics in Cryptology-CT-RSA 2016-The Cryptographers’ Track at the RSA Conference 2016, San Francisco, CA, USA, 29 February–4 March 2016; Sako, K., Ed.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9610, pp. 39–54. [Google Scholar] [CrossRef]
  12. Zhang, J.; Wu, W. Security of Online AE Schemes in RUP Setting. In Proceedings of the Cryptology and Network Security-15th International Conference, CANS 2016, Milan, Italy, 14–16 November 2016; Foresti, S., Persiano, G., Eds.; 2016; Volume 10052, pp. 319–334. [Google Scholar] [CrossRef]
  13. Datta, N.; Luykx, A.; Mennink, B.; Nandi, M. Understanding RUP Integrity of COLM. IACR Trans. Symmetric Cryptol. 2017, 2017, 143–161. [Google Scholar] [CrossRef]
  14. Hirose, S.; Sasaki, Y.; Yasuda, K. Rate-One AE with Security Under RUP. In Proceedings of the Information Security-20th International Conference, ISC 2017, Ho Chi Minh City, Vietnam, 22–24 November 2017; Nguyen, P.Q., Zhou, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10599, pp. 3–20. [Google Scholar] [CrossRef]
  15. Chakraborti, A.; Datta, N.; Jha, A.; Mancillas-López, C.; Nandi, M.; Sasaki, Y. INT-RUP Secure Lightweight Parallel AE Modes. IACR Trans. Symmetric Cryptol. 2019, 2019, 81–118. [Google Scholar] [CrossRef]
  16. Chang, D.; Datta, N.; Dutta, A.; Mennink, B.; Nandi, M.; Sanadhya, S.; Sibleyras, F. Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE. IACR Trans. Symmetric Cryptol. 2019, 2019, 119–146. [Google Scholar] [CrossRef]
  17. Andreeva, E.; Bhati, A.S.; Vizár, D. RUP Security of the SAEF Authenticated Encryption mode. IACR Cryptol. ePrint Arch. 2021, 2021, 103. [Google Scholar]
  18. Datta, N.; Dutta, A.; Ghosh, S. INT-RUP Security of SAEB and TinyJAMBU. In Proceedings of the Progress in Cryptology-INDOCRYPT 2022-23rd International Conference on Cryptology in India, Kolkata, India, 11–14 December 2022; Isobe, T., Sarkar, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2022; Volume 13774, pp. 146–170. [Google Scholar] [CrossRef]
  19. Bao, Z.; Guo, J.; Iwata, T.; Minematsu, K. ZOCB and ZOTR: Tweakable Blockcipher Modes for Authenticated Encryption with Full Absorption. IACR Trans. Symmetric Cryptol. 2019, 2019, 1–54. [Google Scholar] [CrossRef]
  20. Inoue, A.; Iwata, T.; Minematsu, K.; Poettering, B. Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality. In Proceedings of the Advances in Cryptology-CRYPTO 2019-39th Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2019; Boldyreva, A., Micciancio, D., Eds.; Springer: Berlin/Heidelberg, Germany, 2019; Volume 11692, pp. 3–31. [Google Scholar] [CrossRef]
  21. Chakraborty, D.; Nandi, M. Attacks on the Authenticated Encryption Mode of Operation PAE. IEEE Trans. Inf. Theory 2015, 61, 5636–5642. [Google Scholar] [CrossRef]
  22. Granger, R.; Jovanovic, P.; Mennink, B.; Neves, S. Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption. In Proceedings of the Advances in Cryptology-EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, 8–12 May 2016; Fischlin, M., Coron, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9665, pp. 263–293. [Google Scholar] [CrossRef]
  23. Jutla, C.S. Encryption Modes with Almost Free Message Integrity. In Proceedings of the Advances in Cryptology-EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, 6–10 May 2001; Pfitzmann, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 529–544. [Google Scholar] [CrossRef]
  24. Bossuet, L.; Datta, N.; Mancillas-López, C.; Nandi, M. ELmD: A Pipelineable Authenticated Encryption and Its Hardware Implementation. IEEE Trans. Comput. 2016, 65, 3318–3331. [Google Scholar] [CrossRef]
  25. Datta, N.; Nandi, M. ELmE: A Misuse Resistant Parallel Authenticated Encryption. In Proceedings of the Information Security and Privacy-19th Australasian Conference, ACISP 2014, Wollongong, NSW, Australia, 7–9 July 2014; Susilo, W., Mu, Y., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8544, pp. 306–321. [Google Scholar] [CrossRef]
  26. Abed, F.; Fluhrer, S.R.; Forler, C.; List, E.; Lucks, S.; McGrew, D.A.; Wenzel, J. Pipelineable On-line Encryption. In Proceedings of the Fast Software Encryption-21st International Workshop, FSE 2014, London, UK, 3–5 March 2014; Cid, C., Rechberger, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8540, pp. 205–223. [Google Scholar] [CrossRef]
  27. Fleischmann, E.; Forler, C.; Lucks, S. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes. In Proceedings of the Fast Software Encryption-19th International Workshop, FSE 2012, Washington, DC, USA, 19–21 March 2012; Canteaut, A., Ed.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7549, pp. 196–215. [Google Scholar] [CrossRef]
  28. Naito, Y.; Sasaki, Y.; Sugawara, T. Lightweight Authenticated Encryption Mode Suitable for Threshold Implementation. In Proceedings of the Advances in Cryptology-EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, 10–14 May 2020; Canteaut, A., Ishai, Y., Eds.; Springer: Berlin/Heidelberg, Germany, 2020; Volume 12106, pp. 705–735. [Google Scholar] [CrossRef]
  29. Naito, Y.; Sugawara, T. Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020, 2020, 66–94. [Google Scholar] [CrossRef]
  30. Naito, Y. Tweakable Blockciphers for Efficient Authenticated Encryptions with Beyond the Birthday-Bound Security. IACR Trans. Symmetric Cryptol. 2017, 2017, 1–26. [Google Scholar] [CrossRef]
  31. Peyrin, T.; Seurin, Y. Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers. In Proceedings of the Advances in Cryptology-CRYPTO 2016-36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016; Robshaw, M., Katz, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9814, pp. 33–63. [Google Scholar] [CrossRef]
  32. Mennink, B. XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. In Proceedings of the Advances in Cryptology-CRYPTO 2016-36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016; Robshaw, M., Katz, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9814, pp. 64–94. [Google Scholar] [CrossRef]
  33. Cogliati, B.; Lampe, R.; Seurin, Y. Tweaking Even-Mansour Ciphers. In Proceedings of the Advances in Cryptology-CRYPTO 2015-35th Annual Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 2015; Gennaro, R., Robshaw, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9215, pp. 189–208. [Google Scholar] [CrossRef]
  34. Cogliati, B.; Seurin, Y. Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing. In Proceedings of the Advances in Cryptology-ASIACRYPT 2015-21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, 29 November–3 December 2015; Iwata, T., Cheon, J.H., Eds.; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9453, pp. 134–158. [Google Scholar] [CrossRef]
  35. Landecker, W.; Shrimpton, T.; Terashima, R.S. Tweakable Blockciphers with Beyond Birthday-Bound Security. In Proceedings of the Advances in Cryptology-CRYPTO 2012-32nd Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; Safavi-Naini, R., Canetti, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7417, pp. 14–30. [Google Scholar] [CrossRef]
  36. Liskov, M.D.; Rivest, R.L.; Wagner, D.A. Tweakable Block Ciphers. J. Cryptol. 2011, 24, 588–613. [Google Scholar] [CrossRef]
  37. Minematsu, K. Beyond-Birthday-Bound Security Based on Tweakable Block Cipher. In Proceedings of the Fast Software Encryption, 16th International Workshop, FSE 2009, Leuven, Belgium, 22–25 February 2009; Dunkelman, O., Ed.; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5665, pp. 308–326. [Google Scholar] [CrossRef]
  38. Chakraborty, D.; Sarkar, P. A General Construction of Tweakable Block Ciphers and Different Modes of Operations. IEEE Trans. Inf. Theory 2008, 54, 1991–2006. [Google Scholar] [CrossRef]
  39. Liskov, M.D.; Rivest, R.L.; Wagner, D.A. Tweakable Block Ciphers. In Proceedings of the Advances in Cryptology-CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2002; Yung, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2442, pp. 31–46. [Google Scholar] [CrossRef]
  40. Namprempre, C.; Rogaway, P.; Shrimpton, T. Reconsidering Generic Composition. In Proceedings of the Advances in Cryptology-EUROCRYPT 2014-33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 11–15 May 2014; Nguyen, P.Q., Oswald, E., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8441, pp. 257–274. [Google Scholar] [CrossRef]
  41. Xu, Y.; Liu, W.; Yu, W. Quantum forgery attacks on COPA, AES-COPA and marble authenticated encryption algorithms. Quantum Inf. Process. 2021, 20, 131. [Google Scholar] [CrossRef]
  42. Bossuet, L.; Mancillas-López, C.; Ovilla-Martinez, B. Pipelined Hardware Implementation of COPA, ELmD, and COLM. IEEE Trans. Comput. 2020, 69, 1533–1543. [Google Scholar] [CrossRef]
  43. Ashur, T.; Dunkelman, O.; Luykx, A. Boosting Authenticated Encryption Robustness with Minimal Modifications. In Proceedings of the Advances in Cryptology-CRYPTO 2017-37th Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10403, pp. 3–33. [Google Scholar] [CrossRef]
  44. Li, Y.; Leurent, G.; Wang, M.; Wang, W.; Zhang, G.; Liu, Y. Universal Forgery Attack Against GCM-RUP. In Proceedings of the Topics in Cryptology-CT-RSA 2020-The Cryptographers’ Track at the RSA Conference 2020, San Francisco, CA, USA, 24–28 February 2020; Jarecki, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2020; Volume 12006, pp. 15–34. [Google Scholar] [CrossRef]
Figure 1. “Encryption-Mix-Encryption”-type nonce-based authenticated encryption modes with polynomial intermediate checksum (PIC).
Figure 1. “Encryption-Mix-Encryption”-type nonce-based authenticated encryption modes with polynomial intermediate checksum (PIC).
Mathematics 12 01011 g001
Figure 2. TBC-based COPA-PIC: COPA-PIC[ E ˜ ], where E ˜ is a TBC and T A is the authentication of associated data A, i.e., T A = P M A C 1 [ E ˜ ] ( A ) . If there are no associated data, then set T A = 0 .
Figure 2. TBC-based COPA-PIC: COPA-PIC[ E ˜ ], where E ˜ is a TBC and T A is the authentication of associated data A, i.e., T A = P M A C 1 [ E ˜ ] ( A ) . If there are no associated data, then set T A = 0 .
Mathematics 12 01011 g002
Figure 3. TBC-based PMAC1: PMAC1[ E ˜ ].
Figure 3. TBC-based PMAC1: PMAC1[ E ˜ ].
Mathematics 12 01011 g003
Figure 4. Blockcipher-based COPA-PIC: COPA-PIC[E], where T A = P M A C 1 ( A ) and L = E K ( N ) .
Figure 4. Blockcipher-based COPA-PIC: COPA-PIC[E], where T A = P M A C 1 ( A ) and L = E K ( N ) .
Mathematics 12 01011 g004
Figure 5. Blockcipher-based PMAC1: T A = P M A C 1 ( A ) , where L = E K ( N ) .
Figure 5. Blockcipher-based PMAC1: T A = P M A C 1 ( A ) , where L = E K ( N ) .
Mathematics 12 01011 g005
Figure 6. Permutation-based COPA-PIC: COPA-PIC[ π ], where T A = P M A C 1 [ π ] ( A ) and L = π ( N | | K ) .
Figure 6. Permutation-based COPA-PIC: COPA-PIC[ π ], where T A = P M A C 1 [ π ] ( A ) and L = π ( N | | K ) .
Mathematics 12 01011 g006
Figure 7. Permutation-based PMAC1: T A = P M A C 1 [ π ] ( A ) , where L = π ( N | | K ) .
Figure 7. Permutation-based PMAC1: T A = P M A C 1 [ π ] ( A ) , where L = π ( N | | K ) .
Mathematics 12 01011 g007
Table 1. Comparison between COPA and COPA-PIC for a-block associated data and l-block plaintext, where # Encryption, # Decryption, and # Verification, respectively, stand for the number of invoking underlying primitives in the encryption, decryption, and verification algorithms, and n is the block size.
Table 1. Comparison between COPA and COPA-PIC for a-block associated data and l-block plaintext, where # Encryption, # Decryption, and # Verification, respectively, stand for the number of invoking underlying primitives in the encryption, decryption, and verification algorithms, and n is the block size.
SchemesChecksum Technique# Encryption# Decryption# Verification
COPAPCC a + 2 l + 2 a + 2 l + 2 a + 2 l + 2
COPA-PICPIC a + 2 l + 2 a + 2 l + 2 a + l + 2
SchemesSecuritySecurity BoundRateReference
COPAINT-CTXT O ( 2 n / 2 ) 1/2 [8]
COPA-PICINT-RUP O ( 2 n / 2 ) 1/2This paper
Table 2. Comparison of AE modes with distinct checksum techniques.
Table 2. Comparison of AE modes with distinct checksum techniques.
SchemeSecurityChecksum TechniqueRateReference
OCBINT-CTXTPCC1 [5,6,7]
CPFBINT-CTXTPCC3/4 [11]
COPAINT-CTXTPCC1/2 [8]
OCBttag-INTPCC1 [14]
OCB-ICINT-RUPIC1/2 [9]
mCPFBINT-RUPsimilar PIC3/4 [11]
COLMINT-RUPPIC1/2 [13]
LOCUSINT-RUPIC1/2 [15]
LOTUSINT-RUPIC1/2 [15]
COPA-PICINT-RUPPIC1/2This paper
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Zhang, P. Polynomial Intermediate Checksum for Integrity under Releasing Unverified Plaintext and Its Application to COPA. Mathematics 2024, 12, 1011. https://doi.org/10.3390/math12071011

AMA Style

Zhang P. Polynomial Intermediate Checksum for Integrity under Releasing Unverified Plaintext and Its Application to COPA. Mathematics. 2024; 12(7):1011. https://doi.org/10.3390/math12071011

Chicago/Turabian Style

Zhang, Ping. 2024. "Polynomial Intermediate Checksum for Integrity under Releasing Unverified Plaintext and Its Application to COPA" Mathematics 12, no. 7: 1011. https://doi.org/10.3390/math12071011

APA Style

Zhang, P. (2024). Polynomial Intermediate Checksum for Integrity under Releasing Unverified Plaintext and Its Application to COPA. Mathematics, 12(7), 1011. https://doi.org/10.3390/math12071011

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop