Are there any authenticated encryption methods that combine encryption and authentication, rather than using a separate cipher and MAC?
2 Answers
Yes. If you are looking for AEAD ciphers wrapped around a single primitive, there are several in the CAESAR competition for authenticated encryption.
AEAD ciphers based on sponge constructions notably use only a single primitive, the F-function of the sponge permutation. These include NORX, Keyak, PRIMATEs-APE, and ICEPOLE, which are the 4 I find most interesting.
All of these use a central permutation, which generates a stream to encrypt the plaintext, accepts the plaintext to change the stream generation state, and finally generates the authentication tag.
Keyak also offers the ability to generate intermediate tags, so a ciphertext error can be caught before transmission is complete. NORX, ICEPOLE, and Keyak offer a parallel sponge mode to improve performance, and PRIMATEs-APE and ICEPOLE offer a secret message number to make them nonce misuse resistant under certain conditions. I believe Keyak has been modified to offer incremental addition of associated data, which PRIMATEs-APE also offers.
I have not looked at the permutation based ciphers, but they may also be built from a single primitive.
It is possible to build a block cipher mode to create a single primitive AEAD cipher, but it would have a performance deficit against purpose built ciphers. I built one over AES, and it is reasonably fast, almost as fast as OCB per block with longer startup and finalization. Making it purpose built around the AES round function makes it even faster than OCB with hardware acceleration, but as a mode it can be used with any 128-bit block cipher. My motivation was the complexity of generating the OCB offsets in 32-bit code.
Whether the algorithms are "separate" or not is a matter of definition. E.g. in TLS, unlike non-AEAD ciphersuites, the GCM and ChaCha-Poly suites use a single key for both encryption and decryption because they have structure beyond just encrypt-then-MAC. You can quite naturally take that to mean they are a single algorithm.
There are some algorithms where it would be quite difficult to argue that they are not a single algorithm. In particular, those asynchronous stream ciphers that also authenticate. Examples of this are the (somewhat broken) Helix cipher as well as the encryption mode suggested for Keccak/SHA-3 or the sponge-construction in general.
However, even in those cases you can define a separate encryption and authentication function by keeping different parts of the ciphertext. They just "happen to" be computed in nearly the same time together as separately.
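An added example (not from either answer, and not the code of any CAESAR candidate): a minimal duplex-sponge AEAD in which one permutation supplies the keystream, absorbs the message, and emits the tag, as the first answer describes and as the sponge mode in the second answer works. `permute` is a toy ARX permutation constructed for illustration and is not secure; the names `seal` and `open_sealed`, the 16-byte rate, and the padding and domain-separation bytes are assumptions of this sketch.

```python
import hmac, struct

RATE, MASK = 16, 0xFFFFFFFF   # 32-byte state: 16-byte rate + 16-byte capacity

def permute(state):
    """Toy ARX permutation standing in for the sponge F-function. NOT secure."""
    w = list(struct.unpack("<8I", state))
    for rnd in range(12):
        w[0] ^= rnd + 1                                       # round constant
        for i in range(8):
            j = (i + 1) % 8
            w[i] = (w[i] + w[j]) & MASK
            x = w[j] ^ w[i]
            w[j] = ((x << (7 + i)) | (x >> (25 - i))) & MASK  # rotate left by 7+i
    return struct.pack("<8I", *w)

def duplex(state, data, mode):
    """Feed data through the sponge; mode is 'ad' (absorb only), 'enc' or 'dec'."""
    out = b""
    for i in range(0, len(data) + 1, RATE):   # final block is always short, so always padded
        blk, rate = data[i:i + RATE], state[:RATE]
        mixed = bytes(a ^ b for a, b in zip(blk, rate))   # rate bytes act as keystream
        out += mixed
        absorbed = blk if mode == "dec" else mixed        # state takes the ciphertext either way
        tail = rate[len(blk):]
        if tail:
            tail = bytes([tail[0] ^ 0x80]) + tail[1:]     # padding marker
        state = permute(absorbed + tail + state[RATE:])
    return state, out

def _run(key, nonce, ad, data, mode):
    if len(key) != 16 or len(nonce) != 16:
        raise ValueError("key and nonce must be 16 bytes each")
    state = permute(key + nonce)
    state, _ = duplex(state, ad, "ad")
    state = state[:-1] + bytes([state[-1] ^ 1])           # domain separation: AD vs message
    state, out = duplex(state, data, mode)
    state = permute(state[:-1] + bytes([state[-1] ^ 2]))  # finalise
    return out, state[:RATE]                              # tag squeezed from the same state

def seal(key, nonce, ad, plaintext):
    ct, tag = _run(key, nonce, ad, plaintext, "enc")
    return ct + tag

def open_sealed(key, nonce, ad, boxed):
    ct, tag = boxed[:-RATE], boxed[-RATE:]
    pt, expected = _run(key, nonce, ad, ct, "dec")
    if not hmac.compare_digest(tag, expected):            # constant-time tag comparison
        raise ValueError("authentication failed")
    return pt
```

Because every ciphertext block is folded back into the state before the next keystream block is produced, identical plaintext blocks encrypt differently, and any change to the ciphertext or associated data changes the final tag.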