The AEM Authenticated-Encryption Mode

Author

  • Phillip Rogaway
Abstract

This note specifies AEM, a mode of operation giving authenticated encryption. AEM is a refinement to Rogaway, Bellare, and Black's OCB mode [10], while OCB was, in turn, a refinement to Jutla's IAPM [5]. AEM is also a successor to the work of Gligor and Donescu [4] and to the broader line of research that has defined and investigated authenticated encryption [1, 2, 6–8]. The acronym AEM stands for authenticated-encryption mode and advanced encryption mode. Prominent characteristics of AEM are:

(1) AEM is a mode of operation parameterized by an n-bit block cipher E and a tag length τ ∈ [0 .. n].
(2) Encryption and decryption depend on an n-bit nonce N, which must be selected as a new value for each encryption. The nonce need not be random or secret.
(3) AEM allows an arbitrary header H to be specified when one encrypts or decrypts a string.
(4) The message M and header H can have any bit length, and the ciphertext C one gets by encrypting M in the presence of H will always have τ bits more than M.
(5) AEM encryption protects the privacy and authenticity of M and the authenticity of H and N.
(6) AEM uses ‖M‖ + ‖H‖ + 2 block-cipher calls, where ‖·‖ is the length of the specified string measured in n-bit blocks.
(7) If the header H is fixed during a session then, after preprocessing, there is effectively no cost to have H authenticated: the mode will use ‖M‖ + 2 block-cipher calls regardless of ‖H‖.
(8) AEM uses a single key K for the underlying block cipher, and all block-cipher calls are keyed by K.
(9) AEM is on-line: one need not know the length of H or M to proceed with encryption, and one need not know the length of H or C to proceed with decryption.
(10) AEM is parallelizable: the bulk of its block-cipher calls may be performed simultaneously.
(11) The main computational work beyond the block-cipher calls consists of one doubling operation and three xors for each n-bit block. Doubling consists of one shift and one conditional xor.
(12) If the header H is empty, no key setup is necessary or useful for AEM. If the header H is nonempty, key setup is a single block-cipher call.
(13) AEM enjoys provable security. One must assume that the block cipher E is secure in the customary (strong PRP) sense. Security falls off in σ²/2^n, where σ is the total number of blocks one acts on. Like all authenticated-encryption modes discussed in the literature, AEM becomes completely insecure if one acts on a total number of blocks approaching σ = 2^{n/2}. Care must be taken to re-key well before then. Security is also sacrificed if a nonce is re-used.

Two major factors differentiate AEM from its predecessor OCB: the first is the presence of the header H, an issue discussed in [8], and the second is the simpler way in which AEM computes offsets, which no longer involves counting the number-of-trailing-zero bits in a counter or doing any other non-constant-time
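The abstract's point (11), that per-block offsets cost one doubling (one shift plus one conditional xor) rather than a trailing-zero count, is illustrated below with added example code that is not part of Rogaway's note. Doubling means multiplying by x in GF(2^n); the code assumes n = 128 and the reduction polynomial x^128 + x^7 + x^2 + x + 1 (constant 0x87, the choice used by OCB), and the offset schedule Δ_i = 2^i · L is only a stand-in for "one doubling per block", since this page does not state AEM's exact offset formula. A branch-free variant and an independent GF(2^128) multiplier are included so the shortcut can be checked against the reference arithmetic.

```python
"""Doubling in GF(2^128) as used for block-offset schedules (added example).

Assumptions (not stated on the page): n = 128 and reduction polynomial
x^128 + x^7 + x^2 + x + 1, i.e. reduction constant 0x87.
"""

N = 128                 # block size in bits (assumed)
R = 0x87                # low bits of the reduction polynomial (assumed)
MASK = (1 << N) - 1


def double(x: int, n: int = N, r: int = R) -> int:
    """Multiply x by 2 (the polynomial x) in GF(2^n): one shift, one conditional xor."""
    if not 0 <= x < (1 << n):
        raise ValueError("input must be an n-bit value")
    shifted = x << 1
    if shifted >> n:                      # top bit fell off: reduce modulo the polynomial
        shifted = (shifted ^ r) & ((1 << n) - 1)
    return shifted


def double_ct(x: int, n: int = N, r: int = R) -> int:
    """Same map without a data-dependent branch: the xor is selected by a mask."""
    full = (1 << n) - 1
    mask = -((x >> (n - 1)) & 1) & full   # all ones iff the top bit of x is set
    return ((x << 1) & full) ^ (r & mask)


def gf_mul(a: int, b: int, n: int = N, r: int = R) -> int:
    """Reference schoolbook multiplication in GF(2^n), used to cross-check doubling."""
    prod = 0
    for i in range(n):                    # carry-less multiply
        if (b >> i) & 1:
            prod ^= a << i
    poly = (1 << n) | r                   # x^n + p(x)
    for i in range(2 * n - 2, n - 1, -1): # long division by the reduction polynomial
        if (prod >> i) & 1:
            prod ^= poly << (i - n)
    return prod


def offsets(L: int, count: int, n: int = N, r: int = R) -> list:
    """Illustrative schedule Delta_i = 2^i * L for i = 1..count: one doubling per block.

    This is a stand-in for the per-block offset derivation; the exact AEM
    formula is not given in the abstract.
    """
    out, cur = [], L
    for _ in range(count):
        cur = double(cur, n, r)
        out.append(cur)
    return out


def all_distinct(values: list) -> bool:
    """Distinct offsets are what make per-block masking useful."""
    return len(set(values)) == len(values)


if __name__ == "__main__":
    # Constructed sample value standing in for L = E_K(0) in an OCB-style mode.
    L = 0x0123456789abcdef0123456789abcdef
    deltas = offsets(L, 4)
    for i, d in enumerate(deltas, start=1):
        assert d == gf_mul(L, 1 << i)     # 2^i * L by reference arithmetic
        assert d == double_ct(deltas[i - 2] if i > 1 else L)
        print(f"Delta_{i} = {d:032x}")
```

Running the module prints four consecutive offsets and checks each against the reference multiplier; the `double_ct` variant is the form one would prefer in a real implementation, since the branch in `double` leaks whether the top bit was set.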


Related articles

Artemia: a family of provably secure authenticated encryption schemes

Authenticated encryption schemes establish both privacy and authenticity. This paper specifies a family of dedicated authenticated encryption schemes, Artemia. It is an online nonce-based authenticated encryption scheme which supports associated data. Artemia uses the permutation-based mode JHAE, which is provably secure in the ideal permutation model. The scheme does not require the in...

RSPAE: RFID Search Protocol based on Authenticated Encryption

Search protocols are among the main applications of RFID systems. Since a search protocol should be able to locate a certain tag among many tags, not only should it be secure against RFID threats but it should also be affordable. In this article, an RFID-based search protocol will be presented. We use an encryption technique that is referred to as authenticated encryption in order to boost the ...

Cryptanalysis of the TAE Mode and Its Improvement

The TAE (tweakable authenticated encryption) mode is an authenticated encryption mode which is based on a tweakable block cipher. Previous research results show that a secure tweakable block cipher is not sufficient for the security of the TAE mode. Only when the tweakable block cipher is strong will TAE be secure. Some improvements to the TAE mode are also given ...

Authenticated Encryption Mode of VEST Ciphers

This paper demonstrates operation of the authenticated encryption mode in VEST ciphers. All VEST ciphers operating in the authenticated encryption mode with infinite error propagation provide keyed message authentication at the same speed as their keystream generation, with negligible overhead and while maintaining their security ratings.

JHAE: An Authenticated Encryption Mode Based on JH

In this paper we present JHAE, an authenticated encryption (AE) mode based on the JH hash mode. JHAE is a dedicated permutation-based AE mode. We prove that this mode is provably secure in the ideal permutation model.


Publication date: 2003