Parallel authenticated encryption with the duplex construction

The authentication encryption (AE) scheme based on the duplex construction can no be paralellized at the algorithmic level. To be competitive with some block cipher based modes like OCB (Offset CodeBook) or GCM (Galois Counter Mode), a scheme should allow parallel processing. In this note we show how parallel AE can be realized within the framework provided by the duplex construction. The first variant, pointed by the duplex designers, is a tree-like structure. Then we simplify the scheme replacing the final node by the bitwise xor operation and show that such a scheme has the same security level. 1 Duplex construction In 2010 Bertoni et al. introduced the duplex construction which provides the framework for an authenticated encryption scheme [3]. In this section we briefly discuss the construction with focus on the authenticated encryption. The duplex construction can be seen as a particular way to use the sponge construction [2], hence it inherits its security properties. The construction is based on the fixed permutation (or transformation) and allows the alternation of input and output blocks at the same rate as the sponge construction. Figure 1 shows the duplex construction. Similarly as in the sponge construction, there are two parameters: r (bitrate) and c (capacity). The sum of those two parameters makes the state size. Different values for bitrate and capacity give trade-offs between speed and security. A higher bitrate gives a faster construction at the expense of a lower security. Upon initialization all the bits of the state are set to zero. The duplex construction accepts input calls (denoted by in in Figure 1) to the underlying permutation f . The padded input strings have the size of r bits. After a call to the permutation f , an output r-bit string is returned (denoted by zn in Figure 1). Please note that the capacity part of the state is never directly manipulated by an input string in, nor is included in output strings zn. The authentication encryption scheme with associated data (AEAD) can be realized with the duplex construction. A secret key K, and message blocks Bi (optionally with associated data Ai) are processed as follows. Fig. 1. Duplex construction r f c pad i0 z0 pad i1