A Blockcipher Based Authentication Encryption

Authentication encryption (AE) is a procedure that satisfies both privacy and authenticity of data. It has many applications in the field of secure data communication, such as digital signatures, IP security, data authentication, e-mail security, and the security of pervasive computing. Additionally, AE is a potential security primitive for IoT end devices, RFID, and constrained devices. Although there are many constructions of AE, the most important argument is whether an AE is secure under nonce reuse or only when nonce-respecting. To our understanding, McOE is the pioneering construction of nonce-reuse AE. Following it, many schemes have been proposed, such as APE, PoE, TC, COPA, ElmE, ElmD, COBRA, and Minalphar. However, Hoang et al. (OAE1) claimed that the concept of nonce reuse in AE is neither secure nor proper. Hence, the door is re-opened for nonce-respecting AE. Moreover, a construction of AE should satisfy the properties of efficiency and an upper security bound, because of the power and memory limitations of constrained devices. Therefore, we propose a blockcipher-based AE that satisfies an upper privacy security bound ($Priv = O(2^{2n/3})$) and operates in parallel mode. It does not need a decryption oracle in the symmetric encryption module of the AE. The proposed construction is padding-free. Furthermore, the efficiency-rate of the proposed scheme is 1.


Introduction
Authentication encryption (AE) is a procedure in which a sender sends data to a receiver in such a way that the receiver can identify whether the data has been altered [1][2][3]. Additionally, AE checks the originality of the sender as well as of the message. There are many applications of AE in the field of secure communication, such as digital signatures, IP security, data authentication, e-mail security, and IoT [18][19][20][21]. Furthermore, AE is a potential primitive of cryptographic solutions for resource-constrained devices and IoT end devices [36][37][38]. For example, there are numerous senders and receivers in the domain of data communication [4][5][6][7][8]; hence, it is infeasible and expensive to establish a private network for all parties [2,3,6,7,8]. Under this circumstance, the only way is to implement a security solution over the public network that ensures the privacy and authenticity of the data. Generally, AE has two components: symmetric encryption (SE) and a message authentication code (MAC) [1,2,3,7]. The syntax of SE is SE(K, M) → C, where K, M, and C denote the key, message, and ciphertext respectively [2,3,9,10,30]. Moreover, the MAC comprises tag generation (T) and verification, MAC(K, C) → T and Verf(K, C, T) → M or ⊥. Usually, symmetric encryption ensures the privacy of the data, while the authenticity of the data is preserved by the MAC [2,3,30]. For example, a doctor D1 needs to send the medical report of a patient (P) to a doctor D2 for consultation (Fig. 1). Under this circumstance, it is mandatory to protect the confidentiality of the patient's report and record. Moreover, the originality of doctor D1 also needs to be verified, i.e. that D1 is a valid sender. The combination of the two components of AE achieves both goals.
Therefore, in summary, the functions of AE are:
- the receiver can perceive altered data
- it is infeasible for an adversary to succeed in forgery
- it is infeasible for an adversary to retrieve the entire message

AE is constructed either from scratch or from a blockcipher [2,3,16,17,18,19]. Usually, blockcipher-based AE is more suitable than scratch-based AE because a blockcipher is implemented directly rather than a dedicated encryption function [20][21][22][23]. Nowadays, the applications of IoT end devices, RFID, and resource-constrained devices are increasing exponentially [11][12][13][14][15]. However, these devices have the drawbacks of limited memory, power, and processing capacity [7,12,20,21]. Therefore, blockcipher-based AE is more relevant because of its light operation [21,24,36,37]. On the other hand, there are certain ISO standards of cryptographic primitives for IoT end devices and resource-constrained devices, namely ISO/IEC 29192-1, ISO/IEC 29192-2, ISO/IEC 29192-3, and ISO/IEC 29192-4 [31][32][33]. In addition, ISO/IEC 29192-2 directs the blockcipher as a core cryptographic primitive for low-resource devices. Furthermore, certain sizes of blockciphers, security parameters, and resource utilizations have been emphasized by the above standards. Later, ISO/IEC 29192-5 emphasized the encrypted lengths 80, 128, 160, and 256 bits for IoT end devices and resource-constrained devices [32,33]. Usually, both traditional blockciphers and lightweight ciphers satisfy the above encryption sizes [31][32][33]. Thus, an efficient construction of blockcipher-based authentication encryption with an upper security bound is required.

Table 1. Comparison study of the proposed scheme and others [18][19][20][21][22][23][24][25][26][35][36][37][38]. Columns: Scheme Name, Mode, D.O., FME, Padding, r, PRF Security, #E. Legend: FME: flexible size of message encryption per iteration; r: efficiency-rate; P, S: parallel or serial operational mode; D.O.: decryption oracle; #E: total number of blockciphers used; a, m: each block of associate data and message; Y: yes, N: no.

Motivation
There are many schemes of authentication encryption (AE), such as McOE, OCB, OTR, COPE, PoE, OAE1, OAE2, COBRA, CLOC, and SILC [18][19][20][21][22][23][24][34][35][36][37]. Among these, OCB is one of the pioneering constructions, and it is also based on a blockcipher [22]. The strong features of OCB are parallel operation and efficiency (r = 1). The privacy security of this scheme is bounded by $O(2^{n/2})$. However, OCB needs a decryption oracle, which increases the overhead cost of the authentication encryption process [38]; hence, the actual efficiency of OCB is reduced [38]. On evaluating OCB, Minematsu proposed the scheme OTR [38], which overcomes the above drawback (the decryption oracle) of OCB. Furthermore, OTR satisfies an upper efficiency-rate (r = 1) with a reasonable privacy security bound, $Priv = O(2^{n/2})$. In addition, OCB and OTR follow the nonce-respecting construction. On the other hand, the McOE scheme brought a breakthrough in the domain of nonce-reusing AE [21]. Thereafter, a number of schemes have been proposed based on the properties of McOE, such as COPA, PoE, APE, and ELmE [20,35]. However, Hoang et al. showed that the concept of nonce reuse is no longer secure for any online authentication scheme [35]. In addition, Hoang et al. claimed that the online characteristic is a parameter of efficiency [35]. Therefore, a window is re-opened for off-line and nonce-respecting AE. Furthermore, McOE needs a decryption oracle and its privacy security is bounded by $O(2^{n/2})$. Most recently, there have been two more proposals, CLOC and SILC [36,37]. The constructions of CLOC and SILC are good for short messages, and these two schemes are free of the decryption oracle. However, the operation mode of CLOC and SILC is serial. According to Table 1 and the above discussion, the privacy security of most authentication schemes is bounded by $O(2^{n/2})$. Furthermore, many schemes need a decryption oracle.
Additionally, a padding mechanism is necessary for the symmetric encryption module of AE when the message length and the block length are not equal. However, the padding technique itself has certain disadvantages [2,3]; in particular, there is a common attack called the length extension attack [2,3,26,27]. Therefore, we outline our motivations as follows:
• higher efficiency and an upper security bound
• competitive mode
• free of the decryption oracle in the encryption and decryption module
• flexible size of message encryption allowed
• no padding
• minimization of blockcipher calls
• efficient and low-cost primitive

Contribution
In this paper, we present a construction of authentication encryption. Our proposed scheme is based on a blockcipher-based compression function. Furthermore, our scheme is a nonce-respecting authentication encryption that includes associate data. The symmetric encryption module of the proposed scheme is a variant of OCB, and the MAC module follows a variant of PMAC plus. The achievements of the proposed scheme are listed below:
• efficiency-rate = 1
• parallel mode
• free of the decryption oracle in the encryption and decryption module
• flexible size of message encryption (FME) allowed
• no padding
• $Priv = O(2^{2n/3})$
• fewer blockcipher calls
• blockcipher-based compression function
• nonce respecting, including associate data

Organization
We define preliminaries in section 2. The proposed scheme's definition and the corresponding security notions are given in section 3. The security proof of the proposed construction is given in section 4. Furthermore, the summary is given in section 5.

Preliminaries including security notions

Fundamental Notations
Let X and Y be finite-length strings from the sets X and Y. Additionally, C and T are the sets, with uniform distribution, of the strings of ciphertext (C) and MAC (T: tag). Let N, AD, and M denote the spaces of nonce, associate data, and message. Furthermore, K and n denote the key and the block length. In addition, certain operators are used in the proposed authentication encryption, such as ⊕ (XOR). Additionally, we use a defined function operator CS(·) in the encryption and decryption module. The operation of CS(·) is complement followed by bitwise left-shift. For example, we generate α and β before encryption or decryption (Fig. 2). The values of α and β are used in each iteration of the encryption or decryption module. Furthermore, these values should be different in every iteration for a tight security bound [18,19,22,38]; thus, they can be used as a counter or as a unique nonce and associate data. Literally, the function operator CS(·) takes the value of α and returns a one-bit left-shift of its complement when i = 1, where i is the iteration number. As i increases, the left-shift is also increased bitwise according to the value of i. In each iteration, the outputs of CS_i(α) and CS_i(β) are defined as p_i and q_i, where i ≤ l (Fig. 2). Another parameter we define is τ, which is created as a by-product of the encryption/decryption module. Generally, a τ_i is created in each iteration. Thereafter, the XOR of all τ_i is used for tag generation (Fig. 3).
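The CS(·) operator and the distinctness requirement stated above, as an added illustration (not code from the paper). It assumes CS_i(x) means "complement x, then shift left by i bits" inside an n-bit word with a plain shift rather than a rotation; the paper does not fix the word width, so that is an assumption as well.

```python
"""Model of the CS(.) operator from the Fundamental Notations.

Added illustration, not the paper's code.  Assumption: CS_i(x) is read as
"complement x, then shift left by i bits" inside an n-bit word (a plain
shift, so bits pushed beyond position n are discarded, not rotated back).
"""


def cs(x: int, i: int, n: int) -> int:
    """CS_i(x): bitwise complement of the n-bit value x, then left-shift by i."""
    mask = (1 << n) - 1
    comp = (~x) & mask           # complement inside the n-bit word
    return (comp << i) & mask    # shift and drop bits beyond n


def per_iteration_values(alpha: int, beta: int, l: int, n: int):
    """Return the lists p_i = CS_i(alpha) and q_i = CS_i(beta) for 1 <= i <= l."""
    p = [cs(alpha, i, n) for i in range(1, l + 1)]
    q = [cs(beta, i, n) for i in range(1, l + 1)]
    return p, q


def find_collision(alpha: int, beta: int, l: int, n: int):
    """Return the first pair of labels (e.g. ('p_1', 'q_3')) whose values
    coincide across the l iterations, or None if every value is distinct."""
    p, q = per_iteration_values(alpha, beta, l, n)
    seen = {}
    for i, (pi, qi) in enumerate(zip(p, q), start=1):
        for label, value in ((f"p_{i}", pi), (f"q_{i}", qi)):
            if value in seen:
                return seen[value], label
            seen[value] = label
    return None


def all_distinct(alpha: int, beta: int, l: int, n: int) -> bool:
    """The requirement the text states: every p_i and q_i used over the l
    iterations must differ from every other one (including p_i != q_i)."""
    return find_collision(alpha, beta, l, n) is None


if __name__ == "__main__":
    # Constructed toy parameters: 8-bit word, three iterations.
    n, l = 8, 3
    print(per_iteration_values(0x2C, 0xA5, l, n))   # distinct values
    print(find_collision(0x2C, 0xA5, l, n))          # None
    # Two inputs a deployment would have to reject under this reading:
    # an all-ones alpha (complement is zero) and l >= n (shift empties the word).
    print(find_collision(0xFF, 0xA5, l, n))          # ('p_1', 'p_2')
    print(find_collision(0x2C, 0xA5, n, n))          # a collision at i = n
```

Under this reading the check is worth running on the chosen α, β and l, since a complement with trailing zero bits or l approaching n repeats a value and violates the per-iteration uniqueness the bound relies on.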

Blockcipher
A blockcipher (n, k) consists of a pair of algorithms, where n and k are the block and key length. Usually, a query to the blockcipher is (m, k) and the output is c, where the key selects a random permutation. Hence, the triplet (m, k, c) is the combined form of m, k, and c. Additionally, in principle the blockcipher oracle does not permit a repeated query or triplet. For example, if (m_1, k_1) → c_1 has been queried to the oracle, then (c_1, k_1) → m_1 is not permitted to be asked of the oracle. Let Block(n, k) be the set of all blockciphers of (n, k) according to the ICM [28,29]. Generally, an adversary A tries to explore the encrypted plaintext under a given key. However, retrieving information about the desired plaintext using a different key set is infeasible for the adversary. Moreover, finding the actual plaintext or message is infeasible for A if the blockcipher changes [28][29][30]. Usually, PRP security comes from the property of the blockcipher [22][23][24]. Hence, the PRP security of a blockcipher Block(n, k) is defined as the success probability of an adversary A that tries to distinguish between the output of the blockcipher oracle and a random permutation oracle [22][23][24][28][29][30].

Authentication Encryption
The authentication encryption is denoted AE. Generally, there are two algorithms under AE, encryption and decryption (the MAC is included in both). Furthermore, Algorithm 1 defines them as E-AE and D-AE. The algorithm E-AE takes a nonce and associate data together with a message and returns a ciphertext, whereas message recovery and tag verification are executed by the module D-AE, which returns the message if verification succeeds and ⊥ otherwise. In this section, we define only the basic encryption and decryption module. Later, the modified versions of E-AE and D-AE (Algorithm 1) will be used in the symmetric encryption module of the proposed construction.
secret key space. On the other hand, a random function F_R is chosen randomly and uniquely from all functions X → Y with the same domain and range as F_K. The PRF security is defined as the success probability of distinguishing between F_K and F_R. For example, there is a distinguisher Dt that can interact with both the oracle of F_K and that of F_R. Hence, the advantage of the PRF security of F_K over F_R is defined as follows: The first probability of (1) is taken over $K \leftarrow_\$ \{0,1\}^k$ and the second probability is taken over $F_R: X \xrightarrow{\$} Y$. Thus, F_K is PRF secure iff the advantage of Dt is small. Moreover, F_K and F_R are respectively considered the real and the ideal world.

PRP Security
Let the blockcipher Block(n, k) be a pseudo-random permutation. On the other hand, there is a random permutation RP such that $RP \leftarrow_\$ \mathrm{Pm}(n)$, where Pm denotes the set of permutations. Therefore, PRP security means the winning probability of differentiating between Block(n, k) and RP. We assume that dT is a distinguisher that can interact with the oracles of Block(n, k) and RP. Thus, the advantage of PRP security is defined as follows: The first probability depends on $K_E \leftarrow_\$ \{0,1\}^k$ and the latter one is based on $RP \leftarrow_\$ \mathrm{Pm}(n)$.

Proposed Authentication Encryption Scheme
We define our proposed construction of blockcipher-based authentication encryption as AE_PT (P: parallel, T: tag). The proposed AE_PT has three modules, M_1, M_2, and M_3. Informally, M_1, M_2, and M_3 are respectively the initialization of nonce and associate data, encryption including tag generation, and decryption including verification. Formally, the proposed scheme is AE_PT = (M_1 | Initialization, E-AE_PT, D-AE_PT). Furthermore, the key, nonce, associate data, message, ciphertext, and tag respectively come from the spaces of Our scheme is a variant of OCB, where the symmetric key encryption module follows CTR mode using a unique nonce and AD. Moreover, the tag generation or MAC function follows a variation of the PMAC plus construction.
We use Algorithms 2, 3, and 4 for the formal definition of M_1, M_2, and M_3. Additionally, the basic encryption and decryption module comes from Algorithm 1. In addition, we use two key sets, K_1 and K_2, for the encryption and decryption module. Thereafter, the key sets K_3 and K_4 are used in the tag generation and verification process. Although the decryption oracle is not needed in the entire procedure of the proposed AE, it is needed only for re-generating the tag in the verification process.
|M| + T. Therefore, the privacy advantage is defined as follows: Adv_priv, where the first probability is taken over $K \leftarrow_\$ \mathcal{K}_{AE_{PT}}$ and the second one is based on the random-bits oracle including the randomness of A. Furthermore, the adversary uses a unique nonce and associate data; in principle, the adversary cannot make a duplicate query.

Authenticity notion of AE_PT
The authenticity notion is based on AE_PT = (E-AE_PT, D-AE_PT). Let the adversary A have access to the encryption and decryption oracles E-AE_PT and D-AE_PT. The input of the encryption oracle is (N, A, M). Furthermore, the decryption oracle takes (N, A, C, T). The advantage of authenticity is defined as follows: where the probability is taken over $K \leftarrow_\$ \mathcal{K}_{AE_{PT}}$ and the randomness of A. Furthermore, A forges if the decryption oracle returns a message string for a query (N, A, C, T) when (C, T) was not an output of the encryption oracle. More specifically, the adversary succeeds under the condition (N_i, A_i, C_i, T_i) ≠ (N_j, A_j, C_j, T_j). In principle, the adversary does not make a query (N′, A′, C′, T′) to the decryption oracle if (C′, T′) ← (N′, A′, M′) was a response of the encryption oracle. Additionally, the adversary uses a unique nonce and AD.

Privacy Security Analysis
The privacy of AE_PT is defined as the success probability of an adversary A in distinguishing between the ciphertext and a uniformly distributed string. Furthermore, A uses a unique nonce and associate data. The privacy security is formalized through a set of games. We take a pair of games for each step, gradually moving forward by pairs of games and finding the success probability of distinguishing between the two games of each pair. Thus we will show that the difference between two oracles is nominal. Let A be an adversary that makes q queries (N_1, A_1, M_1), ..., (N_q, A_q, M_q). Moreover, A is a nonce-respecting adversary that uses unique AD. The total length of the message is σ = 2l, where l is the number of iterations (two message blocks per iteration). In principle, we follow the proof technique of [22][23][24][39] adapted to our scheme's properties.

Theorem 1. Let AE_PT be the proposed authenticated encryption with encryption algorithm E-AE_PT, where n ≥ 1. An adversary A is allowed to access a random-bits oracle and E-AE_PT. Furthermore, adversary A can make up to q queries, and the total message length is σ = 2l. The advantage of A is its probability of distinguishing E-AE_PT from the random-bits oracle $. Hence, the advantage of the adversary is bounded as follows:

$$\mathrm{Adv}^{priv}_{AE_{PT}}(A) \le \frac{\sigma(\sigma+1)}{2^{2n}} + \frac{3}{2^{n}}$$

Proof. We use a sequence of games that have different targets and goals. The final goal is to bound the advantage of the adversary against the privacy of the proposed AE. Our approach is simple: we start with a game G_A, which executes the proposed scheme AE_PT, and our final game is G_E, whose task is to simulate the random oracle. We move forward by taking pairs of consecutive games, and our target is to distinguish the two games of each pair. The success probability of distinguishing two consecutive games is defined as the advantage of the adversary. In this way, we reach the final game G_E.
Thus, we show that the adversarial advantage of distinguishing the most recent game from the last game is nominal. Moreover, we take all the success probability values, calculate their union bound, and obtain the provable privacy security bound of the proposed scheme.
Our construction is based on a blockcipher compression function. Therefore, the output of each iteration, including the input, should be unique. If a current output collides with a previous entry, then the adversary wins. Accordingly, an event WIN is defined for an adversarial win. Moreover, if WIN occurs, a new and fresh value is taken from the random oracle, and the colliding data/value is eliminated from the oracle of the proposed scheme AE_PT. Thereafter, the success probability of the event WIN gives the advantage of the adversary in distinguishing the consecutive pair of games. Additionally, we use the PRF/PRP switching method in the security proof [34].
On the other hand, we use a variant of PMAC-plus for MAC generation [23]. Therefore, two blockciphers are used to generate a tag (T), and for better security we use two key sets under the two blockciphers. The generation of the MAC depends on the XOR of all ciphertexts (C_i) and the XOR of all τ_i; these two values are used as the inputs of the blockciphers. Thereafter, the output (size: 2n bits) is produced and XORed with the most recent values of CS(·). Thus, security better than the birthday bound can be achieved. Generally, the collision resistance of a blockcipher is defined as the infeasibility, for an adversary, of finding the same output for two different inputs [1][2][3]. In this section, we play the games pairwise, and the success probability of the adversary is given by the event WIN. At first, we take the proposed scheme and game G_A.

GAME G_A. G_A inherits the proposed scheme AE_PT. Moreover, G_A takes N, A, M as input parameters, and the corresponding responses are C, T. In contrast, the queries of AE_PT use a random function. Therefore,

GAME G_B. Let the queries of RP belong to a random function. Thus, the game G_B provides random output. However, the uniqueness of the output cannot be guaranteed with a random function. Furthermore, if any collision with a previous response occurs, the event WIN is called. Therefore, the advantage of the adversary is to distinguish between the games G_B and G_A, and the success probability of the event WIN is the advantage of the adversary. All queries of RP for AE_PT are stored in the database D_AE_PT, where RP is queried σ times by AE_PT. Therefore, the advantage of the adversary is:

GAME G_C. In this section, the proposed scheme AE_PT inherits the random function. Furthermore, the database D_AE_PT is updated and synchronized. Therefore, the games G_C and G_B are indistinguishable from the adversary's point of view. As a result, the advantage of the adversary is as follows:

GAME G_D.
We use the PRF/PRP switching technique [34] in this section. The ciphertext should be indistinguishable from the random oracle. According to the definition of our AE construction, the ciphertext is created by XORing the blockcipher compression output with the message. Although the adversary can control the message, it cannot control the output of the blockcipher. In addition, the nonce and associate data are unique. Therefore, there are four cases in which a collision can occur (Fig. 4, 5). If a collision occurs, the event WIN is raised for the adversary.

Case-1. In this case, we evaluate the probability of a collision in the blockcipher output. For example, the pair of outputs is X_i and Y_i (i ≤ l). Thus, two types of collision can occur: a double query and a single query.
• SubCase-1 (double query). The requirements for a collision under this sub-case are two different queries for iterations i, j (i ≥ j) and the same output for the inputs of any two queries. For example, the outputs are X_i and Y_i for iteration i, and X_j and Y_j are the outputs of the j-th iteration. Thus, there is a chance of a collision X_i = X_j or Y_j, or Y_i = X_j or Y_j (Fig. 4). If a collision occurs, the event is called. Moreover, random and uniform values are drawn from the sets X and Y, and these new values replace the colliding values. The success probability of the event WIN is:
• SubCase-2 (single query). The outputs of the i-th iteration are X_i and Y_i. Therefore, there is a chance of a collision X_i = Y_i. Thereafter, the event WIN is called for the adversary's success. Moreover, the colliding values are replaced by random and uniform values (Fig. 4). The success probability of WIN under this sub-case is:

Case-2. According to the definition of our construction, the nonce is unique for each iteration. Thus, the XOR of the blockcipher output and the nonce is random. However, there is a chance of a collision such as $\tau^1_i = \tau^1_j$ or $\tau^2_j$, and $\tau^2_i = \tau^1_j$ or $\tau^2_j$. The event WIN is defined if a collision occurs. Thereafter, the colliding values are replaced by values from the random and uniform distribution U(τ) (Fig. 4).

Case-3. This case evaluates tag collisions. Generally, two different blockciphers with two unique key sets are used to generate the tag. For example, the random value of the ciphertext (C) and the most recent CS(·) value are used to generate the tag. Therefore, there is a chance of a collision between t_1 and t_2 (Fig. 5).
If a collision occurs, the event WIN is defined. The advantage of the adversary is the probability of the event WIN. Therefore, the advantage is:

$$\Pr[WIN] = 2/2^{n} \quad (9)$$

Case-4. The final tag is produced by XORing t_1, t_2 and (α ⊕ β). If t_1 and t_2 are random, then the XOR output T is also random. However, there is a chance of a collision T = T′. Hence, the probability of the event WIN is: Adding the values of (6), (7), (8), (9), and (10), we get the advantage of distinguishing the games G_C and G_D.
GAME G_E. G_E simulates the random oracle model. The database D_AE_PT is updated and synchronized after the operation of game G_D. Therefore, all current entries are random and uniformly distributed. Hence, the games G_D and G_E are identical from the adversary's point of view, so the advantage of the adversary in distinguishing the games G_E and G_D is: Therefore, taking the union bound of (4), (6), (7), (8), (9), and (10), Theorem 1 is satisfied.
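The G_A to G_B step above, in which the ideal blockcipher (a random permutation) is swapped for a random function and WIN fires on an output collision, as an added simulation that is not the paper's code. It abstracts the scheme to σ distinct oracle queries, uses a small constructed block size n so that collisions are observable, and compares the measured Pr[WIN] against the standard PRF/PRP switching term σ(σ−1)/2^(n+1); that comparison term is our choice, not the paper's stated bound.

```python
"""Toy simulation of the G_A -> G_B step: a random permutation is replaced
by a random function, and WIN fires when a fresh output repeats an earlier
one.  Added illustration, not the paper's code; n and sigma are small
constructed parameters chosen so that collisions are actually observable."""
import random


def lazy_random_function(rng, n):
    """Random function {0,1}^n -> {0,1}^n, sampled lazily (game G_B oracle)."""
    table = {}

    def f(x):
        if x not in table:
            table[x] = rng.getrandbits(n)
        return table[x]
    return f


def lazy_random_permutation(rng, n):
    """Random permutation on {0,1}^n, sampled lazily (ideal blockcipher, G_A)."""
    table, used = {}, set()

    def p(x):
        if x not in table:
            y = rng.getrandbits(n)
            while y in used:          # resample until the output is fresh
                y = rng.getrandbits(n)
            table[x] = y
            used.add(y)
        return table[x]
    return p


def win_event(oracle, sigma):
    """Issue sigma distinct queries; WIN if an output collides with an earlier one."""
    seen = set()
    for x in range(sigma):
        y = oracle(x)
        if y in seen:
            return True
        seen.add(y)
    return False


def estimate_win(make_oracle, n, sigma, trials, seed=1):
    """Monte-Carlo estimate of Pr[WIN] over independent oracle instances."""
    rng = random.Random(seed)
    wins = sum(win_event(make_oracle(rng, n), sigma) for _ in range(trials))
    return wins / trials


def switching_bound(sigma, n):
    """PRF/PRP switching term sigma(sigma-1)/2^(n+1) that upper-bounds Pr[WIN]."""
    return sigma * (sigma - 1) / 2 ** (n + 1)


if __name__ == "__main__":
    n, sigma = 16, 64
    # A permutation never repeats an output on distinct inputs, so WIN is 0 in G_A.
    print("permutation Pr[WIN] =", estimate_win(lazy_random_permutation, n, sigma, 500))
    # A random function repeats with probability close to the switching term (G_B).
    print("function    Pr[WIN] =", estimate_win(lazy_random_function, n, sigma, 4000))
    print("switching bound     =", switching_bound(sigma, n))
```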

Authenticity Security Analysis
The authenticity of the AE_PT scheme is based on both the encryption and the decryption oracle. The authenticity is said to be broken when the adversary can inject (N′, A′, C′, T′) under the condition (N′, A′, C′, T′) ≠ (N, A, C, T). For example, the encryption queries are (N_1, A_1, M_1), ..., (N_q, A_q, M_q), and the list of decryption queries is (N_1, A_1, C_1, T_1), ..., (N_q, A_q, C_q, T_q). The total message lengths for encryption and decryption are respectively σ = 2l and σ′ = 2l′. Let there be an experiment $\mathrm{EXP}^{auth}_{P}$, which outputs 1 iff the adversary successfully forges (N′, A′, C′, T′) for M′ with M′ = M. Therefore,

Theorem 2. Let AE_PT be the proposed authenticated encryption, where E-AE_PT and D-AE_PT are the encryption and decryption algorithms. Furthermore, adversary A is allowed to access both oracles. Thus the advantage of A is the success probability of injecting false data instead of valid data in the defined experiment EXP. Therefore, the advantage of the adversary is bounded as follows:

$$\mathrm{Adv}^{auth}_{AE_{PT}}(A) \le \frac{\sigma(\sigma+1)}{2^{2n}} + \frac{5}{2^{n}} + \frac{\sigma^{2}}{2^{n+1}}$$

Conclusion
In this paper, we have studied the familiar constructions of authentication encryption (AE), and the applications of AE have been evaluated. Recently, AE has been considered an important cryptographic tool/primitive for the security solution of IoT end devices, RFID, and resource-constrained devices. Thus, AE should satisfy the properties of efficiency and better security. Though there are many constructions such as OCB, OTR, CLOC, SILC, APE, McOE, PoE, COPA, and COBRA, but most