Paper 2013/628

Parallelizable Rate-1 Authenticated Encryption from Pseudorandom Functions

Kazuhiko Minematsu


This paper proposes a new scheme for authenticated encryption (AE) which is typically realized as a blockcipher mode of operation. The proposed scheme has attractive features for fast and compact operation. When it is realized with a blockcipher, it requires one blockcipher call to process one input block (i.e. rate-1), and uses the encryption function of the blockcipher for both encryption and decryption. Moreover, the scheme enables one-pass, parallel operation under two-block partition. The proposed scheme thus attains similar characteristics as the seminal OCB mode, without using the inverse blockcipher. The key idea of our proposal is a novel usage of two-round Feistel permutation, where the round functions are derived from the theory of tweakable blockcipher. We also provide basic software results, and describe some ideas on using a non-invertible primitive, such as a keyed hash function.

Note: Added a new variant of OTR (called OTRC) reusing decryption core for AD processing in Appendix D.

Available format(s)
Publication info
A major revision of an IACR publication in EUROCRYPT 2014
Authenticated EncryptionBlockcipher ModePseudorandom FunctionOCB
Contact author(s)
k-minematsu @ ah jp nec com
2017-06-05: last of 3 revisions
2013-09-30: received
See all versions
Short URL
Creative Commons Attribution


      author = {Kazuhiko Minematsu},
      title = {Parallelizable Rate-1 Authenticated Encryption from Pseudorandom Functions},
      howpublished = {Cryptology ePrint Archive, Paper 2013/628},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.