Paper 2018/128

Authenticated Encryption Mode IAPM using SHA-3's Public Random Permutation

Charanjit S. Jutla


We study instantiating the random permutation of the block-cipher mode of operation IAPM (Integrity-Aware Parallelizable Mode) with the public random permutation of Keccak, on which the draft standard SHA-3 is built. IAPM and the related mode OCB are single-pass, highly parallelizable authenticated-encryption modes. While they were originally proven secure in the private random permutation model, Kurosawa has shown that they are also secure in the public random permutation model, assuming the whitening keys are chosen uniformly with double the usual entropy. In this paper, we prove a general composability result showing that the whitening key can instead be obtained from the usual entropy source by a key-derivation function that is itself built on Keccak. We stress that this does not follow directly from the usual indifferentiability of key-derivation function constructions from Random Oracles. We also show that a simple and general construction, again employing Keccak, can be used to make the IAPM scheme key-dependent-message secure. Finally, implementations on a modern AMD-64 architecture that supports 128-bit SIMD instructions but not the native AES instructions show that IAPM with Keccak runs three times faster than IAPM with AES.

Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Contact author(s): csjutla @ us ibm com
History: 2018-02-05: received
License: Creative Commons Attribution

BibTeX citation:

      author = {Charanjit S. Jutla},
      title = {Authenticated Encryption Mode {IAPM} using {SHA}-3's Public Random Permutation},
      howpublished = {Cryptology ePrint Archive, Paper 2018/128},
      year = {2018},
      note = {\url{}},
      url = {}