Paper 2018/916

Forking a Blockcipher for Authenticated Encryption of Very Short Messages

Elena Andreeva, Reza Reyhanitabar, Kerem Varici, and Damian Vizár


Highly efficient encryption and authentication of short messages has been identified as an essential requirement for enabling security in constrained computation and communication scenarios such as the CAN FD in automotive systems (with maximum message length of 64 bytes), massive IoT and critical communication domains of 5G, and Narrowband IoT (NB-IoT), to mention some. Accordingly, NIST has specified, as a design requirement in the lightweight cryptography project, that AEAD submissions shall be “optimized to be efficient for short messages (e.g., as short as 8 bytes)”. We propose AEAD schemes that exceed in efficiency over all previous general-purpose modular AEAD designs at processing (very) short inputs. The main ingredient in our solution is a new low-level primitive, called a tweakable forkcipher, which we introduce and formalize in this paper. We give an instance of the tweakable forkcipher and dub it ForkAES. It is based on the tweakable blockcipher KIASU, which relies on the round function of AES and uses the TWEAKEY framework to derive round keys from a 128-bit secret key and a 64-bit tweak. Finally, we demonstrate the applicability of a tweakable forkcipher by designing several provably secure nonce-based AEAD modes of operation, optimized to be efficient for short messages. Considering the AES block size (16 bytes) as a reference, our new AE schemes can beat all known schemes for single-block messages while still performing better than majority of the existing schemes for combined message and associated data lengths up to 4 blocks. While ForkAES as a concrete instantiation for a forkcipher is based on KIASU, we note that our solution provides a general recipe for lightweight AEAD for short messages, even for very resource-constrained scenarios in which AES may not be considered a lightweight option. In those environments, our schemes can be instantiated using a forkcipher that is realized based on the best off-the-shelf lightweight blockcipher, following the TWEAKEY framework.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Authenticated encryptionshort messageslightweight cryptographyforkcipherForkAES
Contact author(s)
elean @ dtu dk
damian vizar @ csem ch
2019-11-08: last of 3 revisions
2018-09-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elena Andreeva and Reza Reyhanitabar and Kerem Varici and Damian Vizár},
      title = {Forking a Blockcipher for Authenticated Encryption of Very Short Messages},
      howpublished = {Cryptology ePrint Archive, Paper 2018/916},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.