Paper 2023/924

Generalized Initialization of the Duplex Construction

Christoph Dobraunig, Intel (United States)
Bart Mennink, Radboud University Nijmegen

The duplex construction is already well analyzed with many papers proving its security in the random permutation model. However, so far, the first phase of the duplex, where the state is initialized with a secret key and an initialization vector ($\mathit{IV}$), is typically analyzed in a worst case manner. More detailed, it is always assumed that the adversary is allowed to choose the $\mathit{IV}$ on its will. In this paper, we analyze how the security changes if restrictions on the choice of the $\mathit{IV}$ are imposed, varying from the global nonce case over the random $\mathit{IV}$ case to the $\mathit{IV}$ on key case. The last one, in particular, is the duplex analogue of the use of a nonce masked with a secret in AES-GCM in TLS 1.3. We apply our findings to duplex-based encryption and authenticated encryption, and discuss the practical applications of our results.

Available format(s)
Secret-key cryptography
Publication info
symmetric cryptographyduplex constructioninitialization vectornonce
Contact author(s)
christoph dobraunig @ intel com
b mennink @ cs ru nl
2023-06-14: approved
2023-06-13: received
See all versions
Short URL
Creative Commons Attribution


      author = {Christoph Dobraunig and Bart Mennink},
      title = {Generalized Initialization of the Duplex Construction},
      howpublished = {Cryptology ePrint Archive, Paper 2023/924},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.