This is the top of the page.
Displaying present location in the site.
Main content starts here.

OTR Mode of Operation for Authenticated Encryption


The key idea of OTRThe key idea of OTR

Authenticated encryption (AE) is a symmetric-key cryptographic function achieving both confidentiality and integrity. OTR, which stands for Offset Two-Round, is an AE based on a blockcipher presented at Eurocrypt 2014.
OTR is parallelizable, rate-1, and on-line for both encryption and decryption, and requires only the blockcipher encryption function. OTR thus essentially achieves the minimum additional cost from the ordinal encryption-only modes, such as counter mode. The key idea of OTR is the use of two-round Feistel permutation with blockcipher-based round function.

OTR with AES blockcipher, called AES-OTR, is a candidate of CAESAR, a cryptographic competition on AE organized by leading professionals in the field and funded by National Institute of Standards and Technology, NIST.


Kazuhiko Minematsu (NEC)


In principle OTR can be defined with n-bit blockcipher, or more generally any n-bit keyed (non-invertible) function, for any n.
AES-OTR specifies the case n=128 with the underlying blockcipher as AES-128 or AES-256.

Specification document of AES-OTR is available from the submission list of CAESAR.


  • Encryption rate is 1 : one blockcipher call to process one-block input
  • On-line and parallelizable for both encryption and decryption
  • Uses blockcipher encryption function, no need for the inverse
  • Standard nonce-based provable security

Features are also summarized at Eurocrypt 2014 slides.

Implementation Figures

(To be presented)

Top of this page