Japan

サイト内の現在位置

OTR Mode of Operation for Authenticated Encryption

November 28, 2019

Introduction

The key idea of OTR
The key idea of OTR

Authenticated encryption (AE) is a symmetric-key cryptographic function achieving both confidentiality and integrity. OTR, which stands for Offset Two-Round, is an AE based on a blockcipher presented at Eurocrypt 2014.
OTR is parallelizable, rate-1, and on-line for both encryption and decryption, and requires only the blockcipher encryption function. OTR thus essentially achieves the minimum additional cost from the ordinal encryption-only modes, such as counter mode. The key idea of OTR is the use of two-round Feistel permutation with blockcipher-based round function.

OTR with AES blockcipher, called AES-OTR, is a candidate of new window CAESAR, a cryptographic competition on AE organized by leading professionals in the field and funded by National Institute of Standards and Technology, NIST.

Designer

Kazuhiko Minematsu (NEC)

Specifications

In principle OTR can be defined with n-bit blockcipher, or more generally any n-bit keyed (non-invertible) function, for any n.
AES-OTR specifies the case n=128 with the underlying blockcipher as AES-128 or AES-256.

Specification document of AES-OTR is available from new window the submission list of CAESAR.

Features

  • Encryption rate is 1 : one blockcipher call to process one-block input
  • On-line and parallelizable for both encryption and decryption
  • Uses blockcipher encryption function, no need for the inverse
  • Standard nonce-based provable security

Implementation Figures

(To be presented)

お問い合わせ