Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers.

CRYPTO 2016

Citations: 114 | Views: 121

Abstract
We propose the Synthetic Counter-in-Tweak ($\mathsf{SCT}$) mode, which turns a tweakable block cipher into a nonce-based authenticated encryption scheme with associated data. The $\mathsf{SCT}$ mode combines, in a SIV-like manner, a Wegman-Carter MAC inspired by $\mathsf{PMAC}$ for the authentication part and a new counter-like mode for the encryption part, with the unusual property that the counter is applied on the tweak input of the underlying tweakable block cipher rather than on the plaintext input. Unlike many previous authenticated encryption modes, $\mathsf{SCT}$ enjoys provable security beyond the birthday bound, and even up to roughly $2^n$ tweakable block cipher calls, where $n$ is the block length, when the tweak length is sufficiently large, in the nonce-respecting scenario where nonces are never repeated. In addition, $\mathsf{SCT}$ ensures security up to the birthday bound even when nonces are reused, in the strong nonce-misuse resistance sense (MRAE) of Rogaway and Shrimpton (EUROCRYPT 2006). To the best of our knowledge, this is the first authenticated encryption mode that provides at the same time close-to-optimal security in the nonce-respecting scenario and birthday-bound security in the nonce-misuse scenario. While two passes are necessary to achieve MRAE security, our mode enjoys a number of desirable features: it is simple and parallelizable, it requires the encryption direction only, it is particularly efficient for small messages compared to other nonce-misuse resistant schemes (no precomputation is required), and it allows incremental update of associated data.
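The following is an added illustration of the composition the abstract describes; it is not the authors' code and it is not the paper's exact EPWC/CTRT specification. The tweakable block cipher is a stand-in (a 4-round Feistel network with HMAC-SHA256 round functions bound to the tweak) chosen so the example runs on the Python standard library alone; the tweak layout (domain byte, nonce, 64-bit counter), the domain separators and the 10* padding are assumptions for the demo. What it shows: the tag is a PMAC-like XOR of per-block tweakable encryptions, encrypted once more under a nonce-bearing tweak (the Wegman-Carter step); the encryption part feeds the same block input, the tag used SIV-style as the IV, to every call and varies only the tweak (nonce, counter), which is the "counter in the tweak" idea; and when a nonce is reused, two different messages still get unrelated keystreams because their tags differ, which plain counter mode does not give.

```python
import hashlib
import hmac

# Toy SCT-style AEAD written for this page. The tweakable block cipher, the tweak
# encoding, the domain separators and the padding are all assumptions for the
# demo, not the EPWC/CTRT definitions from the paper. Do not deploy.

N_BYTES = 16            # block length n = 128 bits
HALF = N_BYTES // 2
ROUNDS = 4
DOM_AD, DOM_MSG, DOM_TAG, DOM_CTR = 1, 2, 3, 4   # tweak domain separators (assumed)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, tweak: bytes, r: int, half: bytes) -> bytes:
    # Feistel round function: a PRF of (round, tweak, half-block) under the key.
    return hmac.new(key, bytes([r]) + tweak + half, hashlib.sha256).digest()[:HALF]


def tbc_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Stand-in tweakable block cipher: a 4-round Feistel network whose round
    functions are bound to the tweak, so every tweak selects its own permutation
    of the n-bit block space. SCT needs only this forward direction."""
    if len(block) != N_BYTES:
        raise ValueError("block must be exactly n bits")
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, tweak, r, right))
    return left + right


def _tweak(domain: int, nonce: bytes, counter: int) -> bytes:
    # Tweak layout (assumed): domain byte || nonce || 64-bit big-endian counter.
    return bytes([domain]) + nonce + counter.to_bytes(8, "big")


def _pad_blocks(data: bytes) -> list:
    # 10* padding: always append 0x80 and then zeros, so the mapping is injective.
    padded = data + b"\x80" + bytes((-len(data) - 1) % N_BYTES)
    return [padded[i:i + N_BYTES] for i in range(0, len(padded), N_BYTES)]


def _pmac_like_hash(key: bytes, ad: bytes, msg: bytes) -> bytes:
    """PMAC-inspired parallel hash: every block is encrypted under a tweak that
    carries its domain (AD or message) and its index, and the outputs are XORed.
    Because the result is a plain XOR sum, replacing one AD block only needs the
    old block's term XORed out and the new one XORed in (incremental AD update)."""
    acc = bytes(N_BYTES)
    for dom, data in ((DOM_AD, ad), (DOM_MSG, msg)):
        for i, blk in enumerate(_pad_blocks(data)):
            acc = _xor(acc, tbc_encrypt(key, _tweak(dom, b"", i), blk))
    return acc


def auth_tag(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Wegman-Carter step: encrypt the hash once under a nonce-bearing tweak."""
    return tbc_encrypt(key, _tweak(DOM_TAG, nonce, 0), _pmac_like_hash(key, ad, msg))


def keystream(key: bytes, nonce: bytes, tag: bytes, nblocks: int) -> bytes:
    """Counter-in-tweak encryption: the cipher's block input is the same for every
    keystream block (the tag, used SIV-style as the IV); only the tweak moves,
    carrying the nonce and the block counter."""
    return b"".join(tbc_encrypt(key, _tweak(DOM_CTR, nonce, j), tag) for j in range(nblocks))


def sct_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    tag = auth_tag(key, nonce, ad, msg)                        # first pass: MAC
    ks = keystream(key, nonce, tag, -(-len(msg) // N_BYTES))   # second pass: CTR
    return _xor(msg, ks) + tag                                 # zip() trims ks to len(msg)


def sct_decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    if len(ct) < N_BYTES:
        raise ValueError("ciphertext shorter than the tag")
    body, tag = ct[:-N_BYTES], ct[-N_BYTES:]
    msg = _xor(body, keystream(key, nonce, tag, -(-len(body) // N_BYTES)))
    # Recompute the tag from the recovered plaintext and compare in constant time.
    if not hmac.compare_digest(auth_tag(key, nonce, ad, msg), tag):
        raise ValueError("authentication failed")
    return msg


if __name__ == "__main__":
    k, n = bytes(range(32)), bytes(range(16))
    c = sct_encrypt(k, n, b"hdr", b"attack at dawn")
    assert sct_decrypt(k, n, b"hdr", c) == b"attack at dawn"
    print(c.hex())
```

Two properties are worth checking by hand. First, because the tag is the block input for every keystream call, two keystream blocks under one nonce differ only through the counter in the tweak, which is exactly why distinct tweaks (never-repeated nonces) buy the beyond-birthday bound in the paper and why a real deployment needs a tweak wide enough to hold the nonce and the counter. Second, under nonce reuse the scheme is deterministic, so identical (nonce, AD, message) triples give identical ciphertexts (that is the leakage MRAE permits), but two different messages under the same nonce get different tags and therefore unrelated keystreams, so the XOR of the two ciphertexts does not reveal the XOR of the plaintexts as it would for plain counter mode. The Feistel stand-in carries none of the paper's security proof; swap in a real tweakable block cipher before relying on any of this.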
Keywords

Authenticated encryption, Tweakable block cipher, Nonce-misuse resistance, Beyond-birthday-bound security, CAESAR competition