News archives 2020

  • We often receive questions as to whether Deck-SANSE can be used in a stateless way; that is, for a single message. A common use case for this is a UDP-based VPN. In such an application, sessions are not feasible due to the lossy/unordered nature of UDP. Thanks to its versatility, Deck-SANSE can be used in such applications with virtually no overhead. Deck-SANSE provides the following features:

    • Nonce reuse resistance.
    • If a nonce is present in the associated data, then a t-bit tag gives t-bit security.
    • Thanks to frame bits, it collapses to a simple MAC if plaintext is not present.
    • Thanks to frame bits, the associated data string is also optional (so for e.g. key wrapping, the mode is efficient).
    • Both the key schedule and static associated data contribution can be precomputed and reused across multiple messages.
    • Fully parallelizable in absorption of associated data and plaintext, expansion of keystream and encryption of plaintext.

    Deck-SANSE wrap function, taking associated data A and plaintext P, and returning ciphertext C and tag T:

    if |A| > 0 and |P| > 0 then
      T ← 0^t + F(P||010 ∘ A||00)
      CP   + F(T||110 ∘ A||00)
    else if |P| > 0 then
      T ← 0^t + F(P||010)
      CP   + F(T||110)
      T ← 0^t + F(A||00)
    return (C,T)