9 March 2020

Stateless deck-based modes

We often receive questions as to whether Deck-SANSE can be used in a stateless way; that is, for a single message. A common use case for this is a UDP-based VPN. In such an application, sessions are not feasible due to the lossy/unordered nature of UDP. Thanks to its versatility, Deck-SANSE can be used in such applications with virtually no overhead. Deck-SANSE provides the following features:

  • Nonce reuse resistance.
  • If a nonce is present in the associated data, then a t-bit tag gives t-bit security.
  • Thanks to frame bits, it collapses to a simple MAC if plaintext is not present.
  • Thanks to frame bits, the associated data string is also optional (so for e.g. key wrapping, the mode is efficient).
  • Both the key schedule and static associated data contribution can be precomputed and reused across multiple messages.
  • Fully parallelizable in absorption of associated data and plaintext, expansion of keystream and encryption of plaintext.

Deck-SANSE wrap function, taking associated data A and plaintext P, and returning ciphertext C and tag T:

if |A| > 0 and |P| > 0 then
  T ← 0^t + F(P||010 ∘ A||00)
  CP   + F(T||110 ∘ A||00)
else if |P| > 0 then
  T ← 0^t + F(P||010)
  CP   + F(T||110)
  T ← 0^t + F(A||00)
return (C,T)