ELmE: A Misuse Resistant Parallel Authenticated Encryption

Nilanjan Datta and Mridul Nandi

Cryptology Research Group, Applied Statistics Unit, Indian Statistical Institute
203, B.T. Road, Kolkata, India 700108
nilanjan isi jrf@yahoo.com, mridul.nandi@gmail.com

Abstract. The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex, AEGIS) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper, we design a new online secure authenticated encryption, called ELmE or Encrypt-Linear mix-Encrypt, which is completely (two-stage) parallel (even in associated data) and pipeline implementable. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction and COPA are based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext). Unlike EME, we consider online computable efficient linear mixing. Our construction optionally supports intermediate tags, which can be verified faster with less buffer size to provide security against block-wise adversaries which is meaningful in low-end device implementation.

Keywords: Authenticated Encryption, Privacy, Misuse Resistant, EME.

1 Introduction

The common application of cryptography is to implement a secure channel between two or more users and then exchanging information over that channel. These users can initially set up their one-time shared key. Otherwise, a typical implementation first calls a key-exchange protocol for establishing a shared key or a session key (used only for the current session).
Once the users have a shared key, either through the initial key set-up or key-exchange, they use this key to authenticate and encrypt the transmitted information using efficient symmetric-key algorithms such as a message authentication code Mac(·) and (symmetric-key) encryption Enc(·). The encryption provides privacy or confidentiality (hiding the sensitive data M, which we call the plaintext or message), resulting in a ciphertext C, whereas a message authentication code provides data-integrity (authenticating