The POET Family of On-Line Authenticated Encryption Schemes

POET (Pipelineable On-line Encryption with authentication Tag) is an on-line authenticated encryption scheme designed by Farzaneh Abed, Scott Fluhrer, Scott Fluhrer, Christian Forler, Eik List, Stefan Lucks, David McGrew, and Jakob Wenzel.

POET is submitted to the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR).

Current version: poet.pdf, version 2.01 from 15 September 2015

Software reference implementation: https://github.com/medsec/poet

Hardware implementations:

Previous versions:


  • Version 2.01:
    • Corrected benchmark figures and removed test vectors (can be found in the reference implementation).
  • Version 2.0:
    • Added support for intermediate tags.
    • Unified the keys of the top and bottom hash-function layers.
    • Simplified the processing of the final block of associated data.
    • Simplified the tag-generation step.
    • Updated recommendations to include the parameters for intermediate tags.
    • Revised the notions for clarity.
    • Revised the integrity proof to the new specification and moved from the INT-CTXT to the stronger INT-RUP notion.
    • Revised the privacy proof to the new specification.
    • Added privacy and integrity proofs for POET with intermediate tags.
    • Added performance figures for software implementation on Haswell.
  • Version 1.3:
    • Clarified the security goals as pointed out by Yu Sasaki.
  • Version 1.2:
    • Removed version of POET instantiated with Galois-Field multiplication in GF(2^128) due to higher risk of weak keys.
    • Removed argumentations concerning Galois-Field multiplications.
    • Acknowledged Abdelraheem et al. for their study of weak keys when using POET with multiplications in GF(2^128).
  • Version 1.1:
    • Removed POET-m .
    • Updated test vectors (Appendix A).
    • Added encoding conventions (Section 8.1).
    • Updated assumptions of Theorem 7.1 and 7.2 (Section 71 and 7.2).
    • Acknowledged Mridul Nandi for his observations on POET and POET-m.
  • Version 1.02: Added correct consent and prioritized list of recommended parameter sets.
  • Version 1.01: Minor changes.


There is a compelling need for On-Line Authenticated Encryption (OAE) schemes that are fast, secure, flexible, and robust against misuse all at the same time. POET is a family of OAE schemes which satisfies all the mentioned properties. At its core, POET grounds on the POE (Piplineable On-line Encryption) family of on-line ciphers.

POET is fast. Its throughput is comparable to that of reference authenticated ciphers, such as OCB3 or AES-GCM, which lack the robustness provided by POET. Moreover, POET introduces a minimal overhead of only two additional block-cipher calls to generate the authentication tag. For an efficient transmission, POET only transfers the additional tag, avoiding any overhead at the message.

POET is robust. The standard security notions for AE schemes – which POET satisfies up to the birthday bound – assume adversaries to behave “nonce-respectingly”, and to ignore decrypted ciphertexts if the authentication fails. Almost all previous AE schemes are insecure whenever these assumptions are violated. This is a highly relevant and greatly underestimated practical issue. POET addresses it by providing security even under both “nonce misuse” and “decryption misuse”.

POET is provably secure. POET bases on well-studied primitives, which simplifies the formal analysis greatly. We provide a security proof, making standard assumptions on the block cipher’s security.

POET is flexible. POE and POET are ready-to-use for a variety of applications. We provide a fully generic specification to allow programmers to choose primitives that are tailored to their use case. As a recommendation, we propose the AES as block cipher, and either four-round or the full AES for universal hashing. As a desirable side effect of our recommendation, we are convinced that POET can be standardized seamlessly.

POET is efficient on a variety of platforms. POET is well-suited for low-end applications, especially when the AES is used for both encryption and universal hashing, which reduces code size and chip space. Mid-range and high-end devices can run POET efficiently thanks to pipelining. In general, software implementations benefit from the wide availability of AES native instructions on current platforms.