International Association
for Cryptologic Research

With a scheme for \\textit{robust} authenticated-encryption a user can select an arbitrary value $\\lambda \\ge 0$ and then encrypt a plaintext of any length into a ciphertext that\'s $\\lambda$ characters longer. The scheme must provide all the privacy and authenticity possible for the requested~$\\lambda$. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call \\textit{accelerated} provable security: the scheme is designed and proven secure in the provable-security tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive.