Authenticated encryption is said to be achievable with either of these three things:
- Use a separate algorithm that ensures authentications such as HMAC.
- Use one of the several block cipher modes of operation that generate/verify an authentication tag like OCB, CCM, or GCM.
- Use a cipher that is dedicated to authentication (in addition to confidentiality, that is).
Some of the entries in the CAESAR competition are of the second solution while the rest are of the third. My trouble is that, after looking at the specifications of the entries that fall into the third category, I'm left wondering a dedicated authenticated encryption algorithm is. Except for possibly the ones based on sponges, in the ones that I looked over, it seemed to me as if the authentication and encryption mechanisms are easily untangled and that you could use one without using the other, just like how block ciphers and block cipher modes of operation are interchangeable. The only ciphers I can think of that I can undoubtedly say are dedicated are Helix and Phelix. I'm unsure as to whether or not to classify sponge-based schemes as dedicated ones, but if I were to decide that they are dedicated schemes, then it would be with less certainty than for Phelix and Helix. Aside from a block cipher that maintains a state that is updated between successively encrypted/decrypted blocks, I can't think of anything else.
So, what would a cipher dedicated to authenticated encryption look like to the cryptographic community at large?