One embodiment of the present invention provides a system that decrypts
downstream data in an Ethernet passive optical network (EPON). During
operation, the system receives a data frame which is encrypted based on a
remote input block and a session key, wherein the remote input block is
constructed based on a remote cipher counter and a remote block counter.
The system adjusts a local cipher counter based on a received checksum
located in a preamble of the data frame, wherein the local cipher counter
is substantially synchronized with the remote cipher counter. In
addition, the system truncates the local cipher counter by discarding n
least significant bits thereof. The system then constructs a local input
block based on the truncated cipher counter and a local block counter for
the received data frame. Next, the system decrypts the data frame based
on the local input block and the session key.
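
The receive path described above, as an added sketch that is not taken from the patent. HMAC-SHA256 stands in for the block cipher, and the value n = 4, the input block layout, the 2-bit checksum (low bits of the truncated counter) and the one-window adjustment rule are all assumptions chosen for illustration.

```python
import hashlib
import hmac

N_DISCARD = 4   # n least significant bits discarded (value assumed)
BLOCK = 16      # bytes of keystream per input block (assumed)

def truncate(counter):
    return counter >> N_DISCARD

def checksum(counter):
    # Assumed checksum: low 2 bits of the truncated cipher counter.
    return truncate(counter) & 0b11

def input_block(counter, block_counter):
    # Truncated cipher counter followed by the per-frame block counter.
    return truncate(counter).to_bytes(12, "big") + block_counter.to_bytes(4, "big")

def crypt(key, counter, data):
    # Counter-mode XOR; HMAC-SHA256 is a stand-in for the block cipher.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, input_block(counter, i // BLOCK), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def sender_encrypt(key, remote_counter, payload):
    # Returns (checksum carried in the preamble, encrypted frame).
    return checksum(remote_counter), crypt(key, remote_counter, payload)

def adjust(local_counter, rx_checksum):
    # Assumed rule: move the local counter by at most one truncation window
    # so that its checksum agrees with the one received in the preamble.
    step = 1 << N_DISCARD
    for cand in (local_counter, local_counter - step, local_counter + step):
        if cand >= 0 and checksum(cand) == rx_checksum:
            return cand
    raise ValueError("local cipher counter is out of sync")

def receiver_decrypt(key, local_counter, rx_checksum, frame):
    return crypt(key, adjust(local_counter, rx_checksum), frame)

if __name__ == "__main__":
    key = b"constructed-session-key"                    # constructed sample
    payload = b"constructed downstream payload spanning three blocks"
    tag, frame = sender_encrypt(key, 0x1000F, payload)
    # Receiver counter is 2 ticks ahead and has crossed a truncation boundary.
    print(receiver_decrypt(key, 0x10011, tag, frame) == payload)
```

In this sketch, drift inside one truncation window needs no correction at all, and the checksum is only consulted to resolve drift that crosses a window boundary.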