Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

Abstract

We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and generic constructions proposed by Sarkar, where the generic constructions include 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT notion and in the RUP (releasing unverified plaintext) setting called INT-RUP notion. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. We next show that ChaCha20-Poly1305 is provably secure in the INT-RUP notion. Finally, we show that 4 out of the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.

A Proof of Theorem 1

We evaluate following the game playing proof technique in [5]. Without loss of generality, we assume that \(\mathcal {A}\) is deterministic and makes exactly q encryption queries, \(q'\) decryption queries, and \(q''\) verification queries. Let \((N_i, A_i, M_i)\) for \(i = 1, \dots , q\), \((N'_{i'}, A'_{i'}, C'_{i'}, T'_{i'})\) for \(i' = 1, \dots , q'\), and \((N''_j, A''_j, C''_j, T''_j)\) for \(j = 1, \dots , q''\) denote the queries.

Fig. 9.

Game \(G_0\) for the proof of Theorem 1

Fig. 10.

Game \(G_1\). Keystreams and authentication keys are generated at random.

We define Game \(G_0\) in Fig. 9. In Fig. 9, Game \(G_0\) simulates the real oracles of ChaCha20-Poly1305 based on the random function F. Then we have

We next define Game \(G_1\) in Fig. 10. Game \(G_1\) simulates the oracles using the lazy sampling of F, where F is regarded as an array, and the array F(X, Y) is initially undefined for all \((X, Y) \in \{0, 1\}^{32} \times \{0, 1\}^{96}\). Now since the function F produces the random values and the values are perfectly indistinguishable between Game \(G_0\) and Game \(G_1\), these games are identical. Hence

$$\begin{aligned} \Pr [\mathcal {A}^{G_0}~\text {sets}\, \mathsf {forge}] = \Pr [\mathcal {A}^{G_1}~\text {sets}\, \mathsf {forge}] \text {.} \end{aligned}$$

(7)

We consider \(\Pr [\mathcal {A}^{G_1}\,\text {sets}\, \mathsf {forge}]\). In Fig. 9, the authentication keys in verification queries are generated independently of the keystreams in decryption queries, and hence there are two cases to consider. We denote the polynomial hash function in Poly1305  [7] by \(H_r\). If for the j-th verification query, it holds that for all i, then is uniformly distributed and independent of \((r_i, s_i)\). Hence

Suppose that for the j-th verification query, we have \(N''_j = N_i\) for some i. Then it follows that . The event \(T^*_j = T''_j\) is equivalent to

(8)

Now if , then we necessarily have and hence (8) cannot hold. Therefore let . Then, since \(H_r\) is \(\epsilon \)-A\(\varDelta \)U [7, Sect. 3], meaning that it has a small differential probability with respect to modulo \(2^{128}\), we have

Therefore, for each \(j = 1, \dots , q''\), we have \(\Pr [T^*_j = T''_j] \le \epsilon \). Following [7, Sect. 3], \(\epsilon = (8\lceil {\ell _{\max } / 16}\rceil ) / 2^{106}\). Hence we have

$$\begin{aligned} \Pr [\mathcal {A}^{G_1}~\text {sets}\, \mathsf {forge}] \le q'' \frac{8\lceil {\ell _{\max } / 16}\rceil }{2^{106}} \text {.} \end{aligned}$$

(9)

The claimed bound is obtained from (7) and (9).    \(\square \)