Abstract
We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and generic constructions proposed by Sarkar, where the generic constructions include 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT notion and in the RUP (releasing unverified plaintext) setting called INT-RUP notion. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. We next show that ChaCha20-Poly1305 is provably secure in the INT-RUP notion. Finally, we show that 4 out of the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.
Notes
1. We remark that there is a minor gap in the proof in [14]. The proof introduces a hybrid \((E^1,D^1)\) where the keystream is the output of a random function taking a nonce, and another hybrid \((E^2,D^2)\) where the keystream is completely random for both encryption and decryption, and claims both hybrids are equivalent. This does not hold true in general since the keystream in a decryption query can be determined by an encryption query made before. However, as far as we see, the theorem statement stands.
References
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_6
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_41
Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_24
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). doi:10.1007/11761679_25
Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_25
Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). doi:10.1007/11502760_3
Bernstein, D.J.: ChaCha, a variant of Salsa20 (2008). DocumentID: 4027b5256e14b6796842e6d0f68b0b5e. http://cr.yp.to/papers.html#chacha
Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_14
Imamura, K., Minematsu, K., Iwata, T.: Integrity Analysis of Authenticated Encryption Based on Stream Ciphers (Full version of this paper). Cryptology ePrint Archive, Report 2016 (2016). http://eprint.iacr.org/
McGrew, D.A., Viega, J.: The security and performance of the galois/counter mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30556-9_27
Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_15
Nir, Y., Langley, A.: ChaCha20 and Poly1305 for IETF protocols. IRTF RFC 7539. https://tools.ietf.org/html/rfc7539
Procter, G.: A Security Analysis of the Composition of ChaCha20 and Poly1305. Cryptology ePrint Archive, Report 2014/613 (2014). http://eprint.iacr.org/
Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.), ACM Conference on Computer and Communications Security, pp. 98–107. ACM (2002)
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_22
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi:10.1007/11761679_23
Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Crypt. Commun. 6(3), 189–231 (2014)
Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Submission to NIST (2002). http://csrc.nist.gov/
Acknowledgments
We thank the anonymous ProvSec 2016 reviewers and participants of Early Symmetric Crypto (ESC) 2015 for helpful comments. We also thank Palash Sarkar for insightful feedback on an earlier version of this paper. The work by Tetsu Iwata was supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045.
A Proof of Theorem 1
We evaluate following the game playing proof technique in [5]. Without loss of generality, we assume that \(\mathcal {A}\) is deterministic and makes exactly q encryption queries, \(q'\) decryption queries, and \(q''\) verification queries. Let \((N_i, A_i, M_i)\) for \(i = 1, \dots , q\), \((N'_{i'}, A'_{i'}, C'_{i'}, T'_{i'})\) for \(i' = 1, \dots , q'\), and \((N''_j, A''_j, C''_j, T''_j)\) for \(j = 1, \dots , q''\) denote the queries.
We define Game \(G_0\) in Fig. 9. In Fig. 9, Game \(G_0\) simulates the real oracles of ChaCha20-Poly1305 based on the random function F. Then we have
We next define Game \(G_1\) in Fig. 10. Game \(G_1\) simulates the oracles using lazy sampling of F, where F is regarded as an array, and the entry F(X, Y) is initially undefined for all \((X, Y) \in \{0, 1\}^{32} \times \{0, 1\}^{96}\). Since F produces random values, and these values are perfectly indistinguishable between Game \(G_0\) and Game \(G_1\), the two games are identical. Hence
We consider \(\Pr [\mathcal {A}^{G_1}\,\text {sets}\, \mathsf {forge}]\). In Fig. 9, the authentication keys in verification queries are generated independently of the keystreams in decryption queries, and hence there are two cases to consider. We denote the polynomial hash function in Poly1305 [7] by \(H_r\). If for the j-th verification query, it holds that for all i, then is uniformly distributed and independent of \((r_i, s_i)\). Hence
Suppose that for the j-th verification query, we have \(N''_j = N_i\) for some i. Then it follows that . The event \(T^*_j = T''_j\) is equivalent to
Now if , then we necessarily have and hence (8) cannot hold. Therefore let . Then, since \(H_r\) is \(\epsilon \)-A\(\varDelta \)U [7, Sect. 3], meaning that it has a small differential probability with respect to modulo \(2^{128}\), we have
Therefore, for each \(j = 1, \dots , q''\), we have \(\Pr [T^*_j = T''_j] \le \epsilon \). Following [7, Sect. 3], \(\epsilon = (8\lceil {\ell _{\max } / 16}\rceil ) / 2^{106}\). Hence we have
The claimed bound is obtained from (7) and (9). \(\square \)
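The nonce-reuse case of the proof above rests on one algebraic fact: when a verification query repeats the nonce of an encryption query, both tags are computed under the same one-time pair \((r, s)\), so the tag difference modulo \(2^{128}\) equals the \(H_r\) differential and \(s\) cancels; the forgery event is then bounded by the \(\epsilon\)-A\(\varDelta\)U property of \(H_r\) rather than by a \(2^{-128}\) guess. The following Python script is an added example, not code from the paper or from any ChaCha20-Poly1305 implementation. Its Poly1305 follows RFC 7539 [13] and is checked against that RFC's published test vector; the per-nonce derivation of \((r, s)\) is a SHA-256 stand-in for keystream block 0 of ChaCha20 (an assumption made so the example stays short, since only the dependence of \((r, s)\) on the key and nonce matters here), and the keys and messages are constructed sample values.

```python
"""Tag-difference step of the INT-RUP argument, worked in code.

Added example for this page. Poly1305 follows RFC 7539; derive_rs() is a
SHA-256 stand-in (assumption) for the ChaCha20 block that ChaCha20-Poly1305
actually uses to obtain the one-time key (r, s).
"""
from fractions import Fraction
import hashlib
import math

P = (1 << 130) - 5                              # Poly1305 prime 2^130 - 5
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF    # RFC 7539 clamp mask for r
MOD128 = 1 << 128


def poly_hash(r: int, msg: bytes) -> int:
    """H_r(msg): evaluate the message polynomial at r modulo 2^130 - 5.

    Each 16-byte block (the last may be shorter) is read little-endian with a
    1 bit appended above its highest byte, as in RFC 7539 Section 2.5.1.
    """
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        n = int.from_bytes(block, "little") + (1 << (8 * len(block)))
        acc = ((acc + n) * r) % P
    return acc


def poly1305_tag(r: int, s: int, msg: bytes) -> int:
    """Tag = (H_r(msg) + s) mod 2^128, returned as an integer."""
    return (poly_hash(r, msg) + s) % MOD128


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Standard Poly1305: r is the clamped first key half, s the second half."""
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:32], "little")
    return poly1305_tag(r, s, msg).to_bytes(16, "little")


def derive_rs(key: bytes, nonce: bytes) -> tuple:
    """Per-nonce one-time key (r, s).

    ChaCha20-Poly1305 takes these 32 bytes from keystream block 0 of
    ChaCha20(key, nonce). This stand-in uses SHA-256 instead (assumption);
    a fresh nonce still yields a fresh, unrelated (r, s), a repeated nonce
    the same (r, s), which is all the argument needs.
    """
    block0 = hashlib.sha256(b"poly-key|" + key + nonce).digest()
    r = int.from_bytes(block0[:16], "little") & R_CLAMP
    s = int.from_bytes(block0[16:32], "little")
    return r, s


def tag_difference(r: int, s: int, m1: bytes, m2: bytes) -> int:
    """(T2 - T1) mod 2^128 for two messages tagged under the same (r, s)."""
    return (poly1305_tag(r, s, m2) - poly1305_tag(r, s, m1)) % MOD128


def hash_difference(r: int, m1: bytes, m2: bytes) -> int:
    """(H_r(m2) - H_r(m1)) mod 2^128: the A-Delta-U differential of H_r."""
    return (poly_hash(r, m2) - poly_hash(r, m1)) % MOD128


def epsilon(l_max_bytes: int) -> Fraction:
    """Differential bound from [7, Sect. 3]: 8 * ceil(l_max / 16) / 2^106."""
    return Fraction(8 * math.ceil(l_max_bytes / 16), 1 << 106)


# RFC 7539 Section 2.5.2 test vector (values taken from the RFC).
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


if __name__ == "__main__":
    assert poly1305_mac(RFC_KEY, RFC_MSG) == RFC_TAG
    key = bytes(range(32))                      # constructed sample key
    r, s = derive_rs(key, b"\x00" * 12)         # constructed nonce
    m1 = b"encryption query (A_i, C_i)"
    m2 = b"verification query (A''_j, C''_j) with another length"
    # Same nonce -> same (r, s): the tag difference is exactly the H_r
    # differential and s cancels, which is what equation (8) expresses.
    assert tag_difference(r, s, m1, m2) == hash_difference(r, m1, m2)
    print("epsilon for 64-byte inputs:", epsilon(64))
```

Running the script checks the RFC vector and the cancellation of \(s\); `epsilon()` reproduces the \(\epsilon = (8\lceil \ell_{\max}/16 \rceil)/2^{106}\) figure used in the proof, which is the per-query forgery probability the bound charges in the nonce-reuse case. For a verification query under a nonce never used in encryption, `derive_rs()` yields an unrelated \((r, s)\) and the tag is uniform, the \(2^{-128}\) case of the proof.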
© 2016 Springer International Publishing AG
Cite this paper
Imamura, K., Minematsu, K., Iwata, T. (2016). Integrity Analysis of Authenticated Encryption Based on Stream Ciphers. In: Chen, L., Han, J. (eds) Provable Security. ProvSec 2016. Lecture Notes in Computer Science(), vol 10005. Springer, Cham. https://doi.org/10.1007/978-3-319-47422-9_15
DOI: https://doi.org/10.1007/978-3-319-47422-9_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47421-2
Online ISBN: 978-3-319-47422-9