Advertisement

Nonces Are Noticed: AEAD Revisited

  • Mihir BellareEmail author
  • Ruth Ng
  • Björn Tackmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11692)

Abstract

We draw attention to a gap between theory and usage of nonce-based symmetric encryption, under which the way the former treats nonces can result in violation of privacy in the latter. We bridge the gap with a new treatment of nonce-based symmetric encryption that modifies the syntax (decryption no longer takes a nonce), upgrades the security goal (asking that not just messages, but also nonces, be hidden) and gives simple, efficient schemes conforming to the new definitions. We investigate both basic security (holding when nonces are not reused) and advanced security (misuse resistance, providing best-possible guarantees when nonces are reused).

Notes

Acknowledgements

We thank the anonymous reviewers for their feedback and suggestions. Bellare was supported in part by NSF grants CNS-1526801 and CNS-1717640, ERC Project ERCC FP7/615074 and a gift from Microsoft. Ng was supported by DSO National Labs. Tackmann was supported in part by the Swiss National Science Foundation (SNF) via Fellowship No. P2EZP2_155566 and NSF grant CNS-1228890.

References

  1. 1.
    CakePHP: Using the IV as the key. http://www.cryptofails.com/post/70059594911/cakephp-using-the-iv-as-the-key. Accessed 12 Feb 2019
  2. 2.
    Abed, F., et al.: Pipelineable on-line encryption. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 205–223. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46706-0_11CrossRefGoogle Scholar
  3. 3.
    Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45611-8_6CrossRefzbMATHGoogle Scholar
  4. 4.
    Ashur, T., Dunkelman, O., Luykx, A.: Boosting authenticated encryption robustness with minimal modifications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 3–33. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63697-9_1CrossRefGoogle Scholar
  5. 5.
    Aumasson, J., et al.: CHAE: challenges in authenticated encryption. ECRYPT-CSA D1.1, Revision 1.05, March 2017. https://chae.cr.yp.to/whitepaper.html
  6. 6.
    Barbosa, M., Farshim, P.: Indifferentiable authenticated encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 187–220. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-96884-1_7CrossRefGoogle Scholar
  7. 7.
    Barwell, G., Martin, D.P., Oswald, E., Stam, M.: Authenticated encryption in the face of protocol and side channel leakage. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 693–723. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_24CrossRefzbMATHGoogle Scholar
  8. 8.
    Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-45539-6_18CrossRefzbMATHGoogle Scholar
  9. 9.
    Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: 37th FOCS. IEEE Computer Society Press, October 1996Google Scholar
  10. 10.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th FOCS. IEEE Computer Society Press, October 1997Google Scholar
  11. 11.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44448-3_41CrossRefGoogle Scholar
  12. 12.
    Bellare, M., Ng, R., Tackmann, B.: Nonces are noticed: AEAD revisited. Cryptology ePrint Archive Report 2019/624 (2019). http://eprint.iacr.org/2019/624
  13. 13.
    Bellare, M., Rogaway, P.: On the construction of variable-input-length ciphers. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 231–244. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48519-8_17CrossRefGoogle Scholar
  14. 14.
    Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-44448-3_24CrossRefzbMATHGoogle Scholar
  15. 15.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_25CrossRefGoogle Scholar
  16. 16.
    Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_10CrossRefzbMATHGoogle Scholar
  17. 17.
    Bernstein, D.: CAESAR call for submissions, final, 27 January 2014. https://competitions.cr.yp.to/caesar-call.html
  18. 18.
    Bose, P., Hoang, V.T., Tessaro, S.: Revisiting AES-GCM-SIV: multi-user security, faster key derivation, and better bounds. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 468–499. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78381-9_18CrossRefGoogle Scholar
  19. 19.
    CAESAR Committee: Cryptographic competitions: Caesar call for submissions, final, 27 January 2014. https://competitions.cr.yp.to/caesar-call.html. Accessed 23 July 2018
  20. 20.
    Checkoway, S., et al.: A systematic analysis of the juniper dual EC incident. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS (2016)Google Scholar
  21. 21.
    Dodis, Y., Grubbs, P., Ristenpart, T., Woodage, J.: Fast message franking: from invisible salamanders to encryptment. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 155–186. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-96884-1_6 CrossRefGoogle Scholar
  22. 22.
    Dworkin, M.: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800–38D, November 2007Google Scholar
  23. 23.
    Fleischmann, E., Forler, C., Lucks, S.: McOE: a family of almost foolproof on-line authenticated encryption schemes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 196–215. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34047-5_12CrossRefzbMATHGoogle Scholar
  24. 24.
    Grubbs, P., Lu, J., Ristenpart, T.: Message franking via committing authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 66–97. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63697-9_3CrossRefGoogle Scholar
  25. 25.
    Gueron, S., Langley, A., Lindell, Y.: AES-GCM-SIV: specification and analysis. Cryptology ePrint Archive, Report 2017/168 (2017). http://eprint.iacr.org/2017/168
  26. 26.
    Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS (2015)Google Scholar
  27. 27.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: USENIX Security Symposium, vol. 8, p. 1 (2012)Google Scholar
  28. 28.
    Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_2CrossRefGoogle Scholar
  29. 29.
    Hoang, V.T., Reyhanitabar, R., Rogaway, P., Vizár, D.: Online authenticated-encryption and its nonce-reuse misuse-resistance. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 493–517. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_24CrossRefGoogle Scholar
  30. 30.
    Hoang, V.T., Tessaro, S., Thiruvengadam, A.: The multi-user security of GCM, revisited: tight bounds for nonce randomization. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS (2018)Google Scholar
  31. 31.
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32009-5_3CrossRefGoogle Scholar
  32. 32.
    Joux, A.: Authentication failures in NIST version of GCM (2006). Comments submitted to NIST modes of operation process. https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf
  33. 33.
    Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44706-7_20CrossRefzbMATHGoogle Scholar
  34. 34.
    Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48658-5_15CrossRefGoogle Scholar
  35. 35.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-21702-9_18CrossRefzbMATHGoogle Scholar
  36. 36.
    Kurosawa, K., Iwata, T.: TMAC: two-key CBC MAC. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 33–49. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36563-X_3CrossRefGoogle Scholar
  37. 37.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70697-9_20CrossRefGoogle Scholar
  39. 39.
    McGrew, D.: An interface and algorithms for authenticated encryption. IETF Network Working Group, RFC 5116, January 2008Google Scholar
  40. 40.
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-30556-9_27CrossRefGoogle Scholar
  41. 41.
    Meyer, C.H., Matyas, S.M.: CRYPTOGRAPHY: A New Dimension in Computer Data Security: A Guide for the Design and Implementation of Secure Systems. Wiley, New York (1982)zbMATHGoogle Scholar
  42. 42.
    Minematsu, K.: Authenticated encryption with small stretch (or, how to accelerate AERO). In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016, Part II. LNCS, vol. 9723, pp. 347–362. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-40367-0_22CrossRefGoogle Scholar
  43. 43.
    Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_15CrossRefGoogle Scholar
  44. 44.
    Namprempre, C., Rogaway, P., Shrimpton, T.: AE5 security notions: definitions implicit in the CAESAR call. Cryptology ePrint Archive, Report 2013/242 (2013). http://eprint.iacr.org/2013/242
  45. 45.
    Reddit: Hash of message as nonce? (2015). https://redd.it/3c504m
  46. 46.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS (2002)Google Scholar
  47. 47.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-30539-2_2CrossRefGoogle Scholar
  48. 48.
    Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-25937-4_22CrossRefzbMATHGoogle Scholar
  49. 49.
    Rogaway, P.: The evolution of authenticated encryption. Real World Cryptography Workshop, Stanford, January 2013. https://crypto.stanford.edu/RealWorldCrypto/slides/phil.pdf
  50. 50.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS (2001)Google Scholar
  51. 51.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_23CrossRefGoogle Scholar
  52. 52.
    Vaudenay, S., Vizár, D.: Under pressure: security of Caesar candidates beyond their guarantees. Cryptology ePrint Archive, Report 2017/1147 (2017). https://eprint.iacr.org/2017/1147
  53. 53.
    Wu, H., Preneel, B.: AEGIS: a fast authenticated encryption algorithm. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 185–201. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43414-7_10CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringUniversity of California San DiegoSan DiegoUSA
  2. 2.IBM Research – ZurichRüschlikonSwitzerland

Personalised recommendations