Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

  • Kazuya Imamura
  • Kazuhiko Minematsu
  • Tetsu Iwata
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10005)


We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and the generic constructions proposed by Sarkar, which comprise 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT notion and in the RUP (releasing unverified plaintext) setting, under the INT-RUP notion, where the decryption oracle releases the plaintext even when tag verification fails. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. We next show that ChaCha20-Poly1305 is provably secure in the INT-RUP notion. Finally, we show that 4 out of the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.
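The construction the abstract studies, as an added example that is not part of the paper: a from-scratch ChaCha20-Poly1305 (RFC 8439), i.e. a ChaCha20 keystream for encryption and Poly1305 under a one-time key taken from keystream block 0 for the tag, with a verify-then-release decryptor matching the INT-CTXT interface and an RUP decryptor that hands back the unverified plaintext together with the verdict. The sample input is the RFC 8439 Section 2.8.2 test vector; `rup_forgery_attempt` is this example's own illustration of what released plaintext buys an adversary in the INT-RUP setting (the keystream, but not the one-time Poly1305 key).

```python
"""ChaCha20-Poly1305 (RFC 8439) built from its two layers, a stream cipher and a
universal hash, plus a verify-then-release decryptor (INT-CTXT interface) and an
RUP decryptor that releases unverified plaintext. Added example, not the paper's
code. Sample input is the RFC 8439 Section 2.8.2 test vector."""
import hmac
import struct

MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5

# RFC 8439 Section 2.8.2 test vector (public test data, reproduced here)
KEY = bytes(range(0x80, 0xA0))
NONCE = bytes.fromhex("070000004041424344454647")
AAD = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
PT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
      b"only one tip for the future, sunscreen would be it.")
RFC_TAG = bytes.fromhex("1ae10b594f09e26a7e902ecbd0600691")


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for (256-bit key, 32-bit counter, 96-bit nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Stream-cipher layer: XOR data with keystream starting at block `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305_mac(otk, msg):
    """Universal-hash layer: Poly1305 under a 32-byte one-time key r || s."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # 0x01 appended as the high byte of the little-endian block
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _tag(key, nonce, aad, ct):
    pad = lambda b: b"\x00" * (-len(b) % 16)
    mac_input = aad + pad(aad) + ct + pad(ct) + struct.pack("<QQ", len(aad), len(ct))
    # One-time Poly1305 key = keystream block 0, which is never XORed into data
    return poly1305_mac(chacha20_block(key, 0, nonce)[:32], mac_input)


def aead_encrypt(key, nonce, aad, pt):
    ct = chacha20_xor(key, nonce, pt)
    return ct, _tag(key, nonce, aad, ct)


def aead_decrypt(key, nonce, aad, ct, tag):
    """INT-CTXT interface: verify first; plaintext is released only on success."""
    if not hmac.compare_digest(_tag(key, nonce, aad, ct), tag):
        return None
    return chacha20_xor(key, nonce, ct)


def aead_decrypt_rup(key, nonce, aad, ct, tag):
    """RUP interface: always returns the plaintext, verified or not, plus the verdict."""
    return chacha20_xor(key, nonce, ct), hmac.compare_digest(_tag(key, nonce, aad, ct), tag)


def rup_forgery_attempt(ct, leaked_pt, chosen_pt):
    """INT-RUP adversary (this example's illustration): released plaintext gives it
    the keystream, so it can encrypt any chosen plaintext of at most that length under
    the same nonce, but block 0 (the tag key) never leaks. Returns only the ciphertext."""
    keystream = bytes(c ^ p for c, p in zip(ct, leaked_pt))
    return bytes(k ^ m for k, m in zip(keystream, chosen_pt))


if __name__ == "__main__":
    ct, tag = aead_encrypt(KEY, NONCE, AAD, PT)
    print("tag matches RFC 8439:", tag == RFC_TAG)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    leaked, ok = aead_decrypt_rup(KEY, NONCE, AAD, tampered, tag)
    forged = rup_forgery_attempt(tampered, leaked, b"chosen text")
    print("forged ciphertext verifies:", aead_decrypt_rup(KEY, NONCE, AAD, forged, tag)[1])
```

The point the RUP decryptor makes concrete: releasing the unverified plaintext of a stream-cipher AEAD hands the adversary the keystream for that nonce, which breaks nothing about integrity here because the Poly1305 key is a separate keystream block that the data path never exposes. That separation is what the abstract's INT-RUP result for ChaCha20-Poly1305 rests on; several of Sarkar's generic constructions differ precisely in how the hash key relates to the encryption keystream.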


Keywords: Authenticated encryption, Stream cipher, Universal hash function, Provable security, Integrity, Releasing unverified plaintext



We thank the anonymous ProvSec 2016 reviewers and participants of Early Symmetric Crypto (ESC) 2015 for helpful comments. We also thank Palash Sarkar for insightful feedback on an earlier version of this paper. The work by Tetsu Iwata was supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045.

References

  1. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_6
  2. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
  3. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). doi: 10.1007/3-540-44448-3_41
  4. Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000). doi: 10.1007/3-540-44448-3_24
  5. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). doi: 10.1007/11761679_25
  6. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-25937-4_25
  7. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). doi: 10.1007/11502760_3
  8. Bernstein, D.J.: ChaCha, a variant of Salsa20 (2008). Document ID: 4027b5256e14b6796842e6d0f68b0b5e
  9. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_14
  10. Imamura, K., Minematsu, K., Iwata, T.: Integrity analysis of authenticated encryption based on stream ciphers (full version of this paper). Cryptology ePrint Archive, Report 2016 (2016)
  11. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30556-9_27
  12. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_15
  13. Nir, Y., Langley, A.: ChaCha20 and Poly1305 for IETF protocols. IRTF RFC 7539 (2015)
  14. Procter, G.: A security analysis of the composition of ChaCha20 and Poly1305. Cryptology ePrint Archive, Report 2014/613 (2014)
  15. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM Conference on Computer and Communications Security, pp. 98–107. ACM (2002)
  16. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-25937-4_22
  17. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi: 10.1007/11761679_23
  18. Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Crypt. Commun. 6(3), 189–231 (2014)
  19. Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Submission to NIST (2002)

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Kazuya Imamura (1)
  • Kazuhiko Minematsu (2)
  • Tetsu Iwata (1)
  1. Nagoya University, Nagoya, Japan
  2. NEC Corporation, Kawasaki, Japan
