Integrity Analysis of Authenticated Encryption Based on Stream Ciphers
We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and the generic constructions proposed by Sarkar, which comprise 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT notion and in the RUP (releasing unverified plaintext) setting, called the INT-RUP notion. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. We next show that ChaCha20-Poly1305 is provably secure in the INT-RUP notion. Finally, we show that 4 out of the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.
Keywords: Authenticated encryption, Stream cipher, Universal hash function, Provable security, Integrity, Releasing unverified plaintext
We thank the anonymous ProvSec 2016 reviewers and participants of Early Symmetric Crypto (ESC) 2015 for helpful comments. We also thank Palash Sarkar for insightful feedback on an earlier version of this paper. The work by Tetsu Iwata was supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045.