Boosting Authenticated Encryption Robustness with Minimal Modifications

Ashur, Tomer; Dunkelman, Orr; Luykx, Atul

doi:10.1007/978-3-319-63697-9_1

Cited by 37 publications

(33 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper we describe a universal forgery attack against GCM-RUP with time and data complexity close to 2 n/2 , where n denotes the block size of the underlying block cipher. This attack matches the security proof given in [2], showing that it is tight. However, our main result is not only about tightness of the (birthday) security bound, but rather about how badly the construction of GCM-RUP breaks when the bound is reached: a universal forgery attack is much stronger than a distinguishing attack.…”

Section: Contributionssupporting

confidence: 82%

“…This paper shows a birthday-bound attack against GCM-RUP [2] using inner collisions to recover the output difference of the function GHASH K2 . Hence, K 2 can be retrieved by solving a polynomial equation, and this directly leads to a universal forgery attack against GCM-RUP.…”

Section: Resultsmentioning

confidence: 99%

“…Ashur, Dunkelman and Luykx proposed a generic construction of an efficient separated AE scheme at CRYPTO'17 [2]. Their construction uses an encryption scheme and a TBC, and achives security in the RUP setting, assuming that the encryption scheme is strongly indistinguishable-from-random-bits (SRND) [13,30], and the TBC is a strong pseudorandom permutation (SPRP) [30].…”

Section: Brief Description Of Gcm-rup [2]mentioning

confidence: 99%

“…In 2015, Gueron et al presented GCM-SIV [12] combining GCM's underlying components with the SIV paradigm designed by Rogaway and Shrimpton [29], to provide nonce-misuse resistance. Later, at CRYPTO'17, Ashur et al introduced a generic construction of AE scheme using a tweakable block cipher (TBC), which resists attacks in the RUP setting [2] (with Release of Unverified Plaintext). Based on the generic AE scheme, an instantiation GCM-RUP with highefficiency is put forward using AES-GCM's components.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Universal Forgery Attack Against GCM-RUP

Li¹,

Leurent²,

Wang³

et al. 2020

Topics in Cryptology – CT-RSA 2020

View full text Add to dashboard Cite

Authenticated encryption (AE) schemes are widely used to secure communications because they can guarantee both confidentiality and authenticity of a message. In addition to the standard AE security notion, some recent schemes offer extra robustness, i.e. they maintain security in some misuse scenarios. In particular, Ashur, Dunkelman and Luykx proposed a generic AE construction at CRYPTO'17 that is secure even when releasing unverified plaintext (the RUP setting), and a concrete instantiation, GCM-RUP. The designers proved that GCM-RUP is secure up to the birthday bound in the nonce-respecting model. In this paper, we perform a birthday-bound universal forgery attack against GCM-RUP, matching the bound of the proof. While there are simple distinguishing attacks with birthday complexity on GCM-RUP, our attack is much stronger: we have a partial key recovery leading to universal forgeries. For reference, the best known universal forgery attack against GCM requires 2 2n/3 operations, and many schemes do not have any known universal forgery attacks faster than 2 n. This suggests that GCM-RUP offers a different security trade-off than GCM: stronger protection in the RUP setting, but more fragile when the data complexity reaches the birthday bound. In order to avoid this attack, we suggest a minor modification of GCM-RUP that seems to offer better robustness at the birthday bound.

show abstract

Section: Contributionssupporting

confidence: 82%

Section: Resultsmentioning

confidence: 99%

Section: Brief Description Of Gcm-rup [2]mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Universal Forgery Attack Against GCM-RUP

Li¹,

Leurent²,

Wang³

et al. 2020

Topics in Cryptology – CT-RSA 2020

View full text Add to dashboard Cite

show abstract

“…In the model of RUP security, the adversary turns out to have significantly more power: since the introduction of the model, various schemes have been forged in the RUP model [CDN16,DLMN17,IMI18], and schemes that have been proven to achieve RUP authenticity often come at a cost [ZWH + 17, HSY17,ADL17]. For plaintext awareness, the situation is even more poignant: the model is often ignored, which arguably comes from the fact that the model is more complicated (it requires the description of a simulator).…”

Section: Release Of Unverified Plaintextmentioning

confidence: 99%

Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE

Chang

Datta

Dutta

et al. 2020

ToSC

View full text Add to dashboard Cite

Authenticated encryption schemes are usually expected to offer confidentiality and authenticity. In case of release of unverified plaintext (RUP), an adversary gets separated access to the decryption and verification functionality, and has more power in breaking the scheme. Andreeva et al. (ASIACRYPT 2014) formalized RUP security using plaintext awareness, informally meaning that the decryption functionality gives no extra power in breaking confidentiality, and INT-RUP security, covering authenticity in case of RUP. We describe a single, unified model, called AERUP security, that ties together these notions: we prove that an authenticated encryption scheme is AERUP secure if and only if it is conventionally secure, plaintext aware, and INT-RUP secure. We next present ANYDAE, a generalization of SUNDAE of Banik et al. (ToSC 2018/3). ANYDAE is a lightweight deterministic scheme that is based on a block cipher with block size n and arbitrary mixing functions that all operate on an n-bit state. It is particularly efficient for short messages, it does not rely on a nonce, and it provides maximal robustness to a lack of secure state. Whereas SUNDAE is not secure under release of unverified plaintext (a fairly simple attack can be mounted in constant time), ANYDAE is. We make handy use of the AERUP security model to prove that ANYDAE achieves both conventional security as RUP security, provided that certain modest conditions on the mixing functions are met. We describe two simple instances, called MONDAE and TUESDAE, that conform to these conditions and that are competitive with SUNDAE, in terms of efficiency and optimality.

show abstract