Context Discovery and Commitment Attacks

Menda, Sanketh; Len, Julia; Grubbs, Paul; Ristenpart, Thomas

doi:10.1007/978-3-031-30634-1_13

Cited by 4 publications

(1 citation statement)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1. (C, (K 1 , N 1 , AD 1 ), (K 2 , N 2 , AD 2 )) CMT-3 security implies CMT-1, which in turn implies the FROB game [BH22,MLGR23].…”

Section: Cmt-4(a)mentioning

confidence: 99%

Key Committing Attacks against AES-based AEAD Schemes

Derbez,

Fouque,

Isobe

et al. 2024

ToSC

View full text Add to dashboard Cite

Recently, there has been a surge of interest in the security of authenticated encryption with associated data (AEAD) within the context of key commitment frameworks. Security within this framework ensures that a ciphertext chosen by an adversary does not decrypt to two different sets of key, nonce, and associated data. Despite this increasing interest, the security of several widely deployed AEAD schemes has not been thoroughly examined within this framework. In this work, we assess the key committing security of several AEAD schemes. First, the AEGIS family, which emerged as a winner in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), and has been proposed to standardization at the IETF. A now outdated version of the draft standard suggested that AEGIS could qualify as a fully committing AEAD scheme; we prove that it is not the case by proposing a novel attack applicable to all variants, which has been experimentally verified. We also exhibit a key committing attack on Rocca-S. Our attacks are executed within the FROB game setting, which is known to be one of the most stringent key committing frameworks. This implies that they remain valid in other, more relaxed frameworks, such as CMT-1, CMT-4, and so forth. Finally, we show that applying the same attack techniques to Rocca and Tiaoxin-346 does not compromise their key-committing security. This observation provides valuable insights into the design of such secure round update functions for AES-based AEAD schemes.

show abstract

“…1. (C, (K 1 , N 1 , AD 1 ), (K 2 , N 2 , AD 2 )) CMT-3 security implies CMT-1, which in turn implies the FROB game [BH22,MLGR23].…”

Section: Cmt-4(a)mentioning

confidence: 99%