The Security of ChaCha20-Poly1305 in the Multi-User Setting

The ChaCha20-Poly1305 AEAD scheme is increasingly widely deployed in practice. Practitioners need proven security bounds in order to set data limits and rekeying intervals for the scheme, but the formal security analysis of ChaCha20-Poly1305 currently lags behind that of AES-GCM: the only extant analysis (Procter, 2014) contains a flaw and covers only the single-user setting. We rectify this situation. We prove a multi-user bound on the AEAD security of ChaCha20-Poly1305 and establish the tightness of each term in the bound through matching attacks. We show how our bound differs both qualitatively and quantitatively from the known bounds for AES-GCM, highlighting how subtle design choices lead to distinctive security properties. We translate our bound to the nonce-randomized setting employed in TLS 1.3 and elsewhere, and we additionally improve the corresponding security bounds for GCM. Finally, we provide a simple yet stronger variant of ChaCha20-Poly1305 that addresses the deficiencies highlighted by our analysis.

[1] Daniel J. Bernstein et al. The Poly1305-AES Message-Authentication Code. FSE, 2005.

[2] Eric Rescorla et al. The Datagram Transport Layer Security (DTLS) Protocol Version 1.3. RFC, 2020.

[3] Carlos Cid et al. On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes. Journal of Cryptology, 2013.

[4] Stefano Tessaro et al. The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization. CCS, 2018.

[5] Divesh Aggarwal et al. Improved Algorithms for the Shortest Vector Problem and the Closest Vector Problem in the Infinity Norm. ISAAC, 2018.

[6] Adam Langley et al. ChaCha20 and Poly1305 based Cipher Suites for TLS. 2013.

[7] Alex Biryukov et al. Improved Time-Memory Trade-Offs with Multiple Data. Selected Areas in Cryptography, 2005.

[8] Alex Biryukov et al. Selected Areas in Cryptography - 17th International Workshop, SAC 2010, Waterloo, Ontario, Canada, August 12-13, 2010, Revised Selected Papers. 2011.

[9] Mihir Bellare et al. The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. EUROCRYPT, 1996.

[10] Eli Biham et al. How to decrypt or even substitute DES-encrypted messages in 2^28 steps. Inf. Process. Lett., 2002.

[11] Tetsu Iwata et al. GCM Security Bounds Reconsidered. FSE, 2015.

[12] John Viega et al. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. INDOCRYPT, 2004.

[13] Gordon Procter. A Security Analysis of the Composition of ChaCha20 and Poly1305. IACR Cryptol. ePrint Arch., 2014.

[14] Kenneth G. Paterson et al. Limits on Authenticated Encryption Use in TLS. IACR Cryptol. ePrint Arch., 2024.

[15] Mihir Bellare et al. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3. CRYPTO, 2016.

[16] Stefano Tessaro et al. Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds. IACR Cryptol. ePrint Arch., 2018.

[17] Marc Fischlin et al. Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3. IACR Cryptol. ePrint Arch., 2020.

[18] Shafi Goldwasser et al. Complexity of lattice problems - a cryptographic perspective. The Kluwer international series in engineering and computer science, 2002.

[19] Chen Ping (陈平) et al. Balls-into-bins allocator algorithm (title translated from the Chinese "Balls into bins分配器算法"). 2005.

[20] Shay Gueron et al. The Advantage of Truncated Permutations. CSCML, 2016.

[21] Shay Gueron et al. The advantage of truncated permutations. Discret. Appl. Math., 2021.

[22] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers. EUROCRYPT, 2014.

[23] Andrey Bogdanov et al. Twisted Polynomials and Forgery Attacks on GCM. EUROCRYPT, 2015.

[24] Shafi Goldwasser et al. Complexity of lattice problems. 2002.

[25] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.3. RFC, 2018.

[26] Adam Langley et al. ChaCha20 and Poly1305 for IETF Protocols. RFC, 2018.

[27] Kenneth G. Paterson et al. Analyzing Multi-key Security Degradation. ASIACRYPT, 2017.

[28] Tetsu Iwata et al. Breaking and Repairing GCM Security Proofs. IACR Cryptol. ePrint Arch., 2012.

[29] Martin Raab et al. "Balls into Bins" - A Simple and Tight Analysis. RANDOM, 1998.