论文信息 - Don ’ t Panic ! The Cryptographers ’ Guide to Robust Authenticated ( On-line ) Encryption Draft , March 11 , 2015

Don ’ t Panic ! The Cryptographers ’ Guide to Robust Authenticated ( On-line ) Encryption Draft , March 11 , 2015

In [13], Hoang et al. discuss the security definitions for nonce-misuse-resistant authenticated on-line encryption. They argue that (1) all on-line authenticated encryption schemes are vulnerable to the chosen-prefix secret-suffix (CPSS) attack; therefore, none deserves to be called “misuse-resistant” unlike misuse-resistant authenticated encryption (MRAE) schemes, which are off-line and invulnerable to that attack, and (2) if on-line encryption is required, then the OAE1 notion as defined by [10] is too weak for its claimed purpose. Therefore, the authors of [13] propose OAE2 as a putatively stronger alternative. This work addresses their arguments in three directions. Firstly, we show that all AE schemes – including MRAE schemes – are vulnerable to an attack which we call chosen-plaintext overwrite-secret (CPOS), which is structurally similar to the CPSS attack. Secondly, while there is a clear need for AE schemes that limit the damage in the case of a nonce reuse, the phrase “misuse resistance” has always promised more than it can hold. Thus, we propose to replace it by “robustness” or “damage limitation”. Thirdly, we discuss the differences between OAE1 and OAE2. While the latter is an interesting security notion of its own, we argue that it solves a different problem than OAE1. We show that the combination of decryption robustness and OAE1 security (called OAE1) implies OAE2 security, i.e., an OAE2 scheme may be vulnerable to decryption-misuse, but any decryption-robust OAE1 scheme can be transformed into a decryption-robust OAE2 scheme. Moreover, we introduce the notion OAE2 for a decryption-robust OAE2 scheme. Finally, we argue that POET satisfies the properties of an OAE1 scheme and show how it can be transformed into an OAE2 scheme.

[1] Stefan Lucks,et al. McOE: A Foolproof On-Line Authenticated Encryption Scheme , 2011, IACR Cryptol. ePrint Arch..

[2] Phillip Rogaway,et al. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[3] Thomas Shrimpton,et al. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[4] Stefan Lucks,et al. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes , 2012, FSE.

[5] Chanathip Namprempre,et al. Online Ciphers and the Hash-CBC Construction , 2001, CRYPTO.

[6] Chanathip Namprempre,et al. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[7] Damian Vizár,et al. Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance , 2015, CRYPTO.

[8] Stefan Lucks,et al. The POET Family of On-Line Authenticated Encryption Schemes Submission to the CAESAR competition , 2014 .

[9] Andrey Bogdanov,et al. How to Securely Release Unverified Plaintext in Authenticated Encryption , 2014, ASIACRYPT.

[10] Phillip Rogaway,et al. Robust Authenticated-Encryption AEZ and the Problem That It Solves , 2015, EUROCRYPT.

[11] Stefan Lucks,et al. Pipelineable On-line Encryption , 2014, FSE.

[12] Sean W. Smith,et al. Authenticated Streamwise On-line Encryption , 2009 .