Boosting Authenticated Encryption Robustness with Minimal Modifications

Secure and highly efficient authenticated encryption (AE) algorithms which achieve data confidentiality and authenticity in the symmetric-key setting have existed for well over a decade. By all conventional measures, AES-OCB seems to be the AE algorithm of choice on any platform with AES-NI: it has a proof showing it is secure assuming AES is, and it is one of the fastest out of all such algorithms. However, algorithms such as AES-GCM and ChaCha20+Poly1305 have seen more widespread adoption, even though they will likely never outperform AES-OCB on platforms with AES-NI. Given the fact that changing algorithms is a long and costly process, some have set out to maximize the security that can be achieved with the already deployed algorithms, without sacrificing efficiency: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM’s underlying components to provide nonce misuse resistance, and TLS1.3 introduces a randomized nonce in order to improve GCM’s multi-user security. We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms can be used for applications where defense in depth is critical. We formalize and illustrate how GCM and ChaCha20+Poly1305 offer varying degrees of resilience to nonce misuse, as they can recover quickly from repeated nonces, as opposed to OCB, which loses all security. More surprisingly, by introducing minor tweaks such as an additional XOR, we can create a GCM variant which provides security even when unverified plaintext is released.

[1]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[2]  Mihir Bellare,et al.  On the Construction of Variable-Input-Length Ciphers , 1999, FSE.

[3]  Morris J. Dworkin,et al.  SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC , 2007 .

[4]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[5]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[6]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode of Operation (Full Version) , 2004, IACR Cryptol. ePrint Arch..

[7]  Thomas Shrimpton,et al.  Tweakable Blockciphers with Beyond Birthday-Bound Security , 2012, IACR Cryptol. ePrint Arch..

[8]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[9]  Paul F. Syverson,et al.  Anonymous connections and onion routing , 1998, IEEE J. Sel. Areas Commun..

[10]  Andrey Bogdanov,et al.  Parallelizable and Authenticated Online Ciphers , 2013, IACR Cryptol. ePrint Arch..

[11]  S. Griffis EDITOR , 1997, Journal of Navigation.

[12]  Shai Halevi,et al.  A Parallelizable Enciphering Mode , 2004, CT-RSA.

[13]  Mihir Bellare,et al.  The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3 , 2016, CRYPTO.

[14]  Stefan Lucks,et al.  RIV for Robust Authenticated Encryption , 2016, FSE.

[15]  Martijn Stam,et al.  Rogue Decryption Failures: Reconciling AE Robustness Notions , 2015, IMACC.

[16]  Kenneth G. Paterson,et al.  On Symmetric Encryption with Distinguishable Decryption Failures , 2013, FSE.

[17]  A. Joux Authentication Failures in NIST version of GCM , 2006 .

[18]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[19]  Tetsu Iwata,et al.  Integrity analysis of authenticated encryption based on stream ciphers , 2016, International Journal of Information Security.

[20]  David A. Wagner,et al.  Tweakable Block Ciphers , 2002, Journal of Cryptology.

[21]  Stefan Lucks,et al.  The Skein Hash Function Family , 2009 .

[22]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[23]  Alex Biryukov,et al.  Improved Time-Memory Trade-Offs with Multiple Data , 2005, Selected Areas in Cryptography.

[24]  Tetsu Iwata,et al.  Tweak-Length Extension for Tweakable Blockciphers , 2015, IMACC.

[25]  Jean-Sébastien Coron,et al.  A Domain Extender for the Ideal Cipher , 2010, TCC.

[26]  Daniel J. Bernstein,et al.  The Poly1305-AES Message-Authentication Code , 2005, FSE.

[27]  Stefan Lucks,et al.  McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes , 2012, FSE.

[28]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[29]  Tetsu Iwata,et al.  Breaking and Repairing GCM Security Proofs , 2012, IACR Cryptol. ePrint Arch..

[30]  Gordon Procter A Security Analysis of the Composition of ChaCha20 and Poly1305 , 2014, IACR Cryptol. ePrint Arch..

[31]  Adam Langley,et al.  ChaCha20 and Poly1305 for IETF Protocols , 2018, RFC.

[32]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[33]  Phillip Rogaway,et al.  The OCB Authenticated-Encryption Algorithm , 2014, RFC.

[34]  Antoine Joux,et al.  Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE , 2014, ASIACRYPT.

[35]  Gordon Procter,et al.  The design and analysis of symmetric cryptosystems , 2015 .

[36]  Yehuda Lindell,et al.  GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte , 2015, CCS.

[37]  Tetsu Iwata,et al.  GCM Security Bounds Reconsidered , 2015, FSE.

[38]  Yu Sasaki,et al.  Message-Recovery MACs and Verification-Unskippable AE , 2017, IACR Cryptol. ePrint Arch..

[39]  Bart Preneel,et al.  Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms , 2008, CRYPTO.

[40]  Serge Vaudenay,et al.  Authenticated Encryption with Variable Stretch , 2016, ASIACRYPT.

[41]  Phillip Rogaway,et al.  Robust Authenticated-Encryption AEZ and the Problem That It Solves , 2015, EUROCRYPT.

[42]  Juraj Somorovsky,et al.  Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS , 2016, WOOT.

[43]  Thomas Peyrin,et al.  Tweaks and Keys for Block Ciphers: The TWEAKEY Framework , 2014, ASIACRYPT.

[44]  Sanjit Chatterjee,et al.  Another Look at Tightness , 2011, IACR Cryptol. ePrint Arch..

[45]  Kazuhiko Minematsu,et al.  Beyond-Birthday-Bound Security Based on Tweakable Block Cipher , 2009, FSE.

[46]  Bart Mennink,et al.  Optimally Secure Tweakable Blockciphers , 2015, FSE.

[47]  Andrey Bogdanov,et al.  How to Securely Release Unverified Plaintext in Authenticated Encryption , 2014, ASIACRYPT.

[48]  Eli Biham,et al.  How to decrypt or even substitute DES-encrypted messages in 228 steps , 2002, Inf. Process. Lett..

[49]  Aaas News,et al.  Book Reviews , 1893, Buffalo Medical and Surgical Journal.

[50]  Damian Vizár,et al.  Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance , 2015, CRYPTO.

[51]  Adam Langley,et al.  ChaCha20 and Poly1305 for IETF Protocols , 2018, RFC.

[52]  Shay Gueron,et al.  AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition , 2013 .

[53]  Thomas Shrimpton,et al.  A Modular Framework for Building Variable-Input-Length Tweakable Ciphers , 2013, ASIACRYPT.