Analyzing Multi-key Security Degradation

The multi-key, or multi-user, setting challenges cryptographic algorithms to maintain high levels of security when used with many different keys, by many different users. It matters because, in the real world, cryptography is rarely used with a single key in isolation. A folklore result, proved by Bellare, Boldyreva, and Micali for public-key encryption at EUROCRYPT 2000, states that the success probability of attacking any one of many independently keyed instances of an algorithm is bounded by the success probability of attacking a single instance, multiplied by the number of keys present. This is sufficient for settings in which only a few keys are in use, but once cryptographic algorithms are deployed at Internet scale, as is the case with TLS, multiplying by the number of keys can drastically erode security claims. We establish a sufficient condition on cryptographic schemes and security games under which multi-key degradation is avoided. As illustrative examples, we discuss how AES and GCM behave in the multi-key setting, and prove that GCM, as a mode, does not suffer multi-key degradation. Our analysis allows the limits on the amount of data that can be processed per key by GCM to be significantly increased. This leads directly to improved security for GCM as deployed in TLS on the Internet today.
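The following worked example is added here to make the "multiply by the number of keys" effect concrete; it is not code from the paper and it does not reproduce the paper's GCM analysis. It assumes, purely for illustration, a single-key advantage bound of birthday shape, sigma^2 / 2^n (sigma blocks of n bits processed under one key), applies the folklore hybrid-argument bound mu * sigma^2 / 2^n to mu independently keyed instances, and solves for the largest per-key data limit that still meets a target advantage. The names `eps_single`, `eps_multikey_hybrid`, `max_blocks_hybrid` and `degradation_free_bound` are this example's own; the last one models the idealised "no degradation" case as a bound that does not grow with mu, which is an assumption of this example, not a statement of the paper's exact bound.

```python
"""Added example: per-key data limits under the folklore multi-key bound.

Assumptions (for illustration only, not the paper's bounds):
  * single-key bound of birthday shape:  eps_single(sigma) = sigma^2 / 2^n
  * folklore multi-key bound:            mu * eps_single(sigma)
  * idealised degradation-free bound:    eps_single(sigma), independent of mu
"""
from fractions import Fraction
import math

N_BITS = 128  # AES block size in bits


def eps_single(sigma: int, n: int = N_BITS) -> Fraction:
    """Illustrative single-key advantage bound: sigma^2 / 2^n (exact rational)."""
    return Fraction(sigma * sigma, 2 ** n)


def eps_multikey_hybrid(mu: int, sigma: int, n: int = N_BITS) -> Fraction:
    """Folklore hybrid-argument bound for mu instances, each processing sigma blocks."""
    return mu * eps_single(sigma, n)


def degradation_free_bound(mu: int, sigma: int, n: int = N_BITS) -> Fraction:
    """Idealised degradation-free bound (assumption): no dependence on mu at all."""
    return eps_single(sigma, n)


def max_blocks_hybrid(mu: int, target_log2: int, n: int = N_BITS) -> int:
    """Largest sigma with mu * sigma^2 / 2^n <= 2^-target_log2.

    mu * sigma^2 / 2^n <= 2^-t  <=>  sigma^2 <= 2^(n-t) / mu, and since sigma^2
    is an integer, comparing against floor(2^(n-t) / mu) is exact.
    """
    if target_log2 > n:
        return 0  # no positive sigma can meet a target below 2^-n in this model
    return math.isqrt((2 ** (n - target_log2)) // mu)


def shrink_factor(mu: int, target_log2: int, n: int = N_BITS) -> Fraction:
    """How much the per-key data limit shrinks when mu keys are in play."""
    return Fraction(max_blocks_hybrid(1, target_log2, n),
                    max_blocks_hybrid(mu, target_log2, n))


if __name__ == "__main__":
    target = 32            # aim for advantage at most 2^-32
    mu = 2 ** 32           # constructed scenario: 2^32 independently keyed sessions
    single_limit = max_blocks_hybrid(1, target)
    multi_limit = max_blocks_hybrid(mu, target)
    print(f"single key : up to 2^{single_limit.bit_length() - 1} blocks per key")
    print(f"{mu} keys  : up to 2^{multi_limit.bit_length() - 1} blocks per key (hybrid bound)")
    print(f"hybrid bound at the single-key limit: {eps_multikey_hybrid(mu, single_limit)}")
    print(f"degradation-free bound at that limit: {degradation_free_bound(mu, single_limit)}")
```

With n = 128 and a target of 2^-32, the single-key model permits 2^48 blocks per key, while the hybrid bound over 2^32 keys only permits 2^32 blocks per key; keeping the 2^48 limit under 2^32 keys makes the hybrid bound equal to 1, i.e. vacuous, even though the idealised degradation-free bound stays at 2^-32. That gap between the two columns is exactly what a proof of "no multi-key degradation" buys in deployed data limits.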

[1]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[2]  Atul Luykx,et al.  Multi-key Security: The Even-Mansour Construction Revisited , 2015, CRYPTO.

[3]  Andrey Bogdanov,et al.  Bicliques with Minimal Data and Time Complexity for AES , 2014, ICISC.

[4]  Carlos Cid,et al.  On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes , 2013, Journal of Cryptology.

[5]  Daniel J. Bernstein,et al.  Stronger Security Bounds for Wegman-Carter-Shoup Authenticators , 2005, EUROCRYPT.

[6]  Hongjun Wu,et al.  Improving the Biclique Cryptanalysis of AES , 2015, ACISP.

[7]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[8]  Bart Preneel,et al.  Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms , 2008, CRYPTO.

[9]  Eli Biham,et al.  How to decrypt or even substitute DES-encrypted messages in 2^28 steps , 2002, Inf. Process. Lett..

[10]  Yu Sasaki,et al.  Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs , 2016, IACR Trans. Symmetric Cryptol..

[11]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[12]  Hugo Krawczyk,et al.  LFSR-based Hashing and Authentication , 1994, CRYPTO.

[13]  Thomas Shrimpton,et al.  Salvaging Weak Security Bounds for Blockcipher-Based Constructions , 2016, ASIACRYPT.

[14]  Stefano Tessaro,et al.  Optimally Secure Block Ciphers from Ideal Primitives , 2015, ASIACRYPT.

[15]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[16]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[17]  Tetsu Iwata,et al.  Breaking and Repairing GCM Security Proofs , 2012, IACR Cryptol. ePrint Arch..

[18]  Phillip Rogaway,et al.  Bucket Hashing and Its Application to Fast Message Authentication , 1995, Journal of Cryptology.

[19]  Daniel J. Bernstein.  Stronger security bounds for permutations .

[20]  Sanjit Chatterjee,et al.  Another Look at Tightness II: Practical Issues in Cryptography , 2016, IACR Cryptol. ePrint Arch..

[21]  Jung Hee Cheon,et al.  Advances in Cryptology - ASIACRYPT 2015: 21st International Conference on the Theory and Application of Cryptology and Information Security Auckland, New Zealand, November 29 - December 3, 2015 Proceedings, Part I , 2015 .

[22]  Mihir Bellare,et al.  Hash-Function Based PRFs: AMAC and Its Multi-User Security , 2016, EUROCRYPT.

[23]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[24]  Alfred Menezes,et al.  Security of Signature Schemes in a Multi-User Setting , 2004, Des. Codes Cryptogr..

[25]  Bart Mennink,et al.  Security of Keyed Sponge Constructions Using a Modular Proof Approach , 2015, FSE.

[26]  Mihir Bellare,et al.  Code-Based Game-Playing Proofs and the Security of Triple Encryption , 2004, IACR Cryptol. ePrint Arch..

[27]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[28]  Ping Zhang,et al.  On the Provable Security of the Tweakable Even-Mansour Cipher Against Multi-Key and Related-Key Attacks , 2016, IACR Cryptol. ePrint Arch..

[29]  Tibor Jager,et al.  On the Impossibility of Tight Cryptographic Reductions , 2016, IACR Cryptol. ePrint Arch..

[30]  Carlos Cid,et al.  On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes , 2013, FSE.

[31]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[32]  Ueli Maurer,et al.  Free-Start Distinguishing: Combining Two Types of Indistinguishability Amplification , 2009, ICITS.

[33]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[34]  Ueli Maurer,et al.  Indistinguishability Amplification , 2007, CRYPTO.

[35]  Silvio Micali,et al.  Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements , 2000, EUROCRYPT.

[36]  Ueli Maurer Conditional equivalence of random systems and indistinguishability proofs , 2013, 2013 IEEE International Symposium on Information Theory.

[37]  Antoine Joux,et al.  Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE , 2014, ASIACRYPT.

[38]  Stefano Tessaro,et al.  Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security , 2016, CRYPTO.

[39]  Wenling Wu,et al.  Multi-key Analysis of Tweakable Even-Mansour with Applications to Minalpher and OPP , 2017, IACR Trans. Symmetric Cryptol..

[40]  Gregor Leander,et al.  Fast Software Encryption , 2015, Lecture Notes in Computer Science.

[41]  Gregory M. Zaverucha Hybrid Encryption in the Multi-User Setting , 2012, IACR Cryptol. ePrint Arch..

[42]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[43]  Ueli Maurer,et al.  Indistinguishability of Random Systems , 2002, EUROCRYPT.

[44]  Stefano Tessaro,et al.  The Multi-user Security of Double Encryption , 2017, EUROCRYPT.

[45]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[46]  Andrey Bogdanov,et al.  Biclique Cryptanalysis of the Full AES , 2011, ASIACRYPT.

[47]  Markku-Juhani O. Saarinen Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes , 2012, FSE.

[48]  Tetsu Iwata,et al.  GCM Security Bounds Reconsidered , 2015, FSE.

[49]  Ueli Maurer,et al.  Optimality of non-adaptive strategies: The case of parallel games , 2014, 2014 IEEE International Symposium on Information Theory.

[50]  Alex Biryukov,et al.  Improved Time-Memory Trade-Offs with Multiple Data , 2005, Selected Areas in Cryptography.

[51]  Mihir Bellare,et al.  The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3 , 2016, CRYPTO.

[52]  Kyoji Shibutani,et al.  Midori: A Block Cipher for Low Energy , 2015, ASIACRYPT.

[53]  Donghoon Chang,et al.  A Short Proof of the PRP/PRF Switching Lemma , 2008, IACR Cryptol. ePrint Arch..

[54]  Sanjit Chatterjee,et al.  Another Look at Tightness , 2011, IACR Cryptol. ePrint Arch..