On Symmetric Encryption with Distinguishable Decryption Failures

We propose to relax the assumption that decryption failures are indistinguishable in security models for symmetric encryption. Our main purpose is to build models that better reflect the reality of cryptographic implementations, and to surface the security issues that arise from doing so. We systematically explore the consequences of this relaxation, with some surprising consequences for our understanding of this basic cryptographic primitive. Our results should be useful to practitioners who wish to build accurate models of their implementations and then analyse them. They should also be of value to more theoretical cryptographers proposing new encryption schemes, who, in an ideal world, would be compelled by this work to consider the possibility that their schemes might leak more than simple decryption failures.
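As an added illustration of the abstract's point (this is example code, not code from the paper): a toy MAC-then-pad-then-encrypt scheme whose decryption routine either surfaces two distinguishable failure symbols (bad padding versus bad tag) or collapses every failure into a single symbol. The cipher, key and messages are constructed for this example only.

```python
import hashlib
import hmac
import os

# Constructed toy scheme: keystream from SHA-256 in counter mode, HMAC-SHA256 tag,
# PKCS#7-style padding applied over message||tag. Only the failure reporting matters.
TAG_LEN = 32


class PaddingError(Exception):
    pass


class MacError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, msg: bytes) -> bytes:
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    body = msg + tag
    padlen = 16 - len(body) % 16
    body += bytes([padlen]) * padlen
    nonce = os.urandom(16)
    return nonce + _xor(body, _keystream(key, nonce, len(body)))


def decrypt_leaky(key: bytes, ct: bytes) -> bytes:
    """Reports *why* decryption failed: two distinguishable error symbols."""
    nonce, body = ct[:16], ct[16:]
    pt = _xor(body, _keystream(key, nonce, len(body)))
    padlen = pt[-1] if pt else 0
    if padlen == 0 or padlen > 16 or pt[-padlen:] != bytes([padlen]) * padlen:
        raise PaddingError
    pt = pt[:-padlen]
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag):
        raise MacError
    return msg


def decrypt_uniform(key: bytes, ct: bytes):
    """Same scheme, single failure symbol. Collapses the error *value* only; the
    two code paths still differ in timing, which this example does not address."""
    try:
        return decrypt_leaky(key, ct)
    except (PaddingError, MacError):
        return None


def failure_symbol(decrypt, key: bytes, ct: bytes) -> str:
    """Label what a caller can observe from one decryption query."""
    try:
        return "ok" if decrypt(key, ct) is not None else "fail"
    except PaddingError:
        return "pad"
    except MacError:
        return "mac"
```

Running `failure_symbol` with both decryptors over the same tampered ciphertexts shows the leaky variant exposing two symbols where the uniform variant exposes one.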
