The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3

We initiate the study of multi-user mu security of authenticated encryption AE schemes as a way to rigorously formulate, and answer, questions about the "randomized nonce" mechanism proposed for the use of the AE scheme GCM in TLSi¾?1.3. We 1 Give definitions of mu ind indistinguishability and mu kr key recovery security for AE 2 Characterize the intent of nonce randomization as being improved mu security as a defense against mass surveillance 3 Cast the method as a new AE scheme RGCM 4 Analyze and compare the mu security of both GCM and RGCM in the model where the underlying block cipher is ideal, showing that the mu security of the latter is indeed superior in many practical contexts to that of the former, and 5 Propose an alternative AE scheme XGCM having the same efficiency as RGCM but better mu security and a more simple and modular design.

[1]  Maurizio Kliban Boyarsky,et al.  Public-key cryptography and password protocols: the multi-user case , 1999, CCS '99.

[2]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[3]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[4]  Atul Luykx,et al.  Multi-key Security: The Even-Mansour Construction Revisited , 2015, CRYPTO.

[5]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[6]  Joe Kilian,et al.  How to Protect DES Against Exhaustive Key Search (an Analysis of DESX) , 2015, Journal of Cryptology.

[7]  Kenneth G. Paterson,et al.  Data Is a Stream: Security of Stream-Based Channels , 2015, CRYPTO.

[8]  Yishay Mansour,et al.  A construction of a cipher from a single pseudorandom permutation , 1997, Journal of Cryptology.

[9]  Tetsu Iwata,et al.  GCM Security Bounds Reconsidered , 2015, FSE.

[10]  Morris J. Dworkin,et al.  Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality [including updates through 7/20/2007] , 2004 .

[11]  Hugo Krawczyk,et al.  LFSR-based Hashing and Authentication , 1994, CRYPTO.

[12]  Tetsu Iwata,et al.  Breaking and Repairing GCM Security Proofs , 2012, IACR Cryptol. ePrint Arch..

[13]  Silvio Micali,et al.  Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements , 2000, EUROCRYPT.

[14]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[15]  Antoine Joux,et al.  Multi-user Collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE , 2014, ASIACRYPT.

[16]  Stefano Tessaro,et al.  Optimally Secure Block Ciphers from Ideal Primitives , 2015, ASIACRYPT.

[17]  Stefano Tessaro,et al.  The Multi-user Security of Double Encryption , 2017, EUROCRYPT.

[18]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[19]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[20]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[21]  Morris J. Dworkin SP 800-38C. Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality , 2004 .

[22]  Ueli Maurer,et al.  Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer , 2015, ProvSec.

[23]  Ueli Maurer,et al.  Indistinguishability of Random Systems , 2002, EUROCRYPT.

[24]  Phillip Rogaway,et al.  The Software Performance of Authenticated-Encryption Modes , 2011, FSE.

[25]  Eike Kiltz,et al.  Optimal Security Proofs for Signatures from Identification Schemes , 2016, CRYPTO.

[26]  Mihir Bellare,et al.  Hash-Function Based PRFs: AMAC and Its Multi-User Security , 2016, EUROCRYPT.

[27]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[28]  Morris J. Dworkin,et al.  SP 800-38B. Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication , 2005 .

[29]  Daniel J. Bernstein Multi-user Schnorr security, revisited , 2015, IACR Cryptol. ePrint Arch..

[30]  Kenneth G. Paterson,et al.  Analyzing Multi-key Security Degradation , 2017, ASIACRYPT.

[31]  Yevgeniy Dodis,et al.  Optimistic Fair Exchange in a Multi-user Setting , 2007, J. Univers. Comput. Sci..

[32]  Morris J. Dworkin,et al.  SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC , 2007 .

[33]  Aaas News,et al.  Book Reviews , 1893, Buffalo Medical and Surgical Journal.

[34]  Steven D. Galbraith,et al.  Public key signatures in the multi-user setting , 2002, Inf. Process. Lett..

[35]  Tibor Jager,et al.  Multi-key Authenticated Encryption with Corruptions: Reductions Are Lossy , 2017, TCC.

[36]  Mihir Bellare,et al.  Robust computational secret sharing and a unified account of classical secret-sharing goals , 2007, CCS '07.

[37]  Guomin Yang,et al.  Efficient Optimistic Fair Exchange Secure in the Multi-user Setting and Chosen-Key Model without Random Oracles , 2008, CT-RSA.

[38]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.