Authenticated Encryption with Key Identification

Len, Julia; Grubbs, Paul; Ristenpart, Thomas

doi:10.1007/978-3-031-22969-5_7

Cited by 4 publications

(4 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Related to robustness, Len, Grubbs and Ristenpart [30] consider AEAD with key identification, where the decryptor has a list of keys and must identify which one decrypts a given ciphertext.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Flexible Password-Based Encryption: Securing Cloud Storage and Provably Resisting Partitioning-Oracle Attacks

Bellare

Shea

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We introduce flexible password-based encryption (FPBE), an extension of traditional password-based encryption designed to meet the operational and security needs of contemporary applications like end-to-end secure cloud storage. Operationally, FPBE supports nonces, associated data and salt reuse. Security-wise, it strengthens the usual privacy requirement, and, most importantly, adds an authenticity requirement, crucial because end-to-end security must protect against a malicious server. We give an FPBE scheme called DtE that is not only proven secure, but with good bounds. The challenge, with regard to the latter, is in circumventing partitioning-oracle attacks, which is done by leveraging key-robust (also called key-committing) encryption and a notion of authenticity with corruptions. DtE can be instantiated to yield an efficient and practical FPBE scheme for the target applications.

show abstract

Section: Related Workmentioning

confidence: 99%

“…If the execution of A with G 1 sets win, then win will also be set in the execution of A SE with G auth SE,qs+qv , which justifies Eq. (30). The count of q s + q v for the number of users for SE arises as an upper bound for the counter v.…”

Section: A Proofs Of Authenticity Lemmasmentioning

confidence: 99%

Flexible Password-Based Encryption: Securing Cloud Storage and Provably Resisting Partitioning-Oracle Attacks

Bellare

Shea

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The conventional AE security notions do not imply key-committing security, and there are attacks on popular schemes, including GCM [GLR17, DGRW18], GCM-SIV [LGR21], CCM [Dwo07,MLGR23], and ChaCha20-Poly1305 [GLR17,NL18]. These attacks even lead to application-level attacks, e.g., the multi-recipient integrity attack that targets a specific user and sends malicious content to them and the partitioning oracle attack that effectively performs password brute-force attacks [LGR21]. Researchers are studying AE schemes with committing security to address the issue [GLR17, DGRW18, LGR21, ADG + 22].…”

Section: Introductionmentioning

confidence: 99%

Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode

Naito,

Sasaki,

Sugawara

2023

ToSC

View full text Add to dashboard Cite

Context-committing security of authenticated encryption (AE) that prevents ciphertexts from being decrypted with distinct decryption contexts, (K,N,A) comprising a key K, a nonce N, and associate data A is an active research field motivated by several real-world attacks. In this paper, we study the context-committing security of Ascon, the lightweight permutation-based AE selected by the NIST LWC in 2023, for cryptanalysis on primitive and proof on mode. The attacker’s goal is to find a collision of a ciphertext and a tag with distinct decryption contexts in which an attacker can control all the parameters including the key. First, we propose new attacks with primitives that inject differences in N and A. The new attack on Ascon-128 improves the number of rounds from 2 to 3 and practically generates distinct decryption contexts. The new attack also works in a practical complexity on 3 rounds of Ascon-128a. Second, we prove the context-committing security of Ascon with zero padding, namely Ascon-zp, in the random permutation model. Ascon-zp achieves min {t+z/2 , n+t−k−ν/2 , c/2}-bit security with a t-bit tag, a z-bit padding, an n-bit state, a ν-bit nonce, and a c-bit inner part. This bound corresponds to min {64 + z/2 , 96} with Ascon-128 and Ascon-128a, and min {64 + z/2 , 80} with Ascon-80pq. The original Ascon (z = 0) achieves 64-bit security bounded by a generic birthday attack. By appending zeroes to the plaintext, the security can be enhanced up to 96 bits for Ascon-128 and Ascon-128a and 80 bits for Ascon-80pq.

show abstract

“…Robustness is also important for maintaining consistency in searchable encryption [1] and ensuring auction bid correctness [36]. Various robustness notions for PKE were studied in [2], while stronger notions were introduced in [17]; the symmetric setting was treated in [18,22,16,29].…”

Section: Introductionmentioning

confidence: 99%

Anonymous, Robust Post-quantum Public Key Encryption

Grubbs

Maram

Paterson

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A core goal of the NIST PQC competition is to produce public-key encryption (PKE) schemes which, even if attacked with a large-scale quantum computer, maintain the security guarantees needed by applications. The main security focus in the NIST PQC context has been IND-CCA security, but other applications demand that PKE schemes provide anonymity (Bellare et al., ASIACRYPT 2001), and robustness (Abdalla et al., TCC 2010). Examples of such applications include anonymous communication systems, cryptocurrencies, anonymous credentials, searchable encryption, and auction protocols. Almost nothing is known about how to build post-quantum PKE schemes offering these security properties. In particular, the status of the NIST PQC candidates with respect to anonymity and robustness is unknown. This paper initiates a systematic study of anonymity and robustness for post-quantum PKE schemes. Firstly, we identify implicit rejection as a crucial design choice shared by most post-quantum KEMs, show that implicit rejection renders prior results on anonymity and robustness for KEM-DEM PKEs inapplicable, and transfer prior results to the implicit-rejection setting where possible. Secondly, since they are widely used to build post-quantum PKEs, we examine how the Fujisaki-Okamoto (FO) transforms (Fujisaki and Okamoto, Journal of Cryptology 2013) confer robustness and enhance weak anonymity of a base PKE. We then leverage our theoretical results to study the anonymity and robustness of three NIST KEM finalists-Saber, Kyber, and Classic McEliece-and one alternate, FrodoKEM. Overall, our findings for robustness are definitive: we provide positive robustness results for Saber, Kyber, and FrodoKEM, and a negative result for Classic McEliece. Our negative result stems from a striking property of KEM-DEM PKE schemes built with the Classic McEliece KEM: for any message m, we can construct a single hybrid ciphertext c which decrypts to the chosen m under any Classic McEliece private key. Our findings for anonymity are more mixed: we identify barriers to proving anonymity for Saber, Kyber, and Classic McEliece. We also found that in the case of Saber and Kyber, these barriers lead to issues with their IND-CCA security claims. We have worked with the Saber and Kyber teams to fix these issues, but they remain unresolved. On the positive side, we were able to prove anonymity for FrodoKEM and a variant of Saber introduced by D'Anvers et al. (AFRICACRYPT 2018). Our analyses of these two schemes also identified technical gaps in their IND-CCA security claims, but we were able to fix them.strong robustness property (XROB, from [18]), but where the PKE scheme resulting from composing this KEM and DEM is not ANO-CCA secure.Anonymity and robustness from FO transforms. Since all the NIST finalists are KEMs of the implicit rejection type and we have a strong negative result there, we must dig deeper if we wish to assure ourselves that anonymity and robustness will be obtained for PKEs built from those KEMs. This introduces our second main contribution, w...

show abstract

Authenticated Encryption with Key Identification

Cited by 4 publications

References 16 publications

Flexible Password-Based Encryption: Securing Cloud Storage and Provably Resisting Partitioning-Oracle Attacks

Flexible Password-Based Encryption: Securing Cloud Storage and Provably Resisting Partitioning-Oracle Attacks

Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode

Anonymous, Robust Post-quantum Public Key Encryption

Contact Info

Product

Resources

About