2023
DOI: 10.1007/978-3-031-30634-1_12

Generic Attack on Duplex-Based AEAD Modes Using Random Function Statistics

Abstract: Duplex-based authenticated encryption modes with a sufficiently large key length are proven to be secure up to the birthday bound $2^{c/2}$, where $c$ is the capacity. However this bound is not known to be tight and the complexity of the best known generic attack, which is based on multicollisions, is much larger: it reaches $2^{c}/\alpha$ where $\alpha$ represents a small security loss factor. There is thus an uncertainty on the true extent of security beyond the bound $2^{c/2}$ provided by such constructions. In this paper, we descr…

Cited by 3 publications (2 citation statements)
References 27 publications
“…Recently, Gilbert et al. [GBKR23] mounted an attack against duplex-based authenticated encryption schemes, and particularly broke the claim of the designers of Xoodyak [DHP+20, DHP+19]. Their attack concretely relates to Theorem 7, first line, second fraction of (32)/(33).…”
Section: Application (citation type: mentioning)
Confidence: 99%
“…To wit, the security bound of Daemen et al. [DMV17] was defined in terms of 6 adversarial complexity parameters, and the one of Dobraunig and Mennink [DM19a] even in 7 parameters, some of which were rather obscure and required deep understanding of the construction to judge whether they were relevant or not in a specific use case. This issue has sometimes led to incorrect security claims [DHP+20, DHP+19] and given rise to generic attacks [GBKR23] (see also Section 9.3). More generally, this has led to the fact that we have not seen many applications of the security bounds of Daemen et al. [DMV17] and of Dobraunig and Mennink [DM19a], despite that the full-state keyed duplex has been present, in disguise, in many applications over the years.…”
Section: Introduction (citation type: mentioning)
Confidence: 99%