
Reconsidering Generic Composition: The Modes A10, A11 and A12 are Insecure

  • Conference paper
  • Information Security and Privacy (ACISP 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13915)

Abstract

Authenticated Encryption (\(\textsf{AE}\)) achieves privacy and authenticity with a single scheme. An \(\textsf{AE}\) scheme can be obtained by gluing together an encryption scheme (providing privacy) and a Message Authentication Code (\(\textsf{MAC}\), providing authenticity). This approach is called generic composition, and its security has been studied by Namprempre et al. [20]. They looked into all the possible ways of gluing an encryption scheme to a secure \(\textsf{MAC}\) in order to obtain a nonce-based \(\textsf{AE}\) scheme. The encryption scheme is either \(\textsf{IV}\)-based (that is, with an additional random input, the initialization vector, \(\textsf{IV}\)) or nonce-based (with an input to be used only once, the nonce). Namprempre et al. assessed the security or insecurity of all possible composition combinations except for four (N4, A10, A11 and A12). Berti et al. [9] showed that N4 is insecure and that the remaining modes (A10, A11 and A12) are either all secure or all insecure.

Here, we prove that these modes are all insecure with a counterexample.

F. Berti–Work done when this author was at TU Darmstadt, Germany, CAC - Applied Cryptography.


Notes

  1. Tweakable block ciphers (\(\textsf{TBC}\)s) were introduced by Liskov et al. [19]. They are block ciphers (\(\textsf{BC}\)s) with an additional input, the tweak, which adds flexibility.

  2. A probabilistic encryption scheme is a triple \(\varPi =(\textsf{Gen},\textsf{Enc},\textsf{Dec})\) such that the output of \(\textsf{Enc}\) is probabilistic. For all its other requirements, see [17].

  3. The only problem is if the adversary can make an encryption query \((N,m)\) with \(N=1\) and \(m_{l-1}=v^*\), but this cannot happen since \(v^*\) is random and is leaked only during a query with \(N=1\).

  4. Note that this misuse-resistant definition is weaker than the standard one (see [26] for the original definition), where the adversary can also make decryption queries.

References

  1. Abed, F., Forler, C., Lucks, S.: General classification of the authenticated encryption schemes for the CAESAR competition. Comput. Sci. Rev. 22, 13–26 (2016). https://doi.org/10.1016/j.cosrev.2016.07.002

  2. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, Miami Beach, Florida, USA, 19–22 October 1997, pp. 394–403. IEEE Computer Society (1997). https://doi.org/10.1109/SFCS.1997.646128

  3. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  4. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x

  5. Bellare, M., Ng, R., Tackmann, B.: Nonces are noticed: AEAD revisited. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 235–265. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_9

  6. Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit Nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_24

  7. Bernstein, D.J.: Caesar call for submissions, final. Technical report (2014). http://competitions.cr.yp.to/caesar.html

  8. Berti, F.: Reconsidering generic composition: the modes A10, A11 and A12 are insecure, Cryptology ePrint Archive, Paper 2023/590 (2023). https://eprint.iacr.org/2023/590

  9. Berti, F., Pereira, O., Peters, T.: Reconsidering generic composition: the tag-then-encrypt case. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 70–90. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_4

  10. Berti, F., Pereira, O., Peters, T.: Reconsidering generic composition: the tag-then-encrypt case. In: IACR Cryptol. ePrint Arch., p. 991 (2018). https://eprint.iacr.org/2018/991

  11. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017). https://tosc.iacr.org/index.php/ToSC/article/view/801

  12. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_19

  13. Bronchain, O., Momin, C., Peters, T., Standaert, F.: Improved leakage-resistant authenticated encryption based on hardware AES coprocessors. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(3), 641–676 (2021). https://doi.org/10.46586/tches.v2021.i3.641-676

  14. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: ASCON v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021). https://doi.org/10.1007/s00145-021-09398-9

  15. Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_2

  16. Jimale, M.A., et al.: Authenticated encryption schemes: a systematic review. IEEE Access 10, 14739–14766 (2022). https://doi.org/10.1109/ACCESS.2022.3147201

  17. Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014). https://www.crcpress.com/Introduction-to-Modern-Cryptography-Second-Edition/Katz-Lindell/p/book/9781466570269

  18. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: how secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_19

  19. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3

  20. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_15

  21. NIST: Submission requirements and evaluation criteria for the lightweight cryptography standardization process. Technical report (2018). https://csrc.nist.gov/projects/lightweight-cryptography

  22. NIST: Lightweight cryptography - finalists. Technical report (2021). http://csrc.nist.gov/Projects/lightweight-cryptography/finalists

  23. Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_2

  24. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, 18–22 November 2002, pp. 98–107. ACM (2002). https://doi.org/10.1145/586110.586125

  25. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) CCS 2001, Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, 6–8 November 2001, pp. 196–205. ACM (2001). https://doi.org/10.1145/501983.502011

  26. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23


Acknowledgements

This work was partly supported by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE. F. Berti was partly funded by the Israel Science Foundation (ISF) grant 2569/21.

Author information

Corresponding author: Francesco Berti.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Berti, F. (2023). Reconsidering Generic Composition: The Modes A10, A11 and A12 are Insecure. In: Simpson, L., Rezazadeh Baee, M.A. (eds) Information Security and Privacy. ACISP 2023. Lecture Notes in Computer Science, vol 13915. Springer, Cham. https://doi.org/10.1007/978-3-031-35486-1_8

  • DOI: https://doi.org/10.1007/978-3-031-35486-1_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-35485-4
  • Online ISBN: 978-3-031-35486-1
