
KIVR: Committing Authenticated Encryption Using Redundancy and Application to GCM, CCM, and More

  • Conference paper
Applied Cryptography and Network Security (ACNS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14583)


Abstract

Constructing a committing authenticated encryption (AE) satisfying the CMT-4 security notion is an ongoing research challenge. We propose a new mode KIVR, a black-box conversion for adding CMT-4 security to existing AEs. \(\textsf {KIVR}\) is a generalization of Hash-then-Enc (HtE) [Bellare and Hoang, EUROCRYPT 2022] and uses a collision-resistant hash function to generate an initial value (or nonce) and a mask for the redundant bits, in addition to a temporary key. We obtain a general bound \(r/2 + \textsf{tag}\text {-}\textsf{col}\) with r-bit redundancy for a large class of CTR-based AEs, where \(\textsf{tag}\text {-}\textsf{col}\) is the security against tag-collision attacks. Unlike HtE, the security of KIVR increases linearly with r, achieving beyond-birthday-bound security. With a t-bit tag, \(\textsf{tag}\text {-}\textsf{col}\) satisfies \(0 \le \textsf{tag}\text {-}\textsf{col}\le t/2\) depending on the target AE. We set \(\textsf{tag}\text {-}\textsf{col}=0\) for GCM, GCM-SIV, and CCM, and the corresponding bound r/2 is tight for GCM and GCM-SIV. With \(\textsf{CTR}\text{- }\textsf{HMAC}\), \(\textsf{tag}\text {-}\textsf{col}= t/2\), and the bound \((r+t)/2\) is tight.
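The conversion the abstract describes, as an added illustrative example that is not the authors' code: \(\textsf{F}_{\textsf{KIVR}}\) hashes \((K, N, A)\) into a temporary key, an IV and a redundancy mask, the redundant plaintext \(R \Vert M_\textsf{origin}\) is masked and handed to the underlying AE, and decryption rejects unless both the tag and the unmasked redundancy check out. The underlying CTR-HMAC AE is a constructed toy built from HMAC-SHA256, the key, IV and tag lengths are assumptions, and \(\textsf{Mix}_\textsf{rc}\) is the identity as in note 4.

```python
import hashlib
import hmac

R_BYTES = 8        # r = 64 bits of redundancy (the PNG-sized figure from note 2)
KEY_BYTES = 32     # k: length of the temporary key handed to the underlying AE (assumed)
IV_BYTES = 16      # nu: length of the derived IV/nonce (assumed)
TAG_BYTES = 16     # t: tag length, HMAC-SHA256 truncated to 128 bits (assumed)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """CTR keystream of the toy AE: block i = HMAC-SHA256(key, "enc" || iv || i)."""
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, b"enc" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]


def _tag(key: bytes, iv: bytes, ad: bytes, c: bytes) -> bytes:
    """Tag of the toy AE over (iv, AD, ciphertext); AD is length-prefixed."""
    msg = b"tag" + iv + len(ad).to_bytes(4, "big") + ad + c
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]


def ctr_hmac_encrypt(key, iv, ad, m):
    c = _xor(m, _keystream(key, iv, len(m)))
    return c, _tag(key, iv, ad, c)


def ctr_hmac_decrypt(key, iv, ad, c, tag):
    if not hmac.compare_digest(_tag(key, iv, ad, c), tag):
        return None                                   # tag rejected
    return _xor(c, _keystream(key, iv, len(c)))


def f_kivr(key, nonce, ad):
    """F_KIVR: collision-resistant hash of (K, N, A) -> (K_T, N_T, R_T).
    Fields are length-prefixed so the encoding is injective."""
    enc = b"KIVR" + len(key).to_bytes(2, "big") + key + len(nonce).to_bytes(2, "big") + nonce + ad
    seed = hashlib.sha256(enc).digest()
    out = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(2))  # 64 bytes
    k_t = out[:KEY_BYTES]
    n_t = out[KEY_BYTES:KEY_BYTES + IV_BYTES]
    r_t = out[KEY_BYTES + IV_BYTES:KEY_BYTES + IV_BYTES + R_BYTES]
    return k_t, n_t, r_t


def kivr_encrypt(key, nonce, ad, redundancy, m_origin):
    assert len(redundancy) == R_BYTES
    k_t, n_t, r_t = f_kivr(key, nonce, ad)
    m = redundancy + m_origin                  # M = R || M_origin (the redundant plaintext)
    mask = r_t + bytes(len(m_origin))          # Mix_rc = identity: R_T || 0^{|M| - r_T}
    return ctr_hmac_encrypt(k_t, n_t, ad, _xor(m, mask))


def kivr_decrypt(key, nonce, ad, redundancy, c, tag):
    k_t, n_t, r_t = f_kivr(key, nonce, ad)
    masked = ctr_hmac_decrypt(k_t, n_t, ad, c, tag)
    if masked is None or len(masked) < R_BYTES:
        return None                                   # underlying AE rejected
    m = _xor(masked, r_t + bytes(len(masked) - R_BYTES))
    if not hmac.compare_digest(m[:R_BYTES], redundancy):
        return None                                   # redundancy check failed: wrong (K, N, A)
    return m[R_BYTES:]


def demo():
    """Constructed sample: round trip under K1, then the same (N, A, C, T) under a different K2."""
    k1, k2 = bytes(range(32)), bytes(range(1, 33))
    nonce, ad = b"nonce-000001", b"hdr"
    png_sig = b"\x89PNG\r\n\x1a\n"                    # 64-bit PNG signature used as the redundancy R
    c, t = kivr_encrypt(k1, nonce, ad, png_sig, b"payload")
    return kivr_decrypt(k1, nonce, ad, png_sig, c, t), kivr_decrypt(k2, nonce, ad, png_sig, c, t)
```

The redundancy check is the part the underlying AE does not provide on its own: a receiver that only verified the tag would have no binding between the ciphertext and the key/nonce/AD context.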


Notes

  1. An alternative approach for \(\textbf{CMT}\text{- }4\) security is designing an indifferentiable AE scheme [4]. It can be used as an ideal AE scheme, where an adversary is allowed to select AE’s keys, and is \(\textbf{CMT}\text{- }4\)-secure. An indifferentiable AE claims security beyond the committing security notions, and thus its design is harder than that of a \(\textbf{CMT}\text{- }4\)-secure AE scheme.

  2. PNG and XML files have 64 and 192 bits of redundancy, respectively [20, 28].

  3. Specifically, the bound given in Theorem 1 is \(O(\frac{\mu }{2^r})\) plus the advantage of finding \(\mu \)-collisions for tags. By choosing the parameter \(\mu \) so that these terms are balanced according to the structure of the tagging function, we have the security \(\frac{r}{2} + \textsf{tag}\text {-}\textsf{col}\).

  4. We exemplify the structure of the masked plaintext \(M\oplus \textsf{Mix}_\textsf{rc}(R_\textsf{T}\Vert 0^{|M| - {r_\textsf{T}}})\) by using the padding fix. In the padding fix, \(R_\textsf{T}= 0^r\) and \(\textsf{Mix}_\textsf{rc}\) is an identity function. Then, the masked plaintext is \((0^r\Vert M_\textsf{origin}) \oplus (R_\textsf{T}\Vert 0^{|M| - {r_\textsf{T}}}) = (R_\textsf{T}\Vert 0^{r- {r_\textsf{T}}}) \Vert M_\textsf{origin}\).

  5. In [3], the additional queries are called super queries.

  6. SHA-2 uses the following suffix-free padding function: for an input \(D\), a one-zero value \(10^i\) is appended to \(D\), followed by the 64-bit encoding of \(|D|\), so that the total length is a multiple of \(b\) and i is minimal.

References

  1. Albertini, A., Duong, T., Gueron, S., Kölbl, S., Luykx, A., Schmieg, S.: How to abuse and fix authenticated encryption without key commitment. In: USENIX Security 2022, pp. 3291–3308 (2022)


  2. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_6


  3. Armknecht, F., Fleischmann, E., Krause, M., Lee, J., Stam, M., Steinberger, J.: The preimage security of double-block-length compression functions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 233–251. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_13


  4. Barbosa, M., Farshim, P.: Indifferentiable authenticated encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 187–220. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_7


  5. Bellare, M., et al.: Ask your cryptographer if context-committing AEAD is right for you. In: Real World Crypto Symposium (RWC), vol. 2023 (2023)


  6. Bellare, M., Hoang, V.T.: Efficient schemes for committing authenticated encryption. In: EUROCRYPT 2022, vol. 13276, pp. 845–875 (2022). https://doi.org/10.1007/978-3-031-07085-3_29

  7. Bellare, M., Hoang, V.T., Wu, C.: The landscape of committing authenticated encryption. https://csrc.nist.gov/Presentations/2023/landscape-of-committing-authenticated-encryption (2023), the Third NIST Workshop on Block Cipher Modes of Operation

  8. Bose, P., Hoang, V.T., Tessaro, S.: Revisiting AES-GCM-SIV: multi-user security, faster key derivation, and better bounds. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 468–499. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_18


  9. Chan, J., Rogaway, P.: On committing authenticated-encryption. In: ESORICS 2022, vol. 13555, pp. 275–294 (2022)


  10. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39


  11. Dodis, Y., Grubbs, P., Ristenpart, T., Woodage, J.: Fast message franking: from invisible salamanders to encryptment. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 155–186. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_6


  12. Dworkin, M.: NIST Special Publication 800–38A: Recommendation for block cipher modes of operation: Methods and techniques (2001). https://csrc.nist.gov/pubs/sp/800/38/a/final

  13. Dworkin, M.: NIST Special Publication 800–38C: Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality (2007). https://csrc.nist.gov/pubs/sp/800/38/c/upd1/final

  14. Dworkin, M.: NIST Special Publication 800–38D: Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC (2007). https://csrc.nist.gov/pubs/sp/800/38/d/final

  15. Farshim, P., Orlandi, C., Rosie, R.: Security of symmetric primitives under incorrect usage of keys. IACR Trans. Symmetric Cryptol. 2017(1), 449–473 (2017)


  16. Grubbs, P., Lu, J., Ristenpart, T.: Message Franking via Committing Authenticated Encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 66–97. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_3


  17. Gueron, S., Langley, A., Lindell, Y.: AES-GCM-SIV: nonce misuse-resistant authenticated encryption. RFC 8452, 1–42 (2019)


  18. Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: CCS 2015. pp. 109–119. ACM (2015)


  19. Günther, F., Thomson, M., Wood, C.A.: Usage limits on AEAD algorithms (2023). https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-06.txt

  20. Kessler, G.C.: GCK’s file signatures table (2023). https://www.garykessler.net/library/file_sigs.html (Accessed 19 Oct 2023)

  21. Len, J., Grubbs, P., Ristenpart, T.: Partitioning oracle attacks. In: USENIX Security 2021, pp. 195–212 (2021)


  22. Menda, S., Len, J., Grubbs, P., Ristenpart, T.: Context discovery and commitment attacks - how to break CCM, EAX, SIV, and more. In: EUROCRYPT 2023. LNCS, pp. 379–407 (2023). https://doi.org/10.1007/978-3-031-30634-1_13

  23. Nir, Y., Langley, A.: ChaCha20 and Poly1305 for IETF protocols. RFC 8439, 1–46 (2018)


  24. NIST: FIPS 198–1: The keyed-hash message authentication code (HMAC) (2008). https://csrc.nist.gov/pubs/fips/198-1/final

  25. NIST: The third NIST workshop on block cipher modes of operation 2023 (2023). https://csrc.nist.gov/Events/2023/third-workshop-on-block-cipher-modes-of-operation (Accessed 20 Oct 2023)

  26. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_40


  27. Stam, M.: Blockcipher-based hashing revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_5


  28. Wikipedia: List of file signatures (2023). https://en.wikipedia.org/wiki/List_of_file_signatures (Accessed 19 Oct 2023)


Acknowledgement

We thank Dong Hoon Chang, an associate of National Institute of Standards and Technology, for helpful comments on the formalization of the redundant plaintext. We also thank anonymous reviewers for constructive feedback.

Corresponding author

Correspondence to Yusuke Naito.

Appendices

A Multi-user Security for AE

Multi-user-AE (\(\textbf{mu}\text {-}\textbf{AE}\)) security is the indistinguishability between the real and ideal worlds. Let \(\varPi =(\varPi _\textsf{Enc}, \varPi _\textsf{Dec})\) be an AE scheme that has encryption and decryption algorithms. Let \(u\) be the number of users. In the \(\textbf{mu}\text {-}\textbf{AE}\)-security game, an adversary \(\textbf{A}\) has access to either real-world oracles \((\varPi _{K_1},\ldots ,\varPi _{K_u})\) or ideal-world ones \(((\$_1,\perp ),\ldots ,(\$_u,\perp ))\). \(K_1, \ldots , K_u\) are the users’ keys defined as \(K_i \xleftarrow {\$}\mathcal {K}\) where \(i \in [u]\). \(\$_\xi \) is a random-bit oracle of the \(\xi \)-th user that takes an input tuple \((N, A, M)\) of nonce, AD, and plaintext, and returns a pair of random ciphertext and tag defined as \((C, T) \xleftarrow {\$}\{0,1\}^{|\varPi _\textsf{Enc}[E](K, N, A, M)|}\). \(\perp \) is a reject oracle that returns \({\textbf {reject}}\) for each query. At the end of this game, \(\textbf{A}\) returns a decision bit in \(\{0,1\}\). If the underlying primitive is ideal, then \(\textbf{A}\) also has access to the ideal primitive. Let \(\textbf{A}^{\mathcal {O}} \in \{0,1\}\) be an output of \(\textbf{A}\) with access to a set of oracles \(\mathcal {O}\). Then, the \(\textbf{mu}\text {-}\textbf{AE}\)-security advantage function of \(\textbf{A}\) is defined as \(\textbf{Adv}^{\textbf{mu}\text {-}\textbf{ae}}_\varPi (\textbf{A}) := \textrm{Pr}\left[ \textbf{A}^{\varPi _{K_1},\ldots ,\varPi _{K_u}} = 1 \right] - \textrm{Pr}\left[ \textbf{A}^{(\$_1,\perp ),\ldots ,(\$_u,\perp )} = 1 \right] \). We consider nonce-respecting adversaries, where for each user all nonces in queries to the encryption oracle are distinct. In this game, trivial queries to the decryption oracle are forbidden: a query \((\xi , N, A, C, T^\prime )\) such that \((C, T^\prime )\) was returned by a previous query \((\xi, N, A, M)\) to the encryption oracle.

B Multi-user PRF Security

The \(\textbf{mu}\text {-}\textbf{AE}\) security of \(\textsf {KIVR}\)-based schemes relies on multi-user pseudo-random-function (\(\textsf{mu}\text{- }\textsf{PRF}\)) security. Let \(\textsf{F}_K:\mathcal {M}\rightarrow \{0,1\}^s\) be a keyed function with a key \(K\in \mathcal {K}_\textsf{F}\), where \(\mathcal {M}\subseteq \{0,1\}^*\) is the input space, \(s\) is the output length, and \(\mathcal {K}_\textsf{F}\) is the key space. Let \(u\) be the number of users. Let \(\textsf{Func}\) be the set of all functions from \(\mathcal {M}\) to \(\{0,1\}^s\). In the \(\textsf{mu}\text{- }\textsf{PRF}\)-security game, an adversary \(\textbf{A}\) has access to either real-world oracles \((\textsf{F}_{K_1},\ldots ,\textsf{F}_{K_u})\) or ideal-world ones \((\mathcal {R}_1, \ldots , \mathcal {R}_u)\), where \(K_i\) is the i-th user’s key defined as \(K_i \xleftarrow {\$}\mathcal {K}_\textsf{F}\) and \(\mathcal {R}_i\) is a random function of the i-th user defined as \(\mathcal {R}_i \xleftarrow {\$}\textsf{Func}\). At the end of this game, \(\textbf{A}\) returns a decision bit. Let \(\textbf{A}^{\mathcal {O}_1, \ldots , \mathcal {O}_u}\) be an output of \(\textbf{A}\) with access to oracles \((\mathcal {O}_1, \ldots , \mathcal {O}_u)\). Then, the \(\textsf{mu}\text{- }\textsf{PRF}\)-security advantage function of \(\textbf{A}\) is defined as \(\textbf{Adv}^{\textsf{mu}\text{- }\textsf{prf}}_{\textsf{F}}(\textbf{A}) := \textrm{Pr}\left[ \textbf{A}^{\textsf{F}_{K_1},\ldots , \textsf{F}_{K_u}} = 1 \right] - \textrm{Pr}\left[ \textbf{A}^{\mathcal {R}_1, \ldots , \mathcal {R}_{u}} = 1 \right] \).

C \(\textbf{mu}\text {-}\textbf{AE}\) Security of AE Schemes with \(\textsf {KIVR}\)

The following theorem shows that the \(\textbf{mu}\text {-}\textbf{AE}\) security of an AE scheme \(\varPi \) with \(\textsf {KIVR}\) is reduced to the \(\textbf{mu}\text {-}\textbf{AE}\)-security of the underlying AE scheme \(\varPi \) and the \(\textsf{mu}\text{- }\textsf{PRF}\) security of \(\textsf {F}_{\textsf {KIVR}}\). Note that in the theorem, \(\textsf {F}_{\textsf {KIVR}}\) is a keyed function.

Theorem 4

Let \(\varPi \) be an AE scheme. Let \(R\) be redundancy and \(\textsf{Mix}_\textsf{rc}\) a \((\omega , n)\)-mixing function. For any \(\textbf{mu}\text {-}\textbf{AE}\) adversary \(\textbf{A}\) against \(\textsf {KIVR}[\varPi ]\) making at most \(q\) queries and running in time T, there exist a \(\textbf{mu}\text {-}\textbf{AE}\) adversary \(\textbf{A}_1\) against \(\varPi \) and a \(\textsf{mu}\text{- }\textsf{PRF}\) adversary \(\textbf{A}_2\) against \(\textsf {F}_{\textsf {KIVR}}\) such that \(\textbf{Adv}^{\textbf{mu}\text {-}\textbf{ae}}_{\textsf {KIVR}[\varPi ]}(\textbf{A}) \le \textbf{Adv}^{\textbf{mu}\text {-}\textbf{ae}}_{\varPi }(\textbf{A}_1) + \textbf{Adv}^{\textsf{mu}\text{- }\textsf{prf}}_{\textsf {F}_{\textsf {KIVR}}}(\textbf{A}_2)\), where \(\textbf{A}\) makes at most \(q\) construction queries and runs in time T, and \(\textbf{A}_1\) and \(\textbf{A}_2\) each make at most \(q\) construction queries and run in time \(T+O(q)\).

Proof. First, the keyed functions \(\textsf {F}_{\textsf {KIVR}}(K_1, \cdot , \cdot ),\ldots ,\textsf {F}_{\textsf {KIVR}}(K_u, \cdot , \cdot )\) are replaced with random functions \(\mathcal {R}_1,\ldots ,\mathcal {R}_u\). This replacement introduces the \(\textsf{mu}\text{- }\textsf{PRF}\)-advantage of \(\textbf{A}_2\) into the \(\textbf{mu}\text {-}\textbf{AE}\)-security bound.

We next consider the \(\textbf{mu}\text {-}\textbf{AE}\)-security of \(\textsf {KIVR}[\varPi ]\) where \(\textsf {F}_{\textsf {KIVR}}\) is a random function \(\mathcal {R}_i\). Since a random function assigns to each tuple of key, nonce, and AD a temporary key chosen uniformly at random from \(\mathcal {K}\), the \(\textbf{mu}\text {-}\textbf{AE}\)-security of \(\textsf {KIVR}[\varPi ]\) reduces to the \(\textbf{mu}\text {-}\textbf{AE}\)-security of \(\varPi \); i.e., for any adversary breaking the \(\textbf{mu}\text {-}\textbf{AE}\)-security of \(\textsf {KIVR}[\varPi ]\), there exists an adversary \(\textbf{A}_1\) breaking the \(\textbf{mu}\text {-}\textbf{AE}\)-security of \(\varPi \).

Hence, we have \(\textbf{Adv}^{\textbf{mu}\text {-}\textbf{ae}}_{\textsf {KIVR}[\varPi ]}(\textbf{A}) \le \textbf{Adv}^{\textbf{mu}\text {-}\textbf{ae}}_{\varPi }(\textbf{A}_1) + \textbf{Adv}^{\textsf{mu}\text{- }\textsf{prf}}_{\textsf {F}_{\textsf {KIVR}}}(\textbf{A}_2)\).    \(\square \)

D Proof of Theorem 2 for \(\textsf {KIVR}[\textsf{GCM}\text{- }\textsf{SIV}]\)

[Figure: Algorithm 10 (adversary \(\textbf{A}_1\) against \(\textsf {KIVR}[\textsf{GCM}\text{- }\textsf{SIV}]\)), not reproduced in this extraction]

Fix redundancy \(R\in \{0,1\}^r\). We consider the mixing function \(\textsf{Mix}_\textsf{rc}(R\Vert M_\textsf{origin}) = R\Vert M_\textsf{origin}\) for each core data \(M_\textsf{origin}\). We then define two adversaries \(\textbf{A}_1\) and \(\textbf{A}_2\) that achieve the terms \(\frac{p^2}{2^r}\) and \(\frac{p^2}{2^{k+\nu +{r_\textsf{T}}}}\), respectively.

Adversary \(\textbf{A}_1\). The adversary \(\textbf{A}_1\) breaking the \(\textbf{CMT}\text{- }1\)-security of \(\textsf {KIVR}[\textsf{GCM}\text{- }\textsf{SIV}]\) is given in Algorithm 10. \(\textbf{A}_1\) returns a pair \(((K^{(\alpha )},N, A, M^{(\alpha )}),(K^{(\beta )},N, A, M^{(\beta )}))\) such that \(K^{(\alpha )} \ne K^{(\beta )}\). We explain the algorithm below.

  • Steps 2 and 3 define \(p_1\) tuples of a key, a nonce, and AD, where the keys are all distinct. In Steps 4-7, \(\textbf{A}\) calculates the key streams for these input tuples.

  • Step 8 searches for a pair \((\alpha , \beta )\) satisfying the following conditions: \(\textsf{msb}_1(X^{(\alpha )}) = \textsf{msb}_1(X^{(\beta )}) = 0\) and \(\textsf{msb}_r\left( KS^{(\alpha )} \oplus KS^{(\beta )}\right) = \texttt{zp}_r(R_\textsf{T}^{(\alpha )} \oplus R_\textsf{T}^{(\beta )})\). The second condition is sufficient for a ciphertext collision by Lemma 1. For each pair \((\alpha , \beta )\), \(KS^{(\alpha )}\) and \(KS^{(\beta )}\) are (almost) \(r\)-bit random values, and thus the probability that the relation is satisfied is \(O(\frac{1}{2^r})\). Summing this bound over all pairs, the probability that the relation is satisfied for some pair is \(O\left( \frac{p^2}{2^r}\right) \).

  • If such a pair is found, then \(\textbf{A}\) can find a pair \(((K^{(\alpha )},N, A, M^{(\alpha )}),(K^{(\beta )},N, A, M^{(\beta )}))\) such that \((C^{(\alpha )},T^{(\alpha )}) = (C^{(\beta )},T^{(\beta )})\) by solving the equations \(\textsf{msb}_r(M^{(\alpha )}) = \textsf{msb}_r(M^{(\beta )}) = R\), \(C^{(\alpha )} = C^{(\beta )}~(\Leftrightarrow M^{(\alpha )} \oplus M^{(\beta )} = KS^{(\alpha )} \oplus KS^{(\beta )})\), \(\textsf{GHASH}(L^{(\alpha )}, \varepsilon , M^{(\alpha )}) = H^{(\alpha )}\), and \(\textsf{GHASH}(L^{(\beta )}, \varepsilon , M^{(\beta )}) = H^{(\beta )}\). Since Step 8 ensures that the ciphertext collision occurs, this step searches for the pair that yields the tag collision. In the equations, there are \(2(\omega +2)\) plaintext blocks and \(\omega +4\) equations for the blocks. Fixing the \(2\omega \) message blocks with redundancy such that \(\textsf{msb}_{\omega n}(C^{(\alpha )}) = \textsf{msb}_{\omega n}(C^{(\beta )})\), the remaining 4 message blocks are uniquely determined from the equations \(\textsf{lsb}_{2n}(C^{(\alpha )}) = \textsf{lsb}_{2n}(C^{(\beta )})\), \(\textsf{lsb}_{n-1}(\textsf{GHASH}(L_{\textsf{T}}^{(\alpha )}, A^{(\alpha )}, M^{(\alpha )})) = \textsf{lsb}_{n-1}(H^{(\alpha )})\), and \(\textsf{lsb}_{n-1}(\textsf{GHASH}(L_{\textsf{T}}^{(\beta )}, A^{(\beta )}, M^{(\beta )})) = \textsf{lsb}_{n-1}(H^{(\beta )})\). Then, we have a pair with the output collision.

Hence, the probability that \(\textbf{A}\) wins the \(\textbf{CMT}\text{- }1\) game is \(O\left( \frac{p^2}{2^r} \right) \).

Adversary \(\textbf{A}_2\). The second adversary \(\textbf{A}_2\) breaks the \(\textbf{CMT}\text{- }1\)-security of \(\textsf {KIVR}[\textsf{GCM}\text{- }\textsf{SIV}]\) by using a collision of \(\textsf {F}_{\textsf {KIVR}}\). If \(\textsf {F}_{\textsf {KIVR}}(K^{(\alpha )}, N^{(\alpha )}, A^{(\alpha )}) = \textsf {F}_{\textsf {KIVR}}(K^{(\beta )}, N^{(\beta )}, A^{(\beta )})\) such that \(K^{(\alpha )} \ne K^{(\beta )}\) and \((N^{(\alpha )}, A^{(\alpha )}) = (N^{(\beta )}, A^{(\beta )})\), then by choosing the same plaintexts \(M^{(\alpha )}\) and \(M^{(\beta )}\) such that \(\textsf{msb}_r(M^{(\alpha )}) = \textsf{msb}_r(M^{(\beta )}) = R\) and the tag collision occurs, we obtain the output collision \((C^{(\alpha )}, T^{(\alpha )}) = (C^{(\beta )},T^{(\beta )})\). The collision probability is \(O \left( \frac{p^2}{2^{k+\nu +{r_\textsf{T}}}} \right) \). Note that the plaintexts with the tag collision can be found by the same procedure as \(\textbf{A}_1\), which finds ciphertexts with the tag collision by making use of the linearity of \(\textsf{GHASH}\).    \(\square \)

E Proof of Theorem 3

[Figure: Algorithm 11 (adversary \(\textbf{A}_1\) against \(\textsf {KIVR}[\textsf{CTR}\text{- }\textsf{HMAC}]\)), not reproduced in this extraction]

In this proof, we assume that \(\textsf{HMAC}\) is a random oracle \(\textsf{RO}\), i.e., an ideal hash function. Let \(R\in \{0,1\}^r\) be redundancy. We consider the following mixing function: \(\textsf{Mix}_\textsf{rc}(R\Vert M_\textsf{origin}) = R\Vert M_\textsf{origin}\) for each core data \(M_\textsf{origin}\). We then define two adversaries \(\textbf{A}_1\) and \(\textbf{A}_2\) that achieve the terms \(\frac{p^2}{2^{r+t}}\) and \(\delta _{\textsf{coll}}(p)\), respectively.

Adversary \(\textbf{A}_1\). The adversary \(\textbf{A}_1\) breaking the \(\textbf{CMT}\text{- }1\)-security of \(\textsf {KIVR}[\textsf{CTR}\text{- }\textsf{HMAC}]\) is defined in Algorithm 11. The adversary returns a pair \(((K^{(\alpha )},N^{(\alpha )}, A^{(\alpha )}, M^{(\alpha )}), (K^{(\beta )},N^{(\beta )}, A^{(\beta )}, M^{(\beta )}))\) such that \((N^{(\alpha )}, A^{(\alpha )}) = (N^{(\beta )}, A^{(\beta )})\), \(K^{(\alpha )} \ne K^{(\beta )}\), and \(M^{(\alpha )} \ne M^{(\beta )}\). We explain the algorithm below.

  • Steps 2 and 3 define \(p_1\) tuples of a key, a nonce, and AD, where the keys are all distinct. Steps 4-7 calculate the key streams of these input tuples.

  • Step 8 searches for a pair \((\alpha , \beta )\) satisfying the following relations: \(\textsf{msb}_1(X^{(\alpha )}) = \textsf{msb}_1(X^{(\beta )}) = 0\) and \(\textsf{msb}_r\left( KS^{(\alpha )} \oplus KS^{(\beta )}\right) = \texttt{zp}_r(R_\textsf{T}^{(\alpha )} \oplus R_\textsf{T}^{(\beta )})\), which is a sufficient condition for a ciphertext collision by Lemma 1. For each pair \((\alpha , \beta )\), \(KS^{(\alpha )}\) and \(KS^{(\beta )}\) are (almost) \(r\)-bit random values, and thus the probability that the relation is satisfied is \(O(\frac{1}{2^r})\).

  • For such a pair, Steps 10 and 11 calculate a pair of plaintexts \((M^{(\alpha )}, M^{(\beta )})\) that yield the same ciphertext \(C\), and Step 12 calculates the tags. Step 13 checks the equality of the tags. If the tag collision occurs, \(\textbf{A}_1\) breaks the \(\textbf{CMT}\text{- }1\)-security of \(\textsf{CTR}\text{- }\textsf{HMAC}\). The probability that the tag collision occurs is at most \(\frac{1}{2^t}\).

  • Summing the bound \(\frac{1}{2^r} \cdot \frac{1}{2^t}\) for each pair \((\alpha , \beta )\), we have the bound \(O\left( \frac{p^2}{2^{r+t}}\right) \).

Hence, the probability that \(\textbf{A}_1\) breaks the \(\textbf{CMT}\text{- }1\)-security of \(\textsf {KIVR}[\textsf{GCM}]\) is at least \(O\left( \frac{p^2}{2^{r+t}}\right) \).

Adversary \(\textbf{A}_2\). The second adversary \(\textbf{A}_2\) breaks the \(\textbf{CMT}\text{- }1\)-security of \(\textsf {KIVR}[\textsf{CTR}\text{- }\textsf{HMAC}]\) by using a collision of \(\textsf {F}_{\textsf {KIVR}}\). If a collision \(\textsf {F}_{\textsf {KIVR}}(K^{(\alpha )}, N^{(\alpha )}, A^{(\alpha )}) = \textsf {F}_{\textsf {KIVR}}(K^{(\beta )}, N^{(\beta )}, A^{(\beta )})\) is found such that \(K^{(\alpha )} \ne K^{(\beta )}\) and \((N^{(\alpha )}, A^{(\alpha )}) = (N^{(\beta )}, A^{(\beta )})\), then by choosing the same plaintext \(M^{(\alpha )} = M^{(\beta )}\), we obtain the output collision \((C^{(\alpha )}, T^{(\alpha )}) = (C^{(\beta )},T^{(\beta )})\). The collision probability is \(\delta _{\textsf{coll}}(p)\).    \(\square \)


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Naito, Y., Sasaki, Y., Sugawara, T. (2024). KIVR: Committing Authenticated Encryption Using Redundancy and Application to GCM, CCM, and More. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14583. Springer, Cham. https://doi.org/10.1007/978-3-031-54770-6_13


  • DOI: https://doi.org/10.1007/978-3-031-54770-6_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54769-0

  • Online ISBN: 978-3-031-54770-6
