
Reforgeability of Authenticated Encryption Schemes

Conference paper. In: Information Security and Privacy (ACISP 2017). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10343).

Abstract

This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: \(j\text {-}\textsc {Int}\text {-}\textsc {CTXT}\), which is derived from the notion INT-CTXT. Second, we define an attack scenario called \(j\text {-IV-Collision Attack}\) (\(j\text {-IV-CA}\)), wherein an adversary tries to construct j forgeries provided a first forgery. The term collision in the name stems from the fact that we assume the first forgery to be the result from an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to \(j\text {-IV-CAs}\) of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to \(j\text {-IV-CAs}\). Based on this insight, we briefly discuss two alternative design strategies to resist \(j\text {-IV-CAs}\).


Notes

  1. Based on our assumption, the case \(T_i = T_k\) can be caused by an internal collision of the processing of two pairs \((A _i,N _i) \ne (A _k,N _k)\). Moreover, since we are considering the nonce-ignoring setting, which allows an adversary to repeat the values \(N _i\), we can say wlog. that we must have found two associated data values \(A_i \ne A_k\) leading to an equal output of the processing of the associated data, e.g., the initialization vector IV (see Fig. 1).

  2. Note that at least one of the three inputs must be given since otherwise the tag would be independent of the message, which would make the scheme trivially insecure.

References

  1. Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_29
  2. Abed, F., Fluhrer, S., Foley, J., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: The POET Family of On-Line Authenticated Encryption Schemes (2014). http://competitions.cr.yp.to/caesar-submissions.html
  3. Andreeva, E., Bogdanov, A., Datta, N., Luykx, A., Mennink, B., Nandi, M., Tischhauser, E., Yasuda, K.: COLM v1 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  4. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: AES-COPA (2014). http://competitions.cr.yp.to/caesar-submissions.html
  5. Aumasson, J.-P., Jovanovic, P., Neves, S.: NORX (2016). http://competitions.cr.yp.to/caesar-submissions.html
  6. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_1
  7. Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. IACR Cryptology ePrint Arch. 2004, 309 (2004)
  8. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
  9. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_25
  10. Bernstein, D.J.: CAESAR Call for Submissions, Final, 27 January 2014. http://competitions.cr.yp.to/caesar-call.html
  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. ECRYPT Hash Function Workshop (2007)
  12. Bertoni, G., Daemen, J., Peeters, M., Van Keer, R., Van Assche, G.: CAESAR submission, Ketje v2 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  13. Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03317-9_21
  14. Datta, N., Nandi, M.: ELmD (2014). http://competitions.cr.yp.to/caesar-submissions.html
  15. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  16. Dworkin, M.J.: SP 800–38C. Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. Technical report, Gaithersburg, MD, United States (2004)
  17. Ferguson, N.: Collision Attacks on OCB. Unpublished manuscript (2002). http://www.cs.ucdavis.edu/rogaway/ocb/links.htm
  18. Ferguson, N.: Authentication weaknesses in GCM (2005). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
  19. Forler, C., List, E., Lucks, S., Wenzel, J.: Reforgeability of Authenticated Encryption Schemes. Cryptology ePrint Archive, Report 2017/332 (2017). http://eprint.iacr.org/2017/332
  20. Fouque, P.-A., Martinet, G., Valette, F., Zimmer, S.: On the security of the CCM encryption mode and of a slight variant. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 411–428. Springer, Heidelberg (2008). doi:10.1007/978-3-540-68914-0_25
  21. Peeters, M., Bertoni, G., Daemen, J., Van Assche, G., Van Keer, R.: CAESAR submission, Keyak v2 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  22. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85174-5_9
  23. Hoang, V.T., Krovetz, T., Rogaway, P.: AEZ v4.2: Authenticated Encryption by Enciphering (2016). http://competitions.cr.yp.to/caesar-submissions.html
  24. Iwata, T., Minematsu, K., Guo, J., Morioka, S.: CLOC and SILC v3 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  25. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_3
  26. Jean, J., Nikolić, I., Peyrin, T., Seurin, Y.: Deoxys v1.41 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  27. Westerlund, M., Mattsson, J.: Authentication Key Recovery on Galois Counter Mode (GCM). Cryptology ePrint Archive, Report 2015/477 (2015). http://eprint.iacr.org/2015/477
  28. Joux, A.: Authentication Failures in NIST version of GCM. NIST Comment (2006)
  29. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: FSE, pp. 408–426 (2004)
  30. Krovetz, T., Rogaway, P.: OCB (2016). http://competitions.cr.yp.to/caesar-submissions.html
  31. List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). doi:10.1007/978-3-319-52153-4_15
  32. Jiqiang, L.: On the security of the COPA and marble authenticated encryption algorithms against (almost) universal forgery attack. IACR Cryptology ePrint Arch. 2015, 79 (2015)
  33. Lucks, S.: A failure-friendly design principle for hash functions. In: Proceedings of the Advances in Cryptology - ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4–8, 2005, pp. 474–494 (2005)
  34. McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004). http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf
  35. McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. IACR Cryptology ePrint Arch. 2005, 161 (2005)
  36. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30556-9_27
  37. Minematsu, K.: AES-OTR v3.1 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  38. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_15
  39. Nandi, M.: Revisiting security claims of XLS and COPA. Cryptology ePrint Archive, Report 2015/444 (2015). http://eprint.iacr.org/2015/444
  40. Nikolić, I.: Tiaoxin-346 (2016). http://competitions.cr.yp.to/caesar-submissions.html
  41. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_15
  42. Rogaway, P., Wagner, D.: A Critique of CCM. Cryptology ePrint Archive, Report 2003/070 (2003). http://eprint.iacr.org/2003/070
  43. Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security, pp. 98–107 (2002)
  44. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_22
  45. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: ACM Conference on Computer and Communications Security, pp. 196–205 (2001)
  46. Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34047-5_13
  47. Hongjun, W.: A Lightweight Authenticated Cipher (v3) (2016). http://competitions.cr.yp.to/caesar-submissions.html
  48. Wu, H., Huang, T.: The Authenticated Cipher MORUS (2016). http://competitions.cr.yp.to/caesar-submissions.html
  49. Wu, H., Huang, T.: The JAMBU Lightweight Authentication Encryption Mode (v2.1) (2016). http://competitions.cr.yp.to/caesar-submissions.html
  50. Wu, H., Preneel, B.: AEGIS: A Fast Authenticated Encryption Algorithm (v1.1) (2016). http://competitions.cr.yp.to/caesar-submissions.html

Author information

Corresponding author: Jakob Wenzel.


Appendices

A Classification of NRS’14 Schemes

This section shows the eleven “favored” nAE schemes considered by [38] and how we map them according to our classification. From Table 3, one can observe that the pairs (A1, A7) and (A2, A8) each fall into the same class of our generic nAE scheme. That stems from the fact that we do not follow the distinction of nAE schemes from [38] regarding whether the message/ciphertext can be processed in parallel or whether the tag can be truncated. For the scheme N3, it holds that \(\mathcal {E} \) gets the two separate inputs \(F_L(A,N,M)\) and the nonce \(N \). Since there is no segregated tag generation for N3 (the tag is part of the ciphertext), we interpreted \(F_L\) as \(F_{IV}\) and consider \(F_{IV}\) to additionally hand over the nonce \(N \) to the encryption \(\mathcal {E} \) internally in plain.

Table 3. The eleven “favored” nAE schemes considered by the authors of [38] according to our classification.

Table 4. Claimed INT-CTXT bounds. NR = nonce-respecting adversary, NI = nonce-ignoring adversary, where \(\tau \) denotes the length of the tag, n the size of the internal state (usually the block size of the internally used block cipher), and c the capacity for sponge-based designs.

B Security Claims

In Table 4, we state the security as claimed by the authors of the corresponding scheme. We denote by \(\tau ,n,c\), and r the tag length, block length, capacity, and the rate, respectively.

C Concrete Instantiations of \(\mathcal {C} _{1}\) and \(\mathcal {C} _{0}\)

The resistance of the classes in \(\mathcal {C} _{1}\) to \(j\text {-IV-CA}\) with respect to our generalized AE scheme stems from the fact that the message, and/or a chaining value, and/or the ciphertext affect the generation of the IV or the tag, i.e., are input to \(F_{IV}\) and/or \(F_{T}\). However, if we move from our generalized approach to concrete instantiations of these classes, i.e., to existing AE schemes whose structure is defined by a class in \(\mathcal {C} _{1}\), we will see that some of those classes do not provide resistance to \(j\text {-IV-CAs}\). AE schemes whose classes belong to \(\mathcal {C} _{0}\), on the other hand, are vulnerable to \(j\text {-IV-CAs}\) in both the NI and the NR setting. In Table 5, we give an overview of the resistance of the considered AE schemes to \(j\text {-IV-CAs}\), and we additionally provide a brief discussion for those cases that are not trivially observable. In addition to the generic \(j\text {-IV-CAs}\) in this section, we recall stronger multi-forgery attacks on OCB, AES-OTR, and COLM from the literature in the full version of this work [19].

Table 5. \(j\text {-IV-CA}\)-Resistance of the third-round CAESAR candidates and considered classical AE schemes, in the nonce-ignoring (NI) and the nonce-respecting (NR) setting. ‘\(\bullet \) ’ indicates resistance, ‘\(\circ \) ’ vulnerability under certain requirements (e.g., the scheme employs a wide state), and ‘– ’ vulnerability. AES-OTR (ser.) means the serial and (par.) the parallel mode.

AEGIS, MORUS, and Tiaoxin. These schemes provide semi-resistance to \(j\text {-IV-CAs}\) in the nonce-respecting and the nonce-ignoring setting. This stems from the fact that they employ very wide states, which are initialized by nonce and associated data, and which are more than twice as large as the final ciphertext stretch; therefore, the search for state collisions is at best a task of sophisticated cryptanalysis, and at worst orders of magnitude less efficient than the trivial search by querying many forgery attempts. As a side effect, the search for state collisions is restricted to associated data and messages of equal lengths since their lengths are used in \(F_{T}\) (for that reason, we set the bit \(x_6\)).

CWC and GCM. In the nonce-ignoring setting, forgeries for CWC and GCM can be obtained with a few queries. The tag-generation procedures of both modes employ a Carter-Wegman MAC, which XORs the encrypted nonce with an encrypted hash of associated data and ciphertext. The employed hashes are polynomial hashes in both cases, which is well known to lead to a variety of forgeries after a few queries when nonces are repeated.

In the nonce-respecting setting, both CWC and GCM possess security proofs that show that they provide forgery resistance up to the birthday bound (Iwata et al. [25] invalidated those for GCM and presented revised bounds which are still bound by the birthday paradox). However, a series of works from the past five years [1, 41, 46] illustrated that the algebraic structure of polynomial hashing may allow an adversary to retrieve the hashing key from forgery polynomials with many roots. The most recent work by Abdelraheem et al. [1] proposes universal forgery attacks that work on a weak key set. Thus, a nonce-respecting adversary could find the hash key and possess the power to derive universal forgeries for those schemes, even with significantly less time than our nonce-respecting attack.

AES-OTR and OCB. In the nonce-ignoring setting, these schemes are trivially insecure, as has been clearly stated by their respective authors. We consider OCB as an example; a similar attack can be performed on AES-OTR if nonces are reused. A nonce-ignoring adversary simply performs the following steps:

  1. Choose \((A, N, M)\) such that M consists of at least three blocks, \(M = (M_1, M_2, \ldots )\), and ask for the authenticated ciphertext \((C_1, C_2, \ldots , T)\).

  2. Choose \(\varDelta \ne 0^n\), and derive \(M'_1 = M_1 \oplus \varDelta \) and \(M'_2 = M_2 \oplus \varDelta \). For \(M' = (M'_1, M'_2, M'_3, \ldots )\) with \(M'_i = M_i\) for \(i \ge 3\), ask for the authenticated ciphertext \((C'_1, C'_2, \ldots , T)\) that corresponds to \((A, N, M')\).

  3. Given the authenticated ciphertext \((C'', T'')\) for any further message \((A, N, M'')\) with \(M'' = (M_1, M_2, \ldots )\), the adversary can forge the ciphertext by replacing \((C''_1, C''_2) = (C_1, C_2)\) with \((C'_1, C'_2)\).

Therefore, the complexities for j forgeries under nonce-ignoring adversaries are only \(t_1 \) (and not \(t_1 + j\), see Table 1). Because of their structure, there exist nonce-respecting forgery attacks on AES-OTR and OCB that are stronger than our generic \(j\text {-IV-CA}\). Those can be found in the full version of this work [19].

AEZv4. Since AEZv4 does not separate the domains of \((A _i, N _i)\) for IV and tag generation, our \(j\text {-IV-CAs}\) work out of the box here. In more detail, nonce and associated data are parsed into a string \(T_1, \ldots , T_t\) of n-bit strings \(T_i\), and simply hashed in a PHASH-like manner inside AEZ-hash: \(\varDelta \leftarrow \bigoplus _{i = 1}^{t} E _K^{i+2,1}(T_i)\), where E denotes a variant of four-round AES. The adversary can simply ask for the encryption of approximately \(2^{64}\) tuples \((A_i, N_i, M)\) for fixed M. Obtaining a collision for this hash (requiring birthday-bound complexity) can be easily detected when the message is kept constant over all queries. Given such a hash collision for \((A_i, N_i)\) and \((A_k, N_k)\), the adversary can directly construct subsequent forgeries by asking for the encryption of \((A_i, N_i, M')\); the same ciphertext will be valid for \((A_k, N_k, M')\) for arbitrary \(M'\).

Deoxys. The nonce-requiring variant of Deoxys, i.e., Deoxys-I, possesses a structure similar to that of OCB. Hence, there are trivial multi-forgery attacks with few queries if nonces repeat:

  1. Choose \((A, N, M)\) arbitrarily and ask for \((C, T)\).

  2. Choose \(A' \ne A\), leave N and M constant, and ask for \((C' = C, T')\). Since the tag is computed as the XOR of \(\text {Hash}(A)\) with the encrypted checksum under the nonce as tweak, the adversary sees the difference of the hash outputs in the tags: \(\text {Hash}(A) \oplus \text {Hash}(A') = T \oplus T'\).

  3. Choose \((A, N', M')\) and ask for \((C'', T'')\). It instantly follows that for \((A',N',M')\), \((C'',T''' = T \oplus T' \oplus T'')\) will be valid.

However, in the nonce-respecting setting, the use of a real tweakable block cipher that employs the nonce in the tweak (instead of the XEX construction as in AES-OTR and OCB) prevents the attacks shown in [19]; the tag generation seems surprisingly strong in the sense that an adversary cannot detect collisions between two associated data values, since the hash is XORed with an output of a fresh block cipher (because the nonce is used as tweak) for every query. Therefore, we indicate that Deoxys-I provides resistance in the nonce-respecting setting.
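The nonce-ignoring attacks described above for CWC/GCM, AES-OTR/OCB and Deoxys-I all start from a repeated nonce, and the forgery counts in this section are counted in verification queries. The following added example (not code from the paper or from any CAESAR candidate) shows the two endpoint controls a practitioner pairs with such a scheme: a sender-side counter so that no nonce is ever handed out twice under one key, and a receiver-side cap on failed verification queries that retires the key. `NonceCounter`, `VerificationBudget`, `KeyRetired` and the HMAC-SHA256 stand-in `mac_tag` for a scheme's \(F_T\) are this example's own names and assumptions; the key, header and ciphertext bytes are constructed.

```python
import hmac
import hashlib
from typing import Callable, Dict


class KeyRetired(Exception):
    """Raised once a key must not be used any further under this policy."""


class NonceCounter:
    """Sender-side control (hypothetical helper): a strictly increasing counter
    hands out each nonce at most once per key, so the nonce-ignoring setting
    cannot arise from a correctly implemented sender. When the counter space is
    exhausted the key is retired instead of wrapping around."""

    def __init__(self, nonce_len: int = 12):
        self.nonce_len = nonce_len
        self.limit = 1 << (8 * nonce_len)
        self.counter = 0

    def next_nonce(self) -> bytes:
        if self.counter >= self.limit:
            raise KeyRetired("nonce space exhausted; rotate the key")
        nonce = self.counter.to_bytes(self.nonce_len, "big")
        self.counter += 1
        return nonce


class VerificationBudget:
    """Receiver-side control (hypothetical helper): cap the number of failed
    verification queries under one key. A forgery attempt that is rejected is
    exactly such a failed query; after `max_failures` of them the key is
    retired and every further call raises, forcing a key rotation."""

    def __init__(self, verify: Callable[[bytes, bytes, bytes, bytes], bool], max_failures: int):
        self._verify = verify
        self.max_failures = max_failures
        self.failures = 0
        self.retired = False

    def verify(self, a: bytes, n: bytes, c: bytes, t: bytes) -> bool:
        if self.retired:
            raise KeyRetired("verification budget spent; rotate the key")
        ok = self._verify(a, n, c, t)
        if not ok:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.retired = True
        return ok


def mac_tag(key: bytes, a: bytes, n: bytes, c: bytes) -> bytes:
    """Constructed stand-in for a scheme's tag function F_T: HMAC-SHA256 over
    the length-prefixed (A, N, C), truncated to a 128-bit tag."""
    data = b"".join(len(p).to_bytes(8, "big") + p for p in (a, n, c))
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def demo() -> Dict[str, object]:
    """Exercise both controls on constructed data and report what happened."""
    key = b"\x02" * 32                      # constructed key
    a, c = b"hdr", b"ciphertext"            # constructed header and ciphertext

    # Sender side: a 2-byte nonce space, small enough to exhaust in the demo.
    ctr = NonceCounter(nonce_len=2)
    nonces = [ctr.next_nonce() for _ in range(ctr.limit)]
    try:
        ctr.next_nonce()
        exhausted = False
    except KeyRetired:
        exhausted = True

    # Receiver side: three failed verifications retire the key.
    budget = VerificationBudget(
        lambda a_, n_, c_, t_: hmac.compare_digest(mac_tag(key, a_, n_, c_), t_),
        max_failures=3,
    )
    n = nonces[0]
    genuine = budget.verify(a, n, c, mac_tag(key, a, n, c))
    forged = [budget.verify(a, n, c, bytes(16)) for _ in range(3)]
    try:
        budget.verify(a, n, c, mac_tag(key, a, n, c))
        locked = False
    except KeyRetired:
        locked = True

    return {
        "all_nonces_unique": len(set(nonces)) == ctr.limit,
        "exhaustion_retires_key": exhausted,
        "genuine_accepted": genuine,
        "forgeries_rejected": forged == [False, False, False],
        "failures_counted": budget.failures,
        "key_retired_after_budget": locked,
    }


if __name__ == "__main__":
    print(demo())
```

The budget only limits trial-and-error forgery attempts: as the OCB steps above show, once an adversary holds a forgery it knows to be valid, further forgeries cost no additional verification queries, which is why the nonce discipline on the sender side is the control that actually matters for the attacks in this section, and the budget is a detection and containment measure on top of it.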

Deoxys-II is a two-pass mode, i.e., the message is processed twice: once for encryption and once for authentication. In the nonce-ignoring setting, an adversary can simply fix \(N _i\) and vary \(A _i\) to find a collision for Auth, which renders the scheme vulnerable to \(j\text {-IV-CAs}\). Therefore, that kind of two-pass scheme (in contrast to SIV, where the message is used as input to \(F_{IV}\)) does not implicitly provide resistance to \(j\text {-IV-CAs}\).

NORX. The authors of NORX presented a nonce-misuse-resistant version of their scheme in Appendix D of [5]. NR-NORX follows the MAC-then-Encrypt paradigm, which yields a two-pass scheme similar to SIV. Therefore, NR-NORX provides at least resistance to \(j\text {-IV-CAs}\) in the NR setting, which renders it stronger than NORX. However, this security comes at the cost of being off-line and two-pass.
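The SIV-style design that the Deoxys-II and NORX paragraphs contrast with the vulnerable two-pass variant is the one where the message itself is an input to \(F_{IV}\). The following is an added illustration of that design choice in the paper's generic model; it is not the paper's code nor that of any CAESAR candidate. HMAC-SHA256 is assumed as the PRF, standing in both for \(F_{IV}\) (whose output doubles as the tag) and for the counter-mode keystream that plays the role of the encryption \(\mathcal {E}\); the labels `b"IV"` and `b"CTR"` provide the domain separation that a real SIV instance would get from separate keys. `f_iv`, `siv_encrypt` and `siv_decrypt` are this example's own names, and the key and inputs in `demo` are constructed.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

IV_LEN = 16  # the IV doubles as the tag; 128 bits, like the paper's tau


def _encode(*parts: bytes) -> bytes:
    """Length-prefix every component so that (A, N, M) maps injectively to one
    byte string; without this, moving bytes between A and M would produce the
    same PRF input and hence the same IV."""
    return b"".join(len(p).to_bytes(8, "big") + p for p in parts)


def f_iv(key: bytes, a: bytes, n: bytes, m: bytes) -> bytes:
    """F_IV with the message as an input (the SIV-style choice): the IV can
    only collide for two (A, N) pairs if the whole triple collides under the
    PRF. HMAC-SHA256 is the assumed PRF."""
    return hmac.new(key, b"IV" + _encode(a, n, m), hashlib.sha256).digest()[:IV_LEN]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the IV, playing the role of the
    encryption E in the generic model. The 'CTR' label separates it from F_IV."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block_input = b"CTR" + iv + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def siv_encrypt(key: bytes, a: bytes, n: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """Two-pass, off-line: the whole message is read to derive the IV before a
    single ciphertext byte can be produced (the cost the NORX paragraph names)."""
    iv = f_iv(key, a, n, m)
    return iv, _xor(m, _keystream(key, iv, len(m)))


def siv_decrypt(key: bytes, a: bytes, n: bytes, iv: bytes, c: bytes) -> Optional[bytes]:
    """Decrypt, then recompute F_IV over (A, N, M) and compare in constant time.
    Returns None on any mismatch, releasing no plaintext for a forgery."""
    m = _xor(c, _keystream(key, iv, len(c)))
    if not hmac.compare_digest(f_iv(key, a, n, m), iv):
        return None
    return m


def demo() -> Dict[str, bool]:
    """Constructed inputs: the same (A, N) is reused with two messages."""
    key = b"\x01" * 32
    a, n, m = b"hdr", b"nonce-1", b"attack at dawn"
    iv, c = siv_encrypt(key, a, n, m)
    iv2, _ = siv_encrypt(key, a, n, b"attack at dusk")   # repeated nonce
    tampered = bytes([c[0] ^ 1]) + c[1:]
    return {
        "roundtrip": siv_decrypt(key, a, n, iv, c) == m,
        "iv_depends_on_message": iv != iv2,
        "tampered_rejected": siv_decrypt(key, a, n, iv, tampered) is None,
        "wrong_ad_rejected": siv_decrypt(key, b"other", n, iv, c) is None,
        "deterministic": siv_encrypt(key, a, n, m) == (iv, c),
    }


if __name__ == "__main__":
    print(demo())
```

The `deterministic` entry is the trade-off to keep in mind: because the IV is a function of (A, N, M), repeating a nonce with the same message yields an identical output, so nonce reuse reveals message equality, but nothing more, which is the nonce-misuse-resistance property that the two-pass Deoxys-II construction lacks.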

CCM, EAX, CLOC and SILC. The resistance to \(j\text {-IV-CAs}\) in the nonce-respecting setting provided by CCM, EAX, CLOC, and SILC stems from similar reasons as for Deoxys-II; the tag is generated by the XOR of the MAC of the nonce with the MAC of the ciphertext and the MAC of the associated data. Hence, collisions in ciphertext or header cannot be easily detected since the MAC of a fresh nonce is XORed to it.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Forler, C., List, E., Lucks, S., Wenzel, J. (2017). Reforgeability of Authenticated Encryption Schemes. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science(), vol 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_2

  • DOI: https://doi.org/10.1007/978-3-319-59870-3_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59869-7

  • Online ISBN: 978-3-319-59870-3
