Abstract
This paper investigates what sort of security can be retained by the most efficient (namely, rate-one) AE schemes such as OCB under the release of unverified plaintext (RUP). At CT-RSA 2016, Chakraborti et al. presented an impossibility result which says that no rate-one AE scheme can ensure INT-RUP, a strong integrity requirement under RUP. In this paper we show that no rate-one AE scheme can satisfy PA2 (plaintext awareness 2) either, a strong privacy requirement under RUP introduced by Andreeva et al. at Asiacrypt 2014. Given these impossibility results, we relax the security requirements and identify the new notions of tag-PA and tag-INT. The new notions are strictly weaker than PA2 and INT-RUP, yet they have considerable practical significance. In particular, tag-PA is strictly stronger than PA1 defined by Andreeva et al. at Asiacrypt 2014. Unfortunately, OCB is neither tag-PA nor tag-INT. We present a new rate-one AE scheme which is both tag-PA and tag-INT. The new scheme is essentially as efficient as OCB, consuming just one extra call to a block cipher.
References
Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: RIV for robust authenticated encryption. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 23–42. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_2
Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46706-0_9
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_6
Bernstein, D.: CAESAR Competition (2013). http://competitions.cr.yp.to/caesar.html
Bernstein, D.: Re: secret message numbers. Posted to CAESAR Mailing List (2013). https://groups.google.com/forum/#!topic/crypto-competitions/n5ECGwYr6Vk
Chakraborti, A., Datta, N., Nandi, M.: INT-RUP analysis of block-cipher based authenticated encryption schemes. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 39–54. Springer, Cham (2016). doi:10.1007/978-3-319-29485-8_3
Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_2
Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21702-9_18
McGrew, D.A., Viega, J.: The security and performance of the Galois/counter mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30556-9_27
Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM (2002)
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30539-2_2
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_22
Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001, pp. 196–205. ACM (2001)
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi:10.1007/11761679_23
Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42033-7_21
Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Internet Engineering Task Force (IETF), RFC 3610 (2003)
Appendix
A Rationale of Associated Data Computation in \(\Theta\mathrm{CBt}\)
In Sect. 4, we presented \(\Theta\mathrm{CBt}\) as an instantiation of the tag feedback, where A is processed with PMAC and the result is used as part of the tweak. We stress that identifying the best construction for incorporating A is non-trivial. Here, we explain the rationale behind \(\Theta\mathrm{CBt}\), in particular the way A is incorporated.
A.1 Synthetic Approach
We incorporate associated data A into the tag feedback. One immediately notices that associated data A cannot simply be fed to the underlying \(\Theta\)CB, even if it accepts associated data. This is because we need to make \(\mathit{FV}\) depend directly on A, not via the tag T, to achieve \((\mathit{FV},T,A)\)-robust decryption.
So we use a keyed function \(F_{K}\) to “hash” the associated data \(A\in \mathbb {A}\). Following the design of OCB2, we use PMAC as \(F_{K}\). Write \(U\leftarrow \mathsf {PMAC}_K(A)\), and write W for the tag output of the underlying \(\Theta\)CB. Then we form the tweak input, tw, and the final tag, T, by using or combining U and W. There are four possibilities for each: U, W, \(U\oplus W\) and \(U\mathbin {\Vert }W\), and thus 16 combinations, as shown in Fig. 3.
The analysis for those sixteen cases is summarized in Table 2.
In Fig. 4, ‘−’ indicates that the construction is unsuitable with respect to efficiency or security, and the superscript numbers indicate the reasons as follows.
- \(-^1\): The new tag size |T| increases from the original |W|.
- \(-^2\): By using U as the new tag T, only A is authenticated; integrity can be violated.
- \(-^3\): Recovering \(\mathit{IV}\) from \(\mathit{FV}\) during decryption does not depend on T, so the correct M for an invalid T is leaked by querying with an invalid T (violating confidentiality). This clearly illustrates that the tag feedback is essential for \((\mathit{FV},T,A)\)-robust decryption.
- \(-^4\): U is not used anywhere, which is obviously insecure.
- \(-^5\): T is used directly as the tweak, so recovering \(\mathit{IV}\) from \(\mathit{FV}\) during decryption does not depend on U, which is insufficient for \((\mathit{FV},T,A)\)-robust decryption.
In the end, we have four secure constructions. Among them, TF has the advantage of the simplest security proof. To describe the concept of our construction simply, we chose TF to build \(\Theta\mathrm{CBt}\).
B Authenticity against Adversaries Asking Old Triplets
In this section, we show that some sort of authenticity still remains even against adversaries asking old triplets \((\mathit{FV},T,A)\). For an old triplet \((\mathit{FV},T,A)\), if the adversary \(\boldsymbol{A}\) makes a \(\mathcal {D}\)-query \((\mathit{FV},T,A,C)\), then we call the triplet corrupted. We want all uncorrupted triplets \((\mathit{FV},T,A)\) to remain secure. This motivates us to define the \(\ddot{\mathrm {auth}}\)-advantage of \(\boldsymbol{A}\) as
where by “forges with uncorrupted” we mean \(\boldsymbol{A}\) being able to make the \(\mathcal {V}\)-oracle return \(\top \) for a query \((\mathit{FV},T,A,C)\) such that \((\mathit{FV},T,A)\) is uncorrupted.
Theorem 4
Let \(\boldsymbol{A}\) be any adversary against the authenticity of \(\Theta\mathrm{CBt}\). Suppose that \(\boldsymbol{A}\) makes at most \(q_{\mathrm {e}}\), \(q_{\mathrm {g}}\), \(q_{\mathrm {v}}\) and \(q_{\mathrm {d}}\) queries to \(\Theta\mathsf {t}.\mathcal {E}\), \(\Theta\mathsf {t}.\mathcal {G}\), \(\Theta\mathsf {t}.\mathcal {V}\) and \(\Theta\mathsf {t}.\mathcal {D}\), respectively. Let \(q=q_{\mathrm {e}}+q_{\mathrm {g}}+q_{\mathrm {v}}+q_{\mathrm {d}}\). Then,
The proof is omitted due to the page limit.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Hirose, S., Sasaki, Y., Yasuda, K. (2017). Rate-One AE with Security Under RUP. In: Nguyen, P., Zhou, J. (eds) Information Security. ISC 2017. Lecture Notes in Computer Science(), vol 10599. Springer, Cham. https://doi.org/10.1007/978-3-319-69659-1_1
DOI: https://doi.org/10.1007/978-3-319-69659-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69658-4
Online ISBN: 978-3-319-69659-1