Abstract
We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and generic constructions proposed by Sarkar, where the generic constructions include 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT (integrity of ciphertext) notion and in the RUP (releasing unverified plaintext) setting called INT-RUP notion. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. Next, we consider ChaCha20-Poly1305 and show that it is provably secure in the INT-RUP notion. Finally, we show that the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.
Notes
We remark that there is a minor gap in the proof in [14]. The proof introduces a hybrid \((E^1,D^1)\) where the keystream is the output of a random function taking a nonce, and another hybrid \((E^2,D^2)\) where the keystream is completely random for both encryption and decryption, and claims both hybrids are equivalent. This does not hold true in general since the keystream in a decryption query can be determined by an encryption query made before. However, as far as we see, the theorem statement stands.
Since the first n bits of \(F(\mathsf {H}_L(A, N))\) are R, there is no harm in replacing F with \(F_R\).
References
Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Iwata, T., Sarkar, P. (eds.) ASIACRYPT 2014 (1). LNCS, vol. 8873, pp. 105–125. Springer, New York (2014)
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, New York (2000)
Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, New York (2000)
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, New York (2006)
Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B.K., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, New York (2004)
Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, New York (2005)
Bernstein, D.J.: ChaCha, a variant of Salsa20 (2008). http://cr.yp.to/papers.html#chacha, Document ID: 4027b5256e14b6796842e6d0f68b0b5e
Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO ’99. LNCS, vol. 1666, pp. 216–233. Springer, New York (1999)
Imamura, K., Minematsu, K., Iwata, T.: Integrity analysis of authenticated encryption based on stream ciphers. In: Chen, L., Han, J. (eds.) ProvSec 2016. LNCS, vol. 10005, pp. 257–276. Springer, New York (2016)
McGrew, D.A., Viega, J.: The security and performance of the galois/counter mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, New York (2004)
Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, New York (2014)
Nir, Y., Langley, A.: ChaCha20 and Poly1305 for IETF protocols. IRTF RFC 7539 (2015). https://tools.ietf.org/html/rfc7539
Procter, G.: A security analysis of the composition of ChaCha20 and Poly1305. Cryptology ePrint Archive, Report 2014/613 (2014). http://eprint.iacr.org/
Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM Conference on Computer and Communications Security, pp. 98–107. ACM (2002)
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B.K., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–359. Springer, New York (2004)
Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, New York (2006)
Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Cryptogr. Commun. 6(3), 189–231 (2014)
Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). Submission to NIST (2002). http://csrc.nist.gov/
Acknowledgements
We thank Palash Sarkar for feedback and the anonymous ProvSec 2016 reviewers and participants of Early Symmetric Crypto (ESC) 2015 for helpful comments on an earlier version of this paper. We also would like to thank the anonymous IJIS reviewers for constructive comments. The work by Tetsu Iwata was supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045, and was carried out in part while visiting Nanyang Technological University, Singapore.
Additional information
This is a revised and extended version of the paper that appeared in ProvSec 2016 [10]. Analyses of AEAD-\(\{5, 6, 6\mathrm{a}, 7, 8, 8\mathrm{a}\}\) are added.
Appendix A: Definitions of decryption and verification algorithms of AEAD and DAEAD schemes
AEAD in [18]. Decryption algorithms of AEAD schemes are defined in Fig. 18. In each scheme, the mask R generated from the output of \(\mathsf {SC}\) is never used, and the tag T, which is a part of the input, is not used. The associated data A is not used in \(\mathsf {AEAD}\)-\(\{\mathrm {1, 2, 2a, 2b, 3, 4, 4a, 4b}\}\).
Verification algorithms of AEAD schemes are defined in Fig. 19. Since the hash function takes a plaintext as input in \(\mathsf {AEAD}\)-\(\{\mathrm {3, 4, 4a, 4b, 7, 8, 8a}\}\), we use both R and Z.
ChaCha20-Poly1305 [13]. The decryption and verification algorithms are defined in Fig. 20. The functions \(\mathsf {KsGen}_K\) and \(\mathsf {Tag}_K\) are defined in Fig. 3.
DAEAD in [18]. Decryption and verification algorithms of DAEAD schemes are defined in Fig. 21. The keystream Z is generated by using the tag T. The associated data A is never used for the decryption.
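As an added example, not code from the paper or from [13], the following Python implements ChaCha20-Poly1305 as specified in RFC 7539 [13] with decryption and verification kept as separate functions, the way the appendix separates them: decryption is only the keystream XOR and consults neither A nor T, while verification recomputes the tag. This makes the RUP setting concrete, since the output of decrypt is exactly what an implementation releases before verification has run. The names ks_gen and tag stand in for the paper's \(\mathsf {KsGen}_K\) and \(\mathsf {Tag}_K\); decrypt, verify, decrypt_and_verify and the constructed sample inputs are assumptions of this example rather than the paper's notation.

```python
# Added example: minimal ChaCha20-Poly1305 (RFC 7539) with decryption and
# verification as separate steps, so the release of unverified plaintext can
# be observed. Function names ks_gen/tag mirror the paper's KsGen_K/Tag_K
# only by analogy; they are assumptions of this example.
import hmac
import struct

MASK32 = 0xFFFFFFFF

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 block for a 32-byte key and 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = list(state)
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])

def ks_gen(key, nonce, nbytes):
    """Keystream Z of nbytes from block counter 1 upward (block 0 is reserved
    for the Poly1305 one-time key)."""
    nblocks = (nbytes + 63) // 64
    return b"".join(chacha20_block(key, 1 + i, nonce) for i in range(nblocks))[:nbytes]

def poly1305(otk, msg):
    """Poly1305 over msg under the one-time key otk = r || s."""
    p = (1 << 130) - 5
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")  # block, then the 0x01 byte
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b"\x00" * (-len(b) % 16)

def tag(key, nonce, ad, ciphertext):
    """Poly1305 over A || pad || C || pad || len(A) || len(C), keyed with the
    first 32 bytes of ChaCha20 block 0."""
    otk = chacha20_block(key, 0, nonce)[:32]
    data = ad + _pad16(ad) + ciphertext + _pad16(ciphertext)
    data += struct.pack("<QQ", len(ad), len(ciphertext))
    return poly1305(otk, data)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, ad, plaintext):
    c = _xor(plaintext, ks_gen(key, nonce, len(plaintext)))
    return c, tag(key, nonce, ad, c)

def decrypt(key, nonce, ciphertext):
    """Decryption on its own: C xor Z. Neither A nor T enters the computation,
    so this is the value released in the RUP setting before any verification."""
    return _xor(ciphertext, ks_gen(key, nonce, len(ciphertext)))

def verify(key, nonce, ad, ciphertext, t):
    """Verification on its own: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, nonce, ad, ciphertext), t)

def decrypt_and_verify(key, nonce, ad, ciphertext, t):
    """Conventional AEAD decryption: release plaintext only after verification."""
    if not verify(key, nonce, ad, ciphertext, t):
        return None
    return decrypt(key, nonce, ciphertext)
```

Two properties are visible from the split: decrypt returns the same bytes whether or not the tag is valid, and a single flipped ciphertext bit flips the same plaintext bit, which is the stream-cipher malleability that the tag, not the decryption, has to catch. Poly1305 can be checked against the RFC 7539 test vector for the message "Cryptographic Forum Research Group"; the AEAD sample key, nonce and messages used for the round-trip checks are constructed values, not test vectors.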
Imamura, K., Minematsu, K. & Iwata, T. Integrity analysis of authenticated encryption based on stream ciphers. Int. J. Inf. Secur. 17, 493–511 (2018). https://doi.org/10.1007/s10207-017-0378-9