Indifferentiable Authenticated Encryption

  • Manuel Barbosa
  • Pooya Farshim
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)

Abstract

We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a “good” AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards.

We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum as we give a lower bound that rules out the indifferentiability of any construction with less than 2 rounds.

Keywords

Authenticated encryption; Indifferentiability; Composition; Feistel; Lower bound; CAESAR

Notes

Acknowledgments

The authors would like to thank Phillip Rogaway, Martijn Stam, and Stefano Tessaro for their comments. Barbosa was supported in part by Project NORTE-01-0145-FEDER-000020, financed by the North Portugal Regional Operational Programme (NORTE 2020) under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF). Farshim was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 - CryptoCloud). This work was initiated during a short-term scientific mission sponsored by the COST CryptoAction (IC1306).

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. INESC TEC and FC University of Porto, Porto, Portugal
  2. DI/ENS, CNRS, PSL University, Paris, France
  3. Inria, Paris, France