research-article

Public Access

The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization

Authors:

Viet Tung Hoang,

Stefano Tessaro, and

Aishwarya ThiruvengadamAuthors Info & Claims

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

October 2018

Pages 1429 - 1440

https://doi.org/10.1145/3243734.3243816

Published: 15 October 2018 Publication History

Abstract

Multi-user (mu) security considers large-scale attackers (e.g., state actors) that given access to a number of sessions, attempt to compromise at least one of them. Mu security of authenticated encryption (AE) was explicitly considered in the development of TLS 1.3. This paper revisits the mu security of GCM, which remains to date the most widely used dedicated AE mode. We provide new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying. As one of the main applications, we give tight security bounds for the nonce-randomization mechanism adopted in the record protocol of TLS 1.3 as a mitigation of large-scale multi-user attacks. We provide tight security bounds that yield the first validation of this method. In particular, we solve the main open question of Bellare and Tackmann (CRYPTO '16), who only considered restricted attackers which do not attempt to violate integrity, and only gave non-tight bounds.

Supplementary Material

MP4 File (p1429-tessaro.mp4)

Download
346.12 MB

References

[1]

M. Baugher, D. McGrew, M. Naslund, E. Carrara, and K. Norrman. 2004. The Secure Real-time Transport Protocol (SRTP). Internet-Draft. Internet Engineering Task Force. https://tools.ietf.org/html/rfc3711

Digital Library

[2]

Mihir Bellare, Daniel J. Bernstein, and Stefano Tessaro. 2016. Hash-Function Based PRFs: AMAC and Its Multi-User Security. In EUROCRYPT 2016, Part I (LNCS), Marc Fischlin and Jean-Sé bastien Coron (Eds.), Vol. 9665. Springer, Heidelberg, 566--595.

[3]

Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. 2000. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements. In EUROCRYPT 2000 (LNCS ), Bart Preneel (Ed.), Vol. 1807. Springer, Heidelberg, 259--274.

Digital Library

[4]

Mihir Bellare and Viet Tung Hoang. 2017. Identity-Based Format-Preserving Encryption. In ACM CCS 17, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 1515--1532.

Digital Library

[5]

Mihir Bellare and Björn Tackmann. 2016. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3. In CRYPTO 2016, Part I (LNCS ), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 247--276.

Digital Library

[6]

Eli Biham. 2002. How to Decrypt or Even Substitute DES-Encrypted Messages in $2^28$ Steps. Inf. Process. Lett. (2002), 117--124.

Digital Library

[7]

Priyanka Bose, Viet Tung Hoang, and Stefano Tessaro. 2018. Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds. In EUROCRYPT 2018 .

[8]

Shan Chen and John P. Steinberger. 2014. Tight Security Bounds for Key-Alternating Ciphers. EUROCRYPT 2014 (LNCS ), Phong Q. Nguyen and Elisabeth Oswald (Eds.), Vol. 8441. Springer, Heidelberg, 327--350.

[9]

Shafi Goldwasser and Mihir Bellare. 1999. Lecture notes on cryptography. Summer Course "Cryptography and Computer Security" at MIT. (1999).

[10]

Viet Tung Hoang and Stefano Tessaro. 2016. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. In CRYPTO 2016, Part I (LNCS), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 3--32.

Digital Library

[11]

Viet Tung Hoang and Stefano Tessaro. 2017. The Multi-user Security of Double Encryption. In EUROCRYPT 2017, Part II (LNCS), Jean-Sé bastien Coron and Jesper Buus Nielsen (Eds.), Vol. 10211. Springer, Heidelberg, 381--411.

[12]

Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu. 2012. Breaking and Repairing GCM Security Proofs. In CRYPTO 2012 (LNCS), Reihaneh Safavi-Naini and Ran Canetti (Eds.), Vol. 7417. Springer, Heidelberg, 31--49.

Digital Library

[13]

Atul Luykx, Bart Mennink, and Kenneth G. Paterson. 2017. Analyzing Multi-key Security Degradation. In ASIACRYPT 2017, Part II (LNCS ), Tsuyoshi Takagi and Thomas Peyrin (Eds.), Vol. 10625. Springer, Heidelberg, 575--605.

[14]

Ueli M. Maurer. 2002. Indistinguishability of Random Systems. In EUROCRYPT 2002 (LNCS ), Lars R. Knudsen (Ed.), Vol. 2332. Springer, Heidelberg, 110--132.

Digital Library

[15]

David A. McGrew. 2013. Generation of Deterministic Initialization Vectors (IVs) and Nonces. Internet-Draft draft-mcgrew-iv-gen-03. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-mcgrew-iv-gen-03 Work in Progress.

[16]

David A. McGrew and Scott R. Fluhrer. 2001. Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security. In SAC 2000 (LNCS), Douglas R. Stinson and Stafford E. Tavares (Eds.), Vol. 2012. Springer, Heidelberg, 14--28.

Digital Library

[17]

David A. McGrew and John Viega. 2004. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In INDOCRYPT 2004 (LNCS), Anne Canteaut and Kapalee Viswanathan (Eds.), Vol. 3348. Springer, Heidelberg, 343--355.

Digital Library

[18]

Nicky Mouha and Atul Luykx. 2015. Multi-key Security: The Even-Mansour Construction Revisited. In CRYPTO 2015, Part I (LNCS), Rosario Gennaro and Matthew J. B. Robshaw (Eds.), Vol. 9215. Springer, Heidelberg, 209--223.

[19]

Jacques Patarin. 2009. The "Coefficients H" Technique (Invited Talk). SAC 2008 (LNCS ), Roberto Maria Avanzi, Liam Keliher, and Francesco Sica (Eds.), Vol. 5381. Springer, Heidelberg, 328--345.

[20]

E. Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. Internet-Draft. Internet Engineering Task Force. https://tools.ietf.org/html/draft-ietf-tls-tls13--28 Work in Progress.

[21]

Phillip Rogaway and Thomas Shrimpton. 2006. A Provable-Security Treatment of the Key-Wrap Problem. In EUROCRYPT 2006 (LNCS ), Serge Vaudenay (Ed.), Vol. 4004. Springer, Heidelberg, 373--390.

Digital Library

[22]

Joseph Salowey, Abhijit Choudhury, and David A. McGrew. 2008. AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC, Vol. 5288 (2008), 1--8.

[23]

Stefano Tessaro. 2015. Optimally Secure Block Ciphers from Ideal Primitives. In ASIACRYPT 2015, Part II (LNCS), Tetsu Iwata and Jung Hee Cheon (Eds.), Vol. 9453. Springer, Heidelberg, 437--462.

Digital Library

Cited By

Fischlin MGünther FJanson C(2024)Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3Journal of Cryptology10.1007/s00145-023-09489-937:2Online publication date: 30-Jan-2024
https://doi.org/10.1007/s00145-023-09489-9
Naito YSasaki YSugawara T(2024)The Exact Multi-user Security of 2-Key Triple DESTopics in Cryptology – CT-RSA 202410.1007/978-3-031-58868-6_5(112-135)Online publication date: 6-May-2024
https://doi.org/10.1007/978-3-031-58868-6_5
Naito Y(2024)The Multi-user Security of MACs via Universal Hashing in the Ideal Cipher ModelTopics in Cryptology – CT-RSA 202410.1007/978-3-031-58868-6_3(51-77)Online publication date: 6-May-2024
https://doi.org/10.1007/978-3-031-58868-6_3
Show More Cited By

Index Terms

The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization
1. Security and privacy
  1. Cryptography
    1. Symmetric cryptography and hash functions

Recommendations

Multi-key FHE from LWE, Revisited
Proceedings, Part II, of the 14th International Conference on Theory of Cryptography - Volume 9986

Traditional fully homomorphic encryption FHE schemes only allow computation on data encrypted under a single key. López-Alt, Tromer, and Vaikuntanathan STOC 2012 proposed the notion of multi-key FHE, which allows homomorphic computation on ciphertexts ...
Read More
Optimal Security Proofs for Full Domain Hash, Revisited

RSA Full Domain Hash (RSA-FDH) is a digital signature scheme, secure against chosen message attacks in the random oracle model. The best known security reduction from the RSA assumption is non-tight, i.e., it loses a factor of $$q_s$$qs, where $$q_s$$qs ...
Read More
On the Multi-user Security of LWE-Based NIKE
Theory of Cryptography
Abstract
Non-interactive key exchange (NIKE) schemes like the Diffie-Hellman key exchange are a widespread building block in several cryptographic protocols. Since the Diffie-Hellman key exchange is not post-quantum secure, it is important to investigate ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

October 2018

2359 pages

ISBN:9781450356930

DOI:10.1145/3243734

General Chairs:
David Lie
University of Toronto
,
Mohammad Mannan
Concordia University
,
Program Chairs:
Michael Backes
CISPA Helmholtz Center i.G.
,
XiaoFeng Wang
Indiana University

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 October 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Conference

CCS '18

Sponsor:

SIGSAC

CCS '18: 2018 ACM SIGSAC Conference on Computer and Communications Security

October 15 - 19, 2018

Toronto, Canada

Acceptance Rates

CCS '18 Paper Acceptance Rate 134 of 809 submissions, 17%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
538
Total Downloads

Downloads (Last 12 months)104
Downloads (Last 6 weeks)11

Other Metrics

View Author Metrics

Citations

Cited By

Fischlin MGünther FJanson C(2024)Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3Journal of Cryptology10.1007/s00145-023-09489-937:2Online publication date: 30-Jan-2024
https://doi.org/10.1007/s00145-023-09489-9
Naito YSasaki YSugawara T(2024)The Exact Multi-user Security of 2-Key Triple DESTopics in Cryptology – CT-RSA 202410.1007/978-3-031-58868-6_5(112-135)Online publication date: 6-May-2024
https://doi.org/10.1007/978-3-031-58868-6_5
Naito Y(2024)The Multi-user Security of MACs via Universal Hashing in the Ideal Cipher ModelTopics in Cryptology – CT-RSA 202410.1007/978-3-031-58868-6_3(51-77)Online publication date: 6-May-2024
https://doi.org/10.1007/978-3-031-58868-6_3
Ferreira L(2024)Computational Security Analysis of the Full EDHOC ProtocolTopics in Cryptology – CT-RSA 202410.1007/978-3-031-58868-6_2(25-48)Online publication date: 6-May-2024
https://doi.org/10.1007/978-3-031-58868-6_2
Naito YSasaki YSugawara T(2024)The Exact Multi-user Security of (Tweakable) Key Alternating Ciphers with a Single PermutationAdvances in Cryptology – EUROCRYPT 202410.1007/978-3-031-58716-0_4(97-127)Online publication date: 29-Apr-2024
https://doi.org/10.1007/978-3-031-58716-0_4
Hebrok SNachtigall SMaehren MErinola NMerget RSomorovsky JSchwenk JCalandrino JTroncoso C(2023)We really need to talk about session ticketsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620510(4877-4894)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620510
Zhang P(2023)GCM-SIV1.5: Optimal Tradeoff between GCM-SIV1 and GCM-SIV2Entropy10.3390/e2501010725:1(107)Online publication date: 4-Jan-2023
https://doi.org/10.3390/e25010107
Preuß Mattsson J(2023)Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and SignalCryptology and Network Security10.1007/978-981-99-7563-1_12(251-267)Online publication date: 30-Oct-2023
https://dl.acm.org/doi/10.1007/978-981-99-7563-1_12
Backendal MBellare MGünther FScarlata M(2023)When Messages Are Keys: Is HMAC a Dual-PRF?Advances in Cryptology – CRYPTO 202310.1007/978-3-031-38548-3_22(661-693)Online publication date: 20-Aug-2023
https://dl.acm.org/doi/10.1007/978-3-031-38548-3_22
Jaeger JKumar A(2023)Memory-Tight Multi-challenge Security of Public-Key EncryptionAdvances in Cryptology – ASIACRYPT 202210.1007/978-3-031-22969-5_16(454-484)Online publication date: 25-Jan-2023
https://doi.org/10.1007/978-3-031-22969-5_16
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents