DOI: 10.1145/3243734.3243816
Research article (Public Access), CCS conference proceedings

The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization

Published: 15 October 2018

Abstract

    Multi-user (mu) security considers large-scale attackers (e.g., state actors) that given access to a number of sessions, attempt to compromise at least one of them. Mu security of authenticated encryption (AE) was explicitly considered in the development of TLS 1.3. This paper revisits the mu security of GCM, which remains to date the most widely used dedicated AE mode. We provide new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying. As one of the main applications, we give tight security bounds for the nonce-randomization mechanism adopted in the record protocol of TLS 1.3 as a mitigation of large-scale multi-user attacks. We provide tight security bounds that yield the first validation of this method. In particular, we solve the main open question of Bellare and Tackmann (CRYPTO '16), who only considered restricted attackers which do not attempt to violate integrity, and only gave non-tight bounds.
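The nonce-randomization mechanism the abstract refers to is the TLS 1.3 record-layer construction in which each connection derives a secret static IV from its traffic secret and XORs it with the record sequence number. The following Python is an added illustration, not code from the paper or from any TLS implementation; it follows RFC 8446 (Sections 5.3 and 7.1), which standardises the same construction the paper analyses for draft-28, and it uses HMAC-SHA-256. The traffic secrets are constructed sample values, and `deterministic_nonce` is a hypothetical counter-only scheme added purely for comparison: with it, every user reuses the same nonce at the same record index, which is exactly the cross-user nonce reuse the paper's bounds account for; with the derived IV, nonces at the same index differ per connection.

```python
"""TLS 1.3 per-record nonce construction (RFC 8446, Sections 5.3 and 7.1).

Added illustration for the abstract above; not code from the paper.
Assumptions: HMAC-SHA-256 as the HKDF hash; the traffic secrets used in
__main__ and in any tests are constructed sample values, not real keys.
"""
import hashlib
import hmac
import struct

IV_LENGTH = 12  # AES-GCM nonce length in bytes used by TLS 1.3


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, Section 7.1): HkdfLabel is
    uint16 length || opaque label<7..255> ("tls13 " + Label) || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (
        struct.pack("!H", length)
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_write_iv(traffic_secret: bytes) -> bytes:
    """Per-connection static IV: HKDF-Expand-Label(secret, "iv", "", 12)."""
    return hkdf_expand_label(traffic_secret, b"iv", b"", IV_LENGTH)


def per_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """RFC 8446 Section 5.3: nonce = write_iv XOR (64-bit seq left-padded to 12 bytes)."""
    if not 0 <= seq < 2**64:
        raise ValueError("sequence number must fit in 64 bits")
    padded = seq.to_bytes(IV_LENGTH, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def deterministic_nonce(seq: int) -> bytes:
    """Hypothetical comparison scheme: the nonce is just the counter, so every
    user emits the same nonce at the same record index."""
    return seq.to_bytes(IV_LENGTH, "big")


def nonces_collide_across_users(secrets, seq: int, randomized: bool) -> bool:
    """True if two or more of the given connections would use the same nonce
    for record number `seq` under the chosen scheme."""
    seen = set()
    for s in secrets:
        n = per_record_nonce(derive_write_iv(s), seq) if randomized else deterministic_nonce(seq)
        if n in seen:
            return True
        seen.add(n)
    return False


if __name__ == "__main__":
    # Constructed sample secrets (NOT real traffic secrets).
    users = [hashlib.sha256(b"constructed secret " + str(i).encode()).digest() for i in range(4)]
    for seq in (0, 1, 2**32):
        print(seq, "counter-only collides:", nonces_collide_across_users(users, seq, False),
              "| randomized collides:", nonces_collide_across_users(users, seq, True))
```

The XOR keeps the nonce unique within a connection (the sequence number never repeats) while the secret IV makes the nonce value unpredictable to an attacker who only sees ciphertexts, so the same record index across many connections no longer maps to the same nonce. Note that this does nothing against nonce reuse inside one connection, which TLS prevents separately by closing the connection before the sequence number wraps.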

    Supplementary Material

    MP4 File (p1429-tessaro.mp4)

    References

    [1] M. Baugher, D. McGrew, M. Naslund, E. Carrara, and K. Norrman. 2004. The Secure Real-time Transport Protocol (SRTP). Internet-Draft. Internet Engineering Task Force. https://tools.ietf.org/html/rfc3711
    [2] Mihir Bellare, Daniel J. Bernstein, and Stefano Tessaro. 2016. Hash-Function Based PRFs: AMAC and Its Multi-User Security. In EUROCRYPT 2016, Part I (LNCS), Marc Fischlin and Jean-Sébastien Coron (Eds.), Vol. 9665. Springer, Heidelberg, 566--595.
    [3] Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. 2000. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements. In EUROCRYPT 2000 (LNCS), Bart Preneel (Ed.), Vol. 1807. Springer, Heidelberg, 259--274.
    [4] Mihir Bellare and Viet Tung Hoang. 2017. Identity-Based Format-Preserving Encryption. In ACM CCS 17, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 1515--1532.
    [5] Mihir Bellare and Björn Tackmann. 2016. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3. In CRYPTO 2016, Part I (LNCS), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 247--276.
    [6] Eli Biham. 2002. How to Decrypt or Even Substitute DES-Encrypted Messages in $2^{28}$ Steps. Inf. Process. Lett. (2002), 117--124.
    [7] Priyanka Bose, Viet Tung Hoang, and Stefano Tessaro. 2018. Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds. In EUROCRYPT 2018.
    [8] Shan Chen and John P. Steinberger. 2014. Tight Security Bounds for Key-Alternating Ciphers. In EUROCRYPT 2014 (LNCS), Phong Q. Nguyen and Elisabeth Oswald (Eds.), Vol. 8441. Springer, Heidelberg, 327--350.
    [9] Shafi Goldwasser and Mihir Bellare. 1999. Lecture notes on cryptography. Summer Course "Cryptography and Computer Security" at MIT. (1999).
    [10] Viet Tung Hoang and Stefano Tessaro. 2016. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. In CRYPTO 2016, Part I (LNCS), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 3--32.
    [11] Viet Tung Hoang and Stefano Tessaro. 2017. The Multi-user Security of Double Encryption. In EUROCRYPT 2017, Part II (LNCS), Jean-Sébastien Coron and Jesper Buus Nielsen (Eds.), Vol. 10211. Springer, Heidelberg, 381--411.
    [12] Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu. 2012. Breaking and Repairing GCM Security Proofs. In CRYPTO 2012 (LNCS), Reihaneh Safavi-Naini and Ran Canetti (Eds.), Vol. 7417. Springer, Heidelberg, 31--49.
    [13] Atul Luykx, Bart Mennink, and Kenneth G. Paterson. 2017. Analyzing Multi-key Security Degradation. In ASIACRYPT 2017, Part II (LNCS), Tsuyoshi Takagi and Thomas Peyrin (Eds.), Vol. 10625. Springer, Heidelberg, 575--605.
    [14] Ueli M. Maurer. 2002. Indistinguishability of Random Systems. In EUROCRYPT 2002 (LNCS), Lars R. Knudsen (Ed.), Vol. 2332. Springer, Heidelberg, 110--132.
    [15] David A. McGrew. 2013. Generation of Deterministic Initialization Vectors (IVs) and Nonces. Internet-Draft draft-mcgrew-iv-gen-03. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-mcgrew-iv-gen-03 Work in Progress.
    [16] David A. McGrew and Scott R. Fluhrer. 2001. Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security. In SAC 2000 (LNCS), Douglas R. Stinson and Stafford E. Tavares (Eds.), Vol. 2012. Springer, Heidelberg, 14--28.
    [17] David A. McGrew and John Viega. 2004. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In INDOCRYPT 2004 (LNCS), Anne Canteaut and Kapalee Viswanathan (Eds.), Vol. 3348. Springer, Heidelberg, 343--355.
    [18] Nicky Mouha and Atul Luykx. 2015. Multi-key Security: The Even-Mansour Construction Revisited. In CRYPTO 2015, Part I (LNCS), Rosario Gennaro and Matthew J. B. Robshaw (Eds.), Vol. 9215. Springer, Heidelberg, 209--223.
    [19] Jacques Patarin. 2009. The "Coefficients H" Technique (Invited Talk). In SAC 2008 (LNCS), Roberto Maria Avanzi, Liam Keliher, and Francesco Sica (Eds.), Vol. 5381. Springer, Heidelberg, 328--345.
    [20] E. Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. Internet-Draft. Internet Engineering Task Force. https://tools.ietf.org/html/draft-ietf-tls-tls13--28 Work in Progress.
    [21] Phillip Rogaway and Thomas Shrimpton. 2006. A Provable-Security Treatment of the Key-Wrap Problem. In EUROCRYPT 2006 (LNCS), Serge Vaudenay (Ed.), Vol. 4004. Springer, Heidelberg, 373--390.
    [22] Joseph Salowey, Abhijit Choudhury, and David A. McGrew. 2008. AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC, Vol. 5288 (2008), 1--8.
    [23] Stefano Tessaro. 2015. Optimally Secure Block Ciphers from Ideal Primitives. In ASIACRYPT 2015, Part II (LNCS), Tetsu Iwata and Jung Hee Cheon (Eds.), Vol. 9453. Springer, Heidelberg, 437--462.

    Cited By

    • (2024) Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3. Journal of Cryptology 37:2. DOI 10.1007/s00145-023-09489-9. Online publication date: 30-Jan-2024.
    • (2024) The Exact Multi-user Security of 2-Key Triple DES. Topics in Cryptology – CT-RSA 2024, 112--135. DOI 10.1007/978-3-031-58868-6_5. Online publication date: 6-May-2024.
    • (2024) The Multi-user Security of MACs via Universal Hashing in the Ideal Cipher Model. Topics in Cryptology – CT-RSA 2024, 51--77. DOI 10.1007/978-3-031-58868-6_3. Online publication date: 6-May-2024.
    • (2024) Computational Security Analysis of the Full EDHOC Protocol. Topics in Cryptology – CT-RSA 2024, 25--48. DOI 10.1007/978-3-031-58868-6_2. Online publication date: 6-May-2024.
    • (2024) The Exact Multi-user Security of (Tweakable) Key Alternating Ciphers with a Single Permutation. Advances in Cryptology – EUROCRYPT 2024, 97--127. DOI 10.1007/978-3-031-58716-0_4. Online publication date: 29-Apr-2024.
    • (2023) We really need to talk about session tickets. Proceedings of the 32nd USENIX Conference on Security Symposium, 4877--4894. DOI 10.5555/3620237.3620510. Online publication date: 9-Aug-2023.
    • (2023) GCM-SIV1.5: Optimal Tradeoff between GCM-SIV1 and GCM-SIV2. Entropy 25:1 (107). DOI 10.3390/e25010107. Online publication date: 4-Jan-2023.
    • (2023) Hidden Stream Ciphers and TMTO Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal. Cryptology and Network Security, 251--267. DOI 10.1007/978-981-99-7563-1_12. Online publication date: 30-Oct-2023.
    • (2023) When Messages Are Keys: Is HMAC a Dual-PRF? Advances in Cryptology – CRYPTO 2023, 661--693. DOI 10.1007/978-3-031-38548-3_22. Online publication date: 20-Aug-2023.
    • (2023) Memory-Tight Multi-challenge Security of Public-Key Encryption. Advances in Cryptology – ASIACRYPT 2022, 454--484. DOI 10.1007/978-3-031-22969-5_16. Online publication date: 25-Jan-2023.

      Published In

      CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
      October 2018, 2359 pages
      ISBN: 9781450356930
      DOI: 10.1145/3243734

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Acceptance Rates

      CCS '18 paper acceptance rate: 134 of 809 submissions, 17%
      Overall acceptance rate: 1,261 of 6,999 submissions, 18%
