The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization

ABSTRACT
Multi-user (mu) security considers large-scale attackers (e.g., state actors) that, given access to a number of sessions, attempt to compromise at least one of them. Mu security of authenticated encryption (AE) was explicitly considered in the development of TLS 1.3. This paper revisits the mu security of GCM, which remains to date the most widely used dedicated AE mode. We provide new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying. As one of the main applications, we give tight security bounds for the nonce-randomization mechanism adopted in the record protocol of TLS 1.3 as a mitigation of large-scale multi-user attacks. We provide tight security bounds that yield the first validation of this method. In particular, we solve the main open question of Bellare and Tackmann (CRYPTO '16), who only considered restricted attackers which do not attempt to violate integrity, and only gave non-tight bounds.
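As an added illustration (not code from the paper), the following Python implements the TLS 1.3 per-record nonce construction of RFC 8446, Section 5.3, which is the nonce-randomization mechanism the abstract refers to: the 64-bit record sequence number is zero-padded to the 12-byte GCM nonce length and XORed with the per-connection write IV. It then runs a constructed multi-user experiment that counts nonces shared by more than one user, the resource (1) above is parameterized by; the user IVs and record counts are constructed here, not taken from any real trace.

```python
import os

IV_LEN = 12  # GCM nonce length used by TLS 1.3 AEAD cipher suites (bytes)


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """RFC 8446 section 5.3: left-pad the 64-bit sequence number with zeros
    to the IV length and XOR it with the per-connection write IV."""
    if len(write_iv) != IV_LEN:
        raise ValueError("write_iv must be 12 bytes")
    if not 0 <= seq < 2**64:
        raise ValueError("record sequence number must fit in 64 bits")
    padded = seq.to_bytes(IV_LEN, "big")  # high 4 bytes are zero
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def cross_user_nonce_reuse(user_ivs, records_per_user: int) -> int:
    """Number of distinct nonce values used by at least two different users,
    when every user sends records with sequence numbers 0..records_per_user-1.
    This is the kind of cross-user nonce re-use the mu bounds are sensitive to."""
    users_by_nonce = {}
    for uid, iv in enumerate(user_ivs):
        for seq in range(records_per_user):
            users_by_nonce.setdefault(tls13_nonce(iv, seq), set()).add(uid)
    return sum(1 for users in users_by_nonce.values() if len(users) > 1)


def demo(num_users: int = 4, records_per_user: int = 16):
    """Constructed comparison: a fixed (all-zero) IV for every user, i.e. a plain
    counter nonce, versus an independently random 96-bit IV per user."""
    fixed = cross_user_nonce_reuse([bytes(IV_LEN)] * num_users, records_per_user)
    random_ivs = [os.urandom(IV_LEN) for _ in range(num_users)]
    randomized = cross_user_nonce_reuse(random_ivs, records_per_user)
    return fixed, randomized


if __name__ == "__main__":
    fixed, randomized = demo()
    print("cross-user nonce re-use with fixed IVs:     ", fixed)
    print("cross-user nonce re-use with randomized IVs:", randomized)
```

Note that XOR-based randomization only separates two users' nonce sequences while their IVs differ in bits the counter has not yet reached; two IVs that differ only in their low bits produce fully overlapping nonce sets once the counters sweep past that difference.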
References
- M. Baugher, D. McGrew, M. Naslund, E. Carrara, and K. Norrman. 2004. The Secure Real-time Transport Protocol (SRTP). Internet-Draft. Internet Engineering Task Force. https://tools.ietf.org/html/rfc3711
- Mihir Bellare, Daniel J. Bernstein, and Stefano Tessaro. 2016. Hash-Function Based PRFs: AMAC and Its Multi-User Security. In EUROCRYPT 2016, Part I (LNCS), Marc Fischlin and Jean-Sébastien Coron (Eds.), Vol. 9665. Springer, Heidelberg, 566--595.
- Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. 2000. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements. In EUROCRYPT 2000 (LNCS), Bart Preneel (Ed.), Vol. 1807. Springer, Heidelberg, 259--274.
- Mihir Bellare and Viet Tung Hoang. 2017. Identity-Based Format-Preserving Encryption. In ACM CCS 17, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM Press, 1515--1532.
- Mihir Bellare and Björn Tackmann. 2016. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3. In CRYPTO 2016, Part I (LNCS), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 247--276.
- Eli Biham. 2002. How to Decrypt or Even Substitute DES-Encrypted Messages in $2^{28}$ Steps. Inf. Process. Lett. (2002), 117--124.
- Priyanka Bose, Viet Tung Hoang, and Stefano Tessaro. 2018. Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds. In EUROCRYPT 2018.
- Shan Chen and John P. Steinberger. 2014. Tight Security Bounds for Key-Alternating Ciphers. In EUROCRYPT 2014 (LNCS), Phong Q. Nguyen and Elisabeth Oswald (Eds.), Vol. 8441. Springer, Heidelberg, 327--350.
- Shafi Goldwasser and Mihir Bellare. 1999. Lecture Notes on Cryptography. Summer Course "Cryptography and Computer Security" at MIT. (1999).
- Viet Tung Hoang and Stefano Tessaro. 2016. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. In CRYPTO 2016, Part I (LNCS), Matthew Robshaw and Jonathan Katz (Eds.), Vol. 9814. Springer, Heidelberg, 3--32.
- Viet Tung Hoang and Stefano Tessaro. 2017. The Multi-user Security of Double Encryption. In EUROCRYPT 2017, Part II (LNCS), Jean-Sébastien Coron and Jesper Buus Nielsen (Eds.), Vol. 10211. Springer, Heidelberg, 381--411.
- Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu. 2012. Breaking and Repairing GCM Security Proofs. In CRYPTO 2012 (LNCS), Reihaneh Safavi-Naini and Ran Canetti (Eds.), Vol. 7417. Springer, Heidelberg, 31--49.
- Atul Luykx, Bart Mennink, and Kenneth G. Paterson. 2017. Analyzing Multi-key Security Degradation. In ASIACRYPT 2017, Part II (LNCS), Tsuyoshi Takagi and Thomas Peyrin (Eds.), Vol. 10625. Springer, Heidelberg, 575--605.
- Ueli M. Maurer. 2002. Indistinguishability of Random Systems. In EUROCRYPT 2002 (LNCS), Lars R. Knudsen (Ed.), Vol. 2332. Springer, Heidelberg, 110--132.
- David A. McGrew. 2013. Generation of Deterministic Initialization Vectors (IVs) and Nonces. Internet-Draft draft-mcgrew-iv-gen-03. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-mcgrew-iv-gen-03 Work in Progress.
- David A. McGrew and Scott R. Fluhrer. 2001. Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security. In SAC 2000 (LNCS), Douglas R. Stinson and Stafford E. Tavares (Eds.), Vol. 2012. Springer, Heidelberg, 14--28.
- David A. McGrew and John Viega. 2004. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In INDOCRYPT 2004 (LNCS), Anne Canteaut and Kapalee Viswanathan (Eds.), Vol. 3348. Springer, Heidelberg, 343--355.
- Nicky Mouha and Atul Luykx. 2015. Multi-key Security: The Even-Mansour Construction Revisited. In CRYPTO 2015, Part I (LNCS), Rosario Gennaro and Matthew J. B. Robshaw (Eds.), Vol. 9215. Springer, Heidelberg, 209--223.
- Jacques Patarin. 2009. The "Coefficients H" Technique (Invited Talk). In SAC 2008 (LNCS), Roberto Maria Avanzi, Liam Keliher, and Francesco Sica (Eds.), Vol. 5381. Springer, Heidelberg, 328--345.
- E. Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. Internet-Draft. Internet Engineering Task Force. https://tools.ietf.org/html/draft-ietf-tls-tls13--28 Work in Progress.
- Phillip Rogaway and Thomas Shrimpton. 2006. A Provable-Security Treatment of the Key-Wrap Problem. In EUROCRYPT 2006 (LNCS), Serge Vaudenay (Ed.), Vol. 4004. Springer, Heidelberg, 373--390.
- Joseph Salowey, Abhijit Choudhury, and David A. McGrew. 2008. AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC, Vol. 5288 (2008), 1--8.
- Stefano Tessaro. 2015. Optimally Secure Block Ciphers from Ideal Primitives. In ASIACRYPT 2015, Part II (LNCS), Tetsu Iwata and Jung Hee Cheon (Eds.), Vol. 9453. Springer, Heidelberg, 437--462.