Abstract
Secure and highly efficient authenticated encryption (AE) algorithms which achieve data confidentiality and authenticity in the symmetric-key setting have existed for well over a decade. By all conventional measures, AES-OCB seems to be the AE algorithm of choice on any platform with AES-NI: it has a proof showing it is secure assuming AES is, and it is one of the fastest out of all such algorithms. However, algorithms such as AES-GCM and ChaCha20+Poly1305 have seen more widespread adoption, even though they will likely never outperform AES-OCB on platforms with AES-NI. Given the fact that changing algorithms is a long and costly process, some have set out to maximize the security that can be achieved with the already deployed algorithms, without sacrificing efficiency: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM’s underlying components to provide nonce misuse resistance, and TLS1.3 introduces a randomized nonce in order to improve GCM’s multi-user security. We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms can be used for applications where defense in depth is critical. We formalize and illustrate how GCM and ChaCha20+Poly1305 offer varying degrees of resilience to nonce misuse, as they can recover quickly from repeated nonces, as opposed to OCB, which loses all security. More surprisingly, by introducing minor tweaks such as an additional XOR, we can create a GCM variant which provides security even when unverified plaintext is released.
Original language | English |
---|---|
Title of host publication | Advances in Cryptology – CRYPTO 2017 - 37th Annual International Cryptology Conference, Proceedings |
Editors | Jonathan Katz, Hovav Shacham |
Publisher | Springer Verlag |
Pages | 3-33 |
Number of pages | 31 |
ISBN (Print) | 9783319636962 |
DOIs | |
State | Published - 2017 |
Event | 37th Annual International Cryptology Conference, CRYPTO 2017 - Santa Barbara, United States Duration: 20 Aug 2017 → 24 Aug 2017 |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 10403 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 37th Annual International Cryptology Conference, CRYPTO 2017 |
---|---|
Country/Territory | United States |
City | Santa Barbara |
Period | 20/08/17 → 24/08/17 |
Bibliographical note
Publisher Copyright:© International Association for Cryptologic Research 2017.
Keywords
- AES
- Authenticated encryption
- ChaCha20
- OCB
- Poly1305 GCM
- RUP
- Robust
ASJC Scopus subject areas
- Theoretical Computer Science
- General Computer Science