Rogue Decryption Failures: Reconciling AE Robustness Notions

Guy Barwell; Daniel Page; Martijn Stam

doi:10.1007/978-3-319-27239-9_6

Rogue Decryption Failures: Reconciling AE Robustness Notions

Guy Barwell, Daniel Page, Martijn Stam

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

21 Citations (Scopus)

Abstract

An authenticated encryption scheme is deemed secure (AE) if ciphertexts both look like random bitstrings and are unforgeable. AE is a much stronger notion than the traditional IND--CCA. One shortcoming of AE as commonly understood is its idealized, all-or-nothing decryption: if decryption fails, it will always provide the same single error message and nothing more. Reality often turns out differently: encode-then-encipher schemes often output decrypted ciphertext before verification has taken place whereas pad-then-MAC-then-encrypt schemes are prone to distinguishable verification failures due to the subtle interaction between padding and the MAC-then-encrypt concept. Three recent papers provided what appeared independent and radically different definitions to model this type of decryption leakage.

We reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real world behaviour.

Original language	English
Title of host publication	Cryptography and Coding - IMACC 2015
Subtitle of host publication	15th IMA International Conference, IMACC 2015, Oxford, UK, December 15-17, 2015. Proceedings
Editors	Jens Groth
Publisher	Springer
Pages	94-111
Volume	9496
ISBN (Electronic)	978-3-319-27239-9
ISBN (Print)	978-3-319-27238-2
DOIs	https://doi.org/10.1007/978-3-319-27239-9_6
Publication status	Published - Dec 2015

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer

Access to Document

10.1007/978-3-319-27239-9_6

https://eprint.iacr.org/eprint-bin/getfile.pl?entry=2015/895&version=20150915:070210&file=895.pdfLicence: Other

Handle.net

Persistent link

Cite this

@inproceedings{ef59491c5f714f4195656e6c75b9348a,

title = "Rogue Decryption Failures: Reconciling AE Robustness Notions",

abstract = "An authenticated encryption scheme is deemed secure (AE) if ciphertexts both look like random bitstrings and are unforgeable. AE is a much stronger notion than the traditional IND--CCA. One shortcoming of AE as commonly understood is its idealized, all-or-nothing decryption: if decryption fails, it will always provide the same single error message and nothing more. Reality often turns out differently: encode-then-encipher schemes often output decrypted ciphertext before verification has taken place whereas pad-then-MAC-then-encrypt schemes are prone to distinguishable verification failures due to the subtle interaction between padding and the MAC-then-encrypt concept. Three recent papers provided what appeared independent and radically different definitions to model this type of decryption leakage. We reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real world behaviour. ",

author = "Guy Barwell and Daniel Page and Martijn Stam",

year = "2015",

month = dec,

doi = "10.1007/978-3-319-27239-9_6",

language = "English",

isbn = " 978-3-319-27238-2",

volume = "9496",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "94--111",

editor = "Jens Groth",

booktitle = "Cryptography and Coding - IMACC 2015",

}

Rogue Decryption Failures: Reconciling AE Robustness Notions. / Barwell, Guy; Page, Daniel; Stam, Martijn.
Cryptography and Coding - IMACC 2015: 15th IMA International Conference, IMACC 2015, Oxford, UK, December 15-17, 2015. Proceedings. ed. / Jens Groth. Vol. 9496 Springer, 2015. p. 94-111 (Lecture Notes in Computer Science).

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Rogue Decryption Failures: Reconciling AE Robustness Notions

AU - Barwell, Guy

AU - Page, Daniel

AU - Stam, Martijn

PY - 2015/12

Y1 - 2015/12

N2 - An authenticated encryption scheme is deemed secure (AE) if ciphertexts both look like random bitstrings and are unforgeable. AE is a much stronger notion than the traditional IND--CCA. One shortcoming of AE as commonly understood is its idealized, all-or-nothing decryption: if decryption fails, it will always provide the same single error message and nothing more. Reality often turns out differently: encode-then-encipher schemes often output decrypted ciphertext before verification has taken place whereas pad-then-MAC-then-encrypt schemes are prone to distinguishable verification failures due to the subtle interaction between padding and the MAC-then-encrypt concept. Three recent papers provided what appeared independent and radically different definitions to model this type of decryption leakage. We reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real world behaviour.

AB - An authenticated encryption scheme is deemed secure (AE) if ciphertexts both look like random bitstrings and are unforgeable. AE is a much stronger notion than the traditional IND--CCA. One shortcoming of AE as commonly understood is its idealized, all-or-nothing decryption: if decryption fails, it will always provide the same single error message and nothing more. Reality often turns out differently: encode-then-encipher schemes often output decrypted ciphertext before verification has taken place whereas pad-then-MAC-then-encrypt schemes are prone to distinguishable verification failures due to the subtle interaction between padding and the MAC-then-encrypt concept. Three recent papers provided what appeared independent and radically different definitions to model this type of decryption leakage. We reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real world behaviour.

U2 - 10.1007/978-3-319-27239-9_6

DO - 10.1007/978-3-319-27239-9_6

M3 - Conference Contribution (Conference Proceeding)

SN - 978-3-319-27238-2

VL - 9496

T3 - Lecture Notes in Computer Science

SP - 94

EP - 111

BT - Cryptography and Coding - IMACC 2015

A2 - Groth, Jens

PB - Springer

ER -

Rogue Decryption Failures: Reconciling AE Robustness Notions

Abstract

Publication series

Access to Document

Handle.net

Fingerprint

Cite this