International Association for Cryptologic Research

Key Committing Attacks against AES-based AEAD Schemes

Authors:
Patrick Derbez, Univ Rennes, Inria, Centre National de la Recherche Scientifique (CNRS), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Rennes, France
Pierre-Alain Fouque, Univ Rennes, Inria, Centre National de la Recherche Scientifique (CNRS), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Rennes, France
Takanori Isobe, University of Hyogo, Kobe, Japan
Mostafizar Rahman, University of Hyogo, Kobe, Japan
André Schrottenloher, Univ Rennes, Inria, Centre National de la Recherche Scientifique (CNRS), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Rennes, France
Download:
DOI: 10.46586/tosc.v2024.i1.135-157
URL: https://tosc.iacr.org/index.php/ToSC/article/view/11404
Abstract: Recently, there has been a surge of interest in the security of authenticated encryption with associated data (AEAD) within the context of key commitment frameworks. Security within this framework ensures that a ciphertext chosen by an adversary does not decrypt to two different sets of key, nonce, and associated data. Despite this increasing interest, the security of several widely deployed AEAD schemes has not been thoroughly examined within this framework. In this work, we assess the key committing security of several AEAD schemes. First, the AEGIS family, which emerged as a winner in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), and has been proposed for standardization at the IETF. A now outdated version of the draft standard suggested that AEGIS could qualify as a fully committing AEAD scheme; we prove that this is not the case by proposing a novel attack applicable to all variants, which has been experimentally verified. We also exhibit a key committing attack on Rocca-S. Our attacks are executed within the FROB game setting, which is known to be one of the most stringent key committing frameworks. This implies that they remain valid in other, more relaxed frameworks, such as CMT-1, CMT-4, and so forth. Finally, we show that applying the same attack techniques to Rocca and Tiaoxin-346 does not compromise their key-committing security. This observation provides valuable insights into the design of such secure round update functions for AES-based AEAD schemes.
BibTeX
@article{tosc-2024-34013,
  title={Key Committing Attacks against AES-based AEAD Schemes},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2024 No. 1},
  pages={135-157},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/11404},
  doi={10.46586/tosc.v2024.i1.135-157},
  author={Patrick Derbez and Pierre-Alain Fouque and Takanori Isobe and Mostafizar Rahman and André Schrottenloher},
  year=2024
}