Accordion: Security properties


John Preuß Mattsson

May 14, 2024, 4:07:04 AM
to ciphermodes-forum
Hi,

NIST writes in [1]: "The security definition proposed in Section 2 (i.e., VIL-SPRP in the single user setting) automatically promises some important security properties". It would be very good if NIST could describe what these important security properties are, preferably before or during the workshop. Automatically promised, not-so-important security properties would also be good to summarize.

Section 2 cannot provide any security properties concerning integrity or nonces, but it seems to us that Section 2 and Section 3.1 together automatically promise several additional security properties. It would be good if NIST described these as well.

Some notable security properties not discussed in [1] but that we think should be discussed are:

- Security against release of unverified plaintext (RUP). The importance of this property was mentioned at the Third NIST Workshop on Block Cipher Modes of Operation 2023. It is also listed as a high priority by the UK government in [2]. We agree that this is an important property. It seems likely that the AEAD construction in Section 3.1 of [1] provides good RUP security, as any bit flip results in a completely random unverified plaintext.

- Resistance to side-channel and fault attacks. We think something similar to what NIST wrote in [3] should be a goal, i.e., "the ability to provide it easily and at low cost is highly desired".

- Reforgeability Resilience / Robust Authenticated Encryption (RAE). We think it should be a requirement that after a successful forgery it is still hard to find subsequent forgeries. Optimally, finding one or more forgeries should not increase the adversary’s ability to make further forgeries. It seems likely that the construction in Section 3.1 has good reforgeability resistance properties.

- Concealment of plaintext length. See https://groups.google.com/a/list.nist.gov/g/ciphermodes-forum/c/63sK8oIl674

- Replay protection. See https://groups.google.com/a/list.nist.gov/g/ciphermodes-forum/c/40VYoHRVit0

[1] "Proposal of Requirements for an Accordion Mode"
https://csrc.nist.gov/files/pubs/other/2024/04/10/proposal-of-requirements-for-an-accordion-mode-dis/iprd/docs/proposal-of-requirements-for-an-accordion-mode-discussion-draft.pdf

[2] "GLEVIAN and VIGORNIAN: Robust beyond-birthday AEAD modes"
https://eprint.iacr.org/2023/1379.pdf

[3] "Status Report on the Final Round of the NIST Lightweight Cryptography Standardization Process"
https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8454.pdf
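The RUP point above, as an added toy example that is not part of the post, the NIST draft, or any standard: it assumes the Section 3.1 style of building AEAD from a wide-block cipher by appending zero bytes as redundancy (tweak derivation, tag length and the 4-round HMAC-based Feistel standing in for the VIL-SPRP are all constructed here, not taken from [1]), and shows that one flipped ciphertext bit scrambles the whole unverified plaintext, whereas the same flip under a CTR-style keystream XOR changes exactly one plaintext bit.

```python
import hashlib
import hmac
TAG_LEN = 16  # zero bytes appended to the plaintext as redundancy (toy choice)

def _round_func(key: bytes, rnd: int, data: bytes, out_len: int) -> bytes:
    """Toy Feistel round function: HMAC-SHA256 expanded in counter mode to out_len bytes."""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hmac.new(key, bytes([rnd]) + ctr.to_bytes(4, "big") + data, hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wide_block_encipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy wide-block SPRP: 4-round alternating Feistel network over any length >= 2."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):  # reverse the rounds to decipher
        if rnd % 2 == 0:
            left = _xor(left, _round_func(key, rnd, right, len(left)))
        else:
            right = _xor(right, _round_func(key, rnd, left, len(right)))
    return left + right

def ae_encrypt(key: bytes, nonce: bytes, ad: bytes, plaintext: bytes) -> bytes:
    tweaked_key = hashlib.sha256(key + nonce + ad).digest()  # toy (nonce, AD) tweak derivation
    return wide_block_encipher(tweaked_key, plaintext + bytes(TAG_LEN))  # encode-then-encipher

def ae_decrypt(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes) -> tuple:
    tweaked_key = hashlib.sha256(key + nonce + ad).digest()
    padded = wide_block_encipher(tweaked_key, ciphertext, decrypt=True)
    plaintext, redundancy = padded[:-TAG_LEN], padded[-TAG_LEN:]
    return hmac.compare_digest(redundancy, bytes(TAG_LEN)), plaintext  # (tag_valid, unverified plaintext)

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style comparison: plain keystream XOR, so one ciphertext bit maps to one plaintext bit
    return _xor(data, _round_func(hashlib.sha256(key + nonce).digest(), 0xFF, b"", len(data)))

def bit_diff_fraction(a: bytes, b: bytes) -> float:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def rup_demo() -> dict:
    key, nonce, ad, msg = b"k" * 32, b"n" * 12, b"hdr", bytes(64)  # constructed sample inputs
    tampered = bytearray(ae_encrypt(key, nonce, ad, msg)); tampered[3] ^= 0x01  # flip one bit
    valid, unverified = ae_decrypt(key, nonce, ad, bytes(tampered))
    ctr_tampered = bytearray(ctr_xor(key, nonce, msg)); ctr_tampered[3] ^= 0x01
    return {"tag_valid": valid, "wide_block_diff": bit_diff_fraction(msg, unverified),
            "ctr_diff": bit_diff_fraction(msg, ctr_xor(key, nonce, bytes(ctr_tampered)))}
```

The fraction reported for the wide-block scheme sits near 0.5, which is what a leaked unverified plaintext looks like when it carries no information about the original message.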