Dear subscribers of the NIST Lightweight Cryptography mailing list,
LWC algorithm call specifies a minimum tag length of 64 bits.
I would argue that this tag length is inadequate to guarantee 112 bit confidentiality for algorithms without nonce misuse protection under adaptative forgery scenario.
LWC call for algorithm only specifies integrity attacks in the adaptative forgery scenario and confidentiality attacks in the adaptative chosen-plaintext scenario.
I show below that a failure of authentification can be exploited to mount a Nonce misuse attack.
In most LWC algorithm, this nonce misuse attack is catastrophic and leads to loss of confidentiality.
Attack description
Attacker scenario :
Adaptive forgery scenario : Eve can call the decryptor with any message except the one sent by Alice. If the message sent to the decryptor has the correct tag, Eve gets the associated plaintext.
Attack :
Eve forges a message with nonce Na, ciphertex Ca, and candidate Tag Ta. Eve sends it to the decryptor. By chance or brute force, Eve manages to find a valid tag Ta.
By providing this message to the decryptor, Eve gain access to the full information Nonce, Plaintext, Ciphertext and Tag for this nonce Na.
At another moment, the legitimate user Alice uses this same Nonce Na to encrypt a new message (it is her first message sent with this nonce, so she respect the nonce single use requirement).
Alice sends the legitimate ciphered message (Nonce Nl = Na, Ciphertext Cl, Tag Tl) and it is intercepted by Eve.
With those two messages, Eve has access to enough information to mount a nonce ‘misuse’ attack.
For an algorithm without nonce misuse security, the first plaintext block or the complete plaintext can be recovered by Eve.
Conclusion
The tag size effectively limits the confidentiality security of LWC algorithm not protected against nonce misuse in the adaptative forgery scenario.
For algorithms without nonce misuse protection, 64 bit tags limit the confidentiality security to 64 bits in this scenario.
Best regards,
Alexandre Mège
For the authenticated
encryption schemes in the NIST submissions you have not required
support for intermediate tags, nor do you mention it in your
requirements document. Support for intermediate tags was
identified as something useful in discussions during the CAESAR
competition. Another way of seeing it is that messages form a
session, where a valid tag on each message authenticates the
full sequence of messages. I think this is relevant in
lightweight applications as it helps keeping messages short by
authenticating the context in the form of previous messages in
the session.
Therefore, I think it would be beneficial if NIST would make a statement on whether support for sessions is seen as an interesting feature.
On top of being a useful feature from a functional point of view, with the Keccak team we have been arguing for a long time that it also helps protecting against side channel and fault attacks. Let me explain, as inspired by the presentation of Francois-Xavier Standaert at the NIST lightweight workshop in Gaithersburg. In duplex-based authenticated encryption as we defined it at SAC 2011, the only moment that the key is used is at the beginning of the session and the security of the remainder is based on the secrecy of an evolving state that depends on the sequence of all messages.Hi Joan and all,
Sorry, I am not sure I fully understood the subtlety of what is a session, but I was wondering: why not simply reusing a new nonce to define your new session (maybe allow part of the nonce to encore your session ID)? This would allow to use the API everyone is currently using. I guess sessions are interesting mostly for sponge-based or stream cipher-based designs, because the cost of initialisation in these designs makes it generally less attractive for the typical lightweight use-case of small messages (so you want to define “sessions” so you can maintain the internal secret state for early release, without having to pay again for initialisation … something the current API wouldn’t allow).
I also note that the example you mention with sessions keys can also apply to non-permutation designs (see for example TEDT design https://eprint.iacr.org/2019/137.pdf also from FX Standaert et al.).
In any case, while I understand that each design can have some features not mentioned by the NIST call, I would like to mention that it is a bit unfair to ask NIST for new feature statements one year after the competition started. Alternatively, should we start a process where every team can propose what they believe should be a clear use-case feature in the NIST competition ?
Regards,
Thomas.
De : 'Joan Daemen' via lwc-forum <lwc-...@list.nist.gov>
Envoyé : Monday, 2 December 2019 6:57 PM
À : lwc-...@list.nist.gov
Objet : [lwc-forum] Support for AE sessions AKA intermediate tags
--
To unsubscribe from this group, send email to
lwc-forum+...@list.nist.gov
Visit this group at
https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum
---
To unsubscribe from this group and stop receiving emails from it, send an email to
lwc-forum+...@list.nist.gov.