Indifferentiable Authenticated Encryption [chapter]

Manuel Barbosa, Pooya Farshim
2018, Lecture Notes in Computer Science
We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a "good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be ... ted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum, as we give a lower bound that rules out the indifferentiability of any construction with fewer than 2 rounds.

Authenticated Encryption with Associated Data (AEAD) [Rog02, BN00] is a fundamental building block in cryptographic protocols, notably those enabling secure communication over untrusted networks. The syntax, security, and constructions of AEAD have been studied in numerous works. Recent, ongoing standardization processes, such as the CAESAR competition [Ber14] and TLS 1.3, have revived interest in this direction. Security notions such as misuse-resilience [PS16, GL15, HRRV15, RS06], robustness [ADL17, AFL+16, HKR15], multi-user security [BT16], reforgeability [FLLW17], and unverified plaintext release [ABL+14], as well as syntactic variants such as online operation [HRRV15] and variable stretch [HKR15, RVV16], have been studied in recent works. Building on these developments, and using the indifferentiability framework of Maurer, Renner, and Holenstein [MRH04], we propose new definitions that bring a new perspective to the design of AEAD schemes. Instead of focusing on specific property-based definitions, we formalize when an AEAD scheme behaves like a random one. A central property of indifferentiable schemes is that they offer security with respect to a wide class of games. This class includes all the games above plus many others, including new, unforeseen ones.
Indifferentiability has been used to study the security of hash functions [CDMP05, BDPV08] and blockciphers [CPS08, HKT11, ABD+13, DSSL16], where constructions have been shown to behave like random oracles or ideal ciphers, respectively. We investigate this question for authenticated encryption and ask whether, and how efficiently, indifferentiable AEAD schemes can be built. Our contributions are as follows.
doi:10.1007/978-3-319-96884-1_7 fatcat:r7x75bhhkbfzvdbwexayieynq4