Internet-Draft Encrypt-then-MAC for Committing AEAD (cA December 2024
Lucas Expires 17 June 2025 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-lucas-generalised-committing-aead-latest
Published:
Intended Status:
Informational
Expires:
Author:
S. Lucas
Individual Contributor

Encrypt-then-MAC for Committing AEAD (cAEAD)

Abstract

This document describes how to construct a committing authenticated encryption with associated data (cAEAD) algorithm by combining an unauthenticated cipher and collision-resistant, hash-based message authentication code (MAC).

Discussion Venues

This note is to be removed before publishing as an RFC.

Source for this draft and an issue tracker can be found at https://github.com/samuel-lucas6/draft-lucas-generalised-committing-aead.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 17 June 2025.

Table of Contents

1. Introduction

Authenticated encryption with associated data (AEAD) schemes provide confidentiality and authenticity. However, research has revealed that if keys can be adversarial, these properties are not enough. Instead, AEADs also need to be committing, meaning the ciphertext is a binding commitment of all the AEAD inputs. This requires collision resistance [BH22].

Unfortunately, many existing AEAD schemes, such as AES-GCM [GCM] and ChaCha20-Poly1305 [RFC8439], are not committing. This means it is possible for authentication to pass for multiple different keys. Thus, a ciphertext can be successfully decrypted to different plaintexts [ADGKLS22]. Furthermore, an attacker who knows the key can find different messages that lead to the same authentication tag.

This has led to practical attacks, such as the partitioning oracle attack [LGR21], which can allow an attacker to guess many encryption passwords at once by repeatedly providing a ciphertext that successfully decrypts under different keys to an oracle (e.g. a server that knows the encryption key). Such a ciphertext that potentially decrypts under thousands of keys can quickly be computed by an attacker, although the complexity and scalability of attacks depends on the AEAD. This exploits a lack of key commitment.

Another type of attack was demonstrated on Facebook Messenger’s message franking scheme [DGRW18], which exploited a lack of message commitment. Due to end-to-end encryption, Facebook does not know a recipient’s key. Therefore, when reporting a received message as abusive, the recipient must send their key for verification. However, a fake key could be used by the recipient to transform a harmless message from the sender into an abusive one.

Whilst such attacks only apply in certain scenarios, developers intuitively expect an AEAD to be committing, increasing the risk of falling prey to this type of protocol vulnerability. Moreover, certain mitigations require changes to primitives and cryptographic libraries, and many naive mitigations may leak information. For example, the padding fix and generic UtC transform [ADGKLS22] may lead to timing differences during decryption, and prepending an unsalted hash of the key leaks its identity.

However, Encrypt-then-MAC with the encryption key and authentication key derived from the same input keying material and a 256-bit or greater authentication tag from a collision-resistant, hash-based MAC is committing [GLR17]. This combination has been widely used, well analysed [BN00], provides additional security against forgeries, and can sometimes be more performant than certain existing AEAD schemes.

The partitioning oracle attack authors recommend using a committing AEAD (cAEAD) by default when non-committing AEAD vulnerabilities cannot be ruled out [LGR21]. Therefore, this document introduces a simple Encrypt-then-MAC cAEAD scheme that can be implemented using an unauthenticated cipher and collision-resistant, hash-based MAC from a cryptographic library. For instance, ChaCha20 [RFC8439] and BLAKE2b [RFC7693].

2. Conventions and Definitions

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Operations:

Internals:

Inputs and outputs:

The meanings of these parameters are defined in [RFC5116], Section 4.

3. The Generalised cAEAD Scheme

This scheme combines two primitives:

  1. An unauthenticated stream cipher or block cipher. The key size MUST be 256 bits.

  2. A collision-resistant keyed hash function or collision-resistant hash function used within HMAC [RFC2104]. The output length MUST be 256 bits or truncated to 256 bits.

Importantly, the MAC MUST be hash-based and collision resistant. This ensures the ciphertext is a commitment of all the inputs, corresponding to security notion CMT-4 [BH22]. This provides the best security and ease of use by default.

3.1. Authenticated Encryption

Encrypt(plaintext, nonce, key, associatedData)

The Encrypt function encrypts a plaintext message, authenticates the ciphertext and associated data, and returns the ciphertext concatenated with the authentication tag.

Inputs:

  • plaintext: the plaintext to be encrypted (length MUST be less than P_MAX).

  • nonce: the public nonce (length MUST be N_MIN).

  • key: the secret key (length MUST be K_LEN).

  • associatedData: the associated data to authenticate (length MUST be less than A_MAX).

Distinct associated data inputs, as described in [RFC5116], Section 3, will be unambiguously encoded as a single input. The application MUST create a structure in the associated data input if needed.

Outputs:

  • The ciphertext concatenated with the authentication tag or an error if the inputs do not meet the length criteria above.

Steps:

encryptionKey = MAC(UTF8(ENCRYPTION_CONTEXT), key, K_LEN)
macKey = MAC(UTF8(MAC_CONTEXT) || nonce, key, K_LEN)

ciphertext = Encrypt(plaintext, nonce, encryptionKey)

tag = MAC(associatedData || ciphertext || LE64(associatedData.Length) || LE64(ciphertext.Length), macKey, T_LEN)

ZeroMemory(encryptionKey)
ZeroMemory(macKey)

return ciphertext || tag

3.2. Authenticated Decryption

Decrypt(ciphertext, nonce, key, associatedData)

The Decrypt function verifies that the authentication tag is correct for the given inputs and returns the decrypted ciphertext on success or an error if verification fails.

Inputs:

  • ciphertext: the ciphertext and appended tag to be authenticated and decrypted (length MUST be less than C_MAX).

  • nonce: the public nonce (length MUST be N_MIN).

  • key: the secret key (length MUST be K_LEN).

  • associatedData: the associated data to authenticate (length MUST be less than A_MAX).

Outputs:

  • Either the decrypted plaintext or an error indicating that the authentication tag is invalid for the given inputs.

Steps:

tag = ciphertext.Slice(ciphertext.Length - T_LEN, T_LEN)

ciphertextNoTag = ciphertext.Slice(0, ciphertext.Length - T_LEN)

encryptionKey = MAC(UTF8(ENCRYPTION_CONTEXT), key, K_LEN)
macKey = MAC(UTF8(MAC_CONTEXT) || nonce, key, K_LEN)

computedTag = MAC(associatedData || ciphertextNoTag || LE64(associatedData.Length) || LE64(ciphertextNoTag.Length), macKey, T_LEN)

ZeroMemory(macKey)

if (ConstantTimeEquals(tag, computedTag) is false)
    ZeroMemory(encryptionKey)
    return "authentication failed" error
else
    plaintext = Decrypt(ciphertextNoTag, nonce, encryptionKey)
    ZeroMemory(encryptionKey)
    return plaintext

4. ChaCha20-BLAKE2b

This algorithm is an instantiation of the generalised cAEAD scheme discussed above using ChaCha20 [RFC8439] as the cipher and BLAKE2b [RFC7693] as the MAC.

The context strings are:

The ChaCha20 specific input and output lengths are:

The rest of the lengths remain the same for all instantiations of this generalised cAEAD scheme.

5. Security Considerations

The security of this generalised scheme depends on the unauthenticated cipher and collision-resistant, hash-based MAC used. For instance, ChaCha20 should provide 256-bit security against plaintext recovery, and HMAC-SHA256 should provide at least 128-bit security against forgery attacks. A 256-bit tag provides 128-bit security against collisions. This collision resistance should make it infeasible for a ciphertext to be decrypted under multiple keys and for two messages to have the same tag.

The nonce MUST NOT be repeated or reused for a given key. Doing so is catastrophic for security. For example, it results in identical keystreams with stream ciphers, which leaks the XOR of the plaintexts.

The authentication tag comparison MUST be done in constant time to avoid leaking information via timing.

If authentication fails, the ciphertext MUST NOT be decrypted.

A larger MAC output length (e.g. 512 bits) that gets truncated to 256 bits MAY be used as long as the MAC_CONTEXT string is specified as instructed. However, the MAC output length MUST NOT be less than or truncated below 256 bits as this would affect the collision resistance, which is needed for this scheme to be committing.

Every key MUST be randomly chosen from a uniform distribution. This means randomly generated using a cryptographically secure pseudorandom number generator (CSPRNG) or the output of a key derivation function (KDF).

The nonce MAY be public and/or predictable. It can be a counter, the output of a KDF by deriving the nonce alongside the key, or randomly generated using a CSPRNG. However, care MUST be taken to ensure that the likelihood of two randomly generated nonces colliding is low by frequently rotating the key being used.

The internally derived encryptionKey and macKey SHOULD be erased from memory before returning an output. However, this may not be possible in some programming languages.

6. IANA Considerations

IANA is requested to assign an entry for AEAD_ChaCha20_BLAKE2b in the AEAD Registry with this document as the reference.

7. References

7.1. Normative References

[RFC2104]
Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, , <https://www.rfc-editor.org/rfc/rfc2104>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5116]
McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, , <https://www.rfc-editor.org/rfc/rfc5116>.
[RFC7693]
Saarinen, M., Ed. and J. Aumasson, "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)", RFC 7693, DOI 10.17487/RFC7693, , <https://www.rfc-editor.org/rfc/rfc7693>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8439]
Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF Protocols", RFC 8439, DOI 10.17487/RFC8439, , <https://www.rfc-editor.org/rfc/rfc8439>.

7.2. Informative References

[ADGKLS22]
Albertini, A., Duong, T., Gueron, S., Kölbl, S., Luykx, A., and S. Schmieg, "How to Abuse and Fix Authenticated Encryption Without Key Commitment", 31st USENIX Security Symposium (USENIX Security 22), , <https://www.usenix.org/conference/usenixsecurity22/presentation/albertini>.
[BH22]
Bellare, M. and V. T. Hoang, "Efficient Schemes for Committing Authenticated Encryption", EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13276, pp. 845-875, DOI 10.1007/978-3-031-07085-3_29, , <https://eprint.iacr.org/2022/268>.
[BN00]
Bellare, M. and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm", ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976, pp. 531-545, DOI 10.1007/3-540-44448-3_41, , <https://eprint.iacr.org/2000/025>.
[DGRW18]
Dodis, Y., Grubbs, P., Ristenpart, T., and J. Woodage, "Fast Message Franking: From Invisible Salamanders to Encryptment", CRYPTO 2018. Lecture Notes in Computer Science, vol 10991, pp. 155-186, DOI 10.1007/978-3-319-96884-1_6, , <https://eprint.iacr.org/2019/016.pdf>.
[GCM]
Dworkin, M., "NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", U.S. National Institute of Standards and Technology, , <https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf>.
[GLR17]
Grubbs, P., Lu, J., and T. Ristenpart, "Message Franking via Committing Authenticated Encryption", CRYPTO 2017. Lecture Notes in Computer Science, vol 10403, pp. 66-97, DOI 10.1007/978-3-319-63697-9_3, , <https://eprint.iacr.org/2017/664>.
[LGR21]
Len, J., Grubbs, P., and T. Ristenpart, "Partitioning Oracle Attacks", 30th USENIX Security Symposium (USENIX Security 21), pp. 195–212, , <https://www.usenix.org/conference/usenixsecurity21/presentation/len>.

Appendix A. Test Vectors

A.1. ChaCha20-BLAKE2b

A.1.1. Test Vector 1

plaintext: 5468657265277320736f6d6520676f6f6420696e207468697320776f726c642c204d722e2046726f646f2c20616e64206974277320776f727468206669676874696e6720666f722e

nonce: 000000000000000000000000

key: 1001000000000000000000000000000000000000000000000000000000000000

associatedData:

ciphertext: 18337327ef02753bf8d996db218a3697c18943ea6efc86a7e449cb67a7592b9e1715a07771797c93789350528e2e7a8d25b4ca7a7d2968776d50577946cb5da693f1e09309236b7bdb04001a8feeab7de48946f08df1cfd0ce03a719232ea7106efb8706e40d7cb6

A.1.2. Test Vector 2

plaintext:

nonce: 000000000000000000000000

key: 1001000000000000000000000000000000000000000000000000000000000000

associatedData:

ciphertext: a1ad6c7c4a9bb8201cf72904ebea1fed709c75ded85adaea7034bdbba1b5ec4f

A.1.3. Test Vector 3

plaintext:

nonce: 000000000000000000000000

key: 1001000000000000000000000000000000000000000000000000000000000000

associatedData: 76312e302e30

ciphertext: c0deb4501fe4cc651687cff8c9f5377072d4788cfe2d0f51dd97fab7b16fab84

A.1.4. Test Vector 4

plaintext: 5468657265277320736f6d6520676f6f6420696e207468697320776f726c642c204d722e2046726f646f2c20616e64206974277320776f727468206669676874696e6720666f722e

nonce: 010000000000000000000000

key: 1001000000000000000000000000000000000000000000000000000000000000

associatedData:

ciphertext: db685e0ff12fafd611a832c90e6c7905598ed65babdf6d8cf7057d07b5168673727dda3ef3d6ed2520332c8036e2ce0f72c413290bc4ae41d2d398e4cb2d1f6e906e232ae471ca0ea4ade513d685a4fab9a886fa885b6f6b54ff04d66612cfdde669bd0dbda23f54

A.1.5. Test Vector 5

plaintext: 5468657265277320736f6d6520676f6f6420696e207468697320776f726c642c204d722e2046726f646f2c20616e64206974277320776f727468206669676874696e6720666f722e

nonce: 000000000000000000000000

key: 1002000000000000000000000000000000000000000000000000000000000000

associatedData:

ciphertext: 308319762a72faf302e6d34c2f882c27addc1b2130549e55a084bcdc189c2da0497fdbab20989f24a25f2d3934ac825caaf46ec61a853a06eb97b14c2ced147b94c2223506862d32af0be2b1f658597412e65d77560844eee38a190063300c8e8a8c62ea25b943b3

A.1.6. Test Vector 6

This test MUST return an “authentication failed” error.

ciphertext: 408319762a72faf302e6d34c2f882c27addc1b2130549e55a084bcdc189c2da0497fdbab20989f24a25f2d3934ac825caaf46ec61a853a06eb97b14c2ced147b94c2223506862d32af0be2b1f658597412e65d77560844eee38a190063300c8e8a8c62ea25b943b3

nonce: 000000000000000000000000

key: 1002000000000000000000000000000000000000000000000000000000000000

associatedData:

A.1.7. Test Vector 7

This test MUST return an “authentication failed” error.

ciphertext: 308319762a72faf302e6d34c2f882c27addc1b2130549e55a084bcdc189c2da0497fdbab20989f24a25f2d3934ac825caaf46ec61a853a06eb97b14c2ced147b94c2223506862d32af0be2b1f658597412e65d77560844eee38a190063300c8e8a8c62ea25b943b4

nonce: 000000000000000000000000

key: 1002000000000000000000000000000000000000000000000000000000000000

associatedData:

A.1.8. Test Vector 8

This test MUST return an “authentication failed” error.

ciphertext: 308319762a72faf302e6d34c2f882c27addc1b2130549e55a084bcdc189c2da0497fdbab20989f24a25f2d3934ac825caaf46ec61a853a06eb97b14c2ced147b94c2223506862d32af0be2b1f658597412e65d77560844eee38a190063300c8e8a8c62ea25b943b3

nonce: 000000000000000000000001

key: 1002000000000000000000000000000000000000000000000000000000000000

associatedData:

A.1.9. Test Vector 9

This test MUST return an “authentication failed” error.

ciphertext: 308319762a72faf302e6d34c2f882c27addc1b2130549e55a084bcdc189c2da0497fdbab20989f24a25f2d3934ac825caaf46ec61a853a06eb97b14c2ced147b94c2223506862d32af0be2b1f658597412e65d77560844eee38a190063300c8e8a8c62ea25b943b3

nonce: 000000000000000000000000

key: 1003000000000000000000000000000000000000000000000000000000000000

associatedData:

A.1.10. Test Vector 10

This test MUST return an “authentication failed” error.

ciphertext: 308319762a72faf302e6d34c2f882c27addc1b2130549e55a084bcdc189c2da0497fdbab20989f24a25f2d3934ac825caaf46ec61a853a06eb97b14c2ced147b94c2223506862d32af0be2b1f658597412e65d77560844eee38a190063300c8e8a8c62ea25b943b3

nonce: 000000000000000000000000

key: 1002000000000000000000000000000000000000000000000000000000000000

associatedData: 76312e302e30

Acknowledgments

Thank you to Viet Tung Hoang, Julia Len, and Paul Grubbs for their excellent presentations on the topic of committing authenticated encryption.

ChaCha20 and Poly1305 were designed by Daniel J. Bernstein.

BLAKE2 was designed by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O’Hearn, and Christian Winnerlein.

HMAC was designed by Mihir Bellare, Ran Canetti, and Hugo Krawczyk.

Author's Address

Samuel Lucas
Individual Contributor