CryptoDB
Jérôme Govinden
Publications
2024, CRYPTO
The Committing Security of MACs with Applications to Generic Composition
Abstract
Message Authentication Codes (MACs) are ubiquitous primitives deployed in multiple flavours through standards such as HMAC, CMAC, GMAC, LightMAC and many others. Their versatility makes them an essential building block in applications requiring message authentication and integrity checking, in authentication protocols, in authenticated encryption schemes, and as pseudorandom or key derivation functions. This variety of settings exposes them to a broad range of attack scenarios. The latest attack trends exploit a lack of commitment or context-discovery security in AEAD schemes, and these attacks are mainly due to weaknesses in the underlying MAC component. However, these new attack models have scarcely been analyzed for MACs themselves. This paper provides a thorough treatment of the committing and context-discovery security of MACs. We show that commitment and context-discovery security of MACs are of interest in their own right by highlighting real-world vulnerable scenarios. We formalize the required security notions for MACs and analyze the security of standardized MACs under these notions. Additionally, as a constructive application, we analyze generic AEAD composition and provide simple and efficient ways to build committing and context-discovery secure AEADs.
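The abstract's point that commitment failures in AEAD come from the MAC component can be made concrete for a polynomial MAC. The following is an added example, not code from the paper or from any standard: a GHASH-style tag (the MAC inside GMAC / AES-GCM) evaluated under two different (hash key, mask) pairs, and a ciphertext whose last block is solved for so that both keys verify the same tag. In real AES-GCM the hash key is H = AES_K(0^128) and the mask is AES_K(J0); here the pair (DEMO_H1, DEMO_M1) is the zero-key, zero-nonce values from the AES-GCM specification test vectors, while (DEMO_H2, DEMO_M2) are arbitrary constructed stand-ins, so the example runs on the standard library alone. The names gf_mul, ghash, tag and colliding_ciphertext are the example's own.

```python
"""Why a polynomial MAC such as GHASH (inside GMAC / AES-GCM) is not
key-committing: an adversary holding two keys can craft one message that
verifies under both.

Added example, not code from the paper. In AES-GCM the hash key is
H = AES_K(0^128) and the tag mask is M = AES_K(J0); the (H, M) pairs below
are constants (one pair from the GCM spec test vectors, one constructed) so
the example runs without an AES implementation. The collision only needs both
pairs to be known, which holds when the adversary picks both keys.
"""

# GCM field: GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, with bit 0 = MSB.
R = 0xE1000000000000000000000000000000
ONE = 1 << 127  # multiplicative identity in GCM's bit ordering


def gf_mul(x: int, y: int) -> int:
    """Multiply two field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    """Square-and-multiply exponentiation in the field."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_inv(x: int) -> int:
    """Inverse via x^(2^128 - 2); the multiplicative group has order 2^128 - 1."""
    return gf_pow(x, (1 << 128) - 2)


def gmac_blocks(ciphertext: bytes, aad: bytes = b"") -> list:
    """Lay out the GHASH input as GCM does: AAD||pad, C||pad, len64(AAD)||len64(C)."""
    def split(data: bytes) -> list:
        data += b"\x00" * (-len(data) % 16)
        return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]
    length_block = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return split(aad) + split(ciphertext) + [length_block]


def ghash(h: int, blocks: list) -> int:
    """Horner evaluation of the polynomial: Y = sum_i X_i * H^(m-i+1)."""
    y = 0
    for block in blocks:
        y = gf_mul(y ^ block, h)
    return y


def tag(h: int, mask: int, ciphertext: bytes, aad: bytes = b"") -> int:
    """GMAC-style tag: GHASH under the hash key, XOR the per-key mask."""
    return ghash(h, gmac_blocks(ciphertext, aad)) ^ mask


def colliding_ciphertext(h1: int, m1: int, h2: int, m2: int,
                         prefix: bytes, aad: bytes = b"") -> bytes:
    """Return prefix || X such that tag(h1, m1, .) == tag(h2, m2, .) on the result.

    The last ciphertext block is multiplied by H^2 (only the length block
    follows it) and GHASH is linear in each block, so with Y_k(0) the GHASH
    value under H_k when X is all zeros:
        tag_1 == tag_2  <=>  X * (H1^2 + H2^2) = Y_1(0) + Y_2(0) + M1 + M2
    which is a single field division.
    """
    if len(prefix) % 16:
        raise ValueError("prefix must be a whole number of 16-byte blocks")
    with_zero = prefix + b"\x00" * 16
    y1 = ghash(h1, gmac_blocks(with_zero, aad))
    y2 = ghash(h2, gmac_blocks(with_zero, aad))
    divisor = gf_pow(h1, 2) ^ gf_pow(h2, 2)
    if divisor == 0:  # squaring is a bijection in GF(2^128), so h1 == h2
        raise ValueError("identical hash keys: no cross-key collision from one block")
    x = gf_mul(y1 ^ y2 ^ m1 ^ m2, gf_inv(divisor))
    return prefix + x.to_bytes(16, "big")


# Key 1: AES-GCM spec test values for the all-zero key and zero nonce
# (H = AES_0(0^128), mask = AES_0(J0)). Key 2: constructed stand-in values.
DEMO_H1 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
DEMO_M1 = 0x58E2FCCEFA7E3061367F1D57A4E7455A
DEMO_H2 = 0x0388DACE60B6A392F328C2B971B2FE78
DEMO_M2 = 0xAB6E47D42CEC13BDF53A67B21257BDDF


if __name__ == "__main__":
    ct = colliding_ciphertext(DEMO_H1, DEMO_M1, DEMO_H2, DEMO_M2, b"A" * 32)
    t1 = tag(DEMO_H1, DEMO_M1, ct)
    t2 = tag(DEMO_H2, DEMO_M2, ct)
    print("same tag under both keys:", t1 == t2, hex(t1))
```

The ciphertext returned by colliding_ciphertext carries a valid tag under both keys, which is exactly what a committing MAC must rule out; the attacker-controlled block is the last ciphertext block here, but any block (or an AAD block) works the same way with a different power of H. The example says nothing about context-discovery security or about HMAC/CMAC; it only shows the one-division collision that makes GHASH-based tags non-committing.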
2023, ASIACRYPT
The Indifferentiability of the Duplex and its Practical Applications
Abstract
The Duplex construction, introduced by Bertoni et al. (SAC 2011), is the Swiss Army knife of permutation-based cryptography. It can be used to realise a variety of cryptographic objects, ranging from hash functions and MACs to authenticated encryption and symmetric ratchets. Testament to this is the STROBE protocol framework, a software cryptographic library based solely on the Duplex combined with a rich set of function calls. While prior works have typically focused their attention on specific uses of the Duplex, our focus here is its indifferentiability. More specifically, we consider the indifferentiability of the Duplex construction from an online random oracle, an idealisation which shares the same interface. As one of our main results we establish the indifferentiability of the Duplex from an online random oracle. However, indifferentiability only holds for the standard Duplex construction: we show that the full-state variant of the Duplex cannot meet this notion. Our indifferentiability theorem provides the theoretical justification for the security of the Duplex in a variety of scenarios, among others its use as a general-purpose cryptographic primitive in the STROBE framework. Next we turn our attention to AEAD schemes based on the Duplex, namely SpongeWrap, which is the basis for NIST's Lightweight Cryptography standard Ascon. We harness the power of indifferentiability by establishing that SpongeWrap offers security against key-dependent message inputs and related-key attacks, and is also committing.
Coauthors
- Ritam Bhaumik (1)
- Bishwajit Chakraborty (1)
- Wonseok Choi (1)
- Jean Paul Degabriele (1)
- Avijit Dutta (1)
- Marc Fischlin (1)
- Jérôme Govinden (2)
- Yaobin Shen (1)