International Association for Cryptologic Research

CryptoDB

Shay Gueron

Publications

Year
Venue
Title
2024
RWC
Building the Next Generation of AEAD
This talk will propose a new approach for building the next generation of AEAD. In the last few years, researchers and practitioners have discovered that widely deployed AEAD schemes, designed almost two decades ago, have many limitations. These range from uncomfortably small security margins to outright security vulnerabilities. We will discuss foundational theory and concrete designs for the next generation of AEAD schemes. Our designs better support real-world workloads while retaining performance.
2024
RWC
I want to encrypt 2^64 bytes with AES-GCM using a single key
Shay Gueron
This talk will discuss a simple approach to “encrypt forever” with a single AES-GCM key. It is called Double-Nonce-Derive-Key AES-GCM (DNDK-GCM) and is based on extending the 96-bit nonce length to any s-bit nonce length for s < 256 (e.g., 192). The security of the resulting AEAD can be proven under the same assumptions that underlie the security of AES-GCM, because no additional cryptographic primitive is involved. The talk will discuss these security margins and explain why it is possible to use DNDK-GCM for processing even a total of 2^64 bytes under one key and remain within the NIST-specified 2^(-32) margins. This implies that the cryptoperiod of a key is not limited by the cryptographic bounds that indicate key wear-out. As a bonus, we will also toss in a key commitment string. By now, DNDK-GCM has become the default encryption mode on Meta infrastructure. The talk will provide a detailed performance analysis to show the cost of DNDK-GCM, relative to AES-GCM and to some other AEADs that are being used at Meta. It will explain some considerations and challenges associated with defining and migrating to a new default on live cloud systems, discuss the standards compliance aspect, and provide some numbers on the scale at which this mode operates.
2021
JOFC
Selfie: reflections on TLS 1.3 with PSK
Nir Drucker, Shay Gueron
TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose a mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.
2018
JOFC
2018
JOFC
2016
ASIACRYPT
2009
ASIACRYPT
2009
FSE
2002
CHES

Service

Crypto 2020 Program committee
RWC 2020 Program committee
CHES 2019 Program committee
CHES 2018 Program committee
CHES 2013 Program committee