IACR Communications in Cryptology (CiC)

On the Key-Commitment Properties of Forkcipher-based AEADs

Authors

Mostafizar Rahman, University of Hyogo, Kobe, Japan (mrahman454 at gmail dot com)
Samir Kundu, Siksha 'O' Anusandhan (Deemed to be) University, Bhubaneswar, India (samirkundu3 at gmail dot com)
Takanori Isobe, University of Hyogo, Kobe, Japan (takanori dot isobe at ai dot u-hyogo dot ac dot jp)

Abstract

Forkcipher-based AEADs have emerged as lightweight and efficient cryptographic modes, making them suitable for resource-constrained settings such as IoT devices and for distributed decryption through MPC. These schemes, including prominent examples like Eevee (Jolteon, Espeon, and Umbreon), PAEF, RPAEF, and SAEF, leverage the properties of forkciphers to achieve enhanced performance. However, their security in terms of key commitment, a critical property for certain applications such as secure cloud services, as highlighted by Albertini et al. (USENIX 2022), has not been comprehensively analyzed until now.

In this work, we analyze the key-commitment properties of forkcipher-based AEADs. We find that some of these schemes lack key commitment, primarily because of the distinctive way in which they process associated data and plaintext. For two different keys and the same nonce, an adversary can identify associated-data and plaintext blocks that produce an identical ciphertext and tag with $O(1)$ complexity. Our findings apply to several forkcipher-based AEADs, including Eevee, PAEF, and SAEF, and extend naturally to the less strict CMT-1 and CMT-4 frameworks.

These findings highlight a significant limitation in the robustness of forkcipher-based AEADs. While these modes are attractive for their lightweight design and efficiency, they should not be deployed in scenarios where explicit robustness or key-commitment security is required.
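The attack pattern in the abstract (two keys, one nonce, O(1) work to find a ciphertext and tag that both keys accept) is the same CMT-1 failure that Albertini et al. [ADG+22] demonstrated for AES-GCM, and in both cases the constant cost comes from the tag being algebraically simple in one ciphertext block. The Go program below is added here as an illustration of that pattern on AES-GCM; it is not taken from the paper, and because this page does not give the internals of Eevee, PAEF or SAEF, the forkcipher attacks themselves are not reproduced. With the last ciphertext block X left free, GHASH is affine in X, so the two keys' tags are made equal by solving one linear equation in GF(2^128), after which the standard library's GCM opens the result under both keys. Keys, nonce and the attacker-chosen prefix are constructed values, and GCMKeyCollision and GCMOpen are names of this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// fe is a GF(2^128) element in GCM's convention (NIST SP 800-38D): hi holds block
// bytes 0..7, lo bytes 8..15, and the x^0 coefficient is the leftmost bit of hi.
type fe struct{ hi, lo uint64 }

var feOne = fe{hi: 1 << 63} // block 80 00 .. 00, the multiplicative identity

func feFromBytes(b []byte) fe {
	return fe{binary.BigEndian.Uint64(b[0:8]), binary.BigEndian.Uint64(b[8:16])}
}
func (a fe) bytes() []byte {
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, a.hi), a.lo)
}
func (a fe) xor(b fe) fe { return fe{a.hi ^ b.hi, a.lo ^ b.lo} }

// mul is Algorithm 1 of SP 800-38D: scan a's bits from the left while right-shifting
// b, reducing with R = E1 || 0^120 whenever a bit falls off the right end.
func (a fe) mul(b fe) fe {
	var z fe
	v := b
	for _, w := range [2]uint64{a.hi, a.lo} {
		for j := 63; j >= 0; j-- {
			if (w>>uint(j))&1 == 1 {
				z = z.xor(v)
			}
			// shift v right one bit; if the bit that fell off was 1, xor in R
			v.lo, v.hi = v.lo>>1|v.hi<<63, v.hi>>1^0xe100000000000000*(v.lo&1)
		}
	}
	return z
}

// inv returns a^(2^128-2) = a^-1 for nonzero a by square-and-multiply.
func (a fe) inv() fe {
	r, s := feOne, a
	for i := 1; i < 128; i++ { // r accumulates a^(2^1) * ... * a^(2^127)
		s = s.mul(s)
		r = r.mul(s)
	}
	return r
}

// ghash is GHASH_H(ad, ct) including the trailing 64-bit||64-bit bit-length block.
func ghash(h fe, ad, ct []byte) fe {
	var y fe
	for _, data := range [][]byte{ad, ct} {
		for i := 0; i < len(data); i += 16 {
			var blk [16]byte
			copy(blk[:], data[i:]) // zero-pads a final partial block
			y = y.xor(feFromBytes(blk[:])).mul(h)
		}
	}
	lens := binary.BigEndian.AppendUint64(nil, uint64(len(ad))*8)
	lens = binary.BigEndian.AppendUint64(lens, uint64(len(ct))*8)
	return y.xor(feFromBytes(lens)).mul(h)
}

func newAES(key []byte) cipher.Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}
func aesBlock(key, in []byte) fe {
	out := make([]byte, 16)
	newAES(key).Encrypt(out, in)
	return feFromBytes(out)
}

// GCMKeyCollision returns ciphertext||tag (prefix, one solved block, 16-byte tag; empty
// AD) that AES-GCM accepts under both keys with one 12-byte nonce. The tag is affine
// in the last ciphertext block X, so equating the two tags is one linear equation.
func GCMKeyCollision(key1, key2, nonce, prefix []byte) []byte {
	if len(nonce) != 12 || len(prefix)%16 != 0 {
		panic("need a 12-byte nonce and a prefix of whole blocks")
	}
	h1, h2 := aesBlock(key1, make([]byte, 16)), aesBlock(key2, make([]byte, 16))
	j0 := append(append([]byte{}, nonce...), 0, 0, 0, 1) // J0 = N || 0^31 || 1
	e1, e2 := aesBlock(key1, j0), aesBlock(key2, j0)
	ct := append(append([]byte{}, prefix...), make([]byte, 16)...) // X = 0 for now
	diff := e1.xor(e2).xor(ghash(h1, nil, ct)).xor(ghash(h2, nil, ct))
	// X is multiplied by H twice (its own step and the length block's), so the tag
	// difference is diff + X*(H1^2 + H2^2); it vanishes at the X computed here.
	x := diff.mul(h1.mul(h1).xor(h2.mul(h2)).inv())
	copy(ct[len(prefix):], x.bytes())
	return append(ct, e1.xor(ghash(h1, nil, ct)).bytes()...)
}

// GCMOpen decrypts with the standard library's GCM (empty AD), as a receiver would.
func GCMOpen(key, nonce, sealed []byte) ([]byte, error) {
	g, err := cipher.NewGCM(newAES(key))
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, sealed, nil)
}

func main() {
	k1, k2, n := []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("cmt-1-nonce!")
	sealed := GCMKeyCollision(k1, k2, n, []byte("attacker-chosen!")) // constructed inputs
	p1, err1 := GCMOpen(k1, n, sealed)
	p2, err2 := GCMOpen(k2, n, sealed)
	fmt.Printf("key1 -> %x %v\nkey2 -> %x %v\n", p1, err1, p2, err2)
}
```

Nothing here relies on a weakness in AES: the collision exists because the tag is a polynomial in a key-derived value rather than a commitment to the key, which is exactly the property the abstract examines for forkcipher modes, and a longer tag would not help. A receiver that must know which key produced a ciphertext needs a committing construction (the fixes proposed in [ADG+22], or the schemes of [BH22]) rather than a plain AEAD.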

References

[ABPV21]
Elena Andreeva, Amit Singh Bhati, Bart Preneel, and Damian Vizár. 1, 2, 3, Fork: Counter Mode Variants based on a Generalized Forkcipher. IACR Trans. Symmetric Cryptol., 2021(3):1–35, 2021. DOI: 10.46586/TOSC.V2021.I3.1-35
[ADG+22]
Ange Albertini, Thai Duong, Shay Gueron, Stefan Kölbl, Atul Luykx, and Sophie Schmieg. How to Abuse and Fix Authenticated Encryption Without Key Commitment. In Kevin R. B. Butler and Kurt Thomas, editors, 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, pages 3291–3308. 2022. USENIX Association.
[ALP+19]
Elena Andreeva, Virginie Lallemand, Antoon Purnal, Reza Reyhanitabar, Arnab Roy, and Damian Vizár. Forkcipher: A New Primitive for Authenticated Encryption of Very Short Messages. In Advances in Cryptology - ASIACRYPT 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8-12, 2019, Proceedings, Part II, volume 11922 of Lecture Notes in Computer Science, pages 153–182. 2019. Springer. DOI: 10.1007/978-3-030-34621-8_6
[ARVV18]
Elena Andreeva, Reza Reyhanitabar, Kerem Varici, and Damian Vizár. Forking a Blockcipher for Authenticated Encryption of Very Short Messages. IACR Cryptol. ePrint Arch., 2018.
[AW23]
Elena Andreeva and Andreas Weninger. A Forkcipher-Based Pseudo-Random Number Generator. In Mehdi Tibouchi and Xiaofeng Wang, editors, Applied Cryptography and Network Security - 21st International Conference, ACNS 2023, Kyoto, Japan, June 19-22, 2023, Proceedings, Part II, volume 13906 of Lecture Notes in Computer Science, pages 3–31. 2023. Springer. DOI: 10.1007/978-3-031-33491-7_1
[BH22]
Mihir Bellare and Viet Tung Hoang. Efficient Schemes for Committing Authenticated Encryption. In Orr Dunkelman and Stefan Dziembowski, editors, Advances in Cryptology - EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, May 30 - June 3, 2022, Proceedings, Part II, volume 13276 of Lecture Notes in Computer Science, pages 845–875. 2022. Springer. DOI: 10.1007/978-3-031-07085-3_29
[BH24]
Mihir Bellare and Viet Tung Hoang. Succinctly-Committing Authenticated Encryption. In Leonid Reyzin and Douglas Stebila, editors, Advances in Cryptology - CRYPTO 2024 - 44th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2024, Proceedings, Part IV, volume 14923 of Lecture Notes in Computer Science, pages 305–339. 2024. Springer. DOI: 10.1007/978-3-031-68385-5_10
[BJK+16]
Christof Beierle, Jérémy Jean, Stefan Kölbl, Gregor Leander, Amir Moradi, Thomas Peyrin, Yu Sasaki, Pascal Sasdrich, and Siang Meng Sim. The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part II, volume 9815 of Lecture Notes in Computer Science, pages 123–153. 2016. Springer. DOI: 10.1007/978-3-662-53008-5_5
[BPA+23]
Amit Singh Bhati, Erik Pohle, Aysajan Abidin, Elena Andreeva, and Bart Preneel. Let's Go Eevee! A Friendly and Suitable Family of AEAD Modes for IoT-to-Cloud Secure Computation. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, November 26-30, 2023, pages 2546–2560. 2023. ACM. DOI: 10.1145/3576915.3623091
[CFI+23]
Yu Long Chen, Antonio Flórez-Gutiérrez, Akiko Inoue, Ryoma Ito, Tetsu Iwata, Kazuhiko Minematsu, Nicky Mouha, Yusuke Naito, Ferdinand Sibleyras, and Yosuke Todo. Key Committing Security of AEZ and More. IACR Trans. Symmetric Cryptol., 2023(4):452–488, 2023. DOI: 10.46586/TOSC.V2023.I4.452-488
[CR22]
John Chan and Phillip Rogaway. On Committing Authenticated-Encryption. In Vijayalakshmi Atluri, Roberto Di Pietro, Christian Damsgaard Jensen, and Weizhi Meng, editors, Computer Security - ESORICS 2022 - 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26-30, 2022, Proceedings, Part II, volume 13555 of Lecture Notes in Computer Science, pages 275–294. 2022. Springer. DOI: 10.1007/978-3-031-17146-8_14
[DDLM24]
Nilanjan Datta, Avijit Dutta, Eik List, and Sougata Mandal. FEDT: Forkcipher-based Leakage-resilient Beyond-birthday-secure AE. IACR Commun. Cryptol., 1(2):21, 2024. DOI: 10.62056/AKGYL86BM
[DFI+24]
Patrick Derbez, Pierre-Alain Fouque, Takanori Isobe, Mostafizar Rahman, and André Schrottenloher. Key Committing Attacks against AES-based AEAD Schemes. IACR Trans. Symmetric Cryptol., 2024(1):135–157, 2024. DOI: 10.46586/TOSC.V2024.I1.135-157
[DGRW18]
Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, and Joanne Woodage. Fast Message Franking: From Invisible Salamanders to Encryptment. In Hovav Shacham and Alexandra Boldyreva, editors, Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part I, volume 10991 of Lecture Notes in Computer Science, pages 155–186. 2018. Springer. DOI: 10.1007/978-3-319-96884-1_6
[Fac16]
Facebook. Messenger Secret Conversations Technical Whitepaper. 2016. https://fbnewsroomus.files.wordpress
[FOR17]
Pooya Farshim, Claudio Orlandi, and Razvan Rosie. Security of Symmetric Primitives under Incorrect Usage of Keys. IACR Trans. Symmetric Cryptol., 2017(1):449–473, 2017. DOI: 10.13154/tosc.v2017.i1.449-473
[GLR17]
Paul Grubbs, Jiahui Lu, and Thomas Ristenpart. Message Franking via Committing Authenticated Encryption. In Jonathan Katz and Hovav Shacham, editors, Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part III, volume 10403 of Lecture Notes in Computer Science, pages 66–97. 2017. Springer. DOI: 10.1007/978-3-319-63697-9_3
[JKX18]
Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-computation Attacks. In Jesper Buus Nielsen and Vincent Rijmen, editors, Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018, Proceedings, Part III, volume 10822 of Lecture Notes in Computer Science, pages 456–486. 2018. Springer. DOI: 10.1007/978-3-319-78372-7_15
[KLL20]
Hwigyeom Kim, Yeongmin Lee, and Jooyoung Lee. Forking Tweakable Even-Mansour Ciphers. IACR Trans. Symmetric Cryptol., 2020(4):71–87, 2020. DOI: 10.46586/TOSC.V2020.I4.71-87
[LGR21]
Julia Len, Paul Grubbs, and Thomas Ristenpart. Partitioning Oracle Attacks. In Michael Bailey and Rachel Greenstadt, editors, 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, pages 195–212. 2021. USENIX Association.
[Man24]
Sougata Mandal. Tweakable ForkCipher from Ideal Block Cipher. IACR Commun. Cryptol., 1(3):42, 2024. DOI: 10.62056/AEY4FBN2HD
[Mil17]
Jon Millican. Challenges of E2E Encryption in Facebook Messenger. Real World Cryptography Conference, 2017.
[MLGR23]
Sanketh Menda, Julia Len, Paul Grubbs, and Thomas Ristenpart. Context Discovery and Commitment Attacks - How to Break CCM, EAX, SIV, and More. In Carmit Hazay and Martijn Stam, editors, Advances in Cryptology - EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part IV, volume 14007 of Lecture Notes in Computer Science, pages 379–407. 2023. Springer. DOI: 10.1007/978-3-031-30634-1_13
[NSS23]
Yusuke Naito, Yu Sasaki, and Takeshi Sugawara. Committing Security of Ascon: Cryptanalysis on Primitive and Proof on Mode. IACR Trans. Symmetric Cryptol., 2023(4):420–451, 2023. DOI: 10.46586/TOSC.V2023.I4.420-451

Open access

History
Submitted: 2024-10-09
Accepted: 2024-12-03
Published: 2025-01-13
How to cite

Mostafizar Rahman, Samir Kundu, and Takanori Isobe, On the Key-Commitment Properties of Forkcipher-based AEADs. IACR Communications in Cryptology, vol. 1, no. 4, Jan 13, 2025, doi: 10.62056/ayfhp2fgx.

License

Copyright is held by the author(s)

This work is licensed under a Creative Commons Attribution (CC BY) license.