2021. Security Analysis of SFrame Examples of messaging apps and video conference systems n Signal Protocol u adopted by WhatsApp, Facebook Messenger, Signal n SFrame (Secure Frame) u adopted by Google Duo, Cisco Webex, Jitsi Meet n Others u iMessage (Apple), LINE, Zoom End-to-End Encryption (E2EE) 2 A technology for a secure communication scheme n Only communicating parties can send and read the messages n Nobody except each communicating party, not even the service provider, has access to the encryption keys that are used to encrypt the messages n The Snowdenโs revelation: even honest server may be compromised by a powerful intelligence organization, e.g., NSA Background
2021. Security Analysis of SFrame Examples of messaging apps and video conference systems n Signal Protocol u adopted by WhatsApp, Facebook Messenger, Signal n SFrame (Secure Frame) u adopted by Google Duo, Cisco Webex, Jitsi Meet n Others u iMessage (Apple), LINE, Zoom End-to-End Encryption (E2EE) 3 A technology for a secure communication scheme n Only communicating parties can send and read the messages n Nobody except each communicating party, not even the service provider, has access to the encryption keys that are used to encrypt the messages n The Snowdenโs revelation: even honest server may be compromised by a powerful intelligence organization, e.g., NSA Background
2021. Security Analysis of SFrame SFrame 4 An E2EE mechanism for real-time communication traffic n proposed by a team of Google and CoSMo software n designed to suppress communication overheads by encrypting the entire media frame instead of per media packet n specified in the Internet draft u defines a cryptographic protocol (authenticated encryptions, hash functions, and signature algorithms), but not a key exchange protocol. u Our target: draft-omara-sframe-01* SFrame *Based on our security analysis, the SFrame designers updated the draft version to draft-omara-sframe-02.
2021. Security Analysis of SFrame SFrame 5 An E2EE mechanism for real-time communication traffic n proposed by a team of Google and CoSMo software n designed to suppress communication overheads by encrypting the entire media frame instead of per media packet n specified in the Internet draft u defines a cryptographic protocol (authenticated encryptions, hash functions, and signature algorithms), but not a key exchange protocol. u Our target: draft-omara-sframe-01* SFrame *Based on our security analysis, the SFrame designers updated the draft version to draft-omara-sframe-02.
2021. Security Analysis of SFrame Cryptographic Protocol 6 No. Name Key length Nonce length Tag length 1 AES_CM_128_HMAC_SHA256_8 16 bytes 12 bytes 8 bytes 2 AES_CM_128_HMAC_SHA256_4 16 bytes 12 bytes 4 bytes 3 AES_GCM_128_SHA256 16 bytes 12 bytes N/A 4 AES_GCM_256_SHA512 32 bytes 12 bytes N/A *CM: Counter Mode n An authenticated encryption with associated data (AEAD) u AES-GCM or AES-CM-HMAC (a generic composition of AES-CTR and HMAC) n A hash function u SHA256 or SHA512 n An optional signature algorithm u EdDSA over Ed25519 or ECDSA over P-521 u computed from a list of AEAD tags SFrame Ciphersuites
2021. Security Analysis of SFrame Cryptographic Protocol 7 No. Name Key length Nonce length Tag length 1 AES_CM_128_HMAC_SHA256_8 16 bytes 12 bytes 8 bytes 2 AES_CM_128_HMAC_SHA256_4 16 bytes 12 bytes 4 bytes 3 AES_GCM_128_SHA256 16 bytes 12 bytes N/A 4 AES_GCM_256_SHA512 32 bytes 12 bytes N/A *CM: Counter Mode n An authenticated encryption with associated data (AEAD) u AES-GCM or AES-CM-HMAC (a generic composition of AES-CTR and HMAC) n A hash function u SHA256 or SHA512 n An optional signature algorithm u EdDSA over Ed25519 or ECDSA over P-521 u computed from a list of AEAD tags SFrame Ciphersuites
2021. Security Analysis of SFrame Our Contributions 8 Security Analysis Result 1: Security of AEAD under SFrame n provably secure in the context of standard AEAD Result 2: Security of AES-CM-HMAC with short tags n an impersonation attack by a malicious group member n exploits a vulnerability of very short tag length Result 3: Security of AES-CM-HMAC with long tags n considered as the second-ciphertext unforgeability (SCU) secure AEAD Result 4: Security of AES-GCM with any long tags n an impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting Result 5: Security of AES-GCM with short tags n an authentication key recovery attack n exploits the fact that there is no restriction for the usage of GCM with short tags
2021. Security Analysis of SFrame Our Contributions 9 Security Analysis Result 1: Security of AEAD under SFrame n provably secure in the context of standard AEAD Result 2: Security of AES-CM-HMAC with short tags n an impersonation attack by a malicious group member n exploits a vulnerability of very short tag length Result 3: Security of AES-CM-HMAC with long tags n considered as the second-ciphertext unforgeability (SCU) secure AEAD Result 4: Security of AES-GCM with any long tags n an impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting Result 5: Security of AES-GCM with short tags n an authentication key recovery attack n exploits the fact that there is no restriction for the usage of GCM with short tags
2021. Security Analysis of SFrame Result 1: Security of AEAD under SFrame 10 Security Analysis Algorithm 2 AEAD encryption by AES-CM-HMAC Input: ๐, aad, ๐พ! "#$, ๐พ% "#$, ๐ Output: ๐ถ, ๐ 1: procedure AEAD.Encryption(๐พ! "#$, ๐พ% "#$, ๐, aad, ๐) 2: ๐ถ = AES-CTR.Encryption(๐พ! "#$, ๐, ๐) 3: ๐ = Tag.Generation(๐พ% "#$, aad, ๐ถ) Tag.Generation(๐ฒ๐ ๐ฒ๐ฐ๐ซ, ๐ต, ๐๐๐, ๐ช) 4: end procedure Secure under the standard assumptions n AES is a pseudorandom permutation n HMAC is a pseudorandom function AES-CM-HMAC n The lack of ๐ is not a problem since aad contains CTR as well as ๐ n Alg. 2 itself is not generally secure AEAD as it ignores ๐ in the tag generation
2021. Security Analysis of SFrame Result 1: Security of AEAD under SFrame 11 Security Analysis Algorithm 2 AEAD encryption by AES-CM-HMAC Input: ๐, aad, ๐พ! "#$, ๐พ% "#$, ๐ Output: ๐ถ, ๐ 1: procedure AEAD.Encryption(๐พ! "#$, ๐พ% "#$, ๐, aad, ๐) 2: ๐ถ = AES-CTR.Encryption(๐พ! "#$, ๐, ๐) 3: ๐ = Tag.Generation(๐พ% "#$, aad, ๐ถ) Tag.Generation(๐ฒ๐ ๐ฒ๐ฐ๐ซ, ๐ต, ๐๐๐, ๐ช) 4: end procedure Secure under the standard assumptions n AES is a pseudorandom permutation n HMAC is a pseudorandom function AES-CM-HMAC n The lack of ๐ is not a problem since aad contains CTR as well as ๐ n Alg. 2 itself is not generally secure AEAD as it ignores ๐ in the tag generation
2021. Security Analysis of SFrame Result 1: Security of AEAD under SFrame 12 Security Analysis Algorithm 2 AEAD encryption by AES-CM-HMAC Input: ๐, aad, ๐พ! "#$, ๐พ% "#$, ๐ Output: ๐ถ, ๐ 1: procedure AEAD.Encryption(๐พ! "#$, ๐พ% "#$, ๐, aad, ๐) 2: ๐ถ = AES-CTR.Encryption(๐พ! "#$, ๐, ๐) 3: ๐ = Tag.Generation(๐พ% "#$, aad, ๐ถ) Tag.Generation(๐ฒ๐ ๐ฒ๐ฐ๐ซ, ๐ต, ๐๐๐, ๐ช) 4: end procedure Secure under the standard assumptions n AES is a pseudorandom permutation n HMAC is a pseudorandom function AES-CM-HMAC n The lack of ๐ is not a problem since aad contains CTR as well as ๐ n Alg. 2 itself is not generally secure AEAD as it ignores ๐ in the tag generation
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 13 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple ๐, aad, ๐ 2. computes a ciphertext ๐ถ and a ๐-bit tag ๐ for ๐, aad, ๐ 3. stores a set of ๐, ๐ถ, ๐ into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 14 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple ๐ต, ๐๐๐, ๐ด 2. computes a ciphertext ๐ถ and a ๐-bit tag ๐ for ๐, aad, ๐ 3. stores a set of ๐, ๐ถ, ๐ into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 15 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple ๐, aad, ๐ 2. computes a ciphertext ๐ช and a ๐-bit tag ๐ป for ๐ต, ๐๐๐, ๐ด 3. stores a set of ๐, ๐ถ, ๐ into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 16 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple ๐, aad, ๐ 2. computes a ciphertext ๐ถ and a ๐-bit tag ๐ for ๐, aad, ๐ 3. stores a set of ๐ด, ๐ช, ๐ป into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member ๐ถ ๐ โฎ โฎ ๐ถโ ๐โ โฎ โฎ
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 17 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple ๐, aad, ๐ 2. computes a ciphertext ๐ถ and a ๐-bit tag ๐ for ๐, aad, ๐ 3. stores a set of ๐, ๐ถ, ๐ into the precomputation table 4. repeats Step 1-3 ๐๐ times with different messages Target member Other members Malicious member ๐ถ ๐ โฎ โฎ ๐ถโ ๐โ โฎ โฎ
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 18 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags ๐, aad, ๐ช!, ๐ป!, Sig Security Analysis Other members Malicious member Online phase 1. intercepts a target frame ๐ต, ๐๐๐, ๐ช,, ๐ป,, ๐๐ข๐ sent by the target member 2. searches a tuple ๐โ, ๐ถโ, ๐โ in the table such that ๐โ = ๐, and ๐ถโ โ ๐ถ, 3. finds such a tuple, replaces ๐ถ, with ๐ถโ in the target frame, and sends ๐, aad, ๐ถโ, ๐โฒ, Sig to other group members ๐ถ ๐ โฎ โฎ ๐ถโ ๐โ โฎ โฎ
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 19 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags ๐, aad, ๐ช!, ๐ป!, Sig ๐ถ ๐ โฎ โฎ ๐ชโ ๐ปโ โฎ โฎ = ๐ปโฒ Security Analysis Other members Malicious member Online phase 1. intercepts a target frame ๐, aad, ๐ถ,, ๐,, Sig sent by the target member 2. searches a tuple ๐ดโ, ๐ชโ, ๐ปโ in the table such that ๐ปโ = ๐ป, and ๐ชโ โ ๐ช, 3. finds such a tuple, replaces ๐ถ, with ๐ถโ in the target frame, and sends ๐, aad, ๐ถโ, ๐โฒ, Sig to other group members
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 20 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags ๐, aad, ๐ช!, ๐ป!, Sig ๐, aad, ๐ชโ, ๐ปโฒ, Sig ๐ถ ๐ โฎ โฎ ๐ถโ ๐โ โฎ โฎ = ๐ปโฒ Security Analysis Other members Malicious member Online phase 1. intercepts a target frame ๐, aad, ๐ถ,, ๐,, Sig sent by the target member 2. searches a tuple ๐โ, ๐ถโ, ๐โ in the table such that ๐โ = ๐, and ๐ถโ โ ๐ถ, 3. finds such a tuple, replaces ๐ช, with ๐ชโ in the target frame, and sends ๐ต, ๐๐๐, ๐ชโ, ๐ปโฒ, ๐๐ข๐ to other group members
2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 21 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags ๐, aad, ๐ช!, ๐ป!, Sig ๐, aad, ๐ชโ, ๐ปโฒ, Sig ๐ถ ๐ โฎ โฎ ๐ถโ ๐โ โฎ โฎ = ๐ปโฒ Security Analysis Other members Malicious member Online phase 1. intercepts a target frame ๐, aad, ๐ถ,, ๐,, Sig sent by the target member 2. searches a tuple ๐โ, ๐ถโ, ๐โ in the table such that ๐โ = ๐, and ๐ถโ โ ๐ถ, 3. finds such a tuple, replaces ๐ถ, with ๐ถโ in the target frame, and sends ๐, ๐๐๐, ๐ถโ, ๐โฒ, Sig to other group members When the tag length is 4 bytes, if the adversary prepares 232 tuples in the table, the success probability is almost one.
2021. Security Analysis of SFrame Result 3: Security of AES-CM-HMAC with Long Tags 22 Security Analysis Theorem 1. Let ๐ be a SCU adversary against AES-CM-HMAC with the target encryption output being at most โ bits. Then, SCU advantage of ๐ against AES-CM-HMAC is bounded as ๐๐๐ฏ๐๐๐.๐๐.๐๐๐๐ ๐๐๐ ๐ < ๐๐๐๐ฏ ๐ฏ ๐๐๐๐ 6 โ! ๐8 for some eSec adversary ๐8 against ๐ป, which denotes the underlying SHA256 hash function, where โ8 = โ+512 (i.e., one block larger). SCU security [DGRW18] n security notion for an unforgeability goal in the known key setting Second-ciphertext Unforgeability (SCU) Secure AEAD [DGRW18] Y. Dodis et al. Fast Message Franking: From Invisible salamanders to encryptment. In CRYPTO 2018. [RS04] P. Rogaway and T. Shrimpton. Cryptographic Hash Function Basics. In FSE 2004. Everywhere Second-Preimage (eSec) Resistance [RS04] n a slight extension of a strong form of second-preimage resistance
2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 23 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 ๐ป = GHASH ๐ฟ, aad โฅ ๐ถ โฅ Len aad, ๐ถ โ ๐ธ" ๐ โฅ 1 = ๐๐๐๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐, ๐ช J ๐ณ โ ๐ฌ๐ฒ ๐ต โฅ ๐ ๐ถ2 = ๐ธ" ๐ โฅ ๐ + 1 โ ๐2 *Authentication key: ๐ฟ = ๐ธ" 0345 ๐ช๐ , J ๐ณ๐ = ๐ป โ ๐๐๐๐ , J ๐ณ๐ โ ๐ช๐ , J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐ , , ๐ช, J ๐ณ โ ๐ฌ๐ฒ ๐ต, โฅ ๐ Attack procedure 1. arbitrary chooses ๐ต,, ๐๐๐๐ , , and the fake message block ๐ด๐ , to compute ๐ช๐ , 2. sets the final ciphertext block ๐ช๐ , so that the following equation holds
2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 24 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 ๐ป = GHASH ๐ฟ, aad โฅ ๐ถ โฅ Len aad, ๐ถ โ ๐ธ" ๐ โฅ 1 = ๐๐๐๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐, ๐ช J ๐ณ โ ๐ฌ๐ฒ ๐ต โฅ ๐ ๐ถ2 = ๐ธ" ๐ โฅ ๐ + 1 โ ๐2 *Authentication key: ๐ฟ = ๐ธ" 0345 ๐ช๐ , J ๐ณ๐ = ๐ป โ ๐๐๐๐ , J ๐ณ๐ โ ๐ช๐ , J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐ , , ๐ช, J ๐ณ โ ๐ฌ๐ฒ ๐ต, โฅ ๐ Attack procedure 1. arbitrary chooses ๐ต,, ๐๐๐๐ , , and the fake message block ๐ด๐ , to compute ๐ช๐ , 2. sets the final ciphertext block ๐ช๐ , so that the following equation holds
2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 25 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 ๐ป = GHASH ๐ฟ, aad โฅ ๐ถ โฅ Len aad, ๐ถ โ ๐ธ" ๐ โฅ 1 = ๐๐๐๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐, ๐ช J ๐ณ โ ๐ฌ๐ฒ ๐ต โฅ ๐ ๐ถ2 = ๐ธ" ๐ โฅ ๐ + 1 โ ๐2 *Authentication key: ๐ฟ = ๐ธ" 0345 ๐ช๐ , J ๐ณ๐ = ๐ป โ ๐๐๐๐ , J ๐ณ๐ โ ๐ช๐ , J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐ , , ๐ช, J ๐ณ โ ๐ฌ๐ฒ ๐ต, โฅ ๐ Attack procedure 1. arbitrary chooses ๐ต,, ๐๐๐๐ , , and the fake message block ๐ด๐ , to compute ๐ช๐ , 2. sets the final ciphertext block ๐ช๐ , so that the following equation holds
2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 26 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 ๐ป = GHASH ๐ฟ, aad โฅ ๐ถ โฅ Len aad, ๐ถ โ ๐ธ" ๐ โฅ 1 = ๐๐๐๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐ช๐ J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐, ๐ช J ๐ณ โ ๐ฌ๐ฒ ๐ต โฅ ๐ ๐ถ2 = ๐ธ" ๐ โฅ ๐ + 1 โ ๐2 *Authentication key: ๐ฟ = ๐ธ" 0345 ๐ช๐ , J ๐ณ๐ = ๐ป โ ๐๐๐๐ , J ๐ณ๐ โ ๐ช๐ , J ๐ณ๐ โ ๐๐๐ง ๐๐๐๐ , , ๐ช, J ๐ณ โ ๐ฌ๐ฒ ๐ต, โฅ ๐ Attack procedure 1. arbitrary chooses ๐ต,, ๐๐๐๐ , , and the fake message block ๐ด๐ , to compute ๐ช๐ , 2. sets the final ciphertext block ๐ช๐ , so that the following equation holds
2021. Security Analysis of SFrame Result 5: Security of AES-GCM with Short Tags 27 t 32 64 L q 21 222 22 220 23 218 24 215 25 213 26 211 211 232 213 229 215 226 217 223 219 220 221 217 c 262 262 261 265 266 267 275 274 273 272 271 270 [MW16] J. Mattson et al. Authentication key recovery on galois/counter mode (GCM). In AFRICACRYPT 2016. l t๏ผtag length (bits) l L๏ผmaximum combined length of aad and C l q๏ผmaximum number of invocations of the authentication decryption function l c๏ผdata complexity for the authentication key recovery under each restriction of (L, q) Security Analysis An authentication key recovery attack n exploits the fact that there is no restriction for the usage of GCM with short tags NIST requirements for the use of GCM with short tags [MW16] The specification does not mention the restrictions of (L, q) n The attack is practically feasible with a data complexity of 26 (e.g., 4-byte tag).
2021. Security Analysis of SFrame Summary 28 Conclusion SFrame is not E2EE-secure when using the following ciphersuites n AES-CM-HMAC with short tags, especially 4-byte tag n AES-GCM with any long tags SFrame is E2EE-secure when using AES-CM-HMAC with long tags n The SCU security of it depends on the security of underlying hash function Communication with the SFrame designers n They acknowledged our findings and quickly revised its specification u remove the signature mechanism u extend tag calculation to cover nonces n draft-omara-sframe-01 โ draft-omara-sframe-02 (current version)
2021. Security Analysis of SFrame Summary 29 Conclusion SFrame is not E2EE-secure when using the following ciphersuites n AES-CM-HMAC with short tags, especially 4-byte tag n AES-GCM with any long tags SFrame is E2EE-secure when using AES-CM-HMAC with long tags n The SCU security of it depends on the security of underlying hash function Communication with the SFrame designers n They acknowledged our findings and quickly revised its specification u remove the signature mechanism u extend tag calculation to cover nonces n draft-omara-sframe-01 โ draft-omara-sframe-02 (current version) Thank you!
2021. Security Analysis of SFrame Recommendations 30 Appendix From the vulnerabilities shown in Results 2-5, we recommend the followings: 1. For AES-CM-HMAC, short tags, especially 4-byte tag, should not be used 2. For AES-GCM, a signature should be computed over a whole frame, not only tags 3. For AES-GCM, the specification should be clearly forbit short tags, or refer to the NIST requirements on the usage of GCM with short tags 4. Switch to other ciphersuite that works as a secure encryptment scheme, such as HFC [DGRW18], with a sufficiently long tag is another option [DGRW18] Dodis et al. Fast message franking: From invisible salamanders to encryptment. In CRYPTO 2018
2021. Security Analysis of SFrame Theorem 1: Security of AES-CM-HMAC with Long Tags 31 Theorem 1. Let ๐ be a SCU adversary against AES-CM-HMAC with the target encryption output being at most โ bits. Then, SCU advantage of ๐ against AES-CM-HMAC is bounded as ๐๐๐ฏ๐๐๐.๐๐.๐๐๐๐ ๐๐๐ ๐ < ๐๐๐๐ฏ ๐ฏ ๐๐๐๐ 6 โ! ๐8 for some eSec adversary ๐8 against ๐ป, which denotes the underlying SHA256 hash function, where โ8 = โ+512 (i.e., one block larger). SCU security [DGRW18] n security notion for an unforgeability goal in the known key setting Second-ciphertext Unforgeability (SCU) Secure AEAD [DGRW18] Y. Dodis et al. Fast Message Franking: From Invisible salamanders to encryptment. In CRYPTO 2018. [RS04] P. Rogaway and T. Shrimpton. Cryptographic Hash Function Basics. In FSE 2004. Everywhere Second-Preimage (eSec) Resistance [RS04] n a slight extension of a strong form of second-preimage resistance Appendix
itorym
gatheluck
.png){kind=avatar}
satai
yoshioshingyouji
hkefka385
masakat0
keio_smilab
rpc
smly
kurita
nagase
sugarenia
jcasabona
stephaniewalter
thekraken
deanohume
tammyeverts
matthewcrist
jonrohan
pedronauck
eileencodes
denniskardys
