Security Analysis of SFrame Takanori Isobe1,2,3, Ryoma Ito2, Kazuhiko Minematsu4 1 University of Hyogo, 2 NICT, 3 JST PRESTO, 4 NEC ESORICS 2021 October 7, 2021

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Examples of messaging apps and video conference systems n Signal Protocol u adopted by WhatsApp, Facebook Messenger, Signal n SFrame (Secure Frame) u adopted by Google Duo, Cisco Webex, Jitsi Meet n Others u iMessage (Apple), LINE, Zoom End-to-End Encryption (E2EE) 2 A technology for a secure communication scheme n Only communicating parties can send and read the messages n Nobody except each communicating party, not even the service provider, has access to the encryption keys that are used to encrypt the messages n The Snowden’s revelation: even honest server may be compromised by a powerful intelligence organization, e.g., NSA Background

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Examples of messaging apps and video conference systems n Signal Protocol u adopted by WhatsApp, Facebook Messenger, Signal n SFrame (Secure Frame) u adopted by Google Duo, Cisco Webex, Jitsi Meet n Others u iMessage (Apple), LINE, Zoom End-to-End Encryption (E2EE) 3 A technology for a secure communication scheme n Only communicating parties can send and read the messages n Nobody except each communicating party, not even the service provider, has access to the encryption keys that are used to encrypt the messages n The Snowden’s revelation: even honest server may be compromised by a powerful intelligence organization, e.g., NSA Background

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame SFrame 4 An E2EE mechanism for real-time communication traffic n proposed by a team of Google and CoSMo software n designed to suppress communication overheads by encrypting the entire media frame instead of per media packet n specified in the Internet draft u defines a cryptographic protocol (authenticated encryptions, hash functions, and signature algorithms), but not a key exchange protocol. u Our target: draft-omara-sframe-01* SFrame *Based on our security analysis, the SFrame designers updated the draft version to draft-omara-sframe-02.

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame SFrame 5 An E2EE mechanism for real-time communication traffic n proposed by a team of Google and CoSMo software n designed to suppress communication overheads by encrypting the entire media frame instead of per media packet n specified in the Internet draft u defines a cryptographic protocol (authenticated encryptions, hash functions, and signature algorithms), but not a key exchange protocol. u Our target: draft-omara-sframe-01* SFrame *Based on our security analysis, the SFrame designers updated the draft version to draft-omara-sframe-02.

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Cryptographic Protocol 6 No. Name Key length Nonce length Tag length 1 AES_CM_128_HMAC_SHA256_8 16 bytes 12 bytes 8 bytes 2 AES_CM_128_HMAC_SHA256_4 16 bytes 12 bytes 4 bytes 3 AES_GCM_128_SHA256 16 bytes 12 bytes N/A 4 AES_GCM_256_SHA512 32 bytes 12 bytes N/A *CM: Counter Mode n An authenticated encryption with associated data (AEAD) u AES-GCM or AES-CM-HMAC (a generic composition of AES-CTR and HMAC) n A hash function u SHA256 or SHA512 n An optional signature algorithm u EdDSA over Ed25519 or ECDSA over P-521 u computed from a list of AEAD tags SFrame Ciphersuites

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Cryptographic Protocol 7 No. Name Key length Nonce length Tag length 1 AES_CM_128_HMAC_SHA256_8 16 bytes 12 bytes 8 bytes 2 AES_CM_128_HMAC_SHA256_4 16 bytes 12 bytes 4 bytes 3 AES_GCM_128_SHA256 16 bytes 12 bytes N/A 4 AES_GCM_256_SHA512 32 bytes 12 bytes N/A *CM: Counter Mode n An authenticated encryption with associated data (AEAD) u AES-GCM or AES-CM-HMAC (a generic composition of AES-CTR and HMAC) n A hash function u SHA256 or SHA512 n An optional signature algorithm u EdDSA over Ed25519 or ECDSA over P-521 u computed from a list of AEAD tags SFrame Ciphersuites

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Our Contributions 8 Security Analysis Result 1: Security of AEAD under SFrame n provably secure in the context of standard AEAD Result 2: Security of AES-CM-HMAC with short tags n an impersonation attack by a malicious group member n exploits a vulnerability of very short tag length Result 3: Security of AES-CM-HMAC with long tags n considered as the second-ciphertext unforgeability (SCU) secure AEAD Result 4: Security of AES-GCM with any long tags n an impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting Result 5: Security of AES-GCM with short tags n an authentication key recovery attack n exploits the fact that there is no restriction for the usage of GCM with short tags

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Our Contributions 9 Security Analysis Result 1: Security of AEAD under SFrame n provably secure in the context of standard AEAD Result 2: Security of AES-CM-HMAC with short tags n an impersonation attack by a malicious group member n exploits a vulnerability of very short tag length Result 3: Security of AES-CM-HMAC with long tags n considered as the second-ciphertext unforgeability (SCU) secure AEAD Result 4: Security of AES-GCM with any long tags n an impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting Result 5: Security of AES-GCM with short tags n an authentication key recovery attack n exploits the fact that there is no restriction for the usage of GCM with short tags

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 1: Security of AEAD under SFrame 10 Security Analysis Algorithm 2 AEAD encryption by AES-CM-HMAC Input: 𝑀, aad, 𝐾! "#$, 𝐾% "#$, 𝑁 Output: 𝐶, 𝑇 1: procedure AEAD.Encryption(𝐾! "#$, 𝐾% "#$, 𝑁, aad, 𝑀) 2: 𝐶 = AES-CTR.Encryption(𝐾! "#$, 𝑁, 𝑀) 3: 𝑇 = Tag.Generation(𝐾% "#$, aad, 𝐶) Tag.Generation(𝑲𝒂 𝑲𝑰𝑫, 𝑵, 𝐚𝐚𝐝, 𝑪) 4: end procedure Secure under the standard assumptions n AES is a pseudorandom permutation n HMAC is a pseudorandom function AES-CM-HMAC n The lack of 𝑁 is not a problem since aad contains CTR as well as 𝑁 n Alg. 2 itself is not generally secure AEAD as it ignores 𝑁 in the tag generation

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 1: Security of AEAD under SFrame 11 Security Analysis Algorithm 2 AEAD encryption by AES-CM-HMAC Input: 𝑀, aad, 𝐾! "#$, 𝐾% "#$, 𝑁 Output: 𝐶, 𝑇 1: procedure AEAD.Encryption(𝐾! "#$, 𝐾% "#$, 𝑁, aad, 𝑀) 2: 𝐶 = AES-CTR.Encryption(𝐾! "#$, 𝑁, 𝑀) 3: 𝑇 = Tag.Generation(𝐾% "#$, aad, 𝐶) Tag.Generation(𝑲𝒂 𝑲𝑰𝑫, 𝑵, 𝐚𝐚𝐝, 𝑪) 4: end procedure Secure under the standard assumptions n AES is a pseudorandom permutation n HMAC is a pseudorandom function AES-CM-HMAC n The lack of 𝑁 is not a problem since aad contains CTR as well as 𝑁 n Alg. 2 itself is not generally secure AEAD as it ignores 𝑁 in the tag generation

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 1: Security of AEAD under SFrame 12 Security Analysis Algorithm 2 AEAD encryption by AES-CM-HMAC Input: 𝑀, aad, 𝐾! "#$, 𝐾% "#$, 𝑁 Output: 𝐶, 𝑇 1: procedure AEAD.Encryption(𝐾! "#$, 𝐾% "#$, 𝑁, aad, 𝑀) 2: 𝐶 = AES-CTR.Encryption(𝐾! "#$, 𝑁, 𝑀) 3: 𝑇 = Tag.Generation(𝐾% "#$, aad, 𝐶) Tag.Generation(𝑲𝒂 𝑲𝑰𝑫, 𝑵, 𝐚𝐚𝐝, 𝑪) 4: end procedure Secure under the standard assumptions n AES is a pseudorandom permutation n HMAC is a pseudorandom function AES-CM-HMAC n The lack of 𝑁 is not a problem since aad contains CTR as well as 𝑁 n Alg. 2 itself is not generally secure AEAD as it ignores 𝑁 in the tag generation

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 13 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple 𝑁, aad, 𝑀 2. computes a ciphertext 𝐶 and a 𝜏-bit tag 𝑇 for 𝑁, aad, 𝑀 3. stores a set of 𝑀, 𝐶, 𝑇 into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 14 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple 𝑵, 𝐚𝐚𝐝, 𝑴 2. computes a ciphertext 𝐶 and a 𝜏-bit tag 𝑇 for 𝑁, aad, 𝑀 3. stores a set of 𝑀, 𝐶, 𝑇 into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 15 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple 𝑁, aad, 𝑀 2. computes a ciphertext 𝑪 and a 𝝉-bit tag 𝑻 for 𝑵, 𝐚𝐚𝐝, 𝑴 3. stores a set of 𝑀, 𝐶, 𝑇 into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 16 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple 𝑁, aad, 𝑀 2. computes a ciphertext 𝐶 and a 𝜏-bit tag 𝑇 for 𝑁, aad, 𝑀 3. stores a set of 𝑴, 𝑪, 𝑻 into the precomputation table 4. repeats Step 1-3 2* times with different messages Target member Other members Malicious member 𝐶 𝑇 ⋮ ⋮ 𝐶∗ 𝑇∗ ⋮ ⋮

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 17 An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags Security Analysis Offline phase 1. chooses the encryption input tuple 𝑁, aad, 𝑀 2. computes a ciphertext 𝐶 and a 𝜏-bit tag 𝑇 for 𝑁, aad, 𝑀 3. stores a set of 𝑀, 𝐶, 𝑇 into the precomputation table 4. repeats Step 1-3 𝟐𝝉 times with different messages Target member Other members Malicious member 𝐶 𝑇 ⋮ ⋮ 𝐶∗ 𝑇∗ ⋮ ⋮

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 18 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags 𝑁, aad, 𝑪!, 𝑻!, Sig Security Analysis Other members Malicious member Online phase 1. intercepts a target frame 𝑵, 𝐚𝐚𝐝, 𝑪,, 𝑻,, 𝐒𝐢𝐠 sent by the target member 2. searches a tuple 𝑀∗, 𝐶∗, 𝑇∗ in the table such that 𝑇∗ = 𝑇, and 𝐶∗ ≠ 𝐶, 3. finds such a tuple, replaces 𝐶, with 𝐶∗ in the target frame, and sends 𝑁, aad, 𝐶∗, 𝑇′, Sig to other group members 𝐶 𝑇 ⋮ ⋮ 𝐶∗ 𝑇∗ ⋮ ⋮

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 19 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags 𝑁, aad, 𝑪!, 𝑻!, Sig 𝐶 𝑇 ⋮ ⋮ 𝑪∗ 𝑻∗ ⋮ ⋮ = 𝑻′ Security Analysis Other members Malicious member Online phase 1. intercepts a target frame 𝑁, aad, 𝐶,, 𝑇,, Sig sent by the target member 2. searches a tuple 𝑴∗, 𝑪∗, 𝑻∗ in the table such that 𝑻∗ = 𝑻, and 𝑪∗ ≠ 𝑪, 3. finds such a tuple, replaces 𝐶, with 𝐶∗ in the target frame, and sends 𝑁, aad, 𝐶∗, 𝑇′, Sig to other group members

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 20 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags 𝑁, aad, 𝑪!, 𝑻!, Sig 𝑁, aad, 𝑪∗, 𝑻′, Sig 𝐶 𝑇 ⋮ ⋮ 𝐶∗ 𝑇∗ ⋮ ⋮ = 𝑻′ Security Analysis Other members Malicious member Online phase 1. intercepts a target frame 𝑁, aad, 𝐶,, 𝑇,, Sig sent by the target member 2. searches a tuple 𝑀∗, 𝐶∗, 𝑇∗ in the table such that 𝑇∗ = 𝑇, and 𝐶∗ ≠ 𝐶, 3. finds such a tuple, replaces 𝑪, with 𝑪∗ in the target frame, and sends 𝑵, 𝐚𝐚𝐝, 𝑪∗, 𝑻′, 𝐒𝐢𝐠 to other group members

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 2: Security of AES-CM-HMAC with Short Tags 21 Target member An impersonation attack by a malicious group member n exploits a vulnerability of very short tag length n caused by the digital signature Sig computed only a list of AEAD tags 𝑁, aad, 𝑪!, 𝑻!, Sig 𝑁, aad, 𝑪∗, 𝑻′, Sig 𝐶 𝑇 ⋮ ⋮ 𝐶∗ 𝑇∗ ⋮ ⋮ = 𝑻′ Security Analysis Other members Malicious member Online phase 1. intercepts a target frame 𝑁, aad, 𝐶,, 𝑇,, Sig sent by the target member 2. searches a tuple 𝑀∗, 𝐶∗, 𝑇∗ in the table such that 𝑇∗ = 𝑇, and 𝐶∗ ≠ 𝐶, 3. finds such a tuple, replaces 𝐶, with 𝐶∗ in the target frame, and sends 𝑁, 𝑎𝑎𝑑, 𝐶∗, 𝑇′, Sig to other group members When the tag length is 4 bytes, if the adversary prepares 232 tuples in the table, the success probability is almost one.

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 3: Security of AES-CM-HMAC with Long Tags 22 Security Analysis Theorem 1. Let 𝒜 be a SCU adversary against AES-CM-HMAC with the target encryption output being at most ℓ bits. Then, SCU advantage of 𝒜 against AES-CM-HMAC is bounded as 𝐀𝐝𝐯𝐀𝐄𝐒.𝐂𝐌.𝐇𝐌𝐀𝐂 𝐒𝐂𝐔 𝓐 < 𝟐𝐀𝐝𝐯 𝑯 𝐞𝐒𝐞𝐜 6 ℓ! 𝓐8 for some eSec adversary 𝒜8 against 𝐻, which denotes the underlying SHA256 hash function, where ℓ8 = ℓ+512 (i.e., one block larger). SCU security [DGRW18] n security notion for an unforgeability goal in the known key setting Second-ciphertext Unforgeability (SCU) Secure AEAD [DGRW18] Y. Dodis et al. Fast Message Franking: From Invisible salamanders to encryptment. In CRYPTO 2018. [RS04] P. Rogaway and T. Shrimpton. Cryptographic Hash Function Basics. In FSE 2004. Everywhere Second-Preimage (eSec) Resistance [RS04] n a slight extension of a strong form of second-preimage resistance

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 23 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 𝑻 = GHASH 𝐿, aad ∥ 𝐶 ∥ Len aad, 𝐶 ⊕ 𝐸" 𝑁 ∥ 1 = 𝐚𝐚𝐝𝟏 J 𝑳𝟒 ⊕ 𝑪𝟏 J 𝑳𝟑 ⊕ 𝑪𝟐 J 𝑳𝟐 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏, 𝑪 J 𝑳 ⊕ 𝑬𝑲 𝑵 ∥ 𝟏 𝐶2 = 𝐸" 𝑁 ∥ 𝑖 + 1 ⊕ 𝑀2 *Authentication key: 𝐿 = 𝐸" 0345 𝑪𝟐 , J 𝑳𝟐 = 𝑻 ⊕ 𝐚𝐚𝐝𝟏 , J 𝑳𝟒 ⊕ 𝑪𝟏 , J 𝑳𝟑 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏 , , 𝑪, J 𝑳 ⊕ 𝑬𝑲 𝑵, ∥ 𝟏 Attack procedure 1. arbitrary chooses 𝑵,, 𝐚𝐚𝐝𝟏 , , and the fake message block 𝑴𝟏 , to compute 𝑪𝟏 , 2. sets the final ciphertext block 𝑪𝟐 , so that the following equation holds

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 24 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 𝑻 = GHASH 𝐿, aad ∥ 𝐶 ∥ Len aad, 𝐶 ⊕ 𝐸" 𝑁 ∥ 1 = 𝐚𝐚𝐝𝟏 J 𝑳𝟒 ⊕ 𝑪𝟏 J 𝑳𝟑 ⊕ 𝑪𝟐 J 𝑳𝟐 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏, 𝑪 J 𝑳 ⊕ 𝑬𝑲 𝑵 ∥ 𝟏 𝐶2 = 𝐸" 𝑁 ∥ 𝑖 + 1 ⊕ 𝑀2 *Authentication key: 𝐿 = 𝐸" 0345 𝑪𝟐 , J 𝑳𝟐 = 𝑻 ⊕ 𝐚𝐚𝐝𝟏 , J 𝑳𝟒 ⊕ 𝑪𝟏 , J 𝑳𝟑 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏 , , 𝑪, J 𝑳 ⊕ 𝑬𝑲 𝑵, ∥ 𝟏 Attack procedure 1. arbitrary chooses 𝑵,, 𝐚𝐚𝐝𝟏 , , and the fake message block 𝑴𝟏 , to compute 𝑪𝟏 , 2. sets the final ciphertext block 𝑪𝟐 , so that the following equation holds

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 25 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 𝑻 = GHASH 𝐿, aad ∥ 𝐶 ∥ Len aad, 𝐶 ⊕ 𝐸" 𝑁 ∥ 1 = 𝐚𝐚𝐝𝟏 J 𝑳𝟒 ⊕ 𝑪𝟏 J 𝑳𝟑 ⊕ 𝑪𝟐 J 𝑳𝟐 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏, 𝑪 J 𝑳 ⊕ 𝑬𝑲 𝑵 ∥ 𝟏 𝐶2 = 𝐸" 𝑁 ∥ 𝑖 + 1 ⊕ 𝑀2 *Authentication key: 𝐿 = 𝐸" 0345 𝑪𝟐 , J 𝑳𝟐 = 𝑻 ⊕ 𝐚𝐚𝐝𝟏 , J 𝑳𝟒 ⊕ 𝑪𝟏 , J 𝑳𝟑 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏 , , 𝑪, J 𝑳 ⊕ 𝑬𝑲 𝑵, ∥ 𝟏 Attack procedure 1. arbitrary chooses 𝑵,, 𝐚𝐚𝐝𝟏 , , and the fake message block 𝑴𝟏 , to compute 𝑪𝟏 , 2. sets the final ciphertext block 𝑪𝟐 , so that the following equation holds

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 4: Security of AES-GCM with Any Long Tags 26 Security Analysis An impersonation attack by a malicious group member n exploits a vulnerability of the linearity of GHASH in the known key setting n caused by the digital signature computed only (a list of) AEAD tags Example of GCM encryption n 2-block ciphertext C = (C1 , C2 ) and 1-block aad = aad1 𝑻 = GHASH 𝐿, aad ∥ 𝐶 ∥ Len aad, 𝐶 ⊕ 𝐸" 𝑁 ∥ 1 = 𝐚𝐚𝐝𝟏 J 𝑳𝟒 ⊕ 𝑪𝟏 J 𝑳𝟑 ⊕ 𝑪𝟐 J 𝑳𝟐 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏, 𝑪 J 𝑳 ⊕ 𝑬𝑲 𝑵 ∥ 𝟏 𝐶2 = 𝐸" 𝑁 ∥ 𝑖 + 1 ⊕ 𝑀2 *Authentication key: 𝐿 = 𝐸" 0345 𝑪𝟐 , J 𝑳𝟐 = 𝑻 ⊕ 𝐚𝐚𝐝𝟏 , J 𝑳𝟒 ⊕ 𝑪𝟏 , J 𝑳𝟑 ⊕ 𝐋𝐞𝐧 𝐚𝐚𝐝𝟏 , , 𝑪, J 𝑳 ⊕ 𝑬𝑲 𝑵, ∥ 𝟏 Attack procedure 1. arbitrary chooses 𝑵,, 𝐚𝐚𝐝𝟏 , , and the fake message block 𝑴𝟏 , to compute 𝑪𝟏 , 2. sets the final ciphertext block 𝑪𝟐 , so that the following equation holds

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Result 5: Security of AES-GCM with Short Tags 27 t 32 64 L q 21 222 22 220 23 218 24 215 25 213 26 211 211 232 213 229 215 226 217 223 219 220 221 217 c 262 262 261 265 266 267 275 274 273 272 271 270 [MW16] J. Mattson et al. Authentication key recovery on galois/counter mode (GCM). In AFRICACRYPT 2016. l t：tag length (bits) l L：maximum combined length of aad and C l q：maximum number of invocations of the authentication decryption function l c：data complexity for the authentication key recovery under each restriction of (L, q) Security Analysis An authentication key recovery attack n exploits the fact that there is no restriction for the usage of GCM with short tags NIST requirements for the use of GCM with short tags [MW16] The specification does not mention the restrictions of (L, q) n The attack is practically feasible with a data complexity of 26 (e.g., 4-byte tag).

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Summary 28 Conclusion SFrame is not E2EE-secure when using the following ciphersuites n AES-CM-HMAC with short tags, especially 4-byte tag n AES-GCM with any long tags SFrame is E2EE-secure when using AES-CM-HMAC with long tags n The SCU security of it depends on the security of underlying hash function Communication with the SFrame designers n They acknowledged our findings and quickly revised its specification u remove the signature mechanism u extend tag calculation to cover nonces n draft-omara-sframe-01 → draft-omara-sframe-02 (current version)

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Summary 29 Conclusion SFrame is not E2EE-secure when using the following ciphersuites n AES-CM-HMAC with short tags, especially 4-byte tag n AES-GCM with any long tags SFrame is E2EE-secure when using AES-CM-HMAC with long tags n The SCU security of it depends on the security of underlying hash function Communication with the SFrame designers n They acknowledged our findings and quickly revised its specification u remove the signature mechanism u extend tag calculation to cover nonces n draft-omara-sframe-01 → draft-omara-sframe-02 (current version) Thank you!

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Recommendations 30 Appendix From the vulnerabilities shown in Results 2-5, we recommend the followings: 1. For AES-CM-HMAC, short tags, especially 4-byte tag, should not be used 2. For AES-GCM, a signature should be computed over a whole frame, not only tags 3. For AES-GCM, the specification should be clearly forbit short tags, or refer to the NIST requirements on the usage of GCM with short tags 4. Switch to other ciphersuite that works as a secure encryptment scheme, such as HFC [DGRW18], with a sufficiently long tag is another option [DGRW18] Dodis et al. Fast message franking: From invisible salamanders to encryptment. In CRYPTO 2018

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Theorem 1: Security of AES-CM-HMAC with Long Tags 31 Theorem 1. Let 𝒜 be a SCU adversary against AES-CM-HMAC with the target encryption output being at most ℓ bits. Then, SCU advantage of 𝒜 against AES-CM-HMAC is bounded as 𝐀𝐝𝐯𝐀𝐄𝐒.𝐂𝐌.𝐇𝐌𝐀𝐂 𝐒𝐂𝐔 𝓐 < 𝟐𝐀𝐝𝐯 𝑯 𝐞𝐒𝐞𝐜 6 ℓ! 𝓐8 for some eSec adversary 𝒜8 against 𝐻, which denotes the underlying SHA256 hash function, where ℓ8 = ℓ+512 (i.e., one block larger). SCU security [DGRW18] n security notion for an unforgeability goal in the known key setting Second-ciphertext Unforgeability (SCU) Secure AEAD [DGRW18] Y. Dodis et al. Fast Message Franking: From Invisible salamanders to encryptment. In CRYPTO 2018. [RS04] P. Rogaway and T. Shrimpton. Cryptographic Hash Function Basics. In FSE 2004. Everywhere Second-Preimage (eSec) Resistance [RS04] n a slight extension of a strong form of second-preimage resistance Appendix

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Proof Sketch of Theorem 1 32 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 𝑫𝒍$𝟏 𝑻 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 ∗ 𝑫𝒍$𝟏 ∗ 𝑻∗ 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺∗ 𝐷 = aad𝐿𝑒𝑛 ∥ aad ∥ 𝐶 Appendix 𝐷∗ = aad𝐿𝑒𝑛 ∥ aad ∥ 𝐶∗

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Proof Sketch of Theorem 1 33 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 𝑫𝒍$𝟏 𝑻 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 ∗ 𝑫𝒍$𝟏 ∗ 𝑻∗ 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺∗ 𝑺 = 𝑺∗ ? Case 1: 𝒜 finds 𝑆 = 𝑆∗ Appendix

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Proof Sketch of Theorem 1 34 𝑻 = 𝑻∗ ? 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 𝑫𝒍$𝟏 𝑻 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 ∗ 𝑫𝒍$𝟏 ∗ 𝑻∗ 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺∗ 𝑺 ≠ 𝑺∗ Case 2: 𝒜 finds 𝑆 ≠ 𝑆∗ and 𝑇 = 𝑇∗ Appendix

Takanori Isobe, Ryoma Ito, Kazuhiko Minemastu ESORICS 2021, October 7, 2021. Security Analysis of SFrame Proof Sketch of Theorem 1 35 𝑻 = 𝑻∗ ? 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 𝑫𝒍$𝟏 𝑻 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺 𝑓 𝑓 𝑓 ⋯ 𝐾 ⊕ 𝑖𝑝𝑎𝑑 IV 𝑫𝟎 ∗ 𝑫𝒍$𝟏 ∗ 𝑻∗ 𝑓 𝑓 𝐾 ⊕ 𝑜𝑝𝑎𝑑 IV 𝑺∗ 𝑺 = 𝑺∗ ? Case 1: 𝒜 finds 𝑆 = 𝑆∗ Case 2: 𝒜 finds 𝑆 ≠ 𝑆∗ and 𝑇 = 𝑇∗ Appendix 𝐀𝐝𝐯𝐀𝐄𝐒$𝐂𝐌$𝐇𝐌𝐀𝐂 𝐒𝐂𝐔 𝓐 ≤ 𝐀𝐝𝐯 𝑯 𝐞𝐒𝐞𝐜 0 ℓ! 𝓐2 + 𝐀𝐝𝐯𝑯 𝐞𝐒𝐞𝐜 0𝟏𝟎𝟐𝟒 𝓐2 𝐀𝐝𝐯𝐀𝐄𝐒$𝐂𝐌$𝐇𝐌𝐀𝐂 𝐒𝐂𝐔 𝓐 < 𝟐𝐀𝐝𝐯 𝑯 𝐞𝐒𝐞𝐜 0 ℓ! 𝓐2 ① ②