The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3

Mihir Bellare and Bjoern Tackmann

Abstract

We initiate the study of multi-user (mu) security of authenticated encryption (AE) schemes as a way to rigorously formulate, and answer, questions about the "randomized nonce" mechanism proposed for the use of the AE scheme GCM in TLS 1.3. We (1) Give definitions of mu ind (indistinguishability) and mu kr (key recovery) security for AE (2) Characterize the intent of nonce randomization as being improved mu security as a defense against mass surveillance (3) Cast the method as a (new) AE scheme RGCM (4) Analyze and compare the mu security of both GCM and RGCM in the model where the underlying block cipher is ideal, showing that the mu security of the latter is indeed superior in many practical contexts to that of the former, and (5) Propose an alternative AE scheme XGCM having the same efficiency as RGCM but better mu security and a more simple and modular design.

Note: Added numerical comparison between the schemes. Expanded and corrected the proof of RGCM security.

Available format(s)
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in CRYPTO 2016
Keywords
authenticated encryptionTLS 1.3multi-user securitymass surveillance
Contact author(s)
bjoern tackmann @ ieee org
History
2017-11-27: last of 4 revisions
See all versions
Short URL
https://ia.cr/2016/564

CC BY

BibTeX

@misc{cryptoeprint:2016/564,
author = {Mihir Bellare and Bjoern Tackmann},
title = {The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3},
howpublished = {Cryptology ePrint Archive, Paper 2016/564},
year = {2016},
note = {\url{https://eprint.iacr.org/2016/564}},
url = {https://eprint.iacr.org/2016/564}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.