Cryptology ePrint Archive: Report 2020/1491

Partitioning Oracle Attacks

Julia Len and Paul Grubbs and Thomas Ristenpart

Abstract: In this paper we introduce partitioning oracles, a new class of decryption error oracles which, conceptually, take a ciphertext as input and output whether the decryption key belongs to some known subset of keys. We introduce the first partitioning oracles which arise when encryption schemes are not committing with respect to their keys. We detail novel adaptive chosen ciphertext attacks that exploit partitioning oracles to efficiently recover passwords and de-anonymize anonymous communications. The attacks utilize efficient key multi-collision algorithms --- a cryptanalytic goal that we define --- against widely used authenticated encryption with associated data (AEAD) schemes, including AES-GCM, XSalsa20/Poly1305, and ChaCha20/Poly1305.

We build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. We also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available committing AEAD to avoid such vulnerabilities.

Category / Keywords: applications / authenticated encryption, committing AEAD, robustness, key commitment, AES-GCM, chosen ciphertext attack

Original Publication (with major differences): USENIX Security 2021

Date: received 28 Nov 2020, last revised 11 Dec 2020

Contact author: jlen at cs cornell edu

Available format(s): PDF | BibTeX Citation

Note: We updated our work to include a better discussion of prior work and incorporate miscellaneous feedback.

Version: 20201211:214322 (All versions of this report)

Short URL: ia.cr/2020/1491