Paper 2020/1491

Partitioning Oracle Attacks

Julia Len, Paul Grubbs, and Thomas Ristenpart


In this paper we introduce partitioning oracles, a new class of decryption error oracles which, conceptually, take a ciphertext as input and output whether the decryption key belongs to some known subset of keys. We introduce the first partitioning oracles which arise when encryption schemes are not committing with respect to their keys. We detail novel adaptive chosen ciphertext attacks that exploit partitioning oracles to efficiently recover passwords and de-anonymize anonymous communications. The attacks utilize efficient key multi-collision algorithms --- a cryptanalytic goal that we define --- against widely used authenticated encryption with associated data (AEAD) schemes, including AES-GCM, XSalsa20/Poly1305, and ChaCha20/Poly1305. We build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. We also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available committing AEAD to avoid such vulnerabilities.

Note: We updated our work to include a better discussion of prior work and incorporate miscellaneous feedback.

Available format(s)
Publication info
Published elsewhere. MAJOR revision.USENIX Security 2021
authenticated encryptioncommitting AEADrobustnesskey commitmentAES-GCMchosen ciphertext attack
Contact author(s)
jlen @ cs cornell edu
2020-12-11: revised
2020-11-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Julia Len and Paul Grubbs and Thomas Ristenpart},
      title = {Partitioning Oracle Attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1491},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.