research-article

The Security of ChaCha20-Poly1305 in the Multi-User Setting

Authors:

Jean Paul Degabriele,

Jérôme Govinden,

Felix Günther,

Kenneth G. PatersonAuthors Info & Claims

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Pages 1981 - 2003

https://doi.org/10.1145/3460120.3484814

Published: 13 November 2021 Publication History

Get Access

Abstract

The ChaCha20-Poly1305 AEAD scheme is being increasingly widely deployed in practice. Practitioners need proven security bounds in order to set data limits and rekeying intervals for the scheme. But the formal security analysis of ChaCha20-Poly1305 currently lags behind that of AES-GCM. The only extant analysis (Procter, 2014) contains a flaw and is only for the single-user setting. We rectify this situation. We prove a multi-user security bound on the AEAD security of ChaCha20-Poly1305 and establish the tightness of each term in our bound through matching attacks. We show how our bound differs both qualitatively and quantitatively from the known bounds for AES-GCM, highlighting how subtle design choices lead to distinctive security properties. We translate our bound to the nonce-randomized setting employed in TLS 1.3 and elsewhere, and we additionally improve the corresponding security bounds for GCM. Finally, we provide a simple yet stronger variant of ChaCha20-Poly1305 that addresses the deficiencies highlighted by our analysis.

Supplementary Material

MP4 File (CCS21-fp593.mp4)

The ChaCha20-Poly1305 AEAD scheme is being increasingly widely deployed in practice. Practitioners need proven security bounds in order to set data limits and rekeying intervals for the scheme. But the formal security analysis of ChaCha20-Poly1305 currently lags behind that of AES-GCM. The only extant analysis (Procter, 2014) contains a flaw and is only for the single-user setting. In this presentation, we will show how we rectified this situation by proving a tight multi-user security bound on the AEAD security of ChaCha20-Poly1305 and, in the process, how we additionally improved the security bounds for GCM, when used in a nonce-randomized setting as in TLS 1.3 and elsewhere. We also show how our bound differs both qualitatively and quantitatively from the known bounds for AES-GCM, highlighting how subtle design choices lead to distinctive security properties.

Download
32.89 MB

References

[1]

Mohamed Ahmed Abdelraheem, Peter Beelen, Andrey Bogdanov, and Elmar Tischhauser. 2015. Twisted Polynomials and Forgery Attacks on GCM. In EUROCRYPT 2015, Part I (LNCS, Vol. 9056), Elisabeth Oswald and Marc Fischlin (Eds.). Springer, Heidelberg, 762--786. https://doi.org/10.1007/978--3--662--46800--5_29

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

Multi-User Security of CCM Authenticated Encryption Mode

Tighter Security Proofs for Post-quantum Key Encapsulation Mechanism in the Multi-challenge Setting

Tightly CCA-secure encryption scheme in a multi-user setting with corruptions

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations