
Proposed Cipher suite:

aes-ctr(key, ++iv, sha-1(plainText + aes-ctr(key,iv,0^128))+(plainText + aes-ctr(key,iv,0^128)));

Security targets achieved:

  1. Encryption of the plain text.
  2. Integrity of the plain text.
  3. Authenticity of the plain text.

Used components and reason behind using them:

  1. sha-1: For checking integrity of the plaintext.
  2. aes-ctr: Used for encryption of the plaintext.
  3. aes-ctr(sha-1): sha-1's output is encrypted with aes-ctr to provide authenticity of the plaintext.

Reasons I think it is secure:

  1. As aes-ctr is a secure encryption algorithm, we can't predict the key-stream.
  2. To generate a new ciphertext the attacker needs to have knowledge about the message encrypted. Here the message is sha-1(plainText + aes-ctr(key,iv,0^128))+(plainText + aes-ctr(key,iv,0^128)), which would be unique for every message because of using the key stream aes-ctr(key,iv,0^128). Hence it is not attackable by chosen plaintext attack.
  3. We also can't predict the sha-1 value because every time a new sha-1 would be generated, because the text used to generate it is plainText + aes-ctr(key,iv,0^128), which contains the unpredictable key stream aes-ctr(key,iv,0^128).
  4. Hence the encrypted message can be authenticated and checked for integrity.

This method is an improved version derived from the method proposed in this question.

  • It's almost certainly not. But your notation is very unclear. "aes-ctr" gets two inputs in one case and only one input in the other cases. What does "iv(0)" mean? You should (a) learn some standard notation. (b) If you think you have a secure construction, attempt to give a security proof yourself, and if you are stuck but still think it's secure, ask specific questions. We are not an oracle for half-baked authenticated encryption ideas. – Maeher Dec 13 '18 at 09:18
  • Why don't you just use AES in GCM mode? – forest Dec 13 '18 at 09:24
  • @forest maybe due to some of these (https://crypto.stackexchange.com/questions/18420/aes-gcm-disadvantage), or what if GCM's polynomial H point gets cracked in future. So I am trying to generate a cipher suite which would be totally dependent on aes-ctr. Until aes-ctr is broken, we can stay in peace. – distinguishedUser Dec 13 '18 at 09:50
  • @distinguishedUser GCM is not going to get "cracked" in the future. It is proven secure. – forest Dec 13 '18 at 10:00
  • @forest This would lead us to know the basic working principle of GCM. – distinguishedUser Dec 13 '18 at 10:03
  • @forest it means what part of gcm can be replaced with other similar algorithms? – distinguishedUser Dec 13 '18 at 10:06
  • @distinguishedUser But that's not what your question is asking. Your question is proposing a (broken) authentication scheme that is nothing like GCM. – forest Dec 13 '18 at 10:07
  • @forest it is similar to gcm in the sense that in gcm the output of GHASH_H(X) is encrypted by aes-ctr, like sha-1 is encrypted here. The other thing is the key-dependent point H, whose key is generated by some_function(aes-key,0^128), like here aes-ctr(key,iv,0^128). – distinguishedUser Dec 13 '18 at 10:32
  • @distinguishedUser That is not what happens in GCM... – forest Dec 13 '18 at 10:34
  • @forest Agree, but similar. – distinguishedUser Dec 13 '18 at 10:35
  • @forest my reasoning also proves this method as proven secure. Do you find any of my reasoning wrong? – distinguishedUser Dec 13 '18 at 10:36
  • Your method is most certainly not proven secure... Simply arguing that something is secure is not a formal proof of security of the kind that authentication algorithms like GCM or Poly1305 have. – forest Dec 13 '18 at 10:37
  • Aren't the reasons enough, until someone points out a flaw in the reasoning? – distinguishedUser Dec 13 '18 at 10:38
  • @forest somewhat true. – distinguishedUser Dec 13 '18 at 10:40
  • But people have already pointed out that it is not secure. Not to mention your lack of design rational and the like which make it difficult to audit. If you want a free audit, at least put some work in. – forest Dec 13 '18 at 10:44
  • "But people have already pointed out that it is not secure." Can you please point out their reasoning? This new method is different from the one proposed in the derived question. "which make it difficult to audit" Would you be more elaborate? I am unable to understand "your lack of design rational and the like which make it difficult to audit"; would you please be more specific? "a free audit" I have no intention to make a patent on it. It is open source. – distinguishedUser Dec 13 '18 at 10:51
  • You may want to note that the chart of GCM on wikipedia is quite misleading in that $H$ (a key parameter to the polynomial hash) is secret, as it's derived immediately from the key. Therefore one cannot publicly evaluate the polynomial hash, unlike with SHA1. – SEJPM Dec 13 '18 at 13:16
  • @SEJPM Noted. This was confusing. Thanks for clarification. – distinguishedUser Dec 13 '18 at 13:18


I run a chosen plaintext attack against the authenticity of the scheme as follows:

I request a ciphertext for message $0^{96}\mathbin\|0^{128}\mathbin\|0^{128}\mathbin\|0^{128}\mathbin\|0^{128} = 0^{608}$. A fresh $IV$ will be chosen and a key stream $k_0\mathbin\|k_1\mathbin\|k_2\mathbin\|k_3\mathbin\|k_4\mathbin\|k_5\mathbin\|k_6\mathbin\|k_7$ will be derived from key $k$ and $IV$.

I will receive the $IV$ and a ciphertext \begin{align}c=&(H(0^{608}\mathbin\|k_0)\mathbin\|0^{96})\oplus (k_1\mathbin\|k_2)\mathbin\|0^{128}\oplus k_3\mathbin\|0^{128}\oplus k_4\mathbin\|0^{128}\oplus k_5\mathbin\|0^{128}\oplus k_6\mathbin\|k_0\oplus k_7\\ =&(H(0^{608}\mathbin\|k_0)\mathbin\|0^{96})\oplus (k_1\mathbin\|k_2)\mathbin\|k_3\mathbin\|k_4\mathbin\|k_5\mathbin\|k_6\mathbin\|k_0\oplus k_7\end{align}

I now choose an arbitrary message $m \in \{0,1\}^{96}$ and compute the ciphertext \begin{align} c' = (H(m\mathbin\|k_3)\mathbin\|m)\oplus(k_4\mathbin\|k_5)\mathbin\|k_3\oplus k_6 \end{align} and output $c'$ together with $IV'=IV+3$.

$(IV',c')$ is now a valid ciphertext for $m$. This works because CTR mode with $IV+3$ will result in a keystream $k'_0\mathbin\|k'_1\mathbin\|k'_2\mathbin\|k'_3 = k_3\mathbin\|k_4\mathbin\|k_5\mathbin\|k_6$.

kelalaka
Maeher
  • @Maeher This is possible. But how would you get aes-ctr(key,iv,0^128)? aes-ctr(key,iv,0^128) would get dissolved. Or am I making some mistake? – distinguishedUser Dec 13 '18 at 11:49
  • I don't understand your question. $\operatorname{AES-CTR}(k,IV',0^{128})=\operatorname{AES-CTR}(k,IV+3,0^{128})=k_3$. So the original ciphertext $c$ just leaks that information. – Maeher Dec 13 '18 at 11:59
  • I didn't understand your answer. What I understood is, you are sending bits of zeros to get a key stream which can be used for generating ciphertext, but the first 128 bits of the key stream, say k0, would not be available to you, as that key stream is going to be XORed by another key stream of 128 bits. – distinguishedUser Dec 13 '18 at 12:05
  • The other thing is, how are you going to be able to give input of your desired message? – distinguishedUser Dec 13 '18 at 12:12
  • Which is why, when constructing $c'$, I'm skipping $k_0,k_1,k_2$ and using $k_3$ as my new $k'_0$ by using the initialization vector $IV+3$. – Maeher Dec 13 '18 at 12:12
  • Awesome, it is a pleasure to get this type of intelligent answer. But this is only possible if you have access to get ciphertext for your desired message. Which is rare. – distinguishedUser Dec 13 '18 at 12:15
  • It is also not necessary. I chose $0^{608}$ for convenience. Any known message of at least $608$ bits is fine. – Maeher Dec 13 '18 at 12:18
  • @Maeher So you are saying that the message need not consist of only zero bits? – distinguishedUser Dec 13 '18 at 12:20
  • Security against chosen plaintext attacks is the absolute minimum required of any modern encryption scheme. And as I said, this is not even necessary. Any known (as opposed to chosen) message of sufficient length is fine. You can reconstruct the keystream by simply xoring the message with the ciphertext. – Maeher Dec 13 '18 at 12:24
  • @distinguishedUser We have a Q&A regarding how to obtain encryptions of chosen messages, you may want to read it. – SEJPM Dec 13 '18 at 12:26
  • @Maeher Fantastic answer for me. I would propose one more method soon which would be the last one. – distinguishedUser Dec 13 '18 at 13:01
  • @Maeher This is the last proposed method. (https://crypto.stackexchange.com/questions/64841/ciphertext-aes-ctrkey-iv-plaintext-authtag-aes-ctrkey-iv-aes-ec)- – distinguishedUser Dec 13 '18 at 14:11
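To make the answer's argument concrete, here is an added Go example (not code from the question or the answer) that implements the proposed scheme as the answer reads it, namely `aes-ctr(key,iv,0^128)` is the keystream block at counter `iv` and `++iv` means the body is encrypted starting at counter `iv+1`, together with a receiver that checks both the sha-1 tag and the trailing keystream block. The `forge` function then carries out the known-plaintext forgery from the answer and its comments: one known 76-byte (608-bit) plaintext under `iv` leaks `k3..k6`, which is enough to build a ciphertext for any 12-byte message under `IV+3` that the receiver accepts. The key, IV, plaintexts and function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"math/big"
)

// ivPlus returns the 128-bit big-endian counter iv+n, which is how Go's CTR mode counts.
func ivPlus(iv []byte, n int64) []byte {
	return new(big.Int).Add(new(big.Int).SetBytes(iv), big.NewInt(n)).FillBytes(make([]byte, 16))
}

// ctr XORs src with the AES-CTR keystream that starts at counter value iv.
func ctr(key, iv, src []byte) []byte {
	blk, _ := aes.NewCipher(key)
	dst := make([]byte, len(src))
	cipher.NewCTR(blk, iv).XORKeyStream(dst, src)
	return dst
}
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// seal is the proposed scheme: k0 = aes-ctr(key,iv,0^128); c = aes-ctr(key, iv+1, sha-1(p||k0) || p || k0).
func seal(key, iv, p []byte) []byte {
	k0 := ctr(key, iv, make([]byte, 16))
	tag := sha1.Sum(cat(p, k0))
	return ctr(key, ivPlus(iv, 1), cat(tag[:], p, k0))
}

// open decrypts and checks both the trailing k0 and the sha-1 tag; returns (plaintext, ok).
func open(key, iv, c []byte) ([]byte, bool) {
	if len(c) < 36 { return nil, false } // at least tag (20 bytes) + k0 (16 bytes)
	body := ctr(key, ivPlus(iv, 1), c)
	tag, p, k0 := body[:20], body[20:len(body)-16], body[len(body)-16:]
	want := sha1.Sum(cat(p, k0))
	return p, bytes.Equal(k0, ctr(key, iv, make([]byte, 16))) && bytes.Equal(tag, want[:])
}

// forge is the answer's attack, run without the key: one known (iv, p, c) with len(p) >= 76 leaks
// keystream blocks k3..k6 (c[32:96] = p[12:76] xor k3||k4||k5||k6), enough to forge any 12-byte m under iv+3.
func forge(iv, p, c, m []byte) ([]byte, []byte) {
	ks := make([]byte, 64)
	for i := range ks { ks[i] = c[32+i] ^ p[12+i] }
	tag := sha1.Sum(cat(m, ks[:16])) // receiver derives k0' = AES_k(iv+3) = k3 and decrypts with k4,k5,k6
	body := cat(tag[:], m, ks[:16])
	for i := range body { body[i] ^= ks[16+i] }
	return ivPlus(iv, 3), body
}
```

The forger never touches the key; it only needs the ciphertext of one message of at least 608 bits whose content it knows, which is exactly the point made in the comments above.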