Backtracking resistance

AndAlBo / draft-irtf-cfrg-aead-properties

Properties of AEAD algorithms

5 stars 1 forks source link

Backtracking resistance #6

Closed jedisct1 closed 9 months ago

jedisct1 commented 11 months ago

Hi,

I'd like to suggest additional properties related to backtracking resistance.

Backtracking resistance: the state is non-invertible; leaking a state doesn't reveal any information about previous states, including the initial state or key schedule.
Key backtracking resistance: leaking a state doesn't reveal any information about the initial state (for example due to key whitening) or key schedule.

Backtracking resistance implies key backtracking resistance.

These properties are useful. In particular, ephemeral keys can be wiped even before any message block has been encrypted. This improves resistance against cold boot attacks and other forms of state leakage.

AndAlBo commented 9 months ago

Hi Frank,

There is a problem I've encountered with that property—I can't find any AE-specific reference or relevant security notion. It is clearly closely connected with the forward security of PRNGs and stream ciphers, but those have states explicitly defined, in contrast to AEADs. Perhaps you are aware of some AE-specific research on backtracking/FS?

On the other hand, it feels like it can be defined in terms of leakage resistance, but that would be rather unusual and still lacks references.

jedisct1 commented 9 months ago

Yes, this is a common property, originally introduced by NIST for DRBGs, but unfortunately I'm not aware of research focused on that property in the context of AEADs.

The closest I can think of is https://eprint.iacr.org/2017/1137.pdf that considers the invertibility of the state in different AEADs.

If you feel like a reference is necessary for all properties, forget about these, even though I think they are useful.

AndAlBo commented 9 months ago

I also think that these properties are useful. I've been considering for the last few days that it would be a cool topic to write a paper on (there should be some interesting connections with leakage resistance notions, too). However, I feel it is important to have references for security properties in the draft.

jedisct1 commented 9 months ago

I'd be up for writing a paper on that topic, too. Let me know if this is something you think we could collaborate on!

In the meantime, I guess that issue can be closed.