
In an interesting paper called "Partitioning Oracle Attacks" by Julia Len, Paul Grubbs & Thomas Ristenpart, an attack is presented on 1.5-pass AEAD schemes that utilize GMAC (GCM, AES-GCM, AES-GCM-SIV) and Poly1305, which is often used with a ChaCha/Salsa variant.

In the paper they mention that older schemes based on HMAC authentication are not vulnerable to this attack because they provide the key commitment property.

Do CCM with CBC-MAC and EAX with AES-CMAC provide key commitment as well? Or is - for instance - the output size of the MAC constructions too small? If they don't provide full key commitment, are they susceptible to this attack?

  • Hey, coauthor of the paper here. The committing security of either CCM or EAX is officially an open problem. Unofficially, I think the answers are "yes, but with crappy bounds" and "no", respectively, but that's just my intuition.
    – pg1989
    Commented Jan 26, 2021 at 1:03
