ETH Zurich

mail@felixguenther.info

Mozilla

mt@lowentropy.net

Cloudflare

caw@heapingbits.net

Internet-Draft An Authenticated Encryption with Associated Data (AEAD) algorithm provides confidentiality and integrity. Excessive use of the same key can give an attacker advantages in breaking these properties. This document provides simple guidance for users of common AEAD functions about how to limit the use of keys in order to bound the advantage given to an attacker. Discussion Venues Source for this draft and an issue tracker can be found at https://github.com/chris-wood/draft-wood-cfrg-aead-limits.

Introduction An Authenticated Encryption with Associated Data (AEAD) algorithm provides confidentiality and integrity. specifies an AEAD as a function with four inputs - secret key, nonce, plaintext, and optional associated data - that produces ciphertext output and error code indicating success or failure. The ciphertext is typically composed of the encrypted plaintext bytes and an authentication tag. The generic AEAD interface does not describe usage limits. Each AEAD algorithm does describe limits on its inputs, but these are formulated as strict functional limits, such as the maximum length of inputs, which are determined by the properties of the underlying AEAD composition. Degradation of the security of the AEAD as a single key is used multiple times is not given a thorough treatment. The number of times a single pair of key and nonce can be used might also be relevant to security. For some algorithms, such as AEAD_AES_128_GCM or AEAD_AES_256_GCM, this limit is 1 and using the same pair of key and nonce has serious consequences for both confidentiality and integrity; see . Nonce-reuse resistant algorithms like AEAD_AES_128_GCM_SIV can tolerate a limited amount of nonce reuse. It is good practice to have limits on how many times the same key (or pair of key and nonce) are used. Setting a limit based on some measurable property of the usage, such as number of protected messages or amount of data transferred, ensures that it is easy to apply limits. This might require the application of simplifying assumptions. For example, TLS 1.3 specifies limits on the number of records that can be protected, using the simplifying assumption that records are the same size; see Section 5.5 of . Currently, AEAD limits and usage requirements are scattered among peer-reviewed papers, standards documents, and other RFCs. Determining the correct limits for a given setting is challenging as papers do not use consistent labels or conventions, and rarely apply any simplifications that might aid in reaching a simple limit. The intent of this document is to collate all relevant information about the proper usage and limits of AEAD algorithms in one place. This may serve as a standard reference when considering which AEAD algorithm to use, and how to use it.

Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Notation This document defines limitations in part using the quantities below.

Symbol	Description
n	Size of the AEAD block cipher (in bits)
t	Size of the authentication tag (in bits)
l	Length of each message (in blocks)
s	Total plaintext length in all messages (in blocks)
q	Number of encryption attempts
v	Number of forgery attempts
p	Adversary attack probability

For each AEAD algorithm, we define the confidentiality and integrity advantage roughly as the advantage an attacker has in breaking the corresponding security property for the algorithm. Specifically:

• Confidentiality advantage (CA): The advantage of an attacker succeeding in breaking the confidentiality properties of the AEAD. In this document, the definition of confidentiality advantage is the increase in the probability that an attacker is able to successfully distinguish an AEAD ciphertext from the output of an ideal pseudorandom permutation (PRP).
• Integrity advantage (IA): The probability of an attacker succeeding in breaking the integrity properties of the AEAD. In this document, the definition of integrity advantage is the probability that an attacker is able to forge a ciphertext that will be accepted as valid.

Each application requires a different application of limits in order to keep CA and IA sufficiently small. For instance, TLS aims to keep CA below 2^-60 and IA below 2^-57. See , Section 5.5.

Calculating Limits Once an upper bound on CA and IA are determined, this document defines a process for determining two overall limits:

• Confidentiality limit (CL): The number of bytes of plaintext and maybe authenticated additional data (AAD) an application can encrypt before giving the adversary a non-negligible CA.
• Integrity limit (IL): The number of bytes of ciphertext and maybe authenticated additional data (AAD) an application can process, either successfully or not, before giving the adversary a non-negligible IA.

For an AEAD based on a block function, it is common for these limits to be expressed instead in terms of the number of blocks rather than bytes. Furthermore, it might be more appropriate to track the number of messages rather than track bytes. Therefore, the guidance is usually based on the total number of blocks processed (s). To aid in calculating limits for message-based protocols, a formulation of limits that includes a maximum message size (l) is included. All limits are based on the total number of messages, either the number of protected messages (q) or the number of forgery attempts (v); which correspond to CL and IL respectively. Limits are then derived from those bounds using a target attacker probability. For example, given a confidentiality advantage of v * (8l / 2^106) and attacker success probability of p, the algorithm remains secure, i.e., the adversary's advantage does not exceed the probability of success, provided that v <= (p * 2^106) / 8l. In turn, this implies that v <= (p * 2^106) / 8l is the corresponding limit.

AEAD Limits and Requirements This section summarizes the confidentiality and integrity bounds and limits for modern AEAD algorithms used in IETF protocols, including: AEAD_AES_128_GCM , AEAD_AES_256_GCM , AEAD_AES_128_CCM , AEAD_CHACHA20_POLY1305 , AEAD_AES_128_CCM_8 . The CL and IL values bound the total number of encryption and forgery queries (q and v). Alongside each value, we also specify these bounds.

AEAD_AES_128_GCM and AEAD_AES_256_GCM The CL and IL values for AES-GCM are derived in and summarized below. For this AEAD, n = 128 and t = 128 . In this example, the length s is the sum of AAD and plaintext, as described in .

Confidentiality Limit This implies the following usage limit: Which, for a message-based protocol with s <= q * l, if we assume that every packet is size l, produces the limit:

Integrity Limit This implies the following limit:

AEAD_CHACHA20_POLY1305 The only known analysis for AEAD_CHACHA20_POLY1305 combines the confidentiality and integrity limits into a single expression, covered below: This advantage is a tight reduction based on the underlying Poly1305 PRF . It implies the following limit:

AEAD_AES_128_CCM The CL and IL values for AEAD_AES_128_CCM are derived from and specified in the QUIC-TLS mapping specification . This analysis uses the total number of underlying block cipher operations to derive its bound. For CCM, this number is the sum of: the length of the associated data in blocks, the length of the ciphertext in blocks, the length of the plaintext in blocks, plus 1. In the following limits, this is simplified to a value of twice the length of the packet in blocks, i.e., 2l represents the effective length, in number of block cipher operations, of a message with l blocks. This simplification is based on the observation that common applications of this AEAD carry only a small amount of associated data compared to ciphertext. For example, QUIC has 1 to 3 blocks of AAD. For this AEAD, n = 128 and t = 128.

Confidentiality Limit This implies the following limit:

Integrity Limit This implies the following limit: In a setting where v or q is sufficiently large, v is negligible compared to (2l * (v + q))^2, so this this can be simplified to:

AEAD_AES_128_CCM_8 The analysis in also applies to this AEAD, but the reduced tag length of 64 bits changes the integrity limit calculation considerably. This results in reducing the limit on v by a factor of 2^64.

Security Considerations Many of the formulae in this document depend on simplifying assumptions that are not universally applicable. When using this document to set limits, it is necessary to validate all these assumptions for the setting in which the limits might apply. In most cases, the goal is to use assumptions that result in setting a more conservative limit, but this is not always the case.

IANA Considerations This document does not make any request of IANA.

References Normative References n.d. n.d. This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm. RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section. This memo describes the use of the Advanced Encryption Standard (AES) in the Counter with Cipher Block Chaining - Message Authentication Code (CBC-MAC) Mode (CCM) of operation within Transport Layer Security (TLS) and Datagram TLS (DTLS) to provide confidentiality and data origin authentication. The AES-CCM algorithm is amenable to compact implementations, making it suitable for constrained environments. [STANDARDS-TRACK] Informative References This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This document describes how Transport Layer Security (TLS) is used to secure QUIC. Note to Readers Discussion of this draft takes place on the QUIC working group mailing list (quic@ietf.org (mailto:quic@ietf.org)), which is archived at https://mailarchive.ietf.org/arch/ search/?email_list=quic. Working Group information can be found at https://github.com/quicwg; source code and issues list for this draft can be found at https://github.com/quicwg/base-drafts/labels/-tls.