3

Recently, another question here made me start thinking about authenticated encryption.

In my understanding, AE allows checking whether a key is valid for decryption without even decrypting the complete ciphertext. Instead, only the MAC will be checked, which should be considerably faster.

My questions are:

  1. Does this feature of AE make it more vulnerable to bruteforce attacks?
  2. Why is this not significant? (It can't be, since TLS 1.3 allows only AEAD modes.)
  3. Does the defense of AE schemes against key bruteforcing boil down to the strength of the hash function, which combines the secret key and plain- or ciphertext (depending on EtM/E&M/MtE)?

1 Answer

3

> Instead, only the MAC will be checked, which should be considerably faster.

Not so. In fact, it can be the opposite.

  • For Encrypt then MAC, you'd have to MAC the entire ciphertext to test a MAC key
  • For both Encrypt and MAC and MAC then Encrypt you'd have to decrypt the entire ciphertext and then MAC the entire plaintext to test an encryption+MAC key
  • If the ciphertext starts with a known plaintext block, you can decrypt the first block and see if it matches to test an encryption key

The fastest of those options is the 3rd, and ciphers should still be secure against that. With a 128-bit or larger key there are just too many possibilities to guess (as long as the key is random).

AndrolGenhald
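As an added illustration (not part of the original answer), the sketch below counts how many bytes one key guess has to process under each option in the answer's list, then estimates how long a 128-bit keyspace takes to exhaust. The SHA-256 keystream is a stdlib stand-in for a real cipher, E&M stands for both E&M and MtE as the answer groups them, and all function names, sample data and the 10^12 guesses per second rate are assumptions.

```python
import hashlib, hmac

BLOCK = 16  # bytes per block

def keystream(key, nblocks):
    # Stand-in for a CTR-mode cipher, built from SHA-256 so the example is stdlib-only.
    return b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()[:BLOCK]
                    for i in range(nblocks))

def crypt(key, data):
    # XOR with the keystream; the same call encrypts and decrypts.
    ks = keystream(key, -(-len(data) // BLOCK))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(mode, enc_key, mac_key, pt):
    # "EtM" tags the ciphertext; "E&M" tags the plaintext.
    ct = crypt(enc_key, pt)
    return ct, mac(mac_key, ct if mode == "EtM" else pt)

# Each check returns (key_is_right, bytes_processed_for_this_guess).
def check_etm(mac_key, ct, tag):
    return hmac.compare_digest(mac(mac_key, ct), tag), len(ct)

def check_e_and_m(enc_key, mac_key, ct, tag):
    pt = crypt(enc_key, ct)  # decrypt everything, then MAC all of it
    return hmac.compare_digest(mac(mac_key, pt), tag), 2 * len(ct)

def check_known_block(enc_key, ct, known_first_block):
    first = crypt(enc_key, ct[:BLOCK])  # decrypt one block only
    return first == known_first_block, BLOCK

def years_to_exhaust(key_bits, guesses_per_second):
    return 2 ** key_bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    ek, mk = b"E" * 16, b"M" * 16            # constructed keys
    pt = b"HEADER-v1-000000" + b"x" * 4096   # constructed: known first block + payload
    ct, tag = seal("EtM", ek, mk, pt)
    print("EtM        :", check_etm(mk, ct, tag))
    ct2, tag2 = seal("E&M", ek, mk, pt)
    print("E&M        :", check_e_and_m(ek, mk, ct2, tag2))
    print("known block:", check_known_block(ek, ct, pt[:BLOCK]))
    print("years for 2^128 at 1e12 guesses/s: %.2e" % years_to_exhaust(128, 1e12))
```

Even the cheapest check, one block per guess, leaves on the order of 10^19 years of work for a random 128-bit key at the assumed rate.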