There are a handful of attacks against AEAD, and GCM in particular, which demonstrate that it is feasible for an attacker $\mathcal{A}$ to obtain a ciphertext $C$ which encrypts to multiple key/message pairs $(k_i, M_i)$. This is commonly referred to as AES-GCM not being key-committing. Now, I'm a bit confused about the nature of the attacks that are possible with this: do I understand correctly that $\mathcal{A}$ needs to be able to 'modify' the ciphertext $C$ to be able to perform the outlined attacks? Or is it also possible for $\mathcal{A}$, given a fixed $C$ encrypting $m_1$ under $k_1$, to obtain another decryption $m_2$ which yields $C$ under another key $k_2$?
1 Answer
do I understand correctly that $\mathcal{A}$ needs to be able to 'modify' the ciphertext $C$ to be able to perform the outlined attacks?
No, these attacks assume that the attacker generates $C$; he takes a number of keys $k_1, k_2, ..., k_n$, and using those, generates a ciphertext $C$ that 'decrypts' successfully (that is, the integrity tag check succeeds) under all of them.
Or is it also possible for $\mathcal{A}$, given a fixed $C$ encrypting $m_1$ under $k_1$, to obtain another decryption $m_2$ which yields $C$ under another key $k_2$?
We don't know how to do that; the attack we know about requires that the attacker has some flexibility in choosing $C$. Now, he doesn't need to specify the entire value; he does need to specify at least two 16-byte blocks to construct a $C$ that will decrypt under two different keys.
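The defender-side counterpart to the answer above, added here and not part of the question or answer: a key-committing wrapper around Go's standard-library AES-GCM that appends SHA-256(key || nonce || ad || tag) to the ciphertext, in the style of the CTX construction. The function names, the 12-byte nonce convention and the choice of SHA-256 are assumptions of this example; it does not reproduce the multi-key ciphertext construction itself, only the check that makes such a ciphertext fail under a second key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// commit = SHA-256(key || nonce || ad || gcmTag). One C can satisfy the GHASH
// equation under k1 and k2, but not this hash without a SHA-256 collision.
func commit(key, nonce, ad, tag []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{key, nonce, ad, tag} {
		h.Write(part)
	}
	return h.Sum(nil)
}
// SealCommitting returns GCM ciphertext || GCM tag || 32-byte commitment.
func SealCommitting(key, nonce, ad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, ad) // nonce: 12 bytes, unique per key
	tag := ct[len(ct)-gcm.Overhead():]
	return append(ct, commit(key, nonce, ad, tag)...), nil
}
// OpenCommitting rejects unless both the commitment and the GCM tag verify.
func OpenCommitting(key, nonce, ad, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.Overhead()+sha256.Size {
		return nil, errors.New("ciphertext too short")
	}
	ct, com := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	tag := ct[len(ct)-gcm.Overhead():]
	if subtle.ConstantTimeCompare(com, commit(key, nonce, ad, tag)) != 1 {
		return nil, errors.New("key commitment check failed")
	}
	return gcm.Open(nil, nonce, ct, ad)
}
```

The commitment is checked before the GCM tag, so a ciphertext prepared to pass the tag check under two keys is rejected at the commitment step under every key but the one it was sealed with.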