Partitioning Oracle Attacks

Explore a comprehensive analysis of partitioning oracle attacks in cryptography through this conference talk from the Workshop on Attacks in Cryptography at Crypto 2021. Delve into modern symmetric cryptography, authenticated encryption, and non-committing AEAD. Examine the definitional landscape and brute-force dictionary attacks before focusing on partitioning oracle attacks in various settings. Investigate key multi-collision attacks, targeted multi-key collision resistance, and their application to AES-GCM. Learn about the GHASH algorithm and its role in Carter-Wegman MACs. Analyze real-world examples, including password recovery in Shadowsocks and vulnerabilities in OPAQUE implementations. Gain insights into asymmetric Password Authenticated Key Exchange (PAKE) and the broader implications of non-committing AEAD vulnerabilities in cryptographic systems.

Intro
Modern Symmetric Cryptography
Authenticated Encryption
(Non-) Committing AEAD
What we know about non-committing AEAD Definitional landscape
Brute-force Dictionary Attack
Partitioning Oracle Attacks: Setting Setting interface has secret pwchosen from D
Key multi-collision attacks Targeted multi-key collision resistance TMKCRI
Computing Key Multi-Collisions for AES-GCM then
An Overview of GHASH A Carter Wegman MAC which computes over Galois field GF213
Shadowsocks: threat model
Password Recovery for Shadowsocks
Shadowsocks Attack: experimental evaluation
OPAQUE: building partitioning oracles
OPAQUE: early implementations
OPAQUE An asymmetric Pasword Authenticated Key Exchange (PAKE)
Vulnerabilities from non-committing AEAD (so far)