📝Non-committing AEAD weakness
Many AEAD encryption schemes (e.g., AES-GCM and ChaCha20-Poly1305) are not committing, meaning that a single ciphertext can decrypt successfully under more than one key (yielding different plaintexts). This surprises most developers, who assume that authenticated encryption cannot decrypt under a different key.
This does not break confidentiality or integrity in the single-key setting, but it has led to vulnerabilities in more complex protocols and is now recognized as a security gap. It is recommended to use committing AEAD (cAEAD) whenever non-committing AEAD vulnerabilities cannot be ruled out.
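The recommendation above can be applied without changing the underlying cipher by wrapping it. The code below is an added example, not part of this note or of any library: it derives a per-nonce encryption subkey and a key-commitment string from the caller's key with HMAC-SHA256 (an assumed construction in the spirit of the "commit key, then encrypt" transforms from the cAEAD literature), prepends the commitment to the AES-GCM ciphertext, and on decryption rejects the ciphertext before opening it if the commitment does not match. A ciphertext produced under one key therefore cannot be opened under another, which is exactly the property plain AES-GCM lacks. The function and label names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// commitLen is the size of the key-commitment string (one HMAC-SHA256 output).
const commitLen = sha256.Size

// ErrKeyCommitment is returned when the ciphertext was not produced under this key.
var ErrKeyCommitment = errors.New("key commitment check failed")

// deriveSubkeys turns the caller's key into an AES-256 subkey and a commitment
// string that depend on the key and nonce but reveal nothing about the key.
// Assumed construction: two HMAC-SHA256 calls with distinct domain labels.
func deriveSubkeys(key, nonce []byte) (encKey, commit []byte) {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("cAEAD-enc-key"))
	m.Write(nonce)
	encKey = m.Sum(nil)

	m = hmac.New(sha256.New, key)
	m.Write([]byte("cAEAD-commitment"))
	m.Write(nonce)
	commit = m.Sum(nil)
	return encKey, commit
}

// CommittingSeal returns commitment || AES-GCM(encKey, nonce, plaintext, ad).
func CommittingSeal(key, nonce, plaintext, ad []byte) ([]byte, error) {
	encKey, commit := deriveSubkeys(key, nonce)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes for AES-GCM")
	}
	return gcm.Seal(commit, nonce, plaintext, ad), nil // Seal appends to commit
}

// CommittingOpen verifies the key commitment first, then opens the AES-GCM part.
func CommittingOpen(key, nonce, sealed, ad []byte) ([]byte, error) {
	if len(sealed) < commitLen {
		return nil, errors.New("ciphertext too short")
	}
	encKey, commit := deriveSubkeys(key, nonce)
	// Constant-time compare: a wrong key fails here, before any decryption.
	if subtle.ConstantTimeCompare(sealed[:commitLen], commit) != 1 {
		return nil, ErrKeyCommitment
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed[commitLen:], ad)
}

func main() {
	key := make([]byte, 32)
	otherKey := make([]byte, 32)
	nonce := make([]byte, 12)
	rand.Read(key)
	rand.Read(otherKey)
	rand.Read(nonce)

	sealed, _ := CommittingSeal(key, nonce, []byte("attack at dawn"), []byte("hdr"))
	pt, err := CommittingOpen(key, nonce, sealed, []byte("hdr"))
	fmt.Printf("right key: %q err=%v\n", pt, err)
	_, err = CommittingOpen(otherKey, nonce, sealed, []byte("hdr"))
	fmt.Printf("other key: err=%v\n", err)
}
```

The commitment costs one extra HMAC per message and 32 bytes of ciphertext expansion; the AES-GCM tag still protects integrity, while the prepended string binds the ciphertext to the key so that a second key can never be made to "succeed".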
Example attacks
- An attacker who knows the key may find different plaintext messages that produce the same authentication tag.
- Partitioning Oracle Attacks.
- Attack on Facebook Messenger’s message franking scheme, described in "Fast Message Franking: From Invisible Salamanders to Encryptment".
Backlinks
- 📝 § Cryptography