Forgery and Subkey Recovery on CAESAR Candidate iFeed
Authors
Abstract
iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers' security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys EK(0) and EK(PMN ‖ 1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how, at the price of just one additional forgery, one can learn EK(P*) for any freely chosen plaintext P*. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed and leading to a total security compromise of the iFeed design.
Similar resources
Cryptanalysis of Submission to the CAESAR Cryptographic Competition iFeed
iFeed is a blockcipher-based authenticated encryption design by Zhang, et al. [81] and a candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. In this thesis, we consider the security of iFeed in three settings. In the nonce-respecting setting we show a forgery and subkey r...
SAT-based cryptanalysis of ACORN
The CAESAR competition aims to provide a portfolio of authenticated encryption algorithms. SAT solvers represent powerful tools to verify automatically and efficiently (among others) the confidentiality and the authenticity of information claimed by cryptographic primitives. In this work, we study the security of the CAESAR candidate Acorn against a SAT-based cryptanalysis. We provide the first...
Cryptanalysis of some first round CAESAR candidates
AES_CMCCv1, AVALANCHEv1, CLOCv1, and SILCv1 are four candidates of the first round of CAESAR. CLOCv1 is presented in FSE 2014 and SILCv1 is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against AES_CMCCv1 with the complexity of two queries and the success ...
From Related-Key Distinguishers to Related-Key-Recovery on Even-Mansour Constructions
We show that a distinguishing attack in the related-key model on an Even-Mansour block cipher can readily be converted into an extremely efficient key recovery attack. Concerned ciphers include in particular all iterated Even-Mansour schemes with independent keys. We apply this observation to the CAESAR candidate Prøst-OTR and are able to recover the whole key with a number of requests linear in...
Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm
In this paper, we provide a security analysis of ELmD: a block cipher based Encrypt-Linear-mix-Decrypt authentication mode. As one of the second-round CAESAR candidates, it is claimed to provide misuse resistance against forgeries and security against blockwise adaptive adversaries, as well as 128-bit security against key recovery attacks. We scrutinize ELmD in such a way that we provide uni...