Reforgeability of Authenticated Encryption Schemes

  • Christian Forler
  • Eik List
  • Stefan Lucks
  • Jakob Wenzel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10343)


This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: j-INT-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called j-IV-Collision Attack (j-IV-CA), wherein an adversary tries to construct j forgeries given a first forgery. The term collision in the name stems from the fact that we assume the first forgery to be the result of an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to j-IV-CAs of the classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as of all third-round candidates of the CAESAR competition. The analysis is done in both the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to j-IV-CAs. Based on this insight, we briefly discuss two alternative design strategies to resist j-IV-CAs.


Keywords: Authenticated encryption; CAESAR; Multi-forgery attack; Reforgeability


  1. Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_29
  2. Abed, F., Fluhrer, S., Foley, J., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: The POET Family of On-Line Authenticated Encryption Schemes (2014).
  3. Andreeva, E., Bogdanov, A., Datta, N., Luykx, A., Mennink, B., Nandi, M., Tischhauser, E., Yasuda, K.: COLM v1 (2016).
  4. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: AES-COPA (2014).
  5. Aumasson, J.-P., Jovanovic, P., Neves, S.: NORX (2016).
  6. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_1
  7. Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. IACR Cryptology ePrint Arch. 2004, 309 (2004)
  8. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
  9. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-25937-4_25
  10. Bernstein, D.J.: CAESAR Call for Submissions, Final, 27 January 2014.
  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. ECRYPT Hash Function Workshop (2007)
  12. Bertoni, G., Daemen, J., Peeters, M., Van Keer, R., Van Assche, G.: CAESAR submission, Ketje v2 (2016).
  13. Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03317-9_21
  14. Datta, N., Nandi, M.: ELmD (2014).
  15. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2 (2016).
  16. Dworkin, M.J.: SP 800-38C. Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. Technical report, Gaithersburg, MD, United States (2004)
  17. Ferguson, N.: Collision Attacks on OCB. Unpublished manuscript (2002).
  18. Ferguson, N.: Authentication weaknesses in GCM (2005).
  19. Forler, C., List, E., Lucks, S., Wenzel, J.: Reforgeability of Authenticated Encryption Schemes. Cryptology ePrint Archive, Report 2017/332 (2017).
  20. Fouque, P.-A., Martinet, G., Valette, F., Zimmer, S.: On the security of the CCM encryption mode and of a slight variant. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 411–428. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-68914-0_25
  21. Peeters, M., Bertoni, G., Daemen, J., Van Assche, G., Van Keer, R.: CAESAR submission, Keyak v2 (2016).
  22. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85174-5_9
  23. Hoang, V.T., Krovetz, T., Rogaway, P.: AEZ v4.2: Authenticated Encryption by Enciphering (2016).
  24. Iwata, T., Minematsu, K., Guo, J., Morioka, S.: CLOC and SILC v3 (2016).
  25. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_3
  26. Jean, J., Nikolić, I., Peyrin, T., Seurin, Y.: Deoxys v1.41 (2016).
  27. Westerlund, M., Mattsson, J.: Authentication Key Recovery on Galois Counter Mode (GCM). Cryptology ePrint Archive, Report 2015/477 (2015).
  28. Joux, A.: Authentication Failures in NIST version of GCM. NIST Comment (2006)
  29. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: FSE 2004, pp. 408–426 (2004)
  30. Krovetz, T., Rogaway, P.: OCB (2016).
  31. List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). doi: 10.1007/978-3-319-52153-4_15
  32. Jiqiang, L.: On the security of the COPA and marble authenticated encryption algorithms against (almost) universal forgery attack. IACR Cryptology ePrint Arch. 2015, 79 (2015)
  33. Lucks, S.: A failure-friendly design principle for hash functions. In: Proceedings of the Advances in Cryptology - ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4–8, 2005, pp. 474–494 (2005)
  34. McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004).
  35. McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. IACR Cryptology ePrint Arch. 2005, 161 (2005)
  36. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30556-9_27
  37. Minematsu, K.: AES-OTR v3.1 (2016).
  38. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_15
  39. Nandi, M.: Revisiting security claims of XLS and COPA. Cryptology ePrint Archive, Report 2015/444 (2015).
  40. Nikolić, I.: Tiaoxin-346 (2016).
  41. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_15
  42. Rogaway, P., Wagner, D.: A Critique of CCM. Cryptology ePrint Archive, Report 2003/070 (2003).
  43. Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security, pp. 98–107 (2002)
  44. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-25937-4_22
  45. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: ACM Conference on Computer and Communications Security, pp. 196–205 (2001)
  46. Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_13
  47. Hongjun, W.: A Lightweight Authenticated Cipher (v3) (2016).
  48. Wu, H., Huang, T.: The Authenticated Cipher MORUS (2016).
  49. Wu, H., Huang, T.: The JAMBU Lightweight Authentication Encryption Mode (v2.1) (2016).
  50. Wu, H., Preneel, B.: AEGIS: A Fast Authenticated Encryption Algorithm (v1.1) (2016).

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Christian Forler (1)
  • Eik List (2)
  • Stefan Lucks (2)
  • Jakob Wenzel (2), corresponding author
  1. Beuth Hochschule für Technik Berlin, Berlin, Germany
  2. Bauhaus-Universität Weimar, Weimar, Germany
