# Reforgeability of Authenticated Encryption Schemes

## Abstract

This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin *reforgeability* for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes, \(j\)-INT-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called \(j\)-IV-Collision Attack (\(j\)-IV-CA), wherein an adversary tries to construct \(j\) forgeries given a first forgery. The term *collision* in the name stems from the fact that we assume the first forgery to be the result of an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to \(j\)-IV-CAs of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in both the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to \(j\)-IV-CAs. Based on this insight, we briefly discuss two alternative design strategies to resist \(j\)-IV-CAs.
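The following is an added illustration of the attack model described in the abstract; it is not code from the paper. It shows, on a GCM-style polynomial MAC, why a single collision inside the associated-data processing yields \(j\) further forgeries for free: the tag is \(\mathrm{GHASH}_H(A, C) \oplus E_K(J_0)\), and GHASH is linear, so once two associated-data strings \(A \neq A'\) leave the hash in the same internal state, every valid \((N, A, C, T)\) the honest sender emits is also valid as \((N, A', C, T)\). The GHASH below is the real GF(2^128) hash of GCM; the block cipher is replaced by HMAC-SHA256 truncated to 128 bits (an assumption for a self-contained, offline example), and the colliding pair is constructed from \(H\) to simulate the event the paper's model takes as given (the adversary in a \(j\)-IV-CA is handed the first collision; it does not learn \(H\)). All sample data is constructed inline.

```python
import hashlib
import hmac
import os

# GCM's GF(2^128) in the bit-reflected convention of NIST SP 800-38D.
R = 0xE1000000000000000000000000000000


def gf_mult(x: int, y: int) -> int:
    """Field multiplication exactly as in SP 800-38D, Algorithm 1 (linear in x)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks16(data: bytes):
    """Split into 16-byte blocks, zero-padding the last one, as GCM does."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h: int, ad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): AD blocks, then ciphertext blocks, then the 128-bit length block."""
    y = 0
    for blk in list(_blocks16(ad)) + list(_blocks16(ct)):
        y = gf_mult(y ^ int.from_bytes(blk, "big"), h)
    length_block = (len(ad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    return gf_mult(y ^ int.from_bytes(length_block, "big"), h)


def prf(key: bytes, label: bytes) -> int:
    """Stand-in for AES_K (assumption: HMAC-SHA256 truncated to 128 bits, not real GCM)."""
    return int.from_bytes(hmac.new(key, label, hashlib.sha256).digest()[:16], "big")


def hash_key(key: bytes) -> int:
    """GCM derives H = E_K(0^128); same idea with the stand-in PRF."""
    return prf(key, b"\x00" * 16)


def tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """T = GHASH_H(A, C) xor E_K(J0); the nonce-dependent mask is modelled as PRF_K(nonce)."""
    t = ghash(hash_key(key), ad, ct) ^ prf(key, b"J0" + nonce)
    return t.to_bytes(16, "big")


def verify(key: bytes, nonce: bytes, ad: bytes, ct: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, nonce, ad, ct), t)


def colliding_ad(h: int, ad: bytes, delta: int) -> bytes:
    """Return A' != A (same length, two full blocks) with the same GHASH state after the AD.
    State after AD is (A1*H xor A2)*H; with A1' = A1 xor D and A2' = A2 xor D*H it is unchanged.
    Simulates the 'first forgery from an AD collision' that the j-IV-CA model assumes as given."""
    assert len(ad) == 32 and 0 < delta < (1 << 128)
    a1 = int.from_bytes(ad[:16], "big") ^ delta
    a2 = int.from_bytes(ad[16:], "big") ^ gf_mult(delta, h)
    return a1.to_bytes(16, "big") + a2.to_bytes(16, "big")


def reforge(observed, ad_prime: bytes):
    """j observed valid (N, A, C, T) -> j forgeries (N, A', C, T): no queries, nonces untouched."""
    return [(n, ad_prime, c, t) for (n, _a, c, t) in observed]


def demo(j: int = 5):
    """Returns (number of accepted reforgeries, whether an unrelated AD tweak is rejected)."""
    key = os.urandom(16)                                   # constructed sample key
    ad = b"hdr:v1, sess=42, purpose=demo!!!"               # constructed 32-byte AD (two blocks)
    ad_prime = colliding_ad(hash_key(key), ad, delta=0x123456789ABCDEF0)
    # Honest, nonce-respecting sender: j messages under distinct nonces.
    observed = []
    for i in range(j):
        nonce, ct = i.to_bytes(12, "big"), os.urandom(40 + i)
        observed.append((nonce, ad, ct, tag(key, nonce, ad, ct)))
    forgeries = reforge(observed, ad_prime)
    accepted = sum(verify(key, n, a, c, t) for (n, a, c, t) in forgeries)
    # Sanity check: an AD that does not collide is still rejected.
    n0, _a0, c0, t0 = observed[0]
    tampered = bytes([ad_prime[0] ^ 0x01]) + ad_prime[1:]
    rejected = not verify(key, n0, tampered, c0, t0)
    return accepted, rejected
```

`demo(j)` returns `(j, True)`: every one of the \(j\) honestly produced messages is accepted again with the colliding associated data, and the adversary made no verification queries and needed no nonce repetition from the sender. This is the behaviour the abstract summarises as a lack of built-in resistance to \(j\)-IV-CAs: the cost of the first forgery is paid once, and each further forgery is free. A scheme resists this only if the first collision does not survive into later messages, for instance by binding the associated-data processing to the nonce or by not exposing a linear hash state.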

## Keywords

Authenticated encryption, CAESAR, Multi-forgery attack, Reforgeability

## References

1. Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_29
2. Abed, F., Fluhrer, S., Foley, J., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: The POET Family of On-Line Authenticated Encryption Schemes (2014). http://competitions.cr.yp.to/caesar-submissions.html
3. Andreeva, E., Bogdanov, A., Datta, N., Luykx, A., Mennink, B., Nandi, M., Tischhauser, E., Yasuda, K.: COLM v1 (2016). http://competitions.cr.yp.to/caesar-submissions.html
4. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: AES-COPA (2014). http://competitions.cr.yp.to/caesar-submissions.html
5. Aumasson, J.-P., Jovanovic, P., Neves, S.: NORX (2016). http://competitions.cr.yp.to/caesar-submissions.html
6. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_1
7. Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. IACR Cryptology ePrint Archive, Report 2004/309 (2004)
8. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
9. Bellare, M., Rogaway, P., Wagner, D.: The EAX mode of operation. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 389–407. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_25
10. Bernstein, D.J.: CAESAR Call for Submissions, Final, 27 January 2014. http://competitions.cr.yp.to/caesar-call.html
11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. ECRYPT Hash Function Workshop (2007)
12. Bertoni, G., Daemen, J., Peeters, M., Van Keer, R., Van Assche, G.: CAESAR submission: Ketje v2 (2016). http://competitions.cr.yp.to/caesar-submissions.html
13. Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03317-9_21
14. Datta, N., Nandi, M.: ELmD (2014). http://competitions.cr.yp.to/caesar-submissions.html
15. Dobraunig, C., Eichlseder, M., Mendel, F., Schläffer, M.: Ascon v1.2 (2016). http://competitions.cr.yp.to/caesar-submissions.html
16. Dworkin, M.J.: SP 800-38C. Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. Technical report, NIST, Gaithersburg, MD, United States (2004)
17. Ferguson, N.: Collision Attacks on OCB. Unpublished manuscript (2002). http://www.cs.ucdavis.edu/rogaway/ocb/links.htm
18. Ferguson, N.: Authentication weaknesses in GCM (2005). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
19. Forler, C., List, E., Lucks, S., Wenzel, J.: Reforgeability of Authenticated Encryption Schemes. Cryptology ePrint Archive, Report 2017/332 (2017). http://eprint.iacr.org/2017/332
20. Fouque, P.-A., Martinet, G., Valette, F., Zimmer, S.: On the security of the CCM encryption mode and of a slight variant. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 411–428. Springer, Heidelberg (2008). doi:10.1007/978-3-540-68914-0_25
21. Peeters, M., Bertoni, G., Daemen, J., Van Assche, G., Van Keer, R.: CAESAR submission: Keyak v2 (2016). http://competitions.cr.yp.to/caesar-submissions.html
22. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85174-5_9
23. Hoang, V.T., Krovetz, T., Rogaway, P.: AEZ v4.2: Authenticated Encryption by Enciphering (2016). http://competitions.cr.yp.to/caesar-submissions.html
24. Iwata, T., Minematsu, K., Guo, J., Morioka, S.: CLOC and SILC v3 (2016). http://competitions.cr.yp.to/caesar-submissions.html
25. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_3
26. Jean, J., Nikolić, I., Peyrin, T., Seurin, Y.: Deoxys v1.41 (2016). http://competitions.cr.yp.to/caesar-submissions.html
27. Westerlund, M., Mattsson, J.: Authentication Key Recovery on Galois Counter Mode (GCM). Cryptology ePrint Archive, Report 2015/477 (2015). http://eprint.iacr.org/2015/477
28. Joux, A.: Authentication Failures in NIST version of GCM. NIST Comment (2006)
29. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: FSE 2004, pp. 408–426 (2004)
30. Krovetz, T., Rogaway, P.: OCB (2016). http://competitions.cr.yp.to/caesar-submissions.html
31. List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). doi:10.1007/978-3-319-52153-4_15
32. Lu, J.: On the security of the COPA and Marble authenticated encryption algorithms against (almost) universal forgery attack. IACR Cryptology ePrint Archive, Report 2015/079 (2015)
33. Lucks, S.: A failure-friendly design principle for hash functions. In: Advances in Cryptology - ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, December 4–8, 2005, pp. 474–494 (2005)
34. McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004). http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf
35. McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. IACR Cryptology ePrint Archive, Report 2005/161 (2005)
36. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30556-9_27
37. Minematsu, K.: AES-OTR v3.1 (2016). http://competitions.cr.yp.to/caesar-submissions.html
38. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_15
39. Nandi, M.: Revisiting security claims of XLS and COPA. Cryptology ePrint Archive, Report 2015/444 (2015). http://eprint.iacr.org/2015/444
40. Nikolić, I.: Tiaoxin-346 (2016). http://competitions.cr.yp.to/caesar-submissions.html
41. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_15
42. Rogaway, P., Wagner, D.: A Critique of CCM. Cryptology ePrint Archive, Report 2003/070 (2003). http://eprint.iacr.org/2003/070
43. Rogaway, P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security (CCS 2002), pp. 98–107 (2002)
44. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_22
45. Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: ACM Conference on Computer and Communications Security (CCS 2001), pp. 196–205 (2001)
46. Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34047-5_13
47. Wu, H.: ACORN: A Lightweight Authenticated Cipher (v3) (2016). http://competitions.cr.yp.to/caesar-submissions.html
48. Wu, H., Huang, T.: The Authenticated Cipher MORUS (2016). http://competitions.cr.yp.to/caesar-submissions.html
49. Wu, H., Huang, T.: The JAMBU Lightweight Authentication Encryption Mode (v2.1) (2016). http://competitions.cr.yp.to/caesar-submissions.html
50. Wu, H., Preneel, B.: AEGIS: A Fast Authenticated Encryption Algorithm (v1.1) (2016). http://competitions.cr.yp.to/caesar-submissions.html