Can Caesar Beat Galois?

Robustness of CAESAR Candidates Against Nonce Reusing and High Data Complexity Attacks
  • Serge Vaudenay
  • Damian Vizár
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)


The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to “identify a portfolio of authenticated ciphers that offer advantages over [the Galois-Counter Mode with AES] and are suitable for widespread adoption.” Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.e. whether it can tolerate nonce misuse, and what the maximal data complexity is for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting “Robustness” in CAESAR as the ability to mitigate damage when security guarantees are void, we describe attacks with 64-bit complexity or above, and/or with nonce reuse, for each of the 15 candidates. We then classify the candidates depending on how powerful an attacker needs to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful, e.g., for breaking ties in the final CAESAR discussions.


Keywords: Authenticated encryption · CAESAR competition · Forgery · Decryption attack · Key recovery · Birthday bound · Nonce misuse



We would like to thank all CAESAR designers who provided us with their feedback. We would like to thank the Ascon team for pointing out that generic attacks with the same time but much lower data complexity than our forgery exist, and the Deoxys team for suggesting a better way to measure adversarial resources for nonce misuse. We would also like to thank the attendees of the Dagstuhl seminar 2018, and the anonymous reviewers for constructive comments.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. EPFL, Lausanne, Switzerland
