# Related-Key Forgeries for Prøst-OTR


## Abstract

We present a forgery attack on Prøst-OTR in a related-key setting. Prøst is a family of authenticated encryption algorithms proposed as candidates in the currently ongoing CAESAR competition, and Prøst-OTR is one of the three variants of the Prøst design. The attack exploits how the Prøst permutation is used in an Even-Mansour construction in the Feistel-based OTR mode of operation. Given the ciphertext and tag for any two messages under two related keys *K* and \(K \oplus \varDelta \) with related nonces, we can forge the ciphertext and tag for a modified message under *K*. If we can query ciphertexts for chosen messages under \(K \oplus \varDelta \), we can achieve almost universal forgery for *K*. The computational complexity is negligible.

## Keywords

CAESAR competition; Cryptanalysis; Prøst; Authenticated encryption; Related-key

## 1 Introduction

Due to the currently ongoing CAESAR competition for authenticated encryption [25], authenticated ciphers are clearly the new favourite toy of the cryptographic community. A significant collective effort will be necessary to judge the 57 submitted candidate ciphers with respect to their security and applicability. The goal of this cryptographic competition is to identify a portfolio of reliable, efficient, secure authenticated encryption algorithms with unique features for different application scenarios. Experience with previous competitions and focused projects like AES, SHA-3, eSTREAM and NESSIE has clearly demonstrated that the joint effort of the community to focus on a particular topic can impressively advance the understanding of the researched primitives in a relatively short period of time. Right now, first security analyses of the submitted candidates are necessary to allow the competition committee to judge the first-round candidates adequately, and select the most promising submissions for the next round.

Prøst, designed by Kavun et al. [16], is one of the candidates submitted to the CAESAR competition. It combines a newly designed, efficient permutation, the Prøst permutation, with several modes of operation. The resulting Prøst family of authenticated ciphers consists of three variants: Prøst-COPA, Prøst-OTR, and Prøst-APE, each with its own advantages and features. The Prøst-OTR variant uses the Prøst permutation in a single-key Even-Mansour construction [9, 11, 12] as a block cipher in Minematsu’s provably secure, Feistel-based OTR mode of operation [21]. Due to the novelty of the design, previous cryptanalysis results on Prøst itself are limited to the designers’ own analysis, published together with the design document [16].

We present a forgery attack on Prøst-OTR in a related-key setting. The scenario is that an attacker is given ciphertexts and tags of two messages: one under the target key *K*, and one under a related key \(K \oplus \varDelta \) for some arbitrary \(\varDelta \). Both keys are secret, but their difference \(\varDelta \) is known to the attacker. The nonces used for encrypting the two messages are also related in a similar way. Then, with negligible computational complexity, the attacker can forge the ciphertext and authentication tag for a third message under the target key *K*. In fact, depending on the length of the original messages, forgeries for a large number of fake messages can be obtained. In addition, in case the attacker has control over one of the two originally encrypted messages, he can even control the content of the third, forged message.

Our attack is generic and exploits the combination of the OTR mode of operation with an Even-Mansour block cipher construction. It is independent of the used permutation, and thus does not use any particular properties or weaknesses of the Prøst permutation. Consequently, the other members of the Prøst family, Prøst-COPA and Prøst-APE, are not affected or endangered by the attack. However, the attack demonstrates the possible complications of using an Even-Mansour construction as a block cipher in otherwise secure modes of operation. The Even-Mansour approach of creating a block cipher from a pseudorandom permutation by xoring a secret key before and after applying the permutation to the plaintext has been studied extensively [6, 7, 8, 9, 13, 19]. It has been proven secure under different notions of security, with detailed bounds relating the security level with the key length. However, it is inherently susceptible to related-key attacks. The OTR mode of operation allows this property to be “lifted” to the full encryption and authentication scheme. This unfortunate combination of otherwise secure building blocks shows two things: that the Even-Mansour construction should only be used very cautiously, and that related-key properties are not well covered by the classical security notions, although they can lead to powerful forgery attacks.

Related-key setups are a relatively strong attack setting. Nevertheless, depending on the exact requirements, they are often not entirely far-fetched in practical scenarios. In particular, scenarios where only a known (but arbitrary) difference \(\varDelta \) between any two unknown keys is required, like in our attack, are quite realistic, and occur as side effects of several published protocols. The only limitation the attack imposes on \(\varDelta \) is that it does not affect the least significant bits of the key. For compatibility with the nonce difference, the modified part of the key must not be longer than the nonce length (half the key size in Prøst-OTR).

As an example for related keys in practice, consider the WEP standard [14]. There, the keys for the individual communication links are derived by concatenating (public, random) IVs with the fixed secret WEP key. Clearly, any two keys constructed this way have a publicly known differential relation. Similar scenarios could be imagined in any other network of resource-constrained devices (e.g., of sensor nodes), where individual encryption keys need to be derived in a cheap way from some master secret (e.g., by xoring individual IDs, nonces or challenge values to the key). Despite its inherent susceptibility to birthday attacks, the idea to “xor nonce to key” is also incorporated in several CAESAR candidates, such as AVALANCHE [1] and Calico [24]. Recently, cheap modifications of some master secret have also gained some popularity as a countermeasure to side-channel attacks, termed “fresh re-keying”. The rationale is that to avoid differential side-channel attacks, subsequent encryption processes should never use the same key twice, but derive some sort of session keys from the long-term key in a cheap way.

The additional requirement of related nonces is not as strong as the related keys. In many applications, nonces are generated in a very predictable pattern (typically a simple counter as a message sequence number). In some cases, the attacker may even be able to influence the nonce counter: a simple example is by triggering encryptions until the nonce counter arrives at the desired value, or by somehow causing the device to jump the unwanted nonce values. We note that the attack does not require “nonce misuse” in the sense that the attacker requests repeated encryptions under the same nonce.

Related-key attacks [4, 17] have been studied extensively, for various ciphers and applications. A prominent example is Biryukov et al.’s related-key attack on AES [5], which makes very strong assumptions about the relations between subkeys. The combination of related keys with related nonces has previously been applied primarily to stream ciphers, in particular in the context of the eSTREAM project. Examples include the key recovery attacks on Grain-v1 and Grain-128 by Lee et al. [20], or the recent analysis of generic chosen-IV attacks with applications to Trivium by Pasalic and Wei [22].

**Outline.** We first describe the Prøst family of authenticated ciphers and the notational conventions for the remaining document in Sect. 2. In Sect. 3, we derive a first basic related-key attack on Prøst-OTR. In Sect. 4, we propose a few possible improvements to the attack and extended attack scenarios. Finally, in Sect. 5, we conclude with a discussion of the applicability of the Prøst-OTR attack to other authenticated encryption modes.

## 2 Description of Prøst-OTR-*n*

### 2.1 The Prøst Family of Authenticated Ciphers

Prøst is a family of authenticated encryption algorithms. Kavun et al. [16] proposed the cipher family as a candidate in the currently ongoing CAESAR competition [25] for authenticated ciphers. Prøst comes in three flavors: Prøst-COPA, Prøst-OTR and Prøst-APE. All flavors share the same core permutation, the Prøst permutation designed by Kavun et al. [16], but use it in different modes of operation.

Prøst-APE uses the Prøst permutation in Andreeva et al.’s sponge-based APE mode [2]. The other two flavors, Prøst-OTR and Prøst-COPA, use modes of operation that are originally not permutation-based, but block-cipher-based: Andreeva et al.’s COPA mode [3], and Minematsu’s OTR mode [21]. In these variants, the Prøst permutation is used in a single-key Even-Mansour construction [9] to provide the required block cipher.

Each of the three flavors is available in two security levels, specified by a parameter \(n \in \{128,256\}\), resulting in a total of six proposed cipher family members. The designers rank the COPA variants as their primary recommendations, the OTR variants second, and the APE variants last.

### 2.2 Notation

We write \(N \Vert 10^*\) for the *n*-bit bitstring \(N \in \mathbb {F}_{2}^{n}\), concatenated with \((1, 0, \ldots , 0) \in \mathbb {F}_{2}^{n}\) to get an element in \(\mathbb {F}_{2}^{2n}\). Otherwise, numbers mean integer numbers \(\in \mathbb {Z}\) or individual bits \(\in \mathbb {F}_{2}\) when written in roman font (\(1, 2, 3, \ldots \)), but elements of \(\mathbb {F}_{2}^{2n}\) in truncated hex notation when written in typewriter font (\(\mathtt {1}, \mathtt {2}, \mathtt {3}, \ldots \)); for example, \(\mathtt {13} = (0, \ldots , 0, 1, 0, 0, 1, 1) \in \mathbb {F}_{2}^{2n}\). Products of such elements, as in \(\mathtt {2}^k \varDelta \), are computed in the finite field \(\mathbb {F}_{2^{2n}}\) (for Prøst-OTR-128, the field polynomial is given in Sect. 3.3). The variable names we use are summarized in Table 1.

**Table 1.** Notation and variables used throughout this document.

| Symbol | Meaning |
|---|---|
| \(n\) | Security level |
| \(K, K'\) | 2*n*-bit keys, related by \(K' = K \oplus \varDelta \) |
| \(N, N'\) | *n*-bit nonces |
| \(M = M_0 \cdots M_{2m-1}\) | The padded message, split into 2*n*-bit blocks |
| \(C = C_0 \cdots C_{2m-1}\) | The ciphertext in 2*n*-bit blocks |
| \(T\) | The *n*-bit authentication tag |
| \(\ell \) | Secret counter basis, derived from *K* and *N* |
| \(P\) | The Prøst permutation |
| \(\tilde{P}_K\) | The Even-Mansour block cipher built from *P* and the key *K* |
| \(\varSigma \) | Sum of message blocks, basis for the tag |
| \(\varDelta \) | Difference between the related keys |
| \(M', C', T'\) | Message encrypted under related key \(K'\) and nonce \(N'\) |
| \(\widetilde{M}, \widetilde{C}\) | Modified message and ciphertext |
| \(M^*, C^*, T^*\) | Attacker’s forged message, ciphertext and tag |
| \(\alpha , \gamma \) | Intermediate values, inputs to *P* |

### 2.3 Prøst-OTR-*n*

Prøst-OTR-*n* uses the block cipher \(\tilde{P}_K\), built from the permutation *P* in a single-key Even-Mansour construction [9], in Minematsu’s OTR mode of operation [21]. The result is a nonce-based authenticated encryption scheme with online encryption and decryption that is fully parallelizable [16]. Prøst-OTR-*n* is proposed in two security levels, \(n \in \{128, 256\}\). The security level defines the permutation size 2*n* and block size 2*n*, the key size 2*n* and nonce size *n*, and the tag size *n*. The claimed security for Prøst-OTR-*n* is \(\frac{n}{2}\) bits (confidentiality and integrity of plaintext and integrity of associated data). No particular claims are made for or against the related-key security of the cipher.

Since the attack does not depend on any property of the permutation, we do not describe the Prøst permutation *P* in this description. The design of the permutation-based block cipher \(\tilde{P}_K\), however, is essential for the attack. For a key \(K \in \mathbb {F}_{2}^{2n}\), the block cipher \(\tilde{P}_K : \mathbb {F}_{2}^{2n} \rightarrow \mathbb {F}_{2}^{2n}\) is the single-key Even-Mansour cipher that xors the key to the input and to the output of the permutation, \(\tilde{P}_K(x) = P(x \oplus K) \oplus K\).

In the encryption phase, the padded message is processed in pairs of blocks \(M_{2i}, M_{2i+1}\) by a Feistel structure whose round function is \(\tilde{P}_K\), masked with multiples of the secret counter basis \(\ell \); the inputs to the permutation are the values \(\alpha \) and \(\gamma \) of Table 1. The tag *T* is finally computed by encrypting a function of the checksum \(\varSigma \), which is the xor of all odd-indexed message blocks \(M_{2i+1}\). The detailed algorithm is listed in Algorithm 1 and illustrated in Fig. 1. For simplicity, we only describe the mode for empty associated data, and only for padded messages with an even (rather than odd) number of message blocks.

## 3 Basic Forgery Attack on Prøst-OTR

In this section, we describe our basic forgery attack on Prøst-OTR. The attack exploits the combination of the OTR mode with the Even-Mansour block cipher construction, and is independent of the concrete permutation *P* used. We consider a related-key scenario, where encrypted messages of two different keys *K* and \(K'\) can be observed. Both *K* and \(K'\) are secret, but we assume the attacker knows the difference \(\varDelta = K \oplus K'\) (i.e., \(K' = K \oplus \varDelta \)). In addition, we assume that the attacker can observe encrypted messages for related nonces \(N, N'\), such that \(\varDelta = (N\Vert 10^*) \oplus (N'\Vert 10^*)\). Since the last *n* bits of the padded nonces are identical, this means that the *n* least significant bits of \(\varDelta \) must be 0.

The basic attack uses the encryptions of the same message *M* under the two related keys \(K, K'\) to forge a ciphertext and tag for a modified message \(M^*\) under one of the two keys, *K*. More specifically, we will first show how to use the ciphertext from the related key \(K' = K \oplus \varDelta \) to forge ciphertexts for modified messages under the target key *K*. Then, we will combine original and forged ciphertexts in a way such that the original tag remains valid for the resulting modified plaintext under *K*. The attack works for any plaintext of sufficient length (\({\ge }514\) message blocks for Prøst-OTR-128, \({\ge }1026\) blocks for Prøst-OTR-256).

### 3.1 Forging the Ciphertext

Since the nonce is only *n* bits long (instead of 2*n* like the other values), \(\varDelta \) must only modify the most significant *n* bits, i.e., \(\varDelta = \varDelta _n\Vert 0^n\). Then, in the initialization phase illustrated in Fig. 2a, the differences in \(K'\) and \(N'\) cancel out right before the call to the permutation *P* in the initialization. Thus, we receive a related counter value \(\ell '\) with a simple relation to the original \(\ell \).

Now consider the encryption of a modified message \(\widetilde{M}\) under the original key *K* and nonce *N*. As Fig. 3 illustrates, the message differences “cancel out” with the corresponding difference in the \(\ell \) values from the encryption under the related key in Fig. 2. Thus, in both Figs. 2 and 3, the inputs \(\alpha \) and \(\gamma \) to the permutations are the same.

Consequently, the ciphertext blocks \(\widetilde{C}_j\) of the modified message \(\widetilde{M}_j\) under the target key *K* can be derived from the ciphertexts \(C_j'\) of the original message \(M_j\) under the related key \(K \oplus \varDelta \). What is still missing is a valid tag *T* for our forged message.
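The relations used above, carried through as an added derivation (it is not reproduced from the paper). It assumes the single-key Even-Mansour definition \(\tilde{P}_K(x) = P(x \oplus K) \oplus K\) described in Sect. 1, that \(\ell = \tilde{P}_K(N \Vert 10^*)\), and that the two Feistel rounds of block pair *i* are masked with \(\mathtt {2}^{k}\ell \) and \((\mathtt {2}^{k} \oplus \mathtt {1})\ell \), where the exponent *k* assigned to pair *i* is whatever Algorithm 1 prescribes (it is \(k = i+2\) in the example of Sect. 3.3). First, the counter bases are related by

$$\begin{aligned} \ell ' = \tilde{P}_{K \oplus \varDelta }\big ((N \Vert 10^*) \oplus \varDelta \big ) = P\big ((N \Vert 10^*) \oplus \varDelta \oplus K \oplus \varDelta \big ) \oplus K \oplus \varDelta = \ell \oplus \varDelta . \end{aligned}$$

Encrypting the modified pair \(\widetilde{M}_{2i} = M_{2i} \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta \), \(\widetilde{M}_{2i+1} = M_{2i+1} \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta \) under *K* gives the permutation inputs and ciphertext blocks

$$\begin{aligned} \alpha&= \mathtt {2}^k \ell \oplus \widetilde{M}_{2i} \oplus K, \qquad \widetilde{C}_{2i} = P(\alpha ) \oplus K \oplus \widetilde{M}_{2i+1}, \\ \gamma&= (\mathtt {2}^k \oplus \mathtt {1})\ell \oplus \widetilde{C}_{2i} \oplus K, \qquad \widetilde{C}_{2i+1} = P(\gamma ) \oplus K \oplus \widetilde{M}_{2i}. \end{aligned}$$

Encrypting the original pair under \(K' = K \oplus \varDelta \) with \(\ell ' = \ell \oplus \varDelta \) feeds *P* the same inputs, because \(\mathtt {2}^k \varDelta \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta = \varDelta \) cancels against the key difference:

$$\begin{aligned} \mathtt {2}^k \ell ' \oplus M_{2i} \oplus K'&= \mathtt {2}^k \ell \oplus \mathtt {2}^k \varDelta \oplus \widetilde{M}_{2i} \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta \oplus K \oplus \varDelta = \alpha , \\ C'_{2i}&= P(\alpha ) \oplus K' \oplus M_{2i+1} = \widetilde{C}_{2i} \oplus \varDelta \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta = \widetilde{C}_{2i} \oplus \mathtt {2}^k \varDelta , \\ (\mathtt {2}^k \oplus \mathtt {1})\ell ' \oplus C'_{2i} \oplus K'&= (\mathtt {2}^k \oplus \mathtt {1})\ell \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta \oplus \widetilde{C}_{2i} \oplus \mathtt {2}^k \varDelta \oplus K \oplus \varDelta = \gamma , \\ C'_{2i+1}&= P(\gamma ) \oplus K' \oplus M_{2i} = \widetilde{C}_{2i+1} \oplus \varDelta \oplus (\mathtt {2}^k \oplus \mathtt {1})\varDelta = \widetilde{C}_{2i+1} \oplus \mathtt {2}^k \varDelta . \end{aligned}$$

Hence \(\widetilde{C}_j = C'_j \oplus \mathtt {2}^k \varDelta \) for \(j \in \{2i, 2i+1\}\): a plaintext difference of \((\mathtt {2}^k \oplus \mathtt {1})\varDelta \) on the pair costs a ciphertext difference of \(\mathtt {2}^k \varDelta \), which is exactly the pattern of the two columns of Table 2.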

### 3.2 Forging the Tag

For a fixed key *K* and nonce *N*, the authentication tag only depends on the xor sum \(\varSigma \) of all message blocks with odd index, \(M_1, M_3, \ldots , M_{2m-1}\). To keep the original tag *T* valid for our forged message, we need to make sure that any induced differences cancel out when summing up the message blocks. We want to use the original and modified messages *M* and \(\widetilde{M}\) to construct the final forged message \(M^*\) that satisfies this property: for each block pair *i*, \(M^*\) takes either the original or the modified pair, selected by a coefficient \(\lambda _i\).

Since the induced differences are vectors in \(\mathbb {F}_{2}^{2n}\), a space of dimension 2*n*, any \(2n+1\) such vectors are linearly dependent, and suitable coefficients \(\lambda _i\) exist. Thus, for any given key difference \(\varDelta \) and known plaintext *M* with \(2m \ge 4n+2\) message blocks, we can solve this system of equations to find suitable coefficients \(\lambda _i\). The ciphertext blocks \(C^*\) for the resulting forged message \(M^*\) can be computed as in Sect. 3.1, while the correct tag \(T^* = T\) can be copied from *M*.

Summarizing, from observing the ciphertext and tag for encryptions of the same message *M* under two related keys *K* and \(K'=K \oplus \varDelta \), the attacker has forged the ciphertext \(C^*\) and tag \(T^*\) for a different message \(M^*\) of the same block length with negligible computational effort. The attacker knows this forged message, but has almost no control over its contents. The attack nonce is the same as the original nonce *N*. We discuss some remarks and improvements to this attack in Sect. 4.

### 3.3 Practical Example

For illustration, we apply the attack to Prøst-OTR-128 with \(n = 128\). This variant of Prøst-OTR uses a 256-bit key, a 128-bit nonce, and a message blocksize of 256 bits. The irreducible polynomial for the finite field \(\mathbb {F}_{2^{2n}}^{}\) is \(f(x) = x^{256}\oplus x^{10} \oplus x^5 \oplus x^2 \oplus 1\).

Assume a message *M* with 514 blocks of 256 bits each was encrypted under the (unknown) target key *K* and nonce *N* to ciphertext *C* and tag *T*, and under the related key \(K' = K \oplus \varDelta \) with \(\varDelta = \mathtt {2}^{128}\) and the corresponding related nonce \(N'\) to \(C'\) and \(T'\).

**Table 2.** A solution for coefficients \(\lambda _i = 1\) in Eq. (1) in \(\mathbb {F}_{2^{256}}\) with field polynomial \(f(x) = x^{256}\oplus x^{10} \oplus x^5 \oplus x^2 \oplus 1\).

| Index | Modification to plaintext \(M_{2i}, M_{2i+1}\) (in \(\mathbb {F}_{2^{256}}\)) | Modification to ciphertext \(C'_{2i}, C'_{2i+1}\) (hex) |
|---|---|---|
| \(i = 2\) | \((\mathtt {2}^4 + \mathtt {1})\varDelta = \mathtt {2}^{132}+\mathtt {2}^{128}\) | \(\mathtt {2}^4 \varDelta =\mathtt {00}^{14} \Vert \mathtt {0010} \Vert \mathtt {00}^{16}\) |
| \(i = 3\) | \((\mathtt {2}^5 + \mathtt {1})\varDelta = \mathtt {2}^{133}+\mathtt {2}^{128}\) | \(\mathtt {2}^5 \varDelta = \mathtt {00}^{14} \Vert \mathtt {0020} \Vert \mathtt {00}^{16}\) |
| \(i = 5\) | \((\mathtt {2}^7 + \mathtt {1})\varDelta = \mathtt {2}^{135}+\mathtt {2}^{128}\) | \(\mathtt {2}^7 \varDelta = \mathtt {00}^{14} \Vert \mathtt {0080} \Vert \mathtt {00}^{16}\) |
| \(i = 8\) | \((\mathtt {2}^{10} + \mathtt {1})\varDelta = \mathtt {2}^{138}+\mathtt {2}^{128}\) | \(\mathtt {2}^{10} \varDelta = \mathtt {00}^{14} \Vert \mathtt {0400} \Vert \mathtt {00}^{16}\) |
| \(i = 10\) | \((\mathtt {2}^{12} + \mathtt {1})\varDelta = \mathtt {2}^{140}+\mathtt {2}^{128}\) | \(\mathtt {2}^{12} \varDelta = \mathtt {00}^{14} \Vert \mathtt {1000} \Vert \mathtt {00}^{16}\) |
| \(i = 254\) | \((\mathtt {2}^{256} + \mathtt {1})\varDelta = \mathtt {2}^{138} +\mathtt {2}^{133} +\mathtt {2}^{130}\) | \(\mathtt {2}^{256} \varDelta = \mathtt {00}^{14} \Vert \mathtt {0425} \Vert \mathtt {00}^{16}\) |
| \(i = 256\) | \((\mathtt {2}^{258} + \mathtt {1})\varDelta = \mathtt {2}^{140} +\mathtt {2}^{135} +\mathtt {2}^{132} +\mathtt {2}^{130} +\mathtt {2}^{128}\) | \(\mathtt {2}^{258} \varDelta = \mathtt {00}^{14} \Vert \mathtt {1094} \Vert \mathtt {00}^{16}\) |

Using this solution and the known message *M*, we can now forge tag \(T^*\) and ciphertext \(C^*\) for the modified message \(M^*\), which differs from *M* in the block indices \(j \in J = \{2i, 2i+1 : i \in \{2, 3, 5, 8, 10, 254, 256\}\}\): for \(j \in J\), the plaintext block \(M^*_j\) is \(M_j\) xored with the entry of the second column of Table 2, and the ciphertext block \(C^*_j\) is \(C'_j\) xored with the entry of the third column; all other blocks are copied from *M* and *C*, and \(T^* = T\). This forgery is valid for any key *K*, nonce *N* and message *M* with \(\ge 514\) blocks, and the corresponding related values \(K'\), \(N'\) for \(\varDelta = \mathtt {2}^{128}\).

## 4 Remarks and Advanced Attacks

### 4.1 Remarks on the Message Length

If an attacker carries out the basic attack as in Sect. 3, the modified message may have a slightly modified bit length. This is because the modification can shift the last nonzero bit, which marks the beginning of the message padding. This is not a problem since the message bitlength is not encoded anywhere else in the encryption process – except in the rare case that the last nonzero bit moves to the second-to-last block or earlier, which is not a valid format for the padded plaintext. This can be avoided by not including the last block pair in the modification process.

The attack is also applicable to messages \(M = M_0 \cdots M_{2m-1} M_{2m}\) with an odd number of blocks: simply do not include the last block \(M_{2m}\) in the modification process, and copy it directly to \(M^*_{2m}\). The same holds true for messages that include associated data *A*: simply copy the same associated data to the forged message.

### 4.2 Unknown Messages

The description in Sect. 3 assumes that one and the same message *M* is encrypted under both keys, *K* and \(K' = K \oplus \varDelta \), and that *M* is known to the attacker. This is, however, not necessarily required. Even without knowing *M*, the attacker can compute forged ciphertext blocks and the tag. In this case, he will not know the modified message \(M^*\), but only the induced difference \(M^* \oplus M\).

Furthermore, it is not required that the same message *M* is encrypted under both *K* and \(K \oplus \varDelta \). In fact, it is sufficient that the attacker has access to the ciphertexts for any two (not necessarily known, not necessarily equal-length) messages *M* (under *K*) and \(M'\) (under \(K' = K \oplus \varDelta \)), and knows the difference \(M_{2i+1} \oplus M'_{2i+1}\) for at least \(2n+1\) values of *i*. Let *I* be the set of indices *i* with known message differences, with \(|I| \ge 2n+1\). Then, the attacker solves the corresponding linear system over the pairs in *I* for the coefficients \(\lambda _i\); the forged message \(M^*\) (or, if *M* is unknown, its difference to *M*), ciphertext \(C^*\) and tag \(T^* = T\) then follow as in Sect. 3.

### 4.3 Multiple Forgeries

If the message is longer, with \(m = 2n + s\) block pairs instead of the minimum \(2n+1\), the linear system for the \(\lambda _i\) has \(2n+s\) unknowns, but still only 2*n* equations. Thus, the solution space has dimension \(\ge s\), containing \(\ge 2^{s}-1\) different non-zero solutions for \(\lambda \).

### 4.4 Almost Universal Forgery with Related-Key Queries

Assume the attacker wants to forge a ciphertext and tag for a target message \(M^*\) of his choice under the target key *K*. He can achieve this goal if (a) \(M^*\) has an even number of blocks, (b) he has access to the tag *T* of a known message *M* with the same number of blocks as \(M^*\) under the key *K*, and (c) he can modify one 2*n*-bit block with odd index of \(M^*\) (or, alternatively, of *M*). The attack works as follows:

1. Fix the target message length \(|M^*| = 2m\) (in blocks).
2. Obtain tag *T* for any known message *M* with \(|M| = 2m\) under key *K* and any nonce *N*.
3. Fix the preliminary target (challenge) message \(M^*\).
4. Let \(j^* = 2i^*+1\) be the modifiable block of \(M^*\). Modify
   $$\begin{aligned} M^*_{2i^*+1} = M_{2i^*+1} \oplus \bigoplus _{i \ne i^*} M_{2i+1} \oplus M^*_{2i+1}. \end{aligned}$$
5. Construct the query message \(M'\) as
   $$\begin{aligned} (M'_{2i}, M'_{2i+1}) = (M^*_{2i} \oplus (\mathtt {2}^{i+1} \oplus \mathtt {1}) \varDelta , M^*_{2i+1} \oplus (\mathtt {2}^{i+1} \oplus \mathtt {1}) \varDelta ) \qquad i = 0, \ldots , m-1. \end{aligned}$$
6. Request the ciphertext \(C'\) for the query message \(M'\) under \(K' = K \oplus \varDelta \) with nonce \(N' \Vert 10^* = (N \Vert 10^*) \oplus \varDelta \).
7. The forged ciphertext \(C^*\) and tag \(T^*\) for message \(M^*\) and nonce \(N^* = N\) can be computed as
   $$\begin{aligned} (C^*_{2i}, C^*_{2i+1})&= (C'_{2i} \oplus \mathtt {2}^{i+2} \varDelta , C'_{2i+1} \oplus \mathtt {2}^{i+2} \varDelta ) \qquad i = 0, \ldots , m-1, \\ T^*&= T. \end{aligned}$$

This is essentially the same strategy as in Sect. 4.2, except that instead of using fixed \(M, M'\) and adapting \(M^*\), we fix \(M, M^*\) and adapt \(M'\). To avoid solving the equation system for the correct \(\lambda _i\) (which would require relatively long message lengths 2*m*, and force us to have \(M^*_j = M_j\) for many *j*), we modify one block \(M^*_{j^*}\) to make \(\forall i : \, \lambda _i = 1\) a valid solution.
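The procedure above run end to end on an added toy model (it is not the Prøst code and does not use the Prøst permutation): a 16-bit single-key Even-Mansour cipher over a fixed public permutation inside an OTR-style two-round Feistel mode, with toy parameters \(n = 8\), block size \(2n = 16\) and a reduction polynomial for \(\mathbb {F}_{2^{16}}\). The mask schedule (\(\mathtt {2}^{i+2}\ell \) for the first round of pair *i*, \((\mathtt {2}^{i+2} \oplus \mathtt {1})\ell \) for the second) and the tag input are assumptions chosen to reproduce the difference pattern of Table 2; step 5 above writes the plaintext difference with exponent \(i+1\), Table 2 with \(i+2\), and the toy follows Table 2, since the exponent is whatever Algorithm 1 assigns to pair *i*. Keys, nonces and messages are constructed values.

```python
# Added toy model for the related-key query forgery of Sect. 4.4 (not Prøst code).
import random

N_BITS = 8                                               # toy n; block size is 2n = 16
MASK16 = (1 << 16) - 1
POLY = (1 << 16) | (1 << 12) | (1 << 3) | (1 << 1) | 1  # reduction polynomial for F_{2^16}
_P = list(range(1 << 16))
random.Random(2015).shuffle(_P)                          # fixed public permutation P


def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 16:
            a ^= POLY
    return r


def times_2k(x, k):
    for _ in range(k):
        x = gf_mul(x, 2)
    return x


def em(K, x):
    """Single-key Even-Mansour block cipher P~_K(x) = P(x xor K) xor K."""
    return _P[x ^ K] ^ K


def pad_nonce(N):
    return (N << N_BITS) | (1 << (N_BITS - 1))          # N || 10^*


def tag(K, ell, sigma, m):
    """Toy tag (assumption): n-bit truncation of P~_K applied to a function of Sigma, l, m."""
    return em(K, sigma ^ times_2k(ell, m + 2) ^ 1) >> N_BITS


def otr_encrypt(K, N, M):
    ell = em(K, pad_nonce(N))                            # secret counter basis l
    C, sigma = [], 0
    for i in range(len(M) // 2):
        a, b = M[2 * i], M[2 * i + 1]
        mask = times_2k(ell, i + 2)
        c0 = em(K, mask ^ a) ^ b                         # round 1, mask 2^{i+2} l
        c1 = em(K, mask ^ ell ^ c0) ^ a                  # round 2, mask (2^{i+2}+1) l
        C += [c0, c1]
        sigma ^= b                                       # checksum of odd-indexed blocks
    return C, tag(K, ell, sigma, len(M) // 2)


def otr_decrypt(K, N, C, T):
    """Feistel decryption needs only the forward cipher; returns None if the tag fails."""
    ell = em(K, pad_nonce(N))
    M, sigma = [], 0
    for i in range(len(C) // 2):
        c0, c1 = C[2 * i], C[2 * i + 1]
        mask = times_2k(ell, i + 2)
        a = em(K, mask ^ ell ^ c0) ^ c1
        b = em(K, mask ^ a) ^ c0
        M += [a, b]
        sigma ^= b
    return M if tag(K, ell, sigma, len(C) // 2) == T else None


def related(K, N, delta):
    """K' = K xor Delta and N'||10* = (N||10*) xor Delta; Delta may only touch the top n bits."""
    assert delta & ((1 << N_BITS) - 1) == 0 and delta <= MASK16
    return K ^ delta, N ^ (delta >> N_BITS)


def forge(delta, K_rel, N_rel, M, T, target, i_star):
    """Steps 3-7: given tag T of the known M under (K, N) and one chosen-plaintext
    query under the related key, output (M*, C*, T*) accepted under (K, N)."""
    m = len(M) // 2
    M_star = list(target)
    fix = M[2 * i_star + 1]                              # step 4: repair the checksum
    for i in range(m):
        if i != i_star:
            fix ^= M[2 * i + 1] ^ M_star[2 * i + 1]
    M_star[2 * i_star + 1] = fix
    query = [M_star[j] ^ times_2k(delta, j // 2 + 2) ^ delta for j in range(2 * m)]  # step 5
    C_rel, _ = otr_encrypt(K_rel, N_rel, query)          # step 6: the only related-key query
    C_star = [C_rel[j] ^ times_2k(delta, j // 2 + 2) for j in range(2 * m)]        # step 7
    return M_star, C_star, T


def demo():
    K, N, delta = 0x3A7C, 0x5B, 0x9100                   # constructed; delta touches only the top n bits
    K_rel, N_rel = related(K, N, delta)
    rng = random.Random(7)
    M = [rng.randrange(1 << 16) for _ in range(8)]       # known message whose tag the attacker has
    _, T = otr_encrypt(K, N, M)
    target = [0x4141] * 8                                # attacker's chosen message (block 7 is sacrificed)
    M_star, C_star, T_star = forge(delta, K_rel, N_rel, M, T, target, i_star=3)
    return otr_decrypt(K, N, C_star, T_star) == M_star and M_star[:7] == target[:7]
```

`demo` plays both sides: it obtains the tag of a known message under the target key, makes the single chosen-plaintext query under the related key and nonce, and checks that the receiver decrypts the forged ciphertext to the attacker's message with the copied tag. With \(n = 8\) the toy tag is only 8 bits, so it says nothing about the bounds of Prøst-OTR; what it shows is that the cancellation works for any permutation, since `_P` is an arbitrary shuffle.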

## 5 Discussion

The core of our attack is the following observation: If an authenticated encryption mode applies the block cipher to variable (controllable) inputs, an attacker can “lift” the inherent related-key weaknesses of the Even-Mansour construction to the entire mode. Then, he can use information from encryptions under a related key to forge ciphertext and tag for the target key.

A question that suggests itself is whether similar attacks are possible on other Prøst modes. In addition, other authenticated encryption modes might display similar problems when combined with an Even-Mansour block cipher.

Prøst-APE does not use the Even-Mansour construction at all, but plugs the permutation into a sponge construction. Thus, the attack is clearly not applicable. Prøst-COPA does use the permutation in an Even-Mansour construction. However, it seems to defy the attack by including \(E_K(0)\), the encryption of the value 0, in the definition of the helper value *L* (which plays a role similar to \(\ell \) in Prøst-OTR). Since a constant instead of the variable nonce *N* serves as input to the encryption, the input cannot be controlled to produce (differentially) predictable outputs of *L*. The situation is similar, for example, for the OCB mode of operation [18]: while the message could be used to cancel out differences in the helper counter value, this value is also derived from the encryption \(E_K(0)\) of the zero value and thus unpredictable.

*M* under key *K* and padded nonce \(N \Vert 0\) is simply

Clearly, the Even-Mansour construction is not well-suited as a general-purpose block cipher construction for all modes of operation. The Prøst-OTR design is an example of how even more complex modes can allow some undesirable properties of the Even-Mansour construction to be lifted to the complete authentication mode, in this case to generate related-key forgeries. The rising popularity of sponge modes and permutation-based encryption in general may lead to interesting new observations in this direction.

Finally, we stress again that the presented attack only concerns the OTR variant of Prøst. For this variant, powerful forgery attacks are possible in a related-key setting. The security of the other modes, Prøst-COPA and Prøst-APE, and in particular of the Prøst permutation itself, remains unaffected. It may be possible to tweak OTR to prevent the specific attack, for example by adapting the initialization of \(\ell \) to include \(\tilde{P}_K(0)\), similar to COPA and OCB. However, the general interaction of the OTR mode with the single-key Even-Mansour construction remains a reason for concern.

## Notes

### Acknowledgments

The work has been supported in part by the Austrian Science Fund (project P26494-N15) and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number 836628 (SeCoS).

## References

- 1. Alomair, B.: AVALANCHE v1. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/caesar-submissions.html
- 2. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2015)
- 3. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
- 4. Biham, E.: New types of cryptanalytic attacks using related keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994)
- 5. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)
- 6. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)
- 7. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F., Steinberger, J.P., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (extended abstract). In: Pointcheval and Johansson [23], pp. 45–62
- 8. Daemen, J.: Limitations of the Even-Mansour construction. In: Imai et al. [15], pp. 495–498
- 9. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval and Johansson [23], pp. 336–354
- 10. Dworkin, M.J.: SP 800-38C. Recommendation for block cipher modes of operation: The CCM mode for authentication and confidentiality. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2004)
- 11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai et al. [15], pp. 210–224
- 12. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom perm
utation. J. Cryptology 10(3), 151–162 (1997)
- 13. Gentry, C., Ramzan, Z.: Eliminating random permutation oracles in the Even-Mansour cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
- 14. IEEE 802.11 working group: IEEE Standard for information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Std 802.11-1997 (1997). http://ieeexplore.ieee.org/servlet/opac?punumber=5258
- 15. Matsumoto, T., Imai, H., Rivest, R.L. (eds.): ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993)
- 16. Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/caesar-submissions.html
- 17. Knudsen, L.R.: Cryptanalysis of LOKI. In: Imai et al. [15], pp. 22–35
- 18. Krovetz, T., Rogaway, P.: The OCB authenticated-encryption algorithm. IETF RFC 7253 (2014). http://tools.ietf.org/html/rfc7253
- 19. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
- 20. Lee, Y., Jeong, K., Sung, J., Hong, S.H.: Related-key chosen IV attacks on Grain-v1 and Grain-128. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 321–335. Springer, Heidelberg (2008)
- 21. Minematsu, K.: Parallelizable rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014)
- 22. Pasalic, E., Wei, Y.: Generic related-key and induced chosen IV attacks using the method of key differentiation. Cryptology ePrint Archive, Report 2013/586 (2013). http://eprint.iacr.org/2013/586
- 23. Pointcheval, D., Johansson, T. (eds.): EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg (2012)
- 24. Taylor, C.: Calico v8. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/caesar-submissions.html
- 25. The CAESAR committee: CAESAR: Competition for authenticated encryption: Security, applicability, and robustness (2014). http://competitions.cr.yp.to/caesar.html
- 26. Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). IETF RFC 3610 (2003). http://tools.ietf.org/html/rfc3610