Related-Key Forgeries for Prøst-OTR

  • Christoph Dobraunig
  • Maria Eichlseder
  • Florian Mendel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9054)

Abstract

We present a forgery attack on Prøst-OTR in a related-key setting. Prøst is a family of authenticated encryption algorithms proposed as candidates in the currently ongoing CAESAR competition, and Prøst-OTR is one of the three variants of the Prøst design. The attack exploits how the Prøst permutation is used in an Even-Mansour construction in the Feistel-based OTR mode of operation. Given the ciphertext and tag for any two messages under two related keys K and \(K \oplus \varDelta \) with related nonces, we can forge the ciphertext and tag for a modified message under K. If we can query ciphertexts for chosen messages under \(K \oplus \varDelta \), we can achieve almost universal forgery for K. The computational complexity is negligible.
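The abstract rests on the fact that a single-key Even-Mansour cipher E_K(x) = P(x ⊕ K) ⊕ K built from a public permutation P relates keys to inputs and outputs in a very rigid way: for any difference Δ, E_{K⊕Δ}(x ⊕ Δ) = E_K(x) ⊕ Δ, because the key difference cancels against the input difference inside P and reappears only at the output. The following is an added illustration of that identity and is not code from the paper; it does not reproduce the OTR forgery itself. The 16-bit seeded random permutation stands in for the Prøst permutation, and the keys and difference are arbitrary constants chosen for the example.

```python
"""Related-key identity of single-key Even-Mansour, E_K(x) = P(x ^ K) ^ K.

Added example: the permutation P below is a constructed, seeded random
permutation on 16-bit words standing in for the Prost permutation; it has
none of Prost's structure and only serves to make the identity concrete.
"""
import random

WIDTH = 16
MASK = (1 << WIDTH) - 1


def make_public_permutation(seed: int = 2015) -> list:
    """Constructed stand-in for a public permutation P on WIDTH-bit words."""
    table = list(range(1 << WIDTH))
    random.Random(seed).shuffle(table)
    return table


P = make_public_permutation()


def even_mansour(key: int, x: int) -> int:
    """Single-key Even-Mansour: whiten with K, apply public P, whiten again."""
    return P[(x ^ key) & MASK] ^ key


def related_key_identity_holds(key: int, delta: int, x: int) -> bool:
    """E_{K ^ D}(x ^ D) == E_K(x) ^ D: inside P the two differences cancel,
    so the only trace of D is the XOR on the output whitening."""
    return even_mansour(key ^ delta, x ^ delta) == even_mansour(key, x) ^ delta


def predict_under_target_key(related_key_oracle, delta: int, x: int) -> int:
    """Given only an oracle for E under K ^ D (never K itself), compute E_K(x).

    This is the kind of capability a related-key adversary gets for free:
    every query under the related key is also a query under the target key,
    shifted by D on input and output."""
    return related_key_oracle(x ^ delta) ^ delta


def check_all_inputs(key: int, delta: int) -> bool:
    """Exhaustively confirm the identity over the whole 16-bit domain."""
    return all(related_key_identity_holds(key, delta, x) for x in range(1 << WIDTH))


def fraction_matching(key: int, other_key: int, delta: int, samples: int = 4096) -> float:
    """Control: how often E_{other}(x ^ D) == E_K(x) ^ D over random x.

    For other_key == key ^ D this is 1.0; for an unrelated key it is the
    chance collision rate of roughly 1 / 2**WIDTH per sample."""
    rng = random.Random(1)
    hits = 0
    for _ in range(samples):
        x = rng.getrandbits(WIDTH)
        if even_mansour(other_key, x ^ delta) == even_mansour(key, x) ^ delta:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    K, D = 0x3A5F, 0x0F0F          # arbitrary constants for the example
    print("identity holds for all x:", check_all_inputs(K, D))
    oracle = lambda y: even_mansour(K ^ D, y)   # adversary only has this
    print("predicted E_K(0x1234) matches:",
          predict_under_target_key(oracle, D, 0x1234) == even_mansour(K, 0x1234))
    print("match rate, related key:  ", fraction_matching(K, K ^ D, D))
    print("match rate, unrelated key:", fraction_matching(K, 0x7777, D))
```

The identity is exact, costs nothing to exploit, and does not depend on any weakness in P; it is a property of the whitening structure alone. That is why a mode that wraps a single-key Even-Mansour cipher and lets nonces shift the block inputs has to be analysed separately in the related-key setting, which is the gap the paper's forgery exploits.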

Keywords

CAESAR competition, Cryptanalysis, Prøst, Authenticated encryption, Related-key

Notes

Acknowledgments

The work has been supported in part by the Austrian Science Fund (project P26494-N15) and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number 836628 (SeCoS).

References

  1. Alomair, B.: AVALANCHE v1. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/caesar-submissions.html
  2. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: authenticated permutation-based encryption for lightweight cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2015)
  3. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
  4. Biham, E.: New types of cryptanalytic attacks using related keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994)
  5. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)
  6. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)
  7. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F., Steinberger, J.P., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (extended abstract). In: Pointcheval and Johansson [23], pp. 45–62
  8. Daemen, J.: Limitations of the Even-Mansour construction. In: Imai et al. [15], pp. 495–498
  9. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval and Johansson [23], pp. 336–354
  10. Dworkin, M.J.: SP 800-38C. Recommendation for block cipher modes of operation: The CCM mode for authentication and confidentiality. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2004)
  11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai et al. [15], pp. 210–224
  12. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
  13. Gentry, C., Ramzan, Z.: Eliminating random permutation oracles in the Even-Mansour cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
  14. IEEE 802.11 working group: IEEE Standard for information technology–Telecommunications and information exchange between systems–Local and metropolitan area networks–Specific requirements–Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Std 802.11-1997 (1997). http://ieeexplore.ieee.org/servlet/opac?punumber=5258
  15. Matsumoto, T., Imai, H., Rivest, R.L. (eds.): ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993)
  16. Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/caesar-submissions.html
  17. Knudsen, L.R.: Cryptanalysis of LOKI. In: Imai et al. [15], pp. 22–35
  18. Krovetz, T., Rogaway, P.: The OCB authenticated-encryption algorithm. IETF RFC 7253 (2014). http://tools.ietf.org/html/rfc7253
  19. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012)
  20. Lee, Y., Jeong, K., Sung, J., Hong, S.H.: Related-key chosen IV attacks on Grain-v1 and Grain-128. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 321–335. Springer, Heidelberg (2008)
  21. Minematsu, K.: Parallelizable Rate-1 authenticated encryption from pseudorandom functions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 275–292. Springer, Heidelberg (2014)
  22. Pasalic, E., Wei, Y.: Generic related-key and induced chosen IV attacks using the method of key differentiation. Cryptology ePrint Archive, Report 2013/586 (2013). http://eprint.iacr.org/2013/586
  23. Pointcheval, D., Johansson, T. (eds.): EUROCRYPT 2012. LNCS, vol. 7237. Springer, Heidelberg (2012)
  24. Taylor, C.: Calico v8. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/caesar-submissions.html
  25. The CAESAR committee: CAESAR: Competition for authenticated encryption: Security, applicability, and robustness (2014). http://competitions.cr.yp.to/caesar.html
  26. Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). IETF RFC 3610 (2003). http://tools.ietf.org/html/rfc3610

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Christoph Dobraunig (1)
  • Maria Eichlseder (1)
  • Florian Mendel (1)

  1. IAIK, Graz University of Technology, Graz, Austria
