Can Caesar Beat Galois?

Robustness of CAESAR Candidates Against Nonce Reusing and High Data Complexity Attacks
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)

Abstract

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to “identify a portfolio of authenticated ciphers that offer advantages over [the Galois-Counter Mode with AES] and are suitable for widespread adoption.” Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.e. whether it can tolerate nonce misuse, and what the maximal data complexity is for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting “Robustness” in CAESAR as the ability to mitigate damage when security guarantees are void, we describe attacks with 64-bit complexity or above, and/or with nonce reuse, for each of the 15 candidates. We then classify the candidates depending on how powerful an attacker needs to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful, for example, for breaking ties in the final CAESAR discussions.

Keywords

Authenticated encryption; CAESAR competition; Forgery; Decryption attack; Key recovery; Birthday bound; Nonce misuse

Acknowledgements

We would like to thank all CAESAR designers who provided us with their feedback. We would like to thank the Ascon team for pointing out that generic attacks with the same time but much lower data complexity than our forgery exist, and the Deoxys team for suggesting a better way to measure adversarial resources for nonce misuse. We would also like to thank the attendants of the Dagstuhl seminar 2018, and the anonymous reviewers for constructive comments.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

EPFL, Lausanne, Switzerland