Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart

iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys EK(0128) and EK(PMN∥1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn EK(P∗) for any freely chosen plaintext P∗. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.

H2020 644052 / HECTOR
Files (667.5 kB)
Name Size
667.5 kB Download
All versions This version
Views 3737
Downloads 1616
Data volume 10.7 MB10.7 MB
Unique views 3737
Unique downloads 1616


Cite as