Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart

Citation Style Language JSON Export

  "publisher": "Springer International Publishing", 
  "DOI": "10.5281/zenodo.55452", 
  "ISBN": "978-3-319-31301-6", 
  "container_title": "Selected Areas in Cryptography - SAC 2015", 
  "title": "Forgery and Subkey Recovery on CAESAR candidate iFeed", 
  "issued": {
    "date-parts": [
  "abstract": "<p>iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al.\u00a0published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers\u2019 security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys <em>E</em><em>K</em>(0128) and <em>E</em><em>K</em>(<em>P</em><em>M</em><em>N</em>\u22251), where <em>K</em> is the secret key and <em>P</em><em>M</em><em>N</em> the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn <em>E</em><em>K</em>(<em>P</em>\u2217) for any freely chosen plaintext <em>P</em>\u2217. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.</p>", 
  "author": [
      "family": "Schro\u00e9, Willem"
      "family": "Mennink, Bart"
      "family": "Andreeva, Elena"
      "family": "Preneel, Bart"
  "page": "197-204", 
  "note": "H2020 644052 / HECTOR", 
  "type": "paper-conference", 
  "id": "55452"
All versions This version
Views 3737
Downloads 1616
Data volume 10.7 MB10.7 MB
Unique views 3737
Unique downloads 1616


Cite as