Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart


DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://datacite.org/schema/kernel-4" xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4.1/metadata.xsd">
  <identifier identifierType="DOI">10.5281/zenodo.55452</identifier>
  <creators>
    <creator>
      <creatorName>Schroé, Willem</creatorName>
      <givenName>Willem</givenName>
      <familyName>Schroé</familyName>
      <affiliation>KU Leuven</affiliation>
    </creator>
    <creator>
      <creatorName>Mennink, Bart</creatorName>
      <givenName>Bart</givenName>
      <familyName>Mennink</familyName>
      <affiliation>KU Leuven</affiliation>
    </creator>
    <creator>
      <creatorName>Andreeva, Elena</creatorName>
      <givenName>Elena</givenName>
      <familyName>Andreeva</familyName>
      <affiliation>KU Leuven</affiliation>
    </creator>
    <creator>
      <creatorName>Preneel, Bart</creatorName>
      <givenName>Bart</givenName>
      <familyName>Preneel</familyName>
      <affiliation>KU Leuven</affiliation>
    </creator>
  </creators>
  <titles>
    <title>Forgery and Subkey Recovery on CAESAR candidate iFeed</title>
  </titles>
  <publisher>Zenodo</publisher>
  <publicationYear>2015</publicationYear>
  <subjects>
    <subject>CAESAR</subject>
    <subject>iFeed</subject>
    <subject>Forgery</subject>
    <subject>Subkey recovery</subject>
    <subject>Breaking forward secrecy</subject>
  </subjects>
  <dates>
    <date dateType="Issued">2015-08-12</date>
  </dates>
  <resourceType resourceTypeGeneral="Text">Conference paper</resourceType>
  <alternateIdentifiers>
    <alternateIdentifier alternateIdentifierType="url">https://zenodo.org/record/55452</alternateIdentifier>
  </alternateIdentifiers>
  <relatedIdentifiers>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsPartOf">10.1007/978-3-319-31301-6</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="URL" relationType="IsPartOf">https://zenodo.org/communities/hector</relatedIdentifier>
  </relatedIdentifiers>
  <rightsList>
    <rights rightsURI="https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode">Creative Commons Attribution Non Commercial Share Alike 4.0 International</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
  </rightsList>
  <descriptions>
    <description descriptionType="Abstract">&lt;p&gt;iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Moreover, the forgery leaks both subkeys &lt;em&gt;E&lt;/em&gt;&lt;sub&gt;&lt;em&gt;K&lt;/em&gt;&lt;/sub&gt;(0&lt;sup&gt;128&lt;/sup&gt;) and &lt;em&gt;E&lt;/em&gt;&lt;sub&gt;&lt;em&gt;K&lt;/em&gt;&lt;/sub&gt;(&lt;em&gt;PMN&lt;/em&gt;∥1), where &lt;em&gt;K&lt;/em&gt; is the secret key and &lt;em&gt;PMN&lt;/em&gt; the nonce used for the authenticated encryption. Furthermore, we show how, at the price of just one additional forgery, one can learn &lt;em&gt;E&lt;/em&gt;&lt;sub&gt;&lt;em&gt;K&lt;/em&gt;&lt;/sub&gt;(&lt;em&gt;P&lt;/em&gt;&lt;sup&gt;∗&lt;/sup&gt;) for any freely chosen plaintext &lt;em&gt;P&lt;/em&gt;&lt;sup&gt;∗&lt;/sup&gt;. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.&lt;/p&gt;</description>
    <description descriptionType="Other">H2020 644052 / HECTOR</description>
  </descriptions>
</resource>