Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart


JSON Export

{
  "files": [
    {
      "links": {
        "self": "https://zenodo.org/api/files/7c79400e-e58d-470d-a95c-04713fb4190e/HECTOR-Forgery-subkey-recovery-2015.pdf"
      }, 
      "checksum": "md5:351c2d8743cbaf66388e21fa2a80e717", 
      "bucket": "7c79400e-e58d-470d-a95c-04713fb4190e", 
      "key": "HECTOR-Forgery-subkey-recovery-2015.pdf", 
      "type": "pdf", 
      "size": 667485
    }
  ], 
  "owners": [
    22112
  ], 
  "doi": "10.5281/zenodo.55452", 
  "stats": {
    "version_unique_downloads": 8.0, 
    "unique_views": 37.0, 
    "views": 37.0, 
    "version_views": 37.0, 
    "unique_downloads": 8.0, 
    "version_unique_views": 37.0, 
    "volume": 5339880.0, 
    "version_downloads": 8.0, 
    "downloads": 8.0, 
    "version_volume": 5339880.0
  }, 
  "links": {
    "doi": "https://doi.org/10.5281/zenodo.55452", 
    "latest_html": "https://zenodo.org/record/55452", 
    "bucket": "https://zenodo.org/api/files/7c79400e-e58d-470d-a95c-04713fb4190e", 
    "badge": "https://zenodo.org/badge/doi/10.5281/zenodo.55452.svg", 
    "html": "https://zenodo.org/record/55452", 
    "latest": "https://zenodo.org/api/records/55452"
  }, 
  "created": "2016-08-29T08:29:55+00:00", 
  "updated": "2020-01-20T17:46:07.767516+00:00", 
  "conceptrecid": "636867", 
  "revision": 15, 
  "id": 55452, 
  "metadata": {
    "access_right_category": "success", 
    "part_of": {
      "pages": "197-204", 
      "title": "Selected Areas in Cryptography - SAC 2015"
    }, 
    "doi": "10.5281/zenodo.55452", 
    "description": "<p>iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al.\u00a0published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers\u2019 security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys <em>E</em><em>K</em>(0128) and <em>E</em><em>K</em>(<em>P</em><em>M</em><em>N</em>\u22251), where <em>K</em> is the secret key and <em>P</em><em>M</em><em>N</em> the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn <em>E</em><em>K</em>(<em>P</em>\u2217) for any freely chosen plaintext <em>P</em>\u2217. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.</p>", 
    "license": {
      "id": "CC-BY-NC-SA-4.0"
    }, 
    "title": "Forgery and Subkey Recovery on CAESAR candidate iFeed", 
    "notes": "H2020 644052 / HECTOR", 
    "relations": {
      "version": [
        {
          "count": 1, 
          "index": 0, 
          "parent": {
            "pid_type": "recid", 
            "pid_value": "636867"
          }, 
          "is_last": true, 
          "last_child": {
            "pid_type": "recid", 
            "pid_value": "55452"
          }
        }
      ]
    }, 
    "imprint": {
      "publisher": "Springer International Publishing", 
      "isbn": "978-3-319-31301-6"
    }, 
    "communities": [
      {
        "id": "hector"
      }
    ], 
    "keywords": [
      "CAESAR, iFeed, Forgery, Subkey recovery, Breaking forward secrecy"
    ], 
    "publication_date": "2015-08-12", 
    "creators": [
      {
        "affiliation": "KU Leuven", 
        "name": "Schro\u00e9, Willem"
      }, 
      {
        "affiliation": "KU Leuven", 
        "name": "Mennink, Bart"
      }, 
      {
        "affiliation": "KU Leuven", 
        "name": "Andreeva, Elena"
      }, 
      {
        "affiliation": "KU Leuven", 
        "name": "Preneel, Bart"
      }
    ], 
    "meeting": {
      "acronym": "SAC 2015", 
      "url": "http://mta.ca/sac2015/", 
      "dates": "12-14 August 2015", 
      "place": "Sackville, New Brunswick, Canada", 
      "title": "22nd International Conference on Selected Areas in Cryptography"
    }, 
    "access_right": "open", 
    "resource_type": {
      "subtype": "conferencepaper", 
      "type": "publication", 
      "title": "Conference paper"
    }, 
    "related_identifiers": [
      {
        "scheme": "doi", 
        "identifier": "10.1007/978-3-319-31301-6", 
        "relation": "isPartOf"
      }
    ]
  }
}