Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart

Dublin Core Export

<?xml version='1.0' encoding='utf-8'?>
<oai_dc:dc xmlns:dc="" xmlns:oai_dc="" xmlns:xsi="" xsi:schemaLocation="">
  <dc:creator>Schroé, Willem</dc:creator>
  <dc:creator>Mennink, Bart</dc:creator>
  <dc:creator>Andreeva, Elena</dc:creator>
  <dc:creator>Preneel, Bart</dc:creator>
  <dc:description>iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys EK(0128) and EK(PMN∥1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn EK(P∗) for any freely chosen plaintext P∗. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.</dc:description>
  <dc:description>H2020 644052 / HECTOR</dc:description>
  <dc:publisher>Springer International Publishing</dc:publisher>
  <dc:subject>CAESAR, iFeed, Forgery, Subkey recovery, Breaking forward secrecy</dc:subject>
  <dc:title>Forgery and Subkey Recovery on CAESAR candidate iFeed</dc:title>
All versions This version
Views 3737
Downloads 1616
Data volume 10.7 MB10.7 MB
Unique views 3737
Unique downloads 1616


Cite as