Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart


Dublin Core Export

<?xml version='1.0' encoding='utf-8'?>
<oai_dc:dc xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.openarchives.org/OAI/2.0/oai_dc/ http://www.openarchives.org/OAI/2.0/oai_dc.xsd">
  <dc:creator>Schroé, Willem</dc:creator>
  <dc:creator>Mennink, Bart</dc:creator>
  <dc:creator>Andreeva, Elena</dc:creator>
  <dc:creator>Preneel, Bart</dc:creator>
  <dc:date>2015-08-12</dc:date>
  <dc:description>iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys E_K(0^128) and E_K(PMN∥1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn E_K(P*) for any freely chosen plaintext P*. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.</dc:description>
  <dc:description>H2020 644052 / HECTOR</dc:description>
  <dc:identifier>https://zenodo.org/record/55452</dc:identifier>
  <dc:identifier>10.5281/zenodo.55452</dc:identifier>
  <dc:identifier>oai:zenodo.org:55452</dc:identifier>
  <dc:publisher>Springer International Publishing</dc:publisher>
  <dc:relation>doi:10.1007/978-3-319-31301-6</dc:relation>
  <dc:relation>url:https://zenodo.org/communities/hector</dc:relation>
  <dc:rights>info:eu-repo/semantics/openAccess</dc:rights>
  <dc:rights>http://creativecommons.org/licenses/by-nc-sa/4.0/legalcode</dc:rights>
  <dc:subject>CAESAR, iFeed, Forgery, Subkey recovery, Breaking forward secrecy</dc:subject>
  <dc:title>Forgery and Subkey Recovery on CAESAR candidate iFeed</dc:title>
  <dc:type>info:eu-repo/semantics/conferencePaper</dc:type>
  <dc:type>publication-conferencepaper</dc:type>
</oai_dc:dc>