Conference paper Open Access

Forgery and Subkey Recovery on CAESAR candidate iFeed

Schroé, Willem; Mennink, Bart; Andreeva, Elena; Preneel, Bart


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam##2200000uu#4500</leader>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">CAESAR, iFeed, Forgery, Subkey recovery, Breaking forward secrecy</subfield>
  </datafield>
  <controlfield tag="005">20200120174607.0</controlfield>
  <datafield tag="500" ind1=" " ind2=" ">
    <subfield code="a">H2020 644052 / HECTOR</subfield>
  </datafield>
  <controlfield tag="001">55452</controlfield>
  <datafield tag="711" ind1=" " ind2=" ">
    <subfield code="d">12-14 August 2015</subfield>
    <subfield code="g">SAC 2015</subfield>
    <subfield code="a">22nd International Conference on Selected Areas in Cryptography</subfield>
    <subfield code="c">Sackville, New Brunswick, Canada</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">KU Leuven</subfield>
    <subfield code="a">Mennink, Bart</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">KU Leuven</subfield>
    <subfield code="a">Andreeva, Elena</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">KU Leuven</subfield>
    <subfield code="a">Preneel, Bart</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">667485</subfield>
    <subfield code="z">md5:351c2d8743cbaf66388e21fa2a80e717</subfield>
    <subfield code="u">https://zenodo.org/record/55452/files/HECTOR-Forgery-subkey-recovery-2015.pdf</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="y">Conference website</subfield>
    <subfield code="u">http://mta.ca/sac2015/</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2015-08-12</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire</subfield>
    <subfield code="p">user-hector</subfield>
    <subfield code="o">oai:zenodo.org:55452</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">KU Leuven</subfield>
    <subfield code="a">Schroé, Willem</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">Forgery and Subkey Recovery on CAESAR candidate iFeed</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">user-hector</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">http://creativecommons.org/licenses/by-nc-sa/4.0/legalcode</subfield>
    <subfield code="a">Creative Commons Attribution Non Commercial Share Alike 4.0 International</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys &lt;em&gt;E&lt;/em&gt;&lt;em&gt;K&lt;/em&gt;(0128) and &lt;em&gt;E&lt;/em&gt;&lt;em&gt;K&lt;/em&gt;(&lt;em&gt;P&lt;/em&gt;&lt;em&gt;M&lt;/em&gt;&lt;em&gt;N&lt;/em&gt;∥1), where &lt;em&gt;K&lt;/em&gt; is the secret key and &lt;em&gt;P&lt;/em&gt;&lt;em&gt;M&lt;/em&gt;&lt;em&gt;N&lt;/em&gt; the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn &lt;em&gt;E&lt;/em&gt;&lt;em&gt;K&lt;/em&gt;(&lt;em&gt;P&lt;/em&gt;∗) for any freely chosen plaintext &lt;em&gt;P&lt;/em&gt;∗. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isPartOf</subfield>
    <subfield code="a">10.1007/978-3-319-31301-6</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="g">197-204</subfield>
    <subfield code="b">Springer International Publishing</subfield>
    <subfield code="z">978-3-319-31301-6</subfield>
    <subfield code="t">Selected Areas in Cryptography - SAC 2015</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.55452</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">publication</subfield>
    <subfield code="b">conferencepaper</subfield>
  </datafield>
</record>