Forgery and Subkey Recovery on CAESAR Candidate iFeed


Ontology type: schema:Chapter      Open Access: True


Chapter Info

DATE

2016

AUTHORS

Willem Schroé , Bart Mennink , Elena Andreeva , Bart Preneel

ABSTRACT

iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys $E_K(0^{128})$ and $E_K(PMN \Vert 1)$, where $K$ is the secret key and $PMN$ the nonce used for the authenticated encryption.
Furthermore, we show how at the price of just one additional forgery one can learn $E_K(P^*)$ for any freely chosen plaintext $P^*$. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.

PAGES

197-204

Book

TITLE

Selected Areas in Cryptography – SAC 2015

ISBN

978-3-319-31300-9
978-3-319-31301-6

Author Affiliations

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-319-31301-6_11

DOI

http://dx.doi.org/10.1007/978-3-319-31301-6_11

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1005197561



[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0804", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Data Format", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "iMinds, Ghent, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.56912.39", 
          "name": [
            "Department of Electrical Engineering, ESAT/COSIC, KU Leuven, Leuven, Belgium", 
            "iMinds, Ghent, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Schro\u00e9", 
        "givenName": "Willem", 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "iMinds, Ghent, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.56912.39", 
          "name": [
            "Department of Electrical Engineering, ESAT/COSIC, KU Leuven, Leuven, Belgium", 
            "iMinds, Ghent, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Mennink", 
        "givenName": "Bart", 
        "id": "sg:person.012130641461.76", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012130641461.76"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "iMinds, Ghent, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.56912.39", 
          "name": [
            "Department of Electrical Engineering, ESAT/COSIC, KU Leuven, Leuven, Belgium", 
            "iMinds, Ghent, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Andreeva", 
        "givenName": "Elena", 
        "id": "sg:person.010624232445.91", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010624232445.91"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "iMinds, Ghent, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.56912.39", 
          "name": [
            "Department of Electrical Engineering, ESAT/COSIC, KU Leuven, Leuven, Belgium", 
            "iMinds, Ghent, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Preneel", 
        "givenName": "Bart", 
        "id": "sg:person.011115044357.39", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011115044357.39"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2016", 
    "datePublishedReg": "2016-01-01", 
    "description": "AbstractiFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al.\u00a0published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers\u2019 security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys $E_K(0^{128})$ and $E_K(PMN \\Vert 1)$, where K is the secret key and $PMN$ the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn $E_K(P^*)$ for any freely chosen plaintext $P^*$. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.", 
    "editor": [
      {
        "familyName": "Dunkelman", 
        "givenName": "Orr", 
        "type": "Person"
      }, 
      {
        "familyName": "Keliher", 
        "givenName": "Liam", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-319-31301-6_11", 
    "isAccessibleForFree": true, 
    "isPartOf": {
      "isbn": [
        "978-3-319-31300-9", 
        "978-3-319-31301-6"
      ], 
      "name": "Selected Areas in Cryptography \u2013 SAC 2015", 
      "type": "Book"
    }, 
    "keywords": [
      "nonce-respecting setting", 
      "security compromises", 
      "forward secrecy", 
      "encryption design", 
      "first round candidates", 
      "secret key", 
      "encryption queries", 
      "security claims", 
      "CAESAR competition", 
      "latter attack", 
      "forgery", 
      "encryption", 
      "nonce", 
      "design weaknesses", 
      "confidentiality", 
      "queries", 
      "decrypt", 
      "plaintext", 
      "security", 
      "subkeys", 
      "secrecy", 
      "designers", 
      "attacks", 
      "RUP", 
      "design", 
      "authenticity", 
      "key", 
      "setting", 
      "work", 
      "weakness", 
      "compromise", 
      "one", 
      "et al", 
      "Wang", 
      "Zhang", 
      "competition", 
      "Wu", 
      "prices", 
      "candidates", 
      "claims", 
      "al", 
      "recovery", 
      "suis", 
      "PMN"
    ], 
    "name": "Forgery and Subkey Recovery on CAESAR Candidate iFeed", 
    "pagination": "197-204", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1005197561"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-319-31301-6_11"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-319-31301-6_11", 
      "https://app.dimensions.ai/details/publication/pub.1005197561"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-09-02T16:13", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220902/entities/gbq_results/chapter/chapter_272.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-319-31301-6_11"
  }
]

HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-31301-6_11'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-31301-6_11'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-31301-6_11'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-31301-6_11'


 

This table displays all metadata directly associated to this object as RDF triples.

129 TRIPLES      22 PREDICATES      69 URIs      62 LITERALS      7 BLANK NODES

Subject Predicate Object
1 sg:pub.10.1007/978-3-319-31301-6_11 schema:about anzsrc-for:08
2 anzsrc-for:0804
3 schema:author N0ac2b9ff2f0b438988c9d11ace927489
4 schema:datePublished 2016
5 schema:datePublishedReg 2016-01-01
6 schema:description AbstractiFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys $E_K(0^{128})$ and $E_K(PMN \Vert 1)$, where K is the secret key and $PMN$ the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn $E_K(P^*)$ for any freely chosen plaintext $P^*$. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.
7 schema:editor N1f1bfea1236d48c99397f6d9c7d4f301
8 schema:genre chapter
9 schema:isAccessibleForFree true
10 schema:isPartOf N4fe030dd55624f95ad1e95181c4fb520
11 schema:keywords CAESAR competition
12 PMN
13 RUP
14 Wang
15 Wu
16 Zhang
17 al
18 attacks
19 authenticity
20 candidates
21 claims
22 competition
23 compromise
24 confidentiality
25 decrypt
26 design
27 design weaknesses
28 designers
29 encryption
30 encryption design
31 encryption queries
32 et al
33 first round candidates
34 forgery
35 forward secrecy
36 key
37 latter attack
38 nonce
39 nonce-respecting setting
40 one
41 plaintext
42 prices
43 queries
44 recovery
45 secrecy
46 secret key
47 security
48 security claims
49 security compromises
50 setting
51 subkeys
52 suis
53 weakness
54 work
55 schema:name Forgery and Subkey Recovery on CAESAR Candidate iFeed
56 schema:pagination 197-204
57 schema:productId N4f56beb8198f472b9fe08be7debf216f
58 N8148fafc2cce492b898073244e5e1eda
59 schema:publisher N6e84f7e68d0d4c0f885ac8370fc17d88
60 schema:sameAs https://app.dimensions.ai/details/publication/pub.1005197561
61 https://doi.org/10.1007/978-3-319-31301-6_11
62 schema:sdDatePublished 2022-09-02T16:13
63 schema:sdLicense https://scigraph.springernature.com/explorer/license/
64 schema:sdPublisher N8b7f6e6583714a11a2a18796bd516665
65 schema:url https://doi.org/10.1007/978-3-319-31301-6_11
66 sgo:license sg:explorer/license/
67 sgo:sdDataset chapters
68 rdf:type schema:Chapter
69 N0ac2b9ff2f0b438988c9d11ace927489 rdf:first Nd0371dffbd4b4bae8572e065031b270a
70 rdf:rest N48ea8c0dc39540c5831e8fa342f41b4d
71 N0d1562ae09054463bb8da5b959574265 rdf:first sg:person.010624232445.91
72 rdf:rest Nd850cba6ea4346f2a10e157cb6018a93
73 N1f1bfea1236d48c99397f6d9c7d4f301 rdf:first N472434c4c6c84607b153dbfbb22f77de
74 rdf:rest Nd0ba6f710e3d46fe9b4b5b2ae776e6f9
75 N20de8da870af4843a703e6354e104115 schema:familyName Keliher
76 schema:givenName Liam
77 rdf:type schema:Person
78 N472434c4c6c84607b153dbfbb22f77de schema:familyName Dunkelman
79 schema:givenName Orr
80 rdf:type schema:Person
81 N48ea8c0dc39540c5831e8fa342f41b4d rdf:first sg:person.012130641461.76
82 rdf:rest N0d1562ae09054463bb8da5b959574265
83 N4f56beb8198f472b9fe08be7debf216f schema:name doi
84 schema:value 10.1007/978-3-319-31301-6_11
85 rdf:type schema:PropertyValue
86 N4fe030dd55624f95ad1e95181c4fb520 schema:isbn 978-3-319-31300-9
87 978-3-319-31301-6
88 schema:name Selected Areas in Cryptography – SAC 2015
89 rdf:type schema:Book
90 N6e84f7e68d0d4c0f885ac8370fc17d88 schema:name Springer Nature
91 rdf:type schema:Organisation
92 N8148fafc2cce492b898073244e5e1eda schema:name dimensions_id
93 schema:value pub.1005197561
94 rdf:type schema:PropertyValue
95 N8b7f6e6583714a11a2a18796bd516665 schema:name Springer Nature - SN SciGraph project
96 rdf:type schema:Organization
97 Nd0371dffbd4b4bae8572e065031b270a schema:affiliation grid-institutes:grid.56912.39
98 schema:familyName Schroé
99 schema:givenName Willem
100 rdf:type schema:Person
101 Nd0ba6f710e3d46fe9b4b5b2ae776e6f9 rdf:first N20de8da870af4843a703e6354e104115
102 rdf:rest rdf:nil
103 Nd850cba6ea4346f2a10e157cb6018a93 rdf:first sg:person.011115044357.39
104 rdf:rest rdf:nil
105 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
106 schema:name Information and Computing Sciences
107 rdf:type schema:DefinedTerm
108 anzsrc-for:0804 schema:inDefinedTermSet anzsrc-for:
109 schema:name Data Format
110 rdf:type schema:DefinedTerm
111 sg:person.010624232445.91 schema:affiliation grid-institutes:grid.56912.39
112 schema:familyName Andreeva
113 schema:givenName Elena
114 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010624232445.91
115 rdf:type schema:Person
116 sg:person.011115044357.39 schema:affiliation grid-institutes:grid.56912.39
117 schema:familyName Preneel
118 schema:givenName Bart
119 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011115044357.39
120 rdf:type schema:Person
121 sg:person.012130641461.76 schema:affiliation grid-institutes:grid.56912.39
122 schema:familyName Mennink
123 schema:givenName Bart
124 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012130641461.76
125 rdf:type schema:Person
126 grid-institutes:grid.56912.39 schema:alternateName iMinds, Ghent, Belgium
127 schema:name Department of Electrical Engineering, ESAT/COSIC, KU Leuven, Leuven, Belgium
128 iMinds, Ghent, Belgium
129 rdf:type schema:Organization