• PDF / 886,779 Bytes
• 15 Pages / 439.37 x 666.142 pts Page_size
• 25 Downloads / 188 Views

DOWNLOAD

REPORT

¨ ITAK ˙ ˙ TUB BILGEM, Gebze, Turkey {asli.bay,ferhat.karakoc}@tubitak.gov.tr Electrical and Electronics Engineering Department, Bo˘ gazi¸ci University, Istanbul, Turkey [email protected]

Abstract. In this paper, we provide a security analysis of ELmD: a block cipher based Encrypt-Linear-mix-Decrypt authentication mode. As being one of the second-round CAESAR candidate, it is claimed to provide misuse resistant against forgeries and security against blockwise adaptive adversaries as well as 128-bit security against key recovery attacks. We scrutinize ElmD in such a way that we provide universal forgery attacks as well as key recovery attacks. First, based on the collision attacks on similar structures such as Marble, AEZ, and COPA, we present universal forgery attacks. Second, by exploiting the structure of ELmD, we acquire ability to query to the block cipher used in ELmD. Finally, for one of the proposed versions of ELmD, we mount key recovery attacks reducing the effective key strength by more than 60 bits. Keywords: Authenticated encryption attack · Key recovery

1

·

CAESAR

·

ELmD

·

Forgery

Introduction

CAESAR competition [1] (Competition for Authenticated Encryption: Security, Applicability, and Robustness) has been announced in January 2013 aiming at fulfilling the needs of secure, efficient and robust authenticated encryption schemes. In total, 57 candidates are submitted to the competition. These schemes are released to crypto community for their security analysis and around 20 of them were eliminated in the first round of the competition in July 2015. Since then, around 30 candidates compete in the second round, and are being analyzed in terms of their security and efficiency. ELmD is amongst the second-round CAESAR candidates designed by Datta and Nandi [5]. It is an Encrypt-Linear-mix-Decrypt block cipher authentication mode accepting associated data, and its structure is similar to some other ¨ ITAK ˙ ˙ A. Bay—This author is financially supported by TUB (BIDEB 2232, Project No. 115C119). ¨ ITAK ˙ ˙ O. Ersoy—The work was done while this author was working at TUB BILGEM. c International Association for Cryptologic Research 2016  J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part I, LNCS 10031, pp. 354–368, 2016. DOI: 10.1007/978-3-662-53887-6 13

Universal Forgery and Key Recovery Attacks

355

authenticated encryption schemes such as AES-COPA [2], Marble [10], and SHELL [12]. ELmD is fully parallelizable and online, that is, ith block of ciphertext only depends on the first i blocks of plaintext. As an optional property, it provides intermediate tag verification in order to fasten verification process and to be secure against block-wise adaptive adversaries. Designers of ELmD claim that the scheme provides nonce misuse resistance against forgery attacks. According to authors’ assertion, ELmD provides 62.8-bit security for integrity (forgery attacks) and for privacy (distinguishing attacks). Indeed, they claim that ELmD provides 128-bit security against key recovery attacks that we disprove by

Recommend Documents

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes

155 0 31MB

Investigating Cube Attacks on the Authenticated Encryption Stream Cipher ACORN

183 101 7MB

Subvert KEM to Break DEM: Practical Algorithm-Substitution Attacks on Public-Key Encryption

149 70 24MB

Multi-key Authenticated Encryption with Corruptions: Reductions Are Lossy

183 76 651KB

Password-authenticated searchable encryption

195 69 1012KB

Biometric-Authenticated Searchable Encryption

163 49 15MB

The RSA Public-Key Encryption Algorithm

173 110 2MB

Security of Public Key Encryption Against Resetting Attacks

176 69 32MB

Authenticated Encryption with Variable Stretch

215 46 31MB

Heterogeneous Deniable Authenticated Encryption Protocol

185 52 57MB

Session key based fast, secure and lightweight image encryption algorithm

180 65 4MB

Identity-Based Authenticated Encryption with Identity Confidentiality

213 87 39MB