Collision Attacks against CAESAR Candidates: Forgery and Key-Recovery against AEZ and Marble

Abstract : In this paper we study authenticated encryption algorithms inspired by the OCB mode (Offset Codebook). These algorithms use secret offsets (masks derived from a whitening key) to turn a block cipher into a tweakable block cipher, following the XE or XEX construction. OCB has a security proof up to 2 n/2 queries, and a matching forgery attack was described by Ferguson, where the main step of the attack recovers the whitening key. In this work we study recent authenticated en-cryption algorithms inspired by OCB, such as Marble, AEZ, and COPA. While Ferguson's attack is not applicable to those algorithms, we show that it is still possible to recover the secret mask with birthday complexity. Recovering the secret mask easily leads to a forgery attack, but it also leads to more devastating attacks, with a key-recovery attack against Marble and AEZ v2 and v3 with birthday complexity. For Marble, this clearly violates the security claims of full n-bit security. For AEZ, this matches the security proof, but we believe it is nonetheless a quite undesirable property that collision attacks allow to recover the master key, and more robust designs would be desirable. Our attack against AEZ is generic and independent of the internal permutation (in particular, it still works with the full AES), but the key-recovery is specific to the key derivation used in AEZ v2 and v3. Against Marble, the forgery attack is generic, but the key-recovery exploits the structure of the E permutation (4 AES rounds). In particular, we introduce a novel cryptanalytic method to attack 3 AES rounds followed by 3 inverse AES rounds, which can be of independent interest.
Type de document :
Communication dans un congrès
Advances in Cryptology - ASIACRYPT 2015 - Part II, Apr 2015, Sofia, Bulgaria. 9453, pp.510, Lecture Notes in Computer Science. <10.1007/978-3-662-48800-3_21>
Liste complète des métadonnées


https://hal.inria.fr/hal-01102031
Contributeur : Gaëtan Leurent <>
Soumis le : lundi 14 décembre 2015 - 15:31:33
Dernière modification le : mardi 15 décembre 2015 - 01:07:11
Document(s) archivé(s) le : samedi 29 avril 2017 - 13:21:11

Fichier

article (2).pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

Collections

Citation

Thomas Fuhr, Gaëtan Leurent, Valentin Suder. Collision Attacks against CAESAR Candidates: Forgery and Key-Recovery against AEZ and Marble. Advances in Cryptology - ASIACRYPT 2015 - Part II, Apr 2015, Sofia, Bulgaria. 9453, pp.510, Lecture Notes in Computer Science. <10.1007/978-3-662-48800-3_21>. <hal-01102031v3>

Partager

Métriques

Consultations de
la notice

155

Téléchargements du document

73