Forgery and Subkey Recovery on CAESAR candidate iFeed

© Springer International Publishing Switzerland 2016. iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers’ security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys E K (0 128 ) and E K (PMN‖1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn EK(P ∗ ) for any freely chosen plaintext P ∗ . These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.

ISBN:9783319313009

Jaar van publicatie:2015

Toegankelijkheid:Open