Paper 2017/1147

Under Pressure: Security of Caesar Candidates beyond their Guarantees

Serge Vaudenay and Damian Vizár

Abstract

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to "identify a portfolio of authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption." Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, inter alia whether or not it can tolerate nonce misuse, and what the maximal data complexity is for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting "Robustness" in CAESAR as the ability to mitigate damage even if security guarantees are void, we describe attacks with birthday complexity or beyond, and/or with nonce reuse, for each of the 15 candidates. We then sort the candidates into classes depending on how powerful an attacker needs to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful for, e.g., breaking ties in the final CAESAR discussions.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Authenticated Encryption, CAESAR Competition, Forgery, Decryption Attack, Birthday Bound, Nonce Misuse
Contact author(s)
damian vizar @ epfl ch
History
2017-12-07: revised
2017-11-27: received
Short URL
https://ia.cr/2017/1147
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/1147,
      author = {Serge Vaudenay and Damian Vizár},
      title = {Under Pressure: Security of Caesar Candidates beyond their Guarantees},
      howpublished = {Cryptology {ePrint} Archive, Paper 2017/1147},
      year = {2017},
      url = {https://eprint.iacr.org/2017/1147}
}