Cryptology ePrint Archive: Report 2017/332

Reforgeability of Authenticated Encryption Schemes

Christian Forler and Eik List and Stefan Lucks and Jakob Wenzel

Abstract: This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: j-Int-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called j-IV-Collision Attack (j-IV-CA), wherein an adversary tries to construct j forgeries provided a first forgery. The term collision in the name stems from the fact that we assume the first forgery to be the result from an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to j-IV-CAs of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to j-IV-CAs. Based on this insight, we briefly discuss two alternative design strategies to resist j-IV-CAs.

Category / Keywords: secret-key cryptography / authenticated encryption, CAESAR, multi-forgery attack, reforgeability

Original Publication (with minor differences): ACISP 2017

Date: received 14 Apr 2017

Contact author: jakob wenzel at uni-weimar de, eik list@uni-weimar de

Available format(s): PDF | BibTeX Citation

Version: 20170418:212727 (All versions of this report)

Short URL: ia.cr/2017/332

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]