Paper 2017/332
Reforgeability of Authenticated Encryption Schemes
Christian Forler, Eik List, Stefan Lucks, and Jakob Wenzel
Abstract
This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin the term reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: j-Int-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called j-IV-Collision Attack (j-IV-CA), wherein an adversary tries to construct j forgeries given a first forgery. The term collision in the name stems from the fact that we assume the first forgery to result from an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to j-IV-CAs of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in both the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to j-IV-CAs. Based on this insight, we briefly discuss two alternative design strategies to resist j-IV-CAs.
Metadata
- Available format(s)
- Category
  - Secret-key cryptography
- Publication info
  - Published elsewhere. Minor revision. ACISP 2017
- Keywords
  - authenticated encryption, CAESAR, multi-forgery attack, reforgeability
- Contact author(s)
  - jakob wenzel @ uni-weimar de
  - eik list @ uni-weimar de
- History
  - 2017-04-18: received
- Short URL
  - https://ia.cr/2017/332
- License
  - CC BY
BibTeX
@misc{cryptoeprint:2017/332,
  author = {Christian Forler and Eik List and Stefan Lucks and Jakob Wenzel},
  title = {Reforgeability of Authenticated Encryption Schemes},
  howpublished = {Cryptology {ePrint} Archive, Paper 2017/332},
  year = {2017},
  url = {https://eprint.iacr.org/2017/332}
}