
Paper 2014/850

The BRUTUS automatic cryptanalytic framework: Testing CAESAR authenticated encryption candidates for weaknesses

Markku-Juhani O. Saarinen

Abstract

This report summarizes our results from a security analysis covering all 57 first-round candidates of the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) and over 210 implementations. We manually identified security issues with three candidates, two of which are more serious, and those ciphers have been withdrawn from the competition. We developed a testing framework, BRUTUS, to automate the detection of simple security lapses and susceptible statistical structures across all ciphers. From this testing we have security usage notes on four submissions and statistical notes on a further four. We highlight that some of the CAESAR algorithms pose an elevated risk if employed in real-life protocols, due to a class of adaptive chosen-plaintext attacks. Although authenticated encryption with associated data (AEAD) algorithms are often defined (and are best used) as discrete primitives that authenticate and transmit only complete messages, in practice they are easily implemented in a fashion that emits observable ciphertext before the algorithm has received all of the (attacker-controlled) plaintext. To an implementor, this appears to be a harmless, specification-compliant way to gain storage and latency advantages. If, however, the algorithm uses the same state for secret keying information, encryption, and integrity protection, and its internal mixing permutation is not cryptographically strong, an attacker can exploit the resulting ciphertext–plaintext feedback loop to reveal secret state information or even keying material. We conclude that the main advantages of exhaustive, automated cryptanalysis are that it acts as a necessary sanity check for implementations and gives the cryptanalyst insights that can be used to focus more specific attack methods on given candidates.
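The following is an added example, not code from the paper or from BRUTUS, showing the failure mode the abstract describes on a constructed toy cipher. ToyDuplexAEAD is not any CAESAR candidate; its parameters (16-byte state, 4-byte rate, 8-byte key and nonce, 4-byte tag) and its deliberately weak mixing function weak_perm are assumptions chosen so the attack stays short. The toy has the three properties the abstract names: a single state carries the key, produces the keystream and produces the tag; the mixing step is XOR-linear, so every output byte is the XOR of at most two input bytes; and encrypt_block releases each ciphertext block before the rest of the plaintext exists. The attacker exploits the feedback loop by tracking the state as an affine function of the key, reading each released block before choosing the next one, turning every keystream byte into a GF(2)-linear equation, and stopping as soon as the system has full rank. With the key in hand the attacker replays the session and predicts the tag before the victim issues it.

```python
# Constructed toy cipher and attack, added as an example; not any CAESAR candidate and
# not code from the paper. Parameters below are assumed for the toy.
from typing import Callable, List, Tuple

STATE, RATE, KEY_LEN, NONCE_LEN, TAG_LEN = 16, 4, 8, 8, 4

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def weak_perm(s: bytes) -> bytes:
    """Deliberately weak mixing: XOR the rate into every capacity byte, then rotate by RATE.
    Every output byte is the XOR of at most two input bytes, i.e. the map is GF(2)-linear."""
    rate, cap = s[:RATE], s[RATE:]
    return bytes(cap[j] ^ rate[j % RATE] for j in range(len(cap))) + rate

class ToyDuplexAEAD:
    """Duplex-style AEAD: one state carries the key, yields keystream, absorbs ciphertext
    and finally yields the tag. encrypt_block releases ciphertext block by block (online)."""

    def __init__(self, key: bytes, nonce: bytes):
        assert len(key) == KEY_LEN and len(nonce) == NONCE_LEN
        self.state = key + nonce

    def encrypt_block(self, p: bytes) -> bytes:
        assert len(p) == RATE
        self.state = weak_perm(self.state)
        c = xor(self.state[:RATE], p)
        self.state = c + self.state[RATE:]            # ciphertext feedback into the rate
        return c

    def finalize(self) -> bytes:
        self.state = weak_perm(self.state)
        return self.state[:TAG_LEN]

# Attacker side: each state byte is tracked as (const, mask), meaning const XOR the XOR
# of key bytes j with bit j set in mask. Exact because weak_perm and feedback are linear.
def sym_perm(s: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    rate, cap = s[:RATE], s[RATE:]
    return [(cap[j][0] ^ rate[j % RATE][0], cap[j][1] ^ rate[j % RATE][1])
            for j in range(len(cap))] + rate

def solve_gf2(eqs: List[Tuple[int, int]]):
    """Gaussian elimination over GF(2) on (mask over key bytes, byte value) equations.
    Returns the key bytes once the system has full rank, else None."""
    pivots = {}                                       # lowest set bit -> reduced row
    for mask, val in eqs:
        for j in range(KEY_LEN):
            if not (mask >> j) & 1:
                continue
            if j in pivots:
                mask, val = mask ^ pivots[j][0], val ^ pivots[j][1]   # clears bit j
            else:
                pivots[j] = (mask, val)
                break
    if len(pivots) < KEY_LEN:
        return None
    key = [0] * KEY_LEN
    for j in sorted(pivots, reverse=True):            # back-substitution
        mask, val = pivots[j]
        for k in range(j + 1, KEY_LEN):
            if (mask >> k) & 1:
                val ^= key[k]
        key[j] = val
    return bytes(key)

def recover_key(encrypt_block: Callable[[bytes], bytes], nonce: bytes) -> Tuple[bytes, int]:
    """Online chosen-plaintext attack; returns (key, number of ciphertext blocks needed)."""
    state = [(0, 1 << j) for j in range(KEY_LEN)] + [(b, 0) for b in nonce]
    eqs: List[Tuple[int, int]] = []
    for i in range(STATE):                            # generous upper bound on blocks
        state = sym_perm(state)
        p = bytes([i] * RATE)                         # any plaintext works for this toy
        c = encrypt_block(p)                          # released before block i+1 is chosen
        ks = xor(c, p)
        for j in range(RATE):                         # each released rate byte: one equation
            eqs.append((state[j][1], ks[j] ^ state[j][0]))
        state = [(b, 0) for b in c] + state[RATE:]    # the fed-back rate is now known
        key = solve_gf2(eqs)
        if key is not None:
            return key, i + 1
    raise RuntimeError("not enough equations leaked")

def demo(key: bytes = bytes(range(1, 9)), nonce: bytes = bytes(range(100, 108))):
    """Attack a victim session, then predict its tag with the recovered key before it is issued."""
    victim, sent = ToyDuplexAEAD(key, nonce), []

    def oracle(p: bytes) -> bytes:
        sent.append(p)
        return victim.encrypt_block(p)

    recovered, blocks = recover_key(oracle, nonce)
    clone = ToyDuplexAEAD(recovered, nonce)           # replay the session with the recovered key
    for p in sent:
        clone.encrypt_block(p)
    return recovered, blocks, clone.finalize() == victim.finalize()
```

Against this toy the full 8-byte key falls out after two released blocks: the first block exposes key[0:4] XOR key[4:8] and the second, once the fed-back ciphertext is a known constant, exposes key[0:4] directly. The same symbolic-tracking loop is what an automated framework can run against any online implementation whose state update is linear in the unknowns; a cryptographically strong permutation defeats it because the released bytes are no longer affine in the key, and an offline API (no ciphertext until the whole message is absorbed) removes the attacker's ability to read one block before choosing the next.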

Note: © The Author(s) 2015 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Journal of Cryptographic Engineering
DOI
10.1007/s13389-015-0114-1
Keywords
Authenticated Encryption, CAESAR, BRUTUS, Adaptive Chosen Plaintext Attacks, Automated Cryptanalysis
Contact author(s)
mjos @ iki fi
History
2015-12-14: last of 10 revisions
2014-10-22: received
See all versions
Short URL
https://ia.cr/2014/850
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/850,
      author = {Markku-Juhani O. Saarinen},
      title = {The BRUTUS automatic cryptanalytic framework: Testing CAESAR authenticated encryption candidates for weaknesses},
      howpublished = {Cryptology ePrint Archive, Paper 2014/850},
      year = {2014},
      doi = {10.1007/s13389-015-0114-1},
      note = {\url{https://eprint.iacr.org/2014/850}},
      url = {https://eprint.iacr.org/2014/850}
}