Paper 2015/783

Cryptanalysis of the Authenticated Encryption Algorithm COFFE

Ivan Tjuawinata, Tao Huang, and Hongjun Wu


COFFE is a hash-based authenticated encryption scheme. In the original paper, it was claimed to have IND-CPA security and also ciphertext integrity even in the nonce-misuse scenario. In this paper, we analyse the security of COFFE. Our attack shows that even under the assumption that the primitive hash function is ideal, a valid ciphertext can be forged with 2 enquiries with success probability close to 1. The idea behind the attack is to find a collision on the input of each of the hash calls in the COFFE instantiation. This can be done in two ways. The first way is by modifying the nonce and the last message block size. Chosen appropriately, two COFFE instantiations with different nonces and different last message block sizes can have exactly the same intermediate state value, which leads to a valid ciphertext being generated. The second way is by considering two different COFFE instantiations with different message block sizes despite the same key. In this case, we use the existence of consecutive zeros in the binary representation of the initial value to achieve an identical intermediate state value in two different COFFE instantiations. Given the state collisions, the forgery attack is then conducted by choosing two different plaintexts with appropriate nonce and tag size to query. With this, without knowing the secret key, we can then validly encrypt another plaintext with probability equal to 1.

Category: Secret-key cryptography
Publication info: Published elsewhere. MINOR revision. SAC 2015
Keywords: COFFE, Authenticated cipher, Forgery Attack
Contact author(s): s120015 @ e ntu edu sg
History: 2015-08-06: received
License: Creative Commons Attribution


      author = {Ivan Tjuawinata and Tao Huang and Hongjun Wu},
      title = {Cryptanalysis of the Authenticated Encryption Algorithm COFFE},
      howpublished = {Cryptology ePrint Archive, Paper 2015/783},
      year = {2015},
      note = {\url{}},
      url = {}