Paper 2017/332

Reforgeability of Authenticated Encryption Schemes

Christian Forler, Eik List, Stefan Lucks, and Jakob Wenzel


This work pursues the idea of multi-forgery attacks as introduced by Ferguson in 2002. We recoin reforgeability for the complexity of obtaining further forgeries once a first forgery has succeeded. First, we introduce a security notion for the integrity (in terms of reforgeability) of authenticated encryption schemes: j-Int-CTXT, which is derived from the notion INT-CTXT. Second, we define an attack scenario called j-IV-Collision Attack (j-IV-CA), wherein an adversary tries to construct j forgeries given a first forgery. The term collision in the name stems from the fact that we assume the first forgery to be the result of an internal collision within the processing of the associated data and/or the nonce. Next, we analyze the resistance to j-IV-CAs of classical nonce-based AE schemes (CCM, CWC, EAX, GCM) as well as all 3rd-round candidates of the CAESAR competition. The analysis is done in both the nonce-respecting and the nonce-ignoring setting. We find that none of the considered AE schemes provides full built-in resistance to j-IV-CAs. Based on this insight, we briefly discuss two alternative design strategies to resist j-IV-CAs.

Category: Secret-key cryptography
Publication info: Published elsewhere. MINOR revision. ACISP 2017
Keywords: authenticated encryption, CAESAR, multi-forgery attack, reforgeability
Contact author(s): jakob wenzel @ uni-weimar de, eik list @ uni-weimar de
History: 2017-04-18: received
License: Creative Commons Attribution


      author = {Christian Forler and Eik List and Stefan Lucks and Jakob Wenzel},
      title = {Reforgeability of Authenticated Encryption Schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2017/332},
      year = {2017},
      note = {\url{}},
      url = {}