Paper 2017/431

Understanding RUP Integrity of COLM

Nilanjan Datta, Atul Luykx, Bart Mennink, and Mridul Nandi


The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA's XOR mixing. Then we present a nonce-misusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.

Publication info
Published by the IACR in TOSC 2017 ISSUE 2
Keywords
Integrity, Release of unverified plaintext, COLM, COPA, ELmD, ELmE
Contact author(s)
nilanjan_isi_jrf @ yahoo com
atul luykx @ esat kuleuven be
b mennink @ cs ru nl
mridul nandi @ gmail com
2017-05-22: received
Creative Commons Attribution


      author = {Nilanjan Datta and Atul Luykx and Bart Mennink and Mridul Nandi},
      title = {Understanding RUP Integrity of COLM},
      howpublished = {Cryptology ePrint Archive, Paper 2017/431},
      year = {2017},
      note = {\url{}},
      url = {}