Forgery on iFeed[AES] in RUP and Nonce-Misuse Settings

Avik Chakraborti (1), Nilanjan Datta (1), Kazuhiko Minematsu (2), and Sourav Sen Gupta (1)

(1) Indian Statistical Institute, Kolkata
(2) NEC Corporation, Japan

Abstract. In this note we present a forgery attack on the CAESAR submission iFeed[AES] by Zhang et al. [1] under the RUP (release of unverified plaintext) setting proposed by Andreeva et al. [2]. We present a forgery algorithm that uses a single encryption query and two decryption queries, under the assumption that the decryption oracle may be queried with a repeating public message number in the RUP setting. We show that this attack can be extended to the Nonce-Misuse setting as well, to obtain a similar forgery on iFeed[AES].

1 iFeed[AES]

In 2013, the Input-Feed (iFeed) mode of operation for authenticated encryption was designed by Zhang, Han, Wu and Wang. The generic design was presented as an invited talk at the Asian Symmetric Key workshop 2013 and at the rump session of the Fast Software Encryption workshop 2013. Later in 2014, the iFeed mode instantiated with AES-128 was submitted to the CAESAR competition for authenticated encryption; this candidate is named iFeed[AES] [1]. iFeed[AES] is a rate-1, one-pass mode for authenticated encryption that is proved secure up to the birthday bound in q (the number of queries) and σ (the total block length of the queried messages). It is claimed to be an AE candidate with several desirable features: one-key, online, inverse-free, parallel encryption, length preserving, intermediate tag support, etc. A complete description of iFeed[AES] may be found in the design document submitted to the CAESAR competition by Zhang et al. [1].

However, the designers of iFeed[AES] did not consider the RUP (release of unverified plaintext) model while proving the security bounds for this design. In the RUP model proposed by Andreeva et al. [2], we consider the situation where an authenticated encryption scheme outputs the (possibly partial) decrypted plaintext before successful verification of the tag. Under such circumstances, the attacker gains access to the released unverified plaintext, which may be exploited towards forgery. In this note, we study the security of iFeed[AES] in the RUP model, and show that an existential forgery attack is possible with a constant number of queries. In addition, we show that the aforesaid forgery may be trivially generalized to a Nonce-Misuse forgery attack on iFeed[AES] as well.

2 Forgery attack on iFeed[AES] in RUP setting

2.1 Accessing the underlying block cipher

First, we make an encryption query with a random public message number PMN, no associated data AD, and a random $\ell$-block plaintext $P = (p_1, p_2, \ldots, p_\ell)$ with a full sized (128 bit) last block $p_\ell$, and obtain cipher text $C = (c_1, c_2, \ldots, c_\ell)$.

$$(C, T) \leftarrow \text{iFeed[AES].AEnc}(K, \mathrm{PMN}, -, P)$$

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad p_0 = 0^{128} \\
c_i &= E_K(p_{i-1} \oplus Z_{i+2} \oplus U) \oplus p_i \oplus Z_{i+3} \oplus U \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
c_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus p_{\ell-1} \oplus Z_{\ell+2} \oplus U \\
c_\ell &= E_K(p_{\ell-1} \oplus Z_{\ell+2} \oplus U) \oplus p_\ell \\
T &= \mathrm{Truncate}(E_K(p_\ell \oplus Z_2 \oplus U), \tau)
\end{aligned}
$$

Next, we make a decryption query with the same public message number PMN as before, no associated data AD, and cipher text $C = (c_1, c_2, \ldots, c_\ell, x)$ where $c_1, c_2, \ldots, c_\ell$ are generated from our previous encryption query and $x$ is a random full sized (128 bit) single block. We use a random tag $t$ for this query, and obtain an unverified plaintext $P = (P_1, P_2, \ldots, P_{\ell+1})$ in the RUP setting.

$$P \xleftarrow{\text{RUP}} \text{iFeed[AES].ADec}(K, \mathrm{PMN}, -, C, t)$$

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad P_0 = 0^{128} = p_0 \\
P_i &= E_K(P_{i-1} \oplus Z_{i+2} \oplus U) \oplus c_i \oplus Z_{i+3} \oplus U = p_i \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
P_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus c_{\ell-1} \oplus Z_{\ell+2} \oplus U = p_{\ell-1} \\
P_\ell &= E_K(p_{\ell-1} \oplus Z_{\ell+2} \oplus U) \oplus c_\ell \oplus Z_{\ell+3} \oplus U = p_\ell \oplus Z_{\ell+3} \oplus U \\
P_{\ell+1} &= E_K(P_\ell \oplus Z_{\ell+3} \oplus U) \oplus x = E_K(p_\ell) \oplus x
\end{aligned}
$$

Combining information of the two queries, we obtain $p_\ell = P_\ell \oplus Z_{\ell+3} \oplus U$ and $E_K(p_\ell) = P_{\ell+1} \oplus x$. Note that $p_\ell$ itself is already known to us from the encryption query, so both halves of the pair are determined. In effect, these two queries on iFeed[AES] reveal a plaintext-ciphertext pair $\{p_\ell, E_K(p_\ell)\}$ for the underlying block cipher.

We make the second decryption query with the same public message number PMN as before, no associated data AD, and cipher text $\bar{C} = (c_1, c_2, \ldots, c_{\ell-1})$ where $c_1, c_2, \ldots, c_{\ell-1}$ are generated from the encryption query. We use a random tag $\bar{t}$, and obtain unverified plaintext $\bar{P} = (\bar{P}_1, \bar{P}_2, \ldots, \bar{P}_{\ell-1})$ in the RUP setting.

$$\bar{P} \xleftarrow{\text{RUP}} \text{iFeed[AES].ADec}(K, \mathrm{PMN}, -, \bar{C}, \bar{t})$$

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad \bar{P}_0 = 0^{128} = p_0 \\
\bar{P}_i &= E_K(\bar{P}_{i-1} \oplus Z_{i+2} \oplus U) \oplus c_i \oplus Z_{i+3} \oplus U = p_i \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
\bar{P}_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus c_{\ell-1}
\end{aligned}
$$

From this decryption query, we retrieve $E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) = \bar{P}_{\ell-1} \oplus c_{\ell-1}$.

2.2 Query for the forgery attack

The decryption query for the actual forgery attack on iFeed[AES] uses the same public message number PMN as before, no associated data AD, and cipher text $\hat{C} = (c_1, c_2, \ldots, c_{\ell-2}, \hat{c}_{\ell-1}, \hat{c}_\ell)$, where $c_1, c_2, \ldots, c_{\ell-2}$ are generated from the previous encryption query, and the last two blocks are constructed as follows.

$$\hat{c}_{\ell-1} = p_\ell \oplus E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \quad \text{and} \quad \hat{c}_\ell = p_\ell \oplus E_K(p_\ell).$$

We shall use the tag $T$ generated from the previous encryption query, and demonstrate a forgery with successful verification of the aforesaid cipher text and tag pair $(\hat{C}, T)$. The decryption query plays as follows.

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad \hat{P}_0 = 0^{128} = p_0 \\
\hat{P}_i &= E_K(\hat{P}_{i-1} \oplus Z_{i+2} \oplus U) \oplus c_i \oplus Z_{i+3} \oplus U = p_i \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
\hat{P}_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus \hat{c}_{\ell-1} \oplus Z_{\ell+2} \oplus U = p_\ell \oplus Z_{\ell+2} \oplus U \\
\hat{P}_\ell &= E_K(\hat{P}_{\ell-1} \oplus Z_{\ell+2} \oplus U) \oplus \hat{c}_\ell = E_K(p_\ell) \oplus p_\ell \oplus E_K(p_\ell) = p_\ell \\
\hat{T} &= \mathrm{Truncate}(E_K(\hat{P}_\ell \oplus Z_2 \oplus U), \tau) = \mathrm{Truncate}(E_K(p_\ell \oplus Z_2 \oplus U), \tau)
\end{aligned}
$$

We see that $\hat{T} = \mathrm{Truncate}(E_K(p_\ell \oplus Z_2 \oplus U), \tau) = T$, and hence the cipher text tag pair $(\hat{C}, T)$ successfully verifies under iFeed[AES] authenticated decryption. Since $\hat{c}_{\ell-1} \neq c_{\ell-1}$ except with negligible probability, $(\hat{C}, T)$ is distinct from the honestly generated $(C, T)$ and is therefore a valid forgery.

3 Forgery attack on iFeed[AES] with Nonce-misuse

3.1 Accessing the underlying block cipher

We make the first encryption query with a random public message number PMN, no associated data AD, and a random $\ell$-block plaintext $P = (p_1, p_2, \ldots, p_\ell)$ with a full sized (128 bit) last block $p_\ell$, and obtain cipher text $C = (c_1, c_2, \ldots, c_\ell)$.

$$(C, T) \leftarrow \text{iFeed[AES].AEnc}(K, \mathrm{PMN}, -, P)$$

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad p_0 = 0^{128} \\
c_i &= E_K(p_{i-1} \oplus Z_{i+2} \oplus U) \oplus p_i \oplus Z_{i+3} \oplus U \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
c_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus p_{\ell-1} \oplus Z_{\ell+2} \oplus U \\
c_\ell &= E_K(p_{\ell-1} \oplus Z_{\ell+2} \oplus U) \oplus p_\ell \\
T &= \mathrm{Truncate}(E_K(p_\ell \oplus Z_2 \oplus U), \tau)
\end{aligned}
$$

We make the second encryption query with the same public message number PMN as before, no associated data AD, and an $(\ell+1)$-block plaintext $\bar{P} = (p_1, p_2, \ldots, p_\ell, x)$ where $p_1, p_2, \ldots, p_\ell$ are the same as in our previous encryption query and $x$ is a random full sized (128 bit) single block.

$$(\bar{C}, \bar{T}) \leftarrow \text{iFeed[AES].AEnc}(K, \mathrm{PMN}, -, \bar{P})$$

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad \bar{p}_0 = 0^{128} = p_0 \\
\bar{c}_i &= E_K(p_{i-1} \oplus Z_{i+2} \oplus U) \oplus p_i \oplus Z_{i+3} \oplus U = c_i \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
\bar{c}_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus p_{\ell-1} \oplus Z_{\ell+2} \oplus U = c_{\ell-1} \\
\bar{c}_\ell &= E_K(p_{\ell-1} \oplus Z_{\ell+2} \oplus U) \oplus p_\ell \oplus Z_{\ell+3} \oplus U = c_\ell \oplus Z_{\ell+3} \oplus U \\
\bar{c}_{\ell+1} &= E_K(p_\ell \oplus Z_{\ell+3} \oplus U) \oplus x \\
\bar{T} &= \mathrm{Truncate}(E_K(x \oplus Z_2 \oplus U), \tau)
\end{aligned}
$$

From these two encryption queries, we obtain $Z_{\ell+3} \oplus U = \bar{c}_\ell \oplus c_\ell$, and hence $p_\ell \oplus Z_{\ell+3} \oplus U = p_\ell \oplus \bar{c}_\ell \oplus c_\ell$. We also obtain $E_K(p_\ell \oplus Z_{\ell+3} \oplus U) = \bar{c}_{\ell+1} \oplus x$ from the second encryption query. In effect, these two queries reveal a plaintext-ciphertext pair $\{p, E_K(p)\}$ for the underlying block cipher, where $p = p_\ell \oplus Z_{\ell+3} \oplus U$.

We make the third encryption query with the same public message number PMN, no associated data AD, and an $(\ell-1)$-block plaintext $\tilde{P} = (p_1, p_2, \ldots, p_{\ell-1})$.

$$(\tilde{C}, \tilde{T}) \leftarrow \text{iFeed[AES].AEnc}(K, \mathrm{PMN}, -, \tilde{P})$$

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad \tilde{p}_0 = 0^{128} = p_0 \\
\tilde{c}_i &= E_K(p_{i-1} \oplus Z_{i+2} \oplus U) \oplus p_i \oplus Z_{i+3} \oplus U = c_i \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
\tilde{c}_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus p_{\ell-1} = c_{\ell-1} \oplus Z_{\ell+2} \oplus U \\
\tilde{T} &= \mathrm{Truncate}(E_K(p_{\ell-1} \oplus Z_2 \oplus U), \tau)
\end{aligned}
$$

From this encryption query, we obtain $E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) = \tilde{c}_{\ell-1} \oplus p_{\ell-1}$.

3.2 Query for the forgery attack

The decryption query for the actual forgery attack on iFeed[AES] uses the same public message number PMN as before, no associated data AD, and cipher text $\hat{C} = (c_1, c_2, \ldots, c_{\ell-2}, \hat{c}_{\ell-1}, \hat{c}_\ell)$, where $c_1, c_2, \ldots, c_{\ell-2}$ are generated from the first encryption query, and the last two blocks are constructed as follows.

$$\hat{c}_{\ell-1} = p \oplus E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \quad \text{and} \quad \hat{c}_\ell = p_\ell \oplus E_K(p), \quad \text{where } p = p_\ell \oplus Z_{\ell+3} \oplus U.$$

We shall use the tag $T$ generated from the first encryption query, and demonstrate a forgery with successful verification of the aforesaid cipher text and tag pair $(\hat{C}, T)$. The decryption query plays as follows.

$$
\begin{aligned}
N &= \mathrm{PMN} \,\|\, 10^{127-|\mathrm{PMN}|}, \qquad U = E_K(N), \qquad \hat{P}_0 = 0^{128} = p_0 \\
\hat{P}_i &= E_K(\hat{P}_{i-1} \oplus Z_{i+2} \oplus U) \oplus c_i \oplus Z_{i+3} \oplus U = p_i \quad \text{for } i = 1, 2, \ldots, \ell-2 \\
\hat{P}_{\ell-1} &= E_K(p_{\ell-2} \oplus Z_{\ell+1} \oplus U) \oplus \hat{c}_{\ell-1} \oplus Z_{\ell+2} \oplus U = p \oplus Z_{\ell+2} \oplus U \\
\hat{P}_\ell &= E_K(\hat{P}_{\ell-1} \oplus Z_{\ell+2} \oplus U) \oplus \hat{c}_\ell = E_K(p) \oplus p_\ell \oplus E_K(p) = p_\ell \\
\hat{T} &= \mathrm{Truncate}(E_K(\hat{P}_\ell \oplus Z_2 \oplus U), \tau) = \mathrm{Truncate}(E_K(p_\ell \oplus Z_2 \oplus U), \tau)
\end{aligned}
$$

We see that $\hat{T} = \mathrm{Truncate}(E_K(p_\ell \oplus Z_2 \oplus U), \tau) = T$, and hence the cipher text tag pair $(\hat{C}, T)$ successfully verifies under iFeed[AES] authenticated decryption.
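To check the algebra of Sections 2 and 3 on a toy model, the following Python is an added example, not code from this note or from the iFeed[AES] submission. It implements the AEnc/ADec equations exactly as written above, with two stated assumptions: a keyed PRF stands in for AES-128 (iFeed only calls $E_K$ forward, so an inverse is never needed) and the mask schedule $Z_i$ is a constructed placeholder rather than the real one. It then runs the RUP forgery (one encryption query, two unverified decryption queries) and the Nonce-Misuse forgery (three encryption queries) and lets a receiver verify the forged pair $(\hat{C}, T)$.

```python
import hashlib, hmac, os

BLOCK, TAU = 16, 16  # 128-bit blocks; tag truncated to tau = 128 bits here (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    # Stand-in for AES-128 (assumption): a keyed PRF truncated to one block. iFeed is
    # inverse-free, so AEnc and ADec only ever call E_K forward and this suffices.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def Z(key, i):
    # Constructed mask schedule (hypothetical); the real iFeed[AES] masks are not reproduced.
    return E(key, b"Z" + i.to_bytes(BLOCK - 1, "big"))

def process(key, pmn, blocks, encrypting):
    # One loop serves AEnc and ADec, following the note's equations:
    #   c_i = E_K(p_{i-1} + Z_{i+2} + U) + p_i + Z_{i+3} + U   (+ is XOR),
    # the last block omits the Z_{l+3} + U mask, T = Truncate(E_K(p_l + Z_2 + U), tau).
    U = E(key, pmn + b"\x80" + bytes(BLOCK - 1 - len(pmn)))  # N = PMN || 10^{127-|PMN|}
    out, prev, l = [], bytes(BLOCK), len(blocks)
    for i, b in enumerate(blocks, 1):
        w = E(key, xor(xor(prev, Z(key, i + 2)), U))
        o = xor(w, b) if i == l else xor(xor(xor(w, b), Z(key, i + 3)), U)
        out.append(o)
        prev = b if encrypting else o  # input feed: the plaintext block drives the next call
    last_p = blocks[-1] if encrypting else out[-1]
    return out, E(key, xor(xor(last_p, Z(key, 2)), U))[:TAU]  # RUP: out is released regardless

def rup_forgery(key, pmn, P):
    # Section 2: one encryption query and two unverified decryption queries under one PMN.
    C, T = process(key, pmn, P, True); l, x = len(P), os.urandom(BLOCK)
    P1, _ = process(key, pmn, C + [x], False)      # P_{l+1} = E_K(p_l) + x
    P2, _ = process(key, pmn, C[:l - 1], False)    # P'_{l-1} = E_K(p_{l-2}+Z_{l+1}+U) + c_{l-1}
    ek_pl, ek_mid = xor(P1[l], x), xor(P2[l - 2], C[l - 2])
    return C, T, C[:l - 2] + [xor(P[-1], ek_mid), xor(P[-1], ek_pl)]

def nonce_misuse_forgery(key, pmn, P):
    # Section 3: three encryption queries under a repeated PMN; no decryption oracle needed.
    C, T = process(key, pmn, P, True); l, x = len(P), os.urandom(BLOCK)
    C2, _ = process(key, pmn, P + [x], True)       # c'_l = c_l + Z_{l+3} + U, c'_{l+1} = E_K(p) + x
    C3, _ = process(key, pmn, P[:l - 1], True)     # c''_{l-1} = E_K(p_{l-2}+Z_{l+1}+U) + p_{l-1}
    p = xor(xor(P[-1], C2[l - 1]), C[l - 1])       # p = p_l + Z_{l+3} + U
    ek_p, ek_mid = xor(C2[l], x), xor(C3[l - 2], P[l - 2])
    return C, T, C[:l - 2] + [xor(p, ek_mid), xor(P[-1], ek_p)]

def verifies(key, pmn, C, T):
    return hmac.compare_digest(process(key, pmn, C, False)[1], T)
```

Because the mode's proof assumes a fresh PMN per encryption and no plaintext release before verification, the receiver-side check in `verifies` is exactly the step that the RUP and repeated-nonce settings let an adversary satisfy without the key.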

4 Conclusion

In this note, we have demonstrated existential forgery attacks on iFeed[AES] in both the RUP and Nonce-Misuse settings. The crux of the attacks is the simple observation that one may access the internal block cipher of the iFeed mode of operation using only a pair of encryption and decryption queries. The knowledge of a specific input-output pair of the underlying block cipher, coupled with RUP or Nonce-Misuse power, trivially leads to the proposed forgery attacks on iFeed[AES].

Acknowledgment. The authors would like to acknowledge the collaborative forum for research discussions provided by ASK 2014, the Fourth Asian Workshop on Symmetric Key Cryptography.

References

1. Liting Zhang, Wenling Wu, Han Sui, and Peng Wang. iFeed[AES] v1. Submission to the CAESAR competition, http://competitions.cr.yp.to/round1/ifeedaesv1.pdf, 2014.
2. Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, and Kan Yasuda. How to Securely Release Unverified Plaintext in Authenticated Encryption. In Advances in Cryptology – ASIACRYPT 2014, Springer LNCS 8873, pages 105–125, 2014.
