Related-Key Forgeries for Prøst-OTR

We present a forgery attack on Prøst-OTR in a related-key setting. Prøst is a family of authenticated encryption algorithms proposed as candidates in the currently ongoing CAESAR competition, and Prøst-OTR is one of the three variants of the Prøst design. The attack exploits how the Prøst permutation is used in an Even-Mansour construction inside the Feistel-based OTR mode of operation. Given the ciphertext and tag for any two messages under two related keys K and \(K \oplus \varDelta \) with related nonces, we can forge the ciphertext and tag for a modified message under K. If we can additionally query ciphertexts for chosen messages under \(K \oplus \varDelta \), we can achieve almost universal forgery for K. The computational complexity is negligible.
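The structural property underlying a related-key attack on any single-key Even-Mansour block cipher is the identity \(E_{K \oplus \varDelta}(x \oplus \varDelta) = E_K(x) \oplus \varDelta\), which holds for every public permutation P because the key is XORed on both sides of P. The following added example (it is not code from the paper or from the Prøst submission) checks that relation on a constructed toy permutation; `public_perm`, `even_mansour`, `predict_under_k` and `relation_holds` are names chosen here, and the toy ARX permutation stands in for the Prøst permutation only to make the point concrete. A designer or reviewer can run the same check against a candidate construction to confirm whether its keying survives an XOR key difference.

```python
# Added illustration of the Even-Mansour related-key relation; the
# permutation is a constructed toy on 64-bit values, not the Prøst permutation.
import os

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def rotl32(x: int, r: int) -> int:
    """Rotate a 32-bit word left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def public_perm(x: int) -> int:
    """Unkeyed, invertible toy permutation on 64-bit values (two 32-bit words).

    Each round is a modular add followed by a rotate-and-XOR, both bijective,
    so the whole map is a permutation. It is a placeholder for a real
    public permutation such as Prøst, not a secure design.
    """
    a, b = x >> 32, x & MASK32
    for r in (7, 13, 17, 23):
        a = (a + b) & MASK32
        b = rotl32(b, r) ^ a
    return ((a << 32) | b) & MASK64


def even_mansour(key: int, x: int) -> int:
    """Single-key Even-Mansour: E_K(x) = P(x XOR K) XOR K."""
    return public_perm(x ^ key) ^ key


def predict_under_k(related_oracle, delta: int, x: int) -> int:
    """Compute E_K(x) using only encryption under the related key K XOR delta.

    Because E_{K xor delta}(x xor delta) = P(x xor K) xor K xor delta,
    XORing delta back yields E_K(x) without any knowledge of K itself.
    """
    return related_oracle(x ^ delta) ^ delta


def relation_holds(key: int, delta: int, samples: int = 64) -> bool:
    """Check the related-key identity on random inputs.

    True means the construction leaks E_K from E_{K xor delta}; a mode that
    derives its masks from such a cipher inherits this weakness, which is
    the property a related-key forgery builds on.
    """
    related_oracle = lambda y: even_mansour(key ^ delta, y)
    for _ in range(samples):
        x = int.from_bytes(os.urandom(8), "big")
        if predict_under_k(related_oracle, delta, x) != even_mansour(key, x):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample key and key difference for the demonstration.
    K = 0x0123456789ABCDEF
    DELTA = 0x00000000FFFF0000
    print("related-key relation holds:", relation_holds(K, DELTA))
```

The check passes for every key and every difference, which is the point: the relation is independent of K and of the permutation, so the only defence is in how the surrounding mode derives and separates its keys and masks, not in the strength of P.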
