Understanding RUP Integrity of COLM

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released (the INT-RUP setting), and demonstrate that its security depends heavily on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA's XOR mixing. Then we present a nonce-misusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we extend the previous forgery to be nonce-respecting.

[1] Nilanjan Datta et al. ELmE: A Misuse Resistant Parallel Authenticated Encryption, 2014, ACISP.

[2] Antoine Joux et al. Authenticated On-Line Encryption, 2003, Selected Areas in Cryptography.

[3] Damian Vizár et al. Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance, 2015, CRYPTO.

[4] John Viega et al. The Security and Performance of the Galois/Counter Mode (GCM) of Operation, 2004, INDOCRYPT.

[5] Thomas Shrimpton et al. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem, 2006, IACR Cryptol. ePrint Arch.

[6] Vincent Rijmen et al. ALE: AES-Based Lightweight Authenticated Encryption, 2013, FSE.

[7] Andrey Bogdanov et al. Parallelizable and Authenticated Online Ciphers, 2013, IACR Cryptol. ePrint Arch.

[8] Phillip Rogaway et al. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, 2004, ASIACRYPT.

[9] Florian Mendel et al. Submission to the CAESAR Competition, 2014.

[10] S. Griffis. Editor, 1997, Journal of Navigation.

[11] Martijn Stam et al. Rogue Decryption Failures: Reconciling AE Robustness Notions, 2015, IMACC.

[12] Mihir Bellare et al. OCB: a block-cipher mode of operation for efficient authenticated encryption, 2001, CCS '01.

[13] Mihir Bellare et al. A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost, 1997, EUROCRYPT.

[14] Avik Chakraborti et al. INT-RUP Analysis of Block-cipher Based Authenticated Encryption Schemes, 2016, CT-RSA.

[15] Stefan Lucks et al. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes, 2012, FSE.

[16] Kenneth G. Paterson et al. On Symmetric Encryption with Distinguishable Decryption Failures, 2013, FSE.

[17] Sean W. Smith et al. Authenticated Streamwise On-line Encryption, 2009.

[18] Phillip Rogaway et al. The Software Performance of Authenticated-Encryption Modes, 2011, FSE.

[19] Phillip Rogaway et al. The OCB Authenticated-Encryption Algorithm, 2014, RFC.

[20] Andrey Bogdanov et al. How to Securely Release Unverified Plaintext in Authenticated Encryption, 2014, ASIACRYPT.

[21] Nilanjan Datta et al. ELmD: A Pipelineable Authenticated Encryption and Its Hardware Implementation, 2016, IEEE Transactions on Computers.

[22] Phillip Rogaway et al. Robust Authenticated-Encryption AEZ and the Problem That It Solves, 2015, EUROCRYPT.

[23] Bart Preneel et al. AEGIS: A Fast Authenticated Encryption Algorithm, 2013, Selected Areas in Cryptography.