Cryptanalysis of Two Authenticated Encryption Schemes Pr∅st and NORX Introduced in CAESAR

Mahmoudi, Ali | 2015

  1. Type of Document: M.Sc. Thesis
  2. Language: Farsi
  3. Document No: 48093 (05)
  4. University: Sharif University of Technology
  5. Department: Electrical Engineering
  6. Advisor(s): Aref, Mohammad Reza; Mohajeri, Javad
  7. Abstract:
  8. The goal of authenticated encryption is to ensure confidentiality, integrity and authentication of messages simultaneously. Since 2014, the announcement of the CAESAR competition has drawn researchers' attention to this branch of symmetric cryptography. 57 schemes were submitted as first-round candidates of the competition, of which 29 were selected as second-round candidates. Cryptanalysis of these schemes requires a large collective effort. In this thesis, after the preliminaries of authenticated encryption are described, the general structure of the schemes and their reported cryptanalysis are reviewed. Then the Pr∅st family of authenticated encryption schemes, one of the second-round CAESAR candidates, is studied in detail, and an existential forgery attack is mounted on one of its versions, Pr∅st-OTR, in the related-key setting. The attack exploits the weakness of the Even-Mansour construction, which Pr∅st-OTR uses inside the OTR mode of operation, against related-key attacks. The attack is then extended to a universal forgery: if the adversary can query ciphertexts for chosen messages under the related keys K ⊕ ∆1 and K ⊕ ∆2, then it can forge the ciphertext and authentication tag for any message under the key K with negligible complexity. Suggestions are also made for immunizing Pr∅st-OTR against these attacks.
Furthermore, the authenticated encryption scheme NORX, also a second-round candidate, is studied. After introducing mathematical models for the propagation of differences through the nonlinear operation of NORX, several methods are presented for distinguishing the output of this scheme from that of a random generator when the round-number parameter is set to 1 or 2. This shows that the scheme is not non-malleable when the round parameter is set to 1, and that choosing a round parameter below 3 is not secure. A forgery attack is also introduced for the case where the round parameter is set to 1. In this attack the adversary can forge the authentication tag after 2^61 queries with success probability near one for NORX64, whereas according to the designers' security claims this probability should be 2^−195. For NORX32 the adversary needs to query the encryption oracle with 2^51 different nonces to forge the tag with probability near one, whereas according to the designers' claims this probability should be around 2^−7
  9. Keywords:
  10. Symmetric Cryptography ; Distinguishing Attack ; Related-Key Cryptanalysis ; Differential Cryptanalysis ; Authenticated Encryption ; Forgery Attack
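The related-key weakness of the single-key Even-Mansour construction that the abstract names (E_K(x) = P(x ⊕ K) ⊕ K) reduces to one algebraic identity: a query under K ⊕ ∆ on the input x ⊕ ∆ returns E_K(x) ⊕ ∆, so an adversary with an oracle for a related key can evaluate the cipher under K without knowing K. The following Python block is an added illustration of that identity and is not code from the thesis; it uses a constructed 16-bit toy permutation in place of the Pr∅st permutation and does not implement OTR or the thesis's forgery on Pr∅st-OTR. The key K, difference ∆ and all function names are assumptions made for the demo.

```python
import random

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1

# Constructed toy public permutation P on 16-bit blocks (a fixed-seed shuffle).
# It stands in for the Pr∅st permutation only to show the key-offset identity;
# it has none of Pr∅st's structure. The identity does not depend on P's strength.
_rng = random.Random(0x5EED)
_P_TABLE = list(range(1 << BLOCK_BITS))
_rng.shuffle(_P_TABLE)


def P(x: int) -> int:
    """Public permutation. Anyone, including the adversary, can evaluate it."""
    return _P_TABLE[x & MASK]


def em_encrypt(key: int, x: int) -> int:
    """Single-key Even-Mansour block cipher: E_K(x) = P(x XOR K) XOR K."""
    return P(x ^ key) ^ key


def make_related_key_oracle(key: int, delta: int):
    """Oracle the adversary is given: encryption under K XOR delta, with K hidden."""
    related = key ^ delta

    def oracle(x: int) -> int:
        return em_encrypt(related, x)

    return oracle


def forge_under_k(oracle, delta: int, x: int) -> int:
    """Compute E_K(x) using only the oracle for the related key K XOR delta.

    E_{K xor d}(x xor d) = P(x xor d xor K xor d) xor (K xor d)
                         = P(x xor K) xor K xor d
                         = E_K(x) xor d
    so E_K(x) = oracle(x xor d) xor d, with no knowledge of K.
    """
    return oracle(x ^ delta) ^ delta


def verify_identity(key: int, delta: int, samples: int = 256) -> bool:
    """Check the identity on `samples` random blocks; True if it holds for all."""
    oracle = make_related_key_oracle(key, delta)
    check_rng = random.Random(42)
    for _ in range(samples):
        x = check_rng.getrandbits(BLOCK_BITS)
        if forge_under_k(oracle, delta, x) != em_encrypt(key, x):
            return False
    return True


if __name__ == "__main__":
    K = 0xBEEF       # secret key, constructed for the demo (assumption)
    DELTA = 0x0F0F   # key difference known to the adversary (assumption)
    print("related-key identity holds:", verify_identity(K, DELTA))
```

The block models only the block-cipher layer. In the thesis the adversary is given encryption oracles under two related keys, K ⊕ ∆1 and K ⊕ ∆2, and applies this identity inside the OTR mode's block and tag computations; the mode-level forgery and the proposed countermeasures are the thesis's contribution and are not reproduced here.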
