COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

Andreeva, Elena; Luykx, Atul; Mennink, Bart; Yasuda, Kan

doi:10.1007/978-3-662-46706-0_10

Cited by 9 publications

(8 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In fact, the attack works for the mode COBRA based on any blockcipher. Thus it disproves the claim stated in [4]. The authenticity advantage of our proposed algorithm is about 1/2 and it makes about 2n encryption queries where n is the plaintext size of the underlying blockcipher.…”

Section: Our Contributionsupporting

confidence: 78%

“…In this paper, we demonstrate forging attack on COBRA with practical complexity. Hence the theorem proved in [4] is wrong. We also demonstrate forging and distinguishing attack on POET-m for one particular recommended choice of AXU hash function.…”

Section: Resultsmentioning

confidence: 98%

“…COBRA is an authenticated encryption mode based on blockcipher. It was originally published in FSE 2014 [4]. Later the same mode with AES as the underlying blockcipher, called AES-COBRA, was submitted to CAESAR [1].…”

Section: Description Of Cobramentioning

confidence: 99%

“…We simply denote the tag by T (N, U, S). One can find the details of the construction of T in [1,4]. The verified decryption algorithm takes a tagged ciphertext (C 1 , .…”

Section: Tag Generation and Verified Decryption Algorithmmentioning

confidence: 99%

See 3 more Smart Citations

Forging Attacks on Two Authenticated Encryption Schemes COBRA and POET

Nandi

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In FSE 2014, an authenticated encryption mode COBRA [4], based on pseudorandom permutation (PRP) blockcipher, and POET [3], based on Almost XOR-Universal (AXU) hash and strong pseudorandom permutation (SPRP), were proposed. Few weeks later, COBRA mode and a simple variant of the original proposal of POET (due to a forging attack [13] on the original proposal) with AES as an underlying blockcipher, were submitted to CAESAR, a competition [1] of authenticated encryption (AE). In this paper, we show a forging attack on the mode COBRA based on any n-bit blockcipher. Our attack on COBRA requires about O(n) queries with success probability of about 1/2. This disproves the claim proved in the FSE 2014 paper. We also show both privacy and forging attack on the parallel version of POET, denoted POET-m. In case of the modes POET and POE (the underlying modes for encryption), we demonstrate a distinguishing attack making only one encryption query when we instantiate the underlying AXU hash function with some other AXU hash function, namely a uniform random involution. Thus, our result violates the designer's main claim (Theorem 8.1 in [1]). However, the attacks can not be extended to the specifications of POET submitted to the CAESAR competition.

show abstract

Section: Our Contributionsupporting

confidence: 78%

Section: Resultsmentioning

confidence: 98%

Section: Description Of Cobramentioning

confidence: 99%

“…We simply denote the tag by T (N, U, S). One can find the details of the construction of T in [1,4]. The verified decryption algorithm takes a tagged ciphertext (C 1 , .…”

Section: Tag Generation and Verified Decryption Algorithmmentioning

confidence: 99%

See 2 more Smart Citations

Forging Attacks on Two Authenticated Encryption Schemes COBRA and POET

Nandi

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…However it also renders a compliant scheme vulnerable to CCA, CPSS, and NM attacks even if AD values are unique. Schemes1: COBRA [11] OAE1c Leaks equality of any blocks at the same position. E.g., if ciphertexts and ′ arise from 4-block plaintexts = A ‖ B ‖ C ‖ D and…”

Section: Oae1mentioning

confidence: 99%

Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

Hoang

Reyhanitabar

Rogaway

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.A definition of online authenticated-encryption (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue that this expectation is effectively wrong. OAE1 security has also been claimed to capture best-possible security for any online-AE scheme. We claim that this understanding is wrong, too. So motivated, we redefine OAE-security, providing a radically different formulation, OAE2. The new notion effectively does capture best-possible security for a user's choice of plaintext segmentation and ciphertext expansion. It is achievable by simple techniques from standard tools. Yet even for OAE2, nonce-reuse can still be devastating. The picture to emerge is that no OAE definition can meaningfully tolerate nonce-reuse, but, at the same time, OAE security ought never have been understood to turn on this question.

show abstract