International Association for Cryptologic Research


IACR News item: 20 November 2015

Markku-Juhani O. Saarinen
ePrint Report
This report summarizes our results from security analysis covering all 57 CAESAR first round candidates and over 210 implementations. We have manually identified security issues with three candidates, two of which are more serious, and these ciphers have been withdrawn from the competition. We have developed a testing framework, BRUTUS, to facilitate automatic detection of simple security lapses and susceptible statistical structures across all ciphers. From this testing we have security usage notes on four submissions and statistical notes on a further four.

We highlight that some of the CAESAR algorithms pose an elevated risk if employed in real-life protocols due to a class of adaptive chosen plaintext attacks. Although AEADs are often defined (and are best used) as discrete primitives that authenticate and transmit only complete messages, in practice these algorithms are easily implemented in a fashion that outputs observable ciphertext data before the algorithm has received all of the (attacker-controlled) plaintext. For an implementor, this strategy appears to offer seemingly harmless and compliant storage and latency advantages. If the algorithm uses the same state for secret keying information, encryption, and integrity protection, and the internal mixing permutation is not cryptographically strong, an attacker can exploit the ciphertext-plaintext feedback loop to reveal secret state information or even keying material.

We conclude that the main advantages of exhaustive, automated cryptanalysis are that it acts as a very necessary sanity check for implementations and gives the cryptanalyst insights that can be used to focus more specific attack methods on given candidates.
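As an added illustration (not BRUTUS and not any CAESAR candidate's code), the following constructs a toy online cipher that has both properties the abstract warns about, a shared state register and a weak mixing permutation, and runs two sanity checks of the kind an automated framework can apply to every implementation: whether ciphertext for a prefix is emitted independently of later plaintext, and how little a one-bit plaintext change diffuses into later ciphertext. The cipher, block size and function names are all constructed for this example.

```python
import secrets

BLOCK = 8  # bytes per block of the constructed toy cipher

def _weak_mix(state: bytes) -> bytes:
    # Constructed toy "mixing permutation": rotate the bytes, then rotate each byte one bit.
    # Deliberately weak: a single-bit difference stays a single-bit difference.
    rotated = state[1:] + state[:1]
    return bytes(((b << 1) | (b >> 7)) & 0xFF for b in rotated)

def toy_online_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Constructed toy: one register holds keying state, keystream and absorbed plaintext,
    # and each ciphertext block is emitted before the next plaintext block is read.
    assert len(key) == len(nonce) == BLOCK
    state = bytes(k ^ n for k, n in zip(key, nonce))
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        block = plaintext[i:i + BLOCK].ljust(BLOCK, b"\0")
        out += bytes(s ^ p for s, p in zip(state, block))
        state = _weak_mix(bytes(s ^ p for s, p in zip(state, block)))  # feedback loop
    return bytes(out)

def leaks_prefix(encrypt, key: bytes, nonce: bytes, msg: bytes) -> bool:
    # Check 1: if encrypting a prefix yields a prefix of the full ciphertext, early blocks
    # do not depend on later (attacker-controlled) plaintext and can be output early.
    cut = (len(msg) // (2 * BLOCK)) * BLOCK
    return encrypt(key, nonce, msg)[:cut] == encrypt(key, nonce, msg[:cut])

def avalanche_bits(encrypt, key: bytes, nonce: bytes, msg: bytes, bit: int) -> int:
    # Check 2: flip one bit in the first plaintext block and count changed ciphertext bits
    # after that block; a strong permutation changes roughly half of them.
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    a = encrypt(key, nonce, msg)[BLOCK:]
    b = encrypt(key, nonce, bytes(flipped))[BLOCK:]
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def run_checks(encrypt, msg_len: int = 4 * BLOCK) -> dict:
    # Random key, nonce and message; both findings hold for the toy regardless of values.
    key, nonce = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    msg = secrets.token_bytes(msg_len)
    changed = avalanche_bits(encrypt, key, nonce, msg, 0)
    later_bits = (msg_len - BLOCK) * 8
    return {
        "emits_ciphertext_early": leaks_prefix(encrypt, key, nonce, msg),
        "bits_changed_after_block0": changed,
        "weak_diffusion": changed < later_bits // 4,
    }
```

Against the toy, `run_checks` reports early ciphertext emission and exactly one changed bit per later block, the combination under which the ciphertext-plaintext feedback loop exposes internal state.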
