1 Introduction

Due to the currently ongoing CAESAR competition for authenticated encryption [25], authenticated ciphers are clearly the new favourite toy of the cryptographic community. A significant collective effort will be necessary to judge the 57 submitted candidate ciphers with respect to their security and applicability. The goal of this cryptographic competition is to identify a portfolio of reliable, efficient, secure authenticated encryption algorithms with unique features for different application scenarios. Experience with previous competitions and focused projects like AES, SHA-3, eSTREAM and NESSIE has clearly demonstrated that the joint effort of the community to focus on a particular topic can impressively advance the understanding of the researched primitives in a relatively short period of time. Right now, first security analyses of the submitted candidates are necessary to allow the competition committee to judge the first-round candidates adequately, and select the most promising submissions for the next round.

Prøst, designed by Kavun et al. [16], is one of the candidates submitted to the CAESAR competition. It combines a newly designed, efficient permutation, the Prøst permutation, with several modes of operation. The resulting Prøst family of authenticated ciphers consists of three variants: Prøst-COPA, Prøst-OTR, and Prøst-APE, each with its own advantages and features. The Prøst-OTR variant uses the Prøst permutation in a single-key Even-Mansour construction [9, 11, 12] as a block cipher in Minematsu’s provably secure, Feistel-based OTR mode of operation [21]. Due to the novelty of the design, previous cryptanalysis results on Prøst itself are limited to the designers’ own analysis, published together with the design document [16].

We present a forgery attack on Prøst-OTR in a related-key setting. The scenario is that an attacker is given ciphertexts and tags of two messages: one under the target key K, and one under a related key \(K \oplus \varDelta \) for some arbitrary \(\varDelta \). Both keys are secret, but their difference \(\varDelta \) is known to the attacker. The nonces used for encrypting the two messages are also related in a similar way. Then, with negligible computational complexity, the attacker can forge the ciphertext and authentication tag for a third message under the target key K. In fact, depending on the length of the original messages, forgeries for a large number of fake messages can be obtained. In addition, in case the attacker has control over one of the two originally encrypted messages, he can even control the content of the third, forged message.

Our attack is generic and exploits the combination of the OTR mode of operation with an Even-Mansour block cipher construction. It is independent of the used permutation, and thus does not use any particular properties or weaknesses of the Prøst permutation. Consequently, the other members of the Prøst family, Prøst-COPA and Prøst-APE, are not affected or endangered by the attack. However, the attack demonstrates the possible complications of using an Even-Mansour construction as a block cipher in otherwise secure modes of operation. The Even-Mansour approach of creating a block cipher from a pseudorandom permutation by xoring a secret key before and after applying the permutation to the plaintext has been studied extensively [69, 13, 19]. It has been proven secure under different notions of security, with detailed bounds relating the security level with the key length. However, it is inherently susceptible to related-key attacks. The OTR mode of operation allows this property to be “lifted” to the full encryption and authentication scheme. This unfortunate combination of otherwise secure building blocks shows two things: that the Even-Mansour construction should only be used very cautiously, and that related-key properties are not well covered by the classical security notions, although they can lead to powerful forgery attacks.

Related-key setups are a relatively strong attack setting. Nevertheless, depending on the exact requirements, they are often not entirely far-fetched in practical scenarios. In particular, scenarios where only a known (but arbitrary) difference \(\varDelta \) between any two unknown keys is required, like in our attack, are quite realistic, and occur as side effects of several published protocols. The only limitation the attack imposes on \(\varDelta \) is that it does not affect the least significant bits of the key. For compatibility with the nonce difference, the modified part of the key must not be longer than the nonce length (half the key size in Prøst-OTR).

As an example for related keys in practice, consider the WEP standard [14]. There, the keys for the individual communication links are derived by concatenating (public, random) IVs with the fixed secret WEP key. Clearly, any two keys constructed this way have a publicly known differential relation. Similar scenarios could be imagined in any other network of resource-constrained devices (e.g., of sensor nodes), where individual encryption keys need to be derived in a cheap way from some master secret (e.g., by xoring individual IDs, nonces or challenge values to the key). Despite its inherent susceptibility to birthday attacks, the idea to “xor nonce to key” is also incorporated in several CAESAR candidates, such as AVALANCHE [1] and Calico [24]. Recently, cheap modifications of some master secret have also gained some popularity as a countermeasure to side-channel attacks, termed “fresh re-keying”. The rationale is that to avoid differential side-channel attacks, subsequent encryption processes should never use the same key twice, but derive some sort of session keys from the long-term key in a cheap way.

The additional requirement of related nonces is not as strong as the related keys. In many applications, nonces are generated in a very predictable pattern (typically a simple counter as a message sequence number). In some cases, the attacker may even be able to influence the nonce counter: a simple example is by triggering encryptions until the nonce counter arrives at the desired value, or by somehow causing the device to jump the unwanted nonce values. We note that the attack does not require “nonce misuse” in the sense that the attacker requests repeated encryptions under the same nonce.

Related-key attacks [4, 17] have been studied extensively, for various ciphers and applications. A prominent example is Biryukov et al.’s related-key attack on AES [5], which makes very strong assumptions about the relations between subkeys. The combination of related keys with related nonces has previously been applied primarily to stream ciphers, in particular in the context of the eSTREAM project. Examples include the key recovery attacks on Grain-v1 and Grain-128 by Lee et al. [20], or the recent analysis of generic chosen-IV attacks with applications to Trivium by Pasalic and Wei [22].

Outline. We first describe the Prøst family of authenticated ciphers and the notational conventions for the remaining document in Sect. 2. In Sect. 3, we derive a first basic related-key attack on Prøst-OTR. In Sect. 4, we propose a few possible improvements to the attack and extended attack scenarios. Finally, in Sect. 5, we conclude with a discussion of the applicability of the Prøst-OTR attack to other authenticated encryption modes.

2 Description of Prøst-OTR-n

2.1 The Prøst Family of Authenticated Ciphers

Prøst is a family of authenticated encryption algorithms. Kavun et al. [16] proposed the cipher family as a candidate in the currently ongoing CAESAR competition [25] for authenticated ciphers. Prøst comes in three flavors: Prøst-COPA, Prøst-OTR and Prøst-APE. All flavors share the same core permutation, the Prøst permutation designed by Kavun et al. [16], but use it in different modes of operation.

Prøst-APE uses the Prøst permutation in Andreeva et al.’s sponge-based APE mode [2]. The other two flavors, Prøst-OTR and Prøst-COPA, use modes of operation that are originally not permutation-based, but block-cipher-based: Andreeva et al.’s COPA mode [3], and Minematsu’s OTR mode [21]. In these variants, the Prøst permutation is used in a single-key Even-Mansour construction [9] to provide the required block cipher.

Each of the three flavors is available in two security levels, specified by a parameter \(n \in \{128,256\}\), resulting in a total of six proposed cipher family members. The designers rank the COPA variants as their primary recommendations, the OTR variants second, and the APE variants last.

2.2 Notation

Throughout this paper, we use essentially the same notation as Prøst’s designers [16]. Unless noted otherwise, all operations are performed in \(\mathbb {F}_{2^{2n}}^{}\) with respect to Prøst’s irreducible polynomial, where \(n \in \{128,256\}\) defines the security level. For convenience of notation, elements in \(\mathbb {F}_{2^{2n}}^{}\) are often represented interchangeably as elements of \(\mathbb {F}_{2}^{2n}\). We denote addition in \(\mathbb {F}_{2^{2n}}^{}\) (xor) by \(\oplus \), and multiplication in \(\mathbb {F}_{2^{2n}}^{}\) by \(\cdot \) (operator omitted where possible). By \(N \Vert 10^*\), we mean the n-bit bitstring \(N \in \mathbb {F}_{2}^{n}\), concatenated with \((1, 0, \ldots , 0) \in \mathbb {F}_{2}^{n}\) to get an element in \(\mathbb {F}_{2}^{2n}\). Otherwise, numbers mean integer numbers \(\in \mathbb {Z}\) or individual bits \(\in \mathbb {F}_{2}^{}\) when written in roman font (\(1, 2, 3, \ldots \)), but elements of \(\mathbb {F}_{2}^{2n}\) in truncated hex notation when written in typewriter font (\(\mathtt {1}, \mathtt {2}, \mathtt {3}, \ldots \)); for example, \(\mathtt {13} = (0, \ldots , 0, 1, 0, 0, 1, 1) \in \mathbb {F}_{2}^{2n}\). The variable names we use are summarized in Table 1.

Table 1. Notation and variables used throughout this document.

2.3 Prøst-OTR-n

Prøst-OTR-n uses the block cipher \(\tilde{P}_K\), built from the permutation P in a single-key Even-Mansour construction [9], in Minematsu’s OTR mode of operation [21]. The result is a nonce-based authenticated encryption scheme with online encryption and decryption that is fully parallelizable [16]. Prøst-OTR-n is proposed in two security levels, \(n \in \{128, 256\}\). The security level defines the permutation size 2n and block size 2n, the key size 2n and nonce size n, and the tag size n. The claimed security for Prøst-OTR-n is \(\frac{n}{2}\) bits (confidentiality and integrity of plaintext and integrity of associated data). No particular claims are made for or against the related-key security of the cipher.

Since our attack does not exploit any particular properties of the Prøst permutation \(P : \mathbb {F}_{2}^{2n} \rightarrow \mathbb {F}_{2}^{2n}\), we do not include the definition of P in this description. The design of the permutation-based block cipher \(\tilde{P}_K\), however, is essential for the attack. For a key \(K \in \mathbb {F}_{2}^{2n}\), the block cipher \(\tilde{P}_K : \mathbb {F}_{2}^{2n} \rightarrow \mathbb {F}_{2}^{2n}\) is defined as follows:

$$\begin{aligned} \tilde{P}_K(x) = K \oplus P(x \oplus K). \end{aligned}$$

In OTR, message blocks \(M_j\) are encrypted in pairs in 2-round Feistel networks to get the ciphertext blocks \(C_j\). The Feistel round function first adds a counter-like value, then applies the block cipher \(\tilde{P}_K\). For the counter-like value, a helper value \(\ell \) is computed in an initialization phase by encrypting the padded nonce \(N \Vert 10^*\) under \(\tilde{P}_K\). After processing all block pairs, the tag T is finally computed by encrypting a function of the checksum \(\varSigma \), which is the xor of all odd-indexed message blocks \(M_{2i+1}\). The detailed algorithm is listed in Algorithm 1 and illustrated in Fig. 1. For simplicity, we only describe the mode for empty associated data, and only for padded messages with an even (rather than odd) number of message blocks.

3 Basic Forgery Attack on Prøst-OTR

In this section, we describe our basic forgery attack on Prøst-OTR. The attack exploits the combination of the OTR mode with the Even-Mansour block cipher construction, and is independent of the concrete permutation P used. We consider a related-key scenario, where encrypted messages of two different keys K and \(K'\) can be observed. Both K and \(K'\) are secret, but we assume the attacker knows the difference \(\varDelta = K \oplus K'\) (i.e., \(K' = K \oplus \varDelta \)). In addition, we assume that the attacker can observe encrypted messages for related nonces \(N, N'\), such that \(\varDelta = (N\Vert 10^*) \oplus (N'\Vert 10^*)\). Since the last n bits of the padded nonces are identical, this means that the n least significant bits of \(\varDelta \) must be 0.

The basic idea of the proposed forgery attack is to combine information from the encryption of the same message M under the two related keys \(K, K'\) to forge a ciphertext and tag for a modified message \(M^*\) under one of the two keys, K. More specifically, we will first show how to use the ciphertext from the related key \(K' = K \oplus \varDelta \) to forge ciphertexts for modified messages under the target key K. Then, we will combine original and forged ciphertexts in a way such that the original tag remains valid for the resulting modified plaintext under K. The attack works for any plaintext of sufficient length (\({\ge }514\) message blocks for Prøst-OTR-128, \({\ge }1026\) blocks for Prøst-OTR-256).

Fig. 1. Encrypting 2m message blocks \(M_j\) with Prøst-OTR-n under key K and nonce N. All values are 2n bits, with \(n \in \{128,256\}\), except the n-bit tag T.

3.1 Forging the Ciphertext

Assume that the attacker obtains the ciphertext for the same message \(M=M_0\cdots M_{2m-1}\) (from Fig. 1) under a related key \(K' = K \oplus \varDelta \) and a related nonce \(N' \Vert 10^* = (N \Vert 10^*) \oplus \varDelta \), as illustrated in Fig. 2. Note that since the nonce only has length n (instead of 2n like the other values), \(\varDelta \) must only modify the most significant n bits, i.e., \(\varDelta = \varDelta _n\Vert 0^n\). Then, in the initialization phase illustrated in Fig. 2a, the differences in \(K'\) and \(N'\) cancel out right before the call to the permutation P in the initialization. Thus, we receive a related counter value \(\ell '\) with a simple relation to the original \(\ell \):

$$\begin{aligned} \ell '&= \tilde{P}_{K'}(N' \Vert 10^*) = K' \oplus P((N' \Vert 10^*) \oplus K') \\&= K \oplus \varDelta \oplus P(K \oplus \varDelta \oplus (N \Vert 10^*) \oplus \varDelta ) \\&= \ell \oplus \varDelta . \end{aligned}$$

Now consider the encryption of a modified message with message blocks

$$\begin{aligned} \widetilde{M}_j = M_j \oplus (\mathtt {2}^{\lfloor j/2 \rfloor + 2} +\mathtt {1}) \varDelta \end{aligned}$$

under the original key K and nonce N. As Fig. 3 illustrates, the message differences “cancel out” with the corresponding difference in the \(\ell \) values from the encryption under the related key in Fig. 2. Thus, in both Figs. 2 and 3, the inputs \(\alpha \) and \(\gamma \) to the permutations are the same:

$$\begin{aligned} \alpha&= \widetilde{M}_{2i} \oplus \mathtt {2}^{i+2} \ell \oplus K \\&= M_{2i} \oplus \mathtt {2}^{i+2}\ell \oplus \mathtt {2}^{i+2}\varDelta \oplus \varDelta \oplus K, \\ \gamma&= \widetilde{M}_{2i+1} \oplus P(\alpha ) \oplus (\mathtt {2}^{i+2}+\mathtt {1})\ell \\&= M_{2i+1} \oplus P(\alpha ) \oplus \mathtt {2}^{i+2}\ell \oplus \mathtt {2}^{i+2}\varDelta \oplus \ell \oplus \varDelta . \end{aligned}$$

For this reason, the ciphertext \(\widetilde{C}_j\) of the modified message block \(\widetilde{M}_j\) under the original key K can be derived from the ciphertexts \(C_j'\) of the original message \(M_j\) under the related key \(K \oplus \varDelta \):

$$\begin{aligned} \widetilde{C}_{2i}&= \widetilde{M}_{2i+1} \oplus P(\alpha ) \oplus K \\&= C_{2i}' \oplus \mathtt {2}^{i+2} \varDelta , \\ \widetilde{C}_{2i+1}&= \widetilde{M}_{2i} \oplus P(\gamma ) \oplus K \\&= C_{2i+1}' \oplus \mathtt {2}^{i+2} \varDelta , \end{aligned}$$

since

$$\begin{aligned} C_{2i}'&= M_{2i+1} \oplus P(\alpha ) \oplus K \oplus \varDelta , \\ C_{2i+1}'&= M_{2i} \oplus P(\gamma ) \oplus K \oplus \varDelta . \end{aligned}$$

Now, we know the correct ciphertexts for a modified message. However, we still need to find the corresponding authentication tag. We will try to re-use the original tag T for our forged message.

Fig. 2. Encrypting the original message blocks \(M_j\) under a related key \(K \oplus \varDelta \) and nonce.

Fig. 3. Encrypting modified message blocks \(\widetilde{M}_j = M_j \oplus (\mathtt {2}^{\lfloor j/2 \rfloor + 2} +\mathtt {1}) \varDelta \) under the original key K and nonce N.

3.2 Forging the Tag

For a fixed key K and nonce N, the authentication tag only depends on the xor sum of all message blocks with odd index,

$$\begin{aligned} \varSigma = \bigoplus _{i=0}^{m-1} M_{2i+1}. \end{aligned}$$

Thus, if we want to re-use the original tag T for our forged message, we need to make sure that any induced differences cancel out when summing up the message blocks. We want to use original and modified message M and \(\widetilde{M}\) to construct the final forged message \(M^*\) that satisfies this property.

For each message block pair \(M^*_{2i},M^*_{2i+1}\) of the forged message \(M^*\), we can decide to use either the original message block pair \(M_{2i},M_{2i+1}\), or the modified blocks \(\widetilde{M}_{2i},\widetilde{M}_{2i+1}\). Let \(\lambda _i\) denote whether we use the original (\(\lambda _i = 0\)) or modified (\(\lambda _i = 1\)) block pair for \(0 \le i < m\). Then, we get the message sum

$$\begin{aligned} \varSigma ^* = \bigoplus _{i=0}^{m-1} M^*_{2i+1} = \varSigma \oplus \bigoplus _{i=0}^{m-1} \lambda _i (\mathtt {2}^{i+2}+\mathtt {1}) \varDelta . \end{aligned}$$

Note that if \(\varSigma \) summed up all message blocks (not only every second), then any choice of \(\lambda _i\) would create a successful forgery, since \(M_{2i} \oplus M_{2i+1} = \widetilde{M}_{2i} \oplus \widetilde{M}_{2i+1}\). As it is, however, we need to select suitable coefficients \(\lambda _i \in \mathbb {F}_{2}^{}\) such that at least one coefficient \(\lambda _{i^*}\) is nonzero and

$$\begin{aligned} \bigoplus _{i=0}^{m-1} \lambda _i (\mathtt {2}^{i+2}+\mathtt {1}) \varDelta = \mathtt {0}. \end{aligned} \tag{1}$$

Since \(\{(\mathtt {2}^{i+2}+\mathtt {1}) \varDelta \} \subseteq \mathbb {F}_{2}^{2n}\), a vector space with dimension 2n, any \(2n+1\) such vectors are linearly dependent, and suitable coefficients \(\lambda _i\) exist. Thus, for any given key difference \(\varDelta \) and known plaintext M with \(2m \ge 4n+2\) message blocks, we can solve this system of equations to find suitable coefficients \(\lambda _i\). The ciphertext blocks \(C^*\) for the resulting forged message \(M^*\) can be computed as in Sect. 3.1, while the correct tag \(T^* = T\) can be copied from M.

Summarizing, from observing the ciphertext and tag for encryptions of the same message M under two related keys K and \(K'=K \oplus \varDelta \), the attacker has forged the ciphertext \(C^*\) and tag \(T^*\) for a different message \(M^*\) of the same block length with negligible computational effort. The attacker knows this forged message, but has almost no control over its contents. The attack nonce is the same as the original nonce N. We discuss some remarks and improvements to this attack in Sect. 4.

3.3 Practical Example

For illustration, we apply the attack to Prøst-OTR-128 with \(n = 128\). This variant of Prøst-OTR uses a 256-bit key, a 128-bit nonce, and a message blocksize of 256 bits. The irreducible polynomial for the finite field \(\mathbb {F}_{2^{2n}}^{}\) is \(f(x) = x^{256}\oplus x^{10} \oplus x^5 \oplus x^2 \oplus 1\).

As a simple example, assume that \(\varDelta = \mathtt {2}^{128}\). Then, the related key and nonce for the target key K and nonce N are

$$\begin{aligned} K'&= K \oplus \mathtt {2}^{128}, \\ N'&= N \oplus \mathtt {1}. \end{aligned}$$

Assume that some message M with 514 blocks of 256 bits each was encrypted under K to ciphertext C and tag T, and under \(K'\) to \(C'\) and \(T'\).

For each block pair \((M^*_{2i}, M^*_{2i+1})\) of the forged message \(M^*\), we now need to decide whether we copy the original message \((M_{2i}, M_{2i+1})\) or the modified version \((\widetilde{M}_{2i}, \widetilde{M}_{2i+1})\). Our choice needs to satisfy the coefficient Eq. (1). A solution can easily be found by hand; an example is given in Table 2.

Table 2. A solution for coefficients \(\lambda _i = 1\) in Eq. (1) in \(\mathbb {F}_{2^{256}}^{}\) with field polynomial \(f(x) = x^{256}\oplus x^{10} \oplus x^5 \oplus x^2 \oplus 1\).

For any example message M, we can now forge tag \(T^*\) and ciphertext \(C^*\) for the modified message \(M^*\), which differs from M in block indices \(j \in J\):

$$\begin{aligned} J&= \{4,5,6,7,10,11,16,17,20,21,508,509,512,513\}, \\ M^*_j&= {\left\{ \begin{array}{ll} M_j \oplus (\mathtt {2}^{\lfloor \frac{j}{2}\rfloor +2}\!\!+\!\!\mathtt {1}) \varDelta \quad &{} j \in J, \\ M_j &{} \text {else;} \end{array}\right. }\\ C^*_j&= {\left\{ \begin{array}{ll} C'_j \oplus \mathtt {2}^{\lfloor \frac{j}{2}\rfloor +2} \varDelta \quad &{} j \in J, \\ C_j &{} \text {else;} \end{array}\right. }\\ T^*&= T. \end{aligned}$$

This example can easily be verified with the reference implementation of Prøst-OTR-128 for any key K, nonce N and message M with \(\ge 514\) blocks, and the corresponding related values \(K'\), \(N'\) for \(\varDelta = \mathtt {2}^{128}\).
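The relations of Sect. 3 and the index set J above can be checked end to end on a model of the simplified mode. The following Python code is an added example, not the authors' code or the Prøst reference implementation; the permutation `P` is a stand-in Feistel network (the attack does not depend on it), the tag mask in `_tag` is an assumption because Algorithm 1 is not reproduced here, and key, nonce and message are constructed test values.

```python
import hashlib
import random

N_BITS = 128                                  # n for Prøst-OTR-128
W = 2 * N_BITS                                # block, key and permutation width 2n
POLY = (1 << 10) | (1 << 5) | (1 << 2) | 1    # low terms of f(x) = x^256 + x^10 + x^5 + x^2 + 1
# Block indices J from Sect. 3.3, reduced to block-pair indices i = floor(j / 2).
J = [4, 5, 6, 7, 10, 11, 16, 17, 20, 21, 508, 509, 512, 513]
PAIRS = {j // 2 for j in J}

def xtime(a):
    """Multiply a by the field element 2 in F_{2^256}."""
    a <<= 1
    return (a ^ (1 << W) ^ POLY) if a >> W else a

def P(x):
    """Stand-in permutation (assumption): 4-round Feistel over SHA-256, not Prøst."""
    left, right = x >> N_BITS, x & ((1 << N_BITS) - 1)
    for rnd in range(4):
        digest = hashlib.sha256(bytes([rnd]) + right.to_bytes(N_BITS // 8, "big")).digest()
        left, right = right, left ^ int.from_bytes(digest[:N_BITS // 8], "big")
    return (left << N_BITS) | right

def em(key, x):
    """Single-key Even-Mansour block cipher: K xor P(x xor K)."""
    return key ^ P(x ^ key)

def pad_nonce(nonce):
    """N || 10*: the n-bit nonce followed by a 1 bit and n-1 zero bits."""
    return (nonce << N_BITS) | (1 << (N_BITS - 1))

def _tag(key, ell, mask, sigma):
    # Assumption: the exact tag mask is not given on the page. Any function of
    # (K, ell, m, Sigma) gives the same outcome for this check.
    return em(key, sigma ^ mask ^ xtime(ell)) >> N_BITS

def encrypt(key, nonce, msg):
    ell = em(key, pad_nonce(nonce))
    mask, sigma, ct = xtime(xtime(ell)), 0, []       # mask = 2^(i+2) * ell
    for i in range(0, len(msg), 2):
        c0 = msg[i + 1] ^ em(key, msg[i] ^ mask)     # C_2i
        c1 = msg[i] ^ em(key, c0 ^ mask ^ ell)       # C_2i+1
        ct += [c0, c1]
        sigma ^= msg[i + 1]                          # checksum over odd-indexed blocks
        mask = xtime(mask)
    return ct, _tag(key, ell, mask, sigma)

def decrypt(key, nonce, ct, tag):
    """Return the plaintext blocks, or None if the tag does not verify."""
    ell = em(key, pad_nonce(nonce))
    mask, sigma, msg = xtime(xtime(ell)), 0, []
    for i in range(0, len(ct), 2):
        m0 = ct[i + 1] ^ em(key, ct[i] ^ mask ^ ell)
        m1 = ct[i] ^ em(key, m0 ^ mask)
        msg += [m0, m1]
        sigma ^= m1
        mask = xtime(mask)
    return msg if _tag(key, ell, mask, sigma) == tag else None

def eq1_sum(pairs, delta):
    """Left-hand side of Eq. (1) with lambda_i = 1 exactly for i in pairs."""
    acc, d = 0, xtime(xtime(delta))
    for i in range(max(pairs) + 1):
        if i in pairs:
            acc ^= d ^ delta                         # (2^(i+2) + 1) * delta
        d = xtime(d)
    return acc

def splice(ct, ct_rel, delta, pairs):
    """C*_j = C'_j xor 2^(floor(j/2)+2) * delta for selected pairs, C_j otherwise."""
    out, d = list(ct), xtime(xtime(delta))
    for i in range(len(ct) // 2):
        if i in pairs:
            out[2 * i], out[2 * i + 1] = ct_rel[2 * i] ^ d, ct_rel[2 * i + 1] ^ d
        d = xtime(d)
    return out

def run_check(pairs=PAIRS, seed=1):
    """Encrypt one constructed 514-block message under (K, N) and (K xor delta, N xor 1),
    splice the ciphertexts, and verify the result under K with the original tag."""
    rng = random.Random(seed)
    key, nonce = rng.getrandbits(W), rng.getrandbits(N_BITS)
    msg = [rng.getrandbits(W) for _ in range(514)]
    delta = 1 << 128                                 # the element 2^128 from Sect. 3.3
    ct, tag = encrypt(key, nonce, msg)
    ct_rel, _ = encrypt(key ^ delta, nonce ^ 1, msg)
    return msg, decrypt(key, nonce, splice(ct, ct_rel, delta, pairs), tag)
```

`run_check()` returns the original blocks and the blocks recovered from the spliced ciphertext; with a pair set that does not satisfy Eq. (1), verification fails and the second value is `None`.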

4 Remarks and Advanced Attacks

4.1 Remarks on the Message Length

If an attacker carries out the basic attack as in Sect. 3, the modified message may have a slightly modified bit length. This is because the modification can shift the last nonzero bit, which marks the beginning of the message padding. This is not a problem since the message bitlength is not encoded anywhere else in the encryption process – except in the rare case that the last nonzero bit moves to the second-to-last block or earlier, which is not a valid format for the padded plaintext. This can be avoided by not including the last block pair in the modification process.

The attack is also applicable to messages \(M = M_0 \cdots M_{2m-1} M_{2m}\) with an odd number of blocks: simply do not include the last block \(M_{2m}\) in the modification process, and copy it directly to \(M^*_{2m}\). The same holds true for messages that include associated data A: simply copy the same associated data to the forged message.

4.2 Unknown Messages

The description in Sect. 3 assumes that one and the same message M is encrypted under both keys, K and \(K' = K \oplus \varDelta \), and that M is known to the attacker. This is, however, not necessarily required. Even without knowing M, the attacker can compute forged ciphertext blocks and the tag. In this case, he will not know the modified message \(M^*\), but only the induced difference \(M^* \oplus M\).

Neither is it necessary that the same message M is encrypted under both K and \(K \oplus \varDelta \). In fact, it is sufficient that the attacker has access to the ciphertexts for any two (not necessarily known, not necessarily equal-length) messages M (under K) and \(M'\) (under \(K' = K \oplus \varDelta \)), and knows the difference \(M_{2i+1} \oplus M'_{2i+1}\) for at least \(2n+1\) values of i. Let I be the set of indices i with known message differences, with \(|I| \ge 2n+1\). Then, the attacker solves

$$\begin{aligned} \bigoplus _{i \in I} \lambda _i \left( M_{2i+1} \oplus M'_{2i+1} \oplus (\mathtt {2}^{i+2}+\mathtt {1}) \varDelta \right) = \mathtt {0}. \end{aligned}$$

Again, a non-zero solution for \(\lambda \) exists since the \(\ge 2n+1\) vectors in \(\mathbb {F}_{2}^{2n}\) must be linearly dependent.

The forged message \(M^*\) (not known to the attacker, same block length as M), ciphertext \(C^*\) and tag \(T^*\) are then given by

$$\begin{aligned} (M^*_{2i}, M^*_{2i+1})&= {\left\{ \begin{array}{ll} (M_{2i}, M_{2i+1}) &{} i \notin I \vee \lambda _i = 0, \\ (M'_{2i} \oplus (\mathtt {2}^{i+2}+\mathtt {1})\varDelta , M'_{2i+1} \oplus (\mathtt {2}^{i+2}+\mathtt {1})\varDelta ) &{} i \in I \wedge \lambda _i = 1; \end{array}\right. } \\ (C^*_{2i}, C^*_{2i+1})&= {\left\{ \begin{array}{ll} (C_{2i}, C_{2i+1}) &{} i \notin I \vee \lambda _i = 0, \\ (C'_{2i} \oplus \mathtt {2}^{i+2}\varDelta , C'_{2i+1} \oplus \mathtt {2}^{i+2}\varDelta ) &{} i \in I \wedge \lambda _i = 1; \end{array}\right. } \\ T^*&= T. \end{aligned}$$

4.3 Multiple Forgeries

As described in Sects. 3 and 4.2, an attacker can forge one message from \(4n+2\) original message blocks. This can be extended to \(2^s-1\) different forgeries from \(4n+2s\) blocks (i.e., \(|I| \ge 2n+s\)). Then, the homogeneous linear system

$$\begin{aligned} \bigoplus _{i \in I} \lambda _i \left( M_{2i+1} \oplus M'_{2i+1} \oplus (\mathtt {2}^{i+2}+\mathtt {1}) \varDelta \right) = \mathtt {0}\end{aligned}$$

is underdetermined with \(\ge 2n+s\) variables for 2n equations. Thus, the solution space has dimension \(\ge s\), containing \(\ge 2^{s}-1\) different non-zero solutions for \(\lambda \).

In the case \(M_j = M_j'\), different values \(\lambda , \lambda '\) produce different plaintexts as long as

$$\begin{aligned} \max \{i \in I : \lambda _i \ne \lambda _i'\} < {\text {ord}}(\mathtt {2}) - 2, \end{aligned}$$

where \({\text {ord}}(\mathtt {2})\) denotes the multiplicative order of \(\mathtt {2}\) in \(\mathbb {F}_{2^{2n}}^*\). For Prøst’s irreducible polynomials, \({\text {ord}}(\mathtt {2}) = 2^{256}-1\) for \(n=128\) and \({\text {ord}}(\mathtt {2}) = 2^{512}-1\) for \(n=256\). In general, if

$$\begin{aligned} M_{2i+1} \oplus M'_{2i+1} \oplus (\mathtt {2}^{i+2}+\mathtt {1}) \varDelta \ne \mathtt {0}\qquad \forall i \in I, \end{aligned}$$

then all different \(\lambda \) produce different forgeries.
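The dimension count above can be reproduced with linear algebra over \(\mathbb {F}_{2}^{}\). The following Python code is an added example, not the authors' code; it treats the case \(M_j = M_j'\) for \(n = 128\), builds the vectors \((\mathtt {2}^{i+2}+\mathtt {1}) \varDelta \) from Eq. (1), and computes a basis of the solution space by Gaussian elimination. The function names are chosen here for illustration.

```python
W = 256                                       # 2n for n = 128
POLY = (1 << 10) | (1 << 5) | (1 << 2) | 1    # low terms of f(x) = x^256 + x^10 + x^5 + x^2 + 1

def xtime(a):
    """Multiply a by the field element 2 in F_{2^256}."""
    a <<= 1
    return (a ^ (1 << W) ^ POLY) if a >> W else a

def eq1_vectors(delta, count):
    """v_i = (2^(i+2) + 1) * delta for i = 0 .. count-1, as 256-bit integers."""
    d, out = xtime(xtime(delta)), []
    for _ in range(count):
        out.append(d ^ delta)
        d = xtime(d)
    return out

def kernel_basis(vectors):
    """Gaussian elimination over F_2. Returns bitmasks lambda (bit i = lambda_i)
    with XOR of the selected vectors equal to zero; the masks are independent."""
    pivots, kernel = {}, []       # pivots: leading bit -> (reduced vector, index mask)
    for idx, v in enumerate(vectors):
        combo = 1 << idx
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = (v, combo)
                break
            pv, pc = pivots[top]
            v, combo = v ^ pv, combo ^ pc
        else:                     # v reduced to zero: combo is a dependency
            kernel.append(combo)
    return kernel

def solutions(kernel):
    """All non-zero lambda in the span of the kernel basis, as sets of pair indices i."""
    result = []
    for pick in range(1, 1 << len(kernel)):
        lam = 0
        for b, mask in enumerate(kernel):
            if (pick >> b) & 1:
                lam ^= mask
        result.append({i for i in range(lam.bit_length()) if (lam >> i) & 1})
    return result

def count_forgeries(delta, s):
    """Number of non-zero solutions of Eq. (1) from 2n + s block pairs."""
    return len(solutions(kernel_basis(eq1_vectors(delta, W + s))))
```

For \(2n+1 = 257\) block pairs the solution space has dimension 1, and its single non-zero element selects the pairs \(i \in \{2,3,5,8,10,254,256\}\), which correspond to the block indices J of Sect. 3.3.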

4.4 Almost Universal Forgery with Related-Key Queries

Assume that the attacker can query for the encryption of a chosen message under one of the two keys, \(K' = K \oplus \varDelta \). He wants to forge the ciphertext and tag for a meaningful message \(M^*\) (chosen beforehand or provided externally) under the original key K. He can achieve this goal if (a) \(M^*\) has an even number of blocks, (b) he has access to the tag T of a known message M with the same number of blocks as \(M^*\) under the key K, and (c) he can modify one 2n-bit block with odd index of \(M^*\) (or, alternatively, of M). The attack works as follows:

  1. Fix the target message length \(|M^*| = 2m\) (in blocks).

  2. Obtain tag T for any known message M with \(|M| = 2m\) under key K and any nonce N.

  3. Fix the preliminary target (challenge) message \(M^*\).

  4. Let \(j^* = 2i^*+1\) be the modifiable block of \(M^*\). Modify

     $$\begin{aligned} M^*_{2i^*+1} = M_{2i^*+1} \oplus \bigoplus _{i \ne i^*} M_{2i+1} \oplus M^*_{2i+1}. \end{aligned}$$

  5. Construct the query message \(M'\) as

     $$\begin{aligned} (M'_{2i}, M'_{2i+1}) = (M^*_{2i} \oplus (\mathtt {2}^{i+1} \oplus \mathtt {1}) \varDelta , M^*_{2i+1} \oplus (\mathtt {2}^{i+1} \oplus \mathtt {1}) \varDelta ) \qquad i = 0, \ldots , m-1. \end{aligned}$$

  6. Request the ciphertext \(C'\) for the query message \(M'\) under \(K' = K \oplus \varDelta \) with nonce \(N' \Vert 10^* = (N \Vert 10^*) \oplus \varDelta \).

  7. The forged ciphertext \(C^*\) and tag \(T^*\) for message \(M^*\) and nonce \(N^* = N\) can be computed as

     $$\begin{aligned} (C^*_{2i}, C^*_{2i+1})&= (C'_{2i} \oplus \mathtt {2}^{i+2} \varDelta , C'_{2i+1} \oplus \mathtt {2}^{i+2} \varDelta ) \qquad i = 0, \ldots , m-1, \\ T^*&= T. \end{aligned}$$

This is essentially the same strategy as in Sect. 4.2, except that instead of using fixed \(M, M'\) and adapting \(M^*\), we fix \(M, M^*\) and adapt \(M'\). To avoid solving the equation system for the correct \(\lambda _i\) (which would require relatively long message lengths 2m, and force us to have \(M^*_j = M_j\) for many j), we modify one block \(M^*_{j^*}\) to make \(\forall i : \, \lambda _i = 1\) a valid solution.

5 Discussion

The core of our attack is the following observation: If an authenticated encryption mode applies the block cipher to variable (controllable) inputs, an attacker can “lift” the inherent related-key weaknesses of the Even-Mansour construction to the entire mode. Then, he can use information from encryptions under a related key to forge ciphertext and tag for the target key.

A question that suggests itself is whether similar attacks are possible on other Prøst modes. In addition, other authenticated encryption modes might display similar problems when combined with an Even-Mansour block cipher.

Prøst-APE does not use the Even-Mansour construction at all, but plugs the permutation into a sponge construction. Thus, the attack is clearly not applicable. Prøst-COPA does use the permutation in an Even-Mansour construction. However, it seems to defy the attack by including \(E_K(0)\), the encryption of the value 0, in the definition of the helper value L (which plays a role similar to \(\ell \) in Prøst-OTR). Since a constant instead of the variable nonce N serves as input to the encryption, the input cannot be controlled to produce (differentially) predictable outputs of L. The situation is similar, for example, for the OCB mode of operation [18]: while the message could be used to cancel out differences in the helper counter value, this value is also derived from the encryption \(E_K(0)\) of the zero value and thus unpredictable.

On the other hand, other popular modes show significant weaknesses when combined with Even-Mansour ciphers. Of course, unlike Prøst, these modes are usually not recommended for use with an Even-Mansour block cipher, but with AES. Consider, for example, the CCM mode of operation [10, 26], an ISO/IEC-standardized combination of CBC-MAC with CTR encryption, as illustrated in Fig. 4. CCM allows a much simpler related-key attack. Assume that an attacker knows the ciphertext (including the tag) \(C = C_1 \cdots C_{\ell } C_{\ell +1}\) of a message \(M = M_1 \cdots M_{\ell }\) under key \(K \oplus \varDelta \) and padded nonce \((N \Vert 0) \oplus \varDelta \) (in the format used as counter input to the CTR encryption). Then, the ciphertext \(C'\) for M under key K and padded nonce \(N \Vert 0\) is simply

$$\begin{aligned} C'_i = {\left\{ \begin{array}{ll} C_i \oplus \varDelta &{} 1 \le i \le \ell , \\ C_i &{} i = \ell +1. \end{array}\right. } \end{aligned}$$

As can be observed from Fig. 4, all differences \(\varDelta \) during the CCM computation cancel out either with the nonce difference fed to the Even-Mansour block encryptions \(E_{K \oplus \varDelta }\), or with neighbouring block cipher calls in the CBC-MAC computation. The final differences at the block cipher outputs from the CTR encryption can simply be added to the ciphertext blocks.

Fig. 4. CCM encryption.

Clearly, the Even-Mansour construction is not well-suited as a general-purpose block cipher construction for all modes of operation. The Prøst-OTR design is an example of how even more complex modes can allow some undesirable properties of the Even-Mansour construction to be lifted to the complete authentication mode, in this case to generate related-key forgeries. The rising popularity of sponge modes and permutation-based encryption in general may lead to interesting new observations in this direction.

Finally, we stress again that the presented attack only concerns the OTR variant of Prøst. For this variant, powerful forgery attacks are possible in a related-key setting. The security of the other modes, Prøst-COPA and Prøst-APE, and in particular of the Prøst permutation itself, remains unaffected. It may be possible to tweak OTR to prevent the specific attack, for example by adapting the initialization of \(\ell \) to include \(\tilde{P}_K(0)\), similar to COPA and OCB. However, the general interactions of the OTR mode with the single-key Even-Mansour construction remain a reason for concern.