Understanding RUP Integrity of COLM

Understanding RUP Integrity of COLM

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a mor...

Full description

Saved in:
Bibliographic Details
Published in:IACR Transactions on Symmetric Cryptology pp. 143 - 161
Main Authors: Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi
Format: Journal Article
Language:English
Published: Ruhr-Universität Bochum 01-06-2017
Subjects:
COLM
COPA
ELmD
ELmE
Integrity
Release of unverified plaintext
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA’s XOR mixing. Then we present a noncemisusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.
ISSN:2519-173X
DOI:10.13154/tosc.v2017.i2.143-161