Related-Key Forgeries for Prøst-OTR [chapter]

Christoph Dobraunig, Maria Eichlseder, Florian Mendel
2015 Lecture Notes in Computer Science  
We present a forgery attack on Prøst-OTR in a related-key setting. Prøst is a family of authenticated encryption algorithms proposed as candidates in the currently ongoing CAESAR competition, and Prøst-OTR is one of the three variants of the Prøst design. The attack exploits how the Prøst permutation is used in an Even-Mansour construction in the Feistel-based OTR mode of operation. Given the ciphertext and tag for any two messages under two related keys K and K ⊕ ∆ with related nonces, we can
more » ... orge the ciphertext and tag for a modified message under K. If we can query ciphertexts for chosen messages under K ⊕ ∆, we can achieve almost universal forgery for K. The computational complexity is negligible.
doi:10.1007/978-3-662-48116-5_14 fatcat:lxzfusctkndbjnraetol2jeegi