A fundamental flaw in the ++AE authenticated encryption mode

In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a p...

Full description

Saved in:
Bibliographic Details
Published inJournal of mathematical cryptology Vol. 12; no. 1; pp. 37 - 42
Main Authors Qahur Al Mahri, Hassan, Simpson, Leonie, Bartlett, Harry, Dawson, Ed, Wong, Kenneth Koon-Ho
Format Journal Article
LanguageEnglish
Published Berlin De Gruyter 01.03.2018
Walter de Gruyter GmbH
Subjects
68P25
94A60
AE
Authenticated encryption
block cipher
CAESAR
Encryption
Forgery
forgery attack
Messages
symmetric encryption
Online AccessGet full text

Cover

More Information
Summary:In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a plaintext message and then constructing multiple forged messages in which the most significant bit of certain blocks is flipped. All of these plaintext messages will generate the same authentication tag. This forgery attack is deterministic and guaranteed to pass the ++AE integrity check. The success of the attack is independent of the underlying block cipher, key or public message number. We outline the mathematical proofs for the flaw in the ++AE algorithm. We conclude that ++AE is insecure as an authenticated encryption mode of operation.
ISSN:1862-2976
1862-2984
DOI:10.1515/jmc-2016-0037