A fundamental flaw in the ++AE authenticated encryption mode
In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a p...
Saved in:
Published in | Journal of mathematical cryptology Vol. 12; no. 1; pp. 37 - 42 |
---|---|
Main Authors | , , , , |
Format | Journal Article |
Language | English |
Published |
Berlin
De Gruyter
01.03.2018
Walter de Gruyter GmbH |
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a plaintext message and then constructing multiple forged messages in which the most significant bit of certain blocks is flipped. All of these plaintext messages will generate the same authentication tag. This forgery attack is deterministic and guaranteed to pass the ++AE integrity check. The success of the attack is independent of the underlying block cipher, key or public message number. We outline the mathematical proofs for the flaw in the ++AE algorithm. We conclude that ++AE is insecure as an authenticated encryption mode of operation. |
---|---|
ISSN: | 1862-2976 1862-2984 |
DOI: | 10.1515/jmc-2016-0037 |