Understanding RUP Integrity of COLM

Authors

  • Nilanjan Datta Indian Institute of Technology, Kharagpur, India
  • Atul Luykx imec - Computer Security and Industrial Cryptography (COSIC) research group, Department of Electrical Engineering (ESAT), KU Leuven, Leuven, Belgium; Department of Computer Science, University of California, Davis One Shields Ave, Davis, California 95616, USA
  • Bart Mennink Digital Security Group, Radboud University, Nijmegen, The Netherlands; CWI, Amsterdam, The Netherlands
  • Mridul Nandi Indian Statistical Institute, Kolkata, India

DOI:

https://doi.org/10.13154/tosc.v2017.i2.143-161

Keywords:

Integrity, Release of unverified plaintext, COLM, COPA, ELmD, ELmE

Abstract

The authenticated encryption scheme COLM is a third-round candidate in the CAESAR competition. Much like its antecedents COPA, ELmE, and ELmD, COLM consists of two parallelizable encryption layers connected by a linear mixing function. While COPA uses plain XOR mixing, ELmE, ELmD, and COLM use a more involved invertible mixing function. In this work, we investigate the integrity of the COLM structure when unverified plaintext is released, and demonstrate that its security highly depends on the choice of mixing function. Our results are threefold. First, we discuss the practical nonce-respecting forgery by Andreeva et al. (ASIACRYPT 2014) against COPA’s XOR mixing. Then we present a noncemisusing forgery against arbitrary mixing functions with practical time complexity. Finally, by using significantly larger queries, we can extend the previous forgery to be nonce-respecting.

Downloads

Published

2017-06-19

Issue

Volume 2017, Issue 2

Section

Articles

License

Copyright (c) 2017 Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Understanding RUP Integrity of COLM. (2017). IACR Transactions on Symmetric Cryptology, 2017(2), 143-161. https://doi.org/10.13154/tosc.v2017.i2.143-161