Practical Forgeries for ORANGE

We analyze the authenticated encryption algorithm of ORANGE, a submission to the NIST lightweight cryptography standardization process. We show that it is practically possible to craft forgeries out of two observed transmitted messages that encrypt the same plaintext. The authors of ORANGE have confirmed the attack, and they discuss a fix for this attack in their second-round submission of ORANGE to the NIST lightweight cryptography competition.


Introduction
In symmetric cryptography, competitions play an essential role in converging towards good standards. In the past, competitions held by the US National Institute of Standards and Technology (NIST) resulted in cryptographic primitives and algorithms that became de facto world-wide standards, e.g., the AES [1,2] and SHA-3 [3,4]. The newest competition in this field is the NIST lightweight cryptography standardization process [5], which aims to bring forward standards for authenticated encryption schemes that perform well on resource-constrained devices. With 56 candidates entering the first round, the pool of candidates is very diverse, and hence, comparison between them is not straightforward. However, the one thing that all candidates have in common is that they have to be appropriately secure. Therefore, to ensure that only excellent and reliable candidates get standardized, as much cryptanalysis as possible is needed.
In this work, we contribute to this effort by providing an analysis of the candidate called ORANGE [6], or, to be more precise, of the authenticated encryption algorithm contained in this proposal: ORANGE-Zest. ORANGE-Zest is a permutation-based design. It is inspired by the duplex construction [7], but differs in that it uses the full $b$-bit state output by the permutation for plaintext/ciphertext processing. As the duplex construction does not support this, the authors have proposed modifications to that mode to accommodate this change. In the case of ORANGE-Zest, half of the state of the previous permutation call is used when processing the data of the current one.
Whenever changes to well-established structures are made, it is easy to overlook details that might lead to powerful attacks. In the case of ORANGE-Zest, such a detail was indeed missed. If ORANGE-Zest is evaluated on a message without associated data, then for the first message block there is no such thing as "the previous permutation call", and the absorption of the message has a special structure. In particular, the bottom half of the state is independent of the nonce. The other half of the state is known to an attacker who knows the message, and it can be modified through the ciphertext; hence, an attacker can set it to a value of their choice. We use this to show a practical forgery that an attacker can mount by just observing two encryptions of the same message block.
We first reported our findings on the NIST mailing list after the list of second-round candidates was announced. As ORANGE moved on to the second round, the authors could respond to the attack in an updated design document. In their second-round design document [8], the authors acknowledge our findings and discuss a modified algorithm of ORANGE-Zest that would fix our attack. However, since NIST did not allow design changes for the second round, the original version of ORANGE-Zest is still specified in the second-round submission.

ORANGE-Zest
We provide a short summary of the details of ORANGE-Zest needed to understand our attack; we refer to the design document [6] for the full specification. Figure 1 shows the working principle of ORANGE-Zest in the absence of associated data. We consider a permutation $p$ of width $b$ bits. First, the $b$-bit state is initialized with the concatenation of the nonce $N$ and the key $K$, plus one. Then, the permutation is applied to the state to obtain $Y_0$. The function $\mathrm{FB}^+$ takes as input the state $Y_0$, the secret key $K$, and the $b$-bit plaintext block $P_0$. It updates the state to $X_0$ and produces a $b$-bit ciphertext block $C_0$. Then, the permutation $p$ is applied to the state $X_0$, and the next plaintext block $P_1$ is absorbed. It is important to note that only from the second plaintext block onwards does $\mathrm{FB}^+$ take as input the state $Y_i$, the plaintext block $P_i$, and half of the previous state $Y_{i-1}$ instead of the key $K$. Once all plaintext blocks have been absorbed, the tag $T$ is generated.
Next, we inspect the behavior of $\mathrm{FB}^+$ in Algorithm 1. The keystream $Z_i$ is created by first splitting the state into two halves. One half is transformed by xoring it with half of the state of the previous processing step, multiplied by $\alpha$. The other half is just rotated by one. The value $\delta_M$ equals 0, 1, or 2 for an intermediate block, an incomplete last block, or a complete last block, respectively. We stress that, if no associated data is present, for the initial plaintext block $P_0$ the value $Y_{-1}$ is defined to be the secret key $K$ (see also Figure 1). The ciphertext block is simply the xor of the plaintext block with the keystream. Then, the ciphertext block is absorbed into the state to form $X_i$.

Attack
As mentioned, our attack is a forgery attack that targets ORANGE-Zest when there is no associated data. First, let us have a look at the state $X_0$ that is created in this case.
An Observation. In the absence of associated data, $\mathrm{FB}^+$ takes the secret key $K$ as input, as shown in Figure 1. Then, half of the keystream is computed as
If we now take a look at the updated state halves, we get
We see that the bottom half $X^b_i$ is independent of the nonce, and constant if the respective half of the message block is constant, while the top half $X^t_i$ is known to an attacker who knows $P^t_i$. Hence, we can mount the following forgery attack.
The Forgery. Assume we observe two transcripts of single-block encryptions, $(N, P_0, C_0, T)$ and $(N', P'_0, C'_0, T')$, where $P'_0 = P_0$. Then, we can craft a forgery in the following manner. First, we calculate
After that, we can compute
Then, the transcript $(N', \bar{C}^{\,b}_0 \,\|\, \bar{C}^{\,t}_0, T)$ is a valid forgery.
Correctness of the Forgery. We show that the above forgery is valid. To do so, we show that the state $\bar{X}_0$ of our forgery equals $X_0$ and hence results in the tag $T$. Since we use the nonce $N'$, after the first permutation call we end up with the state $Y'_0$. For one half of the state, we absorb
Here, we then get
which equals $X^t_0$. Hence, the state $\bar{X}_0$ of the forgery before the last permutation call equals $X_0$, and thus the tag value $T$ is the same in both cases.
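Because the equations of $\mathrm{FB}^+$ are not reproduced on this page, the following is a toy model written for this edit; it is neither ORANGE-Zest nor the designers' code. It is a two-half feedback mode that shares only the structural property described in the observation above: for the first block without associated data, the bottom half $X^b_0$ of the state depends on $P^b_0$ and $K$ but not on the nonce, while the top half $X^t_0$ is computable from $P^t_0$ and $C^t_0$ and can be steered through the ciphertext. The permutation $p$ (a hash), the multiplication by $\alpha$ (GF($2^{128}$) doubling), the folding-in of $\delta_M$ and the feedback equations themselves are all assumptions of the toy. The code carries out the two-transcript forgery in the two steps of "The Forgery" and checks it against a verifier; with `fixed=True` it also models the fix described in the Conclusion (a secret nonce-dependent value instead of $K$, instantiated here with an assumed choice) and shows that the same forgery is then rejected.

```python
"""Toy model of the block-0 forgery on a two-half feedback mode.

Added example: NOT ORANGE-Zest and not the designers' code. The permutation p,
the multiplication by alpha, the delta encoding and the feedback equations are
toy choices that only reproduce the structural property discussed in the text.
"""
import hashlib

HALF = 16  # bytes per state half: toy b = 256 bits, n = b/2 = 128 bits

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rotl1(x: bytes) -> bytes:
    """Rotate a half-state left by one bit."""
    bits, n = 8 * len(x), int.from_bytes(x, "big")
    return (((n << 1) | (n >> (bits - 1))) & ((1 << bits) - 1)).to_bytes(len(x), "big")

def rotr1(x: bytes) -> bytes:
    """Inverse of rotl1."""
    bits, n = 8 * len(x), int.from_bytes(x, "big")
    return ((n >> 1) | ((n & 1) << (bits - 1))).to_bytes(len(x), "big")

def alpha_mul(x: bytes) -> bytes:
    """Stand-in for 'multiplication by alpha': doubling in GF(2^128) (toy choice)."""
    n = int.from_bytes(x, "big") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(HALF, "big")

def perm(state: bytes) -> bytes:
    """Stand-in for the public b-bit permutation p (a hash; not invertible, fine for a toy)."""
    return hashlib.sha256(b"toy-p|" + state).digest()

def fb_plus(y: bytes, w: bytes, block: bytes, decrypt: bool, delta: int):
    """Toy FB+. w is the 'previous half' (K for block 0 without AD). Returns (X, C, P)."""
    yt, yb = y[:HALF], y[HALF:]
    zt = xor(yt, alpha_mul(w))  # one keystream half: xor with alpha * w
    zb = rotl1(yb)              # other keystream half: rotated by one
    z = zt + zb
    p, c = (xor(block, z), block) if decrypt else (block, xor(block, z))
    ct, cb = c[:HALF], c[HALF:]
    xt = xor(zt, rotl1(ct))     # = P^t ^ C^t ^ rotl1(C^t): attacker-computable, ciphertext-controlled
    xb = xor(xor(zb, cb), w)    # = P^b ^ w: nonce-independent whenever w = K
    xb = xb[:-1] + bytes([xb[-1] ^ delta])  # delta_M folded into the last byte (toy choice)
    return xt + xb, c, p

def init_state(key: bytes, nonce: bytes) -> bytes:
    """Y_0 = p(N || K) with a constant 1 in the last byte (toy reading of 'plus one')."""
    s = nonce + key
    return perm(s[:-1] + bytes([s[-1] ^ 1]))

def block0_input(key: bytes, y0: bytes, fixed: bool) -> bytes:
    """Y_{-1} for the first block without AD: the key K in the original design, or, for the
    described fix, a secret nonce-dependent value (here the bottom half of Y_0; an assumption)."""
    return y0[HALF:] if fixed else key

def encrypt(key: bytes, nonce: bytes, p: bytes, fixed: bool = False):
    y0 = init_state(key, nonce)
    x0, c, _ = fb_plus(y0, block0_input(key, y0, fixed), p, False, delta=2)  # complete last block
    return c, perm(x0)[:HALF]

def verify(key: bytes, nonce: bytes, c: bytes, tag: bytes, fixed: bool = False):
    """Return the plaintext if the tag is valid, else None."""
    y0 = init_state(key, nonce)
    x0, _, p = fb_plus(y0, block0_input(key, y0, fixed), c, True, delta=2)
    return p if perm(x0)[:HALF] == tag else None

def forge(t1, t2):
    """From (N, P, C, T) and (N', P, C', T') with equal P, build the forgery (N', Cbar, T)."""
    n1, p, c1, tag1 = t1
    n2, p2, c2, _ = t2
    assert p == p2 and n1 != n2
    pt, c1t, c2t = p[:HALF], c1[:HALF], c2[:HALF]
    x0t = xor(xor(pt, c1t), rotl1(c1t))  # step 1: X^t_0 of transcript 1, from P^t and C^t alone
    z2t = xor(pt, c2t)                   # top keystream half under N', from transcript 2
    cbar_t = rotr1(xor(x0t, z2t))        # step 2: pick Cbar^t so that Z'^t ^ rotl1(Cbar^t) = X^t_0
    return n2, cbar_t + c2[HALF:], tag1  # keep C'^b: the bottom half already equals X^b_0

def demo(fixed: bool = False) -> dict:
    """Run the attack on constructed sample values against the original or the fixed variant."""
    key, n1, n2 = bytes(range(16)), bytes(15) + b"\x01", bytes(15) + b"\x02"
    p = b"constructed plaintext block 0!!!"  # one complete 2n-bit block (constructed sample)
    c1, t1 = encrypt(key, n1, p, fixed)
    c2, t2 = encrypt(key, n2, p, fixed)
    nf, cf, tf = forge((n1, p, c1, t1), (n2, p, c2, t2))
    pf = verify(key, nf, cf, tf, fixed)
    return {"accepted": pf is not None, "new_ciphertext": cf not in (c1, c2), "plaintext": pf}

if __name__ == "__main__":
    print("original:", demo(fixed=False)["accepted"])  # True: (N', Cbar, T) verifies
    print("fixed:   ", demo(fixed=True)["accepted"])   # False: bottom half now depends on the nonce
```

In the toy the forged ciphertext keeps the bottom half of the second transcript (so the decrypted bottom half is again $P^b_0$ and the nonce-independent $X^b_0$ is reproduced) and replaces the top half with a value derived from both transcripts, so the accepted forgery decrypts to a message that differs from $P_0$ in its top half. With the modelled fix, the attacker can still steer the top half, but the bottom half now carries a nonce-dependent secret, so the transplanted tag no longer matches.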

Conclusion
In this paper, we have shown a practical forgery attack on ORANGE-Zest. In the second-round version of their submission document [8], the authors acknowledge our attack and provide a fix against it. This is done by no longer fixing the input of $\mathrm{FB}^+$ to $K$ in the absence of associated data. Instead, the scheme is modified so that a secret, nonce-dependent value is fed into $\mathrm{FB}^+$ in place of $K$.