Cryptanalysis of IAR-CTR and IAR-CFB and a fixing method
Cybersecurity volume 8, Article number: 3 (2025)
Abstract
We present practical attacks on IAR-CTR and IAR-CFB, AE modes proposed by Hwang and Gope to offer both privacy and authenticity in a single pass. Then we use the idea of iCOFB, which is originally defined with a tweakable random function, to fix the IAR-CTR mode using a tweakable block cipher, and propose the TIAR-CTR mode, a one-pass AEAD mode with provable security. However, the same fixing method does not work for the IAR-CFB mode.
Introduction
Authenticated encryption (AE) provides both privacy and authenticity. Privacy ensures that the ciphertext does not reveal any information about the plaintext, except length, while authenticity ensures that an adversary cannot forge a valid ciphertext. A general method to construct an AE scheme combines an encryption scheme and a message authentication code (MAC), resulting in a two-pass scheme (Bellare and Namprempre 2000; Namprempre et al 2014).
In 2001, several one-pass AE schemes were proposed (see Lucks 2005): IAPM, IACBC (Jutla 2001), XCBC, XECB (Gligor and Donescu 2001) and OCB1 (Rogaway et al 2003). One-pass AE schemes process the message once to obtain both privacy and authenticity. To avoid the one-pass AE patents, new two-pass AEAD schemes were developed. The well-known two-pass schemes are CCM (Whiting et al 2003), EAX (Bellare et al 2004), CWC (Kohno et al 2004) and GCM (McGrew and Viega 2004). However, a one-pass scheme needs to process the data only once, so it is better in terms of time and memory.
In a real-time environment, we cannot expect to have a large amount of auxiliary storage that keeps holding a large number of key-stream outputs for a long time. Hwang and Gope proposed a series of one-pass schemes (Gope 2015; Hwang and Gope 2016), such as IAR-CTR and IAR-CFB, which modify the CTR and CFB stream cipher modes to provide authenticity. They also offer low latency and low jitter, which are imperative in a real-time cryptosystem. Although the authors gave the corresponding security proofs, including IND-CPA, IND-CCA, and INT-CTXT, we will show that both modes are insecure and the proofs fail. We try to fix them. There are two more defects. First, IAR-CTR and IAR-CFB do not support associated data (AD), which need authenticity but not privacy. Second, they are randomized or stateful modes that do not support a nonce. The fixed mode supports both AD and a nonce.
Related work In 2017, Chakraborti et al. presented the COFB mode (Chakraborti et al 2020), an excellent block-cipher-based authenticated encryption mode. A key idea of COFB is a new type of feedback function that combines both plaintext and ciphertext blocks. They first presented an idealized version of COFB, named iCOFB, along with its provable security analysis. Our idea to fix the IAR-CTR mode comes from iCOFB. The core idea of iCOFB is that it uses a tweakable random function (TRF) for each message/ciphertext block. Because the tweaks are distinct, each block is processed by an independent random function. Furthermore, the tweak includes the nonce, which never repeats in encryption, so each random function is used only once. These properties guarantee the randomness and independence of the output, making the mode secure with an easy proof. Several COFB-based schemes have been designed, including GIFT-COFB (Banik et al 2020), PFB (Naito and Sugawara 2020a), etc.
Our contributions Our contributions include forgery attacks against IAR-CTR and IAR-CFB, and designing a fixed mode named TIAR-CTR.
1) We present forgery attacks against both IAR-CTR and IAR-CFB. The attacks require only one encryption query to get a successful forgery with probability one. Generally, these forgery attacks lead to chosen ciphertext attacks against privacy.
2) We try to fix the two modes and get a secure one: TIAR-CTR. We use the idea of iCOFB, and change the block cipher to a tweakable block cipher. When the nonces are distinct, the tweak never repeats, which ensures the randomness of the blocks so that the security is guaranteed. We also show why fixing IAR-CFB in this way is impractical. Our nonce-based mode supports associated data.
Organization We first review the concepts of the AE scheme and its security, as well as the concept of the tweakable block cipher in Sect. . After introducing IAR-CTR and IAR-CFB in Sect. , we present the forgery attacks against both modes in Sect. . Finally, in Sect. we consider using tweakable block ciphers to repair the IAR-CTR and IAR-CFB modes.
Preliminaries
Notation
Let \(\{0, 1 \}^*\) be the set of all binary strings and let \(\epsilon\) be the empty string. For a string X, we denote the length of X by |X|. For the concatenation of two strings X and Y, we denote it by \(X \Vert Y\). Given a string X, we define the parsing of X into n-bit blocks as
where \(|X[i]|=n\) and i means the i-th block. Typically, we fix the block size n as \(n=128\), so we will write in simplified form as
We write \(s{\mathop {\leftarrow }\limits ^{\$}}{\mathcal {S}}\) meaning the variable s samples uniformly from the finite set \({\mathcal {S}}\). In the security definitions, we write \({\mathcal {A}}^{\mathcal {O}}\rightarrow 1\) to denote the event in which the adversary returns 1 after interacting with the oracle \({\mathcal {O}}\).
AE and security definitions
An authenticated encryption scheme provides both privacy and authenticity. An AE scheme \(\Pi\) consists of two algorithms: encryption \({\mathcal {E}}\) and decryption \({\mathcal {D}}\) algorithms, with key space \({\mathcal {K}}\), nonce space \({\mathcal {N}}\), associated data (AD) space \({\mathcal {A}}\), plaintext space \({\mathcal {P}}\), ciphertext space \({\mathcal {C}}\), and tag space \({\mathcal {T}}\). Here, the AD is the data that do not need to be encrypted, but need to be authenticated. For example, in a network protocol, AD includes ports, addresses, etc. Formally, the encryption algorithm is: \({\mathcal {E}}: {\mathcal {K}} \times {\mathcal {N}} \times {\mathcal {A}} \times {\mathcal {P}} \rightarrow {\mathcal {C}} \times {\mathcal {T}}\), and the decryption algorithm is: \({\mathcal {D}}: {\mathcal {K}}\times {\mathcal {N}} \times {\mathcal {A}} \times {\mathcal {C}} \times {\mathcal {T}} \rightarrow {\mathcal {M}} \cup \{ {\bot } \}\), where the error symbol \(\bot\) indicates that the ciphertext is invalid or unauthentic. We require \({\mathcal {D}}_K(N,A,{\mathcal {E}}_K(N,A,M))=M\).
Early AE schemes do not support AD, i.e. \({\mathcal {A}}=\emptyset\), such as IAPM, IACBC and OCB1. IAR-CTR and IAR-CFB also do not support AD. When AE supports AD, we call it AEAD (authenticated encryption with associated data).
The security of AE is typically captured with two notions: privacy and authenticity. Privacy requires that ciphertexts (including the tag) cannot be distinguished with random strings. Authenticity requires that an adversary cannot compute a new ciphertext (which means that it is not obtained from encryption oracle queries) that can pass verification. We give the two definitions below.
Privacy The privacy advantage is defined as
where the adversary \({\mathcal {A}}\) is nonce-respecting (meaning the nonce never repeats in the encryption queries), and the random oracle $ returns, for each query, a random string whose length equals the output length of \({\mathcal {E}}\).
In addition to this, if the adversary has the ability to access the decryption oracle, we can define the privacy advantage under chosen ciphertext attacks as follows.
Notice that there is no restriction on nonce in decryption queries.
Authenticity We say that the adversary \({\mathcal {A}}\), with access to the encryption and decryption oracles, successfully forges if \({\mathcal {A}}\) outputs (N, C, T) such that \(D_{K}(N, C, T) \ne \bot\), with the restriction that the adversary cannot query the decryption oracle with an answer of the encryption oracle. Formally, the authenticity advantage is defined as
Tweakable block cipher
A tweakable block cipher (TBC) (Liskov et al 2002) has an additional input, the tweak (\(t\in {\mathcal {T}}\)), compared to a block cipher. We write it as
It is a family of permutations on \(\{0,1\}^n\) (\({\widetilde{E}}(K,t, \cdot )\)) indexed by the key \(K\in \{0,1\}^k\) and the tweak \(t\in {\mathcal {T}}\). When \({\mathcal {T}} = \emptyset\), it becomes a block cipher.
We often write \({\widetilde{E}}(K,t,P)\) as \({\widetilde{E}}_K(t, P)\) or \({\widetilde{E}}_K^t(P)\). When \({\widetilde{E}}\) is a block cipher, we write it as E. Without ambiguity, we sometimes omit the key or the tweak in \({\widetilde{E}}\) or E. Similarly, we define the concept of a tweakable function:
It is a family of functions from \(\{0,1\}^n\) to \(\{0,1\}^n\) indexed by the key \(K\in \{0,1\}^k\) and the tweak \(t\in {\mathcal {T}}\).
In this paper, the TBC is assumed to be a tweakable pseudorandom permutation (TPRP), which is indistinguishable from a tweakable random permutation (TRP). Similarly, the tweakable pseudorandom function (TPRF) is indistinguishable from the tweakable random function (TRF).
Let \(Func^{\mathcal {T}}(n)\) be the set of all functions from \({\mathcal {T}}\times \{0,1\}^n\) to \(\{0,1\}^n\). Let \(Perm^{\mathcal {T}}(n)\) be the set of all functions \(f: {\mathcal {T}}\times \{0,1\}^n \rightarrow \{0,1\}^n\) such that for any \(T \in {\mathcal {T}}\), \(f(T,\cdot )\) is a permutation.
The TRP \({\widetilde{\pi }}\) and TRF \({{\widetilde{\rho }}}\) are defined as follows:
For a TBC \({\widetilde{E}}\) (or a tweakable function F), the TPRP (resp. TPRF) security advantage of an adversary \({\mathcal {A}}\) is defined as:
Finally, we recall the TPRP/TPRF switching lemma (Andreeva et al 2017).
Lemma 1
(TPRP/TPRF switching lemma (Andreeva et al 2017)) Let \(n\ge 1\) be an integer. Let \({\mathcal {A}}\) be a distinguisher that asks at most \(\sigma\) oracle queries. Then
where \({\widetilde{\pi }}\) is a tweakable random permutation and \({{\widetilde{\rho }}}\) is a tweakable random function.
The IAR-CTR and IAR-CFB modes
Hwang and Gope proposed a series of one-pass AE schemes based on conventional stream cipher modes of operation, including CTR and CFB (Gope 2015; Hwang and Gope 2015, 2016). They mainly added authenticity to the existing encryption modes. To do that, and to make the result suitable for the real-time environment, they used the method of intentional delay, which has been adopted by several AE schemes, including COFB (Chakraborti et al 2020), Ascon (Dobraunig et al 2021), etc. Specifically, during CTR and CFB encryption they XOR the plaintext blocks into the encryption process with a delay of t blocks, and use the result of the last t blocks as the verification tag. This is how IAR-CTR and IAR-CFB were designed.
Although the authors gave security proofs for both modes, the proofs are not correct. The aim of the intentional delay method is to make all blocks affect the final tag computation, so that any forgery is detectable. However, the two modes do not provide enough randomization and dependence to guarantee authenticity. We give pseudocode for IAR-CTR and IAR-CFB in Fig. 1 and Fig. 2 respectively, and illustrate them further in Fig. 3 and Fig. 4.
Attacks on authenticity and privacy
We show that the IAR-CTR mode and the IAR-CFB mode do not provide authenticity. We give an attack that uses a single encryption query to produce an existential forgery with probability 1. The common point of the attacks on the two modes is that the adversary \({\mathcal {A}}\) queries M and receives the IV, ciphertext, and tag (IV, C, T), then modifies C by adding length information, and forges the tag through \(C \oplus M\). In an actual attack, the adversary intercepts the ciphertext, replaces it with the forged one, and sends it to the receiver, whose decryption algorithm accepts the forgery.
Forgery attack against IAR-CTR
We will give a simple example of our forgery attacks against IAR-CTR. The following steps of our attack are also illustrated in Fig. 5 and specified in pseudocode in Fig. 7 (left).
1. The adversary \({\mathcal {A}}\) queries the message \((M[1],M[2],\dots ,M[m])\), and then gets (IV, C, T) consisting of a ciphertext \(C=(C[1],C[2],\cdots ,C[m])\) and a tag \(T=(T[1],T[2],\cdots ,T[t])\).
2. The adversary \({\mathcal {A}}\) makes a forgery \((IV',C',T')\) where \(IV'=IV\), \(C'=(C'[1],C'[2],\cdots ,C'[m-t])\), and the length is \(L'\). More specifically,
$$\begin{aligned} & C'[i]=C[i] \quad \text {for } 1 \le i \le m-t-1, \end{aligned}$$ (12)
$$\begin{aligned} & C'[m-t]=C[m-t] \oplus L', \end{aligned}$$ (13)
$$\begin{aligned} & T'[i]=C[m-t+i] \oplus M[m-t+i] \quad \text {for } 1 \le i \le t. \end{aligned}$$ (14)
To see that this tuple will pass verification, let \(T^*\) be the reconstructed (untruncated) tag in the decryption query. Notice that the first \(m-t-1\) blocks of ciphertext don’t change, so these blocks will be decrypted
For the \((m-t)\)-th block \(C'[m-t]=C[m-t] \oplus L'\), notice that
so \(C'[m-t]\) will be decrypted to
In the encryption algorithm, we have
Then when verifying the tag, it is recovered as
and
Thus, we have \(T'=T^*\), and the tuple \((IV', C', T')\) is a successful forgery. This breaks the authenticity of IAR-CTR.
Forgery attack against IAR-CFB
Similarly, we give a forgery attack on IAR-CFB. Our attack process is shown in Fig. 6.
1. The adversary \({\mathcal {A}}\) queries the message \((M[1],M[2],\dots ,M[m])\) and receives (IV, C, T) where \(C=(C[1],C[2],\cdots ,C[m])\) and \(T=(T[1],T[2],\cdots ,T[t])\).
2. The adversary \({\mathcal {A}}\) makes a forgery \((IV',C',T')\), where \(IV'=IV\), \(C'=(C'[1],C'[2],\cdots ,C'[m-t])\) and the length is \(L'\). More specifically,
$$\begin{aligned} & C'[i]=C[i] \quad \text {for } 1 \le i \le m-t-1, \end{aligned}$$ (21)
$$\begin{aligned} & C'[m-t]=C[m-t] \oplus L', \end{aligned}$$ (22)
$$\begin{aligned} & T'[i]=C[m-t+i] \oplus M[m-t+i] \quad \text {for } 1 \le i \le t. \end{aligned}$$ (23)
The tuple is also a successful forgery for similar reasons.
Privacy attack
In Sect. and Sect. , we break the authenticity of IAR-CTR and IAR-CFB. Generally, forgery attacks also lead to chosen ciphertext attacks on privacy. Following the method Inoue et al. used to attack the privacy of OCB2 (Inoue et al 2020), we describe a two-query attack against the PRIV-CCA notion that succeeds with probability 1. We illustrate the attack below with the example of IAR-CTR.
The adversary \({\mathcal {A}}\) performs the same encryption and decryption queries as in Sect. and then checks whether the message returned by the decryption oracle is valid. Specifically, if the decryption oracle returns a valid message, meaning the ciphertext is valid (i.e. it does not return \(\bot\)), then the adversary \({\mathcal {A}}\) returns \(b=1\); otherwise the decryption oracle returns \(\bot\), meaning the ciphertext is invalid, and the adversary returns \(b=0\). Noting that in Sect. we have shown that the forgery always succeeds with probability 1 when the adversary interacts with \({\mathcal {E}}\) and \({\mathcal {D}}\), the adversary then outputs \(b=1\). On the other hand, if the adversary interacts with \(\$\) and \({\mathcal {D}}\), the probability of the ciphertext being valid is just \(2^{-n}\), so the adversary outputs \(b=0\) with high probability.
Now, we consider the IND-CCA notion (Rogaway 2004). Unlike PRIV-CCA, it does not require that the ciphertext be indistinguishable from independent random strings; the IND-CCA notion focuses more on semantic security, i.e., information about the message cannot be inferred from the ciphertext alone. IND-CCA is defined by the classic left-or-right game, briefly described as follows: the adversary interacts with the encryption and decryption oracles, then submits two distinct plaintexts \((M_{0}, M_{1})\) to the challenger; the challenger selects a bit \(b\in \{0, 1\}\) uniformly at random and sends the challenge ciphertext \(C=E_K(M_b)\) to the adversary; finally, the adversary must produce a guess for the value of b.
It is easy to modify the above attack so that it succeeds in the IND-CCA sense: after one query to the encryption oracle, we let the left message \(M_0\) be our forged ciphertext and choose the right message \(M_1\) to be something unrelated. Then the adversary outputs \(b=0\) if and only if the forgery attempt is valid.
Fixing IAR-CTR and IAR-CFB
In this section, we use the strategy of the COFB mode proposed by Chakraborti et al. to repair the IAR-CTR and IAR-CFB modes. Specifically, we use a tweakable block cipher in place of the block cipher currently used. With distinct tweaks, each block cipher call is equivalent to an independent random permutation. By incorporating a feedback mode, any change to a block affects all blocks after it. Under this strategy, every output is a random string, which ensures integrity. As the following account shows, this method repairs IAR-CTR, and we give a security proof below; the same method does not repair IAR-CFB, and we give an example forgery below to show that.
Fixing IAR-CTR and security analysis
From the above attacks, it can be seen that because the AE modes use a block cipher, every block call corresponds to the same pseudorandom permutation. The previous forgery exploits the input value of this permutation, so even a modified ciphertext still passes verification. By using tweakable block ciphers, however, each distinct tweak corresponds to a different pseudorandom permutation, which prevents the previous attacks; secondly, a nonce can be included so that each pseudorandom permutation is used only once during encryption.
So, we replace every block cipher call with a tweakable block cipher call to fix the IAR-CTR mode, and call the resulting scheme TIAR-CTR. We set \(t=1\) in the original IAR-CTR, which means a one-block tag. Our mode is described in Fig. 8. We define the tweak as
where N is a nonce chosen from the nonce space, i is the position of the block, \(b=00\) for encrypting a message block and \(b=01\) for generating the tag.
In the security proof that follows, we can see that the length L and the counter Ctr do not contribute to privacy or authenticity, so we can simplify our scheme by removing L and Ctr, which further reduces memory usage and improves efficiency. We assume that the message size is an integer multiple of the block size (including the processing of the AD in Sect. ). If the message size is not a multiple of the block size of the cipher, we can follow the approach of OCB2. The TIAR-CTR algorithm is detailed in Fig. 9 and further illustrated in Fig. 10.
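The following is an added toy model of the fixing strategy described above; it is not the paper's Fig. 9 algorithm (whose exact feedback map and initial input are not reproduced on this page) and it makes stated assumptions: an HMAC-SHA256-based tweakable PRF stands in for the tweakable block cipher (only the forward direction is needed, as in the proof after the TPRP/TPRF switch), the tweak is \(N \Vert i \Vert b\) as defined above, the initial input is the zero block (L and Ctr dropped), the feedback map is GF(2^128) doubling of the output XORed with the message block (a COFB-style choice), and the tag is one block computed under \(b=01\). It checks that a truncated ciphertext, a modified block, and a replay under another nonce are all rejected.

```python
import hmac
import hashlib

BLOCK = 16  # n = 128 bits


def tprf(key: bytes, tweak: bytes, x: bytes) -> bytes:
    """Tweakable PRF stand-in F_K^t(x): HMAC-SHA256 over tweak || x, truncated to n bits.
    Assumption: a TPRF replaces the TBC, since the mode only calls the primitive forward."""
    return hmac.new(key, tweak + x, hashlib.sha256).digest()[:BLOCK]


def tweak(nonce: bytes, i: int, b: int) -> bytes:
    """Tweak (N, i, b): nonce, block position, domain bits b=0b00 (message) / 0b01 (tag)."""
    return nonce + i.to_bytes(4, "big") + bytes([b])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def dbl(y: bytes) -> bytes:
    """Doubling in GF(2^128) with polynomial x^128 + x^7 + x^2 + x + 1.
    Assumed feedback map G: both G (= 2*y) and G+I (= 3*y) are invertible, so the
    next input 2*y XOR m = 3*y XOR c is uniform whenever y is uniform."""
    v = int.from_bytes(y, "big")
    v = (v << 1) ^ (0x87 if v >> 127 else 0)
    return (v & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt(key: bytes, nonce: bytes, msg: bytes):
    x = bytes(BLOCK)  # assumed initial input: the all-zero block (L and Ctr dropped)
    cipher = []
    for i, m in enumerate(_blocks(msg), 1):
        y = tprf(key, tweak(nonce, i, 0b00), x)  # fresh tweak for every (N, i)
        cipher.append(xor(y, m))
        x = xor(dbl(y), m)  # feedback: every later input depends on this block
    tag = tprf(key, tweak(nonce, len(cipher), 0b01), x)  # one-block tag, t = 1
    return b"".join(cipher), tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns the message, or None (the error symbol) if the tag does not verify."""
    x = bytes(BLOCK)
    plain = []
    for i, c in enumerate(_blocks(ct), 1):
        y = tprf(key, tweak(nonce, i, 0b00), x)
        m = xor(y, c)
        plain.append(m)
        x = xor(dbl(y), m)
    expected = tprf(key, tweak(nonce, len(plain), 0b01), x)
    if not hmac.compare_digest(expected, tag):
        return None
    return b"".join(plain)


def demo():
    key = bytes(range(32))                      # constructed sample key
    nonce = b"\x00" * 11 + b"\x01"              # constructed 12-byte nonce
    msg = b"block-one.......block-two.......block-three....."  # 3 constructed blocks
    ct, tag = encrypt(key, nonce, msg)
    ok = decrypt(key, nonce, ct, tag) == msg
    # drop the last block but keep the old tag (the shape of the truncation forgery above):
    # the tag tweak (N, L, 01) and the chain input both change, so verification fails
    truncated = decrypt(key, nonce, ct[:-BLOCK], tag) is None
    # flip one bit in the first block: the change propagates through the feedback chain
    flipped = decrypt(key, nonce, bytes([ct[0] ^ 1]) + ct[1:], tag) is None
    # replay (C, T) under a different nonce: every tweak differs, so nothing verifies
    replayed = decrypt(key, nonce[:-1] + b"\x02", ct, tag) is None
    return ok, truncated, flipped, replayed


if __name__ == "__main__":
    print(demo())
```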
We present the security result of TIAR-CTR in Theorem 1. We next proceed with our proof for our instantiation.
Theorem 1
For any adversary \({\mathcal {A}}\) making \(q_e\) encryption queries and \(q_f\) forging attempts, each of at most \(L_{max}\) blocks, we can construct another adversary \({\mathcal {B}}\) making about the same number of queries such that
where \(\sigma\) is the total number of block cipher calls made during the game.
Proof
We first make a two-step transition. The first transition is to use a tweakable random permutation \({\widetilde{P}}\) instead of \({\widetilde{E}}\), and the second is to use a tweakable random function \({\widetilde{R}}\) instead of \({\widetilde{P}}\). This two-step transition accounts for the first two terms of our bound, by the TPRP/TPRF switching lemma (Lemma 1). Now, we just need to prove that
Consider an adversary \({\mathcal {A}}\) which makes \(q_e\) nonce-respecting encryption queries \((N_i,M_i)\) and receives \((C_i,T_i)\), \(1\le i \le q_e\), and makes \(q_f\) decryption queries \((N^*_i,C^*_i,T^*_i)\), \(1 \le i \le q_f\). Variables \(V_i[j]\) represent the j-th computation of the i-th query.
Privacy. It would be sufficient to show that \(C_1,\cdots ,C_{q_e}\) are distributed uniformly and independently. We know that a tweakable random function returns a random string if the input concatenated with the tweak is fresh. And we note that no tweak is ever repeated when the adversary \({\mathcal {A}}\) is nonce-respecting, so the tweaks are distinct for all \(\left( i,j\right)\).
Authenticity. First, we consider the case of the adversary attempting a single forgery. Let \((N', C', T')\) be the forging attempt, in which the ciphertext \(C'\) has \(L'\) n-bit blocks. We define p as the length of the longest common prefix of \(((C_\alpha [1],t_\alpha [1]),\cdots ,(C_\alpha [L_\alpha ],t_\alpha [L_\alpha ]))\) and \(((C'[1],t'[1]),\cdots ,(C'[L'],t'[L']))\).
There are two cases to consider. In the first case, the adversary uses an old nonce, which means \(N'=N_\alpha\). In this case, \(\alpha\) is unique if it exists, because the adversary \({\mathcal {A}}\) is nonce-respecting. And when p>0, In the second case, the nonce is new. In this case, we define \(p=0\) because the tweak is new and distinct.
Because the length of the longest common prefix is p, the input for the \((p+1)\)-st block must be fresh and uniformly distributed. Therefore, the next input also remains fresh with probability at least \(1-2^{-n}\). We can continue this until the last tweaked input, so the last tweaked input remains fresh with probability at least \(1-(L^\prime -p)/2^n\), and then the tag is completely random. So, if all inputs are fresh, the forging probability is \(2^{-n}\). If some output from the \((p+1)\)-st block to the \(L^\prime\)-th block happens to create a collision (that is, an input is no longer fresh), the adversary \({\mathcal {A}}\) maximizes its probability by guessing \(T^\prime = T_\alpha\). Therefore, in this case, the forging probability is \((L^\prime -p)/2^n\). Altogether, the forging probability is \((L^\prime -p)/2^n + 1/2^n\). When \(p=0\), the first tweaked input is fresh, and hence the forging probability is \((L^\prime +1)/2^n\). Thus, the case p=0 achieves the maximum forging probability \((L^\prime +1)/2^n\) for a single attempt.
Finally, we consider an adversary that attempts \(q_f>1\) forgeries. The probability of success is at most \(q_f\) times the bound for a single forging attempt. Hence, it is at most \(q_{f}(L_{max}+1)/2^n\), which concludes the proof. \(\square\)
The processing of AD
The original scheme, as well as our modified scheme described above, does not consider the treatment of associated data (AD), so we refer to the generalized treatment of AD by Rogaway (Rogaway 2002). A more specific scheme is to process the AD with the HASH function of (Krovetz and Rogaway 2021) and XOR the result into T to obtain the final tag, that is, \(T=T \oplus Hash_K(AD)\), as illustrated in Fig. 11. We omit the analysis; please refer to (Rogaway 2002) or (Krovetz and Rogaway 2021).
Fixing IAR-CFB and forgery attack
However, if IAR-CFB is changed in the same way as IAR-CTR, it is still not secure, and we give a simple explanation as follows. As can be seen in Fig. 12, the tag in the fixed IAR-CFB mode is generated as
which is independent of the ciphertext. So the adversary \({\mathcal {A}}\) simply forges an arbitrary \((N^\prime ,C^\prime ,T^\prime )\) with \(|C^\prime |=|C|\), \(N^\prime =N\) and \(T^\prime =T\), and the forgery succeeds.
Although the above modification of the IAR-CFB scheme does not work, there are many one-pass AE schemes constructed from the idea of cipher feedback mode, such as iCOFB (Chakraborti et al 2020) and PFB (Naito and Sugawara 2020b). These two schemes use a tweakable block cipher to get independent random permutations, but also use a feedback function to further process the ciphertext before returning it. Therefore, we do not consider a further modification of the IAR-CFB scheme.
Conclusion
We analyze the one-pass AE schemes IAR-CTR and IAR-CFB. Despite the security proofs given by the authors, we present practical forgery attacks against both schemes. Subsequently, we use a tweakable block cipher to repair IAR-CTR and obtain TIAR-CTR, which is a secure one-pass AE scheme. However, the same method is not appropriate for fixing IAR-CFB.
Availability of data and materials
The datasets supporting the conclusions of this article are included within the article.
References
Andreeva E, Barwell G, Bhaumik R et al (2017) Turning online ciphers off. IACR Trans Symmetric Cryptol 2:105–142. https://doi.org/10.13154/TOSC.V2017.I2.105-142
Banik S, Chakraborti A, Iwata T, et al (2020) GIFT-COFB. IACR Cryptol ePrint Arch p 738. https://eprint.iacr.org/2020/738
Bellare M, Namprempre C (2000) Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto T (ed) Advances in Cryptology - ASIACRYPT 2000, 6th international conference on the theory and application of cryptology and information security, Kyoto, Japan, December 3-7, 2000, proceedings, lecture notes in Computer Science, vol 1976. Springer, pp 531–545, https://doi.org/10.1007/3-540-44448-3_41
Bellare M, Rogaway P, Wagner DA (2004) The EAX mode of operation. In: Roy BK, Meier W (eds) Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5–7, 2004, Revised Papers. Lecture Notes in Computer Science. Springer, Berlin
Chakraborti A, Iwata T, Minematsu K et al (2020) Blockcipher-based authenticated encryption: how small can we go? J Cryptol 33(3):703–741. https://doi.org/10.1007/s00145-019-09325-z
Dobraunig C, Eichlseder M, Mendel F et al (2021) Ascon v1.2: lightweight authenticated encryption and hashing. J Cryptol. 34(3):33. https://doi.org/10.1007/s00145-021-09398-9
Gligor VD, Donescu P (2001) Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Matsui M (ed) Fast Software Encryption, 8th International Workshop, FSE 2001, Yokohama, Japan, Revised Papers, Lecture Notes in Computer Science, vol 2355. Springer, pp 92–108
Gope P (2015) Integrity-aware parallelizable cipher feedback mode for real-time cryptography. IACR Cryptol ePrint Arch p 897. http://eprint.iacr.org/2015/897
Hwang T, Gope P (2015) IAR-CTR and IAR-CFB: integrity aware real-time based counter and cipher feedback modes. Secur Commun Networks 8(18):3939–3952. https://doi.org/10.1002/sec.1312
Hwang T, Gope P (2016) PFC-CTR, PFC-OCB: efficient stream cipher modes of authencryption. Cryptologia 40(3):285–302. https://doi.org/10.1080/01611194.2015.1055386
Inoue A, Iwata T, Minematsu K et al (2020) Cryptanalysis of OCB2: attacks on authenticity and confidentiality. J Cryptol 33(4):1871–1913. https://doi.org/10.1007/s00145-020-09359-8
Jutla CS (2001) Encryption modes with almost free message integrity. In: Pfitzmann B (ed) Advances in Cryptology - EUROCRYPT 2001, international conference on the theory and application of cryptographic techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, Lecture Notes in Computer Science, vol 2045. Springer, pp 529–544, https://doi.org/10.1007/3-540-44987-6_32
Kohno T, Viega J, Whiting D (2004) CWC: a high-performance conventional authenticated encryption mode. In: Roy BK, Meier W (eds) Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5–7, 2004, Revised Papers. Lecture Notes in Computer Science. Springer, Berlin
Krovetz T, Rogaway P (2021) The design and evolution of OCB. J Cryptol 34(4):36. https://doi.org/10.1007/s00145-021-09399-8
Liskov MD, Rivest RL, Wagner DA (2002) Tweakable block ciphers. In: Yung M (ed) Advances in cryptology - CRYPTO 2002, 22nd Annual international cryptology conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings, Lecture Notes in Computer Science, vol 2442. Springer, pp 31–46, https://doi.org/10.1007/3-540-45708-9_3
Lucks S (2005) Two-pass authenticated encryption faster than generic composition. In: Gilbert H, Handschuh H (eds) Fast Software Encryption, 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Revised Selected Papers, Lecture Notes in Computer Science, vol 3557. Springer, Berlin, pp 284–298, https://doi.org/10.1007/11502760_19
McGrew DA, Viega J (2004) The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut A, Viswanathan K (eds) Progress in Cryptology - INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20-22, 2004, Proceedings, Lecture Notes in Computer Science. Springer, Berlin
Naito Y, Sugawara T (2020a) Lightweight authenticated encryption mode of operation for tweakable block ciphers. IACR Trans Cryptogr Hardw Embed Syst 1:66–94. https://doi.org/10.13154/tches.v2020.i1.66-94
Naito Y, Sugawara T (2020b) Lightweight authenticated encryption mode of operation for tweakable block ciphers. IACR Trans Cryptogr Hardw Embed Syst 1:66–94. https://doi.org/10.13154/TCHES.V2020.I1.66-94
Namprempre C, Rogaway P, Shrimpton T (2014) Reconsidering generic composition. In: Nguyen PQ, Oswald E (eds) Advances in Cryptology - EUROCRYPT 2014 -33rd annual international conference on the theory and applications of cryptographic techniques, Copenhagen, Denmark, Proceedings, Lecture Notes in Computer Science, vol 8441. Springer, May 11-15, 2014. pp 257–274, https://doi.org/10.1007/978-3-642-55220-5_15
Rogaway P (2002) Authenticated-encryption with associated-data. In: Atluri V (ed) proceedings of the 9th ACM conference on computer and communications security, CCS 2002, Washington, DC, USA, November 18-22, 2002. ACM, pp 98–107, https://doi.org/10.1145/586110.586125
Rogaway P (2004) Nonce-based symmetric encryption. In: Roy BK, Meier W (eds) Fast Software Encryption, 11th International Workshop, FSE 2004, Revised Papers, Lecture Notes in Computer Science. Springer, Berlin
Rogaway P, Bellare M, Black J (2003) OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans Inf Syst Secur 6(3):365–403. https://doi.org/10.1145/937527.937529
Whiting D, Housley R, Ferguson N (2003) Counter with CBC-MAC (CCM). RFC 3610: 1–26. https://doi.org/10.17487/RFC3610
Funding
The work of this paper was supported by the National Key Research and Development Program of China (Grant No. 2023YFB3105802), the National Natural Science Foundation of China (Grant No. 62272454).
Cite this article
Zhu, X., Liu, F., Jia, Y. et al. Cryptanalysis of IAR-CTR and IAR-CFB and a fixing method. Cybersecurity 8, 3 (2025). https://doi.org/10.1186/s42400-024-00312-x