Birthday Forgery Attack on 128 - EIA 3 (
نویسنده
چکیده
128-EIA3 is an integrity algorithm considered for adoption as a third integrity algorithm by European Telecommunication Standard Institute (ETSI) for 4th generation of GSM networks.128-EIA3 is vulnerable to birthday forgery attack. Birthday forgery attack requires minimum 2 known message-MAC pairs for finding collision in 128-EIA3. 128-EIA3 is susceptible to internal collision of its universal hash function and external collision of its Xoring transformation. Birthday forgery attack on 128-EIA3 allows message forgery with success probability greater than 1/2.
منابع مشابه
On the Security of the COPA and Marble Authenticated Encryption Algorithms against (Almost) Universal Forgery Attack
COPA is a block-cipher-based authenticated encryption mode with a provable birthday-bound security under the assumption that the underlying block cipher is a strong pseudorandom permutation, and its instantiation with the AES block cipher is called AES-COPA. Marble is an AES-based COPA-like authenticated encryption algorithm with a full security. In this paper, we analyse the security of COPA a...
متن کاملUniversal Forgery with Birthday Paradox: Application to Blockcipher-based Message Authentication Codes and Authenticated Encryptions
An universal forgery attack means that for any given message M , an adversary without the key can forge the corresponding Message Authentication Code (MAC) tag τ , and the pair (M, τ) can be verified with probability 1. For a idea MAC, the universal forgery attack should be infeasible to be implemented, whose complexity is believed to be min(2, 2) queries in the classic setting, where n is the ...
متن کاملNew Generic Attacks against Hash-Based MACs
In this paper we study the security of hash-based MAC algorithms (such as HMAC and NMAC) above the birthday bound. Up to the birthday bound, HMAC and NMAC are proven to be secure under reasonable assumptions on the hash function. On the other hand, if an n-bit MAC is built from a hash function with a l-bit state (l ≥ n), there is a well-known existential forgery attack with complexity 2. Howeve...
متن کاملA Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3
In this note we show that the message authentication code 128-EIA3 considered for adoption as a third integrity algorithm in the emerging mobile standard LTE is vulnerable to a simple existential forgery attack. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key...
متن کاملCollision Attacks Against CAESAR Candidates - Forgery and Key-Recovery Against AEZ and Marble
In this paper we study authenticated encryption algorithms inspired by the OCB mode (Offset Codebook). These algorithms use secret offsets (masks derived from a whitening key) to turn a block cipher into a tweakable block cipher, following the XE or XEX construction. OCB has a security proof up to 2 queries, and a matching forgery attack was described by Ferguson, where the main step of the att...
متن کامل