A Practical Universal Forgery Attack against PAES-8
نویسندگان
چکیده
PAES is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PAES-8, which is one of the designs of the PAES-family, provides 128-bit security in the nonce misuse model. In this note, we show our forgery attack against PAES-8. Our attack works in the nonce misuse model. The attack exploits the slow propagation of message differences. The attack is very close to the universal forgery attack. As long as the target message is not too short, e.g. more than 10 blocks (160 bytes), a tag is forged only with 2 encryption oracle calls, 2 computational cost, and negligible memory.
منابع مشابه
Practical Forgeries and Distinguishers against PAES
We present two practical attacks on the CAESAR candidate PAES. The rst attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving di erential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain di erence. We show that to produce t...
متن کاملPractical Cryptanalysis of PAES
We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-box leaked throught the ciphertext that arise when the plaintext has a certain difference. We show that to prod...
متن کاملA Universal Forgery of Hess's Second ID-based Signature against the Known-message Attack
In this paper we propose a universal forgery attack of Hess’s second IDbased signature scheme against the known-message attack.
متن کاملOn the Security of the COPA and Marble Authenticated Encryption Algorithms against (Almost) Universal Forgery Attack
COPA is a block-cipher-based authenticated encryption mode with a provable birthday-bound security under the assumption that the underlying block cipher is a strong pseudorandom permutation, and its instantiation with the AES block cipher is called AES-COPA. Marble is an AES-based COPA-like authenticated encryption algorithm with a full security. In this paper, we analyse the security of COPA a...
متن کاملA practical forgery and state recovery attack on the authenticated cipher PANDA-s
PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs 137 pairs of known plaintext/ciphertext and about 2GB memories. Our attack is practical in a small workstation. Based on the above attac...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2014 شماره
صفحات -
تاریخ انتشار 2014