A Forgery Attack against PANDA-s
Authors
Abstract
PANDA is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PANDA-s, which is one of the designs of the PANDA-family, provides 128-bit security in the nonce misuse model. In this note, we describe our forgery attack against PANDA-s. Our attack works in the nonce misuse model. It exploits the fact that the message processing function and the finalization function are identical, and thus a variant of the length-extension attack can be applied. We can find a tag for a pre-specified formatted message with 2 encryption oracle calls, 2 computational cost, and negligible memory.
Similar resources
A forgery and state recovery attack on the authenticated cipher PANDA-s
PANDA is a family of authenticated ciphers submitted to CAESAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs about 132 pairs of known plaintext/ciphertext. Based on the above attack, we further deduce a forgery attack against PANDA-s. Our result...
A practical forgery and state recovery attack on the authenticated cipher PANDA-s
PANDA is a family of authenticated ciphers submitted to CAESAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about 2 under the known-plaintext-attack model, which needs 137 pairs of known plaintext/ciphertext and about 2GB memories. Our attack is practical in a small workstation. Based on the above attac...
Cryptanalysis of some first round CAESAR candidates
AES_CMCCv1, AVALANCHEv1, CLOCv1, and SILCv1 are four candidates of the first round of CAESAR. CLOCv1 is presented in FSE 2014 and SILCv1 is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against AES_CMCCv1 with the complexity of two queries and the success ...
A Universal Forgery of Hess's Second ID-based Signature against the Known-message Attack
In this paper we propose a universal forgery attack of Hess's second ID-based signature scheme against the known-message attack.
A Practical Universal Forgery Attack against PAES-8
PAES is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PAES-8, which is one of the designs of the PAES-family, provides 128-bit security in the nonce misuse model. In this note, we show our forgery attack against PAES-8. Our attack works in the nonce misuse model. The attack exploits the slow propagation of message dif...
Journal title:
- IACR Cryptology ePrint Archive
Volume: 2014, Issue:
Pages: -
Publication date: 2014