We present two practical attacks on the CAESAR candidate PAES. The rst attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving di erential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain di erence. We show that to produce t...

In 2009, Lin et al. proposed a digital multi-signature scheme based on the concepts of generalized conic curves over Zn. They claimed that the multi-signature scheme is well secured and the forgery attack is infeasible on it. Unfortunately, three weaknesses on their proposed multi-signature have been observed and it has been shown that an attacker can compute the secret pairs of all signers usi...

Recently, based on RSA and discrete logarithm with composite modulus, Huang and Chang proposed two multisignature schemes with distinguished signing authority and claimed that their scheme can resist forgery attack. Unfortunately, in this works, we show that their schemes have forgery attack by security analysis of Huang-Chang multi-signature schemes. Given a multisignature of certain a documen...

We show how to produce a forged (ciphertext,tag) pair for the scheme ALE with data and time complexity of 2 ALE encryptions of short messages and the same number of authentication attempts. We use a differential attack based on a local collision, which exploits the availability of extracted state bytes to the adversary. Our approach allows for a time-data complexity tradeoff, with an extreme ca...

The security of two message authentication code (MAC) algorithms is considered: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731–2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using 2 known text-MAC pairs...

In 1999, Yang and shieh proposed two password authentication schemes using smart cards. But in 2003, Sun and Yeh indicated that their schemes are subject to the forgery attack. So in 2005, Yang and Wang proposed an improvement of Yang and Shieh’s schemes to resist against Sun and Yeh’s attack. However in this paper, we will point out that Yang and Wang’s schemes still suffer from the forgery at...

LAC is one of the candidates to the CAESAR competition. In this paper we present a differential forgery attack on LAC. We study the collection of characteristics following a fixed truncated characteristic, in order to obtain a lower bound on the probability of a differential. We show that some differentials have a probability higher than 2−64, which allows a forgery attack on the full LAC. This...

EMV signature is one of specifications for authenticating credit and debit card data, which is based on ISO/IEC 9796-2 signature scheme. At CRYPTO 2009, Coron, Naccache, Tibouchi, and Weinmann proposed a new forgery attack against the signature ISO/IEC 9796-2 (CNTW attack) [2]. They also briefly discussed the possibility when the attack is applied to the EMV signatures. They showed that the for...

An universal forgery attack means that for any given message M , an adversary without the key can forge the corresponding Message Authentication Code (MAC) tag τ , and the pair (M, τ) can be verified with probability 1. For a idea MAC, the universal forgery attack should be infeasible to be implemented, whose complexity is believed to be min(2, 2) queries in the classic setting, where n is the ...

In this paper, we analyze two proxy signatures scheme [1], [2] proposed by Lal and Awasthi and found that both the schemes suffer with the security flaws. The scheme [1] suffers with proxy signer’s forgery attacks and misuse of original signer’s delegated information. The other scheme [2] suffers with original signer’s forgery attack, proxy signer’s undeniability and misuse of delegated informa...