We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-box leaked throught the ciphertext that arise when the plaintext has a certain difference. We show that to prod...

In this paper, we describe efficient forgery and full-key recovery attacks on the `-IC− signature scheme recently proposed at PKC 2007. This cryptosystem is a multivariate scheme based on a new internal quadratic primitive which avoids some drawbacks of previous multivariate schemes: the scheme is extremely fast since it requires one exponentiation in a finite field of medium size and the publi...

In this paper, we provide a security analysis of the FullState Keyed Sponge (FKS), Full-State Keyed Duplex (FKD) and Keyak, one of the third-round CAESAR candidates, in the classic setting and the quantum model, respectively. In the classic setting, we present an universal forgery attack that can be implemented in O(2) queries, where c is the capacity. In the quantum model, by utilizing the Sim...

In this paper, we describe efficient forgery and full-key recovery attacks on the `-IC− signature scheme recently proposed at PKC 2007. This cryptosystem is a multivariate scheme based on a new internal quadratic primitive which avoids some drawbacks of previous multivariate schemes: the scheme is extremely fast since it requires one exponentiation in a finite field of medium size and the publi...

A proxy signature scheme enables a proxy signer to sign messages on behalf of the original signer. In this paper, we demonstrate that a number of discrete logarithm based proxy signature schemes are vulnerable to an original signer’s forgery attack. In this attack, a malicious original signer can impersonate a proxy signer and produce a forged proxy signature on a message. A third party will in...

In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under a...

In 2003, Wang et al.[1] proposed a (t, n) threshold signature scheme without a trusted party based on the discrete logarithm problem. In this paper, according to [5]’s attacking method, we show that there are still some security leaks in that scheme, and give some methods of forgery attack. Moreover, we point out this scheme is vulnerable to universal forgery by an insider attacker under reason...

This paper presents a model for generating a MAC tag with a stream cipher using the input message indirectly. Several recent proposals represent instances of this model with slightly different options. We investigate the security of this model for different options, and identify cases which permit forgery attacks. Based on this, we present a new forgery attack on version 1.4 of 128-EIA3. Design...

iFeed is a blockcipher-based authenticated encryption design by Zhang, et al. [81] and a candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the noncereuse setting. In this thesis, we consider the security of iFeed in three settings. In the noncerespecting setting we show a forgery and subkey r...

Recently Manik et al. [13] proposed a novel remote user authentication scheme using bilinear pairings. Chou et al. [14] identified a weakness in Manik et al.’s scheme and made an improvement. In this paper, we show that both Manik et al.’s and Chou et al.’s schemes are insecure against forgery attack and replay attack.