Message Extension Attack against Authenticated Encryptions: Application to PANDA

We present a new cryptanalysis approach to analyze the security of a class of authenticated encryption schemes, which shares similarity with the previous length extension attack against hash-function-based MACs. Hence we name our approach the message extension attack. An authenticated encryption from the target class consists of three phases: initialization with nonce and key as input, a state update function with associated data and message as input, and tag generation with the updated state as input. We show how to mount a forgery attack in the nonce-repeating model under the chosen-plaintext scenario when both the state update function and tag generation are built on the same function. To demonstrate the effectiveness of our message extension attack approach, we apply it to a dedicated authenticated encryption called PANDA, which is a candidate of the ongoing CAESAR cryptographic competition. We successfully found an existential forgery attack on PANDA with 25 chosen plaintexts, 2^64 computations, and negligible memory, which breaks the claimed 128-bit security for the nonce-repeating model. We note that this is the first result that breaks the security claim of PANDA, which led its designer to withdraw it from the CAESAR competition.

Bibliographic Details
Main Authors: Sasaki, Yu; Wang, Lei
Other Authors: Lee Kong Chian School of Medicine (LKCMedicine)
Format: Article
Language: English
Published: 2016
Subjects: Message extension attack; Internal state recovery; CAESAR; PANDA; Existential forgery; Nonce misuse
Online Access: https://hdl.handle.net/10356/82092
http://hdl.handle.net/10220/39785
Institution: Nanyang Technological University
Funding: NRF (Natl Research Foundation, S’pore)
Version: Published version
Citation: Sasaki, Y., & Wang, L. (2016). Message Extension Attack against Authenticated Encryptions: Application to PANDA. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E99.A(1), 49-57.
ISSN: 0916-8508
DOI: 10.1587/transfun.E99.A.49
Extent: 9 p.
Rights: © 2016 Institute of Electronics, Information and Communication Engineers. This paper was published in IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences and is made available as an electronic reprint (preprint) with permission of the Institute of Electronics, Information and Communication Engineers. The published version is available at http://dx.doi.org/10.1587/transfun.E99.A.49. One print or electronic copy may be made for personal use only. Systematic or multiple reproduction, distribution to multiple locations via electronic or other means, duplication of any material in this paper for a fee or for commercial purposes, or modification of the content of the paper is prohibited and is subject to penalties under law.