2014 | OriginalPaper | Chapter
Message Extension Attack against Authenticated Encryptions: Application to PANDA
Authors: Yu Sasaki, Lei Wang
Published in: Cryptology and Network Security
Publisher: Springer International Publishing
In this paper, a new cryptanalysis approach for a class of authenticated encryption schemes is presented, inspired by the previous length extension attack against hash-function-based MACs. The approach is called the message extension attack. The target class consists of schemes that initialize the internal state with a nonce and key, update the state with the associated data and the message, extract key stream from the state, and finally generate a tag from the updated state. A forgery attack can be mounted in the nonce-repeating model in the chosen-plaintext scenario when the function used to update the internal state is shared between processing the message and generating the tag. The message extension attack is then applied to PANDA, a dedicated authenticated encryption design submitted to CAESAR. An existential forgery attack is mounted with 2^5 chosen plaintexts, 2^64 computations, and negligible memory, which breaks the claimed 128-bit security in the nonce-repeating model. This is the first result that breaks the security claim of PANDA.
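The structural condition in the abstract (one state-update function shared between absorbing message blocks and producing the tag, exploited under a repeated nonce with chosen plaintexts) can be shown on a small toy scheme. The following is an added example written for this page; it is not PANDA, not the paper's attack on PANDA, and not code from the authors. The scheme, its block and state sizes, the SHA-256-based update function, the domain bytes, the sample key, nonce, associated data and message are all constructed here for illustration. The weak variant computes the tag by feeding an all-zero block through the same update call used for message blocks, so one chosen-plaintext query on the message extended by two zero blocks returns, as key stream, the tag of the unextended message. The domain-separated variant beside it uses a distinct domain byte for the tag step and the same forgery is rejected.

```python
import hashlib
import hmac

# Toy parameters (assumptions for this illustration, not PANDA's).
BLOCK = 8            # rate: bytes of key stream extracted / message absorbed per step
STATE = 16           # internal state size in bytes
ZERO_BLOCK = bytes(BLOCK)
DOM_AD, DOM_MSG, DOM_TAG = 0x01, 0x02, 0x03   # domain bytes fed to the update function


def update(state, block, domain):
    """Toy state-update function F(state, block, domain).

    Modelled as a random function via SHA-256; a real scheme would use a
    permutation or block cipher, but the attack only needs F to be shared
    between message processing and tag generation, not to be invertible.
    """
    return hashlib.sha256(bytes([domain]) + state + block).digest()[:STATE]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("toy scheme: inputs must be whole blocks (no padding modelled)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _absorb_header(key, nonce, ad):
    state = hashlib.sha256(b"init" + key + nonce).digest()[:STATE]  # init from key and nonce
    for a in blocks(ad):
        state = update(state, a, DOM_AD)                            # absorb associated data
    return state


def encrypt(key, nonce, ad, msg, separate_tag):
    state = _absorb_header(key, nonce, ad)
    ct = b""
    for m in blocks(msg):
        ct += xor(m, state[:BLOCK])          # key stream = rate part of the current state
        state = update(state, m, DOM_MSG)    # then absorb the plaintext block
    # Tag: one final update, then extract the rate part. In the weak variant this
    # call is identical to absorbing one more all-zero message block, which is the
    # sharing condition the abstract describes.
    state = update(state, ZERO_BLOCK, DOM_TAG if separate_tag else DOM_MSG)
    return ct, state[:BLOCK]


def decrypt(key, nonce, ad, ct, tag, separate_tag):
    """Returns the plaintext, or None if the tag does not verify."""
    state = _absorb_header(key, nonce, ad)
    msg = b""
    for c in blocks(ct):
        m = xor(c, state[:BLOCK])
        msg += m
        state = update(state, m, DOM_MSG)
    state = update(state, ZERO_BLOCK, DOM_TAG if separate_tag else DOM_MSG)
    if not hmac.compare_digest(state[:BLOCK], tag):
        return None
    return msg


def forge(key, nonce, ad, msg, separate_tag):
    """Message extension: one chosen-plaintext query under a repeated nonce.

    `encrypt` stands in for the encryption oracle; the attacker never reads the
    key. Appending two zero blocks makes the oracle emit, as key stream for the
    second appended block, rate(F(S_n, 0, DOM_MSG)), which in the weak variant is
    exactly the tag of the original n-block message. The returned (ct, tag) pair
    authenticates a message the oracle was never asked to authenticate.
    """
    n = len(msg)
    ct_ext, _tag_ext = encrypt(key, nonce, ad, msg + ZERO_BLOCK + ZERO_BLOCK, separate_tag)
    forged_ct = ct_ext[:n]                           # key stream for the first n bytes is unchanged
    forged_tag = ct_ext[n + BLOCK:n + 2 * BLOCK]     # second appended block: 0 XOR key stream
    return forged_ct, forged_tag


def attack_succeeds(separate_tag):
    """True if the forged pair passes the toy scheme's verification."""
    key, nonce = b"k" * 16, b"n" * 8                 # constructed sample values
    ad, msg = b"hdr-0001", b"attack at dawn!!"       # 1 AD block, 2 message blocks
    ct, tag = forge(key, nonce, ad, msg, separate_tag)
    return decrypt(key, nonce, ad, ct, tag, separate_tag) == msg


if __name__ == "__main__":
    print("shared update function, forgery accepted:", attack_succeeds(False))
    print("domain-separated tag, forgery accepted:  ", attack_succeeds(True))
```

The toy attack costs one query and no computation, because the toy tag is the full rate part; the abstract's 2^64 work factor for PANDA indicates that the real scheme does not hand over the needed state so directly, and nothing here should be read as the paper's procedure. The point that carries over is the fix: the final tag-producing call must be domain-separated from the message-absorbing call, so that no choice of appended message blocks makes the oracle compute it as key stream.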