Message Extension Attack against Authenticated Encryptions: Application to PANDA

  • Yu Sasaki
  • Lei Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8813)

Abstract

In this paper, a new cryptanalysis approach for a class of authenticated encryption schemes is presented, inspired by the earlier length extension attack against hash-function-based MACs. The approach is called the message extension attack. The target class consists of schemes that initialize the internal state with a nonce and a key, update the state with the associated data and the message, extract the key stream from the state, and finally generate a tag from the updated state. A forgery attack can be mounted in the nonce-repeating model in the chosen-plaintext scenario when the function that updates the internal state is shared between processing the message and generating the tag. The message extension attack is then applied to PANDA, a dedicated authenticated encryption design submitted to CAESAR. An existential forgery attack is mounted with 25 chosen plaintexts, 2^64 computations, and negligible memory, which breaks the claimed 128-bit security in the nonce-repeating model. This is the first result that breaks the security claim of PANDA.
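The structural weakness the abstract describes can be shown on a constructed toy scheme. The following is an added example, not code from the paper and not a model of PANDA: a two-word state is initialized from key and nonce, one state word is released as key stream per block, and tag generation absorbs a public constant block through the same update function F that absorbs message blocks. All constants (the 64-bit word size, the update function, FINAL_BLOCK, FINAL_ROUNDS, the tag being the XOR of the two state words) are assumptions made for the illustration. With a repeated nonce and two chosen-plaintext queries the attacker learns the full state at the end of tag generation and can produce a valid ciphertext and tag for an extended message that was never queried.

```python
"""Toy AE with the structure in the abstract, plus a message-extension forgery.
Constructed illustration: not PANDA, not the paper's attack code; every
constant below is an assumption chosen for the example."""

W = 64
MASK = (1 << W) - 1
FINAL_BLOCK = MASK      # public constant absorbed during tag generation (assumed)
FINAL_ROUNDS = 2        # number of finalization calls of F (assumed)


def rotl(x, r):
    return ((x << r) | (x >> (W - r))) & MASK


def F(state, block):
    """The single state-update function, shared by absorption and finalization."""
    a, b = state
    t = b ^ block
    a2 = rotl(a, 13) ^ t ^ (rotl(t, 5) & rotl(t, 41))
    b2 = (a + rotl(t, 29)) & MASK
    return (a2, b2)


def init(key, nonce):
    """Derive the initial state from key and nonce (toy initialization)."""
    s = (key ^ nonce, (key + rotl(nonce, 17)) & MASK)
    for _ in range(4):
        s = F(s, key)
    return s


def absorb(state, msg):
    """Absorb message words. Key-stream word i is the first state word
    just before block i is absorbed. Returns (keystream, final state)."""
    ks = []
    for m in msg:
        ks.append(state[0])
        state = F(state, m)
    return ks, state


def finalize(state):
    """Tag generation reuses F with a public constant block."""
    for _ in range(FINAL_ROUNDS):
        state = F(state, FINAL_BLOCK)
    return state


def encrypt(key, nonce, msg):
    """Returns (ciphertext words, tag) for a list of 64-bit message words."""
    ks, s = absorb(init(key, nonce), msg)
    s = finalize(s)
    return [m ^ z for m, z in zip(msg, ks)], s[0] ^ s[1]


def verify(key, nonce, msg, ct, tag):
    return encrypt(key, nonce, msg) == (ct, tag)


# ---- attacker side: nonce-repeating, chosen-plaintext, no key -------------

def message_extension_forge(oracle, msg, suffix):
    """`oracle(m)` encrypts m under a fixed (key, nonce) unknown to the attacker.
    Returns (forged_msg, ct, tag); forged_msg is never sent to the oracle."""
    pad = [FINAL_BLOCK] * FINAL_ROUNDS
    # Query 1: tag(msg) = a_fin ^ b_fin, the XOR of the state after finalization.
    _, tag = oracle(msg)
    # Query 2: finalization is just F on a public block, so encrypting
    # msg || pad || probe walks the same state path; the key-stream word that
    # encrypts `probe` is a_fin itself.
    probe = [0]
    ct2, _ = oracle(msg + pad + probe)
    a_fin = ct2[len(msg) + len(pad)] ^ probe[0]
    b_fin = tag ^ a_fin
    # Full state known: the attacker finishes any extension offline.
    ks, s = absorb((a_fin, b_fin), suffix)
    s = finalize(s)
    forged_msg = msg + pad + suffix
    forged_ct = ct2[:len(msg) + len(pad)] + [m ^ z for m, z in zip(suffix, ks)]
    return forged_msg, forged_ct, s[0] ^ s[1]


def demo(key=0x0123456789ABCDEF, nonce=0xFEDCBA9876543210):
    """Run the forgery against an oracle that records what it was asked.
    Returns True iff the forgery verifies and was never queried."""
    calls = []

    def oracle(m):
        calls.append(list(m))
        return encrypt(key, nonce, m)

    msg = [0x11, 0x22, 0x33]           # constructed sample message
    suffix = [0xCAFE, 0xF00D]          # attacker-chosen extension
    forged_msg, ct, tag = message_extension_forge(oracle, msg, suffix)
    return verify(key, nonce, forged_msg, ct, tag) and forged_msg not in calls


if __name__ == "__main__":
    print("forgery accepted:", demo())
```

The toy releases a whole state word as key stream, so the hidden half of the finalization state falls out of one XOR with the tag; the 2^64 computations in the abstract are what the corresponding step costs against the real scheme, and nothing in this block should be read as a description of PANDA's internals. The property that makes the extension work is the one the abstract names: the same F, with a public input, is used both to absorb message blocks and to produce the tag, so an encryption query can be made to traverse the tag-generation path.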

Keywords

message extension attack, internal state recovery, existential forgery, nonce misuse, CAESAR, PANDA



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Yu Sasaki, NTT Secure Platform Laboratories, Tokyo, Japan
  • Lei Wang, Nanyang Technological University, Singapore
