Paper 2014/218

A Practical Universal Forgery Attack against PAES-8

Yu Sasaki and Lei Wang

Abstract

PAES is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PAES-8, which is one of the designs of the PAES-family, provides 128-bit security in the nonce misuse model. In this note, we show our forgery attack against PAES-8. Our attack works in the nonce misuse model. The attack exploits the slow propagation of message differences. The attack is very close to the universal forgery attack. As long as the target message is not too short, e.g. more than 10 blocks (160 bytes), a tag is forged only with $2^{11}$ encryption oracle calls, $2^{11}$ computational cost, and negligible memory.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
PAES, Universal Forgery Attack, Nonce Misuse
Contact author(s)
sasaki yu @ lab ntt co jp
History
2014-03-24: received
Short URL
https://ia.cr/2014/218
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/218,
      author = {Yu Sasaki and Lei Wang},
      title = {A Practical Universal Forgery Attack against PAES-8},
      howpublished = {Cryptology ePrint Archive, Paper 2014/218},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/218}},
      url = {https://eprint.iacr.org/2014/218}
}