Our attack works in the nonce misuse model. It exploits the fact that the message processing function and the finalization function are identical, and thus a variant of the length-extension attack can be applied. We can find a tag for a pre-specified formatted message with 2 encryption oracle calls, $2^{64}$ computational cost, and negligible memory.
Category / Keywords: secret-key cryptography / PANDA, Forgery Attack, Nonce Misuse
Date: received 24 Mar 2014
Contact author: sasaki yu at lab ntt co jp
Version: 20140324:154422
Short URL: ia.cr/2014/217
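The structural weakness named in the abstract (finalization identical to message processing) can be seen on a toy MAC. This is an added example, not code from the paper and not PANDA: the round function, `FINAL_BLOCK`, the 16-byte state and all names are assumptions. The toy releases the full state as the tag, so it does not model the $2^{64}$ work or the two oracle calls the abstract cites. It is shown beside a variant with a domain-separated finalization.

```python
import hashlib
import hmac

BLOCK = 16
FINAL_BLOCK = b"\x00" * BLOCK  # assumed: the block the toy finalization absorbs

def absorb(state: bytes, block: bytes) -> bytes:
    """Toy round function (truncated SHA-256), stand-in for the shared step."""
    return hashlib.sha256(state + block).digest()[:BLOCK]

def blocks(msg: bytes):
    if len(msg) % BLOCK:
        raise ValueError("toy MAC takes whole blocks only")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def process(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    state = hashlib.sha256(b"init" + key + nonce).digest()[:BLOCK]
    for b in blocks(msg):
        state = absorb(state, b)
    return state

def tag_weak(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # Finalization is just one more call to the message-processing function.
    return absorb(process(key, nonce, msg), FINAL_BLOCK)

def tag_separated(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # Finalization uses a different function, so a tag is not a reachable state.
    return hashlib.sha256(b"final" + process(key, nonce, msg)).digest()[:BLOCK]

def extend(known_tag: bytes, suffix: bytes) -> bytes:
    """Keyless: treat a tag for M as the state after M || FINAL_BLOCK."""
    state = known_tag
    for b in blocks(suffix):
        state = absorb(state, b)
    return absorb(state, FINAL_BLOCK)

def demo():
    key, nonce = b"k" * 16, b"n" * 16        # constructed; same nonce reused
    m, suffix = b"A" * 16, b"B" * 16         # constructed sample blocks
    target = m + FINAL_BLOCK + suffix        # message the forged tag is for
    weak_ok = hmac.compare_digest(
        extend(tag_weak(key, nonce, m), suffix), tag_weak(key, nonce, target))
    sep_ok = hmac.compare_digest(
        extend(tag_separated(key, nonce, m), suffix),
        tag_separated(key, nonce, target))
    return weak_ok, sep_ok

if __name__ == "__main__":
    print(demo())
```

The extension verifies only against `tag_weak`, and only under the reused nonce; with a distinct finalization the released tag no longer coincides with an internal state.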