Paper 2014/217

A Forgery Attack against PANDA-s

Yu Sasaki and Lei Wang

Abstract

PANDA is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PANDA-s, which is one of the designs of the PANDA family, provides 128-bit security in the nonce misuse model. In this note, we describe our forgery attack against PANDA-s. Our attack works in the nonce misuse model. It exploits the fact that the message processing function and the finalization function are identical, and thus a variant of the length-extension attack can be applied. We can find a tag for a pre-specified formatted message with 2 encryption oracle calls, $2^{64}$ computational cost, and negligible memory.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
PANDA, Forgery Attack, Nonce Misuse
Contact author(s)
sasaki yu @ lab ntt co jp
History
2014-03-24: received
Short URL
https://ia.cr/2014/217
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/217,
      author = {Yu Sasaki and Lei Wang},
      title = {A Forgery Attack against PANDA-s},
      howpublished = {Cryptology ePrint Archive, Paper 2014/217},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/217}},
      url = {https://eprint.iacr.org/2014/217}
}