Paper 2019/907
Practical Forgery Attacks on Limdolen and HERN
Raghvendra Rohit and Guang Gong
Abstract
In this paper, we investigate the security of Limdolen and HERN which are Round 1 submissions of the ongoing NIST Lightweight Cryptography Standardization Project. We show that some non-conservative design choices made by the designers solely to achieve a lightweight design lead to practical forgery attacks. In particular, we create associated data-only, ciphertext-only and associated data and ciphertext forgeries which require a feasible number of forging attempts.
Limdolen employs a tweaked PMAC based construction to offer authenticated encryption functionality. It has two variants, Limdolen-128 and Limdolen-256 with key sizes 128 and 256 bits, respectively. The designers claim 128(256)-bit integrity security for Limdolen-128(256). Our main observation is that it uses a sequence of period 2 consisting of only two distinct secret masks. This structural flaw leads to a successful forgery (all three types) with probability 1 after observing the output of a single encryption query. HERN, on the other hand, is a 128-bit authenticated encryption scheme whose high level design is inspired from the CAESAR finalist Acorn. We show a message modification strategy by appending/removing a sequence of consecutive ‘0’ bits. Accordingly, we can construct associated data-only, ciphertext-only and associated data and ciphertext forgery with the success rate of
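The period-2 mask observation on Limdolen is easiest to see on a toy PMAC-style MAC. The following is an added, self-contained illustration (not the paper's code and not Limdolen itself): a keyed PRF built from HMAC-SHA256 stands in for the block cipher, each message block is masked with a secret offset and then processed, the results are XORed into an accumulator, and the tag is a final PRF call. When the offset sequence has period 2, blocks at positions 0 and 2 see the same mask, so exchanging them leaves the tag unchanged; when every position gets its own offset, the same exchange changes the tag. The key and message blocks below are constructed sample values.

```python
import hmac
import hashlib

BLOCK = 16  # block size in bytes of the toy construction


def prf(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for a block cipher / keyed PRF (HMAC-SHA256 truncated to one block)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def masks_period2(key: bytes, n: int) -> list:
    """Offset sequence of period 2: only two distinct secret masks, alternating (the flawed choice)."""
    d0, d1 = prf(key, b"mask-0"), prf(key, b"mask-1")
    return [d0 if i % 2 == 0 else d1 for i in range(n)]


def masks_distinct(key: bytes, n: int) -> list:
    """Offset sequence with a fresh secret mask per block position (the conservative choice)."""
    return [prf(key, b"mask-" + i.to_bytes(4, "big")) for i in range(n)]


def mac(key: bytes, blocks: list, mask_fn) -> bytes:
    """PMAC-like tag: XOR of PRF(block XOR offset_i) over all blocks, then a finalising PRF call."""
    masks = mask_fn(key, len(blocks))
    acc = bytes(BLOCK)
    for m, d in zip(blocks, masks):
        acc = xor(acc, prf(key, xor(m, d)))
    return prf(key, b"final" + acc)


def swap_blocks(blocks: list, i: int, j: int) -> list:
    out = list(blocks)
    out[i], out[j] = out[j], out[i]
    return out


def tag_survives_swap(key: bytes, blocks: list, mask_fn, i: int = 0, j: int = 2) -> bool:
    """True if exchanging blocks i and j yields a different message that still verifies under the original tag.

    For a sound MAC this must be False for every i != j with distinct block values.
    """
    if blocks[i] == blocks[j]:
        raise ValueError("blocks must differ for the swap to produce a new message")
    return mac(key, blocks, mask_fn) == mac(key, swap_blocks(blocks, i, j), mask_fn)


# Constructed sample key and 4-block message (not values from the paper).
SAMPLE_KEY = bytes(range(16))
SAMPLE_BLOCKS = [b"block-%02d-padded" % k for k in range(4)]

if __name__ == "__main__":
    print("period-2 masks, tag unchanged after swapping blocks 0 and 2:",
          tag_survives_swap(SAMPLE_KEY, SAMPLE_BLOCKS, masks_period2))
    print("distinct masks,  tag unchanged after swapping blocks 0 and 2:",
          tag_survives_swap(SAMPLE_KEY, SAMPLE_BLOCKS, masks_distinct))
```

The check is what a reviewer of a PMAC-style design should run mentally: the block offsets must be pairwise distinct across every position the message can occupy, otherwise blocks sharing an offset are interchangeable and integrity collapses with probability 1, exactly the behaviour the abstract reports for Limdolen.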
Metadata
- Available format(s): PDF
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- AEAD, Limdolen, HERN, Forgery
- Contact author(s)
- rsrohit @ uwaterloo ca
- History
- 2019-08-08: received
- Short URL
- https://ia.cr/2019/907
- License: CC BY
BibTeX
@misc{cryptoeprint:2019/907,
  author       = {Raghvendra Rohit and Guang Gong},
  title        = {Practical Forgery Attacks on Limdolen and {HERN}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2019/907},
  year         = {2019},
  url          = {https://eprint.iacr.org/2019/907}
}