Breaking the COPA and Marble Encryption Algorithms: An Analysis of Universal Forgery Attacks
Updated 2024-08-28
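This research paper examines almost universal forgery attacks on the COPA and Marble authenticated encryption algorithms. COPA is an encryption mode that has been proved to have birthday-bound security on integrity, and its AES-COPA version (v1/2) was claimed or conjectured to have full security against tag guessing attacks. The Marble algorithm (v1.0/1.1/1.2) was claimed to have full security on authenticity.

Both algorithms were submitted to the 2014 "Security, Applicability, and Robustness" (CAESAR) encryption competition. Marble went through two revisions in the first round (v1.1/1.2), and the original version of AES-COPA (v1) was tweaked in the second round (v2). The study focuses on an in-depth analysis of these algorithms in the basic case where the message length is a multiple of the block size.

The researchers present collision-based almost universal forgery attacks on the basic cases of COPA, AES-COPA (v1/2) and Marble. This type of attack exploits weaknesses that can appear when an algorithm processes particular input patterns: by constructing a specific collision (two different inputs that lead to the same output), an attacker can forge ciphertexts that appear genuine, which defeats the purpose of authentication and encryption.

Specifically, the forger may find two different original messages that, after encryption, produce the same output at a particular position, and then use this property to construct a fake message that yields the same authentication tag as a known genuine message during verification, thereby deceiving the receiver. The success rate of this attack is not 100%, but it is theoretically close to the optimal case and is sufficient to threaten the security of the algorithms in practical use.

The study therefore reveals the fragility of these authenticated encryption algorithms under specific conditions, and reminds designers and evaluators that these potential attack vectors need to be considered when selecting and evaluating such algorithms, so that the integrity and security of the system are adequately protected. For designers of encryption algorithms it is also a challenge: stronger anti-forgery strategies are needed to withstand this kind of almost universal forgery attack.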
• We present collision-based almost universal forgery attacks on the basic case of Marble (v1.0/1.2) under variable associated data (in our earlier work [17, 18]), following Fuhr et al.’s attack [10] on Marble v1.1. Each attack has a data/time/memory complexity of about $2^{65}$. However, since Fuhr et al. recently extended their attack on Marble v1.1 to Marble v1.2 in the final publication version [11] of the earlier work [10], who acknowledged our attacks by writing ‘as shown independently by ourselves and Lu’, we only focus on a different forgery way for an almost universal forgery on Marble v1.0/1.1 in this final publication version of our work.
Table 1 summarises previously published and our main (almost) universal forgery attacks on COPA and Marble. Our attacks on COPA and AES-COPA do not violate their birthday-bound security proof on integrity, but the attack on AES-COPA violates its full (i.e. 128-bit) security claim or conjecture on tag guessing. In summary, our attacks suggest that the full security claim and conjecture on tag guessing of AES-COPA and the full security claim on authenticity of Marble are incorrectly far overestimated in the sense of a general understanding of full security of these security notions. More specifically, our attacks have the following meanings:
1. Our attacks suggest that the AES-COPA designers should also claim a birthday-bound security on tag guessing, instead of a full security. Although the AES-COPA designers proved a birthday-bound security on integrity (i.e. existential forgery resistance) by referring to the integrity security proof of COPA, they did not prove its security on tag guessing (i.e. universal forgery), but they claimed a full security for it. Our attacks have a complexity similar to the complexity of the proven birthday-bound security on integrity, showing that AES-COPA (v1/2) has roughly (at most) a birthday-bound security against tag guessing in the nonce-respecting scenario, rather than a full security as the designers claimed or conjectured. (Note that AES-COPA merged recently with another second round candidate of CAESAR and the merger [5] went into the third round of CAESAR in August 2016. The merger uses a completely different nonce process and does not make any security claim or conjecture on tag guessing or universal forgery resistance.)
2. The COPA designers proved a birthday-bound security on integrity (i.e. existential forgery resistance), but did not specify its security against universal forgery. As mentioned earlier, existential and universal forgery attacks represent different threat levels and usually have different complexity levels. The security claim and conjecture of AES-COPA (v1/2) indicated that the designers might have thought that COPA had a full security against universal forgery (even under the birthday-bound data constraint), however, our attacks show that COPA has roughly (at most) a birthday-bound security against universal forgery, the same security level as for integrity. Thus, COPA users should not take it for granted that the general belief of a full security on universal forgery holds for COPA, and should not misuse COPA for such a full security in reality.
3. Our attacks show that Marble has roughly (at most) a birthday-bound security on authenticity, rather than a full security that the designer claimed. We would like to mention that as a consequence, our attacks resulted partially in the withdrawal of Marble from the CAESAR competition in January 2015, together with Fuhr et al.’s attack [10].
4. Our attacks are mainly based on the structures of COPA and Marble, and thus designers should pay attention to these attacks when designing authenticated encryption algorithms with similar structures in the future.
5. Lastly, if some security notion of a cryptographic algorithm is proved under its most fundamental form, one should be careful when claiming the security of an advanced form of the security notion without making a corresponding proof, for example, claiming universal forgery security after proving integrity only under existential forgery security, or claiming key/plaintext/state recovery security after proving confidentiality/privacy only under distinguishing attack security [27]. Strictly speaking, a corresponding proof or justification is also required for a security claim on such an advanced form.
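
An added illustration (not from the paper) of the gap between birthday-bound and full security discussed in items 1 to 3: it computes the work needed for a collision on an n-bit value versus blind guessing of an n-bit tag, and measures the collision cost on a 16-bit toy state. The truncated SHA-256 stand-in and all function names are assumptions of this example; it does not model COPA or Marble.

```python
import hashlib
import math

def collision_probability(q: int, n_bits: int) -> float:
    """Birthday approximation: chance that q uniform n-bit values contain a repeat."""
    return -math.expm1(-q * (q - 1) / 2.0 ** (n_bits + 1))

def log2_queries_for_collision(p: float, n_bits: int) -> float:
    """log2 of q such that q^2 / 2^(n+1) = ln(1 / (1 - p))."""
    return 0.5 * (n_bits + 1 + math.log2(-math.log1p(-p)))

def log2_guesses_for_tag(p: float, n_bits: int) -> float:
    """log2 of distinct blind guesses that hit one fixed n-bit tag with probability p."""
    return n_bits + math.log2(p)

def toy_state(counter: int, n_bits: int) -> int:
    """Constructed stand-in for an n-bit internal value: truncated SHA-256."""
    digest = hashlib.sha256(counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def queries_until_collision(n_bits: int, start: int) -> int:
    """Count inputs processed until two of them share the same toy state."""
    seen = set()
    queries = 0
    while True:
        value = toy_state(start + queries, n_bits)
        queries += 1
        if value in seen:
            return queries
        seen.add(value)

def mean_queries(n_bits: int, trials: int = 50) -> float:
    """Average over disjoint input ranges so the trials do not share inputs."""
    runs = [queries_until_collision(n_bits, t * 1_000_000) for t in range(trials)]
    return sum(runs) / trials

if __name__ == "__main__":
    p = 1 - 1 / math.e
    print("128-bit state, collision work : 2^%.1f" % log2_queries_for_collision(p, 128))
    print("128-bit tag, blind guessing   : 2^%.1f" % log2_guesses_for_tag(p, 128))
    print("16-bit toy, measured mean     : %.0f" % mean_queries(16))
    print("16-bit toy, sqrt(pi/2 * 2^16) : %.0f" % math.sqrt(math.pi / 2 * 2 ** 16))
```

For a 128-bit value the collision work is about $2^{64.5}$ queries, the same order as the complexity of about $2^{65}$ quoted above, while blind guessing of a 128-bit tag stays near $2^{128}$.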
1.2 Organization
The remainder of the paper is organised as follows. In the next section, we give the notation used throughout this paper and briefly describe the basic cases of the COPA and Marble algorithms that process messages of a multiple of the block size long. We present our almost universal forgery attacks on COPA (as well as AES-COPA) and Marble in Sections 3 and 4, respectively. Section 5 concludes this paper.
2. PRELIMINARIES
In this section, we give the notation used throughout this paper and briefly describe the concerned basic cases of COPA and Marble that process messages of a multiple of the block size long (that is, no message padding is required). We refer the reader to [1–4,12–14] for detailed specifications of COPA and Marble.
2.1 Notation
We use the following notation throughout this paper.
⊕  bitwise logical exclusive OR (XOR) operation
∗  polynomial multiplication modulo the polynomial $x^{128} \oplus x^{7} \oplus x^{2} \oplus x \oplus 1$ in GF($2^{128}$)
||  string concatenation
e  the base of the natural logarithm (e = 2.71828 · · · )
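
The ∗ operation defined above, written out as an added example (not code from the paper). The bit ordering, where bit i of an integer is the coefficient of x^i, and all function names are assumptions of this example.

```python
# Reduction polynomial from the notation: x^128 + x^7 + x^2 + x + 1.
# Assumption of this example: bit i of an integer is the coefficient of x^i.
LOW_TERMS = 0x87                 # x^7 + x^2 + x + 1
MASK128 = (1 << 128) - 1

def gf_double(a: int) -> int:
    """Multiply by x; an overflowing x^128 term is replaced by x^7 + x^2 + x + 1."""
    a <<= 1
    if a >> 128:
        a = (a & MASK128) ^ LOW_TERMS
    return a

def gf_mul(a: int, b: int) -> int:
    """Shift-and-add product a * b in GF(2^128).

    Branches depend on the operands, so this is for study, not constant-time use.
    """
    acc = 0
    while b:
        if b & 1:
            acc ^= a             # addition in GF(2^128) is XOR
        a = gf_double(a)
        b >>= 1
    return acc

def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation using gf_mul."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result

def gf_inv(a: int) -> int:
    """Inverse of a non-zero element: a^(2^128 - 2), since a^(2^128 - 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("zero has no multiplicative inverse")
    return gf_pow(a, (1 << 128) - 2)

if __name__ == "__main__":
    sample = 0x0123456789ABCDEF0123456789ABCDEF   # constructed sample element
    print(hex(gf_double(1 << 127)))               # x * x^127 reduces to 0x87
    print(gf_mul(sample, gf_inv(sample)))         # 1
```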
2.2 The COPA Authenticated Encryption Algorithm
The COPA [3] authenticated encryption mode was published in 2013. Its internal state, key and tag have the same length as the block size of the underlying block cipher. It has mainly three phases: processing associated data, message encryption, and tag generation. Fig. 1 illustrates the message encryption and tag generation phase of COPA, where
• $E_K$ is an n-bit block cipher with a k-bit user key K;