Research On Forgery Attack Methods Of Authenticated Encryption Algorithms
Posted on: 2019-09-13
Degree: Master
Type: Thesis
Country: China
Candidate: T R Shi
Full Text: PDF
GTID: 2416330566971005
Subject: Military cryptography

Abstract/Summary:

Authenticated encryption (AE) algorithms, which provide confidentiality and authenticity at the same time, are widely used in communication systems. To promote the development of authenticated encryption, the CAESAR competition, a community-run competition supported by the US National Institute of Standards and Technology (NIST), accepted its first-round submissions in 2014, and the cryptanalysis of authenticated encryption algorithms has since become a hot topic in the cryptographic community. As a typical method, the forgery attack plays an important role in the cryptanalysis of authenticated encryption. However, authenticated encryption is still a developing concept with different requirements at different stages, in different applications and in different environments, so traditional forgery attacks have achieved only limited results, and the analysis of the CAESAR candidates has not progressed smoothly. Targeted research on forgery methods that follows the development of authenticated encryption algorithms has therefore become one of the most difficult and pressing tasks in the analysis of authenticated encryption ciphers. Aiming at the possible weaknesses in applications, this thesis systematically studies the differential forgery attack in the general setting, the forgery attack under weak states, direct and collision forgery attacks in the nonce-reuse setting, and the collision forgery attack under quantum computation. These forgery attacks are then applied to the CAESAR finalists MORUS, ACORN and AEGIS and to the third-round candidate AEZ. The main results are summarized as follows.

1. The differential forgery attack in the general setting is studied, and its principle and procedure are derived from an intensive study of differential cryptanalysis; combined with the meet-in-the-middle idea, a differential forgery attack is proposed. We apply the attack to ACORN and MORUS-640-128. For ACORN the attack is valid only when the authentication (finalization) phase runs fewer than 87 rounds, which shows that ACORN resists differential forgery well; we also analyze why the number of rounds reachable by our attack is limited. For MORUS-640-128, the necessary conditions for a collision after two state-update steps are given for the first time and the differential distribution is determined. The resulting collision probability is less than 2^-140, a better bound than the designers' 2^-130. A new automated differential search based on the meet-in-the-middle idea is proposed that takes the constants into account; it extends the number of rounds covered compared with a search that ignores the constants, so the differential forgery attack can be realized more effectively. As an application, we improve the differential search algorithm for MORUS and find 4-step and 5-step differential characteristics with probabilities 2^-32 and 2^-85. Overall, this thesis shows that MORUS-640-128 resists differential forgery attacks well.

2. A forgery attack under weak states is proposed, targeting the weak states that arise during the state update of an authenticated encryption algorithm, and is applied to AEGIS. Two types of weak state are given for AEGIS-256 and AEGIS-128L respectively, each occurring with higher probability than in existing results. On this basis, a weak-state forgery attack on AEGIS-256 is presented, showing that there are 2^512 internal states for which the corresponding messages produce the tag 0 with probability greater than 2^-128; the explicit form of these states is given. A concrete example of a weak state in AEGIS-128L is presented, showing that the weak state in this thesis is realistic. Information leakage in AEGIS-128L encryption is also revealed: the algorithm does not provide 256-bit confidentiality when encrypting a 256-bit message block. Finally, we explain the causes of weak states and give corresponding design suggestions for avoiding the damage they cause.

3. Two forgery attacks in the nonce-reuse setting are proposed, a direct forgery attack based on state recovery and a collision forgery attack based on collision search, addressing environments where a resource-constrained device cannot refresh the nonce in time. Using differential techniques, we select special input differences that expose the internal state in the ciphertext or the tag, and combine this with state recovery to obtain the direct forgery attack under nonce reuse. As a result, we construct the first full state-recovery attack and forgery on MORUS-640-128: all 640 bits of the internal state are recovered after seven nonce reuses with negligible time and data complexity and success probability 1. In the same setting, the collision forgery attack exploits high-probability collisions; applied to ACORN, it succeeds with probability 0.632 at time complexity O(2^120), which is below the 2^128 cost of exhaustive search.

4. The collision forgery attack under quantum computation is given, addressing the challenge that the rapid development of quantum computing poses to symmetric cryptography. The attack uses Simon's quantum period-finding algorithm. For authenticated encryption built on a block-cipher mode of operation, we analyze the structural properties of the algorithm, construct a function that satisfies the generalized Simon assumption, and then realize the collision forgery attack with quantum computation. As a result, we obtain a forgery attack on the AES-prf model of AEZ v4.2 with O(n) computational complexity and success probability close to 1. The attack also applies to AEZ v3, published at Eurocrypt 2015.

Finally, the conclusion briefly analyzes what makes forgery attacks possible and gives several recommendations for improvement.

Keywords/Search Tags: Cryptanalysis, Authenticated Encryption Algorithm, Forgery Attack, Differential Analysis, Collision Attack, Weak State, Nonce Reuse, Quantum Computation
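Result 4 above says only that a function satisfying the generalized Simon assumption is constructed and that a collision then yields a forgery. The following is an added example, not code from the thesis and not the AEZ attack itself: it shows the same mechanism on the simplest block-cipher mode that has it, a two-block CBC-MAC, where f(b, x) = MAC(alpha_b || x) has the hidden period s = E(alpha_0) ^ E(alpha_1). Simon's algorithm recovers s with O(n) queries made in superposition to the keyed primitive (the attack needs that quantum query model); here a classical exhaustive search over a constructed 16-bit toy permutation stands in for that step so the rest of the attack, the collision and the forgery on a never-queried message, can be checked offline. The toy cipher, the blocks alpha_0 and alpha_1, the key and the target block are all constructed for the illustration.

```python
"""Collision forgery via a hidden period, as in Simon-based attacks on
block-cipher modes.  Constructed illustration over a toy 16-bit cipher:
f(b, x) = MAC(alpha_b || x) satisfies f(0, x) == f(1, x ^ s) for every x,
with s = E(alpha_0) ^ E(alpha_1).  Knowing s turns one legitimate tag
into a valid tag on a message the oracle never saw."""

# PRESENT 4-bit S-box, used only to build the toy keyed permutation below.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK = 0xFFFF
ROUNDS = 4
# Constructed, attacker-chosen distinct first blocks alpha_0 and alpha_1.
ALPHA = (0x1234, 0xABCD)


def rotl16(x, r):
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK


def toy_block_encrypt(key, block):
    """Toy 16-bit keyed permutation standing in for E_k; NOT a secure cipher."""
    x = block & MASK
    for i in range(ROUNDS):
        x ^= rotl16(key, 5 * i) ^ i                        # round key
        x = ((SBOX[x >> 12] << 12) | (SBOX[(x >> 8) & 0xF] << 8)
             | (SBOX[(x >> 4) & 0xF] << 4) | SBOX[x & 0xF])  # nibble S-boxes
        x = rotl16(x, 3)                                   # diffusion
    return x ^ key


def cbc_mac(key, blocks):
    """CBC-MAC with zero IV; for two blocks, tag = E(E(m1) ^ m2)."""
    state = 0
    for m in blocks:
        state = toy_block_encrypt(key, state ^ m)
    return state


class MacOracle:
    """Keyed tagging oracle that remembers every message it has tagged."""

    def __init__(self, key):
        self._key = key
        self.queried = set()

    def tag(self, blocks):
        self.queried.add(tuple(blocks))
        return cbc_mac(self._key, blocks)

    def verify(self, blocks, tag):
        return cbc_mac(self._key, blocks) == tag


def find_period_classically(oracle):
    """Recover s with MAC(alpha_0 || x) == MAC(alpha_1 || x ^ s) for all x.

    f(0, x) = E(E(alpha_0) ^ x) equals f(1, 0) = E(E(alpha_1)) exactly when
    x = E(alpha_0) ^ E(alpha_1), because E is a permutation.  One pass over
    the 2^16 values of x therefore finds s; Simon's algorithm obtains the
    same s with O(n) superposition queries instead of 2^n classical ones.
    """
    target = oracle.tag([ALPHA[1], 0])
    for x in range(1 << 16):
        if oracle.tag([ALPHA[0], x]) == target:
            return x
    raise RuntimeError("no period found; E is not a permutation")


def forge(oracle, period, target_block):
    """Valid tag for the never-queried message alpha_1 || target_block, from one
    legitimate query on its collision partner alpha_0 || (target_block ^ period)."""
    tag = oracle.tag([ALPHA[0], target_block ^ period])
    return [ALPHA[1], target_block], tag


def demo(key=0xBEEF, target_block=0x4242):
    """Run the whole attack and report what the verifier sees."""
    oracle = MacOracle(key)
    s = find_period_classically(oracle)
    forged_msg, forged_tag = forge(oracle, s, target_block)
    return {
        "period": s,
        "expected_period": toy_block_encrypt(key, ALPHA[0]) ^ toy_block_encrypt(key, ALPHA[1]),
        "forged_valid": oracle.verify(forged_msg, forged_tag),
        "forged_fresh": tuple(forged_msg) not in oracle.queried,
    }


if __name__ == "__main__":
    print(demo())
```

The point the thesis makes for AEZ is the same one visible here: the forgery does not break the block cipher, it exploits a period in the mode's input-to-tag map, so a larger block size or key only increases the cost of the classical search, not the O(n) quantum one.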