Cryptanalysis of two variants of PCBC mode when used for message integrity

Authors:
Chris J. Mitchell
Affiliations:
Information Security Group, Royal Holloway, University of London, Egham, Surrey, UK
Venue:
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
Year:
2005

Citing 9
Cited 3

The use of encryption in Kerberos for network authentication (invited)

CRYPTO '89 Proceedings on Advances in cryptology
Handbook of Applied Cryptography

Handbook of Applied Cryptography
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS ...

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption

Proceedings of the 11th USENIX Security Symposium
Integrity-Aware PCBC Encryption Schemes

Proceedings of the 7th International Workshop on Security Protocols
OCB: A block-cipher mode of operation for efficient authenticated encryption

ACM Transactions on Information and System Security (TISSEC)
Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm

ACM Transactions on Information and System Security (TISSEC)
Low computational cost integrity for block ciphers

Future Generation Computer Systems - Special issue: Computational chemistry and molecular dynamics
User's Guide To Cryptography And Standards (Artech House Computer Security)

User's Guide To Cryptography And Standards (Artech House Computer Security)

Cryptanalysis of the EPBC authenticated encryption mode

Cryptography and Coding'07 Proceedings of the 11th IMA international conference on Cryptography and coding
A survey on automatic configuration of virtual private networks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Block-level added redundancy explicit authentication for parallelized encryption and integrity checking of processor-memory transactions

Transactions on computational science X

Quantified Score

Hi-index	0.00

Visualization

Abstract

The PCBC block cipher mode of operation has many variants, of which one, due to Meyer and Matyas, dates back over 20 years. Whilst a particularly simple variant of PCBC has long been known to be very weak when used for data integrity protection, the Meyer-Matyas variant has not previously been attacked. In this paper we cryptanalyse this mode, and show that it possesses a serious weakness when used for data integrity protection. Specifically, we show how to construct an existential forgery using only a single known ciphertext message and a modest amount of known plaintext (this could be as little as three plaintext blocks). We also describe a ciphertext-only existential forgery attack against another, recently proposed, PCBC-variant called M-PCBC.