The PCBC block cipher mode of operation has many variants, of which one, due to Meyer and Matyas, dates back over 20 years. Whilst a particularly simple variant of PCBC has long been known to be very weak when used for data integrity protection, the Meyer-Matyas variant has not previously been attacked. In this paper we cryptanalyse this mode, and show that it possesses a serious weakness when used for data integrity protection. Specifically, we show how to construct an existential forgery using only a single known ciphertext message and a modest amount of known plaintext (this could be as little as three plaintext blocks). We also describe a ciphertext-only existential forgery attack against another, recently proposed, PCBC-variant called M-PCBC.