Universal hashing and authentication codes
Designs, Codes and Cryptography
LFSR-based Hashing and Authentication
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
Bucket Hashing and its Application to Fast Message Authentication
CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
On Fast and Provably Secure Message Authentication Based on Universal Hashing
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Plaintext Recovery Attacks against SSH
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Grain-128a: a new version of Grain-128 with optional authentication
International Journal of Wireless and Mobile Computing
Analysis of indirect message injection for MAC generation using stream ciphers
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
SAT based analysis of LTE stream cipher ZUC
Proceedings of the 6th International Conference on Security of Information and Networks
Hi-index | 0.00 |
In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the algorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable resistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.