Bernstein Bound on WCS is Tight - Repairing Luykx-Preneel Optimal Forgeries.
IACR Cryptology ePrint Archive(2018)
Abstract
In Eurocrypt 2018, Luykx and Preneel described hash-key-recovery and forgery attacks against polynomial-hash-based Wegman-Carter-Shoup (WCS) authenticators. Their attacks require  message-tag pairs and recover the hash key with probability about , where n is the bit-size of the hash key. Bernstein, in Eurocrypt 2005, had provided an upper bound (known as the Bernstein bound) on the maximum forgery advantage. The bound says that all adversaries making  queries to WCS can have forgery advantage at most . So Luykx and Preneel essentially analyze WCS in a range of query complexities where WCS is known to be perfectly secure. Here we revisit the bound and find that WCS remains secure against all adversaries making  queries. So it is meaningful to analyze adversaries with beyond-birthday-bound complexities. In this paper, we show that the Bernstein bound is tight by describing two attacks (one in the "chosen-plaintext model" and the other in the "known-plaintext model") which recover the hash key (and hence forge) with probability at least  based on  message-tag pairs. We also extend the forgery adversary to the Galois Counter Mode (GCM). More precisely, we recover the hash key of GCM with probability at least  based on only  encryption queries, where  is the number of blocks present in the encryption queries.
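The following is an added, constructed illustration of the principle behind nonce-respecting hash-key recovery against WCS; it is not code from the paper or from any implementation the abstract describes, and it does not reproduce the paper's exact attacks or constants. It scales the setting down to a toy model with assumptions of its own: the hash is the one-block polynomial hash H_K(m) = m·K over the prime field Z_p (p = 8191, standing in for GF(2^n) with n of about 13 bits), the block cipher is modelled by a random permutation F of Z_p, and the tag is T = H_K(m) + F(nonce). Because F is a permutation, two queries with distinct nonces can never share a mask value, so any key K for which H_K(m_i) − H_K(m_j) equals T_i − T_j is impossible; each query pair therefore rules out one candidate key while the true key always survives. The names ToyWCS, sieve_keys, run_attack and queries_for_unique_key are this example's own.

```python
"""Toy Wegman-Carter-Shoup authenticator over Z_p and a nonce-respecting
hash-key sieve.  Constructed illustration, not the paper's code.

Assumptions of the toy model (all chosen here):
  * one-block polynomial hash H_K(m) = m * K mod p,
  * the block cipher is replaced by a random permutation F of Z_p,
  * tag T = H_K(m) + F(nonce) mod p, and nonces never repeat.
Since F is a permutation, F(n_i) != F(n_j) for i != j, so a candidate key K
with H_K(m_i) - H_K(m_j) == T_i - T_j (mod p) is impossible: every query
pair rules out one candidate key, and the true key is never ruled out.
"""
import math
import random

P = 8191  # 2^13 - 1, prime; plays the role of 2^n with n of about 13 bits


class ToyWCS:
    """Tag oracle holding a secret hash key and a secret random permutation."""

    def __init__(self, rng: random.Random) -> None:
        self.key = rng.randrange(1, P)      # secret hash key K (non-zero)
        self.F = list(range(P))
        rng.shuffle(self.F)                 # random permutation standing in for E_k
        self.used = set()

    def tag(self, nonce: int, m: int) -> int:
        if nonce in self.used:
            raise ValueError("nonce reuse")  # WCS forbids it; the sieve relies on it
        self.used.add(nonce)
        return (m * self.key + self.F[nonce]) % P


def sieve_keys(queries):
    """Return every hash key in 1..p-1 consistent with nonce-respecting
    (m_i, T_i) pairs whose messages are pairwise distinct (mod p)."""
    alive = [True] * P
    for i, (m_i, t_i) in enumerate(queries):
        for m_j, t_j in queries[:i]:
            # K = (T_i - T_j) / (m_i - m_j) would force F(n_i) == F(n_j): impossible
            k = (t_i - t_j) * pow((m_i - m_j) % P, -1, P) % P
            alive[k] = False
    return [k for k in range(1, P) if alive[k]]


def run_attack(q: int, seed: int = 1):
    """Chosen-plaintext model: ask for tags on messages 1..q under fresh
    nonces, then sieve.  Returns (true_key, surviving_candidates)."""
    rng = random.Random(seed)               # fixed seed: constructed, reproducible run
    oracle = ToyWCS(rng)
    queries = [(m, oracle.tag(nonce=m, m=m)) for m in range(1, q + 1)]
    return oracle.key, sieve_keys(queries)


def queries_for_unique_key(c: float = 3.0) -> int:
    """Heuristic query count: q(q-1)/2 pairs each remove about one random
    key, so c * p * ln p pairs leave roughly p^(1-c) spurious keys.  That is
    q ~ sqrt(2c * p * ln p), a sqrt(ln p) factor above the birthday bound
    sqrt(p)."""
    return math.ceil(math.sqrt(2 * c * P * math.log(P)))


if __name__ == "__main__":
    birthday_q = math.isqrt(P)               # about 2^(n/2) queries
    key, cands = run_attack(birthday_q)
    print(f"q={birthday_q}: {len(cands)} candidate keys survive (true key {key})")
    q = queries_for_unique_key()
    key, cands = run_attack(q)
    print(f"q={q}: surviving candidates {cands}, true key {key}")
```

Two things are worth checking when running it. At q = ⌊√p⌋ = 90 queries (the birthday regime) only about q²/2 ≈ 4000 of the 8190 keys can have been excluded, so thousands of candidates survive and the sieve gives nothing usable; at q = 666, which is √(6 ln p) ≈ 7.4 times √p, the surviving set collapses to the true key alone. In this toy the query count that suffices grows as √(ln p)·√p, the same kind of √n factor above the birthday bound that the abstract places the paper's attacks at, though the toy's constants are its own and say nothing about the paper's exact bounds.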