Institute of Software, Chinese Academy of Sciences: Institutional Repository (ISCAS OpenIR)
Title: A Practical Forgery Attack on Raviyoyla v1 (original title: 对Raviyoyla v1的实际伪造攻击)
Alternative Title: A Single Query Forgery Attack on Raviyoyla v1
Author: 姚远 ; 张斌 ; 吴文玲
Keyword: Forgery attack ; Differential analysis
Source: 计算机学报 (Chinese Journal of Computers)
Issued Date: 2016
Volume: 39, Issue:3, Pages:478-491
Indexed Type: CSCD
Department: 姚远, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; 张斌, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; 吴文玲, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
Abstract: With the rise of the mobile Internet and the arrival of the big-data era, secure and efficient authenticated encryption algorithms are urgently needed. In 2013, with the sponsorship of NIST, Bernstein et al. launched the authenticated encryption competition named CAESAR. Evaluating the security of the competition candidates has become a central topic in symmetric cryptography research. Raviyoyla v1 is one of the candidates submitted to the first round of CAESAR. It is a stream cipher built on the eStream candidate MAG v2 and uses a keyed hash function for authentication. Although the designer claims that Raviyoyla v1 provides 128-bit integrity, this paper constructs a practical forgery attack on Raviyoyla v1, showing that the algorithm is highly insecure. Specifically, by introducing a differential of a special form into the plaintext message, the attacker can make the internal state of the algorithm carry no differential at the moment the authentication tag is output. Moreover, this differential is not restricted to particular values, so multiple forgeries can be obtained from the same message. Theoretical analysis shows that a differential of this form causes an internal-state collision with probability greater than 0.307143; on average, therefore, only about three trials are needed to produce a forgery. In particular, if the differential is restricted to certain special values, the success probability is very close to 1. Experiments on a single PC show that the attacker can produce a forgery within a few seconds. Although the designer proposed a possible revision against the above attack, further analysis in this paper shows that the revision is not essential: the revised algorithm still cannot resist differential-based forgery attacks. For each of the possible revisions proposed by the designer, this paper gives a practical attack. Experiments confirm that these attacks have a high success probability and take only a few seconds on a single PC. Finally, the paper lists forgery examples for all possible cases. As far as we know, there is no analysis of the authentication part of Raviyoyla v1 or its revisions in the open literature, so this paper is of significance to the CAESAR competition.
English Abstract: Raviyoyla v1 is an authenticated encryption algorithm submitted to the first round of the CAESAR competition, which was launched in 2013 with the support of NIST to identify efficient, flexible and secure authenticated encryption primitives. Raviyoyla v1 is composed of an additive stream cipher motivated by the eStream candidate MAG v2 and a keyed hash function. While the designer claims 128-bit security for authentication, in this paper we propose a method to construct forgeries using a single query, with negligible complexity. Specifically, we introduce a differential of a specific form into the public message and cancel it before any authentication tag is output. The differential is not restricted to any particular value, so multiple forgeries can be made from a single query. Our theoretical analysis shows that the probability that a randomly selected differential of our form is canceled out is at least 0.307143; therefore three trials suffice to obtain a forgery. Moreover, the probability approaches one for some specialized values, and in our experiments on a PC the attack succeeds within a few seconds. Furthermore, the revised Raviyoyla v1 is vulnerable to our attack as well, and we provide several sample forgeries for the possible revisions, found with negligible time complexity. As far as we know, no cryptanalysis of the authentication part of Raviyoyla v1 or its revision has been published. Therefore, our work is significant for the CAESAR competition.
Language: Chinese
Content Type: Journal article
URI: http://ir.iscas.ac.cn/handle/311060/17373
Appears in Collections: ISCAS Library_Journal Articles

Files in This Item:
File Name / File Size / Content Type / Version / Access / License
对Raviyoyla v1的实际伪造攻击.pdf (1165 KB), restricted access; contact the repository to obtain the full text

Recommended Citation:
姚远, 张斌, 吴文玲. A Practical Forgery Attack on Raviyoyla v1 (对Raviyoyla v1的实际伪造攻击) [J]. 计算机学报, 2016-01-01, 39(3): 478-491.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2020 Institute of Software, Chinese Academy of Sciences