IACR News item: 24 March 2014
Yu Sasaki, Lei Wang
ePrint Report
\\panda~is an authenticated encryption scheme designed by Ye {\\it et al.}, and submitted to the CAESAR competition.
The designers claim that \\pandas, which is one of the designs of the \\panda-family, provides 128-bit security in the nonce misuse model.
In this note, we describe our forgery attack against \\pandas.
Our attack works in the nonce misuse model.
It exploits the fact that the message processing function and the finalization function are identical,
and thus a variant of the length-extension attack can be applied.
We can find a tag for a pre-specified formatted message with 2 encryption oracle calls, $2^{64}$ computational cost, and negligible memory.
Additional news items may be found on the IACR news page.