A Simple Forgery Attack on Pelican
摘要
Pelican, suggested by Daemen and Rijmen, is a Message Authentication Code (MAC) with a structure that resembles a CBC-MAC. A constant IV is first encrypted under the unknown key, and then a CBC “encryption” takes place with a fixed random permutation (of 4 keyless AES rounds). The finalization is composed of applying another full keyed AES encryption. Previous works relied on internal collisions, and resulted in an almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it. However, no key-recovery attacks or forgery attacks invalidating the security claims of the Pelican were published. In this paper we show a simple forgery attack against Pelican. We show that adding a block of 0 to the message (at any location) does not change the tag with probability \(18 \cdot 2^{-128}\) (i.e., 18 times higher than expected), which contradicts the security claims of Pelican. We also show that one can increase the success rate of the attack up to \(3,810 \cdot 2^{-128}\approx 2^{-116.1}\) by adding 951 blocks of 0 to the message. We argue that the fixed-point based attacks contradict the security claims of Pelican.