On the Security of the COPA and Marble Authenticated Encryption Algorithms against (Almost) Universal Forgery Attack

Abstract. COPA is a block-cipher-based authenticated encryption mode with a provable birthday-bound security under the assumption that the underlying block cipher is a strong pseudorandom permutation, and its instantiation with the AES block cipher is called AES-COPA. Marble is an AES-based COPA-like authenticated encryption algorithm with a full security. In this paper, we analyse the security of COPA and Mar-ble against universal forgery attacks. We present beyond-birthday-bound (almost) universal forgery attacks on the COPA when used with constant or variable associate data, and present (almost) universal forgery attacks on the Marble when used without associated data or with (variable) as-sociate data. Our attacks on the COPA with variable associate data have a complexity very near the birthday bound, and their applications to AES-COPA show that the security claim of AES-COPA against tag guessing may be not correct; and our attacks on the (newest as well as initial version of) Marble with associate data show that Marble does not provide a full security that the designer claimed. Like many recently pub-lished cryptanalytic results on message authentication algorithms with a provable birthday-bound security, our attacks on COPA do not violate its security proofs, but provide a comprehensive understanding of its se-curity against universal forgery attack, show that the success probability of a universal forgery on the COPA is larger than the ideal bound 2n of the standard forgery-resistance, and boil down to an existing open question: Should a message authentication algorithm with a weaker se-curity claim than the standard forgery-resistance be regarded as a sound design