A Simple Forgery Attack on Pelican

Orr Dunkelman

doi:10.1007/978-3-032-06754-8_12

A Simple Forgery Attack on Pelican

Orr Dunkelman

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Pelican, suggested by Daemen and Rijmen, is a Message Authentication Code (MAC) with a structure that resembles a CBC-MAC. A constant IV is first encrypted under the unknown key, and then a CBC “encryption” takes place with a fixed random permutation (of 4 keyless AES rounds). The finalization is composed of applying another full keyed AES encryption. Previous works relied on internal collisions, and resulted in an almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it. However, no key-recovery attacks or forgery attacks invalidating the security claims of the Pelican were published. In this paper we show a simple forgery attack against Pelican. We show that adding a block of 0 to the message (at any location) does not change the tag with probability 18·2^-128 (i.e., 18 times higher than expected), which contradicts the security claims of Pelican. We also show that one can increase the success rate of the attack up to 3,810·2^-128≈2^-116.1 by adding 951 blocks of 0 to the message. We argue that the fixed-point based attacks contradict the security claims of Pelican.

Original language	English
Title of host publication	Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings
Editors	Daniel Escudero, Ivan Damgård
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	333-344
Number of pages	12
ISBN (Print)	9783032067531
DOIs	https://doi.org/10.1007/978-3-032-06754-8_12
State	Published - 2026
Event	9th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2025 - Medellín, Colombia Duration: 1 Oct 2025 → 3 Oct 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	16129 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2025
Country/Territory	Colombia
City	Medellín
Period	1/10/25 → 3/10/25

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

Keywords

Cryptanalysis
Fixed points
MAC
Pelican

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-032-06754-8_12

Cite this

Dunkelman, O. (2026). A Simple Forgery Attack on Pelican. In D. Escudero, & I. Damgård (Eds.), Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings (pp. 333-344). (Lecture Notes in Computer Science; Vol. 16129 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-06754-8_12

@inproceedings{a73efdca0b224f65aa180dd6419d1491,

title = "A Simple Forgery Attack on Pelican",

abstract = "Pelican, suggested by Daemen and Rijmen, is a Message Authentication Code (MAC) with a structure that resembles a CBC-MAC. A constant IV is first encrypted under the unknown key, and then a CBC “encryption” takes place with a fixed random permutation (of 4 keyless AES rounds). The finalization is composed of applying another full keyed AES encryption. Previous works relied on internal collisions, and resulted in an almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it. However, no key-recovery attacks or forgery attacks invalidating the security claims of the Pelican were published. In this paper we show a simple forgery attack against Pelican. We show that adding a block of 0 to the message (at any location) does not change the tag with probability 18·2-128 (i.e., 18 times higher than expected), which contradicts the security claims of Pelican. We also show that one can increase the success rate of the attack up to 3,810·2-128≈2-116.1 by adding 951 blocks of 0 to the message. We argue that the fixed-point based attacks contradict the security claims of Pelican.",

keywords = "Cryptanalysis, Fixed points, MAC, Pelican",

author = "Orr Dunkelman",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.; 9th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2025 ; Conference date: 01-10-2025 Through 03-10-2025",

year = "2026",

doi = "10.1007/978-3-032-06754-8\_12",

language = "English",

isbn = "9783032067531",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "333--344",

editor = "Daniel Escudero and Ivan Damg{\aa}rd",

booktitle = "Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings",

address = "Germany",

}

Dunkelman, O 2026, A Simple Forgery Attack on Pelican. in D Escudero & I Damgård (eds), Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings. Lecture Notes in Computer Science, vol. 16129 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 333-344, 9th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2025, Medellín, Colombia, 1/10/25. https://doi.org/10.1007/978-3-032-06754-8_12

A Simple Forgery Attack on Pelican. / Dunkelman, Orr.
Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings. ed. / Daniel Escudero; Ivan Damgård. Springer Science and Business Media Deutschland GmbH, 2026. p. 333-344 (Lecture Notes in Computer Science; Vol. 16129 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Simple Forgery Attack on Pelican

AU - Dunkelman, Orr

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

PY - 2026

Y1 - 2026

N2 - Pelican, suggested by Daemen and Rijmen, is a Message Authentication Code (MAC) with a structure that resembles a CBC-MAC. A constant IV is first encrypted under the unknown key, and then a CBC “encryption” takes place with a fixed random permutation (of 4 keyless AES rounds). The finalization is composed of applying another full keyed AES encryption. Previous works relied on internal collisions, and resulted in an almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it. However, no key-recovery attacks or forgery attacks invalidating the security claims of the Pelican were published. In this paper we show a simple forgery attack against Pelican. We show that adding a block of 0 to the message (at any location) does not change the tag with probability 18·2-128 (i.e., 18 times higher than expected), which contradicts the security claims of Pelican. We also show that one can increase the success rate of the attack up to 3,810·2-128≈2-116.1 by adding 951 blocks of 0 to the message. We argue that the fixed-point based attacks contradict the security claims of Pelican.

AB - Pelican, suggested by Daemen and Rijmen, is a Message Authentication Code (MAC) with a structure that resembles a CBC-MAC. A constant IV is first encrypted under the unknown key, and then a CBC “encryption” takes place with a fixed random permutation (of 4 keyless AES rounds). The finalization is composed of applying another full keyed AES encryption. Previous works relied on internal collisions, and resulted in an almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it. However, no key-recovery attacks or forgery attacks invalidating the security claims of the Pelican were published. In this paper we show a simple forgery attack against Pelican. We show that adding a block of 0 to the message (at any location) does not change the tag with probability 18·2-128 (i.e., 18 times higher than expected), which contradicts the security claims of Pelican. We also show that one can increase the success rate of the attack up to 3,810·2-128≈2-116.1 by adding 951 blocks of 0 to the message. We argue that the fixed-point based attacks contradict the security claims of Pelican.

KW - Cryptanalysis

KW - Fixed points

KW - MAC

KW - Pelican

UR - https://www.scopus.com/pages/publications/105020008359

U2 - 10.1007/978-3-032-06754-8_12

DO - 10.1007/978-3-032-06754-8_12

M3 - Conference contribution

AN - SCOPUS:105020008359

SN - 9783032067531

T3 - Lecture Notes in Computer Science

SP - 333

EP - 344

BT - Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings

A2 - Escudero, Daniel

A2 - Damgård, Ivan

PB - Springer Science and Business Media Deutschland GmbH

T2 - 9th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2025

Y2 - 1 October 2025 through 3 October 2025

ER -

Dunkelman O. A Simple Forgery Attack on Pelican. In Escudero D, Damgård I, editors, Progress in Cryptology – LATINCRYPT 2025 - 9th International Conference on Cryptology and Information Security in Latin America, Proceedings. Springer Science and Business Media Deutschland GmbH. 2026. p. 333-344. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-06754-8_12