Abstract
This work presents practical key-recovery attacks on round-reduced variants of CAESAR Round 2 candidate PAEQ by analyzing it in the light of guess-and-determine analysis. The attack developed here targets the mode of operation along with diffusion inside the AES based internal permutation AESQ. The first attack uses a guess-and-invert technique leading to a meet-in-the-middle attack that is able to recover the key for 6 out of the 20 rounds of paeq-64/80/128 with reduced key entropy of \(1,2^{16}\) and \(2^{32}\) respectively. The second analysis extends the attack to 7 rounds using a invert-and-guess strategy which results in reduced key-space of \(2^{24},2^{32}\) and \(2^{40}\) for the same PAEQ variants. Finally, an 8-round attack is mounted using a guess-invert-guess strategy which works on any of the three variants with a complexity of \(2^{48}\). Moreover, unlike the CICO attack mounted by the designers which works with only AESQ, our 8-round attack additionally takes into account the mode of operation of PAEQ.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
It is understood that here 2|n.
- 2.
The unknown byte of the input column.
- 3.
Except the last branch when the last message block is incomplete. This is because for last incomplete block output is further truncated resulting in loss of information available to the attacker.
References
Al Fardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: IEEE Symposium on Security and Privacy 2013, pp. 526–540. IEEE (2013)
Alex Biryukov, D.K.: PAEQ v1 (2014). http://competitions.cr.yp.to/round1/paeqv1.pdf
Bagheri, N., Mendel, F., Sasaki, Y.: Improved rebound attacks on AESQ: core permutation of CAESAR candidate PAEQ. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 301–316. Springer, Heidelberg (2016). doi:10.1007/978-3-319-40367-0_19
Biryukov, A., Khovratovich, D.: PAEQ: parallelizable permutation-based authenticated encryption. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 72–89. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13257-0_5
Boura, C., Chakraborti, A., Leurent, G., Paul, G., Saha, D., Soleimany, H., Suder, V.: Key recovery attack against 2.5-round \(\pi \)-cipher. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 535–553. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_27
CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014). http://competitions.cr.yp.to/caesar.html/
Duong, T., Rizzo, J.: Here Come The XOR Ninjas. White paper, Netifera (2011)
Gligoroski, D., Mihajloska, H., Samardjiska, S., Jacobsen, H., El-Hadedy, M., Jensen, R., Otte, D.: \(\pi \)-Cipher v2.0. Submission to the CAESAR Competition (2014). http://competitions.cr.yp.to/caesar-submissions.html/
Saha, D., Chowdhury, D.R.: EnCounter: on breaking the nonce barrier in differential fault analysis with a case-study on PAEQ. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 581–601. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53140-2_28
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Saha, D., Kakarla, S., Mandava, S., Chowdhury, D.R. (2016). Gain: Practical Key-Recovery Attacks on Round-reduced PAEQ . In: Carlet, C., Hasan, M., Saraswat, V. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2016. Lecture Notes in Computer Science(), vol 10076. Springer, Cham. https://doi.org/10.1007/978-3-319-49445-6_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-49445-6_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49444-9
Online ISBN: 978-3-319-49445-6
eBook Packages: Computer ScienceComputer Science (R0)