Abstract
This work presents practical key-recovery attacks on round-reduced variants of the CAESAR Round 2 candidate PAEQ by analyzing it in the light of guess-and-determine analysis. The attacks developed here target the mode of operation together with the diffusion inside the AES-based internal permutation AESQ. The first attack uses a guess-and-invert technique leading to a meet-in-the-middle attack that is able to recover the key for 6 out of the 20 rounds of paeq-64/80/128 with reduced key entropy of 1, 2^16 and 2^32, respectively. The second analysis extends the attack to 7 rounds using an invert-and-guess strategy, which results in a reduced key space of 2^24, 2^32, and 2^40 for the same PAEQ variants. Then, an 8-round attack (without the last shuffle operation) is mounted using a guess-invert-guess strategy, which works on any of the three variants with a complexity of 2^48. Moreover, unlike the CICO attack mounted by the designers, which works with AESQ alone, our 8-round attack additionally takes into account the mode of operation of PAEQ. Finally, combining guess-and-determine with internal differential cryptanalytic strategies, a full 8-round attack is devised which recovers the key for paeq-64/80/128 with time complexities of 2^34, 2^66, and 2^98, respectively.
Notes
It is understood that here 2|n.
The unknown byte of the input column.
Except the last branch when the last message block is incomplete. This is because, for the last incomplete block, the output is further truncated, resulting in a loss of information available to the attacker.
Submitted to Special issue on invited extended papers from SPACE 2016
Saha, D., Kakarla, S., Mandava, S. et al. Gain: Practical Key-Recovery Attacks on Round-Reduced PAEQ. J Hardw Syst Secur 1, 282–296 (2017). https://doi.org/10.1007/s41635-017-0010-5
DOI: https://doi.org/10.1007/s41635-017-0010-5