1 Introduction

The CAESAR competition [2] (Competition for Authenticated Encryption: Security, Applicability, and Robustness) has started in March 2014, and its goal is to improve the understanding of the crypto community in the area of authenticated ciphers through a public competition for submitting authenticated encryption schemes that offer advantages over the widely used AES-GCM [8]. In total, 58 ciphers were submitted to the open call, and in the following three years, through security analysis and investigation of the implementations advantages, it is expected that among these ciphers, a few to be selected in a portfolio of recommended authenticated schemes that are suitable for widespread adoption.

A number of the proposed CAESAR candidates (as well as the benchmark AES-GCM) are based on the current encryption standard: the AES family of block ciphers. The reason for this is twofold. First, the AES has undergone an extensive analysis and is assumed that its security is well understood (or at least better understood compared to all of the remaining unbroken ciphers). Second, AES offers a large software implementation advantage on the latest processor through the so-called AES-NI instruction set, i.e., modern processors have dedicated instructions that allow to reduce the execution time of the AES cipher calls.

In general, the CAESAR candidates based on the AES use the block cipher in two ways: either as a whole (or a variant consisting of at least a certain number of rounds), or only its round function. The first type of candidates (OCB [6], AES-COPA [1], etc., and AES-GCM) are constructions that require calls to the full 10-round AES-128 (or at least 4-round variants with independent round keys, e.g., SHELL [11]). Usually, they are provable modes based on security reduction to the security of AES, and thus benefit from the current state-of-the-art cryptanalysis of AES-128 [4, 5]. The second type uses only the AES round function and has no strict security proof, i.e., the mode is not provably secure, however, the resistance against common attacks is provided through ad-hoc techniques. Such candidates (see AEGIS [12], PAES [13], Tiaoxin-346 [9]) benefit from the good security properties and the software performance of the AES round function. They tend to use less than 10 AES round calls per message blocks, and as such are extremely fast.

Our Contributions. We provide a cryptanalysis of the CAESAR candidate PAES [13] and show two attacks that contradict the security claims given by the designers. Common for both of the attacks are the low complexity requirements and misuse of the AES round function in PAES.

The first attack targets the nonce-repeating mode of PAES (called PAES-8) and is a universal forgery attack of any plaintext with at least 240 bytes. It requires \(2^{11}\) time and data complexity to fully recover the internal state and produce forgery. To launch the attack, we use a special differential trail that can take two different paths. By analyzing the ciphertext difference, the path is uniquely determined and allows state recovery based on the differential property of the AES S-Box. Our attack shows that a mere differential analysis (often given by providing the best differential characteristic of a construction) is insufficient for proving security in the nonce-repeating mode, even when the candidates guarantees multiple applications of AES round function.

The second attack comes in a form of a distinguisher for a class of \(2^{64}\) weak keys among the total \(2^{128}\) keys of PAES. We show that if the attacker can control the nonce, then a single pair of known plaintext and corresponding ciphertext is sufficient to distinguish PAES from an ideal authenticated encryption scheme. The attack relies on the initialization phase of PAES that does not use constants, while the AES round function preserves certain symmetric properties when constants are absent. The results of this paper are summarized in Table 1.

Table 1. Attacks on PAES.
Full size table

Organization of the Paper. We recall the design details of the PAES submissions in Sect. 2 and present the universal forgery attack on PAES-8 in Sect. 3. Then, in Sect. 4 we introduce the distinguisher for PAES in the context of weak keys, and we conclude the paper in Sect. 5.

2 Description of PAES

The family of authenticated encryption (AE) algorithms PAES has been submitted to the ongoing CAESAR competition and consists of two concrete proposals: PAES-4 and PAES-8. As the name suggests, they both use the AES design strategy [3], and take as input a variable-length plaintext, a 128-bit key, a 128-bit nonce and produce a variable-length ciphertext and a 128-bit authentication tag. The difference between PAES-4 and PAES-8 lies in the size of the internal state, which amounts to four 128-bit blocks for the former, and eight 128-bit blocks for the latter. A functional difference between these two variants is in the mode: PAES-4 has security claims only in the nonce-respecting mode, while PAES-8 in both, the nonce-respecting and nonce-repeating modes.

To simplify the presentation, we describe only PAES-8 in the sequel, and only as authenticated encryption. The design resembles a stream cipher: it has an initialization (where the key and the nonce are loaded into the state), then it processes the input message and produces the ciphertext, and finally in the finalization it produces the tag. The internal state \(S\) has eight words \(S_1,S_2,\ldots ,S_8\), each of 128 bits, i.e., \(|S_i|=128, i = 1,\ldots ,8\). The state update function \(StateUpdate(S,M)\) is the round transformation and uses eight keylessFootnote 1 AES-round calls (denoted further as \(\mathtt{AES} _{0}\)) to update the state as depicted in Fig. 1.

Fig. 1.
figure 1

The round function \(StateUpdate(S,M)\). During the processing of the plaintext, the XOR from \(S_7\) to \(S_8\) is absent.

Full size image

Initialization. The 128-bit master key \(K\) and the nonce \(N\) are loaded into the eight words of the state, the state goes through 10 rounds and at the end the key is XORed to all eight words of the state:

$$\begin{aligned}&S_1 = K\oplus N,&S_5 = L^4(K) \oplus L^7(N) \\&S_2 = L(K) \oplus L^3(N),&S_6 = L^5(K) \oplus L^3(N)\\&S_3 = L^2(K) \oplus L(N),&S_7 = L^6(K) \oplus L^5(N)\\&S_4 = L^3(K) \oplus L^2(N),&S_8 = L^7(K) \oplus L^6(N)\\&for\ i = 1\ to\ 10 \\&\quad \,\,\,S = StateUpdate(State,0) \\&for\ i = 1\ to\ 8 \\&\quad \,\,\,S_i = S_i \oplus K \end{aligned}$$

where \(L\) is the linear transformation that operates on the four 32-bit columns \(a,b,c,d\) of a 128-bit word \(a||b||c||d\), and is defined as \(L(a,b,c,d) = (b,c,d\oplus a, a)\). We denote \(L^{i}\) the \(i\)-th functional power of the transformation \(L\), e.g., \(L^{2}=L\circ L\).

Processing the Plaintext. In one round, from 16-byte plaintext \(P_i\), 16-byte ciphertext \(C_i\) is obtained with one call to the \(StateUpdate\) function (see Fig. 2):

Fig. 2.
figure 2

One round of the encryption.

Full size image
$$\begin{aligned}&tmp = S_7 \\&StateUpdate( S, P_i) \\&R_i = tmp \oplus S_7\\&C_i = P_i \oplus R_i \end{aligned}$$

Finalization and the Tag Production. Let \(|M|\) be the 128-bit encoding of the message length. Then, the tag \(T\) is produced after 10 rounds of the \(StateUpdate\) function where the message input is set to \(|M|\):

$$\begin{aligned}&for\ i = 1\ to\ 10 \\&\quad \,\,\, StateUpdate(S,|M|) \\&T = S_7 \oplus S_8 \end{aligned}$$

Claimed Security of PAES . The claimed security of PAES is given in Table 2. We emphasize in particular that 128-bit security is claimed for the integrity of PAES in the nonce-repeating mode.

Table 2. Bits of security goals of PAES [13, Table 3.1].
Full size table

3 Practical Universal Forgery Attack Against PAES-8

In this section, we show a universal forgery attack for PAES-8  in the nonce-repeating mode. The attack works for any plaintext with length of at least 240 bytes, and requires only a small time and data complexity. The steps of the attack can be summarized as follows:

  1. 1.

    Inject differences in two consecutive plaintext blocks such that they cancel in \(S_8\) with a high probability.

  2. 2.

    The ciphertext difference after eight rounds will reveal if the cancellation in \(S_8\) occurred and if so, it will leak information about the state bits.

  3. 3.

    Once the state is recovered, the tag is produced by going through the remaining of the transformations of the (now) public construction.

3.1 Differential Trail and Detection of Difference Cancellation

The differential trail used in the attack is given in Fig. 3. We inject difference \(\varDelta \alpha \) in the plaintext \(P_0\), and try to cancel it with another difference \(\varDelta \beta \) in the plaintext \(P_1\). Interestingly, this type of trail has been discussed by the designers of PAES (see [13, Figure 4.3]), however, they focused on the standard case of propagating the difference through eight rounds and tried to predict it. On the other hand, we use a different approach: our goal is not to predict the difference after eight rounds, but only to detect if the initial differences in \(\varDelta \alpha \) and \(\varDelta \beta \) have canceled. In Fig. 3, the trail can take two paths:

  1. 1.

    The differences \(\varDelta \alpha \) and \(\varDelta \beta \) cancel, thus only the words with bold lines are active,

  2. 2.

    The differences \(\varDelta \alpha \) and \(\varDelta \beta \) do not cancel and there are additional active words depicted with red lines.

We further show how to choose optimal \(\varDelta \alpha \) and \(\varDelta \beta \) and how to detect the cancellation.

Fig. 3.
figure 3

Differential trail used in the attack. The black bold lines denote active state words. The red lines denote active words when \(\varDelta \alpha \) and \(\varDelta \beta \) do not cancel in \(S_8\).

Full size image

Choosing Plaintext Differences \({\varvec{\varDelta \alpha }}\) and \({\varvec{\varDelta \beta }}\) . For an arbitrary difference \(\varDelta \alpha \) in the plaintext \(P_0\), the difference \(\varDelta \beta \) in the plaintext \(P_1\) should be chosen such that it will cancel \(\varDelta \alpha \) and thus will avoid activating the state \(S_8\). Therefore, \(\varDelta \alpha \) and \(\varDelta \beta \) are chosen so that the cancellation can occur with a high probability – this happens when \(\varDelta \alpha \) has only one active byte. Let \(\alpha \) and \(\beta \) be the input and output difference transition of the S-Box, i.e., \(\alpha \) changes to \(\beta \) with a probability \(2^{-6}\). Then, \(\varDelta \alpha \) and \(\varDelta \beta \) are defined as

$$\begin{aligned} \varDelta \alpha&= (\alpha ,0,0,0, \ 0,0,0,0, \ 0,0,0,0, \ 0,0,0,0), \\ \varDelta \beta&= \mathtt{MixColumns} \circ \mathtt{ShiftRows}(\beta ,0,0,0, \ 0,0,0,0, \ 0,0,0,0, \ 0,0,0,0), \end{aligned}$$

and thus \(\varDelta \alpha \) after \(\mathtt{AES} _{0}\) will change to \(\varDelta \beta \) with probability \(2^{-6}\). We note that the difference \(\alpha \) can be located in any of the 16 bytes of the state.

Detecting the Cancellation Between \(\varvec{\varDelta \alpha }\) and \(\varvec{\varDelta \beta }\) . We can detect if the cancellation occurred by observing the differences in the ciphertexts \(C_i\) (or equivalently, the difference in the key streams \(R_i\)) after eight rounds. There are two cases:

  • Cancellation occurred. From the trail on Fig. 3, it follows that the difference \(\varDelta R_8\oplus \varDelta R_7\) is obtained when \(\varDelta R_7\) goes through one \(\mathtt{AES} _{0}\) round. It means that the difference in each of the 16 bytes of \(\varDelta R_7\) can be matched through the S-Box with the corresponding differences in the bytes of \(\mathtt{ShiftRows}^{-1} \circ \mathtt{MixColumns}^{-1}(\varDelta R_8\oplus \varDelta R_7)\). We note that the probability of matching is one.

  • Cancellation did not occurred. If the cancellation did not occur, then there are additional state words with differences (depicted with red lines in Fig. 3). In this case, \(\varDelta R_8\oplus \varDelta R_7\) is obtained when \(\varDelta R_7 \oplus \varDelta X\) (where \(\varDelta X\) is the non-zero difference in \(S_6\)) goes through \(\mathtt{AES} _{0}\). In contrast to the above case, now \(\varDelta R_7\) and \(\mathtt{ShiftRows}^{-1} \circ \mathtt{MixColumns}^{-1}(\varDelta R_8\oplus \varDelta R_7)\) can be matched through the S-Box only with some probability lower than one.

Two randomly chosen differences can be matched through the S-Box with a probability \(127/256\approx 2^{-1}\). Without loss of generality, we can assume that \(\varDelta X\) is active in all 16 bytesFootnote 2. Therefore, when \(\varDelta \alpha \) and \(\varDelta \beta \) cancel, the probability of a 16-byte match is 1, however, when they do not cancel, then the probability drops to \(2^{-16}\). As a result, we can easily distinguish the above two cases, by analyzing \(\varDelta R_7\) and \(\varDelta R_8\).

Fig. 4.
figure 4

Extending the previous trail for 4 additional rounds.

Full size image

The same distinguishing method can be applied to 4 additional rounds (see Fig. 4). This way, we can increase the probability of distinguishing the two cases, and end up with a very low probability of matching differences through S-Boxes in the case when \(\varDelta \alpha \) and \(\varDelta \beta \) do not cancel. As we apply it to five rounds, the probability becomes \(2^{-5\cdot 16} = 2^{-80}\).

3.2 Recovery of State Words

Assume that \(\varDelta \alpha \) and \(\varDelta \beta \) have canceled (as demonstrated above, we can single out the case when they cancel). It means that we have the input difference \(\varDelta R_7\) and the output difference \(\varDelta R_8 \oplus \varDelta R_7\) of an active \(\mathtt{AES} _{0}\) for the word \(S_7\), i.e., \(\mathtt{SubBytes}(\varDelta R_7) = \mathtt{ShiftRows}^{-1} \circ \mathtt{MixColumns}^{-1}(\varDelta R_8\oplus \varDelta R_7)\). As in \(S_7\), all 16 bytes are active (with a probability very close to 1), we can easily find the values of the individual bytes by the well-known method of solving 16 differential equations of the form \(\mathsf S (x \oplus \varDelta _{input}) \oplus \mathsf S (x) = \varDelta _{output}\) that come from the system using S-Box S. Each such equation on average has two solutions, because if \(x\) is a solution, then \(x \oplus \varDelta _{input}\) is also a solution. To find a single solution for each byte, we repeat once the recovery for different \(\varDelta \alpha \) and \(\varDelta \beta \). As a result, we can recover the value of \(S_7\) at round 8 of the encryption.

Using the very same method, we can recover \(S_7\) at rounds 9, 10, 11 and 12. For instance, for round 9, the input (resp. output) difference of \(\mathtt{AES} _{0}\) is \(\varDelta R_7 \oplus \varDelta R_8\) (resp. \(\varDelta R_7 \oplus \varDelta R_8 \oplus \varDelta R_9\)). With the knowledge of the values of 5 consecutive \(S_7\), we can uniquely recover the values of \(S_6,S_5,S_4,S_3\) at round 8 by simple computation using those words. Let \(S_u^{vR}\) be the \(u\)-th variable of the state for round \(v\). For instance, \(S_6^{\mathrm {8R}}\) is computed by \(S_7^{\mathrm {8R}} \oplus \mathtt{AES} _{0}^{-1}(S_7^{\mathrm {9R}})\).

We can recover two more \(S_7\) words (of additional 2 rounds) if we shift the round where we apply the difference \(\varDelta \alpha \) and instead to \(P_0\) we introduce \(\varDelta \alpha \) at \(P_2\) and \(\varDelta \beta \) at \(P_3\). Hence, we will have the values of \(S_7\) for 7 consecutive rounds.

The state word \(S_8\) is different compared to the remaining seven words and it is not possible to recover it by using the above method. Nevertheless, we can still recover \(S_8\) at round 0 of the encryption based on the differences \(\varDelta \alpha \) and \(\varDelta \beta \), i.e., we can recover the active byte where the difference \(\varDelta \alpha \) is non-zero. By repeating the recovery with 16 different positions of active bytes, we can deduce the whole state word \(S_8\) at round 0. As \(S_8\) does not take feedback from any other word (but the plaintext), we can easily find the value of \(S_8\) at any round, including our target round 8. That is, with the knowledge of \(S_7\) of seven consecutive rounds (8, 9,...14) which can be deduced as shown above, and \(S_8\) at round 8, we can recover the full state at round 8.

3.3 The Attack

We now present the universal forgery attack. The goal of the attack is to produce a tag of an arbitrary plaintext. In our case, the attack works as long as the length of the plaintext is at least 16 blocks (240 bytes). Our forgery is based on a state recovery, i.e., if at some round the whole state is known, then the tag can easily be produced by performing the remaining operations of the finalization, and therefore it can be produced offline.

Let \(P_0,P_1,\ldots ,P_{14}\) be the first 15 blocks of the plaintext. Then, the forgery can be described with the following algorithm:

figure a

The first loop is used to recover \(S_8\), and to recover five \(S_7\), and the second to recover the remaining two \(S_7\). Note, each of the loops (the inner loop of the first loop) will produce two pairs, as the probability of the trail in the top (\(\varDelta \alpha \) will be canceled by \(\varDelta \beta \)) is \(2^{-6}\). In case no good trails with probability \(2^{-6}\) exist, the attacker can switch to ones with probability \(2^{-7}\) and run the loops \(2^8\) times. Furthermore, as we have seen from the previous analysis, a probability of false positives is very low (around \(2^{-80}\)).

From the algorithm, it follows that the time complexity of the attack is \(16\cdot 2^7 + 2^7 \approx 2^{11}\) computations. The data complexity is similar and comes in a form of chosen plaintexts. To solve efficiently the differential equations, the attack needs about \(2^{16}\) bytes in memory.

4 Practical Distinguisher for a Weak-Key Class of PAES

We continue our analysis by presenting a distinguisher for a class of \(2^{64}\) weak keys (out of \(2^{128}\) keys) in PAES-8. The distinguisher requires negligible time complexity and only a single pair of known plaintext-ciphertext and a chosen nonce. It exploits the lack of constants in the design and the symmetric properties of the keyless AES round function. Although we give the distinguisher for PAES-8, we note that a similar attack is applicable to the nonce-respecting mode PAES-4.

4.1 Symmetric Properties of the AES Round Function

We first recall the known symmetric property of the AES round function [7]. Namely, if a state is symmetric in the sense that its two halves are equal, then the keyless round function \(\mathtt{AES} _{0}\) of the AES maintains this property. We recall the property of [7] using block matrices, and we introduce the following more general notations:

$$\begin{aligned} U(A,B)= \left( \begin{array}{c|c} A &{} A\\ \hline B &{} B \end{array} \right) ,\qquad V(A,B)= \left( \begin{array}{c|c} A &{} B\\ \hline B &{} A \end{array} \right) ,\qquad W(A,B)= \left( \begin{array}{c|c} A &{} B\\ \hline A &{} B \end{array} \right) . \end{aligned}$$

Additionally, we denote by \(\mathcal U\), \(\mathcal V\) and \(\mathcal W\) the associated sets respectively for all possible values of the \(2\times 2\) block matrices \(A\) and \(B\). Finally, we denote \(M\) the constant MDS matrix used in the AES round function, and observe that:

$$\begin{aligned} M= \left( \begin{array}{cccc} 2 &{} 3 &{} 1 &{} 1 \\ 1 &{} 2 &{} 3 &{} 1 \\ 1 &{} 1 &{} 2 &{} 3 \\ 3 &{} 1 &{} 1 &{} 2 \end{array} \right) = \left( \begin{array}{c|c} M_{1} &{} M_{2} \\ \hline M_{2} &{} M_{1} \end{array} \right) = V(M_{1}, M_{2}) \in \mathcal V. \end{aligned}$$

Property 1

Let \(S\in \mathcal U\). Then, \(\mathtt{AES} _{0}(S)\in \mathcal U\).

Proof

Let \(S=U(A,B)\in \mathcal U\), and write the bytes in \(S\) as:

$$\begin{aligned} \left( \begin{array}{c|c} A &{} A\\ \hline B &{} B \end{array} \right) = \left( \begin{array}{cc|cc} x_{0} &{} x_{4} &{} x_{0} &{} x_{4} \\ x_{1} &{} x_{5} &{} x_{1} &{} x_{5} \\ \hline x_{2} &{} x_{6} &{} x_{2} &{} x_{6} \\ x_{3} &{} x_{7} &{} x_{3} &{} x_{7} \end{array} \right) . \end{aligned}$$

As the SubBytes operation applies the same bijection to all the bytes in the state, we ignore it here as it obviously preserves the structure. After the ShiftRows operation, the state becomes

$$\begin{aligned} \left( \begin{array}{cc|cc} x_{0} &{} x_{4} &{} x_{0} &{} x_{4} \\ x_{5} &{} x_{1} &{} x_{5} &{} x_{1} \\ \hline x_{2} &{} x_{6} &{} x_{2} &{} x_{6} \\ x_{7} &{} x_{3} &{} x_{7} &{} x_{3} \end{array} \right) \mathop {=}\limits ^{\text {def}} \left( \begin{array}{c|c} A' &{} A' \\ \hline B' &{} B' \end{array} \right) , \end{aligned}$$

thus it still belongs to \(\mathcal U\). Then, the MixColumns operation results in:

$$\begin{aligned}&\left( \begin{array}{cccc} 2 &{} 3 &{} 1 &{} 1 \\ 1 &{} 2 &{} 3 &{} 1 \\ 1 &{} 1 &{} 2 &{} 3 \\ 3 &{} 1 &{} 1 &{} 2 \end{array} \right) \times \left( \begin{array}{cccc} x_{0} &{} x_{4} &{} x_{0} &{} x_{4} \\ x_{5} &{} x_{1} &{} x_{5} &{} x_{1} \\ x_{2} &{} x_{6} &{} x_{2} &{} x_{6} \\ x_{7} &{} x_{3} &{} x_{7} &{} x_{3} \end{array} \right) = \left( \begin{array}{c|c} M_{1} &{} M_{2} \\ \hline M_{2} &{} M_{1} \end{array} \right) \times \left( \begin{array}{c|c} A' &{} A' \\ \hline B' &{} B' \end{array} \right) \\&\ \ \!\!= \left( \begin{array}{c|c} M_{1}A'\oplus M_{2}B' &{} M_{1}A'\oplus M_{2}B' \\ \hline M_{2}A'\oplus M_{1}B' &{} M_{2}A'\oplus M_{1}B' \end{array} \right) \mathop {=}\limits ^{\text {def}} \left( \begin{array}{c|c} A'' &{} A'' \\ \hline B'' &{} B'' \end{array} \right) \in \mathcal U. \end{aligned}$$

   \(\square \)

Property 2

Let \(S\in \mathcal W\). Then, \(\mathtt{AES} _{0}(S)\in \mathcal V\), and \(\mathtt{AES} _{0}(\mathtt{AES} _{0}(S))\in \mathcal W\).

Proof

Let \(S=W(A,B)\in \mathcal W\), and write the bytes in \(S\) as:

$$\begin{aligned} \left( \begin{array}{c|c} A &{} B\\ \hline A &{} B \end{array} \right) = \left( \begin{array}{cc|cc} x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{1} &{} x_{3} &{} x_{5} &{} x_{7} \\ \hline x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{1} &{} x_{3} &{} x_{5} &{} x_{7} \end{array} \right) . \end{aligned}$$

Again, we ignore the SubBytes operation as the applied bijection preserves the structure of the internal states. However, after the ShiftRows operation the state becomes:

$$\begin{aligned} \left( \begin{array}{cc|cc} x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{3} &{} x_{5} &{} x_{7} &{} x_{1} \\ \hline x_{4} &{} x_{6} &{} x_{0} &{} x_{2} \\ x_{7} &{} x_{1} &{} x_{3} &{} x_{5} \end{array} \right) \mathop {=}\limits ^{\text {def}} \left( \begin{array}{c|c} A' &{} B' \\ \hline B' &{} A' \end{array} \right) \in \mathcal V, \end{aligned}$$

which is transformed by the subsequent MixColumns transformation into the state:

$$\begin{aligned} \left( \begin{array}{c|c} M_{1} &{} M_{2} \\ \hline M_{2} &{} M_{1} \end{array} \right) \times \left( \begin{array}{c|c} A' &{} B' \\ \hline B' &{} A' \end{array} \right)&= \left( \begin{array}{c|c} M_{1}A'\oplus M_{2}B' &{} M_{1}B'\oplus M_{2}A' \\ \hline M_{2}A'\oplus M_{1}B' &{} M_{2}B'\oplus M_{1}A' \end{array} \right) \\&\mathop {=}\limits ^{\text {def}} \left( \begin{array}{c|c} A'' &{} B'' \\ \hline B'' &{} A'' \end{array} \right) \in \mathcal V. \end{aligned}$$

After applying a second keyless AES round, we get:

$$\begin{aligned} \left( \begin{array}{c|c} A'' &{} B'' \\ \hline B'' &{} A'' \end{array} \right) = \left( \begin{array}{cc|cc} y_{0} &{} y_{2} &{} y_{4} &{} y_{6} \\ y_{1} &{} y_{3} &{} y_{5} &{} y_{7} \\ \hline y_{4} &{} y_{6} &{} y_{0} &{} y_{2} \\ y_{5} &{} y_{7} &{} y_{1} &{} y_{3} \end{array} \right) \mathop {\longrightarrow }\limits ^\mathsf{SR } \left( \begin{array}{cc|cc} y_{0} &{} y_{2} &{} y_{4} &{} y_{6} \\ y_{3} &{} y_{5} &{} y_{7} &{} y_{1} \\ \hline y_{0} &{} y_{2} &{} y_{4} &{} y_{6} \\ y_{3} &{} y_{5} &{} y_{7} &{} y_{1} \end{array} \right) \mathop {=}\limits ^\mathsf{def } \left( \begin{array}{c|c} A''' &{} B''' \\ \hline A''' &{} B''' \end{array} \right) \in \mathcal W, \end{aligned}$$

and by the MixColumns:

$$\begin{aligned} \left( \begin{array}{c|c} M_{1} &{} M_{2} \\ \hline M_{2} &{} M_{1} \end{array} \right) \times \left( \begin{array}{c|c} A''' &{} B''' \\ \hline A''' &{} B''' \end{array} \right)&= \left( \begin{array}{c|c} M_{1}A'''\oplus M_{2}A''' &{} M_{1}B'''\oplus M_{2}B''' \\ \hline M_{2}A'''\oplus M_{1}A''' &{} M_{2}B'''\oplus M_{1}B''' \end{array} \right) \\&\mathop {=}\limits ^{\text {def}} \left( \begin{array}{c|c} A'''' &{} B'''' \\ \hline A'''' &{} B'''' \end{array} \right) \in \mathcal W, \end{aligned}$$

which concludes the proof.    \(\square \)

Finally, we can represent the action of the keyless AES round function \(\mathtt{AES} _{0}\) on the three sets \(\mathcal U\), \(\mathcal V\) and \(\mathcal W\) as follows on Fig. 5.

Fig. 5.
figure 5

Action of \(\mathtt{AES} _{0}\) of the symmetrical states from \(\mathcal U\), \(\mathcal V\) and \(\mathcal W\).

Full size image

4.2 Symmetric Properties of the PAES Transformations

Along with \(\mathtt{AES} _{0}\), PAES uses a few more transformations, in particular, the XOR and the linear transformation \(L\). We investigate here how these two transformations preserve the class belongings.

Property 3

Let \(\mathcal X\) be either \(\mathcal U\), \(\mathcal V\) or \(\mathcal W\), and let \(S_1,S_2\in \mathcal X\). Then, \(S_1 \oplus S_2 \in \mathcal X\).

Proof

Let \(S_1=U(A_1,B_1), S_2 = U(A_2,B_2)\in \mathcal U\). Then:

$$\begin{aligned} S_1\oplus S_2 = \left( \begin{array}{c|c} A_1 &{} A_1\\ \hline B_1 &{} B_1 \end{array} \right) \oplus \left( \begin{array}{c|c} A_2 &{} A_2\\ \hline B_2 &{} B_2 \end{array} \right) = \left( \begin{array}{c|c} A_1\oplus A_2 &{} A_1\oplus A_2\\ \hline B_1\oplus B_2 &{} B_1\oplus B_2 \end{array} \right) \in \mathcal U. \end{aligned}$$

The cases for \(\mathcal V\) and \(\mathcal W\) can be proven similarly.    \(\square \)

Property 4

Let \(S\in \mathcal W\). Then, \(L(S)\in \mathcal W\).

Proof

Let \(S=W(A,B)\in \mathcal W\), and write the bytes in \(S\) as:

$$\begin{aligned} S = \left( \begin{array}{c|c} A &{} B\\ \hline A &{} B \end{array} \right) = \left( \begin{array}{cc|cc} x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{1} &{} x_{3} &{} x_{5} &{} x_{7} \\ \hline x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{1} &{} x_{3} &{} x_{5} &{} x_{7} \end{array} \right) . \end{aligned}$$

Then:

$$\begin{aligned} L(S) = L\left( \begin{array}{cc|cc} x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{1} &{} x_{3} &{} x_{5} &{} x_{7} \\ \hline x_{0} &{} x_{2} &{} x_{4} &{} x_{6} \\ x_{1} &{} x_{3} &{} x_{5} &{} x_{7} \end{array} \right) = \left( \begin{array}{cc|cc} x_{2} &{} ~~x_{4} ~&{} ~x_{6} \oplus x_{0} &{} ~~x_{0} \\ x_{3} &{} ~~x_{5} ~&{} ~x_{7} \oplus x_{1} &{} ~~x_{1} \\ \hline x_{2} &{} ~~x_{4} ~&{} ~x_{6} \oplus x_{0} &{} ~~x_{0} \\ x_{3} &{} ~~x_{5} ~&{} ~x_{7} \oplus x_{1} &{} ~~x_{1} \end{array} \right) \in \mathcal W. \end{aligned}$$

   \(\square \)

4.3 The Distinguisher

To distinguish PAES, we use the first ciphertext \(C_0\) produced during the encryption of an arbitrary plaintext \(P_0\) with a secret key \(K\in \mathcal W\) and nonce \(N\in \mathcal W\). The key \(K\) can be any of such \(2^{64}\) keys (the first two rows equal to the second two rows), and the same structure holds for the nonce \(N\).

We first inspect how the state words \(S_1,S_2,\ldots ,S_8\) change the class belongings (either \(\mathcal W\) or \(\mathcal V\)) from the very first to the last steps of the initialization phase:

  • \(K,N\in \mathcal W\). By Properties 3 and 4 \(S_1,S_2,\ldots ,S_8\in \mathcal W\) after the initial assignments in the initialization.

  • After the first update. By Property 3, the XORs do not change the class belongings, thus each \(S_6,S_7,S_8\) stay in \(\mathcal W\) after the XORs at the top of the \(StateUpdate\). Further, according to the Property 2, \(\mathtt{AES} _{0}\) changes the class from \(\mathcal W\) to \(\mathcal V\). Consequently, at the end of the first update, \(S_i\in \mathcal V, i = 1,\ldots ,8\).

  • The second update is similar to the previous one, but this time the class of \(S_i\) changes to \(\mathcal W\).

  • \(\ldots \)

  • After the tenth update. The classes of all \(S_i\) are \(\mathcal W\).

  • After the XORs of the key. As each \(S_i\) is in \(\mathcal W\) and the key is in \(\mathcal W\), by Property 3, it follows that each \(S_i\) will be in \(\mathcal W\).

We now focus on the production of the ciphertext \(C_0\). Obviously, \(tmp=S_7 =W(A_1,B_1)\in \mathcal W\) and after the application of the \(StateUpdate\), \(S_7 =V(A_2,B_2)\in \mathcal V\) by Property 2. Thus, from the definition of the ciphertext \(C_0 = P_0 \oplus tmp \oplus S_7\), we get:

$$\begin{aligned} C_0 \oplus P_0 = \left( \begin{array}{c|c} A_1 &{} B_1\\ \hline A_1 &{} B_1 \end{array} \right) \oplus \left( \begin{array}{c|c} A_2 &{} B_2\\ \hline B_2 &{} A_2 \end{array} \right) = \left( \begin{array}{c|c} A_1\oplus A_2 &{} B_1\oplus B_2\\ \hline A_1\oplus B_2 &{} B_1\oplus A_2 \end{array} \right) = \left( \begin{array}{c|c} X &{} Z\\ \hline Y &{} T \end{array} \right) . \end{aligned}$$

Obviously \(X\oplus Y \oplus Z \oplus T = 0\), hence the xor of the four 32-bit blocks of the first ciphertext and plaintext must result in a zero block. Therefore, we have a distinguisher which requires negligible complexity and only a single block of plaintext/ciphertexts to distinguish PAES when instantiated with any of the \(2^{64}\) keys and nonces from the class \(\mathcal W\). We note that our computer simulation confirmed the correctness of the distinguisher.

5 Conclusion

We have shown two practical attacks on the CAESAR candidate PAES: a universal forgery attack and a distinguisher, which contradict the security claims of this authenticated encryption scheme.

Our analysis gives insights into possible misuses of the AES round function. Although this transformation per se provides excellent resistance against differential and linear attacks (once it has been iterated several times), by no means it is sufficient proof of security against all attacks. The designs based on the round function that does not apply any constants, as we have seen on the example of our distinguisher and the chosen-key rotational distinguisher [10] of PAES, are susceptible to attacks that exploit the symmetry of the AES transformations. Consequently, using random constants in such designs should be taken as a requirement to destroy those symmetric behaviors. Furthermore, as our forgery attack shows, evaluating the differential properties in a straightforward manner (providing the best in terms of probability differential characteristic), does not guarantee security against differential attacks in the nonce-repeating mode.

We would also like to emphasize the importance of the technique used in the forgery attack on the nonce-repeating mode. Due to the mode and the attack framework, there is no need to provide a valid tag at the beginning of the attack (forgery or state recovery). Hence the attacker can focus only on finding a differential characteristic that will leak differences in state words sufficient for recovery based on solving differential equations. The characteristic does not necessarily need to hold with a high probability, but for the forgery on PAES this was required in the first two rounds only because there was an alternative path that does not permit state recovery. In general, the probability of the characteristic is irrelevant, however, it is important for the characteristic to leak input and output differences of non-linear operations which subsequently will be used to recover the state bits. We believe that this technique (improved or modified variants) can be a valuable approach for cryptanalysis of other CAESAR submissions and authenticated encryption schemes.