Advances in Cryptology – ASIACRYPT 2011

Volume 7073 of the series Lecture Notes in Computer Science pp 308-326

Cryptanalysis of ARMADILLO2

  • Mohamed Ahmed AbdelraheemAffiliated withDepartment of Mathematics, Technical University of Denmark
  • , Céline BlondeauAffiliated withINRIA, project-team SECRET
  • , María Naya-PlasenciaAffiliated withFHNWUniversity of Versailles
  • , Marion VideauAffiliated withAgence nationale de la sécurité des systèmes d’informationUniversité Henri Poincaré-Nancy 1 / LORIA
  • , Erik ZennerAffiliated withUniversity of Applied Sciences


ARMADILLO2 is the recommended variant of a multipurpose cryptographic primitive dedicated to hardware which has been proposed by Badel et al. in [1]. In this paper, we describe a meet-in-the-middle technique relying on the parallel matching algorithm that allows us to invert the ARMADILLO2 function. This makes it possible to perform a key recovery attack when used as a FIL-MAC. A variant of this attack can also be applied to the stream cipher derived from the PRNG mode. Finally we propose a (second) preimage attack when used as a hash function. We have validated our attacks by implementing cryptanalysis on scaled variants. The experimental results match the theoretical complexities.

In addition to these attacks, we present a generalization of the parallel matching algorithm, which can be applied in a broader context than attacking ARMADILLO2.


ARMADILLO2 meet-in-the-middle key recovery attack preimage attack parallel matching algorithm