Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Cryptanalysis of PRIMATEs

  • 8 Accesses


PRIMATEs is a family of authenticated encryption design submitted to competition for authenticated encryption: security, applicability, and robustness. The three modes of operation in PRIMATEs family are: APE, HANUMAN, GIBBON with security levels: 80, 120 bits. APE is robust despite the nonce misusing. In this study, we revise the algebraic model and find new integral distinguishers for both PRIMATE permutation and its inverse permutation. Moreover, we construct a zero-sum distinguisher for full 12-round PRIMATE-80/120 permutation with the 2100/2105 complexity, improving over previous work. We also perform an integral attack on 8-round finalization of APE-80/120 with 230 chosen messages. The key recovery process is optimized using the FFT technique presented by Todo and Aoki. Our work is the best attack against APE, demonstrating the practical attack on 8-round finalization of APE-80. The new integral distinguishers apply to create forgeries on 5/6-round finalization of APE and HANUMAN that require 215/230 chosen messages, which is the first forgery attack against APE and HANUMAN.

This is a preview of subscription content, log in to check access.


  1. 1

    Rogaway P. Authenticated-encryption with associated-data. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), 2002. 98–107

  2. 2

    Bellare M, Namprempre C. Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, 2000. 531–545

  3. 3

    Jutla C. Encryption modes with almost free message integrity. In: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, 2001. 529–544

  4. 4

    Gligor V, Donescu P. Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Proceedings of International Workshop on Fast Software Encryption, 2002. 92–108

  5. 5

    Rogaway P, Bellare M, Black J, et al. OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Proceedings of ACM Transactions on Information and System Security (TISSEC), 2003. 365–403

  6. 6

    National Institute of Standards and Technology (NIST). Advanced encryption standard (AES). FIPS 197. https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf

  7. 7

    Dworkin M. Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D, 2007. https://www.govinfo.gov/content/pkg/GOVPUB-C13-1e1d0b2a761f50d919d892b9e020965b/pdf/GOVPUB-C13-1e1d0b2a761f50d919d892b9e020965b.pdf

  8. 8

    The CAESAR Committee. CAESAR: competition for authenticated encryption: security, applicability, and robustness. http://competitions.cr.yp.to/caesar.html

  9. 9

    Andreeva E, Bilgin B, Bogdanov A, et al. PRIMATEs v1.02: submission to the CAESAR competition. http://primates.ae/

  10. 10

    Saha D, Kuila S, Chowdhury D R. EscApe: diagonal fault analysis of APE. In: Proceedings of International Conference on Cryptology in India, 2014. 197–216

  11. 11

    Minaud B. Improved beer-recovery attack against APE. https://aezoo.compute.dtu.dk/doku.php?id=primates

  12. 12

    Morawiecki P, Pieprzyk J, Srebrny M, et al. Applications of key recovery cube-attack-like. 2015. http://eprint.iacr.org/2015/1009.pdf

  13. 13

    Lukas K, Daemen J. Cube attack on primates. Proc Rom Acad, 2017, 18: 293–306

  14. 14

    Todo Y, Aoki K. FFT key recovery for integral attack. In: Proceedings of International Conference on Cryptology and Network Security, 2014. 64–81

  15. 15

    Daemen J, Rijmen V. The wide trail design strategy. In: Proceedings of the 8th IMA International Conference on Cryptography and Coding, 2001. 222–238

  16. 16

    Daemen J, Rijmen V. The Design of Rijndael. Berlin: Springer, 2002

  17. 17

    Boura C, Canteaut A. A zero-sum proposition for the Keccak-f permutation with 18 rounds. In: Proceedings of IEEE International Symposium on Information Theory, 2010. 2488–2492

  18. 18

    Yang M H, Lai X J. The computational method of the algebraic degree of Boolean functions (in Chinese). In: Proceedings of Annual Meeting of Chinese Association for Cryptologic Research, 2009

  19. 19

    Aumasson J P, Meier W. Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. 2009. http://www.131002.net/data/papers/AM09.pdf

Download references


This work was supported by National Cryptography Development Fund (Grant No. MMJJ20170102), National Natural Science Foundation of China (Grant Nos. 61572293, 61502276, 61692276), Major Scientific and Technological Innovation Projects of Shandong Province (Grant No. 2017CXGC0704), National Natural Science Foundation of Shandong Province (Grant No. ZR2016FM22), and Open Research Fund from Shandong Provincial Key Laboratory of Computer Network (Grant No. SDKLCN-2017-04).

Author information

Correspondence to Wei Wang.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Li, Y., Wang, M., Liu, W. et al. Cryptanalysis of PRIMATEs. Sci. China Inf. Sci. 63, 112106 (2020). https://doi.org/10.1007/s11432-019-1507-1

Download citation


  • APE
  • integral distinguisher
  • key recovery attack
  • forgery