Cryptanalysis of PRIMATEs


PRIMATEs is a family of authenticated encryption design submitted to competition for authenticated encryption: security, applicability, and robustness. The three modes of operation in PRIMATEs family are: APE, HANUMAN, GIBBON with security levels: 80, 120 bits. APE is robust despite the nonce misusing. In this study, we revise the algebraic model and find new integral distinguishers for both PRIMATE permutation and its inverse permutation. Moreover, we construct a zero-sum distinguisher for full 12-round PRIMATE-80/120 permutation with the 2100/2105 complexity, improving over previous work. We also perform an integral attack on 8-round finalization of APE-80/120 with 230 chosen messages. The key recovery process is optimized using the FFT technique presented by Todo and Aoki. Our work is the best attack against APE, demonstrating the practical attack on 8-round finalization of APE-80. The new integral distinguishers apply to create forgeries on 5/6-round finalization of APE and HANUMAN that require 215/230 chosen messages, which is the first forgery attack against APE and HANUMAN.

This is a preview of subscription content, access via your institution.


  1. 1

    Rogaway P. Authenticated-encryption with associated-data. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), 2002. 98–107

    Google Scholar 

  2. 2

    Bellare M, Namprempre C. Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, 2000. 531–545

    Google Scholar 

  3. 3

    Jutla C. Encryption modes with almost free message integrity. In: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, 2001. 529–544

    Google Scholar 

  4. 4

    Gligor V, Donescu P. Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Proceedings of International Workshop on Fast Software Encryption, 2002. 92–108

    Google Scholar 

  5. 5

    Rogaway P, Bellare M, Black J, et al. OCB: a block-cipher mode of operation for efficient authenticated encryption. In: Proceedings of ACM Transactions on Information and System Security (TISSEC), 2003. 365–403

    Google Scholar 

  6. 6

    National Institute of Standards and Technology (NIST). Advanced encryption standard (AES). FIPS 197.

  7. 7

    Dworkin M. Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D, 2007.

    Google Scholar 

  8. 8

    The CAESAR Committee. CAESAR: competition for authenticated encryption: security, applicability, and robustness.

  9. 9

    Andreeva E, Bilgin B, Bogdanov A, et al. PRIMATEs v1.02: submission to the CAESAR competition.

  10. 10

    Saha D, Kuila S, Chowdhury D R. EscApe: diagonal fault analysis of APE. In: Proceedings of International Conference on Cryptology in India, 2014. 197–216

    Google Scholar 

  11. 11

    Minaud B. Improved beer-recovery attack against APE.

  12. 12

    Morawiecki P, Pieprzyk J, Srebrny M, et al. Applications of key recovery cube-attack-like. 2015.

    Google Scholar 

  13. 13

    Lukas K, Daemen J. Cube attack on primates. Proc Rom Acad, 2017, 18: 293–306

    MathSciNet  Google Scholar 

  14. 14

    Todo Y, Aoki K. FFT key recovery for integral attack. In: Proceedings of International Conference on Cryptology and Network Security, 2014. 64–81

    Google Scholar 

  15. 15

    Daemen J, Rijmen V. The wide trail design strategy. In: Proceedings of the 8th IMA International Conference on Cryptography and Coding, 2001. 222–238

    Google Scholar 

  16. 16

    Daemen J, Rijmen V. The Design of Rijndael. Berlin: Springer, 2002

    Google Scholar 

  17. 17

    Boura C, Canteaut A. A zero-sum proposition for the Keccak-f permutation with 18 rounds. In: Proceedings of IEEE International Symposium on Information Theory, 2010. 2488–2492

    Google Scholar 

  18. 18

    Yang M H, Lai X J. The computational method of the algebraic degree of Boolean functions (in Chinese). In: Proceedings of Annual Meeting of Chinese Association for Cryptologic Research, 2009

    Google Scholar 

  19. 19

    Aumasson J P, Meier W. Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. 2009.

    Google Scholar 

Download references


This work was supported by National Cryptography Development Fund (Grant No. MMJJ20170102), National Natural Science Foundation of China (Grant Nos. 61572293, 61502276, 61692276), Major Scientific and Technological Innovation Projects of Shandong Province (Grant No. 2017CXGC0704), National Natural Science Foundation of Shandong Province (Grant No. ZR2016FM22), and Open Research Fund from Shandong Provincial Key Laboratory of Computer Network (Grant No. SDKLCN-2017-04).

Author information



Corresponding author

Correspondence to Wei Wang.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Li, Y., Wang, M., Liu, W. et al. Cryptanalysis of PRIMATEs. Sci. China Inf. Sci. 63, 112106 (2020).

Download citation


  • APE
  • integral distinguisher
  • key recovery attack
  • forgery