International Workshop on Selected Areas in Cryptography

SAC 2014: Selected Areas in Cryptography -- SAC 2014, pp. 228-242

Practical Cryptanalysis of PAES

  • Jérémy Jean
  • Ivica Nikolić
  • Yu Sasaki
  • Lei Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8781)

Abstract

We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and, in a nutshell, it is a state recovery based on solving differential equations for the S-box that are leaked through the ciphertext when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only \(2^{11}\) time and data. The second attack is a distinguisher for \(2^{64}\) out of \(2^{128}\) keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of PAES, which allows one to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.
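The second attack rests on a structural property of the AES round function without AddRoundKey and without constants: a state whose columns repeat with period 1 (all four columns equal, \(2^{32}\) states) or period 2 (columns 0 and 2 equal, columns 1 and 3 equal, \(2^{64}\) states) keeps that symmetry through SubBytes, ShiftRows and MixColumns, because SubBytes and MixColumns act column-wise and ShiftRows only rotates rows that are already periodic. The following is an added illustration, not code from the paper or from PAES; it computes the S-box on the fly instead of tabulating it, checks the round against the FIPS-197 worked example, and shows the symmetry surviving repeated keyless rounds. How the PAES initialization maps a key class to such states is in the paper and is not reproduced here.

```python
# Added example (not the paper's code): column symmetry of a keyless AES round,
# the structural fact behind the abstract's weak-key distinguisher.
# The S-box is computed (GF(2^8) inverse + affine map) to avoid a 256-entry table.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def sbox(x):
    """AES S-box: inverse in GF(2^8) (x^254, so 0 -> 0) followed by the affine map."""
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, x)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

def shift_rows(s):
    """Column-major 16-byte state (s[r + 4*c]); row r is rotated left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply every column by the fixed AES MixColumns matrix over GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out

def keyless_round(s):
    """One AES round with no AddRoundKey and no constant: SubBytes, ShiftRows, MixColumns."""
    return mix_columns(shift_rows([sbox(b) for b in s]))

def has_column_period(s, p):
    """True if column c equals column c+p for every c (p=1: 2^32 states, p=2: 2^64)."""
    col = lambda c: s[4 * (c % 4):4 * (c % 4) + 4]
    return all(col(c) == col(c + p) for c in range(4))

def symmetry_survives(s, p, rounds=10):
    """Apply keyless rounds; the round is a permutation that maps the period-p set
    onto itself, so symmetric input stays symmetric and asymmetric input never becomes so."""
    for _ in range(rounds):
        s = keyless_round(s)
        if not has_column_period(s, p):
            return False
    return True
```

Constructed inputs such as `[0x12, 0x34, 0x56, 0x78] * 4` (period 1) and an 8-byte pattern repeated twice (period 2) keep their symmetry for any number of rounds, while `list(range(16))` does not acquire it; a round key or round constant XORed into the state is what breaks this in ordinary AES.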

Keywords

PAES; Universal forgery; Distinguisher; Symmetric property; Authenticated encryption

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Jérémy Jean (1)
  • Ivica Nikolić (1)
  • Yu Sasaki (2)
  • Lei Wang (1)
  1. Nanyang Technological University, Singapore, Singapore
  2. NTT Secure Platform Laboratories, Tokyo, Japan