Key Recovery Attacks on Recent Authenticated Ciphers

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8895)


In this paper, we cryptanalyze three authenticated ciphers: AVALANCHE, Calico, and RBS. While the former two are contestants in the ongoing international CAESAR competition for authenticated encryption schemes, the latter has recently been proposed for lightweight applications such as RFID systems and wireless networks.

All these schemes use well-established and secure components such as the AES, Grain-like NFSRs, ChaCha and SipHash as their building blocks. However, we discover key recovery attacks for all three designs, featuring square-root complexities. Using a key collision technique, we can recover the secret key of AVALANCHE in \(2^{n/2}\), where \(n\in \{128,192,256\}\) is the key length. This technique also applies to the authentication part of Calico whose 128-bit key can be recovered in \(2^{64}\) time. For RBS, we can recover its full 132-bit key in \(2^{65}\) time with a guess-and-determine attack. All attacks also allow the adversary to mount universal forgeries.


Keywords: Authenticated encryption, CAESAR, Key collision, Guess-and-determine, Universal forgery, AVALANCHE, Calico, RBS



The work has been supported in part by the Austrian government through the research program FIT-IT Trust in IT Systems (project 835919) and by the Austrian Science Fund (project P26494-N15).



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. DTU Compute, Technical University of Denmark, Kongens Lyngby, Denmark
  2. IAIK, Graz University of Technology, Graz, Austria
