Improved Rebound Attacks on AESQ: Core Permutation of CAESAR Candidate PAEQ

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9723)


In this paper, we present improved rebound attacks against the AESQ permutation, the underlying permutation of the PAEQ authenticated encryption scheme, which is currently under discussion in the second round of the CAESAR competition. AESQ is an AES-based permutation. The designers claim that no attack should be found with complexity up to \(2^{256}\), and they have shown a rebound attack against 12 (out of 20) rounds with \(2^{256}\) computational cost and \(2^{256}\) memory. In this paper, we present the first third-party cryptanalysis of AESQ. First, we reduce the complexity of the 12-round attack to \(2^{128}\) computational cost and negligible memory. We then extend the number of rounds and present a 16-round attack with \(2^{192}\) computational cost and \(2^{128}\) memory. Moreover, we discuss time-memory tradeoffs and multiple limited birthday distinguishers. In particular, the time-memory tradeoff is useful for the 12-round attack, where it allows us to balance the time and memory complexities to \(2^{102.4}\).


CAESAR, PAEQ, AESQ, Permutation, Authenticated encryption, Rebound attack



The authors would like to thank the organizers and the participants of ASK 2015 that initiated this work. Part of this work was done while Florian Mendel was visiting NTU and has been supported in part by the Austrian Science Fund (project P26494-N15).



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. IPM, SRTTU, Tehran, Iran
  2. Graz University of Technology, Graz, Austria
  3. NTT Secure Platform Laboratories, Tokyo, Japan
