Practical Forgeries and Distinguishers against PAES

We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-Box leaked thr...

Full description

Saved in:
Bibliographic Details
Main Authors: Jean, Jérémy, Nikolic, Ivica, Sasaki, Yu, Wang, Lei
Other Authors: School of Physical and Mathematical Sciences
Format: Article
Language:English
Published: 2016
Subjects:
Online Access:https://hdl.handle.net/10356/82018
http://hdl.handle.net/10220/39784
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Nanyang Technological University
Language: English
Description
Summary:We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 211 time and data. The second attack is a distinguisher for 264 out of 2128 keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.