Practical Forgeries and Distinguishers against PAES

We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-Box leaked thr...

Bibliographic Details
Main Authors: Jean, Jérémy, Nikolic, Ivica, Sasaki, Yu, Wang, Lei
Other Authors: School of Physical and Mathematical Sciences
Format: Article
Language: English
Published: 2016
Online Access: https://hdl.handle.net/10356/82018
http://hdl.handle.net/10220/39784
Institution: Nanyang Technological University
id sg-ntu-dr.10356-82018
record_format dspace
spelling sg-ntu-dr.10356-82018 2020-11-01T05:25:54Z
Practical Forgeries and Distinguishers against PAES
Jean, Jérémy; Nikolic, Ivica; Sasaki, Yu; Wang, Lei
School of Physical and Mathematical Sciences; Lee Kong Chian School of Medicine (LKCMedicine)
PAES; Universal forgery; Distinguisher; Symmetric property; Authenticated encryption
We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 2^11 time and data. The second attack is a distinguisher for 2^64 out of 2^128 keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.
NRF (Natl Research Foundation, S'pore)
Published version
2016-01-26T03:35:43Z 2019-12-06T14:44:48Z 2016-01-26T03:35:43Z 2019-12-06T14:44:48Z
2016 Journal Article
Jean, J., Nikolic, I., Sasaki, Y., & Wang, L. (2016). Practical Forgeries and Distinguishers against PAES. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E99.A(1), 39-48.
0916-8508
https://hdl.handle.net/10356/82018
http://hdl.handle.net/10220/39784
10.1587/transfun.E99.A.39
en
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
© 2016 Institute of Electronics, Information and Communication Engineers. This paper was published in IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences and is made available as an electronic reprint (preprint) with permission of Institute of Electronics, Information and Communication Engineers. The published version is available at: [http://dx.doi.org/10.1587/transfun.E99.A.39]. One print or electronic copy may be made for personal use only. Systematic or multiple reproduction, distribution to multiple locations via electronic or other means, duplication of any material in this paper for a fee or for commercial purposes, or modification of the content of the paper is prohibited and is subject to penalties under law.
10 p. application/pdf
institution Nanyang Technological University
building NTU Library
continent Asia
country Singapore
content_provider NTU Library
collection DR-NTU
language English
topic PAES
Universal forgery
Distinguisher
Symmetric property
Authenticated encryption