论文信息 - Practical Cryptanalysis of PAES

Practical Cryptanalysis of PAES

We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-box leaked throught the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only \(2^{11}\) time and data. The second attack is a distinguisher for \(2^{64}\) out of \(2^{128}\) keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.

Yu Sasaki | Lei Wang | Jérémy Jean | Ivica Nikolic

[1] Phong Q. Nguyen,et al. Advances in Cryptology – EUROCRYPT 2013 , 2013, Lecture Notes in Computer Science.

[2] Vincent Rijmen,et al. The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[3] Yvo Desmedt,et al. Complementation-Like and Cyclic Properties of AES Round Functions , 2004, AES Conference.

[4] D. McGrew,et al. The Galois/Counter Mode of Operation (GCM) , 2005 .

[5] Simon Heron,et al. Encryption: Advanced Encryption Standard (AES) , 2009 .

[6] John Viega,et al. The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[7] Jérémy Jean,et al. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting , 2013, IACR Cryptol. ePrint Arch..

[8] Vincent Rijmen,et al. The Design of Rijndael , 2002, Information Security and Cryptography.