Forgery Attacks on Round-Reduced ICEPOLE-128
نویسندگان
چکیده
ICEPOLE is a family of authenticated encryptions schemes submitted to the ongoing CAESAR competition and in addition presented at CHES 2014. To justify the use of ICEPOLE, or to point out potential weaknesses, third-party cryptanalysis is needed. In this work, we evaluate the resistance of ICEPOLE-128 against forgery attacks. By using differential cryptanalysis, we are able to create forgeries from a known ciphertext-tag pair with a probability of 2−60.3 for a round-reduced version of ICEPOLE-128, where the last permutation is reduced to 4 (out of 6) rounds. This is a noticeable advantage compared to simply guessing the right tag, which works with a probability of 2−128. As far as we know, this is the first published attack in a nonce-respecting setting on round-reduced versions of ICEPOLE-128.
منابع مشابه
Practical State Recovery Attack on ICEPOLE
ICEPOLE is a CAESAR candidate which is claimed to have intermediate level of robustness under nonce reuse circumstances. In this report, we apply the differential-linear cryptanalysis to the ICEPOLE family and show that ICEPOLE is insecure when the nonce is reused. Under the nonce-misuse circumstances, there is differential-linear distinguishing attack on ICEPOLE with time and data complexity l...
متن کاملDifferential-Linear Cryptanalysis of ICEPOLE
ICEPOLE is a CAESAR candidate with the intermediate level of robustness under nonce misuse circumstances in the original document. In particular, it was claimed that key recovery attack against ICEPOLE is impossible in the case of nonce misuse. ICEPOLE is strong against the differential cryptanalysis and linear cryptanalysis. In this paper, we developed the differential-linear attacks against I...
متن کاملCryptanalysis of some first round CAESAR candidates
ΑΕS _ CMCCv₁, ΑVΑLΑNCHEv₁, CLΟCv₁, and SILCv₁ are four candidates of the first round of CAESAR. CLΟCv₁ is presented in FSE 2014 and SILCv₁ is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against ΑES _ CMCCv₁ with the complexity of two queries and the success ...
متن کاملCryptanalysis of Ascon
We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical keyrecovery attacks are possible for up to 6 rounds of init...
متن کاملUniversal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm
In this paper, we provide a security analysis of ELmD: a block cipher based Encrypt-Linear-mix-Decrypt authentication mode. As being one of the second-round CAESAR candidate, it is claimed to provide misuse resistant against forgeries and security against blockwise adaptive adversaries as well as 128-bit security against key recovery attacks. We scrutinize ElmD in such a way that we provide uni...
متن کامل