Practical Forgeries and Distinguishers against PAES

We present two practical attacks on the CAESAR candidate PAES. The rst attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving di erential equations for the S-Box leaked through the ciphertext that arise when the plaintext has a certain di erence. We show that to produce the forgery based on this method the attacker needs only 211 time and data. The second attack is a distinguisher for 264 out of 2128 keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES. key words: PAES · universal forgery · distinguisher · symmetric property · authenticated encryption