Practical State Recovery Attack on ICEPOLE

ICEPOLE is a CAESAR candidate which is claimed to have intermediate level of robustness under nonce reuse circumstances. In this report, we apply the differential-linear cryptanalysis to the ICEPOLE family and show that ICEPOLE is insecure when the nonce is reused. Under the nonce-misuse circumstances, there is differential-linear distinguishing attack on ICEPOLE with time and data complexity less than 2. Based on the differential-linear properties, we propose the state recovery attacks on all the three variants of the ICEPOLE family. The results show that it is possible to recover the 256 bits unknown state of ICEPOLE–128 and ICEPOLE–128a with practical complexity 2. And for ICEPOLE–256a, the complexity is 2. We experimentally verified the state recovery attack on ICEPOLE–128 and ICEPOLE–128a, and the unknown state can be recovered in a few days using a 64 cores server. 1 The ICEPOLE Authenticated Cipher The ICEPOLE family of authenticated ciphers includes three variants according to the parameters: ICEPOLE–128, ICEPOLE–128a and ICEPOLE–256a. The one with 128-bit secret message number, 128-bit key and 128-bit nonce is named ICEPOLE–128. And the other two variants do not have secret message number and are named ICEPOLE–128a and ICEPOLE–256a according to the key length. The length of nonce for these two variants is 96-bit. We will briefly describe the ICEPOLE authenticated cipher. The full specification can be found in [7]. And an overview of ICEPOLE–128 is provided in Figure 1.