The Sponge function is known to achieve 2 security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a min{2, 2} security bound, with κ the key length. Similarly, many CAESAR competition submissions are designed to comply with the classical 2 security bound. We show that Spongebased constructions for authenticated encryption ...

ion Latin Caesar Caesar caesar, emperor English Bismarck Bismarck great statesman

Shall We Kill or Enslave Caesar? Analyzing the Caesar Model When a society overthrows a ruler – call the ruler Caesar – what determines whether Caesar is killed or enslaved? This paper presents a model of killing versus enslaving Caesar, based on a new theory which unifies justice, status, and power. The model pertains to societies which value ordinal goods like bravery, yielding predictions fo...

JAMBU is an AEAD mode of operation which entered the third round of CAESAR competition. However, it does not have a security proof like other modes of operation do, and there was a cryptanalysis result that has overthrown the security claim under nonce misuse case by the designers. In this paper, we complement the shortage of the scheme by giving security proofs of JAMBU both under nonce respec...

PAES is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PAES-8, which is one of the designs of the PAES-family, provides 128-bit security in the nonce misuse model. In this note, we show our forgery attack against PAES-8. Our attack works in the nonce misuse model. The attack exploits the slow propagation of message dif...

Sablier is an authenticated encryption cipher submitted to the CAESAR competition, which is composed of the encryption Sablier v1 and the authentication Au. In this work we present a state recovery attack against the encryption Sablier v1 with time complexity about 2 operations and data complexity about 24 of 16-bit keywords. Our attack is practical in the workstation. It is noticed that the up...

We explore the feasibility of applying SAT solvers to optimizing implementations of small functions such as S-boxes for multiple optimization criteria, e.g., the number of nonlinear gates and the number of gates. We provide optimized implementations for the S-boxes used in Ascon, ICEPOLE, Joltik/Piccolo, Keccak/Ketje/Keyak, LAC, Minalpher, PRIMATEs, Prøst, and RECTANGLE, most of which are candi...

LAC is one of the candidates to the CAESAR competition. In this paper we present a differential forgery attack on LAC. We study the collection of characteristics following a fixed truncated characteristic, in order to obtain a lower bound on the probability of a differential. We show that some differentials have a probability higher than 2−64, which allows a forgery attack on the full LAC. This...

PANDA is an authenticated encryption scheme designed by Ye et al., and submitted to the CAESAR competition. The designers claim that PANDA-s, which is one of the designs of the PANDA-family, provides 128-bit security in the nonce misuse model. In this note, we describe our forgery attack against PANDA-s. Our attack works in the nonce misuse model. It exploits the fact that the message processin...

Abstract. The software performance of cryptographic schemes is an important factor in the decision to include such a scheme in real-world protocols like TLS, SSH or IPsec. In this paper, we develop a benchmarking framework to perform software performance measurements on authenticated encryption schemes. In particular, we apply our framework to independently benchmark the 29 remaining 2nd round ...