
Gain: Practical Key-Recovery Attacks on Round-reduced PAEQ


Abstract

This work presents practical key-recovery attacks on round-reduced variants of CAESAR Round 2 candidate PAEQ by analyzing it in the light of guess-and-determine analysis. The attack developed here targets the mode of operation along with diffusion inside the AES-based internal permutation AESQ. The first attack uses a guess-and-invert technique leading to a meet-in-the-middle attack that is able to recover the key for 6 out of the 20 rounds of paeq-64/80/128 with reduced key entropy of $1$, $2^{16}$ and $2^{32}$ respectively. The second analysis extends the attack to 7 rounds using an invert-and-guess strategy, which results in a reduced key-space of $2^{24}$, $2^{32}$ and $2^{40}$ for the same PAEQ variants. Finally, an 8-round attack is mounted using a guess-invert-guess strategy, which works on any of the three variants with a complexity of $2^{48}$. Moreover, unlike the CICO attack mounted by the designers, which works with only AESQ, our 8-round attack additionally takes into account the mode of operation of PAEQ.