Venue: International Conference on Information Security Practice and Experience

Collision Attacks on CAESAR Second-Round Candidate: ELmD


Abstract

In this paper, we study the security of the algorithm ELmD, which is a second-round candidate of the ongoing CAESAR competition for authenticated encryption. ELmD is a well-designed algorithm providing misuse resistance and full parallelism with security up to the birthday bound O(2^(n/2)). Our work gives some attacks with complexity around the birthday bound, which do not violate the provable security but are still meaningful for academic interest and a comprehensive understanding of the security of the algorithm. In our work, we first show how to recover the secret masking values with birthday-bound complexity when the length of the associated data is either variable or fixed, and then present a plaintext recovery attack after knowing the masks, which breaks the designers' security claim of 128-bit security against plaintext recovery attacks. Furthermore, we give an existential forgery attack by constructing two colliding associated data and present an almost universal forgery attack when two consecutive ciphertext blocks are equal. Finally, since 4-round AES is always used as the underlying primitive for provable security with at least 25 active S-boxes, we consider the security of ELmD(4,4) by providing a differential attack using a differential trail with high probability, to recover the key with time complexity between 2^106 and 2^109. Although the key recovery attack is largely constrained by the data limitation, it shows some security properties of the reduced-round algorithm.
