TY - JOUR
ID - 100988
TI - Investigation of Some Attacks on GAGE (v1), InGAGE (v1), (v1.03), and CiliPadi (v1) Variants
JO - The ISC International Journal of Information Security
JA - ISECURE
LA - en
SN - 2008-2045
AU - Mahmoudzadeh Niknam, Majid
AU - Sadeghi, Sadegh
AU - Aref, Mohammad Reza
AU - Bagheri, Nasour
AD - Kharazmi University
AD - Sharif University of Technology
AD - SRTTU
Y1 - 2020
PY - 2020
VL - 12
IS - 1
SP - 13
EP - 23
KW - NIST lightweight cryptography competition
KW - GAGE
KW - InGAGE
KW - Preimage attack
KW - confidentialityŁ IntegrityŁ MILP
KW - CiliPadi
DO - 10.22042/isecure.2020.199099.480
N2 - In this paper, we present some attacks on GAGE, InGAGE, and CiliPadi which are candidates of the first round of the NIST-LWC competition. GAGE and InGAGE are lightweight sponge based hash function and Authenticated Encryption with Associated Data (AEAD), respectively and support different sets of parameters. The length of hash, key, and tag are always 256, 128, and 128 bits, respectively. We show that the security bounds for some variants of its hash and AEAD are less than the designers' claims. For example, the designers' security claim of preimage attack for a hash function when the rate is 128 bits and the capacity is $256$ bits, is 2^{256}, however, we show that the security of preimage for this parameter set is 2^{128}. Also, the designer claimed security of confidentiality for an AEAD, when the rate is 8 bits and the capacity is 224 bits, is 2^{116}, however, we show the security of confidentiality for it is 2^{112$. We also investigate the structure of the permutation used in InGAGE and present an attack to recover the key for reduced rounds of a variant of InGAGE. In an instance of AEAD of InGAGE, when the rate is 8 bits and the capacity is 224 bits, we recover the key when the number of the composition of the main permutation with itself, i.e., r_{1}, is less than 8. We also show that CiliPadi is vulnerable to the length extension attack by presenting concrete examples of forged messages.
UR - http://www.isecure-journal.com/article_100988.html
L1 - http://www.isecure-journal.com/article_100988_9d69088b877cbe848d16d2788c40efee.pdf
ER -