Iranian Society of CryptologyThe ISC International Journal of Information Security2008-204512120200101Investigation of Some Attacks on GAGE (v1), InGAGE (v1), (v1.03), and CiliPadi (v1) Variants132310098810.22042/isecure.2020.199099.480ENMajidMahmoudzadeh NiknamKharazmi UniversitySadeghSadeghiKharazmi UniversityMohammad RezaArefSharif University of TechnologyNasourBagheriSRTTU0000-0002-6818-5342Journal Article20190824In this paper, we present some attacks on GAGE, InGAGE, and CiliPadi which are candidates of the first round of the NIST-LWC competition.<br /> <br /> GAGE and InGAGE are lightweight sponge based hash function and Authenticated Encryption with Associated Data (AEAD), respectively and support different sets of parameters. The length of hash, key, and tag are always 256, 128, and 128 bits, respectively. We show that the security bounds for some variants of its hash and AEAD are less than the designers' claims. For example, the designers' security claim of preimage attack for a hash function when the rate is 128 bits and the capacity is $256$ bits, is 2^{256}, however, we show that the security of preimage for this parameter set is 2^{128}. Also, the designer claimed security of confidentiality for an AEAD, when the rate is 8 bits and the capacity is 224 bits, is 2^{116}, however, we show the security of confidentiality for it is 2^{112$. <br /> <br /> We also investigate the structure of the permutation used in InGAGE and present an attack to recover the key for reduced rounds of a variant of InGAGE. In an instance of AEAD of InGAGE, when the rate is 8 bits and the capacity is 224 bits, we recover the key when the number of the composition of the main permutation with itself, i.e., r_{1}, is less than 8.<br /> <br /> We also show that CiliPadi is vulnerable to the length extension attack by presenting concrete examples of forged messages.http://www.isecure-journal.com/article_100988_9d69088b877cbe848d16d2788c40efee.pdf