Investigation of Some Attacks on GAGE (v1), InGAGE (v1), (v1.03), and CiliPadi (v1) Variants

Document Type: ORIGINAL RESEARCH PAPER

Authors

1 Kharazmi University

2 Sharif University of Technology

3 SRTTU

10.22042/isecure.2020.199099.480

Abstract

In this paper, we present some attacks on GAGE, InGAGE, and CiliPadi which are candidates of the first round of the NIST-LWC competition.

GAGE and InGAGE are lightweight sponge based hash function and Authenticated Encryption with Associated Data (AEAD), respectively and support different sets of parameters. The length of hash, key, and tag are always 256, 128, and 128 bits, respectively. We show that the security bounds for some variants of its hash and AEAD are less than the designers' claims. For example, the designers' security claim of preimage attack for a hash function when the rate is 128 bits and the capacity is $256$ bits, is 2^{256}, however, we show that the security of preimage for this parameter set is 2^{128}. Also, the designer claimed security of confidentiality for an AEAD, when the rate is 8 bits and the capacity is 224 bits, is 2^{116}, however, we show the security of confidentiality for it is 2^{112$.

We also investigate the structure of the permutation used in InGAGE and present an attack to recover the key for reduced rounds of a variant of InGAGE. In an instance of AEAD of InGAGE, when the rate is 8 bits and the capacity is 224 bits, we recover the key when the number of the composition of the main permutation with itself, i.e., r_{1}, is less than 8.

We also show that CiliPadi is vulnerable to the length extension attack by presenting concrete examples of forged messages.

Keywords


[1] Secure Hash Standard. National institute of standards and technology, fips 180-1.(apr. 1995).

[2] Secure Hash Standard. National institute of standards and technology, fips 180-2.(aug. 2002).

[3] Secure Hash Standard. National institute of standards and technology, fips 202. sha-3 standard: Permutation-based hash and extendableoutput functions, (aug. 2015).

[4] Jian Guo, Thomas Peyrin, and Axel Poschmann. The photon family of lightweight hash functions. In Annual Cryptology Conference, pages 222–239. Springer, 2011.

[5] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and María Naya-Plasencia. Quark: A lightweight hash. J. Cryptology, 26(2):313–339, 2013.

[6] Avik Chakraborti, Anupam Chattopadhyay, Muhammad Hassan, and Mridul Nandi. Trivia: a fast and secure authenticated encryption scheme. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 330–353. Springer, 2015.

[7] Niels Ferguson, Doug Whiting, Bruce Schneier, JohnKelsey,StefanLucks,andTadayoshiKohno. Helix: Fast encryption and authentication in a single cryptographic primitive. In International workshop on fast software encryption, pages 330– 346. Springer, 2003.

[8] NIST. Submission requirements and evaluation criteria for the lightweight cryptography standardization process. csrc.nist.gov/CSRC/media/Projects/LightweightCryptography/documents/final-lwcsubmission-requirements-august2018.pdf, 2018. https://csrc.nist.

[9] Danilo Gligoroski, Hristina Mihajloska, and Daniel Otte. GAGE and InGAGE. NIST, Information Technology Laboratory COMPUTER SECURITY RESOURCE CENTER, 2019. https://csrc.nist. gov/CSRC/media/Projects/LightweightCryptography /documents/round-1/specdoc/GAGEandInGAGE-spec.pdf.

[10] Danilo Gligoroski, Hristina Mihajloska, and Daniel Otte. GAGE and InGAGE V1.01. http://gageingage.org, 07.05.2019.

[11] Danilo Gligoroski, Hristina Mihajloska, and Daniel Otte. GAGE and InGAGE V1.03. http://gageingage.org, 01 Aug 2019.

[12] Muhammad Reza Z’aba, Norziana Jamil, Mohd Saufy Rohmad, Hazlin Abdul Rani, and Solahuddin Shamsuddin. The cilipadi family of lightweight authenticated encryption. 2019.

[13] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Keccak. In Thomas Johansson and Phong Q. Nguyen, editors, Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science, pages 313–314. Springer, 2013.

[14] Jian Guo, Thomas Peyrin, and Axel Poschmann. The PHOTON family of lightweight hash functions. In Phillip Rogaway, editor, Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings, volume 6841 of Lecture Notes in Computer Science, pages 222– 239. Springer, 2011.

[15] Jian Guo, Thomas Peyrin, and Axel Poschmann. The PHOTON family of lightweight hash functions. IACR Cryptology ePrint Archive,2011:609, 2011.

[16] Nicky Mouha, Qingju Wang, Dawu Gu, and Bart Preneel. Differential and linear cryptanalysis using mixed-integer linear programming. In International Conference on Information Security and Cryptology, pages 57–76. Springer, 2011.

[17] LLC Gurobi Optimization. Gurobi optimizer reference manual.

[18] Ahmed Abdelkhalek, Yu Sasaki, Yosuke Todo, Mohamed Tolba, and Amr M Youssef. Milp modeling for (large) s-boxes to optimize probability of differential characteristics. IACR Transactions on Symmetric Cryptology, pages 99–129, 2017.