Cryptology ePrint Archive: Report 2014/325
A practical forgery and state recovery attack on the authenticated cipher PANDA-s
Xiutao FENG, Fan ZHANG and Hui WANG
Abstract: PANDA is a family of authenticated ciphers submitted to CAESAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about $2^{41}$ under the known-plaintext-attack model, which needs 137 pairs of known plaintext/ciphertext and about 2 GB of memory. Our attack is practical on a small workstation. Based on the above attack, we further deduce a forgery attack against PANDA-s, which can forge a legal ciphertext $(C,T)$ of an arbitrary plaintext $P$. The results show that PANDA-s is insecure.
Category / Keywords: secret-key cryptography / CAESAR, PANDA, state recovery attack, forgery attack
Date: received 9 May 2014
Contact author: fengxt at amss ac cn
Version: 20140510:072133 (All versions of this report)
Short URL: ia.cr/2014/325