## Cryptology ePrint Archive: Report 2014/325

A practical forgery and state recovery attack on the authenticated cipher PANDA-s

Xiutao FENG, Fan ZHANG and Hui WANG

Abstract: PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a state recovery attack against PANDA-s with time complexity about $2^{41}$ under the known-plaintext-attack model, which needs 137 pairs of known plaintext/ciphertext and about 2GB memories. Our attack is practical in a small workstation. Based on the above attack, we further deduce a forgery attack against PANDA-s, which can forge a legal ciphertext $(C,T)$ of an arbitrary plaintext $P$. The results show that PANDA-s is insecure.

Category / Keywords: secret-key cryptography / CAESAR, PANDA, state recovery attack, forgery attack