Paper 2015/160

Differential-Linear Cryptanalysis of ICEPOLE

Tao Huang, Ivan Tjuawinata, and Hongjun Wu


ICEPOLE is a CAESAR candidate with the intermediate level of robustness under nonce misuse circumstances in the original document. In particular, it was claimed that key recovery attack against ICEPOLE is impossible in the case of nonce misuse. ICEPOLE is strong against the differential cryptanalysis and linear cryptanalysis. In this paper, we developed the differential-linear attacks against ICEPOLE when nonce is misused. Our attacks show that the state of ICEPOLE-128 and ICEPOLE-128a can be recovered with data complexity $2^{46}$ and time complexity $2^{46}$; the state of ICEPOLE-256a can be recovered with data complexity $2^{60}$ and time complexity $2^{60}$. For ICEPOLE-128a and ICEPOLE-256a, the secret key is recovered once the state is recovered. We experimentally verified the attacks against ICEPOLE-128 and ICEPOLE-128a.

Available format(s)
Publication info
Published by the IACR in FSE 2015
ICEPOLEAuthenticated cipherCAESARDifferential-linear cryptanalysis
Contact author(s)
huangtao @ ntu edu sg
2015-02-27: received
Short URL
Creative Commons Attribution


      author = {Tao Huang and Ivan Tjuawinata and Hongjun Wu},
      title = {Differential-Linear Cryptanalysis of ICEPOLE},
      howpublished = {Cryptology ePrint Archive, Paper 2015/160},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.