Paper 2022/111

Breaking Panther

Christina Boura
Rachelle Heim Boissier
Yann Rotella

Panther is a sponge-based lightweight authenticated encryption scheme published at Indocrypt 2021. Its round function is based on four Nonlinear Feedback Shift Registers (NFSRs). We show here that it is possible to fully recover the secret key of the construction by using a single known plaintext-ciphertext pair and with minimal computational resources. Furthermore, we show that in a known-ciphertext setting, an attacker with knowledge of a single ciphertext is able to decrypt all plaintext blocks except for the very first ones and can forge the tag with only one call and probability one. As we demonstrate, the problem of the design comes mainly from the low number of iterations of the round function during the absorption phase. All of our attacks have been implemented and validated.

Secret-key cryptography
cryptanalysis panther
Contact author(s)
christina boura @ uvsq fr
rachelle heim @ uvsq fr
yann rotella @ uvsq fr
2022-11-25: revised
2022-01-31: received
Creative Commons Attribution


      author = {Christina Boura and Rachelle Heim Boissier and Yann Rotella},
      title = {Breaking Panther},
      howpublished = {Cryptology ePrint Archive, Paper 2022/111},
      year = {2022},
      note = {\url{}},
      url = {}