Key Recovery Attacks on Recent Authenticated Ciphers

Andrey Bogdanov, Christoph Dobraunig, Maria Eichlseder, Martin Mehl Lauridsen, Florian Mendel, Martin Schläffer, Elmar Wolfgang Tischhauser

Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review


In this paper, we cryptanalyze three authenticated ciphers: AVALANCHE, Calico, and RBS. While the former two are contestants in the ongoing international CAESAR competition for authenticated encryption schemes, the latter has recently been proposed for lightweight applications such as RFID systems and wireless networks. All these schemes use well-established and secure components such as the AES, Grain-like NFSRs, ChaCha and SipHash as their building blocks. However, we discover key recovery attacks for all three designs, featuring square-root complexities. Using a key collision technique, we can recover the secret key of AVALANCHE in 2n/2, where n 2∈ {28; 192; 256} is the key length. This technique also applies to the authentication part of Calico whose 128-bit key can be recovered in 264 time. For RBS, we can recover its full 132-bit key in 265 time with a guess-and-determine attack. All attacks also allow the adversary to mount universal forgeries.
Original languageEnglish
Title of host publication3rd International Conference on Cryptology and Information Security in Latin America
Number of pages12
Publication date2014
ISBN (Print)978-3-319-16294-2
ISBN (Electronic)978-3-319-16295-9
Publication statusPublished - 2014
Event3rd International Conference on Cryptology and Information Security in Latin America: Latincrypt 2014 - The Costão do Santinho Resort, Florianópolis, Brazil
Duration: 17 Sep 201419 Sep 2014
Conference number: 3


Conference3rd International Conference on Cryptology and Information Security in Latin America
Location The Costão do Santinho Resort
SeriesLecture Notes in Computer Science


  • authenticated encryption
  • key collision
  • guess-and-determine
  • universal forgery
  • Calico
  • RBS


Dive into the research topics of 'Key Recovery Attacks on Recent Authenticated Ciphers'. Together they form a unique fingerprint.

Cite this