Dinamite: internal differential match-in-the-end attack on eight-round PAEQ
Author(s) - Saha Dhiman, Kakarla Sourya, Roy Chowdhury Dipanwita
Publication year - 2019
Publication title - IET Information Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2018.5033
Subject(s) - block cipher , cryptographic nonce , computer science , cryptanalysis , slide attack , differential cryptanalysis , differential (mechanical device) , ciphertext , key (lock) , algorithm , theoretical computer science , computer security , cryptography , encryption , engineering , aerospace engineering
The authors explore a cryptanalysis strategy that appears particularly applicable to parallelisable ciphers in which the key forms part of the internal state. The proposed technique combines internal differentials with guess-and-determine analysis to produce what they call the match-in-the-end attack. The notion of difference here deviates from the classical differential, where the difference is controllable via the plaintext/ciphertext: instead, they exploit the Hamming distance between parallel branches to devise the differential trail. They apply the strategy to the full eight (out of 20) rounds of the parallelisable authenticated cipher PAEQ (parallelisable AE based on quadrupled AES) to devise key-recovery attacks with practical time complexities. They first show an initial attack on paeq-64/80/128 and then devise improvements that yield the best key-recovery attacks, with time complexities of 2^33, 2^48 and 2^64, respectively. While the best previously reported attacks on eight-round paeq-64/80/128 have a data complexity of 2^89 blocks, this result improves their time complexities by factors of 2, 2^18 and 2^34 while preserving the data complexity. Finally, they present a nonce-based differential attack that works on paeq-128-t with 2^64 time complexity but uses just two single-block known plaintexts, making it the most practical attack on any round-reduced PAEQ variant reported so far.