Key Recovery Attacks On Recent Authenticated Ciphers

In this paper, we cryptanalyze three authenticated ciphers: AVALANCHE, Calico, and RBS. While the former two are contestants in the ongoing international CAESAR competition for authenticated encryption schemes, the latter has recently been proposed for lightweight applications such as RFID systems and wireless networks.All these schemes use well-established and secure components such as the AES, Grain-like NFSRs, ChaCha and SipHash as their building blocks. However, we discover key recovery attacks for all three designs, featuring square-root complexities. Using a key collision technique, we can recover the secret key of AVALANCHE in 2(n/2), where n is an element of {128, 192, 256} is the key length. This technique also applies to the authentication part of Calico whose 128-bit key can be recovered in 2(64) time. For RBS, we can recover its full 132-bit key in 2(65) time with a guess-and-determine attack. All attacks also allow the adversary to mount universal forgeries.