Key Recovery Attack Against 2.5-Round Pi-Cipher

In this paper, we propose a guess and determine attack against some variants of the p-Cipher family of authenticated ciphers. This family of ciphers is a second-round candidate of the CAESAR competition. More precisely, we show a key recovery attack with time complexity little higher than 2(4 omega), and low data complexity, against variants of the cipher with omega-bit words, when the internal permutation is reduced to 2.5 rounds.In particular, this gives an attack with time complexity 2(72) against the variant pi 16-Cipher096 (using 16-bit words) reduced to 2.5 rounds, while the authors claim 96 bits of security with 3 rounds in their second-round submission. Therefore, the security margin for this variant of p-Cipher is very limited.The attack can also be applied to lightweight variants that are not included in the CAESAR proposal, and use only two rounds. The light-weight variants p16-Cipher096 and pi 16-Cipher128 claim 96 bits and 128 bits of security respectively, but our attack can break the full 2 rounds with complexity 2(72).Finally, the attack can be applied to reduced versions of two more variants of p-Cipher that were proposed in the first-round submission with 4 rounds: p16-Cipher128 (using 16-bit words) and pi 32-Cipher256 (using 32-bit words). The attack on 2.5 rounds has complexity 2(72) and 2(137) respectively, while the security claim for 4 rounds are 128 bits and 256 bits of security.