Biblio

π-Cipher is one of the twenty-nine candidates in the second round of the CAESAR competition for authenticated ciphers. π-Cipher uses a parallel sponge construction, based upon an ARX permutation. This work shows several state recovery attacks, on up to three rounds. These attacks use known values in the function's bitrate, combined with values found through exhaustive search, to retrieve the remaining values in the internal state. These attacks can break one round, for any variant of π-Cipher, in negligible time. They can also break two or three rounds much faster than exhaustive search on the key, for some variants. However, these attacks only work against version 1 of π-Cipher, due to the differences in the padding function for version 2.0. To fill this gap, this work also includes a one round attack against version 2.0, building upon the distinguisher present in the π-Cipher submission document.