Analyzing the Linear Keystream Biases in AEGIS

AEGIS is one of the authenticated encryption designs selected for the final portfolio of the CAESAR competition. It combines the AES round function with simple Boolean operations to update its large state and extract a keystream, which gives it excellent software performance. In 2014, Minaud discovered slight biases in the keystream based on linear characteristics. For the family member AEGIS-256, these can be exploited to undermine confidentiality faster than generic attacks, but this still requires very large amounts of data. For the final portfolio member AEGIS-128, these attacks are currently less efficient than generic attacks. We propose improved keystream approximations for the AEGIS family, but also prove upper bounds below 2^-128 for the squared correlation contribution of any single suitable linear characteristic.
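As an added worked example (not code from the paper or the AEGIS designers), the following Python computes the exact and the empirically estimated correlation of linear approximations of the AEGIS-128 keystream output function z = S1 xor S4 xor (S2 and S3) at a single bit position, and relates the squared correlation to the roughly 1/c^2 keystream samples a linear distinguisher needs. The combiner equation is the one from the AEGIS-128 specification; the sample count and seed are arbitrary choices of this example, and the piling-up step assumes independent approximations, a simplification that a real characteristic through the AES round function does not get for free.

```python
"""Linear approximations of the AEGIS-128 keystream combiner (added example).

z = S1 ^ S4 ^ (S2 & S3) is the AEGIS-128 keystream output function; the
AND term is the only nonlinear part, so the best linear approximation of
a single output bit has correlation 1/2 (squared correlation 1/4).
"""
import math
import random


def aegis128_combiner(s1, s2, s3, s4):
    """One bit of the AEGIS-128 keystream: z = S1 ^ S4 ^ (S2 & S3)."""
    return s1 ^ s4 ^ (s2 & s3)


def combiner_from_int(x):
    """Map a 4-bit integer to the combiner: bit0=S1, bit1=S2, bit2=S3, bit3=S4."""
    return aegis128_combiner(x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1)


def dot(mask, x):
    """GF(2) inner product: parity of the bits of x selected by mask."""
    return bin(mask & x).count("1") & 1


def exact_correlation(f, nbits, in_mask):
    """c = Pr[f(x) = <in_mask, x>] - Pr[f(x) != <in_mask, x>] over all 2^nbits inputs."""
    total = 1 << nbits
    agree = sum(1 for x in range(total) if f(x) == dot(in_mask, x))
    return (2 * agree - total) / total


def best_linear_approximations(f, nbits):
    """Maximal |correlation| and every input mask achieving it."""
    cors = {m: exact_correlation(f, nbits, m) for m in range(1 << nbits)}
    best = max(abs(c) for c in cors.values())
    return best, sorted(m for m, c in cors.items() if abs(c) == best)


def empirical_correlation(f, nbits, in_mask, samples, seed=1):
    """Monte Carlo estimate of the correlation from 'samples' random inputs.

    This mirrors how a bias is checked on real keystream: count agreements
    between the observed bit and the linear mask, and scale to [-1, 1].
    The seed is an arbitrary choice of this example.
    """
    rng = random.Random(seed)
    agree = sum(1 for _ in range(samples)
                if (lambda x: f(x) == dot(in_mask, x))(rng.getrandbits(nbits)))
    return (2 * agree - samples) / samples


def piled_squared_correlation(c2_per_approx, count):
    """Piling-up lemma: squared correlation of 'count' independent approximations.

    Assumes independence; for a characteristic spanning AES rounds this is an
    approximation, not a guarantee.
    """
    return c2_per_approx ** count


def log2_data_complexity(squared_corr):
    """log2 of the ~1/c^2 keystream samples needed to observe correlation c."""
    return -math.log2(squared_corr)


def approximations_needed(c2_per_approx, log2_bound=128):
    """How many independent approximations of squared correlation c2 it takes
    before the piled squared correlation drops to 2^-log2_bound."""
    return math.ceil(log2_bound / -math.log2(c2_per_approx))


if __name__ == "__main__":
    best, masks = best_linear_approximations(combiner_from_int, 4)
    print("best |c| for one combiner bit:", best, "masks:", [bin(m) for m in masks])
    print("empirical c for mask S1^S4:",
          empirical_correlation(combiner_from_int, 4, 0b1001, 20000))
    c2 = best ** 2
    n = approximations_needed(c2)
    print("bits needed to reach c^2 = 2^-128 (independent case):", n)
    print("log2 data complexity at that point:",
          log2_data_complexity(piled_squared_correlation(c2, n)))
```

The exact search shows four masks with |c| = 1/2 for a single combiner bit (S1 xor S4 with any subset of S2, S3), so one isolated AND term costs a squared correlation of 1/4. Under the independence assumption, 64 such terms already push the squared correlation to 2^-128, which is exactly the point where the ~1/c^2 keystream requirement reaches the generic 2^128 bound; the abstract's result is that every single suitable characteristic is already below that threshold.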

[1] Yu Sasaki et al. Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS, 2019, IACR Cryptol. ePrint Arch.

[2] Brice Minaud et al. Cryptanalysis of MORUS, 2018, IACR Cryptol. ePrint Arch.

[3] Bin Zhang et al. Fast Correlation Attack Revisited - Cryptanalysis on Full Grain-128a, Grain-128, and Grain-v1, 2018, IACR Cryptol. ePrint Arch.

[4] Serge Vaudenay et al. Can Caesar Beat Galois? - Robustness of CAESAR Candidates Against Nonce Reusing and High Data Complexity Attacks, 2018, ACNS.

[5] Marine Minier et al. Revisiting AES Related-Key Differential Attacks with Constraint Programming, 2018, IACR Cryptol. ePrint Arch.

[6] Amr M. Youssef et al. MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics, 2017, IACR Trans. Symmetric Cryptol.

[7] Daniel Kales et al. Note on the Robustness of CAESAR Candidates, 2017, IACR Cryptol. ePrint Arch.

[8] Tao Huang et al. A Security Analysis of Deoxys and its Internal Tweakable Block Ciphers, 2017, IACR Trans. Symmetric Cryptol.

[9] Roberto Maria Avanzi et al. The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes, 2017, IACR Trans. Symmetric Cryptol.

[10] Thomas Peyrin et al. The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS, 2016, IACR Cryptol. ePrint Arch.

[11] Lei Hu et al. Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers, 2014, ASIACRYPT.

[12] Brice Minaud et al. Linear Biases in AEGIS Keystream, 2014, Selected Areas in Cryptography.

[13] Bart Preneel et al. AEGIS: A Fast Authenticated Encryption Algorithm, 2013, Selected Areas in Cryptography.

[14] Kenneth G. Paterson et al. On the Security of RC4 in TLS, 2013, USENIX Security Symposium.

[15] Masakatu Morii et al. Full Plaintext Recovery Attack on Broadcast RC4, 2013, FSE.

[16] Dawu Gu et al. Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming, 2011, Inscrypt.

[17] Vincent Rijmen et al. The Design of Rijndael: AES - The Advanced Encryption Standard, 2002.

[18] Vincent Rijmen et al. The Block Cipher Rijndael, 1998, CARDIS.

[19] Joos Vandewalle et al. Correlation Matrices, 1994, FSE.

[20] Mitsuru Matsui et al. Linear Cryptanalysis Method for DES Cipher, 1994, EUROCRYPT.