Volume 31 Issue 2
Mar.  2022
SHI Tairong, HU Bin, GUAN Jie, WANG Senpeng. Cryptanalysis of AEGIS-128[J]. Chinese Journal of Electronics, 2022, 31(2): 285-292. doi: 10.1049/cje.2020.00.231

# Cryptanalysis of AEGIS-128

##### doi: 10.1049/cje.2020.00.231
Funds: This work was supported by the National Natural Science Foundation of China (61672509, 61602514, 61802437, 61902428, 62102448, 62072445)
• Author Bio:

was born in 1992. She received the Ph.D. degree from PLA SSF Information and Engineering University, Zhengzhou, China in 2021. Her research interests include cryptography and information security. (Email: strwanzi@163.com)

was born in 1971. He is a Professor of PLA SSF Information and Engineering University. His research interests include information security, cryptography and Boolean function. (Email: hb2110@126.com)

was born in 1974. She is a Professor of PLA SSF Information and Engineering University. Her research interests include cryptography and the theory of information security. (Email: guanjie007@163.com)

was born in 1990. He received the Ph.D. degree from PLA SSF Information and Engineering University. His research interests include cryptography and information security. (Email: wsp2110@126.com)

• Accepted Date: 2021-09-24
• Available Online: 2021-11-11
• Publish Date: 2022-03-05
AEGIS, an authenticated encryption (AE) algorithm designed by H. J. Wu and B. Preneel, is one of the six winners of the Competition for Authenticated Encryption: Security, Applicability, and Robustness, which was launched by the National Institute of Standards and Technology. In this paper, we comprehensively investigate the existence of collisions in the initialization of AEGIS-128 and evaluate the number of advanced encryption standard (AES) round functions involved in the initialization, which reflects its resistance to differential attacks. As a result, we find that there are 40 AES round functions, fewer than the 50 claimed in the design document. We also prove that AEGIS-128 is strong enough to resist an adversary who has access to part of the state. In particular, we present a collision-based distinguisher and exploit it to recover the key of 4-step and 5-step (out of the full 10) AEGIS-128. The time and memory complexities are about $2^{29.7}$ and $2^{26}$ respectively. Specifically, we give a quantum version of the attack on 4-step AEGIS-128, in which we solve the technical issue of dealing with a function that does not fulfil Simon's promise. It is noted that the nonce is not reused in our work. Although we present some results on AEGIS-128 that go beyond the existing analysis, the security margin of AEGIS-128 remains large.

Figures(2)  / Tables(3)