AEGIS, an authenticated encryption (AE) algorithm designed by H. J. Wu and B. Preneel, is one of the six winners of the Competition for Authenticated Encryption: Security, Applicability, and Robustness, which was launched by the National Institute of Standards and Technology. In this paper, we comprehensively investigate the existence of collisions in the initialization of AEGIS-128 and evaluate the number of Advanced Encryption Standard (AES) round functions involved in initialization, which reflects the resistance to differential attacks. As a result, we find that there are 40 AES round functions, fewer than the 50 claimed in the design document. We also prove that AEGIS-128 is strong enough to resist an adversary who has access to partial state. In particular, we present a collision-based distinguisher and exploit it to recover the key of 4-step and 5-step (out of the full 10) AEGIS-128. The time and memory complexities are about $2^{29.7}$ and $2^{26}$, respectively. Specifically, we quantize the attack on 4-step AEGIS-128, in which we solve the technical issue of dealing with a function that does not fulfill Simon's promise. Note that the nonce is not reused in our work. Although we present some results on AEGIS-128 that go beyond the existing analysis, the security margin of AEGIS-128 remains large.