Guess-and-Determine Attacks on AEGIS. (22nd May 2021)
- Record Type:
- Journal Article
- Title:
- Guess-and-Determine Attacks on AEGIS. (22nd May 2021)
- Main Title:
- Guess-and-Determine Attacks on AEGIS
- Authors:
- Jiao, Lin
Li, Yongqiang
- Du, Shaoyu
- Abstract:
- AEGIS is one of the authenticated encryption with associated data designs selected for the final portfolio of the CAESAR competition. It combines the AES round function and simple Boolean operations to update its large state and extract a keystream to achieve an excellent software performance. The AEGIS family consists of AEGIS-128, AEGIS-256 and AEGIS-128L, which use 5, 6 and 8 parallel AES round functions to process 128-, 128- and 256-bit message blocks per step, with slightly different output functions. Surprisingly, very few cryptanalytic results on AEGIS have been published so far. This paper presents the first guess-and-determine attacks on the AEGIS family. Firstly, we propose a new observation on the structure of AEGIS: the relations of fixed variables remain in the outputs at consecutive steps under some conditions on the AND operations, and the vectorial bitwise AND operation is biased, which allows the additional variables to be derived directly. Secondly, we add several techniques, such as divide and conquer on byte-based columns, reduction by meet in the middle and simplification through constraints on variables, for each AEGIS member. Finally, we conduct guess-and-determine attacks on AEGIS-128, AEGIS-256 and AEGIS-128L with complexities of $2^{309}$, $2^{437}$ and $2^{384}$ to $2^{416}$, respectively. Although neither attack threatens the practical security of AEGIS, it is of great significance for evaluating the resistance of such structures in relation to their large internal states of 640, 768 and 1024 bits. It is also the first internal state recovery attack on AEGIS without nonce reuse, while only distinguishing attacks on AEGIS have existed up to now.
- Is Part Of:
- Computer journal. Volume 65:Number 8(2022)
- Journal:
- Computer journal
- Issue:
- Volume 65:Number 8(2022)
- Issue Display:
- Volume 65, Issue 8 (2022)
- Year:
- 2022
- Volume:
- 65
- Issue:
- 8
- Issue Sort Value:
- 2022-0065-0008-0000
- Page Start:
- 2221
- Page End:
- 2230
- Publication Date:
- 2021-05-22
- Subjects:
- AEGIS -- guess-and-determine attack -- stream cipher -- CAESAR competition
- Computers -- Periodicals
- 005.1
- Journal URLs:
- http://comjnl.oxfordjournals.org/
- http://ukcatalogue.oup.com/
- DOI:
- 10.1093/comjnl/bxab059
- Languages:
- English
- ISSNs:
- 0010-4620
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3394.060000
- British Library DSC - BLDSS-3PM
- British Library HMNTS - ELD Digital store
- Ingest File:
- 23560.xml