Abstract
AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream-cipher-based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature lies in the round update function, where the state is divided into several 128-bit words and each word either passes through an AES round or does not. During the 6-year CAESAR competition, it is surprising that for both primitives there has been no third-party cryptanalysis of the initialization phase. Due to the similarities between the two primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit, and then to carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 2^96 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 2^32 and data complexity 2^32. Based on the distinguisher, the time complexity to recover the weak key is 2^72 for 5-round AEGIS-128. However, the weak-key recovery attack on 8-round Tiaoxin requires the use of a weak constant occurring with probability 2^-32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of designs similar to AEGIS and Tiaoxin.
Highlights
Strong diffusion and confusion are two principles to design secure symmetric-key primitives
With dedicated analysis of these expressions, the set of weak keys is eventually identified, which is used to simplify the quadratic part of the output for AEGIS-128 and to turn a probabilistic integral property into a deterministic one for Tiaoxin, respectively
To make the derived integral distinguisher theoretically correct, we have proved some integral properties for some unusual combinations of the AES round function, which will occur in the constructions like AEGIS and Tiaoxin but will never occur in real AES
Summary
Strong diffusion and confusion are two principles to design secure symmetric-key primitives. It is undeniable that for almost all symmetric-key primitives attackers lose the capability to write the exact Boolean expressions of the output bits in terms of the input bits. To address this problem, the cube attack [DS09] was invented to capture partial information about the Boolean expressions of the output bits. An evident advantage of utilizing the division property with automated tools is that attackers can find integral distinguishers [KW02] in a relatively easy way. It seems, however, that a naive implementation can only find integral distinguishers holding for all secret keys.
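The integral distinguishers discussed above rest on integral properties of the AES round function: when one input byte ranges over all 256 values while the rest stay fixed, certain output bytes are permutations of that byte (active) or have an all-zero XOR sum (balanced). The following is an added example, not code from the paper, that implements one plain AES round from scratch (S-box, ShiftRows, MixColumns, AddRoundKey) and measures these properties over one, two, three and four rounds. It uses only the standard AES round; the unusual round combinations the paper proves properties for in AEGIS and Tiaoxin are not reproduced here. The base block and round keys are constructed sample values.

```python
"""Integral (active / balanced / zero-sum) properties of the AES round function.

Added example, not from the paper: a from-scratch AES round and a saturation
experiment over all 256 values of one byte.
"""
from typing import List, Tuple

AES_POLY = 0x1B  # x^8 + x^4 + x^3 + x + 1, low byte of the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply a and b in GF(2^8) as used by AES (shift-and-add)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(x: int) -> int:
    """Multiplicative inverse in GF(2^8), computed as x^254; 0 maps to 0."""
    result, base, exp = 1, x, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if x else 0


def build_sbox() -> List[int]:
    """AES S-box: field inversion followed by the affine transformation."""
    sbox = []
    for x in range(256):
        inv = gf_inv(x)
        s = inv
        for i in range(1, 5):  # y ^ rotl(y,1) ^ rotl(y,2) ^ rotl(y,3) ^ rotl(y,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()

# State layout: 16 bytes, index = row + 4 * column (AES column-major order).


def aes_round(state: List[int], round_key: List[int]) -> List[int]:
    """One full AES round: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    s = [SBOX[b] for b in state]
    # ShiftRows: row r is rotated left by r positions.
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    out: List[int] = []
    for c in range(4):  # MixColumns on each column
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
            a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
            a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
            gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3),
        ]
    return [o ^ k for o, k in zip(out, round_key)]


def integral_experiment(base: List[int], active_index: int, rounds: int,
                        round_keys: List[List[int]]) -> Tuple[List[int], List[int], List[int]]:
    """Saturate one byte over all 256 values and push the set through `rounds` rounds.

    Returns (xor_sum, active, constant): the byte-wise XOR over all 256 outputs,
    the positions that take every one of the 256 values, and the positions
    that never change. A zero xor_sum in every byte is the balanced property.
    """
    xor_sum = [0] * 16
    seen = [set() for _ in range(16)]
    for v in range(256):
        s = list(base)
        s[active_index] = v
        for r in range(rounds):
            s = aes_round(s, round_keys[r])
        xor_sum = [x ^ y for x, y in zip(xor_sum, s)]
        for i in range(16):
            seen[i].add(s[i])
    active = [i for i in range(16) if len(seen[i]) == 256]
    constant = [i for i in range(16) if len(seen[i]) == 1]
    return xor_sum, active, constant


# Constructed sample inputs (arbitrary values, not from the paper).
BASE_BLOCK = list(range(0, 256, 16))
ROUND_KEYS = [[(17 * r + 3 * i + 5) & 0xFF for i in range(16)] for r in range(4)]

if __name__ == "__main__":
    for n in range(1, 5):
        xs, act, const = integral_experiment(BASE_BLOCK, 0, n, ROUND_KEYS)
        print(f"{n} round(s): zero-sum={xs == [0] * 16}, "
              f"active bytes={len(act)}, constant bytes={len(const)}")
```

Running it shows the textbook picture: after one round only the four bytes of the active byte's column are active and the other twelve are constant; after two rounds all sixteen bytes are active; after three rounds the bytes are no longer permutations but the XOR sum is still zero; after four rounds the zero-sum breaks, which is why the plain-AES integral distinguisher stops at three rounds. The paper's word-level analysis of AEGIS and Tiaoxin tracks the same kinds of properties through the primitives' own round update functions.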