Abstract

In this paper, the security of Advanced Encryption Standard‐based authenticated encryption schemes, including the AEGIS family, Tiaoxin‐346, and Rocca, is examined using mixed integer linear programming tools. Specifically, for the initialisation phases of AEGIS, Tiaoxin‐346, and Rocca, security against differential attacks is evaluated by estimating lower bounds on the number of active S‐boxes, and security against integral attacks is evaluated by utilising the division property. In addition to the estimations for the initialisation phases, the security of the encryption phases of AEGIS, Tiaoxin‐346, and Rocca against distinguishing attacks on the keystream is evaluated by exploiting integral properties. As a result, the authors show that the initialisation phases of AEGIS‐128/128L/256, Tiaoxin‐346, and Rocca are secure against differential attacks after 4/3/6, 5, and 6 rounds, respectively. Regarding integral attacks, a distinguisher is found on 6/6/7, 15, and 7 rounds in the initialisation phases of AEGIS‐128/128L/256, Tiaoxin‐346, and Rocca, respectively. Additionally, an integral distinguisher is presented on 2/2/4, 4, and 4 rounds in the encryption phases of AEGIS‐128/128L/256, Tiaoxin‐346, and Rocca, respectively. As far as is known, this study’s results are the first distinguishing attacks on the keystream of AEGIS, Tiaoxin‐346, and Rocca that do not rely on weak keys.