Linear Biases in AEGIS Keystream

Brice Minaud

Abstract: AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias $2^{-89}$ on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted $2^{188}$ times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds $i$ and $i+2$, although the biases would require $2^{140}$ data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher.

Original Publication (in the same form): SAC 2014

Date: received 26 Mar 2018

Contact author: brice minaud at gmail com

Note: This article was originally published at SAC 2014, but was not available on ePrint until now.

Version: 20180328:023841

