## Cryptology ePrint Archive: Report 2018/292

Linear Biases in AEGIS Keystream

Brice Minaud

Abstract: AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias $2^{-89}$ on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted $2^{188}$ times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds $i$ and $i+2$, although the biases would require $2^{140}$ data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher.

Category / Keywords: secret-key cryptography / Linear Cryptanalysis, AEGIS

Original Publication (in the same form): SAC 2014
DOI:
10.1007/978-3-319-13051-4_18