Paper 2018/292

Linear Biases in AEGIS Keystream

Brice Minaud

Abstract

AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias $2^{-89}$ on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted $2^{188}$ times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds $i$ and $i+2$, although the biases would require $2^{140}$ data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher.

Note: This article was originally published at SAC 2014, but was not available on ePrint until now.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. SAC 2014
DOI
10.1007/978-3-319-13051-4_18
Keywords
Linear CryptanalysisAEGIS
Contact author(s)
brice minaud @ gmail com
History
2018-03-28: received
Short URL
https://ia.cr/2018/292
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/292,
      author = {Brice Minaud},
      title = {Linear Biases in AEGIS Keystream},
      howpublished = {Cryptology ePrint Archive, Paper 2018/292},
      year = {2018},
      doi = {10.1007/978-3-319-13051-4_18},
      note = {\url{https://eprint.iacr.org/2018/292}},
      url = {https://eprint.iacr.org/2018/292}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.