## Cryptology ePrint Archive: Report 2021/187

Weak Keys in Reduced AEGIS and Tiaoxin

Fukang Liu and Takanori Isobe and Willi Meier and Kosei Sakamoto

Abstract: AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we found that there are several groups of weak keys with $2^{96}$ keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity $2^{32}$ and data complexity $2^{32}$. Based on the distinguisher, the time complexity to recover the weak key is $2^{72}$ for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability $2^{-32}$. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

Category / Keywords: secret-key cryptography / AES, AEGIS, Tiaoxin, weak key, distinguisher, key-recovery

Original Publication (in the same form): ToSC 2021 (Issue 2)

Date: received 20 Feb 2021, last revised 22 May 2021

Contact author: liufukangs at 163 com, takanori isobe at ai u-hyogo ac jp, willimeier48 at gmail com, k sakamoto0728 at gmail com

Available format(s): PDF | BibTeX Citation

Note: This is the final version. We simplified the proofs of property 1 and property 3. Some typos were also fixed.

Short URL: ia.cr/2021/187

[ Cryptology ePrint archive ]