Linear Cryptanalysis of MORUS
Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Gaëtan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki, Benoît Viguier
Asiacrypt, December 4, 2018
Paper collision
Yanbin Li and Meiqin Wang. "Cryptanalysis of MORUS". Designs, Codes and Cryptography, pages 1-24, First Online: 09 June 2018.
Our paper was submitted to ePrint on 17 May 2018.
MILP-aided search for reduced MORUS.
◮ Integral distinguishers for 6.5 steps of MORUS-640.
◮ Differential distinguishers for 4.5 steps of MORUS-1280.
Overview
◮ MORUS design
◮ Analysis of MiniMORUS
◮ Application to MORUS
MORUS design
MORUS
◮ Family of authenticated ciphers by Wu and Huang
  • MORUS-640 with 128-bit key
    State $S_0, S_1, S_2, S_3, S_4$: 5 × 4 × 32-bit words
  • MORUS-1280-128 with 128-bit key
  • MORUS-1280-256 with 256-bit key
    State $S_0, S_1, S_2, S_3, S_4$: 5 × 4 × 64-bit words
◮ Security claim for confidentiality = key size; re-key every $2^{64}$ blocks
◮ CAESAR finalist for Use-Case 2 (High Performance)
MORUS Authenticated Cipher (simplified)
[Figure: state words $S_0, S_1, S_2, S_3, S_4$ with labels "in" and "out"]
1 Initialization:
  a. $S_0 = N$, $S_1 = K$
  b. 16 × StateUpdate(0)
  c. $S_1 = S_1 \oplus K$
2 Encryption: for each msg block $M_i$:
  a. $C_i = M_i \oplus$ (a function of $S_0, \dots, S_3$)
  b. StateUpdate($M_i$)
3 Finalization:
  a. $S_4 = S_4 \oplus S_0$
  b. 10 × StateUpdate(len($M$))
  c. $T =$ (a function of $S_0, \dots, S_3$)
MORUS StateUpdate Function
[Figure: StateUpdate diagram over the state words $S_0, \dots, S_4$; labels: M, C, bit rotations ≪ $b_0$ … ≪ $b_4$, word rotations ≪ 1w, ≪ 2w, ≪ 3w]
◮ Nonlinearity:
  • "Toffoli" gate z = z ⊕ (x ⊙ y)
◮ Diffusion:
  • Xors z = z ⊕ x
  • Rotation within words ≪ r
  • Rotate words ≪ rw
MiniMORUS StateUpdate Function
[Figure: MiniMORUS StateUpdate diagram over $S_0, \dots, S_4$; labels: M, C, bit rotations ≪ $b_0$ … ≪ $b_4$]
◮ MORUS state $S_0, S_1, S_2, S_3, S_4$
◮ MiniMORUS state $S_0, S_1, S_2, S_3, S_4$
◮ We will later use = + + +
◮ Rotational invariance
Analysis of MiniMORUS
Weight and Bias
The relation $x = u \oplus y \oplus (z \wedge t)$ can be linearly approximated with
$E: x = u \oplus y$ and $\Pr(E) = \frac{3}{4}$.
The bias $\varepsilon$ is:
$\Pr(E) = \frac{1}{2} + \varepsilon \implies \varepsilon = \frac{1}{4}$
The correlation and weight of an approximation are:
$\mathrm{cor}(E) := 2\varepsilon$
$\mathrm{weight}(E) := -\log_2 |\mathrm{cor}(E)| \implies \mathrm{weight}(E) = 1$
Piling-Up Lemma (Matsui M., 1993)
The correlation (resp. weight) of an XOR of independent variables is equal to the product (resp. sum) of their individual correlations (resp. weights).
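The values on this slide can be checked exhaustively. The Python sketch below is an added example, not code from the talk or the paper, and its function names are hypothetical; it computes Pr(E), cor(E) and weight(E) for E: x = u ⊕ y, confirms the Piling-Up Lemma on independent copies, and includes a constructed case where two AND terms share an operand, so the independence assumption fails and the weights no longer add.

```python
from itertools import product
from math import inf, log2

def stats(err, n):
    """Exact (Pr, cor, weight) of the event err(bits) == 0 over all 2^n inputs."""
    hits = sum(1 for bits in product((0, 1), repeat=n) if err(*bits) == 0)
    pr = hits / 2 ** n
    cor = 2 * pr - 1                      # cor(E) := 2*eps with Pr(E) = 1/2 + eps
    weight = inf if cor == 0 else -log2(abs(cor))
    return pr, cor, weight

def and_gate_error(u, y, z, t):
    """0 exactly when E: x = u ^ y holds for x = u ^ y ^ (z & t)."""
    x = u ^ y ^ (z & t)
    return x ^ u ^ y

def xor_independent(err, n, k):
    """XOR of k copies of err, each evaluated on its own n fresh input bits."""
    def combined(*bits):
        acc = 0
        for j in range(k):
            acc ^= err(*bits[j * n:(j + 1) * n])
        return acc
    return combined, n * k

def shared_operand_error(a, b, c):
    """Constructed dependent case: two AND terms sharing operand b."""
    return (a & b) ^ (b & c)              # equals b & (a ^ c)

if __name__ == "__main__":
    print("single AND gate:", stats(and_gate_error, 4))
    for k in (2, 3):
        f, n = xor_independent(and_gate_error, 4, k)
        print(f"{k} independent copies:", stats(f, n))
    # Piling-up would predict weight 2 here; the exact value is 1.
    print("shared operand:", stats(shared_operand_error, 3))
```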
MiniMORUS: Approximation fragments α, β, γ, δ, ε
[Figure: five StateUpdate diagrams, one per fragment, tracing bit i through the rotations ≪ $b_0$ … ≪ $b_4$; bit positions shown: i, i + $b_0$, i + $b_1$, i + $b_2$, i + $b_4$]
$\mathrm{weight}(\alpha^t_i) = 1$ (not 2)
$\mathrm{weight}(\beta^t_i) = 1$
$\mathrm{weight}(\gamma^t_i) = 1$
$\mathrm{weight}(\delta^t_i) = 1$
$\mathrm{weight}(\varepsilon^t_i) = 1$
Building Trails
MiniMORUS-640: Building trails with χ1 and χ2
[Figure: trail diagrams over the state words $S_0, \dots, S_4$, annotated with the fragments α, β, γ, δ, ε at individual bit positions]
Trail equations shown on the slide:
$C^1_2 \oplus C^2_1 \oplus C^2_7 \oplus C^2_{15} \oplus C^2_{27} \oplus C^3_6 \oplus C^3_{14} \oplus C^3_{20} \oplus C^4_{19} \to S^2_{2,0}$
$C^0_{27} \oplus C^1_0 \oplus C^1_8 \oplus C^1_{26} \oplus C^2_7 \oplus C^2_{13} \oplus C^2_{31} \oplus C^3_{12} \to S^2_{2,0}$
χ1: estimated weight 11
χ2: estimated weight 13