Abstract |
---|
AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias 2^{-89} on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted 2^{188} times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds i and i+2, although the biases would require 2^{140} data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher. |
Year | DOI | Venue |
---|---|---|
2014 | 10.1007/978-3-319-13051-4_18 | Lecture Notes in Computer Science |
Keywords | Field | DocType |
---|---|---|
Cryptanalysis, AEGIS, CAESAR | Keystream, Discrete mathematics, Cipher, Authentication, Computer science, Cryptanalysis, Encryption | Conference |
Volume | ISSN | Citations |
---|---|---|
8781 | 0302-9743 | 0 |
PageRank | References | Authors |
---|---|---|
0.34 | 5 | 1 |
Name | Order | Citations | PageRank |
---|---|---|---|
Brice Minaud | 1 | 147 | 7.75 |