Skip to main content

Analysis of the Authenticated Cipher MORUS (v1)

Part of the Lecture Notes in Computer Science book series (LNSC,volume 9540)

Abstract

We present several new observations on the CAESAR candidate MORUS (v1). First, we report a collision on its \(\mathrm {StateUpdate}(S, M)\) function. Second, we describe a distinguisher in a nonce-reuse scenario with probability 1. Finally, we observe that the differences in some words of the state after the initialization have probabilities significantly higher than the random case. We note that the presented results do not threaten the security of the scheme. This is the first external analysis of the authenticated cipher MORUS.

Keywords

  • Symmetric-key
  • Cryptanalysis
  • Authenticated encryption
  • CAESAR
  • MORUS

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-29172-7_4
  • Chapter length: 15 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   54.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-29172-7
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   69.99
Price excludes VAT (USA)
Fig. 1.

References

  1. Wu, H., Huang, T.: The authenticated cipher MORUS (v1), CAESAR candidate, 15 March 2014

    Google Scholar 

  2. CAESAR - Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014). http://competitions.cr.yp.to/caesar.html

  3. National Institute of Standards and Technology, Announcing Request for Candidate Algorithm Nominations for a the Advanced Encryption Standard (AES), Federal Register, vol. 62, pp. 48051–48058, September 1997. http://csrc.nist.gov/archive/aes/pre-round1/aes_9709.htm

  4. National Institute of Standards and Technology, Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family, Federal Register, vol. 27, pp. 62212–62220, November 2007. http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf

  5. Daemen, J., Rijmen, V.: AES and the wide trail design strategy. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 108–109. Springer, Heidelberg (2002)

    CrossRef  Google Scholar 

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

Download references

Acknowledgments

We would like to thank the anonymous reviewers for their time and valuable comments. In particular, we thank Reviewer 2 for pointing out the natural extension of our technique to the case where differences in the message blocks are allowed. Finally, we extend our thanks to the organizers of WG4 Meeting on Authenticated Encryption, COST CryptoAction IC1306, co-located with Eurocrypt 2015, for giving us the opportunity to work on this topic.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Aleksandra Mileva .

Editor information

Editors and Affiliations

Appendices

A Proof of Theorem 1

Proof

The state update function of MORUS-640 under \(\mathrm {AD_1}\) is expressed as follow:

$$\begin{aligned} (x_0, x_1, x_2, x_3, x_4) = \mathrm {StateUpdate}((s_0, s_1, s_2, s_3, s_4), \mathrm {AD_1})\,, \end{aligned}$$
(34)

where

$$\begin{aligned} x_0&= \mathrm {Rotl\_xxx\_yy}(s_0 \oplus (s_1\wedge s_2) \oplus s_3, 5)\lll 96\,, \end{aligned}$$
(35)
$$\begin{aligned} x_1&= \mathrm {Rotl\_xxx\_yy}(s_1 \oplus (s_2\wedge (s_3\lll 32)) \oplus s_4 \oplus \mathrm {AD_1}, 31)\lll 64\,, \end{aligned}$$
(36)
$$\begin{aligned} x_2&= \mathrm {Rotl\_xxx\_yy}(s_2 \oplus ((s_3 \lll 32)\wedge (s_4\lll 64)) \oplus \nonumber \\&\qquad \qquad \qquad (x_0 \ggg 96) \oplus \mathrm {AD_1}, 7)\lll 32\,, \end{aligned}$$
(37)
$$\begin{aligned} x_3&= \mathrm {Rotl\_xxx\_yy}((s_3 \lll 32) \oplus ((s_4 \lll 64)\wedge x_0) \oplus \nonumber \\&\qquad \qquad \qquad (x_1 \ggg 64) \oplus \mathrm {AD_1}, 22)\,, \end{aligned}$$
(38)
$$\begin{aligned} x_4&= \mathrm {Rotl\_xxx\_yy}((s_4 \lll 64) \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg 32) \oplus \mathrm {AD_1}, 13)\,. \end{aligned}$$
(39)

We recall that each element \(x_j\) and \(y_j\) of the states \(X = (x_0, x_1, x_2, x_3, x_4)\) and \(Y = (y_0, y_1, y_2, y_3, y_4)\) is of size 128 bits organized in an array of four 32 bit words. Denote these words as \(x_j=(x_{j0}, x_{j1}, x_{j2}, x_{j3})\) and \(y_j=(y_{j0}, y_{j1}, y_{j2}, y_{j3})\), where \(|x_{ji}| = |y_{ji}| = 32\) bits for \(0 \le j \le 4\), \(1 \le i \le 3\).

Proof of Statement 1: \(x_0 = y_0\). Since Eq. (35) does not depend on the associated data block, it will be the same for both \(\mathrm {AD}_1\) and \(\mathrm {AD}_2\). It follows that \(x_0=y_0\).

Proof of Statement 2: Difference Between Words \(x_1\) and \(y_1\). In Eq. (36) denote

$$\begin{aligned} a_1&= s_1 \oplus (s_2 \wedge (s_3 \lll 32)) \oplus s_4\,, \end{aligned}$$
(40)
$$\begin{aligned} b_1&= (b_{10}, b_{11}, b_{12}, b_{13})\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1 \oplus \mathrm {AD}_1, 31) \nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1, 31)\,. \end{aligned}$$
(41)

After rotation by 64 (see Eq. (36)) we have

$$\begin{aligned} x_1=(x_{10}, x_{11}, x_{12}, x_{13})= (b_{12}, b_{13}, b_{10}, b_{11})\,. \end{aligned}$$
(42)

For the second associated data block \(\mathrm {AD}_2 = (0^{(127)}||1)\) denote

$$\begin{aligned} c_1&= (c_{10}, c_{11}, c_{12}, c_{13})\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1 \oplus \mathrm {AD}_2, 31)\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_1 \oplus (0^{(127)}||1), 31)\,. \end{aligned}$$
(43)

Analogously to \(\mathrm {AD}_1\), after rotation by 64 (see Eq. (36)) we get

$$\begin{aligned} y_1=(y_{10}, y_{11}, y_{12}, y_{13})= (x_{10}, x_{11}\oplus (1||0^{(31)}), x_{12}, x_{13})\,. \end{aligned}$$
(44)

For the words of \(b_1\) and \(c_1\), the following equalities hold:

$$\begin{aligned} c_{10}&= b_{10} = x_{12}\,, \end{aligned}$$
(45)
$$\begin{aligned} c_{11}&= b_{11} = x_{13}\,, \end{aligned}$$
(46)
$$\begin{aligned} c_{12}&= b_{12} = x_{10}\,, \end{aligned}$$
(47)
$$\begin{aligned} c_{13}&= b_{13} \oplus (1||0^{(31)}) = x_{11} \oplus (1||0^{(31)})\,. \end{aligned}$$
(48)

Therefore \(x_1\) and \(y_1\) differ only in the 33-th bit (counting from MSB to LSB).

Proof of Statement 3: Difference Between Words \(x_2\) and \(y_2\). In Eq. (37) denote

$$\begin{aligned} a_2&= s_2 \oplus ((s_3 \lll 32)\wedge (s_4\lll 64)) \oplus (x_0 \ggg 96)\,, \end{aligned}$$
(49)
$$\begin{aligned} b_2&= (b_{20}, b_{21}, b_{22}, b_{23})\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2 \oplus \mathrm {AD}_1, 7)\nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2, 7)\,. \end{aligned}$$
(50)

After rotation by 32 (see Eq. (36)) we have

$$\begin{aligned} x_2 = (x_{20}, x_{21}, x_{22}, x_{23})= (b_{21}, b_{22}, b_{23}, b_{20})\,. \end{aligned}$$
(51)

For the second associated data block \(\mathrm {AD}_2 = (0^{(127)}||1)\) denote

$$\begin{aligned} c_2&= (c_{20}, c_{21}, c_{22}, c_{23}) \nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2 \oplus \mathrm {AD}_2, 7) \nonumber \\&= \mathrm {Rotl\_xxx\_yy}(a_2 \oplus (0^{(127)}||1), 7)\,. \end{aligned}$$
(52)

For the words of \(b_2\) and \(c_2\), the following equalities hold:

$$\begin{aligned} c_{20}&= b_{20} = x_{23}\,, \end{aligned}$$
(53)
$$\begin{aligned} c_{21}&= b_{21} = x_{20}\,, \end{aligned}$$
(54)
$$\begin{aligned} c_{22}&= b_{22} = x_{21}\,, \end{aligned}$$
(55)
$$\begin{aligned} c_{23}&= b_{23} \oplus (0^{(24)}||1||0^{(7)}) = x_{22} \oplus (0^{(24)}||1||0^{(7)})\,, \end{aligned}$$
(56)

and so

$$\begin{aligned} y_2 = (y_{20}, y_{21}, y_{22}, y_{23}) = (x_{20}, x_{21}, x_{22} \oplus (0^{(24)}||1||0^{(7)}), x_{23})\,. \end{aligned}$$
(57)

Therefore \(x_2\) and \(y_2\) differ only in the 89-th bit (counting from MSB to LSB).

Proof of Statement 4: Difference Between Words \(x_3\) and \(y_3\). In Eq. (38) denote

$$\begin{aligned} a_3 = (s_3 \lll 32) \oplus ((s_4 \lll 64) \wedge x_0)\,. \end{aligned}$$
(58)

For \(x_3\) we have

$$\begin{aligned} x_3&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_1 \ggg 64) \oplus \mathrm {AD}_1, 22) \end{aligned}$$
(59)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_{12}, x_{13}, x_{10}, x_{11}), 22) \end{aligned}$$
(60)
$$\begin{aligned}&= ((a_{30} \oplus x_{12})\lll 22,~ (a_{31} \oplus x_{13})\lll 22,~(a_{32} \oplus x_{10})\lll 22,\nonumber \\&\qquad \qquad (a_{33} \oplus x_{11})\lll 22) \end{aligned}$$
(61)
$$\begin{aligned}&= (x_{30}, x_{31}, x_{32}, x_{33})\,. \end{aligned}$$
(62)

For \(y_3\) we have

$$\begin{aligned} y_3&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (y_1 \ggg 64) \oplus \mathrm {AD}_2, 22) \end{aligned}$$
(63)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_{12}, x_{13}, x_{10}, x_{11} \oplus (1||0^{(31)})) \oplus (0^{(127)}||1), 22) \end{aligned}$$
(64)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_3 \oplus (x_{12}, x_{13}, x_{10}, x_{11} \oplus (1||0^{(31)}) \oplus (0^{(31)}||1)), 22) \end{aligned}$$
(65)
$$\begin{aligned}&= ((a_{30} \oplus x_{12})\lll 22, (a_{31} \oplus x_{13})\lll 22, (a_{32} \oplus x_{10})\lll 22,\nonumber \\&\qquad (a_{33} \oplus x_{11}\oplus (1||0^{(31)}) \oplus (0^{(31)}||1))\lll 22) \end{aligned}$$
(66)
$$\begin{aligned}&= (x_{30}, x_{31}, x_{32}, x_{33} \oplus (0^{(9)}||11||0^{(21)}))\,. \end{aligned}$$
(67)

Therefore \(x_3\) and \(y_3\) differ only in the 106-th and 107-th bit (counting from MSB to LSB).

Proof of Statement 5: Difference Between Words \(x_4\) and \(y_4\). In Eq. (39) denote

$$\begin{aligned} a_4 = s_4 \lll w_1\,. \end{aligned}$$
(68)

Then \(x_4\) can be expressed as:

$$\begin{aligned} x_4&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg 32) \oplus \mathrm {AD}_1, 13) \end{aligned}$$
(69)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (x_0 \wedge x_1) \oplus (x_{23}, x_{20}, x_{21}, x_{22}), 13) \end{aligned}$$
(70)
$$\begin{aligned}&= ((a_{40} \oplus (x_{00} \wedge x_{10}) \oplus x_{23})\lll 13,~ (a_{41} \oplus (x_{01} \wedge x_{11}) \oplus x_{20})\lll 13,\nonumber \\&\qquad (a_{42} \oplus (x_{02} \wedge x_{12}) \oplus x_{21})\lll 13,~ (a_{43} \oplus (x_{04} \wedge x_{14}) \oplus x_{22})\lll 13) \end{aligned}$$
(71)
$$\begin{aligned}&=(x_{40}, x_{41}, x_{42}, x_{43})\,, \end{aligned}$$
(72)

and \(y_4\) is expressed as:

$$\begin{aligned} y_4&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (y_0 \wedge y_1) \oplus (y_2 \ggg 32) \oplus \mathrm {AD}_2, 13) \end{aligned}$$
(73)
$$\begin{aligned}&= \mathrm {Rotl\_xxx\_yy}(a_4 \oplus (x_0 \wedge y_1) \oplus \nonumber \\&\qquad (x_{23}, x_{20}, x_{21}, x_{22} \oplus (0^{(24)}||1||0^{(7)})) \oplus (0^{(127)}||1), 13) \end{aligned}$$
(74)
$$\begin{aligned}&= ((a_{40} \oplus (x_{00} \wedge x_{10}) \oplus x_{23})\lll 13,\nonumber \\&\qquad (a_{41} \oplus (x_{01} \wedge (x_{11}\oplus (1||0^{(31)}))) \oplus x_{20})\lll 13,\nonumber \\&\qquad (a_{42} \oplus (x_{02} \wedge x_{12}) \oplus x_{21})\lll 13,\nonumber \\&\qquad (a_{43} \oplus (x_{04} \wedge x_{14}) \oplus x_{22} \oplus (0^{(24)}||1||0^{(6)}||1) )\lll 13) \end{aligned}$$
(75)
$$\begin{aligned}&= ((a_{40} \oplus (x_{00} \wedge x_{10}) \oplus x_{23})\lll 13,\nonumber \\&\qquad (a_{41} \oplus (x_{01} \wedge (x_{11}\oplus (1||0^{(31)}))) \oplus x_{20})\lll 13,\nonumber \\& \qquad (a_{42} \oplus (x_{02} \wedge x_{12}) \oplus x_{21})\lll 13,\nonumber \\&\qquad (a_{43} \oplus (x_{04} \wedge x_{14}) \oplus x_{22})\lll 13 \oplus (0^{(11)}||1||0^{(6)}||1||0^{(13)})) \end{aligned}$$
(76)
$$\begin{aligned}&= (x_{40}, x'_{41}, x_{42}, x_{43} \oplus (0^{(11)}||1||0^{(6)}||1||0^{(13)}))\,, \end{aligned}$$
(77)

where \(x'_{41}\) differ from \(x_{41}\) at most in the first (i.e. most significant) bit with probability 1 / 2. Therefore \(x_4\) and \(y_4\) differ only in the 108-th and 115-th bit, and the 33-th bit is different with probability 1 / 2.    \(\square \)

B Derivation of the System of Equations (33) in Sect. 6

Let \(X=(x_0, x_1, x_2, x_3, x_4)=\mathrm {StateUpdate}(S^0,AD_1)\), and \(Y=(y_0, y_1, y_2, y_3, y_4)=\mathrm {StateUpdate}(S^0,AD_2)\). Let \(x_1 \oplus y_1 = x_2 \oplus y_2 = x_3 \oplus y_3 = x_4 \oplus y_4=\varDelta M\). Clearly \(x_0 = y_0\).

For \(x_1 \oplus y_1\) we derive:

$$\begin{aligned}&x_1 \oplus y_1 = \mathrm {Rotl\_xxx\_yy}(s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus s_4 \oplus \mathrm {AD}_1, b_1) \lll w_3 \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {Rotl\_xxx\_yy}(s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus s_4 \oplus \mathrm {AD}_2, b_1) \lll w_3 \end{aligned}$$
(78)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_1 \oplus y_1) \ggg w_3, b_1) = s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus \nonumber \\&\qquad \qquad \qquad s_4\oplus \mathrm {AD}_1\oplus s_1 \oplus (s_2\wedge (s_3 \lll w_0)) \oplus s_4 \oplus \mathrm {AD}_2 \end{aligned}$$
(79)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_1 \oplus y_1) \ggg w_3, b_1) = \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(80)

For \(x_2 \oplus y_2\) we derive:

$$\begin{aligned}&x_2 \oplus y_2 = \mathrm {Rotl\_xxx\_yy}(s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (x_0 \ggg w_2) \oplus \mathrm {AD}_1, b_2) \lll w_4 \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {Rotl\_xxx\_yy}(s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (y_0 \ggg w_2) \oplus \mathrm {AD}_2, b_2) \lll w_4 \end{aligned}$$
(81)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_2 \oplus y_2) \ggg w_4, b_2) = s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (x_0 \ggg w_2) \oplus \mathrm {AD}_1 \oplus s_2 \oplus ((s_3 \lll w_0)\wedge (s_4 \lll w_1)) \oplus \nonumber \\&\qquad \qquad \qquad (y_0 \ggg w_2) \oplus \mathrm {AD}_2 \end{aligned}$$
(82)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}((x_2 \oplus y_2) \ggg w_4, b_2) = \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(83)

For \(x_3 \oplus y_3\) we derive:

$$\begin{aligned}&x_3 \oplus y_3 = \mathrm {Rotl\_xxx\_yy}((s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge x_0) \oplus (x_1 \ggg w_3) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1, b_3) \oplus \mathrm {Rotl\_xxx\_yy}((s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge y_0) \oplus \nonumber \\&\qquad \qquad \qquad (y_1 \ggg w_3) \oplus \mathrm {AD}_2, b_3) \end{aligned}$$
(84)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_3 \oplus y_3, b_3) = \nonumber \\&\qquad \qquad \qquad (s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge x_0) \oplus (x_1 \ggg w_3) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1 \oplus (s_3 \lll w_0) \oplus ((s_4 \lll w_1)\wedge y_0) \oplus (y_1 \ggg w_3) \oplus \mathrm {AD}_2 \end{aligned}$$
(85)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_3 \oplus y_3, b_3) = (x_1 \ggg w_3) \oplus (y_1 \ggg w_3) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(86)

For \(x_4 \oplus y_4\) we derive:

$$\begin{aligned}&x_4 \oplus y_4 = \mathrm {Rotl\_xxx\_yy}((s_4 \lll w_1) \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg w_4) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1, b_4) \oplus \mathrm {Rotl\_xxx\_yy}((s_4 \lll w_1) \oplus (y_0 \wedge y_1) \oplus \nonumber \\&\qquad \qquad \qquad (y_2 \ggg w_4) \oplus \mathrm {AD}_2, b_4) \end{aligned}$$
(87)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_4 \oplus y_4, b_4) = (s_4 \lll w_1) \oplus (x_0 \wedge x_1) \oplus (x_2 \ggg w_4) \oplus \nonumber \\&\qquad \qquad \qquad \mathrm {AD}_1 \oplus (s_4 \lll w_1) \oplus (y_0 \wedge y_1) \oplus (y_2 \ggg w_4) \oplus \mathrm {AD}_2 \end{aligned}$$
(88)
$$\begin{aligned}&\mathrm {Rotr\_xxx\_yy}(x_4 \oplus y_4, b_4) = (x_0 \wedge x_1) \oplus (y_0 \wedge y_1) \oplus (x_2 \ggg w_4) \oplus \nonumber \\&\qquad \qquad \qquad (y_2 \ggg w_4) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{aligned}$$
(89)

From Eqs. (80), (83), (86) and (89) we obtain the following system that is equivalent to the system (33) from Sect. 6:

$$\begin{aligned} {\left\{ \begin{array}{ll} &{}\mathrm {Rotr\_xxx\_yy}((x_1 \oplus y_1) \ggg w_3, b_1) = \mathrm {AD}_1 \oplus \mathrm {AD}_2\\ &{}\mathrm {Rotr\_xxx\_yy}((x_2 \oplus y_2) \ggg w_4, b_2) = \mathrm {AD}_1 \oplus \mathrm {AD}_2\\ &{}\mathrm {Rotr\_xxx\_yy}(x_3 \oplus y_3, b_3) = (x_1 \ggg w_3) \oplus (y_1 \ggg w_3) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2\\ &{}\mathrm {Rotr\_xxx\_yy}(x_4 \oplus y_4, b_4) = (x_0 \wedge x_1) \oplus (y_0 \wedge y_1) \oplus (x_2 \ggg w_4) \oplus \\ &{}\qquad \qquad \qquad \qquad \qquad \qquad (y_2 \ggg w_4) \oplus \mathrm {AD}_1 \oplus \mathrm {AD}_2 \end{array}\right. } \end{aligned}$$
(90)

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Mileva, A., Dimitrova, V., Velichkov, V. (2016). Analysis of the Authenticated Cipher MORUS (v1). In: Pasalic, E., Knudsen, L. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2015. Lecture Notes in Computer Science(), vol 9540. Springer, Cham. https://doi.org/10.1007/978-3-319-29172-7_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-29172-7_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29171-0

  • Online ISBN: 978-3-319-29172-7

  • eBook Packages: Computer ScienceComputer Science (R0)