Skip to main content
SpringerLink
Log in

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full \(\mathsf {MORUS}\)

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2019 (CRYPTO 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11693))

Included in the following conference series:

Abstract

We show that the correlation of any quadratic Boolean function can be read out from its so-called disjoint quadratic form. We further propose a polynomial-time algorithm that can transform an arbitrary quadratic Boolean function into its disjoint quadratic form. With this algorithm, the exact correlation of quadratic Boolean functions can be computed efficiently.

We apply this method to analyze the linear trails of \(\mathsf {MORUS}\) (one of the seven finalists of the CAESAR competition), which are found with the help of a generic model for linear trails of \(\mathsf {MORUS}\)-like key-stream generators. In our model, any tool for finding linear trails of block ciphers can be used to search for trails of \(\mathsf {MORUS}\)-like key-stream generators. As a result, a set of trails with correlation \(2^{-38}\) is identified for all versions of full \(\mathsf {MORUS}\), while the correlations of previously published best trails for \(\mathsf {MORUS}\)-640 and \(\mathsf {MORUS}\)-1280 are \(2^{-73}\) and \(2^{-76}\) respectively (ASIACRYPT 2018). This significantly improves the complexity of the attack on \(\mathsf {MORUS}\)-1280-256 from \(2^{152}\) to \(2^{76}\). These new trails also lead to the first distinguishing and message-recovery attacks on \(\mathsf {MORUS}\)-640-128 and \(\mathsf {MORUS}\)-1280-128 with surprisingly low complexities around \(2^{76}\).

Moreover, we observe that the condition for exploiting these trails in an attack can be more relaxed than previously thought, which shows that the new trails are superior to previously published ones in terms of both correlation and the number of ciphertext blocks involved.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 119.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 159.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, 14–16 August 2013, pp. 305–320 (2013)

    Google Scholar 

  2. Ashur, T., et al.: Cryptanalysis of MORUS. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 35–64. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_2

    Chapter  Google Scholar 

  3. Bar-On, A., Dunkelman, O., Keller, N., Weizman, A.: DLCT: a new tool for differential-linear cryptanalysis. IACR Cryptology ePrint Archive 2019/256 (2019). https://eprint.iacr.org/2019/256. Accepted to EUROCRYPT 2019

  4. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

    Chapter  Google Scholar 

  5. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptology 21(4), 469–491 (2008)

    Article  MathSciNet  Google Scholar 

  6. Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_1

    Chapter  Google Scholar 

  7. CAESAR: Call for Submission. http://competitions.cr.yp.to/

  8. Dobraunig, C., Eichlseder, M., Mendel, F.: Heuristic tool for linear cryptanalysis with applications to CAESAR candidates. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 490–509. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_20

    Chapter  Google Scholar 

  9. Domonkos, T.P., Lueg, L.: Taking a different approach to attack WPA2-AES, or the born of the CCMP known-plain-text attack (2010). https://www.hwsw.hu/kepek/hirek/2011/05/wpa2aes_ccmp_known_plaintext.pdf

  10. Duong, T., Rizzo, J.: Here come the \(\oplus \) ninjas. Ekoparty (2011)

    Google Scholar 

  11. Dwivedi, A.D., Kloucek, M., Morawiecki, P., Nikolic, I., Pieprzyk, J., Wójtowicz, S.: SAT-based cryptanalysis of authenticated ciphers from the CAESAR competition. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017), SECRYPT, Madrid, Spain, 24–26 July 2017, vol. 4, pp. 237–246 (2017)

    Google Scholar 

  12. Dwivedi, A.D., Morawiecki, P., Wójtowicz, S.: Differential and rotational cryptanalysis of round-reduced MORUS. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017), SECRYPT, Madrid, Spain, 24–26 July 2017, vol. 4, pp. 275–284 (2017)

    Google Scholar 

  13. Early Symmetric Crypto workshop ESC (2013). https://www.cryptolux.org/mediawiki-esc2013/index.php/ESC_2013

  14. Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_14

    Chapter  Google Scholar 

  15. Kaliski Jr., B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_4

    Chapter  Google Scholar 

  16. Kaliski Jr., B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations and FEAL. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 249–264. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_19

    Chapter  Google Scholar 

  17. Kales, D., Eichlseder, M., Mendel, F.: Note on the robustness of CAESAR candidates. IACR Cryptology ePrint Archive 2017/1137 (2017). http://eprint.iacr.org/2017/1137

  18. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_3

    Chapter  Google Scholar 

  19. Li, Y., Wang, M.: Cryptanalysis of MORUS. Des. Codes Cryptography (2018). https://doi.org/10.1007/s10623-018-0501-6

    Article  MathSciNet  Google Scholar 

  20. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45473-X_13

    Chapter  Google Scholar 

  21. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33

    Chapter  Google Scholar 

  22. Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053451

    Chapter  Google Scholar 

  23. Mileva, A., Dimitrova, V., Velichkov, V.: Analysis of the authenticated cipher MORUS (v1). In: Pasalic, E., Knudsen, L.R. (eds.) BalkanCryptSec 2015. LNCS, vol. 9540, pp. 45–59. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29172-7_4

    Chapter  MATH  Google Scholar 

  24. Minaud, B.: Linear biases in AEGIS keystream. In: Joux, A., Youssef, A.M. (eds.) SAC 2014. LNCS, vol. 8781, pp. 290–305. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_18

    Chapter  MATH  Google Scholar 

  25. Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, 18–22 November 2002, pp. 98–107 (2002)

    Google Scholar 

  26. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22

    Chapter  MATH  Google Scholar 

  27. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

    Chapter  Google Scholar 

  28. Salam, M.I., Simpson, L., Bartlett, H., Dawson, E., Pieprzyk, J., Wong, K.K.: Investigating cube attacks on the authenticated encryption stream cipher MORUS. In: 2017 IEEE Trustcom/BigDataSE/ICESS, Sydney, Australia, 1–4 August 2017, pp. 961–966 (2017)

    Google Scholar 

  29. Shi, T., Guan, J., Li, J., Zhang, P.: Improved collision cryptanalysis of authenticated cipher MORUS. In: Artificial Intelligence and Industrial Engineering-AIIE, pp. 429–432 (2016)

    Google Scholar 

  30. Strassen, V.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)

    Article  MathSciNet  Google Scholar 

  31. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9

    Chapter  Google Scholar 

  32. Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 188–202. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77535-5_14

    Chapter  Google Scholar 

  33. Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5

    Chapter  Google Scholar 

  34. Vaudenay, S., Vizár, D.: Under pressure: security of CAESAR candidates beyond their guarantees. IACR Cryptology ePrint Archive 2017/1147 (2017). http://eprint.iacr.org/2017/1147

  35. Wu, H., Huang, T.: The authenticated cipher MORUS (v2). Submission to CAESAR: Competition for Authenticated Encryption. Security, Applicability, and Robustness (Round 3 and Finalist) (2016). https://competitions.cr.yp.to/round3/morusv2.pdf

Download references

Acknowledgment

The authors thank the anonymous reviewers for many helpful comments.The work is supported by the National Key R&D Program of China (Grant No. 2018YFB0804402), the Chinese Major Program of National Cryptography Development Foundation (Grant No. MMJJ20180102), the National Natural Science Foundation of China (61732021, 61802400, 61772519, 61802399), and the Youth Innovation Promotion Association of Chinese Academy of Sciences. Chaoyun Li is supported by the Research Council KU Leuven: C16/15/058, OT/13/071, and by European Union’s Horizon 2020 research and innovation programme (No. H2020-MSCA-ITN-2014-643161 ECRYPT-NET).

Author information

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Danping Shi, Siwei Sun & Lei Hu

  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China

    Danping Shi, Siwei Sun & Lei Hu

  3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Siwei Sun & Lei Hu

  4. NTT Secure Platform Laboratories, Tokyo, Japan

    Yu Sasaki

  5. imec-COSIC, Department Electrical Engineering (ESAT), KU Leuven, Leuven, Belgium

    Chaoyun Li

Authors
  1. Danping Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Siwei Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yu Sasaki
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Chaoyun Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Lei Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Siwei Sun .

Editor information

Editors and Affiliations

  1. Georgia Institute of Technology, Atlanta, GA, USA

    Alexandra Boldyreva

  2. University of California at San Diego, La Jolla, CA, USA

    Daniele Micciancio

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Shi, D., Sun, S., Sasaki, Y., Li, C., Hu, L. (2019). Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full \(\mathsf {MORUS}\). In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11693. Springer, Cham. https://doi.org/10.1007/978-3-030-26951-7_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-26951-7_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-26950-0

  • Online ISBN: 978-3-030-26951-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation