SLIDE 1

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS

Siwei Sun

Joint work with: Danping Shi, Yu Sasaki, Chaoyun Li, Lei Hu

Chinese Academy of Sciences, China; NTT Secure Platform Laboratories, Japan; imec-COSIC, Dept. Electrical Engineering (ESAT), KU Leuven, Belgium

December 14, 2019

Siwei Sun et. al. Cryptanalysis of All Versions of Full MORUS 1 / 38

SLIDE 2

Outline

1. Correlation and Linear Cryptanalysis
2. Correlation of Quadratic Boolean Functions
3. Cryptanalysis of MORUS
4. Conclusion and Discussion

SLIDE 4

Correlation

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function with ANF

$$f(\mathbf{x}) = \sum_{\mathbf{u} \in \mathbb{F}_2^n} a_{\mathbf{u}} \mathbf{x}^{\mathbf{u}},$$

where $\mathbf{x} = (x_1, \cdots, x_n)$, $\mathbf{u} = (u_1, \cdots, u_n)$, $a_{\mathbf{u}} \in \mathbb{F}_2$, and $\mathbf{x}^{\mathbf{u}} = \prod_{i=1}^{n} x_i^{u_i}$.

Definition (Correlation) The correlation of an $n$-variable Boolean function $f$ is

$$\mathrm{cor}(f) = \frac{1}{2^n} \sum_{\mathbf{x} \in \mathbb{F}_2^n} (-1)^{f(\mathbf{x})},$$

and the weight of the correlation is defined as $-\log_2 |\mathrm{cor}(f)|$.

$$\Pr(f = 0) = \frac{1}{2} + \frac{1}{2}\mathrm{cor}(f)$$

SLIDE 5

Linear Cryptanalysis

[Figure: keystream generator diagram with labels Init, SU, states $S^0, \cdots, S^k$, functions $F$ and $G$, outputs $Z^0, \cdots, Z^k$ and linear masks $\alpha_i$, $\beta_i$, $\gamma_i$, $\lambda_i$]

Object: $\max \left| \mathrm{cor}\left( \sum_{i=0}^{k} \lambda_i Z^i \right) \right|$

Note that $\sum_{i=0}^{k} \lambda_i Z^i$ is a Boolean function whose variables are bits of $S^0$.

SLIDE 6

Definition (Correlation) The correlation of an $n$-variable Boolean function $f$ is

$$\mathrm{cor}(f) = \frac{1}{2^n} \sum_{\mathbf{x} \in \mathbb{F}_2^n} (-1)^{f(\mathbf{x})},$$

and the weight of the correlation is defined as $-\log_2 |\mathrm{cor}(f)|$.

- Brute force the input
- Graph-based method [TIM+18]
- ... ...

SLIDE 8

Definition (Disjoint Quadratic Boolean Function) A quadratic Boolean function $f(x_1, \cdots, x_n)$ is disjoint if no variable $x_i$ appears in more than one quadratic term.

Example
- $x_1x_2 + x_3x_4$
- $x_1x_3 + x_2x_4 + x_2 + x_5$

Counter-Example
- $x_1x_2 + x_2x_3$

SLIDE 9

Lemma Let $f = x_{i_1}x_{i_2} + \cdots + x_{i_{2k-1}}x_{i_{2k}} + x_{j_1} + \cdots + x_{j_s}$ be a disjoint quadratic Boolean function. Then the correlation of $f$ is

$$\mathrm{cor}(f) = \begin{cases} (-1)^{\sum_{t=1}^{k} \mathrm{Coef}(x_{i_{2t-1}})\,\mathrm{Coef}(x_{i_{2t}})} \cdot 2^{-k} & \{j_1, \cdots, j_s\} \subseteq \{i_1, \cdots, i_{2k}\} \\ 0 & \{j_1, \cdots, j_s\} \nsubseteq \{i_1, \cdots, i_{2k}\} \end{cases}$$

where $\mathrm{Coef}(\mathbf{x}^{\mathbf{u}})$ denotes the coefficient of the monomial $\mathbf{x}^{\mathbf{u}}$ in the ANF of $f$.

Examples
- $|\mathrm{cor}(x_1x_2 + x_3x_4)| = 2^{-2}$
- $|\mathrm{cor}(x_1x_3 + x_2x_4 + x_2 + x_5)| = 0$
- $|\mathrm{cor}(x_1x_3 + x_2x_4 + x_2 + x_3)| = 2^{-2}$

SLIDE 10

Idea Given a quadratic Boolean function, transform it into a disjoint quadratic Boolean function such that the transformation is correlation invariant (up to a minus sign).

SLIDE 22

Example

$f = x_1x_2 + x_1x_5 + x_2x_3 + x_2x_4 + x_1 + x_2$
$f = x_2(x_1 + x_3 + x_4) + x_1x_5 + x_1 + x_2$

$x_1 \leftarrow x_1 + x_3 + x_4$, $x_j \leftarrow x_j$, $j \neq 1$

$f = x_1x_2 + x_1x_5 + x_3x_5 + x_4x_5 + x_1 + x_3 + x_4 + x_2$
$f = x_1(x_2 + x_5) + x_3x_5 + x_4x_5 + x_1 + x_3 + x_4 + x_2$

$x_2 \leftarrow x_2 + x_5$, $x_j \leftarrow x_j$, $j \neq 2$

$f = x_1x_2 + x_3x_5 + x_4x_5 + x_1 + x_2 + x_3 + x_4 + x_5$
$f = x_1x_2 + x_5(x_3 + x_4) + x_1 + x_2 + x_3 + x_4 + x_5$

$x_3 \leftarrow x_3 + x_4$, $x_j \leftarrow x_j$, $j \neq 3$

$f \leftarrow x_1x_2 + x_3x_5 + x_1 + x_2 + x_3 + x_5$

SLIDE 23

Theorem Given a quadratic Boolean function $f(\mathbf{x}) = f(x_1, \cdots, x_n)$, the algorithm outputs a disjoint quadratic Boolean function $\hat{f}(\mathbf{x})$ and an invertible $n \times n$ matrix $M$, such that $\hat{f}(\mathbf{x}) = f(\mathbf{x}M)$. Moreover, the algorithm has time complexity $O(n^{3.8})$ and memory complexity $\Omega(n^2)$.
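One way to implement the reduction to disjoint form and the correlation lemma, as an added example that is not code from the talk or the paper. It pairs off two variables per step with the identity $x_a x_b + x_a A + x_b B = (x_a + B)(x_b + A) + AB$ rather than one substitution at a time, and it accepts a constant term (which only flips the sign); the function names and the bitmask encoding are assumptions of this example.

```python
from fractions import Fraction


def bits(mask):
    """Yield the indices of the set bits of mask, lowest first."""
    i = 0
    while mask:
        if mask & 1:
            yield i
        mask >>= 1
        i += 1


def evaluate(quad, lin, const, x):
    """Evaluate f at x, a bitmask whose bit i holds variable number i."""
    v = const
    for i, j in quad:
        v ^= (x >> i) & (x >> j) & 1
    for i in lin:
        v ^= (x >> i) & 1
    return v


def brute_force(n, quad, lin, const=0):
    """cor(f) straight from the definition (2^n evaluations)."""
    total = sum(-1 if evaluate(quad, lin, const, x) else 1 for x in range(1 << n))
    return Fraction(total, 1 << n)


def to_disjoint(n, quad, lin, const=0):
    """Return (pairs, lin, const, cols) for a disjoint f_hat with f_hat(y) = f(x(y)).

    cols[i] is the bitmask of new variables y whose XOR gives the original x_i.
    """
    adj = [0] * n                       # bit j of adj[i] set <=> x_i x_j is a term
    for i, j in quad:
        adj[i] ^= 1 << j
        adj[j] ^= 1 << i
    l = 0
    for i in lin:
        l ^= 1 << i
    cols = [1 << i for i in range(n)]
    pairs = []
    for a in range(n):
        if adj[a] == 0 or any(a in p for p in pairs):
            continue
        b = next(bits(adj[a]))
        A = adj[a] & ~(1 << b)          # partners of x_a other than x_b
        B = adj[b] & ~(1 << a)          # partners of x_b other than x_a
        # x_a x_b + x_a A + x_b B = (x_a + B)(x_b + A) + A B, so substituting
        # x_a <- x_a + B, x_b <- x_b + A leaves x_a x_b plus A B on the rest.
        for i in bits(A):
            adj[i] = (adj[i] & ~(1 << a)) ^ (B & ~(1 << i))
        for j in bits(B):
            adj[j] = (adj[j] & ~(1 << b)) ^ (A & ~(1 << j))
        l ^= (A & B) ^ (B if l >> a & 1 else 0) ^ (A if l >> b & 1 else 0)
        cols = [c ^ (B if c >> a & 1 else 0) ^ (A if c >> b & 1 else 0) for c in cols]
        adj[a], adj[b] = 1 << b, 1 << a
        pairs.append((a, b))
    return pairs, list(bits(l)), const, cols


def correlation(n, quad, lin, const=0):
    """cor(f) from the disjoint form and the lemma; const flips the sign."""
    pairs, l, c, _ = to_disjoint(n, quad, lin, const)
    paired = {v for p in pairs for v in p}
    if any(i not in paired for i in l):
        return Fraction(0)              # linear term on an unpaired variable
    sign = c
    for a, b in pairs:
        sign ^= (a in l) & (b in l)
    return Fraction(-1 if sign else 1, 1 << len(pairs))


# The worked example from the slides, with x1..x5 mapped to indices 0..4.
SLIDE_F = (5, [(0, 1), (0, 4), (1, 2), (1, 3)], [0, 1])

if __name__ == "__main__":
    print(to_disjoint(*SLIDE_F), correlation(*SLIDE_F), brute_force(*SLIDE_F))
```

On the slides' example this reaches the same disjoint function as the step-by-step derivation, and the returned `cols` give the substitution that maps one form to the other.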

SLIDE 24

Remark On 22-06-2019, we received an E-mail from Ryan Williams (MIT), which indicated that essentially the same theory concerning quadratic forms had been developed much earlier (despite some superficial differences in the appearance).

- Leonard Carlitz: Gauss sums over finite fields of order $2^n$. Acta Arithmetica. 1969.
- Andrzej Ehrenfeucht and Marek Karpinski: The computational complexity of (xor, and)-counting problems. International Computer Science Inst. 1990
- Roland Mirwald and Claus-Peter Schnorr: The Multiplicative Complexity of Quadratic Boolean Forms. Theor. Comput. Sci. 1992.

SLIDE 26

The CAESAR Competition

- R1: 58 candidates, 2014.3-2015.7
- R2: 29 candidates, 2015.7-2016.8
- R3: 15 candidates, 2016.8-2018.3
- RF: 7 candidates, 2018.3-2019.3

SLIDE 27

Finalists of CAESAR

- Lightweight applications: ACORN, ASCON
- High-performance applications: AEGIS, OCB, MORUS
- Defense in depth: COLM, Deoxys-II

6 winners were announced on March 20, 2019.

SLIDE 28

MORUS

- Designers: Hongjun Wu and Tao Huang
- Stream-cipher like design
- MORUS-640, 128-bit key
- MORUS-1280, 128-bit or 256-bit key
- MORUS-1280-256 was broken in ASIACRYPT 2018 [AEL+18]

| Name | State size (5q) | Register size (q) | Word size (q/4) | Key size |
|---|---|---|---|---|
| MORUS-640-128 | 640 | 128 | 32 | 128 |
| MORUS-1280-128 | 1280 | 256 | 64 | 128 |
| MORUS-1280-256 | 1280 | 256 | 64 | 256 |

SLIDE 29

Encryption Algorithm

[Figure: Internal State. Registers $S_0, \cdots, S_4$, each with bits $S_{i,q-1}, \cdots, S_{i,0}$]

$f(S^t, V^t) = \mathrm{StateUpdate}(S^t, V^t)$
$g(S^t) = S^t_0 \oplus (S^t_1 \ll b'_2) \oplus (S^t_2 \wedge S^t_3)$

[Figure: The encryption algorithm of MORUS. Initialization from $c_1$, $c_0$, $1^*$, Key and Nonce starting at $S^{-16}$ and ending at $S^0$; associated data processing of $A^0, \cdots, A^{u-1}$ ending at $S^u$; then message blocks $M^0, M^1, M^2, M^3, \cdots$ and ciphertext blocks $C^0, C^1, C^2, C^3, \cdots$ with $g$ and $f$ applied at each step]

SLIDE 30

State Update Function

[Figure: state update function. Labels: registers $S_0, \cdots, S_4$, AND gates ($\wedge$), word-wise rotations $\ll_\omega b_0, \cdots, \ll_\omega b_4$, register rotations $\ll b'$, and $M$ and $C$]

$b'$ is a multiple of the word size

SLIDE 31

$f(S^t, V^t) = \mathrm{StateUpdate}(S^t, V^t)$
$g(S^t) = S^t_0 \oplus (S^t_1 \ll b'_2) \oplus (S^t_2 \wedge S^t_3)$

[Figure: the encryption algorithm of MORUS (initialization, associated data processing, message blocks $M^0, M^1, \cdots$ and ciphertext blocks $C^0, C^1, \cdots$) shown together with the keystream generator diagram (Init, SU, states $S^i$, functions $F$ and $G$, outputs $Z^i$, masks $\alpha_i$, $\beta_i$, $\gamma_i$, $\lambda_i$)]

SLIDE 32

For a block cipher, we have many tools (Matsui’s branch and bound, MILP, SAT, SMT, CP etc.) to search for its linear trails. For the key stream generator?

SLIDE 33

[Figure: keystream generator diagram with labels Init, SU, states $S^0, \cdots, S^k$, functions $F$ and $G$, outputs $Z^0, \cdots, Z^k$ and linear masks $\alpha_i$, $\beta_i$, $\gamma_i$, $\lambda_i$]

Definition (Linear trail) A linear trail of the key stream generator shown in the figure, $(\beta_{-1}, \gamma_0, \lambda_0, \alpha_0, \beta_0, \cdots, \alpha_{k-1}, \beta_{k-1}, \gamma_k, \lambda_k, \alpha_k)$, is said to be exploitable if and only if $\beta_{-1} = 0$, $\alpha_k = 0$, and $\alpha_i \oplus \gamma_i \oplus \beta_{i-1} = 0$ for $0 \le i \le k$.

SLIDE 34

Linear characteristic

[Figure: keystream generator diagram with labels Init, SU, states $S^0, \cdots, S^k$, functions $F$ and $G$, outputs $Z^0, \cdots, Z^k$ and linear masks $\alpha_i$, $\beta_i$, $\gamma_i$, $\lambda_i$]

$$\begin{cases} \beta_{-1} = 0 \\ \alpha_k = 0 \\ \alpha_i + \gamma_i + \beta_{i-1} = 0, & 0 \le i \le k \\ \gamma_i S^i + \lambda_i Z^i = 0, & 0 \le i \le k \\ \alpha_i S^i + \beta_i S^{i+1} = 0, & 0 \le i \le k-1 \end{cases} \qquad (1)$$

SLIDE 35

Rotationally Invariant Masks [AEL+18]

[Figure: state update function. Labels: registers $S_0, \cdots, S_4$, AND gates ($\wedge$), word-wise rotations $\ll_\omega b_0, \cdots, \ll_\omega b_4$, register rotations $\ll b'$, and $M$ and $C$]

$b'$ is a multiple of the word size

SLIDE 36

MiniMORUS: each register contains a single word

SLIDE 37

MiniMORUS

[Figure: state update function. Labels: registers $S_0, \cdots, S_4$, AND gates ($\wedge$), word-wise rotations $\ll_\omega b_0, \cdots, \ll_\omega b_4$, register rotations $\ll b'$, and $M$ and $C$]

SLIDE 38

MiniMORUS

[Figure: MiniMORUS state update. Labels: registers $S_0, \cdots, S_4$, AND gates ($\wedge$), rotations $\ll b_0, \cdots, \ll b_4$, and $M$ and $C$]

SLIDE 39

- Any linear characteristic search tool (Matsui, MILP, SAT/SMT, CP, etc.) can be applied.
- The resulting characteristics are only locally sound!
- Any characteristic can be converted to a quadratic Boolean function in variables $S^t_{i,j}$, from which the correlation should be recalculated!

SLIDE 40

$f_1(x_1, x_2, x_3) = x_1x_2 + x_2$, $\mathrm{cor}(f_1) = 2^{-1}$
$f_2(x_1, x_2, x_3) = x_1x_3$, $\mathrm{cor}(f_2) = 2^{-1}$

$f = f_1 + f_2 = x_1x_2 + x_1x_3 + x_2$
$\mathrm{cor}(f) = 0 \neq 2^{-2}$

SLIDE 41

Table: An invalid trail of MiniMORUS-640 with span 3

| Round | Mask | Linear masks |
|---|---|---|
| | $\alpha_0$ | 40400000 40400000 00000000 40400000 00000000 |
| | | 08000008 00400000 00000000 00000000 00000000 |
| | | 08000008 00200000 00000000 00000000 00400000 |
| | | 08000008 00200000 00000000 00000000 00400000 |
| | | 08000008 00200000 00000000 00000000 00400000 |
| | $\beta_0$ | 08000008 00200000 00400000 00000000 00000008 |
| | $\gamma_0$ | 40400000 40400000 00000000 40400000 00000000 |
| | $\lambda_0$ | 40400000 |
| 1 | $\alpha_1$ | 20600000 28400008 00400000 20600000 00000008 |
| | | 0c000004 08000008 00000000 00000000 00000008 |
| | | 0c000004 04000004 08000000 00000000 08000000 |
| | | 04000004 04000004 00000004 00000000 00000000 |
| | | 04000004 04000004 00000004 00000000 00000000 |
| | $\beta_1$ | 04000004 04000004 00000004 00000000 00000000 |
| | $\gamma_1$ | 28600008 28600008 00000000 20600000 00000000 |
| | $\lambda_1$ | 28600008 |
| 2 | $\gamma_2$ | 04000004 04000004 00000004 00000000 00000000 |
| | $\lambda_2$ | 04000004 |

SLIDE 42

Dependent AND Gates

[Figure: MiniMORUS state update. Labels: registers $S_0, \cdots, S_4$, AND gates ($\wedge$), rotations $\ll b_0, \cdots, \ll b_4$, and $M$ and $C$]

$C_i = S^0_{0,i} \oplus S^0_{1,i} \oplus S^0_{2,i} \cdot S^0_{3,i}$
$S^1_{0,i+b_0} = S^0_{0,i} \oplus S^0_{3,i} \oplus S^0_{1,i} \cdot S^0_{2,i}$

SLIDE 43

Table: A linear trail of MiniMORUS-640 with correlation $-2^{-8}$

| Round | Mask | Linear masks |
|---|---|---|
| | $\alpha_0$ | 10000000 10000000 00000000 10000000 00000000 |
| | | 00000002 00000000 00000000 00000000 00000000 |
| | | 00000002 00000000 00000000 00000000 00000000 |
| | | 00000002 00000000 00000000 00000000 00000000 |
| | | 00000002 00000000 00000000 00000000 00000000 |
| | $\beta_0$ | 00000002 00000000 00000000 00000000 00000000 |
| | $\gamma_0$ | 10000000 10000000 00000000 10000000 00000000 |
| | $\lambda_0$ | 10000000 |
| 1 | $\alpha_1$ | 08000200 08000202 00000002 08000200 00000000 |
| | | 00004001 00000002 00000002 00000000 00000000 |
| | | 00004001 00000001 00000000 00000000 00000002 |
| | | 00004001 00000001 00000000 00000000 00000002 |
| | | 00004001 00000001 00000000 00000000 00000002 |
| | $\beta_1$ | 00004003 00000003 00000002 00000000 00004000 |
| | $\gamma_1$ | 08000202 08000202 00000002 08000200 00000000 |
| | $\lambda_1$ | 08000202 |
| 2 | $\alpha_2$ | 00000100 00004100 00000000 00000100 00004000 |
| | | 00002000 00004000 00000000 00000000 00004000 |
| | | 00002000 00002000 00000000 00000000 00000000 |
| | | 00002000 00002000 00000000 00000000 00000000 |
| | | 00002000 00002000 00000000 00000000 00000000 |
| | $\beta_2$ | 00002000 00002000 00000000 00000000 00000000 |
| | $\gamma_2$ | 00004103 00004103 00000002 00000100 00000000 |
| | $\lambda_2$ | 00004103 |
| 3 | $\gamma_3$ | 00002000 00002000 00000000 00000000 00000000 |
| | $\lambda_3$ | 00002000 |

SLIDE 44

- We only list the values for $\alpha_i$, $\beta_i$, $\gamma_i$, and $\lambda_i$. Actually, for every input and output bit of all the AND gates involved, the solution specifies their masks.
- For every AND gate whose output mask is 1 (active AND gates), we can write down an equation in $S^t_{i,j}$.
- Summing up these equations gives $\lambda_i Z^i$ expressed as a quadratic Boolean function in $S^t_{i,j}$.
- Trails for MiniMORUS can be extended to full MORUS.

SLIDE 45

Table: A summary of the results

| Target | Span | $\lvert\mathrm{cor}\rvert$ | Data | Time | Source |
|---|---|---|---|---|---|
| MiniMORUS-640 | 5 | $2^{-16}$ | $2^{32}$ | $2^{32}$ | [AEL+18] |
| | 4 | $2^{-8}$ | $2^{16}$ | $2^{16}$ | Ours |
| MiniMORUS-1280 | 5 | $2^{-16}$ | $2^{32}$ | $2^{32}$ | [AEL+18] |
| | 4 | $2^{-8}$ | $2^{16}$ | $2^{16}$ | Ours |
| MORUS-640-128 | 4 | $2^{-38}$ | $2^{76}$ | $2^{76}$ | Ours |
| MORUS-1280-128 | 4 | $2^{-38}$ | $2^{76}$ | $2^{76}$ | Ours |
| MORUS-1280-256 | 5 | $2^{-76}$ | $2^{152}$ | $2^{152}$ | [AEL+18] |
| | 4 | $2^{-38}$ | $2^{76}$ | $2^{76}$ | Ours |

SLIDE 46

- Distinguishing attack
- Message recovery attack

Assumptions
- $S^0$ is random (quite reasonable!).
- The $S^i$ are independent for different $i$. (??)

SLIDE 47

Table: Verification for MiniMORUS

| Version | Experiments | Theoretically |
|---|---|---|
| MiniMORUS-640 | $2^{-7.7919}$ | $2^{-8}$ |
| MiniMORUS-1280 | $2^{-8.1528}$ | $2^{-8}$ |

SLIDE 48

Table: The five trail fragments of MORUS-640

| Trail fragment | Weight |
|---|---|
| $\chi_1$: $C^0_{\{124,92,60,28\}} \oplus C^1_{\{97,65,33,1\}} = S^1_{4,\{97,65,33,1\}} \oplus S^2_{1,\{96,64,32,0\}}$ | 7 |
| $\chi_2$: $C^1_{\{123,91,59,27\}} \oplus C^2_{\{96,64,32,0\}} = S^2_{1,\{96,64,32,0\}}$ | 8 |
| $\chi_3$: $C^2_{\{104,72,40,8\}} \oplus C^3_{\{109,77,45,13\}} = S^3_{1,\{109,77,45,13\}}$ | 8 |
| $\chi_4$: $C^1_{\{105,73,41,9\}} \oplus C^2_{\{110,78,46,14\}} = S^3_{1,\{109,77,45,13\}} \oplus S^2_{4,\{110,78,46,14\}}$ | 7 |
| $\chi_5$: $C^2_{\{97,65,33,1\}} = S^1_{4,\{97,65,33,1\}} \oplus S^2_{4,\{110,78,46,14\}}$ | 8 |

SLIDE 49

Table: The five trail fragments of MORUS-1280

| Trail fragment | Weight |
|---|---|
| $\chi_1$: $C^0_{\{208,144,80,16\}} \oplus C^1_{\{221,157,93,29\}} = S^1_{4,\{221,157,93,29\}} \oplus S^2_{1,\{203,139,75,11\}}$ | 7 |
| $\chi_2$: $C^1_{\{254,190,126,62\}} \oplus C^2_{\{203,139,75,11\}} = S^2_{1,\{203,139,75,11\}}$ | 8 |
| $\chi_3$: $C^2_{\{194,130,66,2\}} \oplus C^3_{\{207,143,79,15\}} = S^3_{1,\{207,143,79,15\}}$ | 8 |
| $\chi_4$: $C^1_{\{212,148,84,20\}} \oplus C^2_{\{225,161,97,33\}} = S^3_{1,\{207,143,79,15\}} \oplus S^2_{4,\{225,161,97,33\}}$ | 7 |
| $\chi_5$: $C^2_{\{221,157,93,29\}} = S^1_{4,\{221,157,93,29\}} \oplus S^2_{4,\{225,161,97,33\}}$ | 8 |

SLIDE 50

[Figure: Experimental verification of the trail fragments of MORUS-640 and MORUS-1280. Panels (a) MORUS-640 and (b) MORUS-1280 show the weight of the correlation, predicted and measured, for the trail fragments $\chi_1$ to $\chi_5$]

SLIDE 52

- The correlation of a quadratic Boolean function can be computed efficiently. How about Boolean functions with higher degrees?
- How can we search for trails which are not rotationally invariant?
- MILP based search can only deal with small spans. Some manual analysis targeting Trivium, SNOW, and ZUC using very large spans!

SLIDE 53

Thanks! Any questions?

SLIDE 54

References I

[AEL+18] Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Gaëtan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki, and Benoît Viguier. Cryptanalysis of MORUS. In Advances in Cryptology - ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-6, 2018, Proceedings, Part II, pages 35–64, 2018.

[TIM+18] Yosuke Todo, Takanori Isobe, Willi Meier, Kazumaro Aoki, and Bin Zhang. Fast Correlation Attack Revisited - Cryptanalysis on Full Grain-128a, Grain-128, and Grain-v1. In Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part II, pages 129–159, 2018.