SLIDE 1

Cryptanalysis of MORUS

Tomer Ashur (imec-COSIC, KU Leuven), Maria Eichlseder (Graz University of Technology), Martin M. Lauridsen, Gaëtan Leurent (Inria), Brice Minaud (Royal Holloway University of London), Yann Rotella (Inria), Yu Sasaki (NTT Secure Platform Laboratories), Benoît Viguier (Radboud University)

13 Nov 2018 @ ASK2018

(Initially discussed at Lorentz center in Mar 2018)

SLIDE 2

Outline

  • Background and MORUS specification
  • MiniMORUS and its linear trails
  • Extension to Full MORUS (omit details)
  • Observations for Initialization and Finalization
  • Conclusion
SLIDE 3

Remarks: Paper Title Collision

After the galley proof of our paper submission, we became aware of the following paper: Yanbin Li and Meiqin Wang, "Cryptanalysis of MORUS", Designs, Codes and Cryptography, pp. 1–24, first online 9 June 2018 (our paper was submitted to ePrint on 17 May 2018). It is a MILP-aided search for distinguishers on reduced MORUS:

  • Integral distinguishers for 6.5 steps of MORUS-640.
  • Differential distinguishers for 4.5 steps of MORUS-1280.
SLIDE 4

Authenticated Encryption (AE)

Generic composition: encryption gives message privacy and a MAC gives authenticity, the two being computed independently. Authenticated encryption gives privacy + authenticity all-in-one.

  • Simpler security discussion
  • Higher performance
SLIDE 5

History of CAESAR

  • Competition to determine a portfolio of authenticated encryption (AE) schemes
  • R1: from March 2014 with 58 candidates
  • R2: from July 2015 with 29 candidates
  • R3: from August 2016 with 15 candidates
  • Final round: from March 2018 with 7 candidates

SLIDE 6

CAESAR Finalists

  • Low-end: ACORN (dedicated), ASCON (sponge)
  • High-end: OCB (parallelizable), AEGIS (dedicated), MORUS (dedicated)
  • Security: COLM (online AE), Deoxys-II (robust AE)

SLIDE 7

MORUS

SLIDE 8

MORUS

  • Designed by Hongjun Wu and Tao Huang
  • Suitable for SIMD instructions
  • Stream-cipher-like design
  • A big state (640 or 1280 bits) is initialized from the nonce $N$ and the key $K$ (heavy operation).
  • The encryption part is light.
  • MORUS-640 for a 128-bit key
  • MORUS-1280 for a 128- or 256-bit key
SLIDE 9

Overall Structure of MORUS

  • Five registers $S_0, \dots, S_4$ of $4w$ bits each, with $w = 32$ for MORUS-640 and $w = 64$ for MORUS-1280.
  • Each register consists of 4 words of $w$ bits.

[Figure: $K$ and $N$ enter the initialization (16 steps, with constants); the associated data $A_i$ is absorbed (1 step per block); encryption turns $M_j$ into $C_j$ (1 step per block); the finalization absorbs $\mathrm{Alen} \| \mathrm{Mlen}$ (10 steps) and outputs the 128-bit tag $T$.]

SLIDE 10

Step Function of MORUS

[Figure: the five rounds of the step function, with the word rotations (WR1, WR2, WR3) applied to the registers.]

SLIDE 11

Step Function for Encryption

[Figure: the step function as used during encryption, with the same word rotations (WR1, WR2, WR3).]

SLIDE 12

Aim to Analyze All Parts of MORUS

[Figure: the overall structure (initialization with $K$ and $N$, 16 steps with constants; associated data $A_i$, 1 step per block; encryption $M_j \to C_j$, 1 step per block; finalization over $\mathrm{Alen} \| \mathrm{Mlen}$, 10 steps; 128-bit tag $T$), annotated with the three targets of this work:]

  • Encryption: full break of confidentiality.
  • Initialization: reduced-round key recovery in the nonce-respecting setting.
  • Finalization: reduced-round forgery.

SLIDE 13

Security Claim

  • Nonce-respecting security; MORUS-1280-256 claims 256-bit confidentiality.

Our result: the confidentiality of MORUS-1280-256 can be broken after $2^{152}$ encryptions.

SLIDE 14

Bias of Key Stream Generated by Encryption

SLIDE 15

Basics of Linear Cryptanalysis

  • An event $E$ with probability $\Pr[E] = \tfrac{1}{2} \pm \varepsilon$ has bias $\varepsilon$.
  • Correlation: $\mathrm{Cor}(E) = 2 \Pr[E] - 1 = \pm 2\varepsilon$.
  • Weight: $\mathrm{weight}(E) = -\log_2 |\mathrm{Cor}(E)|$.

Piling-Up Lemma: the correlation (resp. weight) of an XOR of independent variables equals the product of their correlations (resp. the sum of their weights).

Linear approximations of AND, each of weight 1: $a \cdot b \approx 0$ (or $1$); $a \cdot b \approx a$ (or $b$); $a \cdot b \approx a \oplus b$.

The effect of $E$ is detected by processing about $2^{2 \cdot \mathrm{weight}(E)}$ inputs.

Example: $\Pr[E] = 3/4$, $\varepsilon = 2^{-2}$, $\mathrm{Cor}(E) = 2^{-1}$, $\mathrm{weight}(E) = 1$.
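As an added example (not part of the slides), the Python below computes these quantities exhaustively for the AND gate: the correlation of $a \cdot b$ against every linear function of $(a, b)$, which yields the four weight-1 approximations listed above (the $a \oplus b$ one with negative sign), the piling-up lemma checked on three independent ANDs, and the $2^{2 \cdot \mathrm{weight}}$ data estimate. The function names are the author's own.

```python
from math import log2


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def correlation(f, mask: int, n_in: int) -> float:
    """Cor of the approximation f(x) = mask·x over all 2^n_in inputs: 2·Pr − 1."""
    n = 1 << n_in
    agree = sum(1 for x in range(n) if f(x) == parity(mask & x))
    return 2 * agree / n - 1


def weight(cor: float) -> float:
    """weight = −log2 |Cor|; the sign of the correlation does not change the data needed."""
    return -log2(abs(cor))


def and_gate(x: int) -> int:
    """a·b with a = bit 0 and b = bit 1 of x."""
    return x & (x >> 1) & 1


def and_approximations() -> dict[str, float]:
    """Correlation of a·b with each linear function of (a, b): masks 00, 01, 10, 11."""
    names = {0b00: "0", 0b01: "a", 0b10: "b", 0b11: "a xor b"}
    return {names[m]: correlation(and_gate, m, 2) for m in names}


def piling_up(cors) -> float:
    """Piling-up lemma: the XOR of independent approximations multiplies correlations."""
    c = 1.0
    for x in cors:
        c *= x
    return c


def piling_up_check() -> tuple[float, float]:
    """(exact, predicted) correlation of (a0·b0) ⊕ (a1·b1) ⊕ (a2·b2) ≈ 0 on six independent bits."""
    def three_ands(x: int) -> int:
        return and_gate(x) ^ and_gate(x >> 2) ^ and_gate(x >> 4)
    return correlation(three_ands, 0, 6), piling_up([0.5, 0.5, 0.5])


def samples_needed(total_weight: float) -> int:
    """Rule of thumb from the slide: a correlation 2^-w needs about 2^(2w) samples."""
    return 1 << round(2 * total_weight)
```

For the AND gate all four masks give $|\mathrm{Cor}| = 2^{-1}$, i.e. weight 1, and the exhaustive value for three XORed ANDs is $2^{-3}$, as the lemma predicts; `samples_needed(16)` gives the $2^{32}$ ciphertexts quoted later for the MiniMORUS trail.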

SLIDE 16

Rotation Invariance of the Step Function

  • Each register has 4 words, and different registers are rotated by different numbers of words (complex).
  • Linearly approximate the 4 bits in positions $i$, $i+w$, $i+2w$, $i+3w$ together.
  • 4 iterations of the same linear trail compress the $4w$-bit register to $w$ bits: this reduced model is MiniMORUS.
  • A linear trail with weight $X$ for MiniMORUS gives a linear trail with weight $4X$ for MORUS.

[Figure: a $4w$-bit register of four $w$-bit words, folded onto the single $w$-bit word of MiniMORUS.]

SLIDE 17

Diagram of MiniMORUS

[Figure: the MiniMORUS step on the five registers $S_0, S_1, S_2, S_3, S_4$.]

SLIDE 18

Overview of Linear Trails

We combine the following five trail fragments:

  • $\alpha_i$: approximate 1 bit of $S_0$ from a ciphertext bit.
  • $\beta_i$: approximate 1 bit of $S_1$ from $S_0$ and a ciphertext bit.
  • $\gamma_i$: approximate 1 bit of $S_4$ from 2 bits of $S_1$.
  • $\delta_i$: approximate 1 bit of $S_2$ from 2 bits of $S_4$.
  • $\vareps	ilon_i$: approximate 1 bit of $S_0$ from 2 bits of $S_2$.

SLIDE 19

$\alpha_i$: from a ciphertext bit to $S_0$

[Figure: one step on $S_0, S_1, S_2, S_3, S_4$, with the two AND terms below highlighted.]

Notation: $S_{k,i}$ is bit $i$ of register $S_k$ as read by a round, and $S'_{k,i}$ the value the round writes.

$C_i = S_{2,i} \cdot S_{3,i} \oplus S_{1,i} \oplus S_{0,i}$ (output function)

$S'_{0,i+b_0} = S_{1,i} \cdot S_{2,i} \oplus S_{3,i} \oplus S_{0,i}$ (round 1 of the step)

Approximate $S_{2,i} \cdot S_{3,i} \approx S_{3,i}$ and $S_{1,i} \cdot S_{2,i} \approx S_{1,i}$ (weight 1 each).

Combine: $C_i = S'_{0,i+b_0}$ (weight 2).

SLIDE 20

$\alpha_i$: from a ciphertext bit to $S_0$ (linear hull)

Same two equations as on the previous slide:

$C_i = S_{2,i} \cdot S_{3,i} \oplus S_{1,i} \oplus S_{0,i}$

$S'_{0,i+b_0} = S_{1,i} \cdot S_{2,i} \oplus S_{3,i} \oplus S_{0,i}$

A second pair of approximations gives the same combined relation: $S_{2,i} \cdot S_{3,i} \approx S_{2,i} \oplus S_{3,i}$ and $S_{1,i} \cdot S_{2,i} \approx S_{1,i} \oplus S_{2,i}$ (weight 1 each).

Combine: $C_i = S'_{0,i+b_0}$ (weight 2 along either trail).

Linear hull: the two trails have correlations of the same sign, so the weight improves from 2 to 1.

SLIDE 21

$\beta_i$: from $S_0$ and $C$ to $S_1$

[Figure: one step on $S_0, S_1, S_2, S_3, S_4$.]

$\beta_i$: $C_i = S_{2,i} \cdot S_{3,i} \oplus S_{1,i} \oplus S_{0,i}$; approximating $S_{2,i} \cdot S_{3,i} \approx 0$ gives $C_i = S_{1,i} \oplus S_{0,i}$ (weight 1).

Combine $\alpha_i$ with $\beta_{i+b_0}$ applied to the state after the step (i.e. to the next ciphertext block):

  • $\alpha_i$: $C_i = S'_{0,i+b_0}$ (weight 2)
  • $\beta_{i+b_0}$: $C_{i+b_0} = S'_{1,i+b_0} \oplus S'_{0,i+b_0}$ (weight 1)

Result: $\bigoplus_i C_i = S_{1,j}$, a bit of $S_1$ expressed by ciphertext bits only.

SLIDE 22

$\gamma_i$: from two bits of $S_1$ to $S_4$

[Figure: one step on $S_0, S_1, S_2, S_3, S_4$.]

$\gamma_i$: $S'_{1,i+b_1} = S_{2,i} \cdot S_{3,i} \oplus S_{4,i} \oplus S_{1,i}$; with $S_{2,i} \cdot S_{3,i} \approx 0$: $S_{4,i} = S_{1,i} \oplus S'_{1,i+b_1}$ (weight 1).

SLIDE 23

$\delta_i$: from two bits of $S_4$ to $S_2$

[Figure: one step on $S_0, S_1, S_2, S_3, S_4$.]

$\delta_i$: $S'_{4,i+b_4} = S_{0,i} \cdot S_{1,i} \oplus S_{2,i} \oplus S_{4,i}$; with $S_{0,i} \cdot S_{1,i} \approx 0$: $S_{2,i} = S_{4,i} \oplus S'_{4,i+b_4}$ (weight 1).

SLIDE 24

$\varepsilon_i$: from two bits of $S_2$ to $S_0$

[Figure: one step on $S_0, S_1, S_2, S_3, S_4$.]

$\varepsilon_i$: $S'_{2,i+b_2} = S_{3,i} \cdot S_{4,i} \oplus S_{0,i} \oplus S_{2,i}$; with $S_{3,i} \cdot S_{4,i} \approx 0$: $S_{0,i} = S_{2,i} \oplus S'_{2,i+b_2}$ (weight 1).

SLIDES 25–30

[Figure, built up over six slides: the fragments are chained on the registers $S_0, \dots, S_4$ of consecutive steps. Stage 1: $C_i = S_{0,j}$ via $\alpha_i$. Stage 2: $\bigoplus_i C_i = S_{1,j}$ via $\alpha_i$ and $\beta_i$ (rotation $b_0$). Stage 3: $\bigoplus_i C_i = S_{4,j}$, adding $\gamma_i$ (rotations $b_0$, $b_0$, $b_1$). Stage 4: $\bigoplus_i C_i = S_{2,j}$, adding $\delta_i$ (rotation $b_4$). Stage 5: $\bigoplus_i C_i = S_{0,j}$, adding $\varepsilon_i$ (rotation $b_2$). Stage 6: $\bigoplus_i C_i = 0$, closing the trail with a further $\alpha_i$.]

SLIDE 31

[Figure: the combined trail, each fragment occurrence annotated with its multiplicity.]

SLIDE 32

Result of Combination for MiniMORUS

  • $\bigoplus C_i = 0$ with weight 24.

Dependency between $\beta_i$ and $\gamma_i$ (occurs 4 times):

  • $\beta_i$: $C_i = S_{2,i} \cdot S_{3,i} \oplus S_{1,i} \oplus S_{0,i}$ (weight 1)
  • $\gamma_i$: $S'_{1,i+b_1} = S_{2,i} \cdot S_{3,i} \oplus S_{4,i} \oplus S_{1,i}$ (weight 1)
  • The same term $S_{2,i} \cdot S_{3,i}$ appears in both and cancels in their XOR, so it need not be approximated: this saves weight 8 over the 4 $(\beta_i, \gamma_i)$ pairs.
  • $\bigoplus C_i = 0$ with weight 16.

Experimentally verified with $2^{32}$ ciphertexts.

  • Works for different choices of the rotation numbers.

SLIDE 33

Extension to MORUS: Overview

  • The $w$-bit state of MiniMORUS is extended to the $4w$-bit state of MORUS by making 4 copies of the linear trail.
  • Linear trail for MiniMORUS: weight 16.
  • Linear trail for MORUS: weight 64 ??
  • For most of the trail the evaluation carries over; however, the weight saving from the dependency cannot be used.
  • A few more issues arise from overlapping bit positions in supposedly independent linear approximations.
  • In the end the weight is 76, which can be verified given $2^{152}$ ciphertexts.

SLIDE 34

Attack Impact

  • The detected bias is unconditional: the attack does not depend on the choice of $K$ and $N$ (it cannot be prevented by key management).
  • The attack works in the broadcast setting (the same plaintext encrypted under many different keys and nonces).

Some protocols fix the first message block to sensitive information (e.g. a user authentication token in HTTP). The correlation in the key stream may be exploited to recover it.

SLIDE 35

Analysis on Finalization of MORUS-1280-256

SLIDE 36

Attack Strategy

Padding for associated data is 0-padding.

  • $A$ and $A \| 0$ lead to the same state value (as long as the extra zero bit stays inside the last padded block, both pad to the same blocks).
  • $\mathrm{HW}(\Delta \mathrm{Alen})$ can be set to 1.
  • Expect that diffusion is slow in the finalization: a differential trail with probability $> 2^{-128}$ can immediately be used for a forgery.

[Figure: the overall structure with the associated data shown as $A_i \| 0^*$, the difference $\Delta$ entering through $\mathrm{Alen} \| \mathrm{Mlen}$ at the finalization, and the sought high-probability differential trail through the 10 finalization steps to the 128-bit tag $T$.]

SLIDE 37

Fast Diffusion

Diffusion is fast: the strategy only works for 3 out of 10 steps. There exists a $\Delta T$ that can be observed with $\mathrm{DP} = 2^{-88}$ after 3 steps and the tag generation.

Cumulative $-\log_2(\mathrm{DP})$ of the trail over the 15 rounds of steps 1–3 and the tag generation, as recovered from the slide's table (in order): 1, 3, 6, 10, 14, 20, 28, 39, 53, 69, 88, the last value being reached at the tag generation.
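The Python below is an added example, not code from the slides or from the MORUS designers. It implements a MiniMORUS toy model (five $w$-bit registers, the five rounds of the MORUS step with the word rotations removed, keystream $S_0 \oplus S_1 \oplus S_2 \cdot S_3$) and uses it for two passages of this deck: the key-stream part (slides 18–32), by measuring the correlations of the fragments $\alpha_i, \dots, \varepsilon_i$, of the two-block combination $\alpha_i + \beta_{i+b_0}$, and of the $(\beta_i, \gamma_i)$ dependency; and the finalization part (slides 36–37), by showing the $A$ versus $A \| 0$ padding collision and the probability of the best one-step output difference for a 1-bit difference in the injected length block. Assumptions, also marked in the code: $w = 32$; the in-word rotation constants $(5, 31, 7, 22, 13)$, believed to be the MORUS-640 values (the slides say the trail works for other choices too); rounds reading the registers already updated by earlier rounds and XORing the injected block into rounds 2 to 5, as the author reads the MORUS step; messages set to zero, so the ciphertext is the key stream. All function names are the author's own.

```python
import random

W = 32                           # word size (assumed: MORUS-640 has w = 32)
MASK = (1 << W) - 1
B = (5, 31, 7, 22, 13)           # in-word rotations b0..b4 (assumed MORUS-640 values)


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (W - r))) & MASK


def bit(x: int, i: int) -> int:
    return (x >> (i % W)) & 1


def step(s: list[int], m: int = 0) -> list[int]:
    """One MiniMORUS step. Round k updates S_k from the registers as already updated by
    the earlier rounds (assumed to follow MORUS); the block m (message, or Alen||Mlen in
    the finalization) is XORed into rounds 2..5. Word rotations are dropped: MiniMORUS."""
    s0, s1, s2, s3, s4 = s
    s0 = rotl(s0 ^ (s1 & s2) ^ s3, B[0])
    s1 = rotl(s1 ^ (s2 & s3) ^ s4 ^ m, B[1])
    s2 = rotl(s2 ^ (s3 & s4) ^ s0 ^ m, B[2])
    s3 = rotl(s3 ^ (s4 & s0) ^ s1 ^ m, B[3])
    s4 = rotl(s4 ^ (s0 & s1) ^ s2 ^ m, B[4])
    return [s0, s1, s2, s3, s4]


def keystream(s: list[int]) -> int:
    """C = S0 xor S1 xor (S2 and S3): the MORUS output function without the word rotation."""
    return s[0] ^ s[1] ^ (s[2] & s[3])


def correlation(event, n: int = 1 << 15, seed: int = 1) -> float:
    """Empirical Cor = 2*Pr[event(state) == 0] - 1 over n uniformly random states."""
    rng = random.Random(seed)
    zeros = sum(1 - event([rng.getrandbits(W) for _ in range(5)]) for _ in range(n))
    return 2 * zeros / n - 1


# Trail fragments at bit position i; s is the state before the step, t the state after.
# Each returns the XOR of both sides of the approximated relation, so Cor = 2^-weight.
def alpha(s, i=3):      # C_i ~ S0'_{i+b0}: two ANDs approximated, hull weight 1
    t = step(s)
    return bit(keystream(s), i) ^ bit(t[0], i + B[0])


def beta(s, i=3):       # C_i ~ S0_i xor S1_i  (S2_i*S3_i ~ 0, weight 1)
    return bit(keystream(s), i) ^ bit(s[0], i) ^ bit(s[1], i)


def gamma(s, i=3):      # S4_i ~ S1_i xor S1'_{i+b1}  (weight 1)
    t = step(s)
    return bit(s[4], i) ^ bit(s[1], i) ^ bit(t[1], i + B[1])


def delta(s, i=3):      # S2'_i ~ S4_i xor S4'_{i+b4}  (S0'*S1' ~ 0, weight 1)
    t = step(s)
    return bit(t[2], i) ^ bit(s[4], i) ^ bit(t[4], i + B[4])


def epsilon(s, i=3):    # S0'_i ~ S2_i xor S2'_{i+b2}  (S3*S4 ~ 0, weight 1)
    t = step(s)
    return bit(t[0], i) ^ bit(s[2], i) ^ bit(t[2], i + B[2])


def alpha_beta(s, i=3):
    """alpha_i on block C, beta_{i+b0} on the next block C': C_i xor C'_{i+b0} ~ S1'_{i+b0}.
    The weights add (1 + 1), so the correlation should be 2^-2."""
    t, j = step(s), i + B[0]
    return bit(keystream(s), i) ^ bit(keystream(t), j) ^ bit(t[1], j)


def beta_gamma_dependency(s, i=3):
    """beta_i and gamma_i share the term S2_i*S3_i, which cancels in the XOR:
    C_i xor S1'_{i+b1} = S0_i xor S4_i holds with probability 1 (weight 0, not 2)."""
    t = step(s)
    return bit(keystream(s), i) ^ bit(t[1], i + B[1]) ^ bit(s[0], i) ^ bit(s[4], i)


# Finalization: zero-padded associated data and a 1-bit difference in the length block.
def pad_blocks(data: int, nbits: int) -> list[int]:
    """Split an nbits-long string (int, MSB first) into W-bit blocks, zero-padding the last."""
    total = -(-nbits // W) * W
    x = data << (total - nbits)
    return [(x >> (total - W * (k + 1))) & MASK for k in range(total // W)]


def absorb(s: list[int], blocks: list[int]) -> list[int]:
    for b in blocks:
        s = step(s, b)
    return s


def padding_collision(seed: int = 7) -> tuple[bool, int]:
    """A (W-2 bits) and A||0 (W-1 bits) pad to the same block, hence the same state;
    only Alen differs, and for even |A| that difference has Hamming weight 1."""
    rng = random.Random(seed)
    s = [rng.getrandbits(W) for _ in range(5)]
    a, alen = rng.getrandbits(W - 2), W - 2
    same = absorb(s, pad_blocks(a, alen)) == absorb(s, pad_blocks(a << 1, alen + 1))
    return same, bin(alen ^ (alen + 1)).count("1")


def one_step_dp(pos: int = 9, n: int = 1 << 12, seed: int = 3) -> float:
    """Probability of the most frequent output difference after one step when the injected
    block differs in bit `pos`. The difference moves linearly through rounds 2-4; the only
    AND with an active input is S0'*S1' in round 5, so the best difference has DP = 2^-1."""
    rng = random.Random(seed)
    counts: dict[tuple, int] = {}
    for _ in range(n):
        s = [rng.getrandbits(W) for _ in range(5)]
        d = tuple(x ^ y for x, y in zip(step(s, 0), step(s, 1 << pos)))
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values()) / n
```

Each fragment measures a correlation close to $2^{-1}$, the two-block combination close to $2^{-2}$, and the $(\beta_i, \gamma_i)$ pair exactly $1$, which is the saving slide 32 exploits. For the finalization, `padding_collision` returns equal states and a length difference of Hamming weight 1, and `one_step_dp` returns about $1/2$, the smallest cost (1) at which the table above starts; the page's table shows how quickly that cost grows over further rounds.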

SLIDE 38

Remarks

  • The last operation in the step function: $S_4 \leftarrow \big(S_4 \oplus S_0 \cdot S_1 \oplus S_2 \oplus (\mathrm{Alen} \| \mathrm{Mlen})\big) \lll b_4$
  • The tag generation function: $T \leftarrow S_0 \oplus S_2 \cdot S_3 \oplus (S_1 \lll b_t)$
  • The last updated value $S_4$ is not used to generate the tag (a waste of computation).

SLIDE 39

Analysis on initialization of MORUS-1280-256

SLIDE 40

Previous Work

  • State recovery and universal forgery in the nonce-repeating setting using $2^5$ queries [KEM2017].
  • The key cannot be recovered due to the feed-forward.
  • Our goal is to recover $K$ for reduced rounds.

[Figure: the overall structure of MORUS (initialization with $K$ and $N$, 16 steps with constants; associated data $A_i$, 1 step per block; encryption $M_j$, 1 step per block; finalization over $\mathrm{Alen} \| \mathrm{Mlen}$, 10 steps; 128-bit tag $T$).]

SLIDE 41

Overview: (3-Subset) MitM Attack

[Figure: the initialization from $IV$ through the steps, with the key entering at both ends as $(0, K, 0, 0, 0)$, loaded into the state at the start and XORed back after the steps (feed-forward), ending at the recovered state. The forward function covers $f_0$ steps, the backward function $f_1$ steps, and they partially match in the middle.]

  • $G_0$: the set of key bits guessed for the forward function
  • $G_1$: the set of key bits guessed for the backward function
  • $G_2$: the set of key bits in the intersection of $G_0$ and $G_1$
  • $m$: the number of bits matching in the middle

SLIDE 42

Attack Results

  • Set $|G_0| = |G_1| = 127$ and $|G_2| = 126$.
  • Search for a separation that ensures $m \geq 1$.
  • For $(f_0, f_1) = (4, 6)$, we found a configuration achieving $m = 4$.
  • The 128-bit key $K$ is recovered with $2^{127}$ computations against 10 out of 16 steps.
  • MORUS was designed to have fast diffusion forwards; the attack exploits slow backward diffusion.

SLIDE 43

Concluding Remarks

SLIDE 44

Concluding Remarks

  • Breaking the 256-bit confidentiality of MORUS-1280-256 with $2^{152}$ encryptions.
  • The first full break of a CAESAR finalist.
  • The combination of AND operations allows the efficient construction of linear trails.
  • The same kind of attack was known on AEGIS [Minaud, SAC 2014].
  • Initialization and finalization were also investigated.

Thank you for your attention!!