Cryptanalysis of MORUS (Initially discussed at Lorentz center in Mar - PowerPoint PPT Presentation

Cryptanalysis of MORUS (Initially discussed at Lorentz center in Mar 2018) Tomer Ashur imec-COSIC KU Leuven Maria Eichlseder Graz University of Technology Martin M. Lauridsen G ӓ etan Leurent Inria Brice Minaud, Royal Holloway University of London Yann Rotella Inria Yu Sasaki NTT Secure Platform Laboratories Benoît Viguier Radbond University 13 Nov 2018 @ ASK2018

Outline • Background and MORUS specification • MiniMORUS and its linear trails • Extension to Full MORUS (omit details) • Observations for Initialization and Finalization • Conclusion 1

Remarks: Paper Title Collision After the galley-proof of our paper submission, we realized the following paper. Yanbin Li and Meiqin Wang. “ Cryptanalysis of MORUS ”. Designs, Codes and Cryptography, pages 1 — 24, First Online: 09 June 2018 (Our paper was submitted to ePrint on 17 May 2018) MILP-aided search for reduced MORUS. • Integral distinguishers for 6.5 steps of MORUS-640. • Differential distinguishers for 4.5 steps of MORUS-1280. 2

Authenticated Encryption (AE) message privacy Encryption independently computed MAC authenticity message privacy + all-in-one authenticity Authentication Encryption • Simple security discussion • Higher performance 3

History of CAESAR • Competition to determine portfolio of authenticated encryption (AE) schemes R1 : From March 2014 with 58 candidates R2 : From July 2015 with 29 candidates R3 : From August 2016 with 15 candidates RF : From March 2018 with 7 candidates 4

CAESAR Finalists Low-end High-end Security AEGIS ACORN COLM (dedicated) (dedicated) (online AE) MORUS (dedicated) ASCON Deoxys-II (sponge) (robust AE) OCB (parallelizable) 5

MORUS

MORUS • Designed by Hongjun Wu and Tao Huang • Suitable for SIMD instructions • Stream-cipher like design • A big state (640 or 1280 bits) is initialized from nonce 𝑂 and key 𝐿 (heavy operation). • Encryption part is light. • MORUS-640 for 128-bit key • MOUS-1280 for 128- or 256-bit key 7

Overall Structure of MORUS 𝐷 𝑘 𝐵 𝑚𝑓𝑜 𝑁 𝑚𝑓𝑜 0 𝐿 𝐵 𝑗 𝑁 𝑘 𝑂 𝐿 1 𝑇𝑢𝑓𝑞 16 1 𝑡𝑢𝑓𝑞 10 𝑈 𝑞𝑓𝑠 𝑇𝑢𝑓𝑞𝑡 𝑞𝑓𝑠 𝑐𝑚𝑝𝑑𝑙 𝑑𝑝𝑜𝑡𝑢 Steps 128 𝑐𝑚𝑝𝑑𝑙 • Allow lines: 4 𝑥 -bit register, 𝑥 = 32 and 64 for MORUS640 / MORUS1280 • Each register consists of 4 words of 𝑥 bits. 8

Step Function of MORUS WR 3 WR 1 WR 2 WR 3 WR 2 WR 1 9

Step Function for Encryption WR 3 WR 1 WR 2 WR 3 WR 2 WR 1 10

Aim to Analyze All Parts of MORUS 𝐷 𝑘 𝐵 𝑚𝑓𝑜 𝑁 𝑚𝑓𝑜 0 𝐿 𝐵 𝑗 𝑁 𝑘 𝑂 𝐿 1 𝑇𝑢𝑓𝑞 16 1 𝑡𝑢𝑓𝑞 10 𝑈 𝑞𝑓𝑠 𝑇𝑢𝑓𝑞𝑡 𝑞𝑓𝑠 𝑐𝑚𝑝𝑑𝑙 𝑑𝑝𝑜𝑡𝑢 Steps 128 𝑐𝑚𝑝𝑑𝑙 Reduced-round Reduced-round full brake of key-recovery in forgery confidentiality nonce respect 11

Security Claim • Nonce respect security Confidentiality of MORUS-1280-256 can be broken after 2 152 encryptions. 12

Bias of Key Stream Generated by Encryption

Basics of Linear Cryptanalysis 1 An event 𝐹 with probability Pr 𝐹 = 2 ± 𝜗 has bias 𝜗 . • Correlation: 𝐷𝑝𝑠 𝐹 = 2 Pr 𝐹 − 1 = 2𝜗 • Weight: weight 𝐹 = − log 2 𝐷𝑝𝑠(𝐹) • Piling-Up Lemma : The correlation (resp. weight) of an XOR of independent variables is equal to their product (resp. sum). Linear approximation of AND : Pr(𝐹) = 3/4 . 𝜗. = 2 −2 . Pr 𝑏 ⋅ 𝑐 = 0 𝑝𝑠 1 (weight 1) 𝐷𝑝𝑠(𝐹). = 2 −1 . Pr 𝑏 ⋅ 𝑐 = 𝑏 𝑝𝑠 𝑐 (weight 1) 𝑥𝑓𝑗𝑕ℎ𝑢(𝐹) = 1 Pr 𝑏 ⋅ 𝑐 = 𝑏 ⊕ 𝑐 (weight 1) Effect of 𝐹 is detected by processing 2 2⋅𝑥𝑓𝑗𝑕ℎ𝑢(𝐹) inputs. 14

Rotation-Invariant of Step Function • Each register has 4 words and register different registers are rotated by 4𝑥 different word numbers (complex). 𝑥 • linearly approximate 4 bits in word positions 𝑗, 𝑗 + 𝑥, 𝑗 + 2𝑥, 𝑗 + 3𝑥 . • 4 iterations of the same linear trail  compress the register to 𝑥 bits. MiniMORUS • A linear trail with weight 𝑌 for MiniMORUS  A linear trail with weight 4𝑌 for MORUS. 15

Diagram of MiniMORUS 𝑻 𝟏 𝑻 𝟐 𝑻 𝟑 𝑻 𝟒 𝑻 𝟓 16

Overview of Liner Trails We combine the following five trail fragments; 𝛽 𝑗 : approximate 1 bit of 𝑇 0 from ciphertext bit. 𝛾 𝑗 : approximate 1 bit of 𝑇 1 from 𝑇 0 and ctxt bit. 𝛿 𝑗 : approximate 1 bit of 𝑇 4 from 2 bits of 𝑇 1 . 𝜀 𝑗 : approximate 1 bit of 𝑇 2 from 2 bits of 𝑇 4 . 𝜗 𝑗 : approximate 1 bit of 𝑇 0 from 2 bits of 𝑇 2 . 17

𝛽 𝑗 : from ciphertext bit to 𝑇 0 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 0 𝑗 𝑇 3 𝐷 𝑗 = 𝑇 2 𝑗 ⋅ 𝑇 3 𝑗 ⊕ 𝑇 1 𝑗 ⊕ 𝑇 0 𝑗 𝑗+𝑐 0 = 𝑇 1 𝑗 ⋅ 𝑇 2 𝑗 ⊕ 𝑇 3 𝑗 ⊕ 𝑇 0 𝑗 𝑇 0 𝑗 𝑇 1 𝐷 𝑗 = 𝑇 0 𝑗+𝑐 0 Combine (weight: 2) 18

𝛽 𝑗 : from ciphertext bit to 𝑇 0 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 0 𝒋 ⊕ 𝑻 𝟒 𝑗 𝒋 𝑇 3 𝑻 𝟑 𝐷 𝑗 = 𝑇 2 𝑗 ⋅ 𝑇 3 𝑗 ⊕ 𝑇 1 𝑗 ⊕ 𝑇 0 𝑗 𝑗+𝑐 0 = 𝑇 1 𝑗 ⋅ 𝑇 2 𝑗 ⊕ 𝑇 3 𝑗 ⊕ 𝑇 0 𝑗 𝑇 0 𝒋 ⊕ 𝑻 𝟑 𝒋 𝑻 𝟐 𝑗 𝑇 1 𝐷 𝑗 = 𝑇 0 𝑗+𝑐 0 Combine (weight: 2) Linear Hull : weight: 2  1 19

𝛾 𝑗 : from 𝑇 0 and 𝐷 to 𝑇 1 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 0 0 0 𝛾 𝑗 : 𝐷 𝑗 = 𝑇 2 𝑗 ⋅ 𝑇 3 𝑗 ⊕ 𝑇 1 𝑗 ⊕ 𝑇 0 𝑗 (weight: 1) Combine 𝛽 𝑗 and 𝛾 𝑗+𝑐 0 𝛽 𝑗 : 𝐷 𝑗 = 𝑇 0 𝑗+𝑐 0 𝑗+𝑐 0 ⊕ 𝑇 0 𝑗+𝑐 0 𝛾 𝑗+𝑐 0 : 𝐷 𝑗+𝑐 0 = 𝑇 1 ⊕ 𝑗 𝐷 𝑗 = 𝑇 1 𝑘 (weight: 2) 20

𝛿 𝑗 : from two bits of 𝑇 1 to 𝑇 4 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 0 𝑗+𝑐 1 = 𝑇 2 𝑗 ⋅ 𝑇 3 𝑗 ⊕ 𝑇 4 𝑗 ⊕ 𝑇 1 𝑗 𝛿 𝑗 : 𝑇 1 (weight: 1) 0 0 21

𝜀 𝑗 : from two bits of 𝑇 4 to 𝑇 2 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 0 𝑗+𝑐 4 = 𝑇 0 𝑗 ⋅ 𝑇 1 𝑗 ⊕ 𝑇 2 𝑗 ⊕ 𝑇 4 𝑗 𝜀 𝑗 : 𝑇 4 (weight: 1) 𝟏 0 22

𝜗 𝑗 : from two bits of 𝑇 4 to 𝑇 2 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 0 𝑗+𝑐 2 = 𝑇 3 𝑗 ⋅ 𝑇 4 𝑗 ⊕ 𝑇 0 𝑗 ⊕ 𝑇 2 𝑗 𝜗 𝑗 : 𝑇 2 (weight: 1) 0 0 23

𝐷 𝑗 = 𝑇 0 𝑘 𝐷 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝛽 𝑗 24

⊕ 𝑗 𝐷 𝑗 = 𝑇 1 𝑘 𝐷 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝛽 𝑗 𝛾 𝑗 𝑐 0 25

⊕ 𝑗 𝐷 𝑗 = 𝑇 4 𝑘 𝐷 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝛽 𝑗 𝛾 𝑗 𝛿 𝑗 𝑐 0 𝑐 1 𝑐 0 26

⊕ 𝑗 𝐷 𝑗 = 𝑇 2 𝑘 𝐷 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝛽 𝑗 𝛾 𝑗 𝛿 𝑗 𝑐 0 𝑐 1 𝑐 0 𝜀 𝑗 𝑐 4 𝑐 0 𝑐 1 𝑐 0 27

⊕ 𝑗 𝐷 𝑗 = 𝑇 0 𝑘 𝐷 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝛽 𝑗 𝛾 𝑗 𝛿 𝑗 𝑐 0 𝑐 1 𝑐 0 𝜀 𝑗 𝑐 4 𝑐 0 𝑐 1 𝑐 0 𝑐 2 𝜗 𝑗 28

⊕ 𝑗 𝐷 𝑗 = 0 𝐷 𝑇 0 𝑇 1 𝑇 2 𝑇 3 𝑇 4 𝛽 𝑗 𝛾 𝑗 𝛿 𝑗 𝑐 0 𝑐 1 𝑐 0 𝜀 𝑗 𝑐 4 𝑐 0 𝑐 1 𝑐 0 𝑐 2 𝜗 𝑗 𝛽 𝑗 29

× 𝟐 × 𝟒 × 𝟐 × 𝟐 × 𝟒 × 𝟐 × 𝟐 × 𝟐 × 𝟐 × 𝟐 × 𝟐 × 𝟐 30

Result of Combination for MiniMORUS ⨁𝐷 𝑗 = 0 with weight 24 • Dependency between 𝛾 𝑗 and 𝛿 𝑗 (occur 4 times): 𝛾 𝑗 : 𝐷 𝑗 = 𝑇 2 𝑗 ⋅ 𝑇 3 𝑗 ⊕ 𝑇 1 𝑗 ⊕ 𝑇 0 𝑗 • (weight: 1) 𝑗+𝑐 1 = 𝑇 2 𝑗 ⋅ 𝑇 3 𝑗 ⊕ 𝑇 4 𝑗 ⊕ 𝑇 1 𝑗 𝛿 𝑗 : 𝑇 1 • (weight: 1) 0 No need to approximate, saves weight 8 for 4 (𝛽 𝑗 , 𝛾 𝑗 ) . • ⨁𝐷 𝑗 = 0 with weight 16. • Experimentally verified with 2 32 ciphertexts. • works for different choices of rotation numbers 31

Extension to MORUS: Overview 𝑥 -bit state of MiniMORUS can be extended to • 4𝑥 -bit state of MORUS by making 4 copies of the linear trail. • Linear trail for MiniMORUS: weight 16 • Linear trail for MORUS: weight 64 ?? • Most of the part, the evaluation is true, however saving weight by dependency cannot be used. • A few more issued on overlap of the bit position in independent linear approximation. • In the end, the weight is 76, which is verified if you have 2 152 ciphertexts. 32

Attack Impact • Detected bias is absolute. The attack does not have any limitation for the choice of 𝐿 and 𝑂 . (cannot be prevented by key management) • The attack works in the broadcast setting. Some protocol fixes the first message block to some sensitive information (e.g. user authentication token in HTTP). Correlation of key steam may be exploited to recover it 33

Analysis on Finalization of MORUS-1280-256