International Association for Cryptologic Research


CryptoDB

Yinuo Liu

Publications and invited talks

2025, TOSC: Multidimensional Linear Cryptanalysis of AEGIS
Authors: Yinuo Liu, Tian Tian, Jing Yang
Abstract:
AEGIS is a family of authenticated encryption with associated data (AEAD) ciphers that target highly efficient software implementations. The main operation in AEGIS is the AES round function, chosen so that the ciphers can make full use of its cryptographic properties and efficient implementations. AEGIS has three variants, AEGIS-128, AEGIS-128L, and AEGIS-256, which achieve 128, 128, and 256 bits of security, respectively. AEGIS-128 was selected for the final portfolio of the CAESAR competition. In this paper, we perform multidimensional linear cryptanalysis of AEGIS. We first investigate the reason for the inconsistency between the byte and bit trails in AEGIS and propose an improved truncated model that efficiently derives the accurate minimum number of active Sboxes. Based on the derived byte trails, we perform a deep theoretical analysis of the correlation propagation in AEGIS and derive linear approximations with high correlations. Moreover, we find interesting properties of AEGIS that enable us to derive a number of equivalent but independent linear approximations. By combining these linear approximations, we perform multidimensional linear distinguishing attacks on AEGIS-128, AEGIS-256, and AEGIS-128L with complexities 2^126.46, 2^154.11, and 2^144.44, respectively. These results suggest that AEGIS-128 and AEGIS-256 do not meet their security claims. We also apply the improved truncated model to two AES-based stream cipher families, LOL and Rocca, for linear cryptanalysis. In particular, for LOL-MINI, we give a fast correlation attack with complexity 2^250.5, thereby breaking its security claim if the restriction on the keystream length under a single key/IV pair is ignored.
2024, TOSC: Theoretical Linear Cryptanalysis of the 5G Standard Candidate SNOW 5G
Authors: Yinuo Liu, Jing Yang, Tian Tian
Abstract:
In this paper, we perform linear cryptanalysis of the stream cipher SNOW 5G, which is recommended by the international standardization group SAGE as a standard algorithm for 5G confidentiality and integrity protection over the wireless channel. SNOW 5G can be regarded as a member of the SNOW-V family, as it is a slightly modified version of SNOW-Vi produced by SAGE. As an overall contribution, we provide a comprehensive and elaborate theoretical analysis of the linear approximations of SNOW 5G and give the best public cryptanalysis result so far. Specifically, we first theoretically analyze the formats of linear masks of SNOW 5G that can introduce high correlations, and then search for high-quality linear masks using a divide-and-conquer method based on the different cases of a critical intermediate linear mask. We find a linear approximation of SNOW 5G with correlation −2^−67.67 and further launch a correlation attack against it with complexity 2^279.8, improving the existing best correlation attack by a factor of 2^32.4. Our results come mainly from theoretical analysis, which involves little computational overhead and helps to better understand the security of SNOW 5G.

Coauthors

Yinuo Liu (2)
Tian Tian (2)
Jing Yang (2)