CryptoDB
Multidimensional Linear Cryptanalysis of AEGIS
| Field | Value |
|---|---|
| Authors | Yinuo Liu, Tian Tian, Jing Yang |
| Download | https://tosc.iacr.org/index.php/ToSC/article/view/12474 |
| Abstract | AEGIS is a family of authenticated encryption with associated data (AEAD) ciphers that target highly efficient software implementations. The main operation in AEGIS is the AES encryption round function, so that it can make full use of its cryptographic properties and efficient implementations. AEGIS includes three variants, AEGIS-128, AEGIS-128L, and AEGIS-256, which claim 128, 128, and 256 bits of security, respectively. AEGIS-128 has been selected and included in the final portfolio of the CAESAR competition. In this paper, we perform multidimensional linear cryptanalysis of AEGIS. We first investigate the reason for the inconsistency between the byte and bit trails in AEGIS and propose an improved truncated model to efficiently derive the accurate minimum number of active S-boxes. Based on the derived byte trails, we perform a deep theoretical analysis of the correlation propagation in AEGIS and derive linear approximations with high correlations. Moreover, we find interesting properties of AEGIS that enable us to derive a number of equivalent but independent linear approximations. By combining these linear approximations, we perform multidimensional linear distinguishing attacks on AEGIS-128, AEGIS-256, and AEGIS-128L with complexities 2^126.46, 2^154.11, and 2^144.44, respectively. These results suggest that AEGIS-128 and AEGIS-256 do not meet their security claims. We also apply the improved truncated model to two AES-based stream cipher families, LOL and Rocca, for their linear cryptanalysis. In particular, for LOL-MINI, we give a fast correlation attack with complexity 2^250.5, thereby breaking its security claim if the restriction on the keystream length under a single key and IV pair is ignored. |
BibTeX
@article{tosc-2025-36289, title={Multidimensional Linear Cryptanalysis of AEGIS}, journal={IACR Transactions on Symmetric Cryptology}, publisher={Ruhr-Universität Bochum}, volume={2025}, pages={368-399}, url={https://tosc.iacr.org/index.php/ToSC/article/view/12474}, doi={10.46586/tosc.v2025.i3.368-399}, author={Yinuo Liu and Tian Tian and Jing Yang}, year=2025 }