[Resource Topic] 2018/292: Linear Biases in AEGIS Keystream

Welcome to the resource topic for 2018/292

Title: Linear Biases in AEGIS Keystream

Authors: Brice Minaud

Abstract:

AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias 2^{-89} on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted 2^{188} times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds i and i+2, although the biases would require 2^{140} data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher.

ePrint: https://eprint.iacr.org/2018/292

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.