
Cryptanalysis of MORUS

Published in: Designs, Codes and Cryptography

Abstract

MORUS is an authenticated cipher submitted to the ongoing CAESAR competition and is one of the 15 candidates that entered the third round. This paper studies the bit-based division property and differential trails of MORUS-640/1280 with a Mixed Integer Linear Programming (MILP) tool. Key-recovery attacks are mounted against up to 5.5/6.5-step MORUS-640/1280 using the cube attack based on the division property recently proposed by Todo et al. In addition, we take into account the MILP model of the bitwise AND operation with a constant introduced by Sun et al., which makes the division trails and the resulting integral distinguishers more accurate. We also obtain 6/6.5-step integral distinguishers for MORUS-640/1280 and 4.5-step differential distinguishers for MORUS-1280. Compared with previous work, the cryptanalysis in this paper gives the best results in terms of the number of attacked steps and required complexity.


Notes

  1. Note that we cannot find all possible superpolys because of limited computing resources.

  2. For a cube \(C_I\), there are many values in the constant part of iv whose corresponding superpoly is balanced. (Definition of the Strong Assumption from [20].)
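The cube attack that the abstract applies to MORUS, and the superpoly and "balanced superpoly" notions of Notes 1 and 2, can be seen on a toy scale with the following added example. It is not code from the paper or from the MORUS designers: the keyed polynomial f, its 4 public IV bits and 3 secret key bits are constructed here for illustration, and the superpoly is obtained by the classic exhaustive cube summation of Dinur and Shamir [2] rather than by the division-property method of [20]. It shows, for a chosen cube, which assignments of the non-cube IV bits yield a balanced superpoly, tests which superpolys are linear in the key, and then recovers the key from the resulting GF(2) linear system.

```python
"""Toy cube attack on a small keyed Boolean polynomial (constructed example).

4 public IV bits v0..v3, 3 secret key bits k0..k2. The polynomial below is
invented for illustration; it has no relation to the MORUS state update.
"""
from itertools import product

NV, NK = 4, 3  # number of IV bits and key bits of the toy function


def f(v, k):
    """Toy keyed Boolean function over GF(2):
    f = v0 v1 k0 + v0 v1 v2 k1 + v0 k2 + v3 k0 k1 + v1 v2 + k0
    """
    v0, v1, v2, v3 = v
    k0, k1, k2 = k
    return (v0 & v1 & k0) ^ (v0 & v1 & v2 & k1) ^ (v0 & k2) ^ (v3 & k0 & k1) ^ (v1 & v2) ^ k0


def cube_sum(func, cube, v_const, k):
    """XOR func over all 2^|cube| assignments of the cube bits, keeping the
    other IV bits fixed to v_const. Over GF(2) this equals the superpoly
    p_I(v_const, k) of the cube I."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(v_const)
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= func(tuple(v), k)
    return acc


def superpoly_table(func, cube, v_const):
    """Truth table of the superpoly as a function of the key: {key: bit}."""
    return {k: cube_sum(func, cube, v_const, k) for k in product((0, 1), repeat=NK)}


def is_balanced(table):
    """Balanced: the superpoly takes the values 0 and 1 equally often over the key."""
    return sum(table.values()) * 2 == len(table)


def balanced_constant_parts(func, cube):
    """Enumerate assignments of the non-cube IV bits and keep those whose
    superpoly is balanced (the 'strong assumption' of Note 2)."""
    rest = [i for i in range(NV) if i not in cube]
    good = []
    for bits in product((0, 1), repeat=len(rest)):
        v_const = [0] * NV
        for i, b in zip(rest, bits):
            v_const[i] = b
        if is_balanced(superpoly_table(func, cube, tuple(v_const))):
            good.append(tuple(v_const))
    return good


def linear_form(table):
    """If the superpoly is affine in the key return (coeffs, const), else None.
    Exhaustive check: p(x) == const XOR <coeffs, x> for every key x."""
    zero = (0,) * NK
    const = table[zero]
    coeffs = []
    for i in range(NK):
        unit = tuple(1 if j == i else 0 for j in range(NK))
        coeffs.append(table[unit] ^ const)
    for x in table:
        if table[x] != const ^ sum(c & b for c, b in zip(coeffs, x)) % 2:
            return None
    return coeffs, const


def solve_gf2(rows):
    """Gaussian elimination over GF(2). rows: list of (coeffs, rhs).
    Returns the unique key as a tuple, or None if the system is not full rank."""
    rows = [(list(c), r) for c, r in rows]
    r = 0
    for col in range(NK):
        piv = next((i for i in range(r, len(rows)) if rows[i][0][col]), None)
        if piv is None:
            return None
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0][col]:
                rows[i] = ([a ^ b for a, b in zip(rows[i][0], rows[r][0])], rows[i][1] ^ rows[r][1])
        r += 1
    # the first NK rows are now the identity, so their right-hand sides are the key bits
    return tuple(rows[i][1] for i in range(NK))


def recover_key(oracle_func, secret_key):
    """Offline phase: pick cubes/constant parts whose superpoly is linear in
    the key. Online phase: query the cube sums under the secret key and solve."""
    cubes = [((0, 1), (0, 0, 0, 0)),  # superpoly k0
             ((0, 1), (0, 0, 1, 0)),  # superpoly k0 + k1
             ((0,), (0, 0, 0, 0))]    # superpoly k2
    eqs = []
    for cube, v_const in cubes:
        lf = linear_form(superpoly_table(oracle_func, cube, v_const))
        if lf is None:
            continue
        coeffs, const = lf
        rhs = cube_sum(oracle_func, cube, v_const, secret_key) ^ const
        eqs.append((coeffs, rhs))
    return solve_gf2(eqs)


if __name__ == "__main__":
    print("balanced constant parts for cube {v0,v1}:", balanced_constant_parts(f, (0, 1)))
    print("balanced constant parts for cube {v3}:", balanced_constant_parts(f, (3,)))
    print("recovered key:", recover_key(f, (1, 0, 1)))
```

For the cube {v0, v1} every assignment of the remaining IV bits gives a balanced superpoly (k0 or k0 + k1), whereas for the cube {v3} the superpoly is k0 k1 for every constant part and is never balanced; this is exactly the distinction Note 2 relies on. On a real cipher the offline phase cannot enumerate the key space, which is why [20] replaces the exhaustive truth table with a division-property (MILP) bound on which key bits the superpoly can involve.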

References

  1. Bellare M., Namprempre C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000).

  2. Dinur I., Shamir A.: Cube attacks on tweakable black box polynomials. In: Joux A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009).

  3. Dwivedi A.D., Morawiecki P., Wòjtowicz S.: Differential and rotational cryptanalysis of round-reduced MORUS. In: SECRYPT 2017.

  4. Gligor V., Donescu P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes. In: Matsui M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 92–108. Springer, Heidelberg (2002).

  5. Gurobi Optimization Inc.: Gurobi optimizer 6.5. Official webpage (2015). http://www.gurobi.com/.

  6. Jutla C.: Encryption modes with almost free message integrity. In: Pfitzmann B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, Heidelberg (2001).

  7. Mileva A., Dimitrova V., Velichkov V.: Analysis of the Authenticated Cipher MORUS (v1). In: Pasalic E., Knudsen L.R. (eds.) BalkanCryptSec 2015. LNCS, vol. 9540, Koper, Slovenia, pp. 45–59 (2016).

  8. Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu C.-K., Yung M., Lin D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012).

  9. NIST: Advanced Encryption Standard (AES), federal Information Processing Standards Publication FIPS 197.

  10. Rogaway P.: Authenticated-encryption with associated-data. In: ACM Conference on Computer and Communications Security (CCS-9). ACM Press, New York, pp. 98–107 (2002).

  11. Rogaway P., Bellare M., Black J., Krovetz T.: OCB: a block-cipher mode of operation for efficient authenticated encryption. In: ACM Conference on Computer and Communications Security (CCS-8). ACM Press, New York (2001).

  12. Shi T.R., Guan J., Li J.Z., Zhang P.: Improved collision cryptanalysis of authenticated cipher MORUS. In: AIIE 2016. Advances in Intelligent Systems Research, vol. 133, pp. 429–432.

  13. Sun S., Hu L., Song L., Xie Y., Wang P.: Automatic security evaluation of block ciphers with S-bP structures against related-key differential attacks. In: Lin D., et al. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 39–51. Springer, Heidelberg (2013).

  14. Sun S., Hu L., Qiao K., Ma X., Song L.: Automatic Security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar P., Iwata T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014).

  15. Sun S., Hu L., Wang M., Wang P., Qiao K., Ma X., Shi D., Song L., Fu K.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Cryptology ePrint Archive. Report 2014/747 (2014). https://eprint.iacr.org/.

  16. Sun L., Wang W., Liu R., Wang M.Q.: MILP-aided bit-based division property for ARX-based block cipher. http://eprint.iacr.org/2016/1101.pdf.

  17. The CAESAR committee: CAESAR: Competition for authenticated encryption: Security, applicability, and robustness. http://competitions.cr.yp.to/caesar.html.

  18. Todo Y.: Structural evaluation by generalized integral property. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015).

  19. Todo Y., Morii M.: Bit-based division property and application to SIMON family. In: Peyrin T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016).

  20. Todo Y., Isobe T., Hao Y.L., Meier W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 250–279. Springer, Heidelberg (2017).

  21. Winnen L.: Sage S-box Milp Toolkit. http://www.ecrypt.eu.org/tools/sage-s-box-milp-toolkit.

  22. Wu H.J., Huang T.: The Authenticated Cipher MORUS (v2). http://competitions.cr.yp.to/round3/morusv2.pdf.

  23. Wu S., Wang M.: Security evaluation against differential cryptanalysis for block cipher structures. Cryptology ePrint Archive. Report 2011/551 (2011). https://eprint.iacr.org/.

  24. Xiang Z.J., Zhang W.T., Bao Z.Z., Lin D.D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016).

  25. Zhang P., Guan J., Li J.Z., Shi T.R.: Research on the confusion and diffusion properties of the initialization of MORUS. J. Cryptol. Res. 2(6), 536–548 (2015).


Acknowledgements

This work has been supported by the National Cryptography Development Fund (MMJJ20170102), the National Natural Science Foundation of China (Nos. 61502276, 61572293, 61692276), the Natural Science Foundation of Shandong Province, China (ZR2016FM22), the Major Scientific and Technological Innovation Projects of Shandong Province, China (2017CXGC0704), and the Fundamental Research Fund of Shandong Academy of Sciences (No. 2018:12-16).

Author information

Corresponding author: Meiqin Wang.

Additional information

Communicated by L. R. Knudsen.

Cite this article

Li, Y., Wang, M. Cryptanalysis of MORUS. Des. Codes Cryptogr. 87, 1035–1058 (2019). https://doi.org/10.1007/s10623-018-0501-6
