AEGIS,an authenticated encryption(AE)algorithm designed by H.J.Wu and B.Preneel,is one of the six winners of the Competition for Authentic-ated Encryption:Security,Applicability,and Robustness,which was launched by the National Institute of Stand-ards and Technology.In this paper,we comprehensively investigate the existence of collision in the initialization of AEGIS-128 and evaluate the number of advanced encryp-tion standard(AES)round functions involved in initializ-ation,which reflects the resistance to differential attack.As a result,we find that there are 40 AES round func-tions,which is less than 50 ones claimed in the design document.We also prove that AEGIS-128 is strong enough to resist adversary who has access to partial state.In particular,we present a collision-based distinguisher and exploit it to recover the key of 4-step and 5-step(out of the full 10)AEGIS-128.The time and memory com-plexities are about 229.7 and 226 respectively.Specifically,we quantize the attack of 4-step AEGIS-128,in which we solve the technical issue of dealing with the function that does not fulfill Simon's promise.It is noted that the nonce is not reused in our work.Although we present some res-ults of AEGIS-128 that exceed the existed analysis,the security margin of AEGIS-128 remains large.

SHI Tairong;HU Bin;GUAN Jie;WANG Senpeng

PLA SSF Information and Engineering University,Zhengzhou 450001,China;Institute of Software,Chinese Academy of Sciences,Beijing 100190,China

电子学报（英文）

[1]SHI Tairong;HU Bin;GUAN Jie;WANG Senpeng-.Cryptanalysis of AEGIS-128)[J].电子学报（英文）,2022(02):285-292

Cryptanalysis,AEGIS,Preneel,Authentic,encryp,initializ,distinguisher,plexities,quantize

authenticated,encryption,algorithm,designed,by,Wu,six,winners,Competition,Encryption,Security,Applicability,Robustness,which,was,launched,National,Institute,Stand,ards,Technology,this,paper,we,comprehensively,investigate,existence,collision,initialization,evaluate,number,advanced,standard,AES,round,functions,involved,reflects,resistance,differential,attack,result,find,that,there,are,less,than,ones,claimed,document,We,also,prove,strong,enough,adversary,who,has,access,partial,state,particular,present,exploit,recover,key,step,full,memory,about,respectively,Specifically,solve,technical,issue,dealing,does,fulfill,Simon,promise,It,noted,nonce,reused,our,work,Although,some,ults,exceed,existed,security,margin,remains,large

0.51752