2019
DOI: 10.1007/978-3-030-26951-7_7

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS

Abstract: We show that the correlation of any quadratic Boolean function can be read out from its so-called disjoint quadratic form. We further propose a polynomial-time algorithm that can transform an arbitrary quadratic Boolean function into its disjoint quadratic form. With this algorithm, the exact correlation of quadratic Boolean functions can be computed efficiently. We apply this method to analyze the linear trails of MORUS (one of the seven finalists of the CAESAR competition), which are found with the help of a …

Cited by 10 publications (4 citation statements)
References 28 publications
“…One possible way to distinguish keystreams of a cipher from a random sequence is to utilize linear biases. Recently, exploitable biases using linear combinations of output bits were found in the authenticated encryption schemes MORUS [1,18] and AEGIS [15]. It is important to know if this will happen to Subterranean 2.0.…”
Section: Attack Scenario 1: Keystream Biases (mentioning)
confidence: 99%
“…Taking all the dependency into account usually makes the search for differential/linear trails inefficient or even infeasible. In the case where there exist very sparse differential/linear trails such that there is no adjacent active AND operations, treating AND operations independently works well [18,19]. Recently, effort has been made to construct models that partially handle the dependency of the AND operations [17].…”
Section: Dependency of AND Operations (mentioning)
confidence: 99%
“…This method demonstrated key recovery attacks on 6/7-step MORUS-640-128 and integral distinguishers against 7-step MORUS-640-128/MORUS-1280-256. Shi et al. [16] proposed an algorithm to compute the correlation of quadratic Boolean functions. They applied the method to analyze the linear trails of MORUS.…”
Section: Introduction (mentioning)
confidence: 99%
“…Revealing structural properties of several ciphers from design and cryptanalysis aspects, Yu Sasaki and Yosuke Todo gave a new impossible differential search tool in [26]. Recently, Shi et al. broke the full-round MORUS by means of the MILP tool [27].…”
Section: Introduction (mentioning)
confidence: 99%