Advances in Intelligent Systems Research, volume 133 2nd International Conference on Artificial Intelligence and Industrial Engineering (AIIE2016)

Improved Collision Cryptanalysis of Authenticated Cipher MORUS

Tairong Shi *, Jie Guan, Junzhi Li and Pei Zhang Information Science and Technology Institute, Zhengzhou, Henan, China *Corresponding author

Abstract—MORUS is an authenticated stream cipher designed by each other, we utilize the partition method and propose the Wu et al. and submitted for the third-round of the CAESAR necessary conditions for an internal state collision after two- competition. The collision properties of MORUS-640-128 are step update. There results imply that MORUS resists against studied. We propose the necessary conditions for an internal state collision attack in theory. collision after two-step update, i.e., the Hamming weight of the input difference is at least 5 and the difference is distributed in at This paper is organized as follows. In Section 2, the least three 32-bit words, which provide the theoretical support description of MORUS is provided. In Section 3, the for MORUS’s resistance against collision attack. distribution of word difference is given. Section 4 discusses the lower bound of difference weight for collision. Section 5 Keywords-CAESAR; MORUS; collision cryptanalysis; partition concludes the paper. method II. DESCRIPTION OF MORUS I. INTRODUCTION MORUS operates four phases: initialization, processing of Authenticated encryption algorithm [1] combines the authenticated data, encryption, and finalization. In this encryption with authentication, providing both confidentiality paper we only focus on the processing of associated data and and authenticity simultaneously and has been widely used in encryption and study the security of MORUS-640-128. the security protocols such as SSL/TLS [2], etc. In order to MORUS takes a 128-bit key, a 128-bit nonce, and a tag length accelerate the development of authentication encryption, less than or equal to 128. More details of MORUS-640-128 can CAESAR competition [3] merges. CAESAR is a large-scale be found in [9]. All the “MORUS” in the rest of this paper cryptographic competition supported by the US National refers to “MORUS-640-128”. Institute of Standards and Technology (NIST) like AES [4], e- STREAM [5]. With the advance of the competition, A. Notations authenticated cipher receives more attentions and develops i rapidly. The third-round candidates own excellent performance S : State at the beginning of i-th step, where i t 0 ; on security and efficiency which are competitive and attract S i : State at the beginning of k-th round at i-th step, where many researchers [6], [7], [8]. k SSSSSSiiiiii (,,,,), 04ddk ; MORUS [9] is a notable family of authenticated stream kkkkkk,0 ,1 ,2 ,3 ,4 ciphers designed by H. Wu and T. Huang, which has been S i : The j-th element of the state S i . SSSiii (, , selected as a third-round candidate of CAESAR competition. kj, k kj,,,1,,2 kj kj ii By adopting the idea of block cipher, MORUS uses 5 registers SSkj,,3,) kj ,,4 , 04ddj ; of equal length in its internal state and update each state i i successively. Three MORUS versions: MORUS-640-128, Skjl,, : l-th 32-bit word of the Skj, , where 14ddl , MORUS-1280-128, and MORUS-1280-256 are recommended 04ddj ; with different internal state and key sizes. Mileva et al. [10] have proposed a distinguisher attack on MORUS in non-reuse & : Bit-wise AND; setting. And Zhang et al. [11] researched on the confusion and diffusion properties of the initialization of MORUS. The <<< : Rotation to the left; research on MORUS is relatively limited currently. >>> : Rotation to the right; Collision attack [12], [13] is a typical method used in x : The smallest integer not less than x ; attacking the message authentication. The basic technique is to «»ªº inject a message difference at certain encryption (or processing Rotl(,) x n : Divide the 128-bit block x into four 32-bit the associated date) step and cancel it at a later step. words and rotate each word left by n bits, In this paper, we evaluate the security of authentication by theory deduction. Observations reveal that 32-bit word are not Rotl-1 (,) x n : Analogous to Rotl(,) x n , divide the 128-bit x confused completely with internal state. Based on the feature into four 32-bit words and rotate each word right by n bits; that the 32-bit words in the state element are independent of

Copyright © 2016, the Authors. Published by Atlantis Press. 429 This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/). Advances in Intelligent Systems Research, volume 133

1n ( 0n ): n bits of ‘1’s (‘0’s); III. THE DISTRIBUTION OF WORD-ORIENTED DIFFERENCE FOR COLLISION W(D ) : The hamming weight of D , namely, the number of In this section, we divide each message into four 32-bit 1 in D ’s binary representation; words and give the representation of internal state differences.

WB('mt ) : The number of nonzero word in 'mt . 'mt Suppose that a message difference ''zmmtt(0) is denotes the message difference, where Di (1ddi 4) represents injected at i-th encryption (or processing the associated date) a 32-bit word difference. step and 'S t 0 , through the differential analysis, it’s easy to get internal state differences in t+1-th step: B. The State Update Function of MOURS t1 MORUS uses five 128-bit registers in its internal state. This 'S0 0 function consists of five rounds with similar operations that t1 'SRotlm1 ( 't ,31) 64 update the state S. t1 'SRotlm2 (,7)32 't ii1 SS StateUpdate( ,mi ) is given as follows: t1 'S3 Rotl((,31),22)32 Rotl ' mtt † ' m Round 1: tttt1111 'S4012 Rotl(& S '†'!!!†' S ( S 32),13) mt iiiii 64 SRotlSSS1,0 ((&),);0,0† 0,1 0,2 † Sb 0,3 0 ii Note: For convenience, we perform the left rotation for SS1,3 0,3 w 0 ; t1 t1 'S3 and 'S4 in advance. ii SS1,1 0,1; If and only if 'Sit2 0(0dd 4) , the internal state SSii ; i 1,2 0,2 collision occurs. Because we only concern that whether the ii SS1,4 0,4 ; difference is zero and external operation Rotl x, n doesn’t Round 2 to 5: influence the results, we leave out Rotl x, n . Each element of For k=1 to 4, state differences after the second step is shown as:

tt21 t  1 tt  11 iiii 'SS01 (& ' S 2 )(&) †' SS 12 † SRotlSSS(k 1)mod5, k ((kk,† kk ,( 1)mod5 &kk ,( 2)mod5 )† tt11 t  1 i ('SS12 & ' ) † ( ' S 3 !!! 32); Smbkk,( 3)mod5 † i, k ); ii tttt2111 tt  11 SSw ; 'SSSS1123 '†(& ' )(&) †' SS 23 † (kk 1)mod5,( 3)mod5 kk ,(  3)mod5 k ii ('SStt11 & ' ) † ( ' S t  1 !!! 64) † ' m ; SS(1)mod5,(1)mod5kk kk ,(1)mod5 ; 23 4t 1

i i tttt2111 tt  11 S(kk 1)mod5,( 2)mod5 Skk,( 2)mod5; 'SSSS '†(& ' )(&) †' SS † 2234 34 ii tt11 SS(kk 1)mod5,( 4)mod5 kk ,(  4)mod5. (''†'SS34 & ) mt 1 ;

i1 ii1 tt21 tt  12 Generate S : For k=0 to 4: SSkk . 'SS33 '†'(&) SSm 40 †'t 1 ; The rotation constants bwi,, 0,,4,4 for each round are tt21 ii 'SSm44 '†'t 1. defined in [10]. It should be noted that 'St2 0 is a precondition, then we C. Processing the Associated Data and Encryption analyze the differences after the second step. The Processing the associated data AD of MORUS can be Now we discuss the difference distribution in the following described as follows. adlen means bit length of the associated situations with different values of WB('mt ) . Remember that data, where u ªº adlen 128 . «» Di (1ddi 4) represents a 32-bit word difference.

ii128 For i=0 to u-1: SS StateUpdate( ,ADi ). A. When WB('mt ) 1 The encryption is described as follows. Let msglen Now, we assume that there is only one nonzero word represents the length of plaintext and vmsglen «»ªº128 . difference in 'mt , 'mt (D1 , 0, 0, 0) ,D1 z 0 .

t1 For i 0 to v 1: 'S1 000Dc , whereDDc 31;

ui ui ui ui t1 CPSii †01 †( S 96) † ( S23 & S ); 'S 00Dcc 0 , whereDDcc 7,i 1,2 ; 2 ui1 ui SS StateUpdate( ,Pi );

430 Advances in Intelligent Systems Research, volume 133

'St1 00E 0 , where EDD ()22 †c ; 'SSSSmtttt2112 '†'& †' 3 3340t 1 t1 0EE11 00†uuuu 0 uu 'Su4 00J , where JDD ()13 †c , u is unknown difference. t2 32 To ensure 'S3 0 , we deduce E1 0 , DDccc 1 and tt21 t2 J 0 , therefore 'S t1 0000 , 'Smt1 ' 00 uu. As Because of 'SSm44 '†'t 1 and 'S4 0 , we get 1 3 41t t1 for 'S t2 , we get that 'mSt14 ' 00J u. 2

tttt2111 Through update function, we know the presentation of 'SSSSm2234 '†'†'& t 1 t2 'S . 0DD12cc cc 0† 00uu 0D 1 cc uu z 0 ttttttt2111111 t2 'SSSSSSS0121212 &&& '†' †'' It contradicts to 'S2 0 . The above results also hold for t1 † 'S3 !!! 32 'mt 00DD12 , 'mt 00DD12 and 'mt DD1200 . 0uu 0† 000EE 0uu Case 2 'miti 00(DDD12 z 0,1,2) To ensure 'S t2 0 , we deduce E 0 , namely 0 'St1 00DDcc, where DDc 31,i 1,2 ; DD† 31 0 , then D 132 must be established. Therefore 121 ii 32 t1 we can deduce DDccc 1 and EJ 0 , furthermore 'S212 DDcc00 cc , where DDiicc 7,i 1,2 ; t2 t2 'S3 0000 , 'Sm41 't 000 u. t1 'S312 EE00, where EDDiii ()22,1,2 †c i ; t2 Supposed 'S1 0, we can get t1 'Suu4 00 . u denotes unknown difference. tttt2111 'SSSSm2234 '†'†'& t 1 t1 'mSuut14 ' 00 . 00DDcc 0†† 000uu 000 00 cc uz 0 ttt222 t2 t2 Supposed 'SSS01 ' ' 2 0 , we analyze 'S3 . It contradicts to 'S0 0, The above results also hold for 'm 000D , 'm 00D 0 and 'm 000D , so 'SSSSmtttt2112 '†'& †' t 1 t 1 t 1 3340t 1 WB('zmt ) 1 . EE12 0 0† 0uu 0 EE 12 u u

t2 To ensure 'S3 , we get EE12 0 and JJ12 0 , B. When WB('mt ) 2 therefore 'S t1 0000 . Take consideration of 'S t2 , There are two cases: 3 2 tttt2111 Case 1 'mi 00DD ( D z 0, 1,2) 'SSSSm2234 '†'†'&0t 112 DDcc cc0 †0 uu0 ti12 DDccuu cc z 0 t1 12 'S112 DDcc00 , where DDiic 31,i 1,2 ; It contradicts to 'S t2 0 , The same results also hold for t1 2 'S212 00DDcc cc , where DDiicc 7,i 1,2 ; 'mt 00DD24, so WB('zmt ) 2 . t1 'S312 00EE , where EDDiii ()22,1,2 †c i ; C. When WB('mt ) 3 'Suut1 JJ , JDD ()13,1,2 †c i . u refers to 412 iii Assume that 'mi (0,DDD , , )( Dz 0, 1,2,3) , we can an unknown difference, ti123 deduce the followings. t1 'mSt1412 ' JJ uu. t1 'S1231 DDcc0 D c, where DDiic 31,i 1,2,3 ; t2 Now we analyze the 'S0 . t1 'S2123 DDDcc cc cc0 , where DDiicc 7,i 1,2,3 ; ttttttt2111111 'SSSSSSS0121212 &&& '†' †'' t1 'S3123 EEE0 , where EDDiii ()22,1,2,3 †c i ; t1 † 'S3 !!! 32 'St1 J uuu , JDD ()13,1,2,3† c i , u denotes uuu 0† 00EE uuu E 41 iii 12 2 unknown difference. t2 To ensure 'S0 0 , we deduce E2 0 , it’s easy to get t2 32 tt11 'mt141 ' S J uuu . DDccc 1, J2 0. So 'SSmu314 000,EJ ' 't 11 0u. We can obtain the internal state difference 'S t2 as tt22 Supposed 'SS12 ' 0 , we can obtain follows:

431 Advances in Intelligent Systems Research, volume 133

'SSSSSSSttttttt2111111 &&& '†' †'' We can draw the conclusion below. 0121212 t1 Conclusion 1. For MORUS, if the message difference † 'S3 !!!32 uuuu ''zmmtt(0) is injected at i-th encryption (or processing tttttttt21111111 'SSSSSSSS11232323 '†'†'&&& †'' the associated date) step and gets eliminated at the next step, t1 then WB('tm ) 3 must be true. †'S41 !!!64 †'mt uuuu t tttttttt21111111 'SSSSSSSS22343434 '†'†'&&& †'' IV. THE LOWER BOUND OF DIFFERENCE WEIGHT FOR †'m uuuu t1 COLLISION tttt2112 'S3340 '†' S S& S †' mt 1 uuuu Because the collision probability is related to the weight of message difference, we discuss the bit-oriented t2 Each 128-bit element of 'S could be 0, therefore necessary conditions in this section. Through theory

WB('mt ) 3 is possible. deduction, we complete exhaustion when the weight of message difference is less than or equal to 5.

D. When WB('mt ) 4 In the end the experiment results indicate the following conclusion. We know 'mt (,DDDD1234 , , )(Di z 0,i 1,2,3,4) . t1 t1 Conclusion 2. For MORUS, when the weight of After one step update, each 32-bit word of 'S1 and 'S2 message difference is less than or equal to 5, there is no are non-zero, meanwhile, each 32-bit word of 'S t1 and 3 collision. 'S t1 is uncertain, through our analysis, each 128-bit element 4 Table I. compares the result of this paper with that of t2 of 'S could be 0,therefore WB('mt ) 4 is possible. designers on collision cryptanalysis.

TABLE I. RESULTS COMPARISON

Analyst Analysis method Idea Difference distribution Weight of difference

Designers Experiment — — W('tmt ) 26

This paper Theory deduction Partition method WB('tmt ) 3 W('tmt ) 5

[4] J. Daemen et al., “AES the advanced encryption standard,” The Design V. CONCLUSIONS of Rijndael, 2002. In this work, we focus on the security of message [5] ECRYPT, European Network of Excellence in Cryptology: “The Stream Cipher Project: eSTREAM,” IST-2002-507932. authentication in MORUS. Through partition method, we http://www.ecrypt.eu.org/stream. found out the distribution of input difference is determined, [6] C. Dobrauning et al., “Heuristic Tool for Linear Cryptanalysis with namely WB('tmt ) 3 . Finally, by experiments, we deduce Applications to CAESAR Candidates,” ASIACRYPT, Auckland, New the lower bound of difference is 5. Zealand, 2015, pp.490-509. [7] T. Peyrin et al., “Cryptanalysis of JAMBU,” FSE 2015, Istanbul, Turkey, The new idea we used to find the distribution of word- Mar. 2015, pp. 264-281. oriented difference for collision is universal, which can be [8] M. Salam et al., “Investigating Cube Attack on the Authenticated applied to other authenticated ciphers. Moreover, we will Encryption Stream Cipher ACORN,” ATIS 2016, Cairns, QLD, evaluate the ability of MORUS in resisting other attacks. Australia, Oct. 2016, pp. 15-26 [9] H. Wu et al., “The authenticated cipher MORUS (v1),” CAESAR submissions. http://competitions.cr.yp.to/ round2/morusv11.pdf, 2015. ACKNOWLEDGMENT [10] A. Mileva et al., “Analysis of the Authenticated Cipher MORUS (v1),” This work was supported by the National Natural Science Int. Conf. BalkanCryptSec 2015, Koper, Slovenia, Sept. 2015, pp. 45-59. Foundation of China (Grant No. 61572516, 61272041 and [11] P. Zhang et al., “Research on the confusion and diffusion properties of the initialization of MORUS,” J. Cryptologic Research, 2015, vol. 2, no. 61272488). 6, pp. 536-548. [12] T. Fuhr et al., “Collision Attacks Against CAESAR Candidates – REFERENCES Forgery and Key-Recovery Against AEZ and Marble,” Advances in Cryptology-ASIACRYPT 2015, Auckland, New Zealand, Nov. 2015, pp. [1] M. Bellare et al., “Authenticated encryption: Relations among notions 510-532. and analysis of the generic composition paradigm,” Journal of Cryptology, vol. 21, no. 4, Jan. 2008, pp. 469-491. [13] T. Peyrin, “Collision Attack on Grindahl,” J. Cryptology, vol. 28, no. 4, January 2015, pp. 879-898. [2] K. Hickman et al., “The SSL protocol,” Netscape Communications Corp, 1995, 501. [3] D. J. Bernstein, “Caesar: Competition for authenticated encryption: Security, applicability, and robustness,” 2015.

432