Advances in Intelligent Systems Research, volume 133 2nd International Conference on Artificial Intelligence and Industrial Engineering (AIIE2016) Improved Collision Cryptanalysis of Authenticated Cipher MORUS Tairong Shi *, Jie Guan, Junzhi Li and Pei Zhang Information Science and Technology Institute, Zhengzhou, Henan, China *Corresponding author Abstract—MORUS is an authenticated stream cipher designed by each other, we utilize the partition method and propose the Wu et al. and submitted for the third-round of the CAESAR necessary conditions for an internal state collision after two- competition. The collision properties of MORUS-640-128 are step update. There results imply that MORUS resists against studied. We propose the necessary conditions for an internal state collision attack in theory. collision after two-step update, i.e., the Hamming weight of the input difference is at least 5 and the difference is distributed in at This paper is organized as follows. In Section 2, the least three 32-bit words, which provide the theoretical support description of MORUS is provided. In Section 3, the for MORUS’s resistance against collision attack. distribution of word difference is given. Section 4 discusses the lower bound of difference weight for collision. Section 5 Keywords-CAESAR; MORUS; collision cryptanalysis; partition concludes the paper. method II. DESCRIPTION OF MORUS I. INTRODUCTION MORUS operates four phases: initialization, processing of Authenticated encryption algorithm [1] combines the authenticated data, encryption, and finalization. In this encryption with authentication, providing both confidentiality paper we only focus on the processing of associated data and and authenticity simultaneously and has been widely used in encryption and study the security of MORUS-640-128. the security protocols such as SSL/TLS [2], etc. In order to MORUS takes a 128-bit key, a 128-bit nonce, and a tag length accelerate the development of authentication encryption, less than or equal to 128. More details of MORUS-640-128 can CAESAR competition [3] merges. CAESAR is a large-scale be found in [9]. All the “MORUS” in the rest of this paper cryptographic competition supported by the US National refers to “MORUS-640-128”. Institute of Standards and Technology (NIST) like AES [4], e- STREAM [5]. With the advance of the competition, A. Notations authenticated cipher receives more attentions and develops i rapidly. The third-round candidates own excellent performance S : State at the beginning of i-th step, where i t 0 ; on security and efficiency which are competitive and attract S i : State at the beginning of k-th round at i-th step, where many researchers [6], [7], [8]. k SSSSSSiiiiii (,,,,), 04ddk ; MORUS [9] is a notable family of authenticated stream kkkkkk,0 ,1 ,2 ,3 ,4 ciphers designed by H. Wu and T. Huang, which has been S i : The j-th element of the state S i . SSSiii (, , selected as a third-round candidate of CAESAR competition. kj, k kj,,,1,,2 kj kj ii By adopting the idea of block cipher, MORUS uses 5 registers SSkj,,3,) kj ,,4 , 04ddj ; of equal length in its internal state and update each state i i successively. Three MORUS versions: MORUS-640-128, Skjl,, : l-th 32-bit word of the Skj, , where 14ddl , MORUS-1280-128, and MORUS-1280-256 are recommended 04ddj ; with different internal state and key sizes. Mileva et al. [10] have proposed a distinguisher attack on MORUS in non-reuse & : Bit-wise AND; setting. And Zhang et al. [11] researched on the confusion and diffusion properties of the initialization of MORUS. The <<< : Rotation to the left; research on MORUS is relatively limited currently. >>> : Rotation to the right; Collision attack [12], [13] is a typical method used in x : The smallest integer not less than x ; attacking the message authentication. The basic technique is to «»ªº inject a message difference at certain encryption (or processing Rotl(,) x n : Divide the 128-bit block x into four 32-bit the associated date) step and cancel it at a later step. words and rotate each word left by n bits, In this paper, we evaluate the security of authentication by theory deduction. Observations reveal that 32-bit word are not Rotl-1 (,) x n : Analogous to Rotl(,) x n , divide the 128-bit x confused completely with internal state. Based on the feature into four 32-bit words and rotate each word right by n bits; that the 32-bit words in the state element are independent of Copyright © 2016, the Authors. Published by Atlantis Press. 429 This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/). Advances in Intelligent Systems Research, volume 133 1n ( 0n ): n bits of ‘1’s (‘0’s); III. THE DISTRIBUTION OF WORD-ORIENTED DIFFERENCE FOR COLLISION W(D ) : The hamming weight of D , namely, the number of In this section, we divide each message into four 32-bit 1 in D ’s binary representation; words and give the representation of internal state differences. WB('mt ) : The number of nonzero word in 'mt . 'mt Suppose that a message difference ''zmmtt(0) is denotes the message difference, where Di (1ddi 4) represents injected at i-th encryption (or processing the associated date) a 32-bit word difference. step and 'S t 0 , through the differential analysis, it’s easy to get internal state differences in t+1-th step: B. The State Update Function of MOURS t1 MORUS uses five 128-bit registers in its internal state. This 'S0 0 function consists of five rounds with similar operations that t1 'SRotlm1 ('t ,31) 64 update the state S. t1 'SRotlm2 (,7)32't ii1 SS StateUpdate( ,mi ) is given as follows: t1 'S3 Rotl((,31),22)32 Rotl' mtt ' m Round 1: tttt1111 'S4012 Rotl(& S''!!!' S ( S 32),13) mt iiiii 64 SRotlSSS1,0 ((&),);0,0 0,1 0,2 Sb 0,3 0 ii Note: For convenience, we perform the left rotation for SS1,3 0,3 w 0 ; t1 t1 'S3 and 'S4 in advance. ii SS1,1 0,1; If and only if 'Sit2 0(0dd 4) , the internal state SSii ; i 1,2 0,2 collision occurs. Because we only concern that whether the ii SS1,4 0,4 ; difference is zero and external operation Rotl x, n doesn’t Round 2 to 5: influence the results, we leave out Rotl x, n . Each element of For k=1 to 4, state differences after the second step is shown as: tt21 t 1 tt 11 iiii 'SS (&' S )(&) ' SS SRotlSSS (( & ) 01 2 12 (k 1)mod5, k kk, kk ,( 1)mod5kk ,( 2)mod5 tt11 t 1 i ('SS12 & ' ) ( ' S 3 !!! 32); Smbkk,( 3)mod5 i, k ); ii tttt2111 tt 11 SSw ; 'SSSS1123 '(& ' )(&) ' SS 23 (kk 1)mod5,( 3)mod5 kk ,( 3)mod5 k ii ('SStt11 & ' ) ( ' S t 1 !!! 64) ' m ; SS(1)mod5,(1)mod5kk kk ,(1)mod5 ; 23 4t 1 i i tttt2111 tt 11 S S ; (kk 1)mod5,( 2)mod5 kk,( 2)mod5 'SSSS2234 '(& ' )(&) ' SS 34 ii tt11 SS(kk 1)mod5,( 4)mod5 kk ,( 4)mod5. ('''SS34 & ) mt 1 ; i1 ii1 tt21 tt 12 Generate S : For k=0 to 4: SSkk . 'SS33 ''(&) SSm 40 't 1 ; tt21 The rotation constants bwi,, 0,,4,4 for each round are ii 'SSm44 ''t 1. defined in [10]. It should be noted that 'St2 0 is a precondition, then we C. Processing the Associated Data and Encryption analyze the differences after the second step. The Processing the associated data AD of MORUS can be Now we discuss the difference distribution in the following described as follows. adlen means bit length of the associated situations with different values of WB('mt ) . Remember that data, where u ªº adlen 128 . «» Di (1ddi 4) represents a 32-bit word difference. ii128 For i=0 to u-1: SS StateUpdate( ,ADi ). A. When WB('mt ) 1 The encryption is described as follows. Let msglen Now, we assume that there is only one nonzero word represents the length of plaintext and vmsglen «»ªº128 . difference in 'mt , 'mt (D1 , 0, 0, 0) ,D1 z 0 . t1 For i 0 to v 1: 'S1 000Dc , whereDDc 31; CPS ui ( S ui 96) ( Sui & S ui ); t1 ii 01 23 'S2 00Dcc 0 , whereDDcc 7,i 1,2 ; ui1 ui SS StateUpdate( ,Pi ); 430 Advances in Intelligent Systems Research, volume 133 t1 tttt2112 'S3 00E 0 , where EDD ()22c ; 'SSSSm3340 ''& 't 1 t1 0EE11 00uuuu 0 uu 'Su4 00J , where JDD ()13c , u is unknown difference. t2 32 To ensure 'S3 0 , we deduce E1 0 , DDccc 1 and tt21 t2 J 0 , therefore 'S t1 0000 , 'Smt1 ' 00 uu. As Because of 'SSm44 ''t 1 and 'S4 0 , we get 1 3 41t t1 for 'S t2 , we get that 'mSt14 ' 00J u. 2 tttt2111 Through update function, we know the presentation of 'SSSSm2234 '''& t 1 t2 'S . 0DD12cc cc 0 00uu 0D 1 cc uu z 0 ttttttt2111111 t2 'SSSSSSS0121212 &&&'' '' It contradicts to 'S2 0 . The above results also hold for t1 'S3 !!! 32 'mt 00DD12 , 'mt 00DD12 and 'mt DD1200 . 0uu 0 000EE 0uu Case 2 'miti 00(DDD12 z 0,1,2) To ensure 'S t2 0 , we deduce E 0 , namely 0 'St1 00DDcc, where DDc 31,i 1,2 ; DD 31 0 , then D 132 must be established. Therefore 121 ii 32 t1 we can deduce DDccc 1 and EJ 0 , furthermore 'S212 DDcc00 cc , where DDiicc 7,i 1,2 ; t2 t2 'S3 0000 , 'Sm41 't 000 u. t1 'S312 EE00, where EDDiii ()22,1,2c i ; t2 Supposed 'S1 0, we can get t1 'Suu4 00 .