{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,2]],"date-time":"2025-05-02T15:30:12Z","timestamp":1746199812765,"version":"3.37.3"},"reference-count":11,"publisher":"Oxford University Press (OUP)","issue":"8","license":[{"start":{"date-parts":[[2021,5,22]],"date-time":"2021-05-22T00:00:00Z","timestamp":1621641600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61902030","61772517","62022018"],"award-info":[{"award-number":["61902030","61772517","62022018"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,8,11]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>AEGIS is one of the authenticated encryption with associated data designs selected for the final portfolio of the CAESAR competition. It combines the AES round function and simple Boolean operations to update its large state and extract a keystream to achieve an excellent software performance. The AEGIS family consists of AEGIS-128, AEGIS-256 and AEGIS-128L, which use 5, 6 and 8 parallel AES round functions to process 128, 128 and 256 bits message block per step with slightly different output functions separately. Surprisingly, very few cryptanalytic results on AEGIS have been published so far. This paper presents the first guess-and-determine attacks on AEGIS family. Firstly, we propose a new observation on the structure of AEGIS that the relations of fixed variables remain in the outputs at consecutive steps under some conditions on the AND operations, and the vectorial bitwise AND operation is biased, which is able to derive the additional variables added directly. Secondly, we add several techniques, such as divide and conquer on byte-based columns, reduction by meet in the middle and simplification through constraints on variables, for each AEGIS member. Finally, we conduct guess-and-determine attacks on AEGIS-128, AEGIS-256 and AEGIS-128L and result in a complexity of $2^{309}$, $2^{437}$ and $2^{384}$ to $2^{416}$, respectively. Although neither attack threatens the practical security of AEGIS, it has great significance to evaluate the resistance of such structure compared with their large internal state exploited of 640, 768 and 1024 bits. It is also the first internal state recovery attack on AEGIS without nonce reusing, while only distinguishing attacks on AEGIS exist up to now.<\/jats:p>","DOI":"10.1093\/comjnl\/bxab059","type":"journal-article","created":{"date-parts":[[2021,4,23]],"date-time":"2021-04-23T11:22:09Z","timestamp":1619176929000},"page":"2221-2230","source":"Crossref","is-referenced-by-count":1,"title":["Guess-and-Determine Attacks on AEGIS"],"prefix":"10.1093","volume":"65","author":[{"given":"Lin","family":"Jiao","sequence":"first","affiliation":[{"name":"State Key Laboratory of Cryptology , Beijing 100878, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yongqiang","family":"Li","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security , Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100089, China"},{"name":"School of Cyber Security , University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shaoyu","family":"Du","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Cryptology , Beijing 100878, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2021,5,22]]},"reference":[{"volume-title":"Caesar: competition for authenticated encryption: security, applicability, and robustness","year":"2013\u20132019","author":"CAESAR Committee","key":"2022081612471388300_ref1"},{"key":"2022081612471388300_ref2","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-662-60769-5","volume-title":"The Design of Rijndael\u2014The Advanced Encryption Standard (AES)","author":"Daemen","year":"2020"},{"key":"2022081612471388300_ref3","first-page":"348","article-title":"Analyzing the linear keystream biases in AEGIS","volume":"2019","author":"Eichlseder","year":"2019","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2022081612471388300_ref4","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1007\/978-3-642-17373-8_9","article-title":"A Byte-based Guess and Determine Attack on SOSEMANUK","volume-title":"Advances in Cryptology\u2014ASIACRYPT 2010\u201416th Int. Conf. Theory and Application of Cryptology and Information Security","author":"Feng","year":"2010"},{"key":"2022081612471388300_ref5","first-page":"239","article-title":"Cryptanalysis of Alleged A5 Stream Cipher","volume-title":"Advances in Cryptology\u2014EUROCRYPT \u201897, Int. Conf. Theory and Application of Cryptographic Techniques","author":"Golic","year":"1997"},{"key":"2022081612471388300_ref6","first-page":"37","article-title":"Guess-and-Determine Attacks on SNOW","volume-title":"Selected Areas in Cryptography, 9th Annual Int. Workshop, SAC 2002","author":"Hawkes","year":"2002"},{"key":"2022081612471388300_ref7","first-page":"1137","article-title":"Note on the robustness of CAESAR candidates","volume":"2017","author":"Kales","year":"2017","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"2022081612471388300_ref8","doi-asserted-by":"crossref","first-page":"290","DOI":"10.1007\/978-3-319-13051-4_18","article-title":"Linear Biases in AEGIS Keystream","volume-title":"Selected Areas in Cryptography\u2014SAC 2014\u201421st Int. Conf.","author":"Minaud","year":"2014"},{"key":"2022081612471388300_ref9","first-page":"476","article-title":"Can Caesar Beat Galois?\u2014Robustness of CAESAR Candidates Against Nonce Reusing and High Data Complexity Attacks","volume-title":"Applied Cryptography and Network Security\u201416th Int. Conf., ACNS 2018","author":"Vaudenay","year":"2018"},{"key":"2022081612471388300_ref10","first-page":"185","article-title":"AEGIS: A Fast Authenticated Encryption Algorithm","volume-title":"Selected Areas in Cryptography\u2014SAC 2013\u201420th Int. Conf.","author":"Wu","year":"2013"},{"volume-title":"AEGIS: a fast authenticated encryption algorithm (v1.1). Submission to CAESAR: competition for authenticated encryption. Security, applicability, and robustness (round 3 and final portfolio)","year":"2016","author":"Wu","key":"2022081612471388300_ref11"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/65\/8\/2221\/45329771\/bxab059.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/65\/8\/2221\/45329771\/bxab059.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,8,16]],"date-time":"2022-08-16T12:48:48Z","timestamp":1660654128000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/65\/8\/2221\/6280579"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5,22]]},"references-count":11,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2021,5,22]]},"published-print":{"date-parts":[[2022,8,11]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxab059","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"type":"print","value":"0010-4620"},{"type":"electronic","value":"1460-2067"}],"subject":[],"published-other":{"date-parts":[[2022,8]]},"published":{"date-parts":[[2021,5,22]]}}}