MORUS is an authenticated stream cipher that was selected as a third-round candidate of the ongoing CAESAR competition. In this work, the security of MORUS-640-128 against collision attacks is evaluated. The partition method is used to find the information leakage between the word differences of the message in the nonlinear function that is determined by the collision. Necessary conditions for a collision after two steps are proposed for the first time, and the distribution of the input difference is determined. Furthermore, the necessary conditions are turned into pseudo-Boolean optimization problems. Using mixed integer programming, it is found that the weight of the message difference must be higher than 28, with a collision probability less than 2^{-140}, which is a better upper bound than the 2^{-130} of ref. [7]. The result shows that MORUS-640-128 performs well in resisting collision attacks.
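The following Python example is added here to illustrate the collision-probability reasoning summarised in the abstract; it is not code from the paper and does not implement MORUS-640-128. It assumes a constructed 4-bit toy step F(x, y) = x XOR (y AND rotl(y, 1)) of AND-XOR-rotate shape, computes the exact probability that an input difference (dx, dy) gives a collision, compares it with the independent-bit heuristic (one factor of 2^{-1} per active AND bit), and runs an exhaustive search in place of a mixed integer programming solver to obtain the best collision probability at each difference weight. The function names, the word width W and the step F are all assumptions of this example.

```python
# Added example (not from the paper): collision probability of a differential through a
# bitwise AND, and a brute-force stand-in for the pseudo-Boolean / MIP weight minimisation.
# The step F below is a CONSTRUCTED toy of AND-XOR-rotate shape; it is NOT the
# MORUS-640-128 state update, and the bounds it yields apply to the toy only.

W = 4                       # toy word width in bits (assumption)
MASK = (1 << W) - 1


def rotl(v, r):
    """Rotate a W-bit word left by r bits."""
    return ((v << r) | (v >> (W - r))) & MASK


def popcount(v):
    return bin(v).count("1")


def g(y):
    """The AND part of the toy step: bit j of g(y) is y_j & y_{j-1}."""
    return y & rotl(y, 1)


def F(x, y):
    """Toy nonlinear step (constructed, not the MORUS update): x XOR g(y)."""
    return x ^ g(y)


def naive_collision_probability(dx, dy):
    """Independent-bit heuristic: every bit of dy | rotl(dy, 1) is treated as one fresh,
    uniformly random output-difference bit (cost 2^-1 each); dx must lie inside that mask.
    This is the estimate one gets before accounting for leakage between word differences."""
    active = (dy | rotl(dy, 1)) & MASK
    if dx & ~active & MASK:          # a difference bit outside the active mask is impossible
        return 0.0
    return 2.0 ** -popcount(active)


def exact_collision_probability(dx, dy):
    """Pr over uniform y that F(x, y) == F(x ^ dx, y ^ dy).  The linear part x cancels,
    so a collision happens exactly when the AND-difference g(y) ^ g(y ^ dy) equals dx."""
    hits = sum(1 for y in range(1 << W) if g(y) ^ g(y ^ dy) == dx)
    return hits / (1 << W)


def leakage_cases():
    """(dx, dy) pairs whose exact probability differs from the heuristic, i.e. where the
    AND-difference bits are not independent (they share input bits of y)."""
    return [(dx, dy) for dx in range(1 << W) for dy in range(1 << W)
            if exact_collision_probability(dx, dy) != naive_collision_probability(dx, dy)]


def best_collision_probability_by_weight():
    """Brute-force stand-in for the pseudo-Boolean / MIP search: for each weight
    popcount(dx) + popcount(dy) of a non-zero input difference, the largest collision
    probability achieved by any difference of that weight."""
    best = {}
    for dx in range(1 << W):
        for dy in range(1 << W):
            if dx == 0 and dy == 0:
                continue
            w = popcount(dx) + popcount(dy)
            p = exact_collision_probability(dx, dy)
            best[w] = max(best.get(w, 0.0), p)
    return best


def minimum_collision_weight():
    """Smallest difference weight for which a collision is possible at all."""
    best = best_collision_probability_by_weight()
    return min(w for w, p in best.items() if p > 0.0)


if __name__ == "__main__":
    for w, p in sorted(best_collision_probability_by_weight().items()):
        print(f"weight {w}: best collision probability {p}")
    print("minimum weight admitting a collision:", minimum_collision_weight())
    print("pairs where AND-difference bits are not independent:", len(leakage_cases()))
```

For dy = 0xF and dx = 0 the exact probability is 2^{-3} while the heuristic gives 2^{-4}: the four AND-difference bits are y_j XOR y_{j-1} XOR 1, whose sum over the cycle is zero, so only three of them are independent. Dependencies of this kind between word differences are what a heuristic weight count misses and what the exact necessary conditions used in the paper have to capture before the weight bound can be turned into a probability bound.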
[1] BELLARE M and NAMPREMPRE C. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm[J]. Journal of Cryptology, 2008, 21(4): 469-491. doi: 10.1007/s00145-008-9026-x.
[2] BERNSTEIN D J. CAESAR: Competition for authenticated encryption: Security, applicability, and robustness[OL]. http://competitions.cr.yp.to/index.html, 2015.
[3] DOBRAUNIG C, EICHLSEDER M, and MENDEL F. Heuristic tool for linear cryptanalysis with applications to CAESAR candidates[C]. Advances in Cryptology - ASIACRYPT 2015, Auckland, New Zealand, 2015: 490-509. doi: 10.1007/978-3-662-48800-3_20.
[4] DEY P, ROHIT S R, SARKAR S, et al. Differential fault analysis on Tiaoxin and AEGIS family of ciphers[C]. Security in Computing and Communications 2016, Jaipur, India, 2016: 74-86. doi: 10.1007/978-981-10-2738-3_7.
[5] PEYRIN T, SIM S, WANG L, et al. Cryptanalysis of JAMBU[C]. Fast Software Encryption 2015, Istanbul, Turkey, 2015: 264-281. doi: 10.1007/978-3-662-48116-5_13.
[6] SALAM M, BARTLETT H, PIEPRZYK J, et al. Investigating cube attack on the authenticated encryption stream cipher ACORN[C]. Applications and Techniques in Information Security 2016, Cairns, QLD, Australia, 2016: 15-26. doi: 10.1007/978-981-10-2741-3_2.
[7] WU H and HUANG T. The authenticated cipher MORUS (v1)[OL]. http://competitions.cr.yp.to/round2/morusv11.pdf, 2015.
[8] MILEVA A, DIMITROVA V, and VELICHKOV V. Analysis of the authenticated cipher MORUS (v1)[C]. Cryptography and Information Security in the Balkans 2015, Koper, Slovenia, 2015: 45-59. doi: 10.1007/978-3-319-29172-7_4.
[9] ZHANG Pei, GUAN Jie, LI Junzhi, et al. Research on the confusion and diffusion properties of the initialization of MORUS[J]. Journal of Cryptologic Research, 2015, 2(6): 536-548. doi: 10.13868/j.cnki.jcr.000100.
[10] WANG Xiaoyun and YU Hongbo. How to break MD5 and other hash functions[C]. Advances in Cryptology - EUROCRYPT 2005, Aarhus, Denmark, 2005: 19-35. doi: 10.1007/11426639_2.
[11] FUHR T, LEURENT G, and SUDER V. Collision attacks against CAESAR candidates: Forgery and key-recovery against AEZ and Marble[C]. Advances in Cryptology - ASIACRYPT 2015, Auckland, New Zealand, 2015: 510-532. doi: 10.1007/978-3-662-48800-3_21.
[12] PEYRIN T. Collision attack on Grindahl[J]. Journal of Cryptology, 2015, 28(4): 879-898. doi: 10.1007/s00145-014-9186-9.
[13] ROUSSEL O and MANQUINHO V. Input/output format and solver requirements for the competitions of pseudo-Boolean solvers[OL]. http://www.cril.univ-artois.fr/PB12/format.pdf, 2012.
[14] BERTSIMAS D and WEISMANTEL R. Optimization over Integers[M]. Massachusetts, USA: Dynamic Ideas, 2005: 73-82.