Cryptanalysis of all versions of full MORUS


siweisun

Feb 18, 2019, 9:06:38 AM
to Cryptographic competitions

Hi all,

 

We present a cryptanalysis of all versions of full MORUS (see the attachment).

 

We present a polynomial-time algorithm for computing the correlation of an arbitrary Quadratic Boolean function by converting it into the so-called disjoint quadratic form.  Then we compute the correlation of the trails of MORUS we find using a generic model for finding linear trails of MORUS-like key stream generators. As a result, we identify a set of trails with correlation 2^{-38} for all versions of full MORUS. 

 

This significantly improves the complexity of the attack on MORUS-1280-256 presented by Tomer Ashur, Maria Eichlseder, Martin M. Lauridsen, Gaetan Leurent, Brice Minaud, Yann Rotella, Yu Sasaki, and Benoit Viguier [ASIACRYPT 2018] from 2^152 to 2^76. These new trails also lead to the first distinguishing and message-recovery attacks on MORUS-640-128 and MORUS-1280-128 with surprisingly low complexities around 2^76. Moreover, we observe that the condition for exploiting these trails in an attack can be more relaxed than previously thought, which shows that the new trails are superior to previously published ones in terms of both correlation and the number of ciphertext blocks involved.

 

We have shared an early draft of this work with the designers. The designers confirmed our verification on full MiniMORUS and they think that the correlation is still too low to threaten the practical security.

 

 

Best regards,

Danping Shi, Siwei Sun, Yu Sasaki, Chaoyun Li, Lei Hu

 

cryptanalysis_morus.pdf
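
The idea of computing the correlation of a quadratic Boolean function through a disjoint quadratic form, as an added example that is not part of the original post or the attached paper: it uses the textbook reduction that pairs off one product term at a time, each disjoint product contributing a factor 1/2. The term encoding, the function names and the sample function are assumptions made for this illustration; the authors' own algorithm is in the attachment and may differ.

```python
from fractions import Fraction
from itertools import product

def correlation(n, terms):
    """Correlation of f(x) = XOR of monomials over GF(2).
    Each term is () for 1, (i,) for x_i, or (i, j) for x_i*x_j."""
    adj = [0] * n                  # adj[i]: bitmask of j with x_i*x_j in f
    lin = const = pairs = 0
    for t in terms:
        t = tuple(set(t))          # x_i*x_i = x_i over GF(2)
        if not t:
            const ^= 1
        elif len(t) == 1:
            lin ^= 1 << t[0]
        else:
            adj[t[0]] ^= 1 << t[1]
            adj[t[1]] ^= 1 << t[0]
    for i in range(n):
        if not adj[i]:
            continue
        # f = x_i*x_j + x_i*A + x_j*B + R = (x_i + B)(x_j + A) + A*B + R
        j = (adj[i] & -adj[i]).bit_length() - 1
        a, a0 = adj[i] & ~(1 << j), (lin >> i) & 1   # A = sum(a) + a0
        b, b0 = adj[j] & ~(1 << i), (lin >> j) & 1   # B = sum(b) + b0
        drop = ~((1 << i) | (1 << j))
        adj = [m & drop for m in adj]
        adj[i] = adj[j] = 0
        lin &= drop
        for k in range(n):         # fold the product A*B into the remainder
            if (a >> k) & 1:
                adj[k] ^= b & ~(1 << k)
            if (b >> k) & 1:
                adj[k] ^= a & ~(1 << k)
        lin ^= (a & b) ^ (b if a0 else 0) ^ (a if b0 else 0)
        const ^= a0 & b0
        pairs += 1                 # one disjoint product, factor 1/2
    if lin:                        # a surviving linear term balances f
        return Fraction(0)
    return Fraction((-1) ** const, 2 ** pairs)

def brute_force(n, terms):
    """Exhaustive reference: 2^-n * sum over x of (-1)^f(x)."""
    total = sum(1 - 2 * (sum(all(x[v] for v in t) for t in terms) & 1)
                for x in product((0, 1), repeat=n))
    return Fraction(total, 2 ** n)

# Constructed sample: f = x0x1 + x1x2 + x2x3 + x0 + x3 + 1 on 4 variables
SAMPLE = [(0, 1), (1, 2), (2, 3), (0,), (3,), ()]
print(correlation(4, SAMPLE), brute_force(4, SAMPLE))
```

The reduction takes a number of steps polynomial in the number of variables, while the exhaustive check is only usable for small n and serves here as a cross-check.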