Cryptanalysis of MORUS


Brice Minaud

May 25, 2018, 8:17:32 AM
to Cryptographic competitions
Hi all, 

We have found a linear correlation in the keystream of full MORUS, which can be used to distinguish its output from random, and recover plaintext bits in the broadcast setting, similar to biases on the RC4 stream cipher (http://www.isg.rhul.ac.uk/tls/). For MORUS-1280, the correlation is 2^-76, which can be exploited after encrypting around 2^152 short messages (using arbitrary keys and nonces), less than would be expected for a 256-bit secure cipher. For MORUS-640, the same attack results in a correlation of 2^-73, which does not violate the security claims of the cipher. We note that similar correlations have also been found for AEGIS (http://ia.cr/2018/292).

In addition, we present results on several components of the algorithm (initialization, state update and tag generation). The full paper is attached, and also available at:

We thank the designers of MORUS for checking a preliminary version of this work and confirming the attack.

Tomer, Maria, Martin, Gaëtan, Brice, Yann, Yu and Benoît
morus-crypt.pdf
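
The relation between the correlation and the message count quoted in the post (2^-76 and around 2^152, i.e. on the order of 1/c^2), shown as an added example that is not part of the original post or the paper. It is a toy model, not MORUS: the biased keystream parity, the correlation 2^-3 and all function names are assumptions made so the effect can be simulated.

```python
import random

def log2_messages_needed(log2_correlation):
    """A correlation c needs on the order of 1/c^2 samples: log2(N) = -2*log2(c)."""
    return -2 * log2_correlation

def observed_parity(rng, plaintext_parity, correlation):
    """One broadcast ciphertext: plaintext parity XOR a biased keystream parity.

    Toy model (assumption): the masked keystream bits XOR to 0 with
    probability 1/2 + c/2, under a fresh key and nonce each time.
    """
    keystream_parity = 0 if rng.random() < 0.5 + correlation / 2 else 1
    return plaintext_parity ^ keystream_parity

def recover_parity(plaintext_parity, correlation, n_messages, seed):
    """Majority vote over n_messages ciphertext parities of the same plaintext."""
    rng = random.Random(seed)
    ones = sum(observed_parity(rng, plaintext_parity, correlation)
               for _ in range(n_messages))
    return 1 if 2 * ones > n_messages else 0

def success_rate(correlation, n_messages, trials=200):
    """Fraction of trials in which the vote returns the true plaintext parity."""
    hits = 0
    for trial in range(trials):
        truth = trial % 2
        hits += recover_parity(truth, correlation, n_messages, seed=trial) == truth
    return hits / trials

if __name__ == "__main__":
    print("log2 messages for correlation 2^-76:", log2_messages_needed(-76))
    c = 2 ** -3  # constructed toy correlation, small enough to simulate
    for factor in (1 / 16, 1, 64):
        n = int(factor / c ** 2)
        print(f"N = {n:5d} ({factor} / c^2): success rate {success_rate(c, n):.2f}")
```

With far fewer than 1/c^2 messages the vote is close to a coin flip; a constant multiple of 1/c^2 makes it reliable, which is why a cipher's security claim bounds the correlations it can tolerate.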