Security Analysis Of Several Authenticated Encryption Algorithms

Authenticated encryption algorithm can realize data encryption and message authentication at the same time,which is widely used in the cyberspace security system.In 2014,the International Association for Cryptologic Research launched CAESAR competition to solicit secure and efficient authenticated encryption algorithms for different scenarios.In 2018,the National Institute of Standards and Technology published a call for lightweight cryptographic algorithms（LWC）with authenticated encryption.With the development of a large number of new authenticated encryption algorithms,the security analysis of these algorithms has become a research hotspot.Baesed on the popular automated search technology,this paper analyzes the security performance of several authenticated encryption algorithms proposed in CAESAR competition and LWC by using different ways,including differential analysis,linear analysis,differential forgery attack and fault attack.The main contributions and innovations of this paper are as follows:1.We research on the differential property of MORUS initialization phase.Firstly,an improved differential derivation rule is presented,which makes use of the idea of local optimality to generate fewer active and gates in the next step of state update function.As a result,a differential characteristic with high probability can be quickly obtained.Based on this,we construct the mixed integer linear programming（MILP）model to search for the differential characteristic with the least active and gates.In order to speed up the search process,we propose a Divide-and-Conquer approach according to the structure of MORUS initialization phase.The MILP differential model is divided into a number of sub-models according to the weight and value ofΔIV.The rotation equivalence of the differential states is defined,and it is proved that the solution of the submodels whose initial differential states are rotation equivalent are same.Thus,the solution of most submodels can be eliminated,and the time to solve the MILP differential model is greatly shortened.We obtain the optimal differential characteristic of the MORUS initialization phase with1 to 7 steps,and propose the differential distinguish attack of simplified MORUS.2.We research on the linear property of authenticated encryption algorithms ACE and SPIX designed based on the Simeck round function.We define the n-dimensional ring AND-gate combination,and transform its linear approximation expression to the disjoint quadratic form.We analyze the correlation of the expression with different input masks and out masks,and give the relationship between the correlation and mask.Based on this we use only O（n）expressions to accurately describe the linear property of the n-dimensional ring AND-gate combination with MILP.The main parts of ACE and SPIX are ACE permutation and SLISCP permutation respectively.The nonlinear operations of the permutation are transformed to the 32-dimensional ring AND-gate combination,and then the MILP linear model is constructed.We get the linear characteristics with high correlation of 2-to-7-step ACE permutation and SLISCP permutation.Under the assumption that round functions are independent,the optimal linear characteristics of2-to-4-step ACE permutation and 2-to-5-step SLISCP permutation are obtained.For ACE permutation and SLISCP permutation with arbitrary number of steps,ACE-AE-128 and SPIX can resist linear distinguish attack of plaintext processing phase.3.We research on the differential forgery attack of authenticated encryption algorithms ACE and SPIX designed based on the Simeck round function.For the n-dimensional ring AND-gate combination,we analyze the relationship among the n and gates,and use only O（n）expressions to accurately describe the differential property of the structure with MILP.We analyze the relationship between the input difference and the differential probability in the ring AND-gate combination.The range of differential probability can be determined according to the weight of the input difference.We construct the MILP differential model of ACE and SPIX,and show the way to fast solve the model.We show the differential characteristics of 2-to-10-step ACE permutation with high probability.And the differential characteristic probability of 10-step ACE permutation is 2^-274.We get the differential characteristic of 3-step ACE permutation with the probability 2^-90.52,and give the differential forgery attack of ACE-AE-128 with 3-step ACE permutation.We show the differential characteristics of 2-to-11-step SLISCP permutation with high probability.And the differential characteristic probability of 11-step SLISCP permutation is2^-242.We also get the differential characteristic of 3-step SLISCP permutation with the probability2^-81.45,and give the differential forgery attack of SPIX with 3-step SLISCP permutation.4.We research on the differential fault attack on authenticated encryption algorithm HYENA,and firstly achieve the differential fault attack on the nonce-repecting authenticated encryption algorithm with single fault model.Firstly,differential fault attack on GIFT-128 is given.We induce a nonzero difference by injecting a random fault into a random nibble of the 39th round input of GIFT-128,find that the weight of the input difference of the active Sbox in the 40th round is 1,and analyze the restriction relationship among the input difference of those active Sboxes to further reduce the scope of the input difference.Then,the key bits of the 40th round can be recovered using the known information.It is proved that when the above fault is injected into the decryption process of HYENA,the probability of generating the correct tag is not less than 0.026,which ensures that the decryption process can output the plaintext and satisfys the conditions of differential fault attack.Then the differential fault attack on HYENA is successfully implemented.The experimental results show that the attack can recover 56 key bits of HYENA.And the fault model is easy to implement.5.LOTUS\LOCUS adopts XEX-like structure,whose mask is related to Nonce and secret.Thus,the previous fault attack techniques are not applicable to LOTUS\LOCUS.In order to solve this problem,the differential statistical fault attack is proposed.We analyze the key expansion algorithm of LOTUS\LOCUS to determine the fault injection location.Under the transient fault model,the correct key bit is determined according to the optimal distinguisher between two discrete random variables.Under the permanent fault model,only one fault ciphertext is needed to recover the complete key.6.We research on the collision fault attacks on authenticated encryption algorithms ESTATE＿Twe GIFT-128,GIFT-COFB and SUNDAE-GIFT.Firstly,the collision fault attack of GIFT-128 is presented.Based on this,the collision fault attacks on the three authenticated encryption algorithms are designed respectively.For ESTATE＿Twe GIFT-128 and GIFT-COFB,we directly attack the GIFT-128 invocation in the initialization phase.For SUNDAE-GIFT,we regard the output of the initialization phase as the whitening key of the first GIFT-128 invocation in the associated data processing phase,and attack the GIFT-128 invocation.We can recover the key effectively.