Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS

Date: 2019/11/29

Speaker: Dr. Siwei Sun is an associate researcher at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests are symmetric cryptographic algorithm design and automatic cryptanalysis, cryptographic algorithm optimization, and secure implementation. In recent years, he has published more than 30 papers at top-tier conferences in cryptography and information security, such as CRYPTO, ASIACRYPT, FSE, and USENIX Security. He has also participated in many important projects, such as the 973 and the National Key Research and Development Plan, and acts as the project leader of the latter. Moreover, he designed and developed an automated cryptanalysis software framework based on mixed integer linear programming (MILP), which has been used in several relevant departments in China for algorithm analysis and design tasks.

Date: November 29, 2019

Time: 14:00—17:30

Location: Room 320, Block D, Ganchang Building, Qingdao Campus

Abstract:

We show that the correlation of any quadratic Boolean function can be read out from its so-called disjoint quadratic form. We further propose a polynomial-time algorithm that can transform an arbitrary quadratic Boolean function into its disjoint quadratic form. With this algorithm, the exact correlation of quadratic Boolean functions can be computed efficiently. We apply this method to analyze the linear trails of MORUS (one of the seven finalists of the CAESAR competition), which are found with the help of a generic model for linear trails of MORUS-like key-stream generators. In our model, any tool for finding linear trails of block ciphers can be used to search for trails of MORUS-like key-stream generators. As a result, a set of trails with correlation 2^{-38} is identified for all versions of full MORUS, while the correlations of previously published best trails for MORUS-640 and MORUS-1280 are 2^{-73} and 2^{-76} respectively (ASIACRYPT 2018). This significantly improves the complexity of the attack on MORUS-1280-256 from 2^{152} to 2^{76}. These new trails also lead to the first distinguishing and message-recovery attacks on MORUS-640-128 and MORUS-1280-128 with surprisingly low complexities around 2^{76}. Moreover, we observe that the condition for exploiting these trails in an attack can be more relaxed than previously thought, which shows that the new trails are superior to previously published ones in terms of both correlation and the number of ciphertext blocks involved.
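To illustrate the first claim of the abstract, the following added example (not the speaker's code or algorithm) computes the exact correlation of a quadratic Boolean function by repeatedly splitting off one product of two independent linear forms, a textbook reduction to a sum of disjoint products, and checks it against exhaustive evaluation. The monomial-set representation, the function names, and the sample function are assumptions made for this example.

```python
from fractions import Fraction
from itertools import product

def correlation(f):
    """Exact correlation of a quadratic Boolean function over GF(2).

    f is a set of monomials; each monomial is a frozenset of variable
    indices (frozenset() is the constant 1). Degree must be <= 2.
    """
    f, pairs = set(f), 0
    while True:
        quad = min((m for m in f if len(m) == 2), key=sorted, default=None)
        if quad is None:
            break
        i, j = sorted(quad)
        # Write f = x_i*x_j + x_i*A + x_j*B + R, where the affine forms
        # A, B and the remainder R do not involve x_i or x_j.
        A, B, R = set(), set(), set()
        for m in f - {quad}:
            if i in m:
                A.add(m - {i})
            elif j in m:
                B.add(m - {j})
            else:
                R.add(m)
        # Then f = (x_i + B)(x_j + A) + (A*B + R). The product uses two
        # fresh independent coordinates and contributes a factor 1/2;
        # continue with A*B + R on the remaining variables.
        AB = set()
        for a, b in product(A, B):
            AB ^= {a | b}          # x_v * x_v = x_v, equal terms cancel
        f, pairs = R ^ AB, pairs + 1
    if any(len(m) == 1 for m in f):
        return Fraction(0)         # a leftover free linear term: balanced
    sign = -1 if frozenset() in f else 1
    return Fraction(sign, 2 ** pairs)

def brute_force(f, n):
    """Reference value: average of (-1)^f(x) over all x in GF(2)^n."""
    total = 0
    for x in product((0, 1), repeat=n):
        value = sum(all(x[v] for v in m) for m in f) & 1
        total += -1 if value else 1
    return Fraction(total, 2 ** n)

# Constructed sample: f = x0x1 + x1x2 + x2x3 + x0 + x3 (not from the talk)
SAMPLE = {frozenset(m) for m in [(0, 1), (1, 2), (2, 3), (0,), (3,)]}
```

The reduction needs at most n/2 rounds of polynomial work, whereas `brute_force` visits all 2^n inputs, which is why a closed-form readout matters for trails over hundreds of state bits.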

Inviter: Prof. Meiqin Wang

Edited by: Jinsong L

Copyright: School of Cyber Science and Technology, Shandong University