A New Cube Attack on MORUS by Using Division Property

摘要

MORUS is an authenticated encryption algorithm and one of the candidates in the CAESAR competition. Currently, the security of MORUS received extensive attention. In this paper, a new existence terms detection method in superpoly recovery phase in cube attack is proposed. More precisely, the upper bounding degree of superpoly is first estimated by using the cube attack based on the division property with Mixed Integer Linear Programming tool. Moreover, the $t$t-degree monomials that may be involved in the superpoly are divided into two groups, where the elements of the first group can be directly determined without using the solver via the embedded property. Compared with previous methods, the time consumption by the solvers of our new method is reduced significantly. In particular, the truth table from only the existent terms can be used to recover the superpoly in the offline phase of the cube attack. Therefore, the time complexity of cube attack can be further reduced. As illustrative example, the security of the reduced-step variants of MORUS-640-128 against cube attack is evaluated by using this new method. It is demonstrated that the key recovery attacks can be applied to 6/7-step MORUS-640-128. Furthermore, some integral distinguishers of 7-step MORUS-640-128/MORUS-1280-256 are achieved.