SCIENCE CHINA Information Sciences, Volume 62, Issue 3: 039109(2019) https://doi.org/10.1007/s11432-017-9457-x

Real-time state recovery attack against MORUS in nonce-misuse setting

  • Received May 12, 2017
  • Accepted May 4, 2018
  • Published Jan 3, 2019


There is no abstract available for this article.


This work was supported by the National Natural Science Foundation of China (Grant Nos. 61572516, 61602514, 61272041, 61272488).



  • Table 1   Summary of state recovery

    | Recovery state | $\Delta P_0$ | $\Delta P_1$ | $\Delta P_2$ | Reuse time |
    |---|---|---|---|---|
    | $S_3^1$ | $\alpha_0, \alpha_1, \alpha_2, \alpha_3$ | $0^{128}$ | $0^{128}$ | 4 |
    | $S_2^1$ | $e_j,\ j \in [0,15]$ | $0^{128}$ | $0^{128}$ | 1 |
    | $S_3^2$ | $0^{128}$ | $1^{128}$ | $0^{128}$ | 1 |
    | $S_2^2$ | $0^{128}$ | $e_j,\ j \in [0,15]$ | $0^{128}$ | 1 |
    | $S_0^1, S_1^1, S_4^1$ | 0 | 0 | 0 | 0 |
