
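Analysis on the Weak States of AEGIS
Cite this article: SHI Tai-rong, GUAN Jie, LIU Wen-zhe. Analysis on the Weak States of AEGIS [J]. Acta Electronica Sinica, 2018, 46(9): 2102-2107.
Authors: SHI Tai-rong  GUAN Jie  LIU Wen-zhe
Affiliation: 1. Information Engineering University, Zhengzhou, Henan 450001; 2. No. 61415 Troops, Hulunbuir, Inner Mongolia 021009
Abstract (translated from the Chinese): The AEGIS algorithm is an authenticated encryption algorithm that entered the third round of the CAESAR competition (Competition for Authenticated Encryption: Security, Applicability, and Robustness). Depending on the internal state and key length, the designers recommended three algorithms in the AEGIS family: AEGIS-128, AEGIS-256 and AEGIS-128L. This paper gives a new set of weak states for each of AEGIS-256 and AEGIS-128L, whose probability of occurrence is far better than in existing analysis results. On this basis, for AEGIS-256, the paper realizes a forgery attack on the algorithm and gives internal states together with their corresponding plaintexts such that the resulting authentication tag is all zeros; for AEGIS-128L, the paper obtains the pattern of information leakage of the algorithm in a weak state. Finally, the causes of the weak states in the AEGIS family are analyzed, and concrete design and usage recommendations are given. At present, apart from the design report, there is no analysis of the weak states of AEGIS, so this paper is of significance for the CAESAR selection.

Keywords: CAESAR competition  AEGIS algorithm  weak states  forgery attack
Received: 2016-08-16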

Analysis on the Weak States of AEGIS
SHI Tai-rong, GUAN Jie, LIU Wen-zhe. Analysis on the Weak States of AEGIS [J]. Acta Electronica Sinica, 2018, 46(9): 2102-2107.
Authors: SHI Tai-rong  GUAN Jie  LIU Wen-zhe
Affiliation: 1. Information Engineering University, Zhengzhou, Henan 450001, China; 2. No. 61415 Troops, Hulunbuir, Inner Mongolia 021009, China
Abstract: AEGIS, an authenticated stream cipher, is one of fifteen third-round candidates of the CAESAR competition (Competition for Authenticated Encryption: Security, Applicability, and Robustness). Three AEGIS versions, AEGIS-128, AEGIS-256 and AEGIS-128L, are recommended for different internal state and key sizes. This paper proposes two types of weak state, for AEGIS-256 and AEGIS-128L respectively. The probabilities of these types of weak state are greater than the existing results. Based on those analyses, a forgery attack on AEGIS-256 is introduced. Indeed, we present internal states with the corresponding plaintexts for which the tags are 0. As for AEGIS-128L, we obtain the information leakage of the encryption. Finally, we give a brief analysis of what is responsible for the weak states. To the best of our knowledge, except for the design document, no cryptanalysis of the weak states of AEGIS has been proposed until now. Therefore, our work is significant for the CAESAR competition.
Keywords: CAESAR  AEGIS  weak states  forgery attack