Linear cryptanalysis of FASER128/256 and TriviA-ck

Abstract

In this paper, we evaluate the security of FASER and TriviA-ck, two authenticated encryption schemes submitted to the CAESAR competition, using linear cryptanalysis. We point out that the most serious weakness of FASER is that the linear FSRs and nonlinear FSRs do not interact with each other. Thus, by linear approximation of the MAJ function, it is possible to derive linear approximations involving only the keystream words and the initial states of the linear FSRs. We found some such equations with correlation coefficient 2^-1 for FASER128 and FASER256, which lead to recovery of the initial state of the linear FSRs with an off-line time complexity of 2^36 to compute a low-weight multiple polynomial, and a negligible online time complexity, which is polynomial in the total length of the linear FSRs, given 2^36 keystream words. Moreover, we construct some distinguishers involving two consecutive steps of keystream words with a correlation coefficient of 2^-2 for FASER128 and FASER256. Thus we need only 16 keystream words for each of FASER128 and FASER256 to distinguish the corresponding keystream from a random sequence. These distinguishers do not rely on any weakness of the MIX operation, so the distinguishing attack will still work even if the FASER designers modify the MIX function. Finally, we use the linear sequential circuit approximation (LSCA) method to analyze TriviA-ck, a stream cipher similar to Trivium, and derive a linear function of consecutive keystream bits with a correlation coefficient of 2^-76. This shows that TriviA-ck has much weaker immunity against linear cryptanalysis than Trivium.
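
The following is an added illustration, not code from the paper. It computes the correlation of every linear approximation of a 3-input bitwise majority function (assumed here to be the MAJ the abstract refers to), showing that the best ones reach 2^-1, and applies the standard 1/c^2 rule of thumb for distinguisher data complexity, which gives 16 samples at c = 2^-2. All function names are hypothetical.

```python
from itertools import product


def maj(a, b, c):
    """3-input majority on single bits (assumed form of MAJ)."""
    return (a & b) ^ (a & c) ^ (b & c)


def correlation(mask):
    """Correlation between MAJ(a, b, c) and the linear function mask . (a, b, c).

    Correlation = (#agreements - #disagreements) / #inputs, in [-1, 1].
    """
    total = 0
    for bits in product((0, 1), repeat=3):
        lin = 0
        for m, x in zip(mask, bits):
            lin ^= m & x
        total += 1 if maj(*bits) == lin else -1
    return total / 8


def spectrum():
    """Correlation of MAJ against all 8 linear masks."""
    return {mask: correlation(mask) for mask in product((0, 1), repeat=3)}


def best_masks():
    """Masks whose approximation has the largest absolute correlation."""
    spec = spectrum()
    peak = max(abs(c) for c in spec.values())
    return peak, sorted(m for m, c in spec.items() if abs(c) == peak)


def samples_needed(c):
    """Rule-of-thumb sample count, about 1/c^2, to detect correlation c."""
    return round(1 / c ** 2)


if __name__ == "__main__":
    for mask, c in spectrum().items():
        print(mask, c)
    print("best:", best_masks())
    print("samples at c = 2^-2:", samples_needed(2 ** -2))
```

The single-input masks and the all-ones mask are the only ones with non-zero correlation, so a linear approximation through MAJ costs a factor of 2^-1 whichever of them is used.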

Cite

Xu, C., Zhang, B., Zhang, B., & Feng, D. (2014). Linear cryptanalysis of FASER128/256 and TriviA-ck. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8885, pp. 237–254). Springer Verlag. https://doi.org/10.1007/978-3-319-13039-2_14
