AEGIS, an authenticated encryption (AE) algorithm designed by H. J. Wu and B. Preneel, is one of the six winners of the Competition for Authenticated Encryption: Security, Applicability, and Robustness, which was launched by the National Institute of Standards and Technology. In this paper, we comprehensively investigate the existence of collisions in the initialization of AEGIS‐128 and evaluate the number of advanced encryption standard (AES) round functions involved in initialization, which reflects the resistance to differential attack. As a result, we find that there are 40 AES round functions, which is fewer than the 50 claimed in the design document. We also prove that AEGIS‐128 is strong enough to resist an adversary who has access to partial state. In particular, we present a collision‐based distinguisher and exploit it to recover the key of 4‐step and 5‐step (out of the full 10) AEGIS‐128. The time and memory complexities are about 2^29.7 and 2^26, respectively. Specifically, we quantize the attack on 4‐step AEGIS‐128, in which we solve the technical issue of dealing with a function that does not fulfill Simon’s promise. Note that the nonce is not reused in our work. Although we present some results on AEGIS‐128 that exceed the existing analysis, the security margin of AEGIS‐128 remains large.