In this paper, the security of Advanced Encryption Standard-based authenticated encryption schemes, including the AEGIS family, Tiaoxin-346, and Rocca, is examined using mixed integer linear programming tools. Specifically, for the initialisation phases of AEGIS, Tiaoxin-346, and Rocca, the security against differential attacks and integral attacks is evaluated by estimating lower bounds on the number of active S-boxes and by utilising the division property, respectively. In addition to the evaluation of the initialisation phases, the security of the encryption phases of AEGIS, Tiaoxin-346, and Rocca against distinguishing attacks on the keystream is evaluated by exploiting integral properties. As a result, the authors show that the initialisation phases of AEGIS-128/128L/256, Tiaoxin-346, and Rocca are secure against differential attacks after 4/3/6, 5, and 6 rounds, respectively. Regarding integral attacks, distinguishers are found on 6/6/7, 15, and 7 rounds in the initialisation phases of AEGIS-128/128L/256, Tiaoxin-346, and Rocca, respectively. Additionally, integral distinguishers are presented on 2/2/4, 4, and 4 rounds in the encryption phases of AEGIS-128/128L/256, Tiaoxin-346, and Rocca, respectively. As far as is known, these results are the first distinguishing attacks on the keystream of AEGIS, Tiaoxin-346, and Rocca that do not rely on weak keys.

KEYWORDS: cryptography, security

1 | INTRODUCTION

1.1 | Background

At Selected Areas in Cryptography (SAC) 2013, Wu and Preneel proposed an Advanced Encryption Standard (AES)-based Authenticated Encryption with Associated Data (AEAD) scheme called AEGIS-128/128L/256 to achieve high speed in software [1]. To perform high-speed encryption, the AEGIS family utilises the AES New Instructions (AES-NI) [2, 3], a special single instruction multiple data instruction set. The AEGIS family was submitted to the CAESAR competition [4], and AEGIS-128 was selected for the final portfolio for high-performance applications. Nikolić proposed an efficient AEAD scheme called Tiaoxin-346 using AES-NI in 2014 [5], which was chosen as a third-round candidate in the CAESAR competition. At Fast Software Encryption (FSE) 2016, Jean and Nikolić generalised the round functions of AEGIS and Tiaoxin-346 and proposed round functions that are more efficient than these [6]. At FSE 2022, Sakamoto et al. further optimised the round function of Jean and Nikolić and proposed an AEAD scheme called Rocca [7, 8] for Beyond 5G systems.

These schemes consist of an initialisation phase and an encryption phase. In the initialisation phase, the key and nonce are loaded into the state, and the initial state is generated. In the encryption phase, starting from the initial state, a keystream is generated while the state values are updated, and a ciphertext is then obtained by XORing the plaintext with the keystream.
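As an added illustration (not code from the paper), the following shows the zero-sum property that integral distinguishers build on, using the plain AES round function that these schemes invoke through AES-NI. The paper's own search uses the division property with MILP tools on the full state updates; the round keys, constant bytes, and function names below are constructed for this sketch.

```python
# Added illustration: zero-sum (integral) property of the AES round function.
def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    """AES S-box: field inverse (0 maps to 0) followed by the affine map."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    s = inv
    for shift in range(1, 5):
        s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def aes_round(state, round_key):
    """SubBytes, ShiftRows, MixColumns, then XOR of a 16-byte word (as AESENC does).
    The state is 16 bytes in column-major order: index = 4 * column + row."""
    s = [SBOX[b] for b in state]
    s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(col[r], 2) ^ gmul(col[(r + 1) % 4], 3)
                       ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return [o ^ k for o, k in zip(out, round_key)]

def integral_sum(rounds, active_byte=0):
    """XOR-sum of the state over the 256 inputs that differ only in one byte."""
    # Constructed round keys and constant bytes; any fixed values behave the same.
    keys = [[(17 * i + 29 * r + 5) & 0xFF for i in range(16)] for r in range(rounds)]
    acc = [0] * 16
    for v in range(256):
        state = [0xA5] * 16
        state[active_byte] = v
        for key in keys:
            state = aes_round(state, key)
        acc = [a ^ b for a, b in zip(acc, state)]
    return acc

if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(n, "rounds:", "balanced" if not any(integral_sum(n)) else "not balanced")
```

With one active byte, every state byte sums to zero through three rounds whatever the keys are, and the sum is no longer zero after a fourth round.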
| Existing work

Recently, Takeuchi et al. evaluated the security against differential attacks [9] and integral attacks [10] for the initialisation phase of AEGIS and Rocca [11]. In the designer's evaluations of Tiaoxin-346, t...