Symmetry (Dec 2021)
Rotational Cryptanalysis of MORUS
Abstract
MORUS is one of the finalists of the CAESAR competition. This is an ARX construction that required investigation against rotational cryptanalysis. We investigated the power of rotational cryptanalysis against MORUS. We show that all the operations in the state update function of MORUS maintain the rotational pairs when the rotation distance is set to a multiple of the sub-word size. Our investigation also confirms that the rotational pairs can be used as distinguishers for the full version of MORUS if the constants used in MORUS are rotational-invariant. However, the actual constants used in MORUS are not rotational-invariant. The introduction of such constants in the state update function breaks the symmetry of the rotational pairs. Experimental results show that rotational pairs can be used as distinguishers for only one step of the initialization phase of MORUS. For more than one step, there are not enough known differences in the rotational pairs of MORUS to provide an effective distinguisher. This is due to the XOR-ing of the constants that are not rotational-invariant. Therefore, it is unlikely for an adversary to construct a distinguisher for the full version of MORUS by observing the rotational pairs.
Keywords
