Weak Keys in Reduced AEGIS and Tiaoxin

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, has been selected in final portfolio high-performance applications, while Tiaoxin is a third-round candidate. Although both adopt stream cipher based design, they quite different from well-known bit-oriented ciphers like Trivium Grain family. Their common feature consists round update function, where state divided into several 128-bit words each word option pass through an AES or not. During 6-year competition, it surprising that there no third-party cryptanalysis of initialization phase. Due similarities primitives, we motivated investigate whether way evaluate security their phases. Our technical contribution write expressions internal states terms nonce key by treating as unit then carefully study how simplify these adding proper conditions. As result, find groups weak keys with 296 5-round 8-round Tiaoxin, which allows us construct integral distinguishers time complexity 232 data 232. Based on distinguisher, recover 272 AEGIS-128. However, recovery attack will require usage constant occurring probability 2?32. All attacks reach half total number rounds. We expect this work can advance understanding designs similar AEGIS Tiaoxin.