Cryptanalysis of MORUS.

MORUS is an authenticated cipher submitted to the ongoing CAESAR competition and becomes one of 15 candidates entering the third round. This paper studies the bit-based division property and differential trails of MORUS-640/1280 with Mixed Integer Linear Programming (MILP) tool. The key-recovery attacks are executed against at most 5.5/6.5-step MORUS-640/1280 with the new concept of cube attacks based on the division property proposed by Todo et al. Meanwhile, we take the MILP model of bitwise AND operation with a constant introduced by Sun et al. into consideration, which makes the division trails and the subsequent integral distinguishers more accurate. And we also obtain 6/6.5-step integral distinguishers for MORUS-640/1280 and 4.5-step differential distinguishers of MORUS-1280. Compared to previous work, the cryptanalysis in this paper is the best result in terms of the number of attacked steps and required complexity.