Abstract
In this paper, we formulate a new cryptanalytic framework, the rotational-linear attack, for ARX ciphers. We first build an efficient distinguisher for a cipher E by composing a rotational attack and a linear attack through a set of intermediate variables. We then introduce a key-recovery technique that recovers some bits of the last whitening key in the related-key scenario. To decrease the data complexity of the attack, we apply a new method, called bit flipping, to rotational cryptanalysis for the first time, and we apply the partitioning technique to the key-recovery part.
Applying the new framework to the MAC algorithm Chaskey, we build a full-round distinguisher for it. Moreover, based on a 6-round distinguisher, we recover 21 bits of key information in the related-key scenario for keys belonging to a large weak-key class. The data complexity is \(2^{38.8}\) and the time complexity is \(2^{46.8}\). Before our work, rotational distinguishers could only be used to reveal key information by checking weak-key conditions; this is the first time one is applied in a last-rounds key-recovery attack. We also build a 17-round rotational-linear distinguisher for the ChaCha permutation, improving on the single rotational cryptanalysis of it.
References
Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_8
Bar-On, A., Dunkelman, O., Keller, N., Weizman, A.: DLCT: a new tool for differential-linear cryptanalysis. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 313–342. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_11
Barbero, S., Bellini, E., Makarim, R.H.: Rotational analysis of ChaCha permutation. CoRR abs/2008.13406 (2020)
Beierle, C., Leander, G., Todo, Y.: Improved differential-linear attacks with applications to ARX ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_12
Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_8
Biham, E., Carmeli, Y.: An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 59–76. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_4
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1
Carlet, C., Crama, Y., Hammer, P.L.: Boolean functions for cryptography and error-correcting codes. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press (2010)
Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_23
Daum, M.: Cryptanalysis of hash functions of the MD4-family. Ph.D. thesis, Ruhr University Bochum (2005)
Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional linear cryptanalysis. J. Cryptol. 32(1), 1–34 (2019)
Khovratovich, D., Nikolić, I.: Rotational cryptanalysis of ARX. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 333–346. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_19
Khovratovich, D., Nikolić, I., Pieprzyk, J., Sokołowski, P., Steinfeld, R.: Rotational cryptanalysis of ARX revisited. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 519–536. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_25
Kraleva, L., Ashur, T., Rijmen, V.: Rotational cryptanalysis on MAC algorithm Chaskey. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12146, pp. 153–168. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57808-4_8
Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_3
Leurent, G.: Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 344–371. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_14
Liu, Y., Sun, S., Li, C.: Rotational cryptanalysis from a differential-linear perspective: practical distinguishers for round-reduced FRIET, Xoodoo, and Alzette. Cryptology ePrint Archive, Report 2021/189 (2021). https://eprint.iacr.org/2021/189
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19
Wagner, D.: The Boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12
Appendices
A Application to ChaCha Permutation
The stream cipher ChaCha is an improvement of Salsa20 [5]. Each round of ChaCha applies 4 quarter-round functions, denoted by \(QR(v^{(r)}_a,v^{(r)}_b,v^{(r)}_c,v^{(r)}_d)\), to permute the \(4\times 4\) state matrix, denoted by \(V^{(r)}\). Every word \(v^{(r)}_i\) in \(V^{(r)}\) is 32 bits, \(i\in \{0,\dots ,15\}\). For odd rounds, \(V^{(r+1)}\) is computed by selecting the 4 columns, i.e., \((v_0^{(r)},v_4^{(r)},v_8^{(r)},v_{12}^{(r)})\), \((v_1^{(r)},v_5^{(r)},v_9^{(r)},v_{13}^{(r)})\), \((v_2^{(r)},v_6^{(r)},v_{10}^{(r)},v_{14}^{(r)})\) and \((v_3^{(r)},v_7^{(r)},v_{11}^{(r)},v_{15}^{(r)})\), as the inputs of the QR functions. For even rounds, \(V^{(r+1)}\) is computed by selecting the 4 diagonals \((v_0^{(r)},v_5^{(r)},v_{10}^{(r)},v_{15}^{(r)})\), \((v_1^{(r)},v_6^{(r)},v_{11}^{(r)},v_{12}^{(r)})\), \((v_2^{(r)},v_7^{(r)},v_{8}^{(r)}, v_{13}^{(r)})\), \((v_3^{(r)},v_4^{(r)},v_{9}^{(r)}, v_{14}^{(r)})\) as the inputs of the QR functions. The round function QR is presented in Fig. 6. In [3], the authors applied rotational cryptanalysis to the underlying permutation of ChaCha. They presented a rotational distinguisher for the 17-round ChaCha permutation with probability greater than \(2^{-488}\), whereas the corresponding probability for a random permutation of the same input size is \(2^{-511}\). This shows that the underlying permutation of ChaCha does not behave as a random permutation.
The extended application of rotational-linear cryptanalysis is presented as follows. We build a rotational-linear distinguisher for 17-round ChaCha permutation with 15-round rotational part \(E_1\), 1-round connective part \(E_c\) and 1-round linear part \(E_2\). The lower bound for the probability of \(E_1\) is \(2^{-430.2}\), given by [3]. The correlation of \(E_c\) is \(2^{-2}\) with the masks \(\alpha = \nu _{15}^{15}[0]\) and \(\overleftarrow{\alpha } = \nu _{15}^{15}[1]\). For linear part \(E_2\), the two output trails are \(\beta _1=( \nu _{0}^{16}[16,0] \oplus \nu _{5}^{16}[7] \oplus \nu _{10}^{16}[0] \oplus \nu _{15}^{16}[24])\) and \(\beta _0=(\nu _{0}^{16}[17,1,0] \oplus \nu _{5}^{16}[8] \oplus \nu _{10}^{16}[1] \oplus \nu _{15}^{16}[25])\) with corresponding correlation \(2^{-1}\). In conclusion, the correlation of rotational-linear distinguisher for 17-round ChaCha permutation is greater than \(2^{-433}\). Compared to rotational cryptanalysis, the rotational-linear attack exhibits advantages.
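As an added illustration of the rotational part \(E_1\) described above (this is example code written for this page, not the authors' tool or the ChaCha reference implementation), the block below implements the ChaCha quarter round and the column/diagonal round structure from this appendix, and then measures empirically how often a rotational pair \((x, x \lll 1)\) survives a single 32-bit modular addition and a single quarter round. The closed-form probability for modular addition, \((1 + 2^{r-n} + 2^{-r} + 2^{-n})/4\), is the standard one used in rotational cryptanalysis (see [10, 12]); the sample sizes and seeds are arbitrary choices for this example. The round numbering follows the appendix: odd rounds act on columns, even rounds on diagonals.

```python
import random

MASK = 0xFFFFFFFF


def rotl32(x, r):
    """Rotate a 32-bit word left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK


def quarter_round(a, b, c, d):
    """ChaCha quarter round QR(a, b, c, d): four additions, four XORs, four rotations."""
    a = (a + b) & MASK; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK; b = rotl32(b ^ c, 7)
    return a, b, c, d


# Word indices of the 4x4 state fed to the four QR calls (appendix A).
COLUMNS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGONALS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]


def chacha_round(state, r):
    """One ChaCha round on a 16-word state: odd r -> column round, even r -> diagonal round."""
    out = list(state)
    for idx in (COLUMNS if r % 2 == 1 else DIAGONALS):
        a, b, c, d = quarter_round(*(out[i] for i in idx))
        out[idx[0]], out[idx[1]], out[idx[2]], out[idx[3]] = a, b, c, d
    return out


def theoretical_prob_add(r=1, n=32):
    """Probability that rotl(x + y, r) == rotl(x, r) + rotl(y, r) for uniform n-bit x, y."""
    return (1 + 2 ** (r - n) + 2 ** (-r) + 2 ** (-n)) / 4


def rotational_prob_add(r=1, trials=200_000, seed=1):
    """Empirical estimate of the same probability from random (constructed) inputs."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        if rotl32((x + y) & MASK, r) == (rotl32(x, r) + rotl32(y, r)) & MASK:
            hits += 1
    return hits / trials


def rotational_prob_qr(r=1, trials=100_000, seed=2):
    """Fraction of random inputs for which a rotational pair survives one full quarter round.

    XOR and rotation preserve rotational pairs with probability 1, so only the four
    additions cost probability; under an independence heuristic the expected value is
    roughly theoretical_prob_add(r) ** 4 (about 2^-5.7 for r = 1).
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = [rng.getrandbits(32) for _ in range(4)]
        y = quarter_round(*x)
        y_rot = quarter_round(*(rotl32(w, r) for w in x))
        if all(rotl32(u, r) == v for u, v in zip(y, y_rot)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("add: theory %.4f, empirical %.4f" % (theoretical_prob_add(), rotational_prob_add()))
    print("QR : heuristic %.4f, empirical %.4f" % (theoretical_prob_add() ** 4, rotational_prob_qr()))
    state = [random.Random(3).getrandbits(32) for _ in range(16)]
    print("round 1 (columns):  ", [hex(w) for w in chacha_round(state, 1)][:4])
    print("round 2 (diagonals):", [hex(w) for w in chacha_round(state, 2)][:4])
```

Running the script shows the empirical addition probability settling at about 0.375 for a rotation amount of 1, which is the per-addition cost that, multiplied over the additions of 15 rounds, yields the \(2^{-430.2}\) lower bound from [3] that the rotational-linear distinguisher builds on.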
B The Proposition Used When Recovering Partial Key
Proposition 2
([4]). After running Algorithm 1 for \(N_r\) times, the probability that the correct key is among the key candidates is
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Xu, Y., Wu, B., Lin, D. (2021). Rotational-Linear Attack: A New Framework of Cryptanalysis on ARX Ciphers with Applications to Chaskey. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol 12919. Springer, Cham. https://doi.org/10.1007/978-3-030-88052-1_12
DOI: https://doi.org/10.1007/978-3-030-88052-1_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88051-4
Online ISBN: 978-3-030-88052-1