Rotational-Linear Attack: A New Framework of Cryptanalysis on ARX Ciphers with Applications to Chaskey

Abstract

In this paper, we formulate a new framework of cryptanalysis called rotational-linear attack on ARX ciphers. We firstly build an efficient distinguisher for the cipher E consisted of the rotational attack and the linear attack together with some intermediate variables. Then a key recovery technique is introduced with which we can recover some bits of the last whitening key in the related-key scenario. To decrease data complexity of our attack, we also apply a new method, called bit flipping, in the rotational cryptanalysis for the first time and the effective partitioning technique to the key-recovery part.

Applying the new framework of attack to the MAC algorithm Chaskey, we build a full-round distinguisher over it. Besides, we have recovered 21 bits of information of the key in the related-key scenario, for keys belonging to a large weak-key class based on 6-round distinguisher. The data complexity is \(2^{38.8}\) and the time complexity is \(2^{46.8}\). Before our work, the rotational distinguisher can only be used to reveal key information by checking weak-key conditions. This is the first time it is applied in a last-rounds key-recovery attack. We build a 17-round rotational-linear distinguisher for ChaCha permutation as an improvement compared to single rotational cryptanalysis over it.

Appendices

A Application to ChaCha Permutation

The stream cipher ChaCha is an improvement of Salsa20 [5]. Each round of ChaCha uses 4 Quarter Round Functions, denoted by \(QR(v^{(r)}_a,v^{(r)}_b,v^{(r)}_c,v^{(r)}_d)\), to permute the \(4\times 4\) state matrix, denoted by \(V^{(r)}\). Every word \(v^{(r)}_i\) in \(V^{(r)}\) is 32 bits, \(i\in \{0,\dots ,15\}\). For odd rounds, \(V^{(r+1)}\) is calculated by selecting 4 columns, i.e., \((v_0^{(r)},v_4^{(r)},v_8^{(r)},v_{12}^{(r)})\), \((v_1^{(r)},v_5^{(r)},v_9^{(r)},v_{13}^{(r)})\), \((v_2^{(r)},v_6^{(r)},v_{10}^{(r)},v_{14}^{(r)})\) and \((v_3^{(r)},v_7^{(r)},v_{11}^{(r)},v_{15}^{(r)})\) as the inputs for QR functions. For even rounds, \(V^{(r+1)}\) is computed by selecting 4 diagonals \((v_0^{(r)},v_5^{(r)},v_{10}^{(r)},v_{15}^{(r)})\), \((v_1^{(r)},v_6^{(r)},v_{11}^{(r)},v_{12}^{(r)})\), \((v_2^{(r)},v_7^{(r)},v_{8}^{(r)}, v_{13}^{(r)})\), \((v_3^{(r)},v_4^{(r)},v_{9}^{(r)}, v_{14}^{(r)})\) as the inputs for QR functions. The round function QR is presented in Fig. 6. In [3], the authors applied rotational cryptanalysis to the underlying permutation of ChaCha. They presented a rotational distinguisher for 17-round ChaCha permutation with probability greater than \(2^{-488}\) whereas the probability of random permutation with same input size is \(2^{-511}\). It declares that the underlying permutation of ChaCha doesn’t behave as a random permutation.

Fig. 6.

The QR function of ChaCha.

The extended application of rotational-linear cryptanalysis is presented as follows. We build a rotational-linear distinguisher for 17-round ChaCha permutation with 15-round rotational part \(E_1\), 1-round connective part \(E_c\) and 1-round linear part \(E_2\). The lower bound for the probability of \(E_1\) is \(2^{-430.2}\), given by [3]. The correlation of \(E_c\) is \(2^{-2}\) with the masks \(\alpha = \nu _{15}^{15}[0]\) and \(\overleftarrow{\alpha } = \nu _{15}^{15}[1]\). For linear part \(E_2\), the two output trails are \(\beta _1=( \nu _{0}^{16}[16,0] \oplus \nu _{5}^{16}[7] \oplus \nu _{10}^{16}[0] \oplus \nu _{15}^{16}[24])\) and \(\beta _0=(\nu _{0}^{16}[17,1,0] \oplus \nu _{5}^{16}[8] \oplus \nu _{10}^{16}[1] \oplus \nu _{15}^{16}[25])\) with corresponding correlation \(2^{-1}\). In conclusion, the correlation of rotational-linear distinguisher for 17-round ChaCha permutation is greater than \(2^{-433}\). Compared to rotational cryptanalysis, the rotational-linear attack exhibits advantages.

B The Proposition used When Recovering Partial Key

Proposition 2

([4]). After running Algorithm 1 for \(N_r\) times, the probability that the correct key is among the key candidates is

$$p_{success}\ge \dfrac{1}{2}\mathrm{Pr}(\mathcal {C}(k_{\mu }, k_{\mathcal {P}})\ge \varTheta )=\dfrac{1}{2}\left( 1-\varPhi \left( \dfrac{\varTheta -N\cdot cor}{\sqrt{N}}\right) \right) .$$