Skip to main content
Log in

Improved Differential-Linear Attacks with Applications to ARX Ciphers

  • Research Article
  • Published:
Journal of Cryptology Aims and scope Submit manuscript

Abstract

We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14

Similar content being viewed by others

Notes

  1. After presenting those results at CRYPTO 2020 [1], improved attacks on ChaCha have been proposed [26]. Later, [27] pointed out mistakes in some parts of [26], leading to an updated version that has been published on the Cryptology ePrint Archive [28]. Very recently, another improved differential-linear attack has been presented [25].

  2. Under the assumption that the sets \(\{\langle \Gamma _{\mathrm {out}}, E(x) \rangle \oplus \langle \Gamma _{\mathrm {out}}, E(x \oplus \Delta _{\mathrm {in}}) \rangle \mid x \in {\mathcal {X}}\}\) and \(\{\langle \Gamma _{\mathrm {out}}, E(x) \rangle \oplus \langle \Gamma _{\mathrm {out}}, E(x \oplus \Delta _{\mathrm {in}}) \rangle \mid x \in {\mathcal {S}}\}\) are indistinguishable, where \({\mathcal {S}}\) denotes a set of uniformly chosen samples of the same size as \({\mathcal {X}}\).

  3. Or at least with a cost much lower than \(p^{-1}\), see Sect. 5.2.

  4. The first case is exactly the one shown in [19], but its correlation was reported as \(2^{-6.1}\). We are not sure about the reason for this gap, but we think that \(2^{-6.1}\) refers to the bias instead of the correlation.

  5. The theoretical justification is discussed in [27] after the proposal of our original paper [1].

  6. This correlation is estimated originally when the key \(k_7\) changes randomly, but \(k_7\) is a fixed constant. These correlations are much higher or lower according to the fixed key, but on key average, which is the natural attack assumption for symmetric-key ciphers, the average correlation is \(-2^{-1}\).

  7. Note that it means that the success probability is \(0.491 \times 2 = 0.982\) under the condition that the right pair is successfully obtained during \(2^{5}\) iterations.

  8. This is the same attack proposed in our original paper [1].

  9. Note that it means that the success probability is almost 1 under the condition that the right pair is successfully obtained during \(2^{5}\) iterations.

  10. When we estimate \(\epsilon _a\), we used the average correlation. When we used the median instead of the average, \(\epsilon _a = 2^{-11.1687}\). Then, the data and time complexities are \(2^{49.7856}\) and \(2^{231.823}\), respectively.

  11. Some follow-up works [25,26,27, 41] have been proposed after our original proposal [1]. Our attack is still the best for 6-round attack in the context of key recovery. Even for 7 rounds, there have not been follow-up works that essentially improve the complexity yet. On the other hand, Coutinho and Neto presented more efficient distinguishing attacks in [41], and Miyashita, Ito, and Miyaji showed the key-recovery attack on 7.25 rounds in [25].

  12. Note that \({\mathcal {P}}\) is not necessarily a direct sum of \({\mathcal {P}}_1\), \({\mathcal {P}}_2\), and \({\mathcal {P}}_3\). In other words, the dimension of \({\mathcal {P}}\) might be smaller than 6, for instance if \(i=j\), i.e., \(\zeta _1 = \zeta _2\).

References

  1. C. Beierle, G. Leander, Y. Todo, Improved differential-linear attacks with applications to ARX ciphers, in Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Proceedings, Part III. LNCS, vol. 12172 (Springer, Cham, 2020), pp. 329–358

  2. M. Broll, F. Canale, N. David, A. Flórez-Gutiérrez, G. Leander, M. Naya-Plasencia, Y. Todo, Further improving differential-linear attacks: Applications to Chaskey and Serpent. IACR Cryptol. ePrint Arch. 2021, 820 (2021). https://eprint.iacr.org/2021/820

  3. A. Shimizu, S. Miyaguchi, Fast data encipherment algorithm FEAL, in Chaum, D., Price, W.L. (eds.) EUROCRYPT ’87, Proceedings. LNCS, vol. 304 (Springer, Berlin, Heidelberg, 1987), pp. 267–278

  4. D.J. Bernstein, The Salsa20 family of stream ciphers, in Robshaw, M.J.B., Billet, O. (eds.) New Stream Cipher Designs - The eSTREAM Finalists. LNCS, vol. 4986 (Springer, Berlin, Heidelberg, 2008), pp. 84–97

  5. D.J. Bernstein, ChaCha, a variant of Salsa20 (2008). http://cr.yp.to/chacha.html

  6. J.-P. Aumasson, L. Henzen, W. Meier, R.C.-W. Phan, SHA-3 proposal Blake. Submission to NIST (2008)

  7. J. Aumasson, S. Neves, Z. Wilcox-O’Hearn, C. Winnerlein, BLAKE2: simpler, smaller, fast as MD5, in Jr., M.J.J., Locasto, M.E., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013, Proceedings. LNCS, vol. 7954 (Springer, Berlin, Heidelberg, 2013), pp. 119–135

  8. D. Dinu, L. Perrin, A. Udovenko, V. Velichkov, J. Großschädl, A. Biryukov, Design strategies for ARX with provable bounds: Sparx and LAX, in Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Proceedings, Part I. LNCS, vol. 10031 (Springer, Berlin, Heidelberg, 2016), pp. 484–513

  9. C. Beierle, A. Biryukov, L.C. dos Santos, J. Großschädl, L. Perrin, A. Udovenko, V. Velichkov, Q. Wang, Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symmetric Cryptol. 2020(S1), 208–261 (2020)

    Article  Google Scholar 

  10. N. Mouha, B. Mennink, A.V. Herrewege, D. Watanabe, B. Preneel, I. Verbauwhede, Chaskey: An efficient MAC algorithm for 32-bit microcontrollers, in Joux, A., Youssef, A.M. (eds.) SAC 2014, Revised Selected Papers. LNCS, vol. 8781 (Springer, Cham, 2014), pp. 306–323

  11. L.R. Knudsen, D.A. Wagner, Integral cryptanalysis, in Daemen, J., Rijmen, V. (eds.) FSE 2002, Revised Papers. LNCS, vol. 2365 (Springer, Berlin, Heidelberg, 2002), pp. 112–127

  12. Y. Todo, G. Leander, Y. Sasaki, Nonlinear invariant attack: Practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32(4), 1383–1422 (2019)

    Article  MathSciNet  Google Scholar 

  13. D. Khovratovich, I. Nikolic, Rotational cryptanalysis of ARX, in Hong, S., Iwata, T. (eds.) FSE 2010, Revised Selected Papers. LNCS, vol. 6147 (Springer, Berlin, Heidelberg, 2010), pp. 333–346

  14. E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

    Article  MathSciNet  Google Scholar 

  15. M. Matsui, Linear cryptanalysis method for DES cipher, in Helleseth, T. (ed.) EUROCRYPT ’93, Proceedings. LNCS, vol. 765 (Springer, Berlin, Heidelberg, 1993), pp. 386–397

  16. H. Lipmaa, S. Moriai, Efficient algorithms for computing differential properties of addition, in Matsui, M. (ed.) FSE 2001, Revised Papers. LNCS, vol. 2355 (Springer, Berlin, Heidelberg, 2001), pp. 336–350

  17. J. Wallén, Linear approximations of addition modulo 2\({}^{\text{n}}\), in Johansson, T. (ed.) FSE 2003, Revised Papers. LNCS, vol. 2887 (Springer, Berlin, Heidelberg, 2003), pp. 261–273

  18. S.K. Langford, M.E. Hellman, Differential-linear cryptanalysis, in Desmedt, Y. (ed.) CRYPTO ’94, Proceedings. LNCS, vol. 839 (Springer, Berlin, Heidelberg, 1994), pp. 17–25

  19. G. Leurent, Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning, in Fischlin, M., Coron, J. (eds.) EUROCRYPT 2016, Proceedings, Part I. LNCS, vol. 9665 (Springer, Berlin, Heidelberg, 2016), pp. 344–371

  20. A.R. Choudhuri, S. Maitra, Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. IACR Trans. Symmetric Cryptol. 2016(2), 261–287 (2016)

    Google Scholar 

  21. S. Dey, S. Sarkar, Improved analysis for reduced round Salsa and Chacha. Discrete Appl. Math. 227, 58–69 (2017)

    Article  MathSciNet  Google Scholar 

  22. J. Aumasson, S. Fischer, S. Khazaei, W. Meier, ,C. Rechberger, New features of Latin dances: Analysis of Salsa, ChaCha, and Rumba, in Nyberg, K. (ed.) FSE 2008, Revised Selected Papers. LNCS, vol. 5086 (Springer, Berlin, Heidelberg, 2008), pp. 470–488

  23. Z. Shi, B. Zhang, D. Feng, W. Wu, Improved key recovery attacks on reduced-round Salsa20 and ChaCha, in Kwon, T., Lee, M., Kwon, D. (eds.) ICISC 2012, Revised Selected Papers. LNCS, vol. 7839 (Springer, Berlin, Heidelberg, 2012), pp. 337–351

  24. S. Maitra, Chosen IV cryptanalysis on reduced round ChaCha and Salsa. Discrete Appl. Math. 208, 88–97 (2016)

    Article  MathSciNet  Google Scholar 

  25. S. Miyashita, R. Ito, A. Miyaji, Pnb-focused differential cryptanalysis of ChaCha stream cipher. IACR Cryptol. ePrint Arch. 2021, 1537 (2021). https://eprint.iacr.org/2021/1537 (to appear at ACISP 2022)

  26. M. Coutinho, T.C.S. Neto, Improved linear approximations to ARX ciphers and attacks against ChaCha, in Canteaut, A., Standaert, F. (eds.) EUROCRYPT 2021, Proceedings, Part I. LNCS, vol. 12696 (Springer, Cham, 2021), pp. 711–740

  27. S. Dey, C. Dey, S. Sarkar, W. Meier, Revisiting cryptanalysis on ChaCha from Crypto 2020 and Eurocrypt 2021. IEEE Trans. Inf. Theory 68(9),6114–6133 (2022). https://doi.org/10.1109/TIT.2022.3171865

    Article  MathSciNet  MATH  Google Scholar 

  28. M. Coutinho, T.C.S. Neto, Improved linear approximations to ARX ciphers and attacks against ChaCha. IACR Cryptol. ePrint Arch. 2021, 224 (2021). https://eprint.iacr.org/2021/224

  29. E. Biham, Y. Carmeli, An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X, in Joux, A., Youssef, A.M. (eds.) SAC 2014, Revised Selected Papers. LNCS, vol. 8781 (Springer, Cham, 2014), pp. 59–76

  30. J. Neyman, E.S. Pearson, On the problem of the most efficient tests of statistical hypotheses. Philos. Trans. R. Soc. Lond. Ser. A Containing Papers of a Mathematical or Physical Character 231, 289–337 (1933)

  31. T. Baignères, P. Junod, S. Vaudenay, How far can we go beyond linear cryptanalysis? in Lee, P.J. (ed.) ASIACRYPT 2004, Proceedings. LNCS, vol. 3329 (Springer, Berlin, Heidelberg, 2004), pp. 432–450

  32. C. Blondeau, B. Gérard, K. Nyberg, Multiple differential cryptanalysis using LLR and \(\chi \) 2 statistics, in Visconti, I., Prisco, R.D. (eds.) SCN 2012, Proceedings. LNCS, vol. 7485 (Springer, Berlin, Heidelberg, 2012), pp. 343–360

  33. B. Collard, F. Standaert, J. Quisquater, Improving the time complexity of Matsui’s linear cryptanalysis, in Nam, K., Rhee, G. (eds.) ICISC 2007, Proceedings. LNCS, vol. 4817 (Springer, Berlin, Heidelberg, 2007), pp. 77–88

  34. E. Biham, O. Dunkelman, N. Keller, Enhancing differential-linear cryptanalysis, in Zheng, Y. (ed.) ASIACRYPT 2002, Proceedings. LNCS, vol. 2501 (Springer, Berlin, Heidelberg, 2002), pp. 254–266

  35. A. Bar-On, O. Dunkelman, N. Keller, A. Weizman, DLCT: A new tool for differential-linear cryptanalysis, in Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Proceedings, Part I. LNCS, vol. 11476 (Springer, Cham, 2019), pp. 313–342

  36. S. Knellwolf, W. Meier, M. Naya-Plasencia, Conditional differential cryptanalysis of NLFSR-based cryptosystems, in Abe, M. (ed.) ASIACRYPT 2010, Proceedings. LNCS, vol. 6477 (Springer, Berlin, Heidelberg, 2010), pp. 130–145

  37. C. Blondeau, G. Leander, K. Nyberg, Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017)

    Article  MathSciNet  Google Scholar 

  38. C. Carlet, Boolean Functions for Cryptography and Coding Theory (Cambridge University Press, Cambridge, 2021)

    MATH  Google Scholar 

  39. K. Nyberg, Linear approximation of block ciphers, in Santis, A.D. (ed.) EUROCRYPT 1994. LNCS, vol. 950 (Springer, Berlin, Heidelberg, 1994), pp. 439–444

  40. N. Mouha, Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. IACR Cryptol. ePrint Arch. 2015, 1182 (2015). https://eprint.iacr.org/2015/1182

  41. M. Coutinho, T.C.S. Neto, New multi-bit differentials to improve attacks against ChaCha. IACR Cryptol. ePrint Arch. 2020, 350 (2020). https://eprint.iacr.org/2020/350

Download references

Acknowledgements

We thank the reviewers for their detailed and helpful comments. We further thank Lukas Stennes for checking the application of our framework to ChaCha in a first version of this paper. We also thank Juan del Carmen Grados Vásquez for pointing out the use of the median to evaluate the PNB-based key recovery. This work was partially funded by Deutsche Forschungsgemeinschaft (DFG) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294 - acronym QUASYModo).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Yosuke Todo.

Additional information

Communicated by Joan Daemen.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is an extended version of the paper presented at CRYPTO 2020 [1]. Some further improvements introduced in [2] are included.

Appendices

Summary of Partitioning

We summarize various partition rules for modular addition. Note that we can verify the correlation of each case experimentally because they have a very high absolute correlation.

1.1 Single Modular Addition

Fig. 15
figure 15

Partitions for a single modular addition

Let us start with the most simple case of a single modular addition. To compute the parity \(z_0[i]\) and \(z_0[i] \oplus z_0[i-1]\) (shortly denoted by \(z_0[i,i-1]\)) from \(c_0\) and \(c_1\) (see Fig. 15), we represent each element of \({\mathcal {P}}\) as two-bit values \(b_0b_1\), therefore dividing the whole set into four subsets

$$\begin{aligned} {\mathcal {T}}_{b_0b_1} = \{ (y_1, y_0) \in ({\mathbb {F}}_2^n)^2 \mid b_0b_1 \cong s[i-1] \Vert s[i-2] \}, \end{aligned}$$

where \(s = {{\bar{y}}}_1 \oplus y_0\). Note that these partition can be constructed by guessing two bits of key information, i.e., \((k_1 \oplus k_0)[i-1]\) and \((k_1 \oplus k_0)[i-2]\). Linear masks used in the previous partitioning technique involves 4 bits, i.e., \(y_1[i]\), \(y_0[i]\), \(y_0[i-1]\), and \(y_0[i-2]\). Our new partitioning technique additionally involves \(y_0[i-3]\), and parities \(z_0[i]\) and \(z_0[i,i-1]\) are approximated to

$$\begin{aligned} \langle \gamma , y_1[i] \Vert y_0[i] \Vert y_0[i-1] \Vert y_0[i-2] \Vert y_0[i-3] \rangle , \end{aligned}$$

where \(\gamma \) and the corresponding correlations are summarized in Fig. 15.

1.2 More Complicated Case

Fig. 16
figure 16

Partition for two consecutive modular additions

In a similar way, we can extend the technique for the case of two consecutive modular additions. A concrete example, which is used to attack 7-round Chaskey, is shown in Fig. 16.

The goal is to compute the parity \(z_2[11]\) and \(z_2[11,10]\) from \(c_1\), \(c_2\), and \(c_3\) (see Fig. 16). We split the ciphertext into \(2^5\) partitions (this time indexed by five-bit values \(b_0b_1b_2b_3b_4\) representing the generic element of \({\mathcal {P}}\)) in the following way:

$$\begin{aligned} {\mathcal {T}}_{b_0b_1b_2b_3b_4} = \{ (v_1, v_2, v_3) \in ({\mathbb {F}}_2^n)^3 \mid b_0b_1b_2b_3b_4 \cong&(v_3[18] \oplus v_2[17] \oplus v_2[9]) \Vert \\&\quad s[10] \Vert s[9] \Vert s[18] \Vert s[17] \}, \end{aligned}$$

where \(s = {{\bar{v}}}_1 \oplus v_2\). In order for previously discarded partition to be available, our new partitioning technique additionally involves \(v_2[8]\) and \(v_2[16]\), and parities \(z_2[11]\) and \(z_2[11,10]\) are approximated to

$$\begin{aligned} \langle \gamma , v_3[19] \Vert v_1[11] \Vert v_2[11] \Vert v_2[10] \Vert v_2[9] \Vert v_2[8] \Vert v_1[19] \Vert v_2[19] \Vert v_2[18] \Vert v_2[17] \Vert v_2[16] \rangle , \end{aligned}$$

where \(\gamma \) is appropriately chosen following Fig. 16. We remark that this new way of partitioning the ciphertexts allows us to find high-absolute-correlation masks for all the 32 partitions, up from the 24 used with the original [1].

Understanding Partition Points

1.1 A Simple Toy Example

We transfer the above terminology to the simple toy example given in Fig. 17 and already discussed earlier in Sect. 2.2. In this example, for a fixed \(i\ge 2\), we want to evaluate \(z_0[i]\) or \(z_0[i]\oplus z_0[i-1]\) by using the partitioning rules as expressed in Lemma 2 and Lemma 3. For this, we say that \((z_0[i],z_0[i]\oplus z_0[i-1])\) defines a partition point \(\zeta \). This partition point gives rise to a 2-dimensional subspace \({\mathcal {P}}\) which can be defined by two parity check equations, i.e., \({\mathcal {P}}\) is a complement space of the space

$$\begin{aligned} {\mathcal {R}}= \{ (x_1,x_0) \in {\mathbb {F}}_2^{2m} \mid x_0[i-1] \oplus {{\bar{x}}}_1[i-1] = 0 \text { and } x_0[i-2] \oplus {{\bar{x}}}_1[i-2] = 0\} . \end{aligned}$$

For example, \({\mathcal {P}}\) can be chosen as \(\{([],[]),([i-1],[]),([i-2],[]),([i-2,i-1],[])\}\).

Fig. 17
figure 17

A simple toy example with a single modular addition

To demonstrate the attack from the previous section, we split \({\mathbb {F}}_2^{2m}\) into the direct sum \({\mathcal {P}}\oplus {\mathcal {R}}\). By the isomorphism between \({\mathcal {P}}\) and \({\mathbb {F}}_2^2\), we can identify the elements \(p \in {\mathcal {P}}\) by two-bit values \(p \cong b_0b_1\), where \(b_0\) indicates the parity of \(x_0[i-1] \oplus {{\bar{x}}}_1[i-1]\) and \(b_1\) indicates the parity of \(x_0[i-2] \oplus {{\bar{x}}}_1[i-2]\). We then consider the following four tuples \(({\mathcal {T}}_{b_0b_1},\Gamma _{\mathrm {out}}^{(b_0b_1)},\gamma ^{(b_0b_1)})\) and corresponding \(\varepsilon _{b_0b_1}\), whose definition come from the properties presented in Lemmas 2 and 3:

$$\begin{aligned} \begin{array}{ll} {\mathcal {T}}_{\mathtt {00}} = {\mathcal {R}}\oplus \mathtt {00} = {\mathcal {S}}_{\mathtt {00}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {00})} = ([],[i]) \\ \gamma ^{(\mathtt {00})}= ([i],[i,i-1]) \quad &{} \varepsilon _{\mathtt {00}} = -1 \\ {\mathcal {T}}_{\mathtt {01}} = {\mathcal {R}}\oplus \mathtt {01} = {\mathcal {S}}_{\mathtt {01}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i]) \\ \gamma ^{(\mathtt {01})}= ([i],[i,i-1]) \quad &{} \varepsilon _{\mathtt {01}} = -1 \\ {\mathcal {T}}_{\mathtt {10}}= {\mathcal {R}}\oplus \mathtt {10} = {\mathcal {S}}_{\mathtt {10}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {10})} = ([],[i]) \\ \gamma ^{(\mathtt {10})}= ([i],[i,i-2]) \quad &{} \varepsilon _{\mathtt {10}} = -1 \\ {\mathcal {T}}_{\mathtt {11}}= {\mathcal {R}}\oplus \mathtt {11} = {\mathcal {S}}_{\mathtt {11}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {11})} = ([],[i]) \\ \gamma ^{(\mathtt {11})}= ([i],[i,i-3]) \quad &{} \varepsilon _{\mathtt {11}} = -2^{-1}. \\ \end{array} \end{aligned}$$

and

$$\begin{aligned} \begin{array}{ll} {\mathcal {T}}_{\mathtt {00}} = {\mathcal {R}}\oplus \mathtt {00} = {\mathcal {S}}_{\mathtt {00}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {00})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {00})}= ([i],[i,i-1,i-2]) \quad &{} \varepsilon _{\mathtt {00}} = -1 \\ {\mathcal {T}}_{\mathtt {01}} = {\mathcal {R}}\oplus \mathtt {01} = {\mathcal {S}}_{\mathtt {01}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {01})}= ([i],[i,i-1,i-3]) \quad &{} \varepsilon _{\mathtt {01}} = -2^{-1} \\ {\mathcal {T}}_{\mathtt {10}}= {\mathcal {R}}\oplus \mathtt {10} = {\mathcal {S}}_{\mathtt {10}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {10})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {10})}= ([i],[i]) \quad &{} \varepsilon _{\mathtt {10}} = 1 \\ {\mathcal {T}}_{\mathtt {11}}= {\mathcal {R}}\oplus \mathtt {11} = {\mathcal {S}}_{\mathtt {11}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {11})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {11})}= ([i],[i]) \quad &{} \varepsilon _{\mathtt {11}} = 1. \\ \end{array} \end{aligned}$$

For example, we give an intuition for the choice of the second tuple when \((y_1,y_0) \in {\mathcal {S}}_{\mathtt {01}}\). Lemma 2 tells us that \(\langle ([],[i]) ,(z_1,z_0) \rangle = \langle ([i],[i,i-1]), (y_1,y_0) \rangle \oplus 1\), i.e., \(\varepsilon _{\texttt {0}{} \texttt {1}} = {{\textbf {Cor}}}_{y \in {\mathcal {T}}_{\texttt {0}{} \texttt {1}}} [\langle ({[}{]},[i]),z \rangle \oplus \langle ([i],[i,i-1]),y \rangle ] = -1\). On the other hand, Lemma 3 tells us that there is no linear representation with absolute correlation 1. Thus, if available, we should use \(\Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i])\) for this subset.

We further have

$$\begin{aligned} W&= \mathrm {Span}\{ \gamma ^{(a)} \oplus \gamma ^{(b)} \mid a,b \in {\mathbb {F}}_2^2\} \\&= \{ ([],[]),([],[i-1]),([],[i-2]),([],[i-1,i-2]), \\&\quad \quad ([],[i-3]),([],[i-1,i-3]),([],[i-2,i-3]),([],[i-1,i-2,i-3])\}, \end{aligned}$$

and we could recover the three bits, \(k_0[i-1]\), \(k_0[i-2]\), and \(k_0[i-3]\), by the last step using the fast Walsh–Hadamard transform.

1.2 Toy Example Using Multiple Partition Points

Let us now look at another example which consists of two branches of the structure depicted in Fig. 17 in parallel, i.e., \((y_3,y_2,y_1,y_0) = (F(z_3,z_2),F(z_1,z_0))\) and \(c_i = y_i \oplus k_i\). By using a single partition point as done in the above example, we can only evaluate the parity of at most two (consecutive) bits of \(z = (z_3,z_2,z_1,z_0)\). Instead of just one single partition point, we can also consider multiple partition points. For example, if we want to evaluate the parity involving three non-consecutive bits of \(z = (z_3,z_2,z_1,z_0)\), we can use three partition points, i.e.,

$$\begin{aligned} \zeta _1&=(z_0[i],z_0[i] \oplus z_0[i-1]),\\ \zeta _2&=(z_0[j],z_0[j] \oplus z_0[j-1]),\\ \zeta _3&=(z_2[\ell ],z_2[\ell ] \oplus z_2[\ell -1]), \end{aligned}$$

where \(i,j,\ell \ge 3\). In a specific attack, the choice of the partition points depends on the definition of the linear trail. Those partition points give rise to three subspaces \({\mathcal {P}}_1\), \({\mathcal {P}}_2\), and \({\mathcal {P}}_3\), defined by two parity-check equations each, i.e., \({\mathcal {P}}_i\) is a complement space of \({\mathcal {R}}_i\), where

$$\begin{aligned} {\mathcal {R}}_1&= \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid x_0[i-1] \oplus {{\bar{x}}}_1[i-1] = 0, x_0[i-2] \oplus {{\bar{x}}}_1[i-2] = 0\}\\ {\mathcal {R}}_2&= \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid x_0[j-1] \oplus {{\bar{x}}}_1[j-1] = 0, x_0[j-2] \oplus {{\bar{x}}}_1[j-2] = 0\}\\ {\mathcal {R}}_3&= \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid x_2[\ell -1] \oplus {{\bar{x}}}_3[\ell -1] = 0, x_2[\ell -2] \oplus {{\bar{x}}}_3[\ell -2] = 0\}. \end{aligned}$$

By definingFootnote 12\({\mathcal {P}}= {\mathcal {P}}_1 \oplus {\mathcal {P}}_2 \oplus {\mathcal {P}}_3\) and \({\mathcal {R}}\) to be a complement space of \({\mathcal {P}}\), we split \({\mathbb {F}}_2^{4m}\) into the direct sum \({\mathcal {P}}\oplus {\mathcal {R}}\).

We can identify the elements \(p \in {\mathcal {P}}\) by \(n_{{\mathcal {P}}}\)-bit values \(p \cong b_0b_1\dots b_{n_{{\mathcal {P}}}-1}\). We can then again define tuples

$$\begin{aligned} ({\mathcal {T}}_{b_0b_1\dots b_{n_{{\mathcal {P}}}-1}},\Gamma _{\mathrm {out}}^{(b_0b_1\dots b_{n_{{\mathcal {P}}}-1})},\gamma ^{(b_0b_1\dots b_{n_{{\mathcal {P}}}-1})})\end{aligned}$$
(9)

by using the properties presented in Lemma 2 and Lemma 3. For example, if \(n_{{\mathcal {P}}} = 6\), we can define

$$\begin{aligned} {\mathcal {T}}_{\mathtt {010101}} = \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid&x_0[i-1] \ne x_1[i-1], x_0[i-2] = x_1[i-2],\\&x_0[j-1]\ne x_1[j-1], x_0[j-2]= x_1[j-2],\\&x_2[\ell -1] \ne x_3[\ell -1],x_2[\ell -2] = x_3[\ell -2] \}, \end{aligned}$$

\(\Gamma _{\mathrm {out}}^{(\mathtt {010101})} = ([],[\ell ],[],[i,j]), \quad \gamma ^{(\mathtt {010101})} = ([\ell ],[\ell ,\ell -1],[i,j],[i,i-1,j,j-1])\), and \(\varepsilon _{\mathtt {010101}} = -1\) by using the first case of Lemma 2.

We can also use the three partition points to compute the parity of more than three bits of z. For example, if \(n_{{\mathcal {P}}} = 6\), by using Lemma 2 and 3, we can define

$$\begin{aligned} {\mathcal {T}}_{\mathtt {001011}} = \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid&x_0[i-1] \ne x_1[i-1], x_0[i-2] \ne x_1[i-2],\\&x_0[j-1]=x_1[j-1], x_0[j-2]\ne x_1[j-2],\\&x_2[\ell -1]=x_3[\ell -1],x_2[\ell -2]=x_3[\ell -2] \}, \end{aligned}$$

and

$$\begin{aligned} \Gamma _{\mathrm {out}}^{(\mathtt {001011})}&= ([],[\ell ,\ell -1],[],[i,i-1,j])\\ \gamma ^{(\mathtt {001011})}&= ([\ell ],[\ell ],[i,j],[i,i-1,i-2,j,j-2]), \quad \varepsilon _{\mathtt {001011}} = 1, \end{aligned}$$

which evaluates the parity of five bits of z. Again, several choices for the definition of the tuples in Eq. (9) are possible.

1.3 Analysis for Two Consecutive Modular Additions

To avoid the usage of long linear trails and to reduce the data complexity, we may use the partition technique for the more complicated structure of two consecutive modular additions. Inspired by the round function of Chaskey, we consider the case depicted in Fig. 16.

Suppose that we have two partition points, i.e.,

$$\begin{aligned} \zeta _1&=(z_2[i], z_2[i] \oplus z_2[i-1]), \\ \zeta _2&=(z_3[j], z_3[j,j-1]), \end{aligned}$$

where \(i,j \ge 3\). We use the same strategy described in “Appendix B.2”. Namely, we identify the elements \(p \in {\mathcal {P}}\) by \((5+2)\)-bit values, where 5-bit and 2-bit indicators come from the partition point \(\zeta _1\) and \(\zeta _2\), respectively. The applied linear mask and corresponding correlation can be computed as depicted in Figs. 15 and 16.

Exploiting the Conditions for Finding Chaskey Relations

Fig. 18
figure 18

Conditions on the differential transitions for the 3 first rounds of Chaskey

In Fig. 18, we have depicted the relations and the influence of the input bits on the conditions of the differential path. The bits that stay white (and have no pink color beneath, coming from the carries of the furthest additions) are the bits that do not affect the differential transitions.

It is easy to see how the bits provided in [1] as available for sampling with probability one are the only white ones, and therefore not needed for the differential conditions: [31,30,25,24,23,22,20,19,18,17,16] from \(v_2\) and [23,22,20,19,18,17,16] from \(v_3\). The differences are represented in gray. Dependencies in colors. A ‘g’ in the position of a difference means that this difference will go away (be absorbed) after the next addition. An ‘s’ means that the difference stays where it is, while ‘m’ means that it moves one position to the left. The color of the bits with differences in each transition will be applied to all the bits that might affect this transition. Carries are not directly applied to the involved bits but to the upper row to report the difference this implies.

Please note that for instance bits 28 and 27 from \(v_2\) cannot be included as the carry of the position 29 is needed by the orange bit relations, i.e., the differences after one round at position 29 of \(v_2\) and \(v_3\), but as said in Sect. 5.3, the bits of previous positions to 26 and 27 will not affect this orange carry anymore due to the particular configuration of 26 and 27. The bits provided in [1] that are neutral with very high probability are 20 and 19 from \(v_1\) and 31, 20 and 19 from \(v_0\) and 25 and 24 of \(v_3\).

Let us now see how can we use the conditional differential ideas and Fig. 18 in order to recover for free the value of some keybits and also to find additional bits of information for sampling and increasing the dimension of \({\mathcal {U}}\) from 18 as given in [1] (and involving exclusively one-bit relations) to 22, or 23 if one-bit relation on the key is known.

Additional space for sampling

Using Fig. 18 we can try to exploit the conditions to find more evolved relations for increasing the size of \({\mathcal {U}}\). Let us provide an example: Let us imagine we flip the bit from \(v_0[8]\). The corresponding difference, marked with a ‘g’, will have a change of parity. In order for this difference to be absorbed, we need to also flip the other blue difference that will be used for absorbing this one: \(v_1[8]\). However, if we flip this one, the value of the bit \(v_1[13]\) after one round, that does not contain a difference, will be flipped also, as to produce it, \(v_1[8]\) is shifted of 5 positions and XORed with the sum of \(v_0\) and \(v_1\), that has a difference in position 13, marked with an ‘s’: these differences cancel out in both cases, but the value of the resulting bit will change with the parity of \(v_1[8]\), and the value of this pink will affect the final light-pink transition in the third round, as can be seen in the picture. In order to avoid this, we have to also flip \(v_1[13]\): the state \(v_1\) after 1 round will be known the same, but the orange bit \(v_2[29]\) after one round that contains a difference and a ‘g’ will have the parity changed. In order to make the related transition be satisfied, we need to also change the parity of the other orange bit with a ‘g’: we flip \(v_2[29]\) from the first round, that does not have a difference, but that will change the parity of \(v_3[29]\) after the XOR. This bit will not have any more influence in the remaining transitions, so we have found our close relation. In total, we found four new probability-one relations by hand using this same technique. We have verified these relations as well as exhaustively searched all the ones with weight at most 3, and found that no other such relations exist.

Rights and permissions

Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Beierle, C., Broll, M., Canale, F. et al. Improved Differential-Linear Attacks with Applications to ARX Ciphers. J Cryptol 35, 29 (2022). https://doi.org/10.1007/s00145-022-09437-z

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s00145-022-09437-z

Keywords

Navigation