Advertisement

Rotational Cryptanalysis of ARX Revisited

  • Dmitry Khovratovich
  • Ivica Nikolić
  • Josef Pieprzyk
  • Przemysław Sokołowski
  • Ron Steinfeld
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9054)

Abstract

Rotational cryptanalysis is a probabilistic attack applicable to word oriented designs that use (almost) rotation-invariant constants. It is believed that the success probability of rotational cryptanalysis against ciphers and functions based on modular additions, rotations and XORs, can be computed only by counting the number of additions. We show that this simple formula is incorrect due to the invalid Markov cipher assumption used for computing the probability. More precisely, we show that chained modular additions used in ARX ciphers do not form a Markov chain with regards to rotational analysis, thus the rotational probability cannot be computed as a simple product of rotational probabilities of individual modular additions. We provide a precise value of the probability of such chains and give a new algorithm for computing the rotational probability of ARX ciphers. We use the algorithm to correct the rotational attacks on BLAKE2 and to provide valid rotational attacks against the simplified version of Skein.

Keywords

Rotational cryptanalysis Markov cipher Markov chain Skein BLAKE2 

Notes

Acknowledgements

The authors would like to thank the anonymous reviewers of FSE’15 for very helpful comments and suggestions. Ivica Nikolić is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06). Josef Pieprzyk was supported by Australian Research Council grant DP0987734.

References

  1. 1.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptology 4(1), 3–72 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Bresson, E., Canteaut, A., Chevallier-Mames, B., Clavier, C., Fuhr, T., Gouget, A., Icart, T., Misarsky, J.-F., Naya-Plasencia, M., Paillier, P., et al.: Shabal, a submission to NISTs cryptographic hash algorithm competition. Submission to NIST (2008)Google Scholar
  4. 4.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  5. 5.
    M. Daum. Cryptanalysis of Hash Functions of the MD4-Family. PhD thesis, Ruhr-Universität Bochum, May 2005Google Scholar
  6. 6.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. Submission to NIST (Round 1) (2008)Google Scholar
  7. 7.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family. Submission to NIST (Round 2) (2009)Google Scholar
  8. 8.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein hash function family (2010)Google Scholar
  9. 9.
    Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block Ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  10. 10.
    Guo, J., Karpman, P., Nikolić, I., Wang, L., Wu, S.: Analysis of BLAKE2. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 402–423. Springer, Switzerland (2014) CrossRefGoogle Scholar
  11. 11.
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  12. 12.
    Aumasson, J.-P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306–323. Springer, Heidelberg (2015) Google Scholar
  13. 13.
    Khovratovich, D., Nikolić, I.: Rotational cryptanalysis of ARX. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 333–346. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  14. 14.
    Khovratovich, D., Nikolić, I., Pieprzyk, J., Sokolowski, P., Steinfeld, R.: Rotational cryptanalysis of ARX revisited. IACR Cryptology ePrint Archive, 2015:95 (2015)Google Scholar
  15. 15.
    Khovratovich, D., Nikolić, I., Rechberger, C.: Rotational rebound attacks on reduced skein. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 1–19. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  16. 16.
    Khovratovich, D., Nikolić, I., Rechberger, C.: Rotational rebound attacks on reduced Skein. J. Cryptology 27(3), 452–479 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Kircanski, A., Shen, Y., Wang, G., Youssef, A.M.: Boomerang and slide-rotational analysis of the SM3 hash function. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 304–320. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  18. 18.
    Lai, X., Massey, J.L.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991) CrossRefGoogle Scholar
  19. 19.
    Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  20. 20.
    Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014) Google Scholar
  21. 21.
    Nikolić, I., Pieprzyk, J., Sokołowski, P., Steinfeld, R.: Rotational cryptanalysis of (modified) versions of BMW and SIMD (2010)Google Scholar
  22. 22.
    Stevens, M.: New collision attacks on SHA-1 based on optimal joint local-collision analysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 245–261. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  23. 23.
    Van Assche, G.: A rotational distinguisher on Shabals keyed permutation and its impact on the security proofs. NIST mailing list (2010)Google Scholar
  24. 24.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  25. 25.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Dmitry Khovratovich
    • 1
  • Ivica Nikolić
    • 2
  • Josef Pieprzyk
    • 3
  • Przemysław Sokołowski
    • 4
  • Ron Steinfeld
    • 5
  1. 1.University of LuxembourgLuxembourgLuxembourg
  2. 2.Nanyang Technological UniversitySingaporeSingapore
  3. 3.Queensland University of TechnologyBrisbaneAustralia
  4. 4.Adam Mickiewicz UniversityPoznanPoland
  5. 5.Monash UniversityMelbourneAustralia

Personalised recommendations