Practical Cryptanalysis of ARMADILLO2
ARMADILLO2 is a very innovative hardware-oriented multi-purpose primitive published at CHES 2010 and based on data-dependent bit transpositions. In this paper, we first show a very unpleasant property of the internal permutation that allows, for example, a cheap distinguisher on ARMADILLO2 when it is instantiated as a stream cipher. We then exploit the very weak diffusion properties of the internal permutation when the attacker can control the Hamming weight of the input values, which leads to a practical free-start collision attack on the ARMADILLO2 compression function. Moreover, we describe a new attack, called local linearization, that seems to be very efficient against designs based on data-dependent bit transpositions, and we obtain a practical semi-free-start collision attack on the ARMADILLO2 hash function. Finally, we provide a related-key recovery attack when ARMADILLO2 is instantiated as a stream cipher. All collision attacks have been verified experimentally; they require negligible memory and a very small number of computations (less than one second on an average computer), even for the high-security versions of the scheme.
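The Hamming-weight observation in the abstract rests on a general property that is easy to see in code: a bit transposition, whether fixed or data-dependent, only moves bits around, so it preserves the Hamming weight of its input, and the all-zero and all-one words are fixed points no matter which control word selects the transposition. The following toy model is an added illustration of that property; it is not ARMADILLO2's actual permutation and not the authors' code. The word size `N`, the two fixed bit permutations `PERM0`/`PERM1` and the control-bit-per-round structure are all constructed for this example.

```python
from typing import Iterable, List, Tuple

N = 8  # toy word size (constructed; not an ARMADILLO2 parameter)


def hamming_weight(x: int) -> int:
    """Number of set bits in x."""
    return bin(x).count("1")


def apply_bit_perm(x: int, perm: List[int]) -> int:
    """Move bit j of x to position perm[j]; perm must be a bijection on 0..N-1."""
    y = 0
    for j, p in enumerate(perm):
        if (x >> j) & 1:
            y |= 1 << p
    return y


# Two fixed bit permutations chosen for illustration.  Both multipliers are
# coprime to N, so each map j -> a*j + b (mod N) is a bijection.
PERM0 = [(3 * j + 1) % N for j in range(N)]
PERM1 = [(5 * j + 7) % N for j in range(N)]


def data_dependent_transpose(x: int, control: int) -> int:
    """Toy data-dependent bit transposition: one round per control bit (LSB first),
    applying PERM1 when the bit is 1 and PERM0 when it is 0.  Bits only change
    position, never value, so the Hamming weight cannot change."""
    for i in range(N):
        perm = PERM1 if (control >> i) & 1 else PERM0
        x = apply_bit_perm(x, perm)
    return x


def hamming_weight_preserved(samples: Iterable[Tuple[int, int]]) -> bool:
    """True if every (input, control) pair keeps its Hamming weight through the transposition."""
    return all(
        hamming_weight(data_dependent_transpose(x, c)) == hamming_weight(x)
        for x, c in samples
    )


def fixed_for_all_controls(x: int) -> bool:
    """True if x maps to itself for every possible control word.  Inputs of
    weight 0 and weight N always satisfy this: there is nothing to move."""
    return all(data_dependent_transpose(x, c) == x for c in range(1 << N))


def weight_class_sizes() -> List[int]:
    """Size of each Hamming-weight class of N-bit words; a transposition can only
    permute words inside one class, so the classes of size 1 (weight 0 and N)
    are stuck.  That is the kind of structure an attacker controlling the
    input weight exploits."""
    from math import comb
    return [comb(N, w) for w in range(N + 1)]


if __name__ == "__main__":
    print("weight classes:", weight_class_sizes())
    print("all-zero fixed:", fixed_for_all_controls(0))
    print("all-one fixed:", fixed_for_all_controls((1 << N) - 1))
    print("weight-1 word fixed:", fixed_for_all_controls(1))
```

Running the module shows that the only inputs fixed under every control word are the two degenerate weight classes, while a weight-1 word does move; the point a defender takes from this is that a bit-transposition layer on its own gives no diffusion across Hamming-weight classes and must be combined with a nonlinear component that does.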
Keywords: ARMADILLO2, hash function, stream cipher, MAC, cryptanalysis, collision