Fast Key Recovery Attack on ARMADILLO1 and Variants

Transcription

1 Fast Key Recovery Attack on ARMADILLO and Variants Pouyan Sepehrdad, Petr Sušil, and Serge Vaudenay EPFL, Lausanne, Switzerland Abstract. The ARMADILLO cryptographic priitive is a ulti-purpose cryptographic priitive for RFID devices proposed at CHES 0. The ain purpose of the priitive is to provide a secure authentication in a challenge-response protocol. It has two versions, naed ARMADILLO (subsequently denoted by AR- MADILLO) and ARMADILLO2. However, we found a fatal weakness in the design which allows a passive attacker to recover the secret key in polynoial tie, of ARMADILLO and soe generalizations. We introduce soe interediate designs which try to prevent the attack and link ARMADILLO to ARMADILLO2. Considering the fact that the attack against ARMADILLO is polynoial, this brings about soe concerns into the security of the second version ARMADILLO2, although it reains unbroken so far. Introduction ARMADILLO is a hardware oriented ulti-purpose cryptographic priitive presented at CHES 0 [2]. It was built for RFID applications. It can be used as a PRF/MAC, e.g. for a challenge-response protocol as a MAC, and also as a hash function for digital signatures, or a PRNG for aking a strea cipher. It has two versions, naed ARMADILLO (subsequently denoted by ARMADILLO)andARMADILLO2. During the review process of CHES 0 we found an attack against ARMADILLO and its variants. The ARMADILLO2 includes a quick fix to resist it. The attack and its variants are presented in this paper. To fix the vulnerability of ARMADILLO and siultaneously shrink the design, we define ultiple interediate versions of ARMADILLO and we investigate their security with respect to the original attack and illustrate that they are still vulnerable to a key recovery or a forgery attack. Although our attack is not applicable against ARMADILLO2, the step by step approach in the design of other variants would give a concern behind the security of ARMADILLO2. These interediate designs reveal that the security bounds on ARMADILLO2 ight be insufficient. We introduce a generalized version ARMADILLOgen andweexplainwhenthekeyrecovery or forgery attack is possible. Finally, we coe to the definition of ARMADILLO2. The attacks we show have always coplexity polynoial in the size of input. Specifically, the attack against ARMADILLO has coplexity O(k 2 logk) and it can be perfored by hand, as the actual key recovery algorith is very siple. Supported by a grant of the Swiss National Science Foundation, /. E. Prouff (Ed.): CARDIS 20, LNCS 7079, pp , 20. c IFIP International Federation for Inforation Processing 20

2 34 P. Sepehrdad, P. Sušil, and S. Vaudenay. Related Work In [] the authors found an attack against ARMADILLO2 based on parallel atching. The key recovery attack against FIL-MAC application of ARMADILLO2-A and AR- MADILLO2-E using single challenge-response pair is 2 7 and 2 8 ties faster than exhaustive search respectively. The techniques presented in our paper ay help to reduce the tie coplexity if the attacker uses ultiple saples. 2 Description of ARMADILLO ARMADILLO relies on data-dependent bit transpositions. Given a bitstring x with bit ordering x =(x l x ), fixed perutations σ 0 and σ over the set {,2,...,l}, abit string s,abitb {0,} and a perutation σ,definex σs = x when s has length zero, and x σs b = x σs σ b,wherex σ is the bit string x transposed by σ, thatis, x σ =(x σ (l) x σ () ) The function (s,x) x σs is a data-dependent transposition of x. The function s σ s can be seen as a particular case of the general sei-group hooorphis fro {0,} to a group G. Notations. Throughout this docuent, denotes the concatenation of bitstrings, denotes the bitwise XOR operation, x denotes the bitwise copleent of a bitstring x; we assue the little-endian nubering of bits, such as x =(x l x ). In this section, we give the description of two variants ARMADILLO and ARMADILLO2. Then, we introduce a coon generalized version ARMADILLOgen and show how it relates to all versions. We show the attack against ARMADILLOgen for any different choices of paraeters. 2. ARMADILLO ARMADILLO aps an initial value C and a essage block U to two values (see Fig. ). (V C,V T )=ARMADILLO(C,U) ARMADILLO works based on a register Xinter. By definition, C and V C are of c bits, V T as well as each block U i are of bits, Xinter is of k = c + bits. ARMADILLO is defined by integer paraeters c,, and two fixed perutations σ 0 and σ over the set {,2,...,2k}. Concretely, we consider 40 and k = c +. To initialize AR- MADILLO, Xinter is set to C 0 where 0 is a null padding block, and C is an initial value. ARMADILLO works as follows (Fig. ). : in the i-th step, replace the rightost -bit block of Xinter by the block U i ; 2: set a l = 2k bits register x = Xinter Xinter; 3: x undergoes a sequence of bit perutations which we denote by P. The output of this sequence of bit perutations is truncated to the rightost k bits, denoted S,by S = tail k ((Xinter Xinter) σxinter )

3 Fast Key Recovery Attack on ARMADILLO and Variants 35 4: set Xinter to the value of S Xinter. 5: after processing the last block U n,take(v C V T )=Xinter as the output. V C V T S (Xinter Xinter) σxinter k Xinter Xinter 32 C c U i Fig.. Schee of ARMADILLO 2.2 ARMADILLO2 For copleteness, we now provide the description of ARMADILLO2 [2] here. The AR- MADILLO2 is ostly based on ARMADILLOb (be defined later) with an additional preprocessing echanis. As the reader see later in the paper, the pre-processing prevents our attack. We note that the pre-processing step outputs a sequence of bits that defines the data dependent perutation and ensures that the data dependent perutation σ Xinter cannot be easily controlled by the attacker (see Fig. 2). : in the i-th step, replace the rightost -bit block of Xinter by the block U i ; 2: set a l = k bits register x = Xinter; 3: x undergoes a sequence of bit perutations, σ 0 and σ and a constant γ addition, which we denote by P. In fact, P aps a bitstring of bits and a vector x of k bits into another vector of k bits as P(s b,x)=p(s,x σb γ), whereb {0,} and x σb is a perutation of bits of x (transposition). The output of this sequence of k bit perutations and constant addition is denoted Y = P(U i,x). We call this step pre-processing, since it is used to define the perutation for the consequent step. 4: x undergoes a sequence of bit perutations and constant addition P defined by Y. The output of this sequence of k bit perutations and constant addition is denoted S = P(Y,x). 5: set Xinter to the value of S Xinter. 6: after processing the last block U n,take(v C V T ) as the output.

4 36 P. Sepehrdad, P. Sušil, and S. Vaudenay V C V T Y. P(Y,C U i ) C k Y = P(U i,c U i ). U i C c U i Fig. 2. Schee of ARMADILLO2 3 General ARMADILLOgen Algorith We define various interediate versions of ARMADILLO. These interediate versions show the relation between ARMADILLO and ARMADILLO2 and give a security concern on ARMADILLO2. We explain step by step how the weakness in the design of ARMADILLO relate to a possible weaknesses in design of ARMADILLO2. All these versions are based on data-dependent perutation P. They all can be covered under ARMADILLOgen as a paraetrized version of distinct variants, and by setting corresponding paraeters we obtain ARMADILLO, ARMADILLOb, ARMADILLOc, ARMADILLOd and ARMADILLO2. We show an attack against ARMADILLOgen for soe choices of paraeters. ARMADILLOgen is defined as ARMADILLOgen(X)=T 4 (P(T (X),T 2 (X)),X) where P(s b,y)=p(s,t 3 (b,y)) P(λ,Y)=Y λ denotes the epty string, T, T 2,andT 4 are soe linear functions, and T 3 in its ost general for is T 3 (b,y )=L(Y ) σb γ where L is linear and γ is a constant.

5 Fast Key Recovery Attack on ARMADILLO and Variants 37 Then, ARMADILLO is defined as ARMADILLOgen for T (X)=X T 2 (X)=X X T 3 (b,x)=x σb T 4 (X,Y )=tail k (X) Y ARMADILLO2 is defined as ARMADILLOgen for T (X)=P(tail (X),X) T 2 (X)=X T 3 (b,x)=x σb γ T 4 (X,Y)=X Y 3. ARMADILLOb: Shrinking the Xinter Register The ARMADILLOb is a copact version of ARMADILLO which prevents the preservation of Haing weight by adding a constant. However, it does not prevent the attack against ARMADILLO. According to [2], the ARMADILLO design prevents a distinguishing attack based on constant Haing weight by having the double sized internal register and the final truncation, assuing the output of P transposition looks pseudorando. We see later in this paper (see section 4) that this proof does not hold in standard attack odel and ARMADILLO can be broken in polynoial tie. First, we define ARMADILLOb and then deonstrate an attack against this version and explain how the sae attack can be used against ARMADILLO. ARMADILLOb is defined as ARMADILLOgen for T (X)=X T 2 (X)=X T 3 (b,x)=x σb γ T 4 (X,Y)=X Y In the design of ARMADILLOb the state size is reduced to k bits to save ore gates. So, there is only the register Xinter and not its copleent, and there is no truncation. To avoid Haing weight preservation, after each perutation there is an XOR of the current state with a constant γ (see Fig. 3). 3.2 ARMADILLOc: Adding a Linear Layer in T 3 To investigate whether a ore coplex layer in T 3 can prevent the attack on AR- MADILLOb we define ARMADILLOc.ItisdefinedasARMADILLOgen for T (X)=X T 3 (b,x)=l(x) σb γ for a linear transforation L, with arbitrary linear T 2 and T 4.

6 38 P. Sepehrdad, P. Sušil, and S. Vaudenay V C V T S P(Xinter, Xinter). 3 2 k Xinter 32 C c U i Fig. 3. Schee of ARMADILLOb 3.3 ARMADILLOd: Adding a Fixed Transposition in T We will see later that ARMADILLOc is still vulnerable. To prevent the attack on AR- MADILLOc, a fixed transposition was added in T to ix the bits of the secret and the challenge. ARMADILLOd is defined as ARMADILLOgen for T (X)=X π T 3 (b,x)=x σb γ for a fixed perutation π and with arbitrary linear T 2 and T 4. 4 Key Recovery Attack against ARMADILLO and ARMADILLOb In this section, we describe an attack against two versions of ARMADILLO. Wefirst explain the attack on ARMADILLOb and then setting γ = 0 and extending the initial state to (Xinter Xinter) =(C U C U), the sae attack can be directly used against ARMADILLO. Since ARMADILLO has ore than one applications, we just briefly explain how it is deployed in the challenge-response application. We refer the reader to [2] for ore details. The objective is to have a fixed input-length MAC. Suppose that C is a secret and U is a one block challenge. The value V T is the response or the authentication tag. We write V T = ARMADILLO(C,U)

7 Fast Key Recovery Attack on ARMADILLO and Variants 39 As can be seen fro the description of the algorith, there is no substitution layer. This eans that for a fixed key C the perutation σ C is fixed (but unknown). As we see later in the paper, it can be easily recovered. For the attack it suffices to recover the apping σ C of a single index, for instance we recover σ C ( j) =n for soe value j. If we can recover the apping σ C ( j), we than take challenges U i so that j-th bit of P(U i,c U i ) contains different bits of the key. This allows us to recover the secret key fro literally reading the key fro the output of ARMADILLOb. We also show that the attack can be extended to other scenarios, or can be changed to forgery attack if the key recovery is not possible. More precisely, we consider T (X)=X T 3 (b,x)=x σb γ with arbitrary linear T 2 and T 4. This includes ARMADILLO and ARMADILLOb. The attack is based on the fact that a bit perutation is linear with respect to XOR operation, i.e., for a perutation σ, X andy be two vectors, we have (X Y) σ = X σ Y σ. Lea. For any T 3, C, and U, we have P(C U,C U)=P(C, P(U,C U)) Proof. We easily prove it by induction on the size of C. Lea 2. For T 3 (b,x)=x σb γ, there exists a function f :2 X 2 X such that for any Y =(y k... y ) and X, we have P(Y,X)=X σy f (Y ) Proof. Let rewrite ( (( ) ) ) P(Y,X)= X γ σy γ γ... γ σ y2 σ y3 σ yk Let define the prefix of Y as Thus, P can be rewritten as prefix(y )={Y j ; Y j =(y k... y j ), j k} P(Y,X)=(X γ) σy γ p prefix(y ) γ σp = X σy P(Y,0) Now we apply the above results to ARMADILLOgen with T (X) =X and T 3 (b,x) = X σb γ. ARMADILLOgen(C U) =T 4 (P(C U,T 2 (C U)),C U) = T 4 (P(C,P(U,T 2 (C U))),C U) = T 4 (P(C,(L U (C) σu f (U))),C U) ) = T 4 ((L U (C) σu f (U)) σc f (C),C U

8 40 P. Sepehrdad, P. Sušil, and S. Vaudenay where L U (C)=T 2 (C U) and f (U) is given by Lea 2. The first equality is coing fro the definition, the second fro Lea and the last two fro Lea 2. So, we can write ( ) ARMADILLOgen(C U)=L (L U (C) σu f (U)) σc g(u) h(c) for soe linear function L and soe functions g and h. For all the variants we consider, L is either the identity function or consists of dropping a few bits. For ARMADILLOb and ARMADILLO the function h(c)= f (C) (C 0 ), g(u)=(0 c U). Siilarly, L(X)=X and L(X)=tail k (X) respectively. In what follows, we consider an arbitrary i and take a vector e i such that e i L(X)= X[i],i.e,thei-th bit of register X. So, we obtain e i ARMADILLOgen(C U)=(L U (C) σu f (U)) σ C (i) g(u) i h(c) i Clearly, there exists a j = σc (i) such that e i ARMADILLOgen(C U) g(u) i = L U (C) σ Ut ( j) f (U) j h(c) i () In chosen-input attacks against the PRF ode, we assue that the adversary can copute e i ARMADILLOgen(C U) for a chosenu and a secret C. In the challenge-response application, we only have access to V T, but in all considered variants, e i has Haing weight one, so we just need to select i so that this bit lies in the V T window. We introduce an attack (see Fig. 4) which only needs this bit of the response for n = k logk queries. This algorith has coplexity O(k 2 logk) to recover the secretc (also see Fig. 5). In fact, the attacker can siply recover the perutationy = P(U i,xinter), since she has control overu i s. Now, her goal is to find out how P(C,Y) aps the index j to i. The goal of the algorith is to find this apping and recovers C. It is exploiting the fact that fixing the i,thenh(c) i is fixed for all challenges and the left side of Eq. () can be coputed directly by the adversary. Then, it recovers C by solving an overdefined linear syste of equations and check it has a solution. If so, it checks whether the recovered C is consistent with other saples. Attack coplexity. The first for loop runs ARMADILLO algorith k logk ties. The second loop runs l ties where l = 2k for ARMADILLO and l = k for ARMADILLOb.We perforup to 2k logk siple arithetic operations in the second loop to copute values L Ut (C) σ Ut ( j). Solving the syste of n linear equation requires O(n3 ) in general case. However, in the case of ARMADILLO and ARMADILLOb every line contains only one variable of secret C, which coes fro the Lea 2. As we have k logk equations in c variables, if the apping i j is not guessed correctly we have high probability to obtain contradiction on line 3. So overall, we have coplexity of O(k 2 logk) for attacking both ARMADILLO and ARMADILLOb. Probability of success. We first choose randoly k logk challenges U t and copute ARMADILLOgen(C U t ). That is because, according to coupon collector proble [3]

9 Fast Key Recovery Attack on ARMADILLO and Variants 4 : Pick a rando i fro to. 2: for t fro to n = k logk do 3: collect challenge-response pair (U t,e i ARMADILLOgen(C U t )) 4: copute b t = e i ARMADILLOgen(C U t ) g(u t ) i. 5: end for 6: for j fro to l do 7: for each β {0,} do 8: set h(c) i = β. 9: for t fro to n do 0: copute L Ut (C) σ Ut ( j) = b t f (U t ) j β for all c bits. : end for 2: solve the syste of n linear equations L Ut (C) σ Ut ( j) 3: if no solution then 4: break 5: end if 6: derive C 7: if C is consistent with saples then 8: output C. 9: end if 20: end for 2: end for Fig. 4. The key recovery algorith against ARMADILLO and ARMADILLOb the expected nuber of challenges so that every bit of C is apped to i-th bit of output is k logk. Therefore, aong k logk challenges all the bits of challenge and all the bits of secret key are apped to a single bit of the output. The attacker can derive equation for the j-th bit of P(U t,c U t ),andfork logk distinct challenges U t the set of equations will have full rank. These equations do not change through the fixed apping σ C, only the constant ter ight change due to ter P(C,0). Therefore if the attacker guess j i correctly, the set of k logk equations in c variables has a solution, otherwise the set of k logk equations in c variables has no solution with probability at least 2 n. Failure of the previous attack. The previously entioned attack would fail, if the perutations σ 0, σ ap bit indices in the set [,] to the set [,], i.e., σ 0 [..]=[..] and σ [..]=[..]. So, it ight be speculated that picking such perutations in the design akes the cryptosyste secure. However, the ARMADILLO with such perutations is vulnerable to a siple forgery attack. Let reind the decoposition ARMADILLOb(C U) =P(C U,C U) (C U) = P(C,P(U,C U)) (C U) = P(C,(L(C) σu f (U))) g(u) =(L(C) σu f (U)) σc g(u) h(c) Given challenges which for a linearly independent syste, we can copute the response by solving the set of these linear equations.

10 42 P. Sepehrdad, P. Sušil, and S. Vaudenay V C V T S i C P(C,Y ) U t Y = P(U t,xinter) j k Xinter 32 C c U t Fig. 5. Schee of the key recovery algorith against ARMADILLO and ARMADILLOb 5 Attack Extension with Linear Layer in T 3 (ARMADILLOc) T 3 function is very siple in the previous versions. The first attept to prevent the previous attack is to use a ore coplex layer but still linear and check whether it prevents the attack. We define another interediate version and call it ARMADILLOc. Then, we show that only adding a linear layer L in T 3 (b,x) =L(X) σb γ would not prevent the attack. Let L be a linear transforation. This attack requires O(k) challenges and three Gaussian eliinations which require O(k 3 ) operations. We define the new ARMADILLOc as follows. ARMADILLOc(C U)=T 4 (P(C U,T 2 (C U)),(C U)) where P(s b,y)=p(s,l(y ) σb γ) P(λ,Y)=Y We build a syste of equations, where ARMADILLOc(C U j )=T 4 (P(C U j,t 2 (C U j )),C U j ) = T 4 (P(C,P(U j,t 2 (C U j ))),C U j ) = T 4 (P(C,P(U j,t 2 (C 0) T 2 (0 U j ))),C U j ) = T 4 (P(C,P(U j,t 2 (C 0)) P(U j,t 2 (0 U j ))),C U j ) ( ) = T 4 LC (L Uj (C) γ j ) P(C,0),C U j where L Uj (C)=P(U j,t 2 (C 0)) and γ j = P(U j,t 2 (0 U j )).

11 Fast Key Recovery Attack on ARMADILLO and Variants 43 We use the fact that a set of ck + equations L Uj (C) is linearly dependent. Using this we can bypass the unknown apping L C. We can find a set J of equations whose su is 0. Let ε be the parity of the cardinality of J. We obtain ( ( ) ) ARMADILLOc(C U j )=T 4 L C γ j εp(c,0),εc U j j J j J j J Using the above expression with several J s, we can recover linear apping L C and P(C,0). Using the knowledge of( L C (X) we recover P(C,2 i ) for 0 < i < k.wedothisby Gaussian eliination on values γ j ).UsingP(C,2 i ) for 0 i < k, we can recover j J L Uj (C) as follow. ARMADILLOc(C U j )=T 4 ( LC (L Uj (C) γ j ) P(C,0),C U j ) Therefore, we can copute = T 4 ( LC (L Uj (C)),C 0 ) T 4 (L C (γ j ) P(C,0),0 U j ) T 4 ( LC (L Uj (C)),C 0 ) = ARMADILLOc(C U j ) T 4 (L C (γ j ) P(C,0),0 U j ) Let consider U i U j,wehave ( Δ(U i,u j )=T 4 (L C (L Ui (C)),C 0) T 4 LC (L Uj (C)),C 0 ) ( =T 4 LC (L Ui (C) L Uj (C)),0 ) =ARMADILLOc(C U i ) T 4 (L C (γ i ) P(C,0),0 U i ) ARMADILLOc(C U j ) T 4 (L C (γ j ) P(C,0),0 U j ) Hence, we obtain L Ui (C) L Uj (C)=LC (T4 (ARMADILLOc(C U i ) T 4 (L C (γ i ) P(C,0),0 U i ) ARMADILLOc(C U j ) T 4 (L C (γ j ) P(C,0),0 U j ),0)) Since L Ui (C) is a known transforation linear in C we can recover the secret key by solving the set of linear equations. 6 Attack Extension with a Fixed Transposition in T (ARMADILLOd) 6. Case with no General T 2 and T 4 The previous attack can be prevented by using an S-box layer. However, if the underlying perutation P is not predictable then we can not apply the aforeentioned attack. We used P(U,C U) to generate linear equations, and then guess the apping P(C,Y ). So, an attept is to ix bits of C and U. But then,we show that even though we do not

12 44 P. Sepehrdad, P. Sušil, and S. Vaudenay know the secret parts of perutation since these parts are fixed, we can guess the one by one. We design a version called ARMADILLOd that first applies a fixed perutation π on the first register, i.e., T is a transposition. Then, we show that setting T to be a transposition does not prevent a forgery attack. ARMADILLOd is defined as follows. ARMADILLOd(C U)=T 4 (P((C U) π,t 2 (C U)),(C U)) where P(s b,y)=p(s,y σb γ) P(λ,Y)=Y We first consider a siple case for T when bits of challenge U for an interval (see Fig. 6), and T 2 is identity and T 4 (X,Y)=X Y. Later, we extend the attack to a general transposition T, T 2 and T 4. ARMADILLOd(C C 2 U)=P(C U C 2,C C 2 U) (C C 2 U) Let denote X =(C C 2 U).Wehave ARMADILLOd(C C 2 U) =P(C U C 2,X) X = P(C U,P(C 2,X)) X = P(C,P(U,P(C 2,X))) X V C V T S C P(Xinter, Xinter) U k C 2 Xinter C C 2 U c Fig. 6. The copression function of ARMADILLOd

13 Fast Key Recovery Attack on ARMADILLO and Variants 45 Concentrating on an arbitrary output bit n and using Lea 2, we obtain ARMADILLOd(C C 2 U)[n] = P(C,P(U,P(C 2,C C 2 U)))[n] (C C 2 U)[n] t=σc (n) = P(C,0)[n] P(U,P(C 2,C C 2 U))[t] (C C 2 U)[n] l=σu = (t) P(C,0)[n] P(U,0)[t] P(C 2,C C 2 U)[l] (C C 2 U)[n] i=σc (l) = 2 P(C,0)[n] P(U,0)[t] P(C 2,0)[l] (C C 2 U)[i] (C C 2 U)[n] Re-arranging the above expression, for a l = P(C 2,0)[l] and b n = P(C,0)[n] we obtain ARMADILLOd(C C 2 U)[n] g(u)[t] X[n] X[i]=(a l b n ) (2) We follow Fig. 7. for the attack scenario. Let n = σ C (t) and l = σ C2 (i), where both perutations are unknown. Set a value q to be deterined later. We group k.q distinct challenges as follows: we put the challenge U j in group G l t if σ Uj (l) =t. Infact,a challenge appears in k groups. These are groups G σuj (), G 2 σuj (2),..., G k σuj (k). We obtain k 2 groups with approxiately q challenges in each. The right hand side of equation (2) is fixed for all challenges in the sae group, since σ U (l) =t for all U G l t. Hence the left hand side should be fixed for all challenges in the sae group as well, since neither a l not b n changes. We deploy this property and use the following algorith to filter out bad groups and recover relations which allow us to forge the response. Since C and C 2 are fixed, σ C2 (i) and σ C (n) are fixed for (i,n) fixed. So, σ C2 (i) for i [,] can only ap to distinct positions, therefore l can have only possibilities out of k. The sae is true for σ C (n) which can only have possibilities for t. Intuitively, what we ean by a bad group is a group which whether in the apping σ C 2 (l) aps l out of the corresponding windows of size or in the apping σ C (t) aps t out of the corresponding windows of size. Ter good groups is used to recover σ C, σ C2. We now define ore precisely what we ean by a bad group and how they can be filtered. Definition. We call a group a bad group if the exists no pair (i,n) [,] 2,such that σ C2 (i)=l and σc (n)=t. Lea 3. The group G l t is bad if for every pair (i,n) [,] 2 there exists U G l t such that the equation 2 is not satisfied. Proof. The equation 2 has to be satisfied for group G l t only if we guess σ C2 (i) =l and σc (n)=t correctly. If σ C2 (i) l or σ C (t) n, thengivenu G l t we have 2 probability that the equation 2 would be satisfied even if the group is chosen incorrectly. Therefore, we drop out a bad group G l t if there exists no pair (i,n) [,] 2 such that (i l t n) for which equation (2) is satisfied for all eleents (see Fig 9). Following

14 46 P. Sepehrdad, P. Sušil, and S. Vaudenay Fig. 7. ARMADILLOd attack schee this step, we also output a correct apping (i l t n) where (l,t) [,k] 2 and (i,n) [,] 2. The probability to accept a given incorrect group is lower than 2 k2 q.so, for k 4 2 q we keep no incorrect group for sure. That is, we need q 4log 2 k. Now we have 2 groups left after filtering and at least one apping (i f l f t f n f ) for a group G l f t f.these 2 groups correspond to all groups G li e i for l i {σ C2 [],...,σ C2 []} and e i {σc [],...,σc []} (see Fig. 8). Since σ C,σ C2 are fixed, the correct groups correspond to all appings between the set of indices {σ C2 [],...,σ C2 []} and the set of indices {σc [],...,σc []}. Now, we fix l to l f. This way we reduce the nuber of groups to. At this stage, we know the exact apping is i f l f. Depending on which group G l f t g we pick at this stage (we have a free choice of t g ), we have distinct appings fro bit l f.wepick one of these groups G l f t g which aps l f to t g. i.e., the appings on both ends of Fig. 7 are fixed. Then, we go through all possibilities for n and check for all U G l f t g whether ARMADILLOd(C C 2 U)[n] g(u)[t g ] X[n] X[i f ] is constant. If yes, we know that t g aps to n. Usingall groups G l f, we can recover perutation σc on [,]. We can fix t to t f this tie and perfor the sae procedure to recover σ C2. Now we have all we need to forge a response for a new challenge. Let U be a new challenge. We forge ARMADILLOd bit by bit. Let consider bit n of the responce R.We have recovered σc [,] and therefore we know σc (n) where n [,] i.e., position to which the n th bit of the response R is apped. Now we select l such that U Notice that this l can be in the bad groups. We only use the good groups to recover the secret perutations σ C2 and σ C.

15 Fast Key Recovery Attack on ARMADILLO and Variants 47 σ ( ) σ σ ( ) Fig. 8. ARMADILLOd group filtering schee G l σ.ifwefindsuchl (i.e., we find the corresponding group) then we forge the C (n) n = σ C σ U σ C2 (i)-th bit of the response as follows. Let U G l σ C (n) be a representative of such a group. Fro equation (2) we have and therefore ARMADILLOd(C C 2 U)[n] g(u)[t] X[n] X[i]=(a l b n ) ARMADILLOd(C C 2 U )[n] g(u )[t] X [n] X [i]=(a l b n ) ARMADILLOd(C U )[n]=armadillod(c U)[n] (X[i] X [i]) (g(u)[t] g(u )[t]) (X[n] X [n]) If there is no such l (i.e., we cannot find any corresponding group) we forge the n = σ C σ U σ C2 (i)-th bit of response as follows. Copared to the previous case we only drop (X[i] X [i]), sincex[i]=x [i], since the bit is coing fro the secret part. ARMADILLOd(C U )[n]=armadillod(c U)[n] g(u)[t] g(u )[t] X[n] X [n] The coplexity of the forgery attack is O(qk 4 ) with qk challenges, where q 4log 2 k. 6.2 Extension with the T 4 and T 2 Transforations Let now consider the definition for a general case of a T 2 and T 4 and T (C C 2 U)= (C U C 2 ), i.e., we assue that π keeps a large piece of consecutive bits of U together. ARMADILLOd(C C 2 U)=T 4 (P(C U C 2,T 2 (C C 2 U)),(C C 2 U))

16 48 P. Sepehrdad, P. Sušil, and S. Vaudenay : for all G l t,where(l,t) [,k] 2 do 2: ω = 0 3: for all (i,n) [,] 2 do 4: err = 0 5: pick an arbitrary U G l 6: ν = ARMADILLOd(C C 2 U )[n] g(u )[t] X[n] X[i] 7: for all U G l \U do 8: if ν ARMADILLOd(C C 2 U)[n] g(u)[t] X[n] X[i] then 9: ω = ω + 0: err = : break 2: end if 3: end for 4: if (err == 0) then 5: output (i l t n). 6: end if 7: end for 8: if (ω == 2 ) then 9: drop G l t. 20: end if 2: end for Fig. 9. Group filtering algorith for ARMADILLOd The sae steps as the previous attacks hold in the general case as well. In the case of T 2, since the secret is fixed it can be derived out as a constant in our coputations. So, deploying the sae grouping strategy, the attack still works. It is not difficult to see that the sae ethod also holds even if we have the T 4 function. 6.3 Extension to a General π Let now consider the definition ARMADILLOd(X)=P(X π,x) X for X =(C... C t U... U t ). In the algorith above, the attacker decoposes the coputation of ARMADILLOd into several stages. Let suppose wlog that we perute the bits of secret using perutation π as follows (C... C t U... U t ) π = C U C 2 U 2... C t U t C t I.e. π ixes C and U bits together, without putting too any consecutive bits of U.We use t ties the forgery algorith on ARMADILLOd to recover all appings σ Ci. Let assue that 2 U i kq for every i. If this is not the case we can recover the apping σ Ci σ Ui σ Ci for all evaluations of U i in polynoial tie. In both cases, we recover each σ Ci and σ Ci+ recursively. To recover σ Ci and σ Ci+,wefixE i+ = U i+ C i+2... C t by fixing U i+,...,u t,sincec i+2,...,c t is already fixed. Then, the proble is reduced

17 Fast Key Recovery Attack on ARMADILLO and Variants 49 to the sae situation as the previous attack, where we have a challenge part sandwiched between two intervals of the secret bits C. Finally, we obtain the apping σ C on set [,], σ C2,..., σ Ct on set [,k] and σc t on set [,]. Note that we can recover perutations σ C2,..., σ Ct on set [,k] by setting challenge bits to different values k ties. All we need is to describe an algorith to recover all constants P(C i,0). Then we will have everything we need to forge the response of ARMADILLOd to any challenge. We now describe how to recover P(C,0). The sae ethod can be used to derive other P(C i,0) recursively. The sae as before, Let fix all U i s except U. We use Lea. and Lea 2. and rewrite ARMADILLOd(X) X = P(C U E 2,X) = P(E 2,P(U,P(C,X))) = P(C,X) σu σ E2 P(U,0) σe2 P(E 2,0) = P(C,0) σu σ E2 X σu σ E2 P(U,0) σe2 P(E 2,0) which gives us set of linear equations and we can vary σ U as necessary to obtain a large syste of equations and solve it. Coplexity. The general attack ay iterate the algorith in Fig. 9. up to k ties. In soe iterations, the requireent 2 Ui k logk does not need to be satisfied. In such case, we need to extend the interval U i by guessing soe bits of key. Such technique would require another k logk steps. Therefore, the coplexity is bounded by O(k k 4 q k logk). We specified before that q 4logk. Hence, the coplexity of the offline stage of the attack is O(k 6 log 2 k) and the algorith requires at ost k 3 log 2 k queries. 6.4 Attack Ipact on ARMADILLO2 We can see ARMADILLO2 as a successor of ARMADILLOd with a pre-processing T which is ore elaborate than a siple transposition. Such preprocessing akes it resistant against our attack. Our attack is based on decoposition according to Lea and a guess of a constant value of function f (U) fro Lea 2. The pre-processing phase protects against both the decoposition and the constant value of function f (U). However, the attack we propose points out possible weaknesses in the design of AR- MADILLO2. 7 Conclusion We have shown a devastating key recovery attack against ARMADILLO and discussed a potential iplication on ARMADILLO2. Although we did not find an attack on AR- MADILLO2, we have illustrated that the non-linearity based on data-dependent perutations in both ARMADILLO and ARMADILLO2 is not sufficient. The results do not iediately apply on ARMADILLO2 but they allow for better understanding the design and they ight be used to iprove the attack in []. Acknowledgeents. This work was sponsored by Oridao 2. We would like to thank Nicolas Reffé for his kind support. The ARMADILLO algoriths are subject to patent nuber WO/2008/48784 [4]. 2

18 50 P. Sepehrdad, P. Sušil, and S. Vaudenay References. Abdelrahee, M., Blondeau, C., Naya-Plasencia, M., Videau, M., Zenner, E.: Cryptanalysis of ARMADILLO2. In: Proceeding of ASIACRYPT 20. Springer, Heidelberg (20) 2. Badel, S., Dağtekin, N., Nakahara Jr., J., Ouafi, K., Reffé, N., Sepehrdad, P., Sušil, P., Vaudenay, S.: ARMADILLO: A Multi-purpose Cryptographic Priitive Dedicated to Hardware. In: Mangard, S., Standaert, F.-X. (eds.) CHES 200. LNCS, vol. 6225, pp Springer, Heidelberg (200) 3. Kobza, J., Jacobson, S., Vaughan, D.: A Survey of the Coupon Collector s Proble with Rando Saple Sizes. Methodology and Coputing in Applied Probability 9(4), (2007) 4. Reffé, N.: Cryptographic Methods and Devices for the Pseudo-Rando Generation of Data Encryption and Cryptographic Hashing of a Message (Deceber 2008)