Truncated differential cryptanalysis of five rounds of Salsa20

Similar documents
Differential-Linear Cryptanalysis of Serpent

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Complementing Feistel Ciphers

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

The Hash Function JH 1

Towards Provable Security of Substitution-Permutation Encryption Networks

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha

Lecture 12: Block ciphers

Key Recovery with Probabilistic Neutral Bits

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Lecture 4: DES and block ciphers

A Five-Round Algebraic Property of the Advanced Encryption Standard

On the Salsa20 Core Function

The Hash Function Fugue

Module 2 Advanced Symmetric Ciphers

Correlated Keystreams in Moustique

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Klein s and PTW Attacks on WEP

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Block Ciphers and Systems of Quadratic Equations

A block cipher enciphers each block with the same key.

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Linear Cryptanalysis

Lecture Notes. Advanced Discrete Structures COT S

An Improved Estimate of the Correlation of Distinguisher for Dragon

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Differential Analaysis of Block Ciphers SIMON and SPECK

Chapter 1 - Linear cryptanalysis.

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

A Block Cipher using an Iterative Method involving a Permutation

Message Authentication Codes (MACs)

Linear Cryptanalysis of Reduced-Round PRESENT

On the pseudo-random generator ISAAC

Cryptanalysis of Achterbahn

Algebraic Attack Against Trivium

Cryptanalysis of Hiji-bij-bij (HBB)

Improved Cryptanalysis of Py

Linear Approximations for 2-round Trivium

Algebraic Techniques in Differential Cryptanalysis

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

On the Design of Trivium

Bias in the LEVIATHAN Stream Cipher

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Stream Ciphers: Cryptanalytic Techniques

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

FFT-Based Key Recovery for the Integral Attack

Revisit and Cryptanalysis of a CAST Cipher

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Numerical Solvers in Cryptanalysis

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Security of the AES with a Secret S-box

Cryptanalysis of the Stream Cipher ABC v2

Improved Analysis of Some Simplified Variants of RC6

The Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential Attacks on 13-Round CLEFIA-128

Finding good differential patterns for attacks on SHA-1

Specification on a Block Cipher : Hierocrypt L1

Security Analysis of the Block Cipher SC2000

An Extended DES. National Chiao Tung University Hsinchu, 300 Taiwan

Linear Cryptanalysis Using Multiple Approximations

K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31

Linear Cryptanalysis of Reduced-Round Speck

(Solution to Odd-Numbered Problems) Number of rounds. rounds

AES side channel attacks protection using random isomorphisms

Differential Attack on Five Rounds of the SC2000 Block Cipher

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Optimized Interpolation Attacks on LowMC

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Lattice Cryptography

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Linear Cryptanalysis of RC5 and RC6

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

New Results in the Linear Cryptanalysis of DES

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Solution of Exercise Sheet 7

Security Evaluation of Stream Cipher Enocoro-128v2

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Public-key Cryptography: Theory and Practice

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

Notes 10: Public-key cryptography

On Correlation Between the Order of S-boxes and the Strength of DES

Lecture 10 - MAC s continued, hash & MAC

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Cryptanalysis of block EnRUPT

Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty

CPA-Security. Definition: A private-key encryption scheme

Attacks on the RC4 stream cipher

Modified Hill Cipher with Interlacing and Iteration

Improbable Differential Cryptanalysis and Undisturbed Bits

Block Cipher Cryptanalysis: An Overview

Transcription:

Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters of truncated differentials and requires 2 165 work and 2 6 plaintexts. 1 Definition of Salsa20 Salsa20 [1] is a candidate in the estream project to identify new stream ciphers that might be suitable for widespread adoption. For convenience, we recap here the parameterized family of variants Salsa20-w/r, with w the word size and r the number of rounds; Salsa20 itself is Salsa20-32/20. A word is an element of Z/2 w Z. We omit the precise definitions of word-oriented operations here for brevity; addition (+), XOR ( ) and rotation ( ) are defined in the usual way, and where words are mapped to bytes, a little-endian mapping is used. We define a bijective map S on four-element column vectors of words: S a (( y 0 y 1 y 2 y 3 ) T ) = ( y 1 ((y 0 + y 3 ) a) y 2 y 3 y 0 ) T and compose it four times to build this bijective map on the same: Q = S 18 S 13 S 9 S 7 (note that the constants given in the subscripts are appropriate for w = 32; different constants might be used for a different w) and compose it with a row and column rotate to get this bijective map on matrices: Q (m) = m 1,1 m 1,2 m 1,3 q 1 m 2,1 m 2,2 m 2,3 q 2 m 3,1 m 3,2 m 3,3 q 3 m 0,1 m 0,2 m 0,3 q 0 paul@ciphergoth.org. Work sponsored by LShift Ltd, www.lshift.net 1

where q = Q m 0,0 m 1,0 m 2,0 m 3,0, m = m 0,0 m 0,1 m 0,2 m 0,3 m 1,0 m 1,1 m 1,2 m 1,3 m 2,0 m 2,1 m 2,2 m 2,3 m 3,0 m 3,1 m 3,2 m 3,3 from which we build this bijective map on four-by-four square matrices of words: R(m) = (Q 4 (m)) T and from this, we define the Salsa20 hash function : H(m) = m + R r (m) Salsa20 maps an eight-word key k 0...7, a two-word nonce v 0...1 and a two-word stream position i 0...1 onto a 16-word output matrix as follows: Salsa20 k (v, i) = H c 0 k 0 k 1 k 2 k 3 c 1 v 0 v 1 i 0 i 1 c 2 k 4 k 5 k 6 k 7 c 3 where c 0...3 are constants dependent on the key length and omitted here for brevity. We also omit the (straightforward) definition of the row-wise deserialization of this output matrix, the resulting counter-mode-like stream cipher, and the Salsa20 variants defined for shorter keys. Salsa20 s security goal is that the function above be indistinguishable from a random function to a suitably-bounded attacker; from this its security as a stream cipher may be inferred. 2 Cryptanalysis of r = 5 We here attack the Salsa20 PRF directly; the resulting attack on the Salsa20 stream cipher follows straightforwardly. Though many techniques of block cipher cryptanalysis are applicable to Salsa20, it has several features to defeat these techniqes. First, the large block size allows for rapid diffusion without penalty of speed. Second, the attacker can control only four words of the sixteen-word input to the block cipher stage. Nevertheless, we can construct an attack based on multiple truncated differentials which breaks five rounds of the cipher. Where r = 5, the output of the PRF is m + R 5 (m). Eight of the sixteen cells in m are known to us; the other eight cells contain the key. We can thus straightforwardly infer eight of the sixteen cells in R 5 (m). If we correctly guess k 3, this will give us a complete row in R 5 (m), to which we can apply Q 1 to infer a complete row of R 4 (m). To go further back, we observe that if every input word but the first to Q 1 is known, the final output word may be inferred, and if every input but the second is 2

known, the first may be inferred. If we can guess the key words k 3...7, this allows us to infer these entries of R 5 (m) given H(m):??? Applying Q 1 to each row except the first allows us to infer these entries in R 4 (m):???? from which we can infer these entries in R 3 (m):?? Given a sufficiently powerful distinguisher for the function family f k (v, i) = (Salsa20 k (v, i) 3,0, Salsa20 k (v, i) 3,3 ) we can therefore test our guesses at k 3...7. Consider this example of a low-weight (ie high-probability) truncated differential trail suitable for our purposes, identifed using the techniques of [2]. The limitations on the bits under the attacker s control make it difficult to identify trails that start with useful combinations of bits; each word we control is combined with three we do not before the results are combined with each other. Thus, our input difference is simply a single bit in the high word of the stream position, chosen to minimize the nonlinear avalanche. Before round 1: After round 1 (with probability 1 2 ): 0 0x80000000 0 0 0x00201000? 0x80000000 0x00000100 After round 2 (with probability 2 9 ):? 0x00201000 0x40200000 0x02000800 0 0x00001000 0x00200000 0x04000080 3

And after round 3 (with probability 2 12 ): 0x02002802??? This trail has sufficiently high probability to act as a suitable distinguisher from which an attack can be built. However, we can do much better. The probability of this difference appearing in the output is much higher than this trail would suggest in fact, it is closer to 2 9. This is because there are many other lowweight differential trails that result in this difference in R 3 (m) 3,0. Furthermore, there are many high-probability differentials in this word. By experiment, we have even determined a few differential trails whose probability appears to be twice as high as their weight would suggest this is presumably because of problems with the independence assumption, and suggests that there may be trails which are less probable than their weight would suggest. By considering many trails, we can build a far more effective attack. Many tradeoffs are possible; we give one example here. We have experimentally determined a set of 1024 possible differences in R 3 (m) 3,0 from this one input difference such that the probability of one of them being right appears to be roughly 30%. With 32 output pairs, the probability that 5 or more of these pairs show a difference in the set is greater than 1 2 3, while the probability of this threshold being met or exceeded by chance is less than 2 99. We try all 2 160 possible values of k 3...7 ; for each that meets the threshold, we try to determine k 0...2 by simple bruteforce search. The true key will be among these values with probability 1 2 3 as noted, and we can expect 2 160 99 = 2 61 false positives; the cost of the bruteforce search stage will thus be roughly 2 96+61 = 2 157, much less than the cost of determining our candidates for k 3...7. 3 Conclusions and open questions It is clear that a naive attack of this type cannot be extended to more than a handful of rounds; this has no negative implications for the security of the full Salsa20-32/20 presented to estream. Nonetheless, the degree of clustering exhibited by these differential characteristics is surprising; it is more usual for a single differential trail to dominate. It is also striking to find differential trails whose overall probability is so greatly mispredicted by the products of the probabilities of its components, marking a violation of the independence assumption usual in differential cryptanalysis. In both instances, it would bear investigation whether other ciphers that rely heavily on addition mod 2 n to introduce nonlinearity in GF (2) would also show these properties in differential cryptanalysis, or related properties in other forms of cryptanalysis. 4

References [1] Daniel J. Bernstein. Salsa20 specification. http://cr.yp.to/snuffle/spec.pdf, 2005. [2] Helger Lipmaa and Shiho Moriai. Efficient algorithms for computing differential properties of addition. In Mitsuru Matsui, editor, Fast Software Encryption 2001, volume 2355 of Lecture Notes in Computer Science, pages 336 350. Springer, 2001. A Anomalous differential trails We give here examples of differential trails whose observed frequency is markedly different from that predicted by the simplifying assumptions of differential cryptanalysis. The trails below should appear with frequency 2 9, but in 2 26 trials appeared not the expected 131072 times, but 262018 and 262412 times respectively. Both trails start One goes on thus: and the other thus: 0 0x80000000 0 0 0x00601000? 0x80000000 0x00000100? 0x00601000 0x40200000 0x02000800 0 0x00000100??? 0x00601000 0x40200000 0x02001800 0 0x00000100?? 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback