Differential and Linear Cryptanalysis of ARX with Partitioning - Application to FEAL and Chaskey

In this work, we refine a partitioning technique recently proposed by Biham and Carmeli to improve the linear cryptanalysis of addition operations, and we propose an analogous improvement for the differential cryptanalysis of addition operations. These two techniques can reduce the data complexity of linear and differential attacks, at the cost of more processing time. Our technique can be seen as the analogue, for ARX ciphers, of partial key guessing and partial decryption for SPN ciphers. We show a first application of the generalized linear partitioning technique on FEAL-8X, revisiting the attack of Biham and Carmeli. We manage to reduce the data complexity from 2^14 to 2^12 known plaintexts, while the time complexity increases from 2^45 to 2^47. Then, we use these techniques to analyze Chaskey, a recent MAC proposal by Mouha et al. that is being studied for standardisation by ISO and ITU-T. Chaskey uses an ARX structure very similar to SipHash. We use a differential-linear attack with improvements from the partitioning technique, combined with a convolution-based method to reduce the time complexity. This leads to an attack on 6 rounds with 2^25 data and 2^28.6 time (verified experimentally), and an attack on 7 rounds with 2^48 data and 2^67 time. These results show that the full version of Chaskey with 8 rounds has a rather small security margin.
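To illustrate why partitioning helps the linear cryptanalysis of an addition, here is an added example (not code from the paper): it exhaustively measures the bias of the approximation z_i = x_i XOR y_i for z = x + y mod 2^n, first over all inputs and then separately within the four partitions defined by the carry-deciding bits (x_{i-1}, y_{i-1}). Word size n, bit position i and the exhaustive enumeration are choices made for this example.

```python
# Added example: bias of the linear approximation z_i = x_i ^ y_i of modular
# addition, unpartitioned versus partitioned on the bits (x_{i-1}, y_{i-1}).
# In a real ARX cipher those bits mix in key material, which is why the paper
# compares partitioning to a partial key guess in SPN attacks.
from fractions import Fraction
from itertools import product


def bit(v, i):
    return (v >> i) & 1


def approximation_bias(n, i, keep=lambda x, y: True):
    """Return Pr[z_i = x_i ^ y_i] - 1/2 over all n-bit pairs (x, y) accepted
    by `keep`, with z = (x + y) mod 2^n. Exhaustive, so keep n small."""
    hits = total = 0
    mask = (1 << n) - 1
    for x, y in product(range(1 << n), repeat=2):
        if not keep(x, y):
            continue
        total += 1
        z = (x + y) & mask
        if bit(z, i) == bit(x, i) ^ bit(y, i):
            hits += 1
    return Fraction(hits, total) - Fraction(1, 2)


def partitioned_biases(n, i):
    """Bias of the same approximation inside each partition (a, b) where
    a = x_{i-1} and b = y_{i-1}; the carry into bit i is maj(a, b, c_{i-1}),
    so the (0,0) and (1,1) partitions make the approximation deterministic."""
    return {
        (a, b): approximation_bias(
            n, i, lambda x, y, a=a, b=b: bit(x, i - 1) == a and bit(y, i - 1) == b
        )
        for a in (0, 1)
        for b in (0, 1)
    }


if __name__ == "__main__":
    n, i = 8, 4
    print("unpartitioned bias:", approximation_bias(n, i))   # 1/32
    for part, b in partitioned_biases(n, i).items():
        print("partition", part, "bias:", b)                 # 1/2, 1/16, 1/16, -1/2
```

Since the data needed by a linear attack grows roughly with 1/bias^2, keeping only the deterministic partitions trades sorting effort for a much smaller sample, which is the data-versus-time trade-off the abstract describes.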
