Improved Differential-Linear Cryptanalysis of 7-Round Chaskey with Partitioning

In this work we study the security of Chaskey, a recent lightweight MAC designed by Mouha et al., currently being considered for standardization by ISO/IEC and ITU-T. Chaskey uses an ARX structure very similar to SipHash. We present the first cryptanalysis of Chaskey in the single-user setting, with a differential-linear attack against 6 and 7 rounds, hinting that the full version of Chaskey with 8 rounds has a rather small security margin. In response to these attacks, a 12-round version has been proposed by the designers. To improve the complexity of the differential-linear cryptanalysis, we refine a partitioning technique recently proposed by Biham and Carmeli to improve the linear cryptanalysis of addition operations. We also propose an analogous improvement of the differential cryptanalysis of addition operations. Roughly speaking, these techniques reduce the data complexity of linear and differential attacks, at the cost of more processing time per data item. They can be seen as the analogue for ARX ciphers of partial key guessing and partial decryption for S-box-based ciphers. When applied to the differential-linear attack against Chaskey, this partitioning technique greatly reduces the data complexity, and this also results in a reduced time complexity. While a basic differential-linear attack on 7 rounds takes $2^{78}$ data and time (respectively $2^{35}$ for 6 rounds), the improved attack requires only $2^{48}$ data and $2^{67}$ time (respectively $2^{25}$ data and $2^{29}$ time for 6 rounds). We also show an application of the partitioning technique to FEAL-8X, and we hope that this technique will lead to a better understanding of the security of ARX designs.
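As an added illustration (not the paper's own code, and not the masks or partitions used against Chaskey), the following Python toy shows the partitioning idea on a single modular addition: approximating the carry into bit i of x + y by the bit x[i-1] has correlation 1/2 over all inputs, but splitting the data on the known bit x[i-1] ⊕ y[i-1] isolates a subset on which the approximation holds with correlation 1, so fewer samples are needed in that subset at the cost of sorting every sample into a partition first. The word size, bit position and approximation are constructed for the example.

```python
# Added illustration of partitioning a linear approximation of modular addition.
# Constructed toy: 8-bit words, exhaustive enumeration of all 2^16 input pairs.
from itertools import product

N = 8                 # word size in bits (toy value)
MASK = (1 << N) - 1


def bit(v, i):
    return (v >> i) & 1


def carry_approx(x, y, i):
    """0 iff the approximation z[i] ^ x[i] ^ y[i] ^ x[i-1] = 0 holds for z = x + y mod 2^N.

    z[i] ^ x[i] ^ y[i] is exactly the carry into bit i, and carry = maj(x[i-1], y[i-1],
    lower carry); the approximation replaces that carry by x[i-1] alone."""
    z = (x + y) & MASK
    return bit(z, i) ^ bit(x, i) ^ bit(y, i) ^ bit(x, i - 1)


def correlation(samples, i):
    """Correlation 2*Pr[approximation holds] - 1 over a list of (x, y) samples."""
    if not samples:
        return 0.0
    hits = sum(1 for x, y in samples if carry_approx(x, y, i) == 0)
    return 2.0 * hits / len(samples) - 1.0


def partition_analysis(i):
    """Return (overall, equal-subset, differ-subset) correlations for bit i.

    The partition key x[i-1] ^ y[i-1] is computable from known inputs only.
    When the two bits are equal the carry equals x[i-1] exactly (correlation 1);
    when they differ the carry is the lower carry, independent of x[i-1] (correlation 0)."""
    pairs = list(product(range(1 << N), repeat=2))
    equal = [(x, y) for x, y in pairs if bit(x, i - 1) == bit(y, i - 1)]
    differ = [(x, y) for x, y in pairs if bit(x, i - 1) != bit(y, i - 1)]
    return correlation(pairs, i), correlation(equal, i), correlation(differ, i)


def samples_needed(c):
    """Rough number of samples to detect correlation c (proportional to 1/c^2)."""
    return float("inf") if c == 0 else 1.0 / (c * c)


if __name__ == "__main__":
    overall, eq, df = partition_analysis(4)
    print(f"overall {overall:+.2f}  equal-subset {eq:+.2f}  differ-subset {df:+.2f}")
    # Unpartitioned: ~1/(1/2)^2 = 4 units of data; partitioned: only the equal
    # subset (half of all data) is used, needing ~1 unit there, i.e. 2 units in total.
    print("data units:", samples_needed(overall), "vs", 2 * samples_needed(eq))
```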