Rotational Cryptanalysis of ARX Revisited

Rotational cryptanalysis is a probabilistic attack applicable to word-oriented designs that use (almost) rotation-invariant constants. It is believed that the success probability of rotational cryptanalysis against ciphers and functions based on modular additions, rotations and XORs can be computed simply by counting the number of additions. We show that this simple formula is incorrect because it relies on an invalid Markov cipher assumption when computing the probability. More precisely, we show that chained modular additions used in ARX ciphers do not form a Markov chain with regard to rotational analysis, so the rotational probability cannot be computed as a simple product of the rotational probabilities of the individual modular additions. We provide a precise value of the probability of such chains and give a new algorithm for computing the rotational probability of ARX ciphers. We use the algorithm to correct the rotational attacks on BLAKE2 and to provide valid rotational attacks against the simplified version of Skein.
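The abstract's central claim can be checked exhaustively on small words. The following is an added illustration, not code from the paper: it counts, for an n-bit word and rotation amount r, how often a single modular addition preserves a rotational pair, compares that with the closed-form per-addition probability (1 + 2^(r-n) + 2^(-r) + 2^(-n))/4 used by the "count the additions" method, and then counts how often both additions in the chain (x + y) + z are rotational. The word size n, rotation r and function names are choices made here; the chain probability comes out below the squared single-addition probability because the intermediate sum x + y is no longer uniformly distributed once the first addition is required to be rotational.

```python
from fractions import Fraction
from itertools import product


def rotl(v: int, r: int, n: int) -> int:
    """Rotate the n-bit word v left by r positions."""
    mask = (1 << n) - 1
    return ((v << r) | (v >> (n - r))) & mask


def add_is_rotational(x: int, y: int, r: int, n: int) -> bool:
    """True when (x + y) <<< r == (x <<< r) + (y <<< r) mod 2^n, i.e. the
    addition maps the rotational input pair to a rotational output pair."""
    mask = (1 << n) - 1
    return rotl((x + y) & mask, r, n) == (rotl(x, r, n) + rotl(y, r, n)) & mask


def daum_probability(n: int, r: int) -> Fraction:
    """Closed-form rotational probability of ONE n-bit modular addition."""
    return (1 + Fraction(1, 2 ** (n - r)) + Fraction(1, 2 ** r) + Fraction(1, 2 ** n)) / 4


def single_add_probability(n: int, r: int) -> Fraction:
    """Exhaustive fraction of (x, y) pairs for which one addition is rotational."""
    words = range(1 << n)
    hits = sum(add_is_rotational(x, y, r, n) for x, y in product(words, repeat=2))
    return Fraction(hits, 1 << (2 * n))


def chained_add_probability(n: int, r: int) -> Fraction:
    """Exhaustive probability that BOTH additions in (x + y) + z are rotational,
    i.e. the probability of the two-addition rotational trail."""
    mask = (1 << n) - 1
    words = range(1 << n)
    hits = 0
    for x, y, z in product(words, repeat=3):
        if add_is_rotational(x, y, r, n) and add_is_rotational((x + y) & mask, z, r, n):
            hits += 1
    return Fraction(hits, 1 << (3 * n))


def markov_estimate(n: int, r: int) -> Fraction:
    """What the (invalid) Markov assumption predicts for two chained additions."""
    return daum_probability(n, r) ** 2


if __name__ == "__main__":
    n, r = 6, 1  # small word size keeps the 2^(3n) exhaustive count fast
    p1, p2 = single_add_probability(n, r), chained_add_probability(n, r)
    print(f"one addition      : {float(p1):.4f} (formula {float(daum_probability(n, r)):.4f})")
    print(f"two chained (true): {float(p2):.4f}  vs Markov product {float(markov_estimate(n, r)):.4f}")
    print(f"P[2nd | 1st]      : {float(p2 / p1):.4f}  vs P[single] {float(p1):.4f}")
```

The last line printed is the non-Markov effect itself: conditioned on the first addition being rotational, the second one succeeds less often than an addition on uniform inputs.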
