An observation on NORX, BLAKE2, and ChaCha

Abstract. This note extends the first-order truncated differentials found by Das, Maitra, and Meier [1] on 2 rounds of the NORX 32 permutation. These lead to stronger 2.5-round differential biases for NORX and BLAKE2's permutation, and for 5 rounds of the ChaCha permutation. These biases lead to efficient "inside-out" distinguishers on 4 rounds of the NORX and BLAKE2 permutations, and 8 rounds of the ChaCha permutation. These distinguishers do not directly affect the security claims of NORX, BLAKE2, or ChaCha in their respective modes of operation.
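The biases above are measured empirically: fix a single-bit input difference, run random input pairs through a reduced-round permutation, and check how far an output-bit difference departs from uniform. The following Python is an added illustration of that measurement on the ChaCha permutation (quarter-round and column/diagonal round structure as in the ChaCha specification); it is not code from the note, and the input/output bit positions and sample count in `differential_bias` are constructed parameters, not the differentials the note reports.

```python
import random

MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def quarter_round(a, b, c, d):
    """One ChaCha quarter-round on four 32-bit words (add-rotate-xor)."""
    a = (a + b) & MASK; d = rotl(d ^ a, 16)
    c = (c + d) & MASK; b = rotl(b ^ c, 12)
    a = (a + b) & MASK; d = rotl(d ^ a, 8)
    c = (c + d) & MASK; b = rotl(b ^ c, 7)
    return a, b, c, d

# Word indices of the 4x4 ChaCha state touched by column and diagonal rounds.
COLUMNS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGONALS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def chacha_rounds(state, rounds):
    """Apply `rounds` single ChaCha rounds (column, diagonal, column, ...) to a 16-word state."""
    s = list(state)
    for r in range(rounds):
        for (i, j, k, l) in (COLUMNS if r % 2 == 0 else DIAGONALS):
            s[i], s[j], s[k], s[l] = quarter_round(s[i], s[j], s[k], s[l])
    return s

def differential_bias(rounds, in_word, in_bit, out_word, out_bit, samples=1 << 12, seed=1):
    """Estimate eps = 2*Pr[output-bit difference == 0] - 1 for a single-bit input
    difference pushed through `rounds` rounds over random states (seeded PRNG, so
    the estimate is reproducible). eps close to 0 means no observable bias;
    |eps| well above ~1/sqrt(samples) is a usable distinguisher."""
    rng = random.Random(seed)
    equal = 0
    for _ in range(samples):
        x = [rng.getrandbits(32) for _ in range(16)]
        x2 = list(x)
        x2[in_word] ^= 1 << in_bit              # constructed single-bit input difference
        y, y2 = chacha_rounds(x, rounds), chacha_rounds(x2, rounds)
        if ((y[out_word] ^ y2[out_word]) >> out_bit) & 1 == 0:
            equal += 1
    return 2 * equal / samples - 1

if __name__ == "__main__":
    # Constructed positions: bias of state bit (0, 0) after 4 rounds from a flip of bit (12, 0).
    print(differential_bias(4, 12, 0, 0, 0))
```

Because `differential_bias` uses a fixed seed, two runs with the same parameters give the same estimate; compare estimates against random-permutation expectations (|eps| on the order of 1/sqrt(samples)) before reading anything into them.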

[1] Tao Huang et al. Distinguishing Attack on NORX Permutation. IACR Trans. Symmetric Cryptol., 2018.

[2] Guido Bertoni et al. Sponge-Based Pseudo-Random Number Generators. CHES, 2010.

[3] Willi Meier et al. Higher Order Differential Analysis of NORX. IACR Cryptol. ePrint Arch., 2015.

[4] Yonglin Hao et al. The Boomerang Attacks on BLAKE and BLAKE2. Inscrypt, 2014.

[5] Bin Zhang et al. Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha. ICISC, 2012.

[6] Samuel Neves et al. NORX: Parallel and Scalable AEAD. ESORICS, 2014.

[7] Alex Biryukov et al. Analysis of the NORX Core Permutation. IACR Cryptol. ePrint Arch., 2017.

[8] David A. Wagner et al. The Boomerang Attack. FSE, 1999.

[9] Matthew J. B. Robshaw et al. The Block Cipher Companion. Information Security and Cryptography, 2011.

[10] Subhamoy Maitra et al. Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha. IACR Cryptol. ePrint Arch., 2017.

[11] Samuel Neves et al. BLAKE2: Simpler, Smaller, Fast as MD5. ACNS, 2013.

[12] Alex Biryukov et al. Slid Pairs in Salsa20 and Trivium. INDOCRYPT, 2008.

[13] Santanu Sarkar et al. Improved analysis for reduced round Salsa and Chacha. Discret. Appl. Math., 2017.

[14] Pierre Karpman. From Distinguishers to Key Recovery: Improved Related-Key Attacks on Even-Mansour. ISC, 2015.

[15] Bart Mennink et al. Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption. IACR Cryptol. ePrint Arch., 2016.

[16] Alex Biryukov et al. Boomerang Attacks on BLAKE-32. FSE, 2011.

[17] Jérémy Jean et al. Cryptanalysis of NORX v2.0. Journal of Cryptology, 2017.

[18] Guido Bertoni et al. Duplexing the sponge: single-pass authenticated encryption and other applications. IACR Cryptol. ePrint Arch., 2011.

[19] Yishay Mansour et al. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 1997.

[20] Vincent Rijmen et al. Known-Key Distinguishers for Some Block Ciphers. ASIACRYPT, 2007.

[21] Willi Meier et al. Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles. IACR Cryptol. ePrint Arch., 2015.

[22] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction. EUROCRYPT, 2008.

[23] Lei Hu et al. Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers. ASIACRYPT, 2014.

[24] Tao Huang et al. Cryptanalysis of Reduced NORX. FSE, 2016.

[25] Benoit Cogliati et al. Tweaking Even-Mansour Ciphers. CRYPTO, 2015.

[26] Subhamoy Maitra et al. Chosen IV cryptanalysis on reduced round ChaCha and Salsa. Discret. Appl. Math., 2016.

[27] Samuel Neves et al. Analysis of NORX: Investigating Differential and Rotational Properties. LATINCRYPT, 2014.

[28] Ji Li et al. Attacks on Round-Reduced BLAKE. IACR Cryptol. ePrint Arch., 2009.

[29] Paul Crowley. Truncated differential cryptanalysis of five rounds of Salsa20. IACR Cryptol. ePrint Arch., 2005.

[30] Willi Meier et al. Differential and Invertibility Properties of BLAKE. FSE, 2010.

[31] Tsukasa Ishiguro et al. Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha. ICICS, 2011.

[32] Daniel J. Bernstein et al. The Salsa20 Family of Stream Ciphers. The eSTREAM Finalists, 2008.

[33] Michael Hamburg. The STROBE protocol framework. IACR Cryptol. ePrint Arch., 2017.

[34] Bart Mennink et al. XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. CRYPTO, 2016.