On Chaskey

Work in progress... Gaëtan Leurent (Inria)


  1. On Chaskey: Work in progress... Gaëtan Leurent (Inria), ESC 2015. Outline: Chaskey, Cryptanalysis, Conclusion.

  2. Chaskey
     ▶ Fast lightweight MAC, without nonce
     ▶ CBC-MAC with an Even-Mansour cipher
     ▶ Birthday security
     ▶ 128-bit key
     ▶ 128-bit state
     ▶ Security claim: $2^{48}$ data, $2^{80}$ time.
     ▶ Sponge based, no permutation inverse
     [Figure: message blocks $m_0$, $m_1$, $m_2$; keys $K$, $K'$, $K'$; three applications of $\rho$; output $\upsilon$]

  3. Chaskey permutation
     Mini Siphash
     ▶ ARX
     ▶ 32-bit words
     ▶ 128-bit state
     ▶ 8 rounds
     [Figure: round function on the state words $v_0$, $v_1$, $v_2$, $v_3$, with rotation amounts 5, 8, 16, 7, 13, 16]

  4. Cryptanalysis of ARX schemes
     ▶ No iterative differential/linear trails
     ▶ Small difference in the middle and propagate
     ▶ Only short trails with high probability
     ▶ Can we combine two trails?
     [Plot: complexity against number of rounds]

  5. Cryptanalysis of Chaskey
     ▶ Use single-block messages
     ▶ Chaskey becomes an Even-Mansour cipher
     [Figure: $m_0$ XORed with $K \oplus K'$, then $\rho$, then XOR with $K'$, giving $\upsilon$]
     ▶ No decryption oracle
     ▶ Boomerang not possible
     ▶ Differential-Linear cryptanalysis does not require $\rho^{-1}$

  7. Differential-Linear Cryptanalysis
     ▶ Divide $E$ in two subciphers $E = E_2 \circ E_1$
     ▶ Let $y = E_1(x)$, $z = E_2(y)$
     ▶ Find a differential $\varepsilon \to \delta$ for $E_1$
     ▶ $\Pr[E_1(x \oplus \varepsilon) = E_1(x) \oplus \delta] = p$
     ▶ Find a linear approximation $\beta \to \gamma$ of $E_2$
     ▶ $\Pr[\beta \cdot y = \gamma \cdot E_2(y)] = \frac{1}{2}(1 + \zeta)$
     ▶ Query a pair $(x, x' = x \oplus \varepsilon)$:
       $y \oplus y' = \delta$, proba $p$ (1)
       $\beta \cdot (y \oplus y') = \beta \cdot \delta$, proba $\approx p + \frac{1}{2}(1 - p) = \frac{1}{2}(1 + p)$ (2)
       $\gamma \cdot z = \beta \cdot y$, proba $\frac{1}{2}(1 + \zeta)$ (3)
       $\gamma \cdot z' = \beta \cdot y'$, proba $\frac{1}{2}(1 + \zeta)$ (4)
       $\gamma \cdot (z \oplus z') = \beta \cdot \delta$, proba $\frac{1}{2}(1 + p\zeta^2)$ (5)
     ▶ Distinguisher with complexity $\approx p^{-2}\zeta^{-4}$
     [Figure: the pair $x$, $x'$ with difference $\varepsilon$ goes through $E_1$ to $y$, $y'$ with difference $\delta$ and mask $\beta$, then through $E_2$ to $z$, $z'$ with mask $\gamma$]

  8. Application to Chaskey
     ▶ Accurate analysis of differential-linear attack is hard [BLN, FSE'14]
     ▶ Proba for wrong pair is not $1/2$
     ▶ Many differential trails with same $\varepsilon$
     ▶ Many linear trails with same $\gamma$
     ▶ Evaluate middle rounds experimentally
     ▶ Shorter trails $\varepsilon \to \delta'$, $\beta' \to \gamma$
     ▶ Single bit difference $\delta'$
     ▶ Single bit mask $\beta'$
     ▶ Eval $\Pr[\beta' \cdot (E_2(x) \oplus E_2(x \oplus \delta')) = 1]$
     ▶ Biased output bit, with 1-bit input difference
     ▶ Select the best single bit $\delta'$, $\beta'$
     [Figure: the pair $w$, $w'$ with difference $\varepsilon$ goes through $E_1$ to $x$, $x'$ with difference $\delta'$, through $E_2$ to $y$, $y'$ with mask $\beta'$, and through $E_3$ to $z$, $z'$ with mask $\gamma$]

  9. A 6-round distinguisher
     ▶ $E_1$: 1 round, $p = 2^{-5}$
     ▶ $v_0[26], v_1[26], v_2[6, 23, 30], v_3[23, 30] \to v_2[22]$
     ▶ $E_2$: 4 rounds, $b \approx 2^{-6.05}$
     ▶ $v_2[22] \to v_2[16]$
     ▶ $E_3$: 1 round, $\zeta \approx 2^{-2.6}$
     ▶ $v_2[16] \to v_0[5], v_1[23, 31], v_2[0, 8, 15], v_3[5]$
     ▶ Differential-linear bias: $p \cdot b \cdot \zeta^2 \approx 2^{-16.25}$
     ▶ Distinguisher with complexity $c / (p^2 b^2 \zeta^4) \approx c \cdot 2^{32.5}$
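
One way to carry out the experimental evaluation of the middle rounds described on the "Application to Chaskey" slide, as an added example that is not code from the talk: it runs the Chaskey round function (written here from the public specification) on random states with a one-bit input difference and tabulates how often each output bit flips. The bit numbering (bit 0 = least significant), the sample counts and all function names are assumptions.

```python
import random

MASK = 0xFFFFFFFF

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def chaskey_round(v):
    """One round of the Chaskey permutation, per the public specification."""
    v0, v1, v2, v3 = v
    v0 = (v0 + v1) & MASK; v1 = rotl(v1, 5) ^ v0; v0 = rotl(v0, 16)
    v2 = (v2 + v3) & MASK; v3 = rotl(v3, 8) ^ v2
    v0 = (v0 + v3) & MASK; v3 = rotl(v3, 13) ^ v0
    v2 = (v2 + v1) & MASK; v1 = rotl(v1, 7) ^ v2; v2 = rotl(v2, 16)
    return [v0, v1, v2, v3]

def permute(v, rounds):
    for _ in range(rounds):
        v = chaskey_round(v)
    return v

def correlations(rounds, in_bit, samples, seed=1):
    """For a one-bit input difference in_bit = (word, bit), estimate for every
    output bit the imbalance 2*Pr[bit differs] - 1. Bit 0 = LSB (assumed)."""
    rng = random.Random(seed)          # fixed seed: repeatable measurement
    w, b = in_bit
    counts = [[0] * 32 for _ in range(4)]
    for _ in range(samples):
        x = [rng.getrandbits(32) for _ in range(4)]
        x2 = list(x)
        x2[w] ^= 1 << b                # apply the single-bit difference
        y, y2 = permute(x, rounds), permute(x2, rounds)
        for i in range(4):
            d = y[i] ^ y2[i]
            for j in range(32):
                counts[i][j] += (d >> j) & 1
    return {(i, j): 2 * counts[i][j] / samples - 1
            for i in range(4) for j in range(32)}

def best_masks(corr, top=3):
    """Single-bit output masks ranked by absolute imbalance."""
    return sorted(corr.items(), key=lambda kv: -abs(kv[1]))[:top]

if __name__ == "__main__":
    # Pair taken from the 6-round distinguisher slide: v2[22] -> v2[16], 4 rounds.
    c = correlations(4, (2, 22), 1 << 16)
    print("v2[22] -> v2[16]:", c[(2, 16)])
    print("largest |imbalance|:", best_masks(c))
```

Over a single round the lowest differing bit of a modular addition always flips, so some output bits come out with imbalance exactly +1 or -1; that gives a quick sanity check of the round function before measuring more rounds.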

  10. Improved attack
      1 We guess some key bits in order to increase the probability of the linear and differential trails.
      2 Partition the data, and keep subsets with higher bias
      3 Multiple differentials and structures
      ▶ Techniques inspired by:
      ▶ Improved linear cryptanalysis of addition [Biham & Carmeli, SAC '14]
      ▶ Salsa20 Probabilistic Neutral Bits [AFKMR, FSE '08]

  11. Improved linear: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ Goal: predict bit $x[k]$ for inputs $(a, b)$
      ▶ Classic linear: $x[k] \approx a[k] \oplus b[k] \oplus b[k-1]$
      ▶ $\Pr[x[k] = a[k] \oplus b[k] \oplus b[k-1]] = 3/4$
      ▶ Guessing key bits gives bits of $\tilde a$ and $\tilde b$

  12. Improved linear: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ If $(\tilde a_{k-1}, \tilde b_{k-1}) = (0, 0)$ there is no carry
      ▶ Therefore $x_k = \tilde a_k \oplus \tilde b_k$
      ▶ If $(\tilde a_{k-1}, \tilde b_{k-1}) = (1, 1)$ there is always a carry
      ▶ Therefore $x_k = \tilde a_k \oplus \tilde b_k \oplus 1$
      [Diagrams: the two additions $a + b = x$, one per case, with the carry into bit $k$ marked]
      ▶ We throw out one half of the data
      ▶ But the distinguisher requires 4 times less data

  13. Improved linear: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ If $(\tilde a_{k-1}, \tilde b_{k-1}) = (0, 0)$ there is no carry
      ▶ Therefore $x_k = \tilde a_k \oplus \tilde b_k$
      ▶ If $(\tilde a_{k-1}, \tilde b_{k-1}) = (1, 1)$ there is always a carry
      ▶ Therefore $x_k = \tilde a_k \oplus \tilde b_k \oplus 1$
      [Diagrams: the two additions $a + b = x$ with two known bits of $a$ and $b$ and the resulting carries]
      ▶ We throw out one fourth of the data
      ▶ But the distinguisher requires 4 times less data

  14. Improved linear: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ If $(\tilde a_{k-1}, \tilde b_{k-1}) = (0, 0)$ there is no carry
      ▶ Therefore $x_k = \tilde a_k \oplus \tilde b_k$
      Rows: $\tilde a_{k-1}\tilde a_{k-2}$; columns: $\tilde b_{k-1}\tilde b_{k-2}$
            00  01  10  11
        00   +   +   +   ?
        01   +   +   ?   −
        10   +   ?   −   −
        11   ?   −   −   −
      [Diagram: the addition $a + b = x$ with two known bits of $a$ and $b$]
      ▶ We throw out one fourth of the data
      ▶ But the distinguisher requires 4 times less data
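
The carry argument on the "Improved linear" slides can be checked exhaustively on a toy word size. The following added example (not code from the talk) enumerates all inputs of one modular addition, with `a` and `b` standing for the key-corrected values ã and b̃, and rebuilds the +/−/? partition for one and two conditioning bits. The 8-bit width, the choice k = 5, the reading of the signs given in the docstring and all function names are assumptions made for the demo.

```python
N, K = 8, 5   # toy word size and predicted bit (Chaskey words are 32-bit)

def bit(v, i):
    return (v >> i) & 1

def classic_agreement(n=N, k=K):
    """Pr[x[k] = a[k]^b[k]^b[k-1]] over all n-bit a, b with x = a + b mod 2^n.
    a, b stand for the key-corrected inputs (a ^ ka, b ^ kb)."""
    hits = sum(bit(a + b, k) == bit(a, k) ^ bit(b, k) ^ bit(b, k - 1)
               for a in range(1 << n) for b in range(1 << n))
    return hits / (1 << (2 * n))

def carry_table(depth, n=N, k=K):
    """Partition inputs by the `depth` bits just below k of a and of b.
    '+': carry into bit k is always 0, so x[k] = a[k]^b[k]
    '-': carry is always 1, so x[k] = a[k]^b[k]^1
    '?': carry still depends on lower bits (this subset is discarded)."""
    seen = {}
    low = (1 << depth) - 1
    for a in range(1 << n):
        for b in range(1 << n):
            key = ((a >> (k - depth)) & low, (b >> (k - depth)) & low)
            carry = bit(a + b, k) ^ bit(a, k) ^ bit(b, k)
            seen.setdefault(key, set()).add(carry)
    return {key: "?" if len(c) == 2 else "+-"[min(c)] for key, c in seen.items()}

def kept_fraction(depth):
    """Share of the data that survives the filter (all classes are equal-sized)."""
    table = carry_table(depth)
    return sum(s != "?" for s in table.values()) / len(table)

def data_gain():
    """Data scales as 1/imbalance^2: classic imbalance versus 1 once the carry is known."""
    return (1 / (2 * classic_agreement() - 1)) ** 2

def render(depth):
    """Rows: conditioning bits of a (bit k-1 first); columns: those of b."""
    t = carry_table(depth)
    return ["".join(t[(a, b)] for b in range(1 << depth)) for a in range(1 << depth)]

if __name__ == "__main__":
    print("classic agreement:", classic_agreement())
    for d in (1, 2):
        print(f"depth {d}: keep {kept_fraction(d)}", render(d))
    print("data gain:", data_gain())
```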

  15. Improved linear: Experimental approach
      ▶ We can also predict some input bits of the next additions
      ▶ But it gets messy...
      ▶ Identify candidate bits (by hand)
      ▶ Collect data:
      ▶ Filter according to candidate bits
      ▶ Measure bias
      ▶ Build vector of bias, and look for symmetries
      ▶ Symmetries allow reducing the number of filtering bits

  16. Improved differential: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, $x' = (a' \oplus k_a) \boxplus (b' \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ Goal: generate pairs $(a, b)$ with $x \oplus x' = 2^k$
      ▶ Classic differential: $a \oplus a' = 2^k$, $b = b'$
      ▶ $\Pr[x \oplus x' = 2^k] = 1/2$
      ▶ Guessing key bits gives bits of $\tilde a$ and $\tilde b$

  17. Improved differential: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, $x' = (a' \oplus k_a) \boxplus (b' \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ If $\tilde b_{k-1} = 0$, no carry
      ▶ If $\tilde b_{k-1} = 1$, carry
      [Diagrams: the two additions, one per case, with the difference positions marked]
      ▶ We throw out one half of the data
      ▶ But the distinguisher requires 4 times less data

  18. Improved differential: First non-linear operation
      $x = (a \oplus k_a) \boxplus (b \oplus k_b)$, $x' = (a' \oplus k_a) \boxplus (b' \oplus k_b)$, with $\tilde a = a \oplus k_a$, $\tilde b = b \oplus k_b$
      ▶ If $\tilde b_{k-1} = 0$, no carry
      ▶ If $\tilde b_{k-1} = 1$, carry
      ▶ Use multiple differentials: multiple bits input difference
      ▶ Encrypt structure of plaintexts, build pairs depending on key guess
      ▶ If different signs, no carry
      ▶ If same signs, carry
      [Diagrams: signed-difference patterns (symbols u, n, x, -) for the additions, one per case]
      ▶ We throw out one fourth of the data
      ▶ But the distinguisher requires 4 times less data

  19. Improved differential: Experimental approach
      ▶ We can also predict some input bits of the next additions
      ▶ But it gets messy...
      ▶ Identify candidate bits (by hand)
      ▶ Collect data:
      ▶ Filter according to candidate bits
      ▶ Measure probability
      ▶ Build vector of probabilities, and look for symmetries
      ▶ Symmetries allow reducing the number of filtering bits
      Remark: Need more key bit guesses to improve differential than to improve linear
