On Chaskey (work in progress). Gaëtan Leurent (Inria). PowerPoint presentation transcript.

SLIDE 1

Chaskey Cryptanalysis Conclusion

On Chaskey

Work in progress...

Gaëtan Leurent

Inria

ESC 2015

Gaëtan Leurent (Inria) On Chaskey ESC 2015 1 / 16

SLIDE 2

Chaskey

▶ Fast lightweight MAC, without nonce
▶ CBC-MAC with an Even-Mansour cipher
▶ Birthday security

▶ 128-bit key
▶ 128-bit state
▶ Security claim: 2^48 data, 2^80 time.

[figure: Chaskey mode of operation; K is xored into the state, the message blocks m0, m1, m2 are absorbed between applications of the permutation 𝜌, the last block uses K′ before and after 𝜌, and 𝜐 produces the tag]

▶ Sponge-based, no permutation inverse

SLIDE 3

Chaskey permutation

[figure: one round of the permutation on the four words v0, v1, v2, v3, with rotation amounts 5, 8, 16, 7, 13, 16]

Mini SipHash

▶ ARX
▶ 32-bit words
▶ 128-bit state
▶ 8 rounds

SLIDE 4

Cryptanalysis of ARX schemes

▶ No iterative differential/linear trails
▶ Small difference in the middle and propagate
▶ Only short trails with high probability

[figure: complexity as a function of the number of rounds]

▶ Can we combine two trails?

[figure: rounds covered by combining two trails]

SLIDE 5

Cryptanalysis of Chaskey

▶ Use singleblock messages

▶ Chaskey becomes an EvenMansour cipher

m0 K ⊕ K′ 𝜌 K′ 𝜐

▶ No decryption oracle

▶ Boomerang not possible ▶ DifferentialLinear cryptanalysis does not require 𝜌−1 Gaëtan Leurent (Inria) On Chaskey ESC 2015 5 / 16

SLIDE 7

Differential-Linear Cryptanalysis

▶ Divide E in two subciphers E = E2 ∘ E1

▶ Let y = E1(x), z = E2(y)

▶ Find a differential 𝜀 → 𝛿 for E1

▶ Pr[E1(x ⊕ 𝜀) = E1(x) ⊕ 𝛿] = p

▶ Find a linear approximation 𝛽 → 𝛾 of E2

▶ Pr[𝛽 • y = 𝛾 • E2(y)] = 1/2 (1 + 𝜁)

▶ Query a pair (x, x′ = x ⊕ 𝜀):

(1) y ⊕ y′ = 𝛿, with probability p
(2) 𝛽 • (y ⊕ y′) = 𝛽 • 𝛿, with probability ≈ p + 1/2 (1 − p) = 1/2 (1 + p)
(3) 𝛾 • z = 𝛽 • y, with probability 1/2 (1 + 𝜁)
(4) 𝛾 • z′ = 𝛽 • y′, with probability 1/2 (1 + 𝜁)
(5) 𝛾 • (z ⊕ z′) = 𝛽 • 𝛿, with probability 1/2 (1 + p 𝜁²)

▶ Distinguisher with complexity ≈ p^−2 𝜁^−4

[figure: x → E1 → y → E2 → z and x′ → E1 → y′ → E2 → z′, with difference 𝜀 at the input, 𝛿 in the middle, and masks 𝛽 and 𝛾 on the linear part]

SLIDE 8

Application to Chaskey

▶ Accurate analysis of differential-linear attack is hard [BLN, FSE’14]

▶ Proba for wrong pair is not 1/2
▶ Many differential trails with same 𝜀
▶ Many linear trails with same 𝛾

▶ Evaluate middle rounds experimentally

▶ Shorter trails 𝜀 → 𝛿′, 𝛽′ → 𝛾
▶ Single-bit difference 𝛿′
▶ Single-bit mask 𝛽′
▶ Eval Pr[𝛽′ • (E2(x) ⊕ E2(x ⊕ 𝛿′)) = 1]
▶ Biased output bit, with 1-bit input difference

▶ Select the best single bit 𝛿′, 𝛽′

[figure: w → E1 → x → E2 → y → E3 → z and the primed copy, with difference 𝜀 at the input, 𝛿′ after E1, mask 𝛽′ after E2 and mask 𝛾 at the output]

SLIDE 9

A 6-round distinguisher

▶ E1: 1 round, p = 2^−5

▶ v0[26], v1[26], v2[6, 23, 30], v3[23, 30] → v2[22]

▶ E2: 4 rounds, b ≈ 2^−6.05

▶ v2[22] → v2[16]

▶ E3: 1 round, 𝜁 ≈ 2^−2.6

▶ v2[16] → v0[5], v1[23, 31], v2[0, 8, 15], v3[5]

▶ Differential-linear bias: p ⋅ b ⋅ 𝜁² ≈ 2^−16.25
▶ Distinguisher with complexity c / (p² b² 𝜁⁴) ≈ c ⋅ 2^32.5

SLIDE 10

Improved attack

1. We guess some key bits in order to increase the probability of the linear and differential trails.

2. Partition the data, and keep subsets with higher bias

3. Multiple differentials and structures

▶ Techniques inspired by:
▶ Improved linear cryptanalysis of addition [Biham & Carmeli, SAC ’14]
▶ Salsa20 Probabilistic Neutral Bits [AFKMR, FSE ’08]

SLIDE 11

Improved linear

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ Goal: predict bit x[k] for inputs (a, b)
▶ Classic linear: x[k] ≈ a[k] ⊕ b[k] ⊕ b[k − 1]

▶ Pr[x[k] = a[k] ⊕ b[k] ⊕ b[k − 1]] = 3/4

▶ Guessing key bits gives bits of ã and b̃

SLIDE 12

Improved linear

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ If (ã[k − 1], b̃[k − 1]) = (0, 0) there is no carry

[diagram: column addition, ã = ? 0 ? ?, b̃ = ? 0 ? ?, x = ? ? ? ?]

▶ Therefore x[k] = ã[k] ⊕ b̃[k]

▶ If (ã[k − 1], b̃[k − 1]) = (1, 1) there is always a carry

[diagram: column addition, ã = ? 1 ? ?, b̃ = ? 1 ? ?, carry 1, x = ? ? ? ?]

▶ Therefore x[k] = ã[k] ⊕ b̃[k] ⊕ 1

▶ We throw out one half of the data
▶ But the distinguisher requires 4 times less data

SLIDE 13

Improved linear

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ If (ã[k − 1], b̃[k − 1]) = (0, 0) there is no carry

[diagram: column addition, ã = ? 0 0 ?, b̃ = ? 1 0 ?, x = ? ? ? ?]

▶ Therefore x[k] = ã[k] ⊕ b̃[k]

▶ If (ã[k − 1], b̃[k − 1]) = (1, 1) there is always a carry

[diagram: column addition, ã = ? 0 1 ?, b̃ = ? 1 1 ?, carries 1 1, x = ? ? ? ?]

▶ Therefore x[k] = ã[k] ⊕ b̃[k] ⊕ 1

▶ We throw out one fourth of the data
▶ But the distinguisher requires 4 times less data

SLIDE 14

Improved linear

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ If (ã[k − 1], b̃[k − 1]) = (0, 0) there is no carry

[diagram: column addition, ã = ? 0 0 ?, b̃ = ? 1 0 ?, x = ? ? ? ?]

▶ Therefore x[k] = ã[k] ⊕ b̃[k]

Carry into bit k from the guessed bits: rows (ã[k − 1], ã[k − 2]), columns (b̃[k − 1], b̃[k − 2]); + means x[k] = ã[k] ⊕ b̃[k], − means x[k] = ã[k] ⊕ b̃[k] ⊕ 1, ? means undetermined

               b̃ = 00   01   10   11
  ã = 00            +    +    +    ?
  ã = 01            +    +    ?    −
  ã = 10            +    ?    −    −
  ã = 11            ?    −    −    −

▶ We throw out one fourth of the data
▶ But the distinguisher requires 4 times less data

SLIDE 15

Improved linear

▶ We can also predict some input bits of the next additions
▶ But it gets messy...

Experimental approach

▶ Identify candidate bits (by hand)
▶ Collect data:
▶ Filter according to candidate bits
▶ Measure bias

▶ Build vector of biases, and look for symmetries

▶ Symmetries allow us to reduce the number of filtering bits
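Slides 11 to 14 argue that guessing the key bits just below bit k turns the 3/4 linear approximation into a certainty on part of the data. The following added example (my own code, not from the talk) checks that exhaustively on 8-bit words with constructed key bytes: it counts how often each prediction of x[k] is right, how much data each filter keeps, and regenerates the carry table of slide 14 from the same rule. The function names, the word size and the sample keys are assumptions of the example.

```python
from fractions import Fraction
from itertools import product

N = 8                      # word size for the exhaustive check (constructed;
MASK = (1 << N) - 1        # Chaskey uses 32 bits, the per-bit argument is the same)


def bit(x, i):
    """Bit i of x (bit 0 is the least significant)."""
    return (x >> i) & 1


def predict_x_k(a_t, b_t, k, guess_depth):
    """Predict bit k of x = a_t + b_t (mod 2^N) from the key-xored inputs
    a_t = a ^ ka, b_t = b ^ kb, i.e. after the relevant key bits are guessed.
    Returns None when the input is thrown away.
    guess_depth 0: classic approximation x[k] = a_t[k] ^ b_t[k] ^ b_t[k-1]
    guess_depth 1: (a_t[k-1], b_t[k-1]) equal fixes the carry into bit k,
                   anything else is discarded (slide 12)
    guess_depth 2: when they differ, the carry into bit k equals the carry
                   into bit k-1, which (a_t[k-2], b_t[k-2]) fixes the same
                   way (slides 13 and 14)"""
    ak, bk = bit(a_t, k), bit(b_t, k)
    if guess_depth == 0:
        return ak ^ bk ^ bit(b_t, k - 1)
    a1, b1 = bit(a_t, k - 1), bit(b_t, k - 1)
    if a1 == b1:
        return ak ^ bk ^ a1            # (0,0): no carry, (1,1): carry
    if guess_depth == 1:
        return None
    a2, b2 = bit(a_t, k - 2), bit(b_t, k - 2)
    if a2 == b2:
        return ak ^ bk ^ a2            # carry into k-1 is known and propagates
    return None


def linear_stats(ka, kb, k, guess_depth):
    """Exhaustively count over all (a, b) how often the prediction of x[k]
    is right. Returns (fraction of data kept, success probability on it)."""
    kept = right = 0
    for a, b in product(range(1 << N), repeat=2):
        a_t, b_t = a ^ ka, b ^ kb
        x = (a_t + b_t) & MASK
        pred = predict_x_k(a_t, b_t, k, guess_depth)
        if pred is None:
            continue
        kept += 1
        right += (pred == bit(x, k))
    total = 1 << (2 * N)
    return Fraction(kept, total), Fraction(right, kept)


def carry_table():
    """Carry into bit k as a function of (a_t[k-1], a_t[k-2]) (rows) and
    (b_t[k-1], b_t[k-2]) (columns): '+' means x[k] = a_t[k] ^ b_t[k],
    '-' means x[k] = a_t[k] ^ b_t[k] ^ 1, '?' means undetermined (slide 14)."""
    table = {}
    for a1, a2, b1, b2 in product((0, 1), repeat=4):
        if a1 == b1:
            sym = '-' if a1 else '+'
        elif a2 == b2:
            sym = '-' if a2 else '+'
        else:
            sym = '?'
        table[(a1, a2), (b1, b2)] = sym
    return table


def data_ratio(p_old, p_new):
    """A linear distinguisher needs data proportional to 1/zeta^2 with
    zeta = 2p - 1; returns how many times less data the new probability needs."""
    return ((2 * p_new - 1) / (2 * p_old - 1)) ** 2


if __name__ == "__main__":
    ka, kb, k = 0xA5, 0x3C, 5            # constructed key bytes and target bit
    for depth in (0, 1, 2):
        kept, prob = linear_stats(ka, kb, k, depth)
        print(f"guess depth {depth}: kept {kept} of the data, "
              f"Pr[prediction correct] = {prob}")
    print("data saved by knowing the carry:",
          data_ratio(Fraction(3, 4), Fraction(1)), "times")
    labels = [(0, 0), (0, 1), (1, 0), (1, 1)]
    t = carry_table()
    for row in labels:
        print(row, ' '.join(t[row, col] for col in labels))
```

Guess depth 1 keeps half of the inputs with a prediction that is always right, and depth 2 keeps three quarters, which is the "throw out one half / one fourth" of slides 12 and 13; since the correlation goes from 1/2 to 1, the distinguisher needs four times less data either way.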

SLIDE 16

Improved differential

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb), x′ = (a′ ⊕ ka) ⊞ (b′ ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ Goal: generate pairs (a, b) with x ⊕ x′ = 2^k
▶ Classic differential: a ⊕ a′ = 2^k, b = b′

▶ Pr[x ⊕ x′ = 2^k] = 1/2

▶ Guessing key bits gives bits of ã and b̃

SLIDE 17

Improved differential

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb), x′ = (a′ ⊕ ka) ⊞ (b′ ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ If b̃[k − 1] = 0, no carry

[diagram: column addition with the difference x in one column of a, a 0 below it in b, and a single x in the sum]

▶ If b̃[k − 1] = 1, carry

[diagram: column addition with the difference x in one column of a, a 1 below it in b, and ? x x in the sum: the difference propagates]

▶ We throw out one half of the data
▶ But the distinguisher requires 4 times less data

SLIDE 18

Improved differential

First non-linear operation: x = (a ⊕ ka) ⊞ (b ⊕ kb), x′ = (a′ ⊕ ka) ⊞ (b′ ⊕ kb); write ã = a ⊕ ka, b̃ = b ⊕ kb

▶ If b̃[k − 1] = 0, no carry
▶ If b̃[k − 1] = 1, carry

▶ Use multiple differentials: multiple bits input difference

▶ Encrypt structure of plaintexts, build pairs depending on key guess

▶ If different signs, no carry

[diagram: signed differences u n in a, a 1 below them in b, and a single difference x in the sum]

▶ If same signs, carry

[diagram: signed differences u u in a, a 1 below them in b, and ? x x in the sum: the difference propagates]

▶ We throw out one fourth of the data
▶ But the distinguisher requires 4 times less data

SLIDE 19

Improved differential

▶ We can also predict some input bits of the next additions
▶ But it gets messy...

Experimental approach

▶ Identify candidate bits (by hand)
▶ Collect data:
▶ Filter according to candidate bits
▶ Measure probability

▶ Build vector of probabilities, and look for symmetries

▶ Symmetries allow us to reduce the number of filtering bits

Remark: more key-bit guesses are needed to improve the differential than to improve the linear approximation
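The same partitioning idea applied to the differential of slides 16 to 19, as an added example (my own code, not from the talk): it splits all pairs by the guessed bits of ã and b̃ and measures Pr[x ⊕ x′ = 2^k] on each subset, exhaustively on 8-bit words with constructed key bytes, which is the "filter according to candidate bits, measure probability" loop of slide 19 in miniature. With only (ã[k − 1], b̃[k − 1]) guessed every subset stays at probability 1/2; adding b̃[k] yields subsets on which the differential holds with probability 1, illustrating the remark that the differential needs more guessed bits than the linear approximation. Which bits are guessed, the word size and the sample keys are choices of this example.

```python
from fractions import Fraction
from itertools import product

N = 8                      # word size for the exhaustive check (constructed;
MASK = (1 << N) - 1        # Chaskey uses 32-bit words)


def bit(x, i):
    """Bit i of x (bit 0 is the least significant)."""
    return (x >> i) & 1


def partition_probabilities(ka, kb, k, guess_bits):
    """For x = (a ^ ka) + (b ^ kb) and x' = ((a ^ 2^k) ^ ka) + (b ^ kb) mod 2^N,
    split all inputs (a, b) by the values of the guessed bits of
    a_t = a ^ ka and b_t = b ^ kb and measure Pr[x ^ x' = 2^k] on each subset.
    guess_bits is a list of ('a', i) / ('b', i) entries (bits of a_t / b_t).
    Returns {subset value: (fraction of the data, probability on that subset)}."""
    counts = {}
    for a, b in product(range(1 << N), repeat=2):
        a_t, b_t = a ^ ka, b ^ kb
        x = (a_t + b_t) & MASK
        x_prime = ((a_t ^ (1 << k)) + b_t) & MASK      # pair with a ^ a' = 2^k, b = b'
        key = tuple(bit(a_t if w == 'a' else b_t, i) for w, i in guess_bits)
        n, good = counts.get(key, (0, 0))
        counts[key] = (n + 1, good + (x ^ x_prime == 1 << k))
    total = 1 << (2 * N)
    return {key: (Fraction(n, total), Fraction(good, n))
            for key, (n, good) in counts.items()}


def overall_probability(ka, kb, k):
    """Probability of the classic one-bit differential without any filtering."""
    _, prob = partition_probabilities(ka, kb, k, [])[()]
    return prob


def usable_fraction(ka, kb, k, guess_bits):
    """Fraction of the data lying in subsets where the differential holds with
    probability 1, i.e. what is kept after filtering on the guessed bits."""
    parts = partition_probabilities(ka, kb, k, guess_bits)
    return sum((f for f, p in parts.values() if p == 1), Fraction(0))


if __name__ == "__main__":
    ka, kb, k = 0x5A, 0xC3, 6                    # constructed key bytes, target bit
    print("unfiltered:", overall_probability(ka, kb, k))
    two = [('a', k - 1), ('b', k - 1)]           # the bits that sufficed for the linear case
    three = [('b', k), ('a', k - 1), ('b', k - 1)]
    for name, bits in (("2 guessed bits", two), ("3 guessed bits", three)):
        parts = partition_probabilities(ka, kb, k, bits)
        print(name, {key: str(p) for key, (f, p) in sorted(parts.items())},
              "usable fraction:", usable_fraction(ka, kb, k, bits))
```

With three guessed bits two of the eight subsets reach probability 1 (one quarter of the data), two drop to 0, and the rest stay near 1/2: exactly 1/2 ± 2^−k on these short words, because the carry into a low bit is slightly more often 0 than 1, which is why the probabilities are measured rather than assumed.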

SLIDE 20

Improved 6-round attack

▶ To summarize: half a round at the top and at the bottom almost for free

▶ Improved 6-round attack

▶ Implemented
▶ Algorithmic tricks to reduce the time complexity (using counters)
▶ Data complexity: 2^25 (vs. 2^35)
▶ Time complexity: 2^29 (elementary operations)
▶ Recovers 13 key bits with high probability

▶ TODO: full key recovery

SLIDE 21

A 7-round attack?

▶ The attack can be extended to 7 rounds
▶ E1: 1.5 rounds

▶ p = 2^−17

▶ E2: 4 rounds

▶ Best bias: v0[31] → v2[20], b ≈ 2^−6.1

▶ E3: 1.5 rounds

▶ 𝜁 ≈ 2^−7.6

▶ Simple distinguisher: bias ≈ 2^−38.3
▶ Work in progress to identify good bits
▶ Expected data complexity ≈ 2^45 to 2^48

SLIDE 22

Conclusion

▶ DifferentialLinear attack quite efficient for ARX designs ▶ Security margin of Chaskey rather slim (7/8 rounds broken)

Comparison with SipHash

▶ Same round function with 64bit words ▶ Fewer rounds ▶ Inputs smaller blocks in the state

▶ Input differential can not affect the full state ▶ DL can analyze fewer rounds backward

▶ 4 output words are xored together

▶ Smaller bias with forward rounds Gaëtan Leurent (Inria) On Chaskey ESC 2015 16 / 16