
ARX-based Cryptography
Nicky Mouha, ESAT/COSIC, K.U.Leuven, Belgium; IBBT, Belgium
ECRYPT II Summer School, Albena, Friday, June 3, 2011


  1. ARX-based Cryptography. Nicky Mouha, ESAT/COSIC, K.U.Leuven, Belgium; IBBT, Belgium. ECRYPT II Summer School, Albena, Friday, June 3, 2011.

  2. Outline: (1) Introduction; (2) Addition and XOR; (3) Multiplication, Counting; (4) ARX; (5) Conclusion.

  3. ARX
     Section: Introduction (ARX; Differential Cryptanalysis; xdp+: Definition; xdp+: Motivating Example)
     - Addition ($\bmod 2^n$): $+$, $\boxplus$
     - Rotation: $\lll r$
     - XOR: $\oplus$
     - Term 'AXR': Ralf-Philipp Weinmann (Dagstuhl 2009)
     - Later: renamed to ARX
     - Concept of ARX is much older, e.g. FEAL (Eurocrypt 1987)

  4. Advantages of ARX
     - Fast performance on PCs
     - Compact implementation
     - Easy algorithm
     - No timing attacks
     - Functionally complete (assuming constant included)

  5. Disadvantages of ARX
     - Not best trade-off in hardware
     - Security against linear and differential cryptanalysis?
     - Security margin?
     - Side-channel attacks?

  6. ARX Designs
     - Block ciphers: FEAL, Threefish
     - Stream ciphers: Salsa20, ChaCha, HC-128
     - Hash functions:
       - SHA-3 Finalists: BLAKE, Skein
       - SHA-3 Second Round: Blue Midnight Wish, CubeHash
       - SHA-3 First Round: EDON-R

  7. Designs Similar to ARX
     - Including left shift, right shift:
       - Block ciphers: TEA, XTEA, XXTEA
       - SHA-3 candidate: EnRUPT
     - Including bitwise Boolean functions:
       - Hash functions: MD4, MD5, SHA-1
       - SHA-3 candidates: SIMD, Shabal

  8. This presentation
     - Introduce S-function concept
     - Can handle left/right shifts, bitwise Boolean functions, multiplication by constants
     - Focus on differential cryptanalysis
     - Analyze addition, XOR, and ARX components
     - Provide observations on larger components

  9. Differential Cryptanalysis
     Differential characteristic: describes desired propagation of differences through cryptographic primitive.
     [Figure: two executions of the primitive with intermediate values $p_1, a_1, b_1, c_1$ and $p_2, a_2, b_2, c_2$, and the differences $\Delta p, \Delta a, \Delta b, \Delta c$ between them]

  10. S-box vs ARX
      - S-box
        - Typical size up to 8 × 8 bit
        - Difference distribution table: up to $2^{16} = 65536$ elements
        - Easy to calculate: differential probability, number of output differences, output difference with highest probability, ...
      - ARX operations
        - Typically, $n = 32$ or $n = 64$
        - Difference distribution table: $2^{64}$ or $2^{128}$ elements, too large!
        - Fast algorithms ($O(n)$) required to calculate properties

  11. xdp+: The XOR Differential Probability of Addition
      [Figure: modular addition with inputs $x_1, x_2$ and $y_1, y_2$ and outputs $z_1, z_2$]
      $\Delta x$, $\Delta y$, $\Delta z$ are fixed xor differences such that
      $$x_2 = x_1 \oplus \Delta x, \quad y_2 = y_1 \oplus \Delta y, \quad z_2 = z_1 \oplus \Delta z.$$
      $\mathrm{xdp}^+$ expresses the fraction of pairs $(x_1, y_1)$ for which the following holds:
      $$((x_1 \oplus \Delta x) + (y_1 \oplus \Delta y)) \oplus (x_1 + y_1) = \Delta z.$$

  12. xdp+: Motivating Example
      From "On the Additive Differential Probability of Exclusive-Or", Lipmaa, Wallén, Dumas, FSE 2004:
      $$\mathrm{xdp}^+(11100, 00110 \to 10110) = L A_{101} A_{100} A_{111} A_{011} A_{000} C = \frac{1}{4}$$
      where
      $$A_{000} = \begin{bmatrix} 1 & 0 \\ 0 & 0 \end{bmatrix}, \quad A_{001} = A_{010} = A_{100} = \frac{1}{2} \begin{bmatrix} 0 & 1 \\ 0 & 1 \end{bmatrix},$$
      $$A_{011} = A_{101} = A_{110} = \frac{1}{2} \begin{bmatrix} 1 & 0 \\ 1 & 0 \end{bmatrix}, \quad A_{111} = \begin{bmatrix} 0 & 0 \\ 0 & 1 \end{bmatrix},$$
      $$L = \begin{bmatrix} 1 & 1 \end{bmatrix}, \quad C = \begin{bmatrix} 1 & 0 \end{bmatrix}^T.$$

  13. S-function
      Section: Addition and XOR (S-functions; xdp+; Linearization; adp⊕)
      An S-function accepts $n$-bit words $a_1, a_2, \ldots, a_k$ and an $n$-digit input state $S$, and produces an $n$-bit output word $b$:
      $$(b[i], S[i+1]) = f(a_1[i], a_2[i], \ldots, a_k[i], S[i]), \quad 0 \le i < n.$$
      [Figure: chain of $f$ blocks; block $i$ takes $a_1[i], \ldots, a_k[i]$ and $S[i]$ and produces $b[i]$ and $S[i+1]$, for $i = 0, \ldots, n-1$]

  14. xdp+: From Words to Bits: Constructing f
      Word level:
      $$x_2 \leftarrow x_1 \oplus \Delta x, \quad y_2 \leftarrow y_1 \oplus \Delta y, \quad z_1 \leftarrow x_1 + y_1, \quad z_2 \leftarrow x_2 + y_2, \quad \Delta z \leftarrow z_2 \oplus z_1$$
      $\Longrightarrow$ bit level:
      $$\begin{aligned}
      x_2[i] &\leftarrow x_1[i] \oplus \Delta x[i] \\
      y_2[i] &\leftarrow y_1[i] \oplus \Delta y[i] \\
      z_1[i] &\leftarrow x_1[i] \oplus y_1[i] \oplus c_1[i] \\
      c_1[i+1] &\leftarrow (x_1[i] + y_1[i] + c_1[i]) \gg 1 \\
      z_2[i] &\leftarrow x_2[i] \oplus y_2[i] \oplus c_2[i] \\
      c_2[i+1] &\leftarrow (x_2[i] + y_2[i] + c_2[i]) \gg 1 \\
      \Delta z[i] &\leftarrow z_2[i] \oplus z_1[i]
      \end{aligned}$$

  15. xdp+: From Words to Bits: S-function
      The S-function for $\mathrm{xdp}^+$ is:
      $$(\Delta z[i], S[i+1]) = f(x_1[i], y_1[i], \Delta x[i], \Delta y[i], S[i]), \quad 0 \le i < n,$$
      $$S[i] \leftarrow (c_1[i], c_2[i]), \quad S[i+1] \leftarrow (c_1[i+1], c_2[i+1]).$$

  16. xdp+: Subgraph
      $(\Delta x[i], \Delta y[i], \Delta z[i]) = (1,0,1)$
      $$\begin{aligned}
      x_2[i] &\leftarrow x_1[i] \oplus \Delta x[i] \\
      y_2[i] &\leftarrow y_1[i] \oplus \Delta y[i] \\
      z_1[i] &\leftarrow x_1[i] \oplus y_1[i] \oplus c_1[i] \\
      c_1[i+1] &\leftarrow (x_1[i] + y_1[i] + c_1[i]) \gg 1 \\
      z_2[i] &\leftarrow x_2[i] \oplus y_2[i] \oplus c_2[i] \\
      c_2[i+1] &\leftarrow (x_2[i] + y_2[i] + c_2[i]) \gg 1 \\
      \Delta z[i] &\leftarrow z_2[i] \oplus z_1[i]
      \end{aligned}$$
      [Figure: subgraph between two columns of state nodes (0,0), (0,1), (1,0), (1,1), with edges labelled by $(x_1[i], y_1[i])$]

  17. xdp+: All Subgraphs
      [Figure: four subgraph panels, titled (0,0,0); (0,0,1)=(0,1,0)=(1,0,0); (0,1,1)=(1,0,1)=(1,1,0); (1,1,1). Each panel connects two columns of state nodes (0,0), (0,1), (1,0), (1,1).]

  18. xdp+: From Graphs to Probability
      - Computing probability $\mathrm{xdp}^+$ is equivalent to counting number of paths that satisfy $\Delta x$, $\Delta y$, $\Delta z$.
      - Each valid pair $(x_1, y_1)$ corresponds to path in graph (shown in bold).
      [Figure: the per-bit subgraphs chained into one graph over columns of state nodes (0,0), (0,1), (1,0), (1,1)]

  19. xdp+: From Subgraph to Matrix
      $(\Delta x[i], \Delta y[i], \Delta z[i]) = (1,0,1)$
      [Figure: the subgraph for (1,0,1), with edges labelled by $(x_1[i], y_1[i])$]
      Columns are indexed by $S[i]$ and rows by $S[i+1]$, both in the order (0,0), (0,1), (1,0), (1,1):
      $$A_{101} = \frac{1}{4} \begin{bmatrix} 2 & 0 & 0 & 0 \\ 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 \\ 0 & 0 & 0 & 2 \end{bmatrix}$$

  20. xdp+: All Matrices
      There are four distinct matrices for $\mathrm{xdp}^+$: $A_{000}$, $A_{001} = A_{010} = A_{100}$, $A_{011} = A_{101} = A_{110}$, $A_{111}$.
      $$A_{000} = \frac{1}{4} \begin{bmatrix} 3 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 3 \end{bmatrix}, \quad A_{001} = \frac{1}{4} \begin{bmatrix} 0 & 1 & 1 & 0 \\ 0 & 2 & 0 & 0 \\ 0 & 0 & 2 & 0 \\ 0 & 1 & 1 & 0 \end{bmatrix},$$
      $$A_{011} = \frac{1}{4} \begin{bmatrix} 2 & 0 & 0 & 0 \\ 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 \\ 0 & 0 & 0 & 2 \end{bmatrix}, \quad A_{111} = \frac{1}{4} \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0 & 3 & 1 & 0 \\ 0 & 1 & 3 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix}.$$
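
The construction on slides 14 to 20, as an added example that is not part of the original slides: it derives each 4×4 matrix by enumerating the bit-level S-function, multiplies them from bit 0 upwards to get xdp+, and checks the result against exhaustive counting over all pairs $(x_1, y_1)$. The function names, the state index `2*c1 + c2`, the start vector for state (0,0) and the all-ones final vector for the 4-state form are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

def build_matrix(dx, dy, dz):
    """Matrix A_{dx dy dz}: A[row][col] with col = S[i], row = S[i+1].

    States (c1, c2) are indexed as 2*c1 + c2, i.e. (0,0),(0,1),(1,0),(1,1).
    Each of the four (x1[i], y1[i]) choices contributes weight 1/4.
    """
    A = [[Fraction(0)] * 4 for _ in range(4)]
    for c1, c2, x1, y1 in product((0, 1), repeat=4):
        x2, y2 = x1 ^ dx, y1 ^ dy              # second message of the pair
        z1, z2 = x1 ^ y1 ^ c1, x2 ^ y2 ^ c2    # sum bits of both additions
        if z1 ^ z2 != dz:                      # edge exists only if dz[i] matches
            continue
        n1 = (x1 + y1 + c1) >> 1               # c1[i+1]
        n2 = (x2 + y2 + c2) >> 1               # c2[i+1]
        A[2 * n1 + n2][2 * c1 + c2] += Fraction(1, 4)
    return A

def xdp_add(dx, dy, dz, n):
    """xdp+ of n-bit addition: n matrix-vector products, least significant bit first."""
    # Assumed start vector: both carries are 0 at bit 0, so state (0,0).
    v = [Fraction(1), Fraction(0), Fraction(0), Fraction(0)]
    for i in range(n):
        A = build_matrix((dx >> i) & 1, (dy >> i) & 1, (dz >> i) & 1)
        v = [sum(A[r][c] * v[c] for c in range(4)) for r in range(4)]
    return sum(v)  # final carries are irrelevant, so sum over all end states

def xdp_add_bruteforce(dx, dy, dz, n):
    """Reference value: count pairs (x1, y1) that satisfy the definition directly."""
    mask = (1 << n) - 1
    hits = sum(1 for x, y in product(range(1 << n), repeat=2)
               if (((x ^ dx) + (y ^ dy)) ^ (x + y)) & mask == dz)
    return Fraction(hits, 1 << (2 * n))

if __name__ == "__main__":
    # Differences from the motivating example on slide 12.
    print(xdp_add(0b11100, 0b00110, 0b10110, 5))
    print(xdp_add_bruteforce(0b11100, 0b00110, 0b10110, 5))
```

The matrix method costs $n$ small matrix-vector products, while the exhaustive check enumerates $2^{2n}$ pairs and is only usable for toy word sizes.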
