Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu - PowerPoint PPT Presentation

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National University of Defense Technology 1

Acknowledgement This talk is based on the joint works with: Tomer Ashur, Adrián Ranea & Glenn De Witte from KU Leuven Chao Li, Jinyu Lu, Bing Sun & Wenqian Xin from NUDT 2

Cryptanalysis with Invariance Some lightweight block ciphers are vulnerable to invariant attacks: light round function + simple key schedule • Invariant subspace [LAA+11] • Nonlinear invariants [TLS16] • Rotational invariance [LAA+11] Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E. (2011) A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack. CRYPTO 2011 [TLS16] Todo Y., Leander G., Sasaki Y. (2016) Nonlinear Invariant Attack. ASIACRYPT 2016. 3

Rotational Invariance For a function: 2 n outputs are also rotated, then f is rotational invariant. 4 f ( x 1 , x 2 , . . . , x m ) = ( y 1 , y 2 , . . . , y l ) : F m 2 n → F l Given a bitwise left rotation by γ bits S γ on the inputs, if the f ( S γ ( x 1 ) , S γ ( x 2 ) , . . . , S γ ( x m )) = ( S γ ( y 1 ) , S γ ( y 2 ) , . . . , S γ ( y l ))

Rotational Invariance in Bitwise AND Observation: with probability 1 5 S γ ( x ) ⊙ S γ ( y ) = S γ ( x ⊙ y ) • Bitwise AND is rotational invariant for any γ

Rotational Invariance in Modular Addition Observation: Rotational Cryptanalysis (v1), [KN10] A rotational distinguisher holds for an ARX structure with Rotational Cryptanalysis (v2), [KN15] Refined probability estimation for a chain of modular additions 6 with probability 2 − 1 . 415 S 1 ( x ) ⊞ S 1 ( y ) = S 1 ( x ⊞ y ) Pr = ( 2 − 1 . 415 ) # ⊞

Rotational Invariance in the Presence of Constants • Round keys: under related-key setting • Rotational-invariant constants: for free in most cases • Arbitrary constants? 7

Rotational-XOR Cryptanalysis

Idea in a Nutshell P P x y E k E k x y By XORing some difference to the outputs, the rotational invariance is regained. 8 x ′ = x ≪ r x ≪ r y ′ ⊕ δ = y ≪ r y ≪ r

Rotational-XOR difference Combine rotational relation with an XOR difference to obtain an RX-pair RX-difference [AL17] T. Ashur and Y. Liu. Rotational cryptanalysis in the presence of constants. ToSC 2017 [LDRA18] Y. Liu, G. D. Witte, A. Ranea, and T. Ashur. Rotational-XOR Cryptanalysis of Reduced-round SPECK. ToSC 2018 9 ( x , S γ ( x ) ⊕ δ ) The RX-difference of a pair ( x 1 , x 2 ) : ∆ γ ( x 1 , x 2 ) = x 2 ⊕ S γ ( x 1 ) Given an RX-difference δ , an RX-pair is ( x , S γ ( x ) ⊕ δ )

Properties of RX-difference RX-difference: a Rotation XOR 10 x ≪ η → x ≪ η − − − ≪ η S γ ( x ) ⊕ a → S γ ( x ≪ η ) ⊕ ( a ≪ η ) − − − ≪ η → ( a ≪ η ) − − − ⊕ x , y − − → x ⊕ y → ← − − − ← − x ⊕ a , ← − ⊕ x ⊕ y ⊕ ( a ⊕ b ) y ⊕ b − − ⊕ RX-difference: ( a , b ) − − → a ⊕ b

Rotational-XOR Cryptanalysis on ARX

Propagation of RX-difference in Modular Addition Modular addition where 11 S γ ( z ) ⊕ d z = ( S γ ( x ) ⊕ d x ) ⊞ ( S γ ( y ) ⊕ d y ) ⊞ RX-differences for γ = 1 : d x , d y − − → d z with a probability Pr [( d x , d y ) → d z ] = 1 ( I ⊕ SHL )( δ x ⊕ δ y ⊕ δ z ) ⊕ 1 ⪯ SHL (( δ x ⊕ δ z ) | ( δ y ⊕ δ z )) · 2 −| SHL (( δ x ⊕ δ z ) | ( δ y ⊕ δ z )) | · 2 − 3 + 1 ( I ⊕ SHL )( δ x ⊕ δ y ⊕ δ z ) ⪯ SHL (( δ x ⊕ δ z ) | ( δ y ⊕ δ z )) · 2 −| SHL (( δ x ⊕ δ z ) | ( δ y ⊕ δ z )) | · 2 − 1 . 415 , δ x = L ′ ( d x ) , δ y = L ′ ( d y ) , δ z = L ′ ( d z ) .

SPECK Block Ciphers R i k i y i x i • ARX cipher designed by the NSA in 2013 i k i l i 12 • Block size 2 n bits, n = 16 / 24 / 32 / 48 / 64 • Key size mn bits, m = 2 , 3 , 4 ≫ α l i + m − 2 · · · ≪ β y i + 1 x i + 1

RX-differences in SPECK R r Search for RX-characteristics in the key part and data part r 13 ∆ 1 a r ∆ 1 b r ≫ α ∆ 1 a r ≫ α ∆ 1 l r + 2 ∆ 1 l r + 1 ∆ 1 l r ∆ 1 k r ∆ 1 d r ∆ 1 k r ≪ β ∆ 1 b r ≪ β ∆ 1 a r + 1 ∆ 1 b r + 1

Search Strategy 1. Aim: Find a characteristic covering more rounds 2. Find a good key characteristic with weight w k 3. Fix the RX-characteristic in the key part and use it to find a good characteristic in the encryption part with weight w d 4. Binary search 14

RX-characteristics found in SPECK32/SPECK48 12 11 Version [FWG+16] 48/96 11 Ours 48/96 48/96 12 13 48/96 14 48/96 15 [Din14] Dinur, I. Improved Differential Cryptanalysis on Round-reduced SPECK. FSE 2014. [FWG+16] Fu K., Wang M., Guo Y., Sun S., and Hu L. MILP-Based Automatic Search Algorithms for Differential and Linear Trails for SPECK. FSE 2016. 48/96 2 96 32/64 10 Rounds Data Prob. Key Class Size Ref. 32/64 9 2 64 [Din14] 32/64 15 32/64 Ours 11 2 − 30 2 − 19 . 15 2 28 . 10 2 − 22 . 15 2 18 . 68 2 − 25 . 57 2 4 . 92 2 − 45 2 − 24 . 15 2 25 . 68 2 − 26 . 57 2 43 . 51 2 − 31 . 98 2 24 . 51 2 − 37 . 40 2 0 . 34 2 − 43 . 81 2 1 . 09

Application to the pseudorandom function SipHash SipHash Round • ARX-based Pseudorandom function 16 • Four 64-bit modular additions in each SipHash round • 256-bit permutation parted to 4 branches u v w v b ! ! z ! ! ! $ % ! u v w v a !" z !" !" !" ! !# !# !" v u v w c !" z !" !" !" ! !" u v w v d !" !" !" !" z ! " # !"

Application to the pseudorandom function SipHash SipHash-1-x with one message block 3. Initial constants get a collision 2. Requirements on the input and output RX-differences to messages 1. Related-key setting and RX-differences injected by the 17 k k m , a !"#$%&'()*+ V !"#$%&'()*+ !"#$%&'()*+ a b b V H !" # c c V V d d m k k xff

Application to the pseudorandom function SipHash Version [XLL19] W. Xin, Y. Liu, C. Li. Improved cryptanalysis on SipHash. CANS 2019. 2 RX Revised SipHash-1-x 1 RX Revised SipHash-1-x 2 RX SipHash-1-x Probability Blocks Type 18 2 − 280 2 − 93 . 6 2 − 160

Rotational-XOR Cryptanalysis on AND-RX

• It has a probability that is the same as the probability of Properties of RX-difference same function. • The resistance against RX-cryptanalysis relies on the design of the constants 19 Bitwise AND: S a ( x ) ⊙ S b ( x ) S a ( S γ ( x ) ⊕ α ) ⊙ S b ( S γ ( x ) ⊕ α ) = S γ ( S a ( x ) ⊙ S b ( x )) ⊕ β ⊙ RX-differences: α → β − − the XOR-difference propagation ( α → β ) through the

The block ciphers SIMON and SIMECK • SIMON: proposed together with SPECK • AND-RX-based structure with a linear key schedule • No design rationales Yang et al. in 2015 • SIMON-like cipher with a nonlinear key schedule • Different rotational amounts 20 • SIMECK: SIMON + SPECK by

The block ciphers SIMON and SIMECK One round of SIMON: One round of SIMECK: 21 x i y i S 8 k i +3 k i +2 k i +1 k i S 1 S − 3 c ⊕ ( z j ) i S 2 S − 1 x i +1 y i +1 x i y i S 5 t i +2 t i +1 t i k i S 5 S 1 S 1 c ⊕ ( z j ) i x i +1 y i +1

Find RX-characteristics in SIMECK Model for RX-difference propagations 1. Define RX-differences as bit-string variables in SMT 2. Describe the propagation rules in the round function and the key schedule by clauses 4. Ask for a satisfiability verification Advantage: The characteristics do not require a key characteristic found beforehand 22 3. Set an upper bound for the cost w d and w k

Applications to SIMON32/64 Best RX-characteristic found in round-reduced SIMON32/64 less rounds than the differential ones. However, the best found RX-characteristic in SIMON32 covers RX 11 RX 10 RKDC 10 32/64 Type Probability Rounds Version 23 with γ = 1 2 − 16 2 − 14 2 − 24

Applications to SIMECK 2 30 2 48 25 2 64 19 2 64 18 2 70 16 RX-characteristics found in SIMECK32 and SIMECK48 SIMECK48 19 2 40 15 SIMECK32 Weak keys Data prob. Round Cipher 24 2 − 16 2 − 30 2 − 20 2 − 26 2 − 30 2 − 46

Observations 1. It takes much longer to find RX-characteristics in SIMON than in SIMECK 2. SIMECK seems to be more vulnerable to RX-cryptanalysis than SIMON 3. We believe that the cause lies in the key schedule 4. In our case, a nonlinear key schedule is no better than a linear one 25

Comparisons 1 10 9 8 7 1. Change the rotational amount: not much influence 1 1 6 1 1 1 SIM1: round function of SIMON and key schedule of SIMECK observed 2. Change the key schedule: relatively high contrast 5 26 SIM2: round function of SIMECK and key schedule of SIMON SIM-1 SIMON32 SIM-2 Rounds 2 − 2 2 − 4 2 − 4 2 − 4 2 − 6 2 − 6 2 − 6 2 − 10 2 − 10 2 − 8 2 − 14 2 − 14

Conclusion

Wrap up 1. Rotational-XOR cryptanalysis generalises the rotational cryptanalysis to include the effect of constants 2. A new type of difference for tracking the rotational relation: RX-difference 3. RX-characteristics found • in ARX ciphers SPECK & SipHash • in AND-RX ciphers SIMON & SIMECK 4. Insights on the key schedules in terms of the resistance against RX-cryptanalysis Thank you for your attention! 27