Freestyle, a Randomized Version of Chacha for Resisting Offline Brute-Force and Dictionary Attacks P


MANUSCRIPT FOR IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

Freestyle, a randomized version of ChaCha for resisting offline brute-force and dictionary attacks

P. Arun Babu and Jithin Jose Thomas

arXiv:1802.03201v2 [cs.CR] 19 Feb 2018

P. Arun Babu ([email protected]) is with the Robert Bosch Center for Cyber-physical Systems, Indian Institute of Science, Bengaluru. Jithin Jose Thomas ([email protected]) was with the Department of Electrical Communication Engineering, Indian Institute of Science, Bengaluru.

Abstract—This paper introduces Freestyle, a randomized and variable-round version of the ChaCha cipher. Freestyle uses the concept of a hash based halting condition, where a decryption attempt with an incorrect key is likely to take a longer time to halt. This makes Freestyle resistant to key-guessing attacks, i.e. brute-force and dictionary based attacks. Freestyle demonstrates a novel approach for ciphertext randomization by using a random number of rounds for each block, where the exact number of rounds is unknown to the receiver in advance. Freestyle provides the possibility of generating 2^128 different ciphertexts for a given key, nonce, and message; thus resisting key and nonce reuse attacks. Due to its inherent random behavior, Freestyle makes cryptanalysis through known-plaintext, chosen-plaintext, and chosen-ciphertext attacks difficult in practice. On the other hand, Freestyle has a costlier cipher initialization process, typically generates 3.125% larger ciphertext, and was found to be 1.6 to 3.2 times slower than ChaCha20. Freestyle is suitable for applications that favor ciphertext randomization and resistance to key-guessing and key reuse attacks over performance and ciphertext size. Freestyle is ideal for applications where the ciphertext can be assumed to be in full control of an adversary, and an offline key-guessing attack can be carried out.

Index Terms—Brute-force resistant ciphers, dictionary based attacks, key-guessing, probabilistic encryption, Freestyle, ChaCha.

I. INTRODUCTION

A randomized (aka probabilistic) encryption scheme involves a cipher that uses randomness to generate different ciphertexts for a given key, nonce (a.k.a. initial vector), and message. The goal of randomization is to make cryptanalysis difficult and a time consuming process. This paper presents the design and analysis of Freestyle, a randomized and variable-round version of the ChaCha cipher [1]. ChaCha20 (i.e. ChaCha with 20 rounds) is one of the modern, popular (for TLS [2] and SSH [3], [4]), and faster symmetric stream ciphers on most machines [5], [6]. Even on lightweight ciphers, realistic brute-force attacks with key sizes ≥ 128 bits are not feasible with current computational power. However, algorithms and applications that have a lower key-space due to: (i) generation of keys from a poor (pseudo-)random number generator [7]–[12]; (ii) weak passwords being used to derive keys; and, (iii) poor protocol or cryptographic implementations [13]–[15] are prone to key-guessing attacks (brute-force and dictionary based attacks). Also, steady advances are being made in the areas of GPUs [16]–[18], specialized hardware for cryptography [19]–[24], and memories in terms of storage and in-memory processing [25]–[27] to speed up key-guessing attacks.

Techniques such as introducing a delay between incorrect key/password attempts, multi-factor authentication, and CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are being used to resist brute-force attacks over the network (i.e. on-line brute-force attack). However, such techniques cannot be used if the ciphertext is available with the adversary (i.e. offline brute-force attack); for example: encrypted data gathered from a wireless channel, or lost/stolen encrypted files/disks. To resist offline brute-force attacks, key-stretching and slower algorithms [28] are preferred. Although such techniques are useful, they are much slower on low-powered devices, and also slow down genuine users.

This paper makes three main contributions: (i) We demonstrate the use of a bounded hash based halting condition, which makes key-guessing attacks less effective by slowing down the adversary, while remaining relatively computationally simpler for genuine users. We introduce the key guessing penalty (KGP), which is a measure of a cipher's resistance to key-guessing attacks. The physical significance of KGP is that the adversary would require at least KGP times the computational power of a genuine user to launch an effective key-guessing attack; (ii) We demonstrate a novel approach for ciphertext randomization by using a random number of rounds for each block of message, where the exact number of rounds is unknown to the receiver in advance; (iii) We introduce the concept of a non-deterministic CTR mode of operation and demonstrate the possibility of using the random round numbers to generate 2^128 different ciphertexts - even though the key, nonce, and message are the same. The randomization makes the cipher resistant to key re-installation attacks such as KRACK [13] and to cryptanalysis by XOR of ciphertexts in the event of the key and nonce being reused.

Freestyle attempts to address the following two issues: (i) reuse of a key and nonce combination is not secure in deterministic stream ciphers, as demonstrated by attacks such as the Key Re-installation Attack (KRACK) [13]; and maintaining a list of used keys and nonces is an overhead, especially for constrained and low-powered devices. (ii) Existing ciphers take nearly the same amount of time to decrypt a message irrespective of whether the key used is correct or not. This makes lightweight ciphers prone to key-guessing attacks. The proposed decryption algorithm in Freestyle is designed to be computationally simpler for a user with a correct key; but, for an adversary with an incorrect key, the decryption algorithm is likely to take a longer time to halt. Thus, each brute-force or dictionary attack attempt is likely to be computationally expensive and time consuming.

The rest of the paper is structured as follows: Table I

TABLE I
LIST OF SYMBOLS

Notation: Description
  Rmin: The minimum number of rounds to be used for encryption. Rmin ∈ [1, 2^16]
  Rmax: The maximum number of rounds to be used for decryption. Rmax ∈ [1, 2^16] and Rmax ≥ Rmin.
  R: Number of rounds used to encrypt the current block of message. R = random(Rmin, Rmax)
  R_i: Number of rounds used to encrypt the i-th block of message. R_i = random(Rmin, Rmax) and i ≥ 0.
  r: The current round number. r ∈ [Rmin, R]
  h(): Freestyle hash function which generates a 16-bit hash.
  HI: Round intervals at which a 16-bit hash has to be computed. HI ∈ [1, Rmin], Rmin | HI, Rmax | HI.
  HC: The complexity of Freestyle's hash function to be used. HC ∈ {1, 2, 3}
  IC: The log2(iterations) (or number of pepper bits) to be used during initialization. IC ∈ [8, 32]
  pepper: The pepper value indicating the number of iterations required during initialization. pepper = random(0, 2^IC − 1).
  CR_i: The number of rounds computed using an expected hash and pepper for the i-th block of message.
  E_pepper: The expected value of pepper.
  ER_w: The expected number of rounds executed by an adversary during cipher initialization.
  ER: The expected number of rounds used by a genuine user to encrypt/decrypt a block of message. If a uniform distribution is used, then ER = (Rmin + Rmax) / 2.
  v (in red color): An input variable.
  v (in green color): A variable derived from one or more input variables.
  v (in blue color): An output variable.
  v^(r): The value of v after r rounds of Freestyle. If v^(0) is not explicitly defined, then v^(0) = 0.
  v[n]: n-th element of v.
  v1 || v2: Concatenation of v1 and v2.
  v1 | v2: v2 is a factor of v1.
  v1 ⊕ v2: Bit-wise XOR of v1 and v2.
  v1 ⊞ v2: Addition of v1 and v2 modulo 2^32.
  v1 ⊟ v2: Subtraction of v1 and v2 modulo 2^32.
  mod: The modulo operator.
  v*: Set of values guessed by an adversary for v.
  cf(v1, v2): A set containing the common factors of integers v1 and v2.
  |v|: The length of v in bits.
  Nb: The number of blocks in a message. Nb = |message| / 512
  Pr_n(X = 1): The probability of collision of a 16-bit hash at the n-th trial when using an incorrect key.

TABLE II
LIST OF ABBREVIATIONS

Abbreviation: Expansion
  ARX: Add-Rotate-XOR
  CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
  CCA: Chosen Ciphertext Attack
  CPA: Chosen Plaintext Attack
  CTR: Counter mode of operation
  DoS: Denial of service
  HKDF: Halting Key-Derivation Function
  KGP: Key Guessing Penalty
  KPA: Known Plaintext Attack
  KRACK: Key Re-installation Attack
  MAC: Message Authentication Code
  MITM: Man In The Middle Attack
  NONCE: Number used once
  QR: Quarter Round
  SSH: Secure Shell
  TLS: Transport Layer Security

[...] bit counter, and 64-bit nonce to form an initial cipher state denoted by S^(0), as:

  S^(0) = [ constant[0]  constant[1]  constant[2]  constant[3] ]
          [ key[0]       key[1]       key[2]       key[3]      ]
          [ key[4]       key[5]       key[6]       key[7]      ]
          [ counter[0]   counter[1]   nonce[0]     nonce[1]    ]

ChaCha20 uses 10 double-rounds (or 20 rounds) on S^(0), where each double-round consists of 8 quarter rounds (QR) defined as:

  QR(S[0], S[4], S[ 8], S[12])
  QR(S[1], S[5], S[ 9], S[13])
  QR(S[2], S[6], S[10], S[14])
  QR(S[3], S[7], S[11], S[15])                (1)

  QR(S[0], S[5], S[10], S[15])
  QR(S[1], S[6], S[11], S[12])
  QR(S[2], S[7], S[ 8], S[13])
  QR(S[3], S[4], S[ 9], S[14])                (2)

The 16 elements of the cipher-state matrix are denoted by using an index in the range [0, 15], and the quarter-round QR(a, b, c, d) is defined as:
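The following is an added worked example, not code from the paper or its authors. It builds the S^(0) layout shown above, applies the column rounds of Eq. (1) and the diagonal rounds of Eq. (2), and then uses that same round function to illustrate the two ideas from the abstract and introduction: a random number of rounds R ∈ [Rmin, Rmax] per block, and a 16-bit hash based halting condition that lets the receiver with the correct key stop at round R while a wrong key runs on to Rmax. Assumptions: the quarter-round body is Bernstein's ChaCha QR (the page cuts its definition off); `state_hash16` is a stand-in fold, not Freestyle's h(); HI = 4 is a chosen value; and `encrypt_block` / `decrypt_block` are a simplified sketch of the halting-condition concept, not Freestyle's actual initialization, pepper or hash algorithm, which this excerpt does not include.

```python
import secrets
import struct

MASK32 = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
HI = 4  # assumed hash interval: the 16-bit hash is checked every HI rounds (HI divides Rmin and Rmax)


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarter_round(s, a, b, c, d):
    """ChaCha QR(a, b, c, d) on state words, per Bernstein's definition (the page truncates it)."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha_round(s, r):
    """Round r: even r applies the column QRs of Eq. (1), odd r the diagonal QRs of Eq. (2)."""
    if r % 2 == 0:
        for i in range(4):
            quarter_round(s, i, i + 4, i + 8, i + 12)
    else:
        quarter_round(s, 0, 5, 10, 15)
        quarter_round(s, 1, 6, 11, 12)
        quarter_round(s, 2, 7, 8, 13)
        quarter_round(s, 3, 4, 9, 14)


def initial_state(key, counter, nonce):
    """Build S(0) in the page's layout: constants | key[0..7] | counter[0], counter[1], nonce[0], nonce[1]."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("expected a 256-bit key and a 64-bit nonce")
    words = list(CONSTANTS)
    words += struct.unpack("<8I", key)                      # key[0..7] as little-endian words
    words += [counter & MASK32, (counter >> 32) & MASK32]   # 64-bit block counter as two words
    words += struct.unpack("<2I", nonce)                    # nonce[0], nonce[1]
    return words


def run_rounds(s0, rounds):
    """Apply `rounds` rounds to a copy of S(0); return (internal state, keystream = state + S(0) mod 2^32)."""
    s = s0[:]
    for r in range(rounds):
        chacha_round(s, r)
    return s, [(x + y) & MASK32 for x, y in zip(s, s0)]


def chacha_block(key, counter, nonce, rounds=20):
    """Plain ChaCha keystream block as 16 words (ChaCha20 for rounds=20)."""
    return run_rounds(initial_state(key, counter, nonce), rounds)[1]


def state_hash16(s):
    """Stand-in 16-bit hash of the internal state. NOT Freestyle's h(); a simple fold for illustration only."""
    h = 0
    for w in s:
        h = (h * 0x9E3779B1 + w) & MASK32
    return (h ^ (h >> 16)) & 0xFFFF


def encrypt_block(key, counter, nonce, r_min, r_max, rounds=None):
    """Sender: pick R in [Rmin, Rmax] (a multiple of HI), run R rounds, and emit the 16-bit hash of the
    state at round R next to the keystream block. Returns (expected_hash, keystream, R)."""
    if rounds is None:
        rounds = secrets.choice(range(r_min, r_max + 1, HI))  # fresh randomness for every block
    s, keystream = run_rounds(initial_state(key, counter, nonce), rounds)
    return state_hash16(s), keystream, rounds


def decrypt_block(key, counter, nonce, expected_hash, r_min, r_max):
    """Receiver: keep applying rounds, compare the state hash every HI rounds from Rmin onwards, and halt
    on the first match. The correct key stops at R; a wrong key (almost) never matches, so the loop runs
    all the way to Rmax and returns None. Returns (keystream or None, rounds executed)."""
    s0 = initial_state(key, counter, nonce)
    s = s0[:]
    for r in range(1, r_max + 1):
        chacha_round(s, r - 1)
        if r >= r_min and r % HI == 0 and state_hash16(s) == expected_hash:
            return [(x + y) & MASK32 for x, y in zip(s, s0)], r
    return None, r_max
```

With words 12 to 15 set to 1, 0x09000000, 0x4a000000 and 0, `chacha_block` reproduces the RFC 7539 block-function test vector (that RFC splits those words as a 32-bit counter and 96-bit nonce, the page as a 64-bit counter and 64-bit nonce; the round function is the same). The overhead of one 16-bit hash per 512-bit block is 16/512 = 3.125%, the figure quoted in the abstract. A wrong key always pays Rmax rounds, while a genuine user with uniformly chosen R pays ER = (Rmin + Rmax) / 2 on average, which is the intuition behind the key guessing penalty; the 2^-16 chance that a wrong key's state hash collides with the expected hash at a given check is the Pr_n(X = 1) of Table I, and this sketch does nothing to handle such a collision beyond returning the wrong keystream.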
