Rotational Cryptanalysis in the Presence of Constants
Tomer Ashur, Yunwen Liu
ESAT/COSIC, KU Leuven, and imec, Belgium
FSE, March 2017

Table of Contents
• ARX & Rotational Cryptanalysis
• Rotational cryptanalysis with constants
• Experiment Verification
• Conclusion

ARX
• Symmetric-key designs
• Addition + Rotation + XOR
• Differential cryptanalysis and linear cryptanalysis
• Rotational cryptanalysis

Differences
• XOR difference: the pair $(x,\, x \oplus \delta)$ is encrypted under $E_k$ to $(y,\, y \oplus \Delta)$
• Modular difference: $(x,\, x \boxplus \delta) \xrightarrow{E_k} (y,\, y \boxplus \Delta)$
• Rotational difference: $(x,\, x \lll r) \xrightarrow{E_k} (y,\, y \lll r)$

Rotational Cryptanalysis
• Circular rotation: $(x \lll r) \lll s = x \lll (r + s)$
• XOR: $(x \lll r) \oplus (y \lll r) = (x \oplus y) \lll r$
• Modular addition: $(x \lll r) \boxplus (y \lll r) = (x \boxplus y) \lll r$ with probability $p$
• When $r = 1$, $p$ achieves the maximum: $p = 2^{-1.415}$
• Denote $x \lll 1$ by $\overline{x}$ for simplicity.

Rotational Cryptanalysis (v1), [KN10]
The probability that a rotational distinguisher holds for an ARX primitive is determined by the number of modular additions:
$\Pr = (2^{-1.415})^{\#\boxplus}$
[KN10]: D. Khovratovich, I. Nikolic: Rotational Cryptanalysis of ARX, FSE 2010

Rotational Cryptanalysis (v2), [KNP+15]
The probability that a rotational distinguisher holds for an ARX primitive depends on the chained modular additions:
$(x \lll r) \boxplus (y \lll r) = (x \boxplus y) \lll r$
$(x \lll r) \boxplus (y \lll r) \boxplus (z \lll r) = (x \boxplus y \boxplus z) \lll r$
[KNP+15]: D. Khovratovich, I. Nikolic, J. Pieprzyk, P. Sokolowski, R. Steinfeld: Rotational Cryptanalysis of ARX Revisited, FSE 2015

Rotational cryptanalysis with constants

ARX with constants
• Complete system: ARX-C
• Constants come with keys and round constants
• XOR with a rotational variable: $(x \lll r) \oplus (y \lll r) = (x \oplus y) \lll r$
• XOR with a constant: $(x \lll r) \oplus k$
• Previous analyses: experiment

Rotational cryptanalysis on ARX-C
Rotational pair without constants: $(x,\, x \lll r) \xrightarrow{E_k} (y,\, y \lll r)$
With constants: $(x,\, x' = x \lll r) \xrightarrow{E_k} (y,\, y')$ where $y' \oplus \delta = y \lll r$

Rotational-XOR difference
• Combine rotational difference with XOR difference: $(x,\, (x \lll \gamma) \oplus a)$
• $((a_1, a_2), \gamma)$-Rotational-XOR difference (RX-difference): $(x \oplus a_1,\, (x \lll \gamma) \oplus a_2)$
• Equivalent to $(\tilde{x},\, (\tilde{x} \lll \gamma) \oplus (a_1 \lll \gamma) \oplus a_2)$

Rotational-XOR difference through ARX
Rotation:
$x \xrightarrow{\lll \gamma} x \lll \gamma$
$\overline{x} \oplus a \xrightarrow{\lll \gamma} \overline{x \lll \gamma} \oplus (a \lll \gamma)$
$\Rightarrow ((0, a), 1) \xrightarrow{\lll \gamma} ((0, a \lll \gamma), 1)$
XOR:
$x,\, y \xrightarrow{\oplus} x \oplus y$
$\overline{x} \oplus a,\, \overline{y} \oplus b \xrightarrow{\oplus} \overline{x \oplus y} \oplus (a \oplus b)$
$\Rightarrow ((0, a), 1),\, ((0, b), 1) \xrightarrow{\oplus} ((0, a \oplus b), 1)$

Rotational-XOR difference through ARX: modular addition
$\overline{(x \oplus a_1) \boxplus (y \oplus b_1)} \oplus \Delta_1 = (\overline{x} \oplus a_2) \boxplus (\overline{y} \oplus b_2) \oplus \Delta_2$
Sketch of proof: write $x = L(x) \,\|\, R(x) = L'(x) \,\|\, R'(x)$, where $L(x)$ and $R'(x)$ are $\gamma$ bits each.
The addition of two variables $L(x) \,\|\, R(x)$ and $L(y) \,\|\, R(y)$ produces one bit of carry $C^1_{n-\gamma}$ from the low part into the high part:
$(L(x) \boxplus L(y) \boxplus C^1_{n-\gamma}) \,\|\, (R(x) \boxplus R(y))$

Proof continued
LHS: $\overline{(x \oplus a_1) \boxplus (y \oplus b_1)} \oplus \Delta_1$
$= \overline{\big((L(x) \oplus L(a_1)) \boxplus (L(y) \oplus L(b_1)) \boxplus C^1_{n-\gamma}\big) \oplus L(\Delta_1) \,\|\, \big((R(x) \oplus R(a_1)) \boxplus (R(y) \oplus R(b_1))\big) \oplus R(\Delta_1)}$
$= \big((R(x) \oplus R(a_1)) \boxplus (R(y) \oplus R(b_1))\big) \oplus R(\Delta_1) \,\|\, \big((L(x) \oplus L(a_1)) \boxplus (L(y) \oplus L(b_1)) \boxplus C^1_{n-\gamma}\big) \oplus L(\Delta_1).$
RHS: $(\overline{x} \oplus a_2) \boxplus (\overline{y} \oplus b_2) \oplus \Delta_2$
$= \big((R(x) \oplus L'(a_2)) \boxplus (R(y) \oplus L'(b_2)) \boxplus C^2_{\gamma}\big) \oplus L'(\Delta_2) \,\|\, \big((L(x) \oplus R'(a_2)) \boxplus (L(y) \oplus R'(b_2))\big) \oplus R'(\Delta_2).$
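An added Python example (not from the slides or the authors' code) that checks the rules above on small words: the exhaustive probability that modular addition commutes with rotation by 1, and the deterministic RX-difference propagation through rotation and XOR. It also applies the XOR rule to a constant, which as the pair (k, k) carries its own RX-difference k ⊕ (k ⋘ 1). The word size N, sample values and function names are assumptions.

```python
# Added example (not from the slides): checks of the rotational and RX rules on
# small words. Word size N and all sample values are assumptions, not slide data.
N = 8                          # word size in bits for the exhaustive check

def rotl(x: int, r: int, n: int = N) -> int:
    """Circular left rotation x <<< r on an n-bit word."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def add(x: int, y: int, n: int = N) -> int:
    """Modular addition x + y mod 2^n."""
    return (x + y) & ((1 << n) - 1)

def rotational_add_probability(n: int = N) -> float:
    """Exhaustively count pairs (x, y) with (x<<<1) + (y<<<1) == (x + y)<<<1.
    Rotation by 1 is the amount with the highest probability, about 2^-1.415."""
    hits = 0
    for x in range(1 << n):
        for y in range(1 << n):
            if add(rotl(x, 1, n), rotl(y, 1, n), n) == rotl(add(x, y, n), 1, n):
                hits += 1
    return hits / (1 << (2 * n))

def rx_diff(x: int, x2: int, n: int = N) -> int:
    """RX-difference a (rotation 1) of the pair (x, x2), i.e. x2 = (x<<<1) ^ a."""
    return x2 ^ rotl(x, 1, n)

def rx_through_rotation(x: int, a: int, gamma: int, n: int = N) -> int:
    """Rotate the pair (x, (x<<<1) ^ a) by gamma; the output RX-difference is
    a<<<gamma, deterministically."""
    x2 = rotl(x, 1, n) ^ a
    return rx_diff(rotl(x, gamma, n), rotl(x2, gamma, n), n)

def rx_through_xor(x: int, a: int, y: int, b: int, n: int = N) -> int:
    """XOR two pairs with RX-differences a and b; the output RX-difference is
    a ^ b, deterministically."""
    x2, y2 = rotl(x, 1, n) ^ a, rotl(y, 1, n) ^ b
    return rx_diff(x ^ y, x2 ^ y2, n)

def rx_through_constant(x: int, a: int, k: int, n: int = N) -> int:
    """XOR the constant k into both members of the pair. The constant is the
    pair (k, k) with RX-difference k ^ (k<<<1), so the output is a ^ k ^ (k<<<1):
    constants break the plain rotational relation unless rotation-invariant."""
    return rx_through_xor(x, a, k, rx_diff(k, k, n), n)

if __name__ == "__main__":
    print(f"Pr[(x<<<1) + (y<<<1) == (x+y)<<<1] on {N}-bit words: "
          f"{rotational_add_probability():.4f} (2^-1.415 = {2**-1.415:.4f})")
    print(f"RX-diff 0x03 after XOR with 0x2D: {rx_through_constant(0x5A, 0x03, 0x2D):#04x}")
```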