significantly improved multi- bit differentials for ...achoud/fse2017_talk.pdfsalsa accepted into...
TRANSCRIPT
Significantly Improved Multi-bit Differentials for Reduced
Round Salsa and ChaCha
Arka Rai Choudhuri
Johns Hopkins University
USA
Subhamoy Maitra
Indian Statistical Institute
India
FSE 2017, Tokyo
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa accepted into the eStream software portfolio (2007).
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa accepted into the eStream software portfolio (2007).
ChaCha designed to address some concerns about Salsa (2008).
Motivation
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Existing cryptanalysis treats ciphers as black-boxes.
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Existing cryptanalysis treats ciphers as black-boxes.
Brute force search for multiple components in cryptanalysis.
Structure
Structure
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Structure
Easy to implement.
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Structure
Easy to implement.
Fast on PCs.https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Structure
Easy to implement.
Fast on PCs.
No security guarantees.
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Non Randomness
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
Salsar
Salsar
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
Salsar
Salsar
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
Salsar
Salsar
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
Salsar
Salsar
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
Salsar
Salsar
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
Salsar
Salsar
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
Ξ
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
π
Ξ
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
π
Ξ
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
π
Ξ
significant key bits
non-significant key bits
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds R-r rounds
π
Ξ
significant key bits
non-significant key bits
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds R-r rounds
π
Ξ
significant key bits
non-significant key bits
Complexity of attack increases with increase in number of significant bits.
Salsa
4 rounds
Salsa
4 rounds 4 rounds
Salsa
4 rounds 4 rounds
3 rounds
ChaCha
Salsa
4 rounds 4 rounds
4 rounds3 rounds
ChaCha
Salsa update function
Salsa update function π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
Salsa update function π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
Salsa update function π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
abcd
Salsa update function π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
abcd
abc
d
Salsa update function π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
abcd
ab
cda
bc
d
Salsa update function π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
abcd
ab
cda
bc
d bcd
a
Differential-Linear Biases
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
r rounds
r rounds
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
r rounds
r rounds
rβ rounds
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
r rounds
r rounds
rβ rounds
β(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
π0π3π‘β²0
π0 π1 π2π1 π£β²0 π£β²1π‘β²1 π2 π₯11
π5 π6 π7 π3
π0π3π‘0
π0 π1 π2π1 π£0 π£1π‘1 π2 π₯11
π5 π6 π7 π3
β(π) =
???
? ? ?? ? ?? ? ?
? ? ? ?
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
π₯β²0π₯β²4π₯β²8
π₯β²1 π₯β²2 π₯β²3π₯β²5 π₯β²6 π₯β²7π₯β²9 π₯β²10 π₯β²11
π₯β²12 π₯β²13 π₯β²14 π₯β²15
π₯0π₯4π₯8
π₯1 π₯2 π₯3π₯5 π₯6 π₯7π₯9 π₯10 π₯11
π₯12 π₯13 π₯14 π₯15
r rounds
r rounds
rβ rounds
Given ππ and ππΏ , we can find the differential-linear bias for r+rβrounds.
Linear approximation with ππΏ = 1
Letβs look at the Salsa update function again
Linear approximation with ππΏ = 1
Letβs look at the Salsa update function again
Letβs look at the Salsa update function again
Get rid of the carry.
Move things around, from the linearity of XOR
Move things around, from the linearity of XOR
π
Move things around, from the linearity of XOR
π π
Move things around, from the linearity of XOR
π π
Lets us search over 8 possible bits instead of 5123
3 bit
combinations.
Similar idea for ChaCha, but involves more bits because of a more involved state update function.
Similar idea for ChaCha, but involves more bits because of a more involved state update function.
βUnlike Salsa20, our exhaustive search showed no bias in 4-round ChaCha, be it with one, two, or three target output bits.β
Reference π
Tsunoo et al. (2007) 2β5.24
Aumasson et al. (2008) 2β2.93
Maitra, Paul, Meier (2015) 2β2.35
Maitra (2016) 2β2.12
Reference π
Fischer et al. (2006) 2β10.34
Maitra, Paul, Meier (2015) 2β9.05
Salsa
4 rounds
5 rounds
Reference π
Tsunoo et al. (2007) 2β5.24
Aumasson et al. (2008) 2β2.93
Maitra, Paul, Meier (2015) 2β2.35
Maitra (2016) 2β2.12
This work β ππ
Reference π
Fischer et al. (2006) 2β10.34
Maitra, Paul, Meier (2015) 2β9.05
This work β πβπ.ππ
Salsa
4 rounds
5 rounds
Reference π
Tsunoo et al. (2007) 2β5.24
Aumasson et al. (2008) 2β2.93
Maitra, Paul, Meier (2015) 2β2.35
Maitra (2016) 2β2.12
This work β ππ
Reference π
Fischer et al. (2006) 2β10.34
Maitra, Paul, Meier (2015) 2β9.05
This work β πβπ.ππ
Salsa
Reference π
Aumasson et al. (2008) 2β5.26
Maitra (2016) 2β2.83
Reference π
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Reference π
Tsunoo et al. (2007) 2β5.24
Aumasson et al. (2008) 2β2.93
Maitra, Paul, Meier (2015) 2β2.35
Maitra (2016) 2β2.12
This work β ππ
Reference π
Fischer et al. (2006) 2β10.34
Maitra, Paul, Meier (2015) 2β9.05
This work β πβπ.ππ
Salsa
Reference π
Aumasson et al. (2008) 2β5.26
Maitra (2016) 2β2.83
This work ππ
Reference π
This work β πβπ.ππ
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Reference π
Tsunoo et al. (2007) 2β5.24
Aumasson et al. (2008) 2β2.93
Maitra, Paul, Meier (2015) 2β2.35
Maitra (2016) 2β2.12
This work β ππ
Reference π
Fischer et al. (2006) 2β10.34
Maitra, Paul, Meier (2015) 2β9.05
This work β πβπ.ππ
Salsa
Reference π
Aumasson et al. (2008) 2β5.26
Maitra (2016) 2β2.83
This work ππ
Reference π
This work β πβπ.ππ
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Distinguisher with complexity β 28
247 improvement
Reference π
Tsunoo et al. (2007) 2β5.24
Aumasson et al. (2008) 2β2.93
Maitra, Paul, Meier (2015) 2β2.35
Maitra (2016) 2β2.12
This work β ππ
Reference π
Fischer et al. (2006) 2β10.34
Maitra, Paul, Meier (2015) 2β9.05
This work β πβπ.ππ
Salsa
Reference π
Aumasson et al. (2008) 2β5.26
Maitra (2016) 2β2.83
This work ππ
Reference π
This work β πβπ.ππ
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Distinguisher with complexity β 28
247 improvement
Distinguisher with complexity β 26
Linear approximation with ππΏ < 1
Linear approximation with ππΏ < 1
Linear approximation with ππΏ < 1
Linear approximation with ππΏ < 1
Linear approximation with ππΏ < 1
Combination of 19 bits from the subsequent round
Reference π
This work β πβππ.ππ
Reference π
This work β πβππ.ππ
Salsa
6 rounds 7 rounds
Reference π
This work β πβππ.ππ
Reference π
This work β πβππ.ππ
Salsa
Reference π
This work β πβπ.π
Reference π
This work β πβππ.π
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Reference π
This work β πβππ.ππ
Reference π
This work β πβππ.ππ
Salsa
Reference π
This work β πβπ.π
Reference π
This work β πβππ.π
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity β 232
241 improvement
Reference π
This work β πβππ.ππ
Reference π
This work β πβππ.ππ
Salsa
Reference π
This work β πβπ.π
Reference π
This work β πβππ.π
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity β 232
241 improvement
Distinguisher with complexity β 216
Reference π
This work β πβππ.ππ
Reference π
This work β πβππ.ππ
Salsa
Reference π
This work β πβπ.π
Reference π
This work β πβππ.π
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity β 232
241 improvement
Distinguisher with complexity β 216 Distinguisher with complexity β 2116
220 improvement
Implications to the key recovery attack
Salsa
4 rounds 4 rounds
Salsa
4 rounds 4 rounds
6 rounds
Salsa
4 rounds 4 rounds
6 rounds
Salsa
4 rounds 4 rounds
6 rounds
But...
Salsa
4 rounds 4 rounds
6 rounds 2 rounds
Salsa
4 rounds 4 rounds
5 rounds 3 rounds
4 rounds3 rounds
ChaCha
4 rounds3 rounds
ChaCha
2.5 rounds4.5 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
Salsa
7 rounds
8 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
This work ππππ
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
This work ππππ.π
Salsa
7 rounds
8 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
This work ππππ
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
This work ππππ.π
Salsa
Reference Time
Aumasson et al. (2008) 2139
Shi et al. (2012) 2136
Reference Time
Aumasson et al. (2008) 2248
Shi et al. (2012) 2246.5
Maitra(2016) 2238.9
ChaCha
7 rounds
8 rounds
6 rounds
7 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
This work ππππ
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
This work ππππ.π
Salsa
Reference Time
Aumasson et al. (2008) 2139
Shi et al. (2012) 2136
This work ππππ.π
Reference Time
Aumasson et al. (2008) 2248
Shi et al. (2012) 2246.5
Maitra(2016) 2238.9
This work ππππ.π
ChaCha
7 rounds
8 rounds
6 rounds
7 rounds
Conclusion
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
Improve attacks on some reduced round versions, importantly moving some to practical realms.
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
Improve attacks on some reduced round versions, importantly moving some to practical realms.
A different method to partition the key space could potentially improve our attacks in both complexity and rounds.
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
Improve attacks on some reduced round versions, importantly moving some to practical realms.
A different method to partition the key space could potentially improve our attacks in both complexity and rounds.
(or is this inherent to this kind of cryptanalysis?)
Thank you. Questions?
References
[C05] Paul Crowley. βTruncated differential cryptanalysis of five rounds of Salsa20". In: IACR Cryptology ePrint Archive 2005 (2005), p. 375. url: http : / /eprint.iacr.org/2005/375.
[FMB+06] Simon Fischer, Willi Meier, Come Berbain, Jean-Francois Biasse, and Matthew J. B. Robshaw. βNon-randomness in eSTREAM Candidates Salsa20 and TSC-4". In: Progress in Cryptology - INDOCRYPT 2006, 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceedings.
[TSK+07] Yukiyasu Tsunoo, Teruo Saito, Hiroyasu Kubo, Tomoyasu Suzaki, and Hiroki Nakashima. βDifferential Cryptanalysis of Salsa20/8β. 2007. url: http://ecrypt.eu.org/stream/papersdir/2007/010.pdf.
[AFK+08] Jean-Philippe Aumasson, Simon Fischer, Shahram Khazaei, Willi Meier, and Christian Rechberger. βNew features of Latin dances: analysis of Salsa, ChaCha, and Rumba". In: Fast Software Encryption. Springer. 2008.
[SZF+12] Zhenqing Shi, Bin Zhang, Dengguo Feng, and Wenling Wu. βImproved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha". In: Information Security and Cryptology - ICISC 2012 - 15th International Conference, Seoul, Korea, November 28-30, 2012, Revised Selected Papers.
[MPM15] Subhamoy Maitra, Goutam Paul, and Willi Meier. βSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles". In: WCC 2015, the Ninth International Workshop on Coding and Cryptography, April 13-17, 2015, Paris, France.
[Mai16] Subhamoy Maitra. βChosen IV cryptanalysis on reduced round ChaCha and Salsa". In: Discrete Applied Mathematics 208 (2016).