Abstract
In this paper, we present a new technique that can be used to find better linear approximations in ARX ciphers. Using this technique, we present the first explicitly derived linear approximations for 3 and 4 rounds of ChaCha and, as a consequence, it enables us to improve the recent attacks against ChaCha. Additionally, we present new differentials for 3 and 3.5 rounds of ChaCha that, when combined with the proposed technique, lead to further improvement in the complexity of the Differential-Linear attacks against ChaCha.
References
Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New features of Latin dances: analysis of Salsa, ChaCha, and Rumba. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 470–488. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_30
Aumasson, J.P., Henzen, L., Meier, W., Phan, R.C.W.: SHA-3 proposal BLAKE. Submission to NIST 92 (2008)
Beierle, C., et al.: Schwaemm and Esch: lightweight authenticated encryption and hashing using the Sparkle permutation family (2019)
Beierle, C., Leander, G., Todo, Y.: Improved differential-linear attacks with applications to ARX ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_12
Bernstein, D.J.: The poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3
Bernstein, D.J.: ChaCha, a variant of Salsa20. In: Workshop Record of SASC, vol. 8, 3–5 (2008)
Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_8
Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2016). https://doi.org/10.1007/s00145-016-9237-5
Choudhuri, A.R., Maitra, S.: Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. IACR Trans. Symmetric Cryptol. 261–287 (2016)
Coutinho, M., Neto, T.S.: New multi-bit differentials to improve attacks against ChaCha. IACR Cryptology ePrint Archive 2020, 350 (2020)
Crowley, P.: Truncated differential cryptanalysis of five rounds of Salsa20. In: The State of the Art of Stream Ciphers SASC 2006, pp. 198–202 (2006)
Dey, S., Roy, T., Sarkar, S.: Revisiting design principles of Salsa and ChaCha. Adv. Math. Commun. 13(4), 689 (2019)
Dey, S., Sarkar, S.: Improved analysis for reduced round Salsa and Chacha. Discrete Appl. Math. 227, 58–69 (2017)
Ding, L.: Improved related-cipher attack on Salsa20 stream cipher. IEEE Access 7, 30197–30202 (2019)
Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 484–513. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_18
Fischer, S., Meier, W., Berbain, C., Biasse, J.-F., Robshaw, M.J.B.: Non-randomness in eSTREAM Candidates Salsa20 and TSC-4. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 2–16. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_2
Hernandez-Castro, J.C., Tapiador, J.M.E., Quisquater, J.-J.: On the Salsa20 core function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 462–469. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_29
IANIX: ChaCha usage & deployment (2020). https://ianix.com/pub/chacha-deployment.html. Accessed 13 Jan 2020
Ishiguro, T., Kiyomoto, S., Miyake, Y.: Latin dances revisited: new analytic results of Salsa20 and ChaCha. In: Qing, S., Susilo, W., Wang, G., Liu, D. (eds.) ICICS 2011. LNCS, vol. 7043, pp. 255–266. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25243-3_21
Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_3
Langley, A., Chang, W., Mavrogiannopoulos, N., Strombergson, J., Josefsson, S.: ChaCha20-Poly1305 cipher suites for transport layer security (TLS). RFC 7905 (2016)
Maitra, S., Paul, G., Meier, W.: Salsa20 cryptanalysis: new moves and revisiting old styles. In: The Ninth International Workshop on Coding and Cryptography (2015)
Maitra, S.: Chosen IV cryptanalysis on reduced round ChaCha and Salsa. Discrete Appl. Math. 208, 88–97 (2016)
Mouha, N., Preneel, B.: A proof that the ARX cipher Salsa20 is secure against differential cryptanalysis. IACR Cryptology ePrint Archive 2013, 328 (2013)
Muller, S.: Documentation and analysis of the Linux random number generator. Federal Office for Information Security (Germany) (2019). https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/LinuxRNG/LinuxRNG_EN.pdf;jsessionid=6B0F8D7795B80F5EADA3DB3DB3E4043B.1_cid360?__blob=publicationFile&v=19
Robshaw, M., Billet, O. (eds.): New Stream Cipher Designs. LNCS, vol. 4986. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3
Shi, Z., Zhang, B., Feng, D., Wu, W.: Improved key recovery attacks on reduced-round Salsa20 and ChaCha. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 337–351. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37682-5_24
Torvalds, L.: Linux kernel source tree (2016). https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=818e607b57c94ade9824dad63a96c2ea6b21baf3
Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T., Nakashima, H.: Differential cryptanalysis of Salsa20/8. In: Workshop Record of SASC, vol. 28 (2007)
Wallén, J.: Linear approximations of addition modulo 2n. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 261–273. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_20
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions which helped us to improve our work.
A Proofs
In this appendix, we expand the proof of Lemma 9 for each individual linear approximation.
A.1 Eq. (19)
Proof
Using Eqs. (9) and (10) we can write
Using the approximation of Eq. (17) we can write \(\varTheta _i(x^{(m-1)}_c, x^{\prime (m-1)}_{d}) = x^{\prime (m-1)}_{d,i-1}\) with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Thus, using Eq. (7) and canceling out common factors we get
with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \), which concludes the proof.\(\square \)
A.2 Eqs. (20) and (21)
Proof
Using Eqs. (9) and (12) we can write
Canceling out common factors, using the approximation of Eq. (17) and the Piling-up Lemma we can write
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). Now we can replace \(x^{\prime (m-1)}_{b,i-1}\) using Eq. (5) and \(x^{(m-1)}_{b,i-1}\) using Lemma 3, which leads to
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \) by the Piling-up Lemma. We can also use Lemma 1 in order to obtain
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \).\(\square \)
A.3 Eqs. (22) and (23)
Proof
Combining Eq. (10) and Eq. (12) we have
Using the approximation of Eq. (17) and the Piling-up Lemma we can write
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). Now we can replace \(x^{\prime (m-1)}_{d,i-1}\) using Eq. (7), \(x^{\prime (m-1)}_{b,i-1}\) using Eq. (5) and \(x^{(m-1)}_{b,i-1}\) using Lemma 3 if \(i>1\) or 1 if \(i=1\), which leads to
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{4}}\right) \) by the Piling-up Lemma or
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)
A.4 Eq. (24)
Proof
Using Eq. (11) and Eq. (12) we can write
Using Eq. (17) we get
and from Eq. (9)
with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Thus, using the approximation of Eq. (18) and the Piling-up Lemma we can write
with probability \( \frac{1}{2}\left( 1+\frac{1}{2^2}\right) \).\(\square \)
A.5 Eq. (25)
Proof
Using Eq. (12) and Eq. (10) and canceling out common factors we get
Using the approximation of Eq. (18) and the Piling-up Lemma we obtain
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Using Eq. (17) and Eq. (7) we get
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^4}\right) \).\(\square \)
A.6 Eq. (26)
Proof
Using Eq. (9) and Eq. (12) and canceling out common factors we can write
Using the approximation of Eq. (18) and the Piling-up Lemma we can write
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). Using the approximation of Eq. (17) we get
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)
A.7 Eq. (27)
Proof
Using Eq. (11) and Eq. (12), and canceling out common factors we have
Using the approximation of Eq. (17) we have \(\varTheta _i(x^{(m-1)}_{a}, x^{(m-1)}_{b}) = x^{(m-1)}_{b,i-1}\) occurring with probability \(\frac{1}{2}\left( 1+\frac{1}{2^2}\right) \). Then
with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Finally, using the approximation of Eq. (17) and the Piling-up Lemma we get
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). \(\square \)
A.8 Eq. (28)
Proof
Using Eq. (9) and Eq. (10), we can write
Canceling out common factors we get
Thus, using the approximation of Eq. (18) we get
with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). \(\square \)
A.9 Eq. (29)
Proof
Using the approximation of Eq. (18) and the Piling-up Lemma we can write
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \). Therefore, Eqs. (17) and (7) give us
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)
A.10 Eq. (30)
Proof
Using Eqs. (10), (11) and (12), we can write
Using the approximation of Eq. (18) we have
with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \). Finally, by the Piling-up Lemma and using the approximation of Eq. (17) and Eq. (7), we get
with probability \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \). \(\square \)
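Every proof in this appendix follows the same pattern: the carry function \(\varTheta _i\) of a modular addition is replaced by a single input bit of the previous position with probability \(\frac{1}{2}\left( 1+\frac{1}{2}\right) \) (the approximation of Eq. (17)), and several such replacements are combined with the Piling-up Lemma, which multiplies the correlations. The following Python script is an added illustration of that reasoning and is not code from the paper. It assumes that \(\varTheta _i(x, y)\) denotes the carry into bit \(i\) of \(x + y \bmod 2^n\) and that Eq. (17) is the approximation \(\varTheta _i(x, y) = y_{i-1}\); the word size of 4 bits and the exhaustive enumeration are constructed choices so that the probabilities come out exactly rather than as sampled estimates.

```python
from fractions import Fraction
from itertools import product

# Constructed choice: a tiny word size so exhaustive enumeration over all
# input pairs (and quadruples) stays cheap. The probabilities do not depend on it.
WORD_BITS = 4
MASK = (1 << WORD_BITS) - 1


def bit(x, i):
    """Bit i of the word x (bit 0 is the least significant)."""
    return (x >> i) & 1


def theta(x, y, i):
    """Carry into bit i of x + y mod 2^n (assumed meaning of Theta_i in the paper).

    Since z_i = x_i XOR y_i XOR c_i for z = x + y, the carry is recovered as
    c_i = z_i XOR x_i XOR y_i.
    """
    z = (x + y) & MASK
    return bit(z, i) ^ bit(x, i) ^ bit(y, i)


def piling_up(correlations):
    """Piling-up Lemma: the XOR of independent approximations with
    probabilities 1/2(1 + e_k) holds with probability 1/2(1 + prod e_k)."""
    c = Fraction(1)
    for e in correlations:
        c *= Fraction(e)
    return Fraction(1, 2) * (1 + c)


def carry_approx_probability(i):
    """Exact probability that Theta_i(x, y) = y_{i-1} over all word pairs
    (the single-step approximation of Eq. (17), assumed form)."""
    hits = total = 0
    for x in range(1 << WORD_BITS):
        for y in range(1 << WORD_BITS):
            total += 1
            if theta(x, y, i) == bit(y, i - 1):
                hits += 1
    return Fraction(hits, total)


def two_carry_xor_probability(i, j):
    """Exact probability that Theta_i(x, y) XOR Theta_j(u, v) = y_{i-1} XOR v_{j-1}
    for independent words, i.e. two applications of Eq. (17) combined as the
    proofs do with the Piling-up Lemma."""
    hits = total = 0
    for x, y, u, v in product(range(1 << WORD_BITS), repeat=4):
        total += 1
        lhs = theta(x, y, i) ^ theta(u, v, j)
        rhs = bit(y, i - 1) ^ bit(v, j - 1)
        if lhs == rhs:
            hits += 1
    return Fraction(hits, total)


if __name__ == "__main__":
    one = carry_approx_probability(2)
    two = two_carry_xor_probability(1, 3)
    print("single carry approximation:", one)          # 3/4 = 1/2(1 + 1/2)
    print("two carries combined     :", two)           # 5/8 = 1/2(1 + 1/2^2)
    print("piling-up prediction     :", piling_up([Fraction(1, 2)] * 2))
    print("three approximations     :", piling_up([Fraction(1, 2)] * 3))  # 9/16 = 1/2(1 + 1/2^3)
```

The exhaustive count confirms that the single-carry approximation holds with probability exactly 3/4 at every bit position \(i \ge 1\), and that XOR-ing two independent instances drops the probability to 5/8, which is what the proofs write as \(\frac{1}{2}\left( 1+\frac{1}{2^{2}}\right) \); the steps that reach \(\frac{1}{2}\left( 1+\frac{1}{2^{3}}\right) \) and \(\frac{1}{2}\left( 1+\frac{1}{2^{4}}\right) \) are the same product with three and four correlations of 1/2. The independence assumption of the Piling-up Lemma is what the exhaustive check over four separate words models; when the same word feeds two approximations, as happens in the proofs, the product is only an estimate, which is why the paper verifies the resulting biases separately.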
© 2021 International Association for Cryptologic Research
Cite this paper
Coutinho, M., Souza Neto, T.C. (2021). Improved Linear Approximations to ARX Ciphers and Attacks Against ChaCha. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12696. Springer, Cham. https://doi.org/10.1007/978-3-030-77870-5_25
DOI: https://doi.org/10.1007/978-3-030-77870-5_25
Print ISBN: 978-3-030-77869-9
Online ISBN: 978-3-030-77870-5