Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck

Biryukov, Alex; Velichkov, Vesselin; Corre, Y.

doi:10.1007/978-3-662-52993-5_15

Cited by 43 publications

(29 citation statements)

References 27 publications

(44 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have implemented the search algorithm proposed in [10] in order to find the probabilities of the best differential trails in LAX-16 and LAX-32. In Table 8, we compare the results to the theoretical bounds computed using Theorem 2.…”

Section: Resultsmentioning

confidence: 99%

“…Possible constructions for arx-boxes can be found in a recent paper by Biryukov et al [10]. A first one is based on the MIX function of Skein [3] and is called Marx-2.…”

Section: Arx-boxesmentioning

confidence: 99%

“…More specifically, the matrices L for LAX-16, LAX-32 and LAX-64 are derived from the following codes respectively: [16,8,5], [32, 16,8] and [64,32,10]. Note that the matrix of LAX-32 is the same as the one used in block cipher ARIA [29].…”

Section: The Lax Constructionmentioning

confidence: 99%

“…In [10] Biryukov et al have proposed several ARX constructions for which it is feasible to compute the exact maximum differential and linear probabilities over any number of rounds. However, these constructions are limited to 32-bit blocks.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Design Strategies for ARX with Provable Bounds: Sparx and LAX

Dinu

Perrin

Udovenko

et al. 2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We present, for the first time, a general strategy for designing ARX symmetric-key primitives with provable resistance against singletrail differential and linear cryptanalysis. The latter has been a long standing open problem in the area of ARX design. The wide trail design strategy (WTS), that is at the basis of many S-box based ciphers, including the AES, is not suitable for ARX designs due to the lack of S-boxes in the latter. In this paper we address the mentioned limitation by proposing the long trail design strategy (LTS) -a dual of the WTS that is applicable (but not limited) to ARX constructions. In contrast to the WTS, that prescribes the use of small and efficient S-boxes at the expense of heavy linear layers with strong mixing properties, the LTS advocates the use of large (ARX-based) S-Boxes together with sparse linear layers. With the help of the so-called Long Trail argument, a designer can bound the maximum differential and linear probabilities for any number of rounds of a cipher built according to the LTS. To illustrate the effectiveness of the new strategy, we propose Sparx -a family of ARX-based block ciphers designed according to the LTS. Sparx has 32-bit ARX-based S-boxes and has provable bounds against differential and linear cryptanalysis. In addition, Sparx is very efficient on a number of embedded platforms. Its optimized software implementation ranks in the top 6 of the most software-efficient ciphers along with Simon, Speck, Chaskey, LEA and RECTANGLE. As a second contribution we propose another strategy for designing ARX ciphers with provable properties, that is completely independent of the LTS. It is motivated by a challenge proposed earlier by Wallén and uses the differential properties of modular addition to minimize the maximum differential probability across multiple rounds of a cipher. A new primitive, called LAX, is designed following those principles. LAX partly solves the Wallén challenge.

show abstract

Section: Resultsmentioning

confidence: 99%

“…Possible constructions for arx-boxes can be found in a recent paper by Biryukov et al [10]. A first one is based on the MIX function of Skein [3] and is called Marx-2.…”

Section: Arx-boxesmentioning

confidence: 99%

Section: The Lax Constructionmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Design Strategies for ARX with Provable Bounds: Sparx and LAX

Dinu

Perrin

Udovenko

et al. 2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…According to the position of the starting round of the search algorithm, there are currently 3 types of automatic search technologies for linear/differential cryptanalysis on ARX primitives. ey are bottom-up techniques [15], topdown techniques [19][20][21], and the method of extending from the middle to the ends [22]. In these methods, the linear correlations are directly calculated based on the inputoutput masks or by looking up the precomputed partial linear approximation table (pLAT) [23].…”

Section: Introductionmentioning

confidence: 99%

Automatic Search for the Linear (Hull) Characteristics of ARX Ciphers: Applied to SPECK, SPARX, Chaskey, and CHAM-64

Huang

Wang

2020

Security and Communication Networks

View full text Add to dashboard Cite

Linear cryptanalysis is an important evaluation method for cryptographic primitives against key recovery attack. In this paper, we revisit the Walsh transformation for linear correlation calculation of modular addition, and an efficient algorithm is proposed to construct the input-output mask space of specified correlation weight. By filtering out the impossible large correlation weights in the first round, the search space of the first round can be substantially reduced. We introduce a concept of combinational linear approximation table (cLAT) for modular addition with two inputs. When one input mask is fixed, another input mask and the output mask can be obtained by the Splitting-Lookup-Recombination approach. We first split the n-bit fixed input mask into several subvectors and then find the corresponding bits of other masks, and in the recombination phase, pruning conditions can be used. By this approach, a large number of search branches in the middle rounds can be pruned. With the combination of the optimization strategies and the branch-and-bound search algorithm, we can improve the search efficiency for linear characteristics on ARX ciphers. The linear hulls for SPECK32/48/64 with a higher average linear potential (ALP) than existing results have been obtained. For SPARX variants, an 11-round linear trail and a 10-round linear hull have been found for SPARX-64 and a 10-round linear trail and a 9-round linear hull are obtained for SPARX-128. For Chaskey, a 5-round linear trail with a correlation of 2−61 has been obtained. For CHAM-64, 34/35-round optimal linear characteristics with a correlation of 2−31/2−33 are found.

show abstract