Rotational Cryptanalysis of ARX

Khovratovich, Dmitry; Nikolić, Ivica

doi:10.1007/978-3-642-13858-4_19

Cited by 89 publications

(128 citation statements)

References 17 publications

Supporting

Mentioning

126

Contrasting

Unclassified

Order By: Relevance

“…P L [0, 5, 6, 10, 11, 14, 15], P R [13,14] fixed to an arbitrary value. We can identify 2 25 pairs of plaintexts (for each differential) from P so that the pairs satisfy the corresponding (∆ 2 L , ∆ 2 R ) after two rounds of encryption.…”

Section: Attack On 19 Roundsmentioning

confidence: 99%

See 1 more Smart Citation

Differential Analysis of Block Ciphers SIMON and SPECK

Biryukov

Roy

Velichkov

2015

Lecture Notes in Computer Science

108

View full text Add to dashboard Cite

Abstract. In this paper we continue the previous line of research on the analysis of the differential properties of the lightweight block ciphers Simon and Speck. We apply a recently proposed technique for automatic search for differential trails in ARX ciphers and improve the trails in Simon32 and Simon48 previously reported as best. We further extend the search technique for the case of differentials and improve the best previously reported differentials on Simon32, Simon48 and Simon64 by exploiting more effectively the strong differential effect of the cipher. We also present improved trails and differentials on Speck32, Speck48 and Speck64. Using these new results we improve the currently best known attacks on several versions of Simon and Speck. A second major contribution of the paper is a graph based algorithm (linear time) for the computation of the exact differential probability of the main building block of Simon: an AND operation preceded by two bitwise shift operations. This gives us a better insight into the differential property of the Simon round function and differential effect in the cipher. Our algorithm is general and works for any rotation constants. The presented techniques are generic and are therefore applicable to a broader class of ARX designs.

show abstract

Section: Attack On 19 Roundsmentioning

confidence: 99%

“…Furthermore, the two designs are very simple and elegant. They are both built on the ARX philosophy [21,14], using only basic arithmetic operations such as modular addition, XOR, bitwise AND and bit rotation.…”

Section: Introductionmentioning

confidence: 99%

Differential Analysis of Block Ciphers SIMON and SPECK

Biryukov

Roy

Velichkov

2015

Lecture Notes in Computer Science

108

View full text Add to dashboard Cite

show abstract

“…Countermeasures must be taken against rotational cryptanalysis [16] due to inherent rotational invariance of φ functions. Algebraically these functions have surprising properties.…”

Section: On Cryptanalysis Of φ Functionsmentioning

confidence: 99%

“…Ignoring the round constant, the mx transform may be viewed as a transpose of a matrix followed by 16 parallel, independent invocations of a 16 -bit permutation, (φ • λ) 16 . We start with the most fundamental observation:…”

Section: Hashing and Authenticated Encryptionmentioning

confidence: 99%

CBEAM: Efficient Authenticated Encryption from Feebly One-Way ϕ Functions

Saarinen

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

Abstract. We show how efficient and secure cryptographic mixing functions can be constructed from low-degree rotation-invariant φ functions rather than conventional S-Boxes. These novel functions have surprising properties; many exhibit inherent feeble (Boolean circuit) one-wayness and offer speed/area tradeoffs unobtainable with traditional constructs. Recent theoretical results indicate that even if the inverse is not explicitly computed in an implementation, its degree plays a fundamental role to the security of the iterated composition. To illustrate these properties, we present CBEAM, a Cryptographic Sponge Permutation based on a single 5 × 1-bit Boolean function. This simple nonlinear function is used to construct a 16-bit rotation-invariant φ function of Degree 4 (but with a very complex Degree 11 inverse), which in turn is expanded into an efficient 256-bit mixing function. In addition to flexible tradeoffs in hardware we show that efficient implementation strategies exist for software platforms ranging from low-end microcontrollers to the very latest x86-64 AVX2 instruction set. A rotational bit-sliced software implementation offers not only comparable speeds to AES but also increased security against cache side channel attacks. Our construction supports Sponge-based Authenticated Encryption, Hashing, and PRF/PRNG modes and is highly useful as a compact "all-in-one" primitive for pervasive security.

show abstract

“…RSA-OAEP [2], it is important to ensure that no special property can be observed that allows an attacker to distinguish the primitive from a random oracle. Distinguishers on hash functions, compression functions or permutations can be very diverse, from classical differential distinguishers (limited-birthday [13] or subspace [20]) to rotational [18] or zero-sum distinguishers [6]. In any case, for the distinguisher to be valid, the cryptanalyst has to compare the cost of finding the specific property for the function analyzed and for an ideal primitive.…”

Section: Introductionmentioning

confidence: 99%

Multiple Limited-Birthday Distinguishers and Applications

Jean

Naya-Plasencia

Peyrin

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this article, we propose a new improvement of the rebound techniques, used for cryptanalyzing AES-like permutations during the past years. Our improvement, that allows to reduce the complexity of the attacks, increases the probability of the outbound part by considering a new type of differential paths. Moreover, we propose a new type of distinguisher, the multiple limited-birthday problem, based on the limited-birthday one, but where differences on the input and on the output might have randomized positions. We also discuss the generic complexity for solving this problem and provide a lower bound of it as well as we propose an efficient and generic algorithm for solving it. Our advances lead to improved distinguishing or collision results for many AES-based functions such as AES, ECHO, Grøstl, LED, PHOTON and Whirlpool.

show abstract

Rotational Cryptanalysis of ARX

Cited by 89 publications

References 17 publications

Differential Analysis of Block Ciphers SIMON and SPECK

Differential Analysis of Block Ciphers SIMON and SPECK

CBEAM: Efficient Authenticated Encryption from Feebly One-Way ϕ Functions

Multiple Limited-Birthday Distinguishers and Applications

Contact Info

Product

Resources

About