Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Significantly Improved Multi-bit Differentials for Reduced
Round Salsa and ChaCha
Arka Rai Choudhuri
Johns Hopkins University
USA
Subhamoy Maitra
Indian Statistical Institute
India
FSE 2017, Tokyo
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa accepted into the eStream software portfolio (2007).
Salsa and ChaCha
ARX based stream ciphers.
Designed by Dan Bernstein.
Salsa accepted into the eStream software portfolio (2007).
ChaCha designed to address some concerns about Salsa (2008).
Motivation
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Existing cryptanalysis treats ciphers as black-boxes.
Motivation
Standardization process for inclusion of cipher suite based on ChaCha20-Poly1305 AEAD in TLS1.3 is almost complete.
Existing cryptanalysis treats ciphers as black-boxes.
Brute force search for multiple components in cryptanalysis.
Structure
Structure
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Structure
Easy to implement.
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Structure
Easy to implement.
Fast on PCs.https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Structure
Easy to implement.
Fast on PCs.
No security guarantees.
https://en.wikipedia.org/wiki/File:Salsa_round_function.svg
Non Randomness
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
Salsar
Salsar
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
Salsar
Salsar
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
Salsar
Salsar
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
Salsar
Salsar
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
Salsar
Salsar
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
Salsar
Salsar
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
ฮ
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
๐
ฮ
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
๐
ฮ
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds
๐
ฮ
significant key bits
non-significant key bits
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds R-r rounds
๐
ฮ
significant key bits
non-significant key bits
Attack idea (for R rounds) [Aumasson et al. 08]
r rounds R-r rounds
๐
ฮ
significant key bits
non-significant key bits
Complexity of attack increases with increase in number of significant bits.
Salsa
4 rounds
Salsa
4 rounds 4 rounds
Salsa
4 rounds 4 rounds
3 rounds
ChaCha
Salsa
4 rounds 4 rounds
4 rounds3 rounds
ChaCha
Salsa update function
Salsa update function ๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
Salsa update function ๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
Salsa update function ๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
abcd
Salsa update function ๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
abcd
abc
d
Salsa update function ๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
abcd
ab
cda
bc
d
Salsa update function ๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
abcd
ab
cda
bc
d bcd
a
Differential-Linear Biases
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
r rounds
r rounds
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
r rounds
r rounds
rโ rounds
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
r rounds
r rounds
rโ rounds
โ(0) =
00?
0 0 00 ? ?? 0 0
0 0 0 0
๐0๐3๐กโฒ0
๐0 ๐1 ๐2๐1 ๐ฃโฒ0 ๐ฃโฒ1๐กโฒ1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
๐0๐3๐ก0
๐0 ๐1 ๐2๐1 ๐ฃ0 ๐ฃ1๐ก1 ๐2 ๐ฅ11
๐5 ๐6 ๐7 ๐3
โ(๐) =
???
? ? ?? ? ?? ? ?
? ? ? ?
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
๐ฅโฒ0๐ฅโฒ4๐ฅโฒ8
๐ฅโฒ1 ๐ฅโฒ2 ๐ฅโฒ3๐ฅโฒ5 ๐ฅโฒ6 ๐ฅโฒ7๐ฅโฒ9 ๐ฅโฒ10 ๐ฅโฒ11
๐ฅโฒ12 ๐ฅโฒ13 ๐ฅโฒ14 ๐ฅโฒ15
๐ฅ0๐ฅ4๐ฅ8
๐ฅ1 ๐ฅ2 ๐ฅ3๐ฅ5 ๐ฅ6 ๐ฅ7๐ฅ9 ๐ฅ10 ๐ฅ11
๐ฅ12 ๐ฅ13 ๐ฅ14 ๐ฅ15
r rounds
r rounds
rโ rounds
Given ๐๐ and ๐๐ฟ , we can find the differential-linear bias for r+rโrounds.
Linear approximation with ๐๐ฟ = 1
Letโs look at the Salsa update function again
Linear approximation with ๐๐ฟ = 1
Letโs look at the Salsa update function again
Letโs look at the Salsa update function again
Get rid of the carry.
Move things around, from the linearity of XOR
Move things around, from the linearity of XOR
๐
Move things around, from the linearity of XOR
๐ ๐
Move things around, from the linearity of XOR
๐ ๐
Lets us search over 8 possible bits instead of 5123
3 bit
combinations.
Similar idea for ChaCha, but involves more bits because of a more involved state update function.
Similar idea for ChaCha, but involves more bits because of a more involved state update function.
โUnlike Salsa20, our exhaustive search showed no bias in 4-round ChaCha, be it with one, two, or three target output bits.โ
Reference ๐
Tsunoo et al. (2007) 2โ5.24
Aumasson et al. (2008) 2โ2.93
Maitra, Paul, Meier (2015) 2โ2.35
Maitra (2016) 2โ2.12
Reference ๐
Fischer et al. (2006) 2โ10.34
Maitra, Paul, Meier (2015) 2โ9.05
Salsa
4 rounds
5 rounds
Reference ๐
Tsunoo et al. (2007) 2โ5.24
Aumasson et al. (2008) 2โ2.93
Maitra, Paul, Meier (2015) 2โ2.35
Maitra (2016) 2โ2.12
This work โ ๐๐
Reference ๐
Fischer et al. (2006) 2โ10.34
Maitra, Paul, Meier (2015) 2โ9.05
This work โ ๐โ๐.๐๐
Salsa
4 rounds
5 rounds
Reference ๐
Tsunoo et al. (2007) 2โ5.24
Aumasson et al. (2008) 2โ2.93
Maitra, Paul, Meier (2015) 2โ2.35
Maitra (2016) 2โ2.12
This work โ ๐๐
Reference ๐
Fischer et al. (2006) 2โ10.34
Maitra, Paul, Meier (2015) 2โ9.05
This work โ ๐โ๐.๐๐
Salsa
Reference ๐
Aumasson et al. (2008) 2โ5.26
Maitra (2016) 2โ2.83
Reference ๐
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Reference ๐
Tsunoo et al. (2007) 2โ5.24
Aumasson et al. (2008) 2โ2.93
Maitra, Paul, Meier (2015) 2โ2.35
Maitra (2016) 2โ2.12
This work โ ๐๐
Reference ๐
Fischer et al. (2006) 2โ10.34
Maitra, Paul, Meier (2015) 2โ9.05
This work โ ๐โ๐.๐๐
Salsa
Reference ๐
Aumasson et al. (2008) 2โ5.26
Maitra (2016) 2โ2.83
This work ๐๐
Reference ๐
This work โ ๐โ๐.๐๐
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Reference ๐
Tsunoo et al. (2007) 2โ5.24
Aumasson et al. (2008) 2โ2.93
Maitra, Paul, Meier (2015) 2โ2.35
Maitra (2016) 2โ2.12
This work โ ๐๐
Reference ๐
Fischer et al. (2006) 2โ10.34
Maitra, Paul, Meier (2015) 2โ9.05
This work โ ๐โ๐.๐๐
Salsa
Reference ๐
Aumasson et al. (2008) 2โ5.26
Maitra (2016) 2โ2.83
This work ๐๐
Reference ๐
This work โ ๐โ๐.๐๐
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Distinguisher with complexity โ 28
247 improvement
Reference ๐
Tsunoo et al. (2007) 2โ5.24
Aumasson et al. (2008) 2โ2.93
Maitra, Paul, Meier (2015) 2โ2.35
Maitra (2016) 2โ2.12
This work โ ๐๐
Reference ๐
Fischer et al. (2006) 2โ10.34
Maitra, Paul, Meier (2015) 2โ9.05
This work โ ๐โ๐.๐๐
Salsa
Reference ๐
Aumasson et al. (2008) 2โ5.26
Maitra (2016) 2โ2.83
This work ๐๐
Reference ๐
This work โ ๐โ๐.๐๐
ChaCha
4 rounds
5 rounds
3 rounds
4 rounds
Distinguisher with complexity โ 28
247 improvement
Distinguisher with complexity โ 26
Linear approximation with ๐๐ฟ < 1
Linear approximation with ๐๐ฟ < 1
Linear approximation with ๐๐ฟ < 1
Linear approximation with ๐๐ฟ < 1
Linear approximation with ๐๐ฟ < 1
Combination of 19 bits from the subsequent round
Reference ๐
This work โ ๐โ๐๐.๐๐
Reference ๐
This work โ ๐โ๐๐.๐๐
Salsa
6 rounds 7 rounds
Reference ๐
This work โ ๐โ๐๐.๐๐
Reference ๐
This work โ ๐โ๐๐.๐๐
Salsa
Reference ๐
This work โ ๐โ๐.๐
Reference ๐
This work โ ๐โ๐๐.๐
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Reference ๐
This work โ ๐โ๐๐.๐๐
Reference ๐
This work โ ๐โ๐๐.๐๐
Salsa
Reference ๐
This work โ ๐โ๐.๐
Reference ๐
This work โ ๐โ๐๐.๐
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity โ 232
241 improvement
Reference ๐
This work โ ๐โ๐๐.๐๐
Reference ๐
This work โ ๐โ๐๐.๐๐
Salsa
Reference ๐
This work โ ๐โ๐.๐
Reference ๐
This work โ ๐โ๐๐.๐
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity โ 232
241 improvement
Distinguisher with complexity โ 216
Reference ๐
This work โ ๐โ๐๐.๐๐
Reference ๐
This work โ ๐โ๐๐.๐๐
Salsa
Reference ๐
This work โ ๐โ๐.๐
Reference ๐
This work โ ๐โ๐๐.๐
ChaCha
6 rounds 7 rounds
5 rounds 6 rounds
Distinguisher with complexity โ 232
241 improvement
Distinguisher with complexity โ 216 Distinguisher with complexity โ 2116
220 improvement
Implications to the key recovery attack
Salsa
4 rounds 4 rounds
Salsa
4 rounds 4 rounds
6 rounds
Salsa
4 rounds 4 rounds
6 rounds
Salsa
4 rounds 4 rounds
6 rounds
But...
Salsa
4 rounds 4 rounds
6 rounds 2 rounds
Salsa
4 rounds 4 rounds
5 rounds 3 rounds
4 rounds3 rounds
ChaCha
4 rounds3 rounds
ChaCha
2.5 rounds4.5 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
Salsa
7 rounds
8 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
This work ๐๐๐๐
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
This work ๐๐๐๐.๐
Salsa
7 rounds
8 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
This work ๐๐๐๐
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
This work ๐๐๐๐.๐
Salsa
Reference Time
Aumasson et al. (2008) 2139
Shi et al. (2012) 2136
Reference Time
Aumasson et al. (2008) 2248
Shi et al. (2012) 2246.5
Maitra(2016) 2238.9
ChaCha
7 rounds
8 rounds
6 rounds
7 rounds
Reference Time
Aumasson et al. (2008) 2151
Shi et al. (2012) 2148
This work ๐๐๐๐
Reference Time
Aumasson et al. (2008) 2251
Shi et al. (2012) 2250
Maitra(2016) 2245.5
This work ๐๐๐๐.๐
Salsa
Reference Time
Aumasson et al. (2008) 2139
Shi et al. (2012) 2136
This work ๐๐๐๐.๐
Reference Time
Aumasson et al. (2008) 2248
Shi et al. (2012) 2246.5
Maitra(2016) 2238.9
This work ๐๐๐๐.๐
ChaCha
7 rounds
8 rounds
6 rounds
7 rounds
Conclusion
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
Improve attacks on some reduced round versions, importantly moving some to practical realms.
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
Improve attacks on some reduced round versions, importantly moving some to practical realms.
A different method to partition the key space could potentially improve our attacks in both complexity and rounds.
We obtain biases in Salsa and ChaCha not obtained for almost a decade. Develop a theory on how to do this.
Improve attacks on some reduced round versions, importantly moving some to practical realms.
A different method to partition the key space could potentially improve our attacks in both complexity and rounds.
(or is this inherent to this kind of cryptanalysis?)
Thank you. Questions?
References
[C05] Paul Crowley. โTruncated differential cryptanalysis of five rounds of Salsa20". In: IACR Cryptology ePrint Archive 2005 (2005), p. 375. url: http : / /eprint.iacr.org/2005/375.
[FMB+06] Simon Fischer, Willi Meier, Come Berbain, Jean-Francois Biasse, and Matthew J. B. Robshaw. โNon-randomness in eSTREAM Candidates Salsa20 and TSC-4". In: Progress in Cryptology - INDOCRYPT 2006, 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceedings.
[TSK+07] Yukiyasu Tsunoo, Teruo Saito, Hiroyasu Kubo, Tomoyasu Suzaki, and Hiroki Nakashima. โDifferential Cryptanalysis of Salsa20/8โ. 2007. url: http://ecrypt.eu.org/stream/papersdir/2007/010.pdf.
[AFK+08] Jean-Philippe Aumasson, Simon Fischer, Shahram Khazaei, Willi Meier, and Christian Rechberger. โNew features of Latin dances: analysis of Salsa, ChaCha, and Rumba". In: Fast Software Encryption. Springer. 2008.
[SZF+12] Zhenqing Shi, Bin Zhang, Dengguo Feng, and Wenling Wu. โImproved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha". In: Information Security and Cryptology - ICISC 2012 - 15th International Conference, Seoul, Korea, November 28-30, 2012, Revised Selected Papers.
[MPM15] Subhamoy Maitra, Goutam Paul, and Willi Meier. โSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles". In: WCC 2015, the Ninth International Workshop on Coding and Cryptography, April 13-17, 2015, Paris, France.
[Mai16] Subhamoy Maitra. โChosen IV cryptanalysis on reduced round ChaCha and Salsa". In: Discrete Applied Mathematics 208 (2016).