Rotational Cryptanalysis on ChaCha Stream Cipher
Abstract
1. Introduction
2. Notation and ChaCha20 Stream Cipher Description
2.1. Notation
- ⊕ for the bitwise exclusive or (XOR), i.e., the addition in ;
- ⊞ for the -bit addition ;
- ⊟ for the -bit subtraction , i.e., the sum with the opposite of an element in ;
- for the -bit addition of k words ;
- for the vector bitwise OR operation between x and y;
- for the concatenation of x and y;
- for a non–cyclic left shift by one bit of x;
- ;
- and respectively for constant-distance left and right circular rotation of bits of a -bit word with ;
- for the Hamming weight of x;
- for the cardinality of a set I;
- for the characteristic function of a condition Z, which is equal to 1 when Z is satisfied and equal to 0 otherwise;
- ;
- if and only if we have for all ;
- , where, for ,
- for the operator which gives for any the integer satisfying
2.2. ChaCha20 Specification
2.3. Rotational and Rotational-XOR (RX) Cryptanalysis
- The rotational property is preserved through the XOR of rotational pairs and after a rotation by a constant value :
- The rotational property is preserved through a modular addition of two –bit words with a probability given by
- In the case of chained modular additions of more than two –bit strings, must be evaluated using Lemma 2 in [14];
- with probability
- Given a random function , with probability
- ;
- for a fixed rotational amount .
3. Searching for Rotational/RX Pairs in ChaCha20
3.1. Conditions for the Rotational Propagation
3.2. On the Choices of the Input Relations and of a, b, c, d
- , i.e., which is equivalent to the equation
- , i.e., , , which is equivalent to the equation
- , i.e., , which is equivalent to the equation
- , i.e., , , which is equivalent to the equation
3.3. Probability of Rotational Propagation for 1 Bit Rotations
- : in this case when congruence (52) becomes Comparing the two members, it clearly holds if and only if
- : in this case we necessarily have and since only when , thus (52) becomes
- : in this last case we have in the first congruence in (51), so this congruence becomes the equality Since
- ,
- and ,
- , , i.e., is the zero vector in ,
4. Discussion
- conditions (21) and (22) hold automatically from (23);
4.1. Propagation Probability of Rotational-XOR Pairs through ChaCha20 Quarter Round
- and , so , which gives when ;
- and with as before;
- and , , so , which gives when ;
- and with as for the first two constants.
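The propagation rules of Section 2.3 (XOR and constant rotations preserve rotational pairs for free, modular addition only with a certain probability) and the quarter-round and constant discussion of Section 4.1 can both be checked numerically. The script below is an added example written for this page; it is not code from the paper, nor from any ChaCha20 implementation. It brute-forces the modular-addition probability for small word sizes against the closed formula of Daum [10] and Khovratovich and Nikolić [11], samples how often rotational pairs with rotation amount 1 survive one RFC 8439 [3] quarter round, and computes (K <<< r) ⊕ K for the four ChaCha20 constants, the XOR offset that turns a rotational pair on a constant word into an RX pair. The function names, the sample size and the fixed seed are the example's own choices; the constants and the quarter-round test vector used in the checks are the ones given in RFC 8439.

```python
"""Rotational and RX propagation checks for ChaCha20 building blocks.

Added example for this page; not code from the paper or from any ChaCha20
implementation. Word size n = 32 unless stated otherwise.
"""
from fractions import Fraction
import random

MASK32 = 0xFFFFFFFF


def rotl(x: int, r: int, n: int = 32) -> int:
    """Constant-distance left circular rotation of an n-bit word (x <<< r)."""
    r %= n
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def rot_add_prob_formula(n: int, r: int) -> Fraction:
    """Pr[(x + y) <<< r == (x <<< r) + (y <<< r)] (mod 2^n) for uniform x, y.

    Closed form from Daum [10] / Khovratovich and Nikolic [11]:
        (1 + 2^(r-n) + 2^(-r) + 2^(-n)) / 4.
    The pair survives iff neither the low n-r bits nor the high r bits
    produce a carry; for uniform inputs those two events are independent.
    """
    return (1 + Fraction(1, 2 ** (n - r)) + Fraction(1, 2 ** r)
            + Fraction(1, 2 ** n)) / 4


def rot_add_prob_exhaustive(n: int, r: int) -> Fraction:
    """Same probability by enumerating all 2^(2n) input pairs (small n only)."""
    mask = (1 << n) - 1
    hits = 0
    for x in range(1 << n):
        xr = rotl(x, r, n)
        for y in range(1 << n):
            if rotl((x + y) & mask, r, n) == (xr + rotl(y, r, n)) & mask:
                hits += 1
    return Fraction(hits, 1 << (2 * n))


def quarter_round(a: int, b: int, c: int, d: int):
    """ChaCha20 quarter round exactly as specified in RFC 8439 [3]."""
    a = (a + b) & MASK32; d = rotl(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl(b ^ c, 7)
    return a, b, c, d


def qr_rotational_prob(r: int, samples: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the probability that rotational pairs
    (w, w <<< r) on all four input words are still rotational pairs after
    one quarter round. The XORs and the rotations by 16/12/8/7 preserve the
    property for free, so only the four modular additions can break it.
    For independent uniform operands each addition costs about 0.375 when
    r = 1, but the later additions see operands already conditioned by the
    earlier ones, so the rate is not simply the product 0.375^4 ~ 2^-5.7.
    """
    rng = random.Random(seed)  # fixed seed: deterministic, constructed inputs
    hits = 0
    for _ in range(samples):
        w = [rng.getrandbits(32) for _ in range(4)]
        out = quarter_round(*w)
        out_rot = quarter_round(*(rotl(x, r) for x in w))
        if all(rotl(o, r) == p for o, p in zip(out, out_rot)):
            hits += 1
    return hits / samples


# "expand 32-byte k" as four little-endian words (RFC 8439 [3]).
CHACHA_CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def rx_constant_difference(k: int, r: int) -> int:
    """(k <<< r) XOR k: the XOR offset a fixed word k injects into a
    rotational pair, turning it into an RX pair (k, (k <<< r) XOR delta).
    It is zero only if k is invariant under rotation by r, which none of
    the ChaCha20 constants is for r = 1."""
    return rotl(k, r) ^ k


if __name__ == "__main__":
    for n, r in ((8, 1), (8, 3)):
        print(n, r, rot_add_prob_exhaustive(n, r), rot_add_prob_formula(n, r))
    print("n=32, r=1 per addition:", float(rot_add_prob_formula(32, 1)))
    print("quarter round, r=1:", qr_rotational_prob(1, 50000))
    for k in CHACHA_CONSTANTS:
        print(hex(k), "->", hex(rx_constant_difference(k, 1)))
```

The exhaustive count for n = 8 matches the closed formula exactly, which is the sanity check a practitioner wants before trusting the n = 32 value of roughly 0.375 per addition. The Monte Carlo rate for the full quarter round comes out noticeably lower than the naive product of four independent additions, which is the effect the chained-addition treatment in Section 2.3 accounts for; the paper's exact figures are not reproduced here.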
4.2. ChaCha20 Alternative Constants Giving Non-Negligible Probability
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
1. Bernstein, D.J. ChaCha, a Variant of Salsa20. In Workshop Record of SASC 2008; 2008; Volume 8, pp. 3–5. Available online: https://cr.yp.to/chacha/chacha-20080120.pdf (accessed on 23 May 2022).
2. Bernstein, D.J. Salsa20 Specification. Technical Report, eSTREAM Project; 2005. Available online: http://www.ecrypt.eu.org/stream/salsa20pf.html (accessed on 23 May 2022).
3. Nir, Y.; Langley, A. ChaCha20 and Poly1305 for IETF Protocols. RFC 8439; IETF, 2018; pp. 1–46.
4. Bernstein, D.J.; Hopwood, D.; Hülsing, A.; Lange, T.; Niederhagen, R.; Papachristodoulou, L.; Schneider, M.; Schwabe, P.; Wilcox-O'Hearn, Z. SPHINCS: Practical Stateless Hash-Based Signatures. In Advances in Cryptology—EUROCRYPT 2015; LNCS; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9056, pp. 368–397.
5. Biham, E. New Types of Cryptanalytic Attacks Using Related Keys. J. Cryptol. 1994, 7, 229–246.
6. Kelsey, J.; Schneier, B.; Wagner, D. Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In Information and Communications Security. ICICS 1997; LNCS; Springer: Berlin/Heidelberg, Germany, 1997; Volume 1334, pp. 233–246.
7. Knudsen, L.R.; Matusiewicz, K.; Thomsen, S.S. Observations on the Shabal Keyed Permutation. Official Comment, 2009. Available online: http://www2.mat.dtu.dk/people/oldusers/S.Thomsen/shabal/shabal.pdf (accessed on 23 May 2022).
8. Bernstein, D.J. Salsa20 Security. Technical Report, eSTREAM Project; 2005. Available online: http://cr.yp.to/snuffle/security.pdf (accessed on 23 May 2022).
9. Standaert, F.-X.; Piret, G.; Gershenfeld, N.; Quisquater, J.-J. SEA: A Scalable Encryption Algorithm for Small Embedded Applications. In Smart Card Research and Advanced Applications. CARDIS 2006; LNCS; Springer: Berlin/Heidelberg, Germany, 2006; Volume 3928, pp. 222–236.
10. Daum, M. Cryptanalysis of Hash Functions of the MD4-Family. Ph.D. Thesis, Ruhr University Bochum, Bochum, Germany, 2005. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.88.7847&rep=rep1&type=pdf (accessed on 23 May 2022).
11. Khovratovich, D.; Nikolić, I. Rotational Cryptanalysis of ARX. In Fast Software Encryption. FSE 2010; LNCS; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6147, pp. 333–346.
12. Khovratovich, D.; Nikolić, I.; Rechberger, C. Rotational Rebound Attacks on Reduced Skein. In Advances in Cryptology—ASIACRYPT 2010; LNCS; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6477, pp. 1–19.
13. Ferguson, N.; Lucks, S.; Schneier, B.; Whiting, D.; Bellare, M.; Kohno, T.; Callas, J.; Walker, J. The Skein Hash Function Family. Submission to NIST (Round 3), 2010.
14. Khovratovich, D.; Nikolić, I.; Pieprzyk, J.; Sokolowski, P.; Steinfeld, R. Rotational Cryptanalysis of ARX Revisited. In Fast Software Encryption. FSE 2015; LNCS; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9054, pp. 519–536.
15. Guo, J.; Karpman, P.; Nikolić, I.; Wang, L.; Wu, S. Analysis of BLAKE2. In Topics in Cryptology—CT-RSA 2014; LNCS; Springer: Cham, Switzerland, 2014; Volume 8366, pp. 402–423.
16. Morawiecki, P.; Pieprzyk, J.; Srebrny, M. Rotational Cryptanalysis of Round-Reduced Keccak. In Fast Software Encryption. FSE 2013; LNCS; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8424, pp. 241–262.
17. Ashur, T.; Liu, Y. Rotational Cryptanalysis in the Presence of Constants. IACR Trans. Symmetric Cryptol. 2016, 2016(1), 57–70.
18. Ashur, T.; De Witte, G.; Liu, Y. An Automated Tool for Rotational-XOR Cryptanalysis of ARX-Based Primitives. In Proceedings of the 2017 Symposium on Information Theory and Signal Processing in the Benelux (SITB 2017), Delft, The Netherlands, 11–12 May 2017.
19. Ito, R. Rotational Cryptanalysis of Salsa Core Function. In Information Security. ISC 2020; LNCS; Springer: Cham, Switzerland, 2020; Volume 12472, pp. 129–145.
20. Barbero, S.; Bellini, E.; Makarim, R. Rotational Analysis of ChaCha Permutation. Adv. Math. Commun. 2021.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Barbero, S.; Bazzanella, D.; Bellini, E. Rotational Cryptanalysis on ChaCha Stream Cipher. Symmetry 2022, 14, 1087. https://doi.org/10.3390/sym14061087