21 research outputs found

    MILP-aided Cryptanalysis of Round Reduced ChaCha

    The inclusion of ChaCha20 and Poly1305 into the list of supported ciphers in TLS 1.3 necessitates a security evaluation of those ciphers with all the state-of-the-art tools and innovative cryptanalysis methodologies. Mixed Integer Linear Programming (MILP) has been successfully applied to find more accurate characteristics of several ciphers such as SIMON and SPECK. In our research, we use MILP-aided cryptanalysis to search for differential characteristics, linear approximations and integral properties of ChaCha. We are able to find differential trails up to 2 rounds and linear trails up to 1 round. However, no integral distinguisher has been found, even for 1 round.

    PNB-focused Differential Cryptanalysis of ChaCha Stream Cipher

    This study focuses on differential cryptanalysis of the ChaCha stream cipher. In the conventional approach, an adversary first searches for an input/output differential pair with the highest differential bias and then analyzes the probabilistic neutral bits (PNB) based on the obtained input/output differential pair. However, although the time and data complexities for the attack can be estimated by the differential bias and PNB obtained by this approach, the combination of the differential bias and PNB is not always optimal. In addition, the existing studies have not performed a comprehensive analysis of the PNB; thus, they have not provided an upper bound on the number of rounds required for a differential attack that uses a single-bit truncated differential to be successful. To address these limitations, we propose a PNB-focused differential attack on reduced-round ChaCha by first comprehensively analyzing the PNB for all possible single-bit truncated output differences and then searching for the input/output differential pair with the highest differential bias based on the obtained PNB. The best existing attack on ChaCha, proposed by Beierle et al. at CRYPTO 2020, works on up to 7 rounds, whereas the most extended attack we observed works on up to 7.25 rounds using the proposed PNB-focused approach. The time complexity, data complexity, and success probability of the proposed attack are $2^{255.62}$, $2^{48.36}$, and 0.5, respectively. Although the proposed attack is less efficient than a brute force attack, it is the first dedicated attack on the target and provides both a baseline and useful components (i.e., differential bias and PNB) for improved attacks.

    New Multi-bit Differentials to Improve Attacks Against ChaCha

    The stream cipher ChaCha is an ARX type algorithm developed by Daniel Bernstein in 2008. Since its development, ChaCha has received a lot of attention and is currently being used in several systems. The most powerful cryptanalysis of reduced versions of this cipher was presented by Choudhuri and Maitra at FSE 2017 by using differential-linear cryptanalysis. In their work they show that it is possible to obtain linear relations between bits from different rounds with high probability and use the proposed equations to create multi-bit differentials and improve previous attacks. In this work, we provide new linear approximations that can be used in a similar fashion but with increased efficiency. Therefore, we show that using these new equations it is possible to improve the attacks against 6 and 7 rounds of ChaCha.

    Differential Cryptanalysis of Salsa and ChaCha -- An Evaluation with a Hybrid Model

    While Salsa and ChaCha are well known software oriented stream ciphers, since the work of Aumasson et al. in FSE 2008 there aren't many significant results against them. The basic model of their attack was to introduce differences in the IV bits, obtain biases after a few forward rounds, as well as to look at the Probabilistic Neutral Bits (PNBs) while reverting back. In this paper we first consider the biases in the forward rounds, and estimate an upper bound on the number of rounds till such biases can be observed. For this, we propose a hybrid model (under certain assumptions), where initially the nonlinear rounds as proposed by the designer are considered, and then we employ their linearized counterpart. The effect of reverting the rounds with the idea of PNBs is also considered. Based on the assumptions and analysis, we conclude that 12 rounds of Salsa and ChaCha should be considered sufficient for 256-bit keys under the current best known attack models.

    Revamped Differential-Linear Cryptanalysis on Reduced Round ChaCha

    In this paper, we provide several improvements over the existing differential-linear attacks on ChaCha. ChaCha is a stream cipher which has 20 rounds. At CRYPTO 2020, Beierle et al. observed a differential in the 3.5-th round if the right pairs are chosen. They produced an improved attack using this, but showed that to achieve a right pair, we need $2^5$ iterations on average. In this direction, we provide a technique to find the right pairs with the help of listing. Also, we provide a strategical improvement in PNB construction, modification of complexity calculation and an alternative attack method using two input-output pairs. Using these, we improve the time complexity, reducing it to $2^{221.95}$ from $2^{230.86}$ reported by Beierle et al. for the 256-bit version of ChaCha. Also, after a decade, we improve the existing complexity (Shi et al: ICISC 2012) for 6-round of the 128-bit version of ChaCha by more than 1 million times and produce the first-ever attack on 6.5-round ChaCha128 with time complexity $2^{123.04}$.

    Moving a Step of ChaCha in Syncopated Rhythm

    The stream cipher ChaCha is one of the most widely used ciphers in the real world, such as in TLS, SSH and so on. In this paper, we study the security of ChaCha via differential cryptanalysis based on probabilistic neutrality bits (PNBs). We introduce the syncopation technique for the PNB-based approximation in the backward direction, which significantly amplifies its correlation by utilizing the property of ARX structure. In virtue of this technique, we present a new and efficient method for finding a good set of PNBs. A refined framework of key-recovery attack is then formalized for round-reduced ChaCha. The new techniques allow us to break 7.5 rounds of ChaCha without the last XOR and rotation, as well as to bring faster attacks on 6 rounds and 7 rounds of ChaCha.

    Improved Differential-Linear Attacks with Applications to ARX Ciphers

    We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far.

    SAFE-NET: Secure and Fast Encryption using Network of Pseudo-Random Number Generators

    We propose a general framework to design a general class of random number generators suitable for both computer simulation and computer security applications. It can include the newly proposed generators SAFE (Secure And Fast Encryption) and ChaCha, a variant of Salsa, one of the four finalists of the eSTREAM ciphers. Two requirements for ciphers to be considered secure are that they must be unpredictable with a nice distributional property. The proposed SAFE-NET is a network of n nodes with external pseudo-random number generators as input nodes, several inner layers of nodes with a sequence of random variates through ARX (Addition, Rotation, XOR) transformations to diffuse the components of the initial state vector. After several rounds of transformations (with complex inner connections) are done, the output layer with n nodes is outputted via additional transformations. By utilizing random number generators with desirable empirical properties, SAFE-NET injects randomness into the keystream generation process and constantly updates the cipher's state with external pseudo-random numbers during each iteration. Through the integration of shuffle tables and advanced output functions, extra layers of security are provided, making it harder for attackers to exploit weaknesses in the cipher. Empirical results demonstrate that SAFE-NET requires fewer operations than ChaCha while still producing a sequence of uniformly distributed random numbers.

    Implementing ChaCha based crypto primitives on programmable SmartNICs

    Control and management plane applications such as serverless function orchestration and 4G/5G control plane functions are offloaded to smartNICs to reduce communication and processing latency. Such applications involve multiple inter-host interactions that were traditionally secured using SSL/TLS gRPC-based communication channels. Offloading the applications to a smartNIC implies that we must also offload the security algorithms. Otherwise, we need to send the application messages to the host VM/container for crypto operations, negating the offload benefits. We propose crypto externs for Netronome Agilio smartNICs that implement authentication and confidentiality (encryption/decryption) using the ChaCha stream cipher algorithm. AES and ChaCha are two popular cipher suites, but we chose ChaCha since none of the smartNICs have ChaCha-based crypto accelerators. However, smartNICs have a restricted instruction set and limited memory, making it difficult to implement security algorithms. This paper identifies and addresses several challenges to implement ChaCha crypto primitives successfully. Our evaluations show that our crypto extern implementation satisfies the scalability requirement of popular applications such as serverless management functions and host in-band network telemetry. © 2022 ACM

    Fully Automated Differential-Linear Attacks against ARX Ciphers

    In this paper, we present a fully automated tool for differential-linear attacks using Mixed-Integer Linear Programming (MILP) and Mixed-Integer Quadratic Constraint Programming (MIQCP) techniques, which is, to the best of our knowledge, the very first attempt to fully automate such attacks. We use this tool to improve the correlations of the best 9- and 10-round differential-linear distinguishers on Speck32/64, and reach 11 rounds for the first time. Furthermore, we improve the latest 14-round key-recovery attack against Speck32/64, using differential-linear distinguishers obtained with our MILP/MIQCP tool. The techniques we present are generic and can be applied to other ARX ciphers as well.