
    Analysis of the NORX Core Permutation

    NORX is one of the fifteen authenticated encryption algorithms that have reached the third round of the CAESAR competition. NORX is built using the sponge-based Monkey Duplex construction. In this note we analyze the core permutation F. We show that it has rotational symmetries on different structure levels. This yields simple distinguishing properties for the permutation, which propagate with very high probability or even probability one. We also investigate differential symmetries in NORX at the word level. A new type of truncated differentials called symmetric truncated differentials (STD) is proposed. It is shown that, under the Markov assumption, up to 2.125 rounds of the F function of NORX32 and NORX64 can be distinguished using STD. Finally, we note that our analysis covers only the permutation F and does not immediately threaten the security claims of the designers.
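    As an added example (not code from the NORX paper above), the following Python script shows the basic fact that rotational distinguishers of ARX permutations build on: XOR and fixed rotations commute with a word rotation exactly, while modular addition does so only with the probability given by Daum's formula, and the product of the per-addition probabilities is the independence (Markov) estimate that one then compares against an exhaustive count. The word size n, the rotation amounts r and s, and the two-word toy step are assumptions chosen so that everything can be counted by brute force; the toy step is not NORX's G function.

```python
# Added example: rotational propagation through ARX operations.
# Word size n and rotation amounts r, s are assumptions picked small
# enough to enumerate all 2^(2n) input pairs; the toy step is hypothetical.

def rotl(x, r, n):
    """Rotate the n-bit word x left by r positions (0 < r < n)."""
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def rotational_prob_add(n, r):
    """Exact Pr[rotl(x + y) == rotl(x) + rotl(y)] over uniform n-bit x, y.
    Equality holds iff neither the low n-r bits nor the high r bits of x + y
    produce a carry, i.e. (1 + 2^-(n-r))/2 * (1 + 2^-r)/2 (Daum's formula)."""
    return (1 + 2.0 ** (r - n)) * (1 + 2.0 ** (-r)) / 4


def rotational_prob_add_exhaustive(n, r):
    """Brute-force check of rotational_prob_add over all 2^(2n) pairs."""
    mask = (1 << n) - 1
    hits = sum(
        1
        for x in range(1 << n)
        for y in range(1 << n)
        if rotl((x + y) & mask, r, n) == (rotl(x, r, n) + rotl(y, r, n)) & mask
    )
    return hits / (1 << (2 * n))


def xor_rot_commute(n, r, s):
    """XOR and a fixed rotation by s are rotation-invariant with probability 1:
    rotl(x ^ rotl(y, s)) == rotl(x) ^ rotl(rotl(y), s) for every x, y."""
    return all(
        rotl(x ^ rotl(y, s, n), r, n) == rotl(x, r, n) ^ rotl(rotl(y, r, n), s, n)
        for x in range(1 << n)
        for y in range(1 << n)
    )


def toy_arx_step(a, b, n, s):
    """Hypothetical two-word ARX step (not NORX's G): add, rotate-XOR, add."""
    mask = (1 << n) - 1
    a = (a + b) & mask
    b = rotl(b, s, n) ^ a
    a = (a + b) & mask
    return a, b


def toy_step_rotational_prob(n, r, s):
    """Fraction of inputs (a, b) for which the rotated input pair yields the
    rotated output pair of toy_arx_step. Compare with rotational_prob_add**2,
    the estimate obtained by treating the two additions as independent; the
    rotate-XOR in between costs nothing. The count can never exceed the
    single-addition probability, because a rotational output forces the first
    addition to have been rotational."""
    hits = 0
    for a in range(1 << n):
        for b in range(1 << n):
            a1, b1 = toy_arx_step(a, b, n, s)
            a2, b2 = toy_arx_step(rotl(a, r, n), rotl(b, r, n), n, s)
            if (a2, b2) == (rotl(a1, r, n), rotl(b1, r, n)):
                hits += 1
    return hits / (1 << (2 * n))


if __name__ == "__main__":
    n, r, s = 8, 1, 3
    print("one addition, formula   :", rotational_prob_add(n, r))
    print("one addition, exhaustive:", rotational_prob_add_exhaustive(n, r))
    print("xor and rotation commute:", xor_rot_commute(n, r, s))
    print("toy step, exhaustive    :", toy_step_rotational_prob(n, r, s))
    print("toy step, Markov estimate:", rotational_prob_add(n, r) ** 2)
```

    For n = 8 and r = 1 the formula gives 387/1024, and the exhaustive count agrees exactly; the gap between the toy step's measured probability and the squared single-addition probability is the kind of dependence between consecutive additions that the Markov assumption ignores.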

    Automated Truncation of Differential Trails and Trail Clustering in ARX

    We propose a tool for automated truncation of differential trails in ciphers using modular addition, bitwise rotation, and XOR (ARX). The tool takes as input a differential trail and produces as output a set of truncated differential trails. The set represents all possible truncations of the input trail according to certain predefined rules. A linear-time algorithm for the exact computation of the differential probability of a truncated trail that follows the truncation rules is proposed. We further describe a method to merge the set of truncated trails into a compact set of non-overlapping truncated trails with associated probability, and we demonstrate the application of the tool on the block cipher Speck64. We have also investigated the effect of clustering of differential trails around a fixed input trail. The best cluster that we have found for 15 rounds has probability 2^−55.03 (consisting of 389 unique output differences), which allows us to build a distinguisher using 128 times less data than the one based on just the single best trail, which has probability 2^−62. Moreover, we show examples for Speck64 where a cluster of trails around a suboptimal (in terms of probability) input trail results in higher overall probability compared to a cluster obtained around the best differential trail.

    On The Cost of ASIC Hardware Crackers: A SHA-1 Case Study

    In February 2017, the SHA-1 hashing algorithm was practically broken using an identical-prefix collision attack implemented on a GPU cluster, and in January 2020 a chosen-prefix collision was first computed, with practical implications for various security protocols. These advances opened the door to several research questions, such as the minimal cost to perform these attacks in practice. In particular, one may wonder what the best technology is for software/hardware cryptanalysis of such primitives. In this paper, we address some of these questions by studying the challenges and costs of building an ASIC cluster for performing attacks against a hash function. Our study takes into account different scenarios and includes two cryptanalytic strategies that can be used to find such collisions: a classical generic birthday search, and a state-of-the-art differential attack using neutral bits for SHA-1. We show that for generic attacks, GPUs and ASICs pose a serious practical threat to primitives with security level ≈ 64 bits, with rented GPUs a good solution for a one-off attack, and ASICs more efficient if the attack has to be run a few times. ASICs also pose a non-negligible security risk for primitives with 80-bit security. For differential attacks, GPUs (purchased or rented) are often a very cost-effective choice, but ASICs provide an alternative for organizations that can afford the initial cost and look for a compact, energy-efficient, reusable solution. In the case of SHA-1, we show that an ASIC cluster costing a few million would be able to generate chosen-prefix collisions in a day or even in a minute. This extends the attack surface to TLS and SSH, for which the chosen-prefix collision would need to be generated very quickly.

    Lightweight AEAD and Hashing using the Sparkle Permutation Family

    We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits. We also use them to build new sponge-based hash functions, Esch256 and Esch384. Our permutations are among those with the lowest footprint in software, without sacrificing throughput. These properties are allowed by our use of an ARX component (the Alzette S-box) as well as a carefully chosen number of rounds. The corresponding analysis is enabled by the long trail strategy, which gives us the tools we need to efficiently bound the probability of all the differential and linear trails for an arbitrary number of rounds. We also present a new application of this approach where the only trails considered are those mapping the rate to the outer part of the internal state, such trails being the only relevant trails for instance in a differential collision attack. To further decrease the number of rounds without compromising security, we modify the message injection in the classical sponge construction to break the alignment between the rate and our S-box layer.

    New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: Anemoi Permutations and Jive Compression Mode

    Advanced cryptographic protocols such as zero-knowledge (ZK) proofs of knowledge, widely used in cryptocurrency applications such as Zcash, Monero, Filecoin, Tezos and Topos, demand new cryptographic hash functions that are efficient not only over the binary field $\mathbb{F}_2$, but also over large fields of prime characteristic $\mathbb{F}_p$. This need has been acknowledged by the wider community and new so-called Arithmetization-Oriented (AO) hash functions have been proposed, e.g. MiMC-Hash, Rescue-Prime, Poseidon, Reinforced Concrete and Griffin, to name a few. In this paper we propose Anemoi: a new family of ZK-friendly permutations that can be used to construct efficient hash functions and compression functions. The main features of these algorithms are that 1) they are designed to be efficient within multiple proof systems (e.g. Groth16, Plonk, etc.), 2) they contain dedicated functions optimised for specific applications (namely Merkle tree hashing and general purpose hashing), 3) they have highly competitive performance, e.g. about a factor of 2 improvement over Poseidon and Rescue-Prime in terms of R1CS constraints, a 21%-35% Plonk constraint reduction over a highly optimized Poseidon implementation, as well as competitive native performance, running between two and three times faster than Rescue-Prime, depending on the field size. On the theoretical side, Anemoi pushes further the frontier in understanding the design principles that are truly entailed by arithmetization-orientation. In particular, we identify and exploit a previously unknown relationship between CCZ-equivalence and arithmetization-orientation. In addition, we propose two new standalone components that can be easily reused in new designs. One is a new S-box called Flystel, based on the well-studied butterfly structure, and the second is Jive, a new mode of operation inspired by the "Latin dance" symmetric algorithms (Salsa, ChaCha and derivatives). Our design is a conservative one: it uses a very classical Substitution-Permutation Network structure, and our detailed analysis of algebraic attacks may be of independent interest.

    Recent Methods for Cryptanalysis of Symmetric-key Cryptographic Algorithms (Recente Methoden voor de Cryptanalyse van Symmetrische-sleutel Cryptografische Algoritmen)

    Cryptography is the art and science of secret communication. In the past it was exclusively the occupation of the military. Only during the last forty years has the study and practice of cryptography reached the wide public. Nowadays, cryptography is not only actively studied in leading universities as part of their regular curriculum, but it is also widely used in our everyday lives. It protects our GSM communications and on-line financial transactions, our electronic health records and personal data. Internet services for which security is critical, such as online banking, electronic commerce, e-voting and the whole concept of e-Government, are unimaginable without the necessary cryptographic mechanisms.

    In order for cryptography to serve its purposes well, secure and reliable cryptographic algorithms are necessary. The design of such algorithms is in turn intimately linked to the ability to analyze and understand their properties, which is the subject of cryptanalysis. The goal of this thesis is to research new techniques for cryptanalysis of symmetric-key cryptographic algorithms.

    The first part of the thesis focuses on methods for cryptanalysis of ARX algorithms: algorithms based on the operations modular addition, bit rotation and XOR, collectively denoted as ARX. Many contemporary algorithms fall into this class, for example the block ciphers TEA, XTEA and RC5, the stream cipher Salsa20, the hash functions MD4, MD5, SHA-1 and SHA-2, as well as two of the candidate proposals for the next-generation cryptographic hash function standard SHA-3: the hash functions BLAKE and Skein. In this thesis we propose a general framework for the differential analysis of ARX algorithms. This framework is used to compute the probabilities with which differences propagate through the ARX operations. The accurate computation of these probabilities is critical for estimating the success of one of the most powerful cryptanalytic techniques, differential cryptanalysis. We demonstrate that the proposed framework is general, simple to use and easy to extend by applying it both to confirm known results and to solve new problems.

    We further focus on the propagation of additive differences through the ARX operations, as a generalization of the technique of differential cryptanalysis. We propose a new type of difference, called UNAF (unsigned non-adjacent form). A UNAF represents a set of specially chosen additive differences that are used to obtain more accurate estimates of the probabilities of differentials through sequences of ARX operations. This is demonstrated by applying UNAF differences to the differential cryptanalysis of the stream cipher Salsa20.

    The second part of the thesis is dedicated to algebraic cryptanalysis. More specifically, we present results on the algebraic cryptanalysis of algorithms based on the most widely used block cipher today, the Advanced Encryption Standard (AES). We first provide a full algebraic representation of the round transformation of AES. Next we use it to design the fully symbolic polynomial system generator SYMAES, a software tool that automatically constructs symbolic Boolean equations for AES. A derivative of this tool is applied to the algebraic analysis of a small-scale version of the AES-based stream cipher LEX. For the small-scale LEX we construct systems of Boolean equations and solve them using Gröbner basis techniques.

    Several conclusions can be drawn from the results presented in this thesis. Firstly, we believe that more research is necessary in the area of ARX algorithms. The interplay between modular addition, bit rotation and XOR proves to be far more complex and intricate than one would expect from such simple operations. The general methodology for the analysis of such constructions proposed in the thesis is an attempt to address this problem. Only the test of time will show how successful this attempt has been and, more importantly, whether we are even moving in the right direction. As to the area of algebraic cryptanalysis, our results seem to confirm a belief already held by other members of the cryptographic community: algebraic techniques are rarely able to provide an advantage over statistical techniques in the analysis of block ciphers. Finding an example that would counter this opinion is a general challenge for future work.

    Contents: 1. Introduction; 2. General Framework for the Differential Analysis of ARX; 3. The Additive Differential Probability of ARX; 4. UNAF: A Special Set of Additive Differences; 5. Application of UNAF to the Analysis of the Stream Cipher Salsa20; 6. Algebraic Cryptanalysis of AES-based Primitives Using Gröbner Bases; 7. Algebraic Cryptanalysis of a Small-Scale Version of Stream Cipher LEX; 8. Conclusion. 256 pages.

    Automatic Search for Differential Trails in ARX Ciphers (extended version)

    Abstract. We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related-key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13-round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA, multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations.
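    As an added example serving both the thesis abstract above (computing the probabilities with which differences propagate through the ARX operations) and this abstract (a partial DDT for a Matsui-style search), the following Python script computes the XOR differential probability of modular addition, xdp+(α, β → γ), with the Lipmaa-Moriai formula, checks it against exhaustive counting, scores a trail under the Markov assumption, and enumerates every addition differential with weight at most a threshold. This is not code from either paper: how the listed tool actually constructs its pDDT is not on this page, so the threshold enumeration here is the plain definition, assumed for illustration, and the word size n is an assumption chosen small enough for brute force.

```python
# Added example: XOR differential probability of n-bit modular addition and a
# threshold-filtered "partial DDT". The word sizes used are assumptions chosen
# so that exhaustive verification is feasible; the pDDT construction is the
# plain definition, not the listed tool's own algorithm.

def _eq(x, y, z, mask):
    """Bit positions (within mask) at which x, y and z all agree."""
    return (~x ^ y) & (~x ^ z) & mask


def xdp_add_weight(alpha, beta, gamma, n):
    """Weight w with xdp+(alpha, beta -> gamma) = 2^-w for n-bit addition,
    or None if the differential is impossible (Lipmaa-Moriai, FSE 2001).
    The differential is valid iff every bit position where the three shifted
    differences agree also satisfies alpha ^ beta ^ gamma == beta << 1, and
    then each non-MSB position where alpha, beta, gamma disagree costs 1 bit."""
    mask = (1 << n) - 1
    shl = lambda v: (v << 1) & mask
    if _eq(shl(alpha), shl(beta), shl(gamma), mask) & (alpha ^ beta ^ gamma ^ shl(beta)):
        return None
    low_bits = (1 << (n - 1)) - 1  # the carry out of the MSB is discarded
    return bin(~_eq(alpha, beta, gamma, mask) & low_bits).count("1")


def xdp_add(alpha, beta, gamma, n):
    """Probability as a float (0.0 for an impossible differential)."""
    w = xdp_add_weight(alpha, beta, gamma, n)
    return 0.0 if w is None else 2.0 ** (-w)


def xdp_add_exhaustive(alpha, beta, gamma, n):
    """Count the differential over all 2^(2n) input pairs."""
    mask = (1 << n) - 1
    hits = sum(
        1
        for x in range(1 << n)
        for y in range(1 << n)
        if ((x + y) ^ ((x ^ alpha) + (y ^ beta))) & mask == gamma
    )
    return hits / (1 << (2 * n))


def formula_matches_exhaustive(n):
    """Check the formula against counting for every (alpha, beta, gamma)."""
    return all(
        xdp_add(a, b, c, n) == xdp_add_exhaustive(a, b, c, n)
        for a in range(1 << n)
        for b in range(1 << n)
        for c in range(1 << n)
    )


def ddt_row_total(alpha, beta, n):
    """Sum of xdp+ over all output differences; must be exactly 1."""
    return sum(xdp_add(alpha, beta, gamma, n) for gamma in range(1 << n))


def trail_weight(steps, n):
    """Weight of a trail through a sequence of additions, each step given as
    (alpha, beta, gamma), under the Markov assumption: per-step weights add.
    Returns None if any step is impossible."""
    total = 0
    for alpha, beta, gamma in steps:
        w = xdp_add_weight(alpha, beta, gamma, n)
        if w is None:
            return None
        total += w
    return total


def partial_ddt_add(n, max_weight):
    """All (alpha, beta, gamma, weight) with weight <= max_weight, sorted by
    weight: the high-probability entries a Matsui-style search consults
    instead of the full 2^(3n)-entry DDT of the addition."""
    entries = []
    for a in range(1 << n):
        for b in range(1 << n):
            for c in range(1 << n):
                w = xdp_add_weight(a, b, c, n)
                if w is not None and w <= max_weight:
                    entries.append((a, b, c, w))
    return sorted(entries, key=lambda e: e[3])


if __name__ == "__main__":
    print("xdp+(1, 0 -> 1), 8-bit:", xdp_add(1, 0, 1, 8), xdp_add_exhaustive(1, 0, 1, 8))
    print("xdp+(0x80, 0 -> 0x80), 8-bit:", xdp_add(0x80, 0, 0x80, 8))
    print("xdp+(1, 1 -> 1), 8-bit:", xdp_add(1, 1, 1, 8))
    print("formula matches counting for n=4:", formula_matches_exhaustive(4))
    print("probability-1 entries for n=4:", partial_ddt_add(4, 0))
```

    The probability-1 entries for n = 4 are exactly the four differentials confined to the most significant bit with even parity, (0,0→0), (8,8→0), (8,0→8) and (0,8→8), which is why MSB-only differences are the cheapest way through an addition; any difference in a lower bit costs at least one bit of weight.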