Rotational analysis of ChaCha permutation Rotational analysis of ChaCha permutation Stefano Barbero1,

  • View
    0

  • Download
    0

Embed Size (px)

Text of Rotational analysis of ChaCha permutation Rotational analysis of ChaCha permutation Stefano...

  • Rotational analysis of ChaCha permutation

    Stefano Barbero1, Emanuele Bellini2, and Rusydi Makarim2

    1 Politecnico di Torino, Italy stefano.barbero@polito.it

    2 Cryptography Research Centre, Technology Innovation Institute, UAE emanuele.bellini@tii.ae

    rusydi.makarim@tii.ae

    Abstract. We show that the underlying permutation of ChaCha20 stream cipher does not behave as a random permutation for up to 17 rounds with respect to rotational cryptanalysis. In particular, we derive a lower and an upper bound for the rotational probability through ChaCha quarter round, we show how to extend the bound to a full round and then to the full permutation. The obtained bounds show that the probability to find what we call a parallel rotational collision is, for example, less than 2−488 for 17 rounds of ChaCha permutation, while for a random permutation of the same input size, this probability is 2−511. We remark that our distinguisher is not an attack to ChaCha20 stream cipher, but rather a theoretical analysis of its internal permutation from the point of view of rotational cryptanalysis.

    Keywords: ChaCha20 · Stream Cipher · Rotational cryptanalysis · Permutation · Distinguisher

  • Table of Contents

    Rotational analysis of ChaCha permutation . . . . . . . . . . . . . . . . . . . . . . . . . 1 Stefano Barbero, Emanuele Bellini, and Rusydi Makarim

    1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1 Our contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2 Outline of the paper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Related works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    2 ChaCha permutation description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 ChaCha permutation specification . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    3 Propagation of rotational pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1 Conditions for rotational pairs propagation . . . . . . . . . . . . . . . . . . . 7 3.2 Bounds for the quarter round . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.3 Experimental result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4 Bounds propagation through the full round . . . . . . . . . . . . . . . . . . . 14 3.5 Bounds propagation through the full permutation . . . . . . . . . . . . . 15

    4 Distinguisher description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.1 Rotational collisions of a random permutation . . . . . . . . . . . . . . . . 15 4.2 ChaCha permutation vs random permutation . . . . . . . . . . . . . . . . . 17

    5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    1 Introduction

    Salsa20 [9] and ChaCha20 [8] are two closely related stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM project by Daniel J. Bernstein [5]. Its detailed specification can be found in [5]. ChaCha20 is a modification of Salsa20, published by Bernstein in 2008, aimed at increasing diffusion and performance on some architectures. Google has selected ChaCha20 along with Bernstein’s Poly1305 message authentication code as a replacement for RC4 in TLS, and its specifica- tions can be found in [15]. Both ciphers are ARX (Add-Rotate-Xor) ciphers, i.e. built on a pseudorandom function based only on the following three operations: 32-bit modular addition, circular rotation, and bitwise exclusive or (XOR). This pseudorandom function is itself built upon a 512 bit permutation. According to [10], both permutations are not designed to simulate ideal permutations: they are designed to simulate ideal permutations with certain symmetries, i.e., ideal permutations of the orbits of the state space under these symmetries. The input of the Salsa and ChaCha function is partially fixed to specific asymmetric con- stants, guaranteeing that different inputs lie in different orbits. To our knowledge, while for Salsa some of these properties of ”non-pseudorandomness” are well known, this is not the case for ChaCha (see Section subsection 1.3). Again to our knowledge, because of the use of asymmetric constants injected into the input

  • state of the permutation, none of these properties can be used to attack the entire stream cipher, or other ciphers where these permutations have been reused, as Salsa20 permutation in the Rumba20 compression function [7], a tweaked version of the ChaCha20 permutation in the BLAKE and BLAKE2 hash functions [1], or ChaCha12 permutation in the original SPHINCS post-quantum signature scheme [10] 3.

    That said, studying mathematical properties of the Salsa and ChaCha per- mutations is still of theoretical interest, and it is useful to understand how these permutations can be reused to design other cryptographic primitives.

    1.1 Our contribution

    In this work, we show that ChaCha permutation does not behave as a random permutation, with respect to rotational cryptanalysis. To do so, we first derive and formally prove a lower and an upper bound for the probability of the propagation of rotational pairs through ChaCha quarter round. We provide experimental evidence of the correctness of the bounds by testing them on a toy version of ChaCha permutation. We then show how to extend the bounds to a full round and then to the full permutation. The obtained bounds allow us to distinguish ChaCha permutation, with for example 17 rounds, from a random permutation by using 2489 calls to an oracle running either ChaCha permutation or the random permutation. To do so, we prove that what we call a parallel rotational collision, is more likely to happen in ChaCha permutation, rather than in a random permutation. For example, such a collision happens with probability less than 2−488 for ChaCha permutation with 17 rounds, while with probability 2−511 for a random permutation. This distinguisher is not an attack to ChaCha20 stream cipher, but rather a theoretical analysis of its permutation from the point of view of rotational cryptanalysis.

    1.2 Outline of the paper

    In subsection 1.3 we briefly summarize the existing studies on the core function of Salsa and ChaCha stream ciphers. In section 2, we introduce the notation used throughout this manuscript and recall ChaCha permutation specifications. In section 3, we derive the lower and upper bound on the probability of the propagation of a rotational pair for ChaCha quarter round, for the full rounds, and for the full permutation. In section 4, we describe a distinguihser exploiting the above mentioned bounds. Finally, in section 5, we conclude the manuscript.

    1.3 Related works

    Often, rather than only considering the underlying permutation of Salsa and ChaCha, researchers study the so called Salsa (or ChaCha) core function (also

    3 The current SPHINCS submission to the NIST post-quantum standardization process does not use ChaCha anymore.

  • called ChaCha block function in [15]), whose output consists in applying the permutation and then xoring the output of the permutation with its input.

    Already in the specifications of Salsa20 [6], there is an example showing how the 0 vector is a fixed point for Salsa core function. This is also true for ChaCha.

    In [13], the authors find4 an invariant for Salsa core main building block, the quarterround function, that is then extended to the row-round and column-round functions. This allows them to find an input subset of size 232 for which the Salsa20 core behaves exactly as the transformation f(x) = 2x. This allows to construct 231 collisions for any number of rounds. They also show a differential characteristic with probability one that proves that the Salsa20 core does not have 2nd preimage resistance. In [3], it is pointed out that none of the results in [13] has an impact on security of Salsa20 stream cipher, due to the use of fixed constants in the input. Indeed, Salsa20 is not designed to be a collision-resistant compression function [4].

    In the Salsa20 security document [2, Section 4], two other symmetries of the cipher are reported, i.e.

    – shifting the entire Salsa20 core input array along the diagonal has exactly the same effect on the output, i.e.

    y0,0 y0,1 y0,2 y0,3 y1,0 y1,1 y1,2 y1,3 y2,0 y2,1 y2,2 y2,3 y3,0 y3,1 y3,2 y3,3

     = Salsa   x0,0 x0,1 x0,2 x0,3 x1,0 x1,1 x1,2 x1,3 x2,0 x2,1 x2,2 x2,3 x3,0 x3,1 x3,2 x3,3

     

     y3,3 y3,0 y3,1 y3,2 y0,3 y0,0 y0,1 y0,2 y1,3 y1,0 y1,1 y1,2 y2,3 y2,0 y2,1 y2,2

     = Salsa   x3,3 x3,0 x3,1 x3,2 x0,3 x0,0 x0,1 x0,2 x1,3 x1,0 x1,1 x1,2 x2,3 x2,0 x2,1 x2,2

      ;

    – the Salsa20 core operations are almost compatible with rotation of each input word by, say, 10 bits.

    This shift and rotation structures are eliminated by the use of fixed constants in the input diagonal. Precisely, the input diagonal is different from all its nontrivial shifts and all its nontrivial rotations and all nontrivial shifts of its nontrivial rotations. In other words, two distinct arrays with this diagonal are always in distinct orbits under the shift/rotate group.

    We are not aware of similar properties for the case of the C