Improved Differential-Linear Attacks with Applications to ARX Ciphers

  • Research Article
  • Journal of Cryptology

Abstract

We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far.


Notes

  1. After presenting those results at CRYPTO 2020 [1], improved attacks on ChaCha have been proposed [26]. Later, [27] pointed out mistakes in some parts of [26], leading to an updated version that has been published on the Cryptology ePrint Archive [28]. Very recently, another improved differential-linear attack has been presented [25].

  2. Under the assumption that the sets \(\{\langle \Gamma _{\mathrm {out}}, E(x) \rangle \oplus \langle \Gamma _{\mathrm {out}}, E(x \oplus \Delta _{\mathrm {in}}) \rangle \mid x \in {\mathcal {X}}\}\) and \(\{\langle \Gamma _{\mathrm {out}}, E(x) \rangle \oplus \langle \Gamma _{\mathrm {out}}, E(x \oplus \Delta _{\mathrm {in}}) \rangle \mid x \in {\mathcal {S}}\}\) are indistinguishable, where \({\mathcal {S}}\) denotes a set of uniformly chosen samples of the same size as \({\mathcal {X}}\).

  3. Or at least with a cost much lower than \(p^{-1}\), see Sect. 5.2.

  4. The first case is exactly the one shown in [19], but its correlation was reported as \(2^{-6.1}\). We are not sure about the reason for this gap, but we think that \(2^{-6.1}\) refers to the bias instead of the correlation.

  5. The theoretical justification is discussed in [27] after the proposal of our original paper [1].

  6. This correlation was originally estimated with the key \(k_7\) varying randomly, whereas in an actual attack \(k_7\) is a fixed constant. Depending on the fixed key the correlation is much higher or lower, but averaged over the keys, which is the natural attack assumption for symmetric-key ciphers, the correlation is \(-2^{-1}\).

  7. This means that the success probability is \(0.491 \times 2 = 0.982\) under the condition that the right pair is successfully obtained during the \(2^{5}\) iterations.

  8. This is the same attack proposed in our original paper [1].

  9. This means that the success probability is almost 1 under the condition that the right pair is successfully obtained during the \(2^{5}\) iterations.

  10. When estimating \(\epsilon _a\), we used the average correlation. Using the median instead gives \(\epsilon _a = 2^{-11.1687}\), for which the data and time complexities become \(2^{49.7856}\) and \(2^{231.823}\), respectively.

  11. Several follow-up works [25,26,27, 41] have appeared since our original proposal [1]. Our attack is still the best 6-round key-recovery attack. Even for 7 rounds, no follow-up work has essentially improved the complexity yet. On the other hand, Coutinho and Neto presented more efficient distinguishing attacks in [41], and Miyashita, Ito, and Miyaji showed a key-recovery attack on 7.25 rounds in [25].

  12. Note that \({\mathcal {P}}\) is not necessarily a direct sum of \({\mathcal {P}}_1\), \({\mathcal {P}}_2\), and \({\mathcal {P}}_3\). In other words, the dimension of \({\mathcal {P}}\) might be smaller than 6, for instance if \(i=j\), i.e., \(\zeta _1 = \zeta _2\).

References

  1. C. Beierle, G. Leander, Y. Todo, Improved differential-linear attacks with applications to ARX ciphers, in Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Proceedings, Part III. LNCS, vol. 12172 (Springer, Cham, 2020), pp. 329–358

  2. M. Broll, F. Canale, N. David, A. Flórez-Gutiérrez, G. Leander, M. Naya-Plasencia, Y. Todo, Further improving differential-linear attacks: Applications to Chaskey and Serpent. IACR Cryptol. ePrint Arch. 2021, 820 (2021). https://eprint.iacr.org/2021/820

  3. A. Shimizu, S. Miyaguchi, Fast data encipherment algorithm FEAL, in Chaum, D., Price, W.L. (eds.) EUROCRYPT ’87, Proceedings. LNCS, vol. 304 (Springer, Berlin, Heidelberg, 1987), pp. 267–278

  4. D.J. Bernstein, The Salsa20 family of stream ciphers, in Robshaw, M.J.B., Billet, O. (eds.) New Stream Cipher Designs - The eSTREAM Finalists. LNCS, vol. 4986 (Springer, Berlin, Heidelberg, 2008), pp. 84–97

  5. D.J. Bernstein, ChaCha, a variant of Salsa20 (2008). http://cr.yp.to/chacha.html

  6. J.-P. Aumasson, L. Henzen, W. Meier, R.C.-W. Phan, SHA-3 proposal Blake. Submission to NIST (2008)

  7. J. Aumasson, S. Neves, Z. Wilcox-O’Hearn, C. Winnerlein, BLAKE2: simpler, smaller, fast as MD5, in Jr., M.J.J., Locasto, M.E., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013, Proceedings. LNCS, vol. 7954 (Springer, Berlin, Heidelberg, 2013), pp. 119–135

  8. D. Dinu, L. Perrin, A. Udovenko, V. Velichkov, J. Großschädl, A. Biryukov, Design strategies for ARX with provable bounds: Sparx and LAX, in Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Proceedings, Part I. LNCS, vol. 10031 (Springer, Berlin, Heidelberg, 2016), pp. 484–513

  9. C. Beierle, A. Biryukov, L.C. dos Santos, J. Großschädl, L. Perrin, A. Udovenko, V. Velichkov, Q. Wang, Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symmetric Cryptol. 2020(S1), 208–261 (2020)

  10. N. Mouha, B. Mennink, A.V. Herrewege, D. Watanabe, B. Preneel, I. Verbauwhede, Chaskey: An efficient MAC algorithm for 32-bit microcontrollers, in Joux, A., Youssef, A.M. (eds.) SAC 2014, Revised Selected Papers. LNCS, vol. 8781 (Springer, Cham, 2014), pp. 306–323

  11. L.R. Knudsen, D.A. Wagner, Integral cryptanalysis, in Daemen, J., Rijmen, V. (eds.) FSE 2002, Revised Papers. LNCS, vol. 2365 (Springer, Berlin, Heidelberg, 2002), pp. 112–127

  12. Y. Todo, G. Leander, Y. Sasaki, Nonlinear invariant attack: Practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32(4), 1383–1422 (2019)

  13. D. Khovratovich, I. Nikolic, Rotational cryptanalysis of ARX, in Hong, S., Iwata, T. (eds.) FSE 2010, Revised Selected Papers. LNCS, vol. 6147 (Springer, Berlin, Heidelberg, 2010), pp. 333–346

  14. E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

  15. M. Matsui, Linear cryptanalysis method for DES cipher, in Helleseth, T. (ed.) EUROCRYPT ’93, Proceedings. LNCS, vol. 765 (Springer, Berlin, Heidelberg, 1993), pp. 386–397

  16. H. Lipmaa, S. Moriai, Efficient algorithms for computing differential properties of addition, in Matsui, M. (ed.) FSE 2001, Revised Papers. LNCS, vol. 2355 (Springer, Berlin, Heidelberg, 2001), pp. 336–350

  17. J. Wallén, Linear approximations of addition modulo 2\({}^{\text{n}}\), in Johansson, T. (ed.) FSE 2003, Revised Papers. LNCS, vol. 2887 (Springer, Berlin, Heidelberg, 2003), pp. 261–273

  18. S.K. Langford, M.E. Hellman, Differential-linear cryptanalysis, in Desmedt, Y. (ed.) CRYPTO ’94, Proceedings. LNCS, vol. 839 (Springer, Berlin, Heidelberg, 1994), pp. 17–25

  19. G. Leurent, Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning, in Fischlin, M., Coron, J. (eds.) EUROCRYPT 2016, Proceedings, Part I. LNCS, vol. 9665 (Springer, Berlin, Heidelberg, 2016), pp. 344–371

  20. A.R. Choudhuri, S. Maitra, Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. IACR Trans. Symmetric Cryptol. 2016(2), 261–287 (2016)

  21. S. Dey, S. Sarkar, Improved analysis for reduced round Salsa and Chacha. Discrete Appl. Math. 227, 58–69 (2017)

  22. J. Aumasson, S. Fischer, S. Khazaei, W. Meier, ,C. Rechberger, New features of Latin dances: Analysis of Salsa, ChaCha, and Rumba, in Nyberg, K. (ed.) FSE 2008, Revised Selected Papers. LNCS, vol. 5086 (Springer, Berlin, Heidelberg, 2008), pp. 470–488

  23. Z. Shi, B. Zhang, D. Feng, W. Wu, Improved key recovery attacks on reduced-round Salsa20 and ChaCha, in Kwon, T., Lee, M., Kwon, D. (eds.) ICISC 2012, Revised Selected Papers. LNCS, vol. 7839 (Springer, Berlin, Heidelberg, 2012), pp. 337–351

  24. S. Maitra, Chosen IV cryptanalysis on reduced round ChaCha and Salsa. Discrete Appl. Math. 208, 88–97 (2016)

  25. S. Miyashita, R. Ito, A. Miyaji, Pnb-focused differential cryptanalysis of ChaCha stream cipher. IACR Cryptol. ePrint Arch. 2021, 1537 (2021). https://eprint.iacr.org/2021/1537 (to appear at ACISP 2022)

  26. M. Coutinho, T.C.S. Neto, Improved linear approximations to ARX ciphers and attacks against ChaCha, in Canteaut, A., Standaert, F. (eds.) EUROCRYPT 2021, Proceedings, Part I. LNCS, vol. 12696 (Springer, Cham, 2021), pp. 711–740

  27. S. Dey, C. Dey, S. Sarkar, W. Meier, Revisiting cryptanalysis on ChaCha from Crypto 2020 and Eurocrypt 2021. IEEE Trans. Inf. Theory 68(9),6114–6133 (2022). https://doi.org/10.1109/TIT.2022.3171865

  28. M. Coutinho, T.C.S. Neto, Improved linear approximations to ARX ciphers and attacks against ChaCha. IACR Cryptol. ePrint Arch. 2021, 224 (2021). https://eprint.iacr.org/2021/224

  29. E. Biham, Y. Carmeli, An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X, in Joux, A., Youssef, A.M. (eds.) SAC 2014, Revised Selected Papers. LNCS, vol. 8781 (Springer, Cham, 2014), pp. 59–76

  30. J. Neyman, E.S. Pearson, On the problem of the most efficient tests of statistical hypotheses. Philos. Trans. R. Soc. Lond. Ser. A Containing Papers of a Mathematical or Physical Character 231, 289–337 (1933)

  31. T. Baignères, P. Junod, S. Vaudenay, How far can we go beyond linear cryptanalysis? in Lee, P.J. (ed.) ASIACRYPT 2004, Proceedings. LNCS, vol. 3329 (Springer, Berlin, Heidelberg, 2004), pp. 432–450

  32. C. Blondeau, B. Gérard, K. Nyberg, Multiple differential cryptanalysis using LLR and \(\chi \) 2 statistics, in Visconti, I., Prisco, R.D. (eds.) SCN 2012, Proceedings. LNCS, vol. 7485 (Springer, Berlin, Heidelberg, 2012), pp. 343–360

  33. B. Collard, F. Standaert, J. Quisquater, Improving the time complexity of Matsui’s linear cryptanalysis, in Nam, K., Rhee, G. (eds.) ICISC 2007, Proceedings. LNCS, vol. 4817 (Springer, Berlin, Heidelberg, 2007), pp. 77–88

  34. E. Biham, O. Dunkelman, N. Keller, Enhancing differential-linear cryptanalysis, in Zheng, Y. (ed.) ASIACRYPT 2002, Proceedings. LNCS, vol. 2501 (Springer, Berlin, Heidelberg, 2002), pp. 254–266

  35. A. Bar-On, O. Dunkelman, N. Keller, A. Weizman, DLCT: A new tool for differential-linear cryptanalysis, in Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Proceedings, Part I. LNCS, vol. 11476 (Springer, Cham, 2019), pp. 313–342

  36. S. Knellwolf, W. Meier, M. Naya-Plasencia, Conditional differential cryptanalysis of NLFSR-based cryptosystems, in Abe, M. (ed.) ASIACRYPT 2010, Proceedings. LNCS, vol. 6477 (Springer, Berlin, Heidelberg, 2010), pp. 130–145

  37. C. Blondeau, G. Leander, K. Nyberg, Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017)

  38. C. Carlet, Boolean Functions for Cryptography and Coding Theory (Cambridge University Press, Cambridge, 2021)

  39. K. Nyberg, Linear approximation of block ciphers, in Santis, A.D. (ed.) EUROCRYPT 1994. LNCS, vol. 950 (Springer, Berlin, Heidelberg, 1994), pp. 439–444

  40. N. Mouha, Chaskey: a MAC algorithm for microcontrollers - status update and proposal of Chaskey-12. IACR Cryptol. ePrint Arch. 2015, 1182 (2015). https://eprint.iacr.org/2015/1182

  41. M. Coutinho, T.C.S. Neto, New multi-bit differentials to improve attacks against ChaCha. IACR Cryptol. ePrint Arch. 2020, 350 (2020). https://eprint.iacr.org/2020/350

Acknowledgements

We thank the reviewers for their detailed and helpful comments. We further thank Lukas Stennes for checking the application of our framework to ChaCha in a first version of this paper. We also thank Juan del Carmen Grados Vásquez for pointing out the use of the median to evaluate the PNB-based key recovery. This work was partially funded by Deutsche Forschungsgemeinschaft (DFG) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 714294 - acronym QUASYModo).

Author information

Corresponding author: Yosuke Todo.

Additional information

Communicated by Joan Daemen.

This article is an extended version of the paper presented at CRYPTO 2020 [1]. Some further improvements introduced in [2] are included.

Appendices

Appendix A: Summary of Partitioning

We summarize various partition rules for modular addition. Since every case has a very high absolute correlation, the correlation of each case can be verified experimentally.

A.1 Single Modular Addition

Fig. 15: Partitions for a single modular addition

Let us start with the simplest case, a single modular addition. To compute the parities \(z_0[i]\) and \(z_0[i] \oplus z_0[i-1]\) (denoted \(z_0[i,i-1]\) for short) from \(c_0\) and \(c_1\) (see Fig. 15), we represent each element of \({\mathcal {P}}\) as a two-bit value \(b_0b_1\), thereby dividing the whole set into four subsets

$$\begin{aligned} {\mathcal {T}}_{b_0b_1} = \{ (y_1, y_0) \in ({\mathbb {F}}_2^n)^2 \mid b_0b_1 \cong s[i-1] \Vert s[i-2] \}, \end{aligned}$$

where \(s = {{\bar{y}}}_1 \oplus y_0\). Note that these partitions can be constructed by guessing two bits of key information, namely \((k_1 \oplus k_0)[i-1]\) and \((k_1 \oplus k_0)[i-2]\). The linear masks used in the previous partitioning technique involve 4 bits, i.e., \(y_1[i]\), \(y_0[i]\), \(y_0[i-1]\), and \(y_0[i-2]\). Our new partitioning technique additionally involves \(y_0[i-3]\), and the parities \(z_0[i]\) and \(z_0[i,i-1]\) are approximated by

$$\begin{aligned} \langle \gamma , y_1[i] \Vert y_0[i] \Vert y_0[i-1] \Vert y_0[i-2] \Vert y_0[i-3] \rangle , \end{aligned}$$

where \(\gamma \) and the corresponding correlations are summarized in Fig. 15.

A.2 More Complicated Case

Fig. 16: Partition for two consecutive modular additions

In a similar way, we can extend the technique for the case of two consecutive modular additions. A concrete example, which is used to attack 7-round Chaskey, is shown in Fig. 16.

The goal is to compute the parity \(z_2[11]\) and \(z_2[11,10]\) from \(c_1\), \(c_2\), and \(c_3\) (see Fig. 16). We split the ciphertext into \(2^5\) partitions (this time indexed by five-bit values \(b_0b_1b_2b_3b_4\) representing the generic element of \({\mathcal {P}}\)) in the following way:

$$\begin{aligned} {\mathcal {T}}_{b_0b_1b_2b_3b_4} = \{ (v_1, v_2, v_3) \in ({\mathbb {F}}_2^n)^3 \mid b_0b_1b_2b_3b_4 \cong&(v_3[18] \oplus v_2[17] \oplus v_2[9]) \Vert \\&\quad s[10] \Vert s[9] \Vert s[18] \Vert s[17] \}, \end{aligned}$$

where \(s = {{\bar{v}}}_1 \oplus v_2\). To make the previously discarded partitions usable, our new partitioning technique additionally involves \(v_2[8]\) and \(v_2[16]\), and the parities \(z_2[11]\) and \(z_2[11,10]\) are approximated by

$$\begin{aligned} \langle \gamma , v_3[19] \Vert v_1[11] \Vert v_2[11] \Vert v_2[10] \Vert v_2[9] \Vert v_2[8] \Vert v_1[19] \Vert v_2[19] \Vert v_2[18] \Vert v_2[17] \Vert v_2[16] \rangle , \end{aligned}$$

where \(\gamma \) is chosen appropriately following Fig. 16. We remark that this new way of partitioning the ciphertexts allows us to find high-absolute-correlation masks for all 32 partitions, up from the 24 used in the original [1].

Appendix B: Understanding Partition Points

B.1 A Simple Toy Example

We transfer the above terminology to the simple toy example given in Fig. 17 and already discussed earlier in Sect. 2.2. In this example, for a fixed \(i\ge 2\), we want to evaluate \(z_0[i]\) or \(z_0[i]\oplus z_0[i-1]\) by using the partitioning rules as expressed in Lemma 2 and Lemma 3. For this, we say that \((z_0[i],z_0[i]\oplus z_0[i-1])\) defines a partition point \(\zeta \). This partition point gives rise to a 2-dimensional subspace \({\mathcal {P}}\) which can be defined by two parity check equations, i.e., \({\mathcal {P}}\) is a complement space of the space

$$\begin{aligned} {\mathcal {R}}= \{ (x_1,x_0) \in {\mathbb {F}}_2^{2m} \mid x_0[i-1] \oplus {{\bar{x}}}_1[i-1] = 0 \text { and } x_0[i-2] \oplus {{\bar{x}}}_1[i-2] = 0\} . \end{aligned}$$

For example, \({\mathcal {P}}\) can be chosen as \(\{([],[]),([i-1],[]),([i-2],[]),([i-2,i-1],[])\}\).

Fig. 17: A simple toy example with a single modular addition

To demonstrate the attack from the previous section, we split \({\mathbb {F}}_2^{2m}\) into the direct sum \({\mathcal {P}}\oplus {\mathcal {R}}\). By the isomorphism between \({\mathcal {P}}\) and \({\mathbb {F}}_2^2\), we can identify the elements \(p \in {\mathcal {P}}\) with two-bit values \(p \cong b_0b_1\), where \(b_0\) indicates the parity of \(x_0[i-1] \oplus {{\bar{x}}}_1[i-1]\) and \(b_1\) indicates the parity of \(x_0[i-2] \oplus {{\bar{x}}}_1[i-2]\). We then consider the following four tuples \(({\mathcal {T}}_{b_0b_1},\Gamma _{\mathrm {out}}^{(b_0b_1)},\gamma ^{(b_0b_1)})\) and corresponding \(\varepsilon _{b_0b_1}\), whose definitions come from the properties presented in Lemmas 2 and 3:

$$\begin{aligned} \begin{array}{ll} {\mathcal {T}}_{\mathtt {00}} = {\mathcal {R}}\oplus \mathtt {00} = {\mathcal {S}}_{\mathtt {00}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {00})} = ([],[i]) \\ \gamma ^{(\mathtt {00})}= ([i],[i,i-1]) \quad &{} \varepsilon _{\mathtt {00}} = -1 \\ {\mathcal {T}}_{\mathtt {01}} = {\mathcal {R}}\oplus \mathtt {01} = {\mathcal {S}}_{\mathtt {01}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i]) \\ \gamma ^{(\mathtt {01})}= ([i],[i,i-1]) \quad &{} \varepsilon _{\mathtt {01}} = -1 \\ {\mathcal {T}}_{\mathtt {10}}= {\mathcal {R}}\oplus \mathtt {10} = {\mathcal {S}}_{\mathtt {10}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {10})} = ([],[i]) \\ \gamma ^{(\mathtt {10})}= ([i],[i,i-2]) \quad &{} \varepsilon _{\mathtt {10}} = -1 \\ {\mathcal {T}}_{\mathtt {11}}= {\mathcal {R}}\oplus \mathtt {11} = {\mathcal {S}}_{\mathtt {11}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {11})} = ([],[i]) \\ \gamma ^{(\mathtt {11})}= ([i],[i,i-3]) \quad &{} \varepsilon _{\mathtt {11}} = -2^{-1}. \\ \end{array} \end{aligned}$$

and

$$\begin{aligned} \begin{array}{ll} {\mathcal {T}}_{\mathtt {00}} = {\mathcal {R}}\oplus \mathtt {00} = {\mathcal {S}}_{\mathtt {00}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {00})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {00})}= ([i],[i,i-1,i-2]) \quad &{} \varepsilon _{\mathtt {00}} = -1 \\ {\mathcal {T}}_{\mathtt {01}} = {\mathcal {R}}\oplus \mathtt {01} = {\mathcal {S}}_{\mathtt {01}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {01})}= ([i],[i,i-1,i-3]) \quad &{} \varepsilon _{\mathtt {01}} = -2^{-1} \\ {\mathcal {T}}_{\mathtt {10}}= {\mathcal {R}}\oplus \mathtt {10} = {\mathcal {S}}_{\mathtt {10}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {10})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {10})}= ([i],[i]) \quad &{} \varepsilon _{\mathtt {10}} = 1 \\ {\mathcal {T}}_{\mathtt {11}}= {\mathcal {R}}\oplus \mathtt {11} = {\mathcal {S}}_{\mathtt {11}} \quad &{} \Gamma _{\mathrm {out}}^{(\mathtt {11})} = ([],[i,i-1]) \\ \gamma ^{(\mathtt {11})}= ([i],[i]) \quad &{} \varepsilon _{\mathtt {11}} = 1. \\ \end{array} \end{aligned}$$

As an example, we give the intuition behind the choice of the second tuple, i.e., for \((y_1,y_0) \in {\mathcal {S}}_{\mathtt {01}}\). Lemma 2 tells us that \(\langle ([],[i]) ,(z_1,z_0) \rangle = \langle ([i],[i,i-1]), (y_1,y_0) \rangle \oplus 1\), i.e., \(\varepsilon _{\texttt {0}{} \texttt {1}} = {{\textbf {Cor}}}_{y \in {\mathcal {T}}_{\texttt {0}{} \texttt {1}}} [\langle ({[}{]},[i]),z \rangle \oplus \langle ([i],[i,i-1]),y \rangle ] = -1\). On the other hand, Lemma 3 tells us that there is no linear representation with absolute correlation 1 for this subset. Thus, if available, we should use \(\Gamma _{\mathrm {out}}^{(\mathtt {01})} = ([],[i])\) for this subset.

We further have

$$\begin{aligned} W&= \mathrm {Span}\{ \gamma ^{(a)} \oplus \gamma ^{(b)} \mid a,b \in {\mathbb {F}}_2^2\} \\&= \{ ([],[]),([],[i-1]),([],[i-2]),([],[i-1,i-2]), \\&\quad \quad ([],[i-3]),([],[i-1,i-3]),([],[i-2,i-3]),([],[i-1,i-2,i-3])\}, \end{aligned}$$

and in the last step we can recover the three key bits \(k_0[i-1]\), \(k_0[i-2]\), and \(k_0[i-3]\) using the fast Walsh–Hadamard transform.

B.2 Toy Example Using Multiple Partition Points

Let us now look at another example which consists of two branches of the structure depicted in Fig. 17 in parallel, i.e., \((y_3,y_2,y_1,y_0) = (F(z_3,z_2),F(z_1,z_0))\) and \(c_i = y_i \oplus k_i\). By using a single partition point as done in the above example, we can only evaluate the parity of at most two (consecutive) bits of \(z = (z_3,z_2,z_1,z_0)\). Instead of just one single partition point, we can also consider multiple partition points. For example, if we want to evaluate the parity involving three non-consecutive bits of \(z = (z_3,z_2,z_1,z_0)\), we can use three partition points, i.e.,

$$\begin{aligned} \zeta _1&=(z_0[i],z_0[i] \oplus z_0[i-1]),\\ \zeta _2&=(z_0[j],z_0[j] \oplus z_0[j-1]),\\ \zeta _3&=(z_2[\ell ],z_2[\ell ] \oplus z_2[\ell -1]), \end{aligned}$$

where \(i,j,\ell \ge 3\). In a specific attack, the choice of the partition points depends on the definition of the linear trail. Those partition points give rise to three subspaces \({\mathcal {P}}_1\), \({\mathcal {P}}_2\), and \({\mathcal {P}}_3\), defined by two parity-check equations each, i.e., \({\mathcal {P}}_i\) is a complement space of \({\mathcal {R}}_i\), where

$$\begin{aligned} {\mathcal {R}}_1&= \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid x_0[i-1] \oplus {{\bar{x}}}_1[i-1] = 0, x_0[i-2] \oplus {{\bar{x}}}_1[i-2] = 0\}\\ {\mathcal {R}}_2&= \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid x_0[j-1] \oplus {{\bar{x}}}_1[j-1] = 0, x_0[j-2] \oplus {{\bar{x}}}_1[j-2] = 0\}\\ {\mathcal {R}}_3&= \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid x_2[\ell -1] \oplus {{\bar{x}}}_3[\ell -1] = 0, x_2[\ell -2] \oplus {{\bar{x}}}_3[\ell -2] = 0\}. \end{aligned}$$

By defining \({\mathcal {P}}= {\mathcal {P}}_1 \oplus {\mathcal {P}}_2 \oplus {\mathcal {P}}_3\) (see Note 12) and \({\mathcal {R}}\) to be a complement space of \({\mathcal {P}}\), we split \({\mathbb {F}}_2^{4m}\) into the direct sum \({\mathcal {P}}\oplus {\mathcal {R}}\).

We can identify the elements \(p \in {\mathcal {P}}\) by \(n_{{\mathcal {P}}}\)-bit values \(p \cong b_0b_1\dots b_{n_{{\mathcal {P}}}-1}\). We can then again define tuples

$$\begin{aligned} ({\mathcal {T}}_{b_0b_1\dots b_{n_{{\mathcal {P}}}-1}},\Gamma _{\mathrm {out}}^{(b_0b_1\dots b_{n_{{\mathcal {P}}}-1})},\gamma ^{(b_0b_1\dots b_{n_{{\mathcal {P}}}-1})})\end{aligned}$$
(9)

by using the properties presented in Lemma 2 and Lemma 3. For example, if \(n_{{\mathcal {P}}} = 6\), we can define

$$\begin{aligned} {\mathcal {T}}_{\mathtt {010101}} = \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid&x_0[i-1] \ne x_1[i-1], x_0[i-2] = x_1[i-2],\\&x_0[j-1]\ne x_1[j-1], x_0[j-2]= x_1[j-2],\\&x_2[\ell -1] \ne x_3[\ell -1],x_2[\ell -2] = x_3[\ell -2] \}, \end{aligned}$$

\(\Gamma _{\mathrm {out}}^{(\mathtt {010101})} = ([],[\ell ],[],[i,j]), \quad \gamma ^{(\mathtt {010101})} = ([\ell ],[\ell ,\ell -1],[i,j],[i,i-1,j,j-1])\), and \(\varepsilon _{\mathtt {010101}} = -1\) by using the first case of Lemma 2.

We can also use the three partition points to compute the parity of more than three bits of z. For example, if \(n_{{\mathcal {P}}} = 6\), by using Lemma 2 and 3, we can define

$$\begin{aligned} {\mathcal {T}}_{\mathtt {001011}} = \{ (x_3,x_2,x_1,x_0) \in {\mathbb {F}}_2^{4m} \mid&x_0[i-1] \ne x_1[i-1], x_0[i-2] \ne x_1[i-2],\\&x_0[j-1]=x_1[j-1], x_0[j-2]\ne x_1[j-2],\\&x_2[\ell -1]=x_3[\ell -1],x_2[\ell -2]=x_3[\ell -2] \}, \end{aligned}$$

and

$$\begin{aligned} \Gamma _{\mathrm {out}}^{(\mathtt {001011})}&= ([],[\ell ,\ell -1],[],[i,i-1,j])\\ \gamma ^{(\mathtt {001011})}&= ([\ell ],[\ell ],[i,j],[i,i-1,i-2,j,j-2]), \quad \varepsilon _{\mathtt {001011}} = 1, \end{aligned}$$

which evaluates the parity of five bits of z. Again, several choices for the definition of the tuples in Eq. (9) are possible.
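The following Python script is an added worked example, not code from the paper, for the partition rule of Appendix A.1 and the two tables above, extended to the composition of several partition points as in the examples just given. It assumes that the toy structure of Fig. 17 is \(y_1 = z_1\), \(y_0 = z_0 \boxplus z_1\) (so \(z_0 = y_0 \boxminus y_1\) and the label \(s = {\bar{y}}_1 \oplus y_0\) records whether the borrow into a bit is determined by the bit below it or propagates), and it fixes a word size \(N = 8\) and positions \(i = 7\), \(j = 4\), \(\ell = 5\) for illustration; all of these are assumptions of the example. It enumerates every input to confirm the eight correlations of the two tables exactly, and composes the masks and correlations of \({\mathcal {T}}_{\mathtt {010101}}\) and \({\mathcal {T}}_{\mathtt {001011}}\), checking the composed correlation by sampling.

```python
"""Partitioning rules for modular addition (Appendices A.1, B.1 and B.2).

Added example, not code from the paper.  Assumed model of the toy example of
Fig. 17: y1 = z1 and y0 = z0 (+) z1 mod 2^N, hence z0 = y0 (-) y1 and the
parity of z0[i] is governed by the borrow into bit i.  Bits are indexed from
the LSB; a mask is a list of bit positions per word, in the paper's notation,
e.g. ([i],[i,i-1]) = (mask on y1, mask on y0).
"""
import random
from itertools import product

N = 8                        # toy word size (assumption)
MASK = (1 << N) - 1


def bit(x, j):
    return (x >> j) & 1


def parity(masks, words):
    """<Gamma, x> for a tuple of masks and the tuple of words they apply to."""
    return sum(bit(w, j) for m, w in zip(masks, words) for j in m) & 1


def label(y1, y0, i):
    """Two-bit partition label b0b1 = s[i-1] || s[i-2] with s = ~y1 ^ y0.
    s[j] = 1 iff y0[j] = y1[j], i.e. iff the borrow of y0 - y1 propagates
    through bit j; s[j] = 0 means the borrow out of bit j equals ~y0[j]."""
    s = (~y1 ^ y0) & MASK
    return (bit(s, i - 1) << 1) | bit(s, i - 2)


def rule(i, b, two_bit):
    """The two tables of Appendix B.1: (gamma on y1, gamma on y0, epsilon) for
    partition b in 0..3 when the target is z0[i] (two_bit=False) or
    z0[i]^z0[i-1] (two_bit=True).  Requires i >= 3."""
    if not two_bit:
        return {0: ([i], [i, i - 1], -1), 1: ([i], [i, i - 1], -1),
                2: ([i], [i, i - 2], -1), 3: ([i], [i, i - 3], -0.5)}[b]
    return {0: ([i], [i, i - 1, i - 2], -1), 1: ([i], [i, i - 1, i - 3], -0.5),
            2: ([i], [i], 1), 3: ([i], [i], 1)}[b]


def single_addition_correlations(i, two_bit):
    """Exact correlation per partition of <Gamma_out, z> ^ <gamma^(b), y> over
    all 2^(2N) inputs (z1, z0); Gamma_out is ([],[i]) or ([],[i,i-1])."""
    gamma_out = ([], [i, i - 1] if two_bit else [i])
    cnt = {b: [0, 0] for b in range(4)}
    for z1, z0 in product(range(1 << N), repeat=2):
        y = (z1, (z0 + z1) & MASK)                  # F(z1, z0) of Fig. 17
        b = label(y[0], y[1], i)
        g1, g0, _ = rule(i, b, two_bit)
        f = parity(gamma_out, (z1, z0)) ^ parity((g1, g0), y)
        cnt[b][f] += 1
    return {b: (c[0] - c[1]) / sum(c) for b, c in cnt.items()}


def compose(points, labels):
    """Combine several partition points as in Appendix B.2.  points[k] is
    (branch, i, two_bit): branch 0 is the pair (x1, x0), branch 1 is (x3, x2).
    Returns (Gamma_out, gamma, epsilon) on the words (x3, x2, x1, x0); masks
    are XORed (a position appearing twice cancels) and epsilon is the product
    of the per-point correlations, exact whenever every factor is +-1."""
    gout, gam, eps = [set() for _ in range(4)], [set() for _ in range(4)], 1
    for (branch, i, two_bit), b in zip(points, labels):
        hi, lo = (0, 1) if branch else (2, 3)       # indices of (x_{2k+1}, x_{2k})
        gout[lo] ^= {i, i - 1} if two_bit else {i}
        g1, g0, e = rule(i, b, two_bit)
        gam[hi] ^= set(g1)
        gam[lo] ^= set(g0)
        eps *= e
    return tuple(sorted(s) for s in gout), tuple(sorted(s) for s in gam), eps


def sampled_correlation(points, labels, samples=1024, seed=1):
    """Monte-Carlo correlation of the composed approximation on the subset
    T_labels, from `samples` random inputs that fall into that subset."""
    gout, gam, _ = compose(points, labels)
    rng, acc = random.Random(seed), [0, 0]
    while sum(acc) < samples:
        z = tuple(rng.randrange(1 << N) for _ in range(4))      # (z3, z2, z1, z0)
        x = (z[0], (z[1] + z[0]) & MASK, z[2], (z[3] + z[2]) & MASK)
        if all(label(x[0 if br else 2], x[1 if br else 3], i) == b
               for (br, i, _), b in zip(points, labels)):
            acc[parity(gout, z) ^ parity(gam, x)] += 1
    return (acc[0] - acc[1]) / sum(acc)


if __name__ == "__main__":
    I, J, L = 7, 4, 5                               # i, j, l >= 3 (assumption)
    print(single_addition_correlations(I, False))   # {0: -1.0, 1: -1.0, 2: -1.0, 3: -0.5}
    print(single_addition_correlations(I, True))    # {0: -1.0, 1: -0.5, 2: 1.0, 3: 1.0}
    pts = [(0, I, False), (0, J, False), (1, L, False)]      # T_010101 of Appendix B.2
    print(compose(pts, [1, 1, 1]), sampled_correlation(pts, [1, 1, 1]))   # ..., -1.0
    pts = [(0, I, True), (0, J, False), (1, L, True)]        # T_001011 of Appendix B.2
    print(compose(pts, [0, 2, 3]), sampled_correlation(pts, [0, 2, 3]))   # ..., 1.0
```

The exhaustive check shows why the \(\pm 2^{-1}\) entries are exactly \(\pm 2^{-1}\): in those partitions the borrow propagates two positions, so the approximation \(y_0[i-3]\) is exact when \(y_0[i-3] \ne y_1[i-3]\) and uncorrelated otherwise. Note that `compose` simply multiplies the per-point correlations; this is exact for the two examples, since every factor is \(\pm 1\), but for partitions with a \(\pm 2^{-1}\) entry the product is only a heuristic, which is the situation Note 12 and the text around Eq. (9) caution about.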

B.3 Analysis for Two Consecutive Modular Additions

To avoid the usage of long linear trails and to reduce the data complexity, we may use the partition technique for the more complicated structure of two consecutive modular additions. Inspired by the round function of Chaskey, we consider the case depicted in Fig. 16.

Suppose that we have two partition points, i.e.,

$$\begin{aligned} \zeta _1&=(z_2[i], z_2[i] \oplus z_2[i-1]), \\ \zeta _2&=(z_3[j], z_3[j,j-1]), \end{aligned}$$

where \(i,j \ge 3\). We use the same strategy as described in “Appendix B.2”. Namely, we identify the elements \(p \in {\mathcal {P}}\) with \((5+2)\)-bit values, where the 5-bit and 2-bit indicators come from the partition points \(\zeta _1\) and \(\zeta _2\), respectively. The applied linear masks and the corresponding correlations can be computed as depicted in Figs. 15 and 16.

Appendix C: Exploiting the Conditions for Finding Chaskey Relations

Fig. 18: Conditions on the differential transitions for the first 3 rounds of Chaskey

In Fig. 18, we depict the relations and the influence of the input bits on the conditions of the differential path. The bits that stay white (and have no pink beneath them, coming from the carries of the furthest additions) are the bits that do not affect the differential transitions.

The bits listed in [1] as available for sampling with probability one are exactly the white ones, i.e., those not needed for the differential conditions: [31,30,25,24,23,22,20,19,18,17,16] of \(v_2\) and [23,22,20,19,18,17,16] of \(v_3\). The differences are shown in gray and the dependencies in colors. A ‘g’ at the position of a difference means that this difference goes away (is absorbed) after the next addition, an ‘s’ means that the difference stays where it is, and an ‘m’ means that it moves one position to the left. The color of the bits with differences in each transition is applied to all the bits that might affect this transition. Carries are not applied directly to the involved bits but to the row above, to record the difference they imply.

Note, for instance, that bits 28 and 27 of \(v_2\) cannot be included, since the carry into position 29 is needed by the orange bit relations, i.e., the differences after one round at position 29 of \(v_2\) and \(v_3\); as explained in Sect. 5.3, however, the bits below positions 26 and 27 no longer affect this orange carry because of the particular configuration of positions 26 and 27. The bits listed in [1] as neutral with very high probability are 20 and 19 of \(v_1\), 31, 20 and 19 of \(v_0\), and 25 and 24 of \(v_3\).

Let us now see how we can use the conditional differential ideas and Fig. 18 to recover the value of some key bits for free, and also to find additional bits of information for sampling, increasing the dimension of \({\mathcal {U}}\) from 18 as given in [1] (involving exclusively one-bit relations) to 22, or to 23 if a one-bit relation on the key is known.

Additional space for sampling

Using Fig. 18 we can try to exploit the conditions to find more involved relations that increase the size of \({\mathcal {U}}\). Let us give an example. Imagine we flip the bit \(v_0[8]\). The corresponding difference, marked with a ‘g’, changes parity. For this difference still to be absorbed, we also need to flip the other blue difference that absorbs it, \(v_1[8]\). However, flipping \(v_1[8]\) also flips the value of the bit \(v_1[13]\) after one round, which does not contain a difference: to produce it, \(v_1[8]\) is rotated by 5 positions and XORed with the sum of \(v_0\) and \(v_1\), which has a difference at position 13, marked with an ‘s’. These differences cancel out in both cases, but the value of the resulting bit changes with the parity of \(v_1[8]\), and the value of this pink bit affects the final light-pink transition in the third round, as can be seen in the figure.

To avoid this, we also have to flip \(v_1[13]\): the state \(v_1\) after one round is then unchanged, but the orange bit \(v_2[29]\) after one round, which contains a difference and a ‘g’, has its parity changed. To keep the related transition satisfied, we also need to change the parity of the other orange bit with a ‘g’: we flip \(v_2[29]\) in the first round, which carries no difference but changes the parity of \(v_3[29]\) after the XOR. This bit has no further influence on the remaining transitions, so we have found a closed relation. In total, we found four new probability-one relations by hand using this technique. We verified these relations and exhaustively searched all relations of weight at most 3, finding that no other such relations exist.

About this article

Cite this article

Beierle, C., Broll, M., Canale, F. et al. Improved Differential-Linear Attacks with Applications to ARX Ciphers. J Cryptol 35, 29 (2022). https://doi.org/10.1007/s00145-022-09437-z
