Latin Dances Reloaded: Improved Cryptanalysis Against Salsa and ChaCha, and the Proposal of Forró
Saved in:
Published in: | Journal of cryptology 2023-07, Vol.36 (3), Article 18 |
---|---|
Main authors: | Coutinho, Murilo; Passos, Iago; Vásquez, Juan C. Grados; Sarkar, Santanu; de Mendonça, Fábio L. L.; de Sousa, Rafael T.; Borges, Fábio |
Format: | Article |
Language: | eng |
Subjects: | Algorithms; Approximation; Coding and Information Theory; Combinatorics; Communications Engineering; Computational Mathematics and Numerical Analysis; Computer Science; Cryptography; Diffusion rate; Encryption; Knowledge acquisition; Networks; Probability Theory and Stochastic Processes; Recovery; Research Article; Security |
Online access: | Full text |
container_end_page | |
---|---|
container_issue | 3 |
container_start_page | |
container_title | Journal of cryptology |
container_volume | 36 |
creator | Coutinho, Murilo; Passos, Iago; Vásquez, Juan C. Grados; Sarkar, Santanu; de Mendonça, Fábio L. L.; de Sousa, Rafael T.; Borges, Fábio |
description | In this paper, we present 4 major contributions to ARX ciphers and in particular, to the Salsa/ChaCha family of stream ciphers:
We propose an improved differential-linear distinguisher against ChaCha. To do so, we propose a new way to approach the derivation of linear approximations by viewing the algorithm in terms of simpler subrounds. Using this idea, we show that it is possible to derive almost all linear approximations from previous works from just 3 simple rules. Furthermore, we show that with one extra rule, it is possible to improve the linear approximations proposed by Coutinho and Souza at Eurocrypt 2021 (Coutinho and Neto, in: Canteaut, Standaert (eds) Advances in cryptology—EUROCRYPT 2021—40th annual international conference on the theory and applications of cryptographic techniques, Zagreb, Croatia, October 17–21, 2021, proceedings, Part I. Lecture notes in computer science, vol 12696, Springer, 2021).
We propose a technique called Bidirectional Linear Expansions (BLE) to improve attacks against Salsa. While previous works only considered linear expansions moving forward into the rounds, BLE explores the expansion of a single bit in both the forward and the backward direction. Applying BLE, we propose the first differential-linear distinguishers reaching 7 and 8 rounds of Salsa, and we improve Probabilistic Neutral Bit (PNB) key-recovery attacks against 8 rounds of Salsa.
At Eurocrypt 2022 (Dey et al. in Revamped differential-linear cryptanalysis on reduced round chacha, Springer, 2022), Dey et al. proposed a technique to combine two input–output positions in a PNB attack. In this paper, we generalize this technique to an arbitrary number of input–output positions. Combining this approach with BLE, we are able to improve key-recovery attacks against 7 rounds of Salsa.
Using all the knowledge acquired while studying the cryptanalysis of these ciphers, we propose some modifications in order to provide better diffusion per round and higher resistance to cryptanalysis, leading to a new stream cipher named Forró. We show that Forró has a higher security margin; this allows us to reduce the total number of rounds while maintaining the security level, thus creating a faster cipher on many platforms, especially on constrained devices.
Finally, we developed CryptDances, a new tool for the cryptanalysis of Salsa, ChaCha, and Forró designed to be used in high-performance environments with several GPUs. With CryptDances it is possible to compute differential correlations, to derive new linear approximations for ChaCha automatically, and to automate the computation of the complexity of PNB attacks, among other features. We make CryptDances available to the community at https://github.com/murcoutinho/cryptDances. |
doi_str_mv | 10.1007/s00145-023-09455-5 |
format | Article |
publisher | New York: Springer US |
rights | International Association for Cryptologic Research 2023. Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law. |
orcidid | https://orcid.org/0000-0001-7545-5040; https://orcid.org/0000-0002-3863-3714; https://orcid.org/0000-0001-5159-9517; https://orcid.org/0000-0003-1101-3029; https://orcid.org/0000-0001-7100-7304; https://orcid.org/0000-0002-6296-6041; https://orcid.org/0000-0001-6821-920X |
linktohtml | https://link.springer.com/10.1007/s00145-023-09455-5 |
linktopdf | https://link.springer.com/content/pdf/10.1007/s00145-023-09455-5 |
date | 2023-07-01 |
fulltext | fulltext |
identifier | ISSN: 0933-2790 |
ispartof | Journal of cryptology, 2023-07, Vol.36 (3), Article 18 |
issn | 0933-2790; 1432-1378 |
language | eng |
recordid | cdi_proquest_journals_2808311694 |
source | SpringerLink Journals - AutoHoldings |
subjects | Algorithms; Approximation; Coding and Information Theory; Combinatorics; Communications Engineering; Computational Mathematics and Numerical Analysis; Computer Science; Cryptography; Diffusion rate; Encryption; Knowledge acquisition; Networks; Probability Theory and Stochastic Processes; Recovery; Research Article; Security |
title | Latin Dances Reloaded: Improved Cryptanalysis Against Salsa and ChaCha, and the Proposal of Forró |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-08T20%3A49%3A51IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Latin%20Dances%20Reloaded:%20Improved%20Cryptanalysis%20Against%20Salsa%20and%20ChaCha,%20and%20the%20Proposal%20of%20Forr%C3%B3&rft.jtitle=Journal%20of%20cryptology&rft.au=Coutinho,%20Murilo&rft.date=2023-07-01&rft.volume=36&rft.issue=3&rft.artnum=18&rft.issn=0933-2790&rft.eissn=1432-1378&rft_id=info:doi/10.1007/s00145-023-09455-5&rft_dat=%3Cproquest_cross%3E2808311694%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2808311694&rft_id=info:pmid/&rfr_iscdi=true |