The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion
Practical Cryptanalysis of ARMADILLO-2
Thomas Peyrin (joint work with María Naya-Plasencia)
Nanyang Technological University - Singapore
ASK 2012
Nagoya, Japan - August 29, 2012
Outline
The ARMADILLO-2 function
Free-start collision attack
Semi-free-start collision attack
Conclusion
The ARMADILLO-2 function
What is ARMADILLO-2?
• ARMADILLO-2 is a lightweight, multi-purpose cryptographic primitive published by Badel et al. at CHES 2010
• in the original article, ARMADILLO-1 is proposed, but the authors identified a security issue and advised using ARMADILLO-2
• ARMADILLO-2 is
  - a FIL-MAC
  - a stream cipher
  - a hash function
• they are all based on an internal function that uses data-dependent bit transpositions
• 5 different parameter sizes are defined
The basic building block: a parametrized permutation $Q_X$
ARMADILLO-2 uses a permutation $Q_A(B)$ as its basic building block:
• the internal state is initialized with the input B
• we apply a steps, where a is the bit size of the input parameter A
• for each step i:
  - extract bit i from A
  - if A[i] = 0, apply the bitwise permutation $\sigma_0$, otherwise $\sigma_1$
  - bitwise XOR the constant 1010···10 into the internal state
[Figure: $Q_A(B)$ with inputs B and A]
1 → apply $\sigma_1$ and xor 1010···10
1 → apply $\sigma_1$ and xor 1010···10
0 → apply $\sigma_0$ and xor 1010···10
0 → apply $\sigma_0$ and xor 1010···10
1 → apply $\sigma_1$ and xor 1010···10
0 → apply $\sigma_0$ and xor 1010···10
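The ARMADILLO-2 compression function
[Figure: compression function diagram with blocks $Q_M(C\|M)$ and $Q_X(C\|M)$, inputs C and M, intermediate values X and Y, and output C′]
• two inputs:
  - the chaining variable C
  - the message block M
• one output:
  - the chaining variable C′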

| k | c | m |
|---|---|---|
| 128 | 80 | 48 |
| 192 | 128 | 64 |
| 240 | 160 | 80 |
| 288 | 192 | 96 |
| 384 | 256 | 128 |

Cryptanalysis of ARMADILLO-2
Abdelraheem et al. (ASIACRYPT 2011):
• key recovery attack on the FIL-MAC
• key recovery attack on the stream cipher
• (second)-preimage attack on the hash function
... but the computation and memory complexities are very high, often close to the generic complexity (for example, a 256-bit preimage with $2^{208}$ computations and $2^{205}$ memory, or $2^{249}$ computations and $2^{45}$ memory)
We provide very practical attacks (only a few operations):
• distinguisher and related-key recovery on the stream cipher
• free-start collision on the compression function (chosen-related IVs)
• semi-free-start collision on the compression/hash function (chosen IV)
First tools
For two random k-bit words A and B of Hamming weight a and b respectively, the probability that HAM(A ∧ B) = i is
$$P_{and}(k, a, b, i) = \frac{\binom{a}{i}\binom{k-a}{b-i}}{\binom{k}{b}} = \frac{\binom{b}{i}\binom{k-b}{a-i}}{\binom{k}{a}}.$$
For two random k-bit words A and B of Hamming weight a and b respectively, the probability that HAM(A ⊕ B) = j is
$$P_{xor}(k, a, b, j) = \begin{cases} P_{and}\left(k, a, b, \frac{a+b-j}{2}\right) & \text{for } (a+b-j) \text{ even} \\ 0 & \text{for } (a+b-j) \text{ odd} \end{cases}$$
Free-start collision attack
The differential path - right side
[Figure: right side of the differential path, with labels C and M, HAM(ΔC) = 1 and ΔM = 0]
We have HAM(ΔX) = 1 with probability 1.
We have ΔX = 0…01 with probability $P_X = \frac{1}{k}$.
The differential path - left side
[Figure: left side of the differential path, with labels C, X, M, Y and C′, HAM(ΔC) = 1, ΔM = 0 and ΔX = 0…01]
We have b active bits after the first step with probability $P_{step}(b)$.
We have HAM(ΔY) = b with probability $P_{step}(b)$.
We have $\Delta\mathrm{MSB}_c(Y) = 0$ with probability
$$P_{step}(b) \cdot P_{out}(b) = P_{step}(b) \cdot P_{and}(k, m, b, b) = P_{step}(b) \cdot \prod_{i=0}^{b-1} \frac{m-i}{k-i}$$
The differential path - overall differential probability
The overall collision probability is
$$P_X \cdot \sum_{i=1}^{m} P_{step}(i) \cdot P_{out}(i) = \frac{1}{k} \cdot \sum_{i=1}^{m} P_{step}(i) \cdot \prod_{j=0}^{i-1} \frac{m-j}{k-j}$$
The degrees of freedom
For randomly chosen values of C and M, the collision probability will be too small:
• we can choose b small, so that $P_{out}(b)$ is very high ...
• ... but $P_{step}(b)$ is very low anyway
However, we can use the degrees of freedom:
• by fixing the value of M and the difference position, one can first handle the right part of the differential path ($Q_M$)
• then, by forcing the input value (C||M) to have a very low (or very high) Hamming weight hw, it will be possible to have $P_{step}(b)$ high
$$P_{step}(b, hw) = \frac{hw}{c} \cdot P_{xor}(k, hw, hw-1, b) + \frac{c-hw}{c} \cdot P_{xor}(k, hw, hw+1, b)$$
Attack complexity and results
The total attack complexity is (probability $P_X$ can be handled separately):
$$\frac{1}{\sum_{i=1}^{m} P_{step}(i, hw) \cdot P_{out}(i)}$$

| k | c | m | generic attack complexity | attack complexity |
|---|---|---|---|---|
| 128 | 80 | 48 | $2^{40}$ | $2^{7.5}$ |
| 192 | 128 | 64 | $2^{64}$ | $2^{7.8}$ |
| 240 | 160 | 80 | $2^{80}$ | $2^{8.1}$ |
| 288 | 192 | 96 | $2^{96}$ | $2^{8.3}$ |
| 384 | 256 | 128 | $2^{128}$ | $2^{8.7}$ |

We implemented and verified the attack
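
The tools $P_{and}$, $P_{xor}$, $P_{out}$, $P_{step}$ and the complexity formula above, written out in Python as an added example (not the authors' code). It checks $P_{and}$ against exhaustive enumeration on 8-bit words; the hw values it tries are assumptions, since the slides do not say which hw produced the table, so its printed figures need not match the table.

```python
from fractions import Fraction
from itertools import combinations
from math import comb, log2


def p_and(k, a, b, i):
    """P[HAM(A & B) = i] for random k-bit words A, B of weights a and b."""
    if i < 0 or b - i < 0 or not (0 <= a <= k and 0 <= b <= k):
        return Fraction(0)
    return Fraction(comb(a, i) * comb(k - a, b - i), comb(k, b))


def p_xor(k, a, b, j):
    """P[HAM(A ^ B) = j], using HAM(A ^ B) = a + b - 2 * HAM(A & B)."""
    if (a + b - j) % 2:
        return Fraction(0)
    return p_and(k, a, b, (a + b - j) // 2)


def p_out(k, m, b):
    """All b active bits fall inside an m-bit window: product of (m-i)/(k-i)."""
    return p_and(k, m, b, b)


def p_step(k, c, hw, b):
    """b active bits after the first step, for an input of Hamming weight hw.

    Taken term by term from the slide: the flipped bit of C either removes a
    one (weights hw and hw-1) or adds a one (weights hw and hw+1).
    """
    return (Fraction(hw, c) * p_xor(k, hw, hw - 1, b)
            + Fraction(c - hw, c) * p_xor(k, hw, hw + 1, b))


def complexity(k, c, m, hw):
    """1 / sum_{i=1..m} P_step(i, hw) * P_out(i); P_X is handled separately."""
    total = sum(p_step(k, c, hw, i) * p_out(k, m, i) for i in range(1, m + 1))
    return 1 / total


def brute_force_and(k, a, b):
    """Exact distribution of HAM(A & B) over every pair of words (small k only)."""
    counts = {}
    for ones_a in combinations(range(k), a):
        set_a = set(ones_a)
        for ones_b in combinations(range(k), b):
            i = len(set_a.intersection(ones_b))
            counts[i] = counts.get(i, 0) + 1
    total = sum(counts.values())
    return {i: Fraction(n, total) for i, n in counts.items()}


if __name__ == "__main__":
    # Parameter sets from the slides; the hw values are assumptions.
    for k, c, m in [(128, 80, 48), (192, 128, 64), (240, 160, 80),
                    (288, 192, 96), (384, 256, 128)]:
        row = {hw: round(log2(complexity(k, c, m, hw)), 1) for hw in (1, 2, 4)}
        print(f"k={k} c={c} m={m} log2(complexity) by hw: {row}")
```
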
Semi-free-start collision attack
The differential path - right side
[Figure: right side of the differential path, with labels C and M, ΔC = 0, a difference ΔM, and the first g bits of M marked]
Assume we force the first g bits of M to a certain value (g being the most significant difference bit of M).
We would like a collision after step g, and this event can be obtained by solving a very particular system of linear equations, since we know all of the first g steps.
If the internal collision is obtained, we have ΔX = 0 with probability 1.
The differential path - left side
[Figure: left side of the differential path, with labels C, X, M, Y and C′, ΔC = 0, a difference ΔM, and ΔX = 0]
Assume we have b active bits on M.
We have b active bits after applying $Q_X$ with probability 1.
We have $\Delta\mathrm{MSB}_c(Y) = 0$ with probability
$$P_{out}(b) = P_{and}(k, m, b, b) = \prod_{i=0}^{b-1} \frac{m-i}{k-i}$$
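The system of linear equations
We know the value of the first g bits of M, therefore we know exactly the permutation applied to I and I ⊕ ΔI for the first g rounds of $Q_M$. For a collision after g rounds of $Q_M$, we want
$$\sigma_{M_1[g-1]}(\cdots(\sigma_{M_1[1]}(\sigma_{M_1[0]}(I) \oplus cst) \oplus cst)\cdots) = \sigma_{M_2[g-1]}(\cdots(\sigma_{M_2[1]}(\sigma_{M_2[0]}(I \oplus \Delta I) \oplus cst) \oplus cst)\cdots)$$
and since all operations are linear, this can be rewritten as
$$\rho(I) \oplus A = \rho'(I \oplus \Delta I) \oplus B = \rho'(I) \oplus \rho'(\Delta I) \oplus B$$
where
$$\rho = \sigma_{M_1[g-1]} \circ \cdots \circ \sigma_{M_1[1]} \circ \sigma_{M_1[0]}, \qquad A = \sigma_{M_1[g-1]}(\cdots(\sigma_{M_1[1]}(cst) \oplus cst)\cdots)$$
$$\rho' = \sigma_{M_2[g-1]} \circ \cdots \circ \sigma_{M_2[1]} \circ \sigma_{M_2[0]}, \qquad B = \sigma_{M_2[g-1]}(\cdots(\sigma_{M_2[1]}(cst) \oplus cst)\cdots).$$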
We have to solve $\rho(I) \oplus \rho'(I) = A \oplus B \oplus \rho'(\Delta I)$, which can be rewritten as
$$I \oplus \tau(I) = C$$
with C a constant and τ a bit permutation (which we model as random).
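
The $Q_A(B)$ step loop from the start of the talk and the rewriting into $I \oplus \tau(I) = C$ above, worked through in Python as an added example (not code from the slides or the authors). The permutations standing in for $\sigma_0$ and $\sigma_1$ are pseudo-random, K = 16 is a toy width, and the sample instance is constructed so that a solution exists; the attack's own constraints on ΔI (ΔC = 0, fixed bits of M) are not modelled. The cycle-walking solver goes beyond the slides, which only state the equation.

```python
import random

K = 16                          # toy state width (assumption; real k is 128..384)
CST = [1, 0] * (K // 2)         # the step constant 1010...10
_rng = random.Random(2012)
# Stand-ins for sigma_0 and sigma_1: the slides do not list the real
# permutations, so two fixed pseudo-random bit permutations are used.
SIGMA = [_rng.sample(range(K), K), _rng.sample(range(K), K)]

def permute(p, s):
    """Bit permutation: output bit j is input bit p[j]."""
    return [s[p[j]] for j in range(K)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def q_steps(bits, state):
    """One Q step per control bit: apply sigma_bit, then XOR the constant."""
    for bit in bits:
        state = xor(permute(SIGMA[bit], state), CST)
    return state

def affine_form(bits):
    """Return (rho, const) such that q_steps(bits, I) == rho(I) xor const."""
    rho, const = list(range(K)), [0] * K
    for bit in bits:
        rho = [rho[SIGMA[bit][j]] for j in range(K)]
        const = xor(permute(SIGMA[bit], const), CST)
    return rho, const

def collision_system(bits1, bits2, delta):
    """Rewrite rho(I) ^ A == rho'(I ^ delta) ^ B as I ^ tau(I) == c."""
    rho, a = affine_form(bits1)
    rho2, b = affine_form(bits2)
    inv = [0] * K
    for j, u in enumerate(rho):
        inv[u] = j              # inv is rho^-1
    rhs = xor(xor(a, b), permute(rho2, delta))
    tau = [rho2[inv[u]] for u in range(K)]
    c = [rhs[inv[u]] for u in range(K)]
    return tau, c

def solve(tau, c):
    """Solve I[u] ^ I[tau[u]] == c[u] by walking the cycles of tau.

    Returns (solution, cycles), or None when some cycle has odd parity.
    Complementing the bits on any subset of cycles gives the other
    solutions, so a solvable system has 2**len(cycles) of them.
    """
    sol, cycles = [None] * K, []
    for start in range(K):
        if sol[start] is not None:
            continue
        cycle, u, val = [], start, 0    # free choice: I[start] = 0
        while sol[u] is None:
            sol[u] = val
            cycle.append(u)
            val ^= c[u]                 # forced value of I[tau[u]]
            u = tau[u]
        if val != 0:                    # the cycle does not close consistently
            return None
        cycles.append(cycle)
    return sol, cycles

def flip_cycle(sol, cycle):
    """Another solution: complement the bits on one cycle."""
    out = list(sol)
    for u in cycle:
        out[u] ^= 1
    return out

def constructed_instance(seed=1):
    """Constructed sample: two g-bit prefixes and a delta admitting a collision."""
    r = random.Random(seed)
    m1 = [1, 1, 0, 0, 1, 0]     # the control bits traced on the slides
    m2 = [1, 0, 0, 1, 1, 1]     # constructed second prefix
    i0 = [r.randint(0, 1) for _ in range(K)]
    rho2, b = affine_form(m2)
    target = xor(q_steps(m1, i0), b)    # rho'(I0 ^ delta) must equal this
    w = [0] * K
    for j in range(K):
        w[rho2[j]] = target[j]
    return m1, m2, xor(w, i0)

if __name__ == "__main__":
    m1, m2, delta = constructed_instance()
    tau, c = collision_system(m1, m2, delta)
    sol, cycles = solve(tau, c)
    print("cycles of tau:", len(cycles), "-> solutions:", 2 ** len(cycles))
    print("collision after g steps:",
          q_steps(m1, sol) == q_steps(m2, xor(sol, delta)))
```
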
The freedom degrees
The system of linear equations:
• admits at least one solution with a probability depending on the number of cycles of a complex composition of $\sigma_0$ and $\sigma_1$ (for random permutations $\sigma_0$ and $\sigma_1$, we have a probability of $2^{-\log(k)}$)
• the average number of solutions is 1
Thus, in order to find a collision, we need:
• that the guess of the $g$ bits of $M$ is valid (with probability $2^{-g}$)
• that the $b$ active bits in $M$ are truncated on the output of $Q_X$ (with probability $P_{out}(b)$)
Minimizing $g$ and $b$ will provide better complexity, but we need enough randomization to eventually find a solution
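The solvability claim for $I \oplus \tau(I) = C$ can be checked on a toy instance. The Python below is an added example, not code from the talk or the paper: it assumes $\tau$ acts as `tau(I)[i] = I[perm[i]]` for an arbitrary permutation `perm` (a hypothetical stand-in for the composition of $\sigma_0$ and $\sigma_1$), and all function names are illustrative.

```python
from itertools import product

def cycles(perm):
    """Decompose a permutation (i -> perm[i]) into its cycles."""
    seen, out = [False] * len(perm), []
    for start in range(len(perm)):
        if seen[start]:
            continue
        cyc, i = [], start
        while not seen[i]:
            seen[i] = True
            cyc.append(i)
            i = perm[i]
        out.append(cyc)
    return out

def apply_tau(perm, bits):
    """Bit permutation tau: output bit i is input bit perm[i] (assumed model)."""
    return [bits[perm[i]] for i in range(len(perm))]

def solve(perm, c):
    """Solve I xor tau(I) = C over GF(2).
    Returns (one solution or None, total number of solutions)."""
    sol, cycs = [0] * len(perm), cycles(perm)
    for cyc in cycs:
        # XOR-ing the equations I[i] ^ I[perm[i]] = C[i] along one cycle
        # cancels every I bit, so the C bits on the cycle must XOR to 0.
        if sum(c[i] for i in cyc) % 2:
            return None, 0
        # One free bit per cycle (set to 0 here), then propagate:
        # I[perm[i]] = I[i] ^ C[i].
        for i in cyc[:-1]:
            sol[perm[i]] = sol[i] ^ c[i]
    return sol, 2 ** len(cycs)

def average_solutions(perm):
    """Exact average number of solutions over every constant C (small k only)."""
    k = len(perm)
    return sum(solve(perm, list(c))[1] for c in product((0, 1), repeat=k)) / 2 ** k

# Constructed toy instance: k = 6, cycles (0 1 2), (3), (4 5).
PERM = [1, 2, 0, 3, 5, 4]
C_OK = [1, 1, 0, 0, 1, 1]    # every cycle has even parity -> solvable
C_BAD = [1, 0, 0, 0, 0, 0]   # cycle (0 1 2) has odd parity -> no solution
```

Each cycle of $\tau$ imposes one parity condition on $C$ and contributes one free bit, so a random $C$ is solvable with probability $2^{-\#\text{cycles}}$ and then has $2^{\#\text{cycles}}$ solutions, which gives the average of 1 stated above.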
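Attack complexity and results
The total attack complexity is:
$$\frac{2^g}{P_{out}(b)}, \quad \text{with } \binom{g}{b} \geq 2 \cdot P_{out}^{-1}(b) \text{ so as to find a solution}$$

| k | c | m | generic attack complexity | attack complexity |
|---|---|---|---|---|
| 128 | 80 | 48 | $2^{40}$ | $2^{8.9}$ |
| 192 | 128 | 64 | $2^{64}$ | $2^{10.2}$ |
| 240 | 160 | 80 | $2^{80}$ | $2^{10.2}$ |
| 288 | 192 | 96 | $2^{96}$ | $2^{10.2}$ |
| 384 | 256 | 128 | $2^{128}$ | $2^{10.2}$ |

(k, c and m are the scheme parameters.)
We implemented and verified the attack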
Conclusion
ARMADILLO-2 is not secure; the attack complexities are very low:
• the diffusion can be controlled too easily
• local linearization makes the complex part of the differential paths linear
• the permutation $Q_A(B)$ preserves the parity of the input
Thank you for your attention !