Ryoma Ito NICT, Japan ISC 2020 December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Keywords: ARX, Stream Cipher, Salsa, Rotational Cryptanalysis

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa stream cipher Salsa n ARX-based stream cipher u ARX: Addition-Rotation-XOR construction n designed by Bernstein in 2005 n one of the finalists for the eSTREAM software portfolio 2 Introduction (1/8)

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa Core Function 3 Introduction (2/8) ⋘ 7 𝑎 𝑏 𝑐 𝑑 𝑎′ 𝑏′ 𝑐′ 𝑑′ ⋘ 18 ⋘ 13 ⋘ 9

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa Core Function 4 Introduction (3/8) ⋘ 7 𝑎 𝑏 𝑐 𝑑 𝑎′ 𝑏′ 𝑐′ 𝑑′ ⋘ 18 ⋘ 13 ⋘ 9 Addition Rotation XOR Addition … 4 Additions 4 Rotations 4 XORs

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa stream cipher and Rotational Cryptanalysis Salsa n ARX-based stream cipher u ARX: Addition-Rotation-XOR construction n designed by Bernstein in 2005 n one of the finalists for the eSTREAM software portfolio 5 Introduction (4/8) Rotational Cryptanalysis [KN10, KNP+15] n A probabilistic attack that follows the evolution of a so-called rotational pair through the rounds of a function (or a cipher) u Rotational pair: 𝑋, ⃖ 𝑋 = 𝑋, 𝑋 ⋘ 𝑟 , 𝑋, ⃗ 𝑋 = 𝑋, 𝑋 ⋙ 𝑟 u Rotational probability: Pr 𝐹(𝑋) = 𝐹 ⃖ 𝑋 , Pr 𝐹(𝑋) = 𝐹 ⃗ 𝑋 [KN10] Dmitry Khovratovich and Ivica Nikolic. Rotational Cryptanalysis of ARX. FSE 2010. [KNP+15] Dmitry Khovratovich et al. Rotational Cryptanalysis of ARX Revisited. FSE 2015.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Motivations: Rotational Cryptanalysis of Salsa Core Function Cryptanalysis of Salsa n mainly differential cryptanalysis u attack only up to 8 rounds (out of 20 rounds) n No study has yet applied rotational cryptanalysis to ARX-based stream ciphers including ChaCha (https://eprint.iacr.org/2020/1049, received 31 Aug 2020) 6 Introduction (5/8)

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Motivations: Rotational Cryptanalysis of Salsa Core Function Cryptanalysis of Salsa n mainly differential cryptanalysis u attack only up to 8 rounds (out of 20 rounds) n No study has yet applied rotational cryptanalysis to ARX-based stream ciphers including ChaCha (https://eprint.iacr.org/2020/1049, received 31 Aug 2020) 7 Introduction (6/8) Rotational Cryptanalysis of ARX-based Stream Ciphers n practically difficult to obtain a rotational pair of all inputs. u Salsa and ChaCha utilize constant as one of their inputs. n The core function of one encryption scheme is often implemented in another to design symmetric-key primitives. u e.g., SOSEMANUK ← Serpent, BLAKE2 ← ChaCha, SNOW-V ← AES n It is important to clarify whether Salsa core function has a fatal weakness to rotational cryptanalysis.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Summary of Our Results 8 Introduction (7/8) Table 1. A comparison between the previous and our results (r = 1). ※log2 # of modular additions 1 2 3 4 5 6 7 8 [KN10, Theorem 2] -1.4 -2.8 -4.2 -5.7 -7.1 -8.5 -9.9 -11.3 [KNP+15, Lemma 2] -1.4 -3.6 -6.3 -9.3 -12.7 -16.3 -20.1 -24.1 Experimental results -1.415 -2.263 -3.263 -4.206 -5.169 -6.126 -7.086 -8.043 Theoretical results -1.415 -2.263 -3.111 -3.959 -7.918 Rotational Probabilities of Salsa-type ARX Primitive

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Summary of Our Results 9 Introduction (7/8) Rotational Distinguisher* for Salsa/ChaCha Permutations** Table 1. A comparison between the previous and our results (r = 1). ※log2 # of modular additions 1 2 3 4 5 6 7 8 [KN10, Theorem 2] -1.4 -2.8 -4.2 -5.7 -7.1 -8.5 -9.9 -11.3 [KNP+15, Lemma 2] -1.4 -3.6 -6.3 -9.3 -12.7 -16.3 -20.1 -24.1 Experimental results -1.415 -2.263 -3.263 -4.206 -5.169 -6.126 -7.086 -8.043 Theoretical results -1.415 -2.263 -3.111 -3.959 -7.918 Rotational Probabilities of Salsa-type ARX Primitive *Distinguisher is to distinguish the cipher from a random function/permutation. **The permutations can allow us to set the arbitrary input values. Table 2. A comparison of the rotational distinguisher for Salsa/ChaCha permutations. # of rounds Probability (log2 ) Ref Salsa permutation 32 -506.752 (< -512.0) ChaCha permutation 8 -489.6 (< -512.0) 17 -487.6 (< -512.0) [ePrint]

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Outline of the Talk 10 1. Preliminaries n Salsa stream cipher n Rotational Cryptanalysis 2. Rotational Cryptanalysis of the Salsa Core Function n Experimental Observations n Our lemmas, theorem, and prediction n Experimental Verifications 3. A Weakness of the Salsa Permutation 4. Conclusion

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa stream cipher 11 n 256-bit key: 𝑘!, … , 𝑘" n 64-bit nonce: 𝑣! , 𝑣# n 64-bit counter: 𝑡! , 𝑡# n 128-bit constant: 𝑐!, 𝑐#, 𝑐$, 𝑐% Preliminaries (1/7) Initial state matrix 𝑋 ! = 𝑥! ! 𝑥# ! 𝑥& ! 𝑥' ! 𝑥$ ! 𝑥% ! 𝑥( ! 𝑥" ! 𝑥) ! 𝑥* ! 𝑥#$ ! 𝑥#% ! 𝑥#! ! 𝑥## ! 𝑥#& ! 𝑥#' ! = 𝑐! 𝑘! 𝑘% 𝑐# 𝑘# 𝑘$ 𝑣! 𝑣# 𝑡! 𝑡# 𝑘' 𝑘( 𝑐$ 𝑘& 𝑘" 𝑐%

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa stream cipher 12 n columnrounds (in the odd number rounds): 𝑥! " , 𝑥# " , 𝑥$ " , 𝑥%& " , 𝑥' " , 𝑥( " , 𝑥%) " , 𝑥% " , 𝑥%! " , 𝑥%# " , 𝑥& " , 𝑥* " , 𝑥%' " , 𝑥) " , 𝑥+ " , 𝑥%% " n rowrounds (in the even number rounds): 𝑥! " , 𝑥% " , 𝑥& " , 𝑥) " , 𝑥' " , 𝑥* " , 𝑥+ " , 𝑥# " , 𝑥%! " , 𝑥%% " , 𝑥$ " , 𝑥( " , 𝑥%' " , 𝑥%& " , 𝑥%) " , 𝑥%# " n output 512-bit keystream block: 𝑍 = 𝑋 ! + 𝑋 + Preliminaries (2/7) The quarterround function (Salsa Core Function) vector 𝑥, " , 𝑥- " , 𝑥. " , 𝑥/ " is updated as below: 𝑥- "0% = 𝑥, " + 𝑥/ " ⋘ 7 ⨁𝑥- " , 𝑥. "0% = 𝑥- "0% + 𝑥, " ⋘ 9 ⨁𝑥. " , 𝑥/ "0% = 𝑥. "0% + 𝑥- "0% ⋘ 13 ⨁𝑥/ " , 𝑥, "0% = 𝑥/ "0% + 𝑥. "0% ⋘ 18 ⨁𝑥, " .

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Cryptanalysis 13 Preliminaries (3/7) Lemma 1 ([Daum05, Corollary 4.12]) 1. If we suppose an 𝑛-bit word 𝐴 to be fixed and an 𝑛-bit word 𝐵 to be chosen uniformly at random, then we obtain Pr 𝐴 + 𝐵 ⋘ 𝑟 = 𝐴 ⋘ 𝑟 + 𝐵 ⋘ 𝑟 = 𝟐!𝒏 𝟐𝒏!𝒓 − 𝑨𝑹 𝟐𝒓 − 𝑨𝑳 , where 𝐴& = 𝑎'!(, … , 𝑎'!) and 𝐴* = 𝑎'!)!(, … , 𝑎+ for 𝐴. 2. If we suppose two 𝑛-bit words 𝐴 and 𝐵 to be chosen uniformly at random, then we obtain Pr 𝐴 + 𝐵 ⋘ 𝑟 = 𝐴 ⋘ 𝑟 + 𝐵 ⋘ 𝑟 = 𝟏 𝟒 𝟏 + 𝟐𝒓!𝒏 + 𝟐!𝒓 + 𝟐!𝒏 . For 𝑛 = 32 and 𝑟 = 1, we obtain the rotational probabilities for the first and second types of modular addition in Lemma 1 as 𝟐!𝟏.𝟐𝟒𝟓 and 𝟐!𝟏.𝟒𝟏𝟓. Rotational probabilities of rotation and XOR: Pr 𝐴 ⋘ 𝑟( ⋘ 𝑟1 = 𝐴 ⋘ 𝑟1 ⋘ 𝑟( = 𝟏 , Pr 𝐴⨁𝐵 ⋘ 𝑟 = 𝐴 ⋘ 𝑟 ⨁ 𝐵 ⋘ 𝑟 = 𝟏 .

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Cryptanalysis 14 Preliminaries (4/7) Theorem 1 ([KN10, Theorem 2]): Let 𝑞 be the number of modular additions in an ARX-based primitive that has an arbitrary number of rotations and XORs. Then, the rotational probability of the ARX- based primitive is 𝒑2 𝒒 , where 𝑝2 denotes the rotational probability of modular addition depending on the word size 𝑛 and the rotation amount 𝑟. Fact1: The rotational probability of the ARX-based primitive can be obtained by simply counting the number of the second type of modular additions in Lemma 1.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Cryptanalysis 15 Preliminaries (5/7) Fact2: The rotational probability may not follow Theorem 1 when the output of modular addition becomes the input of another, called chained modular addition. Theorem 1 ([KN10, Theorem 2]): Let 𝑞 be the number of modular additions in an ARX-based primitive that has an arbitrary number of rotations and XORs. Then, the rotational probability of the ARX- based primitive is 𝒑2 𝒒 , where 𝑝2 denotes the rotational probability of modular addition depending on the word size 𝑛 and the rotation amount 𝑟. Fact1: The rotational probability of the ARX-based primitive can be obtained by simply counting the number of the second type of modular additions in Lemma 1.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Cryptanalysis: example of chained modular addition 16 Preliminaries (6/7)

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Cryptanalysis 17 Preliminaries (7/7) Fact2: The rotational probability may not follow Theorem 1 when the output of modular addition becomes the input of another, called chained modular addition. Theorem 1 ([KN10, Theorem 2]): Let 𝑞 be the number of modular additions in an ARX-based primitive that has an arbitrary number of rotations and XORs. Then, the rotational probability of the ARX- based primitive is 𝒑2 𝒒 , where 𝑝2 denotes the rotational probability of modular addition depending on the word size 𝑛 and the rotation amount 𝑟. Fact1: The rotational probability of the ARX-based primitive can be obtained by simply counting the number of the second type of modular additions in Lemma 1. Lemma 2 ([KNP+15, Lemma 2]) Let 𝑎(, … , 𝑎4 be 𝑛-bit words chosen at random and let 𝑟 be the rotation amount. Then Pr( 𝑎( + 𝑎1 ⋘ 𝑟 = 𝑎( ⋘ 𝑟 + 𝑎1 ⋘ 𝑟 ∧ ⋯ ∧ 𝑎( + ⋯ + 𝑎4 ⋘ 𝑟 = 𝑎( ⋘ 𝑟 + ⋯ + 𝑎4 ⋘ 𝑟 ) = 𝟏 𝟐𝒏𝒌 𝒌 + 𝟐𝒓 − 𝟏 𝟐𝒓 − 𝟏 𝒌 + 𝟐𝒏!𝒓 − 𝟏 𝟐𝒏!𝒓 − 𝟏 .

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Outline of the Talk 18 1. Preliminaries n Salsa stream cipher n Rotational Cryptanalysis 2. Rotational Cryptanalysis of the Salsa Core Function n Experimental Observations n Our lemmas, theorem, and prediction n Experimental Verifications 3. A Weakness of the Salsa Permutation 4. Conclusion

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Experimental Observations: Toy Model Construct a toy model of the Salsa core function n a word size of 8 bits (instead of 32 bits) u The rotational probability can be obtained from all the input/output rotational pairs with 232 trials, which can execute an exhaustive search. 19 Rotational Cryptanalysis of the Salsa Core Function (1/9) The quarterround function (Toy model of the Salsa Core Function) The function family 𝑓5 is defined by 𝑓5 𝑎, 𝑏, 𝑐, 𝑟 = 𝑎 + 𝑏 ⋘ 𝑟 ⨁𝑐. Then 𝑏 = 𝑓( 𝑎, 𝑑, 𝑏, 7 = 𝑎 + 𝑑 ⋘ 7 ⨁𝑏, 𝑐 = 𝑓1 𝑏, 𝑎, 𝑐, 5 = 𝑏 + 𝑎 ⋘ 5 ⨁𝑐, 𝑑 = 𝑓6 𝑐, 𝑏, 𝑑, 3 = 𝑐 + 𝑏 ⋘ 3 ⨁𝑑, 𝑎 = 𝑓7 𝑑, 𝑐, 𝑎, 1 = 𝑑 + 𝑐 ⋘ 1 ⨁𝑎. The function family 𝐹5 is defined as follows: 𝐹( = 𝑓(, 𝐹1 = 𝑓1 ∘ 𝑓(, 𝐹6 = 𝑓6 ∘ 𝑓1 ∘ 𝑓(, 𝐹7 = 𝑓7 ∘ 𝑓6 ∘ 𝑓1 ∘ 𝑓(

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Experimental Observations: Toy Model 20 Rotational Cryptanalysis of the Salsa Core Function (2/9) ⋘ 7 𝑎 𝑏 𝑐 𝑑 𝑎′ 𝑏′ 𝑐′ 𝑑′ ⋘ 1 ⋘ 3 ⋘ 5 𝑓( 𝑓1 𝑓6 𝑓7 𝐹( 𝐹1 𝐹6 𝐹7

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Experimental Observations Rotational Probabilities of Functions 𝑭𝟏 , 𝑭𝟐 , 𝑭𝟑 , 𝑭𝟒* 21 Rotational Cryptanalysis of the Salsa Core Function (3/9) Pr 𝐹( 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹( ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 , Pr 𝐹1 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹1 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 , Pr 𝐹6 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹6 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 , Pr 𝐹7 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹7 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 . *Symbol ‘←’ represents the left rotation by one bit. **The Salsa core function has no chained modular addition; rotational probability may not follow Lemma 2. Table 3. A comparison between the previous and our observations (r = 1). ※log2 Rotational probabilities 𝐹! 𝐹" 𝐹# 𝐹$ Theorem 1** -1.404 -2.808 -4.212 -5.616 Experimental observations -1.404 -2.246 -3.241 -4.197 Our lemmas and theorem Lemma 3 Lemma 4 Theorem 2

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Probability of Function Family 𝑭𝒊 22 Rotational Cryptanalysis of the Salsa Core Function (4/9) Properties of the Salsa Core Function 1. One variable remains the same and becomes the input of the two consecutive modular additions. 2. The rotational probability throughout the function matches the one after the output of the last modular addition. ⋘ 7 𝑎 𝑏 𝑐 𝑑 𝑎′ 𝑏′ 𝑐′ 𝑑′ ⋘ 5

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Probability of Function 𝑭𝟐 23 Rotational Cryptanalysis of the Salsa Core Function (5/9) Lemma 3 Let 𝑃 ⋅, 𝑛, 𝑟 be a rotational probability of the first type of modular addition in Lemma 1, that is, 𝑷 𝑨, 𝒏, 𝒓 = 𝟐%𝒏 𝟐𝒏%𝒓 − 𝑨𝑹 𝟐𝒓 − 𝑨𝑳 . Then, the rotational probability of function 𝐹" is given as follows: Pr 𝐹1 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹1 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 = 2!' K 8∈ +,( 3 𝑃 𝑎, 𝑛, 1 M 𝑃 𝑎, 𝑛, 1 , where Symbol ‘←’ represents the left rotation by one bit, and thus the rotation amount is r = 1. (Proof Sketch) Our proof is based on two properties of the Salsa core function. 1. One variable remains the same and becomes the input of the two consecutive modular additions. u We use the rotational probability for the first type of modular addition in Lemma 1. 2. The rotational probability throughout the function matches the one after the output of the last modular addition. □

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Probability of Functions 𝑭𝟑 and 𝑭𝟒 24 Rotational Cryptanalysis of the Salsa Core Function (6/9) Lemma 4 The rotational probability of function 𝑭𝟑 is given by Pr 𝐄< = => 𝐄4 => 𝐄5 M Pr 𝐄@ , where Pr 𝐄@ is given by Lemma 3 and Pr 𝐄6 is given by Pr 𝐄( in the proof of Lemma 3. 𝐄6: 𝑓( 𝑎, 𝑑, 𝑏, 7 = 𝑓( ⃖ 𝑎, ⃖ 𝑑, 𝑏, 7 , 𝐄@: 𝐹1 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹1 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 , 𝐄<: 𝐹6 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹6 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 , 𝐄A: 𝐹7 𝑎, 𝑏, 𝑐, 𝑑 = 𝐹7 ⃖ 𝑎, 𝑏, ⃖ 𝑐, ⃖ 𝑑 . Theorem 2 The rotational probability of function 𝑭𝟒 is given by Pr 𝐄A = => 𝐄4 => 𝐄5 M Pr 𝐄< , where Pr 𝐄< is given by Lemma 4, Pr 𝐄@ is given by Lemma 3, and Pr 𝐄6 is given by Pr 𝐄( in the proof of Lemma 3.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Experimental Verifications 25 Rotational Cryptanalysis of the Salsa Core Function (7/9) Theorem 1 ([KN10, Theorem 2]): Let 𝑞 be the number of modular additions in an ARX-based primitive that has an arbitrary number of rotations and XORs. Then, the rotational probability of the ARX- based primitive is 𝒑2 𝒒 , where 𝑝2 denotes the rotational probability of modular addition depending on the word size 𝑛 and the rotation amount 𝑟. Fact1: The rotational probability of the ARX-based primitives can be obtained by simply counting the number of the second type of modular additions in Lemma 1.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Experimental Verifications 26 Rotational Cryptanalysis of the Salsa Core Function (8/9) Prediction 1: Let 𝑞 be the number of Salsa core functions that has four modular additions. Then, the rotational probability of the Salsa-type ARX primitive is 𝒑2 𝒒 , where 𝑝2 denotes the rotational probability of the Salsa core function depending on the word size 𝑛 and the rotation amount 𝑟. Fact3: If our prediction is correct, we can easily analyze the rotational probability of the Salsa-type ARX primitives by simply counting the number of Salsa core functions. Theorem 1 ([KN10, Theorem 2]): Let 𝑞 be the number of modular additions in an ARX-based primitive that has an arbitrary number of rotations and XORs. Then, the rotational probability of the ARX- based primitive is 𝒑2 𝒒 , where 𝑝2 denotes the rotational probability of modular addition depending on the word size 𝑛 and the rotation amount 𝑟. Fact1: The rotational probability of the ARX-based primitives can be obtained by simply counting the number of the second type of modular additions in Lemma 1.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Experimental Verifications 27 Rotational Cryptanalysis of the Salsa Core Function (9/9) Table 4. A comparison between the experimental and theoretical values (log2 ) for the original version of the Salsa core function when the rotation amount is r = 1. The value in parentheses is the predicted value based on Prediction 1. # of modular additions 1 2 3 4 5 6 7 8 Experimental value -1.415 -2.263 -3.263 -4.206 -5.169 -6.126 -7.086 -8.043 Theoretical value -1.415 -2.263 -3.111 -3.959 -- -- -- (-7.918) # of modular additions 9 10 11 12 13 14 15 16 Experimental value -9.000 -9.959 -10.918 -11.875 -12.831 -13.790 -14.753 -15.712 Theoretical value -- -- -- (-11.877) -- -- -- (-15.836) # of modular additions 17 18 19 20 21 22 23 24 Experimental value -16.669 -17.634 -18.580 -19.530 -20.495 -21.446 -22.417 -23.415 Theoretical value -- -- -- (-19.795) -- -- -- (-23.754) The experimental values are not always correct because we could not execute an exhaustive search. n They are considered to be sufficiently accurate as rough estimation.

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Outline of the Talk 28 1. Preliminaries n Salsa stream cipher n Rotational Cryptanalysis 2. Rotational Cryptanalysis of the Salsa Core Function n Experimental Observations n Our lemmas, theorem, and prediction n Experimental Verifications 3. A Weakness of the Salsa Permutation 4. Conclusion

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa stream cipher 29 A Weakness of the Salsa Permutation (1/5)

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Salsa stream cipher 30 A Weakness of the Salsa Permutation (2/5) By simply counting the number of the Salsa core functions, the rotational probability of the Salsa permutation can be computed based on Prediction 1. n 𝒑2 = 𝟐!𝟑.𝟗𝟓𝟗 from Theorem 2. Salsa permutation comprises four Salsa core functions in each round. n The rotational probability of the 𝑅-round Salsa is 𝒑2 𝟒𝑹 = 𝟐!𝟑.𝟗𝟓𝟗 𝟒𝑹 .

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function ChaCha stream cipher 31 A Weakness of the Salsa Permutation (3/5)

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function ChaCha stream cipher 32 A Weakness of the Salsa Permutation (4/5) According to the study in [KNP+15], the 𝑅-round ChaCha permutation has exactly 8 chains of 2𝑹 modular additions in each chain. n The rotational probability of the 𝑅-round ChaCha permutation can be obtained from Lemme 2 (chained modular addition).

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Rotational Distinguisher for the Salsa/ChaCha Permutations 33 A Weakness of the Salsa Permutation (5/5) Table 5. A comparison of the rotational probabilities (log2 ) of the Salsa and ChaCha permutations when the rotation amount is r = 1. # of rounds 1 2 3 4 5 6 Salsa permutation -15.836 -31.672 -47.508 -63.344 -79.180 -95.016 ChaCha permutation -28.800 -74.400 -130.400 -192.800 -261.600 -333.600 # of rounds 7 8 9 10 11 12 Salsa permutation -110.852 -126.688 -142.524 -158.630 -174.196 -190.032 ChaCha permutation -410.400 -489.600 -571.200 -656.000 -743.200 -832.000 Rotational Distinguisher for ChaCha permutation n 8 rounds (with 8 chains of 16 modular additions): 𝟐%𝟔𝟏.𝟐 𝟖 = 𝟐%𝟒𝟖𝟗.𝟔 > 2%1!".2 Rotational Distinguisher for Salsa permutation n 32 rounds (with 128 Salsa core functions): 𝟐%𝟑.𝟗𝟓𝟗 𝟒×𝟑𝟐 = 𝟐%𝟓𝟎𝟔.𝟕𝟓𝟐 > 2%1!".2

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Outline of the Talk 34 1. Preliminaries n Salsa stream cipher n Rotational Cryptanalysis 2. Rotational Cryptanalysis of the Salsa Core Function n Experimental Observations n Our lemmas, theorem, and prediction n Experimental Verifications 3. A Weakness of the Salsa Permutation 4. Conclusion

Ryoma Ito (NICT, Japan) December 17, 2020 Rotational Cryptanalysis of Salsa Core Function Summary of Our Results 35 Conclusion Rotational Distinguisher* for Salsa/ChaCha Permutations** Table 1. A comparison between the previous and our results (r = 1). ※log2 # of modular additions 1 2 3 4 5 6 7 8 [KN10, Theorem 2] -1.4 -2.8 -4.2 -5.7 -7.1 -8.5 -9.9 -11.3 [KNP+15, Lemma 2] -1.4 -3.6 -6.3 -9.3 -12.7 -16.3 -20.1 -24.1 Experimental results -1.415 -2.263 -3.263 -4.206 -5.169 -6.126 -7.086 -8.043 Theoretical results -1.415 -2.263 -3.111 -3.959 -7.918 Rotational Probabilities of Salsa-type ARX Primitive *Distinguisher is to distinguish the cipher from a random function/permutation. **The permutations can allow us to set the arbitrary input values. Table 2. A comparison of the rotational distinguisher for Salsa/ChaCha permutations. # of rounds Probability (log2 ) Ref Salsa permutation 32 -506.752 (< -512.0) ChaCha permutation 8 -489.6 (< -512.0) 17 -487.6 (< -512.0) [ePrint]