Fast Key Recovery Attack on ARMADILLO1 and Variants

Sepehrdad, Pouyan; Sušil, Petr; Vaudenay, Serge

doi:10.1007/978-3-642-27257-8_9

Cited by 6 publications

(6 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The ARMADILLO3 is the third generation of the multipurpose cryptographic function ARMADILLO [3] introduced at CHES'10. The new version ARMADILLO3 prevents all known attacks against the ARMADILLO [22] design and the attack against ARMADILLO2 based on parallel matching [1], and Hamming weight preservation in PRNG mode [19]. We provide a security analysis against known types of attacks and discuss some dedicated attacks and counter-measures.…”

Section: Introductionmentioning

confidence: 99%

“…That is, we use an internal function P defined by P (p b, Z) = P (p, S(Z σ b )) iteratively, where b is the tailing bit of the first operand p b, S is a substitution layer, σ b is a permutation (σ 0 or σ 1 ) and Z σ b denotes the transposition of Z based on permutation σ b . The extension ARMADILLO3 adopts a preprocessing to prevent the known attacks against ARMADILLO1 reported in [22], and it introduces a reduced-size S-box layer to improve the confusion of ARMADILLO2 which lead to a practical low complexity attack reported in [19].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Multipurpose Cryptographic Primitive ARMADILLO3

Sušil

Vaudenay

2013

Smart Card Research and Advanced Applications

Self Cite

View full text Add to dashboard Cite

Abstract. This paper describes a new design of the multipurpose cryptographic primitive ARMADILLO3 and analyses its security. The AR-MADILLO3 family is oriented on small hardware such as smart cards and RFID chips. The original design ARMADILLO and its variants were analyzed by Sepehrdad et al. at CARDIS'11, the recommended variant ARMADILLO2 was analyzed by Plasencia et al. at FSE'12 and by Abdelraheem et al. at ASIACRYPT'11. The ARMADILLO3 design takes the original approach of combining a substitution and a permutation layer. The new family ARMADILLO3 introduces a reduced-size substitution layer with 3 × 3 and 4 × 4 S-boxes, which covers the substitution layer from 25% to 100% of state bits, depending on the security requirements. We propose an instance ARMADILLO3-A1/4 with a pair of permutations and S-boxes applied on 25% of state bits at each stage.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Multipurpose Cryptographic Primitive ARMADILLO3

Sušil

Vaudenay

2013

Smart Card Research and Advanced Applications

Self Cite

View full text Add to dashboard Cite

show abstract

“…For both primitives, several applications are proposed: fixed input-length MAC (FIL-MAC), pseudo-random number generator/pseudo-random function (PRNG/PRF), and hash function. In [6], authors present a polynomial attack on ARMADILLO1. Even if the design of ARMADILLO2 is similar to the design of the first version, authors of [6] claim that this attack can not be applied on ARMADILLO2.…”

Section: Introductionmentioning

confidence: 99%

“…In [6], authors present a polynomial attack on ARMADILLO1. Even if the design of ARMADILLO2 is similar to the design of the first version, authors of [6] claim that this attack can not be applied on ARMADILLO2.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of ARMADILLO2

Abdelraheem

Blondeau

Naya-Plasencia

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. ARMADILLO2 is the recommended variant of a multi-purpose cryptographic primitive dedicated to hardware which has been proposed by Badel et al. in [1]. In this paper, we describe a meet-inthe-middle technique relying on the parallel matching algorithm that allows us to invert the ARMADILLO2 function. This makes it possible to perform a key recovery attack when used as a FIL-MAC. A variant of this attack can also be applied to the stream cipher derived from the PRNG mode. Finally we propose a (second) preimage attack when used as a hash function. We have validated our attacks by implementing cryptanalysis on scaled variants. The experimental results match the theoretical complexities.In addition to these attacks, we present a generalization of the parallel matching algorithm, which can be applied in a broader context than attacking ARMADILLO2.

show abstract

“…Originally, two versions were proposed, ARMADILLO and ARMADILLO2, the later being the recommended one. A key recovery attack on ARMADILLO was rapidly published by a subset of the designers [9]. ARMADILLO2 remained unbroken until Abdelraheem et al [1] found a meet-in-the-middle technique that allows to invert the ARMADILLO2 main function.…”

Section: Introductionmentioning

confidence: 99%

Practical Cryptanalysis of ARMADILLO2

Naya-Plasencia

Peyrin

2012

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. The ARMADILLO2 primitive is a very innovative hardwareoriented multi-purpose design published at CHES 2010 and based on data-dependent bit transpositions. In this paper, we first show a very unpleasant property of the internal permutation that allows for example to obtain a cheap distinguisher on ARMADILLO2 when instantiated as a stream-cipher. Then, we exploit the very weak diffusion properties of the internal permutation when the attacker can control the Hamming weight of the input values, leading to a practical free-start collision attack on the ARMADILLO2 compression function. Moreover, we describe a new attack so-called local-linearization that seems to be very efficient on datadependent bit transpositions designs and we obtain a practical semifree-start collision attack on the ARMADILLO2 hash function. Finally, we provide a related-key recovery attack when ARMADILLO2 is instantiated as a stream cipher. All collision attacks have been verified experimentally, they require negligible memory and a very small number of computations (less than one second on an average computer), even for the high security versions of the scheme.

show abstract

Fast Key Recovery Attack on ARMADILLO1 and Variants

Cited by 6 publications

References 3 publications

Multipurpose Cryptographic Primitive ARMADILLO3

Multipurpose Cryptographic Primitive ARMADILLO3

Cryptanalysis of ARMADILLO2

Practical Cryptanalysis of ARMADILLO2

Contact Info

Product

Resources

About