Practical cryptanalysis of ARMADILL02

Authors:
María Naya-Plasencia;Thomas Peyrin
Affiliations:
University of Versailles, France;Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
Venue:
FSE'12 Proceedings of the 19th international conference on Fast Software Encryption
Year:
2012

Citing 6
Cited 1

A proposal for a new block encryption standard

EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
A Design Principle for Hash Functions

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES

CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
ARMADILLO: a multi-purpose cryptographic primitive dedicated to hardware

CHES'10 Proceedings of the 12th international conference on Cryptographic hardware and embedded systems
Cryptanalysis of ARMADILLO2

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Fast key recovery attack on ARMADILLO1 and variants

CARDIS'11 Proceedings of the 10th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications

Multipurpose cryptographic primitive ARMADILLO3

CARDIS'12 Proceedings of the 11th international conference on Smart Card Research and Advanced Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The ARMADILLO2 primitive is a very innovative hardware-oriented multi-purpose design published at CHES 2010 and based on data-dependent bit transpositions. In this paper, we first show a very unpleasant property of the internal permutation that allows for example to obtain a cheap distinguisher on ARMADILLO2 when instantiated as a stream-cipher. Then, we exploit the very weak diffusion properties of the internal permutation when the attacker can control the Hamming weight of the input values, leading to a practical free-start collision attack on the ARMADILLO2 compression function. Moreover, we describe a new attack so-called local-linearization that seems to be very efficient on data-dependent bit transpositions designs and we obtain a practical semi-free-start collision attack on the ARMADILLO2 hash function. Finally, we provide a related-key recovery attack when ARMADILLO2 is instantiated as a stream cipher. All collision attacks have been verified experimentally, they require negligible memory and a very small number of computations (less than one second on an average computer), even for the high security versions of the scheme.