In cryptography, rotational cryptanalysis is a generic cryptanalytic attack against algorithms that rely on three operations: modular addition, rotation and XOR — ARX for short. Algorithms relying on these operations are popular because they are relatively cheap in both hardware and software and run in constant time, making them safe from timing attacks in common implementations.
The basic idea of rotational cryptanalysis is that both the bit rotation and XOR operations preserve correlations between bit-rotated pairs of inputs, and that addition of bit-rotated inputs also partially preserves bit rotation correlations. Rotational pairs of inputs can thus be used to "see through" the cipher's cascaded ARX operations to a greater degree than might be expected.[1] This ability to "see" correlations through rounds of processing can then be exploited to break the cipher in a way that is similar to differential cryptanalysis.
The term "rotational cryptanalysis" was coined by Dmitry Khovratovich and Ivica Nikolić in their 2010 paper "Rotational Cryptanalysis of ARX", which presented the best cryptanalytic attacks at that time against a reduced-round Threefish cipher, part of the Skein hash function, a SHA-3 competition candidate.[1][2] A follow-up attack by the same authors and Christian Rechberger breaks the collision resistance of up to 53 of 72 rounds of Skein-256 and 57 of 72 rounds of Skein-512. It also affects the Threefish cipher.[3]
^ a b Khovratovich, Dmitry; Nikolić, Ivica (2010). "Rotational Cryptanalysis of ARX". In Hong, Seokhie; Iwata, Tetsu (eds.). Fast Software Encryption, 17th International Workshop, FSE 2010, Seoul, Korea, February 7-10, 2010, Revised Selected Papers. Lecture Notes in Computer Science. Vol. 6147. Springer. pp. 333–346. doi:10.1007/978-3-642-13858-4_19.
^ Schneier, Bruce (2010-02-07). "Schneier on Security: New Attack on Threefish".
^ Khovratovich, Dmitry; Nikolić, Ivica; Rechberger, Christian (2010-10-20). "Rotational Rebound Attacks on Reduced Skein". Cryptology ePrint Archive.