
Rotational cryptanalysis

In cryptography, rotational cryptanalysis is a generic cryptanalytic attack against algorithms that rely on three operations: modular addition, rotation and XOR — ARX for short. Algorithms relying on these operations are popular because they are relatively cheap in both hardware and software and run in constant time, making them safe from timing attacks in common implementations.

Method
Rotational cryptanalysis takes advantage of the fact that XOR preserves a rotation applied to its inputs with probability 1, while modular addition does not always preserve it. Depending on the cryptosystem, the probability that addition preserves the rotation can still be high enough that reduced-round versions, variants modified to remove the modular additions, or extremely weak ARX cryptosystems that do not use enough additions become easy to attack.

Let each letter denote a variable in binary, and let any operation or data written in parentheses "()" denote the corresponding statement about data that has been rotated by an amount r. Then (x ⊕ y) = (x) ⊕ (y), and "(x)" is trivially equal to "x rotated by r" (since x and r alone determine the output). Modular addition modulo 2^n is trickier, as it is non-linear in most cases. The probability that a rotated pair survives modular addition (that is, that "(x + y) = (x) + (y)") equals

(1/4)(1 + 2^ + 2^ + 2^)

where "e" is the error constant and "(Skein(X))" is the output of the round function at the given time without the constant involved. Error correction constants are unique to each cryptosystem and presumably must be found by Monte Carlo simulation; there is currently no publicly known formula for deriving the required error correction variable on the fly.
Limitations
Apart from the reduced-round nature of rotational cryptanalysis and the luck needed for a successful attack, a major mitigation is to use the number of additions needed to fit the security level of the cipher. For an ARX cipher that requires 2^ security, there must be approximately at most 128 modular additions as per the previous (p)^q equation, not counting the other limitations. The attack on Threefish requires a chosen-plaintext attack, which comes with the limitations of such an attack. Another limitation is that there is no guarantee that successful application of the error correction variables will undo constants within rounds. The original paper claims that the chance of constants being randomly nullified in a given round becomes lower as their Hamming weight becomes higher; raising the Hamming weights of constants in key rounds and compression rounds therefore increases the security margin.
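As an added worked example (not part of the article above), the following Python code checks the two claims of the Method section exhaustively for small word sizes: XOR commutes with rotation for every input pair, whereas modular addition commutes only with a certain probability. It also evaluates the standard closed-form probability from the cryptanalysis literature, (1/4)(1 + 2^(r-n) + 2^(-r) + 2^(-n)), which follows from requiring "no carry" in both halves of the split addition, and uses the p^q reasoning of the Limitations section to bound how many additions a rotational trail can cross before its probability drops below a chosen security level. The word sizes, rotation amounts and the 64-bit security figure used below are illustrative choices, not values from the article.

```python
from fractions import Fraction
import math


def rotl(x, r, n):
    """Rotate the n-bit word x left by r positions (0 < r < n)."""
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def xor(x, y):
    return x ^ y


def add_mod(x, y):
    # Plain addition; the caller masks the result to n bits.
    return x + y


def rotation_survival_fraction(op, n, r):
    """Exhaustively count, over all pairs of n-bit words (x, y), how often
    rot(op(x, y)) == op(rot(x), rot(y)), and return the exact fraction.
    Feasible for n <= 8 (2^16 pairs)."""
    mask = (1 << n) - 1
    hits = 0
    for x in range(1 << n):
        for y in range(1 << n):
            lhs = rotl(op(x, y) & mask, r, n)
            rhs = op(rotl(x, r, n), rotl(y, r, n)) & mask
            hits += lhs == rhs
    return Fraction(hits, 1 << (2 * n))


def rotational_add_probability(n, r):
    """Closed-form probability that rotation by r commutes with addition
    modulo 2^n. Splitting each word into its high r bits and low n-r bits,
    the identity holds exactly when neither partial addition produces a
    carry; a k-bit addition of uniform operands carries out with
    probability (1/2)(1 - 2^-k), so the two independent 'no carry' events
    multiply to (1/4)(1 + 2^(r-n) + 2^-r + 2^-n)."""
    return Fraction(1, 4) * (1 + Fraction(1, 2 ** (n - r))
                             + Fraction(1, 2 ** r) + Fraction(1, 2 ** n))


def max_additions(p, security_bits):
    """Largest number of additions q such that a rotational trail of
    probability p^q still succeeds with probability >= 2^-security_bits.
    Beyond this the trail costs more than a generic attack at that level."""
    return math.floor(security_bits / -math.log2(float(p)))


if __name__ == "__main__":
    n, r = 8, 3
    print("XOR survives rotation:", rotation_survival_fraction(xor, n, r))
    print("ADD survives rotation (counted):", rotation_survival_fraction(add_mod, n, r))
    print("ADD survives rotation (closed form):", rotational_add_probability(n, r))
    p64 = rotational_add_probability(64, 1)   # 3/8 for 64-bit words, r = 1
    print("64-bit, r=1: p =", p64, "-> at most", max_additions(p64, 64),
          "additions for a 2^-64 trail")
```

Running the script shows the exhaustive count for 8-bit words agreeing with the closed form, and that for 64-bit words with r = 1 the per-addition probability is 3/8, so a trail through more than 45 additions already falls below 2^-64. This is the quantity a designer adjusts when adding modular additions as the mitigation discussed above.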