Questions tagged [arx]

Design philosophy for ciphers. ARX solely relies on additions, rotations and XORs to build ciphers and similar algorithms. This usually constructs ciphers that are highly resistant against side-channel attacks. Well-known examples are Threefish and Salsa20/ChaCha.

Advantages of ARX (Add-Rotate-XOR)

  • Fast performance on PCs
  • Compact implementation
  • Easy algorithm
  • No timing attacks
  • Functionally complete (assuming constant included)

Disadvantages of ARX

  • Not best trade-off in hardware
  • Security against linear and differential cryptanalysis?
  • Security margin?
  • Side-channel attacks

ARX Designs

  • Block ciphers
    • FEAL, Threefish
  • Stream ciphers
    • Salsa20, ChaCha, HC-128
  • Hash functions
    • SHA-3 Finalists: BLAKE, Skein
    • SHA-3 Second Round: Blue Midnight Wish, Cubehash
    • SHA-3 First Round: EDON-R
39 questions
17 votes, 1 answer

Selection of rotation constants in ARX design

My question is about choosing the rotation values in ARX design such as SIMON-like or SPECK-like ciphers to provide optimal differential and linear immunity. According to this, the selection of $a$ and $b$ values (shown in SIMON-like figure below)…
hardyrama
9 votes, 2 answers

Fast cipher without needing hardware support (like ChaCha20) for disk encryption

On my old laptop, ChaCha20 is quite a bit faster than AES as there is no hardware acceleration for AES. But for disk encryption AES based schemes seem to be the only option, as a stream cipher like ChaCha20 cannot directly be used for disk…
JanKanis
8 votes, 3 answers

Weaknesses in ARX block ciphers

What are the weaknesses in a block cipher that uses modular addition, rotations with fixed amounts, and XOR? Can substitution boxes or permutation boxes be replicated with these three operations? Would the weaknesses in an ARX block cipher be…
Melab
5 votes, 0 answers

Why does chacha20 not use bitwise not?

Right now chacha20 and blake use constants in order to eliminate fixpoints. As far as I know however inserting a bitwise not every $n$ rounds should eliminate this issue without using constants (and as a bonus chacha20 would be a $\{0, 1\}^{512} \to…
8321992485
5 votes, 0 answers

What is the probability equation of rotational cryptanalysis on modulo multiplication?

The answer in this question defined how to calculate the probability of rotational cryptanalysis on modulo multiplication $\odot$. This paper defined an algebraic equation of how to calculate the rotational probability of modular addition $\boxplus$…
hardyrama
5 votes, 1 answer

How are boolean functions used in cryptography?

I recently started becoming interested in Boolean functions. Because they are defined as $f: \{0, 1\}^n \rightarrow \{0, 1\}$, or in other words only over $\{0, 1\}$, I guessed they can somehow be applied in cryptography. After all in cryptography…
user4936
5 votes, 1 answer

Which precautions to protect against side-channel attacks on ARX ciphers?

In recent crypto there has been a trend to design ciphers using only the ARX set of instructions - i.e. additions (modulo $2^{32}$ or $2^{64}$), rotations (by a fixed constant) and XORs, examples include Threefish, Salsa20 and ChaCha20. One of the…
SEJPM
5 votes, 1 answer

Do data-dependent rotations have any advantage over fixed rotations?

There are many ARX ciphers, however most use fixed rotations. I know data-dependent compared to fixed rotations are: patented (expired); harder to implement constant time; more expensive in hardware; harder to analyse; attacker can control rotation to…
LightBit
5 votes, 1 answer

Why was Adiantum chosen over an ARX block cipher in XTS mode?

In Android, Adiantum is an alternative to AES-XTS for devices without AES instructions. I cannot understand the reason for why such a convoluted scheme was chosen. There are 128-bit ARX block ciphers that could have been a drop-in with XTS…
DroidQ
5 votes, 2 answers

Why do popular ARX ciphers have large states?

salsa20/chacha20/blake/blake2/blake3 all utilize a 4x4 grid of words on which transformations occur row-wise and then column/diagonal-wise. State size varies between 512 and 1024 bits based on word size (32 bit or 64 bit). Using these alternating…
thenighday
4 votes, 1 answer

Why do some ARX ciphers require many more rounds than others?

chacha20 has 20 rounds and even that is somewhat deceptive because the rounds alternate between columns and diagonals such that you need 2 rounds to involve the entire state. However if you compare it to some other ARX ciphers such as Threefish and…
Unlordship
3 votes, 1 answer

Fastest order-sensitive operations

For any $v$ many $b$-bits vectors $(\mathbf{x}_0, \mathbf{x}_1, \ldots, \mathbf{x}_{v-1}) \in \{\{0, 1\}^b\}^v$, what's the fastest way to combine $\mathbf{x}_0, \mathbf{x}_1, \ldots, \mathbf{x}_{v-1}$ into a single number, such that the operation…
caveman
3 votes, 1 answer

Countermeasures to prevent integral cryptanalysis against 4-rounds AES

Integral cryptanalysis against 4-rounds AES is practical (Security of the AES with a Secret S-box). I did two experiments in order to find the impact and remove the integral distinguisher of 4 rounds: I replaced key addition $\oplus$ with…
hardyrama
3 votes, 1 answer

Role of xor in ARX construction

In an ARX construction like Salsa20, why is the XOR operation required? That is, why is AR not sufficient? Note that XOR is a linear operation.
user15864
3 votes, 1 answer

ChaCha20 core vs ideal unkeyed PRP

I know that the ChaCha20 core (without the initial constant) is not an ideal PRP and must not be used as such. I also know that $\text{ChaChaCore}(0) = 0$. Are there any other differences?
Demi