Related-Key Boomerang Attack on Block Cipher SQUARE

Home , Boomerang attack, COCONUT98, KASUMI, Q (cipher), Serpent (cipher), SHACAL

Related-key Boomerang Attack on Block Cipher SQUARE

2010. 2.

Bonwook Koo1, Yongjin Yeom1, Junghwan Song2 1 : Attached Inistitute of ETRI, 2 : Hanyang Univ. Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks

COCONUT98 Khufu FEAL-6 CAST-256 MARS SERPENT …….. Boomerang and Rectangle Attacks

COCONUT98 Khufu FEAL-6 CAST-256 MARS SERPENT ……..

SERPENT SHACAL SHACAL-1 …….. Related-Key Boomerang and Rectangle Attacks Related-Key Boomerang and Rectangle Attacks Related-Key Boomerang and Rectangle Attacks

SHACAL-1 AES-192 AES-256 IDEA KASUMI …….. Related-Key Boomerang and Rectangle Attacks

SHACAL-1 AES-192 AES-256 IDEA KASUMI ……..

COCONUT98 IDEA …….. Related-Key Sandwich Attack Related-Key Sandwich Attack Related-Key Sandwich Attack Related-Key Sandwich Attack

KASUMI Related-Key Sandwich Attack

KASUMI

PRACTICAL !! Our Contribution Our Contribution Our Contribution Our Contribution

SQUARE Block Cipher SQUARE

• A predecessor of AES-128 • What about AES-128? • 8-round SPN structure • 10-round SPN structure • Round functions consist of • Round functions consist of • : Linear Transformation Transpose • MixColumns • : S-boxes The same • SubBytes Similar • : Transposition • ShiftRows The same • : Key addition • AddRoundKey

• If a round function [rki] = [rki] о  о  о , then

SQUARE[k]=[rk8]о[rk7]о[rk6]о[rk5]о[rk4]о[rk3]о[rk2]о[rk1]о[rki]о-1 Block Cipher SQUARE

• What about Key Schedule?

rk0

rotl C0 C0 C1 C2

1 s rk s s

Rotl Rotl Rotl s rotl C1

rk2 rk0 rk1 rk2 rk3

rotl C2

rk3

Key schedule of AES-128 Key schedule of SQUARE Transpose and Remove S-boxes Local Collision of SQUARE

Byte difference values

i-th round =  ∈ { 0a, 11, 17, 1d,  20, 3b, 4d, 53, 73, 76, 7c, 87, i+1-th round 9d, a4, a8, ae, p = 1 c6, d2, d5, e0,     ee, fc} i+2-th round p = 2-28 = 2       = 3   i+3-th round p = 1     = 0 Differential Trails for Distinguisher

Drk1

 Drk5

p = 1 Drk2 \S0,1   p = 1 Drk     6

p = 1 Drk3    

p = 2-28 Drk7    

p = 2-28 Drk4    

p = 1 Drk8    

p = 1

p = 1    

 S0,1

Differential Trail for E0 Differential Trail for E1 Differential Trails for Distinguisher

Drk0 (Drk0) 

   DP DX

Differential Trail for the first round T

y y y y y y y y DK=Drk0 Drk1 Drk2 Drk3 Drk4 Drk5 Drk6 Drk7 Drk8

y y y y y y y y ÑK=Ñrk0 Ñrk1 Ñrk2 Ñrk3 Ñrk4 Ñrk5 Ñrk6 Ñrk7 Ñrk8

Differential Trail for Round Keys 7-Round Distinguisher of SQUARE

P3 DQ P4 The locally amplified probability T P T P1 K3 D P2 K4 of distinguisher is X3 X4 DX T T K1 K2 2 ~2 2 X1 X2 p q  r DX  i E0 E0 i K3 p=2-28 K4

p=2-28 E0K1 E0K2 So we have a probability of 7-round DY Y3 Y4 distinguisher of SQUARE as

ÑY DY ÑY Y1 i i Y2 126 -7 r =2-7 ri=2 i 282 282 ÑD E1K3 ÑD E1K4 2  2 ri i0 E1 E1 K1 K2 ~ ~q=2-28 q=2-28  2112 (212 126214)  2119 ÑC C3 ÑC C4

C1 C2 Attack for Full SQUARE

 T’  We can recover the first two y  bytes of (K1), (K2), (K3), and (K4) with the following  p = 2-7  complexities. y y  



  Data Complexity of this attack is y  y  p = 2-28 1041711 123  E0  E1 2  2

  Time Complexity of this attack is y  p = 2-28 y  231625 36  2  2 

 The S/N of this attack is  y  y m3311916 m102 2  2 2 2 9     2 2m811416 2m111 27 Thanks to you all and my actors