Related-key Boomerang Attack on Block Cipher SQUARE
2010. 2.
Bonwook Koo1, Yongjin Yeom1, Junghwan Song2 1 : Attached Inistitute of ETRI, 2 : Hanyang Univ. Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks
COCONUT98 Khufu FEAL-6 CAST-256 MARS SERPENT …….. Boomerang and Rectangle Attacks
COCONUT98 Khufu FEAL-6 CAST-256 MARS SERPENT ……..
SERPENT SHACAL SHACAL-1 …….. Related-Key Boomerang and Rectangle Attacks Related-Key Boomerang and Rectangle Attacks Related-Key Boomerang and Rectangle Attacks
SHACAL-1 AES-192 AES-256 IDEA KASUMI …….. Related-Key Boomerang and Rectangle Attacks
SHACAL-1 AES-192 AES-256 IDEA KASUMI ……..
COCONUT98 IDEA …….. Related-Key Sandwich Attack Related-Key Sandwich Attack Related-Key Sandwich Attack Related-Key Sandwich Attack
KASUMI Related-Key Sandwich Attack
KASUMI
PRACTICAL !! Our Contribution Our Contribution Our Contribution Our Contribution
SQUARE Block Cipher SQUARE
• A predecessor of AES-128 • What about AES-128? • 8-round SPN structure • 10-round SPN structure • Round functions consist of • Round functions consist of • : Linear Transformation Transpose • MixColumns • : S-boxes The same • SubBytes Similar • : Transposition • ShiftRows The same • : Key addition • AddRoundKey
• If a round function [rki] = [rki] о о о , then
SQUARE[k]=[rk8]о[rk7]о[rk6]о[rk5]о[rk4]о[rk3]о[rk2]о[rk1]о[rki]о-1 Block Cipher SQUARE
• What about Key Schedule?
rk0
rotl C0 C0 C1 C2
1 s rk s s
Rotl Rotl Rotl s rotl C1
rk2 rk0 rk1 rk2 rk3
rotl C2
rk3
Key schedule of AES-128 Key schedule of SQUARE Transpose and Remove S-boxes Local Collision of SQUARE
Byte difference values
i-th round = ∈ { 0a, 11, 17, 1d, 20, 3b, 4d, 53, 73, 76, 7c, 87, i+1-th round 9d, a4, a8, ae, p = 1 c6, d2, d5, e0, ee, fc} i+2-th round p = 2-28 = 2 = 3 i+3-th round p = 1 = 0 Differential Trails for Distinguisher
Drk1
Drk5
p = 1 Drk2 \S0,1 p = 1 Drk 6
p = 1 Drk3
p = 2-28 Drk7
p = 2-28 Drk4
p = 1 Drk8
p = 1
p = 1
S0,1
Differential Trail for E0 Differential Trail for E1 Differential Trails for Distinguisher
Drk0 (Drk0)
DP DX
Differential Trail for the first round T
y y y y y y y y DK=Drk0 Drk1 Drk2 Drk3 Drk4 Drk5 Drk6 Drk7 Drk8
y y y y y y y y ÑK=Ñrk0 Ñrk1 Ñrk2 Ñrk3 Ñrk4 Ñrk5 Ñrk6 Ñrk7 Ñrk8
Differential Trail for Round Keys 7-Round Distinguisher of SQUARE
P3 DQ P4 The locally amplified probability T P T P1 K3 D P2 K4 of distinguisher is X3 X4 DX T T K1 K2 2 ~2 2 X1 X2 p q r DX i E0 E0 i K3 p=2-28 K4
p=2-28 E0K1 E0K2 So we have a probability of 7-round DY Y3 Y4 distinguisher of SQUARE as
ÑY DY ÑY Y1 i i Y2 126 -7 r =2-7 ri=2 i 282 282 ÑD E1K3 ÑD E1K4 2 2 ri i0 E1 E1 K1 K2 ~ ~q=2-28 q=2-28 2112 (212 126214) 2119 ÑC C3 ÑC C4
C1 C2 Attack for Full SQUARE
T’ We can recover the first two y bytes of (K1), (K2), (K3), and (K4) with the following p = 2-7 complexities. y y
Data Complexity of this attack is y y p = 2-28 1041711 123 E0 E1 2 2
Time Complexity of this attack is y p = 2-28 y 231625 36 2 2
The S/N of this attack is y y m3311916 m102 2 2 2 2 9 2 2m811416 2m111 27 Thanks to you all and my actors