sign in sign up
<<
Home , Cryptanalysis

Applying Differential Cryptanalysis for XTEA using a Genetic

Pablo Itaima and Mar´ıa Cristina Riffa

aDepartment of Computer Science, Universidad Tecnica´ Federico Santa Mar´ıa, Casilla 110-V, Valpara´ıso, Chile, {pitaim,mcriff}@inf.utfsm.cl

Keywords: Cryptanalysis, XTEA, Genetic .

Abstract. Differential Cryptanalysis is a well-known chosen attack on block . One of its components is a search procedure. In this paper we propose a genetic algorithm for this search procedure. We have applied our approach to the Extended Tiny Algorithm. We have obtained encouraging results for 4, 7 and 13 rounds.

1 Introduction In the Differential Cryptanalysis, Biham and Shamir (1991), we can identify many problems to be solved in order to complete a successful attack. The first problem is to define a differential characteristic, with a high , which will guide the attack. The second problem is to generate a set of pairs, with a fixed difference, which follows the differential charac- teristic of the algorithm. Other problem is related to the search of the correct subkey during the partial deciphering process made during the attack. For this, many possible subkeys are tested and the algorithm selects the subkey that, most of the time, generates the best results. This is evaluated, in the corresponding round, by the number of plaintext pairs that have the same difference respect to the characteristic. Our aim is to improve this searching process using a ge- netic algorithm. Roughly speaking, the idea is to quickly find a correct subkey, allowing at the same time to reduce the computational resources required. We have designed our algorithm to apply differential cryptanalysis for a well-known modern cryptographic algorithm: Extended Tiny Encryption Algorithm(XTEA). XTEA is a block encryption algorithm, that is very easy to implement, has fast execution time and takes minimal storage space. It is designed to use exclusive-or, addition and shift, its round functions are very simple, but is considered a secure modern algorithm that is ideal for use in low memory environments, like a smartcard, Wheeler and Needham (1997). The goal is not to attack the Extended Tiny Encryption Algorithm (XTEA), but to use a genetic algorithm during the process of finding the correct subkey to improve the perfor- mance of the Differential Cryptanalysis. For all the Tests we use the R-1 attack described in Biham and Shamir (1993). This work is inspired in some ideas presented in Song et al. (2007). The authors introduced an attack to a modern cryptographic algorithm, a two round DES, using a genetic algorithm. They have reported good results.

2 Our Approach In order to apply a Differential Cryptanalysis we need a set of pairs of plaintexts with a given difference, as well as a search algorithm.

2.1 Generation of the Pairs of Plaintexts Before the attack, a procedure to generate pairs of plaintexts has been implemented. This procedure randomly generates a plaintext. It creates another plaintext using both the plaintext randomly generated and the corresponding characteristic. Both plaintexts are encrypted. The procedure selects that satisfy the expected differential value. All the encryption are made using the same key as it is required by the technique. The procedure will stop when we obtain the numbers of pairs of plaintext required for the attack. This value depends on the used characteristic probability in the different rounds of the algorithm under attack. This process implies a filtration step in order to discard wrong pairs that don’t follow the differential characteristic. Every pair suggests several subkeys. Good pairs suggest one good subkey and few wrong subkeys. Most of the times wrong pairs suggest wrong subkeys, but they can suggest a good one. The indicator of how many times the correct subkey is more frequent than other subkeys is the Signal to Noise (S/N) ratio. This indicator has been defined in Biham and Shamir (1993) and described by Misztal (2006) as:

2kp S/N = (1) αβ Where,

k = the number of bits of the computed subkeys p = the probability of the characteristic α = the average number of subkeys suggested by one analyzed pair β = the ratio of analyzed pairs to all pairs

2.2 Search Algorithm In this section we introduce the components of our genetic algorithm, based on the one defined by A. B. Albassal (2003, 2004).

2.2.1 Representation We use a binary representation. One chromosome represents a possible key by a string of 4 subkeys of 32 bits each. The deciphering process uses both the possible key and the set of pairs of cipher texts in the last round of XTEA.

2.2.2 Evaluation Function The evaluation function is defined as:

Definition 2.1 Given M the total number of plaintexts pairs used to evaluated the key with a fixed difference, and d the count that is kept for each value of the target partial subkey value, we define F as the evaluation function to be maximized as: d F = (2) M We have implemented a recursive procedure to compute the evaluation function value. Using the set of plaintexts pairs to be tested and a chromosome, it identifies the number d of those pairs that have obtained the expected differential after the partial decryption process. 2.2.3 Initial Population, Operators and Selection Our algorithm generates randomly the initial population. We use roulette wheel for selection. The operators are the classical mutation and crossover. Elitism is also implemented.

3 Tests We have tested our approach for 4, 7 and 13 rounds. In order to evaluate the algorithm, we need to generate plaintexts pairs which must respect some attack conditions. These conditions strongly depend on the number of rounds to be considered.

3.1 Results 3.1.1 Four Rounds XTEA The first set of results is for a 4 rounds XTEA. The results are shown in Table 1.

Test Subkey Best Solution Correct # Bits (of 32) Time(s) 1 0x4A4D7485 0x784D7485 29 0.515 2 0x3F0608DA 0x350608DA 30 0.406 3 0x01234567 0x01234567 32 0.538 4 0x9ABCDEF0 0x1ABCDED0 30 0.296 5 0x1B714F21 0x09714F21 30 0.359 6 0x6287F127 0x6987F127 29 0.421 7 0x7162E4AA 0x7B62E4AA 30 0.328 8 0x2E04FF96 0x7E04FF96 30 0.312 9 0x21F711DA 0x03F711DA 30 0.421 10 0xDFADB873 0x4FADB873 30 0.375 11 0x863A7401 0x8F3A7401 30 0.328 12 0xD8445C27 0x58445C27 31 0.578 13 0x65189ABC 0x6D189A9C 30 0.453 14 0x78BE3254 0x68BE3254 31 0.328 15 0x001485AF 0x101445AF 29 0.437 Table 1: Algorithm execution for the 4 Rounds XTEA

For a traditional Differential Attack, the attacker requires 2n counters, where n is the number of bits of the target key. Thus, in our case, 232 counters are needed. Our approach just needs 200 counters that correspond to the population size.

3.1.2 Seven Rounds XTEA The results for the attack of 7 rounds XTEA are shown in Table 2. In this case, our approach has just required 600 counters.

3.1.3 Thirteen Rounds XTEA The results are shown in Table 3. Our approach has also required just 600 counters. The time reported in table 3) corresponds to the execution time of the genetic algorithm. It does not include the time to search for a set of suitable plaintext pairs.

4 Conclusions and Future Work In this paper we have shown that a genetic algorithm is a good technique to be included into differential cryptanalysis for XTEA. Using our algorithm the attacks reported have required a lower computational resources than using the traditional one. Our approach is quite general, Test Subkey Best Solution Correct # Bits (of 32) Time(s) 1 0x09114D5E 0x99114D5E 30 92.239 2 0x5FCC6B36 0x5F4C6B36 31 79.310 3 0x2A3E1FEC 0x283F5FEC 29 3732.883 4 0x34F32ADD 0x10F32BDD 29 3030.476 5 0x45080A89 0x45880A89 31 1175.171 6 0x165A54EA 0x085A54EA 28 1103.640 7 0x7FAC5E17 0xEFAC1E37 28 1651.709 8 0x07476060 0x13C76060 29 143.887 9 0x26C261C8 0x16C321C8 28 473.793 10 0x6943125B 0x6A43125B 30 6660.790 11 0x628C18D9 0xA48C18D9 28 1546.029 12 0x3C53618E 0x3E53618E 31 2942.571 13 0x52E77D78 0x10E77D78 30 459.171 14 0x78A028BE 0x68A028BE 31 3744.216 15 0x59421A1F 0x38C21A3F 27 3836.248 Table 2: Algorithm execution for the 7 Rounds XTEA

Test Subkey Best Solution Correct # Bits (of 32) Time(s) 1 0x5BD966B9 0x5ADC66B9 29 6853.258 2 0x1B6D3F21 0x1A4D3F21 30 7420.235 3 0x56455550 0x55455550 30 5689.045 4 0x05972B00 0x15142B00 28 8045.985 5 0x20AD57DD 0x54BD57DD 27 4856.125 6 0x61A0642D 0x65A0642D 31 7849.843 7 0x56D619EB 0x5CD619EB 30 6671.257 8 0x315C0F52 0x754C0F52 29 9674.076 9 0x57747BB8 0xC5547BB8 28 7461.994 10 0x47B0445C 0x46B0445C 31 6589.178 11 0x59495771 0x6D695775 27 6985.148 12 0x55C5016A 0x59C5016A 30 7327.557 13 0x27CA2888 0x27EA2888 31 7015.994 14 0x1B3C1AA2 0x493C1AA2 29 5789.879 15 0x6A9E5934 0x099E5934 28 8645.159 Table 3: Algorithm execution for the 13 Rounds XTEA thus it can be implemented for others Feistel Ciphers which are suitable to be attacked by Dif- ferential Cryptanalysis. We will study other cryptographic characteristics that could be included on the genetic operators in order to improve the performance of the search.

References A. B. Albassal, A. W.: 2003, Genetic algorithm cryptanalysis of the basic substitution permu- tation network., The 46th IEEE International Midwest Symposium on Circuits and Systems . Cairo Egypt. A. B. Albassal, A. W.: 2004, Genetic algorithm cryptanalysis of a feistel type ., IEEE joint conference,ICEEC’04 5-7(9), 217–221. Cairo, Egypt. Biham, E. and Shamir, A.: 1991, Differential cryptanalysis of des-like , CRYPTO ’90: Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, Springer-Verlag, London, UK, pp. 2–21. Biham, E. and Shamir, A.: 1993, Differential cryptanalysis of the . Misztal, M.: 2006, The signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standar, Journal of Telecommunications and Information Technology 3, 49–59. Song, J., Zhang, H., Meng, . and yi Wang, Z.: 2007, Cryptanalysis of two-round des us- ing genetic algorithms, ISICA’07:International Symposium on Intelligence Computation and Applications. Lecture Notes in Computer Science 4683, pp. 583–590. Wheeler, D. and Needham, R.: 1997, Tea extensions, Technical report, Computer Laboratory, University of Cambridge.