Linear Cryptanalysis of Pseudorandom Functions

Home , Key feedback mode

View metadata, citation and similar papers at core.ac.uk brought to you by CORE FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis:provided by RepositórioINE-UFSC, Institucional da UFSC 2015. 6p. (Relatório Técnico, INE 001-2015) Relatório Técnico do INE

Linear cryptanalysis of pseudorandom functions Daniel Santana de Freitas, Olivier Markowitch, Jorge Nakahara Jr

Relatório Técnico INE 001/2015

Universidade Federal de Santa Catarina Departamento1 de Informática e Estatística

FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis: INE-UFSC, 2015. 6p. (Relatório Técnico, INE 001-2015)

Linear cryptanalysis of pseudorandom functions

Daniel Santana de Freitas1, Olivier Markowitch2, Jorge Nakahara Jr2∗ 1Dept. Computer Science, Federal University of Santa Catarina, Brazil 2Dept. d’Informatique, Universite´ Libre de Bruxelles, Belgium [email protected], {olivier.markowitch, jorge.nakahara}@ulb.ac.be

Keywords: linear cryptanalysis, Key feedback mode of operation, linear key schedule algorithms.

Abstract: In this paper, we study linear relations propagating across block ciphers from the key input to the ciphertext (for a fixed plaintext block). This is a usual setting of a one-way function, used for instance in modes of operation such as KFB (key feedback). We instantiate the block cipher with the full 16-round DES and s2-DES, 10-round LOKI91 and 24-round Khufu, for which linear relations with high bias are well known. Other interesting targets include the full 8.5-round IDEA and PES ciphers for which high bias linear relations exist under the assumption of weak keys. Consequences of these findings impact the security of modes of operation such as KFB and of pseudorandom number/bit generators. These analyses were possible due to the linear structure and the poor diffusion of the key schedule algorithms. These findings shall motivate carefull (re)design of current and future key schedule algorithms.

1 INTRODUCTION distinguish-from-random setting. This paper is organized as follows: Sect. 2 stud- The technique of linear cryptanalysis was exten- ies linear relations across a pseudorandom function sively developed by Matsui (Matsui, 1994a; Matsui, based on the full 16-round DES and s2-DES ciphers, 1994b) in attacks initially aimed at the DES (NIST, as well as 10-round LOKI91; Sect. 3 studies linear re- 1993) and FEAL (Matsui and Yamaguishi, 1992) lations across a pseudorandom function based on the block ciphers. These attacks used so called linear re- IDEA and PES ciphers; Sect. 4 studies linear relations lations that are linear combinations of bits from the across a pseudorandom function based on variable- plaintext, ciphertext and key that hold with high bias round Khufu cipher; Sect. 5 concludes the paper. (deviation of the linear relation’s probability from 0.5). The conventional strategy is to derive these relations piecewise, starting from an S-box or other nonlinear components and then extend the relations into 2 LINEAR RELATIONS FOR DES, 2 larger components, and further to a full round and S -DES AND LOKI91 then to multiple rounds. FUNCTIONS k n Let a block cipher have signature E : ZZ2 × ZZ2 → ZZn, where n is the block size and k is the key size. A 2 In (Matsui, 1994a), Matsui performed a divide- linear attack in a block cipher setting assumes the key and-conquer analysis to determine the best linear ex- to be ﬁxed but unknown, while the plaintext is vari- pression for variable-round DES, that is, linear rela- able, so that the cipher behaves as a (pseudorandom) tions covering multiple rounds of DES with the high- permutation: E : ZZn → ZZn for any secret key K. In K 2 2 est possible bias. We adopt the same notation and this paper we analyse the setting in which the plain- bit numbering for DES as (Matsui, 1994a): a bit- text is ﬁxed and randomly chosen, while the key is mask will be represented by either Γ or a sequence variable: E(P) : ZZk → ZZn. In this setting, the plain- 2 2 of numbers between square brackets, for instance, text is considered secret. X[i, j,...,z] = X[i] ⊕ X[ j] ⊕ ... ⊕ X[z]. In both cases, In this paper we focus only on attacks in the the bits ’1’ in Γ or the numbers between brackets in- ∗Research funded by INNOVIRIS, the Brussels Institute dicate the bits participating in the linear relation. For for Research and Innovation, under the ICT Impulse pro- n-bit strings a and b, the dot (or inner) product is n−1 gram CRYPTASC. denoted a · b = ⊕i=0 ai · bi and it gives a parity bit.

2 FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis: INE-UFSC, 2015. 6p. (Relatório Técnico, INE 001-2015)

A plaintext P for DES is split into its left and right the same bias as before. Note that knowledge of the halves as P = (PL,PR) and similarly for the ciphertext full 64-bit P is not actually needed, since (2) only re- C = (CL,CR). lies on one bit: PH [7,18,24] ⊕ PR[12,16]. Since the A linear relation for the full 16-round DES (Mat- masks and P are fixed, knowledge of P is not neces- sui, 1994b) without the IP and FP bit permutations, sary, and the bias of (2) does not change. Only the and where the i-th round subkey is denoted Ki, is sign of the deviation changes according to the parity of PH [7,18,24]⊕PR[12,16]. Nonetheless, to avoid PL[7,18,24] ⊕ PR[12,16]⊕ trivial attacks based on the knowledge of the block ci- CL[15] ⊕CR[7,18,24,27,28,29,30,31] = pher, we assume that P is secret. A similar equation can be derived by fixing the K1[19,23] ⊕ K3[22] ⊕ K4[44] ⊕ K5[22] ⊕ K7[22]⊕ ciphertext block C = (C ,C ) and varying the key K K [ ] ⊕ K [ ] ⊕ K [ ] ⊕ K [ ] ⊕ K [ ]⊕ L R 8 44 9 22 11 22 12 44 13 22 (the plaintext P is the output). K15[22] ⊕ K16[42,43,45,46], (1) PL[7,18,24] ⊕ PR[12,16]⊕ holding with bias 1.49·2−24, which leads to 4·(1.49· 2−24)−2 = 248.84 messages for a high success rate dis- K[8,14,0,54,24,20,46,17,13,39,9,5,51,55,45,39] tinguishing attack. = CL[15] ⊕CR[7,18,24,27,28,29,30,31], (3) In (Junod, 2000), Junod showed experimentally which also applies to a random function E(C0) : that Matsui’s key-recovery attack complexity was 56 64 pessimistic, that is, Junod’s results indicate a high ZZ2 → ZZ2 , where C0 is a random 64-bit string. In (Matsui, 1994c), a 2-round iterative lin- success rate (85%) can be achieved with one eighth 3 of the original attack complexity that is, 243 known ear relation for DES was described with the plaintexts (KP) instead of 247 KP predicted by Mat- form F(X,K)[0,5,10,11,20,25,27] = K[4,5,6,7] sui. If the same results apply for a distinguish-from- and probability 1/2 + 2(40/64 − 172)(20/64 − 43 1/2) = 0.453, that is, with bias 1/2 − 0.453 = random setting, then we can expect only about 2 −4.411 plaintext-ciphertext pairs are needed for a high suc- 0.047 ≈ 2 . This is a so called 2-round itera- cess rate attack. tive Type-II linear relation with a single active F func- Taking into account the key schedule of tion (only the output of F is approximated) every two DES (except that PC1 bit selection trans- rounds, with only two active neighbouring S-boxes, formation is omitted) (NIST, 1993), the S7 and S8, every two rounds. For the full 16-round DES, concatenating the linear relation eight times, the right-hand side of (1) can be summarized as 7 8·(−4.411) −28.289 K[8,14,0,54,24,20,46,17,13,39,9,5,51,55,45,39] = bias becomes 2 ·2 ≈ 2 . Thus, this bias K · ΓK, where K stands for the original 56-bit key. is smaller than (1). The data complexity for a high success rate becomes 8 · (2−28.289)−2 = 23+56.579 = Note that the linear relations stretch all across the key 59.579 schedule up to the original 56-bit key. 2 known plaintexts (KP). This is more data than Now, unlike the original linear attack setting, let P can be expected by operating DES from the key entry be fixed to a random value, but the key be variable2. (the key input is only 56 bits). Note that even though We can rewrite (1) as the original 2-round relation is iterative, when con- catenated eight times for the full DES, the resulting CL[15] ⊕CR[7,18,24,27,28,29,30,31]⊕ linear relation is not iterative because there is no swap of half blocks in the last (sixteenth) round. K[8,14,0,54,24,20,46,17,13,39,9,5,51,55,45,39] Thus, (2) represents a new framework for the lin- = PH [7,18,24] ⊕ PR[12,16], (2) ear relation originally applied to the full DES. It was where the right-hand side is a fixed value. Note possible because the key schedule of DES is a linear that (2) contains the same bits as (1) but some terms mapping, that is, there are only bit permutations and were rearranged because now P is fixed instead of bit selections but no S-boxes nor other nonlinear com- K. This means (2) is applied to a random mapping ponents. So, the original key bitmasks for the DES 56 64 round subkeys could propagate up to the original key E(P) : ZZ2 → ZZ2 instead of a random permutation 64 64 K without any bias penalty. This fact demonstrates, EK : ZZ2 → ZZ2 . This is a typical construction of one-way functions (Winternitz, 1983) and in the KFB once more, the need for the key schedule algorithm to mode of operation (Hastad, 2000). Nonetheless, the be nonlinear. linear relation still covers the full 16-round DES, with The mapping from the key to the ciphertext is not injective. Assuming that a linear relation such as (3) 2The mapping from key to plaintext (or from key to ci- holds with the same bias 2−28.289 for each fixed key phertext) is modeled as a random, non-injective mapping, thus not a permutation. 3Without the IP and FP bit permutations.

3 FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis: INE-UFSC, 2015. 6p. (Relatório Técnico, INE 001-2015)

K when the probability is taken over all P, then one be denoted gets that (3) holds with bias 2−28.289 when the probability is taken over P and K. This assumption may (PR ⊕CL)[5,10,11] = (K2 ⊕ K4 ⊕ K6 ⊕ K8⊕ not always hold, but is necessary to the analysis in K ⊕ K ⊕ K ⊕ K )[4,5,6,7], (4) this paper. Taken it as granted, one can, by letting 10 12 14 16 the key vary, generate as much data as needed without following the same bit-numbering as in DES. This lin- worrying about possible collisions between the values ear relation is based on a 2-round iterative linear rela- E (P) for variable K. K tion (PL ⊕CR)[5,10,11] = Ki[4,5,6,7], with a single In the Key-FeedBack (KFB) mode of operation active F function. (Hastad, 2000) proposed for NIST’s Advanced En- Now, consider that the plaintext P is fixed to a ran- cryption Standard (AES), the ciphertext produced for dom value, but the key is variable. We can rewrite (4) a fixed plaintext P is fedback as key to the next as block cipher instantiation: C0 = br(EK(P)) and Ci = br(Eg(Ci−1 (P)), were g converts the ciphertext to the CL[5,10,11] ⊕ (K2 ⊕ K4 ⊕ K6 ⊕ K8 ⊕ K10⊕ appropriate size for the key input, and br is the out- K ⊕ K ⊕ K )[4,5,6,7] = P [5,10,11], (5) put transformation that extracts hard-core bits for 12 14 16 R each instantiation of E. In (Hastad, 2000), br(x) where the right-hand side is a fixed value. This means is the dot product between an n-bit selection vec- 56 64 (5) applied to a random mapping E(P) : ZZ2 → ZZ2 tor r = (r ,r ,...,r ) and an n-bit ciphertext block 1 2 n (for a fixed P) instead of a random permutation EK : x = (x1,x2,...,xn). Alternatively, the output trans- 64 64 48.3 ZZ2 → ZZ2 . The data complexity for (4) is 2 keys. formation can be larger than a single bit, leading to In (Tokita et al., 1994), Tokita et al. also de- a larger throughput per encryption, and is denoted m scribed linear relations for reduce-round variants of BR (x) corresponding to m = O(logn) bits selected ac- LOKI91 (Brown et al., 1991; Sakurai and Furuya, cording to a random m × n matrix. This matrix is not 1997), a Feistel Network cipher operating on 64-bit invertible. blocks, under a 64-bit key and iterating 16 rounds. Thus, in an attack using (2), the initial 56-bit We focus on a 10-round linear relation with bias key K is secret, but subsequent keys to DES invoca- 2−28.24 based on the one-round iterative linear relations are derived from previous ciphertexts Ci. If a tion (X ⊕ F(X))[18,22,26] = K[18,22,26], with bias −5 −5.54 single br is used, then a single bit is generated for 0.687 · 2 ≈ 2 . each DES encryption. Otherwise, up to logn bits Denoting the plaintext to LOKI91 as P = (PL,PR) are output per encryption. We assume that some and the ciphertext as C = (CL,CR), the linear relation m of the coefficients of the BR matrix match the bits can be denoted CL[15] ⊕ CR[7,18,24,27,28,29,30,31] in (2). The Bm matrix R is not secret or we assume it could be cho- (PR ⊕CR)[18,22,26] = sen by the adversary. Moreover, the fact that Bm(x) R (K ⊕ K ⊕ K ⊕ K ⊕ K ⊕ K )[18,22,26]. (6) is not invertible means that the full n-bit plaintext P 2 3 5 6 8 9 m is not disclosed. Otherwise, if BR (x) was invertible, This linear relation contains only six active F func- then knowing two consecutive n-bit ciphertexts, say tions across ten rounds. If we now consider that the Ci and Ci+1, and knowing the block cipher E, one −1 plaintext P is fixed to a random value, but the key is could easily compute P as P = E (Ci+ ). Ci 1 variable. This is facilitated by the fact that the key Starting from the second DES instantiation, there schedule of LOKI91 consists only of bit rotations. is a nonzero correlation between the key, which is There are only linear components in the key sched- g(C0) from the previous encryption, and the cipher- ule. m text, BR (Eg(C0)(P)). This correlation can be detected We can rewrite (6) as after collecting 243 keystream bits from this instantiation of KFB. (CR ⊕ K2 ⊕ K3 ⊕ K5 ⊕ K6 ⊕ K8 ⊕ K9)[18,22,26] = 2 Similar attacks apply to the full 16-round s -DES PR[18,22,26], (7) (Kim, 1991). The s2-DES cipher operates on 64-bit blocks and has a 56-bit key, just like the DES. In where the right-hand side is a fixed value. This means (Tokita et al., 1994), Tokita et al. described a lin- relation (7) is applied to a random mapping E(P) : 2 56 64 ear relation for the full 16-round s -DES with bias ZZ2 → ZZ2 (for a fixed P) instead of a random per- −26 64 64 1.19·2 . Denoting the plaintext as P = (PL,PR) and mutation EK : ZZ2 → ZZ2 . The data complexity for 9 −4 5.54 −6 59.48 the ciphertext as C = (CL,CR), the linear relation can (6) is 8 · 2 · 2 · (2 ) = 2 keys.

4 FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis: INE-UFSC, 2015. 6p. (Relatório Técnico, INE 001-2015)

3 LINEAR RELATIONS FOR the key schedule of IDEA consists simply of bit per- IDEA AND PES FUNCTIONS mutation, this restriction on eleven subkeys can be translated into restrictions on 105 bits of the origi- The IDEA block cipher (Lai et al., 1991) oper- nal 128-bit key. Following (Daemen and Vandewalle, ates on 64-bit blocks, iterates eight rounds plus an 1993), only the key bits with indices in the ranges 16–28, 72–74 and 111–127 are free of any condi- output transformation and is parameterized by a 128- 23 bit key. IDEA was designed as an alternative to the tions, which means 23 key bits. In summary, for 2 DES (NIST, 1993) and is well-known for the use of weak keys, the linear relation (8) holds with maximum bias. This linear attack applies to the setting in three incompatible group operations on 16-bit words: 64 64 bitwise xor, addition modulo 216 and multiplication which EK : ZZ2 → ZZ2 is a permutation with E be- 128 in GF(216 + 1), where 0 = 216. The key schedule ing the full IDEA and a key K ∈ ZZ2 with the above of IDEA is linear and consists only of bit permuta- restriction on 105 bits. Thus, a distinguishing attack −1 −2 tions. All multiplication operations in IDEA involve would require about 8 · (2 ) = 32 KP and equiva- a round subkey and that is the main feature explored lent effort. 128 64 in (Daemen and Vandewalle, 1993). Daemen et al. Now suppose we operate on E(P0) : ZZ2 → ZZ2 described linear attacks on the full IDEA cipher using for E being the full IDEA, and a fixed plaintext P0 ∈ 64 weak keys. In this setting, a weak key is a 128-bit key ZZ2 . Suppose, we apply once more the linear relation that leads, through the key schedule, to some round (8), but this time to E(P0) instead of EK. This means subkeys which are either 0 or 1 for the multiplication that the key is variable, while the plaintext is fixed. operations4. Note that multiplication (together with The new linear relation becomes addition) are the main nonlinear operations in IDEA. 1 2 3 3 Using weak keys and the (linear) key schedule, Dae- (c1 ⊕ c3 ⊕ Z3 ⊕ Z2 ⊕ Z2 ⊕ Z3 ⊕ 4 5 6 6 7 8 9 9 men et al. were able to determine a series of linear Z3 ⊕ Z2 ⊕ Z2 ⊕ Z3 ⊕ Z3 ⊕ Z2 ⊕ Z2 ⊕ Z3 ) · 1 = relations, some of which are iterative, across the full (p1 ⊕ p3) · 1. (9) 8.5-round IDEA. Due to the use of weak keys, their linear relations hold with maximum bias. Because of the key restrictions, we have only 223 As an example, let P = (p1, p2, p3, p4) denote keys as input. Under any of the weak keys, rela- a plaintext block, and C = (c1,c2,c3,c4) the corre- tion (9) holds with maximum bias. Each time we sponding ciphertext. The i-th round subkeys are de- test it, it shall hold only with probability 1 for a ran- i i i 9 9 9 9 2 noted Z1, Z2, ..., Z6, for 1 ≤ i ≤ 8, and Z1 , Z2 , Z3 , Z4 dom permutation. Thus, we can efficiently distinguish 23 64 for the output transformation. In (Daemen and Vande- E(P0) : ZZ2 → ZZ2 from a random function over the walle, 1993), Table 2, Daemen et al. provided a list- same domain and range. We estimate that 32 keys will ing of all 1-round linear relations: they called them be needed (out of 223). linear factors. Each such relation holds with maxi- A similar analysis can be performed on the pre- mum bias once the weak subkey conditions are satis- decessor of IDEA, called PES (Proposed Encryption fied. These conditions imply that some round subkeys Standard) (Lai and Massey, 1990), since both use the should be 0 or 1, so that the corresponding linear trail same key schedule algorithm. The PES cipher oper- r is satisfied. For instance, (1,0,1,0) →1 (1,1,0,0) is ates on 64-bit blocks, under a 128-bit key and iterates a 1-round linear trail that stands for p1 · 1 ⊕ p3 · 1 = 8.5 rounds. In (Nakahara Jr et al., 2003), Nakahara −1 c1 · 1 ⊕ c2 · 1 that holds with maximum bias 2 once et al. describe linear relations for large sets of weak i 8.5r Z1 ∈ {0,1}. A larger linear relation across the full keys. For instance, (0,0,0,1) → (0,0,0,1) is an it- . r 8.5-round IDEA has the form (1,0,1,0) 8→5 (0,1,1,0) erative linear relation covering the full PES under the i which can be translated into assumption that subkeys Z6, 1 ≤ i ≤ 8 are weak. Ac- cording to the key schedule of PES, this implies that (p1 ⊕ p3 ⊕ c1 ⊕ c3) · 1 = key bits 0–12, 49–65, 95–108 and 124–127 are un- 1 2 3 3 4 5 6 restricted. In summary, the following linear relation (Z3 ⊕ Z2 ⊕ Z2 ⊕ Z3 ⊕ Z3 ⊕ Z2 ⊕ Z2 ⊕ 5 48 64 holds for E(P0) : ZZ2 → ZZ2 for E being the full 6 7 8 9 9 Z3 ⊕ Z3 ⊕ Z2 ⊕ Z2 ⊕ Z3 ) · 1, (8) 8.5-round PES cipher, and a weak-key class of size 48 so, the right-hand-side of (8) stands for K · ΓK. It 2 : 1 is required that eleven round subkeys be weak: Z1 , 1 2 3 4 5 6 (c4 ⊕ Z ⊕ Z ⊕ Z ⊕ Z ⊕ Z ⊕ Z ⊕ Z2, Z2, Z3, Z4, Z5, Z5, Z6, Z7, Z8 and Z8. Since 4 4 4 4 4 4 1 5 5 1 1 5 5 1 1 5 7 8 9 Z4 ⊕ Z4 ⊕ Z4 ) · 1 = p4 · 1. (10) 4In (Daemen and Vandewalle, 1993), the restriction is that a weak subkey belongs to the set {−1,1} 5Note the updated domain size.

5 FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis: INE-UFSC, 2015. 6p. (Relatório Técnico, INE 001-2015)

48 Thus, we can efﬁciently distinguish E(P0) : ZZ2 → where we include the pre- and post-whitening keys. 64 ZZ2 from a random function over the same domain Fixing the plaintext (L0,R0) and making the key vari- and range. We estimate that 32 keys will be needed able in (11), we arrive at the following linear relation (out of 248). (L ⊕ K ⊕ K ) · mmmm = L · mmmm . (12) The threat of a linear key schedule can be mea- 24 1 3 x 0 x sured by the fact that there is at least one weak To match the block size, we assume a key of 64 key even for 17.5-round PES (Nakahara Jr et al., bits. This means (12) applied to a random mapping 2003), using the 1-round iterative linear relation E(P) : ZZ64 → ZZ64, for a ﬁxed P = (L ,R ) instead 4 2 2 0 0 (0,1,0,1) → (0,1,0,1). Moreover, there are 2 64 64 of a random permutation EK : ZZ2 → ZZ2 . The data weak keys for 14-round IDEA using a 3-round iter- complexity for a distinguishing attack on (12) is 253 ative relation (1,0,0,1) → (0,1,0,1) → (0,0,1,1) → keys. (1,0,0,1).

5 CONCLUSIONS 4 LINEAR RELATIONS FOR KHUFU FUNCTION This paper applied linear analyses originally designed against the full DES, the full s2-DES, 10-round Khufu is a block cipher designed by Merkle LOKI91, 24-round Khufu, variable-round IDEA and (Merkle, 1991) for fast software encryption. Khufu is PES block ciphers under a (pseudo-)random func- a Feistel Network cipher operating on 64-bit blocks, tion setting. In other words, instead of applying under a user key of up to 512 bits and iterating 8r linear relations from the plaintext input to the ci- rounds, for 1 ≤ r ≤ 8, where r is called the number of phertext, under a fixed key, the (same) linear rela- octets. Originally, r = 2 was suggested. Khufu oper- tions were applied from the key input to the cipher- ates on 8- and 32-bit words and its internal operations text, under a fixed plaintext. This is possible be- include: exclusive-or, byte rotations and an 8×32-bit cause the key schedule algorithms are linear map- S-box. Each S-box is key dependent, represents 213 pings, which means the linear approximation through bits of the secret key and is used for one octet only. the key schedule framework does not affect the bias Let a plaintext block be denoted P = (L0,R0), the S- of the original linear relation. box by S, a leftwards rotation of a data x by n bits by These linear relations are a potential threat to ap- x ≪ n and the least significant n bits of x by lsbn(x). plications of such block ciphers in pseudorandom Then, the ith round of Khufu outputs (Ri,Li), where number generators and PRFs, since they provide a lin- Ri = Li−1 ≪ si, where si is a fixed rotation amount, ear relationship between the inputs and outputs in a multiple of 8 bits, and Li = Ri−1 ⊕ S[lsb8(Li−1)]. For known-input-output setting. each round in an octet, the values of si are 16, 16, 24, The linear relations emphasize the need for non- 24, 16, 16, 8 and 8 in this order and repeated cycli- linearity in the key schedule algorithms to avoid lin- cally. There is a pre-whitening in which two 32-bit ear relations to be applied from the key input to the subkeys K1 and K2 are xored to the plaintext and an ciphertext, and holding with the same bias as the orig- output transformation in which subkeys K3 and K4 are inal attack from plaintext to ciphertext. xored to the output of the last round. We will use the 2-round iterative linear analysis of Khufu described in (Nakahara Jr, 2007), with bias 2−3, which holds for a fraction of 5% of the REFERENCES keys. This fraction corresponds to a weak-key class. This 2-round iterative linear relation has the form Brown, L., Kwan, M., Pieprzyk, J., and Seberry, J. (1991). L · mmmm = L · mmmm , for 0 < m ≤ 255, and Improving resistance to differential cryptanalysis and i x i+2 x the redesign of loki. Technical Report CS38/91, Dept. mmmmx stands for a 32-bit mask. This mask is ro- of Computer Science, Univ. College, Australian De- tation invariant, that is, mmmmx ≪ 8t = mmmmx for fence Force Academy. any t, because rotations are over multiples of 8 bits. Daemen, J.and Govaerts, R. and Vandewalle, J. (1993). Repeating this 2-round iterative relation, we can Weak keys for idea. In Stinson, D., editor, Adv. in achieve a linear distinguisher for 24-round Khufu Cryptology, CRYPTO 93, LNCS 773, pages 224–231. with bias 211−12·3 = 2−25, and requiring 8(2−25)−2 = Springer. 253 known plaintexts (KP): Hastad, J. (2000). Key feedback mode: a keystream gener- ator with provable security. NIST modes of operation (L0 ⊕ L24) · mmmmx = (K1 ⊕ K3) · mmmmx, (11) workshop.

6 FREITAS, D.S.; MARKOWITCH O.; NAKAHARA JR, J. Linear cryptanalysis of pseudorandom functions. Florianópolis: INE-UFSC, 2015. 6p. (Relatório Técnico, INE 001-2015)

Table 1: Attack complexities on pseudorandom functions in KFB mode. Memory complexity is negligible. Function Block size Key size Time Data Source (bits) (bits) (Eq.) 16-round DES 64 56 243 243 (1) 16-round s2-DES 64 56 248.3 248.3 (5) 8.5-round IDEA 64 128 32 32 (9) 8.5-round PES 64 128 32 32 (10) 10-round LOKI91 64 64 259.48 259.48 (7) 24-round Khufu 64 ≤ 512 253 253 (12)

Junod, P. (2000). Linear cryptanalysis of des. Master’s Tokita, T., Sorimachi, T., and Matsui, M. (1994). Lin- thesis, ETH Zurich and EPFL Lausanne. ear cryptanalysis of loki and s2-des. In Pieprzyk, J. Kim, K. (1991). Construction of des-like s-boxes based and Safavi-Naini, R., editors, Adv. in Cryptology, Asi- on boolean functions satisfying the sac. In Imai, H., acrypt’94, LNCS 917, pages 293–303. Springer. Rivest, R., and Matsumoto, T., editors, Adv. in Cryp- Winternitz, R. (1983). Producing a one-way hash function tology, Asiacrypt, LNCS 739, pages 59–72. Springer. from des. In Adv. in Cryptology, Crypto’83, pages Lai, X. and Massey, J. (1990). A proposal for a new block 203–207. Springer. encryption standard. In Damgard,˚ I., editor, Adv. in Cryptology, EUROCRYPT, LNCS 473, pages 389– 404. Springer. Lai, X., Massey, J., and Murphy, S. (1991). Markov ciphers and differential cryptanalysis. In Davies, D., editor, Adv. in Cryptology, EUROCRYPT, LNCS 547, pages 17–38. Springer. Matsui, M. (1994a). The ﬁrst experimental cryptanalysis of the data encryption standard. In Desmedt, Y., editor, Adv. in Cryptology, Crypto 1994, LNCS 839, pages 1–11. Springer. Matsui, M. (1994b). Linear cryptanalysis method for des cipher. In Helleseth, T., editor, Adv. in Cryptology, Eurocrypt’93, LNCS 765, pages 386–397. Springer. Matsui, M. (1994c). On correlation between the order of s-boxes and the strength of des. In Adv. in Cryptology, Eurocrypt’94, LNCS 950, pages 366–375. Springer. Matsui, M. and Yamaguishi, A. (1992). A new method for known plaintext attack of feal cipher. In Ruep- pel, R., editor, Adv. in Cryptology, Eurocrypt 1992, LNCS 658, pages 81–91. Springer. Merkle, R. (1991). Fast software encryption functions. In Adv. in Cryptology, Crypto 1990, LNCS 537, pages 476–501. Springer. Nakahara Jr, J. (2007). A linear analysis of blowﬁsh and khufu. In Dawson, E. and Wong, D., editors, ISPEC, LNCS 4464, pages 20–32. Springer. Nakahara Jr, J., Preneel, B., and Vandewalle, J. (2003). A note on weak-keys of pes, idea and some extended variants. In Boyd, C. and Mao, W., editors, 6th Infor- mation Security Conference (ISC), LNCS 2851, pages 269–279. Springer. NIST (1993). Fips pub 46-1, data encryption standard. Fed- eral Information Processing Standards Publication 46- 2. Sakurai, K. and Furuya, S. (1997). Improving linear cryptanalysis of loki91 by probabilistic counting method (extended abstract). In Biham, E., editor, Fast Soft- ware Encryption (FSE) Workshop, LNCS 1267, pages 114–133. Springer.