Differential-Linear and Impossible Differential Cryptanalysis of Round-Reduced Scream

Differential-linear and Impossible Differential Cryptanalysis of Round-reduced Scream

Ashutosh Dhar Dwivedi, Pawel Morawiecki and Sebastian Wojtowicz´ Institute of Computer Science, Polish Academy of Sciences, Warsaw, Poland

Keywords: Linear Cryptanalysis, Differential Cryptanalysis, Differential-linear Cryptanalysis, Impossible Differential Cryptanalysis.

Abstract: In this work we focus on the tweakable block cipher Scream, We have analysed Scream with the techniques, which previously have not been applied to this algorithm, that is differential-linear and impossible differential cryptanalysis. This is work in progress towards a comprehensive evaluation of Scream. We think it is essential to analyse these new, promising algorithms with a possibly wide range of cryptanalytic tools and techniques. Our work helps to realize this goal.

1 INTRODUCTION The main purpose behind introducing a tweak is to bring functionality of a nonce (or initialization vector) A block cipher is one of the most important primi- down to the primitive block-cipher level, instead of in- tive of modern cryptography. A conventional block corporating it only at the higher modes-of-operation cipher has two inputs — a plaintext (or message) levels (Liskov et al., 2011). An extra cost of mak- M 0,1 n, a key K 0,1 k and produces a single ing a block cipher ”tweakable” is small, so it is eas- output∈ { —} a ciphertext∈ C{ }0,1 n (seeFigure 1(a)). ier to design and prove modes of operation based on Therefore we can describe∈ a { block} cipher as tweakable block ciphers. In this work we focus on the tweakable block cipher Scream (Grosso et al., ). An E : 0,1 n 0,1 k 0,1 n (1) interesting and distinctive feature of Scream is that the { } × { } → { } algorithm has been designed to be secure against side- Compared to conventional block cipher, a tweakable channel attacks. A side-channel attack is a way of block cipher takes an additional input called tweak exploiting information obtained from a physical im- along with the usual inputs — message and key (see plementation of the cryptosystem. Such information Figure 1(b)) and maps the inputs to the ciphertext: could be power or time consumption, area of memory access, electromagnetic radiation or even sound made E˜ : 0,1 n 0,1 t 0,1 k 0,1 n (2) by a device. Two techniques taken into consideration { } × { } × { } → { } by Scream designers are differential power analysis The tweak plays a very similar role as a nonce in (Kocher et al., 1999) and electro-magnetic analysis the OCB mode or an initialization vector in the CBC (Gandolﬁ et al., 2001). mode. Related Work. Leander et al. presented a paper (Le- ander et al., 2015), where they introduced a generic algorithm to detect invariant subspaces and with this technique they cryptanalysed iSCREAM — an authenticated cipher based on a variant of Scream. Their attack is on a full cipher yet in a weak- or related- key model. A year later, at Asiacrypt 2016, an attack called the non-linear invariant attack was introduced (Todo et al., 2016). In that paper authors Figure 1: (a) Standard block cipher encrypts a message M showed how to distinguish the full version of tweak- under control of a key K to produce a ciphertext C. (b) able block cipher i-Scream, Scream and Midori64 in Tweakable block cipher encrypts a message M under control of a key K and a ”tweak” T to produce a ciphertext C. a weak key setting. For the authenticated encryption (c) Here the key K is shown inside the box. 501

Dwivedi, A., Morawiecki, P. and Wójtowicz, S. Differential-linear and Impossible Differential Cryptanalysis of Round-reduced Scream. DOI: 10.5220/0006461905010506 In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pages 501-506 ISBN: 978-989-758-259-2 Copyright © 2017 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved SECRYPT 2017 - 14th International Conference on Security and Cryptography

schemes SCREAM and i-SCREAM, the plaintext can Algorithm 1: TLS-design with l bit L-boxes and s bit − − be practically recovered only from the ciphertext in S-boxes (n = l s). the nonce-respecting setting. × 1: x = x TK(0) . Set plaintext to all-zero vector Our Contribution. To have a reliable evaluation ⊕ 2: for 0 < σ N do of a new promising ciphers, such as Scream, third- ≤ s 3: < N party cryptanalysis is essential. Our goal is to anal- for 0 ρ r do r = 2.(σ≤ 1) + ρ yse Scream with the techniques, which have not been − 4: for 0 j < l do . S-box Layer considered or fully explored against Scream. In this ≤ 5: x[ , j] = S[x[ , j]]; work we focus on differential-linear and impossible- ∗ ∗ differential cryptanalysis and apply them to round- 6: end for x = x C ; . Constant addition reduced variants of the cipher. First we propose a lin- ⊕ r 49 7: for 0 i < s do . L-box Layer ear approximation for 5 rounds with the bias ε = 2− , ≤ 8: x[i, ] = L[x[i, ]]; upon which we build the 5-round key recovery attack. ∗ ∗ A linear approximation can be extended with a differ- 9: end for ential part, which is known as differential-linear anal- 10: end for x = x TK(σ) . Tweakey addition ysis and it lets us mount the theoretical attack for 5 ⊕ rounds with the complexity 2116. Finally, we show 11: end for an impossible differential path for 4 rounds obtained 12: return x through the miss-in-the-middle approach. cryptanalytic technique. The main idea behind linear cryptanalysis is to construct a linear approximation which describes a relation between input (plaintext) 2 SCREAM DESCRIPTION and output (ciphertext) bits. For a secure cipher we expect that such a relation holds with probability 0.5 The tweakable block cipher Scream is based on the (bias ε = 0) and we try to find an approximation where LS-design variant (Grosso et al., 2014) known as ε = 0. That would mean that the algorithm exhibits TLS-design. The state is represented as an s l ma- 6 × a non-random behaviour and potentially it could be trix, where each element of the matrix represents a bit. converted to some attacks, such as the key recovery Therefore a size of the block is n = s l and Scream attack. has a block size of 8 16 = 128 bits.× The state x is × To construct a linear approximation for (round- updated by iterating Ns steps, where each step has Nr reduced) Scream we proceed as follows. First, we ex- rounds as shown in Algorithm 1. A number of steps amine the linear approximation table for the Scream can vary and it serves as the security margin param- S-box and choose the approximation with the high- eter. In the pseudo-code given below a plaintext is est bias. We find that the approximation in8 = out8 denoted by P, whereas TK (tweakey) is a simple lin- (8th input bit of the S-box equals 8th output bit) has T K 3 ear combination of a tweak and the master key . the highest bias, namely 2− . There are 16 columns In Scream, both key and tweak are 128 bits long. in the Scream state, hence 16 S-boxes in the S-box The round constant C(r) is defined as layer. We examine 216 initial states for our linear ap- C(r) = 2199 r( mod 216) (3) proximation, where each S-box is either inactive or × its 8th bit is active. In the subsequent rounds we al- To calculate tweakeys (TK), first the tweak is divided ways use the same S-box approximation (in8 = out8). into 64-bit halves, i.e., T = t t and then tweakeys 0|| 1 A total bias is calculated using a formula introduced are calculated as follows: by Matsui (Matsui, 1993).

TK(σ = 3i) = K (t0 t1), (4) ⊕ k i=15 n 1 TK(σ = 3i + 1) = K (t0 t1 t1), (5) ε1,2,3...15 = 2 − ∏ εi (7) ⊕ ⊕ k i=0 TK(σ = 3i + 2) = K (t1 t0 t1). (6) ⊕ k ⊕ For 5 rounds, the best approximation we found has 49 the bias ε = 2− with 24 active S-boxes. Table 1 shows this linear approximation. 3 LINEAR APPROXIMATION We also investigate more rounds, for example 6- FOR 5-ROUND SCREAM round approximation obtained by the same method 65 has a total bias 2− . However, as a number of plain- Linear cryptanalysis was introduced by Matsui (Mat- text required for the key recovery attack is typically 2 sui, 1993) and since then it has become a powerful proportional to ε− , for 6 rounds (or more) we ex-

502 Differential-linear and Impossible Differential Cryptanalysis of Round-reduced Scream

Table 1: Linear approximation for the 5-round Scream subkeys and the result is run forward through the S- (Each column of the state is encoded as two hexadecimal box. We need to guess these bits, which are needed numbers). to calculate values of bits involved in the linear ap- 00 80 00 00 80 00 00 00 00 80 00 00 00 00 80 00 proximation. Table 2 shows the details. For each subkey guess we create a counter and it is incremented ↓ 9 S-box Layer (active S-boxes: 4, bias: 2− ) once the linear approximation holds. A counter with a value which differs the most from a half of a number ↓ 00 80 00 00 80 00 00 00 00 80 00 00 00 00 80 00 of plaintext/ciphertext pairs corresponds to the correct subkey guess. L-box↓ Layer Table 2: Initial and final states of the 4.5-round linear ap- ↓ 00 00 00 00 80 80 80 00 00 00 80 00 00 00 00 00 proximation. 00 80 00 00 80 00 00 00 00 80 00 00 00 00 80 00 ↓ 9 S-box Layer (active S-boxes: 4, bias: 2− ) 4.5-Rounds↓ ↓ 00 00 00 00 80 80 80 00 00 00 80 00 00 00 00 00 ↓ 80 80 80 80 00 00 80 80 80 00 00 00 80 00 00 00 L-box↓ Layer 41 The above approximation has a total bias ε = 2− ↓ 00 80 00 80 80 00 00 80 80 00 00 80 00 80 00 80 and a number of plaintext/ciphertext pairs needed to 2 82 detect the bias is ε− = 2 . Active input bits in ↓ 17 S-box Layer (active S-boxes: 8, bias: 2− ) the linear approximation are placed in four different columns of the state (see Table 2). Therefore, we need ↓ 32 00 80 00 80 80 00 00 80 80 00 00 80 00 80 00 80 to guess 4 8 = 32 key bits, which gives 2 possible combinations.∗ For each combination we check 282 L-box↓ Layer plaintext/ciphertext pairs, so the time complexity of our key-recovery attack is 282+32 = 2114. ↓ 80 00 00 00 00 00 80 00 00 00 80 00 00 80 00 00 By this procedure and with the presented 4.5- round linear approximation we extract 32 key bits. ↓ 9 To recover more bits, we just repeat the procedure S-box Layer (active S-boxes: 4, bias: 2− ) but with a different approximation, where input active ↓ 80 00 00 00 00 00 80 00 00 00 80 00 00 80 00 00 bits are placed in different columns. Comparison With an Automated Tool. In (Dobrau- nig et al., 2015) a heuristic tool for finding linear char- L-box↓ Layer acteristics was presented. The tool is inspired by SAT ↓ solvers and it was applied to modern authenticated ci- 00 00 80 00 00 80 00 00 00 80 80 00 00 00 00 00 phers. We used this tool to find good linear approxi- ↓ 9 mations for Scream and compare the results with our S-box Layer (active S-boxes: 4, bias: 2− ) approach. For 5 rounds, the tool provides the approxi- 50.71 ↓ mation with bias 2− with 22 active S-boxes, while 00 00 80 00 00 80 00 00 00 80 80 00 00 00 00 00 49 our approach leads to the characteristic with bias 2− ↓ and 24 S-boxes. Generally, we find the results simi- L-box Layer lar and we argue that our relatively simple procedure ↓ for building linear approximations is comparable with 80 80 80 80 00 00 80 80 80 00 00 00 80 00 00 00 this much sophisticated tool. ceed the exhaustive search bound 2128 and analysis becomes much less meaningful. 4 DIFFERENTIAL-LINEAR 3.1 5-round Key Recovery Attack CRYPTANALYSIS OF ROUND-REDUCED SCREAM We can use a linear approximation we constructed to recover the secret key. First, we partially encrypt the Differential cryptanalysis was introduced (publicly) first S-box layer by guessing some key bits, specifi- by Biham and Shamir (Biham and Shamir, 1990) in cally the plaintext bits are XORed with the guessed

503 SECRYPT 2017 - 14th International Conference on Security and Cryptography

1990 and is still one of the most powerful attacks 5-round Key Recovery Attack on a wide range of cryptographic algorithms. In 1994 Langford and Hellman(Langford and Hellman, This attack uses a differential path with probability 1 1994) described a combination of linear and differen- to set up a linear relation between two parallel instan- tial analysis known as differential-linear cryptanaly- tiations of the cipher. A linear approximation involves sis. the bits after 1.5 rounds so we have not a direct access to their values. However, we know the XOR differ- Table 3: 1.5-round differential path with probability 1. ence between these bits and consequently the differ- 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 ence between ciphertext bits involved in the linear approximation. Therefore, to ﬁlter out the key guesses S-box↓ Layer we check the linear relation between ciphertext bits. In the attack we peel off the 5th round by guess- ↓ 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 ing 48 key bits. Then we check a linear relation between bits in the 4th round, which serves as a ﬁlter. A ↓ 17 L-box Layer bias for the approximation is ε = 2− and we need 4 68 we need ε− = 2 chosen plaintexts to detect the ↓ ?? ?? 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 ?? 00 bias. Therefore the time complexity of the attack is 248+68 = 2116. S-box↓ Layer ↓ ?? ?? 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 ?? 00 5 IMPOSSIBLE DIFFERENTIAL

Table 4: Linear approximation covering 2.5 rounds. OF ROUND REDUCED 00 00 80 80 00 00 00 00 00 80 00 80 80 00 80 00 SCREAM An impossible differential path is a differential path L-box↓ Layer which can not occur. Typically we build such a path ↓ by the miss-in-the-middle approach, that is showing a 00 00 00 00 00 80 00 80 00 00 80 00 80 80 80 00 contradiction somewhere in the middle of character- ↓ 13 istics. S-box Layer (active S-boxes: 6, bias: 2− ) Consider we have a 4-round characteristic of ↓ Scream. Each round consists of an S-box followed by 00 00 00 00 00 80 00 80 00 00 80 00 80 80 80 00 an L-box. After each 2 rounds 128-bit key is added. ↓ We use a path shown in the figure 1. In the given path L-box Layer as shown in figure 1, each symbol represents a byte. ↓ In our notation ’00’ denotes the zero difference, ’ ’ 00 00 00 00 80 00 00 00 00 00 00 80 00 00 00 00 denotes non zero difference and ’??’ denotes an∗∗ uncertain difference. ↓ 5 S-box Layer (active S-boxes: 2, bias: 2− ) We have selected the given characteristic to get the contradiction in the middle. Here, the conflict will oc- ↓ 00 00 00 00 80 00 00 00 00 00 00 80 00 00 00 00 cur after 2 rounds. When we encrypt the plaintext for 2 rounds we get 7th byte is as non-zero while oth- ↓ L-box Layer ers are uncertain. On the other hand side we decrypt ciphertext for 2 rounds and get 7th byte as inactive, ↓ 80 00 00 80 80 00 00 00 00 00 00 80 00 80 00 80 therefore it will lead to contradiction. In this section we apply differential-linear cryptanalysis to the round-reduced Scream cipher. We fol- low a typical scheme in this kind of attacks, namely first we create a differential path with probability 1 and then extend it by a linear part. Our differential path covers 1.5 rounds, please see Table 3. After the second S-box layer, there are still some bits with known differences. Using these known bits, we build the linear approximation as shown in Table 4.

504 Differential-linear and Impossible Differential Cryptanalysis of Round-reduced Scream

Table 5: 4-round impossible differential path. nation of target subkeys, hence we need all the keys to 00 00 00 ** 00 00 00 00 00 00 00 00 00 00 00 00 decrypt. To avoid this condition of guessing all keys, we interchange the L-Box position with key addition. S-box↓ Layer We are interested in those pairs where differences at 3rd and 6th byte after applying inverse S-box in ↓ 00 00 00 ** 00 00 00 00 00 00 00 00 00 00 00 00 round 4 are same and non-zero, while other differences are zero. This is only possible when S-box in- L-box↓ Layer verse in round 4 gives two identical differences. If this is the case, 7th byte before round 3 will be inac- ↓ ** 00 00 00 00 00 ** ** 00 ** ** 00 ** 00 00 ** tive. Therefore, guessed key will lead to a contradiction and we can discard that key. Each time we will halve the remaining candidates for key while always S-box↓ Layer retaining the correct one. The complexity to guess ↓ keys and decrypt 2 rounds is 216. We have calculated ** 00 00 00 00 00 ** ** 00 ** ** 00 ** 00 00 ** from the difference distribution table for S-box and found probability that the transition through the S-box L-box↓ Layer in the 4th round gives two identical differences is ap- 7 ↓ proximately 2− . Therefore the total complexity is ?? ?? ?? ?? ?? ?? ** ?? ?? ?? ?? ?? ?? ?? ?? ?? 214 264 = 278. × Contradiction

?? ?? ?? 00 00 ?? 00 00 00 00 ?? 00 00 00 00 ?? 6 CONCLUSION

S-box↑ Layer We have analysed Scream with the techniques, which previously have not been applied to this algorithm, ↑ ** ** ** 00 00 ** 00 00 00 00 ** 00 00 00 00 ** that is differential-linear and impossible differential cryptanalysis. This is work in progress towards a L-box↑ Layer comprehensive evaluation of Scream. We think it is essential to analyse these new, promising algorithms ↑ 00 00 ** 00 00 ** 00 00 00 00 00 00 00 00 00 00 with a possibly wide range of cryptanalytic tools and techniques. Our work helps to realize this goal. S-box↑ Layer ↑ 00 00 80 00 00 80 00 00 00 00 00 00 00 00 00 00 REFERENCES

L-box↑ Layer Biham, E. and Shamir, A. (1990). Differential cryptanalysis of des-like cryptosystems. In Advances in Cryptology ↑ 80 80 00 00 80 00 80 00 80 00 00 00 00 00 80 00 - CRYPTO ’90, 10th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11-15, 1990, Proceedings, pages 2–21. Extracting Key Bits. Here we encrypt many plaintexts to get the required ciphertext which satisfy our Dobraunig, C., Eichlseder, M., and Mendel, F. (2015). Heuristic tool for linear cryptanalysis with applica- characteristic. The number of plaintexts required to tions to CAESAR candidates. In Advances in Cryp- encrypt, to get at least one pair of plaintext-ciphertext tology - ASIACRYPT 2015 - 21st International Con- is 2n/2 = 2128/2 = 264 (where n is the size of state)by ference on the Theory and Application of Cryptology using birthday paradox. For all the pairs of plaintext- and Information Security, Auckland, New Zealand, ciphertext which satisfy the above differential char- November 29 - December 3, 2015, Proceedings, Part acteristic, we decrypt the ciphertext for 1 round by II, pages 490–509. guessing all possible values of key in 4th round and by Gandolﬁ, K., Mourtel, C., and Olivier, F. (2001). Elec- applying the inverse L-box followed by the inverse S- tromagnetic analysis: Concrete results. In Crypto- graphic Hardware and Embedded Systems - CHES box. Here we interchanged the L-Box position with 2001, Third International Workshop, Paris, France, key addition. In case of Scream the L-box is work- May 14-16, 2001, Proceedings, number Generators, ing with row bits and S-box is working with column pages 251–261. 16 bits. Therefore for L-box we need 2 combination of Grosso, V., Leurent, G., Standaert, F., and Varici, K. (2014). target subkeys and again for S-box we need 28 combi- Ls-designs: Bitslice encryption for efﬁcient masked

505 SECRYPT 2017 - 14th International Conference on Security and Cryptography

software implementations. In Fast Software Encryp- tion - 21st International Workshop, FSE 2014, Lon- don, UK, March 3-5, 2014. Revised Selected Papers, pages 18–37. Grosso, V., Leurent, G., Standaert, F.-X., Varici, K., Journault, A., Durvaux, F., Gas- par, L., and Kerckhof, S. SCREAM. https://competitions.cr.yp.to/round2/screamv3.pdf. Kocher, P. C., Jaffe, J., and Jun, B. (1999). Differential power analysis. In Advances in Cryptology - CRYPTO ’99, 19th Annual International Cryptology Confer- ence, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, pages 388–397. Langford, S. K. and Hellman, M. E. (1994). Differential- linear cryptanalysis. In Advances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings, pages 17–25. Leander, G., Minaud, B., and Rønjom, S. (2015). A generic approach to invariant subspace attacks: Cryptanalysis of robin, iscream and zorro. In Advances in Cryp- tology - EUROCRYPT 2015 - 34th Annual Interna- tional Conference on the Theory and Applications of Cryptographic Techniques, Soﬁa, Bulgaria, April 26- 30, 2015, Proceedings, Part I, pages 254–283. Liskov, M., Rivest, R. L., and Wagner, D. (2011). Tweak- able block ciphers. J. Cryptology, 24(3):588–613. Matsui, M. (1993). Linear cryptanalysis method for DES cipher. In Advances in Cryptology - EUROCRYPT ’93, Workshop on the Theory and Application of of Cryp- tographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, pages 386–397. Todo, Y., Leander, G., and Sasaki, Y. (2016). Nonlin- ear invariant attack - practical attack on full scream, iscream, and midori64. In Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and In- formation Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part II, pages 3–33.

506