
THE OF FEAL

WITH TWENTY CHOSEN

SEAN MURPHY

Department of Mathematics

Royal Holloway and Bedford New College

University of London

Egham Surrey TW EX England

The FEAL Ciphering Algorithm

The FEAL-N has been developed by NTT as a highly programming-efficient block cipher system, as it does not use lookup tables. It was first presented in. It is essentially an N-round Feistel block cipher operating on bit blocks and determined by a bit. FEAL is the standard block cipher, but NTT intend that FEAL can be used in cipher block chaining mode when plaintexts are not revealed (a cryptogram-only environment) or for data integrity usage. The best published attack on FEAL was given by Den Boer, who used chosen plaintexts to recover the key. We shall give a method that uses at most twenty chosen plaintexts to recover the key. Whereas it may be possible to ensure the absence of chosen plaintexts, ensuring the absence of twenty plaintexts may well be too restrictive for most uses.

The functions used to construct FEAL-N are for i S Z Z  Z These

i

  

are defined for x y  Z by regarding x y as binary numbers x y in the range



so



S x y Rot x y i Mod

i 

where Rot is a bit rotation to the left. S and S are then used to define two functions

  

     

Z  Z which is used to process the key and f Z Z  Z which is f Z

K

     

used to encipher the



Suppose a b c  Z for i and a a a a a  Z etc then

i i i    

 

c f a b

K

The author was supported by SERC Research Grant GRE

is defined in the following manner

d a  a

  

d a  a

  

c S d d  b

    

c S d c  b

    

c S a c  b

    

c S a c  b

    

A schematic representation of f is given in Figure

K

The key is processed by using f to obtain twelve bit subkeys. This is done by

K

splitting the bit key K into its left and right halves to give two bit strings K and

L

K We can define

R

B B K B K

  L  R

and for i 

B f B B  B

i K i i i

The twelve bit subkeys K i  used in the enciphering process are then just

i

the left and right halves of B i  so

i

L R

K K B B

i 

i

i i

with b for i and also that b b  Z Now suppose that a c  Z

  i i

 

 

b b  Z and a a a a a c  Z etc then we can define

     

 

c f a b

as follows

d a  a  b

   

 b d a  a

   

c S d d

   

c S d c

   

c S a c

   

c S a c

   

Figure is a schematic diagram of f

Suppose we wish to encode the bit plaintext P. Firstly we split P into its left and

right halves to give bit strings P and P. From these we can calculate the L and R

L R  

L P  K K

 L

R P  P  K K  K K

 L R 

We then perform rounds of defined by f and the keys K K K K

   

Thus for i we calculate

L R

i i

R L  f R K

i i i i

Finally the enciphered message is C C C where

L R

C R  K K

L

C R  L  K K

R  

Similarly, if we know the key we can decode any cryptogram simply by following the above procedure in reverse.

Reformulation of FEAL Algorithm

In order to attack the algorithm we shall reformulate it by the method given by Den

 

that expresses the linear nature  Z Boer Firstly we shall define a function G Z

 



etc then we for i and a a a a a c  Z of f Suppose a c  Z

    i i

 

can define

c Ga

by

d a  a

  

d a  a

  

c S d d

   

c S d c

   

c S a c

   

c S a c

   

so clearly

f a b Ga a  b a  b a

     

Therefore Figure is a schematic diagram of G if we take The cryptanalysis

 

of FEAL will depend upon the fast solution of linear equations involving G. This is considered in the next section.

 

We finally need to define two further simple functions Z  Z by

L R

 

a a a a a a

L      

a a a a a a

R      

where a  Z so

i



B K

L i

i

B K

R i i

These two functions can be used to define the following six bit key-dependent constants

M B  B

  R 

N B  B  B

  L 

M B  B

 L  L 

N B  B

 R  R 

M B  B  B

  R 

N B  B

 L 

Note that the outer bits in both M and N are zero

 

We are now in a position to rewrite the FEAL algorithm in the following manner

X P  M L  B

 L   R 

Y P  P  N R  B L  B

 L R   L   L 

X X  GY R  B L  B

    R   R 

Y Y  GX R  B L  B

    L   L 

X X  GY  M R  B L  B

     R  R 

Y Y  GX  N R  B

    L 

C Y  N

L  

C X  M  C

R   L

Again we can decode a cryptogram by following the above procedure in reverse. Thus if

we can calculate the unknown bits in the constants M M M N N N we can

     

decipher any cryptogram and also use the key processing equations to recover the key.

The Fast Solution of Linear Equations involving G

In order to find the constants M M M N N N we shall need to solve equations

     

involving the function G. The simplest such problems involve solving

Gx  ab

for x where a and b are known. We can solve this directly since S is an invertible

i

function in the sense that we can solve S x a b uniquely for x. We can however give

i

a general method to solve irrespective of whether S is an invertible function. There

i

are two reasons for doing this: firstly to show that FEAL is a weak cipher no matter

how S is defined, and secondly to motivate the solution of linear equations involving G.

i

Thus suppose G were not invertible, then the most naive method to solve would be

 

to calculate Gx  a for every x  Z However this would require evaluations of G





that is S evaluations. However suppose we check whether

i

S z  a  a z  a  a b

       



Z This will require S evaluations For most values of z and z for each z z 

    



will be false. For those values for which is true we can check whether

S b z  a  a b

     

S b x  a b

    

S b x  a b

    

for values of x x  Z stopping when one of the equalities is false. If all the equations

 



in and are true then we can recover x and x by

 

x z  x x z  x

     

to obtain solutions for x
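The search described above, written out in Python as an added example (it is not code from the paper). Because the digits are lost in this copy, the rotation amount of 2, the byte indices and the choice of S_0 or S_1 at each step are taken from the published FEAL definition and are assumptions here; `solve_G` and the sample values are hypothetical.

```python
# Added illustration. S and G follow the published FEAL definition; the
# rotation amount and byte indices are assumptions, since this copy lost them.
def S(i, x, y):
    """S_i(x, y): add x, y, i modulo 256, then rotate the byte left by 2."""
    t = (x + y + i) & 0xFF
    return ((t << 2) | (t >> 6)) & 0xFF

def G(a):
    """G on a 4-byte tuple (a0, a1, a2, a3)."""
    a0, a1, a2, a3 = a
    d1, d2 = a0 ^ a1, a2 ^ a3
    c1 = S(1, d1, d2)
    c2 = S(0, d2, c1)
    return (S(0, a0, c1), c1, c2, S(1, a3, c2))

def solve_G(a, b):
    """Return (solutions x of G(x XOR a) == b, number of S evaluations)."""
    a0, a1, a2, a3 = a
    b0, b1, b2, b3 = b
    evals, solutions = 0, []
    for z1 in range(256):            # z1 stands for x0 ^ x1
        for z2 in range(256):        # z2 stands for x2 ^ x3
            d2 = z2 ^ a2 ^ a3
            evals += 1
            if S(1, z1 ^ a0 ^ a1, d2) != b1:
                continue             # false for most (z1, z2)
            evals += 1
            if S(0, d2, b1) != b2:
                continue
            # Inner bytes agree; each outer byte now has one unknown.
            x0s = [v for v in range(256) if S(0, v ^ a0, b1) == b0]
            x3s = [v for v in range(256) if S(1, v ^ a3, b2) == b3]
            evals += 512
            solutions += [(x0, z1 ^ x0, z2 ^ x3, x3)
                          for x0 in x0s for x3 in x3s]
    return solutions, evals

if __name__ == "__main__":
    a = (0xDE, 0xAD, 0xBE, 0xEF)             # constructed sample values
    x = (0x12, 0x34, 0x56, 0x78)
    b = G(tuple(p ^ q for p, q in zip(x, a)))
    found, evals = solve_G(a, b)
    print(found, evals, "S evaluations instead of", 4 * 2**32)
```

With this S the solution is unique, because S is invertible in each argument; the search itself does not rely on that and would return every solution for a non-invertible S.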

Another equation we shall need to solve is

Gx  a  Gx  bd

where a b d are known constants. We can amend and to give the following

equations to be checked for z z x x  Z

   



S z  a  a z  a  a Sz  b  b z  b  b

               

 d

  

S z  a  a S z  b  b

           

 d

  

S x  a  S x  b d

        

S x  a  S x  b d

        



then gives us solutions for x In this case we will need evaluations of S to check



the truth of  d for each z z  Z

    



Solving will often give us too many solutions for x than we can efficiently handle, so instead we shall often solve simultaneous equations of the form

Gx  a  Gx  bd

Gx  a  Gx  c e

We can do this efficiently by checking whether the analogous pairs of simultaneous equations to holds at every stage. This will require only evaluations of S to check

i

the first pair of simultaneous equations

Choosing the Plaintexts

i th i i

Let P denote the i plaintext i  with P and P being the left and right

L R

i i th

halves of P Similarly suppose C denotes the i coded plaintext having left and right

i i

halves C and C We can then define

L R

i i i

 P P

R L

and

i i i

D C  C

L R

The twenty plaintexts are then chosen according to the following rules

      

Choose P P P P P P P randomly

   



randomly P P P P P P P P Choose P

L L L L L L L L L

Define

 

P P 

L L

 

P P 

L L

 

 P P

L L



P P 

L L

Define

i i 

P P  Q i 

R L

  

P P  Q

R L

  

P P  Q

R L

Thus we have chosen seven plaintexts and nine half-plaintexts at random, that is random bits out of a total of bits

Cryptanalysis of FEAL

Referring to equation we see that

 

Y Y  GX Y  G X  GY Y  G P  M  GY

       L  

Y  GX  N C  N  GD  M  N

   L   

and hence

   

C  Y  N  G P  M  G Y  G D  M  N

L   L    

i

Thus for a particular plaintext P i  we can dene

i i

U Y  N





i i

V M  GY





W M  N

 

so becomes

i i i i i

C  U  GP  V  GD  W

L L

i i 

However for i  Y Q  N and GY is constant and hence U U and

  

i 

V V and so we can rewrite as

i  i  i

C  U  GP  V  GD  W i 

L L

  

In order to solve for U V and W we can first eliminate U by adding two

copies of to obtain

 i   i   i

C  C  GP  V  GP  V  GD  W  GD  W

L L L L

  i 

Thus if we knew the value of GP  V  GP  V would give us an

L L

equation for W alone. Consider Ga and Ga  It is easy to see that in both

cases d and d in are the same and hence only c differs a and a  differ only

    

in the first place so c differs only in the seventh place. By a similar reasoning we can



evaluate other sums and so we have

 Ga  Ga

Ga  Ga 

Ga  Ga 

Ga  Ga 

Hence from we have

   

GD  W  GD  W C  C 

L L

   

GD  W  GD  W C  C 

L L

This is an equation of the form of so we can solve it efficiently and get solutions for W. We can eliminate many of these solutions by checking to see whether they satisfy

   

GD  W  GD  W  C  C

L L





GD  W  C  C GD  W 

L L

This typically gives us up to ten different values for W. For each value of W we can



find values of V by solving

    

GP  V  GP  V C  C  GD  W  GD  W

L L L L

       

GP  V  GP  V C  C  GD  W  GD  W

L L L L



which is again of the form of then gives us U We can then check each triplet

  i 

W V U to see if it satisfies for the other plaintexts with Q Q that is to say

 

i This will usually give us less than twenty triplets W V U

For each triplet we can try and solve for the key constants M M M N N N

     

Now

    

U U U  Q  Q

    

U U U  Q  Q

and so gives us

    

GP  V GD  W  C  U

L L

    

GP  V GD  W  C  U

L L

 

These are two equations of the form so we can solve them for V V and

 

V V These two values can then be checked with equation for i

 

If we obtain solutions for V and V we can attempt to calculate the key constant

N Equation gives us



   

GQ  N  GQ  N V  V

 

   

GQ  N  GQ  N V  V

 

which is again of the form so it can be efficiently solved for N. For each possibility





for N we can calculate V and see if is satisfied. Knowing possible solutions for



N immediately gives us corresponding possible solutions for M and N

  

We now proceed by finding M. We can do this by calculating the values of X and

 

  

Y in for plaintexts P P and P and noting that



GY  M X  X X  D  M

     

Hence

     

 D  D  X  M X  M  GY GY

 

   

     

GY  M  GY  M X  X  D  D

 

   

which is of the form of However the outer bits of M are zero so we have to





solve for M allowing for this. For each possible value of M we can calculate X

 



 

X and X and hence three values for M which should of course agree If not we can



 

reject M Finally we can calculate N checking that the outer bits are zero

 

Thus we have calculated M M M N N N and we can do a last check by

     



coding all twenty plaintexts with equations including the previously unused P

If we need to recover the key we can use a method given by Den Boer. The

knowledge of M N M N and gives us the outer bits of B B B B If we

     

know the outer bits of both the output and the two inputs to f we can determine all

K

the input and output bits of f We can thus solve the nal iteration of the key scheduling

K

B f B B  B

 K 

   

B and B  B We can also now calculate B  B and B  B to nd the values of B

 

   



Therefore if we knew B we would know all the bits of B and hence B  B We

  





can thus simply try all possibilities for B in



B f B B  B

K  

Having solved we thus have sufficient information to determine B  B We

 

can now recover the key by first solving B f B B  K for K and then solving

 K   R R

B f K B  K for K The key K is then given by K K K

 K R  L L L R

Of course we do not need all twenty plaintexts to recover the key. We could dispense with some of the plaintexts that are only used to check possibilities for the various constants. This would of course mean that we would have to compute more possibilities for the various constants until later in the algorithm, and consequently computing time would be increased. For example we could cut the number of plaintexts to seven using

         

P P P P P P P and taking P P and P P If we are prepared to

handle equations of the form of rather than we could only use four plaintexts

    

P P P P with P P

It may be possible to extend this method of attack to a known plaintext attack. The

i j

idea is to take similar pairs of plaintext P and P and predict the value of some of the

i i j i

 V  bits of V  V with high probability and hence the value of certain bits of GP

L

j

j

GP  V with high probability We can thus write down an equation for certain bit

L

positions of the form of which we may be able to solve for some of the bits of W. We could solve many such equations and hence find W. We then proceed as before, solving equations in certain bit positions as best we can by using similar pairs of plaintext and predicting the evaluation of the function G in certain bit positions with high probability.

Conclusions

This method of attack with twenty plaintexts takes up to ten hours computing on a Sun Workstation, not a particularly powerful computer. The length of time depends on the key, some keys having been found in less than an hour.

However the function G is defined, any four round cipher is vulnerable to the type of

attack based on that is outlined above. Obviously the more easily equations involving

G are solved the quicker the attack. The problem is not so much the S transformation

i

since the methods of Section would work for any function S with a bit input and

i

bit output as that the two inner bit blocks of the output of G c and c in both

 

depend only on the same bits d and d We are therefore easily able to find d and

  

d by exhaustive search and hence invert G. G would be much harder to invert if it was



redesigned so that every output block of bits depended on different input bits and an exhaustive search became infeasible. A further improvement would be to redesign the function f so as to remove the linear connection between a and b in This would make the definition of a function like G impossible and ensure that every output block of bits of f depended on all input bits.

Whilst FEAL is not intended for use in a chosen plaintext environment, a cipher that falls so quickly to so few plaintexts must be too weak for most practical purposes. If the protocol for the use of a cipher system has to be such so as to preclude any possibility of less than twelve chosen plaintexts, then the advantages of using a fast ciphering algorithm like FEAL are less important and it would be better to use a more secure cipher. Such a protocol would seem to be too restrictive for most data integrity uses. Even if such a protocol could be guaranteed, data integrity usage would give rise to many pairs of similar plaintexts, so a known plaintext attack of the type outlined above might well succeed.

References

B. Den Boer, Cryptanalysis of FEAL, Advances in Cryptology: Eurocrypt, Lecture Notes in Computer Science.

A. Shimizu and S. Miyaguchi, Fast Data Encipherment Algorithm FEAL, Advances in Cryptology: Eurocrypt, Lecture Notes in Computer Science.