Improved Slide Attacks Eli Biham, Orr Dunkelman, Nathan Keller

Computer Science Dept. Technion, Israel Dept. of Electrical Engineering ESAT­SCD/COSIC, Katholieke Universitiet Leuven, Belgium Einstein Institute of Mathematics, Hebrew University, Israel

Improved Slide Attack 1/32 UCL Seminar, 19th December 2006 Topics of the Talk Description of the slide attacks Various improvements Studying the cycle structure Application to GOST Summary

Improved Slide Attack 2/32 UCL Seminar, 19th December 2006 Slide Attacks [BW99]

Applied to ciphers with the same applied keyed permutation

fk fk fk fk

Improved Slide Attack 3/32 UCL Seminar, 19th December 2006 Slide Attacks

Seek slid pairs (P,P') s.t.

P' P fk fk fk fk fk C C P' fk fk fk fk fk C'

Improved Slide Attack 4/32 UCL Seminar, 19th December 2006 Slide Attacks

If fk is ''simple'' enough, given one slid pair the key k can be found The attack is independent of the

number of times fk is applied

simple = can be broken using two input/output pairs Improved Slide Attack 5/32 UCL Seminar, 19th December 2006 Genreating Slid Pairs

Using birthday paradox (requires ~2n/2 KP) Identification can be done by treating each pair as a slid pair and analyzing it Time complexity 2n applications of

the attack on fk

Improved Slide Attack 6/32 UCL Seminar, 19th December 2006 Genreating Slid Pairs in Feistel Block Ciphers For Feistel block ciphers it can be reduced to ~2n/4 CP Pick 2n/4 CP of the form (for a fixed A) Pick 2n/4 CP of the form Due to the birthday paradox, a slid pair is expected Identification of the slid pair is also easier Improved Slide Attack 7/32 UCL Seminar, 19th December 2006 Making ''Simple'' More Complex

In [BW00] some advanced slide techniques were presented The aim of these techniques – to allow attacking ciphers with more complex round functions

Improved Slide Attack 8/32 UCL Seminar, 19th December 2006 Complementation Slide

Consider a 2­round Feistel with two independent subkeys A regular slide by 1­round is not possible due to the different keys However ... it is possible to slide with a difference, i.e., where is the key difference

Improved Slide Attack 9/32 UCL Seminar, 19th December 2006 Complementation Slide (cont.)

Assume that the subkey is XORed into the data before the nonlinear function Then, the difference assures that the inputs to the nonlinear function is the same for all shared rounds Thus,

Improved Slide Attack 10/32 UCL Seminar, 19th December 2006 Complementation Slide (cont.)

Data complexity ~2n/2 KP Time complexity ~2n/2 applications of the attack on fk

(There are 2n possible pairs, each suggesting an n/2­bit value for , which gives indication whether the ciphertexts can form a slid pair)

Improved Slide Attack 11/32 UCL Seminar, 19th December 2006 Sliding with a Twist

In the same case, encryption under is closely related to decrpytion under Thus, the slid pair is generated from the encryption under one key, and decryption under the second key

Improved Slide Attack 12/32 UCL Seminar, 19th December 2006 Twisted Complemented Slide

Both improvements can be combined to

attack fk of 4­round Feistel structure with independent subkeys Consider the sequences of subkeys:

If we have a difference to the inputs in the slid pair of the form , the slid property can be preserved Improved Slide Attack 13/32 UCL Seminar, 19th December 2006 A Different Approach

What if there is no good attack on fk that uses only two input/output pairs? Most interesting property observed [BW00,F01]: If (P,P') is a slid pair, then so does

(Ek(P),Ek(P'))

Improved Slide Attack 14/32 UCL Seminar, 19th December 2006 Allowing More Complex ''Simple'' Functions It is possible to use the observation to

attack fk using a KP attack (that uses m KP) Take ~2n/2 KP, and iteratively encrypt each of them m times Try all pairs among the 2n/2 starting points Apply the KP attack with m pairs for each candidate slid pair (T.C. = m2n)

Improved Slide Attack 15/32 UCL Seminar, 19th December 2006 Allowing More Complex ''Simple'' Functions (cont.) Data complexity: ~m2n/2 adaptive chosen plaintexts Time complexity: 2n applications of the known plaintext attack on f k For Feistel Ciphers: Data complexity: ~2n/2 known plaintexts + 2m daptive chosen plaintexts Time complexity: 1 application of the attack

Improved Slide Attack 16/32 UCL Seminar, 19th December 2006 Making the Complex ­ Real

Our technique solves two problems: Finding the slid pairs easily Allowing chosen plaintext attacks (even ACPC)

How?

Improved Slide Attack 17/32 UCL Seminar, 19th December 2006 Making the Complex Become Real – Considering Cycles Let Choose randomly Iteratively encrypt until is obtained again

Improved Slide Attack 18/32 UCL Seminar, 19th December 2006 Making the Complex Become Real – Considering Cycles The cycle is actually also a multiple

of the cycle of fk as well! Let Then j*m = C*r for some constant C if gcd(m,r)=1, then r=j

Improved Slide Attack 19/32 UCL Seminar, 19th December 2006 So You Have Cycles... So What?! The information on the cycle can be used to find slid pairs Once one slid pair is found, we can find as many pairs as there plaintexts in the cycle We can use CP attacks (and even

ACPC attacks) on fk

Improved Slide Attack 20/32 UCL Seminar, 19th December 2006 Data and Time Complexities

Data complexity: ~2n known plaintexts/~2n­1 adaptive chosen plaintexts Time complexity: 1 application of the attack on fk

Improved Slide Attack 21/32 UCL Seminar, 19th December 2006 GOST

Russian encryption standard 32­round Feistel construction 64­bit block, 256­bit key Round function consists of key addition, eight 4x4 S­boxes, rotate to the left by 11 S­boxes are unknown...

Improved Slide Attack 22/32 UCL Seminar, 19th December 2006 GOST

Simple key schedule: rounds 1­8: rounds 9­16: rounds 17­24: rounds 25­32:

Improved Slide Attack 23/32 UCL Seminar, 19th December 2006 24­Round GOST in our attack

As there are 3 iterations of the same function – we can find slid pairs All that is needed is an 8­round attack on GOST, when the S­boxes are not known ...

Improved Slide Attack 24/32 UCL Seminar, 19th December 2006 8­Round Attack with Unknown S­boxes We use a 7­round truncated differential (with probability 0.495) that predicts four bits. Given sufficiently enough pairs, we can use partial decryption to verify what is the probablity of the differential being satisfied. But we can't decrypt! The S­boxes are unknown! Improved Slide Attack 25/32 UCL Seminar, 19th December 2006 8­Round Attack with Unknown S­boxes (cont.) We start by using only two entries in the S­box S4 To do so, we use only ''ciphertexts'' with a fixed value that enters this S4 We also fix the bits before to be 0 (to reduce the chance of carry)

Improved Slide Attack 26/32 UCL Seminar, 19th December 2006 8­Round Attack with Unknown S­boxes (cont.) Now, we guess the outputs of the S4 in these two entries For a succesful guess* – the truncated differential holds with probability 0.494, otherwise 1/16

* ­ actually, for a succesful guess of the difference in the output Improved Slide Attack 27/32 UCL Seminar, 19th December 2006 8­Round Attack with Unknown S­boxes (cont.) Repeat for other entries of S4, and you can re­construct S4 up to: the key the exact values (you know all the relative values) Use a shifted version of the differential to find the same information on other S­boxes

Improved Slide Attack 28/32 UCL Seminar, 19th December 2006 8­Round Attack with Unknown S­boxes (cont.) Data Complexity: 263 ACPC or almost 264 KP Time Complexity: ~264

Improved Slide Attack 29/32 UCL Seminar, 19th December 2006 30­Round GOST (Known S­boxes) Guess subkey of last six rounds Partially decrypt all ciphertexts 6 rounds Apply the 24­round attack Data Complexity: almost 264 KP Time Complexity: ~2254

Improved Slide Attack 30/32 UCL Seminar, 19th December 2006 Summary

Improved Slide Attack 31/32 UCL Seminar, 19th December 2006 Questions?

Thank you!

Improved Slide Attack 32/32 UCL Seminar, 19th December 2006