Improved Slide Attacks Eli Biham, Orr Dunkelman, Nathan Keller
Computer Science Dept. Technion, Israel Dept. of Electrical Engineering ESATSCD/COSIC, Katholieke Universitiet Leuven, Belgium Einstein Institute of Mathematics, Hebrew University, Israel
Improved Slide Attack 1/32 UCL Seminar, 19th December 2006 Topics of the Talk Description of the slide attacks Various improvements Studying the cycle structure Application to GOST Summary
Improved Slide Attack 2/32 UCL Seminar, 19th December 2006 Slide Attacks [BW99]
Applied to ciphers with the same applied keyed permutation
fk fk fk fk
Improved Slide Attack 3/32 UCL Seminar, 19th December 2006 Slide Attacks
Seek slid pairs (P,P') s.t.
P' P fk fk fk fk fk C C P' fk fk fk fk fk C'
Improved Slide Attack 4/32 UCL Seminar, 19th December 2006 Slide Attacks
If fk is ''simple'' enough, given one slid pair the key k can be found The attack is independent of the
number of times fk is applied
simple = can be broken using two input/output pairs Improved Slide Attack 5/32 UCL Seminar, 19th December 2006 Genreating Slid Pairs
Using birthday paradox (requires ~2n/2 KP) Identification can be done by treating each pair as a slid pair and analyzing it Time complexity 2n applications of
the attack on fk
Improved Slide Attack 6/32 UCL Seminar, 19th December 2006 Genreating Slid Pairs in Feistel Block Ciphers For Feistel block ciphers it can be reduced to ~2n/4 CP Pick 2n/4 CP of the form (for a fixed A) Pick 2n/4 CP of the form Due to the birthday paradox, a slid pair is expected Identification of the slid pair is also easier Improved Slide Attack 7/32 UCL Seminar, 19th December 2006 Making ''Simple'' More Complex
In [BW00] some advanced slide techniques were presented The aim of these techniques – to allow attacking ciphers with more complex round functions
Improved Slide Attack 8/32 UCL Seminar, 19th December 2006 Complementation Slide
Consider a 2round Feistel with two independent subkeys A regular slide by 1round is not possible due to the different keys However ... it is possible to slide with a difference, i.e., where is the key difference
Improved Slide Attack 9/32 UCL Seminar, 19th December 2006 Complementation Slide (cont.)
Assume that the subkey is XORed into the data before the nonlinear function Then, the difference assures that the inputs to the nonlinear function is the same for all shared rounds Thus,
Improved Slide Attack 10/32 UCL Seminar, 19th December 2006 Complementation Slide (cont.)
Data complexity ~2n/2 KP Time complexity ~2n/2 applications of the attack on fk
(There are 2n possible pairs, each suggesting an n/2bit value for , which gives indication whether the ciphertexts can form a slid pair)
Improved Slide Attack 11/32 UCL Seminar, 19th December 2006 Sliding with a Twist
In the same case, encryption under is closely related to decrpytion under Thus, the slid pair is generated from the encryption under one key, and decryption under the second key
Improved Slide Attack 12/32 UCL Seminar, 19th December 2006 Twisted Complemented Slide
Both improvements can be combined to
attack fk of 4round Feistel structure with independent subkeys Consider the sequences of subkeys:
If we have a difference to the inputs in the slid pair of the form , the slid property can be preserved Improved Slide Attack 13/32 UCL Seminar, 19th December 2006 A Different Approach
What if there is no good attack on fk that uses only two input/output pairs? Most interesting property observed [BW00,F01]: If (P,P') is a slid pair, then so does
(Ek(P),Ek(P'))
Improved Slide Attack 14/32 UCL Seminar, 19th December 2006 Allowing More Complex ''Simple'' Functions It is possible to use the observation to
attack fk using a KP attack (that uses m KP) Take ~2n/2 KP, and iteratively encrypt each of them m times Try all pairs among the 2n/2 starting points Apply the KP attack with m pairs for each candidate slid pair (T.C. = m2n)
Improved Slide Attack 15/32 UCL Seminar, 19th December 2006 Allowing More Complex ''Simple'' Functions (cont.) Data complexity: ~m2n/2 adaptive chosen plaintexts Time complexity: 2n applications of the known plaintext attack on f k For Feistel Ciphers: Data complexity: ~2n/2 known plaintexts + 2m daptive chosen plaintexts Time complexity: 1 application of the attack
Improved Slide Attack 16/32 UCL Seminar, 19th December 2006 Making the Complex Real
Our technique solves two problems: Finding the slid pairs easily Allowing chosen plaintext attacks (even ACPC)
How?
Improved Slide Attack 17/32 UCL Seminar, 19th December 2006 Making the Complex Become Real – Considering Cycles Let Choose randomly Iteratively encrypt until is obtained again
Improved Slide Attack 18/32 UCL Seminar, 19th December 2006 Making the Complex Become Real – Considering Cycles The cycle is actually also a multiple
of the cycle of fk as well! Let Then j*m = C*r for some constant C if gcd(m,r)=1, then r=j
Improved Slide Attack 19/32 UCL Seminar, 19th December 2006 So You Have Cycles... So What?! The information on the cycle can be used to find slid pairs Once one slid pair is found, we can find as many pairs as there plaintexts in the cycle We can use CP attacks (and even
ACPC attacks) on fk
Improved Slide Attack 20/32 UCL Seminar, 19th December 2006 Data and Time Complexities
Data complexity: ~2n known plaintexts/~2n1 adaptive chosen plaintexts Time complexity: 1 application of the attack on fk
Improved Slide Attack 21/32 UCL Seminar, 19th December 2006 GOST
Russian encryption standard 32round Feistel construction 64bit block, 256bit key Round function consists of key addition, eight 4x4 Sboxes, rotate to the left by 11 Sboxes are unknown...
Improved Slide Attack 22/32 UCL Seminar, 19th December 2006 GOST
Simple key schedule: rounds 18: rounds 916: rounds 1724: rounds 2532:
Improved Slide Attack 23/32 UCL Seminar, 19th December 2006 24Round GOST in our attack
As there are 3 iterations of the same function – we can find slid pairs All that is needed is an 8round attack on GOST, when the Sboxes are not known ...
Improved Slide Attack 24/32 UCL Seminar, 19th December 2006 8Round Attack with Unknown Sboxes We use a 7round truncated differential (with probability 0.495) that predicts four bits. Given sufficiently enough pairs, we can use partial decryption to verify what is the probablity of the differential being satisfied. But we can't decrypt! The Sboxes are unknown! Improved Slide Attack 25/32 UCL Seminar, 19th December 2006 8Round Attack with Unknown Sboxes (cont.) We start by using only two entries in the Sbox S4 To do so, we use only ''ciphertexts'' with a fixed value that enters this S4 We also fix the bits before to be 0 (to reduce the chance of carry)
Improved Slide Attack 26/32 UCL Seminar, 19th December 2006 8Round Attack with Unknown Sboxes (cont.) Now, we guess the outputs of the S4 in these two entries For a succesful guess* – the truncated differential holds with probability 0.494, otherwise 1/16
* actually, for a succesful guess of the difference in the output Improved Slide Attack 27/32 UCL Seminar, 19th December 2006 8Round Attack with Unknown Sboxes (cont.) Repeat for other entries of S4, and you can reconstruct S4 up to: the key the exact values (you know all the relative values) Use a shifted version of the differential to find the same information on other Sboxes
Improved Slide Attack 28/32 UCL Seminar, 19th December 2006 8Round Attack with Unknown Sboxes (cont.) Data Complexity: 263 ACPC or almost 264 KP Time Complexity: ~264
Improved Slide Attack 29/32 UCL Seminar, 19th December 2006 30Round GOST (Known Sboxes) Guess subkey of last six rounds Partially decrypt all ciphertexts 6 rounds Apply the 24round attack Data Complexity: almost 264 KP Time Complexity: ~2254
Improved Slide Attack 30/32 UCL Seminar, 19th December 2006 Summary
Improved Slide Attack 31/32 UCL Seminar, 19th December 2006 Questions?
Thank you!
Improved Slide Attack 32/32 UCL Seminar, 19th December 2006