
Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA

Andrey Bogdanov, Huizheng Geng, Meiqin Wang, Long Wen, Baudoin Collard

Technical University of Denmark, Denmark; Shandong University, China; Université Catholique de Louvain, Belgium

Presented by Yu Sasaki, SAC 2013, August 15, 2013

Outline

Zero Correlation

Fast Fourier Transform in Linear Cryptanalysis

Zero-Correlation Cryptanalysis of Camellia with FFT

Multidimensional Zero-Correlation Cryptanalysis of CLEFIA

Conclusions


Zero Correlation Cryptanalysis: Overview

- The idea due to Bogdanov and Rijmen (to appear in DCC, see also IACR eprint report 2011/123):
  - Use linear approximations with probability $p = 1/2$, or correlation $c = 2p - 1 = 0$
- Bogdanov and Wang in FSE'12:
  - Use multiple approximations of correlation 0
  - Applications to TEA and XTEA (best attack on TEA!)
- Bogdanov, Leander, Nyberg, Wang in Asiacrypt'12:
  - Multidimensional distinguisher proposed
  - Integrals are a special case of zero correlation
  - Applications to CAST-256 (best attack on CAST-256!)

Zero Correlation Cryptanalysis: Overall Procedure

- Identify linear approximations
- For each subkey guess:
  - Partially encrypt/decrypt rounds covered by zero correlation
  - Check the zero correlation linear approximation property
  - If correct, output a subkey candidate

[Figure: attack layout with labels P, partial E, check for zero correlation, partial decryption D, C]


Zero Correlation Cryptanalysis: Example

- 5-round zero-correlation for Feistel with balanced F-functions

Motivation

- Time complexity is often an obstacle in attacks on more rounds
- Discrete Fast Fourier Transform for zero correlation cryptanalysis
- Break stronger ciphers!

Towards FFT: Algorithm 2 [Matsui’93]:

Linear approximation $\chi_P \rightarrow \chi_D$ for $R - 1$ rounds of $R$-round cipher, $k$ subkey bits $\kappa$, $N$ PT/CT pairs needed

- Decrypt one round for every ciphertext by guessing $\kappa$
- Complexity $O(N \cdot 2^k)$


Towards FFT: Improved Algorithm 2 [Matsui’94]

- Data counting phase
  1. Initialize an array counter $V[x]$ for $2^k$ possible values of $x$
  2. For $N$ texts, take $k$-bit ciphertext $x$ (output from active S-boxes) and evaluate $\chi_P^T P$
  3. Compute $V[x] \mathrel{+}= (-1)^{\chi_P^T P}$
- counting phase
  1. Guess $k$-bit subkey $\kappa$, decrypt $2^k$ $x$ to get $\chi_D D$, $M[\kappa, x] = \chi_D D$
  2. For each $\kappa$, $T_\kappa = \sum_{x=0}^{2^k - 1} M[\kappa, x] V[x]$, use $T_\kappa$ to compute bias
- Complexity $O(2^k \cdot 2^k)$ if $N$  $2^k$

FFT by Collard-Standaert-Quisquater in ICISC’07

- Vector bias through matrix-vector product $M \cdot V$
- Structure of matrix $M$

  $M(i, j) = \mathrm{parity}(S^{-1}(i \oplus j)) \triangleq f(i \oplus j)$

  where $S^{-1}(\cdot)$ represents a partial decryption of the last round
- $M$ has a level-circulant structure $\Rightarrow$ $M \cdot V$ by Fast Walsh-Hadamard Transform in $O(3k \cdot 2^k)$ complexity
- $M$ is a function of $C \oplus K$ or $P \oplus K$
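Added example (not from the slides or the paper): the key-indexed sums T[kappa] = sum over x of M[kappa, x] V[x] from the improved Algorithm 2, computed once directly and once with three fast Walsh-Hadamard transforms, using M[kappa, x] = f(kappa XOR x). The 8-bit random S-box standing in for the partial decryption, the +/-1 encoding of the parity, the mask and all function names are assumptions made for illustration.

```python
import random

K = 8  # toy width k of the guessed subkey / active ciphertext bits (assumption)

def parity(v):
    return bin(v).count("1") & 1

def make_f(sbox_inv, mask):
    # f(z) = (-1)^parity(mask & S^-1(z)); S^-1 is a toy stand-in for the
    # partial decryption of the last round, so M[kappa][x] = f(kappa ^ x)
    return [1 - 2 * parity(mask & sbox_inv[z]) for z in range(1 << K)]

def naive_sums(f, V):
    # T[kappa] = sum_x M[kappa][x] * V[x], evaluated directly: 2^k * 2^k steps
    n = len(V)
    return [sum(f[kappa ^ x] * V[x] for x in range(n)) for kappa in range(n)]

def fwht(a):
    # Butterfly form of the Walsh-Hadamard transform on a copy, k * 2^k steps
    a = list(a)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def fft_sums(f, V):
    # XOR-convolution theorem: FWHT(M.V) = FWHT(f) * FWHT(V) pointwise, and
    # FWHT is its own inverse up to the factor 2^k: three transforms in total
    prod = [x * y for x, y in zip(fwht(f), fwht(V))]
    return [t // len(V) for t in fwht(prod)]

def demo(seed=1, n_texts=5000):
    rng = random.Random(seed)
    sbox = list(range(1 << K))
    rng.shuffle(sbox)                      # constructed random bijective S-box
    sbox_inv = [0] * len(sbox)
    for i, s in enumerate(sbox):
        sbox_inv[s] = i
    f = make_f(sbox_inv, mask=0x01)
    V = [0] * (1 << K)                     # counters from the data counting phase
    for _ in range(n_texts):               # constructed texts: random x, random sign
        V[rng.randrange(1 << K)] += 1 - 2 * rng.randrange(2)
    return naive_sums(f, V), fft_sums(f, V)

if __name__ == "__main__":
    naive, fast = demo()
    print("identical:", naive == fast, "max |T|:", max(map(abs, fast)))
```

Both routes return the same vector; only the cost differs, which is what lets the guessed key space grow.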

Camellia Block Cipher

- ISO/IEC standard, proposed by NTT and Mitsubishi
- Block size: 128 bits
- Key sizes: 128, 192 or 256 bits
- Round number: 18, 24, 24
- Feistel structure with keyed functions $FL/FL^{-1}$
- With whitening key at the top and bottom of the cipher

Structure of Camellia

[Figure: structure of Camellia with whitening keys kw1, kw2, kw3, kw4, 6-round blocks, and $FL/FL^{-1}$ layers; insets: $FL$ function and $FL^{-1}$ function]

Zero-Correlation Linear Approximations of Camellia

Zero-correlation approximations over 7 rounds

[Figure: 7-round zero-correlation linear approximations of Camellia including an $FL/FL^{-1}$ layer, with masks (b|0|0|b|0|b|b|b), (0|0|0|0|0|0|0|0) at the top and (0|0|0|0|0|0|0|0), (h|0|0|h|0|h|h|h) at the bottom; annotated conditions: $f_2 = f_7 = 0$, $g_4 \oplus g_5 \oplus g_6 = 0$, $g_1 \oplus g_4 \oplus g_5 \oplus g_6 = 0$]

Key Recovery Attack on 11-Round Camellia-128

Attack on 11-round Camellia-128 with FFT

[Figure: (a) Attack on 11-round Camellia-128; (b) Attack on 12-round Camellia-192; both built around the zero-correlation linear approximations of 7 rounds]

Summary of attacks on Camellia-128 and -192

With $FL/FL^{-1}$ and starting from the 1st round

| Key Size | R | Attack Type | Data | Time (Encs) | Memory (Bytes) | Ref |
|---|---|---|---|---|---|---|
| 128 | 10 | Imp. Diff | $2^{113.8}$ CPs | $2^{120}$ | $2^{84.8}$ | [LLGWLCL'12] |
| 128 | 11 | ZC FFT | $2^{125.3}$ KPs | $2^{124.8}$ | $2^{112.0}$ | This paper |
| 192 | 10 | Imp. Diff | $2^{121}$ CPs | $2^{175}$ | $2^{155.2}$ | [CJYW'11] |
| 192 | 10 | Imp. Diff | $2^{118.7}$ CPs | $2^{130.4}$ | $2^{132}$ | [LCW'11] |
| 192 | 11 | Imp. Diff | $2^{114.64}$ CPs | $2^{184}$ | $2^{141.64}$ | [LLGWLCL'12] |
| 192 | 12 | ZC FFT | $2^{125.7}$ KPs | $2^{188.8}$ | $2^{112.0}$ | This paper |

[LLGWLCL’12]: Liu, Li, Gu, Wang, Liu, Chen, and Li in FSE 2012

CLEFIA Block Cipher

- ISO/IEC standard for lightweight encryption, proposed by Sony
- Block size: 128 bits
- Key sizes: 128, 192 or 256 bits
- Round number: 18, 22, 26
- 4-Branch Generalized Feistel Structure
- With whitening key at top and bottom

Structure of CLEFIA

[Figure: (a) Encryption Process of CLEFIA; (b) F0; (c) F1]

Zero-Correlation Linear Approximations of CLEFIA

Zero-correlation approximations over 9 rounds (Bogdanov-Rijmen in DCC)

[Figure: input mask and output mask propagated through the F0 and F1 functions of 9 rounds until they meet in a contradiction; a, b, c, d are non-zero masks]

Key Recovery Attack on 14-Round CLEFIA-192

Complexity:

- Data Complexity: $2^{127.5}$ KPs
- Memory Complexity: $2^{115}$ Bytes
- Time Complexity: $2^{180.2}$ Encs

[Figure: key recovery attack on 14-round CLEFIA-192 around the zero-correlation linear approximations of 9 rounds]

Summary of Attacks on CLEFIA-192 and -256

| Key size | Attack | R | Data | Time (Encs) | Memory (Bytes) | Source |
|---|---|---|---|---|---|---|
| 192 | Integral | 13 | $2^{113}$ CPs | $2^{180.5}$ | NA | [LWYD'11] |
| 192 | Impossible | 13 | $2^{119.8}$ CPs | $2^{146}$ | $2^{120}$ | [YEMTTH'08] |
| 192 | Improbable | 14 | $2^{127.0}$ CPs | $2^{183.2}$ | $2^{127.0}$ | [Tezcan'10] |
| 192 | Multidim. ZC | 14 | $2^{127.5}$ KPs | $2^{180.2}$ | $2^{115}$ | This paper |
| 256 | Integral | 14 | $2^{113}$ CPs | $2^{244.5}$ | NA | [LWYD'11] |
| 256 | Impossible | 14 | $2^{120.3}$ CPs | $2^{212}$ | $2^{121}$ | [YEMTTH'08] |
| 256 | Improbable | 15 | $2^{127.4}$ CPs | $2^{247.5}$ | $2^{127.4}$ | [Tezcan'10] |
| 256 | Multidim. ZC | 15 | $2^{127.5}$ KPs | $2^{244.2}$ | $2^{115}$ | This paper |

Note that the validity of the improbable differential cryptanalysis has been recently challenged by Celine Blondeau: http://users.ics.aalto.fi/blondeau/PDF/improbable.pdf


Conclusions

- FFT technique to improve the time complexity of zero correlation attacks
- ZC attacks with FFT on 1 more round of Camellia-128 and Camellia-192 with $FL/FL^{-1}$ and starting from the first round
- Multidimensional ZC attacks on the same number of rounds in CLEFIA-192 and CLEFIA-256 with improved memory complexities and similar time and data complexities if improbable differential cryptanalysis turns out correct, and on 1 more round otherwise

Thanks!