Collision Attacks on AES-192/256, Crypton-192/256, Mcrypton-96/128, and Anubis

Home , CRYPTON

Hindawi Publishing Corporation Journal of Applied Mathematics Volume 2013, Article ID 713673, 10 pages http://dx.doi.org/10.1155/2013/713673

Research Article Collision Attacks on AES-192/256, Crypton-192/256, mCrypton-96/128, and Anubis

Jinkeon Kang,1 Kitae Jeong,1 Jaechul Sung,2 Seokhie Hong,1 and Kyungho Lee1

1 Center for Information Security Technologies (CIST), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea 2 Department of Mathematics, University of Seoul, Jeonnong-dong, Dongdaemun-gu, Seoul 130-743, Republic of Korea

Correspondence should be addressed to Kyungho Lee; [email protected]

Received 19 July 2013; Accepted 22 August 2013

Academic Editor: Jongsung Kim

Copyright © 2013 Jinkeon Kang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

At AES’00, a collision attack on 7-round reduced AES was proposed. In this paper, we apply this idea to seven SPN block ciphers, AES-192/256, Crypton-192/256, mCrypton-96/128, and Anubis. Applying our attacks on AES-192/256, we improve the attack result based on meet-in-the-middle attack (AES-192) and the attack result proposed in AES’00 (AES-256), respectively. Our attack result on Anubis is superior to known cryptanalytic result on it. In the cases of Crypton-192/256 and mCrypton-96/128, our attacks are applicable to 8-round reduced versions. The attack results on mCrypton-96/128 are more practical than known cryptanalytic results on them.

1. Introduction attack results on them. Rijndael was announced as the Advanced Encryption Standard (AES) in 2001. After DES, it Recently, meet-in-the-middle attack has received attention. isoneofthemostwidelyusedandanalyzedciphersinthe The attack procedure of meet-in-the-middle attack can be world. AES is a 128-bit block cipher and accepts key sizes of summarized as follows. Let M be the message space and K 128, 192,and256 bits. These versions of AES are called AES- thekeyspace.Supposethat𝐺𝐾 and 𝐻𝐾 : M × K → M are 128/192/256 and the number of rounds for these versions two block ciphers and let 𝐹𝐾 =𝐻𝐾 ∘𝐺𝐾. In this attack, an is 10, 12,and14, respectively. Our attacks on AES-192/256 69.2 attacker tries to deduce 𝐾 from a given plaintext/ciphertext require a computational complexity of 2 encryptions with −1 32 74 pair 𝑐=𝐹𝐾(𝑝) by trying to solve 𝐺𝐾(𝑝) =𝐾 𝐻 (𝑐).In 2 chosen plaintexts and 2 memory bytes, respectively. somecases,theequationisnottestedforallthebitsof Though our attacks on them are not applicable to the full the intermediate encryption value, but rather for only some AES-192/256, these are superior to the attack results of [1] of them. So far, many meet-in-the-middle attack results on (AES-192)and[3](AES-256), respectively. block cipher have been proposed [1, 2]. On the other hand, Crypton is a 128-bit block cipher submitted as a candidate Gilbert and Minier proposed a collision attack on 7-round for the AES proposal of NIST. This algorithm has a 12-round of AES in [3]. This attack is a type of meet-in-the middle SPN structure with 128/192/256-bit secret keys. According attack and exploits a 4-round distinguisher. In general, block to the length of the secret keys, we call them Crypton- cipher is completely deterministic, that is, if it is run again 128/192/256, respectively. Our attack is applicable to 8-round with the exact same input values, identical output values will reduced Crypton-192/256. To our knowledge, truncated dif- be produced. Similarly, the different input values result in ferential cryptanalysis on 8-round reduced Crypton-192/256 the different output values. However, it is possible that the has the best results on them, so far [8]. The attacks on an different input values result in the output values of which the 8-round reduced Crypton-192/256 need the computational 161.6 96 specific parts are the same. We call this case a collision. complexity of 2 encryptions with 2 chosen plaintexts 138 In this paper, we apply the main idea of [3]toseven and 2 memory bytes, respectively. Compared to the attack SPN block ciphers, such as AES-192/256 [4], Crypton [5], results of [8], our attacks decrease the data complexity but mCrypton-96/128 [6], and Anubis [7]. Table 1 shows our increase the computational complexity. 2 Journal of Applied Mathematics

secret key, the number of rounds is 12 and 14,respectively. 4×4 S00 S01 S02 S03 Each internal state is treated as a byte matrix of size , 8 where each byte represents a value in GF(2 ) (see Figure 1). In round 𝑟, input/output values and round key are 𝑟 𝑟 𝑟 S10 S11 S12 S13 denoted by 𝐼 ,𝑂 ,andRK,respectively(𝑟=1,...,12(AES- 0 192)or14 (AES-256)). A whitening key is denoted by RK . The round function of AES-192/256 applies the following

S20 S21 S22 S23 four operations to the state matrix: (i) SubBytes (SB): applying the same 8×8invertible S- box 16 timesinparalleloneachbyteofthestate; S30 S31 S32 S33 (ii) ShiftRows (SR): cyclic shift of each row (the 𝑖th row is shifted by 𝑖 bytes to the left); Figure 1: Internal state of AES-192/256 and Anubis. (iii) MixColumns (MC): multiplication of each column by 8 aconstant4×4matrix over GF(2 ); (iv) AddRoundKey (ARK): XORing the state with a 128- A 64-bit block cipher mCrypton was designed as a bit round key. reduced version of Crypton for a ubiquitous environment. It provides low-resource hardware implementation, which is TheSB,SR,MC,andARKtransformationsareapplied suitable for low-end devices such as RFID tags and wireless to each round except that MC is omitted in the last round. sensor network. Several security aspects related to RFID Besides, before the first round, an extra ARK is applied, tags and wireless sensor network have already been studied. which we call a whitening key step. For the more detailed mCrypton has 12 rounds and supports the 64/96/128-bit descriptions of AES-192/256, we refer to [4]. We omit the key secret keys. Our attack is applicable to mCrypton-96/128. schedules of them, as they do not affect our attacks. 81.6 We require the computational complexity of 2 encryptions 48 65 with 2 chosen plaintexts and 2 memory bytes. However, 2.2. Finding a 4-Round Distinguisher of AES. In our attack this is not the best result on them, since related-key impossi- on AES, we use a 4-rounddistinguisherofround2∼5. We 2 ble differential cryptanalysis on 9-round reduced mCrypton- consider an input value 𝐼 of round 2 in AES which is 96/128 was proposed in [9]. However, considering the attack constructed as follows: assumption of a related-key attack, our attacks are more 2 2 2 2 (i) (𝐼 ,𝐼 ,𝐼 ,𝐼 ):four8-bit variables; practical than it. 00 10 20 30 2 Anubis is a block cipher submitted to the NESSIE project (ii) 𝐼𝑖𝑗 :afixed8-bit constant (0≤𝑖≤3,1≤𝑗≤3). 128 and operates on data blocks of bits, accepting keys of 𝐼2 length 32𝑁 bits (𝑁 = 4,...,10).ItisaRijndaelvariant By using ,wecanconstructthefollowingequationson 𝐼3 (𝑖 = 0,...,3) 𝑎 that uses involutions for the various operations. Our attack .Here, 𝑖𝑗 means the entry of the coefficient (𝑗=0,...,3) is applicable to Anubis where the length of the secret key is matrix of MC : longer than 192 bits. We need the computational complexity 3 2 2 2 161.6 96 138 𝐼𝑖0 =𝑎𝑖0 ∘ SB [𝐼00]⊕𝑎𝑖1 ∘ SB [𝐼11]⊕𝑎𝑖2 ∘ SB [𝐼22] of 2 encryptions with 2 chosen plaintexts and 2 memory bytes. This result is superior to known cryptanalytic 2 2 ⊕𝑎𝑖3 ∘ SB [𝐼33]⊕RK𝑖0, results on this algorithm. The rest of this paper is organized as follows. In Section 2, 3 2 2 2 𝐼𝑖1 =𝑎𝑖0 ∘ SB [𝐼01]⊕𝑎𝑖1 ∘ SB [𝐼12]⊕𝑎𝑖2 ∘ SB [𝐼23] weproposecollisionattacksonAES-192/256.Collision attacks on Crypton-192/256 and mCrypton-96/128 are intro- 2 2 ⊕𝑎𝑖3 ∘ SB [𝐼30]⊕RK𝑖1, duced in Section 3.InSection 4,wepresentacollisionattack (1) on Anubis. In each section, we start with a brief description 3 2 2 2 𝐼 =𝑎𝑖0 ∘ SB [𝐼 ]⊕𝑎𝑖1 ∘ SB [𝐼 ]⊕𝑎𝑖2 ∘ SB [𝐼 ] of the block cipher concerned. Finally, we give our conclusion 𝑖2 02 13 20 in Section 5. 2 2 ⊕𝑎𝑖3 ∘ SB [𝐼31]⊕RK𝑖2,

3 2 2 2 2. Collision Attacks on 7-Round Reduced 𝐼𝑖3 =𝑎𝑖0 ∘ SB [𝐼03]⊕𝑎𝑖1 ∘ SB [𝐼10]⊕𝑎𝑖2 ∘ SB [𝐼21]

AES-192/256 2 2 ⊕𝑎𝑖3 ∘ SB [𝐼32]⊕RK𝑖3. First, we briefly present AES-192/256.Andthenweintroduce 3 3 3 3 collision attacks on AES-192/256.Notethattheattackproce- Note that each 𝐼𝑖0, 𝐼𝑖1, 𝐼𝑖2,and𝐼𝑖3 depends on only one 192 256 2 2 2 2 dure on AES- isthesameasthatonAES- .Thus,forthe 8-bit variable and one 8-bit round key: (𝐼00, RK𝑖0), (𝐼30, RK𝑖1), 192 256 2 2 2 2 simplicity of notations, we just call them AES- / AES. (𝐼20, RK𝑖2),and(𝐼10, RK𝑖3). Applying the above procedure repeatedly, as shown in (2), 5 2.1. AES-192/256. AES-192/256 are 128-bit block ciphers wecanobtainanequationonaninputvalue𝐼00 of round 5 by 192 256 2 2 2 2 with / -bit secret keys. According to the length of the using 𝐼 . Here, bold characters indicate (𝐼10,𝐼20,𝐼30) Journal of Applied Mathematics 3

5 2 2 2 2 2 𝐼00 =𝑎00 ∘ SB [𝑎00 ∘ SB (𝑎00 ∘ SB [𝐼00]⊕𝑎01 ∘ SB [𝐼11]⊕𝑎02 ∘ SB [𝐼22]⊕𝑎03 ∘ SB [𝐼33]⊕RK00)

2 2 2 2 2 ⊕𝑎01 ∘ SB (𝑎10 ∘ SB [𝐼01]⊕𝑎11 ∘ SB [𝐼12]⊕𝑎12 ∘ SB [𝐼23]⊕𝑎13 ∘ SB [I30]⊕RK11)

2 2 2 2 2 ⊕𝑎02 ∘ SB (𝑎20 ∘ SB [𝐼02]⊕𝑎21 ∘ SB [𝐼13]⊕𝑎22 ∘ SB [I20]⊕𝑎23 ∘ SB [𝐼31]⊕RK22)

2 2 2 2 2 3 ⊕𝑎03 ∘ SB (𝑎30 ∘ SB [𝐼03]⊕𝑎31 ∘ SB [I10]⊕𝑎32 ∘ SB [𝐼21]⊕𝑎33 ∘ SB [𝐼32]⊕RK33)⊕RK00]

2 2 2 2 2 ⊕𝑎01 ∘ SB [𝑎10 ∘ SB (𝑎00 ∘ SB [𝐼01]⊕𝑎01 ∘ SB [𝐼02]⊕𝑎𝑖2 ∘ SB [𝐼23]⊕𝑎03 ∘ SB [I30]⊕RK01)

2 2 2 2 2 ⊕𝑎11 ∘ SB (𝑎10 ∘ SB [𝐼02]⊕𝑎11 ∘ SB [𝐼13]⊕𝑎12 ∘ SB [I20]⊕𝑎13 ∘ SB [𝐼31]⊕RK12)

2 2 2 2 2 ⊕𝑎12 ∘ SB (𝑎20 ∘ SB [𝐼03]⊕𝑎21 ∘ SB [I10]⊕𝑎22 ∘ SB [𝐼21]⊕𝑎23 ∘ SB [𝐼32]⊕RK23)

2 2 2 2 2 3 ⊕𝑎13 ∘ SB (𝑎30 ∘ SB [𝐼 ]⊕𝑎31 ∘ SB [𝐼 ]⊕𝑎32 ∘ SB [𝐼 ]⊕𝑎33 ∘ SB [𝐼 ]⊕RK )⊕RK ] 00 11 22 33 30 11 (2) 2 2 2 2 2 ⊕𝑎02 ∘ SB [𝑎20 ∘ SB (𝑎00 ∘ SB [𝐼02]⊕𝑎01 ∘ SB [𝐼13]⊕𝑎02 ∘ SB [I20]⊕𝑎03 ∘ SB [𝐼31]⊕RK02)

2 2 2 2 2 ⊕𝑎21 ∘ SB (𝑎10 ∘ SB [𝐼03]⊕𝑎11 ∘ SB [I10]⊕𝑎12 ∘ SB [𝐼21]⊕𝑎13 ∘ SB [𝐼32]⊕RK13)

2 2 2 2 2 ⊕𝑎22 ∘ SB (𝑎20 ∘ SB [𝐼00]⊕𝑎21 ∘ SB [𝐼11]⊕𝑎22 ∘ SB [𝐼22]⊕𝑎23 ∘ SB [𝐼33]⊕RK20)

2 2 2 2 2 3 ⊕𝑎23 ∘ SB (𝑎30 ∘ SB [𝐼01]⊕𝑎31 ∘ SB [𝐼12]⊕𝑎32 ∘ SB [𝐼23]⊕𝑎33 ∘ SB [I30]⊕RK31)⊕RK22]

2 2 2 2 2 ⊕𝑎03 ∘ SB [𝑎30 ∘ SB (𝑎00 ∘ SB [𝐼03]⊕𝑎01 ∘ SB [I10]⊕𝑎02 ∘ SB [𝐼21]⊕𝑎03 ∘ SB [𝐼32]⊕RK03)

2 2 2 2 2 ⊕𝑎31 ∘ SB (𝑎10 ∘ SB [𝐼00]⊕𝑎11 ∘ SB [𝐼11]⊕𝑎12 ∘ SB [𝐼22]⊕𝑎13 ∘ SB [𝐼33]⊕RK10)

2 2 2 2 2 ⊕𝑎32 ∘ SB (𝑎20 ∘ SB [𝐼01]⊕𝑎21 ∘ SB [𝐼12]⊕𝑎22 ∘ SB [𝐼23]⊕𝑎23 ∘ SB [I30]⊕RK21)

2 2 2 2 2 3 4 ⊕𝑎33 ∘ SB (𝑎30 ∘ SB [𝐼02]⊕𝑎31 ∘ SB [𝐼13]⊕𝑎32 ∘ SB [I20]⊕𝑎33 ∘ SB [𝐼31]⊕RK32)⊕RK33]⊕RK00.

5 5 −1 Note that this equation consists of five parts as follows: We can express 𝐼 by using 𝑂 as follows. Here, 𝑓 means the inverse of a function 𝑓 𝑂5 = ∘ ∘ ∘ [𝐼5] ARKRK5 MC SR SB 𝐼5 =(𝑎 ∘ [⋅])⊕(𝑎 ∘ [⋅])⊕(𝑎 ∘ [⋅]) 00 00 SB 01 SB 02 SB 5 = ∘ ∘ −1 −1 ∘ [𝐼 ] (3) MC SR ARKSR ∘MC [RK5] SB (4) 4 ⊕(𝑎 ∘ [⋅])⊕ . 5 −1 −1 5 03 SB RK00 󳨐⇒ [𝐼 ]= −1 −1 ∘ ∘ [𝑂 ]. SB ARKSR ∘MC [RK5] SR MC 2󸀠 2󸀠 2󸀠 2󸀠󸀠 2󸀠󸀠 2󸀠󸀠 If we obtain different (𝐼10,𝐼20,𝐼30) and (𝐼10 ,𝐼20 ,𝐼30 ) satisfying 󸀠 󸀠󸀠 󸀠 󸀠󸀠 󸀠 󸀠 󸀠 󸀠󸀠 󸀠󸀠 󸀠󸀠 5 5 5 5 2 2 2 2 2 2 𝐼00 =𝐼00 ,thenSB[𝐼00] is also equal to SB[𝐼00 ].Thus,from If we find different (𝐼10,𝐼20,𝐼30) and (𝐼10 ,𝐼20 ,𝐼30 ) which 2 2 2 the above equation, we can construct the following equation. satisfy that each subpart including (𝐼10,𝐼20,𝐼30),thatis, −1 Here, 𝑏𝑖𝑗 means the entry of the coefficient matrix of MC (2, 3, 4)th rows of the first part, (1, 2, 3)th rows of the second part, (1, 2, 4)th rows of the third part, and (1, 3, 4)th rows 5󸀠 5󸀠 5󸀠 5󸀠 5󸀠 2 SB [𝐼00]=𝑏00 ∘𝑂00 ⊕𝑏01 ∘𝑂10 ⊕𝑏02 ∘𝑂20 ⊕𝑏03 ∘𝑂30 of the fourth part in (2), has the same value for a given 𝐼00, 5󸀠 5󸀠󸀠 2 𝐼 𝐼 𝐼 ∈ {0, . . . , 255} 5󸀠󸀠 5󸀠󸀠 5󸀠󸀠 5󸀠󸀠 then 00 is equal to 00 .Thatis,forall 00 , =𝑏 ∘𝑂 ⊕𝑏 ∘𝑂 ⊕𝑏 ∘𝑂 ⊕𝑏 ∘𝑂 (5) 2󸀠 2󸀠 2󸀠 2󸀠󸀠 2󸀠󸀠 2󸀠󸀠 00 00 01 10 02 20 03 30 these (𝐼10,𝐼20,𝐼30) and (𝐼10 ,𝐼20 ,𝐼30 ) result in the same 32-bit 5󸀠󸀠 valueoffoursubparts(thelengthofthevalueineachsubpart = SB [𝐼00 ]. is 8 bits). By the birthday paradox, we can obtain different 2󸀠 2󸀠 2󸀠 2󸀠󸀠 2󸀠󸀠 2󸀠󸀠 16 2 2 2 2 5󸀠 5󸀠󸀠 (𝐼10,𝐼20,𝐼30) and (𝐼10 ,𝐼20 ,𝐼30 ) from 2 (𝐼10,𝐼20,𝐼30) with the For all 𝐼00 ∈{0,...,255},wecancheckthat𝐼00 is equal to 𝐼00 probability of 0.5. by using (5). That is, with the probability of 0.5,wecanfind 4 Journal of Applied Mathematics

Table 1: Our attack results on AES-192/256, Crypton-192/256, mCrypton-96/128, and Anubis.

Target Algorithm Attack Number of rounds Data complexity Computational complexity 40 80 MitM [1] 72 2 123 176 AES-192 RKABA [10] 12 2 2 32 69.2 CA (This paper) 72 2 32 140 CA [3] 72 2 99.5 99.5 AES-256 RKBA [10] 14 2 2 32 69.2 CA (This paper) 72 2 126 126.2 TDC [8] 82 2 Crypton-192/256 96 161.6 CA (This paper) 82 2 9259.9 274.9 96 RKIDC [9] mCrypton- 48 81.6 CA (This paper) 82 2 9259.7 266.7 128 RKIDC [9] mCrypton- 48 81.6 CA (This paper) 82 2 32 140 CA [11] 72 2 128 119 120 Anubis Square [11] 72∼2 2 96 161.6 CA (This paper) 82 2 MitM: meet-in-the-middle attack. TDC: truncated differential cryptanalysis. RKABA: related-key amplified boomerang attack. RKBA: related-key boomerang attack. RKIDC: related-key impossible differential cryptanalysis. CA: collision attack.

2󸀠 2󸀠 2󸀠 2󸀠󸀠 2󸀠󸀠 2󸀠󸀠 𝐶𝑖 32 𝑃𝑖 || 𝑃𝑖 || 𝑃𝑖 || different (𝐼10,𝐼20,𝐼30) and (𝐼10 ,𝐼20 ,𝐼30 ) satisfying (5)forall Sort ’s according to a -bit value 00 11 22 2 16 𝑖 𝐼00 (among 2 candidates). 𝑃33. 192 On the other hand, our attack on AES recovers a -bit 𝑗(=0,...,3) 40 ( 6∗ 𝐼2 (2) For each ,guess -bit round keys RK𝑗0 , round key and the probability that (5)holdsforone 00 is 7∗ 7∗ 7∗ 2−8 25 𝐼2 RK0((4−𝑗) mod 4),RK1((4−𝑗) mod 4),RK2((4−𝑗) mod 4), .So,ifweuseonly 00,theprobabilitythat(5)holdsis 7∗ 5 −8 25 −200 −200 192 2 RK ) and compute the corresponding 𝑂 (2 ) =2 .Since2 ⋅2 ≪1,weconsideronly25 𝐼00. 3((4−𝑗) mod 4) 𝑗0 𝑖 from the guessed round keys and 𝐶 by using (6)(e.g., ( 6∗, 7∗, 7∗, 7∗, 7∗) 2.3.CollisionAttackona7-RoundReducedAES. Now, we guess RK00 RK00 RK10 RK20 RK30 to compute 5 5 show how to exploit a 4-round distinguisher constructed in 𝑂00). Sort 𝑂𝑗0 according to the guessed round keys, 𝑖 theprevioussubsectioninordertoattacka7-round reduced and 𝑗, and keep them in a table. AES. 16 𝑘 5 (3) Select 2 sets 𝑆 including 25 output values 𝑋 of MC Similarly to the previous subsection, 𝑂 can be expressed 16 𝑂7 in round 1(𝑘=0,...,2 −1).Notethat𝑋𝑚𝑛 are fixed by using as follows: 𝑘 𝑘 constants in all 𝑆 (0≤𝑚≤3,1≤𝑛≤3). In each 𝑆 , 7 5 𝑘 𝑂 = 7 ∘ ∘ ∘ 6 ∘ ∘ ∘ [𝑂 ] 25𝑋00 have different values but all 𝑆 contain the same ARKRK SR SB ARKRK MC SR SB 𝑋00.Inthecaseof(𝑋10,𝑋20,𝑋30), they are different 𝑘 𝑘 = ∘ −1 7 ∘ ∘ ∘ 𝑆 𝑆 SR ARKSR [RK ] SB MC SR in each but the same in all . 0 0 0 0 5 (4) Guess 32-bit round keys (RK00, RK11, RK22, RK33) ∘ ARK −1∘ −1[ 6] ∘ SB [𝑂 ] 16 𝑘 SR MC RK and construct 2 sets 𝑄 including the corresponding 5 −1 −1 −1 (𝑃󸀠 ,𝑃󸀠 ,𝑃󸀠 ,𝑃󸀠 ) 𝑋 𝑆𝑘 󳨐⇒ 𝑂 = ∘ −1 −1 6 ∘ ∘ 00 11 22 33 from each in ,anddothe SB ARKSR ∘MC [RK ] SR MC following: −1 −1 7 ∘ ∘ −1[ 7] ∘ [𝑂 ]. SB ARKSR RK SR 𝑘 𝑘 𝑄 1 𝑄 2 (6) (i) choose different two sets and .Byusing the table constructed in Step 2, check that 25 −1 −1 6 𝑘1 𝑘2 For the simplicity of notations, SR ∘ MC [RK ] and pairs from 𝑄 and 𝑄 satisfy (5); −1 7 6∗ 7∗ SR [RK ] in (6) are denoted by RK and RK ,respectively. (ii) if all 25 pairs satisfy (5), then output the corre- Our attack procedure on AES is as follows (see Figure 2). sponding 192-bit guessed round keys as the right 32 𝑖 round keys of AES. (1) Construct 2 plaintexts 𝑃 , where all byte values exc- 𝑖 𝑖 𝑖 𝑖 32 ept (𝑃00,𝑃11,𝑃22,𝑃33) are fixed constants, and obtain The data complexity of this attack is 2 chosen plaintexts 𝑖 32 74 32 40 the corresponding ciphertexts 𝐶 (𝑖= 0,...,2 −1). and the memory complexity is 2 (≈ 4 ⋅ 2 ⋅2 ) memory Journal of Applied Mathematics 5

P I1 P00 X00 P −1 −1 −1 11 ARK SB SR MC X10 ARK 0 1 P22 RK X20 RK P33 X30 Guess! O1(= I2) 2 Choose! I00 2 I10 4-round 2 I20 distinguisher 2 I30 O5(= I6) 5 O00 5 −1 −1 −1 O10 SB ARK SR MC 5 6∗ O20 RK 5 O30

Check! 6 7 Guess! 7 O (= I ) O (= C)

−1 −1 SB ARK SR 7∗ RK

Figure 2: The attack procedure on AES-192/256.

bytes. The computational complexity depends on Step 2 (i) 𝛾: applying four 4×4S-boxes (𝑆0,𝑆1,𝑆2,𝑆3) 4times 69.2 32 40 heavily. Thus, it is about 2 (≈ 2 ⋅2 ⋅1/7⋅1/4⋅4) in parallel on each byte of the state. Note that two encryptions. Though this attack is not applicable to the full versions (𝛾𝑜,𝛾𝑒) of 𝛾 are used according to rounds. In AES-192/256, this result is superior to the attack results of [1] detail, 𝛾𝑜 is for odd rounds and 𝛾𝑒 is for even rounds; (AES-192) and [3] (AES-256), respectively. (ii) 𝜋: mixing each byte column of 4 × 4arraybyusing four masking bytes (𝑚0,𝑚1,𝑚2,𝑚3).Similarlyto𝛾, two versions (𝜋𝑜,𝜋𝑒) of 𝜋 are applied according to 3. Collision Attacks on 8-Round Reduced rounds (𝜋𝑜 is for odd rounds and 𝜋𝑒 is for even Crypton-192/256 and mCrypton-96/128 rounds); (iii) 𝜏:movingthebyteatthe(𝑖, 𝑗)th position to the (𝑗, 𝑖)th In this section, we present collision attacks on 8-round position; reduced Crypton-192/256 and mCrypton-96/128. Our attacks on 8-round reduced mCrypton-96/128 are similar to them (iv) 𝜎:XORingthestatewithan128-bitroundkey. on 8-round reduced Crypton-192/256. Thus, we mainly intro- The round function 𝜌 consists of applying in sequence duce the attacks on 8-round reduced Crypton-192/256. Fur- four operations, the S-box transformation 𝛾,thebitpermuta- thermore, similarly to the attacks on AES-192/256, the attack tion 𝜋,thebytetransposition𝜏, and the key addition 𝜎,tothe procedure on Crypton-192 (mCrypton-96) is the same as that 4×4 𝜌 byte array. More specifically, the odd round function 𝑜RK on Crypton-256 (mCrypton-128). Thus, for the simplicity of 𝜌 and the even round function 𝑒RK are defined (for a round key notations, we just call them Crypton-192/256 (mCrypton- RK) as follows: 96/128) and Crypton (mCrypton). First, we briefly present 𝜌 =𝜎 ∘𝜏∘𝜋 ∘𝛾 Crypton and mCrypton. (i) 𝑜RK RK 𝑜 𝑜 for odd rounds; 𝜌 =𝜎 ∘𝜏∘𝜋 ∘𝛾 (ii) 𝑒RK RK 𝑒 𝑒 for even rounds. 3.1. Crypton and mCrypton. As shown in Figure 3(a),a128- For the more detailed descriptions of Crypton, we refer bit block cipher Crypton has a 12-round SPN structure with to [5]. Similarly to our attacks on AES-192/256, our attacks 128/192/256-bitsecretkeysandprocessesblocksof128bitsin on Crypton do not also consider the key schedule of this the form of 4 × 4bytearray(seeFigure 4). Note that indices algorithm. Thus, we omit its key schedules. used in the internal state of Crypton are different from that of mCrypton is a 64-bit lightweight block cipher designed AES. for use in low-cost and resource-constrained applications Similarly to AES-192/256, in round 𝑟, we denote such as RFID tags and sensors in wireless sensor networks. 𝑟 𝑟 𝑟 input/output values and round key 𝐼 ,𝑂 ,andRK, As shown in Figure 3(b), it has a 12-round SPN structure and respectively (𝑟=1,...,12). The round function 𝜌 of Crypton supports the 64/96/128-bit secret keys. The overall structure consists of the following four operations: of mCrypton is similar to Crypton except that mCrypton is 6 Journal of Applied Mathematics

P (four 32-bit words) P (four 16-bit words)

0 0 Initial key addition (RK ) Initial key addition (RK )

Byte substitution (𝛾) Byte substitution (𝛾)

Round 1 Bit permutation (𝜋) Round 1 Bit permutation (𝜋) ∼ ∼ Round 11 Byte transposition (𝜏) Round 11 Byte transposition (𝜏)

Key addition (𝜎) Key addition (𝜎)

Byte transposition (𝜏) Byte transposition (𝜏)

Round 12 Bit permutation (𝜋) Round 12 Bit permutation (𝜋)

Byte transposition (𝜏) Byte transposition (𝜏)

C (four 32-bit words) C (four 16-bit words)

(a) (b)

Figure 3: (a) Crypton and (b) mCrypton.

also construct a 4-round distinguisher of Crypton. Further-

S30 S20 S10 S00 more, because of the weak diffusion property of Crypton, we can extend this distinguisher to a 5-round distinguisher of it. In detail, our attacks on an 8-round reduced Crypton 2∼6 S31 S21 S11 S01 consider a 5-round distinguisher of round . Recall that, in the attack on AES-192/256, an equation on 5 2 𝑂00 can be constructed by using 𝐼 .Weapplythismethodto 𝐼6 𝐼2 S32 S22 S12 S02 Crypton. As a result, we obtain an equation on 30 by using . Similarly to AES-192/256, this equation consists of five parts as follows. Here, 𝑚𝑖 means a masking byte used in 𝜋 and “∧”

S33 S23 S13 S03 is a bitwise AND operation 6 𝐼30 =(𝑆0 [⋅] ∧𝑚3)⊕(𝑆1 [⋅] ∧𝑚0)⊕(𝑆2 [⋅] ∧𝑚1) (7) Figure 4: Internal state of Crypton and mCrypton. 5 ⊕(𝑆3 [⋅] ∧𝑚2)⊕RK30. 6 6 On the other hand, 𝐼 canbewrittenbyusing𝑂 as basedonnibble-orientedoperations(notethatCryptonis follows: basedonbyte-orientedoperations). 6 6 6 𝑂 =𝜎 6 ∘𝜏∘𝜋 ∘𝛾 [𝐼 ]=𝜏∘𝜋 ∘𝜎 −1 −1 6 ∘𝛾 [𝐼 ] RK 𝑒 𝑒 𝑒 𝜋𝑒 ∘𝜏 (RK ) 𝑒 3.2. Collision Attacks on an 8-Round Reduced Crypton. First, 6 −1 −1 6 󳨐⇒ 𝛾 𝑒 [𝐼 ]=𝜎𝜋−1∘𝜏−1( 6) ∘𝜋𝑒 ∘𝜏 [𝑂 ]. we explain the way to find a distinguisher of Crypton. By 𝑒 RK using a similar method in the attack on AES-192/256, we can (8) Journal of Applied Mathematics 7

48 Thus, we use the following equation as a checking equa- (i) the data complexity: 2 chosen plaintexts; tion (note that, in the case of the attack on AES-192/256, a 81.6 (ii) the memory complexity: 2 memory bytes; checking equation is (5)) 265 6󸀠 6󸀠 6󸀠 (iii) the computational complexity: encryptions. 𝛾𝑒 [𝐼30]=(𝑂03 ∧𝑚0)⊕(𝑂13 ∧𝑚3) In [9], related-key impossible differential cryptanalysis on 6󸀠 6󸀠 9-round reduced mCrypton-96/128 was proposed. The attack ⊕(𝑂 ∧𝑚2)⊕(𝑂 ∧𝑚1) 23 33 on a 9-round reduced mCrypton-96 needs the computational 74.9 59.9 󸀠󸀠 󸀠󸀠 󸀠󸀠 2 2 =(𝑂6 ∧𝑚 )⊕(𝑂6 ∧𝑚 )⊕(𝑂6 ∧𝑚 ) complexity of encryptions with chosen plaintexts. 03 0 13 3 23 2 (9) In the case of a 9-round reduced mCrypton-128, we need 66.7 59.7 󸀠󸀠 the computational complexity of 2 encryptions with 2 ⊕(𝑂6 ∧𝑚 ) 33 1 chosen plaintexts. To our knowledge, these are the best results on mCrypton-96/128. However, considering the attack 6󸀠󸀠 =𝛾𝑒 [𝐼30 ]. assumption of a related-key attack, our attacks are more practical than it. The overall attack procedure is similar to the case of AES. Figure 5 presents our attack procedure on an 8-round 6 8 4. Collision Attack on an 8-Round reducedCrypton.Themethodtocompute𝑂 from 𝑂 is shown in Reduced Anubis 8 6 First, we present Anubis, and then a collision attack on an 8- 𝑂 =𝜏∘𝜋𝑒 ∘𝜏∘𝜎 8 ∘𝜏∘𝜋𝑒 ∘𝛾𝑒 ∘𝜎 7 ∘𝜏∘𝜋𝑜 ∘𝛾𝑜 [𝑂 ] RK RK round reduced Anubis is introduced.

=𝜏∘𝜋 ∘𝜏∘𝜏∘𝜋 ∘𝜎 −1 −1 8 ∘𝛾 ∘𝜏∘𝜋 𝑒 𝑒 𝜋𝑒 ∘𝜏 [RK ] 𝑒 𝑜 128 6 4.1. Anubis. As shown in Figure 6,Anubisisa -bit block ∘𝜎 −1 −1 7 ∘𝛾 [𝑂 ] 128 320 𝜋𝑜 ∘𝜏 [RK ] 𝑜 cipher with variable-length keys from bits to bits in steps of 32 bits. The number of rounds depends on the length 6 =𝜏∘𝜎 −1 −1 8 ∘𝛾 ∘𝜏∘𝜋 ∘𝜎 −1 −1 7 ∘𝛾 [𝑂 ] 12 128 𝜋𝑒 ∘𝜏 [RK ] 𝑒 𝑜 𝜋𝑜 ∘𝜏 [RK ] 𝑜 ofthesecretkey:atleast (for the -bit secret key), plus one extra round for each additional 32 bits. For example, 6 =𝜎 −1 −1 8 ∘𝜏∘𝛾 ∘𝜏∘𝜋 ∘𝜎 −1 −1 7 ∘𝛾 [𝑂 ] 192(= 128 + 2 ⋅ 32) 𝜏∘𝜋𝑒 ∘𝜏 [RK ] 𝑒 𝑜 𝜋𝑜 ∘𝜏 [RK ] 𝑜 when the length of the secret key is bits, the number of rounds is 14(= 12 + 2). 6 =𝜎 −1 −1 8 ∘𝛾 ∘𝜋 ∘𝜎 −1 −1 7 ∘𝛾 [𝑂 ]. 128 4×4 𝜏∘𝜋𝑒 ∘𝜏 [RK ] 𝑒 𝑜 𝜋𝑜 ∘𝜏 [RK ] 𝑜 Anubis processes blocks of bits in the form of byte array and uses the same indices as AES (see Figure 1). 6 −1 −1 −1 8 󳨐⇒ 𝑂 =𝛾𝑜 ∘𝜎𝜋−1∘𝜏−1[ 7] ∘𝜋𝑜 ∘𝛾𝑒 ∘𝜎𝜏∘𝜋−1∘𝜏−1[ 8] [𝑂 ]. Similarly to block ciphers concerned in the previous sections, 𝑜 RK 𝑒 RK 𝑟 in round 𝑟, we denote input/output values and round key 𝐼 , (10) 𝑟 𝑟 𝑂 ,andRK,respectively. The complexities of this attack are as follows: The round function of Anubis consists of sixteen 8×8S- 96 box parallel lookups, a linear transformation (matrix transpo- (i) the data complexity: 2 chosen plaintexts; 133 sition followed by multiplication by a constant MDS diffusion (ii) the memory complexity: 2 memory bytes; matrix), and the round key addition. These transformations 161.6 (iii) the computational complexity: 2 encryptions. are defined as follows: So far, the best attack result was the truncated differential (i) 𝛾: applying the same 8×8S-box 16 times in parallel cryptanalysis on 8-round reduced Crypton-192/256 proposed on each byte of the state; in [8]. This attack requires the computational complexity of (ii) 𝜏:movingthebyteatthe(𝑖, 𝑗)th position to the (𝑗, 𝑖)th 2126.2 2126 encryptions with chosen plaintexts, respectively. position; Compared to these results, our attack decreases the data (iii) 𝜃: multiplication of each column by a constant 4×4 complexity but increases the computational complexity. 8 matrix over GF(2 ); 3.3. Collision Attacks on an 8-Round Reduced mCrypton. As (iv) 𝜎:XORingthestatewitha128-bit round key. shown in Figure 5, the attack procedure on mCrypton is the same as that on Crypton except that it is based on nibble- For the more detailed descriptions of Anubis, we refer oriented operations (recall that Crypton is based on byte- to [7]. Similarly to the previous sections, we omit their key oriented operations). In detail, our attack on mCrypton uses schedules, as they do not affect our attacks. 6 8 (9) as a checking equation and 𝑂 is computed from 𝑂 by using (10). 4.2. Collision Attacks on an 8-Round Reduced Anubis. Our Since the size of internal state of mCrypton is half of that attack on an 8-round reduced Anubis is similar to the attacks in Crypton, the complexities of the attack on mCrypton are on AES-192/256,Crypton-192/256,andmCrypton-96/128. half of them on Crypton. The complexities of the attack on In collision attack on an 8-round reduced Anubis, we use mCrypton are as follows: a 5-round distinguisher of round 2∼6. By using a similar 8 Journal of Applied Mathematics

P I1

P20 P10 P00 X30X20X10X00 −1 −1 −1 𝜎 P21 P11 P01 𝜎 𝛾o 𝜋o 𝜏 X31X21X11 P 0 1 22 P12 P02 RK X22X12 RK P23 P13 P03 1 2 Guess! O (= I ) I2 2 2 2 30 I20 I10 I00 Choose! 2 I2 2 I31 21 I11 5-round 2 2 I22 I12 distinguisher

O6(= I7)

−1 −1 −1 𝛾o 𝜎 𝜋o 𝛾e 7∗ RK O6 O6 O6 6 33 23 13O03 Guess! O8 C Check! (= )

𝜎 8∗ RK

Figure 5: The attack procedure on Crypton-192/256 and mCrypton-96/128.

|K| = 32 ·N bits P (128 bits)

0 Initial key addition (RK )

Byte substitution (𝛾)

Round 1 Byte transposition (𝜏) ∼ Round N+7 Linear diffusion (𝜃)

Key addition (𝜎)

Byte substitution (𝛾)

Round N+8 Byte transposition (𝜏)

Key addition (𝜎)

C (128 bits)

Figure 6: Anubis. Journal of Applied Mathematics 9

P I1

P00 P01 P02 P03 X00 −1 −1 −1 𝜎 P 𝜎 𝛾 𝜏 𝜃 10 P11 P12 P13 X10X11X12 P P P P 0 X X X 1 20 21 22 23 RK 20 21 22 RK X30 X32

1 2 Guess! O (= I ) 2 I00 Choose! 2 2 2 I10 I11 I12 5-round 2 2 2 I20 I21 I22 distinguisher 2 2 I30 I32 O6(= I7) O6 00 −1 6 𝛾 𝜎 𝜏−1 𝜃−1 O10 6 7∗ O20 RK 6 O30

Guess! 8 O (= C) Check! 𝜎 𝜏−1 8∗ RK

Figure 7: The attack procedure on Anubis. method of the attack introduced in the previous sections, we sections. Figure 7 presents our attack procedure on an 8- 6 2 can obtain the following equation on 𝐼00 by using 𝐼 : round reduced Anubis. In our attack, the method to compute 6 8 𝑂 from 𝑂 is

6 8 6 𝐼 = (𝑆 [⋅] ∘01) ⊕ (𝑆 [⋅] ∘02) ⊕ (𝑆 [⋅] ∘04) 𝑂 =𝜎 8 ∘𝜏∘𝛾∘𝜎 7 ∘𝜃∘𝜏∘𝛾[𝑂 ] 00 RK RK (11) 5 6 ⊕ (𝑆 [⋅] ∘06) ⊕ . =𝜏∘𝜎 8 ∘𝛾∘𝜎 7 ∘𝜃∘𝜏∘𝛾[𝑂 ] RK00 𝜏−1[RK ] RK 6 =𝜏∘𝜎 −1 8 ∘𝜃∘𝜏∘𝜎 −1 −1 7 ∘𝛾[𝑂 ] 6 6 𝜏 [RK ] 𝜏 ∘𝜃 [RK ] On the other hand, 𝐼 canbewrittenbyusing𝑂 as 6 −1 −1 −1 −1 8 follows: 󳨐⇒ 𝑂 =𝛾 ∘𝜎 7 ∘𝜏 ∘𝜃 ∘𝜎 8 ∘𝜏 [𝑂 ]. 𝜏−1∘𝜃−1[RK ] 𝜏−1[RK ] (14) 6 6 6 𝑂 =𝜎 6 ∘𝜃∘𝜏∘𝛾[𝐼 ]=𝜃∘𝜏∘𝜎 6 ∘𝛾[𝐼 ] RK 𝜏−1∘𝜃−1[RK ] (12) The complexities of this attack is as follows: 6 −1 −1 6 󳨐⇒ 𝛾 [𝐼 ]=𝜎−1 −1 6 ∘𝜏 ∘𝜃 [𝑂 ]. 96 𝜏 ∘𝜃 [RK ] (i) the data complexity: 2 chosen plaintexts; 133 (ii) the memory complexity: 2 memory bytes; Thus, we use the following equation as a checking equation 161.6 (iii) the computational complexity: 2 encryptions.

󸀠 𝛾[𝐼6 ] So far, the best attack results on Anubis are a collision 00 attack and a square attack on a 7-round reduced version 6󸀠 6󸀠 6󸀠 6󸀠 [11]. A collision attack on a 7-round reduced Anubis requires =(𝑂 ∘ 01) ⊕ (𝑂 ∘ 02) ⊕ (𝑂 ∘ 04) ⊕ (𝑂 ∘ 06) 140 32 00 10 20 30 the computational complexity of 2 encryptions with 2 chosen plaintexts. In the case of a square attack on this 6󸀠󸀠 6󸀠󸀠 6󸀠󸀠 6󸀠󸀠 120 =(𝑂00 ∘ 01) ⊕ (𝑂10 ∘ 02) ⊕ (𝑂20 ∘ 04) ⊕ (𝑂30 ∘ 06) algorithm, we need the computational complexity of 2 128 119 encryptions with 2 ∼2 chosen plaintexts. Thus, our attack 6󸀠󸀠 =𝛾𝑒 [𝐼00 ]. result is superior to these cryptanalytic results. (13) 5. Conclusion The attack procedure on an 8-round reduced Anubis is In this paper, we have introduced collision attacks on seven similartothatonblockciphersproposedintheprevious SPN block ciphers, 7-round reduced AES-192/256, 8-round 10 Journal of Applied Mathematics reduced Crypton-192/256, 8-round reduced mCrypton- [10] A. Biryukov and D. Khovratovich, “Related-key cryptanalysis of 96/128, and an 8-round reduced Anubis. Our attacks are the full AES-192 and AES-256,” in Proceedings of the Asiacrypt, basedontheideaof[3]. vol. 5912 of Lecture Notes in Computer Science,pp.1–18,Springer, Our attacks on 7-round reduced AES-192/256 improve Berlin, Germany, 2009. the attack results based on a type of meet-in-the-middle [11] A. Biryukov, “Analysis of involutional ciphers: Khazad and attack. Considering that the best attack results on Crypton- Anubis,” in Proceedings of the FSE,vol.2887ofLecture Notes in 192/256 are those on 8-round reduced versions, our attacks Computer Science,pp.45–53,2003. on these algorithms are meaningful. Our attacks on 8-round reduced mCrypton-96/128 are not best results on mCrypton- 96/128. However, considering that known best attack results on them are based on a related-key attack, our attacks are more practical than them. In the case of Anubis, our attack result is superior to known cryptanalytic result on this algorithm.

Conflict of Interests The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments This research was supported by the Ministry of Science, ICT & Future Planning (MSIP), Korea, under the Conver- gence Information Technology Research Center (C-ITRC) Support Program (NIPA-2013-H0301-13-3007), supervised by the National IT Industry Promotion Agency (NIPA).

References

[1] H. Demirci and A. Selc¸uk, “A meet-in-the-middle attack on 8- round AES,”in Proceedings of the FSE,vol.5086ofLecture Notes in Computer Science, pp. 116–126, 2008. [2] O. Dunkelman, G. Sekar, and B. Preneel, “Improved meet-in- the-middle attacks on reduced-round DES,” in Proceedings of the Indocrypt,vol.4859ofLecture Notes in Computer Science, pp. 86–100, Springer, Berlin, Germany, 2007. [3] H. Gilbert and M. Minier, “A collision attack on 7 rounds of Rijndael,” in Proceedings of the AES Candidate Conference,pp. 230–241, 2000. [4] FIPS 197, “Advanced Encryption Standard (AES),” 2001, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. [5] C. Lim, “A revised version of crypton. Crypton Version 1.0,” in Proceedings of the FSE,vol.1638ofLecture Notes in Computer Science, pp. 31–45, 1999. [6]C.LimandT.Korkishko,“mCrypton—alightweightblock cipher for security of low-cost RFID tags and sensors,” in Proceedings of the WISA,vol.3786ofLecture Notes in Computer Science,pp.243–258,2006. [7] P. Baretto and V. Rijmen, “The Anubis block cipher,” The NESSIE, 2000. [8]J.Kim,S.Hong,S.Lee,J.H.Song,andH.Yang,“Truncated differential attacks on 8-round CRYPTON,” in Proceedings of the Information Security and Cryptology Conference (ICISC ’03), vol. 2971 of Lecture Notes in Computer Science, pp. 446–456, Springer, Berlin, Germany, 2004. [9] H. Mala, M. Dakhilalian, and M. Shakiba, “Cryptanalysis of mCrypton—a lightweight block cipher for security of RFID tags and sensors,” International Journal of Communication Systems, vol.25,no.4,pp.415–426,2012. Copyright of Journal of Applied Mathematics is the property of Hindawi Publishing Corporation and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.