Impossible Differentials in Twofish
Total Page：16
File Type：pdf, Size：1020Kb
Twoﬁsh Technical Report #5 Impossible diﬀerentials in Twoﬁsh Niels Ferguson∗ October 19, 1999 Abstract We show how an impossible-diﬀerential attack, ﬁrst applied to DEAL by Knudsen, can be applied to Twoﬁsh. This attack breaks six rounds of the 256-bit key version using 2256 steps; it cannot be extended to seven or more Twoﬁsh rounds. Keywords: Twoﬁsh, cryptography, cryptanalysis, impossible diﬀerential, block cipher, AES. Current web site: http://www.counterpane.com/twofish.html 1 Introduction 2.1 Twoﬁsh as a pure Feistel cipher Twoﬁsh is one of the ﬁnalists for the AES [SKW+98, As mentioned in [SKW+98, section 7.9] and SKW+99]. In [Knu98a, Knu98b] Lars Knudsen used [SKW+99, section 7.9.3] we can rewrite Twoﬁsh to a 5-round impossible diﬀerential to attack DEAL. be a pure Feistel cipher. We will demonstrate how Eli Biham, Alex Biryukov, and Adi Shamir gave the this is done. The main idea is to save up all the ro- technique the name of `impossible diﬀerential', and tations until just before the output whitening, and applied it with great success to Skipjack [BBS99]. apply them there. We will use primes to denote the In this report we show how Knudsen's attack can values in our new representation. We start with the be applied to Twoﬁsh. We use the notation from round values: [SKW+98] and [SKW+99]; readers not familiar with R0 = ROL(Rr;0; (r + 1)=2 ) the notation should consult one of these references. r;0 b c R0 = ROR(Rr;1; (r + 1)=2 ) r;1 b c R0 = ROL(Rr;2; r=2 ) 2 The attack r;2 b c R0 = ROR(Rr;3; r=2 ) r;3 b c Knudsen's 5-round impossible diﬀerential works for To get the same output we update the rule to com- any Feistel cipher where the round function is in- pute the output whitening. vertible. Twoﬁsh has some additional rotations in the datapath which make things a bit more compli- C0 = ROR(Rn;2; n=2 ) K4 cated. It turns out that these extra rotations do not b c ⊕ C1 = ROL(Rn;3; n=2 ) K5 complicate the attack, but only its description. To b c ⊕ C2 = ROR(Rn;0; (n + 1)=2 ) K6 avoid these complications we ﬁrst rewrite Twoﬁsh as b c ⊕ a pure Feistel cipher. C3 = ROL(Rn;1; (n + 1)=2 ) K7 b c ⊕ ∗Counterpane Internet Security, Inc. 1 where n is the number of rounds. Of course, n = 16 (0; α). We can draw the following conclusions: the for the full cipher but we will be attacking reduced- diﬀerence after round 1 (0; α), the diﬀerence after round versions and that would aﬀect the rotation round 4 is (0; α), the diﬀerence after round 2 is (β; α) amounts. for some nonzero β, and the diﬀerence after round We now have to adjust the round function to the 3 is (γ; α) for some nonzero γ. We trivially get that new representation. The input to the round func- β = γ, but more interesting is the output diﬀerence of the round function in the third round. As the tion of round r consists of (Rr;0 0;Rr;0 1). At the be- ginning of the round function we undo the rotates diﬀerence in the right half after round 2 is equal to the diﬀerence in the right half after round 3, we con- to get the original (Rr;0;Rr;1), and apply the orig- clude that the output diﬀerence of the round func- inal F -function to get (Fr;0;Fr;1). We then apply appropriate rotates to the outputs, namely: tion in the third round must be zero. As the input diﬀerence to the round function in the third round is nonzero and the round function is bijective, we get Fr;0 0 = ROL(Fr;0; r=2 ) b c a contradiction. We conclude that the diﬀerential F 0 = ROR(Fr;1; (r + 2)=2 ) r;1 b c (0; α) (0; α) is a 5-round impossible diﬀerential. 7! We can now write the update rule: 2.3 Finding the last round key R0 = ROL(Rr+1;0; (r + 2)=2 ) r+1;0 b c = ROL(ROR(Rr;2 Fr;0; 1); (r + 2)=2 ) To use this impossible diﬀerential we search for ⊕ b c plaintext pairs that exhibit a 6-round diﬀerential of = ROL(Rr;2; r=2 ) ROL(Fr;0; r=2 ) b c ⊕ b c the form (0; α) (δ; α) for any α = 0. = R0 F 0 7! 6 r;2 ⊕ r;0 Our ﬁrst task is to ﬁnd pairs of this form. Fix an Rr0 +1;1 = ROR(Rr+1;1; (r + 2)=2 ) 64 b c 8-byte value A, and let Bi take on all 2 possi- = ROR(ROL(Rr;3; 1) Fr;1; (r + 2)=2 ) ble 8-byte values. Encrypt each of the plaintexts ⊕ b c = R0 ROR(Fr;1; (r + 2)=2 ) (A; Bi) to produce (Ci;Di), and sort them by the r;3 ⊕ b c value Bi Di. Any pair of encryptions that has the = R0 F 0 r;3 ⊕ r;1 same B ⊕ D produces a diﬀerence of the correct R = R i i r0 +1;2 r;0 0 form. As⊕ there are 2127 pairs and a 64-bit restric- 63 Rr0 +1;3 = Rr;0 1 tion, we expect to get about 2 pairs with the right form of diﬀerential. As we can see from these formulas, the combining If we ignore the output whitening for a moment, function used to mix the output of the round func- we can now try each possible round key for the last tion and the right half is now a simple xor. round with each of the diﬀerentials that we found, All in all we can replace the one-bit rotations in and compute what the diﬀerential would be after Twoﬁsh by round-dependent rotations at the input the ﬁfth round. We know that this cannot be of the and output of the round function, and by some suit- form (0; α), so any key value that produces this dif- able rotations just before the output whitening. ference after ﬁve rounds must be wrong. We keep To make it easier to follow the diﬀerentials through track of which key values we have determined are the cipher we make one more change. Instead of wrong until the key space is sparse enough to apply having a swap after each round, we apply the round other methods. functions alternating from left to right and from Each 6-round diﬀerential of the form (0; α) (δ; α) right to left. This is the representation that we will eliminates about one in 264 of the possible7! keys for use for the rest of this paper. If the number of rounds the last round, so a single structure of 264 plain- is even we need a swap just before the output whiten- texts that generates 263 of these diﬀerentials will re- ing, but we will ignore this as it does not aﬀect any duce the key space by about one bit. We can of of the attacks. course generate many more structures to generate more suitable diﬀerential pairs. 2.2 The impossible diﬀerential 2.4 128-bit keys We will now look at a particular diﬀerential for ﬁve rounds. The xor input diﬀerence (written as two 64- To make this attack work for 128-bit keys we have bit quantities) is of the form (0; α) for some nonzero to arrange these computations in a proper way; oth- α, and the output diﬀerence after 5 rounds is also erwise we end up decrypting 264 ciphertexts for one 2 round for each of the 2128 possible keys of the last 2.6 256-bit keys round, which is obviously more work than an ex- haustive search. For 256-bit keys the S-box key is 128 bits long. The basic attack thus has an overall complexity of about The best way we see to arrange this is to guess 2192 steps. the 64-bit S-box key S. For the two ciphertexts Even with the whitening we can perform this attack. of the diﬀerential pair we decrypt part of the last All that is required is to guess 64 bits of the post- round, stopping at the point where the round keys whitening key. This brings the attack complexity get added in. We now know that adding the round to 2256 steps, but as we mentioned before each step key to these two outputs is not allowed to produce might very well be faster than a single encryption. a speciﬁc xor-diﬀerential. We assume that we can generate the set of disallowed round keys very fast We can also push the attack through one more round in constant time (on average). without whitening. In the 7-round cipher we use the 5-round impossible diﬀerential (α; 0) (α; 0) All in all we have to compute the F 0-function (i.e. F in the middle ﬁve rounds. We look for7! diﬀeren- without the key additions) of the last round about tial pairs for the 7-round cipher that have the form 128 2 times, and have to generate the forbidden set (α; ) (α; δ). These can be generated by encrypt- 127 of round keys 2 times to get a 1-bit reduction ing random7! plaintexts, and sorting them by the xor 127 in the key space. The remaining 2 keys can be of the ﬁrst half of the plaintext with the ﬁrst half exhaustively searched.