
Improved of the KASUMI

Keting Jia¹, Leibo Li², Christian Rechberger³, Jiazhe Chen², Xiaoyun Wang¹,²

¹ Tsinghua University, ² Shandong University, ³ The Technical University of Denmark

Outline

• Introduction to the Block Cipher KASUMI
  – Brief Description of KASUMI
  – Main Cryptanalysis Results of KASUMI
• Impossible Differential Attacks on 7-round KASUMI
  – Impossible Differential Attack on Last 7-round KASUMI
  – Impossible Differential Attack on First 7-round KASUMI
• Summary


Brief Description of KASUMI

• KASUMI is designed by ETSI SAGE
• Modification of MISTY1
• Widely used in UMTS, GSM and GPRS mobile communications systems
• 8-round Feistel structure
• Block: 64 bits
• : 128 bits

Round Function

• Each round is made up of an FL function and an FO function
• FO is a 3-round Feistel structure made up from three FI functions
• The FI functions use two S-boxes S7 and S9
• FL function is a simple key-dependent boolean function

[Figure: FL Function]


Main Cryptanalysis Results of KASUMI

• Previous Results
  – Kühn introduced an impossible differential attack on 6-round KASUMI, EUROCRYPT 2001
  – Blunden et al. gave a related-key differential attack on 6-round KASUMI, FSE 2001
  – Biham et al. introduced related-key boomerang and rectangle attacks on the full 8-round KASUMI, ASIACRYPT 2005
  – Dunkelman et al. proposed a practical related-key attack on the full KASUMI, CRYPTO 2010
• Our Contribution
  – Propose impossible differential attacks on 7-round KASUMI

Impossible Differential Attack

• The impossible differential attack uses a differential that holds with probability 0
• It eliminates wrong keys which bring about the input and output values of the impossible differential

[Figure: an impossible differential α → β, Pr(α → β) = 0, between subkeys K1 and K2. Label: the corresponding subkeys which make the impossible differential hold.]

Impossible Differential Attack on Last 7-round KASUMI

• Observation 1. Given a pair of input values $(XO_i, XO_i')$ of the function with difference $\Delta XO_i = (a_l \| 0)$, where $a_l$ is a 16-bit non-zero value. Let $\Delta YO_i$ be the corresponding output difference, and then $\Delta YO_i$ only depends on the 64-bit subkey $KI_{i,1}, KO_{i,1}, KI_{i,3}, KO_{i,3}$

• The 6-round attack on KASUMI given by Kühn uses a generic 5-round impossible differential of Feistel structure: $(0, a) \xrightarrow{5R} (0, a)$
• We select some special impossible differentials to attack the 7-round KASUMI
• For the last 7 rounds, the impossible differential path is $(0, a_l \| 0) \xrightarrow{5R} (0, a_l \| 0)$

• Extend one round forward and backward

• Data Collection
  – Choose $2^n$ structures of , with each structure containing $2^{48}$ plaintexts $(L_1, R_1) = (* \| x, * \| *)$, and query their corresponding
  – Store $(L_1, R_1, L_8, R_8)$ in a hash table indexed by 32-bit values $(L_{1,l} \oplus R_{8,l}, R_{8,r})$
  – Save the plaintext-ciphertext pairs such that $\Delta L_{1,l} = \Delta R_{8,l}$ and $\Delta R_{8,r} = 0$. There are $2^{n+95-32} = 2^{n+63}$ kept pairs on average

• Key Recovery
  – Take FI as a key-dependent big S-box and build the difference distribution table for each key
  – Considering the key schedule and the definition of the round function, the subkey $(k_4, k_6, k_7, k_8)$ can be deduced by guessing the 48-bit subkey $(k_1, k_2, k_3)$

[Diagram: deduction of the key words k4, k6, k8 and k7 from the differences ΔXO, ΔYL and ΔYI through the FL and FI functions of rounds 1 and 7]

  – For each guess of $(k_1, k_2, k_3)$, there are several 64-bit key words $(k_4, k_6, k_7, k_8)$ kept after the $2^{n+63}$-pair filters
  – Search for the remaining 16-bit key word $k_5$
• Complexity Evaluation
  – In the computation of $(k_1, k_2, k_3, k_4, k_6, k_7, k_8)$, there are $3 \cdot 2^{n+63+48}$ accesses to hash table of size $2^{48}$
  – We need $2^{128} \cdot \left(1 - \frac{1}{2^{64}}\right)^{2^{n+63}}$ to exhaustively search $k_5$
  – By balance, $n = 4.5$
  – We need $2^{52.5}$ chosen plaintexts and $2^{114.3}$ encryptions


Impossible Differential Attack on First 7-round KASUMI

• For the first 7 rounds, the impossible differential is $(0, a_l \| a_r) \xrightarrow{5R} (0, a_l \| a_r)$
• Extend one round forward and backward

• Observation 3. Let $a_l \| a_r$ be the input differences of functions FL1 and FL7, and the input differences of FI1,2, FI7,2 be zero. Then the following equations hold

$$(a_l \wedge (k_1 \lll 1)) \lll 1 = a_r \tag{3}$$

$$(a_l \wedge (k_7 \lll 1)) \lll 1 = a_r \tag{4}$$

  – This observation is obtained by the definition of round function and Kühn's observation

$$(X \wedge K) \oplus (X' \wedge K) = \Delta X \wedge K, \qquad (X \vee K) \oplus (X' \vee K) = \Delta X \oplus (\Delta X \wedge K).$$

• Observation 4. Based on equations (3) and (4), we can get

$$(a_l \lll 1) \vee \neg a_r = \texttt{0xffff} \tag{5}$$

• Proof
  – Because the equations (3) and (4) can be represented as 16 parallel equations

$$a_l[j+1] \wedge k_1[j] = a_r[j+2], \qquad a_l[j+1] \wedge k_7[j] = a_r[j+2]$$

  – $(a_l[j+1], a_r[j+2]) \in \{(0,0), (1,0), (1,1)\}$
  – The equation (5) holds with probability $(3/4)^{16} = 2^{-6.64}$, when $a_l$ and $a_r$ are chosen from the uniform set $\{0,1\}^{16}$

• The expected number of $(k_1, k_7)$ which make equations (3) and (4) hold together?
  – For each bit, the equations $a_l[j+1] \wedge k_1[j] = a_r[j+2]$ and $a_l[j+1] \wedge k_7[j] = a_r[j+2]$ hold for:

| $(a_l[j+1], a_r[j+2])$ | $(k_1[j], k_7[j])$ |
|---|---|
| (0,0) | (0,0), (0,1), (1,0), (1,1) |
| (1,0) | (0,0) |
| (1,1) | (1,1) |

  – The expected number of $(k_1, k_7)$ is

$$\sum_{j=1}^{16} \binom{16}{j} \left(\frac{1}{3}\right)^{j} \left(\frac{2}{3}\right)^{16-j} 4^{j} = 2^{16}$$

  when, for $j = 0, \ldots, 15$, $(a_l[j+1], a_r[j+1])$ is chosen from the uniform set $\{(0,0), (1,0), (1,1)\}$
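The counting behind Observations 3 and 4 can be checked numerically. The following is an added example, not code from the slides; it assumes the right half of FL is R' = R ⊕ ((L ∧ KL1) <<< 1) with KL1 = k <<< 1, as equations (3) and (4) imply, and all function names are chosen here for illustration.

```python
# Added example, not from the slides: numeric check of Observations 3 and 4.
import random

MASK = 0xFFFF

def rol1(x):
    """Rotate a 16-bit word left by one bit."""
    return ((x << 1) | (x >> 15)) & MASK

def fl_right(l, r, k):
    """Right half of FL's output: R' = R xor ((L and KL1) <<< 1), KL1 = k <<< 1."""
    return r ^ rol1(l & rol1(k))

def eq3_holds(a_l, a_r, k):
    """Equations (3)/(4): (a_l and (k <<< 1)) <<< 1 == a_r."""
    return rol1(a_l & rol1(k)) == a_r

def cond5(a_l, a_r):
    """Equation (5): (a_l <<< 1) or (not a_r) == 0xffff."""
    return (rol1(a_l) | (~a_r & MASK)) == MASK

def zero_right_diff(a_l, a_r, k, trials=64, seed=1):
    """True if all sampled pairs with input difference a_l||a_r leave FL's right half equal."""
    rng = random.Random(seed)
    for _ in range(trials):
        l, r = rng.getrandbits(16), rng.getrandbits(16)
        if fl_right(l, r, k) != fl_right(l ^ a_l, r ^ a_r, k):
            return False
    return True

def count_keys(a_l, a_r):
    """Brute-force number of 16-bit key words k satisfying (3) for one difference."""
    return sum(eq3_holds(a_l, a_r, k) for k in range(1 << 16))

def pairs_passing_filter():
    """Number of (a_l, a_r) satisfying (5): a_r is any subset of a_l <<< 1."""
    return sum(1 << bin(a_l).count("1") for a_l in range(1 << 16))

def expected_key_pairs():
    """Average number of (k1, k7) over all differences that pass (5)."""
    total = 0
    for a_l in range(1 << 16):
        w = bin(a_l).count("1")
        total += (1 << w) * 4 ** (16 - w)  # 2^w choices of a_r, 4^(16-w) key pairs each
    return total // pairs_passing_filter()
```

Here `pairs_passing_filter() / 4**16` equals (3/4)^16, the filter probability of equation (5), and `expected_key_pairs()` returns 2^16.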

• This attack is a known-plaintext attack
• Data Collection
  – Collect $2^m$ plaintexts $P(L_0, R_0)$ and corresponding ciphertexts $C(L_7, R_7)$, and store the pairs in a hash table with index $L_0 \oplus R_7$
  – There are about $2^{2m-33}$ pairs whose input and output differences are $(a_l \| a_r, *)$ and $(*, a_l \| a_r)$
  – Save the pairs whose differences $a_l \| a_r$ satisfy $(a_l \lll 1) \vee \neg a_r = \texttt{0xffff}$
  – There are about $2^{2m-33} \cdot (3/4)^{16} = 2^{2m-39.64}$ pairs kept on average

• Key Recovery

[Diagram: key-deduction chains through FL1 and FL7 (with $\Delta YL_{1,r} = 0$, $\Delta YL_{7,r} = 0$) and the FI functions of rounds 1 and 7, yielding the key words k2, k3, k6 and k8 from the guessed (k1, k5, k7)]

  – For each guess of $(k_1, k_5, k_7)$, there are several 64-bit key words $(k_2, k_3, k_6, k_8)$ kept after the $2^{2m-55.64}$-pair filters
  – Search for the remaining 16-bit key word $k_4$
• Complexity Evaluation
  – In the computation of $(k_1, k_2, k_3, k_5, k_6, k_7, k_8)$, there are $5 \cdot 2^{2m-55.64+48}$ accesses to hash table
  – We need $2^{128} \cdot \left(1 - \frac{1}{2^{64}}\right)^{2^{2m-55.64}}$ encryptions to exhaustively search $k_4$
  – By balance, $m = 62$
  – We need $2^{62}$ known plaintexts and $2^{115.8}$ encryptions


Summary of the Attacks on Reduced KASUMI

| Attack Type | Rounds | Data | Time | Source |
|---|---|---|---|---|
| Higher-Order Differential | 5 | $2^{22.1}$ CP | $2^{60.7}$ Enc | Sugio et al. |
| Higher-Order Differential | 5 | $2^{28.9}$ CP | $2^{31.2}$ Enc | Sugio et al. |
| Integral-Interpolation | 6 | $2^{48}$ CP | $2^{126.2}$ Enc | Sugio et al. |
| Impossible Differential | 6 | $2^{55}$ CP | $2^{100}$ Enc | Kühn |
| Impossible Differential | 7 (2-8) | $2^{52.5}$ CP | $2^{114.3}$ Enc | Sect. 4 |
| Impossible Differential | 7 (1-7) | $2^{62}$ KP | $2^{115.8}$ Enc | Sect. 5 |


Thanks for your attention! Questions?
