sign in sign up
<<
Home , GDES, NewDES, RC2

International Journal of Network Security, Vol.8, No.3, PP.221–226, May 2009 221

A Related Attack on the Feistel Type Block

Ali Bagherzandi1,2, Mahmoud Salmasizadeh2, and Javad Mohajeri2 (Corresponding author: Ali Bagherzandi)

Computer Engineering Department, Sharif University of Technology1 Electronic Research Center, Sharif University of Technology2 P. O. Box 11155-8639 Azadi Avenue 14588 Tehran, Iran (Email: [email protected]) (Received Jan. 3, 2006; revised and accepted Mar. 3, 2006)

Abstract related-key attacks. In order to strengthen DES, several extensions have In this paper we show that Biham’s chosen key attack can been developed including Triple-DES, DES-X, Biham- be generalized to include any block and we give a DES, DES-X and NewDES. These extensions improved low complexity chosen key attack on any Feistel type ci- the resistance of DES against exhaustive search, linear pher. Then we show that the irregularities in the shift and differential cryptanalysis; but not any pattern of DES algorithm is not sufficient significant improvement has been gained against related- for the to resist against related key attacks. key attacks and several related-key cryptanalysis have We have realized our proposition by a counter example been developed against these extensions [8, 9]. Even in in which the E-box of DES is slightly modified whiles the case of DES-X there has been introduced some novel other components and among those, the shift pattern in key related attacks [9]. It is believed that the irregularities key schedule algorithm is kept unchanged. We have ap- in the shift pattern of DES key schedule algorithm makes plied a new related key attack on the resulting DES-like DES immune against related key attacks [2]. Recently, it cryptosystem and demonstrated that the security of the has been shown that 1-bit shift in some less number of system decreases drastically. rounds in DES key schedule makes DES vulnerable to a Keywords: Chosen key attack, differential related key at- related-key attack [7]. tack, DES, feistel type cipher In this paper we show that Biham’s chosen key attack can be generalized to include any . Though this attack is applicable to the ciphers having block length 1 Introduction less than , it leads to a low complexity chosen key attack against any Feistel type cipher. Then we show The major attacks on Feistel type block ciphers fall into that the resistance of DES against differential related key three groups of differential analysis [1], linear analysis [10] attack is not merely upon the irregularities in the shift and related-key attacks [2]. The related key attack intro- pattern of its key schedule algorithm which is widely be- duced by Biham [2] is a chosen key attack assaulting the lieved since the time it was mentioned in [2]. We have key schedule algorithm of the cipher. In this attack, at- realized our proposition by mounting a differential related tacker obtains the of certain under key attack similar to that of [7] against a DES-like cipher several keys having certain relationships with each other. with the same key schedule algorithm as the original DES The goal in this type of attack is to reveal the secret key to demonstrate that the security of the system decreases of the cryptosystem and it can be accomplished whenever drastically. Our variant of DES is different from the origi- the attacker can chose the relationship between unknown nal DES in one index of its E-box. This makes it nonsense keys. So, it is best practical on key-exchange protocols to build the immunity of DES against related key attacks where key-integrity is not guaranteed thus an attacker can merely upon shift pattern irregularities. flip the key bits without knowing the key itself [6, 8, 9]. In Section 2 we formalize the chosen key attack and In differential related-key attacks [6], the relationship be- give a low complexity attack scenario against Feistel type tween the unknown keys is their difference; adversary can ciphers. Then in Section 3 we discuss the original DES choose the difference between the keys and seek for the algorithm and its mixed transformation representation keys themselves. The pairs can be in brief and introduce our DES-like encryption scheme. chosen or known which categorizes the related key attack Then in Section 4 we discuss our differential related key into two groups of known-related-key attacks and chosen- attack against the proposed DES-like system. International Journal of Network Security, Vol.8, No.3, PP.221–226, May 2009 222

2 Generalized Biham Chosen Key one can found k1 satisfying both conditions above and 0 0 0 consider (c, c ) satisfying c = F (c, k1) since p = F (p, k1), Attack 0 k1 is the first and last subkey of the keys K and K re- The chosen key attack is based on the observation that spectively. Reversing the encryption process one gets the 0 in many block ciphers we can view the key scheduling al- intermediate of p one round shifted as that gorithm as a set of algorithms each of which extracts one of p. particular subkey from the subkeys of previous rounds. If n Proposition 2: By 2 2 random n-bit plaintext-ciphertext all the algorithms of extracting the subkeys of the various n pair encrypted under key K and 2 2 plaintext-ciphertext rounds are the same then for a given a key we can shift pair encrypted under key K0 one expects to find a slid all the subkeys one round backwards and get a new set pair. of valid subkeys which can be derived from some other keys [12]. These keys are called related. The same argu- Proof. Consider plaintexts selected to encrypt under K ment is true for slide attacks introduced in [3, 4]. Slide and K0 as the set X and Y respectively. According to attacks can be viewed as a particular case of related-key birthday paradox the sets X and Y have a common ele- attack in which the relation is between the key and itself ment (so two elements with a determined relation) with a 1 [1]. Extending this idea, in this section, we introduce a probability greater than 2 . Thus, exposing to encryption generalization of chosen key attack to include any block under K and K0 we expect to have a slid pair. cipher and give low complexity attack scenarios against n Feistel type ciphers. Several related key analysis of block Proposition 3: By 2 4 random n-bit plaintext-ciphertext pair of the form Pi = Li k X encrypted under key K by a ciphers can be found in [2, 6, 8, 9]. n Feistel type cipher and 2 4 plaintext-ciphertext pair of the 0 Definition 1. (Block cipher): Our abstraction of block form Pj = X k Rj encrypted under key K one expects cipher is a triple C(n, r, K) in which n is the data block to find a slid pair. length, r the number of rounds and K the underlying key. Proof. Apply the birthday paradox to the half of the data We also write K → (k1, k2, . . . , kr) to denote the deriva- block. tion of round keys and F (x, ki) to denote the round func- K tion of C(n, r, K). we also write p→c to indicate the en- Attack model for general case: cryption process. n 2 0 1) Acquire 2 plaintext-ciphertext pair encrypted un- Definition 2. (Slid keys): The keys (K,K ) are called n der key K and 2 2 plaintext-ciphertext pair encrypted slid keys if they led to the same derivation of round keys under key K0. but one round out of phase. More formally (K,K0) are 0 0 called slid pairs if 2) For each pair½ ((p, c), (p , c )) solve the simultaneous F (p, k) = p0 0 equation: K → (k1, k2, . . . , kr) ⇐⇒ K → (k2, k3, . . . , kr, kr+1). F (c, k) = c0

0 If kr+1 = k1 then we call (K,K ) strong slid keys. According to Proposition 1 if the system has solution k then ((p, c), (p0, c0)) is a slid pair. And according to Definition 3. (Slid pair): A pair of plaintext-ciphertext Proposition 2 there is at list one slid pair. Thus in worst pairs ((p, c), (p0, c0)) in which p and p0 are encrypted under case performing O(2n) task, one can retrieve k . the keys K and K0 respectively, is called slid pair if: 1 1) (K,K0) are strong slid keys, Attack model for special case of Feistel ciphers: In Feistel ciphers the round function is F (L k R) = 0 2) P = F (P, k1). (R k L ⊕ f(R)). So the slid pair can be recognized more easily. Theorem 1. (Birthday Paradox): Let H : M → C be m n a random function in which |C| = 2 and let X and Y be 1) Acquire 2 2 plaintext-ciphertext pair encrypted un- n two randomly chosen subsets of M with |X| = |Y | = n. 2 m der key K and 2 plaintext-ciphertext pair encrypted If n ≥ 2 2 then the probability of finding one collision under key K0. 1 between sets X and Y exceeds 2 . [11] 2) Sort (pi, ci) encrypted with key K according to right Proposition 1: The pair ((p, c), (p0, c0)) is slid pair if and 0 0 halves of pi and ci and sort (pi, ci) encrypted with only if it satisfies the following conditions. 0 0 0 key K according to left halves of pi and ci. 0 1) p = F (p, K1), Now in order to find a slid pair it suffices to compare 0 0 the right half of pi with left half of pi and right half of 2) c = F (c, K1). 0 n ci with left half of ci. This requires O(2 2 ) task since the Proof. If ((p, c), (p0, c0)) is a slid pair then by Definition lists are sorted. 0 0 3 p = F (p, k1) and since encryption process for p is one One may reduce the number of plaintext-ciphertext 0 round shifted so c = F (c, k1). On the other hand suppose pairs required, by a kind of chosen plaintext attack. Note International Journal of Network Security, Vol.8, No.3, PP.221–226, May 2009 223 that both of the above attacks are known plaintext at- tacks. A chosen plaintext attack may run as follows:

n 1) Select 2 4 plaintexts of the form pi = Li k X for some constant X to submit to encrypt under the key n K and another 2 4 plaintexts of the form pj = X k Ri to submit to encrypt under the key K0. According to Proposition 3 there is at least one slid pair.

2) Like known plaintext attack Sort (pi, ci) encrypted with key K according to right halves of pi and ci and 0 0 0 sort (pi, ci) encrypted with key K according to left 0 0 halves of pi and ci. Again in order to find a slid pair it suffices to compare 0 the right half of pi with left half of pi and right half of ci 0 n with left half of ci. Thus by O(2 4 ) plaintext-ciphertext n pair and O(2 4 ) offline work one can extract the underly- ing key.

3 Mixed Transformation Repre- sentation of DES Figure 1: DES block diagram [5] DES encryption algorithm was introduced in 1972 by the researchers of IBM. It was accepted as a federal standard the (NSA) in 1977. It is a 16- rounded Feistel type block cipher which uses a 56 bit key rotated by 2 bits in every round except in the 1st, 2nd, 9th and operates on a block size of 64 bits. The encryption and the last rounds. The 48 bits of the 56 bits are chosen process consists of sixteen Feistel iterations surrounded according to permutation choice II (PC2). Figure 2 shows by two permutation layers: An initial bit permutation the key generation process for DES and the PC2 function. (IP) in the input, and its inverse, IP−1, in the output. The functionality of each of the Feistel iterations can be summarized as bellow: 4 Differential Related Key Analy- sis of DES 1) A 32-bit block is expanded to 48 bits through an expansion permutation function and xored with the In this section, we will analyze our attack approach i-th subkey. against a DES like block cipher. Our variant of DES has 2) The output of the phase 1) is divided into eight 6- the same components as the original DES except that its bit blocks. Each 6-bit block is then passed through expansion permutation function has been slightly mod- one of the S1,S2,...,S8 s-boxes. Each s-box is a non-linear function which maps a 6-bit input data to 4-bit output data.

3) The output of S1,S2,...,S8 is concatenated and passed through the permutation P to obtain the final output of each round.

Davio et al. [5] proposed several equivalent representa- tions that can be utilized for cryptanalysis or efficient im- plementation of DES. Here, we will use the mixed trans- formation representation depicted in Figure 1. The initial and the final permutation are omitted since they do not contribute to the security of the cipher. This representa- tion is also used in [7] to attack DES. In order to generate sixteen 48-bit sub keys from the 56-bit key, the following process is used: First, the key is loaded and manipulated by the permutation choice I Figure 2: Key generation block diagram of DES (PC1) and then the key block is halved. Each half is International Journal of Network Security, Vol.8, No.3, PP.221–226, May 2009 224

1 Let 4Lin, denotes the difference between left part of plaintexts x0 and x00 before the i-th round of encryption by the keys k0 and k00 respectively. 1 1 In the case of 4Lin and 4Rin according to Figure 1 it is clear that:

1 0 0 00 00 4Lin = (K2 ⊕ E(Lin)) ⊕ (K2 ⊕ E(Lin)) 0 00 = (4K2) ⊕ (E(Lin)) ⊕ (E(Lin)); (6) 1 0 0 00 00 Figure 3: The original and modified E function 4Rin = (K1 ⊕ E(Rin)) ⊕ (K1 ⊕ E(Rin)) 0 00 = (4K1) ⊕ (E(Rin)) ⊕ (E(Rin)), (7) where E is the expansion permutation function at the first ified. The modified table as well as the original one is layer. Since E is linear we have: shown in Figure 3. 0 00 0 00 0 00 By now let’s consider two keys K and K such that: E(Lin) ⊕ E(Lin) = E(Lin ⊕ Lin) = E(4Lin); E(R0 ) ⊕ E(R00 ) = E(R0 ⊕ R00 ) = E(4R ), 0 00 in in in in in 4C1 = C ⊕ C = 1111111111111111111111111111; (1) by applying expansion function E on the values of 4Lin 0 00 and 4Rin as they are in Conditions (4) and (5) we obtain: 4D1 = D ⊕ D = 0000000000000000000000000000. (2) E(4Lin) = E(4Rin) = 111111111111111111111111000000000000000000000000, 0 0 00 00 Where C1,D1,C1 , and D1 are the left and right halves of the keys and respectively as shown in Figure 2. which is equal to 4ki as it is in Equation (3). By selecting K0 and K00 such that Equations (1) and Thus according to Equations (6) and (7) (2) are satisfied, obviously we have 1 4Lin = 4k2 ⊕ E(4Lin) = 4k2 ⊕ 4k2 = 0; 4R1 = 4k ⊕ E(4R ) = 4k ⊕ 4k = 0. LSH1(4Ci) = 4Ci; in 1 in 1 1 LSH (4D ) = 4D , i i 1 i i But in the case of 4Lin and 4Rin for i > 1 there is non linear function F . However, since the difference of where, LSH1(x) indicates i-bit circular left shift of x. inputs to s-boxes will remain zero, this is not a problem. 2 2 Thus, for 1 ≤ i ≤ 16 we have: For example in the case of 4Lin and 4Rin we will have: 0 0 00 00 4L2 = L02 ⊕ L002 4Ki = PC2(Ci k Di) ⊕ PC2(Ci k Di ) in in in 28 28 = (k0 ⊕ k0 ⊕ L01 ⊕ F (R01 )) = PC2(4Ci k 4Di) = PC2(1 k 0 ) 4 2 in in 00 00 001 001 = 124 k 024, ⊕(k4 ⊕ k2 ⊕ Lin ⊕ F (Rin )) 1 01 001 = 4k4 ⊕ 4k2 ⊕ 4Lin ⊕ F (Rin) ⊕ F (Rin ). where x k y stands for the concatenation of x and y. So, 1 Now since 4Lin = 0 and F (x) = PE(S(x)) and PE is a 4Ki = const. On the other hand according to the key schedule algo- linear function, we have: rithm (Figure 2), we obtain: 2 01 001 4Lin = 4k4 ⊕ 4k2 ⊕ PE(S(Rin)) ⊕ S(Rin ). 0 00 0 00 0 0 4ki = 4ki−2 ⇒ ki ⊕ ki = ki−2 ⊕ ki−2 ⇒ ki ⊕ ki−2 But according to pairs XOR distribution table of s- 00 00 = ki ⊕ ki−2. (3) boxes, whenever the difference of input to an s-box equals to zero, the difference of corresponding outputs will be Now consider two plaintexts x0 and x00 encrypted by the zero too. So, the above formula reduces to: keys K0 and K00 respectively satisfying Conditions (4) and 2 (5) bellow: 4Lin = 4k4 ⊕ 4k2. 0 00 The same argument can be carried out for 4R2 and 4Lin = Lin ⊕ Lin in = 11111111111111111111111111111111; (4) consequent data parts. By doing so, we obtain: 0 00 i 4Rin = Rin ⊕ Rin 4Lin = 4k2i ⊕ 4k2i−2; i = 00000000000000000000000000000000, (5) 4Rin = 4k2i−1 ⊕ 4k2i−3. where Lin and Rin are the left and right halves of plain- And according to Equation (3) this will leads to i i text x. 4Lin = 4Rin = 0 for 1 ≤ i ≤ 8. Let’s see what happens to the plaintext during itera- Now, we encrypt two plaintexts x0 and x00 satisfying tions of encryption algorithm. Conditions (1) and (2) by the keys K0 and K00 satisfying International Journal of Network Security, Vol.8, No.3, PP.221–226, May 2009 225

[3] A. Biryukov and D. Wagner, “Slide attacks,” Ad- Table 1: The complexity of our attacks with respect to vances in Cryptology - Proceedings of FSE’ 99, block size -n LNCS, pp. 245-259, L.R. Knudsen, editor, Springer- Cipher and Attack Plaintext-Ciphertext Offline Verlag, 1999. Type Pairs Required Work [4] A. Biryukov and D. Wagner, “Advanced slide at- General block tacks,” Advances in Cryptology - Proceedings of Eu- n n cipher Known O(2 2 ) O(2 ) rocrypt ’00, LNCS 1807, pp. 589-606, B. Preneel, ed- Plaintext Attack itor, Springer-Verlag, 2000. Feistel Type [5] M. Davio, Y. Desmedt, M. Fosseprez, R. Govaerts, n n Known Plaintext O(2 2 ) O(2 2 ) J. Hulsbosch, P. Neutens, P. Piret, J. J. Quisquater, Attack J. Vandewalle, and P. Wouters, “Analytic charac- Feistel Type teristics of DES,” Advances in Cryptology, Proceed- n n Chosen Plaintext O(2 4 ) O(2 4 ) ings Crypto ’83 D. Chaum (Ed.), Plenum Press, New Attack York, pp. 171-202, 1984. [6] G. Jakimoski and Y. Desmedt, “Related-key differen- tial cryptanalysis of 192-bit key AES variants,” Tenth Annual Workshop on Selected Areas of , Conditions (4) and (5) respectively in order to get the LNCS 3006, pp.208-221, Springer-Verlag, 2004. 0 00 corresponding y and y . [7] G. Jakimoski and Y. Desmedt, “On re- According to Figure 1 we have, sistance of DES to related-key differential cryptanalysis,” ePrint archive no. 2005/085, R08 = E(R0 ) ⊕ k0 ⊕ F (E(L0 ) ⊕ k0 ); (8) in out 15 out 16 http://eprint.iacr.org/2005/084.pdf. 008 00 00 00 00 Rin = E(Rout) ⊕ k15 ⊕ F (E(Lout) ⊕ k16). (9) [8] J. Kelsey, B.Schneier, and D. Wagner, “Key sched- ule cryptanalysis of IDEA, GDES, GOST, SAFER Thus, we can search for subkeys k0 satisfying the Con- 16 and triple DES,” Advances in Cryptology, Proceed- ditions (8) and (9). ings Crypto ’96, LNCS 1109, pp. 237-252, 1996. This requires 8 × 26 search operation; for we don’t [9] J. Kelsey, B. Schneier, and D. Wagner, “Related-key need to search among all possible subkeys k0 . Instead 15 cryptanalysis of 3-WAY, Biham-DES, CAST, DES- we group carefully the subkeys into 6-bit groups that bits X, NewDES, RC2, and TEA,” ICICS’ 97 Proceed- in one group affect just one s-box. By knowing the subkey ings, pp. 233-246, Springer-Verlag, Nov. 1997. k0 we can easily evaluate the key K. 16 [10] M. Matsui, “ method for DES ci- pher,” Advances in Cryptography Eurocrypt ’93, pp. 5 Conclusions 386-397, 1994. [11] A. J. Menezes, P. C. Van Oorschot, and S. A. Van- We showed that Biham’s chosen key attack can be gener- stone, Handbook of Applied Cryptography, p. 53, alized to include any block cipher regarding it as a random CRC Press, 1996. substitution permutation network. We also proposed a [12] G. Piret, M. Ciet, and J. Quisquater, “Related key general attack scenario with low plaintext-ciphertext and and slide attacks: Analysis, connections, and im- offline complexity against any Feistel type cipher. The provements,” Proceedings of the 23rd Symposium on complexity of these attacks is summarized in Table 1. IT in Benelux, pp. 315-325, 2002. Then we introduced a differential related key attack to a variant of DES which has the same shift pattern as the Ali Bagherzandi is a senior B.Sc. student in Computer original one. This violates the previous belief that the Engineering department of Sharif University of Technol- strength of DES against related key attacks, is due to the ogy, Tehran, Iran, studying a dual degree program of com- irregularities in the shift pattern of its key schedule. We puter science and hardware engineering. He has joined realized this, by applying our attack on a variant of DES electronic research center of Sharif University of Technol- with a slightly modified E-box -as indicated in Figure 3- ogy as a research assistant in Jan 2005. He is the principal to demonstrate that the security of the system decreases author of 5 refereed papers. His main research interests drastically. include theory of computation, foundations of cryptogra- phy and data and network security. References Mahmoud Salmasizadeh received the B. S. and M. S. [1] E. Biham and A. Shamir, “Differential cryptanalysis degrees in Electrical Engineering from Sharif University of DES-like ,” Journal of Cryptology, of Technology in Iran, in 1972 and 1989, respectively. He vol. 1, pp. 3-72, 1991. also received the Ph.D. degree in Information Technology [2] E. Biham, “New types of cryptanalytic attacks using from Queensland University of Technology in Australia, related keys,” Journal of Cryptology, vol. 7, no. 4, in 1997. Currently he is an assistant professor in Elec- pp. 229-246, 1994. tronic Research Center and adjunct assistant professor in International Journal of Network Security, Vol.8, No.3, PP.221–226, May 2009 226

Electrical Engineering Department at Sharif University of Technology, Tehran, Iran. His research interests include cryptology and network security. He is the founding mem- ber and the head of scientific committee of Iranian Society of Cryptology.

Javad Mohajeri received his B.Sc. in Mathematics from Isfahan University, Isfahan, Iran in 1986 and his M.S. in Mathematics from Sharif University of Technol- ogy, Tehran, Iran in 1990. He is a lecturer in the electronic research center of Sharif University of Technology. Javad Mohajeri has published 31 papers in refereed journals and conferences. He is a member of founding committee of Ira- nian Society of Cryptology. He was the chairman of the technical program committee of the 2nd Iranian society of cryptology conference on cryptology communications and computer security. His research interests include design and analysis of cryptographic algorithms, data security, secret sharing schemes and PKI.