Lecture Notes in Computer Science 2365 Edited by G. Goos, J. Hartmanis, and J. van Leeuwen 3 Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo Joan Daemen Vincent Rijmen (Eds.)
Fast Software Encryption
9th International Workshop, FSE 2002 Leuven, Belgium, February 4-6, 2002 Revised Papers
13 Series Editors
Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands
Volume Editors
Joan Daemen Proton World Zweefvliegtuigstraat 10 1130 Brussel, Belgium E-mail: [email protected] Vincent Rijmen Cryptomathic Lei 8A 3000 Leuven, Belgium E-mail: [email protected]
Cataloging-in-Publication Data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme Fast software encryption : 9th international workshop ; revised papers / FSE 2002, Leuven, Belgium, February 2002. Joan Daemen ; Vincent Rijmen (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Tokyo : Springer, 2002 (Lecture notes in computer science ; Vol. 2365) ISBN 3-540-44009-7
CR Subject Classi cation (1998): E.3, F.2.1, E.4, G.4
ISSN 0302-9743 ISBN 3-540-44009-7 Springer-Verlag Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, speci cally the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on micro lms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. Springer-Verlag Berlin Heidelberg New York, a member of BertelsmannSpringer Science+Business Media GmbH http://www.springer.de ' Springer-Verlag Berlin Heidelberg 2002 Printed in Germany Typesetting: Camera-ready by author, data conversion by PTP-Berlin, Stefan Sossna e.K. Printed on acid-free paper SPIN: 10870318 06/3142 543210 Preface
This Fast Software Encryption workshop was the ninth in a series of workshops started in Cambridge in December 1993. The previous workshop took place in Yokohama in April2001. It concentrated on allaspects of fast primitives for symmetric cryptography: secret key ciphers, the design and cryptanalysis of block and stream ciphers, as well as hash functions and message authentication codes (MACs). The ninth Fast Software Encryption workshop was held in February 2002 in Leuven, Belgium and was organized by General Chair Matt Landrock (Crypto- mathic Belgium), in cooperation with the research group COSIC of K.U. Leuven. This year there were 70 submissions, of which 21 were selected for presentation and publication in this volume. We would like to thank the following people. First of all the submitting authors and the program committee for their work. Then Markku-Juhani O. Saarinen, Orr Dunkelman, Fredrik J¨onsson,Helger Lipmaa, Greg Rose, Al Biryukov, and Christophe De Canniere, who provided reviews at the request of program committee members. Bart Preneelfor lettingus use COSIC’s Web- review software in the review process and Wim Moreau for all his support. Finally we would like to thank Krista Geens of Cryptomathic for her help in the registration and the practicalorganization.
May 2002 Joan Daemen and Vincent Rijmen Fast Software Encryption 2002
February 4–6, 2002, Leuven, Belgium
Sponsored by the International Association for Cryptologic Research
General Chair
Matt Landrock, Cryptomathic, Belgium
Program Co-chairs
Joan Daemen, Proton World, Belgium Vincent Rijmen, Cryptomathic, Belgium
Program Committee
Ross Anderson ...... Cambridge University, UK Eli Biham ...... Technion, IL Don Coppersmith ...... IBM, USA Cunshen Ding ...... Hong Kong University of Science and Technology, HK Thomas Johansson ...... Lund University, SE Mitsuru Matsui ...... Mitsubishi Electric, JP Willi Meier ...... FachhochschuleAargau, CH Kaisa Nyberg ...... Nokia, FI Bart Preneel ...... Katholieke Universiteit Leuven, BE Table of Contents
Block Cipher Cryptanalysis
New Results on Boomerang and Rectangle Attacks ...... 1 Eli Biham, Orr Dunkelman, and Nathan Keller (Technion – Israel Institute of Technology)
Multiplicative Differentials ...... 17 Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner (University of California at Berkeley) Differentialand Linear Cryptanalysisof a Reduced-Round SC2000 ...... 34 Hitoshi Yanami, Takeshi Shimoyama (Fujitsu Laboratories Ltd.), and Orr Dunkelman (Technion – Israel Institute of Technology) Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA ...... 49 Dukjae Moon, Kyungdeok Hwang, Wonil Lee, Sangjin Lee, and Jongin Lim (Center for Information and Security Technologies, Korea University) Improved Cryptanalysis of MISTY1 ...... 61 Ulrich K¨uhn(Dresdner Bank AG) Multiple Linear Cryptanalysis of a Reduced Round RC6 ...... 76 Takeshi Shimoyama, Masahiko Takenaka, and Takeshi Koshiba (Fujitsu Laboratories Ltd.) Integral Cryptanalysis
On the Security of CAMELLIA against the Square Attack ...... 89 Yongjin Yeom, Sangwoo Park, and Iljun Kim (National Security Research Institute Korea) Saturation Attacks on Reduced-Round Skipjack ...... 100 Kyungdeok Hwang, Wonil Lee (Center for Information and Security Technologies (CIST) Korea University), Sungjae Lee (Korea Information Security Agency), Sangjin Lee, and Jongin Lim (CIST), Korea University IntegralCryptanalysis ...... 112 Lars Knudsen (Dept. of Mathematics, DTU) and David Wagner (University of California at Berkeley) X Table of Contents
Block Cipher Theory
Improved Upper Bounds of Differentialand Linear Characteristic Probability for Camellia ...... 128 Taizo Shirai, Shoji Kanamaru, and George Abe (Sony Corporation)
The Round Functions of RIJNDAEL Generate the Alternating Group ....143 Ralph Wernsdorf (Rohde & Schwarz SIT GmbH)
Non-cryptographic Primitive for Pseudorandom Permutation ...... 149 Tetsu Iwata, Tomonobu Yoshino (Tokyo Institute of Technology), and Kaoru Kurosawa (Ibaraki University) Stream Cipher Design
BeepBeep: Embedded Real-Time Encryption ...... 164 Kevin Driscoll (Honeywell Laboratories)
A New Keystream Generator MUGI ...... 179 Dai Watanabe, Soichi Furuya, Hirotaka Yoshida, Kazuo Takaragi (Hitachi), and Bart Preneel (K.U. Leuven, Dept. ESAT)
Scream: A Software-Efficient Stream Cipher ...... 195 Shai Halevi, Don Coppersmith, and Charanjit Jutla (IBMT.J. Watson Research Center) Stream Cipher Cryptanalysis
Distinguishing Attacks on SOB-t16 and t32 ...... 210 Patrik Ekdahl and Thomas Johansson (Dept. of Information Technology, Lund University)
Linearity Properties of the SOBER-t32 Key Loading ...... 225 Markus Dichtl and Marcus Schafheutle (Siemens AG)
A Time-Memory Tradeoff Attack against LILI-128 ...... 231 Markku-Juhani Olavi Saarinen (Helsinki University of Technology) Odds and Ends
On the Security of Randomized CBC–MAC beyond the Birthday Paradox Limit: A New Construction ...... 237 Eliane´ Jaulmes, Antoine Jo, and Fr´ ed´eric Valette (DCSSI Crypto Lab)
Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC’98 ...... 252 Daewan Han, Sangwoo Park, and Seongtaek Chee (National Security Research Institute Korea) Table of Contents XI
Compression and Information Leakage of Plaintt ...... 263 John Kelsey (Certicom)
Author Index ...... 277 New Results on Boomerang and Rectangle Attacks
Eli Biham1, Orr Dunkelman1, and Nathan Keller2
1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department, Technion. Haifa 32000, Israel [email protected]
Abstract. The boomerang attack is a newand very powerfulcrypt- analytic technique. However, due to the adaptive chosen plaintext and ciphertext nature of the attack, boomerang key recovery attacks that re- trieve key material on both sides of the boomerang distinguisher are hard to mount. We also present a method for using a boomerang distinguisher, which enables retrieving subkey bits on both sides of the boomerang dis- tinguisher. The rectangle attack evolved from the boomerang attack.In this paper we present a new algorithm which improves the results of the rectangle attack. Using these improvements we can attack 3.5-round SC2000 with 267 adaptive chosen plaintexts and ciphertexts, and 10-round Serpent with time complexity of 2173.8 memory accesses (which are equivalent to 2165.3 Serpent encryptions) with data complexity of 2126.3 chosen plaintexts.
1 Introduction
Differential cryptanalysis [3] is based on studying the propagation of differences through an encryption function.Since its introduction many techniques based on it were introduced.Some of these techniques, like the truncated differentials [11] and the higher order differentials [2,11], are generalizations of the differ- ential attack.Some other techniques like differential-linear attack [14] and the boomerang attack [18] use the differential attack as a building block. The boomerang attack is an adaptive chosen plaintext and ciphertext at- tack.It is based on a pair of short differential characteristics used in a specially built quartet.In the attack a pair of plaintexts with a given input difference are encrypted.Their ciphertexts are used to compute two other ciphertexts accord- ing to some other difference, these new ciphertexts are then decrypted, and the difference after the decryption is compared to some (fixed known) value.
The work described in this paper has been supported by the European Commission through the IST Programme under Contract IST-1999-12324.
J. Daemen and V. Rijmen (Eds.): FSE 2002, LNCS 2365, pp. 1–16, 2002. c Springer-Verlag Berlin Heidelberg 2002 2 E. Biham, O. Dunkelman, and N. Keller
The boomerang attack was further developed in [10] into a chosen plaintext attack called the amplified boomerang attack.Later, the amplified boomerang attack was further developed into the rectangle attack [7]. In the transition from the boomerang attack to the rectangle attack the probability of the distinguisher is reduced (in exchange for easing the require- ments from adaptive chosen plaintext and ciphertext attack to a chosen plain- text attack).The reduction in the distinguisher’s probability results in higher data complexity requirements.For example, the data requirements for distin- guishing a 2.5-round SC2000 [17] from a random permutation using a rectangle distinguisher is 284.6 chosen plaintext blocks, whereas only 239.2 adaptive chosen plaintext and ciphertext blocks are required for the boomerang distinguisher. In this paper we present a method to retrieve more subkey bits in key recov- ery boomerang attacks.We also present a better algorithm to perform rectangle attacks.These improvements result in better key recovery attacks which re- quire less data or time (or both) and are more effective.The improvement to the generic rectangle attack reduces the time complexity of attacking 10-round Serpent from 2217 memory accesses1 to 2173.8 memory accesses which are equiv- alent to about 2166.3 10-round Serpent encryptions.We also prove that these key recovery attacks succeed (with very high probability) assuming that the distinguishers are successful. The paper is organized as follow In Section 2 we briefly describe the boomerang and the rectangle attacks.In Section 3 we present our new opti- mized generic rectangle attack and analyze its application to generic ciphers and to SC2000 and Serpent.In Section 4 we present our optimized generic boomerang attack and analyze its application to both a generic cipher and real blockciphers like SC2000 and Serpent.Section 5 describes a new technique to transform a boomerang distinguisher into a key recovery attack that retrieves more subkey material.We summarize this paper and our new results in Section 6.
2 Introduction to Boomerang and Rectangle Attacks
2.1 The Boomerang Attack
The boomerang attack was introduced in [18].The main idea behind the boomerang attack is to use two short differentials with high probabilities in- stead of one differential of more rounds with low probability.The motivation for such an attack is quite apparent, as it is easier to find short differentials with a high probability than finding a long one with a high enough probability. We assume that a block cipher E : {0, 1}n ×{0, 1}k →{0, 1}n can be de- scribed as a cascade E = E1 ◦ E0, such that for E0 there exists a differential α → β with probability p, and for E1 there exists a differential γ → δ with probability q.The boomerang attack uses the first characteristic ( α → β) for E0 with respect to the pairs (P1,P2) and (P3,P4), and uses the second characteristic 1 In [7] it was claimed to be 2205 due to an error that occurred in the analysis. NewResults on Boomerang and Rectangle Attacks 3
(γ → δ) for E1 with respect to the pairs (C1,C3) and (C2,C4).The attack is based on the following boomerang proces
– Ask for the encryption of a pair of plaintexts (P1,P2) such that P1 ⊕ P2 = α and denote the corresponding ciphertexts by (C1,C2). – Calculate C3 = C1 ⊕ δ and C4 = C2 ⊕ δ, and ask for the decryption of the pair (C3,C4).Denote the corresponding plaintexts by ( P3,P4). – Check whether P3 ⊕ P4 = α.
We call these steps (encryption, XOR by δ and then decryption) a δ−shift. For a random permutation the probability that the last condition is satisfied −n is 2 .For E, however, the probability that the pair (P1,P2) is a right pair with respect to the first differential (α → β)isp.The probability that both pairs 2 (C1,C3) and (C2,C4) are right pairs with respect to the second differential is q . −1 −1 If all these are right pairs, then they satisfy E1 (C3)⊕E1 (C4)=β = E0(P3)⊕ E0(P4), and thus, with probability p also P3 ⊕P4 = α.Therefore, the probability of this quartet of plaintexts and ciphertexts to satisfy the boomerang conditions is (pq)2.Therefore, pq > 2−n/2 must hold for the boomerang distinguisher (and the boomerang key recovery attacks) to work. The attack can be mounted for all possible β’s and γ’s simultaneously (as long as β = γ), thus, a right quartet for E is built with probability (ˆpqˆ)2, wher 2 2 pˆ = Pr [α → β] andq ˆ = Pr [γ → δ]. β γ α→β γ→δ
We refer the reader to [18,7] for the complete description and the analysis.
2.2 The Rectangle Attack
Converting adaptive chosen plaintext and ciphertext distinguishers into key re- covery attacks pose several difficulties.Unlike the regular known plaintext, cho- sen plaintext, or chosen ciphertext distinguishers, using the regular methods of [3,15,11,4,5,14] to use adaptive chosen plaintext and ciphertext distinguishers in key recovery attacks fail, as these techniques require the ability to directly control either the input or the output of the encryption function. In [10] the amplified boomerang attack is presented.This is a method for elim- inating the need of adaptive chosen plaintexts and ciphertexts.The amplified boomerang attack achieves this goal by encrypting many pairs with input differ- ence α, and looking for a quartet (pair of pairs) for which, C1 ⊕C3 = C2 ⊕C4 = δ when P1 ⊕ P2 = P3 ⊕ P4 = α.Given the same decomposition of E as before, and the same basic differentials α → β,γ → δ, the analysis shows that the probability of a quartet to be a right quartet is 2−(n+1)/2pq. The reason for the lower probability is that no one can guarantee that the γ difference (in the middle of the encryption; needed for the quartet to be a right boomerang quartet) is achieved.The lower probability makes the additional 4 E. Biham, O. Dunkelman, and N. Keller problem (already mentioned earlier) of finding and identifying the right quartets even more difficult. The rectangle attack [7] shows that it is possible to count over all the possible β’s and γ’s, and presents additional improvements over the amplified boomerang attack.The improvements presented in the rectangle attack improve the proba- bility of a quartet to be a right rectangle quartet to 2−n/2pˆqˆ.2
3 Improving the Rectangle Attack
The main problem dealt in previous works is the large number of possible quar- tets.Unlike in the boomerang attack, in which the identification of possible quartets is relatively simple, it is hard to find the right quartets in the rectangle attacks since the attacker encrypts a large number of pairs (or structures) and then has to find the right quartets through analysis of the ciphertexts.As the number of possible quartets is quadratic in the number of pairs3, and as the attacker has to test all the quartets, it is evident that the time complexity of the attack is very large. In this section we present an algorithm which solves the above problem by exploiting the properties of a right quartet, and which tests only a small part of the possible quartets.The new algorithm is presented on a generic cipher with the following parameter Let E be a cipher which can be described as a cascade E = Ef ◦E1 ◦E0 ◦Eb, and assume that E0 and E1 satisfy the properties of E0 and E1 presented in Section 2 (i.e., there exist differentials α → β with probability p of E0 and γ → δ with probability q of E1).An outline of such an E is presented in Figure 1.We can treat this E as composed of E = E1 ◦ E0 (for which we have a distinguisher) surrounded by the additional rounds of Eb and Ef .As mentioned in Section 2, for sufficiently high probabilities ˆp, qˆ,wecan distinguish E1 ◦ E0 from a random permutation using either a boomerang or a rectangle distinguisher.However, we also like to mount key recovery attacks on the full E. Recall that the rectangle distinguisher parameters are α, δ,ˆp, andq ˆ.Given these parameters, the rectangle distinguisher of the cipher E = E1 ◦ E0 can easily be constructed.
Before we continue we introduce some additional notation Let Xb be the set of all plaintext differences that may cause a difference α after Eb.Let Vb be the space spanned by the values in Xb.Note that usually n − rb bits are set to 0 for all the values in Vb.Let rb = log2 |Vb| and tb = log2 |Xb| (rb and tb are not necessarily integers).Let mb be the number of subkey bits which enter Eb and affect the difference of the plaintexts by decrypting pairs whose difference after Eb is α, or formally
2 This is a lower bound for the probability. For further analysis see [7]. 3 In the rectangle attack the quartet [(x, y), (z,w)] differs from the quartet [(x, y), (w, z)]. NewResults on Boomerang and Rectangle Attacks 5
E E’
Plaintext Ciphertext EEb 01 E Ef
Fig. 1. Outline of E
−1 −1 E (x) ⊕ E (x ⊕ α) = m = K w(K )=1and∃K, x : bK bK b E−1 (x) ⊕ E−1 (x ⊕ α) bK⊕K bK⊕K where w(x) denotes the hamming weight of x. Similarly, let Xf is the set of all ciphertext differences that a difference δ before Ef may cause.Let Vf denote the space spanned by the values of Xf and denote rf = log2 |Vf |.Let tf = log2 |Xf |.Let mf be the number of subkey bits which enter Ef and affect the difference when encrypting a pair with difference δ or formally E (x) ⊕ E (x ⊕ α) = m = K w(K )=1and∃K, x : fK fK . f E (x) ⊕ E (x ⊕ α) fK⊕K fK⊕K We outline all these notations in Figure 2.
m : subkey bits m :subkey bits b f
Xb :possible Xf :possible values lead to values cuased by α difference. δ difference. EEb E E Vb :set of all 01f Vf :set of all differences in differences in the active bits the active bits
in Xb in Xf
α difference between δ difference between
(P12 ,P ) and (P3 ,P4 ). (C 1,C3 ) and (C2 ,C4 ).
Fig. 2. The Notations Used in This Paper 6 E. Biham, O. Dunkelman, and N. Keller
Our new algorithm for using rectangle distinguisher in a key recovery attack is as follow
1.Create Y = 2n/2+2−rb /pˆqˆ structures of 2rb plaintexts each.In each struc- ture choose P0 randomly and let L = P0 ⊕ Vb be the set of plaintexts in the structure. 2.Initialize an array of 2 mb+mf counters.Each counter corresponds to a dif- ferent guess of the mb subkey bits of Eb and the mf subkey bits of Ef . r 3.Insert the N = Y · 2 b ciphertexts into a hash table according to the n − rf ciphertext bits that are set to 0 in Vf .If a pair agrees on these n − rf bits, check whether the ciphertext difference is in Xf . 4.For each collision ( C 1,C2) which remains, denote Ci’s structure by SCi and attach to C the index of S and vice versa. 1 C2 5.In each structure S we search for two ciphertexts C1 and C2 which are attached to some other S .When we find such a pair we check that the P1 ⊕ P2 (the corresponding plaintexts) is in Xb, and check the same for the plaintexts which P1 and P2 are related to. 6.For all the quartets which passed the last test denote by ( P1,P2,P3,P4) the plaintexts of a quartet and by (C1,C2,C3,C4) the corresponding ci- phertexts.Increment the counters which correspond to all subkeys Kb,Kf (actually their bits which affect the α and δ differences, respectively) for which E (P ) ⊕ E (P )=E (P ) ⊕ E (P )=α and E−1 (C ) ⊕ bK 1 bK 2 bK 3 bK 4 f 1 b b b b Kf −1 −1 −1 Ef (C3)=Ef (C2) ⊕ Ef (C4)=δ. Kf Kf Kf 7.Output the subkey with maximal number of hits.
The data complexity of the attack is N =2rb Y =2rb 2n/2+2−rb /pˆqˆ cho- sen plaintexts.The time complexity of Step 1 (the data collection step) is N encryptions.The time complexity of Step 2 is 2 mb+mf memory accesses in a trivial implementation and only one memory access using a more suitable data structures (like B-trees). Step 3 requires N memory accesses for the insertion of the ciphertexts into a hash table (indexed by the n − rf bits which are set to 0 in Vf ).The number of colliding pairs is about N 2 · 2rf −n/2 as there are N plaintexts divided into n−r 2 f bins (each bin correspond to a value of the n − rf bits).Note that we not necessarily use all the bins due to large memory requirements (i.e., we can hash only according the first 30 bits set to 0 in Vf ).For each collision we check whether the difference of the ciphertexts of the colliding pair belongs to Xf .We t keep all the 2 f values of Xf in a hash table, and thus, the check requires one memory access for each colliding pair.Out of the 2 rf possible differences for a t colliding pair, only 2 f differences are in Xf (i.e., can occur in a right quartet), and thus, about N 2 · 2tf −n−1 pairs remain.The time complexity of this step is N + N 2 · 2rf −n−1 memory accesses on average. Step 4 requires one memory access for each pair which passes the filtering of Step 3.In a real implementation it is wiser to implement Step 4 as part of Step 3, but we separate these steps for the sake of simpler analysis.As there are NewResults on Boomerang and Rectangle Attacks 7
N 2·2tf −n−1 such pairs, the time complexity of this step is on average N 2·2tf −n−1 memory accesses. Step 5 implements a search for possible quartets.In a right quartet both (P1,P2) and (P3,P4) must satisfy that Eb(P1) ⊕ Eb(P2)=Eb(P3) ⊕ Eb(P4)=α, and thus any right quartet must be combined from some P1,P2 ∈ S and ˜ ˜ P3,P4 ∈ S where S and S are two (not necessarily distinct) structures.Moreover, −1 −1 −1 −1 a right quartet satisfies that Ef (C1) ⊕ Ef (C3)=Ef (C2) ⊕ Ef (C4)=δ, and thus C 1 is attached to SC3 and C2 is attached to SC4 and as P3,P4 are from the same structure then – S = S .Therefore, in each structure S we search C3 C4 for colliding attachments, i.e., pairs of ciphertexts in S which are attached to the same (other) structure S˜.The N 2 ·2tf −n−1 attachments (colliding pairs) are dis- tributed over Y structures, and we get that approximately (N · 2tf +rb−n−1)2/Y possible quartets are suggested in each structure (where a quartet corresponds to a pair of plaintexts from some structure attached to the same structure).We im- plement the test in the same manner as in Step 3, i.e., keeping a hash table HS for each structure S and inserting each ciphertext C to H according to the index SC of the structure attached to C.Denoting the plaintexts of the suggested quartet by (P1,P2,P3,P4) and their corresponding ciphertexts by (C1,C2,C3,C4), we first check that P1 ⊕ P2 ∈ Xb.This test requires one memory access for each t −r possible quartet.The probability that the value P1 ⊕ P2 is in Xb is 2 b b .A quartet which fails this test can be discarded immediately.Therefore, out of the N 2 · 22tf +2rb−2n−2 possible quartets only N 2 · 22tf +rb+tb−2n−2 quartets remain. As stated before, this filtering requires one memory accesses for each candidate quartet, thus the algorithm requires N 2 ·22tf +2rb−2n−2 memory accesses.We can discard more quartets by testing whether P3 ⊕P4 ∈ Xb.In total this step requires N 2 · 22tf +2rb−2n−2 · (1+2tb−rb ) memory accesses and about N 2 · 22tf +2tb−2n−2 quartets remain after this step. In Step 6 we try to deduce the right subkey from the remaining quartets. Recall that a right quartet satisfies Eb(P1)⊕Eb(P2)=α = Eb(P3)⊕Eb(P4).Both pairs are encrypted by the same subkey, hence, a right quartet must agree on Kb (the mb subkey bits which enter Eb and affect the output difference α).There are t m −t 2 b possible input differences that lead to α difference after Eb, therefore, 2 b b subkeys on average take one of these values into the difference α.As each pair suggests 2mb−tb subkeys, they agree on average on (2mb−tb )2/2(2mb )=2mb−2tb−1 subkeys for Eb.We can find these options by keeping in a precomputed table either the possible values for any pair on its own, or for the whole quartet. m −2t −1 Repeating the analysis for Ef ,(C1,C3), and (C2,C4) we get about 2 f f subkeys suggestions from each quartet.Thus, each of the remaining quartets suggests 2mb+mf −2tf −2tb−2 possible subkeys.There are 2 mb+mf possible subkeys and N 2 ·22tf +2tb−2n−2 ·2mb+mf −2tf −2b−2 = N 2 ·2mb+mf −2n−4 hits.The expected number of hits for a (wrong) subkey is about N 2 · 2−2n−4.Since N ≤ 2n is the number of plaintexts the expected number of hits per wrong subkey is less than 2−4 =1/16, and we can conclude that the attack almost always succeeds in recovering subkey bits (since the number of expected hits for the right subkey is 4), or at least reduces the number of candidates for the right subkey.We 8 E. Biham, O. Dunkelman, and N. Keller
m −t can insert the 2 b b subkeys suggested by (P1,P2) into a hash table, and for each subkey suggested by the pair (P3,P4) we can check whether it was already suggested.Doing the same for Ef we get that for each quartet we need 3 · 2mb−tb +3· 2mf −tf memory accesses.We can optimize this a little bit by storing in advance a table and a list for each difference in Xb and save the time of building the hash table.This method saves 1/3 of the number of memory accesses.Using this method this step requires about N 2 · 22tf +2tb−2n−3 · (2mb−2tb − 2mf −2tf )= N 2 · 2−2n−3 · (2mb+2tf +2mf +2tb ) memory accesses for the entire attack. Step 7 requires 2mb+mf memory accesses using a trivial implementation, which can be reduced to 1–4 memory accesses using a more efficient data struc- ture (e.g., B-trees or dynamic hash tables). Overall, this algorithm requires N =2rb Y =2rb 2n/2+2−rb /pˆqˆ chosen plaintexts, and time complexity of N + N 2(2rf −n−1 +2tf −n +22tf +2rb−2n−2 + 2mb+tb+2tf −2n−1 +2mf +2tb+tf −2n−1) memory accesses.The memory complexity is N +2tb +2tf +2mb+mf . Table 1 summarizes the time complexity of each step and the number of plaintexts / pairs / quartets that remain after each step of the algorithm.
Table 1. The Rectangle Attack Steps and their Effect
Step Short Time # Remaining Texts/ No. Description Complexity Pairs/Quartets 1 Data generation N encryptions N plaintexts 2 Subkey counters’ init. 1 No change 3 First filtering N + N 22rf −n−1 N 2 · 2tf −n−1 pairs 4 Suggesting quartets N 22tf −n−1 No change 5 Eliminating quartets N 222tf +2rb−2n−2 N 222tf +2tb−2n−2 qts. 6 Subkey detection N 22tb+tf −2n−1(2mb+tf +2mf +tb) No change 7 Printing subkey 1–4 No change - Memory Accesses
Using this algorithm we can break 3.5-round SC2000, using the following decompositio Eb consists of the first S4 layer, the following 1.25 rounds are E0, the next 1.25 rounds are E1, and the final S4 layer is Ef .For this decomposition the following properties were presented in [8 rb = rf = mb = mf =40,tb = −8.96 −9.16 27,tf =27.9,n = 128, pˆ =2 , qˆ =2 .Thus, we conclude that the data complexity is N =284.6 chosen plaintexts and that the time complexity is 284.6 memory accesses, which slightly improves the results in [8]. We can also break 10-round Serpent using the following decompositio Eb consists of round 0.The following 4 rounds are E0, the next 4 rounds are E1, and round 9 is Ef .For this decomposition the following properties are presented 4 in [7 rb = mb =76,rf = mf =20,tb =48.85,tf =13.6,n = 128, pˆ = 4 As stated earlier, in [7] it was mistakenly claimed that tb = 64. We use the correct value of 76, and derive the correct time complexity. NewResults on Boomerang and Rectangle Attacks 9
2−25.4, qˆ =2−34.9.Thus, we conclude that the data complexity is N =2126.3 chosen plaintexts and that the time complexity is 2173.8 memory accesses.Note that the time complexity of the attack presented in [7] is 2217 memory accesses using 2196 memory cells (or 2219.4 memory accesses with 2131.8 memory cells). Note that we can use the above algorithm in several other scenarios.One of them is a chosen ciphertext scenario, where the above algorithm is applied on −1 −1 −1 −1 −1 E = Eb ◦ E0 ◦ E1 ◦ Ef .The analysis of this case is the same as before as long as we replace in the above equations all the sub-scripts b by f and vice versa. Sometimes, we might want to attack a cipher E with additional rounds only at one side, i.e., to divide E to E = E1 ◦ E0 ◦ Eb (or E = Ef ◦ E1 ◦ Eb).In this case our analysis still holds with mf = rf = tf =0.
4 A Key Recovery Attack Based on Boomerang Distinguisher
In this section we apply our ideas from the previous section to the boomerang attack.We generalized the results of [18,8].Like the rectangle attack, we have found that whenever the boomerang distinguisher succeeds then the key recovery attack also succeeds. There are various standard techniques to use distinguishers for a key recovery attack [3,15,11,4,5].The basic idea is to try all subkeys which affect the differ- ence (or the approximation) before and after the distinguishers (i.e., in Eb and Ef ), and to deduce that the correct subkey is the one for which the statistical distinguisher has the best results.However, this basic idea can be very expensive in terms of time and memory complexities.Moreover, due to the adaptive chosen plaintext and ciphertext requirement, using a boomerang distinguisher in a key recovery attack can be done if either Eb or Ef is present but not when both exist. As both boomerang and rectangle distinguishers exploit the same α and δ, we use the same notations of E = Ef ◦ E1 ◦ E0 ◦ Eb, mb , rb , tb, mf , rf , and tf as in the earlier sections. The generic boomerang attack on E = E1 ◦ E0 ◦ Eb is as follow
1.Initialize an array of 2 mb counters.Each counter corresponds to a different guess of the mb subkey bits of Eb. 2.Generate a structure F of plaintexts, choose P0 randomly and let F = P0⊕Vb be the set of plaintexts in the structure. 3.Ask for the encryption of F and denote the set of ciphertexts by G. 4.For each ciphertext c ∈ G compute c = c ⊕ δ, and define the set H = {c ⊕ δ|c ∈ G}. 5.Ask for the decryption of H, and denote the plaintexts set by I. 6.Insert all the plaintexts in I into a hash table according to the n−rb plaintext bits which are set to 0 in Vb. 7.In case of a collision of plaintexts in the hash tabl 10 E. Biham, O. Dunkelman, and N. Keller
a) Denote the plaintexts which collide in the hash table by (P3,P4), and test whether P3 ⊕ P4 ∈ Xb.If this condition is satisfied denote the plaintexts from F which correspond to (P3,P4)by(P1,P2).Test whether P1 ⊕ P2 ∈ Xb.If any of the tests fails, discard this quartet. b) For a quartet (P1,P2,P3,P4) which passes the above filtering we check all possible Kb which enter Eb (actually its bits which affect the α) and increment the counters which correspond to the subkeys for which Eb (P1) ⊕ Eb (P2)=Eb (P3) ⊕ Eb (P4)=α. Kb Kb Kb Kb 8.Repeat Steps 2–7 until a subkey is suggested 4 times.
Steps 2–5 perform a δ-shift on structures (and not on the pairs directly). From the analysis in [18] and the properties of the algorithm it is evident that the data complexity of the attack is about 8(ˆpqˆ)−2.However, we generate at least 2rb+1 plaintexts and ciphertexts, and thus the data complexity of the attack is N = max{2rb+1, 8(ˆpqˆ)−2}. The time complexity of Step 1 is equivalent to 2mb memory accesses.How- ever, we can keep the counters in more efficient data structures (like B-trees, or dynamic hash tables) for which Step 1 takes only one memory access. In steps 2–5 we encrypt N/2 plaintexts, compute N/2 XOR operations and decrypt N/2 ciphertexts.Thus, the total time complexity of Steps 2–5 for the whole attack is N encryptions/decryptions. Repeating the analysis from the previous section, we restrict our attention to time complexity analysis for each F independently of other F ’s, as each execution of Steps 6–7 for a given structure is independent of the execution of these steps for other structures. As we insert the plaintexts into a hash tables, each plaintext in I requires one memory access.Thus, the time complexity of Step 6 is 2 rb memory accesses per structure, and therefore N/2 memory accesses for the entire attack. Repeating the analysis from the previous section (with the relevant minor changes), we get that Step 7 for each structure I (and therefore, for each F ) requires about 23rb−n−1 memory accesses.For the entire N/2rb+1 structures this step requires 23rb−n−1 · N/2rb+1 = N · 22rb−n−1 memory accesses.
Using the same arguing about right quartets (as in right quartet both (P1,P2) m −t and (P3,P4) have an α difference after Eb), we get that each pair suggests 2 b b m −t 2 m m −2t −1 subkeys, and both pairs agree on (2 b b ) /2(2 b )=2 b b subkeys for Eb on average.Hence, the expected number of memory accesses in Step 7(b) is 2tb+mb+rb−n for each structure.We conclude that the total time complexity of Step 7(b) is expected to be N ·2tb+mb−n−1 memory accesses for the whole attack. Each structure F induces about 22tb+rb−n−1·2mb−2tb−1 =2rb+mb−n−2 subkey hits.As there are N/2rb+1 structures, the total number of subkey hits is expected to be N · 2mb−n−3, which are distributed over 2mb subkeys.Thus, the expected number of hits for each subkey is N · 2−n−3.As N ≤ 2n, the expected number of hits for a wrong subkey is less then 1/8 while the right subkey is expected to get 4 hits.This is sufficient for either recovering the right subkey, or to reduce the subkey candidates space by a very large factor. NewResults on Boomerang and Rectangle Attacks 11
In Step 8 we check whether one of the counters has the value of 4 (or more). This has to be done whenever we finish Step 7(b) for some F .We can implement this step as part of Step 7(b).Whenever a counter is increased we check that it has not exceeded 4.However, this method results in enlarging the time of Step 7(b).Using more appropriate data structures, we can perform the check once whenever we replace the F structure we work with.This yields a time complexity of N/2rb+1 memory accesses. We conclude that the attack requires N = max{2rb+1, 8(ˆpqˆ)−2} adaptive chosen plaintexts and ciphertexts and time complexity of about N(1+22rb−n−2 + 2tb+mb−n−1) memory accesses. Table 2 summarizes the time complexity of each step and the number of plaintexts / pairs / quartets that remain after each step of the algorithm.
Table 2. The Basic Boomerang Attack Steps and their Effect
Step Short Time # of Remaining Plaintexts/ No. Description Complexity Pairs/ Quartets 1 Subkey counters’ init. 1 — 2+3 Data generation N/2 encryptions N/2 plaintexts 4 Data generation N/2 No change 5 Data generation N/2 decryptions N plaintexts 6 Finding possible quartets N/2MA N · 22rb−n−2 quartets 7(a) Eliminating quartets N · 22rb−n−2 N · 22tb−n−2 quartets 7(b) Subkey detection N · 2rb+mb−n−1 No change 8 Printing subkey N/2rb+1 No change - Memory Accesses
Using this algorithm, we can break 3-round SC2000, using the following de- compositio Eb consists of the first S4 layer, the following 1.25 rounds are E0 and the next 1.25 rounds are E1.For this decomposition the following properties −8.96 −9.16 were presented in [8 rb = mb =40,tb =27,n = 128, pˆ =2 , qˆ =2 . Thus, we conclude that the data complexity of the attack is N =241 adaptive chosen plaintexts and ciphertexts.The time complexity of the attack is about 241 memory accesses. We attack 9-round Serpent, using this algorithm and the following decom- positio Eb consists of round 0, the following 4 rounds are E0, and the next 4 rounds are E1.For this decomposition the following properties were presented −25.4 −34.9 in [7 rb = mb =76,tb =48.85,n = 128, pˆ =2 , qˆ =2 .The data com- plexity of the attack is N =2123.6 adaptive chosen plaintexts and ciphertexts, with time complexity of 2147.2 memory accesses.We can also attack rounds 1–9 of Serpent using the decomposition used in the previous section.In this attack −1 −1 −1 we are attacking rounds 9–1 (i.e., the attack is on E0 ◦ E1 ◦ Ef ).For this −25.4 −34.9 decomposition we ge rf = mf =20,tf =13.6,n = 128, pˆ =2 , qˆ =2 . Obviously the data complexity does not change, as we use the same underly- 12 E. Biham, O. Dunkelman, and N. Keller ing distinguisher.However, the time complexity of this attack drops to 2 123.6 memory accesses (instead of 2147.2).
5Enhancing the Boomerang Attack
In this section we present a new method to use the boomerang attack with both Eb and Ef .Recall that the main step of the boomerang attack is the δ-shift (encryption of each plaintext, XORing of the corresponding ciphertext with δ, and decryption of the outcome).Our method uses a generalization of the δ-shift. The new algorithm to attack Ef ◦ E1 ◦ E0 ◦ Eb is as follow
1.Initialize an array of 2 mb+mf counters.Each counter corresponds to a dif- ferent guess of the mb subkey bits of Eb and the mf bits of Ef . 2.Generate a structure F of plaintexts, choose P0 randomly and let F = P0⊕Vb be the set of plaintexts in the structure. 3.Ask for the encryption of F and denote the set of ciphertexts by G. 4.For each c ∈ G and ∈ Xf compute c = c ⊕ , and define the set H = {c ⊕ | c ∈ G and ∈ Xf }. 5.Ask for the decryption of H, and denote the plaintexts set by I. 6.Insert all the plaintexts in I into a hash table according to the n−rb plaintext bits which are set to 0 in Vb. 7.In case of a collision of plaintexts in the hash tabl a) Denote the plaintexts which collide in the hash table by (P3,P4), and test whether P3 ⊕ P4 ∈ Xb.If this condition is satisfied denote the plaintexts from F which correspond to (P3,P4)by(P1,P2).Test whether P1 ⊕ P2 ∈ Xb.If any of the tests fails, discard this quartet. b) For a quartet (P1,P2,P3,P4) which passes the above filtering we obtain from a precomputed table the possible values for the mb subkey bits which enter Eb and affect the α difference.We also obtain from a precom- puted table the possible values for the mf subkey bits which enter Ef and affect the δ difference.The specific implementation aspects of this step are described later on.We increment counters which correspond to sub- keys Kb,Kf for which Eb (P1) ⊕ Eb (P2)=Eb (P3) ⊕ Eb (P4)=α Kb Kb Kb Kb −1 −1 −1 −1 and Ef (C1) ⊕ Ef (C3)=Ef (C2) ⊕ Ef (C4)=δ. Kf Kf Kf Kf 8.Repeat Steps 2–7 until a subkey is suggested 4 times.
We call Steps 2–5 an -shift as each plaintext is encrypted, then shifted by all possible ’s and the values of the shifted ciphertexts are decrypted. The time complexity of Step 1 is equivalent to 2mb+mf memory accesses. However, we can keep the counters in a more efficient data structures (like B- trees, or dynamic hash tables), for which Step 1 takes only one memory access. Each F induces a set of 2rb ciphertexts in G, and each ciphertext is shifted by 2tf possible values, hence |H| = |I| =2rb+tf .Even though we expand the number of possible quartets (by multiplying the size of I by 2tf ), the number of right quartets does not change.Hence, we still need about 8(ˆpqˆ)−2/2rb+1 structures. NewResults on Boomerang and Rectangle Attacks 13
The data complexity of the attack is N =2rb+tf · 8(ˆpqˆ)−2/2rb+1 .However, we might get that N>2n.We can implement these cases in one of two ways. The first way is to ask for the encryption/decryption N (not necessarily differ- ent) oracle queries.The second way to implement this is to store the already encrypted/decrypted values in a table, and test for each encryption/decryption if it is already in the table, in order to save most of the encryptions/decryptions. This way the attack requires 2n known plaintexts and N memory accesses. Like in the previous section we perform the time complexity analysis for each F independently of other F ’s, as each execution of Steps 6–7 for a given structure is independent of the execution of these steps for some other structure. Like in the previous section, Step 6 inserts into a hash table the plaintexts. Thus, the time complexity of Step 6 is 2rb+tf memory accesses per structure, and N memory accesses in total. Since each collision in the hash table of Step 6 suggests a quartet, we have in this step about 23rb+2tf −n−1 memory accesses for each structure F , and the expected number of remaining quartets is 23rb+2tf −n−1 · (2tb−rb )2 = 22tb+rb+2tf −n−1.Since there are N/2rb+tf structures we conclude that for the whole attack this step requires about N · 22rb+tf −n−1 memory accesses.
We recover subkey material both in Eb and Ef .By repeating the analysis from Section 3, each remaining quartet suggests 2mb+mf −2tb−2tf −2 subkeys for r +m +m −n−3 Eb and Ef , and thus, we get 2 b b f hits (on average) from each struc- ture and N · 2mb+mf −n−tf −3 subkey hits in total.We conclude that Step 7(b) requires N ·2tb+tf −n−1 ·(2mb+tf +2mf +tb ) memory accesses for the whole attack. As there are about N · 2mb+mf −tf −n−3 subkey hits in total, the expected number of hits per subkey is about N · 2−tf −n−3.Note that N might be bigger than 2n but on the same time, N ≤ 2n+tf (as we take at most 2n ciphertexts and shift them by 2tf values).We again find that the number of hits per wrong subkey is ≤ 1/8. In Step 8 we check whether one of the counters has the value of 4 (or more). Using the same methods as in the previous section, we can use more appropriate data structures which reduce the time complexity of this step to 1 memory accesses for each F , and for the entire attack N/2rb+tf memory accesses. The data complexity of the attack is N =2rb+tf · 8(ˆpqˆ)2/2rb+1 adaptive chosen plaintexts and ciphertexts (and as stated earlier if N>2n we can replace it by 2n known plaintexts using a table of size 2n).The expected time complexity of the attack is N(2+22rb+tf −n−1 +2mb+tb+2tf −n−1 +2mf +2tb+tf −n−1) memory accesses.The memory complexity of the attack is 2 mb+mf +2rb+tf . Table 3 summarizes the time complexity of each step and the number of plaintexts / pairs / quartets that remain after each step of the algorithm. We use the same decomposition of 3.5-round SC2000 as in Section 3. For this decomposition the following properties were presented in [8 rb = rf = mb = −8.96 −9.16 mf =40,tb =27,tf =27.9,n = 128, pˆ =2 , qˆ =2 .Hence, the data complexity of the attack is 267.9 adaptive chosen plaintexts and ciphertexts (this complexity can be reduced to 267 by attacking E−1).The attack requires 2 67.9 memory cells (when we attack E−1 it requires only 267 memory cells).The time 14 E. Biham, O. Dunkelman, and N. Keller
Table 3. The Steps of the Improved Boomerang Attack and Their Effect
Step Short Time # Remaining Texts/ No. Description Complexity Pairs/ Quartets 1 Subkey counters’ init. 1 — 2+3 Data generation N/2tf encryptions N/2tf plaintexts 4 Data generation N No change 5 Data generation N decryptions N Plaintexts 6 Eliminating wrong pairs N N22rb+2tf −n−2 qts. 7(a) Eliminating quartets N22rb+tf −n−1 N22tb+2tf −n−2 qts. 7(b) Subkey detection N2tb+tf−n−2(2mb+tf +2mf+tb) No change 8 Printing subkey N/2rb+tf No change - Memory Accesses complexity of the attack is 268.9 memory accesses (the attack on E−1 requires 268 memory accesses). We also use the same decomposition of 10-round Serpent like in Section 3. For this decomposition the following properties were presented in [7 rb = mb = −25.4 −34.9 76,rf = mf =20,tb =48.85,tf =13.6,n = 128, pˆ =2 , qˆ =2 .The data complexity of the attack is N =2123.6+13.6 =2137.2.As mentioned before, we can either treat this as 2137.2 queries to the encryption/decryption oracle (of course not distinct queries) or we can just ask the encryption/decryption of any plaintext/ciphertext we need, and store it in a table.The attack requires 2 173.8 memory accesses.
Table 4. Comparison of the Boomerang and the Rectangle Generic Attacks
Attack Rectangle Boomerang Enhanced (Section 3) (Section 4) Boomerang (Section 5)
Cipher’s parts Ef ◦ E1 ◦ E0 ◦ Eb E1 ◦ E0 ◦ Eb Ef ◦ E1 ◦ E0 ◦ Eb being attacked Type of Chosen Plaintext Adaptive Chosen Adaptive Chosen Attack Plaintext and Ciphert. Plaint. and Ciphertext Data max{2rb , 2n/2+2/pˆqˆ} max{8(ˆpqˆ)−2, 2rb } 2tf max{2rb , 8(ˆpqˆ)−2} Complexity (N) Memory N 2(2rf −n−1 +2tf −n N(1+22rb−n−2+ N(2+22rb+tf −n−1+ Accesses +22tf +2rb−2n−2 2tb+mb−n−1)2mb+tb+2tf −n−1+ +2mb+2tf +tb−2n−1 2mf +tf +2tb−n−1) +2mf +2tb+tf −2n−1) +N Memory Cells 2mb+mf + N 2rb +2mb 2rb+tf +2mb+mf
Subkey Bits mb + mf mb mb + mf Hits per ≤ 1/16 ≤ 1/8 ≤ 1/8 Wrong Subkey NewResults on Boomerang and Rectangle Attacks 15
Table 5. NewBoomerang and Rectangle Results on SC2000 and Serpent
Cipher Attack Number Complexity of Rounds Data Time Memory SC2000 Rectangle – this paper 3.5 284.6 CP 284.6 2 84.6 Boomerang – this paper 3 241 ACPC 241 2 40 Boomerang – this paper 3.5 267 ACPC 267 2 67 best Linear [19] 4.5 2104.3 KP 283.3 2 80 Serpent Amp. Boomerang[10] 9 2110 CP 2252 2 208 Rectangle[7] 10 2126.8 CP 2217 2 192 Rectangle[7] 10 2126.8 CP 2219.4 2 126.8 Boomerang – this paper 9 2123.6 ACPC 2123.6 2 21.5 Boomerang – this paper 10 2128 KP 2173.8 2 96 Rectangle – this paper 10 2126.3 CP 2173.8 2 126.3 best Linear [6] 11 2118 KP 2214 2 85 - Memory Accesses CP - Chosen Plaintexts, KP - Known Plaintexts ACPC - Adaptive Chosen Plaintexts and Ciphertexts
6 Summary
This paper presents several contributions.The first contribution is an improved generic rectangle attack.The improved attack algorithm can attack 10-round Serpent with data complexity of 2126.3 chosen plaintexts and time complexity of 2173.8 memory accesses.This new result enables attacking 10-round Serpent with 192-bit subkeys.We also have shown that the algorithm is very successful and almost always reduces the number of candidate subkeys. The second contribution is a generic boomerang key recovery attack.The attack uses similar techniques as in the rectangle key recovery attack and the result is an efficient algorithm for retrieving subkey material.In the analysis of this attack we found out that this attack also almost always succeeds. The third contribution is extending the generic boomerang key recovery at- tack to attack more rounds.This contribution allows for the boomerang attack to attack as many rounds as the rectangle attack despite its adaptive chosen plaintext and ciphertext nature.This allows to attack 10-round Serpent with the enhanced boomerang attack using 2137.2 adaptive chosen plaintexts and ci- phertexts (or 2128 known plaintexts), and 2173.8 memory accesses. In Table 4 we compare the requirements of the generic attacks, and in Table 5 we present our new results on Serpent and SC2000.For comparison, we also include the previous boomerang and rectangle results and the best known attacks against these ciphers.
References
1. Ross Anderson, Eli Biham, Lars R. Knudsen, Serpent: A Proposal for the Advanced Encryption Standard, NIST AES Proposal, 1998. 16 E. Biham, O. Dunkelman, and N. Keller
2. Eli Biham, Higher Order Differential Cryptanalysis, unpublished paper, 1994. 3. Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Stan- dard, Springer-Verlag, 1993. 4. Eli Biham, Alex Biryukov, Adi Shamir, Cryptanalysis of Skipjack reduced to 31 rounds, Advances in Cryptology, proceedings of EUROCRYPT ’99, LNCS 1592, pp. 12–23, Springer-Verlag, 1999. 5. Eli Biham, Alex Biryukov, Adi Shamir, Miss in the Middle Attacks on IDEA and Khufu, proceedings of Fast Software Encryption 6, LNCS 1636, pp. 124–138, Springer-Verlag, 1999. 6. Eli Biham, Orr Dunkelman, Nathan Keller, Linear Cryptanalysis of Reduced Round Serpent, proceedings of Fast Software Encryption 8, 2001, to appear. 7. Eli Biham, Orr Dunkelman, Nathan Keller, The Rectangle Attack – Rectangling the Serpent, Advances in Cryptology, proceedings of EUROCRYPT ’01, LNCS 2045, pp. 340–357, Springer-Verlag, 2001. 8. Orr Dunkelman, Nathan Keller, Boomerang and Rectangle Attacks on SC2000, preproceedings of the NESSIE second workshop, 2001. 9. Louis Granboulan, Flaws in Differential Cryptanalysis of Skipjack, proceedings of Fast Software Encryption 8, 2001, to appear. 10. John Kelsey, Tadayoshi Kohno, Bruce Schneier, Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, proceedings of Fast Software Encryp- tion 7, LNCS 1978, pp. 75–93, Springer-Verlag, 1999. 11. Lars Knudsen, Truncated and Higher Order Differentials, proceedings of Fast Soft- ware Encryption 2, LNCS 1008, pp. 196–211, Springer-Verlag, 1995. 12. Lars Knudsen, H˚avard Raddum, A Differential Attack on Reduced-Round SC2000, preproceedings of the NESSIE second workshop, 2001. 13. Lars Knudsen, Matt J.B. Robshaw, David Wagner, Truncated Differentials and Skipjack, Advances in Cryptology, proceedings of CRYPTO ’99, LNCS 1666, pp. 165–180, Springer-Verlag, 1999. 14. Suzan K. Langford, Martin E. Hellman, Differential-Linear Cryptanalysis, Ad- vances in Cryptology, proceedings of CRYPTO ’94, LNCS 839, pp. 17–25, Springer- Verlag, 1994. 15. Mitsuru Matsui, Linear Cryptanalysis Method for DES Cipher, Advances in Cryp- tology, proceedings of EUROCRYPT ’93, LNCS 765, pp. 386–397, Springer-Verlag, 1994. 16. NESSIE - NewEuropean Schemes for Signatures, Integrity and Encryption. http://www.nessie.eu.org/nessie/. 17. Takeshi Shimoyama, Hitoshi Yanami, Kazuhiro Yokoyama, Masahiko Takenaka, Kouichi Itoh, Jun Yajima, Naoya Torii, Hidema Tanaka, The Block Cipher SC2000, proceedings of Fast Software Encryption 8, 2001, to appear. 18. David Wagner, The Boomerang Attack, proceedings of Fast Software Encryption 6, LNCS 1636, pp. 156–170, Springer-Verlag, 1999. 19. Hitoshi Yanami, Takeshi Shimoyama, Orr Dunkelman, Differential and Linear Cryptanalysis of a Reduced-Round SC2000, these proceedings. Multiplicative Differentials
Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner
University of California at Berkeley
Abstract. We present a new type of differential that is particularly suited to an- alyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap cipher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing opera- tor, and that it should be combined with at least two other incompatible group operations.
1 Introduction
Modular multiplication is a popular primitive for ciphers targeted at software because many CPUs have built-in multiply instructions. In memory-constrained environments, multiplication is an attractive alternative to S-boxes, which are often implemented using large tables. Multiplication has also been quite successful at foiling traditional differential cryptanalysis, which considers pairs of messages of the form (x, x ⊕ ∆) or (x, x + ∆). These differentials behave well in ciphers that use xors, additions, or bit permutations, but they fall apart in the face of modular multiplication. Thus, we consider differential pairs of the form (x, αx), which clearly commute with multiplication. The task of the cryptanalyst applying multiplicative differentials is to find values for α that allow the differential to pass through the other operations in a cipher. It is well-known that differential cryptanalysis can be applied with respect to any Abelian group, with the group operation defining the notion of difference between texts. However, researchers have mostly ignored multiplicative differentials, i.e., differentials over the multiplicative group (Z/nZ)∗, perhaps because it was not clear how to combine them with basic operations like xor. In this paper, we develop new techniques that make multiplicative differentials a more serious threat than previously recognized. A key observation is that in certain cases, multiplicative differentials can be used to approximate bitwise operations, like xor, with high probability. As we will see in Section 4, for many choices of n there exists a ∆n such that −1 · x mod n = x ⊕ ∆n with non-negligible probability. Similarly, 2x mod 2n is simply a left-shift operation. It is therefore possible to analyze how these differentials interact with other operations that are normally thought incompatible with multiplication, such as xor and bitwise permutations.
J. Daemen and V. Rijmen (Eds.): FSE 2002, LNCS 2365, pp. 17–33, 2002. c Springer-Verlag Berlin Heidelberg 2002 18 N. Borisov et al.
Table 1. A summary of some cryptanalytic results using multiplicative differentials. The attacks on xmx are distinguishing attacks with advantages close to one; the remaining attacks are key- recovery attacks. All attacks are on the full ciphers; we do not need to consider reduced-round variants. “CP” denotes chosen plaintexts, and “KP” denotes known plaintexts.
Cipher Complexity Comments [Data] [Time] [Keys] Nimbus 28 CP 210 all see [4] (previously known) xmx (standard version) 2 CP 2 all mult. complementation property (new) xmx (challenge version) 233 CP 233 2−8 multiplicative differentials (new) MultiSwap 213 CP 225 all multiplicative differentials (new) MultiSwap 222 KP 227 all multiplicative differentials (new) IDEA-X 238 CP 236 2−16 multiplicative differentials (new)
After reviewing previous work in Section 2, we give two examples using the ciphers xmx [11] and Nimbus [8] to convey the flavor of these attacks in Section 3. In Section 4, we generalize these ideas and catalogue several common cipher primitives that preserve multiplicative differentials. We then focus on specific ciphers. Section 5 presents many moduli, including the xmx challenge modulus, that admit large numbers of weak keys in xmx. In Section 6, we examine the MultiSwap cipher [12], which is used in Microsoft’s Digital Rights Management system, and show that it is extremely vulnerable to mul- tiplicative differential cryptanalysis. In Section 7, we study several IDEA [7] variants obtained by replacing additions with xors and show that these variants are vulnerable to weak key attacks using multiplicative differentials. As an example, we show that IDEA-X, a version of IDEA derived by replacing all the additions with xors, is insecure. This suggests that multiplicative differentials may yield new attacks on IDEA. Table 1 summarizes the attacks developed in this paper.
2 Related Work
In this paper, we analyze the xmx cipher, originally proposed by M’Raihi, Naccache, Stern and Vaudenay [11]. We also look at Nimbus, which was proposed by Machado [8] and broken by Furman [4]. IDEA was first proposed by Lai, Massey and Murphy [7]. Meier observed that part of the IDEA cipher often reduces to an affine transformation, and used this to break 2 rounds using differential cryptanalysis [10]. Daemen, Govaerts, 16 andVandewalle observed that −x mod 2 +1 = x⊕11 ···101 whenever x1, the second least signicant bit of x,is1[2]. They showed that if certain IDEA subkeys are ±1, the algorithm can be broken with differential cryptanalysis. We use the same observation to find weak keys for a variant of IDEA in Section 7. The class of weak keys we find is much larger (2112 keys versus 251 keys), but they are otherwise unrelated. The newest cipher we look at, MultiSwap, was designed by Microsoft and subsequently reverse-engineered and published on the Internet under the pseudonym Beale Screamer [12]. Differential cryptanalysis was invented by Biham and Shamir [1]. In the present paper, we apply the ideas of differential cryptanalysis using a non-standard group op- eration: multiplication modulo n. Daemen, van Linden, Govaerts, and Vandewalle have Multiplicative Differentials 19 performed a very thorough analysis of multiplication mod 2 − 1, how it relates to elementary bit-operations, and its potential for foiling differential cryptanalysis [3]. In Section 6 we use the multiplicative homomorphism (Z/232Z)∗ → (Z/216Z)∗ to recover MultiSwap keys efficiently. This technique is the multiplicative equivalent of Matsui’s linear cryptanalysis [9]. In a similar vein, Harpes, Kramer and Massey applied the quadratic residue multiplicative homomorphism QR:(Z/nZ)∗ → Z/2Z, for n =216 +1, to attack IDEA [5]. Kelsey, Schneier and Wagner used the reduction map Z/nZ → Z/mZ (a ring homomorphism), for n =2 − 1 and m dividing n,in cryptanalysis[6].
3 Two Examples
To illustrate some of the ideas behind our attacks, we give two examples of using mul- tiplicative differentials to cryptanalyze simple ciphers. Throughout the paper, xi will 1 represent the ith bit of x, and x0 will denote the least significant bit of x.
Cryptanalysis of xmx. As a first example, we demonstrate a complementation property for the “standard” version of the xmx cipher [11], which operates on -bit blocks using two basic operations: multiplication modulo n and xor. The ith round of the cipher is
f(x, k2i−1,k2i)=(x ◦ k2i−1) × k2i mod n, where the binary operator “◦” is defined by x ⊕ k2i−1 if x ⊕ k2i−1 The cipher has an output termination phase that may be viewed as an extra half-round, so the entire algorithm is xmx(x)=(f(f(···f(x, k1,k2) ···),k2r−3,k2r−2),k2r−1,k2r) ◦ k2r+1. where r counts the number of rounds. In the paper introducing xmx [11], the designers recommend selecting n =2 − 1.2 The curious thing about this choice of n is that for all x, x ⊕ n = −x mod n. This is a consequence of the following simple observation: if 0 ≤ x, y < 2 − 1, then x+y =2 −1 if and only if x⊕y =2 −1.As a result, this differential will be preserved with probability 1 through the entire cipher, giving a complementation property xmx(−x mod n)=−xmx(x)modn. 1 However, for convenience, we will use ki to denote a cipher’s ith subkey, not the ith bit of k. 2 Actually, at one point the authors suggest that n be secret, but later state, “Standard implemen- tations should use ... = 512, n =2512 − 1.” For this reason, we call this the “standard” version of xmx, as opposed to the “challenge” version discussed later in this paper. 20 N. Borisov et al. After describing the basic cipher, the xmx designers suggest several possible extensions, including rotations and other bit permutations. None of these enhancements would de- stroy this complementation property. We analyze other versions of xmx later; see Section 5. Cryptanalysis of Nimbus. As a second example, we explain how the framework of multiplicative differentials can be used to better understand a previously known attack on Nimbus. Nimbus accepts 64-bit blocks, and its ith round is 64 f(x)=k2i+1 × rev(x ⊕ k2i)mod2 , where rev() reverses the bits in a 64-bit word. The subkeys k2i+1 must be odd for the cipher to be invertible. At FSE2001, Furman used the xor differential 011 ···10 −→ 011 ···10, which passes through one round of Nimbus whenever t = rev(x ⊕ k2i) is odd, to launch a devastating attack on this cipher [4]. Furman’s xor differential may appear mysterious at first, but can be readily explained using the language of multiplicative differentials. Whenever t is odd, t ⊕ 11 ···10 = −t mod 2. (This is a standard fact from two’s complement arithmetic, and follows from the earlier observation that (t ⊕ 11 ···11) + t =2 − 1.) So Furman’s differential pairs (x, x ⊕ 011 ···10) are in fact pairs (x, x∗) where x∗ = −x mod 263 but x∗ = −x mod 264, a property that obviously survives multiplication by k2i+1 whenever k2i+1 is odd. In other words, Furman’s xor differential is equivalent to the multiplicative differential −1 −→ − 1 (with probability 1/2), taken mod 263, with explicit analysis of the high bit to ease propagation through the rev() operation. Discussion. The complementation property of standard xmx has not been previously de- scribed, despite xmx’s relative maturity. The attack on Nimbus was previously described using xor differentials, but is neatly summarized in our new framework for multiplica- tive differentials. We believe these two examples motivate further study of multiplicative differentials, and the remainder of this paper is dedicated to this task. 4 New Differentials Most of the conclusions in this section are summarized in Table 2. The xmx example in Section 3 used the multiplicative difference α = −1, because −x mod 2 − 1=x ⊕ 11 ···1. Thus the multiplicative differential pair (x, −x) is equivalent to the xor differential pair (x, x ⊕ 11 ···1). In the Nimbus example, the modulus is of the form 2 instead of 2 −1, so the identity between the multiplicative and xor differentials does not hold. However, there is an approximate identity −x mod 2 = x ⊕ 11 ···10, which holds whenever x is odd, or equivalently, when x0 =1. Multiplicative Differentials 21 Table 2. A partial list of the operations we consider. Each entry in the table specifies the probability that the two operations commute. See Proposition 1 for an explanation of c(n). See Proposition 3 for the definitions of z(σ) and ω(σ). An entry of “0” indicates the probability is negligible, and a “–” means we do not investigate this combination. Operation Modulus multiply by α xor rotate bit perm σ multiply by −12 − 1 1111 −12 1 z(σ) multiply by 1 2 0 multiply by −1 n 1 2−c(n) –– multiply by 22 − 1 101– 22 1 2−ω(σ)−z(σ) multiply by 104 reduction mod 2k 2 11–– n 11110 0000111001 x x14 x13 x12 0 x10 x9 x8 x7 1 x5 x4 0 x2 1 x0 ∆n 11101 1110110101 x + x ⊕ ∆n 11110 0000111001 Fig. 1. The modulus n = 30777, the bit-constraints on values of x for which x +(x ⊕ ∆n)=n, and ∆n. See Proposition 1 for a precise definition of ∆n. To generalize the multiplicative/xor correspondence exploited in these two examples, first observe that every -bit modulus, n, can be divided into strings of the form 11 ···1 and strings of the form 100 ···0. As an example, the 15-bit modulus n = 30777 is divided into such substrings in Figure 1. For each segment of the modulus of the form 11 ···1, we use the xor differential 11 ···1. For the segments of the modulus of the form 100 ···0, we use the xor differential 011 ···10. Suppose nk ···nj is one of the segments of n of the form 100 ···0. Then we also require that xj =1and xk =0. The constraint that xj =1serves the same purpose as the constraint that x be odd in the Nimbus differential: it ensures that when x and x ⊕ ∆n are added together, a chain of carries is started at bit j. The requirement n that xk =0assures that no carry bits propagate past bit k when x and x ⊕ ∆ are added together. In the example, bit i of x is constrained if and only if bit i of ∆n is 0. This is always true because of the symmetry between x and −x. The above scheme works by controlling the carry bits when x and x ⊕ ∆n are added together. It ensures that, for each substring of the modulus of the form 10 ···0, a carry chain is started at the low bit and terminated at the high bit. Starting and stopping carry chains necessitates imposing constraints on x, and if two substrings of the form 10 ···0 are adjacent, it is more efficient to simply ensure that the carry chain from the first substring propagates to the second. Analogously, if the modulus contains a substring of the form 11 ···1011 ···1, then the above method will start a carry chain, only to terminate it at the next bit. A more efficient approach would ensure that no carry ever started. Algorithm 1, which computes an optimal value of ∆n for a given n, incorporates these improvements. The algorithm also outputs ωn and νn, which represent the bits of x constrained to 0 and 1, respectively. 22 N. Borisov et al. Algorithm 1 Compute the optimal ∆ = ¬(ω ∨ ν). best-differential(n) c ← 0, ω, ν ← 00 ···0 for i =0,... ,length(n)-2 switch (ni+1,ni,c) case (0, 0, 0) // Begin a carry chain by requiring xi =1. νi ← 1, c ← 1 case (0, 1, 1) // Force carry propagation by requiring xi =1. νi ← 1 case (1, 0, 0) // Force no carry by requiring xi =0. ωi ← 1 case (1, 1, 1) // End carry chain by requiring xi =0. ωi ← 1, c ← 0 default // No change to carry bit. No constraint on x. if c =1 then ω−1 ← 1 ∆ = ¬(ω ∨ ν) output (∆, ω, ν) To determine the probability that a randomly selected x ∈ Z/nZ satisfies the bit- constraints described above, let c(n) be the number of 0 bits in ∆n (i.e., the number of bits of x that are constrained). Then x will satisfy these constraints with probability at least 2−c(n). To see why this is only a lower bound, consider the modulus n = 1001 (base 2). The constraints derived from this modulus are x3 =0and x1 =1. However, only one value of x ∈ Z/nZ fails to satisfy x3 =0, so this constraint is nearly vacuous. The following proposition formalizes this discussion: Proposition 1. Let n be an -bit modulus. Let the -bit words ωn, νn be the result of Algorithm 1, and let ∆n = ¬(ωn ∨ νn). Take any x ∈ Z/nZ. Define: −1 if x ∧ ωn =0and ¬x ∧ νn =0 Cn(x)= 1 otherwise. n Then Cn(x)=−1 if and only if −x mod n = x ⊕ ∆ . By symmetry, Cn(−x)= n Cn(x). Further, define c(n) to be the number of 0 bits in ∆ . Then, for a uniformly −c(n) distributed x ∈ Z/nZ, Cn(x)=−1 with probability at least 2 . Finally, for any ∆, Pr[x ⊕ (−x mod n)=∆] ≤ Pr[x ⊕ (−x mod n)=∆n]. The Nimbus attack uses the slight tweak of considering pairs (x, x∗) such that x∗ = −x mod 2−1 but not mod 2. Generalizing this gives a truncated multiplica- tive differential. Proposition 2. Suppose ∗ x = x ⊕ (a−1a−2 ···am11 ···10), where each ai stands for any single bit, and suppose moreover that x is odd. If k is odd, then ∗ k × x =(k × x) ⊕ b−1b−2 ···bm11 ···10, where the multiplication is modulo 2 . Additionally, am = bm. Multiplicative Differentials 23 Until now, we have only discussed multiplicative differential pairs (x, −x), but the cryptanalysis of MultiSwap uses pairs of the form (x, 2x mod 232). One of the basic operations in MultiSwap is to swap the two 16-bit halves of a 32-bit word. The multi- plicative relation (x, 2x) is preserved through this operation whenever x15 = x31 =0. An arbitrary bit permutation σ can cause two types of problems for the multiplicative differential 2. First, it can disturb the consecutive ordering of the bits. Because multi- plication by 2 is just a left-shift, it’s not surprising that the bit ordering comes into play. Second, σ may place some bit i in position 0. If σ is to commute with multiplication by 2, then the value of bit i must be 0. These notions are summarized in the following proposition: Proposition 3. Let σ be a permutation of the set {0,... , −1}, and let σˆ be the induced function on -bit words given by σˆ(x)=xσ(−1)xσ(−2) ···xσ(0). Then Pr [ˆσ(2x)=2ˆσ(x)] = 2−ω(σ)−z(σ) where ω(σ)=#{j ∈ 0,... , − 2|σ(j +1) = σ(j)+1} and 0 σ(0)=0 z(σ)= if 1 otherwise. Intuitively, ω(σ) counts the number of times that σ disturbs the consecutive ordering of the bits, and z(σ) tests whether σ places bit i =0in position 0. So, for example, the 1 (x, 2x) differential survives rotations with probability 4 independent of the amount of rotation. Also, dividing a word into k chunks, such as dividing a 32-bit word into 4 bytes, and permuting the chunks leaves the differential undisturbed with probability 2−k. Multiplicative differentials are compatible with many other operations. Reversing the bits in a word transforms the pair (x, 2x mod 2) into (x, x/2mod2) with probability 1. Multiplicative differentials may even survive addition in some cases, since α×a+α× b = α × (a + b). Finally one may consider differentials in which part of the differential is defined using multiplication, and part is defined using some other operation. For example, if a cipher operates on 64-bit blocks (a, b, c, d), where a, b, c, and d are 16- bit subblocks, we may want to consider differential pairs (a, b, c, d) and (a∗,b∗,c∗,d∗) where a∗ = α×a, b∗ = b⊕∆, c∗ = c⊕∆, and d∗ = α×d. In other words, the differences (α, ∆, ∆, α) are elements of the group (Z/216Z)∗×(Z/2Z)16×(Z/2Z)16×(Z/216Z)∗. When there can be no confusion as to the groups in question, we simply refer to these as “hybrid” differentials. 5 xmx We can now apply our new understanding to find differentials for a large class of moduli in the xmx cipher. 24 N. Borisov et al. We describe the analysis using the parameters given in the “xmx challenge” [11]. This cipher has 8 rounds, 256-bit blocks, and modulus n =(280 − 1) · 2176 + 157, which is the smallest prime whose 80 most significant bits are all 1. Written in binary, this modulus is 80 168 n = 11 ···1 00 ···0 10011101, which has c(n)=4. From Proposition 1, whenever x is of the form x = x255x254 ···x1770x175 ···x81x61x4x3x20x0 (i.e. whenever x176 =0,x7 =1,x5 =1and x1 =0) then Cn(x)=−1 and therefore x ⊕ ∆n = −x mod n, where 79 167 ∆n = 11 ···1 0 11 ···1 101011101. Recall that ∆n has a 0 bit in exactly those positions that are constrained in x.If n k ∧¬∆ =0, then k hasa0ineach constrained bit position, and hence Cn(x ⊕ k)= Cn(x). The key schedule for the xmx challenge cipher is s,s,...,s,s,s⊕ s−1,s,s−1,... ,s,s−1 where s is a 256-bit number. Suppose s ∧¬∆n =0and s−1 ∧¬∆n =0. The first equation is satisfied whenever bits 1,5,7 and 176 of s are 0, and hence will be satisfied with probability 2−4. The second equation establishes similar requirements on the bits of s−1, and will be satisfied with probability 2−4. So about 2−8 of the keys s satisfy these constraints simultaneously. Obviously, if s ∧¬∆n =0and s−1 ∧¬∆n =0, then (s ⊕ s−1) ∧¬∆n =0, as well. Consider one round of xmx using such a weak key, and let a and b be the subkeys for the current round, so that a = s or s−1 or s ⊕ s−1, but it doesn’t matter which. Suppose we apply this round of the cipher to the differential pair (x, x∗), where x⊕x∗ = ∆n and ∗ n n Cn(x)=−1. Then by Proposition 1, x = x⊕∆ = −x mod n. Since a∧¬∆ =0, ∗ n Cn(x ⊕ a)=−1,sox ⊕ a = x ⊕ a ⊕ ∆ = −(x ⊕ a)modn. We would like to conclude that −(x ◦ a)=x∗ ◦ a mod n, but must consider the two different behaviors of the operator “◦”. From the definition, x ⊕ a x ⊕ a But by assumption, x176 = a176 =0. Thus bit 176 of x ⊕ a is also 0. Furthermore, bits 255 through 176 of n are all 1. This implies x ⊕ a ∆n −→ ∆n (with probability 1/16), or equivalently, the 1-round iterative multiplicative differential −1 −→ − 1 (with probability 1/16). The probability of the differential may be much higher for many keys, because there are many −1 ↔ ∆ correspondences that hold with high probability. For example, 78 167 x ⊕ (−x mod n)=11 ···1 00 11 ···1 101011101. whenever x1 =0, x5 =1, x7 =1, x176 =1and x177 =0. Thus, if, in addition to −1 the weak key constraints described above, s177 = s177 =0, then the multiplicative differential −1 survives one round of the cipher with probability 2−4 +2−5. There are many other very similar differentials, and if s satisfies even more weak key constraints, then the −1 differential will survive with even greater probability. This differential survives 8 rounds of the cipher with probability 2−32. The last half round of the cipher consists of only the “◦” operator, and we’ve already seen that this differential passes through that operation with probability 1, so the differential survives the whole cipher with probability 2−32. Each right pair, (x, x∗), yields 4 constraints on the bits of (x ⊕ s) × s mod n, the output of the first round of the cipher. Although a careful analysis of multiplication mod n may reveal an efficient key recovery attack, we leave this as a distinguishing attack. This analysis easily generalizes to other instances of xmx with different parameters. For any -bit modulus n that is not a power of 2, we can compute ∆n and c(n) as described in the previous section. Consider a single round of xmx that uses modulus n, subkeys n k2i−1 and k2i in the ◦ and multiply steps respectively, and suppose k2i−1 ∧¬∆ =0. n −c(n) Given an input pair (x, x ⊕ ∆ ) where Cn(x)=−1, with probability 2 the output n of the round for the pair is of the form (y, y ⊕ ∆ ), with Cn(y)=−1, by an analysis similar to the one above. Therefore, the differential survives r rounds of the cipher with probability 2−c(n)r, as long as each subkey used in the “◦” operation satisfies n −c(n)r k2i−1 ∧¬∆ =0. If independent subkeys are used, 2 of all keys satisfy this weak key condition. If the xmx key schedule is used, 2−2c(n) of all keys are weak, since only s and s−1 must satisfy the condition. Whenever the modulus n used in xmx has a highly regular bit pattern—in particular, long sequences of 1’s and 0’s—c(n) will be small and therefore such a weak key analysis may be of significantly lower complexity than an exhaustive search. 26 N. Borisov et al. x0 k0 k1 k2 k3 k4 k5 ❄ ❄ ❄ ❄ ❄ ❄ ❄ s0 ✲+ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲+ ✲ s t u 0 ✲ ❄✲ s1 + s1 x1 k6 k7 k8 k9 k10 k11 ❄ ❄ ❄ ❄ ❄ ❄ ❄ s ✲+ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲+ ✲ c0 0 w v ✲ ❄ ✲ s1 + c1 Fig. 2. The MultiSwap cipher. Processing begins with s0 = s1 =0on plaintext x0,x1 and proceeds from left to right. The output of the first half, s0 and s1, is fed into the second half to produce ciphertext c0,c1. The “ ” operator swaps the 16-bit halves of a 32-bit word, “” represents addition modulo 232, and “⊗” represents multiplication modulo 232. 6 MultiSwap The MultiSwap cipher is used in Microsoft’s Digital Rights Management subsystem and was first described in a report published on the Internet under the pseudonym Beale Screamer [12]. The cipher, shown in Figure 2, operates entirely on 32-bit words, main- tains two words of internal state, s0 and s1, and uses 12 32-bit subkeys k0,... ,k11. The subkeys k0,... ,k4,k6,... ,k10 must be odd if the cipher is to be invertible. Unless the cipher is being used in some sort of feedback mode, s0 = s1 =0; we will assume this in the analysis. This analysis is also applicable when s0 and s1 are non-zero but their values are known. No key schedule is described, so we assume the subkeys are all independent. The cipher operates on 64-bit blocks (x0,x1) to produce ciphertext (c0,c1). We first present a chosen-plaintext attack, and then describe how to convert this to a known-plaintext attack. Consider the algorithm operating on input (0,x1). Since s0 = s1 =0, t = s0 + x0 =0. Since u =0if and only if t =0, u is also 0. Thus s0 = s1 = k5. After the second half, regardless of the input x1 the output satisfies c1 = c0 + k5. Thus one can derive k5 = c1 − c0 with one chosen-plaintext message of the form (0,x1).Givenk5, one additional message suffices to recover k11. With input (0, −k5), it is still the case that s0 = s1 = k5. In the second half, though, since x1 = −k5, w = s0 + x1 = k5 +(−k5)=0, which propagates through the multiplications and swaps as before. Thus the output is c0 = k11 and c1 = k5 +k11. So a 2-message adaptive chosen-plaintext attack exposes k5 and k11. Given k5, we can control the input to the second half of the cipher. To make w = a, query the encryption oracle with the plaintext (0,a− k5). With k11, we can partially decrypt a ciphertext to obtain the intermediate value v. Therefore, we only have to analyze the sequence of multiplications and swaps in the second half of the cipher between w and v. Similarly, we can analyze the sequence between t and u using knowledge of k5 and the fact that s0 = c1 − c0 − s1. Because this is a chosen-plaintext attack, we have Multiplicative Differentials 27 k6 k7 k8 k9 k10 ❄ ❄ ❄ ❄ ❄ w ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲ ✲⊗ ✲v Fig. 3. The second half of the MultiSwap cipher. reduced the problem to the system in Figure 3 for which the input, w, can be controlled and the output, v, can be observed. The goal is to recover k6,... ,k10. So we focus only on this fragment of MultiSwap. If this fragment operates on inputs ∗ ∗ ∗ w and w =2w, then k6 ·w = k6 ·(2w)=2(k6 ·w). From Proposition 3, (k6 ·w )= 1 2 · (k6 · w) whenever bits 15 and 31 of k6 · w are 0, or 4 of the time. Analyzing the ∗ 1 rest of Figure 3 in the same way shows that v =2v with probability 256 . If this condition holds, call (w, 2w) a right pair. Then with high probability bits 15 and 31 of k6 · w are 0. This is a two-bit condition on k6 · w that we can use to filter the 1 set of potential values of k6; 4 of all k6 values will pass this test. We can repeat this test for 16 right input pairs (w1, 2w1),... ,(w16, 2w16) chosen uniformly at random, and 1 16 −32 the probability of a given k6 value surviving all 16 tests is roughly ( 4 ) =2 ,so with high probability only one value of k6 survives. If (w, 2w) is a right pair, then the multiplicative differential of w∗ =2w must survive each one of the operations. Therefore, k7 · (k6 · w) must have bits 15 and 31 set to 0. Thus the same right pairs can determine k7, and then k8 and k9. At this point we can determine k10 from any known-plaintext. Thus 16 right pairs are enough to recover 12 k6,... ,k10, and we can obtain the pairs with about 2 chosen plaintexts. Repeating 13 the analysis for k0,... ,k4 breaks the whole cipher with 2 chosen plaintexts. This is surprisingly small considering the large key size. The work factor of breaking the cipher is quite low. Let (w1, 2w1),... ,(w16, 2w16) be right pairs that determine k6. By definition of being right, bits 15 and 31 of k6 · wi are 0 for all i. Observe that bit 15 of k6 · wi is independent of bits 16 through 31 of k6. Thus we can determine the value of the low 16 bits of k6 independently of the high bits. After discovering the low 16 bits, we can then do the same thing for the upper 16 bits. Since we have to test each half of a key against each right pair, the total number of tests 16 21 performed is 2 · 2 · 16=2 . Repeating for k7, ..., k9, and then again for k0,... ,k3 yields a break on the whole cipher requiring 8 · 221 =224 tests. Each test is quite cheap, involving only a multiply, bit-mask, and test for equality. To convert this to a known-plaintext attack, observe that even without knowledge of k5 and k11, we can derive the input to the second half of the cipher via w = c1 −c0 +x1. Consider a pair of inputs such that the differential (w, 2w) −→ (v, 2v) holds. Suppose ∗ further that (2v)=2· (v). In this case, c0 = (v)+k11 and c0 =2· (v)+k11; ∗ hence, k11 =2c0 − c0. If, on the other hand, (2v) =2· (v), there are three possible ∗ values for c0: 2c0 + k11 − 1, 2c0 + k11 + 65536, 2c0 + k11 + 65535. Each of these possibilities suggests an equation for k11; we can try all four equations and see which ∗ ∗ makes v =2v hold under partial decryption of c0,c0. Therefore, each right pair suggests the correct value for k11. So collect 222 known plaintexts which by the birthday paradox will contain 212 pairs whose input to the second half of the cipher is of the form (w, 2w). Each pair is a right −8 pair with probability 2 , so the correct k11 value will be suggested 16 times. Most 28 N. Borisov et al. wrong pairs will suggest a random value for k11, but, because the sequence of multiplies and swaps maintains sufficient structure, some incorrect values of k11 will be suggested with a lower, but still significant probability. In practice, the correct k11 will be among the top few, say 8, suggested; since the rest of the analysis is fast, we can repeat it for each of the top 8 suggested values of k11 and use trial encryptions to detect the correct one. With k11, we can now use the same set of pairs to recover k6,... ,k10. A similar attack reveals k5, and then k0,... ,k4. Except for having to repeat the attack for several possible values of k11 and k5, the work factor is about the same as for the previous attacks. Hence the total work for the known plaintext attack is 227. The storage is also quite small, since we don’t have to keep a counter for every possible value of k11, only the ones suggested by a pair. Since the attack uses only about 212 pairs, the storage requirement is about 215 bytes. To summarize, MultiSwap can be broken with a 213 chosen-plaintext attack requiring 225 work or a 222 known-plaintext attack requiring a work factor of about 227. 7 IDEA Variants The IDEA cipher designers deliberately used incompatible group operations to destroy any algebraic relations among the inputs, and this strategy has proven very successful. The basic operations used in IDEA are addition modulo 216, xor of 16-bit words, and multiplication modulo 216 +1. IDEA uses the addition operation in two places: key mixing and the MA-structure. As has been noted before [10], if a+b<216, then a+b mod 216 = a+b mod 216 +1, 1 and thus the MA-structure is linear about 4 of the time. We consider a variant of IDEA, which we call IDEA-X, in which all the additions have been replaced by xors. Because of the observations above, it may appear that IDEA-X is an improvement over IDEA, but we show below that IDEA-X has a large class of weak keys for which it is susceptible to multiplicative differential cryptanalysis. Because of the heavy use of the xor operation in IDEA-X, we use the multiplicative differential (−1, −1, −1, −1). Let n =216 +1, and ∆ =11···101. By Proposition 1, 16 −x mod n = x ⊕ ∆ if and only if Cn(x)=−1.Forn =2 +1, Cn(x)=−1 if and 3 only if x1 =1. The analysis maintains, with non-negligible probability, an invariant on all the intermediate values z and z∗ in the cipher. The invariant is that all the intermediate values will satisfy the relation z∗ =(−1)z1 z. This condition may look mysterious, but it simply means that either z∗ = z,orz∗ = −z = z ⊕ ∆. The rest of the analysis is essentially repeated application of the following two rules. ∗ x1 ∗ (kx)1 1 Rule 1 If x =(−1) · x, then kx =(−1) · kx with probability 2 . This is the multiplication rule. Rule 2 If a∗ =(−1)a1 · a and b∗ =(−1)b1 · b, then a∗ ⊕ b∗ =(−1)(a⊕b)1 · (a ⊕ b) with probability 1. This is the xor rule. 3 Technically, Cn(x)=−1 if and only if x1 =1and x16 =0, but since x is a 16-bit number, the latter condition is vacuous. Multiplicative Differentials 29 X0 X1 X2 X3 a −1 b −1 c −1 d −1 ❄ ❄ ❄ ❄ (1) ✲ (1) ✲ (1) ✲ (1) ✲ Z0 Z1 Z2 Z3 e g r ✲ ✛ −1 r −1 f h r −1 ✲ ✛ r −1 pq11 ❄ r ❄ Z(1) ✲ ✲ 4 1 rs11 one round −1 ❄t ❄ −1 ✛ 1 ✛ (1) Z5 e −1 g −1 ❄t t ❄ ✛ 1 r 1 ✲ h f ❄ u u ❄ ✛ 1 r 1 ✲ ❤ ✭ ❤❤❤ ✭✭✭ ❤✭❤✭❤✭ ✭✭✭ ❤❤❤ vw−1 x ✭✭ ❤❤ y −1 ❄ ❄ −1 −1 ❄ ❄ ...... 7 more rounds ❤❤ ✭✭ ❤❤❤ ✭✭✭ AD−1 ✭✭❤✭❤❤ −1 BC✭✭✭✭ ❤❤−❤1❤ output −1 ❄ ❄ ❄ ❄ Z(9) ✲ Z(9) ✲ Z(9) ✲ Z(9) ✲ 0 1 2 3 transform −1 ❄ ∆∆❄ ❄ −1 ❄ Y0 Y1 Y2 Y3 Xi : 16-bit plaintext subblock Yi : 16-bit ciphertext subblock Z(r) : i 16-bit key subblock : bit-by-bit exclusive-OR of 16-bit subblocks : multiplication modulo 216 +1of 16-bit integers with the zero subblock corresponding to 216 Fig. 4. The IDEA-X cipher. All the adds in IDEA have been changed to xors. The diagram is annotated with the path of the multiplicative differential (−1, −1, −1, −1). Both rules are easy to prove. Figure 5 explains the xor rule in more detail. To demonstrate the use of these rules, consider one round of IDEA-X in which bit (1) 1ofZ2 is 0. This is a weak key condition. We’ll look only at the inputs X0 and X2. Referring to Figure 4, consider two different executions of the round, one with inputs 30 N. Borisov et al. a b a b a b 11 1 −1 −1 −1 ❅❅❘ ✠ ❅❅❘ ✠ ❅❅❘ ✠ ❄1 ❄−1 ❄1 c c c (i) (ii) (iii) Fig. 5.The three cases of the xor rule.The edges are labeled with the multiplicative differentials, e.g. x∗/x.The probability in each case is 1. Recall that differential pairs always satisfy x∗ =(−1)x1 ·x. ∗ ∗ So in case (iii), a1 = b1 =1, and hence a = −a = a ⊕ ∆ and b = −b = b ⊕ ∆. Thus ∗ c = −a ⊕−b = a ⊕ ∆ ⊕ b ⊕ ∆ = a ⊕ b = c. Furthermore, a1 = b1 =1,soc1 =0. Hence c∗ =(−1)c1 · c. The other cases are similar. X0 = a and X2 = c, the other with inputs X0 = −a and X2 = −c. Suppose also that ∗ g a1 = c1 =1. By the xor rule, g1 =1and g = −g =(−1) 1 g with probability 1. By ∗ e1 1 the multiplication rule, e1 =1and e = −e =(−1) e with probability 2 . Combining ∗ these two results and applying the xor rule to e ⊕ g shows that p = p whenever e1 =1. (1) If we also assume that bit 1 of Z1 =0then more of the same sort of reasoning shows that the multiplicative differential (−1, −1, −1, −1) −→ (−1, −1, −1, −1) 1 survives one round of IDEA-X with probability 16 . In order for this differential to work, the input (a, b, c, d) must satisfy a1 = b1 = c1 = d1 =1. When the differential does successfully pass through the round, the output (v, w, x, y) satisfies v1 = w1 = x1 = y1 =1. Thus the differential can be iterated. So we have found an iterative 1-round multiplicative differential that works for keys (i) (i) in which bit 1 of Z1 is 0 and bit 1 of Z2 is 0 in every round. This differential survives 8 rounds of IDEA-X with probability 2−32, and works against 2−16 of the keys. The only thing left to consider is the output phase. This phase uses multiplications, which will not disturb the −1 differential, and xors. The differential will survive the xors even without weak key constraints on the subkeys used in the output phase. To see this, consider a differential that has passed 8 rounds; then we have a pair of intermediate texts (A, B, C, D) and (A∗,B∗,C∗,D∗) where (A∗,B∗,C∗,D∗)=(−A, −B,−C, −D). Recall that the −1 multiplicative differential is equivalent to the ∆ xor differential. Therefore, B∗ = B ⊕ ∆ and C∗ = C ⊕ ∆. This differential survives the final xor of ∗ ∗ ∗ ∗ the output phase, giving a hybrid differential (Y0 ,Y1 ,Y2 ,Y3 )=(−Y0,Y1 ⊕ ∆, Y2 ⊕ −32 −16 ∆, −Y3) that survives the whole cipher with probability 2 for 2 of the keys. Using this differential to recover keys is relatively straightforward. An attack using 238 chosen plaintexts yields 32 right pairs with high probability. Each right pair (a, b, c, d) ∗ ∗ ∗ ∗ (1) and (a ,b ,c ,d ) establishes the condition that bit 1 of Z0 · a is 1. Just as in the (1) MultiSwap attack, we can use this condition to filter the possible values of Z0 , and (1) (1) given 32 right pairs only two values of Z0 will survive. Unfortunately, whenever Z0 ·a (1) satisfies this constraint, so will −Z0 · a, so this filter will leave us with two choices for (1) (1) Z0 which differ by a factor of −1. We can recover ±Z3 in a similar manner. Each Multiplicative Differentials 31 Table 3. A characterization of many IDEA variants which are susceptible to multiplicative differ- ential cryptanalysis. Round Modifications A The additions in the MA-structure are changed to xors or multiplications B The subkey Z2 is mixed with input X2 using xor or multiplication C The subkey Z1 is mixed with input X1 using xor or multiplication The additions in the MA-structure are changed to xors or multiplications (1) (1) right pair also yields a constraint r1 =0. Observe that r = Z4 · (e ⊕ Z2 ⊕ c). After (1) recovering ±Z0 , we can compute ±e. Thus we can compute the correct value of e or (1) (1) e ⊕ ∆. Hence we can use this condition to filter possible values for (Z2 ,Z4 ) and (1) given 32 right pairs only two values will survive. If we guess the wrong value for Z0 , we will perform this filtering with intermediate value e ⊕ ∆, and hence will compute (1) (1) (1) Z2 ⊕ ∆ instead of Z2 . As before, the filter can only determine Z4 up to a factor of (1) (1) (1) ±1. We now guess the correct value of Z4 and recover Z1 and ±Z5 in a manner (1) (1) (1) similar to the recovery of Z2 and ±Z4 . We then guess the correct value of Z5 , and (2) (1) (1) recover ±Z0 the same way we recovered Z0 . We finish by making guesses for ±Z0 , (1) (2) (2) ±Z3 , and ±Z0 and using trial encryptions to recover Z1 and verify our guesses. (1) (1) 32 38 Recovering Z1 and Z5 , dominates the analysis time, requiring 2 · 2 · 32 ≈ 2 trials. Each trial involves one round of IDEA-X, so the work required is equivalent to about 235 IDEA-X encryptions. A generous estimate of the rest of the work easily gives a work factor of 236 IDEA-X encryptions. Many other variants of IDEA are also vulnerable to multiplicative differential attacks. Table 3 characterizes a large class of weak IDEA variants by showing the minimum changes necessary to IDEA to render it vulnerable. These IDEA variants have three different round functions, A, B, and C. The output function, D, is exactly as in the original IDEA cipher. The cipher can be any number of rounds, and can begin with A, B,orC, but must cycle through the rounds in the order A, B, C. The round functions are almost identical to the IDEA round functions, except that some of the additions have been changed to xors or multiplications. Each of the specified additions may be replaced with either an xor or a multiply, independent of the other additions. The other additions in the cipher may also be replaced, but this isn’t necessary. This class of weak IDEA variants generalizes our results on IDEA-X: it is only necessary to remove half the additions from the cipher to render it vulnerable to multi- plicative differential attacks. From this we conclude that multiplicative differentials can be applicable even to some ciphers with three incompatible group operations. 8 Experimental Verification We performed several experiments to verify our claims. We first tested the differential probabilities derived in this paper; Table 4 summarizes the results. With the exception of the xmx challenge cipher, all the measurements agree with the theory. 32 N. Borisov et al. Table 4. Experimental verification of differential probabilities. We use reduced-rounds variants of the xmx challenge cipher and IDEA-X to make the measurement feasible. Cipher Rounds Probability Pairs Right pairs [Expected] [Actual] Nimbus 52−5 106 31250 31245 xmx (standard version) 81105 105 105 xmx (challenge version) 42−16 106 15.3 562 IDEA-X 42−16 108 1525.9 1537 MultiSwap all 2−8 108 390625 390532 The experiments show that the differential −1 survives 4 rounds of xmx with much higher probability than expected. Part of this discrepancy can be explained by observing that a randomly chosen weak key may allow many −1 ↔ ∆ correspondences, for different choices of ∆, increasing the probability of the −1 differential. We did further experiments to verify that this was indeed the source of the discrepancy, and were able to predict the experimentally observed probability for a given key to within a factor of 4 (for 4 rounds). We leave it as an open question to explain the remaining error. Since the differential actually survives four rounds with probability about 2−11, we estimate that the xmx challenge cipher can be distinguished using only 223 chosen plaintexts. We next verified the claim, made in Section 5, that approximately 2−8 keys for the xmx challenge cipher are weak. Recall that a key s is weak if s∧¬∆n = s−1 ∧¬∆n =0. These comprise 4 bit constraints on s and 4 bit constraints on s−1. It is not clear that this will be satisfied by 2−8 keys, so we tested 106 randomly generated keys, from which we expected to find 3906 weak keys. The actual number of weak keys was 3886, confirming our analysis. Next we implemented the chosen-plaintext key recovery attack on IDEA-X. In order to make the data requirements feasible, we only attacked 4 rounds of IDEA-X, and only ran 10 trials. The IDEA-X experiments required an average of 124 right pairs to recover the key, about 4 times as many right pairs as we predicted in Section 7. Observing the attack in action reveals that frequently a small number of right pairs—around 30 or 40—are sufficient to eliminate all but 2 or 3 candidates for a particular subkey. A more efficient attack would simply try each candidate, an approach we did not implement. We implemented the known-plaintext attack on MultiSwap, but since this attack involves repeating the same attack on the two halves of the cipher, we only attacked the latter half. The attack worked as described in Section 6; however, on some trials there were too few right pairs to perform the analysis. Nonetheless, 70 out of 100 runs using 222 known plaintexts were able to successfully recover the key. Increasing the number of plaintexts to 5000000 increased the success rate to 99%. Recall that the attack required guessing the correct value of k11 from a list sorted by likelihood. The average position of the correct k11 in this list was 2. 9 Conclusion In this paper we have defined the concept of a multiplicative differential. We described several particular differentials and analyzed how they interact with standard operations Multiplicative Differentials 33 used in cryptography such as xor and bit permutations. We then used these differentials to cryptanalyze two existing ciphers and variants of IDEA. Our results demonstrate that the modular multiplication operation by itself is in- sufficient to prevent differential attacks. Further, multiplicative differentials can be sur- prisingly resilient in the presence of incompatible group operations. Therefore, multi- plication needs to be carefully combined with other group operations to destroy these differential properties. We are hopeful that this paper will help further the understanding of how to use the multiply operator to build secure cryptographic algorithms. Acknowledgements. We thank Joan Daemen for providing LATEX source for a diagram of IDEA from which Figure 4 is derived. We also thank John Kelsey for suggesting that we implement our attacks, an exercise which led to many improvements to our results. References 1. Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3–72, 1991. 2. Joan Daemen, Rene Govaerts, and Joos Vandewalle. Weak keys for IDEA. In CRYPTO, pages 224–231, 1993. 3. Joan Daemen, Luc van Linden, Rene Govaerts, and Joos Vandewalle. Propagation properties of multiplication modulo 2n − 1. In G. H. L. M. Heideman et.al., editor, Thirteenth Symp. on Information Theory in the Benelux, pages 111–118, Enschede (NL), 1-2 1992. Werkgemeen- schap Informatie- en Communicatietheorie, Enschede (NL). 4. Vladimir Furman. Differential cryptanalysis of Nimbus. In Fast Software Encryption. Springer-Verlag, 2001. 5. Carlo Harpes, Gerhard G. Kramer, and James L. Massey. A Generalization of Linear Crypt- analysis and the Applicability of Matsui’s Piling-up Lemma. In EUROCRYPT ’95. Springer- Verlag, May 1995. 6. John Kelsey, Bruce Schneier, and David Wagner. Mod n cryptanalysis, with applications against RC5P and M6. In Fast Software Encryption, pages 139–155, 1999. 7. Xuejia Lai, James L. Massey, and Sean Murphy. Markov ciphers and differential cryptanalysis. In EUROCRYPT ’91. Springer-Verlag, 1991. 8. Alexis Warner Machado. The Nimbus cipher: A proposal for NESSIE. NESSIE Proposal, September 2000. 9. Mitsuru Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, EURO- CRYPT ’93, volume 765, pages 386–397, Berlin, 1994. Springer-Verlag. 10. Willi Meier. On the security of the IDEA block cipher. In EUROCRYPT ’93, pages 371–385. Springer-Verlag, 1994. 11. David M’Raihi, David Naccache, Jacques Stern, and Serge Vaudenay. XMX: a firmware- oriented block cipher based on modular multiplications. In Fast Software Encryption. Springer-Verlag, 1997. 12. Beale Screamer. Microsoft’s digital rights management scheme—technical details. http://cryptome.org/ms-drm.htm, October 2001. Differential and Linear Cryptanalysis of a Reduced-Round SC2000 Hitoshi Yanami1, Takeshi Shimoyama1, and Orr Dunkelman2 1 FUJITSU LABORATORIES LTD. 1-1, Kamikodanaka 4-Chome, Nakahara-ku, Kawasaki, 211-8588, Japan {yanami,shimo}@flab.fujitsu.co.jp 2 COMPUTER SCIENCE DEPARTMENT, TECHNION. Haifa 32000, Israel [email protected] Abstract. We analyze the security of the SC2000 block cipher against both differential and linear attacks. SC2000 is a six-and-a-half-round block cipher, which has a unique structure that includes both the Feistel and Substitution-Permutation Network (SP structures. Taking the structure of SC2000 into account, we investigate one- and two-round iterative differential and linear characteristics. We present two-round iterative differential characteristics with probability 2−58 and two-round iterative linear characteristics with probability 2−56. These characteristics, which we obtained through a search, allowed us to attack four-and-a-half-round SC2000 in the 128-bit user-key case. Our differential attack needs 2103 pairs of chosen plaintexts and 220 memory accesses and ourlinearattack needs 2 115.17 known plaintexts and 242.32 memory accesses, or 2104.32 known plaintexts and 283.32 memory accesses. Keywords: Symmetric block cipher, SC2000, differential attack, linear attack, characteristic, probability 1 Introduction Differential cryptanalysis was initially introduced by Murphy [10]in an attack on FEAL-4 and was later improved by Biham and Shamir [1,2]to attack DES. Linear cryptanalysis was first proposed by Matsui and Yamagishi [6]in an at- tack on FEAL and was extended by Matsui [7]to attack DES. Both methods are well known and often provide very effective means for attacking block ci- phers. One of the many steps in establishing a cipher’s security is to evaluate its strength against these attacks. The respective degrees of security of a cipher against differential attacks and linear attacks can be estimated from the max- imum differential probability and the maximum linear probability. A cipher is considered to be secure against attacks of both types if both probabilities are low enough to make the respective forms of attack impractical. SC2000 is a block cipher which was submitted to the NESSIE [11]and CRYP- TREC [3]projects by Shimoyama et al. [13].In the Self-Evaluation Report, one J. Daemen and V. Rijmen (Eds.): FSE 2002, LNCS 2365, pp. 34–48, 2002. c Springer-Verlag Berlin Heidelberg 2002 Differential and Linear Cryptanalysis of a Reduced-Round SC2000 35 of the submitted documents, the security against differential and linear crypt- analysis was evaluated by estimating the number of active S-boxes in differential and linear characteristics. The strength of the SC2000 cipher has been evaluated in other published work on attacking SC2000 [3,4,12,17]. This paper is based on the work of Yanami and Shimoyama [17]at the 2nd NESSIE workshop, which is a report by the authors on investigation they carried out with both differential and linear attacks on a reduced-round SC2000. We use the same differential characteristics as was used in the above work in the work we describe here. This has a slightly higher probability than the characteristics that have been found by Raddum and Knudsen [12]. The linear cryptanalysis by Yanami and Shimoyama [17]contained some incorrect calculations. We have corrected these and re-examined the linear characteristics. Moreover, in this paper we use a better method of deducing the subkey bits. This new technique reduces the time complexity of the attacks by several orders of magnitude. In this paper we investigate the one- and two-round iterative differential/lin- ear characteristics of SC2000. By iterating the differential/linear characteristic obtained by our search, we construct a longer characteristic and utilize it to attack four-and-a-half-round SC2000. The paper is organized as follows. We briefly describe the encryption algo- rithm for SC2000 in Section 2. In Section 3, we illustrate our search method and show our search results. We present our differential and linear attacks on four-and-a-half-round SC2000 in Sections 4 and 5, respectively. We summarize our paper in Section 6. 2 Description of SC2000 SC2000 is a block cipher which was submitted to the NESSIE [11]and CRYPT- REC [3]projects by Shimoyama et al. [13].SC2000 has a 128-bit block size and supports 128-/192-/256-bit user keys, and in these ways is the same as the AES. Before proceeding further, we need to make two remarks: Firstly, we mainly take up the case of 128-bit user keys. Secondly, we omit the description of the SC2000 key schedule as it has no relevance to the attacks presented in this paper. The key schedule generates sixty-four 32-bit subkeys from a 128-bit user key. 2.1 The Encryption Algorithm Three functions are applied in the SC2000 encryption algorithm: the I, R and B functions. Each function has 128-bit input and output. The R functions used are of two types, which only differ in terms of a single constant (0x55555555 or 0x33333333). When we need to distinguish between the two types, we use R5 and R3 to indicate the respective constants. The encryption function may be written as: I-B-I-R5×R5-I-B-I-R3×R3-I-B-I-R5×R5- I-B-I-R3×R3-I-B-I-R5×R5-I-B-I-R3×R3-I-B-I, 36 H. Yanami, T. Shimoyama, and O. Dunkelman 32 32 mask 32 32 32 32 32 F_func 32 32 32 32 32 Fig. 1. The R function 32 32 M_func 32 S_func 32 mask 32 32M_func 32S_func 32 mask L_func Fig. 2. The F function where × stands for the exchange of the left and right 64 bits. We define -I-B- I-R×R- as the round in SC2000. The round is iterated six times by the cipher and the final set of operations, -I-B-I, is then applied to obtain symmetry for encryption and decryption. For the sake of simplicity, we refer to the last part -I-B-I as half a round. SC2000 involves six and a half rounds with a 128-bit user key, and seven and a half rounds with a 192-/256-bit user key. 2.2 The I Function The I function XORs a 128-bit input with four 32-bit subkeys. The I function divides the input into four 32-bit words, and then applies an XOR to each of these words and a corresponding 32-bit subkey. These subkeys are only used in the I function. 2.3 The R Function The R function has a conventional Feistel structure, except for the swapping of the left and right 64 bits in its last part (Fig. 1). The F function is applied to the right 64 bits of the input, and the output of the function is XORed with the left 64 bits. The result of the XOR becomes the left half of the output of the R function. The right half of the output of the R function is the same as the right half of the input. The input and output of the F function in the R function are both 64 bits; the function consists of three subfunctions, the S, M and L functions (Fig. 2). Differential and Linear Cryptanalysis of a Reduced-Round SC2000 37 The F function divides its input into two 32-bit variables and each variable is successively dealt with by the S and M functions. The two outputs become the input value for the L function, the output of which becomes the output of the F function. Note that the F function is bective. We describe the S, M and L functions below. The S function is a 32-bit input/output nonlinear function. The 32-bit input is divided into groups, in order, 6, 5, 5, 5, 5 and 6 bits. These groups of bits enter corresponding S-boxes; each of the two 6-bit groups enters S6, while each of the four 5-bit groups enters S5. The output of the S function is the concatenation of the outputs of the S-boxes. We refer to Shimoyama et al. [13]for the values in the S5 and S6 tables. The M function is a 32-bit input/output linear function. The output b for an input a is the product of a and a matrix M, b = a·M, where M is a square matrix of order 32 with entries that are elements of GF (2), the Galois field of order two, and a and b are row vectors with entries from GF (2). We refer to Shimoyama et al. [13]for the entries of the matrix M. The L function has two 32-bit variables as its input and output. We use (a, b)to denote the input and (c, d) to denote the corresponding output. The variables c and d are obtained by applying the following formulae: c =(a ∧ mask) ⊕ b; d =(b ∧ mask) ⊕ a, where mask is the constant we earlier mentioned, 0x55555555 or 0x33333333, mask is the bitwise-NOT of the mask, and the symbol ∧ rep- resents the bitwise-AND operation. 2.4 The B Function The B function has an SPN structure with 128-bit input/output which contains the thirty-two 4-bit input/output S-boxes. This structure is similar to the one that is used in the Serpent block cipher. We can use a bitslice approach to implement the B function. We represent the input to the B function as (a, b, c, d), where each variable has 32 bits; the i-th bit of a is ai, and equivalent notation applies to b, c and d.Fori =0, 1,...,31, the i-th bit is taken from each of the variables a, b, c and d, and the resulting four bits (ai,bi,ci,di) are replaced by (ei,fi,gi,hi) according to the S4 table, where the notation is analogous to that for (a, b, c, d) above, and (e, f, g, h) denotes the four 32-bit words which compose the output of the B function. We refer to Shimoyama et al. [13]for the values in the S4 table. Note that if the B functions in SC2000 are all replaced by the swapping of the left and right 64 bits, the resulting structure becomes the classical Feistel structure. 38 H. Yanami, T. Shimoyama, and O. Dunkelman 3 The Differential and Linear Characteristics of SC2000 In investigating the differential/linear characteristics of a block cipher, it is very hard to compute the probability of every characteristic by applying an exhaustive search to the cipher itself. Roughly speaking, the following strategy is often used to construct a long characteristic that has a high probability. 1) Examine few- round iterative characteristics, i.e., characteristics of the same input and output differences/masks appearing at intervals of a few rounds. 2) Iterate the one with the highest differential/linear probability which was found by the search to make a characteristic for larger numbers of rounds. We will follow this strategy in examining the differential/linear characteristics. In the SC2000 encryption algorithm, the I functions are merely used for XORing data with subkeys, so we can eliminate them from our examination of differential/linear relationships. Removing these functions leaves the following sequence: B-R5×R5-B-R3×R3-B-R5×R5-B-R3×R3-B-R5×R5-B-R3×R3-B. It can be seen that -B-R×R- is a period. It is repeated six times until the final B function is added to preserve symmetry of the encryption and decryption procedures. Taking the period into consideration, we investigate the one- and two-round differential/linear characteristics with certain patterns of differences and masks. 3.1 Differential Characteristics We explain our efficient way of searching for an iterative differential characteristic that has a high probability. We start by reviewing the nonlinear functions of SC2000. They are all realized by the S-boxes, S4, S5 and S6. There are thirty- two S4 boxes in the B function and eight S5 boxes and four S6 boxes in the R function. The S function is made up of four S5 boxes and two S6 boxes; there are two S functions in the R function. In the differential distribution tables for the S-boxes, we see that given a pair of nonzero input and output differences, −2 −3 −4 the differential probability for S4 is either 2 or 2 , while for S5 it is 2 and −4 −5 for S6 it is either 2 or 2 . These facts suggest that the number of nonzero differences for the S5 and S6 boxes in the S function will have a stronger effect on the overall differential probability of characteristics than the number for the S4 boxes in the B function. Taking this into consideration, we decide to investigate those differential characteristics that have a nonzero difference in a single one of the four S func- tions in a -B-R×R- cycle, which enables us to efficiently find those differential characteristics that have high probabilities. One-RoundCharacteristics. We investigate those one-round iterative char- acteristics that have a nonzero difference in a single one of the four S functions Differential and Linear Cryptanalysis of a Reduced-Round SC2000 39 X 0 0 0 0X 0 0 B B Y mask Y X 0 YY mask 0X Y mask Y X’ X Y 0 0 0 M S M S L L Y 0 0 0 Y mask Y X’ X M S M S 0 0 0 0 0 0 0 0 M S M S L L 0000 0000 M S M S X 0 0 0 0X 0 0 D1 D2 Y mask Y X 0 YY mask 0X B B X 0 0 0 0X 0 0 0 0 0 0 0 0 0 0 M S M S L L 0000 0000 M S M S Y mask Y X’ X Y 0 0 0 M S M S L L Y 0 0 0 Y mask Y X’ X M S M S Y mask Y X 0 Y Y mask 0X D3 D4 Fig. 3. Patterns of differences ina-B-R×R- cycle. We illustrate the differential patterns of the characteristics we need to investigate in Fig. 3. We call the respective types of differential pattern D1, D2, D3 and D4, according to the position of the S function that has a nonzero difference. We have investigated differential characteristics that have these patterns for both -B-R5×R5- and -B-R3×R3-. We have found differential characteristics that have a probability of 2−33 in both cycles. This is the highest probability for dif- ferential characteristics of the four types mentioned above. These characteristics are of type D3. We give an example of one such differential characteristic: 40 H. Yanami, T. Shimoyama, and O. Dunkelman -B-R×R- ( 0 0x00080008 0x08090088 0) −15 B ↓ B 2 (0x08090088 0 0 0) R ( 00) ←−F ( 00) 1 R ( 0 0x00080008) ←−F (0x08090088 0) 2−18. Note that this characteristic has a probability of 2−33 regardless of the constant in the R function, and that we can construct an n-round differential characteristic with probability 2−33n by concatenating this characteristic n times. Two-RoundCharacteristics. By distinguishing R5 from R3, we are also able to treat -B-R5×R5-B-R3×R3- as a cycle. Turning our attention to this cycle, we have investigated those two-round iterative characteristics which have a nonzero difference in a single one of the four S functions in each -R×R- part. It would appear that we are able to independently choose differential patterns from among Di (i =1, 2, 3, 4) for the former -B-R5×R5- and latter -B-R3×R3- sequence, but some patterns cannot be concatenated. We can judge whether or not it is possible to concatenate Di and Dj from the differential distribution table of S4 (see the Appendix). Below we list the pairs that may be concatenated and thus need to be investigated: -B-R5×R5--B-R3×R3- -B-R5×R5--B-R3×R3- ∆A → (D1) → ∆B → (D1) → ∆A ∆A → (D1) → ∆B → (D2) → ∆A ∆A → (D2) → ∆B → (D2) → ∆A ∆A → (D2) → ∆B → (D1) → ∆A ∆A → (D3) → ∆B → (D3) → ∆A ∆A → (D3) → ∆B → (D4) → ∆A ∆A → (D4) → ∆B → (D4) → ∆A ∆A → (D4) → ∆B → (D3) → ∆A . Note that differences ∆A’s and ∆B’s in the above list should be austed as required: When, for example, the former pattern is D1 and the latter is D2,we think of ∆A as (0,∆X,0, 0) and ∆B as (∆X, 0, 0, 0), adopting the respective output differences of the preceding R functions. We have investigated character- istics of the above types and found that the differential characteristics with the highest probability have the pattern ∆A → (D4) → ∆B → (D3) → ∆A with probability 2−58. An example of such a characteristic is given below: -B-R5×R5-B-R3×R3- (0x01120000 0x01124400 0x01124400 0) −15 B ↓ B 2 ( 0 0x01124400 0 0) F R5 ( 00) ←− ( 00) 1 R F 2−16 5 (0x01124400 0x00020000) ←− ( 0 0x01124400) (0x01124400 0x00020000 0 0x01124400) −11 B ↓ B 2 (0x01124400 0 0 0) F R3 ( 00) ←− ( 00) 1 F −16 R3 (0x01120000 0x01124400) ←− (0x01124400 0) 2 . Differential and Linear Cryptanalysis of a Reduced-Round SC2000 41 The probability 2−58 of this characteristic is higher than 2−66, the probability obtained for the two-round differential characteristic from the one-round itera- tive characteristic with the highest probability that we found. We will later use the former characteristic in our differential attack on a reduced-round SC2000. 3.2 Linear Characteristics As with the differential probability, the linear distribution tables tell us that the number of nonzero masks for the S5 and S6 boxes in the S function have a stronger effect on the overall linear probability than the number for the S4 boxes in the B function; given a pair of nonzero input/output masks, the linear † −2 −4 −4 probability for S4 is either 2 or 2 , while for S5 it is 2 and for S6 it is between 2−4 and 2−8. We investigate the linear characteristics in the same way as the iterative dif- ferential characteristics, i.e., we examine the linear characteristics with a nonzero mask in a single one of the four S functions in a -B-R×R- cycle. One-RoundCharacteristics. We investigate those one-round iterative char- acteristics whose masks have a nonzero value in a single one of the four S func- tions in a -B-R×R- cycle. We illustrate the mask patterns of the characteristics we investigate in Fig. 4. We call the respective types of mask pattern L1, L2, L3 and L4, according to the position of the S function that has a nonzero mask. We investigated characteristics of these types and found that the linear char- acteristics with the highest probability have probabilities of 2−28.83 for −28 -B-R5×R5- and of 2 for -B-R3×R3-. All of them are of type L2. Below, we give examples of such linear characteristics for both -B-R5×R5- and -B-R3×R3-: -B-R5×R5- ( 0 0 0x84380080 0x04100000) −20 B ↓ B 2 (0x84380080 0x04100000 0 0x84180000) F −8.83 R5 (0x84380080 0x04100000) ←− ( 0 0x84180000) 2 F R5 ( 00) ←− ( 00) 1, -B-R3×R3- ( 0 0 0x12020040 0x12020000) −10 B ↓ B 2 (0x12020040 0x12020000 0 0x12020040) F −18 R3 (0x12020040 0x12020000) ←− ( 0 0x12020040) 2 F R3 ( 00) ←− ( 00) 1. † In Yanami and Shimoyama [17], the authors used 2−2 or2 −3 forthis probability, which turned out to be wrong. We have re-examined linear characteristics with the correct values. 42 H. Yanami, T. Shimoyama, and O. Dunkelman 0 0 ΓY mask ΓY 0 0 ΓYΓY mask B B ΓY mask ΓY ΓX 0 ΓYΓY mask 0 ΓX ΓY mask ΓY ΓX’ ΓX M S ΓY00 M 0 S L L ΓY00 0 ΓY mask ΓY ΓX’ ΓX M S M S 0 0 0 0 0 0 0 0 M S M S L L 0000 0000 M S M S 0 0 ΓY mask ΓY 0 0 ΓYΓY mask L1 L2 ΓY mask ΓY ΓX 0 ΓYΓY mask 0 ΓX B B 0 0 ΓY mask ΓY 0 0 ΓYΓY mask 0 0 0 0 0 0 0 0 M S M S L L 0000 0000 M S M S ΓY mask ΓY ΓX’ ΓX M S ΓY00 M 0 S L L ΓY00 0 ΓY mask ΓY ΓX’ ΓX M S M S ΓY mask ΓY ΓX 0 ΓYΓY mask 0 ΓX L3 L4 Fig. 4. Patterns of masks It is not possible for these characteristics to pass through the sequence when the constant is changed into the other one. The highest probability for any linear characteristics which do pass through both constants is 2−36.83. An example of such a linear characteristic is: -B-R×R- ( 0 0 0x11108008 0x11100000) −14 B ↓ B 2 (0x11108008 0x11100000 0 0x11108008) R (0x11108008 0x11100000) ←−F ( 0 0x11108008) 2−22.83 R ( 00) ←−F ( 00) 1. Differential and Linear Cryptanalysis of a Reduced-Round SC2000 43 We are able to construct an n-round linear characteristic with probability 2−36.83n by concatenating the above characteristic n times. Two-RoundCharacteristics. We can apply the same method as we used for the differential case. We can use the linear distribution table of S4 to judge whether or not Li and Lj can be concatenated (see the Appendix). Below, we list those pairs that need to be investigated: -B-R5×R5--B-R3×R3- -B-R5×R5--B-R3×R3- ΓA → (L1) → ΓB → (L1) → ΓA ΓA → (L1) → ΓB → (L2) → ΓA ΓA → (L2) → ΓB → (L2) → ΓA ΓA → (L2) → ΓB → (L1) → ΓA ΓA → (L3) → ΓB → (L3) → ΓA ΓA → (L3) → ΓB → (L4) → ΓA ΓA → (L4) → ΓB → (L4) → ΓA ΓA → (L4) → ΓB → (L3) → ΓA . The masks ΓA and ΓB should be considered as the masks output by the imme- diately preceding R functions, respectively. We have investigated characteristics of the above types and found that the linear characteristics with the highest probability have the pattern ΓA → (L4) → ΓB → (L4) → ΓA. The probability of these linear characteristics is 2−56. We list a example of such a characteristic below: -B-R5×R5-B-R3×R3- (0x204000a2 0x20000022 0 0x20400022) −12 B ↓ B 2 ( 0 0 0x204000a2 0x00400000) F R5 ( 00) ←− ( 00) 1 R F 2−16 5 (0x204000a2 0x00400000) ←− ( 0 0x20400022) (0x204000a2 0x00400000 0 0x20400022) −12 B ↓ B 2 ( 0 0 0x204000a2 0x20000022) F R3 ( 00) ←− ( 00) 1 F −16 R3 (0x204000a2 0x20000022) ←− ( 0 0x20400022) 2 . The probability 2−56 of this characteristic is much higher than 2−73.66, the probability of the two-round linear characteristic obtained from any one of the one-round iterative characteristics with the highest probability which we had previously found. We use this characteristic in our linear attack on a reduced- round SC2000. 4 A Differential Attackon 4.5-Round SC2000 We now present our attack on a reduced-round SC2000 with 128-bit user key. By using a differential or linear characteristic with the highest probability which we had obtained in our search, we were able to attack the following four-and-a- half-round SC2000: 44 H. Yanami, T. Shimoyama, and O. Dunkelman I-B-I-R5×R5-I-B-I-R3×R3-I-B-I-R5×R5-I-B-I-R3×R3-I-B-I. In this section, we illustrate how we use our differential attack to guess some bits in subkeys. Our linear attack will be described in the next section. Our differential attack utilizes the two-round iterative differential character- istic with probability 2−58, which we mentioned in Section 3.1. By concatenating the two-round differential characteristic we mentioned in Section 3.1 twice (and removing one B function), we obtain a three-and-a-half-round differential char- acteristic with probability 2−101. We apply the characteristic in the following way: 101 0 16 11 0 16 15 0 16 11 0 16 Input- ⊕ -B -R -R -B -R -R -B -R -R -B -R -R -B - ⊕ - Output, K1 K2 (1) (2) where the numeral above the B is read as “the differential probability for the B function is 2−15.” We present a table of total differential probabilities according to the number of functions in the Appendix. By using this differential characteristic, we are able to deduce 40 bits in the subkeys K1 and K2. These subkey bits correspond to the five active S-boxes of the first B function and the five active S-boxes of the last B function. We used the following algorithm to retrieve these 40 bits in the subkeys K1 and K2: – We start by encrypting 284 structures, where each structure contains 220 plaintexts which have the same value in the 108 inactive bits in the first B function, and with the 20 active bits varying across all possible values. – In each structure we look for collisions in the 108 inactive output bits of the last B function. – When a collision is detected, we analyze the pair of plaintexts and cipher- texts, and check for the subkey values where the pair satisfied the differential characteristic. For each subkey which satisfies the characteristic, we incre- ment the counter by 1. – In the end, we go over all of the subkey counters and output the subkey that corresponds to counter with the highest number. As each structure induces 219 pairs, we have in total 2103 pairs which have the same input difference as the input of the characteristic above after the B function. We would expect the right subkey to be suggested about four times. Since in each structure the chance that two of the 220 ciphertexts will agree is about (220)2/2 · 2−108 =2−69, we would also expect 2−69 · 284 =215 false hits varying over all the 240 possible subkeys, These false hits have few effects on subkey-counting. Thus, we are assured with a very high probability that the suggested subkey is the correct one. The time complexity of this attack (aside from the 2104 encryptions) is the time taken to hash the ciphertexts in each structure according to the 108 inactive bits, plus the time taken to analyze the 215 suggested pairs. The first term may be neglected as representing part of the encryption, and the analysis can be done in about 220 memory accesses. Differential and Linear Cryptanalysis of a Reduced-Round SC2000 45 5 Linear Attacks on 4.5-Round SC2000 We now present our linear attack on a reduced-round SC2000 with 128-bit user key. By using the linear characteristic with the highest probability which we had obtained in our search, we are able to attack the following four-and-a-half-round SC2000: I-B-I-R5×R5-I-B-I-R3×R3-I-B-I-R5×R5-I-B-I-R3×R3-I-B-I. We now illustrate how we use the linear attack to guess subkeys. We use the two-round iterative linear characteristic with probability 2−56 from Section 3.2. By concatenating this characteristic twice, we obtain a four-round linear characteristic with probability 2−112. We illustrate two types of attacks; in one, the four-round linear characteristic is used; in the other, the three-and-a-half- round characteristic obtained by eliminating the first B function from the four- round one is used. We illustrate both attacks in due order. 5.1 Attack Using a Four-RoundCharacteristic We use the following four-round linear characteristic with probability 2−112: 112 12 16 0 12 16 0 12 16 0 12 16 0 Input-B -R -R -B -R -R -B -R -R -B -R -R -B - ⊕ - Output, K1 (1) where the numeral 12 above the B is read as “the linear probability of passage through the B function is 2−12.” We present a table of total linear probabilities according to the number of functions in the Appendix. We are able to deduce 20 bits in the subkey K1, which consists of four 32-bit subkeys. In the last B function (1), output mask is only related to the five S4 S-boxes. As there are only 20 ciphertext bits which interest us, we are able to count the number of occurrences of each case, and do this analysis once for each 20-bit ciphertext value. The following algorithm is capable of extracting the 20 subkey bits: – Initialize a 220 array of counters (corresponding to the 20 ciphertext bits which are related to the characteristic). – Encrypt 2112 · 9=2115.17 plaintexts. – For each plaintext and its corresponding ciphertext add or subtract 1 (ac- cording to the parity of the input subset) to/from the counter related to the given 20 ciphertext bits. – After counting all occurrences of the given 20 ciphertext bits, for each subkey and for each 20 bit value, calculate the parity of the output subset. – Rank the subkey candidates according to their respective biases from 1/2. We expect the right subkey to be highly ranked, and on this basis guess that the top-ranked candidate is the right subkey. The time complexity of the above 46 H. Yanami, T. Shimoyama, and O. Dunkelman 40 42.32 algorithm is at most 2 · 5=2 S4 calls. The success rate for the above algorithm is at least 62.3%. We can use key ranking to improve the success rate without affecting the complexity of the data. We conclude that our linear attack 115.17 42.32 requires 2 known plaintexts and 2 S4 calls. 5.2 Attack Basedon a 3.5-RoundCharacteristic We use the following linear characteristic with probability 2−100: 100 16 0 12 16 0 12 16 0 12 16 0 Input- ⊕ -B -R -R -B -R -R -B -R -R -B -R -R -B - ⊕ - Output. K1 K2 (1) (2) We need to infer 20 bits in each of K1 and K2. By making a small change to the above algorithm (taking the 40 plaintext and ciphertext bits into consideration, and trying 40 subkey bits) we obtain the 104.32 83.32 result that, given 2 known plaintexts, the attack requires 2 S4 calls. 6 Conclusions We have studied the security of SC2000 against differential and linear crypt- analysis. Taking the periodic structure of SC2000 into consideration, we have investigated two-round iterative characteristics in which the differences or masks have a nonzero value in only one of the four S functions in each -B-R×R- cycle, and found iterative differential characteristics with probability 2−58 and iterative linear characteristics with probability 2−56. We respectively utilized the best differential and best linear characteristic we found. We have presented both differential and linear attacks on the four-and-a- half-round SC2000. Our differential attack needs 2104 pairs of chosen plaintexts and 220 memory accesses, and our linear attack requires 2115.17 known plaintexts 42.32 104.32 83.32 and 2 S4 calls, or 2 known plaintexts and 2 S4 calls. Either attack is capable of deducing 40 bits in the subkeys used in the first and last I functions. We stress that neither our differential nor our linear attack would work on the full-round SC2000, which has six and a half rounds. The equivalent differen- tial and linear characteristics needed to attack 6.5-round SC2000 has respective probabilities of 2−159 and 2−156. We conclude that these figures show that these attacks are not applicable to the full-round SC2000. References 1. E. Biham and A. Shamir, Differential Cryptanalysis of DES-like Cryptosystems, CRYPTO ’90, LNCS 537, pp.2-21, 1991. 2. E. Biham and A. Shamir, Differential Cryptanalysis of the Full 16-round DES, CRYPTO ’92, LNCS 740, pp.487-496, 1993. Differential and Linear Cryptanalysis of a Reduced-Round SC2000 47 3. CRYPTREC project – Evaluation of Cryptographic Techniques. (http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html) 4. O. Dunkelman and N. Keller, Boomerang and Rectangle Attack on SC2000, Pro- ceedings of Second Open NESSIE Workshop, September 12-13, 2001. 5. L. R. Knudsen and H. Raddum, Afirst report on Whirlpool, NUSH, SC2000, Noekeon, Two-Track-Mac and RC6, 2001. (http://www.cosic.esat.kuleuven.ac.be/nessie/reports/) 6. M. Matsui and A. Yamagishi, Anew method for known plaintext attack of FEAL cipher, EUROCRYPT ’92, LNCS 658, pp.81-91, 1993. 7. M. Matsui, Linear Cryptanalysis Method for DES Cipher, EUROCRYPT ’93, LNCS 765, pp.386-397, 1994. 8. M. Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard, CRYPTO ’94, LNCS 839, pp.1-11, 1994. 9. M. Matsui, On Correlation Between the Order of S-boxes and the Strength of DES, EUROCRYPT ’94, LNCS 950, pp.366-375, 1995. 10. S. Murphy, The cryptanalysis of FEAL-4 with 20 chosen plaintexts, Journal of Cryptology 2(, pp.145-154, 1990. 11. NESSIE - New European Schemes for Signatures, Integrity and Encryption. (http://www.nessie.eu.org/nessie) 12. H. Raddum, L. Knudsen, ADifferential Attackon Reduced-Round SC2000 Pro- ceedings of Second Open NESSIE Workshop, September 12-13, 2001. 13. T. Shimoyama, H. Yanami, K. Yokoyama, M. Takenaka, K. Itoh, J. Yajima, N. Torii, H. Tanaka, The SC2000 Block Cipher, Proceedings of First Open NESSIE Workshop, November 13-14, 2000. 14. T. Shimoyama, H. Yanami, K. Yokoyama, M. Takenaka, K. Itoh, J. Yajima, N. Torii, H. Tanaka, The Block Cipher SC2000, Preproceedings of 8th Fast Software Encryption Workshop, April 2-4, 2001. 15. H. Yanami, T. Shimoyama, Differential/Linear Characteristics of the SC2000 Block Cipher, Proceedings of the 2001 Symposium on Cryptography and Information Security, SCIS2001-12A-2, pp.653-658, 2001, in Japanese. 16. H. Yanami, T. Shimoyama, Differential/Linear Characteristics of the SC2000 Block Cipher (II), IEICE Technical Report, ISEC2001-10, pp.63-70, 2001, in Japanese. 17. H. Yanami, T. Shimoyama, Differential and Linear Cryptanalysis of Reduced- Round SC2000, Proceedings of Second Open NESSIE Workshop, September 12-13, 2001. 48 H. Yanami, T. Shimoyama, and O. Dunkelman Appendix Differential distribution table of S4 ∆Out ∆In0x00x10x20x30x40x50x60x70x80x90xa0xb0xc0xd0xe0xf 0x0 16000000000000000 0x1 0000002222222200 0x2 0000204222000202 0x3 0000202000222042 0x4 0002020402220020 0x5 0240020000200420 0x6 0204200020000240 0x7 0002240022020200 0x8 0024040200200002 0x9 0002200040022004 0xa 0222220200202000 0xb 0200020004024002 0xc 0240002004200200 0xd 0420200020220002 0xe 0200202200022220 0xf 0020004220002022 (Prob = {∆In → ∆Out} = x/16) Lineardistributiontable of S4 ΓOut ΓIn0x00x10x20x30x40x50x60x70x80x90xa0xb0xc0xd0xe0xf 0x0 8000000000000000 0x1 000022-2-240042-22-2 0x2 0000-440022-2-2-2-2-2-2 0x3 0000-2-2-2-2-22-22040-4 0x4 022-402-2002-200224 0x5 02-202402-4220200-2 0x6 0-2-2-40-2-24200-2200-2 0x7 0-220200-2-20-4-24-2-20 0x8 0-2-2002-2-40-22-40220 0x9 02-2-4204-20-2-20-200-2 0xa 0-2-200220200224-42 0xb 02-24200220-4-20220 0xc 040000-400-40000-40 0xd 00-402-2-2-20400-2-2-22 0xe 00404000222-2-22-2-2 0xf 0400-2-22-2222-24000 (Prob{In · ΓIn + Out · ΓOut =0}−1/2=x/16) Probability list obtained from our best differential characteristic Number of functions 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Function name B R5 R5 B R3 R3 B R5 R5 B R3 R3 B R5 R5 B R3 Probability 15 0 16 11 0 16 15 0 16 11 0 16 15 0 16 11 0 Total probability 15 15 31 42 42 58 73 73 89 100 100 116 131 131 147 158 158 Probability list obtained from our best linear characteristic Number of functions 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Function name B R5 R5 B R3 R3 B R5 R5 B R3 R3 B R5 R5 B R3 Probability 12 0 16 12 0 16 12 0 16 12 0 16 12 0 16 12 0 Total probability 12 12 28 40 40 56 68 68 84 96 96 112 124 124 140 152 152 Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA Dukjae Moon, Kyungdeok Hwang, Wonil Lee, Sangjin Lee, and Jongin Lim Center for Information and Security Technologies(CIST), Korea University, Anam Dong, Sungbuk Gu, Seoul, KOREA {djmoon, kdhwang, wonil, sangjin, jilim}@cist.korea.ac.kr Abstract. We present the impossible differential cryptanalysis of the block cipher XTEA[7] and TEA[6]. The core of the design principle of these block ciphers is an easy implementation and a simplicity. But this simplicity dose not offer a large diffusion property. Our impossible dif- ferential cryptanalysis of reduced-round versions of XTEA and TEA is based on this fact. We will show how to construct a 12-round impossible characteristic of XTEA. We can then derive 128-bit user key of the 14- round XTEA with 262.5 chosen plaintexts and 285 encryption times using the 12-round impossible characteristic. In addition, we will show how to construct a 10-round impossible characteristic of TEA. Then we can de- rive 128-bit user key of the 11-round TEA with 252.5 chosen plaintexts and 284 encryption times using the 10-round impossible characteristic. 1 Introduction In 1990, E. Biham and A. Shamir proposed the differential cryptanalysis[1]. Later, it was regarded as a very useful method in attacking the known block ciphers. For these reasons, block ciphers have been designed to be secure against the differential cryptanalysis since the middle of 1990’s. The differ- ential cryptanalysis has also been advanced variously - truncated differential cryptanalysis[4], higher order differential cryptanalysis[5], impossible differential cryptanalysis[3], and so on. In 1998, the impossible differential cryptanalysis[3] was proposed by E. Bi- ham et al. This cryptanalysis is a chosen plaintext attack and applied to the reduced 31 rounds of Skipjack. The traditional differential cryptanalysis finds a key using the differential characteristic with high probability. But the impossi- ble differential cryptanalysis uses the differential characteristic with probability zero. The general impossible differential cryptanalysis can be briefly described as follows: First of all, we must find an impossible differential characteristic. We then choose any plaintext pairs with the input difference of the impossi- ble differential characteristic, and obtain the corresponding ciphertext pairs. We eliminate the ciphertext pairs which are not satisfied with a special property derived from the impossible differential characteristic. For each key value in the key space of the last one or two rounds, we decrypt the ciphertext pairs with J. Daemen and V. Rijmen (Eds.): FSE 2002, LNCS 2365, pp. 49–60, 2002. c Springer-Verlag Berlin Heidelberg 2002 50 D. Moon et al. that key value and if the differences of the decrypted ciphertext pairs satisfy the output difference of the impossible differential characteristic, then we eliminate the key value from the key space. We repeat the above process until the only one key value remains with very high probability. In this paper, we describe an impossible differential cryptanalysis of 14-round XTEA. It is based on a 12-round impossible differential characteristic. We will be able to find the 128-bit user key of 14-round XTEAwith 2 62.5 chosen plain- texts and 285 encryption times. In addition, we present an impossible differential cryptanalysis of 11-round TEA. To find the 128-bit user key of 11-round TEA, this cryptanalysis uses a 10-round impossible differential characteristic and re- quires 252.5 chosen plaintexts and 284 encryption times. The paper is organized as follows: In Section 2, we introduce notation. The description of algorithms of TEAand XTEAis briefly given in Section 3. In Section 4, we explain how to construct a 12-round impossible differential char- acteristic of XTEAand a 10-round impossible differential characteristic of TEA. In Section 5, we describe our attack on 14-round XTEAand 11-round TEA. Finally, we summarize our results and conclude this paper. 2 Notation We introduce notation as follows for some binary operations. Exclusive-OR : The operation of addition of n-tuples over the field F2 (also known as exlusive- or) is denoted by x ⊕ y. Integer Addition : The addition operation of integers under modulo 2n is denoted by x y (where x , y ∈ Z2n ). The value of n will be clear from the context. Bitwise Shifts : The logical left shift of x by y bits is denoted by x y. The logical right shift of x by y bits is denoted by x y. 3 Description of TEA and XTEA TEA(Tiny Encryption Algorithm)[6] was presented by David J. Wheeler et al. TEAwas designed for a short program which would run on most machines and encrypt safely. This cipher used a simple key schedule. But because of the simple key schedule, the related key attack[8] was possible. To repair this weakness, designers of TEAproposed XTEA(TEAExtensions)[7]which evolved from TEA. Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA 51 PL PR ...... K1 . . . . ❄ . . . . ✛ . . F ...... One Cycle ...... K2 . . . . ❄ . . . . ✛ . . F ...... K63 ❄ ✛ F K64 ❄ ✛ F CL CR Fig. 1. The structure of TEA/XTEA 52 D. Moon et al. 3.1 The Tiny Encryption Algorithm(TEA) TEAis a 64-bit iterated block cipher with 64 rounds, as shown in Fig. 1. TEA can be represented as 32 cycles in which one cycle is two rounds. The round function F consists of the key addition, bitwise XOR and left and right shift operation. We can describe the output (Yi+1,Zi+1)ofthei-th cycle of TEA with the input (Yi,Zi) as follows (See Fig. 2): Yi+1 = Yi F (Zi,K[0, 1],δi), Zi+1 = Zi F (Yi+1,K[2, 3],δi), i +1 δ = ·δ, i 2 where the round function F is defined by F (X, K[j, k],δi)=((X 4) K[j]) ⊕ (X δi) ⊕ ((X 5) K[k]). The constant δ =9E3779B9h is derived from the golden number, where ‘h’ represents the hexadecimal number, e.g., 10h = 16. Yi Zi K[0] 4 ✛ δ ✛ ❄✛ i ✻ K[1] 5 ✛ K[2] 4 ✛ δ ✛ ❄✛ i ✻ K[3] 5 ✛ Yi+1 Zi+1 Fig. 2. The i-th cycle of TEA The key schedule algorithm is very simple. The 128-bit user key K is split into four 32-bit blocks K =(K[0],K[1],K[2],K[3]). Then the round keys Kr are as follows: Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA 53 (K[0],K[1]) if r is odd K = r (K[2],K[3]) if r is even, where r =1,··· , 64. Yi Zi