Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Cryptanalysis of TEA, XTEA and HIGHT

Jiazhe Chen1,2 Meiqin Wang1,2 Bart Preneel2

1Shangdong University, China

2KU Leuven, ESAT/COSIC and IBBT, Belgium

AfricaCrypt 2012 July 10, 2012

1 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Preliminaries Impossible Differential Attack TEA, XTEA and HIGHT

Impossible Differential Attacks on TEA and XTEA Deriving Impossible Differentials for TEA and XTEA Key Recovery Attacks on TEA and XTEA

Impossible Differential Cryptanalysis of HIGHT Impossible Differential Attacks on HIGHT

Conclusion

2 / 27 I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, ∆B 6= ∆F, Pr(∆A → ∆G) = 0

I Extend the impossible differential forward and backward to attack a block cipher

I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong

P

I

A

B

F

G II

C

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attack Impossible Differential Attack

3 / 27 I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, ∆B 6= ∆F, Pr(∆A → ∆G) = 0

I Extend the impossible differential forward and backward to attack a block cipher

I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attack Impossible Differential Attack

P

I

A

B

F

G II

C

3 / 27 I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, ∆B 6= ∆F, Pr(∆A → ∆G) = 0

I Extend the impossible differential forward and backward to attack a block cipher

I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attack Impossible Differential Attack

P

I

A

B

F

G II

C

3 / 27 I Extend the impossible differential forward and backward to attack a block cipher

I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attack Impossible Differential Attack

P I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, I ∆B 6= ∆F, A Pr(∆A → ∆G) = 0

B

F

G II

C

3 / 27 I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attack Impossible Differential Attack

P I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, I ∆B 6= ∆F, A Pr(∆A → ∆G) = 0

I Extend the impossible differential

B forward and backward to attack a block cipher F

G II

C

3 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attack Impossible Differential Attack

P I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, I ∆B 6= ∆F, A Pr(∆A → ∆G) = 0

I Extend the impossible differential

B forward and backward to attack a block cipher F I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then G the subkey guess must be wrong II

C

3 / 27 I TEA was used in Microsoft’s Xbox gaming console

I Both TEA and XTEA are implemented in the Linux kernel

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

TEA, XTEA and HIGHT TEA and XTEA

Li Ri+1 F Li Ri K[0] F <<4 <<4 i·δ K[(i·δ>>11)&3] δ Ͱ Ͱ Ͱ >>5 K[1] >>5

Li+1 Ri+1 TEA Li+1 Ri+1 XTEA

I 64 rounds; block size: 64 bits; key size: 128 bits

4 / 27 I Both TEA and XTEA are implemented in the Linux kernel

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

TEA, XTEA and HIGHT TEA and XTEA

Li Ri+1 F Li Ri K[0] F <<4 <<4 i·δ K[(i·δ>>11)&3] δ Ͱ Ͱ Ͱ >>5 K[1] >>5

Li+1 Ri+1 TEA Li+1 Ri+1 XTEA

I 64 rounds; block size: 64 bits; key size: 128 bits

I TEA was used in Microsoft’s Xbox gaming console

4 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

TEA, XTEA and HIGHT TEA and XTEA

Li Ri+1 F Li Ri K[0] F <<4 <<4 i·δ K[(i·δ>>11)&3] δ Ͱ Ͱ Ͱ >>5 K[1] >>5

Li+1 Ri+1 TEA Li+1 Ri+1 XTEA

I 64 rounds; block size: 64 bits; key size: 128 bits

I TEA was used in Microsoft’s Xbox gaming console

I Both TEA and XTEA are implemented in the Linux kernel

4 / 27 I HIGHT is adopted as an International Standard by ISO/IEC 18033-3

I A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

TEA, XTEA and HIGHT HIGHT

i i i i i Xi Xi Xi X 7 X 6 X 5 X 4 X 3 2 1 0 SK4( i+1)- 1 SK4(i+1 )-2 SK4(i+1)-3 SK4(i+1)-4

F0 F1 F0 F1

i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X7 X6 X5 X4 X3 X2 X1 X0

F0(x) = (x ≪ 1) ⊕ (x ≪ 2) ⊕ (x ≪ 7), F1(x) = (x ≪ 3) ⊕ (x ≪ 4) ⊕ (x ≪ 6) I 32 rounds; block size: 64 bits; key size: 128 bits

5 / 27 I A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

TEA, XTEA and HIGHT HIGHT

i i i i i Xi Xi Xi X 7 X 6 X 5 X 4 X 3 2 1 0 SK4( i+1)- 1 SK4(i+1 )-2 SK4(i+1)-3 SK4(i+1)-4

F0 F1 F0 F1

i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X7 X6 X5 X4 X3 X2 X1 X0

F0(x) = (x ≪ 1) ⊕ (x ≪ 2) ⊕ (x ≪ 7), F1(x) = (x ≪ 3) ⊕ (x ≪ 4) ⊕ (x ≪ 6) I 32 rounds; block size: 64 bits; key size: 128 bits

I HIGHT is adopted as an International Standard by ISO/IEC 18033-3

5 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

TEA, XTEA and HIGHT HIGHT

i i i i i Xi Xi Xi X 7 X 6 X 5 X 4 X 3 2 1 0 SK4( i+1)- 1 SK4(i+1 )-2 SK4(i+1)-3 SK4(i+1)-4

F0 F1 F0 F1

i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X7 X6 X5 X4 X3 X2 X1 X0

F0(x) = (x ≪ 1) ⊕ (x ≪ 2) ⊕ (x ≪ 7), F1(x) = (x ≪ 3) ⊕ (x ≪ 4) ⊕ (x ≪ 6) I 32 rounds; block size: 64 bits; key size: 128 bits

I HIGHT is adopted as an International Standard by ISO/IEC 18033-3

I A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion

5 / 27 I D[i]: a 32-bit difference where the i-th bit is 1, the first to the (i − 1)-th bits are 0, and the (i + 1)-th to 32-th bits are indeterminate. For i < 0, D[i] means that all the 32 bits of the difference are indeterminate.

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Deriving Impossible Differentials for TEA and XTEA Some Notations

I e0: (???????0)2, e1: (???????1)2, e4: (?????100)2

6 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Deriving Impossible Differentials for TEA and XTEA Some Notations

I e0: (???????0)2, e1: (???????1)2, e4: (?????100)2 I D[i]: a 32-bit difference where the i-th bit is 1, the first to the (i − 1)-th bits are 0, and the (i + 1)-th to 32-th bits are indeterminate. For i < 0, D[i] means that all the 32 bits of the difference are indeterminate.

6 / 27 Property If the input difference of the i-th round of XTEA (TEA) is (D[m], D[n]), where (m > n − 5), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], D[q]), where (q > p − 5), then the input difference is (D[p − 5], D[p]).

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Deriving Impossible Differentials for TEA and XTEA

Impossible Differential for ARX (ASX) type cipher: looking for one-bit contradiction. Property If the input difference of the i-th round of XTEA (TEA) is (0, D[n]), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], 0), then the input difference is (D[p − 5], D[p]).

7 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Deriving Impossible Differentials for TEA and XTEA

Impossible Differential for ARX (ASX) type cipher: looking for one-bit contradiction. Property If the input difference of the i-th round of XTEA (TEA) is (0, D[n]), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], 0), then the input difference is (D[p − 5], D[p]). Property If the input difference of the i-th round of XTEA (TEA) is (D[m], D[n]), where (m > n − 5), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], D[q]), where (q > p − 5), then the input difference is (D[p − 5], D[p]).

7 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Deriving Impossible Differentials for TEA and XTEA Impossible Differential of TEA and XTEA

If we choose the input difference to be (0, D[n]) (or (D[m], D[n]) (m > n − 5)), then after i rounds, the difference should be of the form (D[n − 5(i − 1)], D[n − 5i]). Similarly, if we choose the output difference (D[p], 0) (or (D[p], D[q]) (q > p − 5)), then after propagating backwards for j rounds, the difference should be of the form (D[p − 5j], D[p − 5(j − 1)]). Then at least one bit contradiction will appear if

n − 5(i − 1) > 0, p − 5j > 0, n − 5(i − 1) 6= p − 5j.

8 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Deriving Impossible Differentials for TEA and XTEA Impossible Differentials of TEA and XTEA

F Round 1 F Round 1

F Round 2 F Round 2

F Round 3 F Round 3

F Round 4 F Round 4

F Round 5 F Round 5

F Round 6 F Round 6

F Round 7 F Round 7

contradiction contradiction

F Round 8 F Round 8

F Round 9 F Round 9

F Round 10 F Round 10

F Round 11 F Round 11

F Round 12 F Round 12

F Round 13 F Round 13

F Round 14

9 / 27 Property Given x, x0, y, y 0 be n-bit values, and z = (x + y) mod 2n, z0 = (x0 + y 0) mod 2n. If the i-th (counting from 1) to j-th bits of 0 0 0 0 0 x, x , y, y and the i-th carry ci , ci of x + y, x + y are known, then the i-th to j-th (i < j ≤ n) bits of ∆z can be obtained, regardless of the values of least significant i − 1 bits of x (or x0), y (or y 0). Note that if there are no differences in the the least 0 0 0 significant i − 1 bits of x + y and x + y , then ci = ci .

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Properties for Key Recovery

Theorem[Daum] n Let [x + y] be (x + y) mod 2 , then [x + y]i = xi ⊕ yi ⊕ ci (i = 1, ..., n), where c1 = 0 and ci = xi−1yi−1 ⊕ xi−1ci−1 ⊕ yi−1ci−1, for i = 2, ..., n.

10 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Properties for Key Recovery

Theorem[Daum] n Let [x + y] be (x + y) mod 2 , then [x + y]i = xi ⊕ yi ⊕ ci (i = 1, ..., n), where c1 = 0 and ci = xi−1yi−1 ⊕ xi−1ci−1 ⊕ yi−1ci−1, for i = 2, ..., n. Property Given x, x0, y, y 0 be n-bit values, and z = (x + y) mod 2n, z0 = (x0 + y 0) mod 2n. If the i-th (counting from 1) to j-th bits of 0 0 0 0 0 x, x , y, y and the i-th carry ci , ci of x + y, x + y are known, then the i-th to j-th (i < j ≤ n) bits of ∆z can be obtained, regardless of the values of least significant i − 1 bits of x (or x0), y (or y 0). Note that if there are no differences in the the least 0 0 0 significant i − 1 bits of x + y and x + y , then ci = ci .

10 / 27 I XTEA:

K0 K3 K1 K2 K2 K1 K3 K0 K0 K0 K1 K3 K2 K2 K3 K1

K0 K0 K1 K0 K2 K3 K3 K2 K0 K1 K1 K1 K2 K0 K3 K3

K0 K2 K1 K1 K2 K1 K3 K0 K0 K3 K1 K2 K2 K1 K3 K1

K0 K0 K1 K3 K2 K2 K3 K2 K0 K1 K1 K0 K2 K3 K3 K2

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Key Schedule

I TEA: (K0, K1), (K2, K3), (K0, K1), (K2, K3) ...

11 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Key Schedule

I TEA: (K0, K1), (K2, K3), (K0, K1), (K2, K3) ... I XTEA:

K0 K3 K1 K2 K2 K1 K3 K0 K0 K0 K1 K3 K2 K2 K3 K1

K0 K0 K1 K0 K2 K3 K3 K2 K0 K1 K1 K1 K2 K0 K3 K3

K0 K2 K1 K1 K2 K1 K3 K0 K0 K3 K1 K2 K2 K1 K3 K1

K0 K0 K1 K3 K2 K2 K3 K2 K0 K1 K1 K0 K2 K3 K3 K2

11 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Key Schedule

Set s0 ← 0, s1 ← 1, s2 ← 0, s3 ← 1, s4 ← 1, s5 ← 0 and s6 ← 1.

δ0 = s6||s5||s4||s3||s2||s1||s0. For i = 1 to 127,

si+6 = si+2 ⊕ si−1,

δi = si+6||si+5||si+4||si+3||si+2||si+1||si . I HIGHT: For i = 0 to 7, for j = 0 to 7,

SK16i+j = MK(j−i) mod 8
δ16i+j . for j = 0 to 7,

SK16i+j+8 = MK((j−i) mod 8)+8
δ16i+j+8.

12 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Impossible Differential Attacks on TEA and XTEA

F 5RXQG

5RXQG F

F 5RXQG F 5RXQG F 5RXQG F 5RXQG F 5RXQG 13-Round Impossible Differential

14-Round Impossible Differential F 5RXQG F 5RXQG F 5RXQG F 5RXQG

F 5RXQG

5RXQG F

13 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Attack on 23-Round XTEA

Step Guess Bits Complexity Sieve on Conds Pairs Kept

97.8 79.3 1 K1 : 1 ∼ 12 2 round 6 10 2

97.8 69.3 2 K1 : 13 ∼ 22 2 round 28 10 2

98.8 49.3 3 K1 : 23 ∼ 32 2 round 26,27 20 2

85.8 43.3 4 K0 : 26 ∼ 32, c1 * 2 round 25 6 2

90.8 33.3 5 K3 : 7 ∼ 17, c2 † 2 round 7 10 2

103.8 23.3 6 K3 : 1 ∼ 6, 18 ∼ 32, K0 : 12 ∼ 22, c3 ‡ 2 round 8 10 2

114.9 7 K0 : 1 ∼ 11, 23 ∼ 25 2 round 9,10 20 −

*c1 is the 26th carry in the left modular addition of the 25th round

† c2 is the 7th carry in the left modular addition of the 7th round

‡ c3 is the 12th carry in the left modular addition of the 8th round

14 / 27 I Attack on TEA → 19 rounds

I Attack on XTEA → 26 rounds

I With complexities close to exhaustive search

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Using the Full Codebook

I Impossible differential → 15 rounds

15 / 27 I Attack on XTEA → 26 rounds

I With complexities close to exhaustive search

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Using the Full Codebook

I Impossible differential → 15 rounds

I Attack on TEA → 19 rounds

15 / 27 I With complexities close to exhaustive search

Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Using the Full Codebook

I Impossible differential → 15 rounds

I Attack on TEA → 19 rounds

I Attack on XTEA → 26 rounds

15 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Key Recovery Attacks on TEA and XTEA Using the Full Codebook

I Impossible differential → 15 rounds

I Attack on TEA → 19 rounds

I Attack on XTEA → 26 rounds

I With complexities close to exhaustive search

15 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT

i i i i i i i i i ∆X7 ∆X6 ∆X5 ∆X4 ∆X3 ∆X2 ∆X1 ∆X0 9 0 0 0 0 e 0 0 0 1 i ∆X i ∆X i ∆X i ∆X i ∆X i ∆X i ∆X i ∆X i 10 0 0 0 e 0 0 0 0 7 6 5 4 3 2 1 0 1 P ? e 0 0 ? ? ? ? 11 0 ? e 0 0 0 0 0 1 1 4 ? e 0 0 ? ? ? ? 12 ? e 0 0 0 0 0 ? 1 1 5 e 0 0 0 ? ? ? ? 13 e 0 0 0 0 ? ? ? 1 1 6 0 0 0 0 ? ? ? e 14 0 0 0 ? ? ? ? e 1 1 7 0 0 0 0 ? ? e 0 15 0 ? ? ? ? ? e 0 1 1 8 0 0 0 0 ? e 0 0 16 ? ? ? ? ? e 0 ? 1 1 9 0 0 0 0 e 0 0 0 17 ? ? ? ? e ? ? ? 1 1 Impossible Differential 17 ? ? ? ? e 0x80 ? ? 0 25 0 0 0 0 0 0x80 0 0 18 ? ? ? e 0x80 0 ? ? 1 26 0 0 0 e 0x80 0 0 0 19 ? ? e 0x80 0 0 ? ? 1 1 27 0 ? e 0x80 0 0 0 0 20 ? e 0x80 0 0 0 ? ? 1 1 28 ? e 0x80 0 0 0 0 ? 21 e 0x80 0 0 0 0 ? ? 1 1 29 e 0 0 0 0 ? ? ? 22 0x80 0 0 0 0 0 ? e 1 4 30 0x80 0 0 ? ? ? ? e 23 0 0 0 0 0 0 e 0x80 0 4 C e 0x80 0 0 ? ? ? ? 24 0 0 0 0 0 0 0x80 0 0 25 0 0 0 0 0 0x80 0 0 (b) Impossible Differential Attack (a) The 16-Round Impossible on 26-Round HIGHT Differential Figure: 26-Round Attack

16 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT

i i i i i i i i i ∆X7 ∆X6 ∆X5 ∆X4 ∆X3 ∆X2 ∆X1 ∆X0 i i i i i i i i 9 e1 0 0 0 0 0 0 0 i ∆X7 ∆X6 ∆X5 ∆X4 ∆X3 ∆X2 ∆X1 ∆X0 10 0 0 0 0 0 0 0 e1 P ? ? ? ? ? ? e1 0 11 0 0 0 0 0 ? e1 0 3 ? ? ? ? ? ? e1 0 12 0 0 0 ? ? e1 0 0 4 ? ? ? ? ? e1 0 0 13 0 ? ? ? e1 0 0 0 5 ? ? ? ? e1 0 0 0 14 ? ? ? e1 0 0 0 ? 6 ? ? ? e1 0 0 0 0 15 ? ? e1 0 0 ? ? ? 7 ? ? e1 0 0 0 0 0 16 ? e1 0 ? ? ? ? ? 8 ? e1 0 0 0 0 0 0 17 e1 ? ? ? ? ? ? ? 9 e1 0 0 0 0 0 0 0 17 e0 0x80 ? ? ? ? ? ? Impossible Differential 18 0x80 0 ? ? ? ? ? e1 25 0 0x80 0 0 0 0 0 0 19 0 0 ? ? ? ? e1 0x80 26 0x80 0 0 0 0 0 0 e1 20 0 0 ? ? ? e1 0x80 0 27 0 0 0 0 0 ? e1 0x80 21 0 0 ? ? e1 0x80 0 0 28 0 0 0 ? ? e1 0x80 0 22 0 0 ? e4 0x80 0 0 0 29 0 ? ? ? e1 0x80 0 0 23 0 0 e4 0x80 0 0 0 0 30 ? ? ? e0 0x80 0 0 ? 24 0 0 0x80 0 0 0 0 0 C ? ? ? ? e0 0x80 0 0 25 0 0x80 0 0 0 0 0 0 (b) Impossible Differential Attack (a) 16-Round Impossible on 27-Round HIGHT Differential of Özen et al.’s Figure: 27-Round Attack

17 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT Subkeys Used in the Attack on 26-Round HIGHT

#Round Subkey Used

5 SK19 (MK2 ) SK18 (MK1 ) SK17 (MK0 ) SK16 (MK7 )

6 SK23 (MK6 ) SK22 (MK5 ) SK21 (MK4 ) SK20 (MK3 )

7 SK27 (MK10 ) SK26 (MK9 ) SK25 (MK8 ) SK24 (MK15 )

8 SK31 (MK14 ) SK30 (MK13 ) SK29 (MK12 ) SK28 (MK11 )

9 SK35 (MK1 ) SK34 (MK0 ) SK33 (MK7 ) SK32 (MK6 )

......

26 SK103 (MK1 ) SK102 (MK0 ) SK101 (MK7 ) SK100 (MK6 )

27 SK107 (MK13 ) SK106 (MK12 ) SK105 (MK11 ) SK104 (MK10 )

28 SK111 (MK9 ) SK110 (MK8 ) SK109 (MK15 ) SK108 (MK14 )

29 SK115 (MK4 ) SK114 (MK3 ) SK113 (MK2 ) SK112 (MK1 )

30 SK119 (MK0 ) SK118 (MK7 ) SK117 (MK6 ) SK116 (MK5 )

Post-Whitening WK7 (MK3 ) WK6 (MK2 ) WK5 (MK1 ) WK4 (MK0 )

18 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT Subkeys Used in the Attack on 27-Round HIGHT

#Round Subkey Used

Pre-Whitening WK3 (MK15 ) WK2 (MK14 ) WK1 (MK13 ) WK0 (MK12 )

4 SK15 (MK15 ) SK14 (MK14 ) SK13 (MK13 ) SK12 (MK12 )

5 SK19 (MK2 ) SK18 (MK1 ) SK17 (MK0 ) SK16 (MK7 )

6 SK23 (MK6 ) SK22 (MK5 ) SK21 (MK4 ) SK20 (MK3 )

7 SK27 (MK10 ) SK26 (MK9 ) SK25 (MK8 ) SK24 (MK15 )

8 SK31 (MK14 ) SK30 (MK13 ) SK29 (MK12 ) SK28 (MK11 )

9 SK35 (MK1 ) SK34 (MK0 ) SK33 (MK7 ) SK32 (MK6 )

......

26 SK103 (MK1 ) SK102 (MK0 ) SK101 (MK7 ) SK100 (MK6 )

27 SK107 (MK13 ) SK106 (MK12 ) SK105 (MK11 ) SK104 (MK10 )

28 SK111 (MK9 ) SK110 (MK8 ) SK109 (MK15 ) SK108 (MK14 )

29 SK115 (MK4 ) SK114 (MK3 ) SK113 (MK2 ) SK112 (MK1 )

30 SK119 (MK0 ) SK118 (MK7 ) SK117 (MK6 ) SK116 (MK5 )

Post-Whitening WK7 (MK3 ) WK6 (MK2 ) WK5 (MK1 ) WK4 (MK0 ) 19 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT

6 6 6 6 6 6 X 1, X 1 X , X 7 7 7 7 7 X 2,ƸX 2 Ƹ 0 Ƹ 0 X 1,ƸX 1 X 2,ƸX 2 X 0 MK 15 MK11

F1 F1

MK12 MK 7 7 7 X , X 8 F0 1 Ƹ 1 F0 X 1

X8 8 8 9 X9 , X9 4 X 3,ƸX 3 X 4 3 Ƹ 3 Table α Table є 25 25 X 3 X 2 MK 7

F0

X26 MK11 2

F0

27 27 27 X , X X 4 27 5 Ƹ 5 X 3 Table β Figure: The Construction of Tables α, β and  in the Attack on 26-Round HIGHT

20 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT

25 25 25 X 7 X 6(ƸX 6=0x80) MK1

F0

6 6 6 6 26 26 6 6 (X 5, X 5) (X , X ) 6 6 X ( X =0) (X 6,ƸX 6) Ƹ 4 Ƹ 4 X 3 X 2 MK 6 Ƹ 6 MK9 MK8 13

F0 F1 F0

27 27 X 6(ƸX 6=0) MK9 MK14 MK 14 MK13 7 7 X 3(ƸX 3=0) F0 F1 F0 F1

MK1 28 MK 1 8 8 X 7 F1 8 8 X 0(ƸX 0=0) X 5(ƸX 5=0) F0

29 29 (X 3,ƸX 3) X29 9 9 1 X 0( X 0=0) 9 9 Ƹ (X 7,ƸX 7)

MK 1

30 X 3 Figure: Precomputation for Rounds 7 ∼ 9 (left) and Rounds 26 ∼ 30 (right) in the Attack on 27-Round HIGHT

21 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT

Table: Key Recovery Procedure of the Attack on 26-Round HIGHT

Step Guess Bits Known Keys Known Values Complexity Conds Pairs Kept Sieve on 5 84.9 74.6 1 MK0 SK17 X4 2 EN 8 2 (5,1) 29 92.9 66.6 2 MK1, MK6 WK5, SK117 X3 2 EN 8 2 (30,1) 29 29 28 93.9 58.6 3 MK5 WK4, SK116, X1 , ∆X1 , X1 2 EN 8 2 (29,0) SK112 5 5 6 101.9 50.6 4 MK4, MK7 SK16, SK21 X2 , ∆X2 , X4 2 EN 8 2 (6, 1) 29 29 28 110.8 42.6 5 MK3, MK9 WK7, SK119, X7 , ∆X7 , X7 , 2 EN 8 2 (28,3) 28 27 SK115, SK111 ∆X7 , X7 5 6 6 109.9 42.6 6 MK2 SK19, SK20 X0 , X2 , ∆X2 2 EN − 2 − 29 28 109.9 42.6 7 − SK118, SK114, X5 , X5 2 EN − 2 − WK6 7 111.9 34.6 8 MK8† SK25 X4 2 EN 8 2 (7,1) 27 27 26 112.9 26.6 9 MK12† SK110, SK106 X5 , ∆X5 , X5 2 EN 8 2 (27,2) 6 6 6 109.9 26.6 10 − SK18, SK19, X6 , X7 , X0 , 2 EN − 2 − 6 6 6 SK22, SK23 ∆X0 , X1 , ∆X1 11 (accessing the pre-computed tables) Complexity: 2116.6MA+2111EN MA: memory accesses; EN: 26-round HIGHT encryptions † The key byte is guessed bit by bit from the LSB to the MSB.

22 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Impossible Differential Attacks on HIGHT

Table: Key Recovery Procedure of the Attack on 27-Round HIGHT

Step Guess Bits Known Keys Known Values Complexity Conds Pairs Left Sieve on 4 91.2 79 1 MK15 WK3, SK15 X0 2 EN 8 2 (4,3) 29 99.2 71 2 MK0, MK3 WK7, SK119 X7 2 EN 8 2 (30,3) 29 29 107.2 71 3 MK6, MK1 SK117, WK5 X3 , ∆X3 2 EN − 2 − 4 4 115.2 71 4 MK14 WK1, SK14 X6 , ∆X6 2 EN − 2 − 5 6 118.2 63 5 MK2 † SK19 X0 , X2 2 EN 8 2 (5,3) 28 28 115.2 63 6 − SK113, SK109 X3 , ∆X3 2 EN − 2 −‡ 29 29 118.2 55 7 MK7 † WK6, SK118 X5 , ∆X5 2 EN 8 2 (30,2) 28 115.2 47 8 − SK114 X5 2 EN 8 2 (29,2) 4 4 5 115.2 39 9 MK13 SK13, SK18, SK23, X4 , ∆X4 , X6 , 2 EN 8 2 (6,3) 5 6 WK2 ∆X6 , X0 29 28 27 27 115.2 39 10 MK5 WK4, SK116, SK108 X1 , X1 , X1 , ∆X1 2 EN − 2 − 26 118.2 31 11 MK10 † SK104 X1 2 EN 8 2 (27,0) 4 4 5 123.2 23 12 MK12 WK0, SK12, SK17, X2 , ∆X2 , X4 , 2 EN 8 2 (7,3) 5 6 6 7 SK22, SK27 ∆X4 , X6 , ∆X6 , X0 6 6 28 120 13 MK4 SK16, SK21, SK26, X4 , ∆X4 , X7 2 MA + * 126.6 SK107, SK31 2 EN SK111, SK115 MA: memory accesses; EN: 27-round HIGHT encryptions † The key byte is guessed bit by bit from the LSB to the MSB. 28 ‡ calculate ∆X4 * the sieving is already done by precomputation

23 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Conclusion

Table: Summary of Single-Key Attacks on TEA

Attack #Rounds Data Time Ref.

Impossible Differential 11 252.5 CP 284 EN Moon+ FSE2002

Truncated Differential 17 1920 CP 2123.37 EN Hong+ ICISC2003

Impossible Differential 17 257 CP 2106.6 EN this paper

Zero Correlation Linear † 21 262.62 KP 2121.52 EN Bogdanov, Wang FSE2012

Zero Correlation Linear † 23 264 2119.64 EN Bogdanov, Wang FSE2012

†: Very recent results

24 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Table: Summary of Single-Key Attacks on XTEA

Attack #Rounds Data Time Ref.

Impossible Differential 14 262.5 CP 285 EN Moon+ FSE2002

Truncated Differential 23 220.55 CP 2120.65 EN Hong+ ICISC2003

Meet-in-the-Middle 23 18 KP 2117 EN Sekar+ CT-RSA2011

Impossible Differential 23 262.3 CP 2114.9 EN this paper

Impossible Differential 23 263 CP 2101 MA+2105.6 EN this paper

Zero Correlation Linear† 25 262.62 KP 2124.53 EN Bogdanov, Wang FSE2012

3-Sub. Meet-in-the-Middle† 25 9KP 2120.4 EN Sasaki+ AFRICACRYPT2012

Zero Correlation Linear† 27 264 2120.71 EN Bogdanov, Wang FSE2012

3-Sub. Meet-in-the-Middle† 28 237 CP 2120.38 EN Sasaki+ AFRICACRYPT2012

Meet-in-the-Middle† 29 245 CP 2124 EN Isobe+ AICSP2012

†: Very recent results

25 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Table: Summary of Single-Key Attacks on HIGHT

Attack #Rounds Data Time Ref.

Saturation 22 262.04 CP 2118.71 EN Zhang+ CANS2009

Impossible Differential 25 260 CP 2126.78 EN Lu ICISC2007

Impossible Differential 26 261 CP 2119.53 EN Özen+ ACISP2009

Impossible Differential 26 261.6 CP 2114.35 EN this paper

Impossible Differential 27 258 CP 2120 MA+2126.6 EN this paper

Biclique† 32 248 CP 2126.4 EN Hong+ ICISC2011

†: Very recent results

CP: Chosen Plaintext; KP: Known Plaintext;

EN: Encryptions; MA: Memory Accesses.

26 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion

Thanks! Questions and Comments?

27 / 27