Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Cryptanalysis of TEA, XTEA and HIGHT
Jiazhe Chen1,2 Meiqin Wang1,2 Bart Preneel2
1Shangdong University, China
2KU Leuven, ESAT/COSIC and IBBT, Belgium
AfricaCrypt 2012 July 10, 2012
1 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Preliminaries Impossible Differential Attack TEA, XTEA and HIGHT
Impossible Differential Attacks on TEA and XTEA Deriving Impossible Differentials for TEA and XTEA Key Recovery Attacks on TEA and XTEA
Impossible Differential Cryptanalysis of HIGHT Impossible Differential Attacks on HIGHT
Conclusion
2 / 27 I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, ∆B 6= ∆F, Pr(∆A → ∆G) = 0
I Extend the impossible differential forward and backward to attack a block cipher
I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong
P
I
A
B
F
G II
C
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attack Impossible Differential Attack
3 / 27 I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, ∆B 6= ∆F, Pr(∆A → ∆G) = 0
I Extend the impossible differential forward and backward to attack a block cipher
I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attack Impossible Differential Attack
P
I
A
B
F
G II
C
3 / 27 I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, ∆B 6= ∆F, Pr(∆A → ∆G) = 0
I Extend the impossible differential forward and backward to attack a block cipher
I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attack Impossible Differential Attack
P
I
A
B
F
G II
C
3 / 27 I Extend the impossible differential forward and backward to attack a block cipher
I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attack Impossible Differential Attack
P I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, I ∆B 6= ∆F, A Pr(∆A → ∆G) = 0
B
F
G II
C
3 / 27 I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attack Impossible Differential Attack
P I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, I ∆B 6= ∆F, A Pr(∆A → ∆G) = 0
I Extend the impossible differential
B forward and backward to attack a block cipher F
G II
C
3 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attack Impossible Differential Attack
P I Pr(∆A → ∆B) = 1, Pr(∆G → ∆F) = 1, I ∆B 6= ∆F, A Pr(∆A → ∆G) = 0
I Extend the impossible differential
B forward and backward to attack a block cipher F I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then G the subkey guess must be wrong II
C
3 / 27 I TEA was used in Microsoft’s Xbox gaming console
I Both TEA and XTEA are implemented in the Linux kernel
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
TEA, XTEA and HIGHT TEA and XTEA
Li Ri+1 F Li Ri K[0] F <<4 <<4 i·δ K[(i·δ>>11)&3] δ Ͱ Ͱ Ͱ >>5 K[1] >>5
Li+1 Ri+1 TEA Li+1 Ri+1 XTEA
I 64 rounds; block size: 64 bits; key size: 128 bits
4 / 27 I Both TEA and XTEA are implemented in the Linux kernel
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
TEA, XTEA and HIGHT TEA and XTEA
Li Ri+1 F Li Ri K[0] F <<4 <<4 i·δ K[(i·δ>>11)&3] δ Ͱ Ͱ Ͱ >>5 K[1] >>5
Li+1 Ri+1 TEA Li+1 Ri+1 XTEA
I 64 rounds; block size: 64 bits; key size: 128 bits
I TEA was used in Microsoft’s Xbox gaming console
4 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
TEA, XTEA and HIGHT TEA and XTEA
Li Ri+1 F Li Ri K[0] F <<4 <<4 i·δ K[(i·δ>>11)&3] δ Ͱ Ͱ Ͱ >>5 K[1] >>5
Li+1 Ri+1 TEA Li+1 Ri+1 XTEA
I 64 rounds; block size: 64 bits; key size: 128 bits
I TEA was used in Microsoft’s Xbox gaming console
I Both TEA and XTEA are implemented in the Linux kernel
4 / 27 I HIGHT is adopted as an International Standard by ISO/IEC 18033-3
I A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
TEA, XTEA and HIGHT HIGHT
i i i i i Xi Xi Xi X 7 X 6 X 5 X 4 X 3 2 1 0 SK4( i+1)- 1 SK4(i+1 )-2 SK4(i+1)-3 SK4(i+1)-4
F0 F1 F0 F1
i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X7 X6 X5 X4 X3 X2 X1 X0
F0(x) = (x ≪ 1) ⊕ (x ≪ 2) ⊕ (x ≪ 7), F1(x) = (x ≪ 3) ⊕ (x ≪ 4) ⊕ (x ≪ 6) I 32 rounds; block size: 64 bits; key size: 128 bits
5 / 27 I A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
TEA, XTEA and HIGHT HIGHT
i i i i i Xi Xi Xi X 7 X 6 X 5 X 4 X 3 2 1 0 SK4( i+1)- 1 SK4(i+1 )-2 SK4(i+1)-3 SK4(i+1)-4
F0 F1 F0 F1
i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X7 X6 X5 X4 X3 X2 X1 X0
F0(x) = (x ≪ 1) ⊕ (x ≪ 2) ⊕ (x ≪ 7), F1(x) = (x ≪ 3) ⊕ (x ≪ 4) ⊕ (x ≪ 6) I 32 rounds; block size: 64 bits; key size: 128 bits
I HIGHT is adopted as an International Standard by ISO/IEC 18033-3
5 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
TEA, XTEA and HIGHT HIGHT
i i i i i Xi Xi Xi X 7 X 6 X 5 X 4 X 3 2 1 0 SK4( i+1)- 1 SK4(i+1 )-2 SK4(i+1)-3 SK4(i+1)-4
F0 F1 F0 F1
i+1 i+1 i+1 i+1 i+1 i+1 i+1 i+1 X7 X6 X5 X4 X3 X2 X1 X0
F0(x) = (x ≪ 1) ⊕ (x ≪ 2) ⊕ (x ≪ 7), F1(x) = (x ≪ 3) ⊕ (x ≪ 4) ⊕ (x ≪ 6) I 32 rounds; block size: 64 bits; key size: 128 bits
I HIGHT is adopted as an International Standard by ISO/IEC 18033-3
I A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion
5 / 27 I D[i]: a 32-bit difference where the i-th bit is 1, the first to the (i − 1)-th bits are 0, and the (i + 1)-th to 32-th bits are indeterminate. For i < 0, D[i] means that all the 32 bits of the difference are indeterminate.
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Deriving Impossible Differentials for TEA and XTEA Some Notations
I e0: (???????0)2, e1: (???????1)2, e4: (?????100)2
6 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Deriving Impossible Differentials for TEA and XTEA Some Notations
I e0: (???????0)2, e1: (???????1)2, e4: (?????100)2 I D[i]: a 32-bit difference where the i-th bit is 1, the first to the (i − 1)-th bits are 0, and the (i + 1)-th to 32-th bits are indeterminate. For i < 0, D[i] means that all the 32 bits of the difference are indeterminate.
6 / 27 Property If the input difference of the i-th round of XTEA (TEA) is (D[m], D[n]), where (m > n − 5), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], D[q]), where (q > p − 5), then the input difference is (D[p − 5], D[p]).
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Deriving Impossible Differentials for TEA and XTEA
Impossible Differential for ARX (ASX) type cipher: looking for one-bit contradiction. Property If the input difference of the i-th round of XTEA (TEA) is (0, D[n]), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], 0), then the input difference is (D[p − 5], D[p]).
7 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Deriving Impossible Differentials for TEA and XTEA
Impossible Differential for ARX (ASX) type cipher: looking for one-bit contradiction. Property If the input difference of the i-th round of XTEA (TEA) is (0, D[n]), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], 0), then the input difference is (D[p − 5], D[p]). Property If the input difference of the i-th round of XTEA (TEA) is (D[m], D[n]), where (m > n − 5), then the output difference is (D[n], D[n − 5]). Vice versa, if the output difference of the j-th round of XTEA (TEA) is (D[p], D[q]), where (q > p − 5), then the input difference is (D[p − 5], D[p]).
7 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Deriving Impossible Differentials for TEA and XTEA Impossible Differential of TEA and XTEA
If we choose the input difference to be (0, D[n]) (or (D[m], D[n]) (m > n − 5)), then after i rounds, the difference should be of the form (D[n − 5(i − 1)], D[n − 5i]). Similarly, if we choose the output difference (D[p], 0) (or (D[p], D[q]) (q > p − 5)), then after propagating backwards for j rounds, the difference should be of the form (D[p − 5j], D[p − 5(j − 1)]). Then at least one bit contradiction will appear if
n − 5(i − 1) > 0, p − 5j > 0, n − 5(i − 1) 6= p − 5j.
8 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Deriving Impossible Differentials for TEA and XTEA Impossible Differentials of TEA and XTEA
F Round 1 F Round 1
F Round 2 F Round 2
F Round 3 F Round 3
F Round 4 F Round 4
F Round 5 F Round 5
F Round 6 F Round 6
F Round 7 F Round 7
contradiction contradiction
F Round 8 F Round 8
F Round 9 F Round 9
F Round 10 F Round 10
F Round 11 F Round 11
F Round 12 F Round 12
F Round 13 F Round 13
F Round 14
9 / 27 Property Given x, x0, y, y 0 be n-bit values, and z = (x + y) mod 2n, z0 = (x0 + y 0) mod 2n. If the i-th (counting from 1) to j-th bits of 0 0 0 0 0 x, x , y, y and the i-th carry ci , ci of x + y, x + y are known, then the i-th to j-th (i < j ≤ n) bits of ∆z can be obtained, regardless of the values of least significant i − 1 bits of x (or x0), y (or y 0). Note that if there are no differences in the the least 0 0 0 significant i − 1 bits of x + y and x + y , then ci = ci .
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Properties for Key Recovery
Theorem[Daum] n Let [x + y] be (x + y) mod 2 , then [x + y]i = xi ⊕ yi ⊕ ci (i = 1, ..., n), where c1 = 0 and ci = xi−1yi−1 ⊕ xi−1ci−1 ⊕ yi−1ci−1, for i = 2, ..., n.
10 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Properties for Key Recovery
Theorem[Daum] n Let [x + y] be (x + y) mod 2 , then [x + y]i = xi ⊕ yi ⊕ ci (i = 1, ..., n), where c1 = 0 and ci = xi−1yi−1 ⊕ xi−1ci−1 ⊕ yi−1ci−1, for i = 2, ..., n. Property Given x, x0, y, y 0 be n-bit values, and z = (x + y) mod 2n, z0 = (x0 + y 0) mod 2n. If the i-th (counting from 1) to j-th bits of 0 0 0 0 0 x, x , y, y and the i-th carry ci , ci of x + y, x + y are known, then the i-th to j-th (i < j ≤ n) bits of ∆z can be obtained, regardless of the values of least significant i − 1 bits of x (or x0), y (or y 0). Note that if there are no differences in the the least 0 0 0 significant i − 1 bits of x + y and x + y , then ci = ci .
10 / 27 I XTEA:
K0 K3 K1 K2 K2 K1 K3 K0 K0 K0 K1 K3 K2 K2 K3 K1
K0 K0 K1 K0 K2 K3 K3 K2 K0 K1 K1 K1 K2 K0 K3 K3
K0 K2 K1 K1 K2 K1 K3 K0 K0 K3 K1 K2 K2 K1 K3 K1
K0 K0 K1 K3 K2 K2 K3 K2 K0 K1 K1 K0 K2 K3 K3 K2
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Key Schedule
I TEA: (K0, K1), (K2, K3), (K0, K1), (K2, K3) ...
11 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Key Schedule
I TEA: (K0, K1), (K2, K3), (K0, K1), (K2, K3) ... I XTEA:
K0 K3 K1 K2 K2 K1 K3 K0 K0 K0 K1 K3 K2 K2 K3 K1
K0 K0 K1 K0 K2 K3 K3 K2 K0 K1 K1 K1 K2 K0 K3 K3
K0 K2 K1 K1 K2 K1 K3 K0 K0 K3 K1 K2 K2 K1 K3 K1
K0 K0 K1 K3 K2 K2 K3 K2 K0 K1 K1 K0 K2 K3 K3 K2
11 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Key Schedule
Set s0 ← 0, s1 ← 1, s2 ← 0, s3 ← 1, s4 ← 1, s5 ← 0 and s6 ← 1.
δ0 = s6||s5||s4||s3||s2||s1||s0. For i = 1 to 127,
si+6 = si+2 ⊕ si−1,
δi = si+6||si+5||si+4||si+3||si+2||si+1||si . I HIGHT: For i = 0 to 7, for j = 0 to 7,
SK16i+j = MK(j−i) mod 8 δ16i+j . for j = 0 to 7,
SK16i+j+8 = MK((j−i) mod 8)+8 δ16i+j+8.
12 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Impossible Differential Attacks on TEA and XTEA
F 5RXQG
5RXQG F
F 5RXQG F 5RXQG F 5RXQG F 5RXQG F 5RXQG 13-Round Impossible Differential
14-Round Impossible Differential F 5RXQG F 5RXQG F 5RXQG F 5RXQG
F 5RXQG
5RXQG F
13 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Attack on 23-Round XTEA
Step Guess Bits Complexity Sieve on Conds Pairs Kept
97.8 79.3 1 K1 : 1 ∼ 12 2 round 6 10 2
97.8 69.3 2 K1 : 13 ∼ 22 2 round 28 10 2
98.8 49.3 3 K1 : 23 ∼ 32 2 round 26,27 20 2
85.8 43.3 4 K0 : 26 ∼ 32, c1 * 2 round 25 6 2
90.8 33.3 5 K3 : 7 ∼ 17, c2 † 2 round 7 10 2
103.8 23.3 6 K3 : 1 ∼ 6, 18 ∼ 32, K0 : 12 ∼ 22, c3 ‡ 2 round 8 10 2
114.9 7 K0 : 1 ∼ 11, 23 ∼ 25 2 round 9,10 20 −
*c1 is the 26th carry in the left modular addition of the 25th round
† c2 is the 7th carry in the left modular addition of the 7th round
‡ c3 is the 12th carry in the left modular addition of the 8th round
14 / 27 I Attack on TEA → 19 rounds
I Attack on XTEA → 26 rounds
I With complexities close to exhaustive search
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Using the Full Codebook
I Impossible differential → 15 rounds
15 / 27 I Attack on XTEA → 26 rounds
I With complexities close to exhaustive search
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Using the Full Codebook
I Impossible differential → 15 rounds
I Attack on TEA → 19 rounds
15 / 27 I With complexities close to exhaustive search
Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Using the Full Codebook
I Impossible differential → 15 rounds
I Attack on TEA → 19 rounds
I Attack on XTEA → 26 rounds
15 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Key Recovery Attacks on TEA and XTEA Using the Full Codebook
I Impossible differential → 15 rounds
I Attack on TEA → 19 rounds
I Attack on XTEA → 26 rounds
I With complexities close to exhaustive search
15 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT
i i i i i i i i i ∆X7 ∆X6 ∆X5 ∆X4 ∆X3 ∆X2 ∆X1 ∆X0 9 0 0 0 0 e 0 0 0 1 i ∆X i ∆X i ∆X i ∆X i ∆X i ∆X i ∆X i ∆X i 10 0 0 0 e 0 0 0 0 7 6 5 4 3 2 1 0 1 P ? e 0 0 ? ? ? ? 11 0 ? e 0 0 0 0 0 1 1 4 ? e 0 0 ? ? ? ? 12 ? e 0 0 0 0 0 ? 1 1 5 e 0 0 0 ? ? ? ? 13 e 0 0 0 0 ? ? ? 1 1 6 0 0 0 0 ? ? ? e 14 0 0 0 ? ? ? ? e 1 1 7 0 0 0 0 ? ? e 0 15 0 ? ? ? ? ? e 0 1 1 8 0 0 0 0 ? e 0 0 16 ? ? ? ? ? e 0 ? 1 1 9 0 0 0 0 e 0 0 0 17 ? ? ? ? e ? ? ? 1 1 Impossible Differential 17 ? ? ? ? e 0x80 ? ? 0 25 0 0 0 0 0 0x80 0 0 18 ? ? ? e 0x80 0 ? ? 1 26 0 0 0 e 0x80 0 0 0 19 ? ? e 0x80 0 0 ? ? 1 1 27 0 ? e 0x80 0 0 0 0 20 ? e 0x80 0 0 0 ? ? 1 1 28 ? e 0x80 0 0 0 0 ? 21 e 0x80 0 0 0 0 ? ? 1 1 29 e 0 0 0 0 ? ? ? 22 0x80 0 0 0 0 0 ? e 1 4 30 0x80 0 0 ? ? ? ? e 23 0 0 0 0 0 0 e 0x80 0 4 C e 0x80 0 0 ? ? ? ? 24 0 0 0 0 0 0 0x80 0 0 25 0 0 0 0 0 0x80 0 0 (b) Impossible Differential Attack (a) The 16-Round Impossible on 26-Round HIGHT Differential Figure: 26-Round Attack
16 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT
i i i i i i i i i ∆X7 ∆X6 ∆X5 ∆X4 ∆X3 ∆X2 ∆X1 ∆X0 i i i i i i i i 9 e1 0 0 0 0 0 0 0 i ∆X7 ∆X6 ∆X5 ∆X4 ∆X3 ∆X2 ∆X1 ∆X0 10 0 0 0 0 0 0 0 e1 P ? ? ? ? ? ? e1 0 11 0 0 0 0 0 ? e1 0 3 ? ? ? ? ? ? e1 0 12 0 0 0 ? ? e1 0 0 4 ? ? ? ? ? e1 0 0 13 0 ? ? ? e1 0 0 0 5 ? ? ? ? e1 0 0 0 14 ? ? ? e1 0 0 0 ? 6 ? ? ? e1 0 0 0 0 15 ? ? e1 0 0 ? ? ? 7 ? ? e1 0 0 0 0 0 16 ? e1 0 ? ? ? ? ? 8 ? e1 0 0 0 0 0 0 17 e1 ? ? ? ? ? ? ? 9 e1 0 0 0 0 0 0 0 17 e0 0x80 ? ? ? ? ? ? Impossible Differential 18 0x80 0 ? ? ? ? ? e1 25 0 0x80 0 0 0 0 0 0 19 0 0 ? ? ? ? e1 0x80 26 0x80 0 0 0 0 0 0 e1 20 0 0 ? ? ? e1 0x80 0 27 0 0 0 0 0 ? e1 0x80 21 0 0 ? ? e1 0x80 0 0 28 0 0 0 ? ? e1 0x80 0 22 0 0 ? e4 0x80 0 0 0 29 0 ? ? ? e1 0x80 0 0 23 0 0 e4 0x80 0 0 0 0 30 ? ? ? e0 0x80 0 0 ? 24 0 0 0x80 0 0 0 0 0 C ? ? ? ? e0 0x80 0 0 25 0 0x80 0 0 0 0 0 0 (b) Impossible Differential Attack (a) 16-Round Impossible on 27-Round HIGHT Differential of Özen et al.’s Figure: 27-Round Attack
17 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT Subkeys Used in the Attack on 26-Round HIGHT
#Round Subkey Used
5 SK19 (MK2 ) SK18 (MK1 ) SK17 (MK0 ) SK16 (MK7 )
6 SK23 (MK6 ) SK22 (MK5 ) SK21 (MK4 ) SK20 (MK3 )
7 SK27 (MK10 ) SK26 (MK9 ) SK25 (MK8 ) SK24 (MK15 )
8 SK31 (MK14 ) SK30 (MK13 ) SK29 (MK12 ) SK28 (MK11 )
9 SK35 (MK1 ) SK34 (MK0 ) SK33 (MK7 ) SK32 (MK6 )
......
26 SK103 (MK1 ) SK102 (MK0 ) SK101 (MK7 ) SK100 (MK6 )
27 SK107 (MK13 ) SK106 (MK12 ) SK105 (MK11 ) SK104 (MK10 )
28 SK111 (MK9 ) SK110 (MK8 ) SK109 (MK15 ) SK108 (MK14 )
29 SK115 (MK4 ) SK114 (MK3 ) SK113 (MK2 ) SK112 (MK1 )
30 SK119 (MK0 ) SK118 (MK7 ) SK117 (MK6 ) SK116 (MK5 )
Post-Whitening WK7 (MK3 ) WK6 (MK2 ) WK5 (MK1 ) WK4 (MK0 )
18 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT Subkeys Used in the Attack on 27-Round HIGHT
#Round Subkey Used
Pre-Whitening WK3 (MK15 ) WK2 (MK14 ) WK1 (MK13 ) WK0 (MK12 )
4 SK15 (MK15 ) SK14 (MK14 ) SK13 (MK13 ) SK12 (MK12 )
5 SK19 (MK2 ) SK18 (MK1 ) SK17 (MK0 ) SK16 (MK7 )
6 SK23 (MK6 ) SK22 (MK5 ) SK21 (MK4 ) SK20 (MK3 )
7 SK27 (MK10 ) SK26 (MK9 ) SK25 (MK8 ) SK24 (MK15 )
8 SK31 (MK14 ) SK30 (MK13 ) SK29 (MK12 ) SK28 (MK11 )
9 SK35 (MK1 ) SK34 (MK0 ) SK33 (MK7 ) SK32 (MK6 )
......
26 SK103 (MK1 ) SK102 (MK0 ) SK101 (MK7 ) SK100 (MK6 )
27 SK107 (MK13 ) SK106 (MK12 ) SK105 (MK11 ) SK104 (MK10 )
28 SK111 (MK9 ) SK110 (MK8 ) SK109 (MK15 ) SK108 (MK14 )
29 SK115 (MK4 ) SK114 (MK3 ) SK113 (MK2 ) SK112 (MK1 )
30 SK119 (MK0 ) SK118 (MK7 ) SK117 (MK6 ) SK116 (MK5 )
Post-Whitening WK7 (MK3 ) WK6 (MK2 ) WK5 (MK1 ) WK4 (MK0 ) 19 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT
6 6 6 6 6 6 X 1, X 1 X , X 7 7 7 7 7 X 2,ƸX 2 Ƹ 0 Ƹ 0 X 1,ƸX 1 X 2,ƸX 2 X 0 MK 15 MK11
F1 F1
MK12 MK 7 7 7 X , X 8 F0 1 Ƹ 1 F0 X 1
X8 8 8 9 X9 , X9 4 X 3,ƸX 3 X 4 3 Ƹ 3 Table α Table є 25 25 X 3 X 2 MK 7
F0
X26 MK11 2
F0
27 27 27 X , X X 4 27 5 Ƹ 5 X 3 Table β Figure: The Construction of Tables α, β and in the Attack on 26-Round HIGHT
20 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT
25 25 25 X 7 X 6(ƸX 6=0x80) MK1
F0
6 6 6 6 26 26 6 6 (X 5, X 5) (X , X ) 6 6 X ( X =0) (X 6,ƸX 6) Ƹ 4 Ƹ 4 X 3 X 2 MK 6 Ƹ 6 MK9 MK8 13
F0 F1 F0
27 27 X 6(ƸX 6=0) MK9 MK14 MK 14 MK13 7 7 X 3(ƸX 3=0) F0 F1 F0 F1
MK1 28 MK 1 8 8 X 7 F1 8 8 X 0(ƸX 0=0) X 5(ƸX 5=0) F0
29 29 (X 3,ƸX 3) X29 9 9 1 X 0( X 0=0) 9 9 Ƹ (X 7,ƸX 7)
MK 1
30 X 3 Figure: Precomputation for Rounds 7 ∼ 9 (left) and Rounds 26 ∼ 30 (right) in the Attack on 27-Round HIGHT
21 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT
Table: Key Recovery Procedure of the Attack on 26-Round HIGHT
Step Guess Bits Known Keys Known Values Complexity Conds Pairs Kept Sieve on 5 84.9 74.6 1 MK0 SK17 X4 2 EN 8 2 (5,1) 29 92.9 66.6 2 MK1, MK6 WK5, SK117 X3 2 EN 8 2 (30,1) 29 29 28 93.9 58.6 3 MK5 WK4, SK116, X1 , ∆X1 , X1 2 EN 8 2 (29,0) SK112 5 5 6 101.9 50.6 4 MK4, MK7 SK16, SK21 X2 , ∆X2 , X4 2 EN 8 2 (6, 1) 29 29 28 110.8 42.6 5 MK3, MK9 WK7, SK119, X7 , ∆X7 , X7 , 2 EN 8 2 (28,3) 28 27 SK115, SK111 ∆X7 , X7 5 6 6 109.9 42.6 6 MK2 SK19, SK20 X0 , X2 , ∆X2 2 EN − 2 − 29 28 109.9 42.6 7 − SK118, SK114, X5 , X5 2 EN − 2 − WK6 7 111.9 34.6 8 MK8† SK25 X4 2 EN 8 2 (7,1) 27 27 26 112.9 26.6 9 MK12† SK110, SK106 X5 , ∆X5 , X5 2 EN 8 2 (27,2) 6 6 6 109.9 26.6 10 − SK18, SK19, X6 , X7 , X0 , 2 EN − 2 − 6 6 6 SK22, SK23 ∆X0 , X1 , ∆X1 11 (accessing the pre-computed tables) Complexity: 2116.6MA+2111EN MA: memory accesses; EN: 26-round HIGHT encryptions † The key byte is guessed bit by bit from the LSB to the MSB.
22 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Impossible Differential Attacks on HIGHT
Table: Key Recovery Procedure of the Attack on 27-Round HIGHT
Step Guess Bits Known Keys Known Values Complexity Conds Pairs Left Sieve on 4 91.2 79 1 MK15 WK3, SK15 X0 2 EN 8 2 (4,3) 29 99.2 71 2 MK0, MK3 WK7, SK119 X7 2 EN 8 2 (30,3) 29 29 107.2 71 3 MK6, MK1 SK117, WK5 X3 , ∆X3 2 EN − 2 − 4 4 115.2 71 4 MK14 WK1, SK14 X6 , ∆X6 2 EN − 2 − 5 6 118.2 63 5 MK2 † SK19 X0 , X2 2 EN 8 2 (5,3) 28 28 115.2 63 6 − SK113, SK109 X3 , ∆X3 2 EN − 2 −‡ 29 29 118.2 55 7 MK7 † WK6, SK118 X5 , ∆X5 2 EN 8 2 (30,2) 28 115.2 47 8 − SK114 X5 2 EN 8 2 (29,2) 4 4 5 115.2 39 9 MK13 SK13, SK18, SK23, X4 , ∆X4 , X6 , 2 EN 8 2 (6,3) 5 6 WK2 ∆X6 , X0 29 28 27 27 115.2 39 10 MK5 WK4, SK116, SK108 X1 , X1 , X1 , ∆X1 2 EN − 2 − 26 118.2 31 11 MK10 † SK104 X1 2 EN 8 2 (27,0) 4 4 5 123.2 23 12 MK12 WK0, SK12, SK17, X2 , ∆X2 , X4 , 2 EN 8 2 (7,3) 5 6 6 7 SK22, SK27 ∆X4 , X6 , ∆X6 , X0 6 6 28 120 13 MK4 SK16, SK21, SK26, X4 , ∆X4 , X7 2 MA + * 126.6 SK107, SK31 2 EN SK111, SK115 MA: memory accesses; EN: 27-round HIGHT encryptions † The key byte is guessed bit by bit from the LSB to the MSB. 28 ‡ calculate ∆X4 * the sieving is already done by precomputation
23 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Conclusion
Table: Summary of Single-Key Attacks on TEA
Attack #Rounds Data Time Ref.
Impossible Differential 11 252.5 CP 284 EN Moon+ FSE2002
Truncated Differential 17 1920 CP 2123.37 EN Hong+ ICISC2003
Impossible Differential 17 257 CP 2106.6 EN this paper
Zero Correlation Linear † 21 262.62 KP 2121.52 EN Bogdanov, Wang FSE2012
Zero Correlation Linear † 23 264 2119.64 EN Bogdanov, Wang FSE2012
†: Very recent results
24 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Table: Summary of Single-Key Attacks on XTEA
Attack #Rounds Data Time Ref.
Impossible Differential 14 262.5 CP 285 EN Moon+ FSE2002
Truncated Differential 23 220.55 CP 2120.65 EN Hong+ ICISC2003
Meet-in-the-Middle 23 18 KP 2117 EN Sekar+ CT-RSA2011
Impossible Differential 23 262.3 CP 2114.9 EN this paper
Impossible Differential 23 263 CP 2101 MA+2105.6 EN this paper
Zero Correlation Linear† 25 262.62 KP 2124.53 EN Bogdanov, Wang FSE2012
3-Sub. Meet-in-the-Middle† 25 9KP 2120.4 EN Sasaki+ AFRICACRYPT2012
Zero Correlation Linear† 27 264 2120.71 EN Bogdanov, Wang FSE2012
3-Sub. Meet-in-the-Middle† 28 237 CP 2120.38 EN Sasaki+ AFRICACRYPT2012
Meet-in-the-Middle† 29 245 CP 2124 EN Isobe+ AICSP2012
†: Very recent results
25 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Table: Summary of Single-Key Attacks on HIGHT
Attack #Rounds Data Time Ref.
Saturation 22 262.04 CP 2118.71 EN Zhang+ CANS2009
Impossible Differential 25 260 CP 2126.78 EN Lu ICISC2007
Impossible Differential 26 261 CP 2119.53 EN Özen+ ACISP2009
Impossible Differential 26 261.6 CP 2114.35 EN this paper
Impossible Differential 27 258 CP 2120 MA+2126.6 EN this paper
Biclique† 32 248 CP 2126.4 EN Hong+ ICISC2011
†: Very recent results
CP: Chosen Plaintext; KP: Known Plaintext;
EN: Encryptions; MA: Memory Accesses.
26 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion
Thanks! Questions and Comments?
27 / 27