Cryptanalysis of Lightweight Block Ciphers
Total Page:16
File Type:pdf, Size:1020Kb
Cryptanalysis of Lightweight Block Ciphers Mar´ıaNaya-Plasencia INRIA, France Sibenikˇ 2014 Outline I Introduction I Impossible Differential Attacks I Meet-in-the-middle and improvements I Multiple Differential Attacks I Dedicated attacks (examples) Outline I Introduction I Impossible Differential Attacks I Meet-in-the-middle and improvements I Multiple Differential Attacks Cryptanalysis of Lightweight Block Ciphers Lightweight Block Ciphers I Lightweight Block Ciphers designed for constrained environments, like RFID tags, sensor networks. I Real need ) an enormous amount of proposals in the last years: PRESENT, LED, KATAN/KTANTAN, KLEIN, PRINCE, PRINTcipher, LBLOCK, TWINE, XTEA, mCrypton, Iceberg, HIGHT, Piccolo, SIMON, SPECK, SEA, DESL... 1/30 Lightweight Block Ciphers I Cryptanalysis of lightweight block ciphers: a fundamental task, responsibility of the community. I Importance of cryptanalysis (especially on new proposals): the more a block cipher is analyzed, the more confidence we can have in it... I ...or know which algorithms are not secure to use. 2/30 Lightweight Block Ciphers I Lightweight: more 'risky' design, lower security margin, simpler components. I Often innovative constructions: dedicated attacks I Types of attacks: single-key/related-key, distinguisher/key- recovery, weak-keys, reduced versions. 3/30 Impossible Differential Attacks Classical Differential Attacks [BS'90] Given an input difference between two plaintexts, some output differences occur more often than others. ′ ′ X EK Y ∆X ∆Y ′′ ′′ X EK Y 4/30 Impossible Differential Attacks [K,BBS'98] I Impossible differential attacks use a differential with probability 0. I We can find the impossible differential using the Miss-in-the-middle [BBS'99] technique. I Extend the impossible differential backward and forward ) Active Sboxes transitions give information on the involved key bits. 5/30 Impossible Differential Attack ∆in rin (cin, kin) ∆X r∆ ∆Y rout (cout, kout) ∆out 6/30 Discarding Wrong Keys I Given a pair of inputs with ∆in that generates ∆out, I all the (partial) keys that produce ∆X from ∆in and ∆Y from ∆out are not the correct one. 7/30 For the Attacks to Work We need s Cdata < 2 and jkin[koutj jK|−|kin[koutj jkin[koutj jKj Cdata + 2 CN + 2 P 2 < 2 where Cdata is the data needed for obtaining N pairs (∆in; ∆out), CN is the average cost of testing the pairs per candidate key (early abort technique [LKKD08]) and P is the probability of not discarding a trial key. 8/30 Example: LBlock Designed by Wu and Zhang, (ACNS 2011). I 80-bit key and 64-bit state. I 32 rounds. ki <<< 8 F 9/30 Example: LBlock Inside the function F : I add the subkey to the input. I 8 different Sboxes 4 × 4. I a nibble permutation P : Best attack so far: Imp. Diff. on 23 rounds [CFMS'14,BMNPS'14]. 10/30 Impossible differential: 14 rounds k14 <<< 8 k5 <<< 8 k10 <<< 8 F F F k15 <<< 8 k6 <<< 8 k11 <<< 8 F F F k16 <<< 8 k7 <<< 8 F F k12 <<< 8 k17 <<< 8 k8 <<< 8 F F F k13 <<< 8 k18 <<< 8 k9 <<< 8 F F F L1 R1 K First Rounds 1 <<< 8 3 cond. L2 R2 K 2 <<< 8 2 cond. L3 R3 K 3 <<< 8 1 cond. L4 R4 K 4 <<< 8 1 cond. R L5 5 12/30 L19 R19 K19 Last Rounds <<< 8 1 cond. L20 R20 K 20 <<< 8 1 cond. L21 R21 K 21 <<< 8 2 cond. L22 R22 K 22 <<< 8 3 cond. L23 R23 13/30 Impossible Differential on LBlock I For 21 rounds a complexity of 269:5 in time with 263 data, for 22: 271:53 time and 260 data, for 23: 275:36 time and 259 data. I Feistel constructions in general are good targets 14/30 Meet-in-the-Middle Attacks Meet-in-the-Middle Attacks I Introduced by Diffie and Hellman in 1977. I Largely applied tool. I Few data needed. I Many improvements: partial matching, bicliques, sieve- in-the-middle... 15/30 Meet-in-the-Middle Attacks 78$,-+9:+ !"#$"% '!()*+$+,!- #,+. $ * / 0 1$'2#$"% '!()*+$+,!- #,+. 0 1 34 5 06 ;,).9"+9:+ !"!!"!#$ 16/30 With Partial Matching [AS'08] ,-./01231 ! " # $ % '('#)'*+ 4/56271231 !"#$# ! #$# !% 17/30 With Bicliques [KRS'11] !"#!$% '()*#*+ ,%"+*-%./ ./ .0 1 1# 2"#!$% '()*#*+ ,%"+*-%.0 3 %%%%%%.456.78.98.:; 1+ >+")# .9 .7 < 18/30 Bicliques I Improvement of MITM attacks, but also... I It can always be applied to reduce the total number of computations (at least the precomputed part) ) acceleration of exhaustive search [BKR'11] 1 I Many other accelerated exhaustive search on LW block ciphers: PRESENT, LED, KLEIN, HIGHT, Piccolo, TWINE, LBlock ... (less than 2 bits of gain). I Is everything broken? No. 1Most important application: best key-recovery on AES-128 in 2126:1 instead of the naive 2128: 19/30 Sieve-in-the-Middle [CNPV'13] I We compute some inputs and some outputs to an Sbox S ) sieving with transitions instead of collisions. !"#$%# '(")*+,%,-".'$-,/' ! 0 "- @A'1B"C'$-,/'0 1 2 3%(4$%# '(")*+,%,-".'$-,/'2 3 1 5 6 ''''''7896:5:;< 3-(#-D+AE > 20/30 What is S? I It can basically be anything. I We just need to be able to precompute and store the possible transitions (in the case of a classical Sbox, just the Sbox itself), or sometimes on-the-fly. I Next we get a list of inputs forward and a list of outputs backward: and merge both with the middle conditions (for ex.: N-P 2011). 21/30 PRESENT [BKLPPRSV 2007] Block n = 64 bits, key 80 or 128 bits. ✻ ✹ ❜ t✁ s ❦ ✐ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ 31 rounds + 1 key addition. Forward Computation Backward Computation Sieving through the Sboxes: 1 Sbox x3x2x1x0 S(x)3S(x)2S(x)1S(x)0 x2x1x0!Sy1y0 0000 1100 000!00 0001 0101 000!11 0010 0110 001!01 0011 1011 001!10 0100 1001 010!10 0101 0000 010!11 0110 1010 011!00 0111 1101 011!11 1000 0011 100!00 1001 1110 100!01 1010 1111 101!00 1011 1000 101!11 1100 0100 110!01 1101 0111 110!10 1110 0001 111!01 1111 0010 111!10 16 values of x2; x1; x0; y1; y0, out of 32, correspond to a valid transition. Sieving through the Sboxes ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ ❙ I Probability for 1 Sbox p = 16=32 = 1=2 I 1 Probability for the 6 Sboxes: 26 I We only try 280−6 = 274 potential key candidates. I 7 rounds. PRINCE [Borghoff et al. 2012] Block cipher 64 bits. jKaj = jKbj = 64 (128 keybits). I Non-linear layer of 16 4x4 Sboxes (S). I Linear layers: permutation of nibbles (P ) and "mixcolumns" on groups of 4 nibbles(M). 0 Ka + Kb RC1 Kb RC5 Kb RC6 Kb RC11 Ka + Kb ? ? ? ? ? ? ? ? ? - - - - - ... - - - - - - −1 - - - −1 -... −1 - - - + R + + R + + SB M S + + + + " b B " R b R " b " b " b " b " b " b " b " b " b " − b " -S - - -bb " - −1 - - 1 -bb B M SR SR M SB 8 rounds attack ! Complexity I Improved bicliques when the key is bigger than the internal state: just 1 pair (P; C) of data. I Complexity: 97 20 20+11−4 117 113 97+12 128−36 2 (2 + 2 )cH + 2 cF + 2 cB + 2 + 2 cE 122 < 2 cE Multiple Differential Cryptanalysis Multiple Differential Cryptanalysis I Applied to Crypton[GM00], similar to multiple linear cryptanalysis[BDQ04]. I Formalized in [BG11]: "...multiple differential cryptanalysis is the general case where the set of considered differentials has no particular structure, i.e., several input differences are considered together and the corresponding output differences can be different from an input difference to another." I Applied to PUFFIN(full round), ICEBERG, PRINCE(best attacks)... 22/30 PRINCE [Borghoff et al. 2012] Block cipher 64 bits. jKaj = jKbj = 64 (128 keybits). 0 Ka + Kb RC1 Kb RC5 Kb RC6 Kb RC11 Ka + Kb ? ? ? ? ? ? ? ? ? - - - - - ... - - - - - - −1 - - - −1 -... −1 - - - + R + + R + + SB M S + + + + " b B " R b R " b " b " b " b " b " b " b " b " b " − b " -S - - -bb " - −1 - - 1 -bb B M SR SR M SB !"#$% !"#$ !"#$' !"#$( $% $ $' $( )*$% +( +' + +% ,- ,+ ,. ,, ( (% '/ '0 . , ( ' 1%2%3 1%2 3 1%2'3 1%2(3 )*$ ./ .0 .- .+ ,( ,' , ,% '- '+ '. ', % / 0 1 2%3 1 2 3 1 2'3 1 2(3 )*$' .. ., .( .' (/ (0 (- (+ '( '' ' '% - + . , 1'2%3 1'2 3 1'2'3 1'2(3 )*$( . .% ,/ ,0 (. (, (( (' / 0 - + ( ' % 1(2%3 1(2 3 1(2'3 1(2(3 4567$#!"89:5#; <588 97$#!"89:5#; 23/30 Square Iterative Differentials ! "# "$ %% %% %% %% 24/30 Square Iterative Differentials " -.".*/&0 - 1&"*/&2 -* 1&/ ".3$' !"#"$% '() * !*"+",% !" #$% %'( %')*+*,'-.//% %01%2 3$(3'( %'4(55%-'3$ 678$' ' (0-'!"'36'('297( %'5(33% 0 ! ! ;%'0%%- !: # AB' # AB < < # AB' # A 36' %'5622. >%'3 (02.3.602 < < 25/30 Multiple Differential on PRINCE[CFGNR'14] We consider multiple differentials and multiple characteristics, all following square patterns as in Example: !"!#$% !"!#$% !"!#$% $!"!# % $!"!# % $!"!# % 26/30 Multiple Differential on PRINCE For 6 rounds: ( ) 2 −1 −1 −1 2 (M!SR!S) !M!SR!Ssbox!SR !M! S !SR !M 0 0 ∆in = (δ1; δ2) and ∆out = (δ1; δ2). For any square pattern in the input and in the output, the probability of ∆in ! ∆out when (∆in; ∆out) 2 −56:47 f(1; 2); (2; 1)g × f(1; 2); (2; 1)g is Pb = 2 : 27/30 Recovering the key We can add 2 + 2 rounds: + + ! "# ,-(,. ,.(). $ % $ $ / '(''. (' /0 + 123/423 + 456721 ,-%(,. ,.() $8. % $ 8. $8. '(''(' ) * *")# I 66 key bits involved. 32+31−32 I Ns structures ) Ns2 pairs. −33 I Wrong guess: Ns2 j∆injj∆outj pairs. 31 I Good guess: Ns2 j∆injj∆outjPb pairs. 28/30 Multiple Differential on PRINCE Best known attack on PRINCE: 10 rounds out of 12. Complexity D × T = 2118:6 compared to 2126 for the generic attack. Good example for transition between classical attacks and dedicated ones. 29/30 Conclusion To Sum Up2 I Classical attacks, but also new dedicated ones exploiting the originality of the designs.