Cryptanalysis of Lightweight Block Ciphers
Mar´ıaNaya-Plasencia INRIA, France
Sibenikˇ 2014 Outline
▶ Introduction
▶ Impossible Differential Attacks
▶ Meet-in-the-middle and improvements
▶ Multiple Differential Attacks
▶ Dedicated attacks (examples) Outline
▶ Introduction
▶ Impossible Differential Attacks
▶ Meet-in-the-middle and improvements
▶ Multiple Differential Attacks Cryptanalysis of Lightweight Block Ciphers Lightweight Block Ciphers
▶ Lightweight Block Ciphers designed for constrained environments, like RFID tags, sensor networks.
▶ Real need ⇒ an enormous amount of proposals in the last years:
PRESENT, LED, KATAN/KTANTAN, KLEIN, PRINCE, PRINTcipher, LBLOCK, TWINE, XTEA, mCrypton, Iceberg, HIGHT, Piccolo, SIMON, SPECK, SEA, DESL...
1/30 Lightweight Block Ciphers
▶ Cryptanalysis of lightweight block ciphers: a fundamental task, responsibility of the community.
▶ Importance of cryptanalysis (especially on new proposals): the more a block cipher is analyzed, the more confidence we can have in it...
▶ ...or know which algorithms are not secure to use.
2/30 Lightweight Block Ciphers
▶ Lightweight: more ’risky’ design, lower security margin, simpler components.
▶ Often innovative constructions: dedicated attacks
▶ Types of attacks: single-key/related-key, distinguisher/key- recovery, weak-keys, reduced versions.
3/30 Impossible Differential Attacks Classical Differential Attacks [BS’90]
Given an input difference between two plaintexts, some output differences occur more often than others.
′ ′ X EK Y
∆X ∆Y
′′ ′′ X EK Y
4/30 Impossible Differential Attacks [K,BBS’98]
▶ Impossible differential attacks use a differential with probability 0.
▶ We can find the impossible differential using the Miss-in-the-middle [BBS’99] technique.
▶ Extend the impossible differential backward and forward ⇒ Active Sboxes transitions give information on the involved key bits. 5/30 Impossible Differential Attack
∆in
rin (cin, kin)
∆X
r∆
∆Y
rout (cout, kout)
∆out 6/30 Discarding Wrong Keys
▶ Given a pair of inputs with ∆in that generates ∆out,
▶ all the (partial) keys that produce ∆X from ∆in and ∆Y from ∆out are not the correct one.
7/30 For the Attacks to Work
We need s Cdata < 2 and
|kin∪kout| |K|−|kin∪kout| |kin∪kout| |K| Cdata + 2 CN + 2 P 2 < 2
where Cdata is the data needed for obtaining N pairs (∆in, ∆out), CN is the average cost of testing the pairs per candidate key (early abort technique [LKKD08]) and P is the probability of not discarding a trial key.
8/30 Example: LBlock
Designed by Wu and Zhang, (ACNS 2011). ▶ 80-bit key and 64-bit state. ▶ 32 rounds.
ki <<< 8
F
9/30 Example: LBlock
Inside the function F :
▶ add the subkey to the input. ▶ 8 different Sboxes 4 × 4. ▶ a nibble permutation P :
Best attack so far: Imp. Diff. on 23 rounds [CFMS’14,BMNPS’14]. 10/30 Impossible differential: 14 rounds
k14 <<< 8
k5 <<< 8 k10 <<< 8 F F F
k15 <<< 8
k6 <<< 8 k11 <<< 8 F F F
k16 <<< 8
k7 <<< 8 F F
k12 <<< 8 k17 <<< 8
k8 <<< 8 F F F
k13 <<< 8 k18 <<< 8
k9 <<< 8 F F F L1 R1
K First Rounds 1 <<< 8 3 cond.
L2 R2
K 2 <<< 8 2 cond.
L3 R3
K 3 <<< 8 1 cond.
L4 R4
K 4 <<< 8 1 cond.
R L5 5 12/30 L19 R19
K19 Last Rounds <<< 8 1 cond.
L20 R20
K 20 <<< 8 1 cond.
L21 R21
K 21 <<< 8 2 cond.
L22 R22
K 22 <<< 8 3 cond.
L23 R23 13/30 Impossible Differential on LBlock
▶ For 21 rounds a complexity of 269.5 in time with 263 data, for 22: 271.53 time and 260 data, for 23: 275.36 time and 259 data.
▶ Feistel constructions in general are good targets
14/30 Meet-in-the-Middle Attacks Meet-in-the-Middle Attacks
▶ Introduced by Diffie and Hellman in 1977.
▶ Largely applied tool. ▶ Few data needed. ▶ Many improvements: partial matching, bicliques, sieve- in-the-middle...
15/30 Meet-in-the-Middle Attacks
78$,-+9:+ !"#$"%&'!()*+$+,!-,+.& $ * /
0 1$'2#$"%&'!()*+$+,!-,+.&0 1
34&5&06
;,).9"+9:+ !"!!"!#$
16/30 With Partial Matching [AS’08]
,-./01231
! "
# $ %&'('#)'*+
4/56271231 !"#$# ! #$# !% 17/30 With Bicliques [KRS’11]
!"#!$%& '()*#*+ ,%"+*-%./ ./
.0 1
1#&2"#!$%& '()*#*+ ,%"+*-%.0 3 %%%%%%.456.78.98.:; 1+&>+?)@ .9 .7 < = 18/30 Bicliques
▶ Improvement of MITM attacks, but also... ▶ It can always be applied to reduce the total number of computations (at least the precomputed part) ⇒ acceleration of exhaustive search [BKR’11] 1 ▶ Many other accelerated exhaustive search on LW block ciphers: PRESENT, LED, KLEIN, HIGHT, Piccolo, TWINE, LBlock ... (less than 2 bits of gain). ▶ Is everything broken? No.
1Most important application: best key-recovery on AES-128 in 2126.1 instead of the naive 2128. 19/30 Sieve-in-the-Middle [CNPV’13]
▶ We compute some inputs and some outputs to an Sbox S ⇒ sieving with transitions instead of collisions. !"#$%#&'(")*+,%,-".'$-,/' ! 0 ?-&&@A'1B"C'$-,/'0 1
2 3%(4$%#&'(")*+,%,-".'$-,/'2 3
1 5 6 ''''''7896:5:;< 3-(@-D+AE = > 20/30 What is S?
▶ It can basically be anything.
▶ We just need to be able to precompute and store the possible transitions (in the case of a classical Sbox, just the Sbox itself), or sometimes on-the-fly.
▶ Next we get a list of inputs forward and a list of outputs backward: and merge both with the middle conditions (for ex.: N-P 2011).
21/30 PRESENT [BKLPPRSV 2007]
Block n = 64 bits, key 80 or 128 bits.
✻ ✹ ❜ ✁