Differential Attack on Five Rounds of the SC2000 Block Cipher?

Jiqiang Lu

Department of Mathematics and Computer Science, Eindhoven University of Technology, 5600 MB Eindhoven, The Netherlands [email protected]

Abstract. SC2000 is a 128-bit block cipher with a user key of 128, 192 or 256 bits, which employs a total of 6.5 rounds if a 128-bit user key is used. It is a CRYPTREC recommended e-government cipher. In this paper we describe one 4.75-round differential characteristic with proba- bility 2−126 of SC2000 and thirty 4.75-round differential characteristics with probability 2−127. Finally, we exploit these 4.75-round differentials to conduct a differential cryptanalysis attack on a 5-round reduced ver- sion of SC2000 when used with a 128-bit key. The attack suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.

Key words: Block cipher, SC2000, Differential cryptanalysis

1 Introduction

The SC2000 block cipher [1, 2] has a 128-bit block size and a user key of 128, 192 or 256 bits, which employs a total of 6.5 rounds for a 128-bit user key, and a total of 7.5 rounds for a 192 or 256-bit key. It was designed to “have high performance on a wide range of platforms from the low-end processors used in smart cards and mobilephones to the high-end ones that will be available in the near future by suitably implementing it in each platform, and also to have high security” [3]. In 2002, SC2000 became a CRYPTREC recommended e- government cipher [4], after a thorough analysis of its security and performance. In this paper we consider the version of SC2000 that uses 128 key bits. The SC2000 designers [1,2] first analysed the security of SC2000 against dif- ferential cryptanalysis [5] as well as certain other cryptanalytic methods, such

? The work was done when the author was with Royal Holloway, University of London (UK). This paper was published in Postproceedings of INSCRYPT ’09 — The 5th China International Conference on Information Security and Cryptology, Beijing, CHINA, Feng Bao, Moti Yung, Dongdai Lin and Jiwu Jing (eds), Volume 6151 of Lecture Notes in Computer Science, pp. 50–59, Springer-Verlag, 2010. 2

Table 1. Cryptanalytic results on SC2000

Attack T ype Rounds Data T ime Source Boomerang attack 3.5 267 ACPC 267 Memory accesses [8] Rectangle attack 3.5 284.6 CP 284.6 Memory accesses [8] Linear attack 4.5 2104.3 KP 283.3 Memory accesses [12] 4.5 2115.2 KP 242.3 Memory accesses [12] Differential attack 4.5 2111 CP 2111 Encryptions [7] 4.5 2104 CP 220 Memory accesses [12] 5 2127 CP 2132 Memory accesses This paper

as linear cryptanalysis [6]. In 2001, Raddum and Knudsen [7] presented a dif- ferential attack on 4.5-round SC2000, which is based on two 3.5-round differ- ential characteristics with probabilities 2−106 and 2−107, respectively. In 2002, by exploiting a few short differentials with large probabilities, Biham et al. [8] presented boomerang [9] and rectangle [10] attacks on 3.5-round SC2000, follow- ing the work described in [11]. In the same year, Yanami et al. [12] described a 2-round iterative differential characteristic with probability 2−58, and obtained a 3.5-round differential characteristic with probability 2−101 by concatenating the 2-round differential twice and then removing the first half round; finally they presented a differential attack on 4.5-round SC2000 with a time complexity smaller than that of the attack of Raddum and Knudsen. Yanami et al. also presented linear attacks on 4.5-round SC2000. These are the best previously published cryptanalytic results on SC2000 in terms of the numbers of attacked rounds.

In this paper we describe one 4.75-round differential characteristic with prob- ability 2−126 and thirty 4.75-round differential characteristics with probability 2−127, building on the two-round iterative differential characteristic with prob- ability 2−58 of Yanami et al. Finally, using these 4.75-round differential charac- teristics we present a differential cryptanalysis attack on 5-round SC2000, faster than an exhaustive key search. The attack is the first published attack on 5- round SC2000. Table 1 sumarises both the previous and our new cryptanalytic results on SC2000, where ACPC, CP and KP respectively refer to the required numbers of adaptive chosen plaintexts and ciphertexts, chosen plaintexts, and known plaintexts.

The remainder of this paper is organised as follows. In the next section, we give the notation, and describe differential cryptanalysis and the SC2000 block cipher. In Section 3, we give the 4.75-round differential characteristics. In Section 4, we present our differential attack on 5-round SC2000. Section 5 concludes the paper. 3

2 Preliminaries

In this section we give the notation used throughout this paper, and then briefly describe differential cryptanalysis and the SC2000 cipher.

2.1 Notation In all descriptions we assume that the bits of a n-bit value are numbered from 0 to n−1 from left to right, the most significant bit is the 0-th bit, a number without a prefix expresses a decimal number, and a number with prefix 0x expresses a hexadecimal number. We use the following notation.

⊕ bitwise logical exclusive OR (XOR) operation ∧ bitwise logical AND operation ◦ functional composition. When composing functions X and Y, X ◦ Y deno- tes the function obtained by first applying X and then applying Y ./ exchange of the left and right halves of a bit string X bitwise logical complement of a bit string X

2.2 Differential Cryptanalysis Differential cryptanalysis [5] takes advantage of how a specific difference in a pair of inputs of a cipher can affect a difference in the pair of outputs of the cipher, where the pair of outputs are obtained by encrypting the pair of inputs using the same key. The notion of difference can be defined in several ways; the most widely discussed is with respect to the XOR operation. The difference between the inputs is called the input difference, and the difference between the outputs of a function is called the output difference. The combination of the input difference and the output difference is called a differential. The probability of a differential is defined as follows. Definition 1. If α and β are n-bit blocks, then the probability of the differential (α, β) for a block cipher E, written ∆α → ∆β, is defined to be

PrE(∆α → ∆β) = Pr (E(P ) ⊕ E(P ⊕ α) = β). P ∈{0,1}n

For a random function, the expected probability of a differential for any pair −n −n (α, β) is 2 . Therefore, if PrE(∆α → ∆β) is larger than 2 , we can use the differential to distinguish E from a random function, given a sufficient number of chosen plaintext pairs.

2.3 The SC2000 Block Cipher SC2000 takes as input a 128-bit plaintext. For simplicity, we describe the plain- text P as four 32-bit words (d, c, b, a). The following three elementary functions I, B and R are used to define the SC2000 round function, as shown in Fig. 1. 4

I 128 B 128 I

32 32 32 32 S6 mask S5 ⊕ ⊕ ∧ M S5 S L 5 S5

S6

S6

S5 ⊕ ⊕ ∧ M S5 S5 mask S5

R function S6

R function

Fig. 1. The round function of SC2000

– The I function: the bitwise logical XOR (⊕) operation of the 128-bit input with a 128-bit round subkey of four 32-bit words. – The B function: a non-linear substitution, which applies the same 4 × 4 S- 0 0 0 0 box S4 32 times in parallel to the input. For a 128-bit input (d , c , b , a ), 00 00 00 00 00 00 00 00 the output (d , c , b , a ) is obtained in the following way: (dk, ck, bk, ak) = 0 0 0 0 ≤ ≤ S4(dk, ck, bk, ak), where Xk is the k-th bit of the word X (0 k 31). – The R function: a substitution-permutation Feistel structure, which consists of three subfunctions S, M and L. Each of the right two 32-bit words of the input to the R function is divided into 6 groups containing 6, 5, 5, 5, 5 and 6 bits, respectively. These six groups are then passed sequentially through the S function, consisting of two 6× 6 S-boxes S6 and four 5× 5 S-boxes S5, and the linear M function that consists of 32 32-bit words (M[0], ··· ,M[31]). Given an input a, the output of the M function is defined as a0 × M[0] ⊕ · · · ⊕ a31 × M[31]. The outputs of the two M functions are then input to the L function. For a 64-bit input (a∗, b∗) the output of the L function is defined as ((a∗ ∧mask)⊕b∗, (b∗ ∧mask)⊕a∗), where mask is a constant (and mask is the complement of mask). Two masks 0x55555555 and 0x33333333 5

are used in SC2000, in the even and odd rounds, respectively. Finally, the output of the L function is XORed with the left two 32-bit words of the input to the R function, respectively. We denote the L and R functions with mask 0x55555555 as L5 and R5, respectively, and the L and R functions with mask 0x33333333 as L3 and R3, respectively.

The round function of SC200 is made up of two I functions, one B function i and two R functions. We write Kj for the subkey used in the jth I function of i i ≤ ≤ ≤ Round i, and write Kj,l for the l-th bit of Kj, where 0 i 6, j = 0, 1, 0 l ≤ 127. The full 6.5-round encryption procedure of SC2000 can be described as: I 0 ◦B ◦I 0 ◦R ./ R ◦I 1 ◦B ◦I 1 ◦R ./ R ◦I 2 ◦B ◦I 2 ◦R ./ R ◦I 3 ◦ K0 K1 5 5 K0 K1 3 3 K0 K1 5 5 K0 B ◦I 3 ◦R ./ R ◦I 4 ◦B ◦I 4 ◦R ./ R ◦I 5 ◦B ◦I 5 ◦R ./ R ◦I 6 ◦B ◦I 6 . K1 3 3 K0 K1 5 5 K0 K1 3 3 K0 K1 Note that we refer to the first round as Round 0. See [2] for its key schedule.

3 4.75-Round Differential Characteristics of SC2000

In this section we describe the 4.75-round differential characteristics.

3.1 2-Round Iterative Differential Characteristic of Yanami et al.

In 2002, Yanami et al. [12] described the results of a search over all the possible two-round iterative differential characteristics with only one active S function in every round for any two consecutive rounds I ◦ B ◦ I ◦ R5 ./ R5 ◦ I ◦ B ◦ I ◦ R3 ./ R3. Their result is that the best two-round iterative differential characteristic (i.e. that with the highest probability) is (α, β, β, 0) → (α, β, β, 0) with prob- I◦B◦I/2−15 R ./R /2−16 I◦B◦I/2−11 ability 2−58:(α, β, β, 0) −→ (0, β, 0, 0) 5 −→5 (β, γ, 0, β) −→ R ./R /2−16 (β, 0, 0, 0) 3 −→3 (α, β, β, 0), where α = 0x01120000, β = 0x01124400 and γ = 0x00020000.

3.2 The 4.75-Round Differential Characteristics

As a result, we can obtain a 4-round differential characteristic (α, β, β, 0) → (α, β, β, 0) with probability 2−116 by concatenating the above two-round iter- ative differential twice. It is essential to try to exploit an efficient (i.e. with a relatively high probability) differential operating over more than four rounds in order to break more rounds of SC2000. However, this 4-round differential cannot be extended to a differential characteristic operating over more than four rounds −128 with a probability larger than 2 , as appending even a half round R3 ./ R3 at the beginning will cost a probability of 2−16 and appending a B function at the end will cost at least a probability of 2−13. Nevertheless, observe that from the above two-round iterative differential characteristic it follows that two-round iterative differential characteristic (β, γ, 0, β) → (β, γ, 0, β) for any two consecutive rounds I ◦ B ◦ I ◦ R3 ./ R3 ◦ I ◦ ◦ ◦ −11 −58 I B I/2 B ◦ I ◦ R5 ./ R5 also holds with a probability of 2 :(β, γ, 0, β) −→ 6

(0x01124400, 0, 0, 0x01124400) M − S I ◦ B ◦ I 2 10 ⊕ L3 1 (0x01124400, 0, 0, 0) M S M S ⊕ L3 1 M S M S − ⊕ L3 2 16 MS M S (0x01120000, 0x01124400, 0x01124400, 0) L − ⊕ 3 2 16 − M S I ◦ B ◦ I 2 15

(0x01120000, 0x01124400, 0x01124400, 0) (0, 0x01124400, 0, 0)

− I ◦ B ◦ I 2 15 M S (0, 0x01124400, 0, 0) ⊕ 1 L5 M S M S ⊕ L5 1 M S M S − ⊕ L5 2 16 M S M S − ⊕ L5 2 16 (0x01124400, 0x00020000, 0, 0x01124400)

M S − I ◦ B ◦ I 2 11 x , x , , x (0 01124400 0 00020000 0 0 01124400) (0x01124400, 0, 0, 0) − I ◦ B ◦ I 2 11 M S (0x01124400, 0, 0, 0) ⊕ L3 1 M S (0x01124400, 0) (0, 0)

Fig. 2. A 4.75-round differential characteristic with probability 2−126

R ./R /2−16 I◦B◦I/2−15 R ./R /2−16 (β, 0, 0, 0) 3 −→3 (α, β, β, 0) −→ (0, β, 0, 0) 5 −→5 (β, γ, 0, β). It might seem counter-intuitive at first, but there is a major difference between this and the previous iterative 2-round differential characteristic: we can ap- ◦ ◦ ◦ pend a 0.75-round differential characteristic (β, γ, 0, β) I B→I R3 (β, 0, 0, 0) with a probability of 2−11 at the end of this differential characteristic! Therefore, we can obtain a 4.75-round differential characteristic (β, γ, 0, β) → (β, 0, 0, 0) with probability 2−127. By changing the input difference to the difference (β, 0, 0, β) we can get a 4.75-round differential characteristic with probability 2−126, and this 4.75-round differential characteristic is depicted in Fig. 2. When we change the input difference for only one of the five active S4 S-boxes to a value in {0x1, 0x2, 0x6, 0x7, 0xD, 0xF }, we get a total of thirty 4.75-round differential 7 characteristics with probability 2−127. We denote by Ω the set of the 31 input differences for the thirty-one 4.75-round differential characteristics. The differ- ential distribution table of the S4 S-box is given in [12], and the differential distribution table of the S5 S-box is shown in Table 2 in Appendix A. (The characteristics do not make an active S6 S-box, so we do not give its differential distribution table.) In a natural way, we might try to find a better differential characteristic on greater than four rounds by first exploiting short differentials with similar structures and then concatenating them, for the above 4.75-round differential obtained from the two-round iterative differential is just a special case among these. Motivated by this idea, we perform a computer search over all the possi- ble differentials for such one round R ./ R ◦ I ◦ B ◦ I with only one R function active and the right two 32-bit input differences and one of the left two 32- bit input differences being zero; moreover, in order to ensure that the resulting differential is capable of being concatenated with itself, we also require that the right two 32-bit output words and one of the left two 32-bit output words have a zero difference. Surprisingly, we find that the differential characteristics ◦ ◦ ◦ ◦ ◦ ◦ (β, 0, 0, 0) R3./R−→3 I B I (0, β, 0, 0) and (0, β, 0, 0) R5./R−→5 I B I (β, 0, 0, 0) in the above two-round iterative differential are the best (i.e. with the highest prob- abilities) among those with the same forms, respectively. Our search for other similar forms gives no better result.

4 Differential Attack on 5-Round SC2000

In this section, we present a differential cryptanalysis attack on 5 rounds of SC2000 when used with a 128-bit key.

4.1 Preliminary Results

We first concentrate on the propagation of the output difference of the 4.75- round differential characteristic described above through the following R ◦ I 6 3 K0 operation. The output difference (β, 0, 0, 0) will definitely propagate to a differ- ence with the form (∆Y ∧ 0x33333333, ∆Y, β, 0) after the following R3 function, 32 where Y ∈ GF (2 ). Since the S5 function has a uniform differential probability of 2−4, there are totally 216 possible values for ∆Y ; we denote the set of all the 216 possible differences (∆Y ∧ 0x33333333, ∆Y, β, 0) by Γ. The difference (∆Y ∧ 0x33333333, ∆Y, β, 0) will be kept after the following linear I 6 function. K0 On the other hand, having known the 128-bit difference after the I 6 function K0 6 ··· 6 for a ciphertext pair, we only need to guess the 64 subkey bits (K0,64, ,K0,127) 6 of K0 to check whether this pair could produce the difference (β, 0, 0, 0) just before the adjacent R3 function. For our case, as a candidate difference just after the I 6 function should be with the form (∆Y ∧ 0x33333333, ∆Y, β, 0), we K0 6 ··· 6 only need to guess the 20 subkey bits K0,70, ,K0,89 corresponding to the four active S5 S-Boxes in the adjacent R3 function to determine whether a ciphertext 8 pair with a candidate difference could produce the output difference of the above 4.75-round differential characteristics.

4.2 Attack Procedure

By using the 4.75-round differential characteristics, we can mount a differential attack on the following 5 rounds of SC2000: I 1 ◦B◦I 1 ◦R ./ R ◦I 2 ◦B◦I 2 ◦ K0 K1 3 3 K0 K1 R ./ R ◦I 3 ◦B ◦I 3 ◦R ./ R ◦I 4 ◦B ◦I 4 ◦R ./ R ◦I 5 ◦B ◦I 5 ◦R ./ 5 5 K0 K1 3 3 K0 K1 5 5 K0 K1 3 1 R ◦ I 6 . The attack procedure is as follows. 3 K0

1. Choose 2107 structures, where a structure is defined to be a set of 220 plain- texts with the 20 bits for the five active S4 S-boxes taking all the possible values and the other 108 bits fixed. In a chosen-plaintext attack scenario, obtain the corresponding ciphertexts. Keep only the plaintext pairs that have a difference belonging to the set Ω and whose ciphertext pairs have a difference belonging to the set Γ. 6 6 6 2. Guess the 20 subkey bits (K , ··· ,K ) of K in the I 6 function, and 0,70 0,89 0 K0 do as follows. (a) For every remaining ciphertext pair: Partially decrypt the correspond- ing 20 bits of the two ciphertexts through the I 6 function and the four K0 active S5 S-boxes in the adjacent R3 operation, compute the 64-bit dif- ference just after the L3 operation in the R3 operation, then XOR it with the left 64-bit difference of the ciphertext pair, and finally check whether the resultant 64-bit difference is zero. (b) Count the number of the ciphertext pairs with the 64-bit difference com- puted in Step 2(a) being zero, and record this number for the guessed 6 ··· 6 (K0,70, ,K0,89). Repeat Step 2 with another guess; and go to Step 3 if all the guesses are tested. 6 ··· 6 3. For each of the top m ranking guesses for (K0,70, ,K0,89) according to the numbers recorded in Step 2(b), (specific values of m will be given below), exhaustively search for the remaining 108 key bits with two known plain- text/ciphertext pairs. If a 128-bit key is suggested, output it as the user key of the 5-round SC2000.

4.3 Complexity Analysis

The attack requires 2127 chosen plaintexts. Typically, encrypting chosen plain- texts is assumed to be done by some “challenger” who holds the user key (i.e. the challenger’s running time), and is not counted as part of the time complexity 20 2 107 × (2 ) × 31 ≈ 130.96 of an attack. In Step 1, it is expected that 2 2 165 2 plaintext 130.96 × 216 18.96 pairs remain after the filtering condition about Ω, and 2 2128 = 2 ci- phertext pairs remain after the filtering condition about Γ; and it requires about 31 × 2127 ≈ 2132 memory accesses to filter out the satisfying ciphertext pairs.

1 Strictly speaking, this is a little more than 5 rounds. 9

The time complexity of Step 2 is dominated by the partial decryptions, which is · 20 · 18.96 · 1 · 1 ≈ 36 approximately 2 2 2 4 5 2 5-round SC2000 encryptions. Step 3 has a time complexity of m × 2108 5-round SC2000 encryptions. The signal-to-noise 30 ×2−127+ 1 ×2−126 31 31 ≈ 1.04 ratio for the attack is 2−128 2 . In Step 2(b), for the correct key guess the number of the ciphertext pairs with the 64-bit difference computed 130.96 × 30 × −127 1 × −126 in Step 2(a) being zero is expected to be 2 ( 31 2 + 31 2 ) = 16. According to Theorem 3 of [13], we have that the success probability for the attack is about 67% when m = 1, and is about 98.7% when m = 215.

5 Conclusions

SC2000 is a 128-bit block cipher, which is one of the CRYPTREC e-Government Recommended Ciphers. In this paper we have described a few 4.75-round differ- ential characteristics with a probability of larger than 2−128. Finally, using the 4.75-round differential characteristics we have presented a differential attack on 5-round SC2000 when used with 128 key bits. The presented attack is theoret- ical, like most cryptanalytic attacks on block ciphers; and from a cryptanalytic view it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases within one and a half rounds.

Acknowledgments

The author is very grateful to Prof. Chris Mitchell and the anonymous referees for their editorial comments.

References

1. Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The SC2000 block cipher. In Proceedings of the First Open NESSIE Workshop, 2000. 2. Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The block cipher SC2000. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 312–327. Springer, Heidelberg (2002) 3. Fujitsu Laboratories, http://jp.fujitsu.com/group/labs/en/techinfo/techno te/crypto/sc2000.html 4. Cryptography Research and Evaluatin Committees — CRYPTREC Report 2002. Available at http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html 5. Biham, E., Shamir, A.: Differential cryptanalysis of the Data Encryption Standard. Springer-Verlag (1993). 6. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994) 7. Raddum, H., Knudsen, L.R.: A differential attack on reduced-round SC2000. In: Vaudenay, S., Youssef, A. (eds.) SAC 2001. LNCS, vol. 2259, pp. 190–198. Springer, Heidelberg (2001) 10

8. Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1–16. Springer, Heidelberg (2002) 9. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999) 10. Biham, E., Dunkelman, O., Keller, N.: The rectangle attack — rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340– 357. Springer, Heidelberg (2001) 11. Dunkelman, O., Keller, N.: Boomerang and rectangle attacks on SC2000. In Pro- ceedings of the Second Open NESSIE Workshop, 2001. 12. Yanami, H., Shimoyama, T., Dunkelman, O.: Differential and linear cryptanalysis of a reduced-round SC2000. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 34–48. Springer, Heidelberg (2002) 13. Sel¸cuk,A.A.: On probability of success in linear and differential cryptanalysis. Journal of Cryptology 21(1), 131–147 (2008)

A The Differential Distribution Table of the S5 S-box 11

Table 2. The differential distribution table of the S5 S-box input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 320000000000000000000000000000000 1 00022200200200202220202020022022 2 00022220202022002002000002220222 3 00000020002222200222202022202200 4 00022022020002002020222200222200 5 00000222220202200200020220200222 6 00000202222020000022222202002022 7 00022002022220202202020222020000 8 02222220022020200200202200000202 9 02200020222220002020000220022220 10 02200000220002202202202202220020 11 02222200020202000022000222202002 12 02200202002022202220020000222002 13 02222002202222000000222020200020 14 02222022200000200222020002002220 15 02200222000200002002222022020202 16 02002220222202020202220000022000 17 02020020022002222022022020000022 18 02020000020220022200220002202222 19 02002200220020220020022022220200 20 02020202202200022222002200200200 21 02002002002000220002200220222222 22 02002022000222020220002202020022 23 02020222200022222000200222002000 24 00220000200222220002022200022202 25 00202200000022022222220220000220 26 00202220002200222000022202202020 27 00220020202000020220220222220002 28 00202022220220222022200000200002 29 00220222020020020202002020222020 30 00220202022202220020200002020220 31 00202002222002022200002022002202