Cryptanalysis of Akelarre

Niels Ferguson
DigiCash bv
Kruislaan 419
1098 VA Amsterdam, Netherlands
[email protected]

Bruce Schneier
Counterpane Systems
101 E Minnehaha Parkway
Minneapolis, MN 55419, USA
[email protected]

July 23, 1997

Abstract

We show two practical attacks against the Akelarre block cipher. The best attack retrieves the 128-bit key using less than 100 chosen plaintexts and $2^{42}$ off-line trial encryptions. Our attacks use a weakness in the round function that preserves the parity of the input, a set of 1-round differential characteristics with probability 1, and the lack of avalanche and one-way properties in the key schedule. We suggest some ways of fixing these immediate weaknesses, but conclude that the algorithm should be abandoned in favor of better-studied alternatives.

1 Description of Akelarre

Akelarre [AGMP96A, AGMP96B] is a 128-bit block cipher that uses the same overall structure as IDEA [LMM91]; instead of IDEA's 16-bit sub-blocks Akelarre uses 32-bit sub-blocks. Furthermore, Akelarre does not use modular multiplications, but instead uses a combination of a 128-bit key-dependent rotate at the beginning of each round, and repeated key additions and data-dependent rotations¹ in its MA-box (called an "addition-rotation structure" in Akelarre). Akelarre is defined for a variable-length key and a variable number of rounds. The authors recommend using Akelarre with four rounds and a 128-bit key; this is the version that we will cryptanalyze.

¹ Data-dependent rotations were first used by [Mad84] and more recently in RC5 [Riv95].

1.1 Encryption

An Akelarre encryption consists of an input transformation, a repeated round function, and an output transformation (see figure 1).

Figure 1: Overview of the Akelarre block cipher

The input transformation is defined as follows:

1. The 128-bit plaintext is divided into four 32-bit sub-blocks: $X_1$, $X_2$, $X_3$, and $X_4$.

2. These sub-blocks are combined with four sub-keys (all sub-keys are defined as $Z^i_j$, where $i$ is the round and $j$ indicates the $j$th sub-key used in round $i$):

$R^0_1 := X_1 + Z^0_1 \bmod 2^{32}$
$R^0_2 := X_2 \oplus Z^0_2$
$R^0_3 := X_3 \oplus Z^0_3$
$R^0_4 := X_4 + Z^0_4 \bmod 2^{32}$

These four sub-blocks provide the input to round 1.

Akelarre has $v$ rounds. Each round $i = 1, \ldots, v$ consists of the following steps:

1. The four input sub-blocks $R^{i-1}_1$, $R^{i-1}_2$, $R^{i-1}_3$, and $R^{i-1}_4$ are concatenated into one 128-bit block.

2. The 128-bit block is rotated left a variable number of bits determined by the least significant seven bits of $Z^i_1$.

3. The rotated 128-bit block is divided into four 32-bit sub-blocks: $S^i_1$, $S^i_2$, $S^i_3$, and $S^i_4$.

4. Pairs of sub-blocks are xored to provide inputs to the addition-rotation structure:

$P^i_1 := S^i_1 \oplus S^i_3$
$P^i_2 := S^i_2 \oplus S^i_4$

5. $P^i_1$ and $P^i_2$ are combined with twelve 32-bit sub-keys, $Z^i_2, Z^i_3, \ldots, Z^i_{13}$, according to the addition-rotation structure described later. The output of this structure consists of two 32-bit sub-blocks $Q^i_1$ and $Q^i_2$.

6. The four sub-blocks from Step 3 are xored with the outputs of the addition-rotation structure:

$R^i_1 := S^i_1 \oplus Q^i_2$
$R^i_2 := S^i_2 \oplus Q^i_1$
$R^i_3 := S^i_3 \oplus Q^i_2$
$R^i_4 := S^i_4 \oplus Q^i_1$

The sub-blocks $R^i_1, \ldots, R^i_4$ form the output of the round function.

The output of the final round forms the input to the output transformation, which consists of the following steps:

1. The output blocks of the $v$th round are concatenated into one 128-bit block.

2. The 128-bit block is rotated left a variable number of bits determined by the least significant seven bits of $Z^{v+1}_1$.

3. The rotated 128-bit block is divided into four sub-blocks: $S^{v+1}_1$, $S^{v+1}_2$, $S^{v+1}_3$, and $S^{v+1}_4$.

4. The four sub-blocks are combined with four final sub-keys:

$Y_1 := S^{v+1}_1 + Z^{v+1}_2 \bmod 2^{32}$
$Y_2 := S^{v+1}_2 \oplus Z^{v+1}_3$
$Y_3 := S^{v+1}_3 \oplus Z^{v+1}_4$
$Y_4 := S^{v+1}_4 + Z^{v+1}_5 \bmod 2^{32}$

5. The four sub-blocks $Y_1$, $Y_2$, $Y_3$, and $Y_4$ are concatenated to form the ciphertext.

All that remains is to specify the addition-rotation structure. We describe this for completeness' sake; our attack does not rely on any property of the addition-rotation structure. The structure is formed by two columns; $P^i_1$ is the input to the first column and $P^i_2$ is the input to the second column. Each column works as follows:

1. The high 31 bits of $P^i_j$ are rotated left a variable number of bits.

2. The 32-bit output of the previous step is added to a sub-key.

3. The low 31 bits of the result of the previous step are rotated left a variable number of bits.

4. The 32-bit output of the previous step is added to a sub-key.

5. The high 31 bits of the result of the previous step are rotated left a variable number of bits.

6. The 32-bit output of the previous step is added to a sub-key.

7. Steps 3 through 6 are repeated until there have been seven rotations and six sub-key additions in total.

8. The outputs of the two columns are $Q^i_1$ and $Q^i_2$.

Figure 2: Overview of the Akelarre key schedule

The sub-keys added in the first column are $Z^i_8, Z^i_9, \ldots, Z^i_{13}$; the sub-keys added in the second column are $Z^i_2, Z^i_3, \ldots, Z^i_7$.

Let $X[a..b]$ be the number formed by taking bits $a$ through $b$ from the integer $X$, where we start our bit numbering at 0 for the least significant bit. The rotation amounts of the second column are determined by $P^i_1$: the first rotation amount is $P^i_1[4..0]$, the second rotation amount is $P^i_1[9..5]$, the third rotation amount is $P^i_1[14..10]$, the fourth rotation amount is $P^i_1[19..15]$, the fifth rotation amount is $P^i_1[23..20]$, the sixth rotation amount is $P^i_1[27..24]$, and the seventh rotation amount is $P^i_1[31..28]$. The rotation amounts in the first column are determined in the same manner from $Q^i_2$.

1.2 Key Schedule

Akelarre requires $13v + 9$ sub-keys: four for the input transformation, 13 for each of the $v$ rounds, and five for the output transformation. These 32-bit sub-keys are derived from a master key. The length of the master key can be any multiple of 64 bits, although we limit our discussion to 128-bit master keys, which is the suggested key length in [AGMP96A]. The descriptions of the key schedule in [AGMP96A] and [AGMP96B] are different; we base our discussion on the more extensive description in [AGMP96A].

An overview of the key schedule is shown in figure 2. First, the master key is divided into eight 16-bit sub-blocks, called $k_i$ for $i = 1, \ldots, 8$. Each sub-block is squared (yielding a 32-bit result), and then added $\bmod 2^{32}$ to a constant, $A_0 = \mathrm{A49ED284}_{16}$ and $A_1 = \mathrm{735203DE}_{16}$. Let $k^0_i := k_i^2 + A_0 \bmod 2^{32}$ and $k^1_i := k_i^2 + A_1 \bmod 2^{32}$.

The first eight sub-keys are generated as follows: The outermost bytes of $k^0_i$ form the two high-order bytes of sub-key $K_i$; the outermost bytes of $k^1_{i \bmod 8 + 1}$ form the two low-order bytes of sub-key $K_i$. Thus, sub-key $K_i$ is a function of only $k_i$ and $k_{i \bmod 8 + 1}$.

The innermost bytes of $k^0_i$ are squared and added modulo $2^{32}$ to $A_0$ to generate $k^{0'}_i$, and similarly the innermost bytes of $k^1_i$ are squared and added modulo $2^{32}$ to $A_1$ to generate $k^{1'}_i$. The second eight sub-keys are generated in the same way the first eight were. For $i = 9, \ldots, 16$, the outermost bytes of $k^{0'}_{i-8}$ form the two high-order bytes of sub-key $K_i$; the outermost bytes of $k^{1'}_{i \bmod 8 + 1}$ form the two low-order bytes of sub-key $K_i$.

This process is repeated: every round of the key schedule squares the middle bytes of the $k^{0(j)}_i$ and $k^{1(j)}_i$ values and generates 8 additional sub-keys, until all 61 required sub-keys have been generated.

After calculating all the $K_i$ sub-keys, they are read sequentially to fill the $Z^i_j$ keys required for encryption; decryption keys are derived from these keys as required.

2 Cryptanalysis of Akelarre

The pivotal observation is that the round function preserves the parity of the input. The 128-bit rotate does not influence the parity. The subsequent addition-rotation structure xors each of its outputs twice into the data blocks, thus preserving parity. The only operations in Akelarre that affect the parity of the input are the input transformation and the output transformation. This allows us to attack the key blocks involved in those transformations irrespective of the other properties of the round function.

We implement a chosen plaintext attack in four phases. In the first phase, we find most of the bits of two of the sub-keys of the output transformation. In the second phase, we find most of the bits of two of the sub-keys of the input transformation. In the third phase, we exploit the key schedule to recover 80 bits of information about the master key. In the fourth phase, we exhaustively search through all remaining possible master keys.

2.1 Recovering Output Transformation Sub-Key Bits

We start by fixing $X_1 = 0$ and $X_4 = 0$, and encrypting many blocks with random values for $X_2$ and $X_3$. Let $P(\cdot, \cdot, \ldots)$ denote the parity of the concatenation of all its arguments (sum all the bits modulo 2). We define:

$k := P(Z^0_1, Z^0_2, Z^0_3, Z^0_4)$
$x := P(X_2, X_3)$
$r := P(R^0_1, \ldots, R^0_4)$

It is easy to see that $r = k \oplus x$.

As the round function is parity-invariant, we have $r = P(R^v_1, \ldots, R^v_4)$ after $v$ rounds, and thus $r = P(S^{v+1}_1, \ldots, S^{v+1}_4)$.

Let $K_1 := -Z^{v+1}_2 \bmod 2^{32}$, and $K_4 := -Z^{v+1}_5 \bmod 2^{32}$. This gives us

$r = P(Y_1 + K_1 \bmod 2^{32},\ Y_2 \oplus Z^{v+1}_3,\ Y_3 \oplus Z^{v+1}_4,\ Y_4 + K_4 \bmod 2^{32})$

Collecting all our formulae, we get

$P(Y_1 + K_1 \bmod 2^{32},\ Y_4 + K_4 \bmod 2^{32}) = k' \oplus x \oplus y \qquad (1)$

where $k' := k \oplus P(Z^{v+1}_3, Z^{v+1}_4)$ and $y := P(Y_2, Y_3)$. We define, for any $K$, $K' := K[30..0]$ to be the number formed by the least significant 31 bits of $K$. By splitting off the most significant bits of the sum we can rewrite equation (1) as

$P(Y'_1 + K'_1,\ Y'_4 + K'_4) = k'' \oplus x \oplus y' \qquad (2)$

where $k'' := k' \oplus K_1[31] \oplus K_4[31]$ and $y' := y \oplus Y_1[31] \oplus Y_4[31]$. The value $k''$ depends only on the key, and will be the same for all of our encryptions. The values $x$ and $y'$ are known, as they only depend on the plaintext or ciphertext.

If we find two encryptions $i$ and $j$ which have the same value for $Y'_1$ (i.e. $Y'_{1,i} = Y'_{1,j}$), then we can derive a sum-parity relation for $K'_4$. We get

$P(Y'_{4,i} + K'_4) \oplus P(Y'_{4,j} + K'_4) = x_i \oplus x_j \oplus y'_i \oplus y'_j \qquad (3)$

Such an equation eliminates about half of the possible values for $K'_4$. After $4 \cdot 10^5$ chosen plaintexts, we can expect about 37 separate collisions for $Y'_1$, and thus about 37 sum-parity relations for $K'_4$. We can now exhaustively search the $2^{31}$ possible values of $K'_4$ for a value that satisfies all of the parity relations. Numerical experiments indicate that 37 relations are usually enough to give a unique solution.

Once $K'_4$ has been found, every encryption that was done provides an equivalent sum-parity relation for $K'_1$, which allows us to exhaustively search for $K'_1$. The order can of course be reversed, with collisions on $Y'_4$ giving sum-parity relations for $K'_1$, which allows us to recover $K'_1$ first.

Overall, this phase of the attack requires about $4 \cdot 10^5$ chosen plaintexts, and $2^{32}$ exhaustive search steps to recover both $K'_1$ and $K'_4$. Several refinements are possible. The key schedule cannot generate all $2^{32}$ possible sub-keys; this information can be used to speed up the exhaustive search. As will be obvious from the key schedule, the possible sub-key values can be enumerated by listing the possible values for the two halves of the sub-key separately. This results in about $2^{25}$ possible values for the least significant 31 bits of the sub-keys in the output transformation. This assumes a 4-round Akelarre. Due to the nature of the key schedule, the entropy of the sub-keys in the output transformation decreases as the number of rounds increases.

The last phase in our attack is an exhaustive search over $2^{48}$ possible master keys (see section 2.4), which requires a complete Akelarre encryption per possible master key. Checking $2^{50}$ possible key values using sum-parity relations is certainly going to be a lot less work. This leads to the following improvement: Using only 60 chosen plaintexts, we search for $K'_1$ and $K'_4$ in parallel using equation (2). There are about $2^{25}$ possible values for each of these two values, which gives us a total of $2^{50}$ possible values for the pair. We can expect to find the right values that satisfy all the sum-parity relations in about $2^{49}$ tries. The computational effort in this phase is still negligible compared to the effort required in the last phase of our attack, as each of the operations in this phase is far less complex.

The search can be improved even further if we take the non-uniformity of the key-block distribution into account. From the key schedule it is easy to derive the probabilities for each of the $2^{25}$ possible sub-keys. This can be done by computing independent probabilities for each of the two halves of the sub-keys. Our results indicate that this leaves about 23.5 bits of entropy for each of the $K'$ values. By searching the high-probability values first we can expect to find the correct key values sooner.

2.2 Recovering Input Transformation Sub-Key Bits

We can recover the 31 least significant bits of $Z^0_1$ and $Z^0_4$ as well. We could, of course, perform the analysis from the previous section on the decryption function, but there are much more direct methods.

Once we have recovered $K'_1$ and $K'_4$, we can recognise whether two encryptions have the same parity during the rounds. We can decrypt enough of the output transform; the key bits that we don't know affect the parity in the same way for each encryption. Choose fixed values for $X_1$, $X_2$, and $X_3$, and perform encryptions for different values of $X_4$. This gives us sum-parity relations for $Z^0_4$ similar to equation (3). Using the same methods as in the previous step, we can thus recover the 31 least significant bits of $Z^0_4$ and $Z^0_1$, using $2^{32}$ exhaustive search steps and about 80 chosen plaintexts.

A more direct method is also possible, where every chosen plaintext encryption reveals one bit of $Z^0_4$ or $Z^0_1$. This eliminates the exhaustive searches for these 31-bit values, and reduces the number of chosen plaintexts for this phase to 62. The details of this method are left as an exercise to the reader.

2.3 Recovering Master Key Information from the Sub-Keys

We have recovered the 31 least significant bits of 4 of the sub-keys. Due to the structure of the key schedule, each half of a sub-key depends on exactly 16 bits of the master key.

Table 1 gives the expected information provided by the partially known sub-keys about the master key blocks, assuming that the master key is chosen uniformly at random. As the mapping from a master key block to one half of a sub-key is not bijective, not all $2^{16}$ possible values of the sub-key half can occur. In fact, each 32-bit sub-key has between 24.1 and 25.7 bits of entropy.

Sub-key    upper half               lower half
$Z^0_1$    11.99 bits about $k_1$   12.85 bits about $k_2$
$Z^0_4$    11.99 bits about $k_4$   12.85 bits about $k_5$
$Z^5_2$    11.52 bits about $k_2$   12.01 bits about $k_3$
$Z^5_5$    11.52 bits about $k_5$   12.01 bits about $k_6$

Table 1: Bits of information provided by the sub-keys about the master sub-keys

Some of the master key blocks influence two of the recovered sub-keys. In this case we can expect to be left with a single possible value for this master key block. As there are only 16 bits in a master key block, we can't have more than 16 bits of information about it.

An interesting observation is that the amount of information that we get about the master key depends erratically on the number of rounds, due to the alignment of the known sub-keys in the key schedule. In some cases the known sub-keys are all derived from 4 of the master key blocks, while in other cases they are derived from 7 master key blocks. If we increase the number of rounds to 5, we can expect to get about 7 bits more information about the master key blocks, making the 5-round Akelarre significantly weaker against our attack than the 4-round version.

2.4 Recovering the Entire Master Key

Adding up the information that we get, we can expect to have 80 bits of information about the 128-bit key. This leaves about $2^{48}$ possible master key values. These are easy to enumerate: For each master key block we create a list of all possible values. For those master key blocks that influence some of the known sub-keys, we try all $2^{16}$ possible values and discard those that don't match the known sub-key bits. We will be left with 2 master key blocks that are fully known, 4 master key blocks that are partially known, and 2 master key blocks that are unknown. The Cartesian product of these 8 lists enumerates the possible values for the master key.

Using an exhaustive search over these possible master key values, we can expect to find the entire 128-bit master key after at most $2^{48}$ tries, with an expected workload of $2^{47}$ tries.
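Added example (not code from the paper or from the Akelarre authors) for the key-schedule mapping of section 1.2 and the enumeration step of section 2.4: it measures how many bits one sub-key half from the first key-schedule round reveals about a 16-bit master-key block, and lists the blocks consistent with a known half. Assumed: the most significant outer byte is placed first within the half; the entropies and candidate counts are the same for either byte order, and the master-key block used is a constructed value.

```python
from collections import Counter
from math import log2

# Key-schedule constants from section 1.2 (hexadecimal)
A0, A1 = 0xA49ED284, 0x735203DE

def outer_bytes(v):
    """Join the most and least significant bytes of a 32-bit value into 16 bits.
    Assumption: the most significant byte goes first; the entropies and
    candidate counts below are the same for either byte order."""
    return (((v >> 24) & 0xFF) << 8) | (v & 0xFF)

def subkey_half(k, const):
    """First key-schedule round: square the 16-bit master-key block k, add the
    constant mod 2^32, and take the outermost bytes as one sub-key half."""
    return outer_bytes((k * k + const) & 0xFFFFFFFF)

def half_distribution(const, mask=0xFFFF):
    """How often each (masked) sub-key-half value occurs over all 2^16 blocks."""
    return Counter(subkey_half(k, const) & mask for k in range(1 << 16))

def entropy_bits(const, mask=0xFFFF):
    """Shannon entropy of the masked half for a uniform master-key block, i.e.
    the information those bits reveal about the block (compare Table 1; the
    mask 0x7FFF models a half whose top bit was not recovered)."""
    n = float(1 << 16)
    return -sum(c / n * log2(c / n) for c in half_distribution(const, mask).values())

def candidates(known_half, const, mask=0xFFFF):
    """Master-key blocks consistent with the known bits of a sub-key half: the
    section 2.4 enumeration (try all 2^16 values, keep those that match)."""
    return [k for k in range(1 << 16)
            if (subkey_half(k, const) ^ known_half) & mask == 0]

if __name__ == "__main__":
    for name, c in (("A0", A0), ("A1", A1)):
        print(f"{name}: {len(half_distribution(c))} distinct half values, "
              f"{entropy_bits(c):.2f} bits (full half), "
              f"{entropy_bits(c, 0x7FFF):.2f} bits (low 15 bits)")
    k = 0x3C5B                        # constructed master-key block
    print(len(candidates(subkey_half(k, A0), A0)), "blocks match the full half;",
          len(candidates(subkey_half(k, A0), A0, 0x7FFF)), "match its low 15 bits")
```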

3 A second attack

Our second attack uses the observation that the Akelarre round function has a lot of excellent differential characteristics. In fact, any 64-bit pattern repeated once to form a 128-bit word gives a differential 1-round characteristic with probability 1, and the output differential is a rotation of the input differential. Thus, the Akelarre round function has $2^{64}$ 1-round differential characteristics with probability 1.

The set of differences we are particularly interested in are those with exactly 2 one bits, where the bits are 64 bit-positions apart. If such a differential occurs during the rounds we can easily detect this from the ciphertext. So if we use an input differential that flips one bit in $X_3$ and the corresponding bit in $X_1$, we can detect if the flipped bit in $X_1$ resulted in the same bit being flipped in the output of the input transformation. This gives us one bit of information about the first key block of the input transformation.

Using 63 chosen plaintexts, we can recover the same 62 bits of information about the key of the input transformation as we did in the previous attack, but now without any exhaustive searching. Once we have these key bits, we can generate all 62 differentials we are interested in, and use these to recover the 62 bits of the output transformation key we found in the first attack, again without exhaustive searching. Furthermore, we can observe the sum effect of all the 128-bit rotates modulo 64, which gives us 6 more bits of information about the expanded key. Using some fairly straightforward precomputations this reduces the work load of the exhaustive master-key search by a factor of 64, giving us a maximum of $2^{42}$ tries and $2^{41}$ tries on average before the key is found.

As about half of our differential attempts in the first half of this attack resulted in the desired differential pattern during the rounds, we don't have to regenerate all 62 interesting differentials to find the 62 key bits of the output transformation, but on average only 31 of them. This reduces the expected number of required plaintexts to less than 100.

Further refinements are possible if we use the fact that the output transformation key blocks are not independent of the input transformation key blocks. Using this information, we can further reduce the number of required plaintexts.
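The round function of section 1.1 and the two round-level properties the attacks rest on (the parity invariance of section 2 and the probability-1 characteristics of this section) are checked in the following added Python example; it is not code from the paper or from the Akelarre authors. It assumes the sub-block ordering and column assignments exactly as described in section 1.1, and uses random sub-keys in place of the key schedule, since neither property depends on how the sub-keys are derived.

```python
import secrets

M32, M31 = 0xFFFFFFFF, 0x7FFFFFFF

def rotl(x, n, w):  # rotate the w-bit value x left by n bits
    n %= w
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)

def rot_high31(x, n):  # rotate bits 31..1 of a 32-bit word; bit 0 stays put
    return (rotl(x >> 1, n, 31) << 1) | (x & 1)

def rot_low31(x, n):  # rotate bits 30..0 of a 32-bit word; bit 31 stays put
    return (x & 0x80000000) | rotl(x & M31, n, 31)

def ar_column(p, keys, ctrl):
    """One column of the addition-rotation structure: seven rotations of the
    high/low 31 bits in alternation, with the six sub-key additions between
    them. Rotation amounts are bits [4..0], [9..5], [14..10], [19..15]
    (5 bits each) and [23..20], [27..24], [31..28] (4 bits each) of ctrl."""
    amt = [(ctrl >> s) & m for s, m in
           ((0, 31), (5, 31), (10, 31), (15, 31), (20, 15), (24, 15), (28, 15))]
    x = rot_high31(p, amt[0])
    for i, k in enumerate(keys):
        x = (x + k) & M32
        x = (rot_low31 if i % 2 == 0 else rot_high31)(x, amt[i + 1])
    return x

def pack(words):  # four 32-bit sub-blocks -> one 128-bit block, first sub-block on top
    return (words[0] << 96) | (words[1] << 64) | (words[2] << 32) | words[3]

def unpack(block):
    return [(block >> s) & M32 for s in (96, 64, 32, 0)]

def akelarre_round(r, z):
    """One round. z[0] is Z^i_1 (its low seven bits give the 128-bit rotation),
    z[1:7] are Z^i_2..Z^i_7 (second column), z[7:13] are Z^i_8..Z^i_13 (first)."""
    s = unpack(rotl(pack(r), z[0] & 127, 128))
    p1, p2 = s[0] ^ s[2], s[1] ^ s[3]
    q2 = ar_column(p2, z[1:7], p1)    # second column: rotations driven by P1
    q1 = ar_column(p1, z[7:13], q2)   # first column: rotations driven by Q2
    return [s[0] ^ q2, s[1] ^ q1, s[2] ^ q2, s[3] ^ q1]

def parity(*words):
    """P(...): parity of the concatenation of all arguments."""
    return sum(bin(w).count("1") for w in words) & 1

def random_words(n):
    return [secrets.randbits(32) for _ in range(n)]

def round_preserves_parity(trials=200):
    """Section 2: the round output always has the parity of the round input."""
    for _ in range(trials):
        r, z = random_words(4), random_words(13)
        if parity(*r) != parity(*akelarre_round(r, z)):
            return False
    return True

def repeated_pattern_is_characteristic(trials=200):
    """Section 3: a 64-bit pattern repeated twice passes one round with
    probability 1 and comes out rotated by the round's rotation amount."""
    for _ in range(trials):
        r, z, d = random_words(4), random_words(13), secrets.randbits(64)
        delta = (d << 64) | d
        out = pack(akelarre_round(r, z)) ^ pack(akelarre_round(unpack(pack(r) ^ delta), z))
        if out != rotl(delta, z[0] & 127, 128):
            return False
    return True

if __name__ == "__main__":
    print(round_preserves_parity(), repeated_pattern_is_characteristic())
```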

4 Fixing Akelarre

There are three obvious weaknesses in Akelarre that we exploited in our attack. The round function is parity-preserving, which allows us to attack the input and output transformation keys irrespective of the complexity of the addition-rotation structure, and irrespective of the number of rounds. The only elementary operation that Akelarre employs that is not parity-preserving is the addition modulo $2^{32}$. Replacing the xors used to mix the output of the addition-rotation structure with the data blocks by additions would eliminate this property.

The differential characteristics again work irrespective of the number of rounds or the complexity of the addition-rotation structure. These differential characteristics can be broken up by replacing the rotation at the beginning of a round with a different function that does not preserve our characteristic patterns.

The key schedule is especially weak. Learning one bit of any sub-key gives immediate information about the master key, although the designers state that the key schedule was explicitly designed to avoid this property. The main problem is the use of 16-bit blocks without any diffusion between the key blocks. The 16-bit block size does not allow any one-wayness properties. The only fix would seem to be to design an entirely new key schedule. One possible solution is to derive the sub-keys from a cryptographically strong pseudo-random generator which uses the master key as seed.

Even with these fixes it is unclear how strong the fixed Akelarre cipher would be.

5 Conclusions

For a 128-bit block cipher, Akelarre is disappointingly weak. The amount of work necessary for a successful attack is three or four orders of magnitude less than that of attacking DES. As such, Akelarre is not suitable for applications that require even a medium level of security. And while the algorithm may be repairable, it does not offer any obvious speed advantages over more established alternatives.

The weaknesses that we have found do not inspire confidence in the design process used to create Akelarre. Even if all these weaknesses were to be fixed, the resulting cipher would still be tainted by an apparently ad-hoc design process and leave doubt about other as yet undiscovered weaknesses. Therefore, we recommend that the Akelarre design be abandoned.

Since the original publication the authors have published a new version with an improved key schedule [AGMP97]. We have not investigated this new version in any depth, but even the improved key schedule allows us to recover 31 bits of information about the master key in a trivial manner.

6 Acknowledgements

We would like to thank Fausto Montoya for providing us with the figures describing Akelarre.

References

[AGMP96A] G. Alvarez, D. de la Guía, F. Montoya, and A. Peinado, "Akelarre: a new Block Cipher Algorithm," Third Annual Workshop on Selected Areas in Cryptography (SAC '96), Kingston, Ontario, 15-16 August 1996, pp. 1-14.

[AGMP96B] G. Alvarez Marañón, D. de la Guía Martínez, F. Montoya Vitini, and Alberto Peinado Domínguez, "Akelarre: Nuevo Algoritmo de Cifrado en Bloque," Actas de la IV Reunión Española Sobre Criptología, Universidad de Valladolid, September 1996, pp. 93-100. In Spanish.

[AGMP97] G. Alvarez, D. de la Guía, F. Montoya, and A. Peinado, "Description of the new Block Cipher Algorithm Akelarre," http://www.iec.csic.es/fausto/papers/akelarre1.ps

[LMM91] X. Lai, J. Massey, and S. Murphy, "Markov Ciphers and Differential Cryptanalysis," Advances in Cryptology, CRYPTO '91, Springer-Verlag, 1991, pp. 17-38.

[Mad84] W.E. Madryga, "A High Performance Encryption Algorithm," Computer Security: A Global Challenge, Elsevier Science Publishers, 1984, pp. 557-570.

[Riv95] R.L. Rivest, "The RC5 Encryption Algorithm," Fast Software Encryption, Second International Workshop Proceedings, Springer-Verlag, 1995, pp. 86-96.