Cryptanalysis of Akelarre

Niels Ferguson, DigiCash bv, Kruislaan 419, 1098 VA Amsterdam, Netherlands, [email protected]
Bruce Schneier, Counterpane Systems, 101 E Minnehaha Parkway, Minneapolis, MN 55419, USA, [email protected]

July 23, 1997
Abstract

We show two practical attacks against the Akelarre block cipher. The best attack retrieves the 128-bit key using less than 100 chosen plaintexts and $2^{42}$ off-line trial encryptions. Our attacks use a weakness in the round function that preserves the parity of the input, a set of 1-round differential characteristics with probability 1, and the lack of avalanche and one-way properties in the key schedule. We suggest some ways of fixing these immediate weaknesses, but conclude that the algorithm should be abandoned in favor of better-studied alternatives.
1 Description of Akelarre

Akelarre [AGMP96A, AGMP96B] is a 128-bit block cipher that uses the same overall structure as IDEA [LMM91]; instead of IDEA's 16-bit sub-blocks Akelarre uses 32-bit sub-blocks. Furthermore, Akelarre does not use modular multiplications, but instead uses a combination of a 128-bit key-dependent rotate at the beginning of each round, and repeated key additions and data-dependent rotations in its MA-box (called an "addition-rotation structure" in Akelarre). Data-dependent rotations were first used by Madryga [Mad84] and more recently in RC5 [Riv95].

Akelarre is defined for a variable-length key and a variable number of rounds. The authors recommend using Akelarre with four rounds and a 128-bit key; this is the version that we will cryptanalyze.

1.1 Encryption

An Akelarre encryption consists of an input transformation, a repeated round function, and an output transformation (see Figure 1).

Figure 1: Overview of the Akelarre block cipher

The input transformation is defined as follows:
1. The 128-bit plaintext is divided into four 32-bit sub-blocks: $X_1$, $X_2$, $X_3$, and $X_4$.

2. These sub-blocks are combined with four sub-keys (all sub-keys are written as $Z^i_j$, where $i$ is the round and $j$ indicates the $j$-th sub-key used in round $i$):

   $R^0_1 := X_1 + Z^0_1 \bmod 2^{32}$
   $R^0_2 := X_2 \oplus Z^0_2$
   $R^0_3 := X_3 \oplus Z^0_3$
   $R^0_4 := X_4 + Z^0_4 \bmod 2^{32}$

These four sub-blocks provide the input to round 1.
Akelarre has $v$ rounds. Each round $i = 1, \ldots, v$ consists of the following steps:

1. The four input sub-blocks $R^{i-1}_1$, $R^{i-1}_2$, $R^{i-1}_3$, and $R^{i-1}_4$ are concatenated into one 128-bit block.

2. The 128-bit block is rotated left a variable number of bits determined by the least significant seven bits of $Z^i_1$.

3. The rotated 128-bit block is divided into four 32-bit sub-blocks: $S^i_1$, $S^i_2$, $S^i_3$, and $S^i_4$.

4. Pairs of sub-blocks are xored to provide inputs to the addition-rotation structure:

   $P^i_1 := S^i_1 \oplus S^i_3$
   $P^i_2 := S^i_2 \oplus S^i_4$

5. $P^i_1$ and $P^i_2$ are combined with twelve 32-bit sub-keys, $Z^i_2, Z^i_3, \ldots, Z^i_{13}$, according to the addition-rotation structure described later. The output of this structure consists of two 32-bit sub-blocks $Q^i_1$ and $Q^i_2$.

6. The four sub-blocks from Step 3 are xored with the outputs of the addition-rotation structure:

   $R^i_1 := S^i_1 \oplus Q^i_2$
   $R^i_2 := S^i_2 \oplus Q^i_1$
   $R^i_3 := S^i_3 \oplus Q^i_2$
   $R^i_4 := S^i_4 \oplus Q^i_1$

The sub-blocks $R^i_1, \ldots, R^i_4$ form the output of the round function.
The output of the final round forms the input to the output transformation, which consists of the following steps:

1. The output blocks of the $v$-th round are concatenated into one 128-bit block.

2. The 128-bit block is rotated left a variable number of bits determined by the least significant seven bits of $Z^{v+1}_1$.

3. The rotated 128-bit block is divided into four sub-blocks: $S^{v+1}_1$, $S^{v+1}_2$, $S^{v+1}_3$, and $S^{v+1}_4$.

4. The four sub-blocks are combined with four final sub-keys:

   $Y_1 := S^{v+1}_1 + Z^{v+1}_2 \bmod 2^{32}$
   $Y_2 := S^{v+1}_2 \oplus Z^{v+1}_3$
   $Y_3 := S^{v+1}_3 \oplus Z^{v+1}_4$
   $Y_4 := S^{v+1}_4 + Z^{v+1}_5 \bmod 2^{32}$

5. The four sub-blocks $Y_1$, $Y_2$, $Y_3$, and $Y_4$ are concatenated to form the ciphertext.
All that remains is to specify the addition-rotation structure. We describe this for completeness' sake; our attack does not rely on any property of the addition-rotation structure. The structure is formed by two columns; $P^i_1$ is the input to the first column and $P^i_2$ is the input to the second column. Each column works as follows:

1. The high 31 bits of $P^i_j$ are rotated left a variable number of bits.

2. The 32-bit output of the previous step is added to a sub-key.

3. The low 31 bits of the result of the previous step are rotated left a variable number of bits.

4. The 32-bit output of the previous step is added to a sub-key.

5. The high 31 bits of the result of the previous step are rotated left a variable number of bits.

6. The 32-bit output of the previous step is added to a sub-key.

7. Steps 3 through 6 are repeated until there have been seven rotations and six sub-key additions in total.

8. The outputs of the two columns are $Q^i_1$ and $Q^i_2$.

The sub-keys added in the first column are $Z^i_8, Z^i_9, \ldots, Z^i_{13}$; the sub-keys added in the second column are $Z^i_2, Z^i_3, \ldots, Z^i_7$.

Let $X[a..b]$ be the number formed by taking bits $a$ through $b$ from the integer $X$, where we start our bit numbering at 0 for the least significant bit. The rotation amounts of the second column are determined by $P^i_1$: the first rotation amount is $P^i_1[4..0]$, the second rotation amount is $P^i_1[9..5]$, the third rotation amount is $P^i_1[14..10]$, the fourth rotation amount is $P^i_1[19..15]$, the fifth rotation amount is $P^i_1[23..20]$, the sixth rotation amount is $P^i_1[27..24]$, and the seventh rotation amount is $P^i_1[31..28]$. The rotation amounts in the first column are determined in the same manner from $Q^i_2$.

Figure 2: Overview of the Akelarre key schedule
1.2 Key Schedule

Akelarre requires $13v + 9$ sub-keys: four for the input transformation, 13 for each of the $v$ rounds, and five for the output transformation. These 32-bit sub-keys are derived from a master key. The length of the master key can be any multiple of 64 bits, although we limit our discussion to 128-bit master keys, which is the key size suggested in [AGMP96A]. The descriptions of the key schedule in [AGMP96A] and [AGMP96B] differ; we base our discussion on the more extensive description in [AGMP96A].

An overview of the key schedule is shown in Figure 2. First, the master key is divided into eight 16-bit sub-blocks, called $k_i$ for $i = 1, \ldots, 8$. Each sub-block is squared, yielding a 32-bit result, and then added mod $2^{32}$ to one of two constants, $A_0 = \mathrm{A49ED284}$ and $A_1 = \mathrm{735203DE}$ (hexadecimal). Let $k^0_i := k_i^2 + A_0 \bmod 2^{32}$ and $k^1_i := k_i^2 + A_1 \bmod 2^{32}$.

The first eight sub-keys are generated as follows. The outermost bytes of $k^0_i$ form the two high-order bytes of sub-key $K_i$; the outermost bytes of $k^1_{i \bmod 8 + 1}$ form the two low-order bytes of sub-key $K_i$. Thus, sub-key $K_i$ is a function of only $k_i$ and $k_{i \bmod 8 + 1}$.

The innermost bytes of $k^0_i$ are squared and added modulo $2^{32}$ to $A_0$ to generate the next value, which we write $k'^0_i$, and similarly the innermost bytes of $k^1_i$ are squared and added modulo $2^{32}$ to $A_1$ to generate $k'^1_i$. The second eight sub-keys are generated in the same way the first eight were: for $i = 9, \ldots, 16$, the outermost bytes of $k'^0_{i-8}$ form the two high-order bytes of sub-key $K_i$, and the outermost bytes of $k'^1_{i \bmod 8 + 1}$ form the two low-order bytes of sub-key $K_i$.

This process is repeated: every round of the key schedule squares the middle bytes of the current $k^0$- and $k^1$-type values and generates 8 additional sub-keys, until all 61 required sub-keys have been generated.

After calculating all the $K_i$ sub-keys, they are read sequentially to fill the $Z^i_j$ keys required for encryption; decryption keys are derived from these keys as required.
2 Cryptanalysis of Akelarre

The pivotal observation is that the round function preserves the parity of the input. The 128-bit rotate does not influence the parity. The subsequent addition-rotation structure xors each of its outputs twice into the data blocks, thus preserving parity. The only operations in Akelarre that affect the parity of the input are the input transformation and the output transformation. This allows us to attack the key blocks involved in those transformations irrespective of the other properties of the round function.

We implement a chosen plaintext attack in four phases. In the first phase, we find most of the bits of two of the sub-keys of the output transformation. In the second phase, we find most of the bits of two of the sub-keys of the input transformation. In the third phase, we exploit the key schedule to recover 80 bits of information about the master key. In the fourth phase, we exhaustively search through all remaining possible master keys.
2.1 Recovering Output Transformation Sub-Key Bits

We start by fixing $X_1 = 0$ and $X_4 = 0$, and encrypting many blocks with random values for $X_2$ and $X_3$. Let $P(\cdot, \cdot, \ldots)$ denote the parity of the concatenation of all its arguments (the sum of all the bits modulo 2). We define:

   $k := P(Z^0_1, Z^0_2, Z^0_3, Z^0_4)$
   $x := P(X_2, X_3)$
   $r := P(R^0_1, \ldots, R^0_4)$

It is easy to see that $r = k \oplus x$.

As the round function is parity-invariant, we have $r = P(R^v_1, \ldots, R^v_4)$ after $v$ rounds, and thus $r = P(S^{v+1}_1, \ldots, S^{v+1}_4)$.

Let $K_1 := -Z^{v+1}_2 \bmod 2^{32}$ and $K_4 := -Z^{v+1}_5 \bmod 2^{32}$. This gives us

   $r = P(Y_1 + K_1 \bmod 2^{32},\; Y_2 \oplus Z^{v+1}_3,\; Y_3 \oplus Z^{v+1}_4,\; Y_4 + K_4 \bmod 2^{32})$

Collecting all our formulae, we get

   $P(Y_1 + K_1 \bmod 2^{32},\; Y_4 + K_4 \bmod 2^{32}) = k' \oplus x \oplus y$   (1)

where $k' := k \oplus P(Z^{v+1}_3, Z^{v+1}_4)$ and $y := P(Y_2, Y_3)$. We define for any $K$, $K' := K[30..0]$ to be the number formed by the least significant 31 bits of $K$. By splitting off the most significant bits of the sums we can rewrite equation (1) as

   $P(Y'_1 + K'_1,\; Y'_4 + K'_4) = k'' \oplus x \oplus y'$   (2)

where $k'' := k' \oplus K_1[31] \oplus K_4[31]$ and $y' := y \oplus Y_1[31] \oplus Y_4[31]$. The value $k''$ depends only on the key, and will be the same for all of our encryptions. The values $x$ and $y'$ are known, as they only depend on the plaintext or ciphertext.

If we find two encryptions $i$ and $j$ which have the same value for $Y_1$ (i.e. $Y_{1,i} = Y_{1,j}$), then we can derive a sum-parity relation for $K'_4$. We get

   $P(Y'_{4,i} + K'_4) \oplus P(Y'_{4,j} + K'_4) = x_i \oplus x_j \oplus y'_i \oplus y'_j$   (3)

Such an equation eliminates about half of the possible values for $K'_4$. After $4 \cdot 10^5$ chosen plaintexts, we can expect about 37 separate collisions for $Y_1$, and thus about 37 sum-parity relations for $K'_4$. We can now exhaustively search the $2^{31}$ possible values of $K'_4$ for a value that satisfies all of the parity relations. Numerical experiments indicate that 37 relations are usually enough to give a unique solution. Once $K'_4$ has been found, every encryption that was done provides an equivalent sum-parity relation for $K'_1$, which allows us to exhaustively search for $K'_1$. The order can of course be reversed, with collisions on $Y_4$ giving sum-parity relations for $K'_1$, which allows us to recover $K'_1$ first.

Overall, this phase of the attack requires about $4 \cdot 10^5$ chosen plaintexts, and $2^{32}$ exhaustive search steps to recover both $K'_1$ and $K'_4$. Several refinements are possible. The key schedule cannot generate all $2^{32}$ possible sub-keys; this information can be used to speed up the exhaustive search. As is obvious from the key schedule, the possible sub-key values can be enumerated by listing the possible values for the two halves of the sub-key separately. This results in about $2^{25}$ possible values for the least significant 31 bits of the sub-keys in the output transformation. This assumes a 4-round Akelarre. Due to the nature of the key schedule, the entropy of the sub-keys in the output transformation decreases as the number of rounds increases.

The last phase in our attack is an exhaustive search over $2^{48}$ possible master keys (see Section 2.4), which requires a complete Akelarre encryption per possible master key. Checking $2^{50}$ possible key values using sum-parity relations is certainly going to be a lot less work. This leads to the following improvement: using only 60 chosen plaintexts, we search for $K'_1$ and $K'_4$ in parallel using equation (2). There are about $2^{25}$ possible values for each of these two values, which gives us a total of $2^{50}$ possible values for the pair. We can expect to find the right values that satisfy all the sum-parity relations in about $2^{49}$ tries. The computational effort in this phase is still negligible compared to the effort required in the last phase of our attack, as each of the operations in this phase is far less complex.

The search can be improved even further if we take the non-uniformity of the key-block distribution into account. From the key schedule it is easy to derive the probabilities for each of the $2^{25}$ possible sub-keys. This can be done by computing independent probabilities for each of the two halves of the sub-keys. Our results indicate that this leaves about 23.5 bits of entropy for each of the $K'$ values. By searching the high-probability values first we can expect to find the correct key values sooner.
2.2 Recovering Input Transformation Sub-Key Bits

We can recover the 31 least significant bits of $Z^0_1$ and $Z^0_4$ as well. We could, of course, perform the analysis from the previous section on the decryption function, but there are much more direct methods.

Once we have recovered $K'_1$ and $K'_4$, we can recognise whether two encryptions have the same parity during the rounds: we can decrypt enough of the output transformation, and the key bits that we don't know affect the parity in the same way for each encryption. Choose fixed values for $X_1$, $X_2$, and $X_3$, and perform encryptions for different values of $X_4$. This gives us sum-parity relations for $Z^0_4$ similar to equation (3). Using the same methods as in the previous step, we can thus recover the 31 least significant bits of $Z^0_4$ and $Z^0_1$, using $2^{32}$ exhaustive search steps and about 80 chosen plaintexts.

A more direct method is also possible, where every chosen plaintext encryption reveals one bit of $Z^0_4$ or $Z^0_1$. This eliminates the exhaustive searches for these 31-bit values, and reduces the number of chosen plaintexts for this phase to 62. The details of this method are left as an exercise to the reader.
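One way to realise such a one-bit-per-query method, supplied here as an added example; it is the editor's construction, not the authors' solution, which the paper leaves as an exercise. The oracle abstracts the cipher: because the rounds are parity-transparent and $K'_1$, $K'_4$ are known from the previous phase, each chosen plaintext with $X_1$, $X_2$, $X_3$ fixed and $X_4$ varied yields the single bit $P((X_4 + Z^0_4) \bmod 2^{32}) \oplus c$ for an unknown key-dependent constant $c$. Writing $P((X+Z) \bmod 2^{32}) = P(X) \oplus P(Z) \oplus c_1 \oplus \cdots \oplus c_{31}$ with $c_i$ the carry into bit $i$, the code recovers bits 30 down to 0 of $Z^0_4$ with one query each by choosing plaintexts whose carry chain is fully predictable from the bits already known; bit 31 never produces a carry, which is why 31 bits per word is the limit. The same routine applied to $X_1$ gives $Z^0_1$. The class and function names and the sample key word are constructed for the example.

```python
MASK32 = 0xFFFFFFFF


def parity(w):
    return bin(w).count("1") & 1


class ParityOracle:
    """Constructed stand-in for one chosen-plaintext query of this phase: with X_1, X_2,
    X_3 fixed and X_4 varied, the parity read off the ciphertext (after undoing the known
    parts of the output transformation) is P((X_4 + Z_4^0) mod 2^32) XOR c, c unknown."""

    def __init__(self, z, c):
        self.z, self.c, self.queries = z, c, 0

    def __call__(self, x4):
        self.queries += 1
        return parity((x4 + self.z) & MASK32) ^ self.c


def recover_low31(f):
    """Bits 30..0 of the unknown key word Z, one oracle query per bit.

    With X[j] = 1, X[j+1] = Z[j+1] (already known) and every other bit 0, the carries are
    c_{j+1} = Z[j], c_{j+2} = Z[j+1] and c_{i+1} = Z[i] AND c_i above that, so all carries
    except c_{j+1} are computable from known bits and f(X) XOR f(0) isolates Z[j]."""
    f0 = f(0)
    z = 0
    for j in range(30, -1, -1):
        x = 1 << j
        carry = 0                      # c_{j+2}
        if j < 30:
            x |= z & (1 << (j + 1))    # X[j+1] = Z[j+1] forces c_{j+2} = Z[j+1]
            carry = (z >> (j + 1)) & 1
        known = carry                  # XOR of c_{j+2} .. c_31
        for i in range(j + 2, 31):
            carry &= (z >> i) & 1      # c_{i+1} = Z[i] AND c_i, since X[i] = 0
            known ^= carry
        z |= (f(x) ^ f0 ^ parity(x) ^ known) << j
    return z


def demo(z=0xC3A5F17B, c=1):
    """Constructed key word and constant; returns (recovered low 31 bits, queries used)."""
    oracle = ParityOracle(z, c)
    return recover_low31(oracle), oracle.queries


if __name__ == "__main__":
    recovered, n = demo()
    print(f"recovered {recovered:#010x} with {n} queries; true low 31 bits {0xC3A5F17B & 0x7FFFFFFF:#010x}")
```

Thirty-two queries per word (one base plaintext plus one per bit); the all-zero base plaintext serves both $Z^0_4$ and $Z^0_1$, so both words cost 63 queries, or 62 if the base plaintext was already encrypted in the previous phase.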
2.3 Recovering Master Key Information from the Sub-Keys

We have recovered the 31 least significant bits of 4 of the sub-keys. Due to the structure of the key schedule, each half of a sub-key depends on exactly 16 bits of the master key.

Table 1 gives the expected information provided by the partially known sub-keys about the master key blocks, assuming that the master key is chosen uniformly at random. As the mapping from a master key block to one half of a sub-key is not bijective, not all $2^{16}$ possible values of the sub-key half can occur. In fact, each 32-bit sub-key has between 24.1 and 25.7 bits of entropy.

Sub-key   | upper half              | lower half
$Z^0_1$   | 11.99 bits about $k_1$  | 12.85 bits about $k_2$
$Z^0_4$   | 11.99 bits about $k_4$  | 12.85 bits about $k_5$
$Z^5_2$   | 11.52 bits about $k_2$  | 12.01 bits about $k_3$
$Z^5_5$   | 11.52 bits about $k_5$  | 12.01 bits about $k_6$

Table 1: Bits of information provided by each sub-key about the master key sub-blocks (4-round Akelarre, so the output transformation uses the sub-keys $Z^5_j$)

Some of the master key blocks influence two of the recovered sub-keys. In this case we can expect to be left with a single possible value for this master key block. As there are only 16 bits in a master key block, we can't have more than 16 bits of information about it.

An interesting observation is that the amount of information that we get about the master key depends erratically on the number of rounds, due to the alignment of the known sub-keys in the key schedule. In some cases the known sub-keys are all derived from 4 of the master key blocks, while in other cases they are derived from 7 master key blocks. If we increase the number of rounds to 5, we can expect to get about 7 bits more information about the master key blocks, making 5-round Akelarre significantly weaker against our attack than the 4-round version.
2.4 Recovering the Entire Master Key

Adding up the information that we get, we can expect to have 80 bits of information about the 128-bit key. This leaves about $2^{48}$ possible master key values. These are easy to enumerate: for each master key block we create a list of all possible values. For those master key blocks that influence some of the known sub-keys, we try all $2^{16}$ possible values and discard those that don't match the known sub-key bits. We will be left with 2 master key blocks that are fully known, 4 master key blocks that are partially known, and 2 master key blocks that are unknown. The cartesian product of these 8 lists enumerates the possible values for the master key.

Using an exhaustive search over these possible master key values, we can expect to find the entire 128-bit master key after at most $2^{48}$ tries, with an expected workload of $2^{47}$ tries.
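The enumeration used in Sections 2.1, 2.3 and 2.4 rests on the fact that each half of a first-generation sub-key is a non-bijective function of a single 16-bit master-key block. The following Python program is added here as an illustration and is not part of the paper: it computes the entropy of the two half-maps (outer bytes of $k^2 + A_0$ and of $k^2 + A_1$) over all $2^{16}$ blocks, counts the distinct half values, multiplies them to show how few 32-bit sub-keys are reachable, and inverts a half value to the list of consistent master-key blocks, which is the list-building step of this section. It assumes that "outermost bytes" means the most and least significant byte of the 32-bit word; that reading, the function names and the sample block value are the editor's, not the authors'.

```python
from collections import Counter
from math import log2

A0 = 0xA49ED284   # key-schedule constants from Section 1.2
A1 = 0x735203DE
MASK32 = 0xFFFFFFFF


def outer_bytes(w):
    """Assumption: the 'outermost bytes' of a 32-bit word are its most and least
    significant bytes, packed into 16 bits with the high byte first."""
    return (((w >> 24) & 0xFF) << 8) | (w & 0xFF)


def subkey_half(k, const):
    """First-generation sub-key half from a 16-bit master block k:
    outer bytes of (k^2 + const) mod 2^32, as in Section 1.2."""
    return outer_bytes((k * k + const) & MASK32)


def half_distribution(const):
    """How often each 16-bit half value occurs when k ranges over all 2^16 master blocks."""
    return Counter(subkey_half(k, const) for k in range(1 << 16))


def entropy_bits(counter):
    total = sum(counter.values())
    return -sum(n / total * log2(n / total) for n in counter.values())


def candidate_master_blocks(half_value, const):
    """Section 2.4 list building: every master block that maps to an observed sub-key half.
    The map is not bijective, so this is a short list rather than a single value."""
    return [k for k in range(1 << 16) if subkey_half(k, const) == half_value]


def analyse():
    """Entropy and support size of the two half-maps; their product bounds the reachable sub-keys."""
    upper, lower = half_distribution(A0), half_distribution(A1)
    return {
        "upper_half_bits": entropy_bits(upper),       # information the upper half gives about k_i
        "lower_half_bits": entropy_bits(lower),       # information the lower half gives about k_{i mod 8 + 1}
        "upper_half_values": len(upper),
        "lower_half_values": len(lower),
        "possible_subkeys": len(upper) * len(lower),  # compare with 2^32 for a uniform 32-bit sub-key
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
    k = 0x1234   # constructed sample master block
    print("master blocks consistent with the upper half derived from 0x1234:",
          [hex(c) for c in candidate_master_blocks(subkey_half(k, A0), A0)])
```

The low byte of $k^2 + A$ depends only on $k \bmod 256$ and can take at most 44 values (the number of squares modulo 256), so under this reading each half carries well under 16 bits; the product of the two supports is therefore far below $2^{32}$, which is what makes the $2^{25}$-sized candidate lists of Section 2.1 possible.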
3 A second attack

Our second attack uses the observation that the Akelarre round function has a lot of excellent differential characteristics. In fact, any 64-bit pattern repeated once to form a 128-bit word gives a 1-round differential characteristic with probability 1, and the output differential is a rotation of the input differential. (Such a difference is unchanged by a rotation over 64 positions, so after the key-dependent rotate the two sub-blocks xored together in Step 4 carry identical differences; $P^i_1$ and $P^i_2$, and hence $Q^i_1$ and $Q^i_2$, have zero difference, and the xors of Step 6 pass the rotated difference through unchanged.) Thus, the Akelarre round function has $2^{64}$ 1-round differential characteristics with probability 1.

The set of differences we are particularly interested in are those with exactly 2 one bits, where the bits are 64 bit-positions apart. If such a differential occurs during the rounds we can easily detect this from the ciphertext. So if we use an input differential that flips one bit in $X_3$ and the corresponding bit in $X_1$, we can detect whether the flipped bit in $X_1$ resulted in the same bit being flipped in the output of the input transformation. This gives us one bit of information about the first key block of the input transformation.

Using 63 chosen plaintexts, we can recover the same 62 bits of information about the key of the input transformation as we did in the previous attack, but now without any exhaustive searching. Once we have these key bits, we can generate all 62 differentials we are interested in, and use these to recover the 62 bits of the output transformation key we found in the first attack, again without exhaustive searching. Furthermore, we can observe the summed effect of all the 128-bit rotates modulo 64, which gives us 6 more bits of information about the expanded key. Using some fairly straightforward precomputations this reduces the work load of the exhaustive master-key search by a factor of 64, giving us a maximum of $2^{42}$ tries and $2^{41}$ tries on average before the key is found.

As about half of our differential attempts in the first half of this attack resulted in the desired differential pattern during the rounds, we don't have to regenerate all 62 interesting differentials to find the 62 key bits of the output transformation, but on average only 31 of them. This reduces the expected number of required plaintexts to less than 100.

Further refinements are possible if we use the fact that the output transformation key blocks are not independent of the input transformation key blocks. Using this information, we can further reduce the number of required plaintexts.
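To make the encryption of Section 1.1, the parity observation of Section 2 and the first half of this attack concrete, here is a Python implementation added by the editor; it is not the authors' code. It implements the input transformation, the round function with the addition-rotation structure as specified, and the output transformation, checks that one round leaves the parity of its input unchanged, and then runs the differential recovery of bits 0..30 of $Z^0_1$ and $Z^0_4$ with 63 chosen plaintexts. The key schedule is not implemented: the sub-keys come from a seeded random generator, a constructed stand-in, so the recovered bits are compared against those random words. Two readings are assumptions: the second column is evaluated first, since its rotation amounts come from $P^i_1$ and its output $Q^i_2$ supplies the first column's amounts, and the 128-bit block is formed with $R_1$ as the most significant word. A surviving differential is recognised by exactly one flipped bit in the two xor-keyed ciphertext words and a matching $\pm 2^t$ change in the add-keyed ones.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl(x, n, width):
    """Rotate the width-bit integer x left by n bits."""
    n %= width
    return ((x << n) | (x >> (width - n))) & ((1 << width) - 1)

def rot31(x, n, high):
    """Rotate the high 31 bits (bit 0 fixed) or the low 31 bits (bit 31 fixed) of a 32-bit word."""
    if high:
        return (rotl(x >> 1, n, 31) << 1) | (x & 1)
    return (x & 0x80000000) | rotl(x & 0x7FFFFFFF, n, 31)

def rot_amounts(w):
    """Seven amounts from w[4..0], [9..5], [14..10], [19..15], [23..20], [27..24], [31..28]."""
    return [w & 31, (w >> 5) & 31, (w >> 10) & 31, (w >> 15) & 31,
            (w >> 20) & 15, (w >> 24) & 15, (w >> 28) & 15]

def column(p, keys, amounts):
    """One column: 7 rotations and 6 key additions, alternating high/low 31-bit rotations."""
    x = rot31(p, amounts[0], True)
    for j in range(6):
        x = rot31((x + keys[j]) & MASK32, amounts[j + 1], j % 2 == 1)
    return x

def split128(b):
    return [(b >> (96 - 32 * i)) & MASK32 for i in range(4)]

def join128(w):
    return (w[0] << 96) | (w[1] << 64) | (w[2] << 32) | w[3]

def round_function(r, z):
    """One round; z[0..12] are Z_1..Z_13 of this round."""
    s = split128(rotl(join128(r), z[0] & 0x7F, 128))
    p1, p2 = s[0] ^ s[2], s[1] ^ s[3]
    q2 = column(p2, z[1:7], rot_amounts(p1))   # second column: Z_2..Z_7, amounts from P_1
    q1 = column(p1, z[7:13], rot_amounts(q2))  # first column: Z_8..Z_13, amounts from Q_2
    return [s[0] ^ q2, s[1] ^ q1, s[2] ^ q2, s[3] ^ q1]

def encrypt(x, z, rounds=4):
    """Input transformation, the rounds, output transformation; z lists the 4 + 13*rounds + 5 sub-keys."""
    r = [(x[0] + z[0]) & MASK32, x[1] ^ z[1], x[2] ^ z[2], (x[3] + z[3]) & MASK32]
    for i in range(rounds):
        r = round_function(r, z[4 + 13 * i:4 + 13 * (i + 1)])
    zv = z[4 + 13 * rounds:]
    s = split128(rotl(join128(r), zv[0] & 0x7F, 128))
    return [(s[0] + zv[1]) & MASK32, s[1] ^ zv[2], s[2] ^ zv[3], (s[3] + zv[4]) & MASK32]

def parity(*words):
    return sum(bin(w).count("1") for w in words) & 1

def is_power_of_two(v):
    return v != 0 and v & (v - 1) == 0

def same_bit_flip(xor_diff, a, b):
    """xor_diff: difference of an xor-keyed word; the paired add-keyed word must move by +-2^t, same t."""
    return is_power_of_two(xor_diff) and ((b - a) & MASK32) in (xor_diff, (-xor_diff) & MASK32)

def pattern_survived(c, d):
    """Ciphertexts differ in one bit of S_1 and S_3, or of S_2 and S_4 (64 positions apart):
    the probability-1 differential went through every round."""
    return ((c[1] == d[1] and c[3] == d[3] and same_bit_flip(c[2] ^ d[2], c[0], d[0])) or
            (c[0] == d[0] and c[2] == d[2] and same_bit_flip(c[1] ^ d[1], c[3], d[3])))

def recover_input_key_bits(oracle):
    """Bits 0..30 of Z_1^0 and Z_4^0 with 63 chosen plaintexts: a base text plus, per bit b,
    one text flipping bit b of X_1 and X_3 and one flipping bit b of X_2 and X_4.
    The flipped bit survives the modular key addition exactly when the key bit is 0 (no carry)."""
    base = oracle([0, 0, 0, 0])
    z1 = z4 = 0
    for b in range(31):
        if not pattern_survived(base, oracle([1 << b, 0, 1 << b, 0])):
            z1 |= 1 << b
        if not pattern_survived(base, oracle([0, 1 << b, 0, 1 << b])):
            z4 |= 1 << b
    return z1, z4

def round_parity_preserved(seed=1):
    """Section 2's pivotal observation: one round never changes the parity of its input."""
    rng = random.Random(seed)
    r = [rng.getrandbits(32) for _ in range(4)]
    return parity(*round_function(r, [rng.getrandbits(32) for _ in range(13)])) == parity(*r)

def demo(seed=1, rounds=4):
    """Constructed random sub-keys stand in for the key schedule; (True, True) means both words recovered."""
    rng = random.Random(seed)
    z = [rng.getrandbits(32) for _ in range(4 + 13 * rounds + 5)]
    z1, z4 = recover_input_key_bits(lambda x: encrypt(x, z, rounds))
    return z1 == z[0] & 0x7FFFFFFF, z4 == z[3] & 0x7FFFFFFF

if __name__ == "__main__":
    print("round function parity-invariant:", round_parity_preserved())
    print("low 31 bits of Z_1^0 and Z_4^0 recovered:", demo())
```

Neither check depends on the number of rounds or on the contents of the columns: a failed characteristic (key bit 1, so the addition carries into the next bit) gives the addition-rotation structure a non-zero input difference and scrambles the whole block, so the two-bit pattern test does not fire spuriously in practice.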
4 Fixing Akelarre

There are three obvious weaknesses in Akelarre that we exploited in our attack. The round function is parity-preserving, which allows us to attack the input and output transformation keys irrespective of the complexity of the addition-rotation structure, and irrespective of the number of rounds. The only elementary operation that Akelarre employs that is not parity-preserving is the addition modulo $2^{32}$. Replacing the xors used to mix the output of the addition-rotation structure with the data blocks by additions would eliminate this property.

The differential characteristics again work irrespective of the number of rounds or the complexity of the addition-rotation structure. These differential characteristics can be broken up by replacing the rotation at the beginning of a round with a different function that does not preserve our characteristic patterns.

The key schedule is especially weak. Learning one bit of any sub-key gives immediate information about the master key, although the designers state that the key schedule was explicitly designed to avoid this property. The main problem is the use of 16-bit blocks without any diffusion between the key blocks. The 16-bit block size does not allow any one-wayness properties. The only fix would seem to be to design an entirely new key schedule. One possible solution is to derive the sub-keys from a cryptographically strong pseudo-random generator which uses the master key as seed.

Even with these fixes it is unclear how strong the fixed Akelarre cipher would be.
5 Conclusions

For a 128-bit block cipher, Akelarre is disappointingly weak. The amount of work necessary for a successful attack is three or four orders of magnitude less than that of attacking DES. As such, Akelarre is not suitable for applications that require even a medium level of security. And while the algorithm may be repairable, it does not offer any obvious speed advantages over more established alternatives.

The weaknesses that we have found do not inspire confidence in the design process used to create Akelarre. Even if all these weaknesses were to be fixed, the resulting cipher would still be tainted by an apparently ad-hoc design process and leave doubt about other as yet undiscovered weaknesses. Therefore, we recommend that the Akelarre design be abandoned.

Since the original publication the authors have published a new version with an improved key schedule [AGMP97]. We have not investigated this new version in any depth, but even the improved key schedule allows us to recover 31 bits of information about the master key in a trivial manner.
6 Acknowledgements

We would like to thank Fausto Montoya for providing us with the figures describing Akelarre.
References

[AGMP96A] G. Alvarez, D. de la Guía, F. Montoya, and A. Peinado, "Akelarre: a new Block Cipher Algorithm," Third Annual Workshop on Selected Areas in Cryptography (SAC '96), Kingston, Ontario, 15-16 August 1996, pp. 1-14.

[AGMP96B] G. Alvarez Marañón, D. de la Guía Martínez, F. Montoya Vitini, and Alberto Peinado Domínguez, "Akelarre: Nuevo Algoritmo de Cifrado en Bloque," Actas de la IV Reunión Española sobre Criptología, Universidad de Valladolid, September 1996, pp. 93-100. In Spanish.

[AGMP97] G. Alvarez, D. de la Guía, F. Montoya, and A. Peinado, "Description of the new Block Cipher Algorithm Akelarre," http://www.iec.csic.es/fausto/papers/akelarre1.ps

[LMM91] X. Lai, J. Massey, and S. Murphy, "Markov Ciphers and Differential Cryptanalysis," Advances in Cryptology, CRYPTO '91, Springer-Verlag, 1991, pp. 17-38.

[Mad84] W.E. Madryga, "A High Performance Encryption Algorithm," Computer Security: A Global Challenge, Elsevier Science Publishers, 1984, pp. 557-570.

[Riv95] R.L. Rivest, "The RC5 Encryption Algorithm," Fast Software Encryption, Second International Workshop Proceedings, Springer-Verlag, 1995, pp. 86-96.