Cryptographic Security Analysis of T-310∗
Nicolas T. Courtois1, Klaus Schmeh3, Jörg Drobick5, Jacques Patarin2, Maria-Bristena Oprisanu1, Matteo Scarlata1,4, Om Bhallamudi1

1 University College London, Gower Street, London, UK
2 UVSQ, CNRS, Université de Paris-Saclay, France
3 cryptovision, Gelsenkirchen, Germany
4 Computer Science, University of Pisa, Italy
5 Harnekop NVA Museum, Prötzel, Germany

Abstract. T-310 is an important Cold War cipher [98]. It was the principal encryption algorithm used to protect various state communication lines in Eastern Germany throughout the 1980s. The cipher seems to be quite robust, and until now, no cryptography researcher has proposed an attack on T-310. In this paper we provide a detailed analysis of T-310 in the context of modern cryptography research and other important or similar ciphers developed in the same period. We introduce new notations which show the peculiar internal structure of this cipher in a new light. We point out a number of significant strong and weak properties of this cipher. Finally we propose several new attacks on T-310.

* This is our "master paper" on T-310. It can be seen as an extended version of several papers which appear in Cryptologia in 2017 and 2018. This eprint paper is our extended monography paper which shows how different questions and different attacks are related and connected to each other. It contains a substantial amount of additional research and technical details.

Recent Updates: This paper is no longer guaranteed to be completely up-to-date with recent developments. Important recent additions are non-linear invariant attacks in Section 23 and Appendix I.3 on the cipher stepping.
Key Words: Cold War, block ciphers, T-310, SKS V/1, unbalanced compressing Feistel ciphers, algebraic cryptanalysis, ElimLin, SAT Solvers, Differential Cryptanalysis, Linear Cryptanalysis, correlation attacks, slide attacks, self-similarity attacks, ciphertext-only attacks, polynomial invariant attacks, related-key differential attacks.

Acknowledgments. We thank Bernd Lippmann, Jens Raeder, Bernhard Esslinger, Marek Grajek, Philippe Guillot, Nathan Keller, Jean-Jacques Quisquater, Angela Sasse, Mate Soos, Kristina Zatylna and Bingsheng Zhang for their comments and suggestions. Some of this work was done by UCL students doing project work for GA18 Cryptanalysis course taught at University College London in 2014-2018. Students who participated are: Om Bhallamudi, Simon Boehm, Kwok Cheng, Killian Davitt, Maxine Emuobosa, Mario D'Onghia, Mark Daniels, Lizhou Feng, Istvan Hoffer, Gaixin Hong, Marios Georgiou, Tereza Loffelmannova, Alexios Nikos, Maria-Bristena Oprisanu, Nikolai Rozanov, Matteo Scarlata, Qin Tang, Varnavas Papaioannou, Rei Valera, Moyu Wang, Dongni Zhang.

N. T. Courtois et al., https://ia.cr/2017/440/ March 27, 2019

Table of Contents

0 Abstract
1 Basic Facts and History of T-310
  1.1 Chronology on T-310
2 A Block Cipher in A Stream Cipher Mode
  2.1 A First Look At the T-310 Block cipher Internals
3 Feistel and Generalized Feistel Ciphers vs. T-310
  3.1 T-310 vs. Other Contemporary Block Ciphers
  3.2 Weak or Strong - Cryptanalysis
4 Feistel Ciphers and High-Level Structure of T-310
  4.1 Long-Term Keys - Notation
  4.2 The Importance of Long-Term Keys
  4.3 Basic LZS Classification
  4.4 Unbalanced Feistel Reinforced with a Permutation
  4.5 Permutation D and Chosen Long-Term Key Attacks
5 Alterations to the Unbalanced Feistel Construction
  5.1 Mainstream T-310: Non-Bijective D
  5.2 Consequences of D(i)=0
  5.3 Unbalanced Feistel vs. KT1 Keys (Most Common Case)
  5.4 The High-Level Structure of KT1 Keys
  5.5 Comparison to SKS Ciphers and How It Impacts T-310 Ciphers
  5.6 Alterations to the Unbalanced Feistel Construction with KT2 Keys
6 Detailed Description of T-310
7 Construction of One Encryption Round φ
  7.1 Compact High-Level Description of One Round φ
  7.2 Definition of P
  7.3 Definition of T
  7.4 Definition of D
  7.5 Summary: Main Part of φ
  7.6 A Potential Serious Vulnerability - Divide And Conquer Attacks on Key Space
8 Long Term Keys D, P
  8.1 Example of D, P of Popular Type KT1
  8.2 Properties of KT1 Keys
  8.3 On Strength of Real-Life Cold War Keys
  8.4 KT2 Key Class
  8.5 Other Keys and Key Classes
  8.6 Key Sizes for the Long Term Keys
  8.7 Long Term Keys vs. Security
9 Detailed Description of T() Inside One Round
  9.1 Design of T and Alternative Descriptions
  9.2 Design Criteria of T
  9.3 Another Point of View on T and One Round φ
  9.4 Observations on T()
  9.5 Vulnerabilities of the Whole T Component
  9.6 Observations on T() Combined with Final XORs
10 The Non-Linear Component of T-310
  10.1 Description of the Boolean Function Z
  10.2 Implementation of the Boolean Function Z
  10.3 Design Criteria for the Boolean Function Z from 1973
  10.4 Another Set of Design Criteria From 1975
11 Properties of T-310 Round Function φ
  11.1 Is One Encryption Round φ a Permutation?
  11.2 Another Result on φ
12 Differential Attacks and Vulnerabilities in T-310
  12.1 Structural Differential Attacks vs. S-boxes
  12.2 Missing Bits - Serious Differential Vulnerability of T for Any P
  12.3 Missing Bits - Applications
  12.4 Missing Bits - Application to Related-Key Differential Attacks
  12.5 Examples of Differential Attacks on T-310
  12.6 Differential Vulnerabilities with Different IVs
  12.7 Differential vs. Linear Cryptanalysis
13 Key and IV Scheduling Parts in T-310
  13.1 Basic Facts About T-310 Keys
  13.2 Key Scheduling and s_{m,1−2}
  13.3 On Parity Bits
  13.4 IV Generation and Transmission in T-310
  13.5 IV Expansion and f_m
  13.6 A Zero-Attack on IV Expansion and f_m
14 T-310 Keystream Generation Process
  14.1 Bit Selection For Encryption
  14.2 Discussion - Low-Rate Extraction
15 Estimating the Strength of T-310 Against Direct Software Algebraic Attacks
  15.1 Attacks on 1 Bit - How to Access u_{127,α}
  15.2 Attacks on Full State or P/C Pairs
  15.3 Computer Simulations
16 Encryption in T-310 - Double One-Time Pad
  16.1 On the Choice of α
17 Basic Observations and Basic Attacks on T-310 Encryption Process
  17.1 Timing and Side Channel Attacks on T-310
  17.2 A Known Plaintext Attack on T-310
  17.3 The Zero Value Attacks on T-310
  17.4 Bad News - Tentative Applications of Zero-Value Attack
18 Preliminary Analysis for Correlation Attacks and the Space Shrinking Properties
  18.1 Useful Natural Language Statistics
  18.2 Correlation Attack vs. Weak Keys in T-310
  18.3 A Specific Reason Why Correlations Exist
  18.4 A Method for Fast Estimation of Output Space
  18.5 Space Shrinking - Original Keys vs. Special Keys
  18.6 Shrinking vs. Choice of Key and IV Bits - Key 208
  18.7 Weaker Rank-Deficient Keys in KT2b Style
  18.8 Class KT3d - More Weak LZS Keys Generated At Random
  18.9 How Output Space Reduction Produces Bias
  18.10 Application to SKS V/1
19 On Chosen LZS Attacks
  19.1 A Problematic LZS Question
  19.2 On Rank Deficiency of Some Otherwise Well-Formed Keys
20 A Ciphertext-Only Faulty LZS Correlation Attack
  20.1 On Key Scheduling in T-310
  20.2 A Ciphertext-Only Correlation Attack on T-310
  20.3 A Ciphertext-Only Correlation Attack on SKS V/1
21 T-310 and Linear Cryptanalysis
  21.1 Historical Background
  21.2 Application to Several Rounds of T-310
  21.3 Invariant Linear Characteristics for T-310
  21.4 Generating Very Weak Long Term Keys for LC
  21.5 LC-Weak Keys with One-Bit Correlations
  21.6 A Short Explanation for Key 741
  21.7 A Classification of One-Bit Correlations α → α
  21.8 Specific Types of Near-Bit Correlations
  21.9 A Detailed Example of How T-310 Can Be Weak w.r.t. LC
  21.10 Can More KT1 Keys be Pathological?
  21.11 Generation of KT1 Keys [General or LC-Weak]
  21.12 More Complex Periodic Properties
  21.13 Periodic Properties which Involve Key Bits
  21.14 Strongly Pathological LC-Weak Keys
  21.15 Weak LZS with 8 Round Properties
  21.16 More Pathological LC-Weak Keys Not KT1
  21.17 Keys With Self-Similarity and Level 2 Linear Cryptanalysis
  21.18 First Classification of LC-Weak KT1 Keys
  21.19 A More Detailed Classification of LC-Weak KT1 Keys
  21.20 On Frequency of LC-Vulnerable KT1 Keys
  21.21 How to Avoid LC-Weak KT1 Keys
  21.22 Pre-Conditions for Selected LC-Weak KT1 Keys
  21.23 Software for KT1 Key Generation Tool and LC-Weak Keys