Organization: ESAT, K.U.Leuven, Belgium Date: Fri, 28 Aug 1998 11

Home , Vincent Rijmen

Organization: ESAT, K.U.Leuven, Belgium Date: Fri, 28 Aug 1998 11:36:03 +0200 (METDST) From: Johan Borst Reply-To: Johan Borst To: [email protected] cc: Bart Preneel , Vincent Rijmen , Bart Van Rompay Subject: analysis CRYPTON

Hello,

Regarding the call of NIST for comments on the AES-candidates here is a report of a preliminary analysis of CRYPTON, that identifies a class of weak keys. It is attached in gzipped postscript format.

Regards, Johan Borst.

------Johan Borst Katholieke Universiteit Leuven Departement Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94 B-3001 Heverlee Belgium

Tel.: ++ 32 16 321862 Fax : ++ 32 16 321986 email: [email protected] http://www.esat.kuleuven.ac.be/~borst

Weak Keys of CRYPTON

Johan Borst

K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC

Kardinaal Mercierlaan 94, B-3001 Heverlee Belgie

[email protected] e

Abstract

The blo ck cipher CRYPTON is a candidate prop osal for the AES standard. In

this rep ort we describ e a class of 2 weak keys. This is mainly a consequence of

the use of linear op erations in the key schedule. These weak keys esp ecially have

consequences for the use of CRYPTON in certain hash function constructions.

1 Intro duction

The AES candidate CRYPTON is an iterated blo ck cipher with blo ck size 128. Its key

size is variable and can be chosen to be each whole number of bytes between 8 and

32. Hence, the key sizes 128, 192 and 256 are supp orted, as requested by NIST for the

AES standard. The design is based on SQUARE [DKR97].

In this rep ort we describ e a class of 2 weak 256-bit keys. When suchakey is used

for encryption plaintexts from certain subsets of the text space always have ciphertexts

in a sp eci ed subset. This is mainly caused by the use of linear transformations and

symmetrical constants in the key schedule. The weakness for example can b e exploited

to nd collisions when CRYPTON with a 256-bit key is used in the Davies-Meyer hash

function construction.

The rest of this rep ort is organized as follows. In Section 2 we describ e the features

of CRYPTON that are relevant for our analysis. In Section 3 we describ e the weak

key class and in Section 4 its consequences. We conclude in Section 5.

2 The Cipher

CRYPTON is de ned as a 12-round blo ck cipher preceded by an initial transformation

and followed by a nal output transformation. Each round transformation is comp osed

of four di erent, consecutive transformations. All transformations op erate on 16-byte

strings. The round transformations for odd and even rounds are slightly di erent,

though have a same structure. They are de ned as

A = A; odd rounds: r =1; 3;:::;

K K o o

r r

A = A; even rounds: r =2; 4;:::;

K K e e

r r 1

128

for K ;A 2 f0; 1g . The initial transformation is de ned by . The nal output

i K

transformation is de ned by . In the following we omit the o and e subscripts

as the prop erties we use hold for b oth even and o dd round transformations.

The round keys K each consist of four 32-bit words whichwe denote with K [4i +

3];K[4i +2];K[4i +1];K[4i]. The expanded keys are derived from the user key by a

key schedule as follows. The rst 8 expanded keys K [i];i = 0 :::7; are derived from

the user key via an invertible transformation. After that for each i 2 f0 :::7g each

expanded key K [i +8j ];j =1:::6 only dep ends on K [i].

For further details we refer to [Lim98].

3 The Weak Keys

The only op erations that are used in the second phase of the key scheduling are rota-

tions with a multiple of 8 and xoring with round constants of the form aaaa, where a

are byte values. This has as consequence that if for one of the rst eight expanded keys

K [i]=aaaa for some byte value a, then all derived expanded keys K [i +8j ]=bbbb for

some b, not necessarily the same b for all j . Furthermore, the xoring and rotations are

done in suchaway that, if for a pair i ;i 2f7; 5; 6; 4; 3; 1; 2; 0g the expanded

1 0

keys K [i ]=K [i ]= aaaa, then K [i +8j ]= K [i +8j ]= bbbb.

1 0 1 0

With the ab ove we can construct 2 user keys for which every round key is of the

form bbbbaaaabbbbaaaa. These user keys can be computed by inverting the rst phase

of the key schedule. In this way we nd 2 256-bit or 32-byte keys of which ab out

27:7

2 have an equivalent 31-byte userkey. We call this set of keys W .

We de ne three subsets of the text space as follows.

128

V = fx 2f0; 1g jx = g hg hef ef cdcdababg;

128

V = fx 2f0; 1g jx = g hef cdabef g habcdg and

128

V = fx 2f0; 1g jx = ef g habcdef g habcdg;

where a:::h are byte values. Each of the subsets contains 2 elements.

For the key addition with a round key of the form K = bbbbaaaabbbbaaaa as well

as for it holds that if x 2 V then also x 2 V and x 2 V , for all i. For the

i K i i

other two transformations the following holds. maps an elementofV to an element

of V , V to V and V to V . This is clari ed in App endix A. Finally, maps V to V ,

1 1 0 2 2 0 2

V to V and V to V .

1 1 2 0

From this it can be seen that a CRYPTON round with a round key of the form

bbbbaaaabbbbaaaa maps an elementofV , V and V to an element of resp ectively V , V

0 1 2 1 2

and V . Furthermore the nal output transformation maps V , V and V to resp ectively

0 0 1 2

V , V and V .

0 2 1

Hence, for each of the keys in W CRYPTON with 12 rounds will encrypt an

elementofV , V and V to an element of resp ectively V , V and V .

0 1 2 0 2 1

In [Lim98] a distinction is made between round keys for encryption and decryption, given by

i i

. As the prop erties describ ed here hold for b oth, we omit the subscript and lower the K and K

sup erscript. 2

4 Consequences

There is only a small probability that a weak key is used when a user key is generated

randomly. On the other hand with a few chosen plaintexts it can be easily tested if a

weak key of W is used for encryption. However, the weak key class certainly in uences

security if an attacker can cho ose the key. An example of that is the following.

In [Lim98]itwas mentioned that CRYPTON can b e used as underlying blo ck cipher

in the Davies-Meyer hash function construction. Here the hash H on a message

x x :::x is de ned recursively by

0 1 m

H = H E H ;

i i1 x i1

where H is an initial vector. If H 2 V for some i and x 2 W , then E H 2 V

0 i1 0 i x i1 0

and also H 2 V . In accordance with the birthday paradox by varying H 2 V and

i 0 0 0

x 2 W one nds a collision for H with probability 0:39 in 2 hash calculations. We

0 1

generated 1000 sets of 2 according to the ab ove metho d generated hash calculations.

427 sets contained at least one collision, which is slightly higher than exp ected. Note

that to mount a practical attack we should also have to allow an attacker to be able

to in uence the initial vector as the probability that an H 2 V is again very small.

i 0

Remark: Due to the non-linear rst phase of the key schedule, there is no obvious

way in which the algebraic prop erties of this section might b e used to mount an attack

on the Matyas-Meyer-Oseas or the Miyaguchi-Preneel hash function constructions.

5 Conclusion

We conclude that CRYPTON has a class of 2 weak 256-bit keys. Hence care has to b e

taken when CRYPTON with 256-bit keys is used in applications where an attacker can

cho ose the key, such as the Davies-Meyer hash function construction. Away to resolve

this weakness is to strengthen the key schedule. This can b e done byintro ducing more

non-linearityin the key schedule, as for example was done in Rijndael [DR98], whose

design also was based on SQUARE.

References

[DKR97] J. Daemen, L.R. Knudsen, V. Rijmen, \The blo ck cipher SQUARE," Fast

Software Encryption, Proc. Fourth International Workshop, LNCS 1267, Springer-

Verlag, 1997, pp. 149{165.

[DR98] J. Daemen and V. Rijmen, \AES Proposal: Rijndael,", AES Prop osal, 1998,

available via http://www.esat.kuleuven.ac.b e/~rijmen/rijndael/index.ht ml.

[Lim98] C. H. Lim, \CRYPTON: A New 128-bit Block Cipher,", AES Prop osal, 1998,

available via http://crypt.future.co.kr/~chlim. 3

A The Transformation

In this app endix we do not distinguish b etween the transformations of even and o dd

rounds as the prop erties we use hold for b oth. The transformations of CRYPTON can

be viewed up on as op erating on a 4 4 byte array. The transformation consists of

four separate transformations, which are transformations on the separate columns of

the array. We can thus write x ;x ;x ;x = x ; x ; x ; x , where

3 2 1 0 3 3 2 2 1 1 0 0

we notate the 4 4 arrayby its four columns. Now the following prop erties hold.

T T

For all i: abab =cdcd , where a:::d are byte values.

T T T T

If abcd =ef g h then abcd =g hef for all i.

i i+2 mo d 4

With this prop erties we can deduce the following.

For g hg hef ef cdcdabab 2 V it holds that

0 1 0 1

i m k o a b a b

B C B C

j n l p c d c d

B C B C

! B C 2 V : B C

@ A @ A

k o i m e f e f

l p j n g h g h

For g hef cdabef g habcd 2 V it holds that

1 1 0 0

i m i m a b c d

C C B B

j n j n e f g h

C C B B

C 2 V : C ! B B

A A @ @

k o k o c d a b

l p l p g h e f

For ef g habcdef g habcd 2 V it holds that

1 1 0 0

i k m o a b c d

C C B B

j l n p e f g h

C C B B

C 2 V : C ! B B

A A @ @

i k m o a b c d

j l n p e f g h 4