Organization: ESAT, K.U.Leuven, Belgium Date: Fri, 28 Aug 1998 11:36:03 +0200 (METDST) From: Johan Borst
Hello,
Regarding the call of NIST for comments on the AES-candidates here is a report of a preliminary analysis of CRYPTON, that identifies a class of weak keys. It is attached in gzipped postscript format.
Regards, Johan Borst.
------Johan Borst Katholieke Universiteit Leuven Departement Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94 B-3001 Heverlee Belgium
Tel.: ++ 32 16 321862 Fax : ++ 32 16 321986 email: [email protected] http://www.esat.kuleuven.ac.be/~borst
Weak Keys of CRYPTON
Johan Borst
K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC
Kardinaal Mercierlaan 94, B-3001 Heverlee Belgie
Abstract
The blo ck cipher CRYPTON is a candidate prop osal for the AES standard. In
32
this rep ort we describ e a class of 2 weak keys. This is mainly a consequence of
the use of linear op erations in the key schedule. These weak keys esp ecially have
consequences for the use of CRYPTON in certain hash function constructions.
1 Intro duction
The AES candidate CRYPTON is an iterated blo ck cipher with blo ck size 128. Its key
size is variable and can be chosen to be each whole number of bytes between 8 and
32. Hence, the key sizes 128, 192 and 256 are supp orted, as requested by NIST for the
AES standard. The design is based on SQUARE [DKR97].
32
In this rep ort we describ e a class of 2 weak 256-bit keys. When suchakey is used
for encryption plaintexts from certain subsets of the text space always have ciphertexts
in a sp eci ed subset. This is mainly caused by the use of linear transformations and
symmetrical constants in the key schedule. The weakness for example can b e exploited
to nd collisions when CRYPTON with a 256-bit key is used in the Davies-Meyer hash
function construction.
The rest of this rep ort is organized as follows. In Section 2 we describ e the features
of CRYPTON that are relevant for our analysis. In Section 3 we describ e the weak
key class and in Section 4 its consequences. We conclude in Section 5.
2 The Cipher
CRYPTON is de ned as a 12-round blo ck cipher preceded by an initial transformation
and followed by a nal output transformation. Each round transformation is comp osed
of four di erent, consecutive transformations. All transformations op erate on 16-byte
strings. The round transformations for odd and even rounds are slightly di erent,
though have a same structure. They are de ned as
A = A; odd rounds: r =1; 3;:::;
K K o o
r r
A = A; even rounds: r =2; 4;:::;
K K e e
r r 1
128
for K ;A 2 f0; 1g . The initial transformation is de ned by . The nal output
i K
0
transformation is de ned by . In the following we omit the o and e subscripts
e
as the prop erties we use hold for b oth even and o dd round transformations.
1
The round keys K each consist of four 32-bit words whichwe denote with K [4i +
i
3];K[4i +2];K[4i +1];K[4i]. The expanded keys are derived from the user key by a
key schedule as follows. The rst 8 expanded keys K [i];i = 0 :::7; are derived from
the user key via an invertible transformation. After that for each i 2 f0 :::7g each
expanded key K [i +8j ];j =1:::6 only dep ends on K [i].
For further details we refer to [Lim98].
3 The Weak Keys
The only op erations that are used in the second phase of the key scheduling are rota-
tions with a multiple of 8 and xoring with round constants of the form aaaa, where a
are byte values. This has as consequence that if for one of the rst eight expanded keys
K [i]=aaaa for some byte value a, then all derived expanded keys K [i +8j ]=bbbb for
some b, not necessarily the same b for all j . Furthermore, the xoring and rotations are
done in suchaway that, if for a pair i ;i 2f7; 5; 6; 4; 3; 1; 2; 0g the expanded
1 0
keys K [i ]=K [i ]= aaaa, then K [i +8j ]= K [i +8j ]= bbbb.
1 0 1 0
32
With the ab ove we can construct 2 user keys for which every round key is of the
form bbbbaaaabbbbaaaa. These user keys can be computed by inverting the rst phase
32
of the key schedule. In this way we nd 2 256-bit or 32-byte keys of which ab out
27:7
2 have an equivalent 31-byte userkey. We call this set of keys W .
We de ne three subsets of the text space as follows.
128
V = fx 2f0; 1g jx = g hg hef ef cdcdababg;
0
128
V = fx 2f0; 1g jx = g hef cdabef g habcdg and
1
128
V = fx 2f0; 1g jx = ef g habcdef g habcdg;
2
64
where a:::h are byte values. Each of the subsets contains 2 elements.
For the key addition with a round key of the form K = bbbbaaaabbbbaaaa as well
as for it holds that if x 2 V then also x 2 V and x 2 V , for all i. For the
i K i i
other two transformations the following holds. maps an elementofV to an element
0
of V , V to V and V to V . This is clari ed in App endix A. Finally, maps V to V ,
1 1 0 2 2 0 2
V to V and V to V .
1 1 2 0
From this it can be seen that a CRYPTON round with a round key of the form
bbbbaaaabbbbaaaa maps an elementofV , V and V to an element of resp ectively V , V
0 1 2 1 2
and V . Furthermore the nal output transformation maps V , V and V to resp ectively
0 0 1 2
V , V and V .
0 2 1
Hence, for each of the keys in W CRYPTON with 12 rounds will encrypt an
elementofV , V and V to an element of resp ectively V , V and V .
0 1 2 0 2 1
1
In [Lim98] a distinction is made between round keys for encryption and decryption, given by
i i
. As the prop erties describ ed here hold for b oth, we omit the subscript and lower the K and K
e
d
sup erscript. 2
4 Consequences
There is only a small probability that a weak key is used when a user key is generated
randomly. On the other hand with a few chosen plaintexts it can be easily tested if a
weak key of W is used for encryption. However, the weak key class certainly in uences
security if an attacker can cho ose the key. An example of that is the following.
In [Lim98]itwas mentioned that CRYPTON can b e used as underlying blo ck cipher
in the Davies-Meyer hash function construction. Here the hash H on a message
m
x x :::x is de ned recursively by
0 1 m
H = H E H ;
i i 1 x i 1
i
where H is an initial vector. If H 2 V for some i and x 2 W , then E H 2 V
0 i 1 0 i x i 1 0
i
and also H 2 V . In accordance with the birthday paradox by varying H 2 V and
i 0 0 0
16
x 2 W one nds a collision for H with probability 0:39 in 2 hash calculations. We
0 1
16
generated 1000 sets of 2 according to the ab ove metho d generated hash calculations.
427 sets contained at least one collision, which is slightly higher than exp ected. Note
that to mount a practical attack we should also have to allow an attacker to be able
to in uence the initial vector as the probability that an H 2 V is again very small.
i 0
Remark: Due to the non-linear rst phase of the key schedule, there is no obvious
way in which the algebraic prop erties of this section might b e used to mount an attack
on the Matyas-Meyer-Oseas or the Miyaguchi-Preneel hash function constructions.
5 Conclusion
32
We conclude that CRYPTON has a class of 2 weak 256-bit keys. Hence care has to b e
taken when CRYPTON with 256-bit keys is used in applications where an attacker can
cho ose the key, such as the Davies-Meyer hash function construction. Away to resolve
this weakness is to strengthen the key schedule. This can b e done byintro ducing more
non-linearityin the key schedule, as for example was done in Rijndael [DR98], whose
design also was based on SQUARE.
References
[DKR97] J. Daemen, L.R. Knudsen, V. Rijmen, \The blo ck cipher SQUARE," Fast
Software Encryption, Proc. Fourth International Workshop, LNCS 1267, Springer-
Verlag, 1997, pp. 149{165.
[DR98] J. Daemen and V. Rijmen, \AES Proposal: Rijndael,", AES Prop osal, 1998,
available via http://www.esat.kuleuven.ac.b e/~rijmen/rijndael/index.ht ml.
[Lim98] C. H. Lim, \CRYPTON: A New 128-bit Block Cipher,", AES Prop osal, 1998,
available via http://crypt.future.co.kr/~chlim. 3
A The Transformation
In this app endix we do not distinguish b etween the transformations of even and o dd
rounds as the prop erties we use hold for b oth. The transformations of CRYPTON can
be viewed up on as op erating on a 4 4 byte array. The transformation consists of
four separate transformations, which are transformations on the separate columns of
the array. We can thus write x ;x ;x ;x = x ; x ; x ; x , where
3 2 1 0 3 3 2 2 1 1 0 0
we notate the 4 4 arrayby its four columns. Now the following prop erties hold.
T T
For all i: abab =cdcd , where a:::d are byte values.
i
T T T T
If abcd =ef g h then abcd =g hef for all i.
i i+2 mo d 4
With this prop erties we can deduce the following.
For g hg hef ef cdcdabab 2 V it holds that
0
0 1 0 1
i m k o a b a b
B C B C
j n l p c d c d
B C B C