The Improved 96Th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA

International Journal of Electrical Energy, Vol. 1, No. 3, September 2013

The Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA

Yasutaka Igarashi, Seiji Fukushima, and Tomohiro Hachino Kagoshima University, Kagoshima, Japan Email: {igarashi, fukushima, hachino}@eee.kagoshima-u.ac.jp

Toshinobu Kaneko Tokyo University of Science, Chiba, Japan Email: [email protected]

Abstract—CLEFIA is a 128-bit block cipher proposed by differential attack [6] on 11 rounds of CLEFIA with 298.3 Shirai of SONY et al. in 2007. Its key size is 128, 192, or 256 blocks of plain text and 2159 times of data processing [7]. bits. The number of the round of data processing part In the article we reduce the number of times of data depends on a key size, viz. it is 18, 22, or 26 rounds for 128, processing for the 96th-order differential attack by using 192, or 256 bits of a key size, respectively. Such a a modulo 2 occurrence distribution (MOD) of the characteristic of CLEFIA have been known that the 96th- order differential of 64 bits out of 128 bits of the 8th-round's intermediate data of data processing part. MOD is derived output is zero. With this characteristic, we reported the by using a partial sum technique proposed by Ferguson et 96th-order differential attack on 11 rounds of CLEFIA that al. [8]. Moreover we reduce the number of the times by requires 298.3 blocks of plain text and 2159 times of data applying a nested structure of iterative computation to the encryption. In this paper, we reduce this number of the attack algorithm and optimizing the order of the nest. times of the encryption, (viz. computational complexity) by As a result we show that the 96th-order differential applying a partial sum technique proposed by Ferguson et attack can be performed with 299.8 blocks of plain text and al. With the technique, we sequentially derive a modulo 2 2106.6 times of data processing, which is 1/252.4 of occurrence distribution of intermediate data of computational complexity compared to the conventional cryptanalysis. We also reduce the complexity by introducing a nested structure of iterative computations to the attack attack. Note that the best known higher-order differential algorithm. As a result we reduce the complexity to 2106.6, attack on CLEFA is the 105th-order differential attack on 108.5 which is 1/252.4 of the conventional complexity. 14 rounds of CLEFIA with 2 blocks of plain text and 223.0 2 times of data processing so far [9]. Index Terms—cryptanalysis, higher-order differential attack, block cipher, CLEFIA II. DATA PROCESSING PART OF CLEFIA

In this section we describe the data processing part of I. INTRODUCTION CLEFIA. We omit the detail specification of CLEFIA [2] being not required for the article. CLEFIA is a 128-bit block cipher proposed by Shirai Fig. 1 shows an 11-round data processing part of of SONY et al. in 2007 [1], [2]. A data processing part of CLEFIA where input plain text and output cipher text are CLEFIA consists of some rounds of 4-branch type-2 128 bits represented by Xi and Ci(11) (i = 0, 1, 2, 3), generalized Feistel structure, where two similar nonlinear functions are placed in parallel. CLEFIA supports 128, respectively. A bit size of Xi and Ci(11) is 32. Ci(j) (j = 1, 2, 192, and 256 bits of secret keys. The number of round of , 11) represents 32-bit output of the jth round given by data processing part depends on a key size, viz. it is 18, j)(  j)( j)( j)( CCCCC )( ),,,( Tj (1) 22, or 26 rounds for 128, 192, or 256 bits of secret key, i i0 i1 i2 i3 (j) respectively. CLEFIA has been applied and evaluated for where C ik (k= 0, 1, 2, 3) is an 8-bit data. The superscript cryptographic techniques towards the revision of the e- T represents transposition of a vector or a matrix. The Government Recommended Ciphers List in FY 2013 in symbol  represents an XOR operation. WKi (i = 0, 1) is Japan [3]. It has been known that the synchronous 8th-order a 32-bit whitening key, and RK (i = 0, 1, 2, , 21) is a differential of 24 bits out of 128 bits becomes zero at the 6th-round output of the data processing part [4]. It has 32-bit round key used in Fi (i = 0, 1). Fi is a bijective been also known that the 96th-order differential of 64 bits nonlinear function with 32-bit input/output (I/O) adopting out of 128 bits becomes zero at the 8th-round output [5]. SP structure. 4-branch 32-bit data Xi is mixed by XOR Exploiting this property we reported the 96th-order and substituted by a nonlinear function. Such a structure is called 4-branch generalized Feistel.

Manuscript received April 28, 2013; revised July 17, 2013

M 00 1 2 4 6  M 2 1 6 4 (3) 01  M 0  M 02 4 6 1 2  M 03 6 4 2 1

M10   281 a     (4)  M11   a 218  M   1 M   a 812   12         M13  a 182  where “a” is a hexadecimal number. The multiplications of a vector and a matrix are performed in GF(28) defined by the primitive polynomial z8 + z4 + z3 + z2 + 1.

III. THE 96TH-ORDER DIFFERENTIAL CHARACTERISTICS OF CLEFIA AND ITS ATTACK EQUATION In this section we show the 96th-order differential characteristics of CLEFIA and its attack equation.

First we focus on an input plain text (see Fig. 1). We Figure 1. 11-round data processing part of CLEFIA. set X0 or X2 to take arbitrary constant, and input the 96th- order differential to the three remaining Xi. Namely, all the 296 kinds of data from 0 to 296 -1 are put into the three (9) Xi. At this time the 96th-order differentials of C10 and (9) S0(C00 RK16,0) becomes the same value [7] (see Fig. 3 that shows the equivalently modified data processing part -1 from the 9th round to the 11th round). M0 is the inverse -1 matrix of M0 that is given by M0 = M0. There is the -1 product of the matrices M0 and M1 at the right side of the 11th round that is given by

25 2e 22 28  2e 25 28 22 (5) MM1  0122 28 25 2e  28 22 2e 25 By using the 96th-order differential characteristics the following attack equations can be derived:

(9) (9) (6) S0() C 00 RK 16,0 C10 XV  (96) XV  (96)

(9) (10) (11) (11) C10 C 00  W 20 28 S0 ( C 23  RK 21,3 ) (7)

(11) (11) (11) W20 W 10 22 S1 ( C 22  RK 21,2 ) (8)

Figure 2. (a) F0 and (b) F1. (11) (11) (11) W10 W 00 2 eS0 ( C 21  RK 21,1) (9) Fig. 2 shows (a) F0 and (b) F1 where its input and output data are represented by an 8-bit xi and an 8-bit yi (i (11) (11) (11) W00 C' 30 25 S1 ( C 20  RK 21,0 ) (10) = 0, 1, 2, 3), respectively. RK,i (i = 0, 1, 2, 3) is an 8-bit C'(11) C (11) 2 C (11)  4 C (11)  6 C (11) (11) key satisfying the following equation: RK = (RK,0, RK,1, 30 30 31 32 33 T RK,2, RK,3) . S0 and S1 are bijective nonlinear functions (9) (10) (10) C00 W 20  a S 0() C 23  RK 19,3 (12) with 8-bit I/O. Their output is represented by x'i. M0 and (10) (10) (10) M1 are 44 nonsingular matrices given by W20 W 10 2 S 1 ( C 22  RK 19,2 ) (13) T  yyyy 3210  (10) (10) (10) (2) W W 8 S ( C  RK ) (14) T 10 00 0 21 19,1  M i  x'x'x'x' 3210  i  1,0( ), (10) (10) (10) (10) (11)

W00 C 30  S 1( C 20  RK 19,0), C 30 C 20 (15)

(10) (11) T (11) (6)-(22), which is sequentially derived by using a partial CU2 2 (6,4,2,1)S1 ( C 03 RK 20,3 ) (16) sum technique proposed by Ferguson et al. [8]. The (11) (11) T (11) advantages of using MOD are as follows. Even number UU2 1 (4,6,1,2)S0 ( C 02 RK 20,2 ) (17) of XOR operations of a certain variable x is zero, while

Figure 3. Equivalently-modified data processing part from the 9th round to the 11th round.

(j) (j) (11) (11) T (11) Figure 4. Equivalent circuit whose inputs are C0 , C1 , and RK2j-2. The UU (2,1,6,4)S ( C RK ) (18) (j-1) 1 0 1 01 20,1 output is C2 .

(11) (11) T (11)

UC0 1 (1,2,4,6)S0 ( C 00 RK 20,0 ) (19) where

( j)()()()() j j j j T UUUUUi (,,,) i0 i 1 i 2 i 3 (20)

( j)()()()() j j j j T (21) WWWWWi (,,,) i0 i 1 i 2 i 3

()j C0 ()j C (22) C ()j ()XX   1 C ()j 2 ()j C3 C(j)(XX) is the jth-round 128-bit output corresponding to the input plain text (XX) where X is (j) (j) an input difference. Ui and Wi are 32-bit intermediate data of the equivalent circuit shown in Fig. 4 and Fig. 5 where the hexadecimal number in a box represents multiplication. Because (6) is 8 sets of Boolean equation, it holds with probability 2-8 even if a guessed key is false. On the other hand it holds with probability 1 if the guessed key is correct. Therefore attacker can recover the total 104 bits of the round keys, RK16,0, RK19, RK20, and RK21 in (6)-(22) by analyzing (6)-(22) for sufficient number of times. (j) (j) Figure 5. Equivalent circuit whose inputs are C2 , C3 , and RK2j-1. The (j-1) output is C0 . IV. ATTACK ALGORITHM AND COST ESTIMATION In this section we show the attack algorithm to recover Odd number of them is x. Therefore even number of the total 104 bits of round keys, and estimate the cost of XOR operations of x becomes unnecessary and odd the attack. We reduce the computational complexity of number of them can be substituted with x by using MOD. the attack by exploiting MOD for intermediate data of These advantages result in complexity reduction.

Next we show the attack algorithm exploiting MOD as S0 operation and the following multiplication, which follows. corresponds to (14). The number of elements of MOD9 is at most 224 and the average is 223. A. Attack Algorithm 8) Guess 8-bit RK21,1, and make MOD of the total 24- (11) (11) (11) (11) (11) 0) Make MOD of the total 72-bit data, C0 , C1 , and bit data, C , C , and W (MOD10) from (11) (10) 22 23 10 C20 (= C30 ) (name as MOD1) and MOD of the MOD8 through the equivalent circuit shown in Fig. (11) (11) 32 31 total 40-bit data, C2 and C’30 (name as MOD2) 5 with at most 2 times and the average 2 times of 96 (11) from the 2 blocks of cipher text C (XX) S0 operation and the following multiplication, which where X  V(96). The number of elements of corresponds to (9). The number of elements of MOD1 is at most 272 and the average is 271. The MOD10 is at most 224 and the average is 223. 40 number of elements of MOD2 is at most 2 and the 9) Guess 8-bit RK19,2, and make MOD of the total 16- 39 (10) (10) average is 2 . bit data, C23 and W20 (MOD11) from MOD9 1) Guess 8-bit RK20,0, and make MOD of the total 64- through the equivalent circuit shown in Fig. 5 with (11) (11) (11) (11) (10) 24 23 bit data, C01 , C02 , C03 , U0 , and C30 at most 2 times and the average 2 times of S1 (MOD3) from MOD1 through the equivalent circuit operation and the following multiplication, which shown in Fig. 4 with at most 272 times and the corresponds to (13). The number of elements of 71 16 15 average 2 times of S0 operation and the following MOD11 is at most 2 and the average is 2 . multiplications, which corresponds to (19). The 10) Guess 8-bit RK21,2, and make MOD of the total 16- 64 (11) (11) number of elements of MOD3 is at most 2 and the bit data, C23 and W20 (MOD12) from MOD10 average is 263. through the equivalent circuit shown in Fig. 5 with 24 23 2) Guess 8-bit RK20,1, and make MOD of the total 56- at most 2 times and the average 2 times of S1 (11) (11) (11) (10) bit data, C02 , C03 , U1 , and C30 (MOD4) operation and the following multiplication, which from MOD3 through the equivalent circuit shown in corresponds to (8). The number of elements of Fig. 4 with at most 264 times and the average 263 MOD12 is at most 216 and the average is 215. times of S1 operation and the following 11) Guess 8-bit RK19,3, and make MOD of the total 8-bit (9) multiplications, which corresponds to (18). The data C00 (MOD13) from MOD11 through the number of elements of MOD4 is at most 256 and the equivalent circuit shown in Fig. 5 with at most 216 55 15 average is 2 . times and the average 2 times of S0 operation and 3) Guess 8-bit RK20,2, and make MOD of the total 48- the following multiplication, which corresponds to (11) (11) (10) bit data, C03 , U2 , and C30 (MOD5) from (12). The number of elements of MOD13 is at most MOD4 through the equivalent circuit shown in Fig. 28 and the average is 27. 56 55 4 with at most 2 times and the average 2 times of 12) Guess 8-bit RK21,3, and compute the right-hand side S0 operation and the following multiplications, of (6) via (7) from MOD12 through the equivalent which corresponds to (17). The number of elements circuit shown in Fig. 5 with at most 216 times and 48 47 15 of MOD5 is at most 2 and the average is 2 . the average 2 times of S0 operation and the 4) Guess 8-bit RK20,3, and make MOD of the total 40- following multiplication. (10) (10) bit data, C2 and C30 (MOD6) from MOD5 13) Guess 8-bit RK16,0, and compute the left-hand side through the equivalent circuit shown in Fig. 4 with of (6) from MOD13 with at most 28 times and the 48 47 7 at most 2 times and the average 2 times of S1 average 2 times of S0 operation. The guessed keys operation and the following multiplications, which at the steps 1-13 are the candidate of correct key if corresponds to (16). The number of elements of (6) holds, otherwise they are false keys. 40 39 MOD6 is at most 2 and the average is 2 . Attacker guesses all the 2104 kinds of the round key at 5) Guess 8-bit RK19,0, and make MOD of the total 32- the steps 1-13. Attacker executes step 0 one time. Steps (10) (10) (10) (10) bit data, C21 , C22 , C23 , and W00 (MOD7) 1-13 are executed by using a nested structure of loop from MOD6 through the equivalent circuit shown in 40 39 iterations. Fig. 5 with at most 2 times and the average 2 Step 1 is an outermost loop, and step 13 is an innermost times of S1 operation corresponding to (15). The 32 loop. number of elements of MOD7 is at most 2 and the 104 31 First, attacker confirms the authenticity of the total 2 average is 2 . sets of the guessed key by computing (6). And then, the 6) Guess 8-bit RK21,0, and make MOD of the total 32- 96 104 -8 (11) (11) (11) (11) number of candidate keys is reduced to 2 (= 2  2 ). bit data, C , C , C , and W (MOD8) 96 21 22 23 00 Second, attacker confirms the authenticity of 2 sets of from MOD2 through the equivalent circuit shown in the guessed keys by computing (6) again where the plain Fig. 5 with at most 240 times and the average 239 text X is different from the one at the first time. And then, times of S1 operation and the following 88 multiplication, which corresponds to (10). The the number of candidate keys is reduced to 2 . Attacker 32 repeats this confirmation 14 times, and then the average number of elements of MOD8 is at most 2 and the -8 104 - average is 231. number of candidate keys is reduced to 2 (= 2  (2 8)14) where the last key shall be a correct key. Because 7) Guess 8-bit RK19,1, and make MOD of the total 24- (10) (10) (10) attacker has to compute the 96ht-order differential to bit data, C22 , C23 , and W10 (MOD9) from MOD7 through the equivalent circuit shown in Fig. prepare one set of (6), the number of chosen plain texts to 5 with at most 232 times and the average 231 times of prepare 14 different sets of (6) is given by D as follows:

D 14  296  2 99.8 (23) [6] X. Lai, “Higher order derivatives and differential cryptanalysis,” in Communications and Cryptography, Springer US, vol. 276, pp. The maximum number (Tmax) of data processing of 11- 227-233, 1994. round CLEFIA, which include 88 sets of S (i = 0, 1), for [7] N. Shibayama, Y. Igarashi, T. Kaneko, and S. Hangai, “Security i evaluation of CLEFIA against saturation cryptanalysis,” in Proc. the attack algorithm are given by Symposium on Cryptography and Information Security, no. 2B1-

13 4, 2011. TT28i /88 2106.6 (24) [8] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. max  1 Wagner, and D. Whiting, “Improved cryptanalysis of Rijndael,” i0 in Lecture Notes in Computer Science, Springer, vol. 1978, 2001, 8 72 8 64 8 56 pp. 136-141. TTTTTT2(2  ),  2(2  ),  2(2  ) (25) 1 2 2 3 3 4 [9] N. Shibayama and T. Kaneko, “New higher order diﬀerential

8 48 8 40 8 40 property of CLEFIA,” in Proc Symposium on Cryptography and

TTTTTT4 2(2 5 ), 5  2(2 6 ), 6  2(2  7 ) (26) Information Security, no. 2B4-2, 2013.

8 32 8 32

TTTT7 2 (2 8 ), 8  2 (2  9 ) (27)

8 24 8 24 Yasutaka Igarashi received the B.E., M.E., and Ph.D. TTTT9 2 (2 10 ), 10  2 (2  11 ) (28) degrees in information and computer sciences from T 8 2(2 16 ), TT 8 2(2 16 ), TT  88 .22 (29) Saitama University, Japan, in 2000, 2002, and 2005. He 11 1212 1313 is currently an assistant professor of Kagoshima University. His research is involved with optical CDMA Ti (i = 1, 2, , 13) is the number of Si (i = 0, 1) and the cryptanalysis of symmetric-key cryptography. operations for the nested loops from step i to step 13. Dr. Igarashi is a member of IEICE and RISP.

V. CONCLUSIOINS We have studied the 96th-order differential attack on Toshinobu Kaneko received the B.E., M.E., and Ph.D. degrees in Electrical Engineering from the University of 11 rounds of CLEFIA. We reduced the number of times Tokyo, in 1971, 1973, and 1976, respectively. He is of data processing for the attack by applying a partial sum currently a Professor of Tokyo University of Science. He technique proposed by Ferguson et al. With the technique, has been engaged in coding theory and information we sequentially derived MOD of intermediate data of the security. Prof. Kaneko is a member of CRYPTREC and served as a chairman of Symmetric-Key Cryptography data processing part. Moreover we reduced the number of subcommittee in 2001--2003. Prof. Kaneko is a member of IEICE, IEEJ, the times by applying a nested structure of iterative IPSJ, and IEEE. computation to the attack algorithm and optimizing the order of the nest. As a result we showed that the 96th- 99.8 order differential attack can be performed with 2 Seiji Fukushima received the B.S., M.S., and Ph.D. 106.6 blocks of plain text and 2 times of data processing, degrees in electrical engineering from Kyushu which is 1/252.4 of computational complexity compared to University in 1984, 1986, and 1993, respectively. He is the conventional attack. The future work is to apply our currently a Professor at Kagoshima University. His research interests include photonics/radio hybrid attack algorithm to [4]. communication systems and their related devices. Prof. Fukushima is a member of IEICE, IEEE/Photonic Society, Japan REFERENCES Society of Applied Physics, Japanese Liquid Crystal Society, and Optical Society of America. [1] T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, “The 128-bit blockcipher CLEFIA (Extended abstract),” in Lecture Notes in Computer Science, Springer-Verlag, vol. 4593, pp. 181- 195, 2007. Tomohiro Hachino received the B.S., M.S., and Dr. [2] CLEFIA The 128-bit Blockcipher. [Online]. Available: Eng. degrees in electrical engineering from Kyushu http://www.sony.net/Products/cryptography/clefia/ Institute of Technology in 1991, 1993, and 1996, [3] CRYPTREC topics. [Oline]. Available: respectively. He is currently an Associate Professor at http://www.cryptrec.go.jp/english/topics/cryptrec_20101001_call Kagoshima University. His research interests include forattack.html nonlinear control and identification, signal processing, [4] N. Shibayama and T. Kaneko, “A peculiar higher order and evolutionary computation. Dr. Hachino is a member differential of CLEFIA,” in Proc. International Symposium on of IEEJ, SICE, and ISCIE. Information Theory and its Applications, 2012, pp. 526-530. [5] Y. Tsunoo, E. Tsujihara, H. Kubo, M. Shigeri, and T. Kawabata, “Saturation characteristics of generalized Feistel structure,” IEICE Trans. Fundamentals, vol. J93-A, no. 4, pp. 269-276. 2010.