with Cube Attack

Vignesh Meenakshi Sundaram, Faculty of Mathematics and Computer Science, University of Tartu, Tartu, Estonia [email protected]

Abstract. Cube Attack is a recent type of attack under algebraic cryptanalysis, proposed by Shamir et al. in EUROCRYPT 2009. It can be carried out on any cipher irrespective of the corresponding block and key lengths. Simplified DES, developed by Professor Edward Schaefer of Santa Clara University, has similar properties and structure to DES with much smaller parameters. PRESENT is an ultra-lightweight block cipher, proposed by A. Bogdanov et al. in CHES 2007. In this report, section 1 gives an introduction to cryptanalysis using Cube Attack, section 2 contains a brief description of Simplified DES, section 3 explains the PRESENT cipher, section 4 describes the Cube Attack in brief, section 5 covers Cube Attack on the SDES cipher and section 6 discusses Cube Attack on the PRESENT cipher.

Keywords: block cipher, lightweight, cryptanalysis, cube attack.

1 Introduction

Of the various types of attacks under algebraic cryptanalysis, Cube Attack is a recent attack. In EUROCRYPT 2009, Itai and Shamir proposed this attack. The cube attack aids in deriving the key bits of a key when used in a cipher. It can be used to attack any cipher in which even a single bit can be represented by a low-degree multivariate polynomial in the key and plaintext variables. It can be carried out on any cipher irrespective of the corresponding block and key lengths. The cube attack reduces the complexity of the attack, as even the knowledge of a single key bit can prove efficient, since the rest of the key bits can be obtained by brute force. The Simplified DES or SDES is a lighter version of the Data Encryption Standard and is used for educational purposes. In this report, we perform the cube attack on SDES and also go on to show how it can be implemented for the PRESENT cipher. The PRESENT cipher is an ultra-lightweight cipher which can be used efficiently in constrained environments that demand security guarantees, such as RFID tags and sensor networks. As the popularity of these lightweight devices continues to rise, so will the required security measures and guarantees; therefore, using lightweight ciphers is advisable and beneficial too.

2 Simplified DES

Simplified DES, also known as SDES, was developed by Professor Edward Schaefer of Santa Clara University. SDES has similar properties and structure to DES (Data Encryption Standard) with much smaller parameters. It is an educational algorithm [1] rather than a secure encryption algorithm.

2.1 How SDES works

SDES operates on an 8-bit plaintext and a 10-bit key to yield an 8-bit ciphertext. The encryption algorithm involves five functions:

1. An initial permutation (IP).
2. A complex function labeled fK, which involves both permutation and substitution operations and depends on a key input.
3. A simple permutation function that switches (SW) the two halves of the data.
4. The function fK again.
5. A permutation function that is the inverse of the initial permutation (IP^-1).

The encryption algorithm can be written as follows:

ciphertext = IP^-1 ( fK2 ( SW ( fK1 ( IP ( plaintext ) ) ) ) )

K1 = P8 ( Shift ( P10 ( key ) ) )

K2 = P8 ( Shift ( Shift ( P10 ( key ) ) ) )

The decryption algorithm follows as:

plaintext = IP^-1 ( fK1 ( SW ( fK2 ( IP ( ciphertext ) ) ) ) )

Key Schedule:

Let the 10-bit key be designated as (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10)

Step 1: The key is permuted according to Table 1:

P10 3 5 2 7 4 10 1 9 8 6

Table 1: The SDES P10 Table

P10 (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1, k9, k8, k6)

Step 2: P8 is applied, which picks out and permutes 8 of the 10 bits according to the following rule (Table 2):

P8 6 3 7 4 8 5 10 9

Table 2: The SDES P8 Table

Encryption:

Initial Permutation:

The 8-bit block of plaintext is permuted using the IP function according to Table 3:

IP 2 6 3 1 4 8 5 7

Table 3: The SDES IP Table

The Function fK:

This is the most complex component of SDES and consists of a combination of permutation and substitution functions, expressed as follows. Let L and R be the leftmost and rightmost 4 bits of the input, and let F be a mapping from 4-bit strings to 4-bit strings. Then

fK(L, R) = ( L ⊕ F ( R, SK ), R ), where SK is a subkey and ⊕ is the bit-wise exclusive-OR function.

The Switch Function:

The left and right 4 bits are interchanged so that the second instance of fK operates on a different set of 4 bits. In this second instance, the key input is K2.

Final Permutation:

The 8-bit input is permuted using the IP^-1 function according to Table 4:

IP^-1 4 1 3 5 7 2 8 6

Table 4: The SDES IP^-1 Table

Figure C.1: Simplified DES scheme. Encryption: the 10-bit key passes through P10, Shift and P8 (giving K1), then a further Shift and P8 (giving K2); the 8-bit plaintext passes through IP, fK (with K1), SW, fK (with K2) and IP^-1 to give the 8-bit ciphertext. Decryption applies IP, fK (with K2), SW, fK (with K1) and IP^-1 to the ciphertext.

2.2 Comparison between SDES and DES

Parameter           SDES                                  DES
Block size          8-bit                                 64-bit
Key                 10-bit                                56-bit
Encryption scheme   IP^-1 ( fK2 ( SW ( fK1 ( IP ) ) ) )   IP^-1 ( fK16 ( SW ( fK15 ( SW ( … ( SW ( fK1 ( IP ) ) ) … ) ) ) ) )
Inputs to F         4-bit (n1, n2, n3, n4)                32-bit (n1 … n32)

Table 4: SDES vs DES

3 The PRESENT Cipher

In CHES 2007, A. Bogdanov et al. proposed an ultra-lightweight block cipher called PRESENT [2]. The primary focus of PRESENT is to facilitate easy hardware optimization, so that it can be implemented easily in constrained environments such as RFID tags and sensor networks.

3.1 How PRESENT works

PRESENT operates on a 64-bit plaintext, and an 80-bit or a 128-bit key. In this report, we will be focusing on 80-bit key length. PRESENT consists of 31 rounds.

Key Schedule:

Step 1: The 80-bit key provided by the user is stored in the key register K.

K = k79 k78 … k0.

Step 2: For i = 1 to 32, do:

Set the subkey Ki as the round key for the i-th round,

Ki = Ki^63 Ki^62 … Ki^0 = k79 k78 … k16.

Update the key register K = k79 k78 … k1 k0 as follows:

[k79 k78 … k1 k0] = [k18 k17 … k20 k19] (a rotation to the left by 61 bit positions),

[k79 k78 k77 k76] = S [k79 k78 k77 k76],

[k19 k18 k17 k16 k15] = [k19 k18 k17 k16 k15] ⊕ round_counter.

Encryption:

Each of the 31 rounds in PRESENT includes the following stages:

i) addRoundKey:

bj → bj ⊕ Ki^j, where bj (0 ≤ j ≤ 63) is the current state bit and Ki^j (1 ≤ i ≤ 32, 0 ≤ j ≤ 63) is the j-th bit of the round key Ki.

ii) sBoxLayer:

This layer consists of 16 parallel versions of a 4-bit to 4-bit S-Box as given in Table 4:

x     0 1 2 3 4 5 6 7 8 9 A B C D E F
S[x]  C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

Table 4: The PRESENT S-Box Table

iii) pLayer : This is the bit permutation layer where the bit i is moved to the bit P(i) by the pLayer as given in Table 5:

i      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
P(i)   0 16 32 48  1 17 33 49  2 18 34 50  3 19 35 51
i     16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
P(i)   4 20 36 52  5 21 37 53  6 22 38 54  7 23 39 55
i     32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
P(i)   8 24 40 56  9 25 41 57 10 26 42 58 11 27 43 59
i     48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
P(i)  12 28 44 60 13 29 45 61 14 30 46 62 15 31 47 63

Table 5: The PRESENT pLayer Table
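The key schedule and round structure of section 3.1, written out as an added Python example (this is not code from the report or from the PRESENT authors); the pLayer is given in the closed form P(i) = 16·i mod 63 that reproduces Table 5, the state is a 64-bit integer with b0 as the least significant bit, and the key register is an 80-bit integer with k79 as the most significant bit.

```python
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # Table 4
MASK80 = (1 << 80) - 1

def player(i):
    """pLayer of Table 5 in closed form: bit i moves to P(i) = 16*i mod 63, with P(63) = 63."""
    return 63 if i == 63 else (16 * i) % 63

def sbox_layer(state):
    out = 0
    for j in range(16):  # 16 parallel 4-bit S-boxes; nibble 0 is b3..b0
        out |= SBOX[(state >> (4 * j)) & 0xF] << (4 * j)
    return out

def p_layer(state):
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << player(i)
    return out

def key_update(key, round_counter):
    """Key register K = k79...k0: rotate left by 61, S-box on k79..k76, counter XORed into k19..k15."""
    key = ((key << 61) | (key >> 19)) & MASK80
    key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))
    return key ^ (round_counter << 15)

def round_keys(key):
    """K1..K32; Ki is the leftmost 64 bits k79..k16 of the register before update number i."""
    keys = []
    for i in range(1, 33):
        keys.append(key >> 16)
        key = key_update(key, i)
    return keys

def present_encrypt(plaintext, key):
    """PRESENT-80: 31 rounds of addRoundKey, sBoxLayer, pLayer, then addRoundKey with K32."""
    rk = round_keys(key)
    state = plaintext
    for i in range(31):
        state = p_layer(sbox_layer(state ^ rk[i]))
    return state ^ rk[31]

if __name__ == "__main__":
    # Test vector from the PRESENT paper [2]: all-zero plaintext and all-zero key.
    print(hex(present_encrypt(0, 0)))  # -> 0x5579c1387b228445
```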

4 Brief description of Cube Attack

Cube attack is a recent type of attack, which falls under the category of algebraic cryptanalysis. In the cube attack, the cryptosystem is considered as a black box [3]. It exploits the fact that the cryptosystem comprises low-degree equations, in which even a single bit of ciphertext or an intermediary bit can be represented as a low-degree multivariate polynomial of the key and plaintext variables. The attacker is given a black box that evaluates an unknown polynomial p over GF(2) of n + m input bits (x1,..,xn,v1,..,vm) and outputs a single bit. The polynomial is assumed to be in Algebraic Normal Form, namely, the sum of products of variables. The input bits x1,..,xn are the secret variables, while v1,..,vm are the public variables. Instead of distinguishing between the secret and public variables, we can denote all of them by x1,..,xn. Since xi^2 = xi modulo 2, every term of the polynomial is the product of the variables indexed by some subset I of {1,..,n}; we denote this term by tI. Given a multivariate polynomial p and any index subset I, we can factor the common subterm tI out of some of the terms in p, and represent the polynomial as the sum of terms which are supersets of I and terms which are not supersets of I:

p(x1,..,xn) = tI · pS(I) + q(x1,..,xn)

Here, pS(I) is called the superpoly of I in p. For any p and I, the superpoly of I in p is a polynomial that has no variable in common with tI, and each term in q(x1,..,xn) misses at least one variable from I. For example, let us assume the following:

p(x1, x2, x3, x4, x5) = x1x2x3 + x1x2x4 + x2x4x5 + x1x2 + x2 + x3x5 + x5 + 1

that is, p is a polynomial of degree 3 in 5 variables, and let I = {1,2} be the index subset of size 2. Then, p can be represented as:

p(x1, x2, x3, x4, x5) = x1x2(x3+x4 + 1) + (x2x4x5 + x3x5 + x2 + x5 + 1)

where

tI = x1x2

pS(I) = x3 + x4 + 1

q(x1, x2, x3, x4, x5) = x2x4x5 + x3x5 + x2 + x5 + 1
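The factorisation p = tI · pS(I) + q above, carried out on the report's example polynomial as an added Python example (not code from the report): monomials are sets of variable indices, `factor` splits them into the superpoly and q, and `cube_sum` shows that XORing p over all values of the cube variables evaluates pS(I), because every term of q misses a cube variable and cancels.

```python
from itertools import product

# The report's example p(x1..x5) = x1x2x3 + x1x2x4 + x2x4x5 + x1x2 + x2 + x3x5 + x5 + 1 in ANF:
# each monomial is the frozenset of its variable indices; the empty set is the constant 1.
P_ANF = {frozenset(m) for m in [(1, 2, 3), (1, 2, 4), (2, 4, 5), (1, 2), (2,), (3, 5), (5,), ()]}

def evaluate(anf, x):
    """Evaluate an ANF over GF(2) at the point x (dict: variable index -> bit)."""
    return sum(all(x[i] for i in m) for m in anf) % 2

def factor(anf, I):
    """Write p = t_I * p_S(I) + q: every monomial containing all of I contributes (monomial - I)
    to the superpoly p_S(I); the monomials missing some variable of I form q."""
    I = frozenset(I)
    superpoly = {m - I for m in anf if I <= m}
    q = {m for m in anf if not I <= m}
    return superpoly, q

def cube_sum(anf, I, rest):
    """XOR of p over the cube: all 2^|I| assignments to the variables in I, the others fixed by `rest`."""
    acc = 0
    for vals in product([0, 1], repeat=len(I)):
        x = dict(rest)
        x.update(zip(I, vals))
        acc ^= evaluate(anf, x)
    return acc

def superpoly_matches_cube_sum(anf, I, n):
    """Check, for every assignment of the variables outside I, that summing p over the cube
    evaluates p_S(I) (the terms of q cancel because each one misses a cube variable)."""
    superpoly, _ = factor(anf, I)
    others = [i for i in range(1, n + 1) if i not in I]
    for vals in product([0, 1], repeat=len(others)):
        rest = dict(zip(others, vals))
        if cube_sum(anf, I, rest) != evaluate(superpoly, rest):
            return False
    return True
```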

The cryptanalytic process can be divided into two stages, namely the Preprocessing Phase and the On-line Phase.

The Preprocessing Phase: In this phase, the attacker is allowed to set the values of all the variables (x1,..,xn,v1,..,vm) and to use the black box to evaluate the corresponding output bit of p. The objective of this phase is to identify which queries should be made to the black box during the on-line phase of the attack, that is, to find the key bits contributing to the i-th bit of the ciphertext.

The On-line Phase: In this phase, we deduce a series of linear equations by querying the black box polynomial with tweakable public variables (e.g. a chosen-plaintext attack). The attacker then solves this system of linear equations to recover the secret key bits.

5 Cube Attack on SDES

This section briefly describes the Cube Attack performed on SDES. As SDES was mainly meant for educational purposes, so is the Cube Attack on the SDES cipher. Since SDES has a 10-bit key, it can easily be brute-forced. Towards the end, we discuss performing the Cube Attack on the PRESENT cipher, where it is of greater practical significance.

5.1 Algorithm of the attack on SDES

Since our first objective is to find the key bits contributing to the i-th bit of the ciphertext, we do this by the following algorithm:

• Specify the degree of the cube.

• Choose random plaintext bits (equal in number to the cube degree) as the cube variables.

• Generate random keys Ka and Kb, and compute K0 = 00…00 and Kc = Ka ⊕ Kb ⊕ K0.

• Linearity check: linearity is determined by observing which ciphertext bit yields the same output when using two different keys. For i = 1 to 1000, do: vary the cube plaintext bits from 00...00 to 11...11 and each time encrypt with Ka, Kb and Kc, accumulating the bit-wise XOR of the ciphertexts as:

For each bit i of the ciphertext, do:

Ê(p, K)[i] = Ê(p, K)[i] ⊕ Encryption(p, K)[i]

Here Ê(p, K) denotes Encryption^(p, K), the XOR of the ciphertexts over the whole cube.

Then check whether:

Ê(p, Ka)[i] ⊕ Ê(p, Kb)[i] ⊕ Ê(p, K0)[i] = Ê(p, Kc)[i]

If true, mark the corresponding i-th bit as linear, and set freetermp = Ê(p, K0).

After obtaining the linear bits, we proceed to find which of the key bits participate in the formation of this bit. We do this by first setting the key to 00...00 and then replacing each of them with 1 to see which of the key bits is in the ciphertext bit. This is done from the following algorithm:

If Ê(p, K0 with the i-th key bit flipped) ⊕ freetermp = freetermp, the i-th key bit is not in the equation.

Finally, we get the required equations consisting of the key bits that appear in the corresponding ciphertext bit.
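An added Python example (not code from the report) that implements SDES as described in section 2.1 and then runs the cube-sum and key-bit-membership steps of the algorithm above on it; S0, S1, EP and P4 are the standard tables from Schaefer [1], which the report does not list, and cube positions and ciphertext bits are 0-based from the most significant bit, matching the indices used in section 5.2. Two departures from the text are assumptions of this example: the affine model is verified exhaustively over all 1024 keys instead of 1000 random trials, and a flipped key bit counts as present when the cube sum differs from the free term.

```python
from itertools import product

# SDES tables as in Schaefer [1]; entries are 1-based bit positions, bits are lists, MSB first.
P10, P8 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6], [6, 3, 7, 4, 8, 5, 10, 9]
IP, IP_INV = [2, 6, 3, 1, 4, 8, 5, 7], [4, 1, 3, 5, 7, 2, 8, 6]
EP, P4 = [4, 1, 2, 3, 2, 3, 4, 1], [2, 4, 3, 1]
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]

def perm(bits, table): return [bits[i - 1] for i in table]
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def shift(k, n): return k[n:5] + k[:n] + k[5 + n:] + k[5:5 + n]  # LS-n on both 5-bit halves

def subkeys(key):  # K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key))))
    k = shift(perm(key, P10), 1)
    return perm(k, P8), perm(shift(k, 2), P8)

def sbox(box, b):  # row from the outer two input bits, column from the inner two
    v = box[2 * b[0] + b[3]][2 * b[1] + b[2]]
    return [v >> 1, v & 1]

def fk(bits, sk):  # fK(L, R) = (L xor F(R, SK), R), F = P4(S0 || S1)(EP(R) xor SK)
    l, r = bits[:4], bits[4:]
    e = xor(perm(r, EP), sk)
    return xor(l, perm(sbox(S0, e[:4]) + sbox(S1, e[4:]), P4)) + r

def sdes_encrypt(pt, key):  # ciphertext = IP^-1(fK2(SW(fK1(IP(plaintext)))))
    k1, k2 = subkeys(key)
    b = fk(perm(pt, IP), k1)
    return perm(fk(b[4:] + b[:4], k2), IP_INV)

def cube_sum(cube, bit, key):
    """E^(p, K)[bit]: XOR of one ciphertext bit over all values of the cube plaintext bits
    (0-based positions, MSB first); every other plaintext bit is held at 0."""
    acc = 0
    for vals in product([0, 1], repeat=len(cube)):
        pt = [vals[cube.index(j)] if j in cube else 0 for j in range(8)]
        acc ^= sdes_encrypt(pt, key)[bit]
    return acc

def superpoly(cube, bit):
    """Free term from K0 = 0...0, key-bit membership from single-bit flips of K0; returns
    (constant, key bit indices) only if this affine model holds for all 1024 keys, else None."""
    zero = [0] * 10
    const = cube_sum(cube, bit, zero)
    coeffs = [i for i in range(10) if cube_sum(cube, bit, zero[:i] + [1] + zero[i + 1:]) != const]
    for key in product([0, 1], repeat=10):
        if (const + sum(key[i] for i in coeffs)) % 2 != cube_sum(cube, bit, list(key)):
            return None
    return const, coeffs
```

Calling `superpoly((3, 4), 7)` returns `(1, [7])`, i.e. the maxterm equation K7 + 1 that the results table in section 5.2 lists for cube {3, 4} and ciphertext bit 7.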

5.2 Results for SDES

In the preprocessing phase, 15 maxterm equations were found with linearly independent bits corresponding to ciphertext bits 3, 4, 6 and 7 respectively, when attacking with cubes of degree 2 and degree 3. The cubes and maxterms for bits 3, 4, 6 and 7 are shown in Table 6:

Cube Indices   Cipher Bit   Maxterm Equation
3,4            7            K7 + 1
3,6            7            K7 + 1
3,7            7            K2 + K9 + 1
4,7            7            K5
6,7            7            K5
3,4,6          3            K8 + 1
               4            K7
               6            K8
3,4,7          3            K0
               4            K9
               6            K0
3,6,7          3            K3
               4            K2 + 1
               6            K3
4,6,7          4            K5 + 1

Table 6: Equations for Cube Attack on SDES

Thus, we can pick k5, k7, k2 + k9 for degree 2, and k2, k8 and k0 for degree 3.

This gives us 6 equations in all, from which we can deduce k0, k2, k5, k7, k8, and k9. Therefore, in the online phase, we can choose the plaintexts determined in the preprocessing phase and solve the system of equations with 6 equations.

After getting the key bits k0, k2, k5, k7, k8 and k9, brute-forcing the rest of the key bits (k1, k3, k4 and k6) takes 2^4 = 16 trials. Under normal circumstances, it would take a complexity of 2^10 to brute-force an SDES key. With the cube attack, we have managed to reduce the complexity to 2^4.

6 Conclusion

The noteworthy aspect of the cube attack is obtaining a single output bit represented as a low-degree polynomial and determining the cubes leading to the corresponding maxterms and maxterm equations efficiently. The cube attack thus effectively helps in reducing the complexity of attacking the cryptosystem. With the knowledge of even a few key bits, the attack can prove to be efficient when compared to a brute-force attack. Due to time constraints, a successful cube attack on the PRESENT cipher was not possible. Since SDES requires only a 10-bit key, brute force is easily possible, and therefore the effect of the cube attack cannot be fully shown. With a rather more powerful and bigger cipher such as PRESENT with an 80-bit key, the cube attack can prove to be much more efficient. Therefore, work towards this is in progress, and a successful attack on the PRESENT 80-bit cipher is possible when demonstrating the cube attack.

References

1. E. Schaefer. A simplified data encryption algorithm. Cryptologia, 20(1):77–84, 1996.
2. A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, C. Vikkelsoe. PRESENT: An Ultra-Lightweight Block Cipher. In: P. Paillier, I. Verbauwhede (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007).
3. I. Dinur, A. Shamir. Cube Attacks on Tweakable Black Box Polynomials. In: A. Joux (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009).