International Workshop on Cloud Computing and Information Security (CCIS 2013)
Integral Attacks on Feistel-SP Structure Block Cipher
Yanjun Li Wenling Wu, Lei Zhang, and Liting Zhang The Department of Information Security State Key Laboratory of Information Security Beijing Electronic Science and Technology Institute Institute of Software, Chinese Academy of Sciences Beijing, P.R. China Beijing, P.R. China [email protected]
Abstract-In this paper, a method is presented to extend the 11-round Camellia-128 with the data complexity of 2120 length of integral distinguisher of Feistel-SP structure, based and the time complexity of 2125.5, and 12-round on which a new 8-round distinguisher for the block cipher Camellia-256 with the data complexity of 2120 and the Camellia is proposed. Moreover, integral attacks on time complexity of 2214.3. The result is the best integral -1 round-reduced Camellia without FL/FL are improved. We attack on round-reduced Camellia so far. attack 11-round Camellia-128 with the data complexity of This paper is organized as follows: Section II provides 2120 and the time complexity of 2125.5, and attack 12-round Camellia-256 with the data complexity of 2120 and the time a brief description of preliminaries. Section III describes a complexity of 2214.3. These attacks are the best integral method to extend the length of the distinguisher. Section attacks on round-reduced Camellia so far. IV describes the attacks on 11/12-round Camellia. Finally, Section V concludes this paper. Keywords-block cipher, distinguisher, integral attack, camellia, partial sum technique II. PRELIMINARIES A. Description of Camellia I. INTRODUCTION Camellia is a Feistel-SP style block cipher with The block cipher Camellia was proposed by NTT and 1 Mitsubishi in 2000[1]. It is based on Feistel structure with FL/ FL layers, and the number of rounds are 18/24/24 SP-type F function and FL/FL-1 functions layers, and it corresponding to key length of 128/192/256 bits. 1 supports the block length of 128 bits and a variable key Additionally, FL/ FL function is inserted every 6 length of 128/192/256 bits. Camellia was accepted by rounds (Fig.1). The round keys are derived from the ISO/IEC as an international standard[6]. It is also a winner master key by means of key scheduling.The key schedule of NESSIE, CRYPTREC project and IETF. The security constants are listed in Table 1. In this paper the input and of Camellia was initially analyzed by the algorithm output of round function are treated as two 8-byte vectors designers. Efficient attacks on Camellia include linear over F 8 . 28 cryptanalysis[14], differential cryptanalysis[13,14], [15, 17] P impossible differential cryptanalysis , truncated X1 X0 [7, 9,15] K F differential cryptanalysis , higher order differential K 1 cryptanalysis[5], collision attack[16] and Square attack[3, 19, 20] -1 . The best attacks on Camellia without FL/FL function 6-Round X 2 F2 layer were impossible differential cryptanalysis [18], which can attack 12-round Camellia-128 and 16- round -1 FL FL-1 Camellia-256 without FL/FL . X3 F3 Integral attack was extended from Square attack, [2] which is one of the best attacks on AES . Ferguson et al. 6-Round X in [4] improved this attack to 8 rounds version of 4 F4 Rijndael-128 with the partial sum technique and the herd technique. Knudsen and Wagner first proposed the FL FL-1 X5 F5 definition of integral and analyzed it as a dual to differential attacks particularly applicable to block 6-round [8] ciphers with bijective components . Several years later, X 6 F6 Reza Z'aba et al. presented bit pattern based integral K K attack [12]. The integral attack applied to many kinds of [11] [10] block ciphers so far, such as Rijndael , ARIA , and C Serpent [12]. Higher order differential attack and Square Fig. 1. The Structure of Camellia-128 attack are different from integral attack. However, the length of their distinguisher can be extended by using the The round function of Camellia includes three basic integral property. In this paper a method is presented to operations: Round Key Addition, Substitution Layer and extend the length of Camellia’s distinguisher, based on Diffusion Layer (Fig.2). These three basic operations are which the effect of integral attack will be improved. defined as follows: Moreover, this method can also be used even on any Round Key Addition (RKA): The 64-bit round key is Feistel-SP structure. Then a new 8-round distinguisher of Xored to the state. Camellia without FL/FL-1 is proposed. Finally, we attack Substitution Layer (SL): A non-linear byte substitution
© 2013. The authors - Published by Atlantis Press 156 operation is applied to each byte of the state and Round Key Addition Layer will not affect this independently. In Camellia this is implemented by 4 property of saturation. However, the linear transformation S-boxes with the relationship as follows. influences the length of the integral distinguisher. Integral
s21( a ) s ( a ) 1; attack considers a particular collection of m bytes in the s( a ) s ( a ) 1; plaintexts and ciphertexts. In [8], Knudsen and Wagner 31 also generalized this approach to higher order integrals: s( a ) s ( a 1). d 41 the original set to consider becomes a set of m vectors Diffusion Layer (DL): The diffusion layer is a function which differ in d components where the sum of this set is PFF: 88 , which is given by 2288 predictable after a certain number of rounds. The sum of this set is called a d th -order integral. In this paper we m1 x 1 x 3 x 4 x 6 x 7 x 8 m x x x x x x not only pay attention to the sum, but also to the 2 1 2 4 5 7 8 appearing times of the sum value. m3 x 1 x 2 x 3 x 5 x 6 x 8 The Partial Sum Technique. In our attack we will
m4 x 2 x 3 x 4 x 5 x 6 x 7 use the partial sum technique. For a value c0,,,, c 1 c 2 cl , we define m5 x 1 x 2 x 6 x 7 x 8 u m6 x 2 x 3 x 5 x 7 x 8 xu :[] Sj c j k j . j0 m7 x 3 x 4 x 5 x 6 x 8 Guessing the values of k0 and k1 ,we will complete m8 x 1 x 4 x 5 x 6 x 7 the transformation B. Notations (,,,,)c0 c 1 c 2 cl (,,,)x12 c cl . In the following, we introduce some notations used in Guessing the values of ki , we will complete the this paper. The plaintext are denoted as (,)XX10, where transformation
Xi ( x i,1 , x i ,2 , , x i ,8 ), ir0, , 1 . Other notations (,,,,)xi11 c i c i c l (,,,)xi c i1 c l . that will be used in this paper are described as follows: In order to obtain the value of xl , l-1 steps of
Br: the output of RKA in r -th round. processing are required. If ci s are in byte pattern, the time 8l 16 Or: the output of SL in r -th round. complexity of the count of xl is 2 2 (l 1) times
Mr: the output of DL in r -th round. S-box lookups. For the details of the complexities of each step, the readers can refer to [4]. ki8 m si8 i8 xi8 s1 ki7 III. INTEGRAL DISTINGUISHERS BASED ON si7 mi7 xi7 s4 FEISTEL-SP STRUCTURE ki6 k s i8 i6 mi6 In this section we first explain how to construct a xi6 s3 ki5 2nd-order 5-round integral distinguishers (Sec. 2.1), then si5 m i5 introduce a method to extend the length of integral xi5 s2 ki4 distinguishers and the proof is also given in detail (Sec. si4 mi4 xi4 s4 2.2). ki3 si3 mi3 A. The 2nd-Order 5-Round Integral Distinguisher xi3 s3 ki2 si2 The idea of constructing a 2nd-order 5-round integral x s mi2 i2 2 distinguisher is like that of constructing 5-round higher ki1 si1 x m order differential distinguishers in [5]. i1 s1 i1 Lemma 1 [5]. Let the bytes of xx, are active, and 0,1 0,2 Fig. 2. The Round Function of Camellia other bytes of XX01, are constants, each value of t appears even times. 1 Kr : the subkey of the r -th round. t s3( x 6,6 k 6,6 ) [ P ( X7 )] 6 . bri, : the i 1-th byte of Br . B. A Method to Extend the Length of Integral o : the i 1-th byte of O . ri, r Distinguisher mri, : the i 1-th byte of M r . In the structure of Feistel-SP, the Xor operation and
kri, : the i 1-th byte of Kr . the permutation P are linear transformations (Fig.3), which can influence the general integral property and also : the active bytes. i can be used to extend the integral distinguisher. Let some
C. Higher Order Integral Attack and the Partial Sum bytes of X 0 be active, and the bytes of X1 be constant, Technique and then the input of a known t -round integral
Higher Order Integral Attack. The integral attack distinguisher is (,)XX10. Now we extend it backward has many interesting features. It can saturate S-Box Layer
157 by one round using the following formula: denoted as x1,,,,,,,, x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 , and all XFXXPSKXX1 ()0 1 ( (0 )) 1 constants be denoted as 0. Let the active bytes of . 1 1 PSKXPX[ ( (01 )) ( )] (XPX11 , ( )) be denoted as y3,,, y 4 y 1 y 2 . One
Choose X 1 , which satisfying that the bytes of round encryption will be decrypted as the following 1 equations. PX()1 corresponding to the no-constant bytes of xy11 SKX( (0 )) are active and other bytes are constants. Such xy (,)XX will lead to several sets of (,)XX after 22 01 10 s() x k x y one-round encryption, and we will obtain a t 1-round 1 1 1 3 4 integral distinguisher. The related proof will be presented s2() x 1 x 2 k 2 x 4 y 3 in Lemma 2. s3() x 1 x 2 k 3 x 5 y 3 y 4 Take Camellia for example, the input of a 2nd order s() x k x y y 4 2 4 6 3 4 5-round distinguisher is (,)XX10, where the bytes of s2() x 1 x 2 k 5 x 7 y 3 y 4 xx0,1, 0,2 are active and other bytes are constants. s() x k x y Extending three more rounds forward and we will obtain 3 2 6 8 4 the following: s1() x 1 k 8 x 9 y 3 Simplifying the above equations, we will obtain the X0 X-1 K equivalent equations as follows.
xy11 S P xy 22 s() x k x y 1 1 1 3 4 s2() x 1 x 2 k 2 x 4 y 3 X 1 X0 s()() x k x s x x k x 1 1 1 3 2 1 2 2 4 s3( x 1 x 2 k 3 ) x 5 0 t-Round Integral Distinguisher s1()() x 1 k 1 x 3 s 2 x 1 x 2 k 2 x 4 Fig. 3. The Feistel-SP Structure s4( x 2 k 4 ) x 6 0 s1()() x 1 k 1 x 3 s 2 x 1 x 2 k 2 x 4 X P(,,,,,,,) c c c c c c , 1 2 3 s( x x k ) x 0 2 1 2 5 7 XP2 (,,,,,,,) 4 5 6 7 8 9c 10 , s1()() x 1 k 1 x 3 s 3 x 2 k 6 x8 0 XP (,,,,,,,) . 3 11 12 13 14 15 16 17 18 s2( x 1 x 2 k 2 ) x 4 s 1 ( x 1 k 8 ) x 9 0 where si,0 18 are active bytes. Because all bytes i According to the simplified equations above, we of X are active, we can't further improve it any more. 32 3 find that there is only one solution. For 2 values Then the following lemma is obtained. of y,,, y y y , we get a set of 232 solutions, and 1 3 4 1 2 Lemma 2. Let the 7th byte of PX()2 be constant and each value of x5,,,, x 6 x 7 x 8 x 9 is determined by other 15 bytes of (PXX1 ( ), ) be active. After 3 23 x,,, x x x . After taking over all 240 values of 104 1 2 3 4 rounds iterative encryption we will obtain 2 sets and in 40 72 x5,,,, x 6 x 7 x 8 x 9 , 2 sets will be obtained, i.e. 2 each set the bytes of xx0,1, 0,2 are active and other bytes are values of x,,,,,,,, x x x x x x x x leads to 240 constants. 1 2 3 4 5 6 7 8 9 Proof. We will proof this lemma in three steps as follows: sets after one round encryption, in each set the bytes 32 16 of y1,,, y 2 y 3 y 4 are active. 1) The 2 values of (,)XX11 will lead to 2 sets of 3) The 2120 values of (,)XXwill lead to 248 sets of (,)XX10 after one-round encryption, in each set the 23 (,)XX after one round encryption, and in each first two bytes of X1 are active and other bytes are 12 11 constant. set the nine bytes of (PXPX (21 ), ( )) are active, The proof of this step is just like that of example 1 and other bytes are constants. and omitted here. The proof of this step is just like that of the above 72 40 2) The 2 values of (,)XX12will lead to 2 sets step. of (,)XX after one round encryption. In each After processing the three steps above, we will 11 104 120 1 obtain 2 sets of from 2 values of set xx1,0, 1,1 and the first two bytes of PX() 1 (,)XX described in the lemma 2. In each set the are active, and other bytes are constants. 23 11 bytes of xx0,1, 0,2 are active and other bytes are constant. Let all active bytes of (PXPX (12 ), ( )) be □
158 Utilizing Lemma 1 and Lemma 2, we can construct a 8-Round th new 15 order 8-round distinguisher of Camellia as Distinguisher depicted in Theorem 1. K S P Theorem 1. Let (,)XX10 be the input of Camellia x xx10,2,, 10,3 1 1 9,6 without FL/ FL . If the bytes of PX()17 are constants x10,5,, x 10,6 x 10,8 and other bytes of (,)XX take all values of F15 , then x,,, x x 10 28 10,2 10,3 10,5 1 K S P x10,6,, x 10,7 x 10,8 each value of t s3( x 9,6 k9,6 )() P X10 6 will appear even times. IV. ATTACKS ON ROUND-REDUCED CAMELLIA K S P A. Integral Attack on 10/11-Round Camellia-128 x12,2,,, x 12,3 x 12,5 x11,1,,,, x 11,2 x 11,3 x 11,4 Based on the 15th-order 8-round distinguisher x,, x x x,,, x x x described above, we will attack 10 rounds of 12,6 12,7 12,8 11,5 11,6 11,7 11,8 Camellia-128 without FL/ FL1 functions now, which is Fig.4. Integral Attacks on Round-reduced Camellia illustrated in Fig.4. For the values of x,,,,, x x x x x , the 1) Choose a structure of plaintexts (,)XX which 11,6 10,2 10,3 10,5 10,7 10,8 10 number of which appear odd times, we do the following satisfies steps: XP1 (,,,,,,,) 4 5 6 7 8 9c 10 , (a) Guess the two bytes of k10,2 and k10,3 , and we obtain the XP0 (,,,,,,,) 11 12 13 14 15 16 17 18 , corresponding 5-byte value (,,,,)x1 x 10,5 x 10,7 x 10,8 x 11,6 . where i ( 4i 18 ) are active bytes, and c is a 15 (b)-(e) Guess the value of k10,5 , k10,7 , k10,8 , k9,6 constant. (,)XX takes all values of F 8 . Encrypt all 10 2 respectively, and then we obtain 1 byte value x . 56 5 these plaintexts and set 2 counters for the seven bytes 1 3) The values of x5 and [PX (10 )] 6 are summed over of x11,6,,, x 10,2 x 10,3 xx10,5,, 10,6 xx10,7, 10,8 . Once a 56-bit value all the encryptions, and check if the value of t appears is obtained, the corresponding counter is increased by even times. If each value of t appears even times, the one. guessed key bytes are correct, otherwise they are wrong. 2) For the 256 values of ciphertexts, there are at most In Step 1, we choose 2120 plaintexts and need encrypt 256 values in bytes of x,,,, x x x x , 11,6 10,2 10,3 10,5 10,6 2120 times. In Step 2-(a), we guess 16 bits key, and 48 64 x10,7 , x10,8 . We choose those values that counters are odd process 2 ciphertexts, which cost 2 S-box times (the Xor value of the same value is zero). applications. Step 2-(b) costs 2216 8 2240 64
Guessing the key bytes of k10,2,,,, k 10,3 k 10,5 k 10,7 k10,8 and computations at most. This is same as the other phases of Step 2, so the work factor of Step 2 is 2564 S-box k9,6 , we do a partial decrypt to the single value of t .In this phase we need the partial sum technique in order to lookups. There are also additional cost to compute 1 reduce the work factor of computing the value [PX (10 )] 6 in each phase of Step 2. However, using of s3() x 9,6 k 9,6 . rough equivalence of 8 S-box applications to one-round encryption with a new key, the complexity to compute t[ P1 ( X )] s ( x k ) 10 6 3 9,6 9,6 can be ignored. For a wrong key, the 1 [(,,,,)]P x10,2 x 10,3 x 10,5 x 10,6 x 10,8 6 s 3 [( s 2 x 10,2 k 10,2 ) probability that each value of t appears even times is less 169 s3( x 10,3 k 10,3 ) s 2 ( x 10,5 k 10,5 ) s 4 ( x 10,7 k 10,7 ) (2) than 2 . After analyzing a structure of plaintexts, we expect 248 2 169 2 121 wrong key that would pass s1() x 10,8 k 10,8 x 11,6 k 9,6 ]. 120 Step 2. So the data complexity of 2 is enough and the time complexity is 248 2 16 5/ (2 3 10) 260 encryptions. We can also improve this attack by adding one more round. For 11-round Camellia-128, the key schedule could be used. The total time complexity is 2132 /(2 3 11) 2125.5 encryptions.
B. Integral Attacks on Camellia-192/256 In this subsection, we describe improved integral attacks on 11-round Camellia-192 and 12-round Camellia-256. The key schedule can't be used here. We add 1 round after 10-round Camellia, and guess all bytes of K11, and decrypt the last round, where the work factor
159 is the equivalent of 264 2 64 2 128 F function operations [2] Daemen, J., Knudsen, L., and Rijmen, V.: The block cipher 64 48 48 160 Square. In: Biham, E.(ed.) FSE 1997. LNCS, vol. 1267, pp. and 222 2 Xor operations. The rest work 149-165. Springer, Heidelberg (1997) factor can be ignored, so the main time complexity of the [3] Duo, L., Li, C., and Feng, K.Q.: Square Like Attack on Camellia. attack on 11 rounds Camellia-192/256 is In: Qing, S., Imai, H., and Wang, G.(eds.) ICICS 2007. LNCS, 160 6 150.5 vol. 4861, pp. 269-283. Springer, Heidelberg (2007) 2 / (2 11) 2 . In a similar way the time [4] Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., complexity of the attack on 12 rounds Camellia-256 is Wagner, D., Whiting, D.: Improved cryptanalysis of Rijndael. In: 214.3 Schneier, B.(ed.) FSE 2000. LNCS, vol. 1978, pp. 213-230. 2 . No relation of subkeys can be used. Springer, Heidelberg (2001) [5] Hatano, Y., Sekine, H., Kaneko, T.: Higher order differential V. CONCLUSION attack of Camellia (II). In: Nyberg, K., Heys, H.M.(eds.) SAC 2002. LNCS, vol. 2595, pp. 129-164. Springer, Heidelberg (2003) The improved integral attacks on round-reduced [6] International Standardization of Organization (ISO), International Camellia are described in this paper. We propose a Standard-ISO/IEC 18033-3, Information technology-Security method of forward-extending the length of integral techniques-Encryption algorithms-Part 3: Block ciphers, July, distinguisher, by which a new 8-round integral 2005. [7] Kanda, M., Matsumoto., T.: Security of Camellia against distinguisher for Camellia is proposed. Then we attack truncated differential cryptanalysis. In: Matsui, M. (ed.) FSE 11-round Camellia-128 and 11/12-round 2001. LNCS, vol. 2355, pp. 119-137. Springer, Heidelberg (2002) Camellia-192/256 with the partial sum technique. Table 1 [8] Knudsen, L. and Wagner, D.: Integral cryptanalysis. In: Daemen, summarizes our integral attacks together with the J., Rijmen, V.(eds.) FSE 2002. LNCS, vol. 2365, pp. 112-127. Springer, Heidelberg (2002) previously known integral-like attacks on Camellia. [9] Lee, S., Hong, S., Lee, S., Lim, J., and Yoon, S.: Truncated differential cryptanalysis of Camellia. In: Kim, K.-c.(ed.) ICISC Table 1. Results of Integral-like Attacks on Camellia 2001. LNCS, vol. 2288, pp. 32-38. Springer, Heidelberg (2002) Camellia-b Rounds Method Data Time Notes [10] Li, Y., Wu, W., and Zhang, L.: Integral Attacks on Camellia-128 8 SA 248 2116 [19] Reduced-Round ARIA Block Cipher. In: Kwak, J., et al. (eds.) 9 SLA 266 284.8 [3] ISPEC 2010. LNCS, vol. 6047, pp. 19-29, Springer, Heidelberg (2010) 10 IntA 2120 2120 Sec3.1 120 123.9 [11] Li, Y., Wu, W., Zhang, L., and Zhang, L.: Improved Integral 11 IntA 2 2 Sec3.1 Attack on Rijndael. Journal of Information Science and 21 188 Camellia-192 9 HODC 2 2 [5] Engineering (JISE), to appear. /256 9 SA 260.5 2202 [19] [12] Reza Z'aba, M., and Raddum, H., Henricksen, M., and Dawson, 10 SLA 266 2167.3 [3] E.: Bit-Pattern Based Integral Attack. In: Nyberg, K. (ed.), FSE 11 SLA 266 2211.6 [3] 2008. LNCS, vol. 5086, pp. 363-381. Springer, Heidelberg (2008) [13] Shirai, T., Kanamaru, S., and Abe, G.: Improved upper bounds of 11 HODC 266 2255.6 [5] 120 150.5 differential and linear characteristic probability for Camellia. In: 11 IntA 2 2 Sec3.2 Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 12 SLA 266 2249.6 [3] 147-151. Springer, Heidelberg (2002) 12 IntA 2120 2214.3 Sec3.2 [14] Shirai, T.: Differential, linear, boomerang and rectangle Note 1. D-Rounds: Distinguisher Rounds; SA: Square Attack; IntA: cryptanalysis of reduced-round Camellia. In: Proceedings of 3rd Integral Attack; HODC: Higher Order Differential Attack; SLA: Square NESSIE workshop (November 2002) Like Attack. [15] Sugita, M., Kobara, K., and Imai, H.: Security of reduced version Note 2. Time complexity is measured in encryption units. of the block cipher Camellia against truncated and impossible differential cryptanalysis. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 193-207. Springer, Heidelberg (2001) According to Table 1, the integral attacks presented in [16] Wu, W., Feng, D., and Chen, H.: Collision attack and this paper make significant improvements on both data pseudorandomness of reduced round Camellia. In: Handschuh, and time complexities. However, the full-round Camellia H., Hasan, M.A.(eds.) SAC 2004. LNCS, vol. 3357, pp. 256-270. provides a sufficient safety margin. Our new method also Springer, Heidelberg (2004) [17] Wu, W., Zhang, W. and Feng, D.: Impossible differential can be used for any Feistel-SP structure, which raises a cryptanalysis of Reduced-Round ARIA and Camellia. In: Journal natural open problem: How to evaluate the security of of Compute Science and Technology 22(3), pp. 449-456, Springer, Feistel-SP structure against integral attack? This will be Heidelberg (2007) our future work. [18] Wu, W., Zhang, L., and Zhang, W.: Improved impossible differential cryptanalysis of reduced-round Camellia. In: Avanzi, R., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. ACKNOWLEDGMENTS 442-456. Springer, Heidelberg(2009) We would like to thank Dr. Bozhan Su and Dr. Jian [19] Yeom, Y., Park, S., and Kim, I.: On the security of Camellia Zou for their helpful comments and suggestions. The against the Square attack. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 89-99. Springer, Heidelberg (2002) research presented in this paper is supported by the [20] Yeom, Y., Park, S., and Kim, I.: A study of integral type National Natural Science Foundation of China cryptanalysis on Camellia. In Proceedings of the 2003 (No.60873259 and No. 60903212), and the Foundation Symposium on Cryptography and Information Security, pp. Research Funds for the Central Universities (YQNJ1003). 453-456 (2003)
REFERENCES [1] Aoki, K., Ichikawa, T., Kanda, M., et al.: Camellia: A 128-Bit block cipher suitable for multiple platforms design and analysis. In: Ito, T., Abadi, M. (eds.) TACS 1997. LNCS, vol. 1281, pp. 39-56. Springer, Heidelberg (1997)
160