The Second International Conference on Emerging Security Information, Systems and Technologies

A Related- Attack on TREYFER

Aleksandar Kircanski and Amr M. Youssef Computer Security Laboratory Concordia Institute for Information Systems Engineering Concordia University, Montreal, Quebec, Canada, H3G 2W1

Abstract such as smart cards, RFIDs, and sensor networks. For example, TREYFER requires only 29 bytes of TREYFER is a lightweight designed for executable on the 8051 micro-controller. resource constrained environments. In this paper, The best known attack against TREYFER, pre- we a related-key attack that directly recovers sented by Alex Biryukov and David Wagner [7], is a 11 the secret key of TREYFER using about 2 chosen that requires 232 known , 244 . Our attack is based on a time for analysis and 232 memory. set of deterministic algebraic relationships between In this paper, we derive a set of determinis- TREYFER corresponding to related tic algebraic relationships between the ciphertexts plaintexts encrypted under circularly byte shifted corresponding to related plaintexts encrypted with versions of the same key. The attack complexity is TREYFER under circularly byte shifted versions of independent of the number of rounds of the cipher. the same key. Based on these relationships, we present a chosen related-key attack [8]-[14] that di- rectly recovers the secret key of TREYFER using about 211 chosen plaintext operations. 1 Introduction The attack complexity is independent of the number of rounds of the cipher. Despite its current implementation advances, the Ad- The rest of the paper is organized as follows. In sec- vanced Encryption Standard (AES) [1] may not al- tion 2 we briefly review the description of TREYFER. ways be the optimal choice for applications with tight The algebraic relationship between ciphertexts corre- resource constraints such as radio frequency identifi- sponding to related plaintexts encrypted under circu- cation (RFID) tags and tiny sensor networks. In fact, larly (byte-wise) shifted versions of the secret key is with the widespread applications of these resource- derived in section 3. Using this relationship, our at- constrained devices, the analysis and design of light- tack is described in section 4. weight encryption algorithms have started to gain a new momentum (e.g [2], [3].) TREYFER [4] is a 64 bit (and also 2 Description of TREYFER a MAC) proposed by Gideon Yuval, from Microsoft, at FSE’97. According to Gideon Yuval, TREYFER TREYFER can be seen as an iterative block cipher is targeting an environment for which even TEA [5] with the round function shown in Figure 1 where and SAFER [6] are “gross overdesign [4]”. The sim- <<< denotes a circular left shift by 1 bit, + de- ple and compact design of TREYFER makes it an at- notes addition mod 256 and SKi, i =0...7, de- tractive choice for resource constrained environments notes the key addition and s-box lookup operations

978-0-7695-3329-2/08 $25.00 © 2008 IEEE 213 DOI 10.1109/SECURWARE.2008.51 S[(x + Ki) mod 256] function. All operations are the same way at each round. byte-oriented, and there is a single 8 × 8-bit s-box. The following notation will be used throughout the In [4], the s-box is left undefined; it is suggested paper. that the implementation can simply use whatever • f denotes round function mapping of TREYFER data is available in memory. In each round, each byte (see Figure 1). has added to it the s-box value of the sum of a key byte and the previous data byte, then it is rotated • P = P0P1 ···P7 denotes the 8 byte plaintext in- left one bit. The design attempts to compensate for put the simplicity of this round transformation by using • K = K0K1 ···K7 denotes the 8 byte key a large number of rounds: 32. The pseudo code implementation of TREYFER is • C = C0C1 ···C7 denotes the 8 byte as follows: 3 Main Observations for(r =0;r

Proof: Let pi,i =0...7 denote i-th byte of  f(P1P2 ···P7P0,K1 ···K7K0). Then, by TREYFER definition, we have:   p1 =(P2 + S(P1,K1)) <<< 1=P2   p2 =(P3 + S(P2,K2)) <<< 1=P3 . . . .   p7 =(P0 + S(P7,K7)) <<< 1=P0 Figure 1: Round function of TREYFER, where    p0 =(P1 + S(P0,K0)) <<< 1=P1 SKi(x)=sbox((x + Ki) mod 256) The lemma holds by noting that  In order to obtain a more compact and faster ci- f(P1P2 ···P7P0,K1 ···K7K0)=p0 ···p7. pher under the assumed hardware constraints, the This observation can easily be extended to hold for K designer of TREYFER opted not to have any com- composition of multiple rounds. By P −→ C we will plex key scheduling. In particular, TREYFER simply denote the TRYEFER encryption of the plaintext P uses its user supplied key, K, byte by byte in exactly with a key, K.

214 Lemma 2 Let knows or chooses the relationship between keys, i.e., g(·), but not the actual key values. ··· −→K ··· P0 P7 C0 C7, Based on the relations derived in the above sec- tion, we describe a chosen-related-key attack against and   TREYFER. C ···C = f(C0 ···C7,K0 ···K7). K 0 7 Given the plaintext-ciphertext pair (P, C), P −→ Then C where K = K0 ···K7, the proposed attack pro- ceeds to recover K0 as follows:  rot(K,1)  P1P2 ···P7P0 −→ C1C2 ···C7C0 For( X =0;X<256; X ++){ Proof: Follows from previous Lemma and the fact n • ··· that TREYFER function is equal to f , n = 32. Encrypt the plaintext XP2 P7P0 under the ··· That way, for each TREYFER pair (P, C), we can key rot(K, 1) = K1 K7K0 derive another “similar” plaintext-ciphertext pair, • For each ciphertext in the form YC2 ···C7C0, encrypted by key circularly shifted to the left by determine K0 that satisfies one byte. Furthermore, if previous Lemma is applied  multiple times, we can get 7 such pairs, as given by X = P1 =(P1 + S[K0 + P0]) <<< 1, the following Theorem.  Y = C1 =(C1 + S[K0 + C0]) <<< 1. Theorem 1 Let rot(K, i) denote the left circular } shift of K by i bytes, then, for any

K P0 ···P7 −→ C0 ···C7 (1)   The process above finds P and C , second bytes of we have 1 1 f(P0 ···P7,K0 ···K7), and f(C0 ···C7,K0 ···K7), respectively.  rot(K,1)  Theoretically it is possible that there may exist an P1P2P3P4P5P6P7P0 −→ C1C2C3C4C5C6C7C0 (2)  rot(K)   rot(K,2)   X = P1 such that XP2 ···P7P0 −→ YC2 ···C7C0, P2P3P4P5P6P7P0P1 −→ C2C3C4C5C6C7C0C1 (3) leading to false information on K0. However, the . . probability that this will happen is practically negli- . . ≈ × −15        rot(K,7)        gible ( 3 10 ). −→ P7P0P1P2P3P4P5P6 C7C0C1C2C3C4C5C6 (8) If the s-box is bijective, then only one of the equations above can be used to uniquely determine It should be noted that the above presented prop- −1 K0 = S [(P >>> 1) − P1] − P0. In the case of non erty of TREYFER does not depend on any particular 1 bijective s-boxes, the above two steps can be repeated choice of the s-box. until K0 is uniquely determined. K1 to K6 can be sequentially recovered by perform- 4 The Attack ing the above steps using related plaintexts and keys, according to relations (3)-(8). Similarly, the last byte Related-key assumes that the attacker of the key, K7, can be recovered using relation (1) or learns the encryption of certain plaintexts not only simply by exhaustive search. under the original unknown key, K, but also under Thus, the attack requires about 8 × 256 = 211 cho- some related keys (e.g., K = g(K)). In a chosen- sen plaintext-ciphertext pairs, each 256 of them are related-key attack, the attacker specifies how the key encrypted under a key that is circularly bytes shifted is to be changed. It should be noted that the attacker version of the original secret key.

215 Remark 1 The above attack can be thought of as a tion (FSE ’97), pp. 205-209, Springer-Verlag, slide attack in which the sliding pairs are produced at 1997. the s-box level and not at the level of the whole round function. [5] David J. Wheeler and Roger M. Needham, TEA, a tiny encryption algorithm,Proc.of the 2nd workshop on Fast Software Encryption 5 Conclusion (FSE’94), pp. 363-366, Leuven, Belgium, 1994, Springer-Verlag. The simple, and compact design of TREYFER makes it a very attractive cipher for resource constrained de- [6] James L. Massey, SAFER K-64: A Byte- vices. On the other hand, the key scheduling of the Oriented Block-Ciphering Algorithm,Proc.of cipher seems to be oversimplified which has yielded to the first workshop on Fast Software Encryption several weaknesses. While it might be argued that it (FSE’93), pp. 1-17, Springer-Verlag. is unlikely that an attacker can persuade a human op- [7] Alex Biryukov and David Wagner, Slide At- erator to encrypt plaintexts under the 8 related keys, tacks, Proc, of the 6th International Workshop modern cryptography is implemented using complex on Fast Software Encryption (FSE ’99), pp. 245- protocols, and in some cases a related-key attack can 259, Rome: Springer-Verlag. be made feasible. In these scenarios, our attack can recover the secret keys in few milliseconds. It is inter- [8] E. Biham, New Types of Cryptanalytic Attacks esting to investigate if there are other permutations Using Related Keys, Advances in Cryptology, of plaintexts and keys that derive similar ciphertexts. EUROCRYPT ’93, Springer-Verlag, 1994, pp. It is also interesting to provide further analysis of 398-409. TREYFER which employs an enhanced key schedul- ing algorithm (e.g., by adding some round dependent [9] J. Kelsey, B. Schneier and D. Wagner, constants). Related-key cryptanalysis of 3-WAY, Biham- DES,CAST, DES-X, NewDES, RC2, and TEA, Proc. of Information and Communications Secu- References rity, LNCS 1334, 1997, pp. 233-246.

[1] National Institute of Standards and Technology, [10] W. Zhang, L. Zhang, W. Wu and D. Feng, FIPS-197: Advanced Encryption Standard,No- Related-Key Differential-Linear Attacks on Re- vember 2001. duced AES-192, Proc. of INDOCRYPT 2007, LNCS 4859, pp. 73-85. [2] A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, [11] E. Biham, O. Dunkelman and N. Keller, Related- Y. Seurin and C. Vikkelsoe, PRESENT: An Key Impossible Differential Attacks on 8-Round Ultra-Lightweight Block Cipher, CHES 2007, AES-192, Topics in Cryptolog: CT-RSA 2006, LNCS4727, pp.450- 466, Springer, 2007. LNCS 3860, 2006, pp. 21-33.

[3] M. Wang, Differential Cryptanalysis of [12] G. Sekar, S. Paul and B. Preneel, Related-Key PRESENT, In proc. of Africacrypt 2008, Attacks on the Py-Family of and an Ap- to appear, Also available at Cryptology ePrint proach to Repair the Weaknesses, Proc. of IN- Archive: Report 2007/408. DOCRYPT 2007, LNCS 4859, 2007, pp. 58-72.

[4] G. Yuval, Reinventing the Travois: Encryp- [13] S. Lucks, Ciphers Secure against Related-Key tion/MAC in 30 ROM Bytes, Proc. of the 4th In- Attacks, Proc. of Fast Software Encryption, ternational Workshop on Fast Software Encryp- LNCS 3017, 2004, pp. 359-370.

216 [14] E. Biham, O. Dunkelman and N. Keller, A Related-Key Rectangle Attack on the Full KA- SUMI, Proc. of ASIACRYPT 2005, LNCS 3788, 2005, pp. 443-461.

217