New Types of Cryptanalytic Attacks

Using Related Keys

Revised version

1

Eli Biham

Computer Science Department

Technion Israel Institute of Technology

Haifa Israel

Abstract

In this pap er we study the inuence of key scheduling algorithms on the

strength of blo ckciphers We show that the key scheduling algorithms of many

blo ckciphers inherit obvious relationships b etween keys and use these key re

lations to attack the blo ckciphers Two new types of attacks are describ ed

New chosen plaintext reductions of the complexity of exhaustive search attacks

and the faster variants based on complementation prop erties and new low

complexity chosen key attacks These attacks are indep endent of the number of

rounds of the cryptosystems and of the details of the F function and may have

very small complexities These attacks show that the key scheduling algorithm

should b e carefully designed and that its structure should not b e to o simple

These attacks are applicable to b oth variants of LOKI and to Lucifer DES

is not vulnerable to the related keys attacks since the shift pattern in the key

scheduling algorithm is not the same in all the rounds

Key words Key scheduling algorithm DESlike cryptosystems Chosen

key attacks Chosen plaintext attacks LOKI Data Encryption Standard

Introduction

In this pap er we describ e new types of attacks on blo ckciphers chosen plaintext

reductions of the complexity of exhaustive search and chosen key attacks in which

Technion - Computer Science Department Technical Report CS0753 1992

only the relations b etween pairs of related keys are chosen by the attacker who do es

not know the keys themselves The chosen plaintext attacks reduce the complexity of

1

Acknowledgment This research was supp orted by the fund for the promotion of research at the

Technion

exhaustive search and the complexity of the faster chosen plaintext attacks based on

complementation prop erties by a factor of three The chosen key attacks have very

low complexities however they can b e used only whenever the attacker can choose

the relationships b etween unknown keys and wish to know the keys themselves

These attacks are based on the observation that in many blo ckciphers we can

view the key scheduling algorithm as a set of algorithms each of which extracts one

particular subkey from the subkeys of the previous few rounds If all the algorithms

of extracting the subkeys of the various rounds are the same then given a key we can

shift all the subkeys one round backwards and get a new set of valid subkeys which

can b e derived from some other key We call these keys related keys

An interesting feature of the attacks based on related keys is that they are inde

p endent of the number of rounds of the attacked cryptosystem These attacks are

applicable to b oth variants of LOKI and to Lucifer Nevertheless they are

not applicable to DES due to the observation that the number of shifts of the key

registers C and D in the key scheduling algorithm is not the same in all the rounds

However if the shifts by one bit in the key scheduling of DES would b e replaced by

shifts by two bits DES would b ecome vulnerable to this kind of attack as well

Another p otential application of related keys is to analyze hash functions either

hash functions based on blo ckciphers or general hash functions It may b e p ossible in

such functions to choose the message in a way that the related keys prop erty suggest

an additional message with the same hash value Currently we are not aware of a

particular such application to hash functions but designers of hash functions should

b e careful to design their functions immune to this weakness

The results of the attacks are as follows The complexity of a chosen plaintext

54

attack on LOKI is ab out which is almost three times faster than previously

rep orted chosen plaintext attacks The chosen key chosen plaintext attack takes a few

17

seconds on a p ersonal computer and its complexity is ab out and the complexity of

32

the chosen key known plaintext attack is ab out The corresp onding complexities

61 32 48

of the attacks on the newer LOKI are and resp ectively The

33

complexity of the chosen key chosen plaintext attack on Lucifer is ab out The

DES the IDEA cipher and the FEAL cipher are not vulnerable to these

attacks

Recently Lars Ramkilde Knudsen found indep endently the basic concept of

the chosen plaintext related keys attacks and applied it to LOKI However his

62

attack whose complexity is is still slower than the corresp onding attack we present in this pap er

Technion - Computer Science Department Technical Report CS0753 1992 P K

K

K1

ESP ROL12

K2

ESP ROL12

K3

ESP ROL12

K4

ESP ROL12

Ki

ESP ROL12

K14

ESP ROL12

K15

ESP ROL12

K16

ESP ROL12

swap(K)

C

Figure Outline of LOKI

Description of LOKI and LOKI

LOKI is a family of blo ckciphers with two variants The original LOKI cipher which

was renamed to LOKI and the newer variant LOKI Both variants have a

structure similar to DES with replaced F function and initial and nal p ermuta

tions and a replaced key scheduling algorithm The new F function XORs the right

Technion - Computer Science Department Technical Report CS0753 1992

half of the data with the subkey and expands the result to bits which enter into

four bit to bit S b oxes The output of the S b oxes is concatenated and p ermuted

to form the output of the F function In LOKI see Figure the initial and

the nal p ermutations are replaced by transformations which exclusiveor the data P K

K1

ESP ROL12

K2

ESP ROL13

K3

ESP ROL12

K4

ESP ROL13

Ki

ESP ROL12

Ki+1

ESP ROL13

K15

ESP ROL12

K16

ESP

C

Figure Outline of LOKI

with the key the initial transformation XORs the plaintext with the key itself and

the nal transformation XORs the data with the swapped key whose two halves are

exchanged The key scheduling algorithm takes a bit key declares its left half as

the value of K and its right half as the value of K Each other subkey Ki out of

K K is dened by rotating the subkey Kj of round j i by bits to the

left Ki ROLKj Thus all the subkeys of the o dd rounds share the same bits

and all the subkeys of the even rounds share the same bits

LOKI see Figure diers from LOKI by the choice of the S b oxes which

are chosen to hold b etter against dierential cryptanalysis The initial and the nal

Technion - Computer Science Department Technical Report CS0753 1992

p ermutations are eliminated The new key scheduling algorithm declares the value

of the left half of the key to b e K and the same value rotated bits to the left is

declared to b e K The value of the right half of the key is declared to b e K and the

same value rotated bits to the left is declared as K Each other subkey Ki out of

K K is dened by rotating the subkey Kj of round j i by bits to the

left Ki ROLK j Still the subkeys share bits with a very structured order

The Chosen Key Attacks

In the chosen key attacks two related keys with certain relationship are used and

several plaintexts are encrypted under each of them The attacker knows only the

relationship b etween the two keys but not the keys themselves He receives the

ciphertexts and use them to nd b oth keys Two kinds of chosen key attacks are

studied a chosen key known plaintext attack in which only the relation b etween the

keys is chosen by the attacker and a chosen key chosen plaintext attack in which

the attacker chooses the relation b etween the keys as well as the plaintexts to b e

encrypted These attacks are indep endent of the exact number of rounds of the

attacked cryptosystem and even if the number of rounds is enlarged and esp ecially

if doubled the resulting cryptosystem remains vulnerable to the same attack

LOKI

In LOKI every choice of two subkeys one from an o dd round and one from an

even round have a corresp onding bit key Since all the algorithms of deriving the

subkeys from the two preceding subkeys are the same the p osition of the rounds in

which two subkeys present do es not aect the derivation of the following subkeys nor

the preceding ones If we only x two subkeys K and K of a key K and dene a

second key K by choosing K K and K K then the values of the subkeys

Ki of the key K are the same as of the following subkeys Ki of the key K In this

case K K K K ROLK Therefore the following prop erty holds

R L

for any two such related keys If the data b efore the second round in an encryption

under the key K equals the data b efore the rst round in an encryption under the key

K then the data and the inputs of the F functions are the same in b oth executions

shifted by one round In this case if the plaintext P is encrypted under the key K

then the data b efore the second round is P K P K F P K K This

R R L L R R L

data equals the data b efore the rst round in the other encryption under the key K

whose value is P K P K P ROLK and thus in such a pair

R L

L R

P P P K ROLK F P K K

R L L L R R L

We see that the right half of P equals the left half of P and that the relation b etween

the other halves dep ends on the keys In such a pair there is also a similar a relation

Technion - Computer Science Department Technical Report CS0753 1992

b etween the ciphertexts

C C K ROLK F C K K C

R L L L R L L K

K* K1

ROL12

K2 K1*

ROL12 ROL12

K3 K2*

ROL12 ROL12

K4 K3*

ROL12 ROL12

Ki Ki-1*

ROL12 ROL12

Ki+1 Ki*

ROL12 ROL12

K15 K14*

ROL12 ROL12

K16 K15*

ROL12 ROL12

K16*

Swap(K) ROL12

Swap(K*)

Figure Relations of subkeys in the key scheduling algorithm of LOKI

Figures and describ es the relations b etween the subkeys of the two keys and the

relations b etween the values during the two encryptions

A chosen key chosen plaintext attack based on this prop erty chooses a bit

16

value P plaintexts P P whose right halves equal P and whose bit

R 0 65535 R

16

left halves are randomly chosen and plaintexts P P whose left halves

0 65535

equal P and whose bit right halves are randomly chosen Two unknown related R

Technion - Computer Science Department Technical Report CS0753 1992

keys are used to encrypt these plaintexts on the target machine a key K is used to

16

encrypt the rst plaintexts and the key K K ROLK is used to encrypt

R L

16

we are guaranteed that the other plaintexts In every pair of plaintexts P and P

i

j P

K P* K1

ESP K*

K2 K1* ESP ESP

K3 K2* ESP ESP

K4 K3* ESP ESP

Ki Ki-1* ESP ESP

Ki+1 Ki* ESP ESP

K15 K14* ESP ESP

K16 K15* ESP ESP

K16*

Swap(K) ESP

C Swap(K*)

C*

Figure Relations during LOKI encryption

P P and by the birthday paradox with a high probability there exist two

iR

j L

plaintexts P and P such that P P K ROLK F P K K

i iL L L iR R L

j j R

In such a pair the data is the same in b oth executions shifted by one round It is

easy to identify this pair if it exists by checking whether C C This test has a

L

R

32

Technion - Computer Science Department Technical Report CS0753 1992

probability of to pass accidentally and thus only few pairs may pass this test

A pair with this prop erty relates the values of the two plaintexts and of the two

ciphertexts to the key by equations and Thus such a pair reveals the value of

F P K K F C K K P P C C

R R L L R L L R

R L

32

in which the only unknown value is K K Out of the p ossible values of

L R

K K only few values satisfy the equation Using dierential cryptanalytic

L R

optimization techniques such as dierence distribution tables and storing the p ossible

pairs of each of their entries in a sp ecial prepro cessed table the identication of the

value of K K can b e done in few op erations After we nd K K it is easy to

L R L R

calculate K ROLK by equations and and to derive K and K

L L

32

A similar chosen key known plaintext attack uses known plaintexts P en

i

32

crypted under an unknown key K and known plaintexts P encrypted under the

j

related key K K ROLK By the birthday paradox there is a high prob

R L

ability to have a pair in which the prop erty holds It is easy to identify this pair

by the common bits of the plaintexts and the common bits of the ciphertexts

This pair may b e used to reveal the keys in the same way as in the chosen key chosen

plaintext attack

LOKI

The key scheduling algorithm of LOKI derives the subkeys of the even rounds in

a dierent way than the subkeys of the o dd rounds In particular the subkey of an

even round i is just a rotated value of the subkey of the previous round i and it

is indep endent of the value of round i Thus we cannot shift the subkeys and the

data by one round in the second execution without changing their values However

we can shift them by two rounds instead In this case we dene the second set of

subkeys to b e K K K K and so on The keys themselves are K and

K K ROLK Since the shift is increased to two rounds we cannot easily

R L

identify the pair we are lo oking for Luckily the two subkeys K and K share the

same bits and thus given a plaintext P we have only to guess bits of the key

in order to nd the data b efore the third round which we dene as P

In the chosen key chosen plaintext attack the attacker chooses a random plaintext

32

P For each one of the p ossible values of K and K he calculates the data

32

b efore the third round and denes these values as P Given the ciphertexts

i

C LOKI P K and C LOKIP K he searches for the plaintext P

i i i

which was dened by the real values of K and K by verifying the relationships

b etween the ciphertexts The subkeys K and K share the bits of K and K

which he has already guessed Thus it is easy to nd the real values of K and K

by calculating further from C into C by each p ossibility and only the p ossibilities i

Technion - Computer Science Department Technical Report CS0753 1992

might have the real value After we nd which result with the encrypted value of C

i

these bits of the keys it is easy to nd the other bits by exhaustive search

16

The b est choice of a chosen key known plaintext attack uses plaintexts P and

i

48

plaintexts P With high probability there is a pair P and P for which P

i

j j j

equals the data b efore the third round during the encryption of P The attacker can

i

identify the key by guessing the bits of K and K and verifying which of which

is p ossible in a way similar to the chosen key chosen plaintext attack

The Chosen plaintext attacks

In this section we describ e a chosen plaintext attack which reduces the complexity of

exhaustive search using related keys This attack can b e combined with the attacks

based on complementation prop erties and its fastest variant is almost three times

faster than the corresp onding attacks based only on complementation prop erties

32 37

When this attack is used against bit blo ckciphers it requires ab out chosen

plaintexts whose corresp onding ciphertexts are to b e stored in random access memory

during the analysis

The idea is similar to the attack based on the complementation prop erty of DES

The complementation prop erty of DES suggests that whenever a plaintext P is en

crypted under a key K into a ciphertext C DESP K then the complement of P

is encrypted by the complement of K into the complement of C C DES P K

The attack chooses a complementary pair of plaintexts P and P P Given their

1 2 1

ciphertexts C DESP K and C DESP K under the same key K the at

1 1 2 2

tacker searches for the key K by trying all the keys K whose most signicant bits

are zero ie half of the key space For each such key he encrypts P into C by

1

C DESP K If C C it is very likely that K K In addition the attacker

1 1

can predict the ciphertext of P under the key K to b e C without an additional

1 2

encryption If C C it is very likely that K K since due to the complemen

2

tation prop erty C DESP K Otherwise neither K nor K can b e the key K

2 1

This attack can b e carried out even under a known plaintext attack given ab out

33

known plaintexts since it is very likely that two complementary plaintexts exist

33

within random plaintexts due to the birthday paradox

LOKI has several complementation prop erties A key complementa

tion prop erty causes any key to have equivalent keys which encrypt any plaintext

to the same ciphertext These keys are the original key XORed with the p ossible

bit hexadecimal numbers whose digits are identical Encryption with these keys

results with the same inputs to the F functions in all the executions Therefore

most of the keys are redundant and a known plaintext attack can b e carried out with

60 64

a complexity of rather than

Another complementation prop erty of LOKI is due to the observation that

Technion - Computer Science Department Technical Report CS0753 1992

XORing the key with an hexadecimal value g g g g g g g g hhhhhhhh and XORing the

x

plaintext by iiiiiiiiiiiiiiii where g f F g h f F g and i g h

x x x x x

results in XORing the ciphertext by iiiiiiiiiiiiiiii This prop erty can b e used to

x

56

reduce the complexity of a chosen plaintext attack by a further factor of to

using the following algorithm

Cho ose any plaintext P and calculate the plaintexts P i f F g

0 i x x

by P P iiiiiiiiiiiiiiii

i 0 x

Given the ciphertexts fC g of the plaintexts P under an unknown key K

i i

56

try all the keys K in which eight bits are zero the four most signicant bits

of the left half K and the four most signicant bits of the right half K

L R

Encrypt the plaintext P by each trial key K

0

if the result equals one of the values C iiiiiiiiiiiiiiii the original key is likely

i x

to b e either K K iiiiiiii or any one of its equivalent keys

x

The attack we present in this section can predict the values of additional ci

phertexts generated from additional plaintexts under related keys Let P b e any

plaintext K b e any key and C b e the ciphertext C LOKIP K Let K

K ROLK and let P b e the plaintext whose data b efore the rst round of

R L

the encryption under K is the same as the data b efore the second round during

the original encryption of P under K Then the rst rounds of the encryption

C LOKIP K have exactly the same data and subkeys as the last rounds

of the original encryption of P and the right half of C equals the left half of C ie

C C

L

R

For each key there is one equivalent key whose four most signicant bits are zero

and one complement key whose four most signicant bits of its b oth halves are zero

In the following denition the next op eration rotates an halfkey by bits as is

done in the key scheduling algorithm every round and nds the supp osed equivalent

value of the result

Denition The next op eration of LOKI takes a bit value rotates it bits

to the left ROL and XORs it with an bit hexadecimal number whose all digits

are equal such that the four most signicant bits of the result are zero

Table shows the cycle size number of cycles and the total number of elements in

the cycles generated by the next op eration of LOKI We see that almost all the

cycles have the maximal size eight

For simplicity and clarity we start showing a variant of the related keys attack

55

which halves the complexity of a chosen plaintext attack into For this attack we

27

prepro cess a list of ab out bit p otential halfkeys fL g with the prop erties i

Technion - Computer Science Department Technical Report CS0753 1992

The four most signicant bits of all the values in the list are zero

The list contains at least one value from any pair L and L for which L

i j i

nextL ie L ROLL hhhhhhhh for some hexadecimal digit h

j i j x

Cycle Size Number of Cycles Number of Elements in the Cycles

y

Total

y 28

Table Cycles of halfkeys for LOKI

The list is minimal according to the ab ove prop erties

27

In Figure we show a program that creates such a list with values A similar

program was used to verify Table by counting the number of cycles rather than

inserting to the list and was run in ab out an hour on a p ersonal computer The

27 29

list can either b e stored in memory using ab out bytes or stored as a

28 25 2 36

bitmap using bytes The attack itself requires chosen plaintexts

39

which should b e stored in a random access memory whose size is bytes The

attack is as follows

Cho ose any plaintext P

0

calculate the plaintexts P i f F g by P P iiiiiiiiiiiiiiii

i x x i 0 x

32

For each plaintext P choose the additional plaintexts P P P k

i ik iR iL

whose left halves are the right half of P and whose right halves receive all the

i

p ossible values by XORing all the p ossible bit values k to the left half of P

i

55

Given the ciphertexts fC g fC g try all the keys K of the forms K

i ik

L L and K ROLL RORL

i j i j

Encrypt the plaintext P under each trial key K into C LOKIP K

0 0

If C equals one of the values C iiiiiiiiiiiiiiii the original key is likely to b e

i x

either K K iiiiiiii or any one of its equivalent keys

x

The output of the F function in the rst round of the encryption of P under

0

equals one of the values C iiiiiiii continue K equals exactly one k If C

ik R x

L

encryption of P with a seventeenth round just calculate one additional round

0

from C using the subkey K which can b e easily derived from the key K

and if the result C equals C iiiiiiiiiiiiiiii then the original key is likely

ik x

to b e K K ROLK iiiiiiii or any one of its equivalent keys

x

R L

Technion - Computer Science Department Technical Report CS0753 1992

2

We have also devised an additional algorithm which chooses the trial keys on the y and do es

not require a list of p otential halfkeys However due to technical details the eciency of the attack

is reduced Since the memory space required by the attack is much larger than the list of p otential

halfkeys this list do es not aect the space complexity of the attack

define ROLv b vb vb

define nexti ROLi lmaski xF

unsigned long lmask

xL xL xL xL

xL xL xL xL

xL xL xAAAAAAAAL xBBBBBBBBL

xCCCCCCCCL xDDDDDDDDL xEEEEEEEEL xFFFFFFFFL

main

unsigned long i

fori iL i

unsigned long i nexti

unsigned long i nexti

unsigned long i nexti

unsigned long i nexti

unsigned long i nexti

unsigned long i nexti

unsigned long i nexti

ifi mini i i i i i i i

Insert i to the list

ifi i Insert i to the list

ifi i Insert i and i to the list

Figure A program to create the list of p otential halfkeys

The encryption key K must b e recognized by either step or step Since the

comparisons in steps and are much faster than a trial encryption the complexity

55

of the attack is the total complexity of step which is

The complexity of this attack can b e reduced further using the observation that

the shift of one round of the data and the subkeys can b e done b oth in the backward

and forward directions rather than in one direction only Therefore each trial key can

Technion - Computer Science Department Technical Report CS0753 1992

predict ciphertexts under three related keys and thus the attack requires to try ab out

a third of the number of keys required by the attack based on the complementation

prop erties Usually it is not p ossible to nd a subset of the keys which satisfy the

related keys conditions and contain exactly a third of all the keys The b est choice

25

for LOKI is to try of the keys We prepro cess a list of ab out halfkeys fL g

i

with the prop erties

The four most signicant bits of all the values in the list are zero

The list contains exactly one value from each cycle of the next op eration

The program which creates the list for this attack is very similar to the program

describ ed in Figure The dierence b etween them is only that instead of inserting

several values from each cycle only one value i is inserted to the list by this

program

37

The attack itself requires chosen plaintexts which should b e stored in a random

40

access memory whose size is bytes The attack is as follows

Cho ose any plaintext P and calculate the plaintexts P i f F g

0 i x x

by P P iiiiiiiiiiiiiiii

i 0 x

32

For each plaintext P choose the additional plaintexts P P P k

i ik iR iL

whose left halves are the right half of P and whose right halves receive all the

i

p ossible values by XORing all the p ossible bit values k to the left half of P

i

32

For each plaintext P choose the additional plaintexts P P k P

i iR iL

ik

whose right halves are the left half of P and whose left halves receive all the

i

p ossible values by XORing all the p ossible bit values k to the right half of

P

i

Given the ciphertexts fC g fC g fC g try for each pair of halfkeys L L

i ik i j

ik

all the keys K of the form K RORmL ROLnL where m is a

i j

multiple of four and n is either n m n m or n m Figure

shows the choice of such trial keys which are denoted by y All the keys

are covered by the trial keys The trial keys K are covered by themselves The

other keys are covered by the key relation prop erty by trial keys created from

L L These keys are surrounded together with the swapped value of their

j i

trial keys Examples of four such triples are marked in gray The keys denoted

by are covered by two trial keys The gure should b e interpreted cyclically

through its edges This is the b est coverage p ossible for LOKI

Encrypt the plaintext P under each trial key K into C LOKIP K

0 0

If C equals one of the values C iiiiiiiiiiiiiiii the original key is likely to b e

i x

Technion - Computer Science Department Technical Report CS0753 1992

either K K iiiiiiii or any one of its equivalent keys

x

Fix k to b e the output of the F function in the rst round of the encryption of

P under the key K If C equals one of the values C iiiiiiii continue

0 ik R x

L Rotation Count of the Right Half 0 12 24 4 16 28 8 20

0 ²² ²² ²² **

12 ²² ²² ** ²²

24 ²² ²² ** ²²

4 ²² ²² ** ²²

16 ²² ** ²² ²²

28 ²² ** ²² ²²

Rotation Count of the Left Half 8 ²² ** ²² ²²

20 ** ²² ²² ²²

y The trial keys

Keys covered by two trial keys

Figure The choice of the trial keys

encryption of P with a seventeenth round just calculate one additional round

0

from C using the subkey K which can b e easily derived from the key K

and if the result C equals C iiiiiiiiiiiiiiii then the original key is likely

ik x

iiiiiiii or any one of its equivalent keys ROLK to b e K K

x

L R

Calculate one additional round backwards from P using the subkey K which

0

can b e easily derived from the key K and x k to b e the output of the F function

in this round If the data after the fteenth round during the encryption of P

0

under the key K equals one of the values C iiiiiiiiiiiiiiii for some i

ik x

the original key is likely to b e K RORK K iiiiiiii or any one of

x

R L

3

its equivalent keys

The encryption key K must b e recognized by either step step or step Since the

comparisons in steps and are much faster than trial encryptions the complexity

of the attack is the total complexity of step If the number of elements in each cycle

would have b een divisible by three the complexity of the attack would decrease 0

Technion - Computer Science Department Technical Report CS0753 1992 3

This part of the algorithm requires the calculation of one additional round for any trial key K

which slows the attack by a factor of = In parallel hardware implementations this b ehavior

can b e solved easily In software it can also b e solved by using large hash tables and checking the

existence of ciphertexts b efore the calculation of the additional round

Cycle Size Number of Cycles Number of Elements in the Cycles

y

Total

y 31

Table Cycles of halfkeys for LOKI

relatively to the attack based on complementation prop erties by a factor of In

the case of LOKI this factor is only and the complexity of the attack

28 2 54 4

is trial encryptions

The application of this attack to LOKI is similar The two main dierences are

The plaintexts are chosen with resp ect to changes in the half of the key which

aects the rst two rounds rather than changing the plaintexts halves directly since

we must change the two halves of the plaintexts in this case by predicting the data

after two rounds The trial keys generated in step of the attack cover only half

of the keys since there is only one complementation prop erty Thus we use twice as

many trial keys namely the original trial keys and the same trial keys whose right

halves are complemented Table shows the number of cycles with each cycle size and

the total number of elements in the cycles of the next op eration of LOKI Almost

all the cycles have the maximal size The complexity of this attack on LOKI is

61

which is ab out times faster than exhaustive search

Application to DES

DES is not vulnerable to the related keys attacks since the number of shifts in

the key scheduling algorithm is not the same in all the rounds While usually the key

registers are shifted by two bits after each round they are shifted only by one bit after

the rst the ninth and the fteenth rounds However if we mo dify this shift pattern

to shift the key registers by the same number of bits in all the rounds either one or

two or any other number including seven which was suggested in the resultant

cryptosystem b ecomes vulnerable to the related keys attacks Table describ es the

numbers of shifts b efore each round in the key scheduling algorithm of DES and a

variant with mo died shift numbers which is vulnerable to the related keys attacks

Technion - Computer Science Department Technical Report CS0753 1992

4

If we choose carefully the order of trying the trial keys we can reduce the average case complexity

53

slightly from :
by ab out

Round

Shifts

Mo died variant

Table The numbers of shifts in the key scheduling algorithm of DES and a

mo died variant vulnerable to the related keys attacks

Applications to Other Ciphers

The applicability of the related keys attacks to additional cryptosystems suggested

in the cryptographic literature are studied in this section Many such cryptosystems

are vulnerable to these attacks while several others are not Examples of several

such cryptosystems are given b elow The details of these vulnerabilities and the

invulnerabilities may suggest some ideas on how to immune against these attacks

In Lucifer the subkeys are derived by shifting the key by a xed number of

bits every round and selecting sp ecic bits as the subkeys and thus the derivation

algorithm of the subkeys from the previous subkeys is the same in all the rounds

Therefore chosen key attacks similar to the attacks on LOKI are applicable but

33

since the blo cksize and the size of the key are bits the complexities b ecome

65

for the chosen key chosen plaintext attack and for the chosen key known plaintext

attack Lucifer has no complementation prop erties and thus the complexity of the

126

chosen plaintext attack is

The other variant of Lucifer has no sp ecic denition of the key scheduling

algorithm an well as of several other parameters of the cipher If the key scheduling

algorithm is similar to the one of the preceding variant and the blo cksize is also

bits a chosen key chosen plaintext attack similar to the one on LOKI but

which shifts only one round which nds the rst bit subkey is applicable with

32

complexity Since the subkeys are very short relatively to the key we can relate

keys which shift two rounds backward and forward in addition to the oneround

32

shifts We can also choose four sets of chosen plaintexts and nd key bits

34

with a total complexity of A chosen key known plaintext attack is applicable

66

with complexity The complexity of the chosen plaintext attack can b e even

126

smaller than since more than two additional keys can b e veried by each

trial encryption again since the subkeys are short

The IDEA cipher is one of the more promising ciphers to day The key

scheduling algorithm of IDEA has key relation prop erties but these relations must

shift the subkeys by multiples of four rounds and thus make the attacks impractical

In addition several other prop erties of IDEA prohibit the related keys attacks

Technion - Computer Science Department Technical Report CS0753 1992

Since IDEA do es not swap the two halves of the data the complexity of a

k 2

chosen key chosen plaintext attack would b e at least which for IDEA is

64 k 4

rather than

IDEA do es not allow easy identication of the related pairs In DESlike ciphers

the identication can b e based on the swapping structure and the fact that one

half in one ciphertext or a simple function of it has the same value as the

other half in the other ciphertext or the same simple function of it

The round op erations are used in a more complex way the output of one

op eration b ecomes the input to another op eration in the same round and thus

the analysis and identication of the pairs b ecome less eective

FEAL is not vulnerable to the related keys attacks although its key pro cess

ing uses the same algorithms to derive the subkeys from the previous subkeys since

most lists of related subkeys are not derivable from some key due to the initialization

of the key pro cessing and since the initial and the nal transformations use subkeys

calculated in a complex way from the key so the identication of the related pairs

b ecomes intractable

Summary

In this pap er we describ ed new cryptanalytic attacks which are applicable to the LOKI

family of blo ckciphers and to Lucifer These new attacks are based on the structure

of the key scheduling algorithms Since we assume that in all the intermediate rounds

the data and the subkeys are the same in b oth executions with a dierence of one

or two rounds this attack is indep endent of the number of the rounds of the cipher

The same attacks could b e applicable to DES if only minor changes would b e made

to the shift pattern of its key scheduling algorithm and thus these attacks show how

so small p oints in the design of a cipher can contribute to its strength The results

of the related keys attacks are summarized in table

Op en Problem The reduction of the complexity of exhaustive search of

DES by a chosen plaintext attack using the complementation prop erty can b e

converted into a known plaintext attack with the same complexity It is an op en

problem whether the chosen plaintext attack describ ed in this pap er can b e converted

into a known plaintext attack

References

Eli Biham Adi Shamir Dierential Cryptanalysis of the Data Encryption

Standard SpringerVerlag

Technion - Computer Science Department Technical Report CS0753 1992

Eli Biham Adi Shamir Dierential Cryptanalysis of DESlike Cryptosystems

Journal of Cryptology Vol No pp

LOKI LOKI Lucifer Mo died DES

Chosen Plaintext Related Keys

54 61 126 53

Complexity of Attack

37 34 65 34

Chosen Plaintexts Required

Chosen Key

17 32 33 17

Chosen Plaintexts

33 48 65 33

Known Plaintexts

Previously known attacks

47

Dierential Cryptanalysis

y 56 63 55

Complementation Prop erties

z 60 64 128 56

Exhaustive Search

The shift pattern of the key registers in the key scheduling algorithm is

mo died to have the same number of shifts in all the rounds see Table

y 33

Either two chosen plaintexts required or known plaintexts For

LOKI chosen plaintexts are required to achieve this complexity

z

One known plaintext required

Table Results of the related keys attacks

Eli Biham Adi Shamir Dierential Cryptanalysis of Snefru Khafre REDOC

II LOKI and Lucifer technical rep ort CS Department of Applied

Mathematics and Computer Science The Weizmann Institute of Science

The extended abstract app ears in Lecture Notes in Computer Science Advances

in Cryptology pro ceedings of CRYPTO pp

Lawrence Brown Matthew Kwan Josef Pieprzyk Jennifer Seb erry Improving

Resistance to Dierential Cryptanalysis and the Redesign of LOKI Lecture Notes

in Computer Science Advances in Cryptology pro ceedings of ASIACRYPT

pp

Lawrence Brown Josef Pieprzyk Jennifer Seb erry LOKI A Cryptographic

Primitive for Authentication and Secrecy Applications Lecture Notes in Computer

Science Advances in Cryptology pro ceedings of AUSCRYPT pp

Lawrence Brown Jennifer Seb erry Key Scheduling in DES Type Cryptosystems

Lecture Notes in Computer Science Advances in Cryptology pro ceedings of

AUSCRYPT pp

Technion - Computer Science Department Technical Report CS0753 1992

H Feistel Cryptography and Data Security Scientic American Vol No

pp May

M E Hellman R Merkle R Schroppel L Washington W Die S Pohlig

and P Schweitzer Results of an Initial Attempt to Cryptanalyze the NBS

Data Encryption Standard Technical Rep ort SEL Stanford university

September

Lars Ramkilde Knudsen Crypanalysis of LOKI Lecture Notes in Computer

Science Advances in Cryptology pro ceedings of ASIACRYPT

Lars Ramkilde Knudsen Crypanalysis of LOKI Lecture Notes in Computer

Science Advances in Cryptology pro ceedings of AUSCRYPT

Matthew Kwan Josef Pieprzyk A General Purpose Technique for Locating Key

Scheduling Weakness in DESLike Cryptosystems Lecture Notes in Computer

Science Advances in Cryptology pro ceedings of ASIACRYPT

Xuejia Lai James L Massey Sean Murphy Markov Ciphers and Dierential

Cryptanalysis Lecture Notes in Computer Science Advances in Cryptology

pro ceedings of EUROCRYPT pp

Xuejia Lai On the Design and Security of Block Ciphers PhD thesis Swiss

Federal Institue of Technology Zurich

Sho ji Miyaguchi Akira Shiraishi Akihiro Shimizu Fast Data Encryption

Algorithm FEAL Review of electrical communications lab oratories Vol

No pp

National Bureau of Standards Data Encryption Standard US Department of

Commerce FIPS pub January

Akihiro Shimizu Sho ji Miyaguchi Fast Data Encryption Algorithm FEAL

Lecture Notes in Computer Science Advances in Cryptology pro ceedings of

EUROCRYPT pp

Arthur Sorkin Lucifer a Cryptographic Algorithm Cryptologia Vol No

pp January

Technion - Computer Science Department Technical Report CS0753 1992