Related-key Boomerang Attack on Block Cipher SQUARE 2010. 2. Bonwook Koo1, Yongjin Yeom1, Junghwan Song2 1 : Attached Inistitute of ETRI, 2 : Hanyang Univ. Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks Boomerang and Rectangle Attacks COCONUT98 Khufu FEAL-6 CAST-256 MARS SERPENT …….. Boomerang and Rectangle Attacks COCONUT98 Khufu FEAL-6 CAST-256 MARS SERPENT …….. SERPENT SHACAL SHACAL-1 …….. Related-Key Boomerang and Rectangle Attacks Related-Key Boomerang and Rectangle Attacks Related-Key Boomerang and Rectangle Attacks SHACAL-1 AES-192 AES-256 IDEA KASUMI …….. Related-Key Boomerang and Rectangle Attacks SHACAL-1 AES-192 AES-256 IDEA KASUMI …….. COCONUT98 IDEA …….. Related-Key Sandwich Attack Related-Key Sandwich Attack Related-Key Sandwich Attack Related-Key Sandwich Attack KASUMI Related-Key Sandwich Attack KASUMI PRACTICAL !! Our Contribution Our Contribution Our Contribution Our Contribution SQUARE Block Cipher SQUARE • A predecessor of AES-128 • What about AES-128? • 8-round SPN structure • 10-round SPN structure • Round functions consist of • Round functions consist of • : Linear Transformation Transpose • MixColumns • : S-boxes The same • SubBytes Similar • : Transposition • ShiftRows The same • : Key addition • AddRoundKey • If a round function [rki] = [rki] о о о , then SQUARE[k]=[rk8]о[rk7]о[rk6]о[rk5]о[rk4]о[rk3]о[rk2]о[rk1]о[rki]о-1 Block Cipher SQUARE • What about Key Schedule? rk0 rotl C0 C0 C1 C2 1 s rk s s Rotl Rotl Rotl s rotl C1 rk2 rk0 rk1 rk2 rk3 rotl C2 rk3 Key schedule of AES-128 Key schedule of SQUARE Transpose and Remove S-boxes Local Collision of SQUARE Byte difference values i-th round = ∈ { 0a, 11, 17, 1d, 20, 3b, 4d, 53, 73, 76, 7c, 87, i+1-th round 9d, a4, a8, ae, p = 1 c6, d2, d5, e0, ee, fc} i+2-th round p = 2-28 = 2 = 3 i+3-th round p = 1 = 0 Differential Trails for Distinguisher Drk1 Drk5 p = 1 Drk2 \S0,1 p = 1 Drk 6 p = 1 Drk3 p = 2-28 Drk7 p = 2-28 Drk4 p = 1 Drk8 p = 1 p = 1 S0,1 Differential Trail for E0 Differential Trail for E1 Differential Trails for Distinguisher Drk0 (Drk0) DP DX Differential Trail for the first round T y y y y y y y y DK=Drk0 Drk1 Drk2 Drk3 Drk4 Drk5 Drk6 Drk7 Drk8 y y y y y y y y ÑK=Ñrk0 Ñrk1 Ñrk2 Ñrk3 Ñrk4 Ñrk5 Ñrk6 Ñrk7 Ñrk8 Differential Trail for Round Keys 7-Round Distinguisher of SQUARE P3 DQ P4 The locally amplified probability T P T P1 K3 D P2 K4 of distinguisher is X3 X4 DX T T K1 K2 2 ~2 2 X1 X2 p q r DX i E0 E0 i K3 p=2-28 K4 p=2-28 E0K1 E0K2 So we have a probability of 7-round DY Y3 Y4 distinguisher of SQUARE as ÑY DY ÑY Y1 i i Y2 126 -7 r =2-7 ri=2 i 282 282 ÑD E1K3 ÑD E1K4 2 2 ri i0 E1 E1 K1 K2 ~ ~q=2-28 q=2-28 2112 (212 126214) 2119 ÑC C3 ÑC C4 C1 C2 Attack for Full SQUARE T’ We can recover the first two y bytes of (K1), (K2), (K3), and (K4) with the following p = 2-7 complexities. y y Data Complexity of this attack is y y p = 2-28 1041711 123 E0 E1 2 2 Time Complexity of this attack is y p = 2-28 y 231625 36 2 2 The S/N of this attack is y y m3311916 m102 2 2 2 2 9 2 2m811416 2m111 27 Thanks to you all and my actors .