Cryptanalysis of Block Ciphers Jiqiang Lu Technical Report RHUL–MA–2008–19 30 July 2008 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports CRYPTANALYSIS OF BLOCK CIPHERS JIQIANG LU Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2008 Declaration These doctoral studies were conducted under the supervision of Prof. Chris Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Information Security Group of Royal Holloway, University of London as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jiqiang Lu July 2008 2 Acknowledgements First of all, I thank my supervisor Prof. Chris Mitchell for suggesting block cipher cryptanalysis as my research topic when I began my Ph.D. studies in September 2005. I had never done research in this challenging ¯eld before, but I soon found it to be really interesting. Every time I ¯nished a manuscript, Chris would give me detailed comments on it, both editorial and technical, which not only bene¯tted my research, but also improved my written English. Chris' comments are fantastic, and it is straightforward to follow them to make revisions. I thank my advisor Dr. Alex Dent for his constructive suggestions, although we work in very di®erent ¯elds. I thank Prof. Kenny Paterson, who is neither my supervisor nor my advisor, but who gave me many helpful suggestions, and shared useful information with me, including job opportunities. I thank Prof. Keith Martin for giving me some suggestions on writing a thesis, and Prof. Peter Wild for providing me some funding information. I thank my co-authors Orr Dunkelman, Nathan Keller, Jongsung Kim, and Changho- on Lee for many fruitful discussions, and my colleagues and friends for the happy time spent together and the help provided. I thank my PhD examiners Prof. Simon Blackburn and Prof. Lars R. Knudsen for their comments on the thesis. I thank my master's supervisor Prof. Xinmei Wang, Prof. Yumin Wang and Prof. Guozhen Xiao at Xidian University for initiating me into the ¯eld of cryptography during my master studies. Many thanks go to the administrative and technical sta® at the department and the university for their support. I am highly impressed by their understanding and high-quality services. Special thanks go to my wife Xiaoyan Yan for her support, who had to get accus- tomed to a rather di®erent culture, has experienced and is still to experience every moment of my happiness and sadness. Lastly, I am grateful for the British Chevening / Royal Holloway Scholarship awarded 3 to me before I started study, which removed all my concerns about living, and enabled me to concentrate solely on my research; more interestingly, it entitled me to a 30-day interrail pass around Europe. Without its generous sponsorship, I guess that my PhD study would have been unlikely. I also thank both the department and the ECRYPT (European Network of Excellence for Cryptology) project of the European Commission for supporting my travel around the world to attend a number of academic events, including conferences, workshops and summer schools. 4 Abstract The block cipher is one of the most important primitives in modern cryptogra- phy, information and network security; one of the primary purposes of such ciphers is to provide con¯dentiality for data transmitted in insecure communication en- vironments. To ensure that con¯dentiality is robustly provided, it is essential to investigate the security of a block cipher against a variety of cryptanalytic attacks. In this thesis, we propose a new extension of di®erential cryptanalysis, which we call the impossible boomerang attack. We describe the early abort technique for (related-key) impossible di®erential cryptanalysis and rectangle attacks. Finally, we analyse the security of a number of block ciphers that are currently being widely used or have recently been proposed for use in emerging cryptographic applications; our main cryptanalytic results are as follows. ² An impossible di®erential attack on 7-round AES when used with 128 or 192 key bits, and an impossible di®erential attack on 8-round AES when used with 256 key bits. An impossible boomerang attack on 6-round AES when used with 128 key bits, and an impossible boomerang attack on 7-round AES when used with 192 or 256 key bits. A related-key impossible boomerang attack on 8-round AES when used with 192 key bits, and a related-key impossible boomerang attack on 9-round AES when used with 256 key bits, both using two keys. ² An impossible di®erential attack on 11-round reduced Camellia when used with 128 key bits, an impossible di®erential attack on 12-round reduced Camellia when used with 192 key bits, and an impossible di®erential attack on 13-round reduced Camellia when used with 256 key bits. ² A related-key rectangle attack on the full Cobra-F64a, and a related-key dif- ferential attack on the full Cobra-F64b. ² A related-key rectangle attack on 44-round SHACAL-2. ² A related-key rectangle attack on 36-round XTEA. ² An impossible di®erential attack on 25-round reduced HIGHT, a related-key rectangle attack on 26-round reduced HIGHT, and a related-key impossible di®erential attack on 28-round reduced HIGHT. 5 In terms of either the attack complexity or the numbers of attacked rounds, the attacks presented in the thesis are better than any previously published cryptanalytic results for the block ciphers concerned, except in the case of AES; for AES, the presented impossible di®erential attacks on 7-round AES used with 128 key bits and 8-round AES used with 256 key bits are the best currently published results on AES in a single key attack scenario, and the presented related-key impossible boomerang attacks on 8-round AES used with 192 key bits and 9-round AES used with 256 key bits are the best currently published results on AES in a related-key attack scenario involving two keys. 6 Contents 1 Introduction 15 1.1 Motivation . 15 1.2 Contributions . 16 1.3 Organisation of Thesis . 17 1.4 Notation . 18 2 Block Cipher Cryptanalysis 20 2.1 Introduction . 20 2.2 Cryptanalytic Methods . 22 2.2.1 Cryptanalysis Scenarios . 23 2.2.2 Elementary Techniques . 24 2.2.3 Mathematical Background . 25 2.2.4 Di®erential Cryptanalysis . 28 2.2.5 Linear Cryptanalysis . 30 2.2.6 Di®erential-Linear Cryptanalysis . 31 2.2.7 Impossible Di®erential Cryptanalysis . 32 2.2.8 Boomerang and Rectangle Attacks . 33 2.2.9 Related-Key Cryptanalysis . 36 2.3 Summary . 40 3 The Impossible Boomerang Attack 42 3.1 Introduction . 42 3.2 The Impossible Boomerang Attack . 43 3.2.1 The Basic Impossible Boomerang Attack . 44 3.2.2 The Impossible Boomerang Attack Using More Tuples . 47 3.3 The Related-Key Impossible Boomerang Attack . 47 3.4 A Comparison . 48 3.5 Summary . 49 4 The Early Abort Technique 50 4.1 Introduction . 50 4.2 Early Abort for (Related-Key) Impossible Di®erential Cryptanalysis 51 4.3 Early Abort for the Rectangle Attack . 54 4.4 Early Abort for the Related-Key Rectangle Attack . 56 4.5 Summary . 58 5 Cryptanalysis of Reduced-Round AES 59 5.1 Introduction . 60 7 CONTENTS 5.2 The AES Block Cipher . 62 5.2.1 Notation . 62 5.2.2 Operations . 62 5.2.3 Generation of Subkeys . 63 5.2.4 Encryption Procedure . 64 5.3 Previous Cryptanalytic Results . 65 5.4 Impossible Di®erential Cryptanalysis of Reduced-Round AES . 66 5.4.1 General Observations . 67 5.4.2 Attacking 7-Round AES-128 . 72 5.4.3 Attacking 7-Round AES-192 . 77 5.4.4 Attacking 8-Round AES-256 . 83 5.5 Impossible Boomerang Attack on Reduced-Round AES . 91 5.5.1 4-Round Impossible Boomerang Distinguishers . 91 5.5.2 Attacking 6-Round AES-128 . 94 5.5.3 Attacking 7-Round AES-192 and 7-Round AES-256 . 96 5.6 Related-Key Impossible Boomerang Attack on Reduced-Round AES 99 5.6.1 Attacking 8-Round AES-192 Using Two Related Keys . 100 5.6.2 Attacking 9-Round AES-256 Using Two Related Keys . 101 5.7 Summary . 103 6 Impossible Di®erential Cryptanalysis of Reduced Camellia 105 6.1 Introduction . 106 6.2 The Camellia Block Cipher . 107 6.2.1 Notation . 107 6.2.2 Functions . 107 6.2.3 Generation of Subkeys . 108 6.2.4 Encryption Procedure . 108 6.3 Previous Cryptanalytic Results . 109 6.4 8-Round Impossible Di®erentials of Camellia . 110 6.5 Attacking 13-Round Camellia-256 without the FL Functions . 110 6.5.1 Preliminary Results . 111 6.5.2 Attack Description . 112 6.5.3 Complexity Analysis . 115 6.6 Attacking 12-Round Camellia-192 without the FL Functions . 116 6.7 Attacking 11-Round Camellia-128 without the FL Functions . 117 6.7.1 Attack Description . 117 6.7.2 Complexity Analysis . 118 6.8 Summary . 118 7 Related-Key Cryptanalysis of the Full Cobra-F64a and Cobra-F64b120 7.1 Introduction . 121 7.2 Cobra-F64a and Cobra-F64b . 122 7.2.1 Notation . 122 7.2.2 Functions and DDP-Boxes . 122 7.2.3 Generation of Subkeys .
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages222 Page
-
File Size-