Applying Conditional Linear Cryptanalysis to Ciphers with Key- Dependant Operations

Applying Conditional Linear Cryptanalysis to Ciphers with Key- Dependant Operations

Applying Conditional Linear Cryptanalysis to Ciphers with Key- Dependant Operations REINER DOJEN TOM COFFEY Data Communications Security Laboratory Department of Electronic and Computer Engineering University of Limerick IRELAND Abstract: - Linear cryptanalysis has been proven to be a powerful attack that can be applied to a number of symmetric block ciphers. However, conventional linear cryptanalysis is ineffective in attacking ciphers that use key-dependent operations, such as ICE, Lucifer and SAFER. In this paper conditional linear cryptanalysis, which uses characteristics that depend on some key-bit values, is introduced. This technique and its application to symmetric ciphers are analysed. The consequences of using key-dependent characteristics are explained and a formal notation of conditional linear cryptanalysis is presented. As a case study, conditional linear cryptanalysis is applied to the ICE cipher, which uses key-dependant operations to improve resistance against cryptanalysis. A successful attack on ThinICE using the new technique is presented. Further, experimental work supporting the effectiveness of conditional linear cryptanalysis is also detailed., Key-Words: - Cryptography, Cryptanalysis, Linear cryptanalysis, Symmetric ciphers, Attack 1 Introduction In contrast to differential cryptanalysis, linear As the volume of data transmitted over the world's cryptanalysis uses linear approximations to describe expanding communication networks increases so the F-function of a block cipher. Thus, if some also does the demand for data security services such plaintext bits and ciphertext bits are XORed as confidentiality and integrity. This protection can together, then the result equals the XOR of some be achieved by using either a public key cipher or a bits of the key (with a probability p, for the key) and symmetric cipher. Due to their superior speed, any random plaintext/ciphertext pair. symmetric ciphers are particularly suited for With this method the adversary can deduce part of securely handling large amounts of data. the key. The remaining key bits can be obtained by In the early 1990's two statistical attacks on a brute force search. Linear cryptanalysis is a symmetric ciphers, differential [1] and linear known-plaintext attack, as the adversary only has to cryptanalysis [2][3][4], were invented. know, rather than to choose, the plaintext and Differential cryptanalysis examines pairs of ciphertext pairs. Ciphers susceptible to linear plaintext with a particular difference and analyses cryptanalysis include SC2000 [5], Serpent [10], these differences throughout the encipher process. SAFER[11], RC6[12], RC5[13]. Looking at the resulting differences in the This paper presents conditional linear ciphertext, the key, or parts of the key, can be cryptanalysis, which is a derivation on linear deduced. Differential cryptanalysis is a chosen- cryptanalysis. Conditional linear cryptanalysis is plaintext attack, as both the plaintext and the useful for attacks on block ciphers that employ key- ciphertext are known to the attacker and the dependent operations in their F-function. The plaintexts have to satisfy particular properties. A process of applying conditional linear cryptanalysis chosen-plaintext attack can be changed to a known- to ciphers with key-dependant operations is detailed. plaintext attack, by increasing the amount of the As a case study, conditional linear cryptanalysis is plaintexts, assuming that within the known applied to ICE. It is shown that a conditional linear plaintexts sufficient pairs with the needed properties attack can be successfully applied to ThinICE, while are available. Ciphers with weaknesses against standard ICE appears to be secure. The results of an differential cryptanalysis include SC2000 [5], experimental attack, which support the effectiveness SAFER+[6], RC5 [7], KHF [8], ICE[9]. of conditional linear cryptanalysis, are also presented. 2 Conditional Linear Cryptanalysis assumption is correct. If the key used is outside the Symmetric block ciphers sometimes use key- covered key-space, the attack will fail. dependant operations (other than simple XOR) to At a first glance this seems to render the attack prevent the application of cryptanalysis. Examples useless, as the size of the covered key-space for such key-dependant operations include the keyed decreases exponentially with the number of fixed permutation of ICE [14], the exchange of nibbles in key bits. However, multiple conditional Lucifer [15] and the combination of bytes with sub- characteristics can be used simultaneously to keys in SAFER [16]. In Lucifer and ICE certain increase the overall covered key-space significantly. parts of data are exchanged according to some sub- In order to maximize the effectiveness of the key bits. As a result, the exact path of the data-bits attack, it is advisable to use characteristics that are through the cipher can only be determined if the key affected by as few key-bits as possible. Further care is known (if the part of the key that controls the key- must be taken in combining multiple rounds, to dependant operation is known). Conventional linear ensure that none of the assumptions contradict each cryptanalysis cannot be applied to such key- other. As most ciphers expand their key into sub- dependant ciphers, as a requirement for this attack is keys, the same key-bit most likely will affect the ability to trace the exact path of bits through the multiple key-dependant operations in several cipher. Here conditional linear cryptanalysis is rounds. Hence, the attacker must be careful not to presented as an enhancement of linear cryptanalysis. use characteristics that assume opposite values for Conditional linear cryptanalysis uses key-dependant the same key-bit. characteristics to circumvent the problems introduced by the key-dependant operations. 2.3 Formal Notation of Conditional Linear Cryptanalysis 2.1 The Operation of Conditional Linear Conditional linear cryptanalysis is formally notated Cryptanalysis as follows: Conditional linear cryptanalysis, like conventional P The plaintext (the data before the linear cryptanalysis, is a known plaintext attack and first round = L0R0). is detailed as follows: A characteristic with a C The ciphertext (the data after the last sufficiently high bias is selected and those key bits round). (or sub-key bits) that affect the bits of the chosen Lr, Rr The left/right data half after round r. characteristic with regard to the key-dependant K The secret key. operation are determined. In the next step, fixed SKr The sub-key used in round r. values are assigned to these key bits. The F(Rr-1, SKr) The F-function as applied in round r. assignment of values to key bits turns the used A[i] The i-th bit of the binary vector A. characteristic into a conditional characteristic. The A[i,j,...,k] The binary XOR of the named bits, conditional characteristic is valid, only if the key i.e. A[i] ⊕ A[j] ⊕ … ⊕ A[k] used for encryption satisfies the condition that the | i,j,....,k Condition on key bits: ‘i’ indicates selected bits have the assigned values, otherwise it K[i]=1, ‘~i’ indicates K[i]=0. is void. This assignment effectively divides the key- space in two parts: The first part, also called the A conditional linear characteristic is expressed as: covered key-space, contains all the keys for which ⊕ = P[i1 ,i2 ,...,ia ] C[ j1 , j2 ,..., jb ] the characteristic is valid, the second contains all the keys for which the characteristic is void. Under the K[k1 ,k2 ,...,kc ] | c1 ,c2 ,...,cd assumption that the assignment of key bits is correct where i1,i2,…,ia, j1,j2,...,jb and k1,k2,...,kc denote fixed the attacker knows the exact path of the selected bits bit locations and the c1,c2, …,cn indicate the through the cipher. This knowledge allows the conditions on the used key K. The notation for a attacker to continue the attack according to single-round characteristic and a multi-round conventional linear cryptanalysis. characteristic is basically the same. Any intermediate terms in a multi-round characteristic 2.2 The Consequences of Applying appear twice and hence are cancelled out. The Conditional Characteristics conditions on intermediate terms cannot be When using a conditional characteristic, the attacker neglected and need to be added to the list of assumes that some key bits have a fixed value. conditions. Hence, this list increases with every Hence, the attack can only succeed if this non-trivial round. In the above equation for a conditional linear characteristic sub-key bits can be used instead of key bits. However, if the key- the trivial characteristic. However, it will be shown, schedule is not invertible, sub-key bits must be used, that some characteristics can be combined with the as the sub-key governs the key-dependant operation. trivial characteristic to form three-round The above characteristic can also be expressed as: characteristics. Even though this decreases the overall bias, as only one in three rounds is a trivial P[i ,i ,..,i ] ⊕ C[ j , j ,.., j ] = SK [k ,k ,..,k ] ⊕ round (rather than every second round when 1 2 a 1 2 b 1 11 12 1c ...⊕ SK [k ,k ,..,k ] | c ,c ,..,c multiple-bit characteristics are employed), this r k1 k 2 kd 1 2 e approach is preferred as the decrease of the bias is linear. In contrast to this, using multiple-bit Note that in this equation, c1,c2,…,ce express characteristics would result in an exponential conditions on sub-key bits, rather than on key bits. decrease in the covered key-space. As mentioned before, care must be taken to ensure that the conditions of the used characteristics do not 3 Case Study: Conditional Linear contradict each other. The linear equation for 3- Cryptanalysis Applied to ICE round conditional linear characteristics becomes: In this section we present a case study of the α ⊕ β = γ ⊕ δ ν ν application of conditional linear cryptanalysis. A L0 [ ] L3[ ] SK1[ ] SK 2 [ ] | α , β theoretical analysis of the ICE algorithm is detailed.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us