International Journal of Network Security, Vol.8, No.3, PP.221{226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi1;2, Mahmoud Salmasizadeh2, and Javad Mohajeri2 (Corresponding author: Ali Bagherzandi) Computer Engineering Department, Sharif University of Technology1 Electronic Research Center, Sharif University of Technology2 P. O. Box 11155-8639 Azadi Avenue 14588 Tehran, Iran (Email: [email protected]) (Received Jan. 3, 2006; revised and accepted Mar. 3, 2006) Abstract related-key attacks. In order to strengthen DES, several extensions have In this paper we show that Biham's chosen key attack can been developed including Triple-DES, DES-X, Biham- be generalized to include any block cipher and we give a DES, DES-X and NewDES. These extensions improved low complexity chosen key attack on any Feistel type ci- the resistance of DES against exhaustive search, linear pher. Then we show that the irregularities in the shift cryptanalysis and di®erential cryptanalysis; but not any pattern of DES key schedule algorithm is not su±cient signi¯cant improvement has been gained against related- for the cryptosystem to resist against related key attacks. key attacks and several related-key cryptanalysis have We have realized our proposition by a counter example been developed against these extensions [8, 9]. Even in in which the E-box of DES is slightly modi¯ed whiles the case of DES-X there has been introduced some novel other components and among those, the shift pattern in key related attacks [9]. It is believed that the irregularities key schedule algorithm is kept unchanged. We have ap- in the shift pattern of DES key schedule algorithm makes plied a new related key attack on the resulting DES-like DES immune against related key attacks [2]. Recently, it cryptosystem and demonstrated that the security of the has been shown that 1-bit shift in some less number of system decreases drastically. rounds in DES key schedule makes DES vulnerable to a Keywords: Chosen key attack, di®erential related key at- related-key attack [7]. tack, DES, feistel type cipher In this paper we show that Biham's chosen key attack can be generalized to include any block cipher. Though this attack is applicable to the ciphers having block length 1 Introduction less than key size, it leads to a low complexity chosen key attack against any Feistel type cipher. Then we show The major attacks on Feistel type block ciphers fall into that the resistance of DES against di®erential related key three groups of di®erential analysis [1], linear analysis [10] attack is not merely upon the irregularities in the shift and related-key attacks [2]. The related key attack intro- pattern of its key schedule algorithm which is widely be- duced by Biham [2] is a chosen key attack assaulting the lieved since the time it was mentioned in [2]. We have key schedule algorithm of the cipher. In this attack, at- realized our proposition by mounting a di®erential related tacker obtains the encryption of certain plaintexts under key attack similar to that of [7] against a DES-like cipher several keys having certain relationships with each other. with the same key schedule algorithm as the original DES The goal in this type of attack is to reveal the secret key to demonstrate that the security of the system decreases of the cryptosystem and it can be accomplished whenever drastically. Our variant of DES is di®erent from the origi- the attacker can chose the relationship between unknown nal DES in one index of its E-box. This makes it nonsense keys. So, it is best practical on key-exchange protocols to build the immunity of DES against related key attacks where key-integrity is not guaranteed thus an attacker can merely upon shift pattern irregularities. flip the key bits without knowing the key itself [6, 8, 9]. In Section 2 we formalize the chosen key attack and In di®erential related-key attacks [6], the relationship be- give a low complexity attack scenario against Feistel type tween the unknown keys is their di®erence; adversary can ciphers. Then in Section 3 we discuss the original DES choose the di®erence between the keys and seek for the algorithm and its mixed transformation representation keys themselves. The plaintext ciphertext pairs can be in brief and introduce our DES-like encryption scheme. chosen or known which categorizes the related key attack Then in Section 4 we discuss our di®erential related key into two groups of known-related-key attacks and chosen- attack against the proposed DES-like system. International Journal of Network Security, Vol.8, No.3, PP.221{226, May 2009 222 2 Generalized Biham Chosen Key one can found k1 satisfying both conditions above and 0 0 0 consider (c; c ) satisfying c = F (c; k1) since p = F (p; k1), Attack 0 k1 is the ¯rst and last subkey of the keys K and K re- The chosen key attack is based on the observation that spectively. Reversing the encryption process one gets the 0 in many block ciphers we can view the key scheduling al- intermediate encryptions of p one round shifted as that gorithm as a set of algorithms each of which extracts one of p. particular subkey from the subkeys of previous rounds. If n Proposition 2: By 2 2 random n-bit plaintext-ciphertext all the algorithms of extracting the subkeys of the various n pair encrypted under key K and 2 2 plaintext-ciphertext rounds are the same then for a given a key we can shift pair encrypted under key K0 one expects to ¯nd a slid all the subkeys one round backwards and get a new set pair. of valid subkeys which can be derived from some other keys [12]. These keys are called related. The same argu- Proof. Consider plaintexts selected to encrypt under K ment is true for slide attacks introduced in [3, 4]. Slide and K0 as the set X and Y respectively. According to attacks can be viewed as a particular case of related-key birthday paradox the sets X and Y have a common ele- attack in which the relation is between the key and itself ment (so two elements with a determined relation) with a 1 [1]. Extending this idea, in this section, we introduce a probability greater than 2 . Thus, exposing to encryption generalization of chosen key attack to include any block under K and K0 we expect to have a slid pair. cipher and give low complexity attack scenarios against n Feistel type ciphers. Several related key analysis of block Proposition 3: By 2 4 random n-bit plaintext-ciphertext pair of the form Pi = Li k X encrypted under key K by a ciphers can be found in [2, 6, 8, 9]. n Feistel type cipher and 2 4 plaintext-ciphertext pair of the 0 De¯nition 1. (Block cipher): Our abstraction of block form Pj = X k Rj encrypted under key K one expects cipher is a triple C(n; r; K) in which n is the data block to ¯nd a slid pair. length, r the number of rounds and K the underlying key. Proof. Apply the birthday paradox to the half of the data We also write K ! (k1; k2; : : : ; kr) to denote the deriva- block. tion of round keys and F (x; ki) to denote the round func- K tion of C(n; r; K). we also write p!c to indicate the en- Attack model for general case: cryption process. n 2 0 1) Acquire 2 plaintext-ciphertext pair encrypted un- De¯nition 2. (Slid keys): The keys (K; K ) are called n der key K and 2 2 plaintext-ciphertext pair encrypted slid keys if they led to the same derivation of round keys under key K0: but one round out of phase. More formally (K; K0) are 0 0 called slid pairs if 2) For each pair½ ((p; c); (p ; c )) solve the simultaneous F (p; k) = p0 0 equation: K ! (k1; k2; : : : ; kr) () K ! (k2; k3; : : : ; kr; kr+1): F (c; k) = c0 0 If kr+1 = k1 then we call (K; K ) strong slid keys. According to Proposition 1 if the system has solution k then ((p; c); (p0; c0)) is a slid pair. And according to De¯nition 3. (Slid pair): A pair of plaintext-ciphertext Proposition 2 there is at list one slid pair. Thus in worst pairs ((p; c); (p0; c0)) in which p and p0 are encrypted under case performing O(2n) task, one can retrieve k . the keys K and K0 respectively, is called slid pair if: 1 1) (K; K0) are strong slid keys, Attack model for special case of Feistel ciphers: In Feistel ciphers the round function is F (L k R) = 0 2) P = F (P; k1). (R k L © f(R)). So the slid pair can be recognized more easily. Theorem 1. (Birthday Paradox): Let H : M ! C be m n a random function in which jCj = 2 and let X and Y be 1) Acquire 2 2 plaintext-ciphertext pair encrypted un- n two randomly chosen subsets of M with jXj = jY j = n. 2 m der key K and 2 plaintext-ciphertext pair encrypted If n ¸ 2 2 then the probability of ¯nding one collision under key K0. 1 between sets X and Y exceeds 2 . [11] 2) Sort (pi; ci) encrypted with key K according to right Proposition 1: The pair ((p; c); (p0; c0)) is slid pair if and 0 0 halves of pi and ci and sort (pi; ci) encrypted with only if it satis¯es the following conditions.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages6 Page
-
File Size-