Impossible Differential Cryptanalysis of TEA, XTEA and HIGHT

Jiazhe Chen (1,2), Meiqin Wang (1,2), Bart Preneel (2)
(1) Shandong University, China
(2) KU Leuven, ESAT/COSIC and IBBT, Belgium
AfricaCrypt 2012, July 10, 2012

Outline

  • Preliminaries
      – Impossible Differential Attack
      – TEA, XTEA and HIGHT
  • Impossible Differential Attacks on TEA and XTEA
      – Deriving Impossible Differentials for TEA and XTEA
      – Key Recovery Attacks on TEA and XTEA
  • Impossible Differential Cryptanalysis of HIGHT
      – Impossible Differential Attacks on HIGHT
  • Conclusion

Preliminaries: Impossible Differential Attack

  • $\Pr(\Delta A \to \Delta B) = 1$, $\Pr(\Delta G \to \Delta F) = 1$, $\Delta B \neq \Delta F$, so $\Pr(\Delta A \to \Delta G) = 0$
  • Extend the impossible differential forward and backward to attack a block cipher
  • Guess subkeys in Part I and Part II; if there is a pair that meets $\Delta A$ and $\Delta G$, then the subkey guess must be wrong

[Figure: the cipher drawn top to bottom with the labels P, I, A, B, F, G, II, C]

Preliminaries: TEA and XTEA

[Figure: one round of TEA and one round of XTEA, mapping $(L_i, R_i)$ to $(L_{i+1}, R_{i+1})$; labels include <<4, >>5, K[0], K[1], δ, i·δ and K[(i·δ>>11)&3]]

  • 64 rounds; block size: 64 bits; key size: 128 bits
  • TEA was used in Microsoft's Xbox gaming console
  • Both TEA and XTEA are implemented in the Linux kernel

Preliminaries: HIGHT

[Figure: one round of HIGHT, mapping the bytes $X_7^i, \ldots, X_0^i$ to $X_7^{i+1}, \ldots, X_0^{i+1}$ with the subkeys $SK_{4(i+1)-1}$, $SK_{4(i+1)-2}$, $SK_{4(i+1)-3}$, $SK_{4(i+1)-4}$ and the functions $F_0$, $F_1$]

  $F_0(x) = (x \lll 1) \oplus (x \lll 2) \oplus (x \lll 7)$, $F_1(x) = (x \lll 3) \oplus (x \lll 4) \oplus (x \lll 6)$

  • 32 rounds; block size: 64 bits; key size: 128 bits
  • HIGHT is adopted as an International Standard by ISO/IEC 18033-3
  • A common property of TEA, XTEA and HIGHT: the subkeys intervene after the confusion and diffusion

Deriving Impossible Differentials for TEA and XTEA: Some Notations

  • $e_0$: $(???????0)_2$, $e_1$: $(???????1)_2$, $e_4$: $(?????100)_2$
  • $D[i]$: a 32-bit difference where the i-th bit is 1, the first to the (i − 1)-th bits are 0, and the (i + 1)-th to 32nd bits are indeterminate. For i < 0, $D[i]$ means that all the 32 bits of the difference are indeterminate.

Deriving Impossible Differentials for TEA and XTEA

Impossible differential for ARX (ASX) type ciphers: looking for a one-bit contradiction.

Property. If the input difference of the i-th round of XTEA (TEA) is $(0, D[n])$, then the output difference is $(D[n], D[n-5])$.

Property. If the input difference of the i-th round of XTEA (TEA) is $(D[m], D[n])$, where $m > n - 5$, then the output difference is $(D[n], D[n-5])$. Vice versa, if the output difference of the j-th round of XTEA (TEA) is $(D[p], D[q])$, where $q > p - 5$, then the input difference is $(D[p-5], D[p])$.
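The one-round propagation property stated above can be checked empirically, including what happens when the condition m > n − 5 fails or when n − 5 drops below the lowest bit. This is an added example, not code from the slides or from the authors. Assumptions: round keys and round constants are random words (the property does not depend on them), the helper names are hypothetical, and bit positions are counted from 0 at the least significant bit.

```python
import random

MASK = 0xFFFFFFFF

def tea_round(L, R, k):
    # k = (key word, key word, round constant); all arbitrary in this experiment
    F = ((((R << 4) & MASK) + k[0]) ^ (R + k[2]) ^ ((R >> 5) + k[1])) & MASK
    return R, (L + F) & MASK

def xtea_round(L, R, k):
    # k[0] stands for the whole word (sum + key word) that XTEA XORs in
    F = (((((R << 4) & MASK) ^ (R >> 5)) + R) ^ k[0]) & MASK
    return R, (L + F) & MASK

def low_bit(x):
    """Index of the lowest set bit (0 = least significant); -1 if x == 0."""
    return (x & -x).bit_length() - 1

def sample_D(rng, i):
    """Random difference of the form D[i]; None means the zero difference."""
    if i is None:
        return 0
    return ((rng.getrandbits(32) << (i + 1)) | (1 << i)) & MASK

def observed(round_fn, m, n, trials=2000, seed=1):
    """Set of (lowest set bit of left, of right) output differences seen
    for input difference (D[m], D[n]) over random states and keys."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        L, R = rng.getrandbits(32), rng.getrandbits(32)
        k = [rng.getrandbits(32) for _ in range(3)]
        a = round_fn(L, R, k)
        b = round_fn(L ^ sample_D(rng, m), R ^ sample_D(rng, n), k)
        seen.add((low_bit(a[0] ^ b[0]), low_bit(a[1] ^ b[1])))
    return seen

if __name__ == "__main__":
    for fn in (tea_round, xtea_round):
        print(fn.__name__, "(0, D[12])    ->", observed(fn, None, 12))
        print(fn.__name__, "(D[8], D[12]) ->", observed(fn, 8, 12))
        # m = n - 5 violates the condition: bit 7 of the right half cancels
        print(fn.__name__, "(D[7], D[12]) ->", sorted(observed(fn, 7, 12))[:4])
        # n - 5 < 0: the right half is fully indeterminate
        print(fn.__name__, "(0, D[3])     ->", sorted(observed(fn, None, 3)))
```

A single pair `(n, n - 5)` in the result means every trial produced an output difference of the form (D[n], D[n − 5]); several pairs mean the lowest bit is not fixed, which is the indeterminate case.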
