A Practical-Time Related-Key Boomerang Attack on MMB

Tomer Ashur, Orr Dunkelman
29/10/2013

Overview

1. Quick description of the MMB block cipher.
2. Short explanation of the cryptanalytic techniques used in this paper.
3. A related-key boomerang attack that recovers 62 key bits for MMB.
4. Using the previously recovered 62 bits to recover another 31 bits of the key.
5. Recovering the last bits.
6. Results of experimental verification.
7. Possible extensions of the attack.

The Modular Multiplication Block (MMB) Cipher

◮ Invented in 1997 by Joan Daemen as an improvement for the IDEA cipher.
◮ Block and key size of 128-bit.
◮ Six rounds, 4 operations:
  ◮ σ - key injection ($x_i \oplus k_i^j$).
  ◮ γ - modular multiplication ($(x_i * G_i) \bmod (2^{32} - 1)$).
  ◮ η - data-dependent operation ($(x_i \bmod 2)\ ?\ (\delta \oplus x_i) : x_i$).
  ◮ θ - matrix multiplication ($x_{i-1} \oplus x_i \oplus x_{i+1}$).

MMB's Round Function

[Figure: the round function. The state words $x_0^j, x_1^j, x_2^j, x_3^j$ pass through σ (XOR with $k_0^j, \ldots, k_3^j$), γ (multiplication by $G_0, \ldots, G_3$), η (XOR of $\mathrm{LSB}(x_0) \cdot \delta$ and $\mathrm{LSB}(x_3) \cdot \delta$ into the outer words) and θ, giving $x_0^{j+1}, x_1^{j+1}, x_2^{j+1}, x_3^{j+1}$.]

Differential Cryptanalysis and its Variants

◮ Differential cryptanalysis [BS91]
◮ Related-key differential cryptanalysis [KSW96]
◮ Boomerang attack [W99]
◮ Related-key boomerang attack [K+04, K+05, BDK05]

Previous Work

◮ 2-round differential with probability 1 [WNS09]:

  $(0, \bar{0}, \bar{0}, 0) \xrightarrow{\sigma[k^0]} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\gamma} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\eta} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\theta} (\bar{0}, 0, 0, \bar{0})$
  $\xrightarrow{\sigma[k^1]} (\bar{0}, 0, 0, \bar{0}) \xrightarrow{\gamma} (\bar{0}, 0, 0, \bar{0}) \xrightarrow{\eta} (\bar{\delta}, 0, 0, \bar{\delta}) \xrightarrow{\theta} (0, \bar{\delta}, \bar{\delta}, 0)$

◮ 5-round distinguisher with probability $2^{-110}$ [WNS09].
◮ Full key recovery with time complexity of $2^{118}$ [WNS09].
◮ 5-round sandwich distinguisher with probability 1 [J+11].
◮ Full key recovery with time complexity of $2^{40}$ [J+11].

Description of the Differential Characteristics

◮ 3-round related-key differential characteristic with probability 1:

  $\triangle = (0, 0, \bar{0}, \bar{0}) \xrightarrow{(0, 0, \bar{0}, \bar{0})} (\delta, \bar{0}, \delta, \bar{\delta}) = \triangle^*$.

  One additional round can be prepended: $(X, \bar{0}, 0, \bar{0}) \to \triangle$

◮ 4-round related-key differential characteristic with probability 1:

  $\triangledown^* = (0, 0, \bar{0}, 0) \xrightarrow{(0, 0, \bar{0}, 0)} (\bar{\delta}, \bar{\delta}, 0, \bar{\delta}) = \triangledown$

  One additional round can be prepended: $(0, \bar{0}, \bar{0}, Y) \to \triangledown^*$

◮ 2-round related-key differential characteristic with probability 1:

  $\tau = (0, 0, 0, \bar{0}) \xrightarrow{(0, 0, 0, \bar{0})} (0, \bar{0}, \bar{0}, \bar{0}) = \tau^*$

Description of B0

[Figure: the boomerang quartet for B0. Plaintexts P1, P2 with difference $(X, \bar{0}, 0, \bar{0})$ are carried through 1R and then 3R to intermediate values i1, i2 with difference $(\delta, \bar{0}, \delta, \bar{\delta})$, and through 2R to ciphertexts C1, C2. Ciphertexts C3, C4 are carried back through 2R to intermediate values i3, i4, again with difference $(\delta, \bar{0}, \delta, \bar{\delta})$, and through 4R to plaintexts P3, P4.]

Identifying right pairs

◮ Store all decrypted data in a hash-table.
◮ Right pairs can be identified by their collision in the appropriate 96 bits.
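
The 2-round probability-1 differential quoted under Previous Work can be checked empirically from the four round operations listed earlier; the following is an added example, not code from the slides or the paper. The values of G_i and δ are assumed from the MMB specification (they are not given on this page), and independent random round keys stand in for MMB's key schedule, which the property does not depend on.

```python
import random

M = 0xFFFFFFFF  # 2^32 - 1; also the all-ones word written as 0-bar on the slides
# Assumed constants (MMB specification values, not stated on this page).
# The check only needs every G_i to be invertible mod 2^32 - 1.
G = (0x025F1CDB, 0x04BE39B6, 0x12F8E6D8, 0x2F8E6D81)
DELTA = 0x2AAAAAAA

def sigma(x, k):
    """Key injection: x_i XOR k_i."""
    return [a ^ b for a, b in zip(x, k)]

def gamma(x):
    """Multiply by G_i mod 2^32 - 1; the all-ones word is kept as a fixed point."""
    return [a if a == M else (a * g) % M for a, g in zip(x, G)]

def eta(x):
    """Data-dependent step on the outer words: XOR delta when the LSB is 1."""
    y = list(x)
    for i in (0, 3):
        if y[i] & 1:
            y[i] ^= DELTA
    return y

def theta(x):
    """Each word becomes x_{i-1} XOR x_i XOR x_{i+1}, indices taken mod 4."""
    return [x[(i - 1) % 4] ^ x[i] ^ x[(i + 1) % 4] for i in range(4)]

def two_rounds(x, k0, k1):
    for k in (k0, k1):
        x = theta(eta(gamma(sigma(x, k))))
    return x

def differential_holds(trials=2000, seed=1):
    """Count trials where input difference (0,~0,~0,0) gives (0,~d,~d,0)."""
    rng = random.Random(seed)
    words = lambda: [rng.getrandbits(32) for _ in range(4)]
    d_in = [0, M, M, 0]
    d_out = [0, DELTA ^ M, DELTA ^ M, 0]
    hits = 0
    for _ in range(trials):
        x, k0, k1 = words(), words(), words()
        a = two_rounds(x, k0, k1)
        b = two_rounds(sigma(x, d_in), k0, k1)
        hits += sigma(a, b) == d_out   # XOR of the two outputs is the difference
    return hits, trials
```

Every trial succeeds because complementing a word negates it modulo 2^32 - 1, so γ preserves the all-ones difference, and η then sees a pair with opposite least significant bits in the second round.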
