
Cryptanalysis of Akelarre

Niels Ferguson, DigiCash bv, Kruislaan 419, 1098 VA Amsterdam, Netherlands
Bruce Schneier, Counterpane Systems, 101 E Minnehaha Parkway, Minneapolis, MN 55419, USA

July 23, 1997

Abstract

We show two practical attacks against the Akelarre block cipher. The best attack retrieves the 128-bit key using less than 100 chosen plaintexts and $2^{42}$ off-line trial encryptions. Our attacks use a weakness in the round function that preserves the parity of the input, a set of 1-round differential characteristics with probability 1, and the lack of avalanche and one-way properties in the key-schedule. We suggest some ways of fixing these immediate weaknesses, but conclude that the algorithm should be abandoned in favor of better-studied alternatives.

1 Description of Akelarre

Akelarre [AGMP96A, AGMP96B] is a 128-bit block cipher that uses the same overall structure as IDEA [LMM91]; instead of IDEA's 16-bit sub-blocks Akelarre uses 32-bit sub-blocks. Furthermore, Akelarre does not use modular multiplications, but instead uses a combination of a 128-bit key-dependent rotate at the beginning of each round, and repeated key additions and data-dependent rotations¹ in its MA-box (called an "addition-rotation structure" in Akelarre). Akelarre is defined for a variable-length key and a variable number of rounds. The authors recommend using Akelarre with four rounds and a 128-bit key; this is the version that we will cryptanalyze.

¹ Data-dependent rotations were first used by Madryga [Mad84] and more recently in RC5 [Riv95].

1.1 Encryption

An Akelarre encryption consists of an input transformation, a repeated round function, and an output transformation (see Figure 1).

[Figure 1: Overview of the Akelarre block cipher]

The input transformation is defined as follows:

1. The 128-bit plaintext is divided into four 32-bit sub-blocks: $X_1$, $X_2$, $X_3$, and $X_4$.

2. These sub-blocks are combined with four sub-keys (all sub-keys are written as $Z^i_j$, where $i$ is the round and $j$ indicates the $j$-th sub-key used in round $i$):

   $R^0_1 := X_1 + Z^0_1 \bmod 2^{32}$
   $R^0_2 := X_2 \oplus Z^0_2$
   $R^0_3 := X_3 \oplus Z^0_3$
   $R^0_4 := X_4 + Z^0_4 \bmod 2^{32}$

These four sub-blocks provide the input to round 1. Akelarre has $v$ rounds. Each round $i = 1, \ldots, v$ consists of the following steps:

1. The four input sub-blocks $R^{i-1}_1$, $R^{i-1}_2$, $R^{i-1}_3$, and $R^{i-1}_4$ are concatenated into one 128-bit block.

2. The 128-bit block is rotated left a variable number of bits determined by the least significant seven bits of $Z^i_1$.

3. The rotated 128-bit block is divided into four 32-bit sub-blocks: $S^i_1$, $S^i_2$, $S^i_3$, and $S^i_4$.

4. Pairs of sub-blocks are xored to provide the inputs to the addition-rotation structure:

   $P^i_1 := S^i_1 \oplus S^i_3$
   $P^i_2 := S^i_2 \oplus S^i_4$

5. $P^i_1$ and $P^i_2$ are combined with twelve 32-bit sub-keys, $Z^i_2, Z^i_3, \ldots, Z^i_{13}$, according to the addition-rotation structure described later. The output of this structure consists of two 32-bit sub-blocks $Q^i_1$ and $Q^i_2$.

6. The four sub-blocks from Step 3 are xored with the outputs of the addition-rotation structure:

   $R^i_1 := S^i_1 \oplus Q^i_2$
   $R^i_2 := S^i_2 \oplus Q^i_1$
   $R^i_3 := S^i_3 \oplus Q^i_2$
   $R^i_4 := S^i_4 \oplus Q^i_1$

The sub-blocks $R^i_1, \ldots, R^i_4$ form the output of the round function.

The output of the final round forms the input to the output transformation, which consists of the following steps:

1. The output blocks of the $v$-th round are concatenated into one 128-bit block.

2. The 128-bit block is rotated left a variable number of bits determined by the least significant seven bits of $Z^{v+1}_1$.

3. The rotated 128-bit block is divided into four sub-blocks: $S^{v+1}_1$, $S^{v+1}_2$, $S^{v+1}_3$, and $S^{v+1}_4$.

4. The four sub-blocks are combined with four final sub-keys:

   $Y_1 := S^{v+1}_1 + Z^{v+1}_2 \bmod 2^{32}$
   $Y_2 := S^{v+1}_2 \oplus Z^{v+1}_3$
   $Y_3 := S^{v+1}_3 \oplus Z^{v+1}_4$
   $Y_4 := S^{v+1}_4 + Z^{v+1}_5 \bmod 2^{32}$

5. The four sub-blocks $Y_1$, $Y_2$, $Y_3$, and $Y_4$ are concatenated to form the ciphertext.

All that remains is to specify the addition-rotation structure. We describe it for completeness' sake; our attack does not rely on any property of the addition-rotation structure. The structure is formed by two columns; $P^i_1$ is the input to the first column and $P^i_2$ is the input to the second column. Each column works as follows:

1. The high 31 bits of $P^i_j$ are rotated left a variable number of bits.

2. The 32-bit output of the previous step is added to a sub-key.

3. The low 31 bits of the result of the previous step are rotated left a variable number of bits.

4. The 32-bit output of the previous step is added to a sub-key.

5. The high 31 bits of the result of the previous step are rotated left a variable number of bits.

6. The 32-bit output of the previous step is added to a sub-key.

7. Steps 3 through 6 are repeated until there have been seven rotations and six sub-key additions in total.

8. The outputs of the two columns are $Q^i_1$ and $Q^i_2$.

The sub-keys added in the first column are $Z^i_8, Z^i_9, \ldots, Z^i_{13}$; the sub-keys added in the second column are $Z^i_2, Z^i_3, \ldots, Z^i_7$.

Let $X[a..b]$ be the number formed by taking bits $a$ through $b$ of the integer $X$ (where we start our bit numbering at 0 for the least significant bit). The rotation amounts of the second column are determined by $P^i_1$: the first rotation amount is $P^i_1[4..0]$, the second rotation amount is $P^i_1[9..5]$, the third rotation amount is $P^i_1[14..10]$, the fourth rotation amount is $P^i_1[19..15]$, the fifth rotation amount is $P^i_1[23..20]$, the sixth rotation amount is $P^i_1[27..24]$, and the seventh rotation amount is $P^i_1[31..28]$. The rotation amounts in the first column are determined in the same manner from $Q^i_2$.

1.2 Key Schedule

Akelarre requires $13v + 9$ sub-keys: four for the input transformation, 13 for each of the $v$ rounds, and five for the output transformation. These 32-bit sub-keys are derived from a master key. The length of the master key can be any multiple of 64 bits, although we limit our discussion to 128-bit master keys, which is the key size suggested in [AGMP96A]. The descriptions of the key schedule in [AGMP96A] and [AGMP96B] differ; we base our discussion on the more extensive description in [AGMP96A]. An overview of the key schedule is shown in Figure 2.

[Figure 2: Overview of the Akelarre key schedule]

First, the master key is divided into eight 16-bit sub-blocks, called $k_i$ for $i = 1, \ldots, 8$. Each sub-block is squared (yielding a 32-bit result), and then added mod $2^{32}$ to a constant, $A_0 = \mathrm{A49ED284}_{16}$ and $A_1 = \mathrm{735203DE}_{16}$. Let $k^0_i := k_i^2 + A_0 \bmod 2^{32}$ and $k^1_i := k_i^2 + A_1 \bmod 2^{32}$.

The first eight sub-keys are generated as follows: the outermost bytes of $k^0_i$ form the two high-order bytes of sub-key $K_i$; the outermost bytes of $k^1_{i \bmod 8 + 1}$ form the two low-order bytes of sub-key $K_i$. Thus, sub-key $K_i$ is a function of only $k_i$ and $k_{i \bmod 8 + 1}$.

The innermost bytes of $k^0_i$ are squared and added modulo $2^{32}$ to $A_0$ to generate $k^2_i$, and similarly the innermost bytes of $k^1_i$ are squared and added modulo $2^{32}$ to $A_1$ to generate $k^3_i$. The second eight sub-keys are generated in the same way the first eight were. For $i = 9, \ldots, 16$, the outermost bytes of $k^2_{i-8}$ form the two high-order bytes of sub-key $K_i$; the outermost bytes of $k^3_{i \bmod 8 + 1}$ form the two low-order bytes of sub-key $K_i$.
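The abstract's first weakness, that the round function preserves the parity of its input, follows directly from the round description in Section 1.1: the 128-bit rotation only permutes bits, and each of $Q^i_1$ and $Q^i_2$ is xored into two of the four output words, so both cancel in the XOR of $R^i_1 \oplus R^i_2 \oplus R^i_3 \oplus R^i_4$. The following is an added example, not code from the paper or from the Akelarre authors: it implements the round function and the addition-rotation structure as described above and checks the parity invariant over random blocks and random round sub-keys (the key schedule is not implemented; sub-keys are constructed with a seeded generator). Two details the page leaves open are marked as assumptions in the code: $R_1$ is taken as the most significant word of the concatenated block, and a 5-bit rotation amount is reduced mod 31 before rotating a 31-bit field.

```python
"""Akelarre round function (Section 1.1) and the parity invariant it leaks.
Added example; not the paper's code. Round sub-keys are constructed at random."""
import random

MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1
MASK128 = (1 << 128) - 1


def rotl31(x, r):
    """Rotate a 31-bit value left by r. Assumption: r is reduced mod 31,
    since the page does not say how a 5-bit amount maps onto a 31-bit field."""
    r %= 31
    return ((x << r) | (x >> (31 - r))) & MASK31


def rot_high31(w, r):
    """Rotate the high 31 bits of a 32-bit word, leaving bit 0 in place."""
    return (rotl31(w >> 1, r) << 1) | (w & 1)


def rot_low31(w, r):
    """Rotate the low 31 bits of a 32-bit word, leaving bit 31 in place."""
    return (w & (1 << 31)) | rotl31(w & MASK31, r)


def rotl128(x, r):
    r %= 128
    return ((x << r) | (x >> (128 - r))) & MASK128


def bits(x, hi, lo):
    """X[hi..lo] in the paper's notation: bits hi down to lo, bit 0 = LSB."""
    return (x >> lo) & ((1 << (hi - lo + 1)) - 1)


# The seven rotation-amount fields of the control word: P[4..0] ... P[31..28].
FIELDS = [(4, 0), (9, 5), (14, 10), (19, 15), (23, 20), (27, 24), (31, 28)]


def rotation_amounts(control):
    return [bits(control, hi, lo) for hi, lo in FIELDS]


def ar_column(p, amounts, keys):
    """One column: rotate high 31 bits, add key, rotate low 31 bits, add key, ...
    until seven rotations (alternating high/low) and six additions have been done."""
    assert len(amounts) == 7 and len(keys) == 6
    x = p
    for j in range(7):
        x = rot_high31(x, amounts[j]) if j % 2 == 0 else rot_low31(x, amounts[j])
        if j < 6:
            x = (x + keys[j]) & MASK32
    return x


def ar_structure(p1, p2, z):
    """z[1..13] are the round sub-keys (z[0] unused). The second column (input P2,
    keys Z2..Z7) takes its rotation amounts from P1; the first column (input P1,
    keys Z8..Z13) takes them from Q2, so the second column is evaluated first."""
    q2 = ar_column(p2, rotation_amounts(p1), z[2:8])
    q1 = ar_column(p1, rotation_amounts(q2), z[8:14])
    return q1, q2


def akelarre_round(r, z):
    """One round on r = (R1, R2, R3, R4). Assumption: R1 is the most significant
    word of the 128-bit block formed by concatenation."""
    block = (r[0] << 96) | (r[1] << 64) | (r[2] << 32) | r[3]
    block = rotl128(block, z[1] & 0x7F)  # least significant seven bits of Z1
    s = [(block >> (96 - 32 * j)) & MASK32 for j in range(4)]
    q1, q2 = ar_structure(s[0] ^ s[2], s[1] ^ s[3], z)
    return (s[0] ^ q2, s[1] ^ q1, s[2] ^ q2, s[3] ^ q1)


def parity(words):
    """XOR of all 128 bits of the block: the quantity the round function preserves."""
    x = 0
    for w in words:
        x ^= w
    return bin(x).count("1") & 1


def parity_preserved(seed=1, rounds=4, trials=50):
    """Push random blocks through `rounds` rounds with random (constructed) sub-keys
    and report whether the parity survived in every trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        z = [[0] + [rng.getrandbits(32) for _ in range(13)] for _ in range(rounds)]
        r = tuple(rng.getrandbits(32) for _ in range(4))
        before = parity(r)
        for zi in z:
            r = akelarre_round(r, zi)
        if parity(r) != before:
            return False
    return True


if __name__ == "__main__":
    print("parity preserved over 4 rounds:", parity_preserved())
```

The check passes for any choice of sub-keys and any rotation amounts, which is the point: nothing inside the addition-rotation structure can repair the invariant, because the structure's outputs are xored into the state symmetrically. A defender evaluating a new design would look for exactly this kind of linear relation that holds with probability 1 across the round function before worrying about the strength of the non-linear component.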
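The key-schedule description in Section 1.2 makes the lack of avalanche mentioned in the abstract concrete: each of the first eight sub-keys $K_i$ depends only on $k_i$ and $k_{i \bmod 8 + 1}$. The following is an added example, not the paper's or the Akelarre authors' code, that derives the first eight sub-keys as described and reports which of them change when a single master-key bit is flipped. It covers only the first eight sub-keys; the second eight (which use the innermost bytes) are not implemented. Two points the page does not fix are marked as assumptions: $k_1$ is taken as the most significant 16 bits of the master key, and the two outermost bytes of a word are combined most significant byte first. The master key used in the test is a constructed value.

```python
"""First eight Akelarre sub-keys from a 128-bit master key (Section 1.2).
Added example; not the paper's code."""
A0 = 0xA49ED284  # constants from the paper
A1 = 0x735203DE
MASK32 = (1 << 32) - 1


def square_plus(k16, const):
    """k_i^2 + const mod 2^32 for a 16-bit sub-block."""
    return (k16 * k16 + const) & MASK32


def outer_bytes(w):
    """The two outermost bytes of a 32-bit word. Assumption: most significant
    byte first; the page does not state the order in which they are combined."""
    return ((w >> 24) & 0xFF, w & 0xFF)


def master_subblocks(master):
    """Split a 128-bit master key into k_1..k_8. Assumption: k_1 is the most
    significant 16 bits. The returned list is 0-based: k[0] is k_1."""
    return [(master >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def first_eight_subkeys(master):
    """K_i = outer bytes of k^0_i (high half) || outer bytes of k^1_{i mod 8 + 1} (low half)."""
    k = master_subblocks(master)
    k0 = [square_plus(x, A0) for x in k]
    k1 = [square_plus(x, A1) for x in k]
    subkeys = []
    for i in range(8):
        hi = outer_bytes(k0[i])            # from k^0_i
        lo = outer_bytes(k1[(i + 1) % 8])  # from k^1_{i mod 8 + 1}
        subkeys.append((hi[0] << 24) | (hi[1] << 16) | (lo[0] << 8) | lo[1])
    return subkeys


def subkeys_affected(master, bit):
    """Indices (1-based) of the sub-keys among K_1..K_8 that change when the
    given master-key bit is flipped."""
    a = first_eight_subkeys(master)
    b = first_eight_subkeys(master ^ (1 << bit))
    return [i + 1 for i in range(8) if a[i] != b[i]]


if __name__ == "__main__":
    key = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample key
    for bit in (0, 17, 64, 127):
        print(f"flip bit {bit:3d}: sub-keys affected {subkeys_affected(key, bit)}")
```

Under these assumptions, flipping any one bit of the master key changes at most two of the first eight sub-keys, and the all-zero master key yields eight identical sub-keys, 0xA48473DE, because $0^2 + A_0$ and $0^2 + A_1$ are just the constants. A key schedule with full avalanche would spread a one-bit change across all sub-keys; this locality is what lets the paper treat small groups of sub-keys independently.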
