New Types of Cryptanalytic Attacks Using Related Keys

Revised version

Eli Biham
Computer Science Department, Technion, Israel Institute of Technology, Haifa, Israel

Technion - Computer Science Department Technical Report CS0753 1992

Acknowledgment: This research was supported by the fund for the promotion of research at the Technion.

Abstract

In this paper we study the influence of key scheduling algorithms on the strength of blockciphers. We show that the key scheduling algorithms of many blockciphers inherit obvious relationships between keys, and use these key relations to attack the blockciphers. Two new types of attacks are described: new chosen plaintext reductions of the complexity of exhaustive search attacks (and the faster variants based on complementation properties), and new low complexity chosen key attacks. These attacks are independent of the number of rounds of the cryptosystems and of the details of the F function, and may have very small complexities. These attacks show that the key scheduling algorithm should be carefully designed and that its structure should not be too simple. These attacks are applicable to both variants of LOKI and to Lucifer. DES is not vulnerable to the related keys attacks since the shift pattern in the key scheduling algorithm is not the same in all the rounds.

Key words: Key scheduling algorithm, DES-like cryptosystems, Chosen key attacks, Chosen plaintext attacks, LOKI, Data Encryption Standard.

Introduction

In this paper we describe new types of attacks on blockciphers: chosen plaintext reductions of the complexity of exhaustive search, and chosen key attacks in which only the relations between pairs of related keys are chosen by the attacker, who does not know the keys themselves. The chosen plaintext attacks reduce the complexity of exhaustive search and the complexity of the faster chosen plaintext attacks based on complementation properties by a factor of three. The chosen key attacks have very low complexities; however, they can be used only whenever the attacker can choose the relationships between unknown keys and wishes to know the keys themselves.

These attacks are based on the observation that in many blockciphers we can view the key scheduling algorithm as a set of algorithms, each of which extracts one particular subkey from the subkeys of the previous few rounds. If all the algorithms of extracting the subkeys of the various rounds are the same, then given a key we can shift all the subkeys one round backwards and get a new set of valid subkeys which can be derived from some other key. We call these keys related keys.

An interesting feature of the attacks based on related keys is that they are independent of the number of rounds of the attacked cryptosystem. These attacks are applicable to both variants of LOKI and to Lucifer. Nevertheless, they are not applicable to DES, due to the observation that the number of shifts of the key registers C and D in the key scheduling algorithm is not the same in all the rounds. However, if the shifts by one bit in the key scheduling of DES were replaced by shifts by two bits, DES would become vulnerable to this kind of attack as well.

Another potential application of related keys is to analyze hash functions, either hash functions based on blockciphers or general hash functions. It may be possible in such functions to choose the message in a way that the related keys property suggests an additional message with the same hash value. Currently we are not aware of a particular such application to hash functions, but designers of hash functions should be careful to design their functions immune to this weakness.

The results of the attacks are as follows. The complexity of a chosen plaintext 54 attack on LOKI is about which is almost three times faster than previously reported chosen plaintext attacks. The chosen key chosen plaintext attack takes a few 17 seconds on a personal computer and its complexity is about and the complexity of 32 the chosen key known plaintext attack is about The corresponding complexities 61 32 48 of the attacks on the newer LOKI are and respectively. The 33 complexity of the chosen key chosen plaintext attack on Lucifer is about The DES, the IDEA cipher and the FEAL cipher are not vulnerable to these attacks.

Recently, Lars Ramkilde Knudsen found independently the basic concept of the chosen plaintext related keys attacks and applied it to LOKI. However, his 62 attack whose complexity is is still slower than the corresponding attack we present in this paper.

[Figure: Outline of LOKI (plaintext P, key K, subkeys K1 to K16 each followed by ROL12, swap(K), ciphertext C)]

Description of LOKI and LOKI

LOKI is a family of blockciphers with two variants: the original LOKI cipher, which was renamed to LOKI, and the newer variant LOKI. Both variants have a structure similar to DES with replaced F function and initial and final permutations, and a replaced key scheduling algorithm. The new F function XORs the right half of the data with the subkey and expands the result to bits which enter into four bit to bit S boxes. The output of the S boxes is concatenated and permuted to form the output of the F function.

In LOKI (see Figure) the initial and the final permutations are replaced by transformations which exclusive-or the data with the key: the initial transformation XORs the plaintext with the key itself, and the final transformation XORs the data with the swapped key, whose two halves are exchanged. The key scheduling algorithm takes a bit key, declares its left half as the value of K and its right half as the value of K. Each other subkey Ki out of K K is defined by rotating the subkey Kj of round j i by bits to the left Ki ROLKj. Thus all the subkeys of the odd rounds share the same bits and all the subkeys of the even rounds share the same bits.

[Figure: Outline of LOKI (plaintext P, key K, subkeys K1 to K16 with alternating ROL12 and ROL13 rotations, ciphertext C)]

LOKI (see Figure) differs from LOKI by the choice of the S boxes, which are chosen to hold better against differential cryptanalysis. The initial and the final permutations are eliminated. The new key scheduling algorithm declares the value of the left half of the key to be K, and the same value rotated bits to the left is declared to be K. The value of the right half of the key is declared to be K, and the same value rotated bits to the left is declared as K. Each other subkey Ki out of K K is defined by rotating the subkey Kj of round j i by bits to the left Ki ROLK j. Still, the subkeys share bits with a very structured order.

The Chosen Key Attacks

In the chosen key attacks, two related keys with a certain relationship are used, and several plaintexts are encrypted under each of them. The attacker knows only the relationship between the two keys, but not the keys themselves. He receives the ciphertexts and uses them to find both keys. Two kinds of chosen key attacks are studied: a chosen key known plaintext attack, in which only the relation between the keys is chosen by the attacker, and a chosen key chosen plaintext attack, in which the attacker chooses the relation between the keys as well as the plaintexts to be encrypted. These attacks are independent of the exact number of rounds of the attacked cryptosystem, and even if the number of rounds is enlarged (and especially if doubled), the resulting cryptosystem remains vulnerable to the same attack.

LOKI

In LOKI, every choice of two subkeys, one from an odd round and one from an even round, has a corresponding bit key. Since all the algorithms of deriving the subkeys from the two preceding subkeys are the same, the position of the rounds in which two subkeys are present does not affect the derivation of the following subkeys, nor the preceding ones. If we only fix two subkeys K and K of a key K and define a second key K by choosing K K and K K then the values of the subkeys Ki of the key K are the same as of the following subkeys Ki of the key K In this case K K K K ROLK Therefore the following property holds R L for any two such related keys: If the data before the second round in an encryption under the key K equals the data before the first round in an encryption under the key K, then the data and the inputs of the F functions are the same in both executions, shifted by one round. In this case, if the plaintext P is encrypted under the key K, then the data before the second round is P K P K F P K K This R R L L R R L data equals the data before the first round in the other encryption under the key K whose value is P K P K P ROLK and thus in such a pair R L L R P P P K ROLK F P K K R L L L R R L We see that the right half of P equals the left half of P and that the relation between the other halves depends on the keys. In such a pair there is also a similar relation between the ciphertexts C C K ROLK F C K K C R L L L R L L

[Figure: Relations of subkeys in the key scheduling algorithm of LOKI (the subkeys K1* to K15* of the key K* are aligned with the subkeys K2 to K16 of the key K)]

Figures and describes the relations between the subkeys
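The one-round shift between related keys can be checked directly. The following is an added example, not code from the paper: it models the outline of the original LOKI variant (initial XOR with the key, 16 rounds, the ROL12 schedule shown in the figures) and verifies that the subkeys and the round data of K* are those of K moved up one round. It assumes a 64-bit key with 32-bit halves, and `toy_f` is a hypothetical stand-in for the real F function, on which the property does not depend.

```python
MASK32 = 0xFFFFFFFF
ROUNDS = 16  # K1..K16, as in the outline figure

def rol12(x):
    """ROL12: rotate a 32-bit word left by 12 bits."""
    return ((x << 12) | (x >> 20)) & MASK32

def subkeys(key):
    """K1 = left half, K2 = right half, then Ki = ROL12 of the subkey two rounds back."""
    ks = [key >> 32, key & MASK32]
    while len(ks) < ROUNDS:
        ks.append(rol12(ks[-2]))
    return ks

def related_key(key):
    """K* = (K_R, ROL12(K_L)): its first two subkeys are K2 and K3 of K."""
    return ((key & MASK32) << 32) | rol12(key >> 32)

def toy_f(right, subkey):
    """Hypothetical stand-in for F (not LOKI's S-boxes): XOR the subkey in, then mix."""
    x = ((right ^ subkey) * 0x9E3779B1) & MASK32
    return x ^ (x >> 15)

def round_states(key, plaintext):
    """Data halves (L, R) before rounds 1..16 and after round 16."""
    left = (plaintext >> 32) ^ (key >> 32)  # initial transformation: XOR with the key
    right = (plaintext & MASK32) ^ (key & MASK32)
    states = [(left, right)]
    for k in subkeys(key):
        left, right = right, left ^ toy_f(right, k)
        states.append((left, right))
    return states

def related_plaintext(key, plaintext):
    """P* whose data before round 1 under K* equals P's data before round 2 under K.
    K is used here only to build a test pair; an attacker would not know it."""
    left, right = round_states(key, plaintext)[1]
    kstar = related_key(key)
    return ((left ^ (kstar >> 32)) << 32) | (right ^ (kstar & MASK32))

def check_shift(key, plaintext):
    """Return (subkeys shifted, data shifted, right half of P == left half of P*)."""
    kstar, pstar = related_key(key), related_plaintext(key, plaintext)
    keys_ok = subkeys(kstar)[:ROUNDS - 1] == subkeys(key)[1:]
    data_ok = round_states(kstar, pstar)[:ROUNDS] == round_states(key, plaintext)[1:]
    return keys_ok, data_ok, (pstar >> 32) == (plaintext & MASK32)

# Constructed sample key and plaintext, not taken from the paper.
print(check_shift(0x0123456789ABCDEF, 0x1122334455667788))
```

Because every round derives its subkey the same way, the check passes for any key and any choice of `toy_f`; a schedule whose rotation amount varies by round, as in DES, breaks the `keys_ok` equality.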
