Differential Cryptanalysis of Nimbus

Transcription

1 Dfferental Cryptanalyss of Nmbus Vladmr Furman Computer Scence Department, Technon - Israel Insttute of Technology, Hafa 32000, Israel. vfurman@cs.technon.ac.l. Abstract. Nmbus s a block cpher submtted as a canddate to the NESSIE project by Alexs Machado.Lke many other cphers Nmbus combnes multplcaton operatons wth XOR operatons, a common technque to protect aganst varous knds of cryptanalyss.in ths paper we present two new dfferental propertes of multplcaton operatons wth probablty about 1/2 whch we use to desgn a one-round teratve characterstc of Nmbus.We terate t to a characterstc of the full cpher wth probablty 1/32, whch n turn we use to attack the full cpher and fnd all the key materal usng 256 chosen plantexts and 2 10 complexty.thus, we show that the ncluson of multplcaton operatons n a cpher does not necessarly protect aganst attacks. 1 Introducton Nmbus [2] s a block cpher submtted as a canddate to the NESSIE project by Alexs Machado.The cpher has 64-bt blocks and 128-bt keys.it conssts of fve rounds of the form Y = K odd g(y 1 K ), where s the round number, K and K odd are subkeys (K odd s always odd), s exclusve-or (XOR), g s the bt-reversal functon, s multplcaton modulo 2 64, Y 0 s the plantext, and Y 5 s the cphertext. The multplcaton operaton used n Nmbus was consdered to be a good operaton aganst dfferental cryptanalyss.the man bad property that was known about multplcaton operaton was that t preserves the least sgnfcant bts of form {{ for any.therefore, the cpher wth the multplcaton operaton together wth the bt-reversal functon were consdered to have a good defense aganst cryptanalyss. In ths paper we present two new dfferental propertes of the multplcaton operaton wth probablty slghtly larger than 1/2.In addton, the nput/output dfference n one of them has a palndromc form.hence ths dfferental property s not affected by the bt-reversal functon.we also descrbe a set of new The work descrbed n ths paper has been supported by the European Commsson through the IST Programme under Contract IST and by the fund for the promoton of research at the Technon. M. Matsu (Ed.): FSE 2001, LNCS 2355, pp , c Sprnger-Verlag Berln Hedelberg 2002

2 188 V.Furman dfferental propertes of the multplcaton operaton wth probabltes that are bgger than random probablty. We use these dfferental propertes to descrbe a 1-round teratve dfferental characterstc [1] wth probablty 1/2, whose teraton to the full cpher has a probablty of 1/32.We use ths characterstc to break Nmbus usng 256 chosen plantexts and 2 10 complexty. The paper s organzed as follows: In Secton 2 we descrbe the new dfferental propertes of multplcaton.in Secton 3 we use them to devse a 1-round teratve characterstc of Nmbus.In Secton 4 we present a chosen plantext attack on the full Nmbus, and n Secton 5 we show a chosen cphertext attack, whch s smlar to the chosen plantext attack.fnally, n Appendx A we descrbe a subkey recoverng procedure that s used n the attacks. 2 New Multplcaton Characterstcs Let A, B and K odd be n-bt random numbers, where K odd s odd. Lemma 1. [gven wthout a proof] Let A and B be n-bt ntegers. If the least sgnfcant bts of A and B are 0 then A B = A + B = , where the numbers on the rght hand sdes of the equaltes are gven n a bnary notaton. If the least sgnfcant bts of A and B are 1 then A B = A + B = n 1 Clam 1: Let A, B and K odd be n-bt random ntegers such that K odd s odd. Then A B = (A K odd ) (B K odd )= (1) holds wth probablty 1/2+2/2 n, and also A B = (A K odd ) (B K odd )= (2) n 1 n 1 holds wth the same probablty. Proof: Wthout loss of generalty, t s suffcent to prove the frst equaton; the proof for the second equaton s smlar. We observe that multplcaton by an odd number preserves the least sgnfcant bt.assume A B = There are two cases:

3 Dfferental Cryptanalyss of Nmbus The least sgnfcant bts of A and B are 0. By Lemma 1, the sum A + B s {{ 0 (.e., 2 n 1 2).Hence, the sum A K odd + B K odd =(A + B) K odd s (2 n 1 2) K odd for any odd K odd. On the other hand, when the rght hand sde of Equaton (1) holds, the same lemma ensures that (A+B) K odd =2 n 1 2.Therefore, (2 n 1 2) K odd = 2 n 1 2.Ths s satsfed when K odd s ether 1 or 2 n 1 +1.AsK odd can obtan 2 n 1 odd values, t happens wth a probablty of 2/2 n 1. 2.The least sgnfcant bts of A and B are 1. By Lemma 1, the sum A + B s {{ (.e., 2 n 1 ).Hence, the sum A n 1 K odd + B K odd =(A + B) K odd s 2 n 1 for any odd K odd.by the same lemma, (A K odd ) (B K odd )salways Therefore, t happens wth probablty 1. Each case happens wth a probablty of 1/2, so the total probablty s 1/2+ 2/2 n. We conclude that Equaton (1) and Equaton (2) are always (wth a probablty of 1) satsfed for K odd = 1 and K odd =2 n For all the other values of K odd they are satsfed wth probablty 1/2. Now we gve a more general clam, that may be proved n a smlar way. Clam 2: Let A, B and K odd be n-bt random varables such that K odd s odd, and let, j 0, + j n 2.Then A B = {{ j (A K odd ) (B K odd )= {{ j j j (3) holds { wth probablty 1/2 j+1 1/2 1 +1/2 j (1 2 (j+1) ), for 1, 1/2 j+1 +1/2 j (1 2 (j+1) ), for =0. In the case where the XOR dfference has a palndromc form we obtan the followng clam: Clam 3: Let A, B and K odd be n-bt random varables, and 0 2 n 4. Then A B = n 4 2 (A K odd ) (B K odd )= {{ n (4) holds wth probablty 1/ /2 (1 2 (+1) ).

4 190 V.Furman 3 A One-Round Iteratve Characterstc Nmbus has 64-bt words, so the characterstcs of the multplcaton operaton descrbed n Clam 2 have a probablty of 1/2+2/2 64.Moreover, the characterstcs probablty are key dependent: when the subkeys 1 and are used n the multplcaton operaton the characterstcs are always satsfed (probablty 1).When other subkeys are used n the multplcaton operaton the probablty of the characterstcs s exactly 1/2. The characterstc from Equaton (1) has a palndromc form, so the g functon always preserves the dfference {{ 0.Hence, we get a one-round teratve characterstc {{ wth a probablty of 1/2+2/2 64. Nmbus has fve rounds, so the characterstc ofthe full cpher has a probablty of (1/2+2/2 64 ) 5 = 2 5.For most keys the probablty of the characterstc s 2 5.There are, however, a few keys for whch the characterstc has probabltes 2 4,2 3,2 2,2 1, and 1. 4 A Chosen Plantext Attack Denote = We generate structures of 64 plantexts as follows: We randomly choose 32 plantexts whose least and most sgnfcant bts are 0.We XOR each of these plantexts wth, and get 32 pars of plantexts.then, we buld three addtonal structures by: 1.Complementng the most sgnfcant bts of all the plantexts. 2.Complementng the least sgnfcant bts of all the plantexts. 3.Complementng the most and the least sgnfcant bts of all the plantexts. We get four structures of 32 pars of plantexts each, and request to encrypt these 256 plantexts to ther cphertexts under the unknown key. Exactly two structures lead to dfference after one round.these two structures dffer only by complementng the least sgnfcant bts of ther plantexts. Exactly one structure from these two structures leads to dfference after two rounds.we call such structure -structure. The teratve characterstc descrbed n the prevous secton predcts that the pars of plantexts that belongs to the -structure, have dfference after fve rounds wth a probablty of 1/8.Thus, we have about 32 1/8 = 4 pars from ths structure that cause a dfference of after fve rounds accordng to the above characterstc.randomly, a par (from any structure) can lead to a dfference of after fve rounds wth a probablty of 2 64, so we do not expect any wrong par to lead to dfference after fve rounds.based on the cphertext dfferences we can easly determne the whch structure s the -structure.we can, therefore, conclude whch structure has dfference after one round, but

5 Dfferental Cryptanalyss of Nmbus 191 not after two rounds, and whch structures do not have a dfference of after one round. We contnue the analyss wth the 32 pars of the -structure.in ths step of the attack we use the two-round characterstc.we use ths characterstc startng from the thrd round.gven the cphertexts of the above structures we fnd the subkey K5 odd as follows: 1.The two-round characterstc has probablty 1/4, so a par wth dfference before the thrd round has dfference after round 4 wth probablty 1/4,.e., there are 8 pars on average wth dfference after round 4.Each such par does not lead to dfference after the ffth round wth probablty 1/2.Thus, we have 4 pars on average wth dfference after four rounds but wthout dfference after the ffth round.we call such a par a matchng par. 2.We can recognze the matchng pars by testng that the followng condton s satsfed, and dscardng all the pars that fal ths test. Condton 1: All the three crtera are satsfed for matchng pars: Multplcaton by an odd number preserves the least sgnfcant bts of the form {{, where 0.Thus, matchng pars must have the bts 10 as the two least sgnfcant bts of the cphertext XOR dfference. The matchng pars must have 0 as the least sgnfcant bt of the cphertexts (otherwse, t would lead to dfference after fve rounds as descrbed n Secton 2). All matchng pars must have the same thrd least sgnfcant bt of ther cphertext XOR dfference, because (for matchng pars) ths bt depends only on the second least sgnfcant bt of the subkey used n multplcaton. Note that we use ths crteron when, there s a majorty of matchng pars.hence, we can recognze the rght value of ths bt, and n wrong pars the correspondng bt equals to the rght value wth a probablty of 1/2. Ths condton s satsfed randomly wth a probablty of 1/4 1/2 1/2 = 1/16, hence we have about (32 8) 1/16 = 2 wrong pars that satsfy Condton 1. 3.We select the pars that satsfy Condton 1 (matchng and wrong pars).for each selected par we solve the equaton K = C 1 + C 2, where C 1, C 2 are the cphertexts of ths par.we have 4 matchng pars that must suggest the same K and only two wrong pars that may suggest other values.hence, we expect that K5 odd s the most frequently suggested K. Note that we do not know the most sgnfcant bt of K5 odd from the above equaton.so we actually have two possble subkeys K5 odd whch dffer by the

6 192 V.Furman most sgnfcant bt.it suffces to work only wth one of them, and choose the rght one n the later stage of the attack. Gven K5 odd we fnd the subkeys K 5 and K4 odd usng the one-round characterstc.we use the same structure as n the prevous stage, and decrypt the receved cphertexts by a half round usng the recovered K5 odd.we call these values partally decrypted values.each par leads to dfference after the thrd round, but does not lead to dfference after the 4th round wth a probablty of 1/2 1/4 =1/4.In ths stage of the attack such a par s called a matchng par.there are about 32 1/4 = 8 matchng pars.accordng to the partally decrypted values of the pars that lead to dfference after 4 rounds, we can fnd the least sgnfcant bt of K 5.Usng ths knowledge we select the pars accordng to Condton 1, except that here we are not lookng at cphertexts but at partally decrypted values.wrong pars may satsfy Condton 1 wth probablty 1/16.So only about (32 16) 1/16 = 1 wrong par s selected.for the selected pars (matchng and wrong), we have the followng equaton: { (A K ) K = C (B K ) K (5) = D where A, B, K and K are unknown values wth A B =, and C, D are the partally decrypted values.we use the procedure descrbed n Appendx A to fnd K and K.Ths procedure takes 4 pars, solves the system of the above equatons for these 4 pars, and returns a set of values (K,K ).There are about 9 selected pars (8 matchng and 1 wrong).we randomly take 4 pars (from the 9), run the procedure descrbed n Appendx A and obtan a set of values. Then we take another subgroup of 4 pars (from the 9), and run the procedure descrbed n Appendx A on these pars.if the returned set has an ntersecton wth a prevous set, we take the ntersecton as a new set nstead of these two sets.we contnue the process wth other subgroups untl the ntersecton of some sets gves the set of combnatons whch dffer only by bts that we cannot unquely dentfy by addtonal runnng of the procedure (see detaled descrpton n Appendx A).The receved set of canddates s expected to contan the correct value of (K4 odd,k 5 ), and t conssts of 512 combnatons on average.the probablty that the receved set of canddates does not contan the correct value s neglgble.on average, about 6 subsets should be analyzed to dentfy the set that contans the correct value of (K4 odd,k 5 ).We cannot dentfy the correct value unquely at ths stage.we dscard the wrong values from ths set later n the attack. All the other subkeys of rounds 1,...,4 can be found n a smlar way.we now show brefly how we do t effcently. For fndng K3 odd and K 4, we use the same structure as before.in ths stage of the attack, the pars causng dfference after two rounds and not after three rounds are called matchng pars.about half of the pars are matchng pars, so we have 32 1/2 = 16 matchng pars.all the pars from ths structure have dfference after two rounds, and those of them that have dfference after three rounds were used n the prevous stages of the attack.hence, all the

7 Dfferental Cryptanalyss of Nmbus 193 remanng pars (whch do not have dfference after round 3) are the matchng pars.at ths pont we have = 1024 possble combnatons of the subkeys (K4 odd,k 5,K5 odd ).The rght subkey must decrypt each matchng par to values wth an XOR dfference that has two least sgnfcant bts 10 (the frst crteron of Condton 1).A wrong subkey combnaton passes ths crteron wth probablty (2 2 ) 16 =2 32 (for all 16 matchng pars).thus, we can dscard all wrong subkey combnatons (K4 odd,k 5,K5 odd ), except for one wrong subkey combnaton that dffers from the rght subkey combnaton by the most sgnfcant bt of K4 odd. Ths bt does not nfluence the analyss n ths stage of the attack, so t s suffcent to contnue the analyss only wth one of the combnatons, and dentfy the rght combnaton n a later stage of the attack.gven the combnaton we choose to analyze, we decrypt the partally decrypted values by one more round. From now on, these values are called partally decrypted values.we run the procedure descrbed n Appendx A on 4 randomly chosen pars among the 16 matchng pars and ntersect the resultng sets as n the prevous case.about three runs of ths procedure are needed to obtan a set of values that are expected to contan the correct value of (K3 odd,k 4 ).The wrong values from the remanng set are dscarded later n the attack. For fndng K2 odd and K 3, we use the structure that leads to dfference after one round but not to dfference after two rounds.as n the prevous stage, we dscard almost all wrong subkey combnatons and have only two possbltes for (K3 odd,k 4,K4 odd,k 5,K5 odd ) whch dffer by the most sgnfcant bt of K3 odd.ths bt does not nfluence the analyss n ths stage of the attack, so t s suffcent to contnue the analyss only wth one of the combnatons, and dentfy the rght combnaton n a later stage of the attack.gven the combnaton we choose to analyze, we decrypt the partally decrypted values by one more round, and run Appendx A on four pars randomly chosen among the 32 pars from ths structure.about three runs of ths procedure are needed to obtan the set of values that are expected to contan the correct value of (K2 odd,k 3 ).The wrong values from ths set are dscarded later n the attack. Fnally, we have the equaton: { ((A K) K ) K = C ((B K) K ) K (6) = D. For fndng the remanng subkeys (K 1,K1 odd,k 2 ), we use the pars from the two structures that do not lead to dfference after one round.as n the prevous stage, we dscard almost all wrong subkey combnatons and have only two possbltes of (K2 odd,k 3,K3 odd,k 4,K4 odd,k 5,K5 odd ) whch dffer by the most sgnfcant bt of K2 odd.ths bt does not nfluence the analyss n ths stage of the attack, so t s suffcent to contnue the analyss only wth one of the combnatons, and dentfy the rght combnaton n a later stage of the attack.gven the combnaton we choose to analyze, we decrypt the partally decrypted values by one more round.equaton (6) s smlar to Equaton (5), so we fnd K and K by runnng Appendx A on four pars randomly chosen among the 64 pars from these structures.about three runs of ths procedure are needed to obtan the set

8 194 V.Furman of values that are expected to contan the correct value of (K1 odd,k 2 ).For each receved combnaton we can easly fnd an expected value of K 1.Thus we obtan a set of values that are expected to contan the correct value of (K 1,K1 odd,k 2 ). We fnally have = 1024 possble combnatons of all subkeys.the rght subkeys may be found by encryptng one or two plantexts. In ths attack we completely recover all the subkeys of Nmbus, whch suffce to encrypt and decrypt wthout knowng the orgnal key.the attack requres 256 chosen plantexts wth a complexty equvalent to 2 10 full cpher encryptons. 5 A Chosen Cphertext Attack The chosen cphertext attack works n a smlar way, except that we know exactly whch structures lead to dfference after one round, because n decrypton the multplcaton s the frst operaton.we need only two structures (n whch the least sgnfcant bt s 1),.e., only 128 cphertexts, to fnd all the subkeys, except for K 5, K5 odd.accordng to Appendx A, we need about 4 addtonal pars (8 cphertexts) n order to fnd these subkeys. Ths attack requres 136 chosen cphertexts, and ts complexty s at most 2 10 full cpher encryptons. References [1] El Bham, Ad Shamr, Dfferental Cryptanalyss of the Data Encrypton Standard, Sprnger Verlag, [2] Alexs Warner Machado, The Nmbus Cpher: A Proposal for NESSIE, NESSIE Proposal, September A Recoverng K and K Gven four pars, we recover a set of optons for K and K by solvng the system of eght equatons receved from combnaton of the Equaton (5) of the four pars.for par 0...3, the equatons are: { (A K ) K = C (B K ) K = D where A, B, K and K are unknown, and C, D are known values.in addton, we know that for all the pars A B =, K s an odd number, and the least sgnfcant bts of A and B are 0. K s an odd number, so ts least sgnfcant bt s 1, and thus the multplcaton of some number by K preserves the least sgnfcant bt of ths number. The least sgnfcant bt of A 0 and B 0 s 0, so we can easly fnd the least sgnfcant bt of K from C 0 and D 0.In contrast, we may get both values for the second least sgnfcant bt of K, and we cannot dentfy ths bt by ths procedure.we can fnd the second least sgnfcant bt of K n a determnstc

9 Dfferental Cryptanalyss of Nmbus 195 way: 1 the thrd least sgnfcant bt of (C 0 D 0 ).If ths bt s zero, then we can fnd the next (thrd) least sgnfcant bt of K n a smlar way usng the 4th least sgnfcant bts of C 0 and D 0.If the thrd least sgnfcant bt s zero as well, we can fnd the next (fourth) least sgnfcant bt of K n a smlar way, and so on tll the frst 1 appears.we denote the number of such found zero bts of K by Z.Note that for Z least sgnfcant bts of K, startng from the thrd least sgnfcant bt, we cannot dentfy the correct value usng ths procedure. When we meet the frst 1 we run the followng procedure: We need at least four pars for the followng operatons.we start by fndng the frst two bts of K that cannot be found n a prevous step.we fnd these bts n both numbers (K and K ) together, as follows: We guess the next 3 least sgnfcant bts of A 0 for one par and the next 2 least sgnfcant bts of K.Note that the most sgnfcant bt, among the guessed bts of A 0, s used only for better dentfyng the remanng bts, and s not remembered n the next step. From A 0 we get the 3 correspondng bts of B 0 (as we know A 0 B 0 = ), multply both numbers by the guessed K (.e., all the bts of K guessed so far) and check f the XOR dfference of results are equal to the XOR dfference of C 0 and D 0.If t s not equal, then we contnue wth the next guess.otherwse, we fnd the bts of K (K = C 0 (A 0 K )), decrypt the other pars usng the receved K and K, and check that the receved A and B have the requred XOR dfference. There are at most 31 such steps.in ths procedure, the followng bts may obtan any possble values: complementng any of the Z + 1 least sgnfcant bts of K (startng from the second least sgnfcant bt), complementng the most sgnfcant bt of K, replacng K by K (1...1 {{ (Z + 2)), 61 Z complementng the most sgnfcant bt of K. Hence we get 2 Z+4 possble combnatons of (K,K ), or about 512 possble combnatons on average.if the four gven pars were chosen badly, then we can obtan some nose - addtonal undentfed bts of (K,K ).We can dscard the wrong values of these bts by runnng ths procedure wth other pars.we need to run the procedure about 3 tmes on average to dscard the nose. All combnatons of (K,K ) returned by ths procedure have strong relatons wth themselves.if we have one of the possble combnatons of (K,K )wecan obtan the others by complementng the correspondng bts.so t s suffcent to fnd one of them and to calculate all the others. The whole procedure takes up to 31(steps) ( )(guesses) 8 (4 pars) = 2 13 operatons whch are equvalent to about 2 8 one-round computatons.