Cube Analysis of KATAN Family of Block Ciphers

Transcription

1 Cube Analysis of KATAN Family of Block Ciphers Speaker: Bingsheng Zhang University of Tartu, Estonia This talk covers partial results of the paper Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers by Gregory V. Bard, Nicolas T. Courtois, Jorge Nakahara Jr, Pouyan Sepehrdad and Bingsheng Zhang S

2 Outline S Introduction to AIDA/Cube attacks S KATAN family of block ciphers S Cube attack on reduced-round KATAN family S Side-channel attack against KATAN32 S Conclusion and further work

3 Introduction to Cube Attacks S Cube attack (see eprint.iacr.org/2008/385) is also claimed to be a remake of AIDA (Algebraic IV Differential Attack, see eprint.iacr.org/2007/413) S In this talk, we refer to Dinur and Shamir s version. S Cube attack is generic key-recovery attack that can be applied to cryptosystems in a black-box setting, i.e. the internal structure of the target cipher is unknown.

4 Introduction to Cube Attacks S A cryptosystem can be represented as multivariable polynomial over GF(2) in Algebraic Normal Form (ANF). x 1...x n k1. p i (x 1,...,x n,k 1,...,k m )=y i k m y 1...y n

5 Introduction to Cube Attacks S In chosen-plaintext/chosen-iv setting, the adversary can query p i (x 1,...,x n,k 1,...,k m )=y i with arbitrary public variables and fixed secret key variables, obtaining y i. x i S On the other hand, the polynomials can be decomposed as: p(x 1,...,x n,k 1,...,k m )=t I q I + r(x 1,...,x n,k 1,...,k m ) where t I = Y x i, for i 2 I [n] i q I does not contain x i as they are factored out. (x 2 i = x i )

6 Introduction to Cube Attacks S For example, let polynomial p(x 1,x 2,x 3,k 1,k 2,k 3,k 4 )= x 2 x 3 k 3 + x 1 x 2 k 1 + x 2 k 4 + x 1 x 3 k 2 k 3 + x 1 x 2 k 2 +1 S Let I = {1, 2}, so that t I = x 1 x 2 and we have: p(x 1,x 2,x 3,k 1,k 2,k 3,k 4 )=x 1 x 2 q I + r where q I = k 1 + k 2 and r = x 2 x 3 k 3 + x 2 k 4 + x 1 x 3 k 2 k 3 +1

7 Introduction to Cube Attacks S Main observation of cube attack: sum over GF(2) of all evaluations of p by assigning all possible binary values to the variables in I (and fixed value, usually 0, to all the public M variables not in I) is exactly q I. p(x 1,x 2,x 3,k 1,k 2,k 3,k 4 ) = p(0, 0,x 3,k 1,k 2,k 3,k 4 )+ x i,i2i p(0, 1,x 3,k 1,k 2,k 3,k 4 )+ p(1, 0,x 3,k 1,k 2,k 3,k 4 )+ p(1, 1,x 3,k 1,k 2,k 3,k 4 ) = k 1 + k 2 = q I

8 Introduction to Cube Attacks S Offline phase: S Gathering enough linear equations for key variables. S Linearity Test: S Extract the equations. f(0) + f(a)+f(b) =f(a + b) S Online phase: S Query the gathered equations S Perform some cheap computations to recover the key.

9 KATAN Cipher Family S KATAN is a family of lightweight, hardware-oriented block ciphers. S Three variants: 32, 48, 64 (block size). S 80-bit key and 254 rounds. S The design was inspired by Trivium.

10 KATAN Cipher Family S KATAN consists of two LFSR s, called L 1 and L 2. S Two nonlinear Boolean functions, f a and f b. S For KATAN48, f a and f b are applied twice per round, but the same pair of key bits are reused. S For KATAN64, f a and f b are applied 3 times.

11 KATAN Cipher Family f a (L 1 )=L 1 [x 1 ]+L 1 [x 2 ]+(L 1 [x 3 ] L 1 [x 4 ]+L 1 [x 5 ] IR + k a ) f b (L 2 )=L 2 [y 1 ]+L 2 [y 2 ]+(L 2 [y 3 ] L 2 [y 4 ]+L 2 [y 5 ] L 2 [y 6 ]+k b )

12 KATAN Cipher Family

13 KATAN Cipher Family S Key Schedule is a linear mapping that expands 80-bit key to 508 subkey bits according to ( K i, for 0 apple i apple 79 k i = k i 80 + k i 61 + k i 50 + k i 13, otherwise S The subkey of i-th round is k a k b = K 2i K 2i+1 S At least 40 rounds is needed before complete key diffusion.

14 Cube Attack Results Cipher # Rounds Time Data Attack KATAN CP AIDA/Cube CP AIDA/Cube KATAN CP AIDA/Cube KATAN CP AIDA/Cube Table 1: AIDA / Cube attack complexities on KATAN family.

15 Cube Attack Results Maxterm Degree Cube equation Cipher bit 0CB0C29808C k 5 c 44 2E A 16 k 4 c 7 10E k 1 + k 5 + k 12 c 47 0A k 8 + k 10 + k 19 c CC02C k 2 c 5 AE0C k 9 c C00 16 k 1 c 44 0E0864A20828A k 0 c k 7 c B12812A k 3 c A0D00305E08A 16 k 3 + k 10 c A k 6 c 9 439C00A k 3 + k 8 + k 17 c A0B k 1 + k 8 c C084049C k 0 + k 1 + k 2 + k 8 + k 11 c 8 3C C k 4 + k 15 c FD k 5 + k 9 + k 18 c 54

16 Side-channel Attack Against KATAN32 S Side-channel model S We use the side-channel cube attack model of Shamir. S Internal cipher data leaks after r round, r<254 S The data is supposed to be captured by some side channel information, such as power, timing analysis or electromagnetic emanations (a strong assumption). S We need only one bit of intermediate state. (Bit 19 after 40 rounds of KATAN32)

17 Side-channel Attack Against KATAN32 Cipher # Rounds Time Data Attack KATAN CP Side-Channel Table 1: Side-Channel attack on KATAN32

18 Side-channel Attack Against KATAN32 Maxterm Degree Cube equation Cipher bit k 4 c E14C 12 k 15 c 19 1EA k 5 +1 c 19 E k 1 + k 16 c 19 4A8E k 0 + k c 19 EBD k 3 + k c 19 A0867A0C 12 k 14 + k c 19 C0C34C43 12 k 4 + k 10 + k 19 c 19 E2A k 11 + k 15 + k 23 c 19 9C k 2 + k 7 + k 11 + k 16 + k 24 + k 26 c 19 bd30cb11 15 k 13 c 19 7c k 18 c 19 2cd5f k 6 + k c 19 b k 3 + k 18 + k 23 c 19

19 Strange Phenomena S Breaking 77 rounds of KATAN32 is much easier than 76 rounds. S attack on 76 rounds: 5.64 times faster than brute force. S attack on 77 rounds: times faster than brute force. S attack on 78 rounds: 3.49 times faster than brute force.

20 Conclusion and further work S Cube attacks for reduced-round KATAN32, KATAN48 and KATAN64. S Side-channel attack against full-round KATAN32. S After the acceptance of our paper, we tried to similar attack methods against KTANTAN block ciphers. S More rounds are broken since the key schedule is weaker.

21 Acknowledgement S Thanks for useful comments from reviewers, e.g. On page 3, you write close to be(ing) overdefined : that means, in fact, underdefined? It sounds to me like the girl who is a little bit pregnant.

22 Thanks