Impossible differential attacks on 4-round DES-like ciphers

Transcription

1 INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 Impossble dfferental attacks on 4-round DES-lke cphers Pavol Zajac Abstract Data Encrypton Standard was a man publc encrypton standard for more than 20 years, but now t s consdered nsecure. However, there are stll numerous proposals of new lghtweght cpher desgns smlar to DES, some of them only consstng of 4 Festel rounds. It s known that there exst generc dstngushers for 4-round Festel cpher, but ther complexty scales exponentally wth the cpher sze. In the theoretcal analyss, an deal round functon s consdered. In ths artcle we focus on a model of Festel cphers wth desgn smlar to DES. he round functon conssts of bt expanson, S-box applcaton, and permutaton of bts. We show that practcal DES-lke desgns cannot have only 4-rounds, even f the S-boxes are key-dependent, due to the mpossble dfferental attacks. Keywords Festel cpher, cryptanalyss, DES. I. INODUCION AA Data Encrypton Standard (DES [4] was a publc Dsymmetrc encrypton standard for more than 20 years. Now t s consdered nsecure due to short 56-bt keys and only 64-bt block sze, and due to lnear [11] and dfferental [2] attacks. It was replaced by the Advanced Encrypton Standard (AES [12], but n many legacy applcatons t s stll n use, ether n the orgnal form, or as DEA, known also as rple DES. Many applcatons n the areas of moble computng, e-health servces, wreless sensor networks, etc. requre a smple way to secure communcaton channels. AES, as a current symmetrc encrypton standard provdes robust and secure encrypton. Its nce mathematcal descrpton provdes alternatve varants that can be adapted where publc standard s not sutable [5]. However, AES and ts varants can be too complex and costly for some applcatons, e.g., when only 80-bt securty s requred. he balancng ssues between cpher securty and mplementaton costs are the man object of study of the lghtweght cryptography. ghtweght cryptography focuses on a smple cpher desgns that provdes enough securty wth lower costs n hardware or software mplementatons. he queston of general lower bounds on mplementaton of cphers wth gven securty crtera s an open problem, although some results are known for specfc types of Boolean functons that are mportant buldng blocks of the cphers [6]. he research was supported by the Scence Grant Agency - project VEGA 1/0173/13. hus, desgn of lghtweght cphers s mostly nfluenced by the known standard cpher desgns, ncludng the DES. here are many promsng lghtweght varants of DES such as DES [9]. In [13], an extremely lghtweght verson of DES s proposed wth only 4 rounds of Festel encrypton. It s already known that such a desgn s nsecure from the theoretcal pont of vew [14], due to collson attacks. However, the complexty n/4 of these attacks s O (2, where n s the block sze. hus, t mght seem that problems wth 4-round DES-lke cpher can be avoded by large enough block sze. In ths paper we show a practcal key-reconstructon attack on generalzed 4-round DES-lke cpher. Its complexty depends on the S-box sze and expanson factor, both of whch cannot be ncreased too much (due to mplementaton constrants. hs leads to a concluson that 4-round DES-lke cpher constructons are nherently nsecure and should not be used n practce. II. PEIMINAIES In ths secton we summarze basc notatons and defntons. Frst, we ntroduce the DES-lke cphers as a generalzaton of the desgn of the orgnal Data Encrypton Standard. hen we provde basc prelmnares on dfferental cryptanalyss and mpossble dfferental attacks. A. DES-lke cphers nb nk nb et e: Z2 Z2 Z2 n -bt blocks and havng B be a block cpher operatng on n K bt key. We construct functon e as a composton of partal functons that denote the ndvdual steps of the encrypton algorthm. We call e a generalzed DES cpher, f t has a Festel structure, and ts round functon conssts of bt expanson, key addton, S-box evaluaton and bt permutaton layers. A cpher wth Festel structure works as follows: 1. Splt the nput strng nto left and rght half, 2. ransform rght part wth a (key-dependent round functon F and XO t nto the left part, 3. Swap the two parts. hs s repeated r tmes, where each repetton of ths process wll be denoted as a round (of encrypton. Mathematcally, let x= ( l r denote the nput strng. ISSN:

2 INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 hen y = ( r l F ( r s an output strng of one Festel k round ( denotes XO operaton on bt strngs. et n 2m B = for some postve nteger m, and let n m, and let s be an nteger that dvdes both m, and n. nk n r KS : Z ( Z denote a key schedule algorthm. et 2 2 hs algorthm provdes r subkeys master key k. I.e., 1 2 r k, k,, k gven a 1 2 r KS( k = ( k, k,, k. Subkeys are used to defne key dependent round functons for Festel cpher. ns / ms / et σ : denote any Boolean functon. We defne S-box layer (contanng s parallel S-boxes as a n m functon S:, where Sx ( 0,, xns / 1, xns /,, xn 1 = σ ( x,, x,, σ ( x,, x. ( 1 0 ns / 1 s n ns / n 1 I.e., we apply s S-boxes n parallel on ( n/ s -bt substrngs of the nput, producng correspondng ( m/ s -bt substrngs of the output. et ε : Zn Zm, n> m, such that for every y Zm, there s at least one x Zn such that y = ε x. Bt expanson m n functon E: s defned as ( ε ε ε n Ex (, x,, x = x, x,, x. 0 1 m 1 (0 (1 ( 1 hs means that each nput bt s coped nto output bts (n any order, and some of the nput bts can occur n the output multple tmes (are duplcated, trplcated, etc.. et π : Zm Zm be a bjecton. Bt permutaton functon m m P: Z Z s defned as 2 2 ( π π π n Ex (, x,, x = x, x,, x. 0 1 m 1 (0 (1 ( 1 hs means that each nput bt s coped nto output bts n the order prescrbed by permutaton π. m n m ound functon F: Z2 of a generalzed DES cpher can be wrtten as F( xk, = PSEx ( ( ( k, n m m n where S: denotes the S-box layer, E: m m s the bt expanson, and P: s the bt permutaton. In non-mathematcal terms, generalzed DES s a Festel cpher, wth round functon that frst performs bt expanson (takes m nput bts, and reorders/copes them to n output bts, XOs the expanded nput wth the round key, apples S-boxes n parallel, and fnally mxes the output bts wth bt permutaton P. It s schematcally denoted n Fgure 2. B. Dfferental cryptanalyss Dfferental cryptanalyss was ntroduced by Bham and Shamr n 1991 [2]. hey attack DES-lke cphers by studyng the statstcal dstrbuton of dfferences durng the encrypton process. Classcal dfferental cryptanalyss requres the knowledge of S-boxes to produce a statstcal model of S-box dfferental response,.e., the probablty that a gven change of S-box nput produces a partcular S-box output dfference. A good overvew of the standard dfferental cryptanalyss s provded n [7]. he frst step n the attack s the study of S-boxes. he attacker computes a dfferental profle of the n m S-box S: by computng probabltes n pab, = 1/2 { xsx ; ( Sx ( a = b}, for each, 0 ab. Here p ab, s a probablty that for a random nput of the S-box and gven nput dfference a the S-box produces output dfference b. he attacker examnes the lnear parts of the cpher (n DES-lke cpher these are just expansons and bt permutatons, and the Festel scheme tself, and dentfes dfferental trajectores. A dfferental trajectory s a path of some selected dfference through the encrypton scheme under condton that some specfc nput-output dfference pars are realzed on S-boxes n ths path. Multplyng dfferental probabltes gves a good estmate for the probablty p d that gven nput dfference of the cpher causes the expected output dfference (correspondng to the studed trajectory. If p d s sgnfcantly hgher than the probablty that such an output dfference can occur randomly, t can be exploted n the dstngushng attack, or even n key recovery attacks. A tradtonal dfferental cryptanalyss requres the knowledge of S-boxes and the structure of the cpher to compute the dfferental profles and to search for sutable dfferental trajectores. When S-boxes are key dependent, or kept secret n other way, the standard technques of dfferental cryptanalyss are thwarted (or at least they are not so straghtforward. Stll, n the later secton we wll show that n generalzed DES we can adapt a method of mpossble dfferentals [3], n a way that does not requre the knowledge of concrete S-boxes. Impossble dfferental cryptanalyss s based on those dfferences whch have zero probablty to occur. In ths case we do not work wth ndvdual trajectores and dfferences, but nstead focus on the sets of dfferences. he attacker must dentfy a large set of mpossble dfferences. E.g., suppose that some specfc nput dfference can only change the even number of bts n the output. hen every output dfference wth odd Hammng weght becomes mpossble, and the set of all output dfferences wth odd Hammng weght becomes a set of mpossble dfferences. hs creates a dstngusher for the cpher, because n deal case (a random permutaton half of the dfferences can have odd Hammng weght. It s generally more dffcult to dentfy mpossble ISSN:

3 INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 Fg. 1 he propagaton of a dfference n a 4-round Festel scheme. dfferentals n a cpher. o show that some set of dfferentals t s necessary to show that there s no way that the nput dfference can cause any of the mpossble output dfferences, so the attacker must rule out every possble dfferental trajectory. However, t s relatvely easy to dentfy mpossble dfferentals n cphers wth small number of rounds, or weak dffuson. One of possble technques to dentfy mpossble dfferences for cphers wth more rounds s the technque of Φ matrx used n [6]. Matrx Φ assocated wth some Boolean transformaton n n Boolean matrx that contans 1 n F: Z Z s a n n Ph f and only f a change of nput bt can 2 2 poston, j cause a change of output bt j for some nput x. I.e., ( Φ = ff F( x e F( x 0 for some x, where, j 1 ( e s a bt vector wth a sngle 1 at -th poston. et denote the Boolean product of matrces (wth AND nstead of multplcatons, and O nstead of addton. It s easy to show that Φ Ph have zeroes n those postons, where the -th nput of F F cannot nfluence j -th output of F F. hus, zeroes n Boolean powers of Φ dentfy potentally useful mpossble dfferental sets. III. IMPOSSIBE DIFFEENIA AACK ON 4-OUND DES- IKE CIPHE In ths secton we apply the mpossble dfferental attack to the generalzed DES-lke cpher. An attacker starts by encryptng two plantext pars, whch have a sutably selected sngle-bt dfference. By studyng the propagaton of ths dfference n the Festel scheme, and n the round functon, the attacker can effcently characterze a large set of mpossble output dfferences from the thrd round of the scheme. hs set of mpossble dfferences can then be used to elmnate wrong (partal key hypotheses, and to reduce the keyspace n an effcent way (as long as the sze of the S-box s small. A. Dfference propagaton on the Festel scheme level et us study the response of Festel cpher to a sngle bt change n the left half of nput. he stuaton s depcted n Fgure 1. Frst we encrypt any plantext ( x, x, gettng cphertext ( y, y. he attacker chooses a sngle bt m dfference δ Z2,.e., wh ( δ = 1. He then encrypts the plantext ( x δ, x, obtanng cphertext * * ( y, y = ( y d, y d. A good cpher should provde a strong avalanche effect,.e., the output dfferences d and d should be unpredctable (wth approxmately one half of bts equal to zero, and one half equal to one. If we study the encrypton n more detal, we can see that n the frst round the nput to round functon F s the same n x. hus, the dfference δ s unchanged, both encryptons ( and s only swapped to the rght sde (and zero dfference s swapped to the left sde. In the second round the nput to functon F s dfferent durng the two encryptons, t dffers k 2 exactly by the dfference δ. If we do not know more detals about the structure of F, we cannot predct how wll the outputs of F dffer. We wll denote the output dfference n k 2 ths second round. he dfference gets swapped to the rght sde, and the dfference δ back to the left sde. In the thrd round the nput dfference to F k 3 s, whch s unknown, thus we do not know the output dfference of F k 3 as well. However, we know that on rght sde s unchanged and gets swapped to the left sde. In the fourth round dfference s further changed by the output dfference of F k 4. Once the attacker obtans the cphertexts and learns dfferences d, and d, he can propagate them backwards. Dfference d s exactly the nput dfference of F k 4, and we can see that d d3 s the output dfference of F k 3. k 1 ISSN:

4 INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 Dfference d s the XO sum of and the output dfference of F k 4. hus, f the attacker somehow knows subkey k 4, he can compute n the followng way: = d F y F y * k ( k (. 4 4 he dfference s an output dfference of F k 2 provded a sngle bt nput dfference δ. If F has a DES-lke structure descrbed n Secton \ref{s2}, only some of dfferences are possble. et us denote a set of mpossble dfferences by,.e., = ; Pr F ( X F ( X δ = = 0. { X ( k } 2 k2 Gven two P-C pars ((,,(, ( ( * * x,,(, δ x y y x x y y, and, attacker can use set to quckly dscard some of the potental subkeys used n the last round. he attacker chooses subkey value k, and computes * = d Fk ( y (. Fk y k = k, cannot belong to set, otherwse there s /2 m that belong to. hus,, the attacker mmedately knows that k k4. If 4 a chance proportonal to f hs allows the attacker quck computaton of the last subkey, whch s an effcent attack on cpher f the subkey leaks nformaton about the key, and f the subkey s not longer than the full cpher key. However, f the cpher has DES-lke cpher, we can do much better by studyng the structure of functon F n more detals. B. Impossble dfferentals n a round functon Frst, let us consder how the set s constructed. he attacker chooses a sngle bt dfference δ. et us suppose that the bt whch s changed has ndex. he expanson functon E propagates the change to all postons j such that ε ( j =. he only S-boxes that are nfluenced by the change are those, where the change s propagated to. We call these S- boxes actve, and other S-boxes nactve. Suppose that a= mn { j; ε ( j = }. he attacker wll choose n such a way that he gets at most a actve S-boxes (and s a nactve S-boxes. When S-box s nactve, ts nputs do not change between encryptons. hs means that also ts outputs do not change. he output dfference of nactve S-box can only contan zero bts. On the other hand, the output dfference bts of the actve S-box can be varous dfferent btstrngs. If an S-box s known, attacker can restrct Fg. 2 he propagaton of a sngle-bt dfference nsde a DES-lke round functon. the set of possble output dfferences by analyzng the set of output dfferences for a gven nput dfference,.e., { Sx ( Sx ( }. In the worst-case scenaro from the attacker's pont of vew, the S-box s unknown. Stll, the attacker can consder that any non-zero bt strng s a possble output dfference from an actve S-box. In ths harder case, when the attacker does not know the S-boxes, we cannot, and do not need to, model the dstrbuton of output dfferences from actve S-boxes. Stll, due to the presence of nactve S-boxes, we can be certan that the number of non-zero bts n dfference s at most a m/ s (out of possble m bts. In the last step of the round functon, the known zerodfference bts from the output of nactve S-boxes are further dstrbuted by permutaton functon P. A dfference, whch has non-zero bt n a poston that s an output of nactve S-box after permutaton P s mpossble dfference for the whole round functon. If permutaton P s secret, the attacker stll knows the mnmal number of zero bts that any output dfference can have. he scenaro wth secret P s however unlkely, as t can be easy to extract hdden wrng from hardware mplementatons, and t s much more dffcult to mplement key-dependent bt set of permutatons than a sngle fxed permutaton. et us suppose that E, and P are known, and S -boxes can reman hdden from the attacker. he attacker can characterze the set by assocatng t wth a bt mask µ, whch has 0 n those postons that correspond to outputs of actve S-box permuted by P, and 1 n a postons correspondng to per muted outputs of nactve S-boxes. he attacker can quckly test whether : compute btwse AND between and µ. If t s non-zero, the dfference s mpossble. Moreover, the attacker can test n parts: compute btwse AND just between a selected bts of and correspondng bts of µ. he non-zero result mmedately ISSN:

5 INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 tells us that dfference s mpossble, regardless of the rest of the bts that were not tested. et us provde a small example. he smplfed stuaton s denoted n Fgure 2. he nput dfference δ = s expanded by E nto dfference hs dfference changes the nputs of the frst two S-boxes, whch become actve S-boxes. he remanng two S-boxes are nactve. he bts of output dfference correspondng to outputs of actve S-boxes can potentally have both zero and non-zero value, denoted by '*' n the pcture. he output dfferences are dstrbuted by permutaton P. Dependng on the key, and on the actual nputs, we can observe any output dfference n the form '**00 **00 *0*0 *00*'. For the attack, we characterze the mpossble dfferental set by the bt mask µ = C. Key extracton attack Once we compute the mask µ, we can focus on the attack on the last round subkey. We want to fnd all values of k that do not lead to mpossble dfferentals. We do not need to compute the whole output of F k to dscard some key, t suffces to fnd some part of that can be compared wth mask µ and dscarded. Key k s XO-ed to expanded nput * y, and y, respectvely, before computng the output of S- boxes. hus, to compute the m/ s bts of, we only need to guess n/ s bts of k, and the contents of a sngle S-box. If the S-box s key-dependent, we guess the correspondng key bts that are used to generate the S-boxes. After computng the correspondng m/ s bts of the dfference, we check t wth the correspondng part of the mask µ. If the dfference s mpossble, we know that the key guess was ncorrect. We can separate the search for a correct subkey and S boxes: Just work wth a sngle hypothess for S-boxes, and try to fnd the correct subkey. If the S-box hypothess s ncorrect, the mpossble dfferentals wll elmnate all subkeys, otherwse a correct subkey wll reman (and S-boxes are found. / For each part of the key, we test only 2 ns hypotheses / separately, for a total work of s 2 ns, nstead of 2 n tests, whch s an exponental speedup. E.g. for classcal DES, n = 48, and to fnd the subkey usng a whole, we would need tests. If we test 4-bt blocks of = 512 tests. o prevent ths separately, we only need attack, we would need to sgnfcantly ncrease the value n/ s. However, the sze of S-boxes s also exponental n n/ s, thus t s not possble to ncrease the sze due to mplementaton constrants. A sngle set of two P-C pars ((,,(, ( ( * * x,,(, δ x y y x x y y, and provdes only a partal reducton n possble key space. Suppose that we test 4-bt blocks ( m/ s = 4. If the correspondng part of mask µ s 0000, we cannot elmnate any key hypothess. We try to avod such blocks, or to test two or more blocks together n such a case (so that the correspondng mask does not contan only zeros. If the correspondng mask has a sngle bt equal to one, we can elmnate approxmately half of hypotheses. If the mask has all ones, only approxmately 1 out of 16 hypotheses s not elmnated. Furthermore, the attacker can provde dfferent sets of nput P-C pars, each of whch wll elmnate a fracton of remanng key hypotheses, untl at most one wll reman. he number of requred sets of P-C pars s logarthmc n the key / space (comparable to n/ s, nstead of 2 ns. hus the attack has very low complexty even for cphers wth large blocks and key szes. After the attack on the last round s successful, we can ether reconstruct the orgnal key (dependng on the key schedule, or adapt the attack to a smpler 3-round structure. IV. CONCUSIONS he famous results of uby and ackoff [10] show that usng Festel constructon one can transform a pseudorandom functon nto a pseudorandom permutaton wth three round Festel cpher. hese results were further extended to 4-round Festel constructons and further by Patarn [14]. hs does not however mean, that t s possble to use just 4-round Festel scheme to construct a secure cpher, such as proposed n [13], due to a requrement that the round functon s already an deal pseudorandom functon. In ths artcle we study the mpossble dfferental attacks on 4-round DES-lke cpher. We show that t s possble to mount a key recovery attack on such a cpher wth complexty scalng wth the sze of the S-box, nstead of wth the block sze. he attacker uses a slow dffuson of the Festel scheme, and a lmted local dffuson of a sngle round. he attack can work wthout the knowledge of the S-boxes, but can be made more effcent, f the S-boxes are known. It can be concluded that smlar desgns are nherently nsecure and should not be used n applcatons that requre secure communcaton. Stll, the 4-round constructon has relatvely good avalanche, thus t mght be possble to use t n place where only avalanche effect and not strong securty s requred, e.g., n steganographc systems [8]. It s possble to strengthen the cpher by ncreasng the number of rounds, but t s not clear how many rounds are requred to provde enough resstance aganst more sophstcated attacks than the one presented n ths paper. o study more advanced attacks, graph technques, smlar to [6] can be adapted to search for mpossble dfferental sets. From the securty pont of vew, the best recommendaton s ISSN:

6 INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 to use standard cphers, such as AES [12] nstead of custom desgns, and try to conserve resources n other parts of the system. Alternatvely, t s possble to consder replacng block cpher wth a fast and smple stream cpher [1] (see also [15] for stream cpher overvew. EFEENCES [1] E. Antal, and V. Hromada, A New Stream Cpher Based on Falka M- 125, atra Mountans Mathematcal Publcatons, 57(4, 2013, pp [2] E. Bham, and A. Shamr, Dfferental Cryptanalyss of DES-lke Cryptosystems, Journal of Cryptology, 4(1, 1991, pp [3] E. Bham, A. Bryukov, and A. Shamr, Cryptanalyss of Skpjack educed to 31 ounds Usng Impossble Dfferentals, Proceedngs of EUOCYP'99, NCS 1592, 1999, pp [4] Data Encrypton Standard. FIPS pub 46. Appendx A, Federal Informaton Processng Standards Publcaton, [5] O. Grosek, P. Zajac, Effcent selecton of the AES-class MxColumns parameters, WSEAS ransactons on Informaton Scence and Applcatons 4(4, 2007, pp [6] O. Grosek, P. Zajac, Graphs connected wth block cphers, WSEAS ransactons on Informaton Scence and Applcatons 3(2, 2006, pp [7] H. Heys, A tutoral on near and Dfferental Cryptanalyss, Cryptologa, 26(3, 2002, pp [8] M. Jokay, he Desgn of a Steganographc System Based on the Internal MP4 Fle Structures, Internatonal Journal of Computers and Communcatons 5(4, 2012, pp [9] G. eander, C. Paar, A. Poschmann, and K. Schramm, New lghtweght DES varants, Fast Software Encrypton, Sprnger Berln Hedelberg, 2007, pp [10] M. uby, C. ackoff, How to construct pseudorandom permutatons from pseudorandom functons, SIAM Journal on Computng 17(2, 1988, pp [11] M. Matsu, he frst expermental cryptanalyss of the Data Encrypton Standard, Advances n Cryptology Crypto'94. Sprnger Berln Hedelberg, 1994, pp [12] Natonal Insttute of Standards and echnology, NIS FIPS PUB 197, Advanced Encrypton Standard, U.S. Department of Commerce [13] J. Pan, S., and Z. Xu, Securty mechansm for a wreless-sensornetwork-based healthcare montorng system, IE Communcatons 6 (18, 2012, pp [14] J. Patarn, New esults on Pseudorandom Permutaton Generators Based on the DES Scheme, CYPO 1991, pp [15] M. Vojvoda, A Survey of Securty Mechansms n Moble Communcaton Systems. atra Mountans Mathematcal Publcatons, 25, 2002, pp ISSN: