Differential Attack on Five Rounds of the SC2000 Block Cipher

Transcription

1 Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands Abstract. SC2 is a 28-bit block cipher with a user key of 28, 92 or 256 bits, which employs a total of 6.5 rounds if a 28-bit user key is used. It is a CRYPTREC recommended e-government cipher. In this paper we describe one 4.75-round differential characteristic with probability 2 26 of SC2 and thirty 4.75-round differential characteristics with probability Finally, we exploit these 4.75-round differentials to conduct a differential cryptanalysis attack on a 5-round reduced version of SC2 when used with a 28-bit key. The attack suggests for the first time that the safety margin of SC2 with a 28-bit key decreases below one and a half rounds. Key words: Block cipher, SC2, Differential cryptanalysis Introduction The SC2 block cipher [, 2] has a 28-bit block size and a user key of 28, 92 or 256 bits, which employs a total of 6.5 rounds for a 28-bit user key, and a total of 7.5 rounds for a 92 or 256-bit key. It was designed to have high performance on a wide range of platforms from the low-end processors used in smart cards and mobilephones to the high-end ones that will be available in the near future by suitably implementing it in each platform, and also to have high security [3]. In 22, SC2 became a CRYPTREC recommended e- government cipher [4], after a thorough analysis of its security and performance. In this paper we consider the version of SC2 that uses 28 key bits. The SC2 designers [, 2] first analysed the security of SC2 against differential cryptanalysis [5] as well as certain other cryptanalytic methods, such The work was done when the author was with Royal Holloway, University of London (UK). This paper was published in Postproceedings of INSCRYPT 9 The 5th China International Conference on Information Security and Cryptology, Beijing, CHINA, Feng Bao, Moti Yung, Dongdai Lin and Jiwu Jing (eds), Volume 65 of Lecture Notes in Computer Science, pp. 5 59, Springer-Verlag, 2.

2 2 Table. Cryptanalytic results on SC2 Attack T ype Rounds Data T ime Source Boomerang attack ACPC 2 67 Memory accesses [8] Rectangle attack CP Memory accesses [8] Linear attack KP Memory accesses [2] KP Memory accesses [2] Differential attack CP 2 Encryptions [7] CP 2 2 Memory accesses [2] CP 2 32 Memory accesses This paper as linear cryptanalysis [6]. In 2, Raddum and Knudsen [7] presented a differential attack on 4.5-round SC2, which is based on two 3.5-round differential characteristics with probabilities 2 6 and 2 7, respectively. In 22, by exploiting a few short differentials with large probabilities, Biham et al. [8] presented boomerang [9] and rectangle [] attacks on 3.5-round SC2, following the work described in []. In the same year, Yanami et al. [2] described a 2-round iterative differential characteristic with probability 2 58, and obtained a 3.5-round differential characteristic with probability 2 by concatenating the 2-round differential twice and then removing the first half round; finally they presented a differential attack on 4.5-round SC2 with a time complexity smaller than that of the attack of Raddum and Knudsen. Yanami et al. also presented linear attacks on 4.5-round SC2. These are the best previously published cryptanalytic results on SC2 in terms of the numbers of attacked rounds. In this paper we describe one 4.75-round differential characteristic with probability 2 26 and thirty 4.75-round differential characteristics with probability 2 27, building on the two-round iterative differential characteristic with probability 2 58 of Yanami et al. Finally, using these 4.75-round differential characteristics we present a differential cryptanalysis attack on 5-round SC2, faster than an exhaustive key search. The attack is the first published attack on 5- round SC2. Table sumarises both the previous and our new cryptanalytic results on SC2, where ACPC, CP and KP respectively refer to the required numbers of adaptive chosen plaintexts and ciphertexts, chosen plaintexts, and known plaintexts. The remainder of this paper is organised as follows. In the next section, we give the notation, and describe differential cryptanalysis and the SC2 block cipher. In Section 3, we give the 4.75-round differential characteristics. In Section 4, we present our differential attack on 5-round SC2. Section 5 concludes the paper.

3 3 2 Preliminaries In this section we give the notation used throughout this paper, and then briefly describe differential cryptanalysis and the SC2 cipher. 2. Notation In all descriptions we assume that the bits of a n-bit value are numbered from to n from left to right, the most significant bit is the -th bit, a number without a prefix expresses a decimal number, and a number with prefix x expresses a hexadecimal number. We use the following notation. bitwise logical exclusive OR (XOR) operation bitwise logical AND operation functional composition. When composing functions X and Y, X Y denotes the function obtained by first applying X and then applying Y exchange of the left and right halves of a bit string X bitwise logical complement of a bit string X 2.2 Differential Cryptanalysis Differential cryptanalysis [5] takes advantage of how a specific difference in a pair of inputs of a cipher can affect a difference in the pair of outputs of the cipher, where the pair of outputs are obtained by encrypting the pair of inputs using the same key. The notion of difference can be defined in several ways; the most widely discussed is with respect to the XOR operation. The difference between the inputs is called the input difference, and the difference between the outputs of a function is called the output difference. The combination of the input difference and the output difference is called a differential. The probability of a differential is defined as follows. Definition. If α and β are n-bit blocks, then the probability of the differential (α, β) for a block cipher E, written α β, is defined to be Pr E ( α β) = Pr P {,} n(e(p ) E(P α) = β). For a random function, the expected probability of a differential for any pair (α, β) is 2 n. Therefore, if Pr E ( α β) is larger than 2 n, we can use the differential to distinguish E from a random function, given a sufficient number of chosen plaintext pairs. 2.3 The SC2 Block Cipher SC2 takes as input a 28-bit plaintext. For simplicity, we describe the plaintext P as four 32-bit words (d, c, b, a). The following three elementary functions I, B and R are used to define the SC2 round function, as shown in Fig..

4 4 I B I S mask M L S 6 S 6 M mask R function S 6 R function Fig.. The round function of SC2 The I function: the bitwise logical XOR () operation of the 28-bit input with a 28-bit round subkey of four 32-bit words. The B function: a non-linear substitution, which applies the same 4 4 S- box S 4 32 times in parallel to the input. For a 28-bit input (d, c, b, a ), the output (d, c, b, a ) is obtained in the following way: (d k, c k, b k, a k ) = S 4 (d k, c k, b k, a k ), where X k is the k-th bit of the word X ( k 3). The R function: a substitution-permutation Feistel structure, which consists of three subfunctions S, M and L. Each of the right two 32-bit words of the input to the R function is divided into 6 groups containing 6, 5, 5, 5, 5 and 6 bits, respectively. These six groups are then passed sequentially through the S function, consisting of two 6 6 S-boxes S 6 and four 5 5 S-boxes, and the linear M function that consists of bit words (M[],, M[3]). Given an input a, the output of the M function is defined as a M[] a 3 M[3]. The outputs of the two M functions are then input to the L function. For a 64-bit input (a, b ) the output of the L function is defined as ((a mask)b, (b mask)a ), where mask is a constant (and mask is the complement of mask). Two masks x and x

5 5 are used in SC2, in the even and odd rounds, respectively. Finally, the output of the L function is XORed with the left two 32-bit words of the input to the R function, respectively. We denote the L and R functions with mask x as L 5 and R 5, respectively, and the L and R functions with mask x as L 3 and R 3, respectively. The round function of SC2 is made up of two I functions, one B function and two R functions. We write Kj i for the subkey used in the jth I function of Round i, and write Kj,l i for the l-th bit of Ki j, where i 6, j =,, l 27. The full 6.5-round encryption procedure of SC2 can be described as: I K B I K R 5 R 5 I K B I K R 3 R 3 I K 2 B I K 2 R 5 R 5 I K 3 B I K 3 R 3 R 3 I K 4 B I K 4 R 5 R 5 I K 5 B I K 5 R 3 R 3 I K 6 B I K 6. Note that we refer to the first round as Round. See [2] for its key schedule Round Differential Characteristics of SC2 In this section we describe the 4.75-round differential characteristics Round Iterative Differential Characteristic of Yanami et al. In 22, Yanami et al. [2] described the results of a search over all the possible two-round iterative differential characteristics with only one active S function in every round for any two consecutive rounds I B I R 5 R 5 I B I R 3 R 3. Their result is that the best two-round iterative differential characteristic (i.e. that with the highest probability) is (α, β, β, ) (α, β, β, ) with probability 2 58 : (α, β, β, ) I B I/2 5 (β,,, ) R 3 R 3 /2 6 γ = x2. (, β,, ) R5 R5/2 6 (β, γ,, β) I B I/2 (α, β, β, ), where α = x2, β = x244 and 3.2 The 4.75-Round Differential Characteristics As a result, we can obtain a 4-round differential characteristic (α, β, β, ) (α, β, β, ) with probability 2 6 by concatenating the above two-round iterative differential twice. It is essential to try to exploit an efficient (i.e. with a relatively high probability) differential operating over more than four rounds in order to break more rounds of SC2. However, this 4-round differential cannot be extended to a differential characteristic operating over more than four rounds with a probability larger than 2 28, as appending even a half round R 3 R 3 at the beginning will cost a probability of 2 6 and appending a B function at the end will cost at least a probability of 2 3. Nevertheless, observe that from the above two-round iterative differential characteristic it follows that two-round iterative differential characteristic (β, γ,, β) (β, γ,, β) for any two consecutive rounds I B I R 3 R 3 I B I R 5 R 5 also holds with a probability of 2 58 : (β, γ,, β) I B I/2

6 6 (x244,,, x244) L 3 L 3 L 5 L 5 I B I (x244,,, ) (x2, x244, x244, ) I B I (, x244,, ) (x244, x2,, x244) I B I (x244,,, ) L 3 L 3 L 5 L 5 (x2, x244, x244, ) I B I (, x244,, ) (x244, x2,, x244) I B I (x244,,, ) L 3 (x244, ) (, ) Fig. 2. A 4.75-round differential characteristic with probability 2 26 (β,,, ) R3 R3/2 6 (α, β, β, ) I B I/2 5 (, β,, ) R5 R5/2 6 (β, γ,, β). It might seem counter-intuitive at first, but there is a major difference between this and the previous iterative 2-round differential characteristic: we can append a.75-round differential characteristic (β, γ,, β) I B I R3 (β,,, ) with a probability of 2 at the end of this differential characteristic! Therefore, we can obtain a 4.75-round differential characteristic (β, γ,, β) (β,,, ) with probability By changing the input difference to the difference (β,,, β) we can get a 4.75-round differential characteristic with probability 2 26, and this 4.75-round differential characteristic is depicted in Fig. 2. When we change the input difference for only one of the five active S 4 S-boxes to a value in {x, x2, x6, x7, xd, xf }, we get a total of thirty 4.75-round differential

7 7 characteristics with probability We denote by Ω the set of the 3 input differences for the thirty-one 4.75-round differential characteristics. The differential distribution table of the S 4 S-box is given in [2], and the differential distribution table of the S-box is shown in Table 2 in Appendix A. (The characteristics do not make an active S 6 S-box, so we do not give its differential distribution table.) In a natural way, we might try to find a better differential characteristic on greater than four rounds by first exploiting short differentials with similar structures and then concatenating them, for the above 4.75-round differential obtained from the two-round iterative differential is just a special case among these. Motivated by this idea, we perform a computer search over all the possible differentials for such one round R R I B I with only one R function active and the right two 32-bit input differences and one of the left two 32- bit input differences being zero; moreover, in order to ensure that the resulting differential is capable of being concatenated with itself, we also require that the right two 32-bit output words and one of the left two 32-bit output words have a zero difference. Surprisingly, we find that the differential characteristics (β,,, ) R 3 R 3 I B I (, β,, ) and (, β,, ) R 5 R 5 I B I (β,,, ) in the above two-round iterative differential are the best (i.e. with the highest probabilities) among those with the same forms, respectively. Our search for other similar forms gives no better result. 4 Differential Attack on 5-Round SC2 In this section, we present a differential cryptanalysis attack on 5 rounds of SC2 when used with a 28-bit key. 4. Preliminary Results We first concentrate on the propagation of the output difference of the round differential characteristic described above through the following R 3 I K 6 operation. The output difference (β,,, ) will definitely propagate to a difference with the form ( Y x , Y, β, ) after the following R 3 function, where Y GF (2 32 ). Since the function has a uniform differential probability of 2 4, there are totally 2 6 possible values for Y ; we denote the set of all the 2 6 possible differences ( Y x , Y, β, ) by Γ. The difference ( Y x , Y, β, ) will be kept after the following linear I K 6 function. On the other hand, having known the 28-bit difference after the I K 6 function for a ciphertext pair, we only need to guess the 64 subkey bits (K,64, 6, K,27) 6 of K 6 to check whether this pair could produce the difference (β,,, ) just before the adjacent R 3 function. For our case, as a candidate difference just after the I K 6 function should be with the form ( Y x , Y, β, ), we only need to guess the 2 subkey bits K,7, 6, K,89 6 corresponding to the four active S-Boxes in the adjacent R 3 function to determine whether a ciphertext

8 8 pair with a candidate difference could produce the output difference of the above 4.75-round differential characteristics. 4.2 Attack Procedure By using the 4.75-round differential characteristics, we can mount a differential attack on the following 5 rounds of SC2: I K B I K R 3 R 3 I K 2 B I K 2 R 5 R 5 I K 3 B I K 3 R 3 R 3 I K 4 B I K 4 R 5 R 5 I K 5 B I K 5 R 3 R 3 I K 6. The attack procedure is as follows.. Choose 2 7 structures, where a structure is defined to be a set of 2 2 plaintexts with the 2 bits for the five active S 4 S-boxes taking all the possible values and the other 8 bits fixed. In a chosen-plaintext attack scenario, obtain the corresponding ciphertexts. Keep only the plaintext pairs that have a difference belonging to the set Ω and whose ciphertext pairs have a difference belonging to the set Γ. 2. Guess the 2 subkey bits (K,7, 6, K,89) 6 of K 6 in the I K 6 function, and do as follows. (a) For every remaining ciphertext pair: Partially decrypt the corresponding 2 bits of the two ciphertexts through the I K 6 function and the four active S-boxes in the adjacent R 3 operation, compute the 64-bit difference just after the L 3 operation in the R 3 operation, then XOR it with the left 64-bit difference of the ciphertext pair, and finally check whether the resultant 64-bit difference is zero. (b) Count the number of the ciphertext pairs with the 64-bit difference computed in Step 2(a) being zero, and record this number for the guessed (K,7, 6, K,89). 6 Repeat Step 2 with another guess; and go to Step 3 if all the guesses are tested. 3. For each of the top m ranking guesses for (K,7, 6, K,89) 6 according to the numbers recorded in Step 2(b), (specific values of m will be given below), exhaustively search for the remaining 8 key bits with two known plaintext/ciphertext pairs. If a 28-bit key is suggested, output it as the user key of the 5-round SC Complexity Analysis The attack requires 2 27 chosen plaintexts. Typically, encrypting chosen plaintexts is assumed to be done by some challenger who holds the user key (i.e. the challenger s running time), and is not counted as part of the time complexity of an attack. In Step, it is expected that 2 7 (22 ) plaintext 5 pairs remain after the filtering condition about Ω, and = ciphertext pairs remain after the filtering condition about Γ; and it requires about memory accesses to filter out the satisfying ciphertext pairs. Strictly speaking, this is a little more than 5 rounds.

9 9 The time complexity of Step 2 is dominated by the partial decryptions, which is approximately round SC2 encryptions. Step 3 has a time complexity of m round SC2 encryptions. The signal-to-noise ratio for the attack is In Step 2(b), for the correct 28 key guess the number of the ciphertext pairs with the 64-bit difference computed in Step 2(a) being zero is expected to be ( ) = 6. According to Theorem 3 of [3], we have that the success probability for the attack is about 67% when m =, and is about 98.7% when m = Conclusions SC2 is a 28-bit block cipher, which is one of the CRYPTREC e-government Recommended Ciphers. In this paper we have described a few 4.75-round differential characteristics with a probability of larger than Finally, using the 4.75-round differential characteristics we have presented a differential attack on 5-round SC2 when used with 28 key bits. The presented attack is theoretical, like most cryptanalytic attacks on block ciphers; and from a cryptanalytic view it suggests for the first time that the safety margin of SC2 with a 28-bit key decreases within one and a half rounds. Acknowledgments The author is very grateful to Prof. Chris Mitchell and the anonymous referees for their editorial comments. References. Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The SC2 block cipher. In Proceedings of the First Open NESSIE Workshop, Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The block cipher SC2. In: Matsui, M. (ed.) FSE 2. LNCS, vol. 2355, pp Springer, Heidelberg (22) 3. Fujitsu Laboratories, te/crypto/sc2.html 4. Cryptography Research and Evaluatin Committees CRYPTREC Report 22. Available at 5. Biham, E., Shamir, A.: Differential cryptanalysis of the Data Encryption Standard. Springer-Verlag (993). 6. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 993. LNCS, vol. 765, pp Springer, Heidelberg (994) 7. Raddum, H., Knudsen, L.R.: A differential attack on reduced-round SC2. In: Vaudenay, S., Youssef, A. (eds.) SAC 2. LNCS, vol. 2259, pp Springer, Heidelberg (2)

10 8. Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 22. LNCS, vol. 2365, pp. 6. Springer, Heidelberg (22) 9. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 999. LNCS, vol. 636, pp Springer, Heidelberg (999). Biham, E., Dunkelman, O., Keller, N.: The rectangle attack rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2. LNCS, vol. 245, pp Springer, Heidelberg (2). Dunkelman, O., Keller, N.: Boomerang and rectangle attacks on SC2. In Proceedings of the Second Open NESSIE Workshop, Yanami, H., Shimoyama, T., Dunkelman, O.: Differential and linear cryptanalysis of a reduced-round SC2. In: Daemen, J., Rijmen, V. (eds.) FSE 22. LNCS, vol. 2365, pp Springer, Heidelberg (22) 3. Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. Journal of Cryptology 2(), 3 47 (28) A The Differential Distribution Table of the S-box

11 Table 2. The differential distribution table of the S-box input