The Key-Dependent Attack on Block Ciphers

Xiaorui Sun and Xuejia Lai
Department of Computer Science, Shanghai Jiao Tong University, Shanghai, China

Abstract. In this paper, we formalize an attack scheme using the key-dependent property, called the key-dependent attack. In this attack, an intermediate value whose distribution is key-dependent is considered. The attack determines whether a key is right by conducting a statistical hypothesis test on the intermediate value. The time and data complexity of the key-dependent attack are also discussed. We also apply the key-dependent attack to reduced-round IDEA. This attack is based on the key-dependent distribution of certain items in the Biryukov-Demirci Equation. The attack on the 5.5-round variant of IDEA requires $2^{21}$ chosen plaintexts and encryptions. The attack on the 6-round variant requires $2^{49}$ chosen plaintexts and encryptions. Compared with the previous attacks, the key-dependent attacks on 5.5-round and 6-round IDEA have the lowest time and data complexity, respectively.

Key words: Block Cipher, Key-Dependent Attack, IDEA

1 Introduction

In current cryptanalysis of block ciphers, widespread attacks use special probability distributions of certain intermediate values. These probability distributions are considered invariant under the different keys used. For example, differential cryptanalysis [7] makes use of an intermediate differential with high probability; its probability is assumed not to vary remarkably between keys. Linear cryptanalysis [23] is based on the bias of a linear approximation, which is also generally constant for different keys. Instead of concentrating on probability distributions that are invariant for different keys, Ben-Aroya and Biham first proposed the key-dependent property in [2]. The key-dependent property means that the probability distribution of an intermediate value varies for different keys. In [2], an attack on Lucifer using a key-dependent differential was presented. Knudsen and Rijmen also used a similar idea to attack DFC in [20]. In this paper, we consider the key-dependent property further.
The distribution of an intermediate value which is key-dependent is called a key-dependent distribution. Assume that there are some randomly chosen encryptions. The intermediate values calculated from these encryptions with the actual key should conform to the key-dependent distribution. On the other hand, if we use a wrong key to calculate the intermediate values, they are assumed to conform to the random distribution. Based on the key-dependent distribution, we formalize a scheme for discovering the actual key by performing statistical hypothesis tests [17] on possible keys, and we call this scheme the key-dependent attack. For a given key, the null hypothesis of the test is that the intermediate value conforms to the key-dependent distribution determined by the key. The samples of the test are the intermediate values calculated from a few encryptions. If the test is passed, the given key is concluded to be the actual key; otherwise it is discarded. For the keys that share the same key-dependent distribution and the same intermediate value calculation, the corresponding hypothesis tests can be merged to reduce the time needed. By this criterion, the whole key space is divided into several key-dependent subsets.

(This work was supported by an NSFC grant and by the 11th PRP of Shanghai Jiao Tong University.)

Due to the scheme of the key-dependent attack, the time complexity of the attack is determined by the time for distinguishing between the random distribution and the key-dependent distribution. The time needed relies on the entropy of the key-dependent distribution: the closer the key-dependent distribution is to the random distribution, the more encryptions are needed. For each key-dependent subset, the number of encryptions and the criteria for rejecting the hypothesis can be chosen so that the attack on this subset is optimized. The expected time of the attack on each subset is also obtained. The total expected time complexity can be calculated from the expected time on each key-dependent subset. Different orders of attacking the key-dependent subsets have different expected time complexities. The order with minimal expected time complexity is presented. The total expected time complexity is also minimized in this way if the actual key is assumed to be chosen uniformly from the whole key space.

This paper also presents a key-dependent attack on the block cipher IDEA. The block cipher IDEA (International Data Encryption Algorithm) was proposed in [21, 22]. The cryptanalysis of IDEA was discussed in [1, 3-6, 8, 9, 11-16, 18, 19, 24, 25], and no attack on the full version of IDEA is faster than exhaustive search so far. We investigate the Biryukov-Demirci Equation, which is widely used in recent attacks on IDEA [1, 5, 6, 13, 16, 18]. We find that particular items of the Biryukov-Demirci Equation satisfy a key-dependent distribution under some specific constraints. This makes it possible to perform the key-dependent attack on IDEA. The Biryukov-Demirci Equation is used to recover the intermediate values from encryptions. Our key-dependent attack on the 5.5-round variant of IDEA requires $2^{21}$ chosen plaintexts and has a time complexity of encryptions.
Our key-dependent attack on the 6-round variant of IDEA requires $2^{49}$ chosen plaintexts and has a time complexity of encryptions. These attacks use both fewer chosen plaintexts and less time than all the previous corresponding attacks. We also give two key-dependent attacks on 5-round IDEA starting from the first round. One requires $2^{17}$ chosen plaintexts and needs encryptions; the other one requires $2^{64}$ known plaintexts and needs encryptions. We summarize our attacks and the previous attacks in Table 1, where the data complexity is measured in the number of plaintexts and the time complexity is measured in the number of encryptions needed in the attack.

Table 1. Selected results of attacks on IDEA

Rounds | Attack type                       | Data       | Time | Ref.
4.5    | Impossible Differential           | 2^64 CP    |      | [3]
4.5    | Linear                            | 16 CP      |      | [5]
5      | Meet-in-the-Middle                | 2^24 CP    |      | [13]
5      | Meet-in-the-Middle                | CP         |      | [1]
5      | Linear                            | KP         |      | [6]
5      | Linear                            | 2^19 KP    |      | [5]
5      | Linear                            | 16 KP      |      | [6]
5.5    | Higher-Order Differential-Linear  | 2^32 CP    |      | [6]
6      | Higher-Order Differential-Linear  | KP         |      | [6]
5 †    | Key-Dependent                     | 2^17 CP    |      | Section 5.3
5 †    | Key-Dependent                     | 2^64 KP    |      | Section 5.3
5.5    | Key-Dependent                     | 2^21 CP    |      | Section 5.1
6      | Key-Dependent                     | 2^49 CP    |      | Section 5.2

CP - Chosen Plaintext, KP - Known Plaintext
† Attack on IDEA starting from the first round

The paper is organized as follows. In Section 2 we give a general view of the key-dependent attack. In Section 3 we give a brief description of the IDEA block cipher. In Section 4 we show that the probability distribution of some items of the Biryukov-Demirci Equation is a key-dependent distribution. In Section 5 we present two key-dependent attacks on reduced-round IDEA. Section 6 concludes this paper.

2 The Key-Dependent Attack

In [2], Ben-Aroya and Biham first proposed the key-dependent property and implemented a key-dependent differential attack on Lucifer. Knudsen and Rijmen also used a similar idea to attack DFC in [20]. In this section, we formalize a scheme for identifying the actual key (with high success probability) using the following key-dependent property.

Definition 1. For a block cipher, if the probability distribution of an intermediate value varies for different keys under some specific constraints, then this probability distribution is defined as a key-dependent distribution.

Consider some randomly chosen encryptions satisfying the specific constraints. If one uses the actual key to calculate the intermediate value, it should conform to the key-dependent distribution. If one uses a wrong key to calculate the intermediate value, it is assumed to be randomly distributed. With such a property, determining whether a given key is right can be done by distinguishing which distribution the intermediate value conforms to: the key-dependent distribution or the random distribution. We propose an attack scheme, called the key-dependent attack, using the key-dependent distribution. The attack uses a statistical hypothesis test, whose idea is also used in differential and linear attacks [17], to distinguish between the key-dependent distribution and the random distribution. For a key, the null hypothesis of the test is that the intermediate value conforms to the key-dependent distribution determined by the key.
Then the attack uses some samples to determine whether the hypothesis is right. The samples of the statistical hypothesis test are the intermediate values obtained from the encryptions satisfying the specific constraints. If the key passes the hypothesis test, the attack concludes that the key is right; otherwise the key is judged to be wrong. For the keys that share the same key-dependent distribution and the same intermediate value calculation, the corresponding hypothesis tests can be merged. Hence the whole key space is divided into several key-dependent subsets. (A similar idea is proposed in [2].)

Definition 2. A key-dependent subset is a tuple $(P, U)$, where $P$ is a fixed key-dependent distribution of an intermediate value, and $U$ is a set of keys that share the same key-dependent distribution $P$ and the same intermediate value calculation.

Definition 3. The key fraction ($f$) of a key-dependent subset is the ratio between the size of $U$ and the size of the whole key space.

The key-dependent attack determines which key-dependent subset the actual key is in by conducting hypothesis tests on each key-dependent subset. Such a process on a key-dependent subset $(P, U)$, called an individual attack, can be described as the following four phases:

1. Parameter Determining Phase. Determine the size of the samples and the criteria for rejecting the hypothesis that the intermediate values conform to $P$.
2. Data Collecting Phase. Randomly choose some encryptions according to the specific constraints.¹
3. Judgement Phase. Calculate the intermediate values from the collected encryptions. If the results satisfy the criteria of rejection, then discard this key-dependent subset; otherwise enter the next phase.
4. Exhaustive Search Phase. Exhaustively search $U$ to find the whole key. If the exhaustive search does not find the whole actual key, then start another individual attack on the next key-dependent subset.

The time complexity of the key-dependent attack is determined by the time complexity of each individual attack and the order of performing these individual attacks. For a key-dependent subset $(P, U)$, the time needed for the individual attack relies on the entropy of $P$: the closer $P$ is to the random distribution, the more difficult the attack is, and to ensure the same probability of making the right judgement the attack needs more encryptions. This indicates that individual attacks for different key-dependent subsets have different time complexities. The time complexity of each individual attack is determined by the corresponding key-dependent distribution $P$. For each key-dependent subset, the number of encryptions and the criteria for rejecting the hypothesis are then chosen to minimize the time complexity of this individual attack. To minimize the time complexity of an individual attack, the attack should consider the probability of committing two types of errors: Type I error and Type II error. A Type I error occurs when the hypothesis is rejected for a key-dependent subset while in fact the actual key is in $U$; the attack will fail to find the actual key in this case.
The probability of a Type I error is also called the significance level, denoted by $\alpha$. A Type II error occurs when the test is passed while in fact the hypothesis is not right; in this case the attack enters the exhaustive search phase but will not find the actual key. The probability of a Type II error is denoted by $\beta$. With a fixed size of samples (denoted by $N$) and the significance level $\alpha$, the criteria for rejecting the hypothesis are determined, and the probability of a Type II error $\beta$ is also fixed. For a fixed size of samples, it is impossible to reduce both $\alpha$ and $\beta$ simultaneously. In order to reduce both $\alpha$ and $\beta$, the attack has to use a larger sample size, but the time and data complexity will increase. Hence, an individual attack needs to balance the size of the samples against the probability of making a wrong judgement. For a key-dependent subset $(P, U)$, if the actual key is not in this subset, the expected time complexity (measured by the number of encryptions) of the individual attack on this subset is

$$W = N + \beta\,|U| \quad (1)$$

If the actual key is in this subset, the expected time of the individual attack on this subset is

$$R = N + (1 - \alpha)\,\frac{|U|}{2}$$

¹ Though each individual attack chooses encryptions randomly, one encryption can be used for many individual attacks, which reduces the total data complexity.

Since the time complexity is dominated by the attacks on wrong key-dependent subsets (there is only one key-dependent subset containing the actual key), the attack only needs to minimize the time complexity of the individual attack for each wrong key-dependent subset in order to minimize the total time complexity. Although $\alpha$ does not appear in Equation (1), $\alpha$ affects the success probability of the attack, so $\alpha$ should also be considered. We set an upper bound on $\alpha$ to ensure that the success probability is above a fixed value, and then choose the sample size such that Equation (1) is minimized, in order to minimize the time complexity of the individual attacks. In addition, it is entirely possible that some key-dependent distribution is so close to the random distribution that the expected time for performing the hypothesis test is longer than directly searching the subset. For these key-dependent subsets, the attack exhaustively searches the subset directly instead of using the statistical hypothesis test method.

On the other hand, the time complexity of the key-dependent attack is also affected by the order of performing the individual attacks on the different key-dependent subsets. Because the expected time complexities of the individual attacks differ, different sequences of performing them result in different total expected time complexities. Assume that a key-dependent attack performs individual attacks on $m$ key-dependent subsets in the order $(P_1, U_1), \ldots, (P_m, U_m)$. Let $R_i$ denote the expected time for $(P_i, U_i)$ if the actual key is in $U_i$, and $W_i$ the expected time if the actual key is not in $U_i$. We have the following result:

Theorem 1. The expected time for the whole key-dependent attack is minimal if the following condition is satisfied:

$$\frac{f_1}{W_1} \ge \frac{f_2}{W_2} \ge \cdots \ge \frac{f_m}{W_m}$$

Proof. The expected time of the attack in the order $(P_1, U_1), \ldots, (P_m, U_m)$ is

$$\Phi = f_1\,[R_1 + \alpha(W_2 + W_3 + \cdots + W_m)] + f_2\,[W_1 + R_2 + \alpha(W_3 + \cdots + W_m)] + f_3\,[W_1 + W_2 + R_3 + \alpha(W_4 + \cdots + W_m)] + \cdots + f_m\,(W_1 + W_2 + \cdots + W_{m-1} + R_m)$$
$$= \sum_{i=1}^{m} f_i R_i + \sum_{i=1}^{m}\Big(\sum_{j=1}^{i-1} f_i W_j\Big) + \alpha \sum_{i=1}^{m}\Big(\sum_{j=i+1}^{m} f_i W_j\Big) \quad (2)$$

If the attack is performed in the order $(P_{s_1}, U_{s_1}), (P_{s_2}, U_{s_2}), \ldots, (P_{s_m}, U_{s_m})$, where $s_1, s_2, \ldots, s_m$ is a permutation of $1, 2, \ldots, m$, the expected time is

$$\Phi' = \sum_{i=1}^{m} f_{s_i} R_{s_i} + \sum_{i=1}^{m}\Big(\sum_{j=1}^{i-1} f_{s_i} W_{s_j}\Big) + \alpha \sum_{i=1}^{m}\Big(\sum_{j=i+1}^{m} f_{s_i} W_{s_j}\Big)$$

The term $f_i W_j + \alpha f_j W_i$ occurs in $\Phi$ if and only if $j < i$, and occurs in $\Phi'$ if and only if $j' < i'$, where $s_{i'} = i$ and $s_{j'} = j$. Hence

$$\Phi - \Phi' = \sum_{j < i \text{ and } j' > i'} \big(f_i W_j + \alpha f_j W_i - f_j W_i - \alpha f_i W_j\big)$$

Since $\alpha \le 1$ and $f_i W_j - f_j W_i \le 0$ for $j < i$, we have $\Phi - \Phi' \le 0$ for any permutation $s_1, s_2, \ldots, s_m$.

In the following sections of this paper, we present a concrete key-dependent attack on the block cipher IDEA.
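As an added illustration of Theorem 1 (Python written for this page, not code from the paper), the following computes $\Phi$ of Equation (2) for a given order of key-dependent subsets and checks by brute force over all permutations that the order with non-increasing $f_i/W_i$ is optimal. The four subsets, their key fractions $f_i$, expected times $W_i$ and $R_i$, and the significance level $\alpha$ are constructed values chosen for the check, and the function names are mine.

```python
from fractions import Fraction
from itertools import permutations

# Constructed key-dependent subsets for the check (not from the paper):
# (key fraction f_i, expected time W_i when the actual key is NOT in U_i,
#  expected time R_i when the actual key IS in U_i), times in encryptions.
SUBSETS = [
    (Fraction(1, 4), 300, 260),
    (Fraction(1, 8), 40, 30),
    (Fraction(1, 2), 1000, 900),
    (Fraction(1, 8), 120, 100),
]
ALPHA = Fraction(1, 100)  # significance level (Type I error) of each individual attack


def expected_time(order, subsets=SUBSETS, alpha=ALPHA):
    """Phi of Equation (2) for the subsets tried in the given order.

    If the actual key is in the i-th subset tried (probability f_i), the attack
    pays W_j for every subset j tried before it, R_i for the subset itself and,
    with probability alpha (the right subset was wrongly rejected), W_j for
    every subset tried after it.
    """
    fs = [subsets[i][0] for i in order]
    ws = [subsets[i][1] for i in order]
    rs = [subsets[i][2] for i in order]
    total = Fraction(0)
    for i in range(len(order)):
        before = sum(ws[:i])
        after = sum(ws[i + 1:])
        total += fs[i] * (before + rs[i] + alpha * after)
    return total


def theorem1_order(subsets=SUBSETS):
    """Order prescribed by Theorem 1: subsets sorted by f_i / W_i, non-increasing."""
    return sorted(range(len(subsets)),
                  key=lambda i: subsets[i][0] / subsets[i][1], reverse=True)


def brute_force_order(subsets=SUBSETS, alpha=ALPHA):
    """Optimal order found by trying every permutation (feasible for small m)."""
    return list(min(permutations(range(len(subsets))),
                    key=lambda o: expected_time(list(o), subsets, alpha)))


if __name__ == "__main__":
    best = theorem1_order()
    print("Theorem 1 order:", best, "Phi =", float(expected_time(best)))
    print("brute-force order:", brute_force_order())
```

With the constructed data the ratios $f_i/W_i$ are all distinct, so every other order contains at least one inverted pair and, by the proof above, costs strictly more.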

Fig. 1. Round $i$ of IDEA (inputs $X_1^i, \ldots, X_4^i$; subkeys $Z_1^i, \ldots, Z_6^i$; KA-layer outputs $Y_1^i, \ldots, Y_4^i$; MA-layer values $p, q, s, t, u$; outputs $X_1^{i+1}, \ldots, X_4^{i+1}$)

3 The IDEA Block Cipher

In this section, we give a brief introduction to IDEA and the notation used later in this paper. The IDEA block cipher encrypts a 64-bit plaintext with a 128-bit key by an 8.5-round encryption. The fifty-two 16-bit subkeys are generated from the 128-bit key $Z$ by the key-schedule algorithm. The subkeys are generated in the order $Z_1^1, Z_2^1, \ldots, Z_6^1, Z_1^2, \ldots, Z_6^8, Z_1^9, \ldots, Z_4^9$. The key $Z$ is partitioned into eight 16-bit words which are used as the first eight subkeys. The key $Z$ is then cyclically shifted to the left by 25 bits, and the following eight subkeys are generated from it. This process is repeated until all the subkeys are obtained. In Table 2, the correspondence between the subkeys and the key $Z$ is given directly. The block cipher partitions the 64-bit plaintext into four 16-bit words and uses three different group operations on pairs of 16-bit words: exclusive OR, denoted by $\oplus$; modular addition modulo $2^{16}$, denoted by $\boxplus$; and modular multiplication modulo $2^{16}+1$ (0 is treated as $2^{16}$), denoted by $\odot$. As in Figure 1, each round of IDEA contains three layers: the KA layer, the MA layer and the permutation layer. We denote the 64-bit input of round $i$ by $X^i = (X_1^i, X_2^i, X_3^i, X_4^i)$. In the KA layer, the first and the fourth words are modular multiplied with $Z_1^i$ and $Z_4^i$ respectively. The second and the third words are modular added with $Z_2^i$ and $Z_3^i$ respectively. The output of the KA layer is denoted by $Y^i = (Y_1^i, Y_2^i, Y_3^i, Y_4^i)$.

Table 2. The Key-Schedule of IDEA (columns: Round, $Z_1$, $Z_2$, $Z_3$, $Z_4$, $Z_5$, $Z_6$)

In the MA layer, two intermediate values $p = Y_1^i \oplus Y_3^i$ and $q = Y_2^i \oplus Y_4^i$ are computed first. These two values are processed to give $u$ and $t$:

$$u = (p \odot Z_5^i) \boxplus t, \qquad t = \big((p \odot Z_5^i) \boxplus q\big) \odot Z_6^i$$

We denote the intermediate value $p \odot Z_5^i$ by $s$ for convenience. The output of the MA layer is then permuted to give the output of this round, $(Y_1^i \oplus u,\ Y_3^i \oplus u,\ Y_2^i \oplus t,\ Y_4^i \oplus t)$, which is also the input of round $i+1$, denoted by $(X_1^{i+1}, X_2^{i+1}, X_3^{i+1}, X_4^{i+1})$. Complete diffusion, which means that every bit of $(X_1^{i+1}, X_2^{i+1}, X_3^{i+1}, X_4^{i+1})$ is affected by every bit of $(Y_1^i, Y_2^i, Y_3^i, Y_4^i)$, is obtained in the MA layer.

In this paper, we will use $P = (P_1, P_2, P_3, P_4)$ and $P' = (P_1', P_2', P_3', P_4')$ to denote a pair of plaintexts, where $P_i$ and $P_i'$ are 16-bit words. $C = (C_1, C_2, C_3, C_4)$ and $C' = (C_1', C_2', C_3', C_4')$ are their ciphertexts respectively. We also use the symbol $'$ to distinguish the intermediate values corresponding to $P'$ from those corresponding to $P$. For example, $s^i$ is obtained from plaintext $P$, and $P'$ will generate $s'^i$. The notation $\Delta$ will denote the XOR difference; for instance, $\Delta s^i$ is equal to $s^i \oplus s'^i$.

4 The Key-Dependent Distribution of IDEA

In this section, we describe the key-dependent distribution of the block cipher IDEA, which will be used in our attack later. The notation used is the same as in [6]. The Biryukov-Demirci relation was first proposed by Biryukov [16] and Demirci [13]. Many papers have discussed attacking IDEA using this relation, such as [1, 5, 6, 13, 16, 18]. The relation can be written in the following form (LSB denotes the least significant bit):

$$\mathrm{LSB}(C_2 \oplus C_3) = \mathrm{LSB}\big(P_2 \oplus P_3 \oplus Z_2^1 \oplus Z_3^1 \oplus s^1 \oplus Z_2^2 \oplus Z_3^2 \oplus s^2 \oplus Z_2^3 \oplus Z_3^3 \oplus s^3 \oplus Z_2^4 \oplus Z_3^4 \oplus s^4 \oplus Z_2^5 \oplus Z_3^5 \oplus s^5 \oplus Z_2^6 \oplus Z_3^6 \oplus s^6 \oplus Z_2^7 \oplus Z_3^7 \oplus s^7 \oplus Z_2^8 \oplus Z_3^8 \oplus s^8 \oplus Z_2^9 \oplus Z_3^9\big) \quad (3)$$

It is shown in [5] that, for two pairs of plaintext and ciphertext $(P, C)$ and $(P', C')$, XORing their corresponding Biryukov-Demirci relations gives, from Equation (3),

$$\mathrm{LSB}(C_2 \oplus C_3 \oplus C_2' \oplus C_3') = \mathrm{LSB}\big(P_2 \oplus P_3 \oplus P_2' \oplus P_3' \oplus \Delta s^1 \oplus \Delta s^2 \oplus \Delta s^3 \oplus \Delta s^4 \oplus \Delta s^5 \oplus \Delta s^6 \oplus \Delta s^7 \oplus \Delta s^8\big) \quad (4)$$

We call Equation (4) the Biryukov-Demirci Equation. The following theorem shows that the probability distribution of $\mathrm{LSB}(\Delta s^i)$ in the Biryukov-Demirci Equation is a key-dependent distribution.

Theorem 2. Consider round $i$ of IDEA. If one pair of intermediate values $(p^i, p'^i)$ satisfies $\Delta p^i = 8000_x$, then the probability of $\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$ is

$$\mathrm{Prob}\big(\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)\big) = \frac{\#W}{2^{15}} \quad (5)$$

where $W$ is the set of all 16-bit words $w$ such that $1 \le w \le 8000_x$ and $(w * Z_5^i) + (8000_x * Z_5^i) < 2^{16} + 1$, and where $*$ is defined as

$$a * b = \begin{cases} a \odot b & \text{if } a \odot b \ne 0 \\ 2^{16} & \text{if } a \odot b = 0 \end{cases}$$

Proof. Consider every intermediate pair $(p^i, p'^i)$ which satisfies $\Delta p^i = 8000_x$, excluding $(0, 8000_x)$. We have $p'^i = p^i + 8000_x$ or $p^i = p'^i + 8000_x$. Without loss of generality, assume $p'^i = p^i + 8000_x$, where $1 \le p^i < 8000_x$ and $8000_x < p'^i$. If we consider only the least significant bit, $\mathrm{LSB}(s^i) = \mathrm{LSB}(p^i \odot Z_5^i)$. The following equations also hold:

$$\mathrm{LSB}(s'^i) = \mathrm{LSB}(p'^i \odot Z_5^i) = \mathrm{LSB}(p'^i * Z_5^i) = \mathrm{LSB}\big((p^i + 8000_x) * Z_5^i\big) = \mathrm{LSB}\Big(\big((p^i * Z_5^i) + (8000_x * Z_5^i)\big) \bmod (2^{16}+1)\Big) \quad (6)$$

In the special case when $(p^i, p'^i)$ is $(0, 8000_x)$, let $p^i = 8000_x$ and $p'^i = 0$. Equation (6) also holds, because $p'^i = 0$ is actually treated as $2^{16}$ for inputs of $\odot$ and $*$. If $(p^i * Z_5^i) + (8000_x * Z_5^i)$ is smaller than $2^{16} + 1$, then $\mathrm{LSB}(s'^i) = \mathrm{LSB}(s^i) \oplus \mathrm{LSB}(8000_x * Z_5^i)$ holds because of the equivalence of XOR and modular addition for the least significant bit. Moreover, $\mathrm{LSB}(8000_x * Z_5^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$ is satisfied, which means $\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$. Otherwise, $\mathrm{LSB}(s'^i)$ is equal to $\mathrm{LSB}(s^i) \oplus \mathrm{LSB}(8000_x * Z_5^i) \oplus 1$ because of the carry (the reduction by the odd modulus $2^{16}+1$ flips the least significant bit). So $\mathrm{LSB}(\Delta s^i)$ equals $\mathrm{LSB}(8000_x \odot Z_5^i) \oplus 1$. Therefore, we may conclude that $\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$ if and only if the pair $(p^i, p'^i)$ satisfies $(w * Z_5^i) + (8000_x * Z_5^i) < 2^{16} + 1$, where $w$ is either $p^i$ or $p'^i$, whichever lies between 1 and $8000_x$. There are at most $2^{15}$ such $w$, hence Equation (5) holds. This completes the proof.
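As an added example (Python written for this page, not the paper's code), the following implements the IDEA group operations and key schedule described in Section 3 and then evaluates Theorem 2 in two independent ways: by counting the set $W$ exactly as the theorem defines it, and by enumerating every pair $(p, p')$ with $\Delta p = 8000_x$ and checking $\mathrm{LSB}(\Delta s)$ directly. The function names are mine, and the key value in the usage block is a constructed placeholder; the key-bit positions derived by `subkey_bits` follow from the rotate-by-25 rule stated in Section 3 and can be compared with the statements about $Z_5^2$ and the 107 covered key bits in Section 5.3.

```python
MOD = (1 << 16) + 1     # modulus of IDEA multiplication; the word 0 stands for 2^16
HALF = 0x8000           # the difference 8000_x used in Theorem 2


def idea_mul(a, b):
    """a (.) b: multiplication modulo 2^16 + 1 on 16-bit words, 0 treated as 2^16."""
    a = a or (1 << 16)
    b = b or (1 << 16)
    return ((a * b) % MOD) & 0xFFFF      # residue 2^16 is written back as 0


def idea_mul_int(a, b):
    """a * b of Theorem 2: the same product, but as an integer in 1..2^16."""
    return idea_mul(a, b) or (1 << 16)


def idea_add(a, b):
    """a [+] b: addition modulo 2^16."""
    return (a + b) & 0xFFFF


def idea_key_schedule(key):
    """The 52 subkeys Z_1^1, ..., Z_4^9 of a 128-bit key (Section 3): eight 16-bit
    words, then rotate the key left by 25 bits and take the next eight, repeated."""
    mask = (1 << 128) - 1
    k = key & mask
    subkeys = []
    while len(subkeys) < 52:
        for w in range(8):
            if len(subkeys) == 52:
                break
            subkeys.append((k >> (112 - 16 * w)) & 0xFFFF)
        k = ((k << 25) | (k >> 103)) & mask
    return subkeys


def subkey_bits(rnd, j):
    """Positions (0 = most significant bit of Z) of the 16 key bits forming Z_j^rnd,
    most significant first; derived from the same rotate-by-25 rule."""
    idx = 6 * (rnd - 1) + (j - 1)           # position in the generation order
    start = (25 * (idx // 8) + 16 * (idx % 8)) % 128
    return [(start + b) % 128 for b in range(16)]


def count_W(z5):
    """#W of Theorem 2: words w with 1 <= w <= 8000_x and
    (w * Z5) + (8000_x * Z5) < 2^16 + 1."""
    c = idea_mul_int(HALF, z5)
    return sum(1 for w in range(1, HALF + 1) if idea_mul_int(w, z5) + c < MOD)


def count_pairs_by_enumeration(z5):
    """Number of the 2^15 pairs (p, p ^ 8000_x) for which
    LSB(delta s) = LSB(8000_x (.) Z5), with s = p (.) Z5; no theorem used."""
    target = idea_mul(HALF, z5) & 1
    hits = 0
    for p in range(HALF):
        ds = idea_mul(p, z5) ^ idea_mul(p ^ HALF, z5)
        if (ds & 1) == target:
            hits += 1
    return hits


def prob_lsb_delta_s_is_one(z5):
    """Prob(LSB(delta s) = 1) for the subkey Z5, the quantity plotted in Figure 2."""
    p_equal = count_W(z5) / HALF
    return p_equal if (idea_mul(HALF, z5) & 1) else 1.0 - p_equal


if __name__ == "__main__":
    key = 0x0123456789ABCDEF0123456789ABCDEF   # constructed placeholder key
    zs = idea_key_schedule(key)
    print("Z_5^2 =", hex(zs[6 * 1 + 4]), "built from key bits", subkey_bits(2, 5))
    for z5 in (0x0001, 0x0002, 0x0003, 0x8001, 0xFFFF):
        print(hex(z5), count_W(z5), count_pairs_by_enumeration(z5),
              round(prob_lsb_delta_s_is_one(z5), 4))
```

`count_W` and `count_pairs_by_enumeration` agree for every $Z_5$, which is the content of Theorem 2; the two degenerate subkeys $Z_5 = 1$ and $Z_5 = 2$ give the extreme probabilities 0 and 1, and running `prob_lsb_delta_s_is_one` over all $2^{16}$ values reproduces the curve of Figure 2.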

Fig. 2. The key-dependent distribution of $\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)$ on the value of $Z_5$ (the plot shows the key-dependent distribution against the random distribution, with $Z_5$ on the horizontal axis and $\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)$ on the vertical axis)

Remark 1. Figure 2 plots the relation between the subkey $Z_5$ and the probability of $\mathrm{LSB}(\Delta s) = 1$. As shown in Figure 2, for most $Z_5$ the probability of $\mathrm{LSB}(\Delta s) = 1$ differs from the random distribution. Hence it is possible to perform a key-dependent attack on IDEA using this key-dependent distribution. For most $Z_5$, there are in general four cases for the probability of $\mathrm{LSB}(\Delta s) = 1$ as $Z_5$ grows from 0 to $2^{16} - 1$, which can be roughly approximated as follows:

$$\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1) \approx \begin{cases} \ldots & \text{last two bits of } Z_5 = 00 \\ \ldots & \text{last two bits of } Z_5 = 01 \\ \ldots & \text{last two bits of } Z_5 = 10 \\ \ldots & \text{last two bits of } Z_5 = 11 \end{cases} \quad (7)$$

From Equation (7), the following approximation also holds for most $Z_5$:

$$\min\{\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 0),\ \mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)\} \approx \begin{cases} \ldots & \mathrm{LSB}(Z_5) = 0 \\ \ldots & \mathrm{LSB}(Z_5) = 1 \end{cases} \quad (8)$$

Calculation shows that, for only 219 out of all $2^{16}$ possible $Z_5$, the difference between the approximation (Equation (7) or (8)) and the accurate probability exceeds the tolerance. Equation (8) indicates that we can approximate the left-hand side of Equation (8) by fixing several most significant bits and the least significant bit of $Z_5$. In the following sections, we will show that we only need to distinguish the approximate probability distribution from the random distribution. Hence, for most $Z_5$, this approximation is close enough to the accurate value. For the $Z_5$ that cannot be approximated in this way, we use other methods to deal with the situation.

5 The Key-Dependent Attack on IDEA

In this section, we present two key-dependent attacks on reduced-round IDEA. In Section 5.1, we give a basic attack on the 5.5-round variant of IDEA and then extend it to the 6-round variant in Section 5.2. We also give two key-dependent attacks on 5-round IDEA starting from the first round in Section 5.3.

5.1 The Attack on 5.5-Round Variant of IDEA

We first present a key-dependent attack on the 5.5-round variant of IDEA. The attack starts from the third round and ends before the MA layer of the eighth round. The main idea of this attack is to perform the key-dependent attack based on the key-dependent distribution of $\Delta s^4$ described in Theorem 2. For the 5.5-round variant of IDEA starting from the third round, the Biryukov-Demirci Equation can be rewritten as

$$\mathrm{LSB}(\Delta s^4) = \mathrm{LSB}\big(P_2 \oplus P_3 \oplus P_2' \oplus P_3' \oplus C_2 \oplus C_3 \oplus C_2' \oplus C_3' \oplus \Delta s^3 \oplus \Delta s^5 \oplus \Delta s^6 \oplus \Delta s^7\big) \quad (9)$$

where $P$ and $P'$ are equivalent to $X^3$ and $X'^3$, and $C$ and $C'$ are equivalent to $Y^8$ and $Y'^8$ of this variant of IDEA. We first construct a pair of plaintexts satisfying the specific constraint $\Delta p^4 = 8000_x$. The construction is based on the following lemma.

Lemma 1. For any $\alpha$, if two 16-bit words $x$ and $x'$ have the same 15 least significant bits, then $x \boxplus \alpha$ and $x' \boxplus \alpha$ have the same 15 least significant bits, and $x \oplus \alpha$ and $x' \oplus \alpha$ have the same 15 least significant bits.

Based on Lemma 1, the following proposition can be obtained.

Proposition 1. If a pair of intermediate values $Y^3$ and $Y'^3$ satisfy the following conditions:

a. $\Delta Y_1^3 = \Delta Y_3^3 = 0$
b. $\Delta Y_2^3 = 8000_x$
c. $Y_2^3 \oplus Y_4^3 = Y_2'^3 \oplus Y_4'^3$

then $\Delta s^3 = 0$ and the probability of $\mathrm{LSB}(\Delta s^4) = 0$ can be determined by Equation (5).

Proof. From Condition (a), $\Delta Y_1^3 = \Delta Y_3^3 = 0$, so $p^3$ is equal to $p'^3$. Then $\Delta s^3 = 0$ is quite straightforward. From Condition (c), $q^3$ is equal to $q'^3$.
If $p^3$ and $q^3$ are fixed, $u^3$ and $t^3$ are also fixed with respect to any $Z_5^3$ and $Z_6^3$. It indicates that $X_1^4 = Y_1^3 \oplus u^3 = X_1'^4$. Note that $Y_1^4$ and $Y_1'^4$ are the results of modular-multiplying $X_1^4$ and $X_1'^4$ with the same $Z_1^4$, hence $Y_1^4$ is equal to $Y_1'^4$. On the other hand, $\Delta Y_2^3 = 8000_x$ means that the 15 least significant bits of $Y_2^3$ are equal to those of $Y_2'^3$ and the most significant bits of $Y_2^3$ and $Y_2'^3$ are different. Because $u^3$ and $t^3$ are fixed, by Lemma 1 the 15 least significant bits of $X_3^4$ are equal to those of $X_3'^4$. Then $\Delta X_3^4$ is equal to $8000_x$, and $\Delta Y_3^4 = 8000_x$ is obtained by modular addition with the same $Z_3^4$. From $\Delta Y_1^4 = 0$ and $\Delta Y_3^4 = 8000_x$, $\Delta p^4$ is $8000_x$. By Theorem 2, the conclusion is obtained.

In our attack, we use the plaintext pairs satisfying Proposition 1. We obtain Condition (a) by letting $\Delta P_1 = \Delta P_3 = 0$. By Lemma 1, $P_2$ and $P_2'$ are fixed to have the same 15 least significant bits, and hence $\Delta Y_2^3 = 8000_x$. In order to fulfill Condition (c), we have to guess $Z_4^3$ and then, according to this guess, choose $P_4$ and $P_4'$ which satisfy $\Delta Y_4^3 = 8000_x$. By Proposition 1, $\Delta s^3$ is equal to zero. In order to get the right-hand side of Equation (9), we still need $\Delta s^5$, $\Delta s^6$ and $\Delta s^7$. We need to guess $Z_5^5, Z_1^6, Z_2^6, Z_5^6, Z_6^6, Z_1^7, Z_2^7, Z_3^7, Z_4^7, Z_5^7, Z_6^7, Z_1^8, Z_2^8, Z_3^8, Z_4^8$. As shown in [6], one can partially decrypt one pair of encryptions using these 15 subkeys to calculate the values of $\Delta s^5$, $\Delta s^6$ and $\Delta s^7$. These 15 subkeys take only 103 key bits and also cover the subkey $Z_4^3$. Hence, for one guess of the 103 key bits, we can calculate the value of $\Delta s^4$ from a special pair of encryptions. We also note that these 103 bits cover the subkey $Z_5^4$, which determines the key-dependent distribution of $\Delta s^4$ according to Theorem 2. Therefore, we can perform the key-dependent attack on the 5.5-round variant of IDEA. As described in Section 2, the key space can be divided into key-dependent subsets by the 103 key bits, each containing $2^{25}$ keys. For a key-dependent subset $(P, U)$, let $p$ denote the probability of $\mathrm{LSB}(\Delta s^4) = \mathrm{LSB}(8000_x \odot Z_5^4)$. For simplicity, in the following analysis we assume that $p \le 0.5$; the case $p > 0.5$ is similar. Assume the size of the samples is $n$ pairs of encryptions that satisfy the specific constraint of this key-dependent subset, and $t$ of them satisfy $\mathrm{LSB}(\Delta s^4) = \mathrm{LSB}(8000_x \odot Z_5^4)$. The criterion for not rejecting the hypothesis is that $t$ is smaller than or equal to a fixed value $k$.
The probability of a Type I error is

$$\alpha = \sum_{t=k+1}^{n} \binom{n}{t} p^t (1-p)^{n-t}$$

and the probability of a Type II error is

$$\beta = \sum_{t=0}^{k} \binom{n}{t} 0.5^n$$

If $(P, U)$ is a wrong key-dependent subset, the expected time complexity of checking this subset is

$$W = 2n + \beta \cdot 2^{25} \quad (10)$$

As shown in Section 2, the attack sets $\alpha$ smaller than or equal to 0.01 to ensure that the probability of a false rejection does not exceed 0.01. Under this precondition, the attack chooses $n$ and $\beta$ so that $\alpha < 0.01$ and Equation (10) is minimized, which minimizes the time complexity on each key-dependent subset $(P, U)$. By Section 2, we minimize the total expected time complexity with this method. Because this choice is related only to the subkey $Z_5^4$, we only need to compute $n$ and $k$ for $2^{16}$ different values. For example, for a key-dependent subset $(P, U)$ with $Z_5^4 = 8001_x$, $p$ is about . The attack checks every possible $n$ and $k$ to find the minimal expected time complexity of the individual attack for this subset. As shown in Section 2, the expected time complexity for each subset is upper bounded by exhaustive search on the subset, which is $2^{25}$ in this attack. Hence, the attack only checks $n$ and $k$ smaller than this bound. The expected time is minimized under the precondition $\alpha < 0.01$ when $n = 425$ and $k = 164$. In this case, $\alpha = $ , $\beta = $ and $W = $ . Since all the key-dependent subsets have the same key fraction, the order of performing the individual attacks with minimal expected time complexity becomes the ascending order of $W$ over all key-dependent subsets, by Theorem 1. Figure 3 plots the number of encryptions used and the expected time complexity for all the individual attacks.
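The choice of $n$ and $k$ described above can be carried out as follows. This Python is an added example, not the paper's code: it computes $\alpha$ and $\beta$ from the two binomial sums given in the text, evaluates $W$ of Equation (10), and scans $n$ and $k$ for the smallest $W$ subject to $\alpha \le 0.01$, falling back to direct exhaustive search of the subset when no test beats it, as Section 2 prescribes. The value $p = 0.4$ in the usage block is a constructed example, not a probability from the paper; the search bound $n \le 800$ is my choice of a tractable range, and the function names are mine.

```python
SUBSET_SIZE = 1 << 25   # keys in one key-dependent subset of the 5.5-round attack
ALPHA_MAX = 0.01        # upper bound on the Type I error, as in Section 5.1


def binomial_cdf(n, q):
    """cdf[k] = Prob(t <= k) for t ~ Binomial(n, q), via the pmf recurrence
    pmf(t+1) = pmf(t) * (n-t)/(t+1) * q/(1-q); avoids huge binomial coefficients."""
    pmf = (1.0 - q) ** n
    cdf, acc = [], 0.0
    for t in range(n + 1):
        acc += pmf
        cdf.append(acc)
        if t < n:
            pmf *= (n - t) / (t + 1) * q / (1.0 - q)
    return cdf


def error_rates(n, k, p):
    """(alpha, beta) for a test that does not reject when t <= k.
    alpha: Prob(t > k) when the subset is right, t ~ Bin(n, p)   (Type I error).
    beta : Prob(t <= k) when the subset is wrong, t ~ Bin(n, 1/2) (Type II error)."""
    alpha = 1.0 - binomial_cdf(n, p)[k]
    beta = binomial_cdf(n, 0.5)[k]
    return alpha, beta


def expected_time_wrong(n, beta, subset_size=SUBSET_SIZE):
    """Equation (10): W = 2n + beta * |U|; each pair costs two encryptions."""
    return 2 * n + beta * subset_size


def choose_parameters(p, alpha_max=ALPHA_MAX, n_max=800, subset_size=SUBSET_SIZE):
    """Return (n, k, alpha, beta, W) minimising W over 1 <= n <= n_max, 0 <= k < n,
    subject to alpha <= alpha_max. p is the key-dependent probability of the
    counted event, assumed <= 0.5 as in the paper's analysis. If no test beats
    exhaustive search of the subset, return (0, -1, 0.0, 1.0, |U|), meaning
    'search the subset directly' (Section 2)."""
    assert 0.0 < p <= 0.5
    best = (0, -1, 0.0, 1.0, float(subset_size))
    for n in range(1, n_max + 1):
        cdf_p = binomial_cdf(n, p)
        cdf_half = binomial_cdf(n, 0.5)
        # alpha falls and beta rises as k grows, so the smallest admissible k
        # gives the smallest W for this n.
        for k in range(n):
            alpha = 1.0 - cdf_p[k]
            if alpha <= alpha_max:
                w = expected_time_wrong(n, cdf_half[k], subset_size)
                if w < best[4]:
                    best = (n, k, alpha, cdf_half[k], w)
                break
    return best


if __name__ == "__main__":
    n, k, alpha, beta, w = choose_parameters(0.4)   # constructed p, not from the paper
    print(f"n={n} k={k} alpha={alpha:.4f} beta={beta:.3e} W={w:.1f} (|U|={SUBSET_SIZE})")
```

Running `choose_parameters` once per possible $Z_5^4$ (with $p$ taken from Equation (5)) gives the per-subset $n$, $k$ and $W$ that Step 1 of the attack summary below requires, and sorting the subsets by the returned $W$ gives the order of Theorem 1.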

Fig. 3. The number of encryptions used and the expected time complexity for the individual attacks (horizontal axis: $i$-th individual attack, in the performing order; vertical axis: encryptions; series: number of encryptions used, and expected time complexity $W_i$ of the individual attack)

The total expected time complexity of the attack, described by Equation (2), becomes

$$\Phi = \sum_{i=1}^{m} f_i R_i + \sum_{i=1}^{m}\Big(\sum_{j=1}^{i-1} f_i W_j\Big) + \alpha \sum_{i=1}^{m}\Big(\sum_{j=i+1}^{m} f_i W_j\Big) = \frac{1}{2^{103}}\Big(\sum_{i=1}^{m} R_i + \sum_{i=1}^{m}\sum_{j=1}^{i-1} W_j + \alpha \sum_{i=1}^{m}\sum_{j=i+1}^{m} W_j\Big) = \frac{1}{2^{103}}\Big(\sum_{i=1}^{m} R_i + \sum_{i=1}^{m} \big((m - i) + \alpha (i - 1)\big) W_i\Big)$$

with 99% success probability, if the attack chooses $n$ and $\beta$ for each key-dependent subset and determines the order of performing the individual attacks as shown above. The number of pairs needed in one test is about $2^{19}$ in the worst case. The attack uses a set of $2^{21}$ plaintexts, which can provide $2^{20}$ plaintext pairs satisfying the conditions of Proposition 1 for each key-dependent subset. The attack is summarized as follows:

1. For every possible $Z_5^4$, calculate the corresponding number of plaintext pairs needed, $n$, and the criterion for not rejecting the hypothesis, $k$.
2. Let $S$ be an empty set. Randomly choose a 16-bit word $s$ and insert $s$ and $s \oplus 8000_x$ into $S$. Repeat this until $S$ contains $2^5$ different words. Ask for the encryption of all plaintexts of the form $(A, B, C, D)$, where $A$ and $C$ are fixed to two arbitrary constants, $B$ takes all the values in $S$ and $D$ takes all $2^{16}$ possible values.
3. Enumerate the key-dependent subsets in ascending order of $W$:
 (a) Randomly choose a set of plaintext pairs of cardinality $n$ from the known encryptions. The plaintext pairs must satisfy the requirements of Proposition 1.
 (b) Partially decrypt all the selected encryption pairs and count the occurrences of $\mathrm{LSB}(\Delta s^4) = 1$.
 (c) Test the hypothesis. If the hypothesis is not rejected, perform an exhaustive search for the remaining 25 key bits.

5.2 The Attack on 6-Round Variant of IDEA

We now extend the 5.5-round attack to an attack on the 6-round variant of IDEA starting before the MA layer of the second round. The data complexity of the attack is $2^{49}$ and the time complexity is encryptions. As shown in [6], $Z_5^2$ and $Z_6^2$ are included in the 103 key bits of the 5.5-round attack. Hence, we can add this half round to the 5.5-round attack without enlarging the time complexity. It is more difficult to construct right plaintext pairs satisfying Proposition 1. Consider a pair of intermediate values $X^3$ and $X'^3$ before the third round which satisfy Proposition 1. If we partially decrypt $X^3$ and $X'^3$ using any possible $Z_5^2$ and $Z_6^2$, the only fact we know is that all the results have the same XOR of the first and third words. The attack hence selects all the plaintexts $P$ where the 15 least significant bits of $P_1 \oplus P_3$ are fixed to an arbitrary 15-bit constant. The total number of selected plaintexts is $2^{49}$. It is possible to provide $2^{48}$ plaintext pairs satisfying the conditions of Proposition 1 in the test for any $Z_5^2$, $Z_6^2$ and $Z_4^3$. This number is sufficient in any situation.
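The plaintext structure of Step 2 and the pairing of Step 3(a) in the 5.5-round attack can be made concrete as follows. This is an added Python example, not code from the paper: it builds the set $S$, generates the $(A, B, C, D)$ structure and, for a guessed $Z_4^3$, pairs each plaintext with the partner that satisfies Proposition 1, then re-checks the three conditions by computing $Y^3$ under that guess and an arbitrary $Z_2^3$ (Conditions (a) and (b) do not depend on $Z_1^3$, $Z_2^3$ or $Z_3^3$, by Lemma 1). The 16-bit multiplication is repeated here so the block runs alone; the constants $A$, $C$, the seed, the subkey guesses and the reduced structure sizes are constructed placeholders, and the names are mine.

```python
import random

MOD = (1 << 16) + 1
HALF = 0x8000


def idea_mul(a, b):
    """a (.) b: multiplication modulo 2^16 + 1, with 0 standing for 2^16."""
    a = a or (1 << 16)
    b = b or (1 << 16)
    return ((a * b) % MOD) & 0xFFFF


def idea_mul_inv(a):
    """Inverse of a under (.), so that idea_mul(a, idea_mul_inv(a)) == 1."""
    a = a or (1 << 16)
    return pow(a, -1, MOD) & 0xFFFF       # 2^16 + 1 is prime, every a is invertible


def build_word_set(size, rng):
    """Step 2: random 16-bit words inserted together with their 8000_x partner
    until `size` distinct words are present (size must be even)."""
    words = set()
    while len(words) < size:
        s = rng.getrandbits(16)
        words.update((s, s ^ HALF))
    return words


def build_structure(word_set, a=0x1234, c=0x5678, d_values=range(1 << 16)):
    """Plaintexts (A, B, C, D) with A, C fixed, B in the word set, D over d_values."""
    return [(a, b, c, d) for b in sorted(word_set) for d in d_values]


def partner(pt, z4_guess):
    """The plaintext P' paired with P under a guessed Z_4^3:
    P_1' = P_1 and P_3' = P_3 (Condition a), P_2' = P_2 ^ 8000_x (Condition b via
    Lemma 1), and P_4' chosen so that Y_4^3 ^ Y_4'^3 = 8000_x (Condition c)."""
    a, b, c, d = pt
    y4 = idea_mul(d, z4_guess)
    d2 = idea_mul(y4 ^ HALF, idea_mul_inv(z4_guess))
    return (a, b ^ HALF, c, d2)


def satisfies_proposition1(pt, pt2, z2, z4):
    """Check Conditions (a)-(c) of Proposition 1 on Y^3 computed from P and P'."""
    y2, y2p = (pt[1] + z2) & 0xFFFF, (pt2[1] + z2) & 0xFFFF
    y4, y4p = idea_mul(pt[3], z4), idea_mul(pt2[3], z4)
    cond_a = pt[0] == pt2[0] and pt[2] == pt2[2]
    cond_b = (y2 ^ y2p) == HALF
    cond_c = (y2 ^ y4) == (y2p ^ y4p)
    return cond_a and cond_b and cond_c


def pairs_for_guess(structure, z4_guess):
    """Step 3(a): all unordered pairs of the structure satisfying Proposition 1 for
    this guess of Z_4^3; in a full structure every plaintext has exactly one partner."""
    present = set(structure)
    out = []
    for pt in structure:
        pt2 = partner(pt, z4_guess)
        if pt2 in present and pt < pt2:
            out.append((pt, pt2))
    return out


if __name__ == "__main__":
    rng = random.Random(2009)                          # fixed seed, constructed
    words = build_word_set(4, rng)                     # 2^5 words in the paper; 4 here
    struct = build_structure(words)                    # 4 * 2^16 plaintexts
    pairs = pairs_for_guess(struct, z4_guess=0x3C5A)   # placeholder guess of Z_4^3
    ok = all(satisfies_proposition1(p, q, 0x0ABC, 0x3C5A) for p, q in pairs)
    print(len(struct), "plaintexts,", len(pairs), "pairs, all satisfy Proposition 1:", ok)
```

With the full $2^5$-word set the structure has $2^{21}$ plaintexts and yields $2^{20}$ pairs per guess, as stated above; a different guess of $Z_4^3$ pairs the same plaintexts differently, which is why the pairing is redone for every key-dependent subset.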
5.3 Two Key-Dependent Attacks on 5-Round IDEA Starting From the First Round

We apply the key-dependent attack to the 5-round IDEA starting from the first round. The Biryukov-Demirci Equation is reduced to

$$\mathrm{LSB}(\Delta s^2) = \mathrm{LSB}\big(P_2 \oplus P_3 \oplus P_2' \oplus P_3' \oplus C_2 \oplus C_3 \oplus C_2' \oplus C_3' \oplus \Delta s^1 \oplus \Delta s^3 \oplus \Delta s^4 \oplus \Delta s^5\big) \quad (11)$$

We choose the plaintext pairs to satisfy Proposition 1 before the first round by guessing $Z_4^1$, and then $\Delta s^1$ is equal to 0 as shown in Section 5.1. In order to determine the right-hand side of Equation (11), we need to know $Z_5^3, Z_1^4, Z_2^4, Z_5^4, Z_6^4, Z_1^5, Z_2^5, Z_3^5, Z_4^5, Z_5^5, Z_6^5$. Together with $Z_4^1$, these 12 subkeys take 119 bits of the key $Z$. These 119 bits only cover the nine most significant bits of $Z_5^2$, which determines the probability distribution of $\mathrm{LSB}(\Delta s^2)$. It is not necessary to guess the complete subkey $Z_5^2$. The attack continues to guess the least significant bit of $Z_5^2$ (the 72nd bit of $Z$), and estimates the probability of $\mathrm{LSB}(\Delta s^2) = 1$ by Remark 1 instead. Hence, the attack divides the key space into key-dependent subsets by the 120 key bits, and performs the individual attacks on each key-dependent subset. The attack uses the statistical hypothesis test method to determine which subset the actual key is in. For the subkeys $Z_5^2$ for which $\mathrm{Prob}(\mathrm{LSB}(\Delta s^2) = 1)$ cannot be approximated by Remark 1, as shown in Section 4, the attack exhaustively searches the remaining key bits. In this attack, it is possible for some key-dependent subsets that the expected time of the individual attack is larger than exhaustively searching the subset directly, which means that $2n + \beta|U|$ is larger than $|U|$. Under this condition, the attack also uses exhaustive key search to determine the remaining eight key bits, to make sure the time needed does not exceed exhaustive search. This attack also chooses $\alpha \le 0.01$ to ensure that the attack succeeds with 99% probability. In this case, the total expected time complexity is encryptions. Our experiment shows that the attack needs at most 75 pairs of encryptions for one test. We ask for $2^{17}$ encryptions, which can provide $2^{16}$ pairs of encryptions; this is sufficient for the test. This data complexity ($2^{17}$) is the least out of all the known attacks on the 5-round IDEA starting from the first round.

In the second attack, we try to obtain the plaintext pairs satisfying Proposition 1 before the second round. In order to determine $\mathrm{LSB}(\Delta s^3)$, we need to know the least significant bits of $\Delta s^1$, $\Delta s^2$, $\Delta s^4$ and $\Delta s^5$. Hence, the subkeys we need to know are $Z_1^1, Z_2^1, Z_3^1, Z_4^1, Z_5^1, Z_6^1, Z_4^2, Z_5^3, Z_5^4, Z_1^5, Z_2^5, Z_5^5$ and $Z_6^5$. These 13 subkeys only cover 107 bits of the key $Z$ (bits 0-106). For every guess of the 107 key bits, we use a similar technique as before. The expected time complexity is encryptions, which is the least time complexity out of all the known attacks on the 5-round IDEA starting from the first round. Because it is not possible to predict the plaintext pairs which produce the intermediate pairs satisfying Proposition 1 before the second round, the encryptions of all the $2^{64}$ plaintexts are required.

6 Conclusions

In this paper, we formalized a scheme for identifying the actual key using the key-dependent distribution, called the key-dependent attack. How to minimize the time complexity of the key-dependent attack was also discussed.
Wth the key-dependent attack, we could mprove known cryptanalyss results and obtan more powerful attacks. We presented two key-dependent attacks on IDEA. Our attack on 5.5-round and 6-round varant of IDEA has the least tme and data complextes compared wth the prevous attacks. We only mplemented a tentatve exploraton of the key-dependent dstrbuton. How to make full use of the key-dependent dstrbuton, especally how to use the key-dependent dstrbuton to mprove exstng attacks, s worth further studyng. The attack on IDEA makes use of the relaton between XOR, modular addton and modular multplcaton. We beleve that the operaton XOR and modular multplcaton have more propertes that can be explored further [10]. Smlar relatons among other operatons are also valuable to research. The way of makng full use of the Bryukov-Demrc Equaton to mprove attacks on IDEA s also nterestng.
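The subkey-coverage figures in Section 5.3 (thirteen subkeys covering 107 key bits) follow directly from the IDEA key schedule, and anyone assessing how much of a 128-bit key a guessed subkey set actually pins down can recompute them. The following Python module is an added example, not code from the paper: it implements only the public IDEA key schedule (eight 16-bit subkeys are cut from the key, the key is rotated left by 25 bits, and the next eight are cut, until 52 subkeys exist; bit 0 is the most significant key bit, matching the paper's "bits 0-106") and reports the union of key bits fixed by any set of subkeys. The paper's subkey tokens are read here as Z^round_slot ("Z1 1, ..., Z1 6" being the six subkeys of round 1), which is an assumption about the extracted notation; with that reading the 107-bit (0-106) figure is reproduced.

```python
"""Key-bit coverage of IDEA subkey sets (added illustration, not the paper's code).

Implements the public IDEA key schedule: the 128-bit key yields eight 16-bit
subkeys, is rotated left by 25 bits, yields the next eight, and so on up to 52.
Bit 0 denotes the most significant bit of the key.
"""

KEY_BITS = 128
SUBKEY_BITS = 16
ROTATION = 25
NUM_SUBKEYS = 52


def subkey_index(rnd, j):
    """1-based position of subkey Z^rnd_j in the schedule.

    Rounds 1..8 use six subkeys each; the output transformation (rnd = 9)
    uses four.  Raises ValueError for a subkey IDEA does not have.
    """
    if not (1 <= rnd <= 9) or not (1 <= j <= 6) or (rnd == 9 and j > 4):
        raise ValueError(f"IDEA has no subkey Z^{rnd}_{j}")
    return 6 * (rnd - 1) + j


def subkey_key_bits(rnd, j):
    """Key-bit positions (0..127, MSB first) that make up Z^rnd_j."""
    k = subkey_index(rnd, j) - 1          # 0-based position in the schedule
    block, slot = divmod(k, 8)            # which rotation, which 16-bit chunk
    start = (ROTATION * block + SUBKEY_BITS * slot) % KEY_BITS
    return frozenset((start + b) % KEY_BITS for b in range(SUBKEY_BITS))


def lsb_key_bit(rnd, j):
    """Key-bit position of the least significant bit of Z^rnd_j."""
    k = subkey_index(rnd, j) - 1
    block, slot = divmod(k, 8)
    return (ROTATION * block + SUBKEY_BITS * slot + SUBKEY_BITS - 1) % KEY_BITS


def covered_bits(subkeys):
    """Union of key bits fixed by guessing every (round, slot) in `subkeys`."""
    bits = set()
    for rnd, j in subkeys:
        bits |= subkey_key_bits(rnd, j)
    return bits


def as_ranges(bits):
    """Compress a set of bit positions into sorted inclusive (lo, hi) ranges."""
    ranges = []
    for b in sorted(bits):
        if ranges and ranges[-1][1] == b - 1:
            ranges[-1][1] = b
        else:
            ranges.append([b, b])
    return [tuple(r) for r in ranges]


# The thirteen subkeys listed for the second 5-round attack, read as
# Z^round_slot (an assumption about the paper's notation; the list
# as printed names Z^1_5 twice and the duplicate is kept).
SECOND_ATTACK_SUBKEYS = [
    (1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6),
    (2, 4), (3, 5), (4, 5), (1, 5), (5, 2), (5, 5), (5, 6),
]


def second_attack_coverage():
    """(number of key bits, ranges) determined by the second attack's guess."""
    bits = covered_bits(SECOND_ATTACK_SUBKEYS)
    return len(bits), as_ranges(bits)


if __name__ == "__main__":
    n, ranges = second_attack_coverage()
    print(f"{n} key bits covered: {ranges}")
    # Overlap report: which round-1..5 subkeys share key bits with Z^5_2.
    # Shared bits are exactly the ones a partial guess already determines.
    target = subkey_key_bits(5, 2)
    for rnd in range(1, 6):
        for j in range(1, 7):
            shared = subkey_key_bits(rnd, j) & target
            if shared and (rnd, j) != (5, 2):
                print(f"Z^{rnd}_{j} shares bits {as_ranges(shared)} with Z^5_2")
```

Running the module prints the 107-bit coverage and an overlap report; `covered_bits` accepts any list of (round, slot) pairs, so the same check applies to the 12-subkey set of the first attack once its notation is fixed.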

References

1. Eyüp Serdar Ayaz and Ali Aydın Selçuk. Improved DST Cryptanalysis of IDEA. In Eli Biham and Amr M. Youssef, editors, Selected Areas in Cryptography, volume 4356 of Lecture Notes in Computer Science. Springer.
2. Ishai Ben-Aroya and Eli Biham. Differential Cryptanalysis of Lucifer. J. Cryptology, 9(1):21-34.
3. Eli Biham, Alex Biryukov, and Adi Shamir. Miss in the Middle Attacks on IDEA and Khufu. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science. Springer.
4. Eli Biham, Orr Dunkelman, and Nathan Keller. Related-Key Boomerang and Rectangle Attacks. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science. Springer.
5. Eli Biham, Orr Dunkelman, and Nathan Keller. New Cryptanalytic Results on IDEA. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science. Springer.
6. Eli Biham, Orr Dunkelman, and Nathan Keller. A New Attack on 6-Round IDEA. In Alex Biryukov, editor, FSE, volume 4593 of Lecture Notes in Computer Science. Springer.
7. Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. In Alfred Menezes and Scott A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science. Springer.
8. Alex Biryukov, Jorge Nakahara Jr., Bart Preneel, and Joos Vandewalle. New Weak-Key Classes of IDEA. In Robert H. Deng, Sihan Qing, Feng Bao, and Jianying Zhou, editors, ICICS, volume 2513 of Lecture Notes in Computer Science. Springer.
9. Johan Borst, Lars R. Knudsen, and Vincent Rijmen. Two Attacks on Reduced IDEA. In Walter Fumy, editor, EUROCRYPT, volume 1233 of Lecture Notes in Computer Science. Springer.
10. Scott Contini, Ronald L. Rivest, Matthew J. B. Robshaw, and Yiqun Lisa Yin. Improved Analysis of Some Simplified Variants of RC6. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science. Springer.
11. Joan Daemen, René Govaerts, and Joos Vandewalle. Weak Keys for IDEA. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science. Springer.
12. Hüseyin Demirci. Square-like Attacks on Reduced Rounds of IDEA. In Kaisa Nyberg and Howard M. Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science. Springer.
13. Hüseyin Demirci, Ali Aydın Selçuk, and Erkan Türe. A New Meet-in-the-Middle Attack on the IDEA Block Cipher. In Mitsuru Matsui and Robert J. Zuccherato, editors, Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science. Springer.
14. Philip Hawkes. Differential-Linear Weak Key Classes of IDEA. In Kaisa Nyberg, editor, EUROCRYPT, volume 1403 of Lecture Notes in Computer Science. Springer.
15. Philip Hawkes and Luke O'Connor. On Applying Linear Cryptanalysis to IDEA. In Kwangjo Kim and Tsutomu Matsumoto, editors, ASIACRYPT, volume 1163 of Lecture Notes in Computer Science. Springer.
16. Jorge Nakahara Jr., Bart Preneel, and Joos Vandewalle. The Biryukov-Demirci Attack on Reduced-Round Versions of IDEA and MESH Ciphers. In Huaxiong Wang, Josef Pieprzyk, and Vijay Varadharajan, editors, ACISP, volume 3108 of Lecture Notes in Computer Science. Springer.
17. Pascal Junod. On the Optimality of Linear, Differential, and Sequential Distinguishers. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science. Springer.
18. Pascal Junod. New Attacks Against Reduced-Round Versions of IDEA. In Henri Gilbert and Helena Handschuh, editors, FSE, volume 3557 of Lecture Notes in Computer Science. Springer.
19. John Kelsey, Bruce Schneier, and David Wagner. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Neal Koblitz, editor, CRYPTO, volume 1109 of Lecture Notes in Computer Science. Springer.
20. Lars R. Knudsen and Vincent Rijmen. On the Decorrelated Fast Cipher (DFC) and Its Theory. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science. Springer.
21. Xuejia Lai. On the Design and Security of Block Ciphers. ETH Series in Information Processing, Konstanz: Hartung-Gorre Verlag.
22. Xuejia Lai and James L. Massey. A Proposal for a New Block Encryption Standard. In Ivan Damgård, editor, EUROCRYPT, volume 473 of Lecture Notes in Computer Science. Springer.
23. Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. In G. Goos and J. Hartmanis, editors, EUROCRYPT, volume 765 of Lecture Notes in Computer Science. Springer, 1993.
24. Willi Meier. On the Security of the IDEA Block Cipher. In G. Goos and J. Hartmanis, editors, EUROCRYPT, volume 765 of Lecture Notes in Computer Science. Springer.
25. Håvard Raddum. Cryptanalysis of IDEA-X/2. In Thomas Johansson, editor, FSE, volume 2887 of Lecture Notes in Computer Science, pages 1-8. Springer, 2003.


More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Estimation: Part 2. Chapter GREG estimation

Estimation: Part 2. Chapter GREG estimation Chapter 9 Estmaton: Part 2 9. GREG estmaton In Chapter 8, we have seen that the regresson estmator s an effcent estmator when there s a lnear relatonshp between y and x. In ths chapter, we generalzed the

More information

Durban Watson for Testing the Lack-of-Fit of Polynomial Regression Models without Replications

Durban Watson for Testing the Lack-of-Fit of Polynomial Regression Models without Replications Durban Watson for Testng the Lack-of-Ft of Polynomal Regresson Models wthout Replcatons Ruba A. Alyaf, Maha A. Omar, Abdullah A. Al-Shha ralyaf@ksu.edu.sa, maomar@ksu.edu.sa, aalshha@ksu.edu.sa Department

More information

Chapter 6. Supplemental Text Material

Chapter 6. Supplemental Text Material Chapter 6. Supplemental Text Materal S6-. actor Effect Estmates are Least Squares Estmates We have gven heurstc or ntutve explanatons of how the estmates of the factor effects are obtaned n the textboo.

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Research on State Collisions of Authenticated Cipher ACORN

Research on State Collisions of Authenticated Cipher ACORN 4th Internatonal Conference on Sensors, Measurement and Intellgent Materals (ICSMIM 2015) Research on State Collsons of Authentcated Cpher ACORN Pe Zhanga*, Je Guanb, Junzh Lc and Tarong Shd Informaton

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information