The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

Transcription

1 The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, Naok Shbayama Japan Ar Self-Defense Force, Tokyo, Japan Toshnobu Kaneko Tokyo Unversty of Scence, Tokyo, Japan Emal: new synchronous 8th-order dfferental characterstcs of HyRAL n the 8th round, and show that 12 rounds of HyRAL can be attacked by explotng the characterstcs we found wth low complextes. In Secton V we conclude our artcle. Abstract We study the synchronous 8th-order dfferental attack on the 128-bt block cpher HyRAL proposed by Hrata of Laurel Intellgent Systems n HyRAL supports 128, 192, 256 bts of secret keys. We found the new synchronous 8th-order dfferental characterstcs of HyRAL n the 8th round of data-mxng part. Explotng the characterstcs we show that 12 rounds of HyRAL can be attacked wth blocks of chosen plan text and tmes of data encrypton. We have reduced data complexty to 1/28 and reduced computatonal complexty to 1/213 compared to the conventonal attack. Index Terms cryptanalyss, attack, block cpher, HyRAL I. hgher-order II. Fg. 1 shows data-mxng functons of HyRAL for a 128-bt key (a) and for a 192-bt or 256-bt key (b). They consst of 128-bt nput/output (I/O) functons, G1, G2, F1, and F2. RK ( = 1, 2,, 9) and IK ( = 1, 2,, 6) are 128-bt sub keys. The symbol ndcates an XOR operaton. X(0) denotes a 128-bt plan text. X(24) n (a) and X(32) n (b) denote 128-bt cpher texts. Fg. 2 and Fg. 3 show G1, G2, F1, and F2 where X() = () X1 X2() X3() X4() and IK = IK0 IK1 IK2 IK3. Xj() (j = 1, 2, 3, 4) and IKj (j = 0, 1, 2, 3) are 32-bt data. The symbol denotes a concatenaton of two data. G and F ( = 1, 2) consst of 4 teraton rounds, whch conssts of XOR and f wth 32-bt I/O ( = 1, 2,, 8). Fg. 4 shows f, whch conssts of the byte-wse swap, S, P, and XOR. The symbol 0x represents that ts followng value s hexadecmal. Assumng the I/O of the swap as 32-bt vectors x and x where x = x0 x1 x2 x3, x s gven by dfferental INTRODUCTION HyRAL s a 128-bt block cpher proposed by Hrata of Laurel Intellgent Systems n 2010 [1]. It supports 128, 192, and 256 bts of secret keys. HyRAL conssts of bytewse swaps, nonlnear layers, and lnear layers. It has been reported that a data-mxng functon of HyRAL s secure aganst dfferental attacks and lnear attacks [2], [3]. It has been also reported that 12 rounds of HyRAL out of 32 rounds can be attacked wth the 16th-order dfferental characterstcs, blocks of chosen plan text and tmes of data encrypton [4]. In ths artcle, we show the new synchronous 8th-order dfferental characterstcs of HyRAL n the 8th round we found. By explotng the characterstcs we show that 12 rounds of HyRAL can be attacked wth blocks of chosen plan text and tmes of data encrypton. We have reduced data complexty to 1/28 and reduced computatonal complexty to 1/213 compared to the conventonal attack [4]. In Secton II we descrbe the data-mxng functon of HyRAL and ts components. In Secton III we generally descrbe hgher-order dfferental [5] and ts attack equaton. In Secton IV we show the x1 x0 x1 x2 x3, x2 x1 x2 x3 x0, x3 x2 x3 x0 x1, x4 x3 x0 x1 x2, x x3 x2 x1 x0, x x2 x1 x0 x3, x x1 x0 x3 x2, x8 x0 x3 x2 x (1) 6 xj (j = 0, 1, 2, 3) s an 8-bt data. S denotes the S-box wth 8-bt I/O, whch s a bjectve nonlnear functon. P s a 4 4 non-sngular matrx gven by Manuscrpt receved Aprl 15, 2013; revsed July 17, do: /joee DATA-MIXING FUNCTION OF HYRAL 142

2 The multplcatons of a matrx and a vector are performed n GF(2 8 ) defned by the characterstc polynomal z 8 + z 4 + z 3 + z + 1. f can be equvalently modfed as shown n Fg. 5 where the number n a box represents multplcaton and y j (, j = 0, 1, 2, 3) represents an 8-bt ntermedate data of f. Fgure 1. Data-mxng functon of HyRAL Fgure 3. (a) F 1 and (b) F 2. Fgure 4. f. Fgure 2. (a) G 1 and (b) G P (2) III. HIGHER-ORDER DIFFERENTIAL In ths secton, we descrbe the defnton of hgherorder dfferental and some of ts propertes related to ths artcle [5], and we descrbe an attack equaton usng these propertes. Fg. 6 shows a block dagram of an encrypton process. E 1 and E 2 represent components of an encrypton process. K 1 GF(2) p and K 2 GF(2) q represent p bts and q bts of the extended keys used n E 1 and E 2, respectvely. P = (p 1, p 2,, p n ) and P GF(2) n represent n bts of nput plan text and nput dfference, respectvely. H GF(2) m represents m bts of the output of E 1. C(P P) 143

3 GF(2) represents bts of the output cpher text correspondng to (P P). We assume V order subspace of () and ( j ) E2 1 (C ( P); K2 ) 0 as an th- (7) Fgure 5. Equvalent f. Fgure 7. The synchronous 8th-order dfferental path of HyRAL. Equatons (6) and (7) are always correct f K2 s correct, whle they are stochastcally correct f K2 s ncorrect. Ths s why attacker can estmate K2 and check the correctness of K2 by (6) or (7). The ncorrect K2 can be elmnated by solvng some sets of the equaton (6) or (7) whose plan texts P are dfferent from each other. Actually, we have to solve at least q/m dfferent sets of (6) or (7). Such attack usng (6) or (7) s called a hgherorder dfferental attack. Equaton (6) or (7) s called an attack equaton. Fgure 6. Block dagram of an encrypton process. GF(2)n consstng of lnear ndependent vectors n GF(2)n ( n), and call t an nput dfferental. The thorder dfferental of E1(P; K1) wth respect to V() s defned by ()E1(P; K1) as follows ( ) E1 ( P; K1 ) P V E1 ( P P; K1 ) (3) ( ) denotes summaton of XOR. If the algebrac degree of E1(P; K1) wth respect to P s N ( n), the (N+1)thorder dfferental of E1(P; K1) becomes zero regardless of P and K1 as follow ( N 1) E1 ( P; K1 ) 0 IV. (4) In ths secton, we descrbe the new synchronous 8thorder dfferental characterstcs of HyRAL we found, and descrbe the attack equaton explotng the characterstcs. At the end we estmate the number of chosen plan texts and the number of encrypton operatons requred to dentfy the sub keys. Fg. 7 shows the new synchronous 8th-order dfferental path of HyRAL where f7 n the 8th round s equvalently modfed. Note that RK = RK0 RK1 RK2 RK3 where RKj (j = 0, 1, 2, 3) s a 32-bt sub key. P-1 s the nverse matrx of P. C s the constant addton correspondng to Fg. 4. We put the 8th-order dfferental nto the upper 8 bts of X3(0) shown as A n Fg. 7. Namely, all 28 knds of data from 0x00 to 0xff are put nto the upper 8 bts of X3(0). At ths tme the same Moreover, f the Boolean polynomal of E1(P; K1) does not nclude the jth-order term as j pt (1 t n), the 1 jth-order dfferental of E1(P; K1) correspondng to j pt becomes zero regardless of P and K1 as follow 1 ( j ) E1 ( P; K1 ) 0 (5) Snce E1(P; K1) = E2-1(C(P); K2), whch s the nverse functon of E2, (4) and (5) can be rewrtten as ( N 1) E2 1 (C ( P); K 2 ) P V ( N 1) E2 1 (C ( P P); K 2 ) 0 THE SYNCHRONOUS 8TH-ORDER DIFFERENTIAL CHARACTERISTICS OF HYRAL AND ITS ATTACK EQUATION (6) 144

4 dfference as the upper 8 bts of X (0) 3 s put nto the upper (0) 8 bts of X 4 shown as S n Fg. 7, whch we call synchronous. The remanng 14 bytes shown as C n Fg. 7 are set to take arbtrary constants. In ths case, we found that the 8th-order dfferentals of 32-bt A and 32- bt B n the 8th round take the same value regardless of a plan text and the sub keys n the prevous rounds. By explotng the characterstcs we can derve the followng attack equaton as A B 8 8 (3) (8) (3) (8) X V X V (9) B 2 (10) B 2 B (8) A S( f ( X RK ) ( X ) ( IK ) ) (9) B P X C 1 (11) 1 8 ( 2 ) B (10) X f ( f ( X RK ) X IK ) X (11) (9) (11) (12) (12) X f ( f ( X RK ) X IK ) X (12) (10) (12) (12) (12) X f ( f ( X RK ) X IK ) X (13) (11) (12) (12) (12) X ( X X ) X X X X (14) (12) (0) (0) (12) (12) (12) (12) RK RK RK, IK IK RK RK (15) IK IK RK, IK IK RK (16) IK IK RK (17) A 8 and B 8 denote the upper frst bytes of A and B n Fg. 7, respectvely. ( x) B denotes the upper th byte of data x. C denotes the constant addton n Fg. 7. X (12) (X (0) X (0) ) denotes the cpher text correspondng to the nput plan text X (0) X (0). We can dentfy total 232-bt sub B2 keys, RK 30, (IK ), RK 13 42, IK 21, RK 41, IK 22, RK 40, and IK 23 by solvng these attack equatons by an exhaustve search. Because (8) s 8 sets (bts) of system of Boolean equatons, t s satsfed wth probablty 2-8 even f the estmated sub keys are false. There are canddates of sub keys snce ts total bt sze s 232. Therefore we need to solve 30 (= (232/8)+1) sets of (8) wth dfferent X (0) n order to dentfy the true sub key where the probablty that a false sub key survves s 2-8 (= (2-8 ) ). Because we have to compute the 8th-order dfferental to prepare one set of (8), the number of chosen plan texts to prepare 30 dfferent sets of (8) s gven by D as follows: D (18) Next we study the number of tmes of data encryptons requred to solve 30 dfferent sets of (8). If we solve the frst set of (8) for all canddates of sub keys, the number of canddates s reduced to (= ). And then we solve the second set of (8) for the remanng canddates, ts number s reduced to (= ). By solvng 30 dfferent sets of (8), the last remanng key wll be the true key. 2 8 tmes of S-box operaton at f 7 n the 8th round s carred out to check the correctness of one canddate sub key. Because 12 rounds of data-mxng part nclude 80 S-boxes, the total number of operatons n (8) tmes 1/80 corresponds to the total number (T) of tmes of the data encryptons requred for ths attack as follows: T (19) 80 0 V. CONCLUSIONS We have nvestgated the new synchronous 8th-order dfferental attack on 12 rounds of HyRAL as part of securty evaluaton. We found the new synchronous 8thorder dfferental characterstcs at the 8th round of HyRAL. We equvalently modfed f 7 at the 8th round and derved the attack equatons. As a result, we showed that 12 rounds of HyRAL can be attacked wth blocks of chosen plan text and tmes of the data encrypton by explotng the new synchronous 8th-order dfferental characterstcs we found. However fullrounds of HyRAL s secure aganst our attack because the number of rounds s actually 32. REFERENCES [1] K. Hrata, The 128bt block cpher HyRAL (Hybrd Randomzaton Algorthm): Common key block cpher, n Proc. Internatonal Symposum on Intellgence Informaton Processng and Trusted Computng, IEEE Computer Socety Washngton, DC, USA, 2010, pp [2] Y. Takag, Y. Igarash, and T. Kaneko, Securty evaluaton of HyRAL aganst dfferental attack, n Proc. Symposum on Cryptography and Informaton Securty, no. 1D1-2, [3] Y. Igarash, Y. Takag, and T. Kaneko, Securty evaluaton of HyRAL aganst lnear cryptanalyss, n Proc. Symposum on Cryptography and Informaton Securty, no. 1D1-3, [4] Y. Igarash et al., The 16th-order dfferental attack on 12 rounds of HyRAL wth a 256-bt key, n Proc. RISP Internatonal Workshop on Nonlnear Crcuts, Communcatons and Sgnal Processng, 2013, pp [5] X. La, Hgher order dervatves and dfferental cryptanalyss, n Communcatons and Cryptography, Sprnger US, vol. 276, pp , Yasutaka Igarash receved the B.E., M.E., and Ph.D. degrees n nformaton and computer scences from Satama Unversty, Japan, n 2000, 2002, and He was a research fellow of the Japan Socety for the Promoton of Scence from 2004 to From 2006 to 2011, he was a research assocate of the Tokyo Unversty of Scence. Snce 2011, he has been an assstant professor of Kagoshma Unversty. Hs research s nvolved wth optcal CDMA communcaton systems and the cryptanalyss of symmetrc-key cryptography. Dr. Igarash s a member of IEICE and RISP. Naok Shbayama receved the B.E. degree from Department of Appled physcs, Unversty of Myazak, Japan, n 2004, the M.E. degree from Department of Electrcal Engneerng, Tokyo Unversty of Scence, Japan, n In 2004, he joned Japan Ar Self- Defense Force, Mnstry of Defense. Hs current research feld s cryptography, especally regardng to the cryptanalyss for symmetrc cphers. 145

5 Toshnobu Kaneko receved the B.E., M.E., and Ph.D. degrees all n Electrcal Engneerng from the Unversty of Tokyo, n 1971, 1973, and 1976, respectvely. In 1976, he joned the faculty of Scence and Technology, Tokyo Unversty of Scence, and snce then, as a faculty member, he has been engaged n educaton and research n the felds of codng theory and nformaton securty. Currently, he s a Professor of Department of Electrcal Engneerng of the unversty. Prof. Kaneko s a member of CRYPTREC and served as a charman of Symmetrc-Key Cryptography subcommttee n Prof. Kaneko s a member of IEICE, IEEJ, IPSJ, and IEEE. Sej Fukushma receved the B.S., M.S., and Ph.D. degrees n electrcal engneerng from Kyushu Unversty n 1984, 1986, and 1993, respectvely. He s currently a Professor at the Dept. of Electrcal and Electroncs Engneerng, Kagoshma Unversty. Hs research nterests nclude photoncs/rado hybrd communcaton systems and ther related devces. Prof. Fukushma s a member of IEICE, IEEE/Photonc Socety, Japan Socety of Appled Physcs, Japanese Lqud Crystal Socety, and Optcal Socety of Amerca. Tomohro Hachno receved the B.S., M.S., and Dr. Eng. degrees n electrcal engneerng from Kyushu Insttute of Technology n 1991, 1993, and 1996, respectvely. He s currently an Assocate Professor at the Dept. of Electrcal and Electroncs Engneerng, Kagoshma Unversty. Hs research nterests nclude nonlnear control and dentfcaton, sgnal processng, and evolutonary computaton. Dr. Hachno s a member of IEEJ, SICE, and ISCIE. 146