New Results on Boomerang and Rectangle Attacks

Transcription

1 New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department, Technion. Haia 32000, Israel nkeller@tx.technion.ac.il Abstract. The boomerang attack is a new and very powerul cryptanalytic technique. However, due to the adaptive chosen plaintext and ciphertext nature o the attack, boomerang key recovery attacks that retrieve key material on both sides o the boomerang distinguisher are hard to mount. We also present a method or using a boomerang distinguisher, which enables retrieving subkey bits on both sides o the boomerang distinguisher. The rectangle attack evolved rom the boomerang attack.in this paper we present a new algorithm which improves the results o the rectangle attack. Using these improvements we can attack 3.5-round SC2000 with 2 67 adaptive chosen plaintexts and ciphertexts, and 10-round Serpent with time complexity o memory accesses (which are equivalent to Serpent encryptions) with data complexity o chosen plaintexts. 1 Introduction Dierential cryptanalysis [3] is based on studying the propagation o dierences through an encryption unction. Since its introduction many techniques based on it were introduced. Some o these techniques, like the truncated dierentials [11] and the higher order dierentials [2, 11], are generalizations o the dierential attack. Some other techniques like dierential-linear attack [14] and the boomerang attack [18] use the dierential attack as a building block. The boomerang attack is an adaptive chosen plaintext and ciphertext attack. It is based on a pair o short dierential characteristics used in a specially built quartet. In the attack a pair o plaintexts with a given input dierence are encrypted. Their ciphertexts are used to compute two other ciphertexts according to some other dierence, these new ciphertexts are then decrypted, and the dierence ater the decryption is compared to some (ixed known) value. The work described in this paper has been supported by the European Commission through the IST Programme under Contract IST

2 2 The boomerang attack was urther developed in [10] into a chosen plaintext attack called the ampliied boomerang attack. Later, the ampliied boomerang attack was urther developed into the rectangle attack [7]. In the transition rom the boomerang attack to the rectangle attack the probability o the distinguisher is reduced (in exchange or easing the requirements rom adaptive chosen plaintext and ciphertext attack to a chosen plaintext attack). The reduction in the distinguisher s probability results in higher data complexity requirements. For example, the data requirements or distinguishing a 2.5-round SC2000 [17] rom a random permutation using a rectangle distinguisher is chosen plaintext blocks, whereas only adaptive chosen plaintext and ciphertext blocks are required or the boomerang distinguisher. In this paper we present a method to retrieve more subkey bits in key recovery boomerang attacks. We also present a better algorithm to perorm rectangle attacks. These improvements result in better key recovery attacks which require less data or time (or both) and are more eective. The improvement to the generic rectangle attack reduces the time complexity o attacking 10-round Serpent rom memory accesses 1 to memory accesses which are equivalent to about round Serpent encryptions. We also prove that these key recovery attacks succeed (with very high probability) assuming that the distinguishers are successul. The paper is organized as ollows: In Section 2 we briely describe the boomerang and the rectangle attacks. In Section 3 we present our new optimized generic rectangle attack and analyze its application to generic ciphers and to SC2000 and Serpent. In Section 4 we present our optimized generic boomerang attack and analyze its application to both a generic cipher and real blockciphers like SC2000 and Serpent. Section 5 describes a new technique to transorm a boomerang distinguisher into a key recovery attack that retrieves more subkey material. We summarize this paper and our new results in Section 6. 2 Introduction to Boomerang and Rectangle Attacks 2.1 The Boomerang Attack The boomerang attack was introduced in [18]. The main idea behind the boomerang attack is to use two short dierentials with high probabilities instead o one dierential o more rounds with low probability. The motivation or such an attack is quite apparent, as it is easier to ind short dierentials with a high probability than inding a long one with a high enough probability. We assume that a block cipher E : {0, 1} n {0, 1} k {0, 1} n can be described as a cascade E = E 1 E 0, such that or E 0 there exists a dierential α β with probability p, and or E 1 there exists a dierential γ δ with probability q. The boomerang attack uses the irst characteristic (α β) or E 0 with respect to the pairs (P 1, P 2 ) and (P 3, P 4 ), and uses the second characteristic 1 In [7] it was claimed to be due to an error that occurred in the analysis.

3 3 (γ δ) or E 1 with respect to the pairs (C 1, C 3 ) and (C 2, C 4 ). The attack is based on the ollowing boomerang process: Ask or the encryption o a pair o plaintexts (P 1, P 2 ) such that P 1 P 2 = α and denote the corresponding ciphertexts by (C 1, C 2 ). Calculate C 3 = C 1 δ and C 4 = C 2 δ, and ask or the decryption o the pair (C 3, C 4 ). Denote the corresponding plaintexts by (P 3, P 4 ). Check whether P 3 P 4 = α. We call these steps (encryption, XOR by δ and then decryption) a δ shit. For a random permutation the probability that the last condition is satisied is 2 n. For E, however, the probability that the pair (P 1, P 2 ) is a right pair with respect to the irst dierential (α β) is p. The probability that both pairs (C 1, C 3 ) and (C 2, C 4 ) are right pairs with respect to the second dierential is q 2. I all these are right pairs, then they satisy E1 1 (C 3) E1 1 (C 4) = β = E 0 (P 3 ) E 0 (P 4 ), and thus, with probability p also P 3 P 4 = α. Thereore, the probability o this quartet o plaintexts and ciphertexts to satisy the boomerang conditions is (pq) 2. Thereore, pq > 2 n/2 must hold or the boomerang distinguisher (and the boomerang key recovery attacks) to work. The attack can be mounted or all possible β s and γ s simultaneously (as long as β γ), thus, a right quartet or E is built with probability (ˆpˆq) 2, where: ˆp = Pr 2 [α β] and ˆq = Pr 2 [γ δ]. β α β γ γ δ We reer the reader to [18, 7] or the complete description and the analysis. 2.2 The Rectangle Attack Converting adaptive chosen plaintext and ciphertext distinguishers into key recovery attacks pose several diiculties. Unlike the regular known plaintext, chosen plaintext, or chosen ciphertext distinguishers, using the regular methods o [3, 15, 11, 4, 5, 14] to use adaptive chosen plaintext and ciphertext distinguishers in key recovery attacks ail, as these techniques require the ability to directly control either the input or the output o the encryption unction. In [10] the ampliied boomerang attack is presented. This is a method or eliminating the need o adaptive chosen plaintexts and ciphertexts. The ampliied boomerang attack achieves this goal by encrypting many pairs with input dierence α, and looking or a quartet (pair o pairs) or which, C 1 C 3 = C 2 C 4 = δ when P 1 P 2 = P 3 P 4 = α. Given the same decomposition o E as beore, and the same basic dierentials α β, γ δ, the analysis shows that the probability o a quartet to be a right quartet is 2 (n+1)/2 pq. The reason or the lower probability is that no one can guarantee that the γ dierence (in the middle o the encryption; needed or the quartet to be a right boomerang quartet) is achieved. The lower probability makes the additional

4 4 problem (already mentioned earlier) o inding and identiying the right quartets even more diicult. The rectangle attack [7] shows that it is possible to count over all the possible β s and γ s, and presents additional improvements over the ampliied boomerang attack. The improvements presented in the rectangle attack improve the probability o a quartet to be a right rectangle quartet to 2 n/2 ˆpˆq. 2 3 Improving the Rectangle Attack The main problem dealt in previous works is the large number o possible quartets. Unlike in the boomerang attack, in which the identiication o possible quartets is relatively simple, it is hard to ind the right quartets in the rectangle attacks since the attacker encrypts a large number o pairs (or structures) and then has to ind the right quartets through analysis o the ciphertexts. As the number o possible quartets is quadratic in the number o pairs 3, and as the attacker has to test all the quartets, it is evident that the time complexity o the attack is very large. In this section we present an algorithm which solves the above problem by exploiting the properties o a right quartet, and which tests only a small part o the possible quartets. The new algorithm is presented on a generic cipher with the ollowing parameters: Let E be a cipher which can be described as a cascade E = E E 1 E 0 E b, and assume that E 0 and E 1 satisy the properties o E 0 and E 1 presented in Section 2 (i.e., there exist dierentials α β with probability p o E 0 and γ δ with probability q o E 1 ). An outline o such an E is presented in Figure 1. We can treat this E as composed o E = E 1 E 0 (or which we have a distinguisher) surrounded by the additional rounds o E b and E. As mentioned in Section 2, or suiciently high probabilities ˆp, ˆq, we can distinguish E 1 E 0 rom a random permutation using either a boomerang or a rectangle distinguisher. However, we also like to mount key recovery attacks on the ull E. Recall that the rectangle distinguisher parameters are α, δ, ˆp, and ˆq. Given these parameters, the rectangle distinguisher o the cipher E = E 1 E 0 can easily be constructed. Beore we continue we introduce some additional notations: Let X b be the set o all plaintext dierences that may cause a dierence α ater E b. Let V b be the space spanned by the values in X b. Note that usually n r b bits are set to 0 or all the values in V b. Let r b = log 2 V b and t b = log 2 X b (r b and t b are not necessarily integers). Let m b be the number o subkey bits which enter E b and aect the dierence o the plaintexts by decrypting pairs whose dierence ater 2 This is a lower bound or the probability. For urther analysis see [7]. 3 In the rectangle attack the quartet [(x, y), (z, w)] diers rom the quartet [(x, y), (w, z)].

5 5 E E Plaintext E E E E b 0 1 Ciphertext Fig. 1. Outline o E E b is α, or ormally { m b = K w(k ) = 1 and K, x : E 1 b K (x) E 1 E 1 b K K } b K (x α) (x α) (x) E 1 b K K where w(x) denotes the hamming weight o x. Similarly, let X is the set o all ciphertext dierences that a dierence δ beore E may cause. Let V denote the space spanned by the values o X and denote r = log 2 V. Let t = log 2 X. Let m be the number o subkey bits which enter E and aect the dierence when encrypting a pair with dierence δ or ormally { m = K w(k ) = 1 and K, x : E } K (x) E K (x α). E K K (x) E K K (x α) We outline all these notations in Figure 2. Our new algorithm or using rectangle distinguisher in a key recovery attack is as ollows: 1. Create Y = 2 n/2+2 r b /ˆpˆq structures o 2 r b plaintexts each. In each structure choose P 0 randomly and let L = P 0 V b be the set o plaintexts in the structure. 2. Initialize an array o 2 m b+m counters. Each counter corresponds to a dierent guess o the m b subkey bits o E b and the m subkey bits o E. 3. Insert the N = Y 2 r b ciphertexts into a hash table according to the n r ciphertext bits that are set to 0 in V. I a pair agrees on these n r bits, check whether the ciphertext dierence is in X. 4. For each collision (C 1, C 2 ) which remains, denote C i s structure by S Ci and attach to C 1 the index o S C2 and vice versa. 5. In each structure S we search or two ciphertexts C 1 and C 2 which are attached to some other S. When we ind such a pair we check that the P 1 P 2 (the corresponding plaintexts) is in X b, and check the same or the plaintexts which P 1 and P 2 are related to.

6 6 m : subkey bits b m :subkey bits X :possible b values lead to α dierence. V b:set o all dierences in the active bits in X b E E E E b 0 1 X :possible values cuased by δ dierence. V :set o all dierences in the active bits in X α dierence between δ dierence between (P,P ) and (P,P ). (C,C ) and (C,C ) Fig. 2. The Notations Used in This Paper 6. For all the quartets which passed the last test denote by (P 1, P 2, P 3, P 4 ) the plaintexts o a quartet and by (C 1, C 2, C 3, C 4 ) the corresponding ciphertexts. Increment the counters which correspond to all subkeys K b, K (actually their bits which aect the α and δ dierences, respectively) or which E bkb (P 1 ) E bkb (P 2 ) = E bkb (P 3 ) E bkb (P 4 ) = α and E 1 K (C 1 ) E 1 K (C 3 ) = E 1 K (C 2 ) E 1 K (C 4 ) = δ. 7. Output the subkey with maximal number o hits. The data complexity o the attack is N = 2 r b Y = 2 r b 2 n/2+2 r b /ˆpˆq chosen plaintexts. The time complexity o Step 1 (the data collection step) is N encryptions. The time complexity o Step 2 is 2 m b+m memory accesses in a trivial implementation and only one memory access using a more suitable data structures (like B-trees). Step 3 requires N memory accesses or the insertion o the ciphertexts into a hash table (indexed by the n r bits which are set to 0 in V ). The number o colliding pairs is about N 2 2 r n /2 as there are N plaintexts divided into 2 n r bins (each bin correspond to a value o the n r bits). Note that we not necessarily use all the bins due to large memory requirements (i.e., we can hash only according the irst 30 bits set to 0 in V ). For each collision we check whether the dierence o the ciphertexts o the colliding pair belongs to X. We keep all the 2 t values o X in a hash table, and thus, the check requires one memory access or each colliding pair. Out o the 2 r possible dierences or a colliding pair, only 2 t dierences are in X (i.e., can occur in a right quartet), and thus, about N 2 2 t n 1 pairs remain. The time complexity o this step is N + N 2 2 r n 1 memory accesses on average. Step 4 requires one memory access or each pair which passes the iltering o Step 3. In a real implementation it is wiser to implement Step 4 as part o Step 3, but we separate these steps or the sake o simpler analysis. As there are

7 7 N 2 2 t n 1 such pairs, the time complexity o this step is on average N 2 2 t n 1 memory accesses. Step 5 implements a search or possible quartets. In a right quartet both (P 1, P 2 ) and (P 3, P 4 ) must satisy that E b (P 1 ) E b (P 2 ) = E b (P 3 ) E b (P 4 ) = α, and thus any right quartet must be combined rom some P 1, P 2 S and P 3, P 4 S where S and S are two (not necessarily distinct) structures. Moreover, a right quartet satisies that E 1 (C 1) E 1 (C 3) = E 1 (C 2) E 1 (C 4) = δ, and thus C 1 is attached to S C3 and C 2 is attached to S C4 and as P 3, P 4 are rom the same structure then S C3 = S C4. Thereore, in each structure S we search or colliding attachments, i.e., pairs o ciphertexts in S which are attached to the same (other) structure S. The N 2 2 t n 1 attachments (colliding pairs) are distributed over Y structures, and we get that approximately (N 2 t +r b n 1 ) 2 /Y possible quartets are suggested in each structure (where a quartet corresponds to a pair o plaintexts rom some structure attached to the same structure). We implement the test in the same manner as in Step 3, i.e., keeping a hash table H S or each structure S and inserting each ciphertext C to H SC according to the index o the structure attached to C. Denoting the plaintexts o the suggested quartet by (P 1, P 2, P 3, P 4 ) and their corresponding ciphertexts by (C 1, C 2, C 3, C 4 ), we irst check that P 1 P 2 X b. This test requires one memory access or each possible quartet. The probability that the value P 1 P 2 is in X b is 2 t b r b. A quartet which ails this test can be discarded immediately. Thereore, out o the N 2 2 2t +2r b 2n 2 possible quartets only N 2 2 2t +r b +t b 2n 2 quartets remain. As stated beore, this iltering requires one memory accesses or each candidate quartet, thus the algorithm requires N 2 2 2t +2r b 2n 2 memory accesses. We can discard more quartets by testing whether P 3 P 4 X b. In total this step requires N 2 2 2t +2r b 2n 2 (1 + 2 t b r b ) memory accesses and about N 2 2 2t +2t b 2n 2 quartets remain ater this step. In Step 6 we try to deduce the right subkey rom the remaining quartets. Recall that a right quartet satisies E b (P 1 ) E b (P 2 ) = α = E b (P 3 ) E b (P 4 ). Both pairs are encrypted by the same subkey, hence, a right quartet must agree on K b (the m b subkey bits which enter E b and aect the output dierence α). There are 2 t b possible input dierences that lead to α dierence ater E b, thereore, 2 m b t b subkeys on average take one o these values into the dierence α. As each pair suggests 2 m b t b subkeys, they agree on average on (2 m b t b ) 2 /2(2 m b ) = 2 m b 2t b 1 subkeys or E b. We can ind these options by keeping in a precomputed table either the possible values or any pair on its own, or or the whole quartet. Repeating the analysis or E, (C 1, C 3 ), and (C 2, C 4 ) we get about 2 m 2t 1 subkeys suggestions rom each quartet. Thus, each o the remaining quartets suggests 2 m b+m 2t 2t b 2 possible subkeys. There are 2 m b+m possible subkeys and N 2 22t +2t b 2n 2 2 m b+m 2t 2 b 2 = N 2 2m b+m 2n 4 hits. The expected number o hits or a (wrong) subkey is about N 2 2 2n 4. Since N 2 n is the number o plaintexts the expected number o hits per wrong subkey is less than 2 4 = 1/16, and we can conclude that the attack almost always succeeds in recovering subkey bits (since the number o expected hits or the right subkey is 4), or at least reduces the number o candidates or the right subkey. We

8 8 can insert the 2 m b t b subkeys suggested by (P 1, P 2 ) into a hash table, and or each subkey suggested by the pair (P 3, P 4 ) we can check whether it was already suggested. Doing the same or E we get that or each quartet we need 3 2 m b t b m t memory accesses. We can optimize this a little bit by storing in advance a table and a list or each dierence in X b and save the time o building the hash table. This method saves 1/3 o the number o memory accesses. Using this method this step requires about N 2 2 2t +2t b 2n 3 (2 m b 2t b 2 m 2t ) = N 2 2 2n 3 (2 m b+2t + 2 m +2t b ) memory accesses or the entire attack. Step 7 requires 2 m b+m memory accesses using a trivial implementation, which can be reduced to 1 4 memory accesses using a more eicient data structure (e.g., B-trees or dynamic hash tables). Overall, this algorithm requires N = 2 r b Y = 2 r b 2 n/2+2 r b /ˆpˆq chosen plaintexts, and time complexity o N + N 2 (2 r n t n + 2 2t +2r b 2n m b+t b +2t 2n m +2t b +t 2n 1 ) memory accesses. The memory complexity is N + 2 t b + 2 t + 2 m b+m. Table 1 summarizes the time complexity o each step and the number o plaintexts / pairs / quartets that remain ater each step o the algorithm. Step Short Time # Remaining Texts/ No. Description Complexity Pairs/Quartets 1 Data generation N encryptions N plaintexts 2 Subkey counters init. 1 MA No change 3 First iltering N + N 2 2 r n 1 MA N 2 2 t n 1 pairs 4 Suggesting quartets N 2 2 t n 1 MA No change 5 Eliminating quartets N 2 2 2t +2r b 2n 2 MA N 2 2 2t +2t b 2n 2 qts. 6 Subkey detection N 2 2 t b+t 2n 1 (2 m b+t +2 m +t b )MA No change 7 Printing subkey 1 4 MA No change MA - Memory Accesses Table 1. The Rectangle Attack Steps and their Eect Using this algorithm we can break 3.5-round SC2000, using the ollowing decomposition: E b consists o the irst S4 layer, the ollowing 1.25 rounds are E 0, the next 1.25 rounds are E 1, and the inal S4 layer is E. For this decomposition the ollowing properties were presented in [8]: r b = r = m b = m = 40, t b = 27, t = 27.9, n = 128, ˆp = , ˆq = Thus, we conclude that the data complexity is N = chosen plaintexts and that the time complexity is memory accesses, which slightly improves the results in [8]. We can also break 10-round Serpent using the ollowing decomposition: E b consists o round 0. The ollowing 4 rounds are E 0, the next 4 rounds are E 1, and round 9 is E. For this decomposition the ollowing properties are presented

9 9 in [7]: 4 r b = m b = 76, r = m = 20, t b = 48.85, t = 13.6, n = 128, ˆp = , ˆq = Thus, we conclude that the data complexity is N = chosen plaintexts and that the time complexity is memory accesses. Note that the time complexity o the attack presented in [7] is memory accesses using memory cells (or memory accesses with memory cells). Note that we can use the above algorithm in several other scenarios. One o them is a chosen ciphertext scenario, where the above algorithm is applied on E 1 = E 1 b E0 1 E1 1 E 1. The analysis o this case is the same as beore as long as we replace in the above equations all the sub-scripts b by and vice versa. Sometimes, we might want to attack a cipher E with additional rounds only at one side, i.e., to divide E to E = E 1 E 0 E b (or E = E E 1 E b ). In this case our analysis still holds with m = r = t = 0. 4 A Key Recovery Attack Based on Boomerang Distinguisher In this section we apply our ideas rom the previous section to the boomerang attack. We generalized the results o [18, 8]. Like the rectangle attack, we have ound that whenever the boomerang distinguisher succeeds then the key recovery attack also succeeds. There are various standard techniques to use distinguishers or a key recovery attack [3, 15, 11, 4, 5]. The basic idea is to try all subkeys which aect the dierence (or the approximation) beore and ater the distinguishers (i.e., in E b and E ), and to deduce that the correct subkey is the one or which the statistical distinguisher has the best results. However, this basic idea can be very expensive in terms o time and memory complexities. Moreover, due to the adaptive chosen plaintext and ciphertext requirement, using a boomerang distinguisher in a key recovery attack can be done i either E b or E is present but not when both exist. As both boomerang and rectangle distinguishers exploit the same α and δ, we use the same notations o E = E E 1 E 0 E b, m b, r b, t b, m, r, and t as in the earlier sections. The generic boomerang attack on E = E 1 E 0 E b is as ollows: 1. Initialize an array o 2 m b counters. Each counter corresponds to a dierent guess o the m b subkey bits o E b. 2. Generate a structure F o plaintexts, choose P 0 randomly and let F = P 0 V b be the set o plaintexts in the structure. 3. Ask or the encryption o F and denote the set o ciphertexts by G. 4. For each ciphertext c G compute c = c δ, and deine the set H = {c δ c G}. 5. Ask or the decryption o H, and denote the plaintexts set by I. 4 As stated earlier, in [7] it was mistakenly claimed that t b = 64. We use the correct value o 76, and derive the correct time complexity.

10 10 6. Insert all the plaintexts in I into a hash table according to the n r b plaintext bits which are set to 0 in V b. 7. In case o a collision o plaintexts in the hash table: (a) Denote the plaintexts which collide in the hash table by (P 3, P 4 ), and test whether P 3 P 4 X b. I this condition is satisied denote the plaintexts rom F which correspond to (P 3, P 4 ) by (P 1, P 2 ). Test whether P 1 P 2 X b. I any o the tests ails, discard this quartet. (b) For a quartet (P 1, P 2, P 3, P 4 ) which passes the above iltering we check all possible K b which enter E b (actually its bits which aect the α) and increment the counters which correspond to the subkeys or which E bkb (P 1 ) E bkb (P 2 ) = E bkb (P 3 ) E bkb (P 4 ) = α. 8. Repeat Steps 2 7 until a subkey is suggested 4 times. Steps 2 5 perorm a δ-shit on structures (and not on the pairs directly). From the analysis in [18] and the properties o the algorithm it is evident that the data complexity o the attack is about 8(ˆpˆq) 2. However, we generate at least 2 rb+1 plaintexts and ciphertexts, and thus the data complexity o the attack is N = max{2 rb+1, 8(ˆpˆq) 2 }. The time complexity o Step 1 is equivalent to 2 m b memory accesses. However, we can keep the counters in more eicient data structures (like B-trees, or dynamic hash tables) or which Step 1 takes only one memory access. In steps 2 5 we encrypt N/2 plaintexts, compute N/2 XOR operations and decrypt N/2 ciphertexts. Thus, the total time complexity o Steps 2 5 or the whole attack is N encryptions/decryptions. Repeating the analysis rom the previous section, we restrict our attention to time complexity analysis or each F independently o other F s, as each execution o Steps 6 7 or a given structure is independent o the execution o these steps or other structures. As we insert the plaintexts into a hash tables, each plaintext in I requires one memory access. Thus, the time complexity o Step 6 is 2 r b memory accesses per structure, and thereore N/2 memory accesses or the entire attack. Repeating the analysis rom the previous section (with the relevant minor changes), we get that Step 7 or each structure I (and thereore, or each F ) requires about 2 3rb n 1 memory accesses. For the entire N/2 rb+1 structures this step requires 2 3r b n 1 N/2 rb+1 = N 2 2rb n 1 memory accesses. Using the same arguing about right quartets (as in right quartet both (P 1, P 2 ) and (P 3, P 4 ) have an α dierence ater E b ), we get that each pair suggests 2 m b t b subkeys, and both pairs agree on (2 m b t b ) 2 /2(2 m b ) = 2 m b 2t b 1 subkeys or E b on average. Hence, the expected number o memory accesses in Step 7(b) is 2 t b+m b +r b n or each structure. We conclude that the total time complexity o Step 7(b) is expected to be N 2 t b+m b n 1 memory accesses or the whole attack. Each structure F induces about 2 2t b+r b n 1 2 m b 2t b 1 = 2 r b+m b n 2 subkey hits. As there are N/2 rb+1 structures, the total number o subkey hits is expected to be N 2 mb n 3, which are distributed over 2 m b subkeys. Thus, the expected number o hits or each subkey is N 2 n 3. As N 2 n, the expected number o hits or a wrong subkey is less then 1/8 while the right subkey is expected to

11 11 get 4 hits. This is suicient or either recovering the right subkey, or to reduce the subkey candidates space by a very large actor. In Step 8 we check whether one o the counters has the value o 4 (or more). This has to be done whenever we inish Step 7(b) or some F. We can implement this step as part o Step 7(b). Whenever a counter is increased we check that it has not exceeded 4. However, this method results in enlarging the time o Step 7(b). Using more appropriate data structures, we can perorm the check once whenever we replace the F structure we work with. This yields a time complexity o N/2 r b+1 memory accesses. We conclude that the attack requires N = max{2 r b+1, 8(ˆpˆq) 2 } adaptive chosen plaintexts and ciphertexts and time complexity o about N(1+2 2r b n t b+m b n 1 ) memory accesses. Table 2 summarizes the time complexity o each step and the number o plaintexts / pairs / quartets that remain ater each step o the algorithm. Step Short Time # o Remaining Plaintexts/ No. Description Complexity Pairs/ Quartets 1 Subkey counters init. 1 MA 2+3 Data generation N/2 encryptions N/2 plaintexts 4 Data generation N/2 MA No change 5 Data generation N/2 decryptions N plaintexts 6 Finding possible quartets N/2 MA N 2 2rb n 2 quartets 7(a) Eliminating quartets N 2 2rb n 2 MA N 2 2tb n 2 quartets 7(b) Subkey detection N 2 r b+m b n 1 MA No change 8 Printing subkey N/2 rb+1 MA No change MA - Memory Accesses Table 2. The Basic Boomerang Attack Steps and their Eect Using this algorithm, we can break 3-round SC2000, using the ollowing decomposition: E b consists o the irst S4 layer, the ollowing 1.25 rounds are E 0 and the next 1.25 rounds are E 1. For this decomposition the ollowing properties were presented in [8]: r b = m b = 40, t b = 27, n = 128, ˆp = , ˆq = Thus, we conclude that the data complexity o the attack is N = 2 41 adaptive chosen plaintexts and ciphertexts. The time complexity o the attack is about 2 41 memory accesses. We attack 9-round Serpent, using this algorithm and the ollowing decomposition: E b consists o round 0, the ollowing 4 rounds are E 0, and the next 4 rounds are E 1. For this decomposition the ollowing properties were presented in [7]: r b = m b = 76, t b = 48.85, n = 128, ˆp = , ˆq = The data complexity o the attack is N = adaptive chosen plaintexts and ciphertexts, with time complexity o memory accesses. We can also attack rounds 1 9 o Serpent using the decomposition used in the previous section. In this attack we are attacking rounds 9 1 (i.e., the attack is on E0 1 E1 1 E 1 ). For this

12 12 decomposition we get: r = m = 20, t = 13.6, n = 128, ˆp = , ˆq = Obviously the data complexity does not change, as we use the same underlying distinguisher. However, the time complexity o this attack drops to memory accesses (instead o ). 5 Enhancing the Boomerang Attack In this section we present a new method to use the boomerang attack with both E b and E. Recall that the main step o the boomerang attack is the δ-shit (encryption o each plaintext, XORing o the corresponding ciphertext with δ, and decryption o the outcome). Our method uses a generalization o the δ-shit. The new algorithm to attack E E 1 E 0 E b is as ollows: 1. Initialize an array o 2 m b+m counters. Each counter corresponds to a dierent guess o the m b subkey bits o E b and the m bits o E. 2. Generate a structure F o plaintexts, choose P 0 randomly and let F = P 0 V b be the set o plaintexts in the structure. 3. Ask or the encryption o F and denote the set o ciphertexts by G. 4. For each c G and ɛ X compute c = c ɛ, and deine the set H = {c ɛ c G and ɛ X }. 5. Ask or the decryption o H, and denote the plaintexts set by I. 6. Insert all the plaintexts in I into a hash table according to the n r b plaintext bits which are set to 0 in V b. 7. In case o a collision o plaintexts in the hash table: (a) Denote the plaintexts which collide in the hash table by (P 3, P 4 ), and test whether P 3 P 4 X b. I this condition is satisied denote the plaintexts rom F which correspond to (P 3, P 4 ) by (P 1, P 2 ). Test whether P 1 P 2 X b. I any o the tests ails, discard this quartet. (b) For a quartet (P 1, P 2, P 3, P 4 ) which passes the above iltering we obtain rom a precomputed table the possible values or the m b subkey bits which enter E b and aect the α dierence. We also obtain rom a precomputed table the possible values or the m subkey bits which enter E and aect the δ dierence. The speciic implementation aspects o this step are described later on. We increment counters which correspond to subkeys K b, K or which E bkb (P 1 ) E bkb (P 2 ) = E bkb (P 3 ) E bkb (P 4 ) = α and E 1 K (C 1 ) E 1 K (C 3 ) = E 1 K (C 2 ) E 1 K (C 4 ) = δ. 8. Repeat Steps 2 7 until a subkey is suggested 4 times. We call Steps 2 5 an ɛ-shit as each plaintext is encrypted, then shited by all possible ɛ s and the values o the shited ciphertexts are decrypted. The time complexity o Step 1 is equivalent to 2 m b+m memory accesses. However, we can keep the counters in a more eicient data structures (like B- trees, or dynamic hash tables), or which Step 1 takes only one memory access. Each F induces a set o 2 r b ciphertexts in G, and each ciphertext is shited by 2 t possible values, hence H = I = 2 r b+t. Even though we expand the

13 13 number o possible quartets (by multiplying the size o I by 2 t ), the number o right quartets does not change. Hence, we still need about 8(ˆpˆq) 2 /2 rb+1 structures. The data complexity o the attack is N = 2 r b+t 8(ˆpˆq) 2 /2 rb+1. However, we might get that N > 2 n. We can implement these cases in one o two ways. The irst way is to ask or the encryption/decryption N (not necessarily dierent) oracle queries. The second way to implement this is to store the already encrypted/decrypted values in a table, and test or each encryption/decryption i it is already in the table, in order to save most o the encryptions/decryptions. This way the attack requires 2 n known plaintexts and N memory accesses. Like in the previous section we perorm the time complexity analysis or each F independently o other F s, as each execution o Steps 6 7 or a given structure is independent o the execution o these steps or some other structure. Like in the previous section, Step 6 inserts into a hash table the plaintexts. Thus, the time complexity o Step 6 is 2 r b+t memory accesses per structure, and N memory accesses in total. Since each collision in the hash table o Step 6 suggests a quartet, we have in this step about 2 3r b+2t n 1 memory accesses or each structure F, and the expected number o remaining quartets is 2 3r b+2t n 1 (2 t b r b ) 2 = 2 2t b+r b +2t n 1. Since there are N/2 r b+t structures we conclude that or the whole attack this step requires about N 2 2r b+t n 1 memory accesses. We recover subkey material both in E b and E. By repeating the analysis rom Section 3, each remaining quartet suggests 2 m b+m 2t b 2t 2 subkeys or E b and E, and thus, we get 2 r b+m b +m n 3 hits (on average) rom each structure and N 2 m b+m n t 3 subkey hits in total. We conclude that Step 7(b) requires N 2 t b+t n 1 (2 m b+t +2 m +t b ) memory accesses or the whole attack. As there are about N 2 m b+m t n 3 subkey hits in total, the expected number o hits per subkey is about N 2 t n 3. Note that N might be bigger than 2 n but on the same time, N 2 n+t (as we take at most 2 n ciphertexts and shit them by 2 t values). We again ind that the number o hits per wrong subkey is 1/8. In Step 8 we check whether one o the counters has the value o 4 (or more). Using the same methods as in the previous section, we can use more appropriate data structures which reduce the time complexity o this step to 1 memory accesses or each F, and or the entire attack N/2 r b+t memory accesses. The data complexity o the attack is N = 2 r b+t 8(ˆpˆq) 2 /2 rb+1 adaptive chosen plaintexts and ciphertexts (and as stated earlier i N > 2 n we can replace it by 2 n known plaintexts using a table o size 2 n ). The expected time complexity o the attack is N(2+2 2r b+t n 1 +2 m b+t b +2t n 1 +2 m +2t b +t n 1 ) memory accesses. The memory complexity o the attack is 2 m b+m + 2 r b+t. Table 3 summarizes the time complexity o each step and the number o plaintexts / pairs / quartets that remain ater each step o the algorithm. We use the same decomposition o 3.5-round SC2000 as in Section 3. For this decomposition the ollowing properties were presented in [8]: r b = r = m b = m = 40, t b = 27, t = 27.9, n = 128, ˆp = , ˆq = Hence, the data

14 14 Step Short Time # Remaining Texts/ No. Description Complexity Pairs/ Quartets 1 Subkey counters init. 1 MA 2+3 Data generation N/2 t encryptions N/2 t plaintexts 4 Data generation N MA No change 5 Data generation N decryptions N Plaintexts 6 Eliminating wrong pairs N MA N2 2r b+2t n 2 qts. 7(a) Eliminating quartets N2 2r b+t n 1 MA N2 2t b+2t n 2 qts. 7(b) Subkey detection N2 t b+t n 2 (2 m b+t +2 m +t b )MA No change 8 Printing subkey N/2 r b+t MA No change MA - Memory Accesses Table 3. The Steps o the Improved Boomerang Attack and Their Eect complexity o the attack is adaptive chosen plaintexts and ciphertexts (this complexity can be reduced to 2 67 by attacking E 1 ). The attack requires memory cells (when we attack E 1 it requires only 2 67 memory cells). The time complexity o the attack is memory accesses (the attack on E 1 requires 2 68 memory accesses). We also use the same decomposition o 10-round Serpent like in Section 3. For this decomposition the ollowing properties were presented in [7]: r b = m b = 76, r = m = 20, t b = 48.85, t = 13.6, n = 128, ˆp = , ˆq = The data complexity o the attack is N = = As mentioned beore, we can either treat this as queries to the encryption/decryption oracle (o course not distinct queries) or we can just ask the encryption/decryption o any plaintext/ciphertext we need, and store it in a table. The attack requires memory accesses. 6 Summary This paper presents several contributions. The irst contribution is an improved generic rectangle attack. The improved attack algorithm can attack 10-round Serpent with data complexity o chosen plaintexts and time complexity o memory accesses. This new result enables attacking 10-round Serpent with 192-bit subkeys. We also have shown that the algorithm is very successul and almost always reduces the number o candidate subkeys. The second contribution is a generic boomerang key recovery attack. The attack uses similar techniques as in the rectangle key recovery attack and the result is an eicient algorithm or retrieving subkey material. In the analysis o this attack we ound out that this attack also almost always succeeds. The third contribution is extending the generic boomerang key recovery attack to attack more rounds. This contribution allows or the boomerang attack to attack as many rounds as the rectangle attack despite its adaptive chosen plaintext and ciphertext nature. This allows to attack 10-round Serpent with

15 15 the enhanced boomerang attack using adaptive chosen plaintexts and ciphertexts (or known plaintexts), and memory accesses. In Table 4 we compare the requirements o the generic attacks, and in Table 5 we present our new results on Serpent and SC2000. For comparison, we also include the previous boomerang and rectangle results and the best known attacks against these ciphers. Attack Rectangle Boomerang Enhanced (Section 3) (Section 4) Boomerang (Section 5) Cipher s parts E E 1 E 0 E b E 1 E 0 E b E E 1 E 0 E b being attacked Type o Chosen Plaintext Adaptive Chosen Adaptive Chosen Attack Plaintext and Ciphert. Plaint. and Ciphertext Data max{2 r b, 2 n/2+2 /ˆpˆq} max{8(ˆpˆq) 2, 2 r b } 2 t max{2 r b, 8(ˆpˆq) 2 } Complexity (N) Memory N 2 (2 r n t n N( rb n 2 + N( r b+t n 1 + Accesses +2 2t +2r b 2n 2 2 t b+m b n 1 ) 2 m b+t b +2t n m b+2t +t b 2n 1 2 m +t +2t b n 1 ) +2 m +2t b +t 2n 1 ) +N Memory Cells 2 m b+m + N 2 r b + 2 m b 2 r b+t + 2 m b+m Subkey Bits m b + m m b m b + m Hits per 1/16 1/8 1/8 Wrong Subkey Table 4. Comparison o the Boomerang and the Rectangle Generic Attacks Reerences 1. Ross Anderson, Eli Biham, Lars R. Knudsen, Serpent: A Proposal or the Advanced Encryption Standard, NIST AES Proposal, Eli Biham, Higher Order Dierential Cryptanalysis, unpublished paper, Eli Biham, Adi Shamir, Dierential Cryptanalysis o the Data Encryption Standard, Springer-Verlag, Eli Biham, Alex Biryukov, Adi Shamir, Cryptanalysis o Skipjack reduced to 31 rounds, Advances in Cryptology, proceedings o EUROCRYPT 99, LNCS 1592, pp , Springer-Verlag, Eli Biham, Alex Biryukov, Adi Shamir, Miss in the Middle Attacks on IDEA and Khuu, proceedings o Fast Sotware Encryption 6, LNCS 1636, pp , Springer-Verlag, Eli Biham, Orr Dunkelman, Nathan Keller, Linear Cryptanalysis o Reduced Round Serpent, proceedings o Fast Sotware Encryption 8, 2001, to appear. 7. Eli Biham, Orr Dunkelman, Nathan Keller, The Rectangle Attack Rectangling the Serpent, Advances in Cryptology, proceedings o EUROCRYPT 01, LNCS 2045, pp , Springer-Verlag, 2001.

16 16 Cipher Attack Number Complexity o Rounds Data Time Memory SC2000 Rectangle this paper CP MA Boomerang this paper ACPC 2 41 MA 2 40 Boomerang this paper ACPC 2 67 MA 2 67 best Linear [19] KP MA 2 80 Serpent Amp. Boomerang[10] CP MA Rectangle[7] CP MA Rectangle[7] CP MA Boomerang this paper ACPC MA Boomerang this paper KP MA 2 96 Rectangle this paper CP MA best Linear [6] KP MA 2 85 MA - Memory Accesses CP - Chosen Plaintexts, KP - Known Plaintexts ACPC - Adaptive Chosen Plaintexts and Ciphertexts Table 5. New Boomerang and Rectangle Results on SC2000 and Serpent 8. Orr Dunkelman, Nathan Keller, Boomerang and Rectangle Attacks on SC2000, preproceedings o the NESSIE second workshop, Louis Granboulan, Flaws in Dierential Cryptanalysis o Skipjack, proceedings o Fast Sotware Encryption 8, 2001, to appear. 10. John Kelsey, Tadayoshi Kohno, Bruce Schneier, Ampliied Boomerang Attacks Against Reduced-Round MARS and Serpent, proceedings o Fast Sotware Encryption 7, LNCS 1978, pp , Springer-Verlag, Lars Knudsen, Truncated and Higher Order Dierentials, proceedings o Fast Sotware Encryption 2, LNCS 1008, pp , Springer-Verlag, Lars Knudsen, Håvard Raddum, A Dierential Attack on Reduced-Round SC2000, preproceedings o the NESSIE second workshop, Lars Knudsen, Matt J.B. Robshaw, David Wagner, Truncated Dierentials and Skipjack, Advances in Cryptology, proceedings o CRYPTO 99, LNCS 1666, pp , Springer-Verlag, Suzan K. Langord, Martin E. Hellman, Dierential-Linear Cryptanalysis, Advances in Cryptology, proceedings o CRYPTO 94, LNCS 839, pp , Springer- Verlag, Mitsuru Matsui, Linear Cryptanalysis Method or DES Cipher, Advances in Cryptology, proceedings o EUROCRYPT 93, LNCS 765, pp , Springer-Verlag, NESSIE - New European Schemes or Signatures, Integrity and Encryption Takeshi Shimoyama, Hitoshi Yanami, Kazuhiro Yokoyama, Masahiko Takenaka, Kouichi Itoh, Jun Yajima, Naoya Torii, Hidema Tanaka, The Block Cipher SC2000, proceedings o Fast Sotware Encryption 8, 2001, to appear. 18. David Wagner, The Boomerang Attack, proceedings o Fast Sotware Encryption 6, LNCS 1636, pp , Springer-Verlag, Hitoshi Yanami, Takeshi Shimoyama, Orr Dunkelman, Dierential and Linear Cryptanalysis o a Reduced-Round SC2000, these proceedings.