Cryptanalysis of block EnRUPT

Similar documents
Complementing Feistel Ciphers

Cryptanalysis of EnRUPT

Lecture 4: DES and block ciphers

Technion - Computer Science Department - Technical Report CS0816.revised

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

ECS 189A Final Cryptography Spring 2011

Differential-Linear Cryptanalysis of Serpent

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Benes and Butterfly schemes revisited

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

FFT-Based Key Recovery for the Integral Attack

Avoiding collisions Cryptographic hash functions. Table of contents

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Known and Chosen Key Differential Distinguishers for Block Ciphers

The Pseudorandomness of Elastic Block Ciphers

Truncated and Higher Order Differentials

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

Public-key Cryptography: Theory and Practice

The Artin-Feistel Symmetric Cipher

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Cube Attacks on Stream Ciphers Based on Division Property

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Cryptanalysis of the SIMON Family of Block Ciphers

CPA-Security. Definition: A private-key encryption scheme

A Weak Cipher that Generates the Symmetric Group

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

New Preimage Attack on MDC-4

Improved Cascaded Stream Ciphers Using Feedback

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Building Secure Block Ciphers on Generic Attacks Assumptions

Breaking Plain ElGamal and Plain RSA Encryption

Improved Multiple Impossible Differential Cryptanalysis of Midori128

XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications

5199/IOC5063 Theory of Cryptology, 2014 Fall

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Linear Cryptanalysis of Reduced-Round Speck

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Collision Attack on Boole

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Exercise Sheet Cryptography 1, 2011

Solution of Exercise Sheet 7

A Five-Round Algebraic Property of the Advanced Encryption Standard

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Discrete Logarithm Problem

Lecture 12: Block ciphers

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Module 2 Advanced Symmetric Ciphers

How Fast can be Algebraic Attacks on Block Ciphers?

The Hash Function JH 1

IIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

On the pseudo-random generator ISAAC

Impossible Differential Attacks on 13-Round CLEFIA-128

Further improving security of Vector Stream Cipher

Related-key Attacks Against Full Hummingbird-2

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Bias in the LEVIATHAN Stream Cipher

Weaknesses in the HAS-V Compression Function

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

A Brief Comparison of Simon and Simeck

Chapter 1 - Linear cryptanalysis.

Cryptanalysis of a Multistage Encryption System

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

Cryptanalysis of Hiji-bij-bij (HBB)

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Cryptanalysis of the Stream Cipher DECIM

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Differential Fault Analysis on the families of SIMON and SPECK ciphers

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

Public Key Cryptography

Truncated differential cryptanalysis of five rounds of Salsa20

Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher

Klein s and PTW Attacks on WEP

MasterMath Cryptology /2 - Cryptanalysis

9 Knapsack Cryptography

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Block Cipher Cryptanalysis: An Overview

Algebraic Techniques in Differential Cryptanalysis

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Computers and Mathematics with Applications

New Preimage Attacks Against Reduced SHA-1

Asymmetric Encryption

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Transcription:

Cryptanalysis of block EnRUPT Elias Yarrkov 2010-10-08 (revised 2010-10-12) Abstract EnRUPT is a cryptographic primitive with a variable block and key length. We show several attacks on it that stem from properties of its keying, including a very fast related-key attack. 1 Introduction EnRUPT[5] is a simple symmetric algorithm with several modes, allowing it to perform as different types of cryptographic primitives. One mode of EnRUPT was previously attacked in [3] and [2]. This paper presents cryptanalysis of the 32-bit block cipher mode, though the same methods are expected to work for the 64-bit version. 2 EnRUPT description EnRUPT is an unbalanced source-heavy Feistel network similar to XXTEA[7, 6]. The block consists of a variable number of 32- or 64-bit words, as does the key. The algorithm linearly loops through block and key words, XORing to the current block word a function of its neighbors, the current key word, and the round number. The block and the key are viewed as circular arrays; that is, for an n-word block and key, x r = x r+n and k r = k r+n. The EnRUPT round function is x r x r F (x r 1, x r+1, k r, r), where F (a, b, k, r) = ((((a 1) b r k) 8) 9) k. The number of rounds is defined s (w 0 2 + w 1 ), where w 0 is block width in words and w 1 is key width in words. s is a security parameter, defaulted to 4. yarrkov@gmail.com, http://cipherdev.org/ 1

Algorithm 1 EnRUPT block cipher implementation 1 #d e f i n e r o t r ( a, b ) ( ( ( a)>>(b ) ) ( ( a)<<(32 (b ) ) ) ) void EnRUPT( uint32_t x, i n t xw, uint32_t k, i n t kw) { i n t r ; f o r ( r =1; r <=4 (2 xw+kw ) ; r++) { uint32_ t t, rk ; t = ( x [ ( r 1+xw)%xw ] << 1) ^ x [ ( r+1)%xw ] ; rk = k [ r%kw ] ; x [ r%xw ] ^= r o t r ( t ^ rk ^ r, 8) 9 ^ rk ; } } 3 Attacks The approaches used for XXTEA in [8] seem to be ineffective against EnRUPT. However, the keying is vulnerable to various things. 3.1 Key collisions The round function of EnRUPT is not bijective for the given key word. Thus, we can attempt to find a difference Δ so that F (a, b, k Δ, r) = F (a, b, k, r) with some probability. Using a simple solving algorithm, Δ = 0x02128292 comes out as probably the best choice, giving a collision at probability 2 9.15. If two keys differ in a single word, the difference will be encountered only once per cycle through the key words. For example, for a 128-bit block and 512-bit key, the number of full cycles over the key is 6; we need to pass 5 to get a right pair. In this scenario, the probability of the full characteristic is thus about 2 45.75. We can request about 2 46 encryptions under the original key, as well as a related key with Δ in k 0. This is expected to result in about one case where the direct ciphertext and its respective related-key ciphertext collide in x 1, x 2 and x 3, which is recognized as a right pair. Knowing (x 3 1) x 1 and the difference in x 0, we can proceed to recover candidates for k 0, used for x 0. Though this immediately gives an advantage over brute force, effectively extending to the full key seems to require a bit more queries with Δ in different key words. These key collisions also lead to hash collisions, if the block cipher is used in a construction such as Davies-Meyer. 1 derived from a public domain implementation at http://www.enrupt.com/ 2

3.2 A p=1 related-key differential characteristic Consider the round function, ((((x r 1 1) x r+1 r k) 8) 9) k. Observe that we can fully cancel the difference 0x80000080 in (x r 1 1) x r+1 with the difference 0x80000000 in k. We can achieve the appropriate difference in (x r 1 1) x r+1 with the difference 0x7F F F F F 80 in x r 1 and x r+1. This immediately leads to a distinguisher. Specifically, we can use that difference in every block word, and the appropriate key difference in every key word; the ciphertext block difference will be equal to the plaintext block difference. 3.3 A chosen-plaintext attack The previously mentioned property can be adapted into a simple chosen-plaintext attack similar to that for DES[4] due to its complementation property[1]. For this attack description, the block length will be considered equal to the key length. We define and alternative form to view the block in: o r = (x r 1 1) x r+1 for r in [0, w 1], where w = w 0 = w 1. Notice that o is a bijection of x. We can set a difference either 0 or 0x80000080 in each word in o, giving 2 w possible differences in total. We can linearly solve those values back to the form used in x, and use the key difference 0x80000000 where the matching o difference is 0x80000080. Consider Δ a all of the different block differences and a the respective key differences, with a in [0, 2 w 1]. To turn this into a chosen-plaintext attack, we first do 2 w chosen-plaintext queries to get the ciphertext E k (Δ a ) for each of Δ a, and we set the key E k (Δ a ) Δ a to point to value a in a fast lookup table. Notice that E k (0) E k a (Δ a ) = Δ a E k a (0) E k (Δ a ) = Δ a E k a (0) = E k (Δ a ) Δ a We can use this to accelerate exhaustive search. We encrypt a zero-block with all possible keys, except we always leave the highest bit of each key word zero. After each block encryption with trial key k t, we test for a match in the lookup table. If the ciphertext is found to point to a value a in the table, then probably k = k t a. As an optimization to reduce memory requirements, we don t need to store E k (Δ a ) Δ a entirely, only enough to keep the rate of false positives low. In total, the work required for exhaustive search is reduced by at most w bits with 2 w chosen-plaintext queries and memory proportional to storing 2 w blocks. Generalizing to cases where the block length does not equal the key length, the reduction in work is gcd(w 0, w 1 ) bits. Simplistically, it could be said that the work*memory complexity doesn t actually change from exhaustive search. However, the cost of a single EnRUPT circuit (including the block) is larger than the cost of just storing a block or part of it, so this is expected to give a cheaper attack than plain exhaustive search. 3

3.4 Fast key recovery The previously shown family of characteristics can t be directly used to recover the key, but we can weaken it to get key dependency, thus allowing efficient key recovery. The differences Δo r = 0x40000040 and Δk r = 0x40000000 cancel out with probability about 2 0.85. We can set the difference 0x40000040 in one word in the o-form, and 0 or 0x80000080 in the others. For example, for eight block and key words: Δx = {0x4CCCCC80, 0, 0x19999980, 0, 0x73333340, 0, 0x66666600, 0} Δk = {0, 0x80000000, 0, 0x40000000, 0, 0x80000000, 0, 0x80000000} When the number of key words equals the number of block words, the number of cycles to perform over the block is 12, as in this example. Naively, we d then calculate the right pair probability as 2 0.85 11. However, the probability of the characteristic failing at the appropriate place is 2 1.17, which is not negligible. In addition, when the characteristic does break, the output difference from F will be 0x80000000; this will not spread further during the same cycle, because the next round s input from the current word will be shifted up by one. Thus, the probability is 2 0.85 10 1.17. This results in a requirement of about 2 10.67 queries, under two keys in total. When we have a right pair, all input to the final call of F, except the used key word, is visible. The difference in the output is also visible. This leads to straightforward recovery of candidate key words. More than one right pair will help key recovery. A test implementation recovers the full key in minutes with about four right pairs per key word. In this scenario, that means about 2 15.67 queries. This could be further improved. 4 Conclusions Flaws were shown in the block cipher keying of EnRUPT that lead to several attacks. Problems stemming from one property are strong enough to allow easily experimentally performing full key recovery. EnRUPT is thus not a secure family of pseudorandom permutations, as an optimal block cipher would be. References [1] M. E. Hellman, R. Merkle, R. Schroeppel, L. Washington, W. Diffie, S. Pohlig, and P. Schweitzer. Results of an initial attempt to cryptanalyze the NBS data encryption standard. Technical Report SEL 76 042, Stanford University, 1976. [2] Sebastiaan Indesteege and Bart Preneel. Practical collisions for enrupt. pages 246 259, 2009. [3] Dmitry Khovratovich and Ivica Nikolic. Cryptanalysis of enrupt. Cryptology eprint Archive, Report 2008/467, 2008. http://eprint.iacr.org/. 4

[4] Sara Kiesler and Jennifer Goetz. National bureau of standards: Data encryption standard. Technical report, 1977. [5] Sean O Neil. Enrupt: First all-in-one symmetric cryptographic primitive. The State of the Art of Stream Ciphers (SASC), 2008. [6] D J Wheeler and R J Needham. Correction of xtea. unpublished manuscript. In Computer Laboratory, Cambridge University, 1998. [7] David J Wheeler and Robert M Needham. Tea extensions. Technical report, 1997. [8] Elias Yarrkov. Cryptanalysis of xxtea. Cryptology eprint Archive, Report 2010/254, 2010. http://eprint.iacr.org/. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback