Key classification attack on block ciphers

Similar documents
A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

Differential Attack on Five Rounds of the SC2000 Block Cipher

Cryptanalysis of Hummingbird-2

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

On related-key attacks and KASUMI: the case of A5/3

Impossible Boomerang Attack for Block Cipher Structures

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty

Impossible Differential Attacks on 13-Round CLEFIA-128

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Differential-Linear Cryptanalysis of Serpent

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Block Ciphers and Feistel cipher

Linear Cryptanalysis of Reduced-Round PRESENT

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Block Cipher Cryptanalysis: An Overview

Lecture 12: Block ciphers

Enhancing the Signal to Noise Ratio

Bit-Pattern Based Integral Attack

Concurrent Error Detection in S-boxes 1

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Impossible Differential Cryptanalysis of Mini-AES

Lecture 4: DES and block ciphers

Cryptography Lecture 4 Block ciphers, DES, breaking DES

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Linear Cryptanalysis

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Division Property: a New Attack Against Block Ciphers

Weaknesses in the HAS-V Compression Function

Block Ciphers and Systems of Quadratic Equations

A Weak Cipher that Generates the Symmetric Group

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Structural Cryptanalysis of SASAS

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Provable Security Against Differential and Linear Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis

Complementing Feistel Ciphers

Improving the Time Complexity of Matsui s Linear Cryptanalysis

Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism

Extended Criterion for Absence of Fixed Points

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Related-Key Rectangle Attack on 42-Round SHACAL-2

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Improved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Public-key Cryptography: Theory and Practice

Structural Cryptanalysis of SASAS

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

A Brief Comparison of Simon and Simeck

Classical Cryptography

Cryptography - Session 2

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher

Linear Cryptanalysis Using Multiple Approximations

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

A Large Block Cipher Involving Key Dependent Permutation, Interlacing and Iteration

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Symmetric key cryptography over non-binary algebraic structures

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

Specification on a Block Cipher : Hierocrypt L1

DES S-box Generator. 2 EPFL, Switzerland

Towards Provable Security of Substitution-Permutation Encryption Networks

Module 2 Advanced Symmetric Ciphers

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

S-box (Substitution box) is a basic component of symmetric

AES side channel attacks protection using random isomorphisms

Statistical and Algebraic Properties of DES

A Five-Round Algebraic Property of the Advanced Encryption Standard

Cryptanalysis of the SIMON Family of Block Ciphers

A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

ACORN: A Lightweight Authenticated Cipher (v3)

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Chapter 2 Symmetric Encryption Algorithms

Quadratic Equations from APN Power Functions

Chapter 2 - Differential cryptanalysis.

Revisit and Cryptanalysis of a CAST Cipher

Public Key Cryptography

A Pseudo-Random Encryption Mode

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

MATH 509 Differential Cryptanalysis on DES

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

New Combined Attacks on Block Ciphers

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Symmetric Crypto Systems

Cryptanalysis of SP Networks with Partial Non-Linear Layers

New Observation on Camellia

Transcription:

Key classification attack on block ciphers Maghsood Parviz Mathematical Sciences Department Sharif University of Technology Tehran, IAN maghsoudparviz@alum.sharif.ir Saeed Mirahmadi Pooyesh Educational Institute, Qom, IAN Seyed Hassan Mousavi Mathematical Sciences Department Isfahan University of Technology Isfahan, IAN shnmousavi_iut@yahoo.fr Abstract- In this paper, security analysis of block ciphers with key length greater than block length is proposed. When key length is significantly greater than block length and the statistical distribution of cipher system is like a uniform distribution, there are more than one key which map fixed input to fixed output. If a block cipher designed sufficiently random, it is expected that the key space can be classified into same classes. Using such classes of keys, our proposed algorithm would be able to recover the key of block cipher with complexity ( { n k n O max, } where n is block length and k is key length. We applied our algorithm to - round KASUMI block cipher as sample block cipher by using weakness of functions that used in KASUMI. Keywords: Block cipher, Key classes, key length, block length, KASUMI I. INTODUCTION In design of secure block cipher, one of the main steps is selection of key and input block length. There are some standard block ciphers like KASUMI, IDEA, DES, AES-56 which have block length smaller than key length. Since these ciphers have considered as pseudo-random generator, their key space can be classified into equivalency class of keys with the same number of elements. For instance, assuming randomness of KASUMI s output, the key space would have key classes which each contains different keys. In our proposed attack algorithm, we assumed that there is an efficient algorithm which computes the equivalency class of an arbitrary key. As an application of this method, we propose an efficient algorithm for computing equivalency class of arbitrary key for one-round and -round KASUMI block cipher which can be extended to full round KASUMI. Hence, in the rest, we give a short introduction to KASUMI block cipher. KASUMI is modified version of the block cipher MISTY [], which is optimized for hardware performance. In the past few years, it has received a lot of attentions from the cryptographic researcher. Kuhn introduced the impossible differential attack on 6-round KASUMI [], which has been recently extended to 7-round KASUMI[]. In 7, a higher order differential attack has been published on 5-round KASUMI with practical complexity [4]. Since the key schedule of KASUMI is linear, many related-key attacks have published. A related-key differential attack on 6-round KASUMI has presented in [5]. The first related-key attack on the full 8- round KASUMI was proposed by Biham et al.with encryptions [6], which was improved to a practical related-key attack on the full KASUMI by Dunkelman et al.[7] However, assumption for these kinds of attacks is controlling over the differences of two or more related keys in all the 8 key bits. With this assumption, resulting attack is inapplicable in most real-world usage scenarios [8]. In this paper, we proposed a new attack based on relation between key length and block length of a block cipher. When key length is significantly greater than block length and cipher system has a statistical properties like an uniform distribution, 76.

there is a key classes with P,K = C k n members K in which E(, for every fixed (,C E : {, } n {, } k {, } n P pair, where is corresponding encryption algorithm[9]. Using this observation, we construct an equivalency class of those keys satisfied in E( P,K = C. In the rest of this paper, we assume that for every block cipher algorithm E, there is an algorithm which computes efficiently the equivalency class of an arbitrary key. Our method can be applied to block cipher like KASUMI, IDEA, AES-56, DES, etc. In this paper, first we introduce our new method and then it will apply to reduced-round KASUMI block cipher. In section II, we introduce details of our method. In section III, the method has applied to KASUMI. In section V, we propose an algorithm for generating equivalency classes of KASUMI key space. Finally, after experimental results, we will give some suggestions and recommendations for future works. We use pseudo-randomness properties of encryption algorithm and it is expected that there is exactly one key such n n P,K = C i, i + [ ] that E( for every interval ( k n and i. For finding equivalence key, it would be n sufficient to search whole keys in [, ]. It can be done using rainbow-tables and time-memory-data-trade-off methods with complexity lower than n. K K, generate the keys of. Since [ ] P, c class[ K] P, c. If an arbitrary key decrypts at least three pair (cipher-text, plain-text correctly, select it as main unknown key. III. A KEY CASSICATION ATTACK ON KASUMI - OUNDS BOCK CIPHE II. OU POPOSED ATTACK Consider a block cipher algorithm E : {, } n {, } k {, } n in which n is block length and k is key length. When key length is significantly greater than block length and the statistical distribution of cipher system is like a uniform k n distribution, there are keys K such that ( P,K = C E For every fixed ( { } n { } n P.,C,, It simply can prove that the following relation is an equivalency relation. K ~ K' iff E( P,K = E( P,K' = C ( P,C,. For all { } n In the rest of the paper, [ ], c for { } k K P is Equivalency relation K,. For every block cipher algorithm E, suppose that there is an algorithm which efficiently computes the equivalency class of an arbitrary key. Following algorithm will be able to recover the unknown key K such that E( P,K = C, for known ( P,C with complexity n. Algorithm : E P,K = C.. Select the key K such that ( In this section, we apply our proposed method to -rounds KASUMI block cipher. By finding some weakness in FO and F functions, we will improve our method by using them. In the rest, first we introduce briefly the general structure of KASUMI block cipher and then properties of functions that used in KASUMI are discussed. A. KASUMI block cipher KASUMI is a block cipher used in the security of GPP systems such as UMTS, GSM and GPS. Both the confidentiality (f8 and integrity function (f9 in UMTS are based on KASUMI. In GSM, KASUMI is used in the A5/ algorithm for generating key stream and in GPS in the GEA key stream generator. KASUMI is an 8-round Feistel block cipher algorithm; it operates on bit input to produce bit output under a 8- bit key. In each round, there are two functions: the FO function which is a -round, -bit Feistel structure, and the F function which receives -bit as input and produces -bit output. The order of using two mentioned functions in the cipher is affected by the round number. In the odd round the first function is F and in the even round the FO function is used first. The FO function also uses four-round Feistel function in a recursive structure. The function receives 6-bit as input and produce 6-bit as output. It uses two S-boxes S7 ( 7-bit to 7-bit permutation and S9 (9-bit to 9-bit permutation. Using a simple key schedule of figure, the round function uses a round key which consists of eight 6-bit sub keys derived from the original 8-bit key. The F function uses - bit sub-keys K in round I where j= or. The FO i, j function uses 96-bit sub-keys KOi, j and i, j KI. The 8-bit key K is divided into eight 6-bit sub keys Ki:

Figure. Key schedule for KASUMI block cipher Figure. function One of the main functions used in KASUMI block cipher is {, } 6 {, } 6 { } 6 :, As figure show, there are two -boxes S7 (7-bit to 7-bit permutation and S9 (9-bit to 9-bit permutation. In the following, we give some properties for the function.. ( x,ki = ( KI ( x where is above half of the function before the key KI affects and is below half of the function after the key KI affects. Figure. structure of KASUMI block cipher We start with function which is the core function for giving non-linearity to the cipher algorithm. B. function properties It is clear that and are invertible functions that are not depended on key.. Suppose that ( x,ki = y ( Where x, y and KI are input, output and key. Having two members of the set {x,y,ki}, the third one is uniquely computed efficiently. In fact, if {x,ki} or {y,ki} is known, using encryption and decryption algorithm, ( holds. If {x,y} is known, then KI = ( x ( y. {( x, KI ; ( x,ki = y } = for every { } 6 y,.

x, x', such that 4. Find KI and KI' for every { } 6 ( x,ki = ( x',ki' In fact, it is sufficient to find keys such that ( x ( x' KI KI' = ( It is clear that the number of keys which ( hold are 6. 5. There are some key pairs KI, KI' such that ( x,ki = ( x',ki' = y x, x', y,. For all { } 6 Using the results of part, there are two keys pair with above properties. C. FO function properties {, } {, } 96 { } FO :, is one of the core functions that used in KASUMI block cipher ( X KO, KI ( Y = Y (4 ( X ( X KO,KI KO, KI Equation (4 can be rewritten as follow. ( Y Y,KI KO = X ( X KO, KI (5 Finally, we have ( X KO,KI = X Y ( X KO, KI ( Y Y,KI KO = When input and output of the FO function (X,Y are known, then there are keys K such that FO(X,K=Y. (6 KI,KO,KI,KI,, For arbitrary values of { } 6 KO, can be computed efficiently and uniquely. KO D. F function properties Figure 5. F function Figure 4. FO function Suppose X = ( X, and Y = ( Y, X are input and output of FO function, then Y = X ( X KO, KI Y F function { } { } { }, F :,, is one the simple components in the KASUMI block cipher. We introduce some properties of F function.. By fixing F sub-keys, the function is one-to-one related to the input. But this isn't correct for the subkeys by fixing the input.. If X = ( X, X, = ( Y, Y of the F function, and = ( K, Y are input, output K K is the corresponding sub-key, then

( Y X = Y K (7 >> >> ( Y X = X K Using (7, it is possible to classify all the F sub-keys. IV. AN AGOITHM FO GENEATING EQUIVAENCE KEYS IN THE ST OUND In this section, using mentioned properties for function that used in KASUMI, we propose an efficient algorithm for finding class of keys which map fixed input P to fixed output P ( C is the output of the first round before substitution of two halves C for,c {, } Algorithm : Given = ( P,P,C = ( C, C P Find every { } 8 K, such that KASUMI round ( P,K = C For ( { } 96 K,K,KO,KI,KI,KI, do find ( KO,KO {, } such that P FO( F( P,K,KI,KO = C Using FO function properties, we will be able to search efficiently desired key values. KO = ( KO,KO,, = ( KI,KI, There KASUMI KO KI. KI 96 are different keys K that round ( P,K = C for fixed P { },C,. KO,KO, can be computed efficiently for every guess of subkeys ( K,K,KO,KI,KI,KI {, } 96. Therefore current algorithm is efficient since the complexity of algorithm 96 is and this is the best complexity with regard to the number of key bits. The sub-keys values ( { } V. AN AGOITHM FO GENEATING EQUIVAENCE KEYS IN THE SECOND OUND We extend our algorithm to -rounds KASUMI. expected that there are {, } members in [ K] P, c It is for fixed P,C ( C is the output of the second round before substitution of two halves. Since we are in the initial rounds of KASUMI and the statistical properties of the cipher algorithm are not complete, the number of elements of class [ K ] P, c may not be similar to that we expected. According to cipher structure, there are some relations between input and output of -round KASUMI block cipher as follow. C P = FO C P = F ( F( P,K,KO,KI ( FO( C,KO,KI,K Where K is the sub-key of first round for K. Consequently, it needs to solve a system of equations for recovering unknown sub-keys. Based on key schedule, if K is known, the sub-key K of the first round and KI of the second round, etc will be known, where K = ( K,K,K,K4,K5,K6,K7, K8 is the main key of the cipher for producing key schedule. In our algorithm, we guess F function sub-keys for the first two round, then using FO function equations (-6, the other sub-keys can be computed. In fact, in the first two rounds, these F sub-keys are K,K,K, K4. We represent our proposed algorithm in which the unknown key values show by capital letters. Algorithm : Given = ( P,P,C = ( C, C P Find every K {, } 8 s.t round ( P,K = C KASUMI For ( k { },k,k,k4, a : = F ( P, ; do K b : = C P ; c : = C ; d : = F ( C P,K ; Solve the following equations, a << 5 << 8 ( a k,k' = b ( a K, k' 5 << = K7 c ( b b,k' << 5 << 8 ( c k,k' = d ( c K, K' 6 << = K 8 8 6 ( d d,k' It can be shown that if we would be able to find some part of keys, the other part of key can be computed uniquely. In this 7 4 5

algorithm, when we find K 6, sub-key K5 can be computed from the first equation of algorithm. Using the second equation of algorithm, K 7,K8 can be computed. For correctness, these sub-key values should be check with the additional check equation in the second part of the first equation of algorithm. It should be noted that, in algorithm, solving strategy can be every appropriate strategy for solving equations. For example we can replace this strategy with exhaustive search or algebraic methods to find K 6 and then compute the rest of sub-key values. Complexity of the algorithm depends on solving strategy. In the worst case, if exhaustive search method is used, the complexity of algorithm will be 8 which is the best one with regards to number of key bits. VI. EXPEIMENTA ESUTS Since KASUMI block cipher has -bit block length and 8-bit key length, based on birthday paradox, when a fixed input encrypts with different keys, there will be at least two equal cipher-text with probability more than ½. With P= (plain-text with bit zero, there are at least two keys that encryption of P lead to same cipher-text. Using such keys, we get output of the sixth round KASUMI; we wrote equations for last two round and the results are compared. We run our algorithm on 4,6,7-rounds KASUMI separately and obtain some equivalence keys. For 6- round KASUMI, we found three keys with same cipher-text. It can be inferred that 6-round KASUMI shows more nonrandom properties and it can be vulnerability for KASUMI block cipher, since we expected two keys with same cipher with considering different keys. VII. CONCUSIONS In this respect, we proposed a new attack on block cipher algorithms with key length greater than block length, if it would be possible to efficiently classify the key space of corresponding block cipher. In fact, the complexity of attack will be ( { n k n O max, } where n is block length and k is key length. Some recommendations for continuing this work are as follow.. Extend our algorithm to higher rounds of KASUMI block cipher.. Solving algebraic equations obtained by -rounds KASUMI in an efficient way. p for i > j where. Compute ( C = C' C = C' i C j i i j C, are the output of i'th-round KASUMI with same plain-text and different keys. 4. Cryptanalysis of 4-rounds KASUMI block cipher with complexity of. 5. Classification of the key space of other cipher algorithms such as IDEA, DES, AES-56 with key length greater than block length. 6. Combining this method with other known attack to achieve a near practical attack algorithm. EFEENCES [] Matsui, M.: Block Encryption Algorithm MISTY. In: Biham, E. (ed. FSE 997. NCS, vol. 67, pp. 74.Springer, Heidelberg (997 [] Kuhn, U.: Cryptanalysis of educed-ound MISTY. In: Pfitzmann, B. (ed. EUOCYPT. NCS, vol.45, pp. 5 9. Springer, Heidelberg ( [] Jia, K., i,., echberger, C., Chen, C., Wang, X.: Improved Cryptanalysis of the Block Cipher KASUMI. In:Knudsen,.., Wu, H. (eds. SAC. NCS, vol. 777, pp.. Springer, Heidelberg ( [4] Sugio, N., Aono, H., Hongo, S., Kaneko, T.: A Study on Higher Order Differential Attack of KASUMI. IEICE Transactions 9-A(, pp. 4- (7 [5] Blunden, M., Escott, A.: elated Key Attacks on educed ound KASUMI. In: Matsui, M. (ed. FSE.NCS, vol. 55, pp. 77 85. Springer, Heidelberg ( [6] Biham, E., Dunkelman, O., Keller, N.: A elated-key ectangle Attack on the Full KASUMI. In: oy, B. (ed. ASIACYPT 5. NCS, vol. 788, pp. 44 46. Springer, Heidelberg (5 [7] Dunkelman, O., Keller, N., Shamir, A.: A Practical-Time elated-key Attack on the KASUMI Cryptosystem Used in GSM and G Telephony. In: abin, T. (ed. CYPTO. NCS 6, pp. 9 4. Springer,Heidelberg ( [8] K.Jia,.i, C.echberger, J. Chen, X.Wang, Keting Jia, Christian echberger, Xiaoyun Wang, Green Cryptanalysis: Meet-in-the-Middle Key-ecovery for the Full KASUMI Cipher,. [9] Blog.ddream.ir/classattack.html, (in Farsi. APPENDIX. Plain-text= Key=xFD9459CA8B685DACB8A794 Cipher-text=xDBCDA8D84CDAD86 --->> c: left=, right=db6eed5 --->> c: left=db6eed5, right=48d7eb6 --->> c: left=48d7eb6, right=ebddad4 --->> c4: left=ebddad4, right=7b6cf8 j

--->> c5: left=7b6cf8, right=d885ffd --->> c6: left=d885ffd, right=9f57e58 --->> c7: left=9f57e58, right=84cdad86 --->> c8: left=84cdad86, right=dbcda8d Where ci is the output of round I in the KASUMI block cipher. Plain-text= Key= xcaff6ac87a7c456ac98ce9f Cipher-text= xdbcda8d84cdad86 --->> c: left=, right=aa89 --->> c: left=aa89, right=ece85a9 --->> c: left=ece85a9, right=9e5e7b --->> c4: left=9e5e7b, right=8ffb --->> c5: left=8ffb, right=bdcc6 --->> c6: left=bdcc6, right=9b7deee --->> c7: left=9b7deee, right=84cdad86 --->> c8: left=84cdad86, right=dbcda8d

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback