A Unified Approach to Related-Key Attacks Orr Dunkelman - - PowerPoint PPT Presentation

a unified approach to related key attacks
SMART_READER_LITE
LIVE PREVIEW

A Unified Approach to Related-Key Attacks Orr Dunkelman - - PowerPoint PPT Presentation

Mar 06, 2024 132 likes •607 views

A Unified Approach to Related-Key Attacks Orr Dunkelman Katholieke Universitiet Leuven, Dept. of Electrical Engineering ESAT- SCD/COSIC joint work with Eli Biham and Nathan Keller 1/46 Outline of the Talk Previous Results: Original

slide-1
SLIDE 1

1/46

A Unified Approach to Related-Key Attacks

Orr Dunkelman

Katholieke Universitiet Leuven,

  • Dept. of Electrical Engineering ESAT-

SCD/COSIC joint work with Eli Biham and Nathan Keller

slide-2
SLIDE 2

2/46

Outline of the Talk

Previous Results:

Original Related-Key Attacks Slide Attacks The ''Newer'' Related-Key Attacks

The Unified Approach Attack on 4r-round IDEA Summary

slide-3
SLIDE 3

3/46

Related-Key Attacks

Presented by Biham [B93] and independently by Knudsen [K93] Useful when the key schedule algorithm is very simple And when the round function is ''weak''

slide-4
SLIDE 4

4/46

Related-Key Attack on modified DES

Consider the Data Encryption Standard (DES):

Feistel block cipher 64-bit block, 56-bit key 16 rounds Subkeys are permutated subsets of the

  • riginal supplied key
slide-5
SLIDE 5

5/46

Related-Key Attack on modified DES (cont.)

Plaintext P F F F F Ciphertext C Key K PC-1 PC-2

C D ROL2 ROL2

PC-2

C D ROL2 ROL2

PC-2

C D ROL2 ROL2

PC-2

C D

K1 K2 Kr K16

slide-6
SLIDE 6

6/46

Related-Key Attack on modified DES (cont.)

Consider two keys such that for the derived subkeys Assume we find two plaintexts such that The corresponding ciphertexts satisfy We call this pair a related-key plaintext pair (RKPP)

slide-7
SLIDE 7

7/46

Related-Key Attack on modified DES (cont.)

Having two input/output pairs to the round function of DES is sufficient to retrieve the key Even if the number of rounds is increased, the attack still works!

slide-8
SLIDE 8

8/46

The Slide Attack [BW99]

Sometimes, the need for two keys can be reduced Assume that all subkeys are the same, i.e., Then, the encryption process is

slide-9
SLIDE 9

9/46

The Slide Attack (cont.)

Assume you find two plaintexts such that Such a pair is called a slid pair, and it satisfies

fk fk fk fk fk fk fk fk fk fk P1 P2 P2 C2 C1 C1

slide-10
SLIDE 10

10/46

The Slide Attack (cont.)

If is simple enough, then again it can be broken using one slid pair Open questions (applicable to related-key plaintext pairs as well):

How to generate slid pairs? How to identify slid pairs? What to do with not so weak functions?

slide-11
SLIDE 11

11/46

Generating & Identifying Slid Pairs

For a general round function, best approach is birthday paradox:

Take 2n/2 known plaintexts Try all 2n possible pairs as a candidate slid pair, and apply the attack If the attack succeeds – the right key is found, and the slid pair is identified

slide-12
SLIDE 12

12/46

Making the ''Simple'' More Complex

In [BW00] some advanced slide techniques were presented Most interesting property observed:

If is a slid pair, then so does

Hence, finding one slid pair gives many slid pairs ...

slide-13
SLIDE 13

13/46

Making the ''Simple'' More Complex (cont.)

This allows applying known plaintext attacks on If the attack requires m known plaintexts, then for each plaintext P, ask for its encryptions For each candidate slid pair apply the attack on using the suggested set of slid pairs

slide-14
SLIDE 14

14/46

Related-Key Differential Attack [KSW96]

Adaptation of the differential cryptanalysis into the related-key model The probability of a regular differential is For a related-key differential the probability is

slide-15
SLIDE 15

15/46

Related-Key Differential Attacks

The key difference (or relation) is chosen such that the subkey differences are known If the key does not mixes well enough, it is easy to predict all subkey differences These difference can be used to cancel difference that enter nonlinear parts of the cipher

slide-16
SLIDE 16

16/46

The Example of TEA

TEA (Tiny Encryption Algorithm) is a 64-bit block cipher, with 128-bit key TEA is a Feistel cipher with 64 rounds

The figure was taken from wikipedia

slide-17
SLIDE 17

17/46

The Example of TEA

Consider a plaintext difference and a key difference In each round, the subkey differnece are canceled, and the zero difference between the encryptions remain This happens with probability 1

slide-18
SLIDE 18

18/46

Several More Related-Key Attacks

Related-Key Square attack [F+00] Related-Key Impossible Differential attack [JD03,BDK06,ZZF06] Related-Key Rectangle attack [K+04,K+05,BDK05] Related-Key linear attacks [BDK06] ...

slide-19
SLIDE 19

19/46

The Downside of Related- Key Differential Attacks

Related-Key differential attacks (usually) lose their efficiency when the number of rounds is increased:

More rounds -> lower probability More rounds -> less chance for the subkey differences to be predicted correctly

slide-20
SLIDE 20

20/46

Comparison Between Related-Key Attacks

Original Related-Key (Type A) Independent in number of rounds Assume weak ''rounds'' Require a really simple key schedule Related-Key Differential (Type B) Usually dependent in number of rounds Very useful when the round is ''strong'' Require a simple key schedule

slide-21
SLIDE 21

21/46

The Unified Approach

We suggest using a Type A attack to be independent in number of rounds While using Type B attack on the round function. Result: independent in the number of rounds, even when the round function is very strong!

slide-22
SLIDE 22

22/46

1st Mission – Finding Many Related-Key Plaintext Pairs

Let be RKPP with respect to the keys , i.e., Then, to continue the encryption and

  • btain another RKPP, we need for

which This starts to become complicated ...

slide-23
SLIDE 23

23/46

Finding Multiple Related-Key Plaintext Pairs

The solution to the problem is to use chains of related-keys. Let be a key that satisfied the previous relation If satisfies Then is a RKPP under

slide-24
SLIDE 24

24/46

Finding Multiple Related-Key Plaintext Pairs (cont.)

If for some t: we can find another RKPP for the keys Conditions: t should be small, should have cycles that contain the

  • riginal keys
slide-25
SLIDE 25

25/46

Study Case: IDEA

IDEA's key schedule is very simple. The 128-bit key is used as the first 8 subkeys Then the key is rotated to the left by 25, and used as the following 8 subkeys Again, and again...

slide-26
SLIDE 26

26/46

Study Case: IDEA (cont.)

Each round uses six subkeys. Thus, after four rounds, the key is used from the ''correct'' spot, but rotated 75 bits to the left. If IDEA had 8 rounds (and not 8.5), then let be 4-round IDEA, then

slide-27
SLIDE 27

27/46

Study Case: IDEA (cont.)

Thus, if then We conclude that if is a RKPP, then so does (both with respect to the function )

slide-28
SLIDE 28

28/46

Unifying the Related-Key Framework

In case there was a good 4-round attack

  • n IDEA, we could have stopped here.

There isn't. But there is a good related-key attack (type B) on 4-round IDEA

slide-29
SLIDE 29

29/46

Unifying the Related-Key Framework (cont.)

Assume there is a related-key attack of type B on 4-round IDEA Let the key difference be Then it is possible to generate two chains of RKPP – one for and one for

slide-30
SLIDE 30

30/46

Unifying the Related-Key Framework (cont.)

The main problem is now we have to identify the RKPP twice! Standard approach – try all possible pairs as RKPP Finding it twice (or more) is very time consuming

slide-31
SLIDE 31

31/46

IDEA

64-bit block, 128-bit key block cipher Presented by Lai and Massey in 1991 Widely used in many applications

slide-32
SLIDE 32

32/46

IDEA (cont.)

p

i

q

i

t

i

u

i

s

i

slide-33
SLIDE 33

33/46

IDEA (cont.)

slide-34
SLIDE 34

34/46

IDEA (cont.)

slide-35
SLIDE 35

35/46

A 4-Round Related-Key Truncated Differential of IDEA

Key difference: Input difference: Additional condition: First round: prob. ½ Second round: prob. 2-16 Third round: prob. 1 Fourth round: prob. 1

slide-36
SLIDE 36

36/46

The Keys Involved in the Attack

The unknown key - The key for obtaining RKPP - The related-key (type B) - Its related key (type A) -

slide-37
SLIDE 37

37/46

The Chains of Plaintexts

slide-38
SLIDE 38

38/46

Basic Idea Behind the Attack

Find one RKPP (=> we found many RKPPs!) Use the differential to find an RKPP (=> again, many RKPPs!) Use the pairs in a related-key differential attack on 4-round IDEA

slide-39
SLIDE 39

39/46

Naive Implementation

Fix , for any candidate :

Check whether is a RKPP

Main problem: There are 232 (a,b) combinations + Prob. of success is

  • nly 2-17
slide-40
SLIDE 40

40/46

Improved Implementation

Locate a set of 236 plaintext pairs satisfying that the fourth word is 1 Find the list of such that For each store in a hash table

slide-41
SLIDE 41

41/46

Improved Implementation (cont.)

For each candidate check whether appears in the table (up to the difference) If so, assume that are all RKPP Apply the RK attack on 4-round IDEA with two input/output pairs

slide-42
SLIDE 42

42/46

Complexity of the Attack

The attack uses 4 chains, each contains the entire code book, encrypted under 64 keys = 272 plaintexts (256 keys) Time complexity - 2100

slide-43
SLIDE 43

43/46

So What?!?

Our attack can be used when the number of rounds is increased Only changes – the way the chains are generated (sometimes less keys would be used => lower data complexity) If a better 4-round attack on IDEA is found – just plug it into our model

slide-44
SLIDE 44

44/46

Summary

Unification of the two related-key attacks A way to generate many RKPP A way to use a RK attack of any type (including type B) in a type A RK attack First attack on a widely used cipher which continues to work when number

  • f rounds is increased
slide-45
SLIDE 45

45/46

Open Problems

Is there a better 4-round RK attack on IDEA? Better ways to identify RKPP? Better ways to correlate RKPP from different chains? How to deal with slightly modified functions (round constants)?

slide-46
SLIDE 46

46/46

Thank You!

多謝