
Outline C2 - description Attack scenarios Conclusion

Cryptanalysis of C2

Julia Borghoff, Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO 2009


1. C2 - description
2. Attack scenarios
   - The S-box recovery attack
   - Key recovery attack
   - Key and S-box recovery attack
3. Conclusion


The block cipher C2

- 64-bit block cipher with 56-bit key
- 8-to-8 S-box is kept secret ⇒ 2048 additional secret bits
- 10-round Feistel cipher
- Designed by 4C Entity (IBM, Intel, Matsushita and Toshiba)
- Used in CPRM/CPPM Digital Rights Management scheme
  - DVD-Audio, SD-cards


C2: round function

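10 Feistel rounds

[Figure: one Feistel round taking (L_i, R_i) to (L_{i+1}, R_{i+1}); labels in the figure: S, rk_i, C, and the numbers 9, 22, 1, 5, 2.]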


C2: round function

The GF(2)-linear part is not relevant for the attack

[Figure: simplified Feistel round taking (L_i, R_i) to (L_{i+1}, R_{i+1}); labels in the figure: S, rk_i, GF(2)-linear function.]


C2: key scheduling

Produces 10 round keys rk_i out of the 56-bit master key K

[Figure: key schedule; labels in the figure: K (56), rk_i (32), S, ×16, i, 17 · i.]


Possible attacks

There are three possible attack scenarios:

     provided we can ...                        recover
  1. set the key and query the device           S-box
  2. query the device and know the S-box        the secret key
  3. query the device                           S-box and secret key


Previous work

- Japanese distributed cracking effort in 2004. Brute force over key space for a guessed S-box. Guess was wrong and the project failed.
- Algebraic S-box recovery attack for 8 out of 10 rounds (R.-P. Weinmann).


Complexity

The three attacks and their complexities:

     provided we can ...              recover        complexity
  1. set key + query device           S-box          $2^{24}$
  2. query device + know S-box        key            $2^{48}$
  3. query the device                 S-box + key    $2^{53.5}$


Idea of attack 1

One encryption generates 20 inputs to the S-box:
- 10 in the key schedule
- 10 in the encryption algorithm

There are $2^{20 \times 8} = 2^{160}$ possibilities if we guess the S-box entries.

Try to minimize the S-box entries we have to guess.


Outline of the attack 1

[Figure: phases of the attack; labels in the figure: Construct, Trial & Error, Test, preprocessing, online.]

Preprocessing phase
- Master keys which generate only 3 distinct S-box inputs in the key schedule
- Find plaintexts which generate only the same 3 S-box inputs in the first 7 rounds

Online phase
- Encrypt each plaintext (one plaintext for each guess of the S-box outputs)
- Check if the ciphertext after 7 rounds is the expected one. If yes, determine 3 S-box entries.


Master key

Fix the master key to 0x40, 0x84, 0x88, 0x40, 0x02, 0x80, 0x09.

This key generates only the inputs 0x88, 0x04, 0x27, 0x27, 0x04, 0x04, 0x27, 0x27, 0x88, 0x88 to the S-box in the key schedule.


Generating plaintexts

Fix the input to the S-boxes of 4 rounds

[Figure: four consecutive Feistel rounds with round keys rk0 to rk3 and C; states (L0, R0) to (L4, R4); S-box inputs X0, X1, X2, X3; each round shows S followed by the GF(2)-linear function.]


Calculate backwards

[Figure: one round traversed backwards; labels in the figure: S, rk_i, C, R_i, L_i, L_{i+1}, R_{i+1}, R_{i,0···7}, X_i, GF(2)-linear function.]


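For every 8-bit vector z it holds that

$F(X \oplus (z \ll 23))_{0..7} = F(X)_{0..7} \oplus z$

F maps X_i to U_i.

[Figure: round function with X_i and U_i marked; labels in the figure: S, rk_i, C, R_i, L_i, L_{i+1}, R_{i+1}, and the numbers 9, 22, 1, 5, 2.]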
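Why the shift by 23 produces exactly z in the low byte, as an added example that is not from the original slides. The structure of F below is an assumed simplified model read off the figure labels (S-box on the low byte, byte rotations 1, 5, 2 in an assumed order, then XOR of the word with its rotations by 9 and 22); the S-box is a constructed random permutation and all function names are hypothetical.

```python
import random

MASK32 = 0xFFFFFFFF

def rol32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32

def rol8(b, r):
    return ((b << r) | (b >> (8 - r))) & 0xFF

def make_sbox(rng):
    """Constructed random 8-to-8 S-box (the real C2 S-box is secret)."""
    s = list(range(256))
    rng.shuffle(s)
    return s

def F(x, sbox):
    """Assumed model of the map X -> U; not the reference C2 code."""
    b0 = x & 0xFF
    # Non-linear step: every term mixed in depends on the low byte only.
    t = sbox[b0] ^ b0            # XORing this replaces the low byte by S[b0]
    t |= rol8(b0, 1) << 8        # byte order of 1, 5, 2 is an assumption
    t |= rol8(b0, 5) << 16
    t |= rol8(b0, 2) << 24
    v = x ^ t
    # GF(2)-linear diffusion with the rotation amounts 9 and 22.
    return v ^ rol32(v, 9) ^ rol32(v, 22)

def low_byte_shift_holds(x, z, sbox):
    """Check F(X ^ (z << 23))_{0..7} == F(X)_{0..7} ^ z for one (X, z)."""
    return (F(x ^ (z << 23), sbox) & 0xFF) == ((F(x, sbox) & 0xFF) ^ z)

def check_property(trials=2000, seed=2009):
    rng = random.Random(seed)
    sbox = make_sbox(rng)
    return all(
        low_byte_shift_holds(rng.getrandbits(32), rng.getrandbits(8), sbox)
        for _ in range(trials)
    )

def delta_footprint(z):
    """Where the difference z << 23 lands in U: identity, rol 9, rol 22."""
    d = z << 23
    return d, rol32(d, 9), rol32(d, 22)
```

The difference sits in bits 23..30, so it never touches the S-box input; the rotation by 9 carries it to bits 0..7, while the other two copies land in bits 23..30 and 13..20.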


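Find z_1 and z_2

[Figure: four consecutive Feistel rounds with round keys rk0 to rk3 and C; states (L0, R0) to (L4, R4); S-box inputs X0, X1, X2, X3; the middle rounds are annotated with F(X_1 ⊕ (z_1 ≪ 23)) and F(X_2 ⊕ (z_2 ≪ 23)); other labels: S, GF(2)-linear function, and the numbers 9, 22, 1, 5, 2.]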


Choose

$L'_2 = (X_1 \oplus (z_1 \ll 23) \oplus C) \boxminus rk_1$

$R'_2 = (X_2 \oplus (z_2 \ll 23) \oplus C) \boxminus rk_2$

Decrypt 2 rounds, then the plaintext will satisfy the condition for 4 rounds.

Complexity of generating a plaintext that also fits in rounds 5-7 is $\left(\frac{256}{3}\right)^3 = 2^{19}$ encryptions by trial-and-error.


Attacking a device

- Encrypt every plaintext
- Check whether ciphertext after 7 rounds is the expected one (three round test)
- If yes, 3 S-box entries are recovered
- Find plaintext which does not use unknown S-box entries in first 6 rounds and recover S-box entries of remaining rounds

Complexity (in encryptions):
- $2^{24}$ for the first 3 entries
- $2^{20}$ for the remaining entries


Outline of attack 2

- Find a characteristic for en- and decryption independent of the S-box with high probability
- Use this characteristic to build a boomerang
- Mount boomerang attack to recover parts of the first round key


Characteristics

- S-box and modular addition are nonlinear over GF(2)
- Differential behavior of the S-box may vary
- Search for characteristic in the linearized model of C2
- 5-round characteristic independent of the S-box with probability $2^{-12}$ ($2^{-11}$)


Boomerang attack

[Figure: boomerang quartet through E0 and E1; labels in the figure: P, P′, A, A′, B, B′, Q, Q′, C, D, C′, D′; differences ∆, ∆′, ∇, ∇′.]

- Assume S-box is known
- Use the 5-round characteristic to mount boomerang attack
- Boomerangs exist with average probability of $2^{-44.5}$
- All boomerangs follow the characteristic for the first round
- Use boomerang attack to recover 22 bits of the first round key
- Complexity: $2^{48}$ encryptions and $2^{44.5}$ chosen plaintext/ciphertext pairs


Examples for boomerangs

∆ = 00020800 80200100 → 80200100 00020800

  S-box used      key (hex)                      plaintext
  AES             00 00 00 00 00 00 00           5707aec0 48a9c942
                  00 30 20 08 00 20 28           0f42cd03 b7b5f077
                  'c' 'r' 'y' 'p' 't' '0' '9'    b4b32db5 589913dc
  C2 facsimile    00 00 00 00 00 00 00           3af32bac 960693e1
                  ee 9b 7f 2b 7c 26 cd           69676fdc 339879d4
                  'c' 'r' 'y' 'p' 't' '0' '9'    d6b44956 36771c9d


Key and S-box recovery attack (Attack 3)

- Combines the ideas of the first two attacks
- Complexity: $2^{53.5}$ encryptions


Conclusion

The three attacks and their complexities:

     provided we can ...              recover        complexity
  1. set key + query device           S-box          $2^{24}$
  2. query device + know S-box        key            $2^{48}$
  3. query the device                 S-box + key    $2^{53.5}$

What is new?
- Recover the S-box when we are able to set the key
- Boomerang is independent of the S-box

Thank you!
