ISC09, Pisa, Italy Outline Outline Contributions 2 Attacks - - PowerPoint PPT Presentation

SLIDE 1

A New Approach to χ² Cryptanalysis of Block Ciphers

Jorge Nakahara Jr (1), Daniel Santana de Freitas (2), Gautham Sekar (4,5), Chang Chiann (3), Ramon Hugo de Souza (2), Bart Preneel (4,5)

(1) EPFL, Lausanne, Switzerland
jorge.nakahara@epfl.ch

(2) Federal University of Santa Catarina, Brazil
{santana,ramonh}@inf.ufsc.br

(3) University of São Paulo, Brazil
chang@ime.usp.br

(4) Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium
(5) Katholieke Universiteit Leuven, Belgium
{gautham.sekar,bart.preneel}@esat.kuleuven.be

ISC'09, Pisa, Italy

SLIDE 2

Outline

Contributions
χ² Attacks
Target Ciphers: RC6, ERC6 and MRC6
Linear Relations
Experimental Results
Conclusions

SLIDE 3

Contributions

A new approach
  χ² attack that combines linear and square/integral/saturation attacks: (adaptive) CP setting
  exploit weak diffusion in some block ciphers
  χ² attack preceded by linear analysis (also used by Knudsen/Meier in RC6)

Our targets: RC6, ERC6 and MRC6
  improved results on 2- and 4-round RC6: lower data complexity and faster attacks
  first cryptanalytic results on ERC6 and MRC6
  distinguish-from-random attacks (no key recovery)

SLIDE 4

χ² Attacks

Methodology
  statistical technique applied against DES, M6, SEAL, MX, RC5P, RC5, RC6 and several variants
  k outcomes of an event
  $o_1,\ldots,o_k$: observed frequencies; $x_1,\ldots,x_k$: expected frequencies
  distance measure: $Q = \sum_{i=1}^{k} \frac{(o_i - x_i)^2}{x_i}$
  two hypotheses: $H_0$ and $H_1$
  $H_0$ is rejected if $Q > \chi^2_{1-\alpha,k-1}$ with $100\alpha\%$ error
  90% confidence interval; minCI: lower endpoint of interval
  we accept $H_1$ if minCI $> \chi^2_{1-\alpha,k-1}$

SLIDE 5

Target Ciphers: RC6, ERC6 and MRC6

RC6
  designed by Rivest et al., 1998, patented algorithm
  generalized Feistel Network structure
  RC6-w/r/b, w = word size, r = # rounds, b = # key bytes
  with $w \in \{16,32,64\}$, $r \in \{0,1,2,\ldots,255\}$, $b \in \{0,1,2,\ldots,255\}$
  submitted to NESSIE (Europe) and CRYPTREC (Japan)
  for the AES competition: w = 32 (128-bit block), r = 20, $b \in \{16,24,32\}$
  32-bit operations: $\boxplus \bmod 2^{32}$, $\oplus$, $\ll$, $* \bmod 2^{32}$
  round function: $F(X) = [X * (2 * X \boxplus 1) \bmod 2^w] \ll \log_2 w$

SLIDE 6

Target Ciphers: RC6, ERC6 and MRC6

Computational graph of RC6 for encryption

SLIDE 7

Target Ciphers: RC6, ERC6 and MRC6

Key Schedule of RC6

SLIDE 8

Target Ciphers: RC6, ERC6 and MRC6

ERC6
  designed by Ragab et al., 2001
  generalized Feistel Network structure
  ERC6-w/r/b, w = word size, r = # rounds, b = # key bytes
  suggested values: w = 32, r = 16 and b = 16
  32-bit operations: $\boxplus \bmod 2^{32}$, $\oplus$, $\ll$, $* \bmod 2^{32}$
  on Pentium-III, ERC6-32/16/16 encrypts at 17.3 MB/sec (1.7 times faster than RC6)
  no attacks reported

SLIDE 9

Target Ciphers: RC6, ERC6 and MRC6

Computational graph of ERC6 for encryption

SLIDE 10

Target Ciphers: RC6, ERC6 and MRC6

MRC6
  designed by El-Fishawy et al., 2004
  generalized Feistel Network structure
  MRC6-w/r/b, w = word size, r = # rounds, b = # key bytes
  suggested values: w = 32, r = 16 and b = 16
  on Pentium-III, MRC6-32/16/16 encrypts at 19.5 MB/sec (twice as fast as RC6)
  32-bit operations: $\boxplus \bmod 2^{32}$, $\oplus$, $\ll$, $* \bmod 2^{32}$
  no attacks reported

SLIDE 11

Target Ciphers: RC6, ERC6 and MRC6

Computational graph of MRC6 for encryption

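SLIDE 12

Linear Relations

2-round iterative linear relations
Type-I approximations (cf. Contini et al.): $e_i = 2^i$, $0 \le i < 5$

RC6: $A_i \cdot e_{t_1} \oplus C_i \cdot e_{t_2} = A_{i+2} \cdot e_{t_3} \oplus C_{i+2} \cdot e_{t_4}$

ERC6: $A_i \cdot e_{t_1} \oplus C_i \cdot e_{t_2} \oplus E_i \cdot e_{t_3} \oplus G_i \cdot e_{t_4} = A_{i+2} \cdot e_{t_5} \oplus C_{i+2} \cdot e_{t_6} \oplus E_{i+2} \cdot e_{t_7} \oplus G_{i+2} \cdot e_{t_8}$

MRC6: $A_i \cdot e_{t_1} \oplus C_i \cdot e_{t_2} \oplus E_i \cdot e_{t_3} \oplus G_i \cdot e_{t_4} \oplus I_i \cdot e_{t_5} \oplus K_i \cdot e_{t_6} \oplus M_i \cdot e_{t_7} \oplus O_i \cdot e_{t_8} = A_{i+2} \cdot e_{t_9} \oplus C_{i+2} \cdot e_{t_{10}} \oplus E_{i+2} \cdot e_{t_{11}} \oplus G_{i+2} \cdot e_{t_{12}} \oplus I_{i+2} \cdot e_{t_{13}} \oplus K_{i+2} \cdot e_{t_{14}} \oplus M_{i+2} \cdot e_{t_{15}} \oplus O_{i+2} \cdot e_{t_{16}}$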

SLIDE 13

Linear Relations

Pictorially: linear trails in MRC6

SLIDE 14

Experimental Results

RC6
  analysis of 10 bits: $\mathrm{lsb}_5(A_{2i}) \,\|\, \mathrm{lsb}_5(C_{2i})$
  2 rounds: $2^{3}$ CP (versus $2^{14}$ CP for Knudsen/Meier)
  4 rounds: $2^{19}$ CP (versus $2^{30}$ CP for Knudsen/Meier)
  6 rounds: non-conclusive (up to $2^{37}$ CP)
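
Added example, not part of the slides and not the authors' code: the χ² statistic and H0 rejection rule from the methodology slide, applied to the 10-bit value lsb5(A) || lsb5(C) used for RC6, in Python. The input blocks are constructed sample data (not cipher output), the function names are chosen here, and the critical value uses the Wilson-Hilferty approximation instead of a statistics library.

```python
import struct
from statistics import NormalDist

NBITS = 5                      # lsb5, as in the RC6 analysis on the slides
K = 1 << (2 * NBITS)           # k = 2^10 possible outcomes

def lsb_bin(block: bytes) -> int:
    """Return lsb5(A) || lsb5(C) of a 128-bit block (little-endian words A, B, C, D)."""
    a, _b, c, _d = struct.unpack("<4I", block)
    mask = (1 << NBITS) - 1
    return ((a & mask) << NBITS) | (c & mask)

def chi2_stat(observed):
    """Q = sum (o_i - x_i)^2 / x_i with uniform expected frequencies x_i = n / k."""
    x = sum(observed) / len(observed)
    return sum((o - x) ** 2 / x for o in observed)

def chi2_critical(df: int, alpha: float) -> float:
    """Approximate chi^2_{1-alpha,df} with the Wilson-Hilferty formula."""
    z = NormalDist().inv_cdf(1 - alpha)
    c = 2 / (9 * df)
    return df * (1 - c + z * c ** 0.5) ** 3

def distinguish(blocks, alpha=0.05):
    """Return (Q, threshold, reject_H0), where H0 = 'the 10 bits are uniform'."""
    counts = [0] * K
    for blk in blocks:
        counts[lsb_bin(blk)] += 1
    q, thr = chi2_stat(counts), chi2_critical(K - 1, alpha)
    return q, thr, q > thr

def constructed_blocks(forced_passes: int, passes: int = 16):
    """Constructed sample data: each pass visits all 2^10 bins once; in the
    first `forced_passes` passes the low bit of C is forced equal to that of A."""
    out = []
    for t in range(passes):
        for v in range(K):
            a5, c5 = v >> NBITS, v & 31
            if t < forced_passes:
                c5 = (c5 & ~1) | (a5 & 1)
            hi = (0x9E3779B1 * (t * K + v)) & 0xFFFFFFE0   # arbitrary high bits
            out.append(struct.pack("<4I", hi | a5, 0, hi | c5, 0))
    return out

if __name__ == "__main__":
    for forced in (0, 4, 8):
        q, thr, rej = distinguish(constructed_blocks(forced))
        print(f"forced={forced}  Q={q:.1f}  threshold={thr:.1f}  reject H0: {rej}")
```

With 4 of the 16 passes biased the statistic stays below the threshold, while 8 biased passes push it well above: the same correlation is only detected once enough of the data carries it.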

SLIDE 15

Experimental Results

ERC6
  analysis of 4 bits: $\mathrm{lsb}_1(A_{2i}) \,\|\, \mathrm{lsb}_1(C_{2i}) \,\|\, \mathrm{lsb}_1(E_{2i}) \,\|\, \mathrm{lsb}_1(G_{2i})$
    complexity: $2^{5.5r-9}$ CP for r rounds
    attacks on up to 44 rounds
  analysis of 8 bits: $\mathrm{lsb}_2(A_{2i}) \,\|\, \mathrm{lsb}_2(C_{2i}) \,\|\, \mathrm{lsb}_2(E_{2i}) \,\|\, \mathrm{lsb}_2(G_{2i})$
    complexity: $2^{6r-12}$ CP for r rounds
    attacks on up to 42 rounds

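SLIDE 16

Experimental Results

MRC6
  analysis of 8 bits: $\mathrm{lsb}_1(A_{2i}) \,\|\, \mathrm{lsb}_1(C_{2i}) \,\|\, \mathrm{lsb}_1(E_{2i}) \,\|\, \mathrm{lsb}_1(G_{2i}) \,\|\, \mathrm{lsb}_1(I_{2i}) \,\|\, \mathrm{lsb}_1(K_{2i}) \,\|\, \mathrm{lsb}_1(M_{2i}) \,\|\, \mathrm{lsb}_1(O_{2i})$
    complexity: $2^{5r-21}$ CP for r rounds
    attacks on up to 98 rounds
  analysis of 16 bits: $\mathrm{lsb}_2(A_{2i}) \,\|\, \mathrm{lsb}_2(C_{2i}) \,\|\, \mathrm{lsb}_2(E_{2i}) \,\|\, \mathrm{lsb}_2(G_{2i}) \,\|\, \mathrm{lsb}_2(I_{2i}) \,\|\, \mathrm{lsb}_2(K_{2i}) \,\|\, \mathrm{lsb}_2(M_{2i}) \,\|\, \mathrm{lsb}_2(O_{2i})$
    complexity: $2^{5r-18}$ CP for r rounds
    attacks on up to 98 rounds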

SLIDE 17

Conclusions

new approach to χ² attacks:
  combines square and linear analysis
  adaptive chosen-plaintext attacks
  no weak-key assumptions, no mini ciphers
  conclusions based on empirical results
targets: RC6, ERC6, MRC6
  more efficient attacks
  attacks for 2- and 4-round RC6
  attacks on 44-round ERC6 and 98-round MRC6
future work: key-recovery attacks

SLIDE 18

Acknowledgements

Thanks

We would like to thank the anonymous ISC'09 referees for their many useful comments and suggestions. This work was supported in part by the European Commission through the ICT Programme under contract ICT-2007-216676 ECRYPT II. Gautham Sekar was supported by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy) and an FWO Project.