A New Approach to χ 2 Cryptanalysis of Block Ciphers Jorge Nakahara Jr 1 , Daniel Santana de Freitas 2 , Gautham Sekar 4 , 5 , Chang Chiann 3 , Ramon Hugo de Souza 2 , Bart Preneel 4 , 5 1 EPFL, Lausanne, Switzerland jorge.nakahara@epfl.ch 2 Federal University of Santa Catarina, Brazil { santana,ramonh } @inf.ufsc.br 3 University of S˜ ao Paulo, Brazil chang@ime.usp.br 4 Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium 5 Katholieke Universiteit Leuven, Belgium { gautham.sekar,bart.preneel } @esat.kuleuven.be ISC’09, Pisa, Italy
Outline Outline Contributions χ 2 Attacks Target Ciphers: RC6, ERC6 and MRC6 Linear Relations Experimental Results Conclusions
Outline Outline Contributions A new approach χ 2 attack that combines linear and square/integral/saturation attacks: (adaptive) CP setting exploit weak diffusion in some block ciphers χ 2 attack preceeded by linear analysis (also used by Knudsen/Meier in RC6) our targets: RC6, ERC6 and MRC6 improved results on 2- and 4-round RC6: lower data complexity and faster attacks first cryptanalytic results on ERC6 and MRC6 distinguish-from-random attacks (no key recovery)
Outline Outline χ 2 Attacks Methodology statistical technique applied against DES, M6, SEAL, MX, RC5P , RC5, RC6 and several variants k outcomes of an event o 1 ,..., o k : observed freq.s; x 1 ,..., x k : expected freq.s ( o i − x i ) 2 distance measure: Q = � k i = 1 x i two hypothesis: H 0 and H 1 H 0 is rejected if Q > χ 2 1 − α, k − 1 with 100 α % error 90% confidence interval; minCI: lower endpoint of interval we accept H 1 if minCI > χ 2 1 − α, k − 1
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 RC6 designed by Rivest et al. , 1998, patented algorithm generalized Feistel Network structure RC6-w/r/b, w = word size, r = # rounds, b = # key bytes with w ∈ { 16 , 32 , 64 } , r ∈ { 0 , 1 , 2 ,..., 255 } , b ∈ { 0 , 1 , 2 ,..., 255 } submitted to NESSIE (Europe) and CRYPTREC (Japan) for the AES competition: w = 32 (128-bit block), r = 20, b ∈ { 16 , 24 , 32 } 32-bit operations: ⊞ mod 2 32 , ⊕ , ≪ , * mod2 32 round function: F ( X ) = [ X ∗ ( 2 ∗ X ⊞ 1 ) mod 2 w ] ≪ log 2 w
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 Computational graph of RC6 for encryption
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 Key Schedule of RC6
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 ERC6 designed by Ragab et al. , 2001 generalized Feistel Network structure ERC6-w/r/b, w = word size, r = # rounds, b = # key bytes suggested values: w = 32, r = 16 and b = 16 32-bit operations: ⊞ mod 2 32 , ⊕ , ≪ , * mod2 32 on Pentium-III, ERC6-32 / 16 / 16 encrypts at 17.3 MB/sec (1.7 times faster than RC6) no attacks reported
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 Computational graph of ERC6 for encryption
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 MRC6 designed by El-Fishawy et al. , 2004 generalized Feistel Network structure MRC6-w/r/b, w = word size, r = # rounds, b = # key bytes suggested values: w = 32, r = 16 and b = 16 on Pentium-III, MRC6-32 / 16 / 16 encrypts at 19.5 MB/sec (twice as fast as RC6) 32-bit operations: ⊞ mod 2 32 , ⊕ , ≪ , * mod2 32 no attacks reported
Outline Outline Target Ciphers: RC6, ERC6 and MRC6 Computational graph of MRC6 for encryption
Outline Outline Linear Relations 2-round iterative linear relations Type-I approximations (c.f. Contini et al. ): e i = 2 i , 0 ≤ i < 5 RC6: A i · e t 1 ⊕ C i · e t 2 = A i + 2 · e t 3 ⊕ C i + 2 · e t 4 ERC6: A i · e t 1 ⊕ C i · e t 2 ⊕ E i · e t 3 ⊕ G i · e t 4 = A i + 2 · e t 5 ⊕ C i + 2 · e t 6 ⊕ E i + 2 · e t 7 ⊕ G i + 2 · e t 8 MRC6: A i · e t 1 ⊕ C i · e t 2 ⊕ E i · e t 3 ⊕ G i · e t 4 ⊕ I i · e t 5 ⊕ K i · e t 6 ⊕ M i · e t 7 ⊕ O i · e t 8 = A i + 2 · e t 9 ⊕ C i + 2 · e t 10 ⊕ E i + 2 · e t 11 ⊕ G i + 2 · e t 12 ⊕ I i + 2 · e t 13 ⊕ K i + 2 · e t 14 ⊕ M i + 2 · e t 15 ⊕ O i + 2 · e t 16
Outline Outline Linear Relations Pictorially: linear trails in MRC6
Outline Outline Experimental Results RC6 analysis of 10 bits: lsb 5 ( A 2 i ) || lsb 5 ( C 2 i ) 2 rounds: 2 3 CP (versus 2 14 CP for Knudsen/Meier) 4 rounds: 2 19 CP (versus 2 30 CP for Knudsen/Meier) 6 rounds: non conclusive (up to 2 37 CP)
Outline Outline Experimental Results ERC6 analysis of 4 bits: lsb 1 ( A 2 i ) || lsb 1 ( C 2 i ) || lsb 1 ( E 2 i ) || lsb 1 ( G 2 i ) complexity: 2 5 . 5 r − 9 CP for r rounds attacks on up to 44 rounds analysis of 8 bits: lsb 2 ( A 2 i ) || lsb 2 ( C 2 i ) || lsb 2 ( E 2 i ) || lsb 2 ( G 2 i ) complexity: 2 6 r − 12 CP for r rounds attacks on up to 42 rounds
Outline Outline Experimental Results MRC6 analysis of 8 bits: lsb 1 ( A 2 i ) || lsb 1 ( C 2 i ) || lsb 1 ( E 2 i ) || lsb 1 ( G 2 i ) || lsb 1 ( I 2 i ) || lsb 1 ( K 2 i ) || lsb 1 ( M 2 i ) || lsb 1 ( O 2 i ) complexity: 2 5 r − 21 CP for r rounds attacks on up to 98 rounds analysis of 16 bits: lsb 2 ( A 2 i ) || lsb 2 ( C 2 i ) || lsb 2 ( E 2 i ) || lsb 2 ( G 2 i ) || lsb 2 ( I 2 i ) || lsb 2 ( K 2 i ) || lsb 2 ( M 2 i ) || lsb 2 ( O 2 i ) complexity: 2 5 r − 18 CP for r rounds attacks on up to 98 rounds
Outline Outline Conclusions new approach to χ 2 attacks: combines square and linear analysis adaptive chosen-plaintex attacks no weak-key assumptions, no mini ciphers conclusions based on empirical results targets: RC6, ERC6, MRC6 more efficient attacks attacks for 2- and 4-round RC6 attacks on 44-round ERC6 and 98-round MRC6 future work: key-recovery attacks
Outline Outline Acknowledgements Thanks We would like to thank the anonymous ISC’09 referees for their many useful comments and suggestions. This work was supported in part by European Commission through the ICT Programme under contract ICT-2007-216676 ECRYPT II. Gautham Sekar was supported by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy) and an FWO Project.
Recommend
More recommend
