On Improving Data Complexity of Attacks on RC5 A. Biryukov V. - PowerPoint PPT Presentation

Motivation Previous Work Improved Filter Conclusion On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg Early Symmetric Crypto 2015 12-16 January, Clervaux, Luxembourg (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 1 / 35

Motivation Previous Work Improved Filter Conclusion Motivation 1 Previous Work 2 Improved Filter 3 Conclusion 4 (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 2 / 35

Motivation Previous Work Improved Filter Conclusion Outline Motivation 1 Previous Work 2 Improved Filter 3 Conclusion 4 (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 3 / 35

Motivation Previous Work Improved Filter Conclusion Block Cipher RC5 − w / r / b Block cipher proposed by Rivest at FSE 1994. RC5 − w / r / b w - word size in bits r - number of rounds b - size of key in bytes Block size: 64-bit ( w = 32) or 128-bit ( w = 64). Nominal choice of parameters: RC5 − 32 / 12 / 16. Feistel network with r rounds (2 r half-rounds). Round function: modular addition, XOR, bit rotation. Notable feature: data-dependent rotations. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 4 / 35

Motivation Previous Work Improved Filter Conclusion RC5 − 32 / 12 / 16 L 0 R 0 L i R i S 0 S 1 R i [ 4 : 0 ] S 2 half round 1 ≪ . . . . . . 24 half rounds S i + 1 S 25 half round 24 L i + 1 = R i R i + 1 L 25 R 25 S i : round keys derived from the 16-byte master key. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 5 / 35

Motivation Previous Work Improved Filter Conclusion Cryptanalytic Status and Why Do We (Still) Care RC5 is academically broken, but best attack requires 2 44 CP (impractical in many settings). Still widely used due to its small memory footprint and high energy efficiency. Preferred cipher in sensor networks (e.g. TinyOS). Many new results on energy efficient implementations. None on cryptanalytic improvements. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 6 / 35

RC5 Top Citations: Years 2000 – 2015

Motivation Previous Work Improved Filter Conclusion Outline Motivation 1 Previous Work 2 Improved Filter 3 Conclusion 4 (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 8 / 35

Motivation Previous Work Improved Filter Conclusion Previous Work Data complexity (number of chosen plaintexts) of existing differential attacks on RC5 − 32: Biryukov- Knudsen- Kaliski- r Kushilevitz ’98 Meier ’96 Yin ’95 2 16 2 24 2 32 6 2 28 2 38 2 40 8 2 36 2 46 2 51 10 2 44 2 54 2 63 12 Goal of this research Further decrease the data requirements of the best attack. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 9 / 35

Motivation Previous Work Improved Filter Conclusion Attack by Kaliski-Yin ’95 Single half-round characteristics used in the attack by Kaliski and Yin: ( e s – XOR difference with single active bit at position s ) ∆ ∆ IN ∆ OUT ( 0 , e s ) ( e s , e s ) Ω 1 ( e s , e s ) ( e s , 0 ) Ω 2 ( e s , 0 ) ( 0 , e t ) Ω 3 ( 0 , e s ) ( e s , e t ) Ω 4 ( e s , e t ) ( e t , e u ⊕ e v ) Ω 5 Concatenate several Ω i to form a characteristic on more rounds. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 10 / 35

3 Half-Round Iterative Characteristic: Ω 2 + Ω 3 + Ω 1 80000000 80000000 r 1 ≪ S 1 80000000 00000000 r 2 ≪ S 2 00000000 00100000 r 3 ≪ S 3 00100000 00100000

Motivation Previous Work Improved Filter Conclusion Attack by Knudsen-Meier ’96 Use the same characteristics as Kaliski-Yin + two new ideas: Impose conditions on log 2 ( w ) bits of left and right plaintext 1 ⇒ Zero rotation for top two half-rounds. Notice that HW of diffs. in bottom rounds propagates as Fibonacci 2 sequence ⇒ Find better last round characteristics. Higher probability of characteristics ⇒ lower data. 3 (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 12 / 35

Motivation Previous Work Improved Filter Conclusion Attack by Biryukov-Kushilevitz ’98 Main observation Pairs with zero difference in the rotation constants occur with high probability. Partial differentials Only the log 2 ( w ) LS bits of the differences matter and must be zero. Thus any rotation amount is allowed, BUT... ...both halves of the pair must have the same rotation constant, No other restrictions are imposed on the differences. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 13 / 35

Motivation Previous Work Improved Filter Conclusion Good Pairs, Bad Pairs and Oracles Good Pair A pair of plaintexts, whose encryption results in equal rotation constants in all rounds. Noise (bad pairs) All pairs that are suspected to be good, but differ in the rotation constants in some rounds. Space Oracle A good pair acts as a (plaintext) space oracle for finding more good pairs. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 14 / 35

Motivation Previous Work Improved Filter Conclusion Space Oracle: The Mushroom Analogy (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 15 / 35

Motivation Previous Work Improved Filter Conclusion Space Oracle: The Mushroom Analogy (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 16 / 35

Motivation Previous Work Improved Filter Conclusion Biryukov-Kushilevitz (BK) Oracle Let ( P L , P R ) , ( P L ⊕ ∆ L , P R ⊕ ∆ R ) be a good pair of plaintexts. A candidate good pair ( A L , A R ) , ( A ∗ L , A ∗ R ) is constructed as follow: A R ← ( random � P R [ 4 : 0 ]) A L ← A R ⊕ ( P L ⊕ P R ) ( A ∗ L , A ∗ R ) ← ( A L ⊕ ∆ L , A R ⊕ ∆ R ) Gains top five half-rounds for “free”. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 17 / 35

Motivation Previous Work Improved Filter Conclusion Knudsen-Meier (KM) Oracle Let ( P L , P R ) , ( P L ⊕ ∆ L , P R ⊕ ∆ R ) be a good pair of plaintexts. A candidate good pair ( A L , A R ) , ( A ∗ L , A ∗ R ) is constructed as follow: A R ← ( random � P R [ 4 : 0 ]) A L ← ( random � P L [ 4 : 0 ]) ( A ∗ L , A ∗ R ) ← ( A L ⊕ ∆ L , A R ⊕ ∆ R ) Gains top two half-rounds for “free”. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 18 / 35

Motivation Previous Work Improved Filter Conclusion GoUP Filter: Detecting Good Pairs from Noise . . . . . . C L , C ∗ ∆ n − 1 ∆ n − 2 ∆ n − 1 ∆ n − 3 ∆ n − 2 L T n − 1 T n − 2 C L [ 4 : 0 ] ≫ ≫ ≫ ∆ X n − 1 ∆ X n − 2 ∆ x n − 3 = ∆ n − 1 S n − 1 S i + 1 S n C L , C ∗ C R , C ∗ C L , C ∗ ∆ n − 1 ∆ n − 2 ∆ n − 1 L R L ∆ n ∆ n + 1 Bottom three rounds of RC5 (leftmost is last). The filter covers 7 rounds in total. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 19 / 35

Motivation Previous Work Improved Filter Conclusion GoUP Filter Note 1 The filter applies Hamming weight thresholds on the differences. The thresholds are set according to (corrected) Fibonacci sequence. Note 2 Rotation constants T are guessed at every round except the last. (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 20 / 35

Motivation Previous Work Improved Filter Conclusion Outline Motivation 1 Previous Work 2 Improved Filter 3 Conclusion 4 (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 21 / 35

Motivation Previous Work Improved Filter Conclusion Differential Expansion of Addition Expanding the addition operation into a set of possible output differences with probability ≥ p thres : { ∆ } K X , X ∗ { ∆ } : DP ( x , x ∗ → ∆) = # { k : ( x − k ) ⊕ ( x ∗ − k ) = ∆ } > p thres # { k } (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 22 / 35

Motivation Previous Work Improved Filter Conclusion Differential Expansion of Addition: Bitwise Algorithm Algorithm 1 Differential Expansion of ADD . Input: p thres , x , x ∗ . Output: D 1: procedure expand_add_bitwise( i , x , x ∗ ) do if ( i = word_size ) then 2: add ∆ to D 3: return 4: for j ∈ { 0 , 1 } do 5: ∆[ i ] ← j ; p i ← DP ( x [ i : 0 ] , x ∗ [ i : 0 ] → ∆[ i : 0 ]) 6: if p i > p thres then 7: expand_add_bitwise( i + 1 , x , x ∗ ) 8: return D 9: (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 23 / 35

Motivation Previous Work Improved Filter Conclusion Non-linear GoUP Filter . . . . . . C L , C ∗ ∆ n − 1 ∆ n − 2 ∆ n − 1 ∆ n − 3 ∆ n − 2 L T n − 1 T n − 2 C L [ 4 : 0 ] ≫ ≫ ≫ ∆ x n − 3 = ∆ n − 1 { ∆ X n − 1 } { ∆ X n − 2 } S n − 1 S i + 1 S n C L , C ∗ C R , C ∗ C L , C ∗ ∆ n − 1 ∆ n − 2 ∆ n − 1 L R L ∆ n + 1 ∆ n Bottom three rounds of RC5 (leftmost is last). (LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 24 / 35