On Improving Data Complexity of Attacks on RC5, A. Biryukov and V. Velichkov (slide deck)



SLIDE 1

Motivation Previous Work Improved Filter Conclusion

On Improving Data Complexity of Attacks on RC5

  • A. Biryukov
  • V. Velichkov

Laboratory of Algorithmics, Cryptology and Security (LACS)

University of Luxembourg

Early Symmetric Crypto 2015, 12-16 January, Clervaux, Luxembourg

(LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 1 / 35

SLIDE 2

1. Motivation
2. Previous Work
3. Improved Filter
4. Conclusion


SLIDE 3

Outline

1. Motivation
2. Previous Work
3. Improved Filter
4. Conclusion


SLIDE 4

Block Cipher RC5−w/r/b

Block cipher proposed by Rivest at FSE 1994: RC5−w/r/b

  w - word size in bits
  r - number of rounds
  b - size of key in bytes

Block size: 64-bit (w = 32) or 128-bit (w = 64).
Nominal choice of parameters: RC5−32/12/16.
Feistel network with r rounds (2r half-rounds).
Round function: modular addition, XOR, bit rotation.
Notable feature: data-dependent rotations.


SLIDE 5

RC5−32/12/16

Figure: structure of RC5−32/12/16. Pre-whitening of (L0, R0) with S0 and S1, then 24 half rounds keyed by S2, ..., S25, output (L25, R25).
Half round i (keyed by Si+1): Li+1 = Ri and Ri+1 = ((Li ⊕ Ri) ≪ Ri[4 : 0]) + Si+1, i.e. the rotation amount is the low 5 bits of Ri (data-dependent rotation).

Si: round keys derived from the 16-byte master key.


SLIDE 6

Cryptanalytic Status and Why Do We (Still) Care

RC5 is academically broken, but the best attack requires 2^44 CP (impractical in many settings).
Still widely used due to its small memory footprint and high energy efficiency.
Preferred cipher in sensor networks (e.g. TinyOS).
Many new results on energy-efficient implementations; none on cryptanalytic improvements.


SLIDE 7

RC5 Top Citations: Years 2000 – 2015

SLIDE 8

Outline

1. Motivation
2. Previous Work
3. Improved Filter
4. Conclusion


SLIDE 9

Previous Work

Data complexity (number of chosen plaintexts) of existing differential attacks on RC5−32:

  r    Biryukov-Kushilevitz '98   Knudsen-Meier '96   Kaliski-Yin '95
  6    2^16                       2^24                2^32
  8    2^28                       2^38                2^40
  10   2^36                       2^46                2^51
  12   2^44                       2^54                2^63

Goal of this research: further decrease the data requirements of the best attack.


SLIDE 10

Attack by Kaliski-Yin ’95

Single half-round characteristics used in the attack by Kaliski and Yin (es: XOR difference with a single active bit at position s):

  ∆     ∆IN         ∆OUT
  Ω1    (0, es)     (es, es)
  Ω2    (es, es)    (es, 0)
  Ω3    (es, 0)     (0, et)
  Ω4    (0, es)     (es, et)
  Ω5    (es, et)    (et, eu ⊕ ev)

Concatenate several Ωi to form a characteristic on more rounds.


SLIDE 11

3 Half-Round Iterative Characteristic: Ω2 + Ω3 + Ω1

Figure: differences (left word, right word) through three half rounds.

  input          (80000000, 80000000)
  r1 (≪ S1)      (80000000, 00000000)
  r2 (≪ S2)      (00000000, 00100000)
  r3 (≪ S3)      (00100000, 00100000)

SLIDE 12

Attack by Knudsen-Meier ’96

Use the same characteristics as Kaliski-Yin + two new ideas:

1. Impose conditions on log2(w) bits of the left and right plaintext ⇒ zero rotation for the top two half-rounds.
2. Notice that the HW of the differences in the bottom rounds propagates as a Fibonacci sequence ⇒ find better last-round characteristics.
3. Higher probability of characteristics ⇒ lower data.


SLIDE 13

Attack by Biryukov-Kushilevitz ’98

Main observation: Pairs with zero difference in the rotation constants occur with high probability.

Partial differentials: Only the log2(w) LS bits of the differences matter and must be zero. Thus any rotation amount is allowed, BUT ... both halves of the pair must have the same rotation constant. No other restrictions are imposed on the differences.


SLIDE 14

Good Pairs, Bad Pairs and Oracles

Good pair: A pair of plaintexts whose encryption results in equal rotation constants in all rounds.

Noise (bad pairs): All pairs that are suspected to be good, but differ in the rotation constants in some rounds.

Space oracle: A good pair acts as a (plaintext) space oracle for finding more good pairs.


SLIDE 15

Space Oracle: The Mushroom Analogy



SLIDE 17

Biryukov-Kushilevitz (BK) Oracle

Let (PL, PR), (PL ⊕ ∆L, PR ⊕ ∆R) be a good pair of plaintexts. A candidate good pair (AL, AR), (A*L, A*R) is constructed as follows:

  AR ← (random ‖ PR[4 : 0])        (random high bits, low 5 bits copied from PR)
  AL ← AR ⊕ (PL ⊕ PR)
  (A*L, A*R) ← (AL ⊕ ∆L, AR ⊕ ∆R)

Gains top five half-rounds for "free".


SLIDE 18

Knudsen-Meier (KM) Oracle

Let (PL, PR), (PL ⊕ ∆L, PR ⊕ ∆R) be a good pair of plaintexts. A candidate good pair (AL, AR), (A*L, A*R) is constructed as follows:

  AR ← (random ‖ PR[4 : 0])        (random high bits, low 5 bits copied from PR)
  AL ← (random ‖ PL[4 : 0])        (random high bits, low 5 bits copied from PL)
  (A*L, A*R) ← (AL ⊕ ∆L, AR ⊕ ∆R)

Gains top two half-rounds for "free".


SLIDE 19

GoUP Filter: Detecting Good Pairs from Noise

Figure: bottom three rounds of RC5 (leftmost is last). Labels: ciphertext words (CL, C*L) and (CR, C*R); the rotation amount CL[4 : 0] at ≫ Sn; differences ∆n+1, ∆n, ∆n−1, ∆n−2, ∆n−3; intermediate differences ∆Xn−1 (after ≫ Sn), ∆Xn−2 (after ≫ Sn−1) and ∆xn−3 = ∆n−1 (after ≫ Si+1); guessed rotation constants Tn−1, Tn−2.

The filter covers 7 rounds in total.


SLIDE 20

GoUP Filter

Note 1: The filter applies Hamming-weight thresholds on the differences. The thresholds are set according to the (corrected) Fibonacci sequence.

Note 2: Rotation constants T are guessed at every round except the last.


SLIDE 21

Outline

1. Motivation
2. Previous Work
3. Improved Filter
4. Conclusion


SLIDE 22

Differential Expansion of Addition

Expanding the addition operation into a set of possible output differences with probability ≥ pthres.

Figure: modular addition with key input K, input pair X, X* and output difference set {∆}.

  {∆} : DP(x, x* → ∆) = #{k : (x − k) ⊕ (x* − k) = ∆} / #{k} > pthres


SLIDE 23

Differential Expansion of Addition: Bitwise Algorithm

Algorithm 1: Differential Expansion of ADD.
Input: pthres, x, x*. Output: D

  procedure expand_add_bitwise(i, x, x*)
      if i = word_size then
          add ∆ to D
          return
      for j ∈ {0, 1} do
          ∆[i] ← j; pi ← DP(x[i : 0], x*[i : 0] → ∆[i : 0])
          if pi > pthres then
              expand_add_bitwise(i + 1, x, x*)
  return D

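Added example (Python, written for this page; not code from the slides or from the authors) of the differential expansion of addition defined on slide 22 and the bitwise Algorithm 1 above. For a fixed input pair (x, x*) and the operation y = x − k with k unknown, it enumerates every output XOR difference whose probability over k exceeds pthres, fixing one bit of ∆ at a time from the LSB and abandoning a prefix as soon as its probability is at or below the threshold. The word size w (8 bits here, a constructed choice so the brute-force probability count stays instant), the sample inputs and the reference `expand_add_bruteforce` cross-check are assumptions of this example; the code works for any w the caller passes.

```python
# Added example (not from the slides): differential expansion of ADD (slides 22-23).
from typing import Set

W = 8   # word size for this demonstration; RC5-32 would use 32


def dp_prefix(x: int, x_star: int, delta: int, i: int) -> float:
    """DP(x[i:0], x*[i:0] -> delta[i:0]): fraction of the 2^(i+1) values of the
    low i+1 bits of k for which (x - k) xor (x* - k) equals delta on bits i..0.
    Only the low i+1 bits of x, x* and k influence the low i+1 bits of x - k,
    so the count over the truncated k is exact for the truncated words."""
    m = (1 << (i + 1)) - 1
    hits = sum(1 for k in range(1 << (i + 1))
               if (((x - k) ^ (x_star - k)) & m) == (delta & m))
    return hits / (1 << (i + 1))


def expand_add_bitwise(x: int, x_star: int, p_thres: float, w: int = W) -> Set[int]:
    """Algorithm 1 from the slides: the set D of output differences delta with
    DP(x, x* -> delta) > p_thres, built bit by bit with pruning. Pruning is
    sound because fixing one more bit of delta can only lower the prefix
    probability (the event on i+1 bits implies the event on i bits)."""
    D: Set[int] = set()

    def rec(i: int, delta: int) -> None:
        if i == w:                       # all w bits of delta are fixed
            D.add(delta)
            return
        for j in (0, 1):                 # try delta[i] = 0 and delta[i] = 1
            cand = delta | (j << i)
            if dp_prefix(x, x_star, cand, i) > p_thres:
                rec(i + 1, cand)

    rec(0, 0)
    return D


def expand_add_bruteforce(x: int, x_star: int, p_thres: float, w: int = W) -> Set[int]:
    """Reference (no pruning): test every delta against the full w-bit probability."""
    return {d for d in range(1 << w) if dp_prefix(x, x_star, d, w - 1) > p_thres}


if __name__ == "__main__":
    # Constructed input: x and x* differ only in the LSB. Subtracting the same k
    # from both gives y and y + 1, whose XOR is 1, 3, 7, ... with probability
    # 1/2, 1/4, 1/8, ..., so the expansion stays tiny for moderate thresholds
    # and grows as the threshold is lowered (the "more noise" point of slide 34).
    for thr in (0.2, 0.1, 0.01):
        D = expand_add_bitwise(0x00, 0x01, thr)
        print(f"p_thres={thr}: {sorted(D)}  "
              f"(matches brute force: {D == expand_add_bruteforce(0x00, 0x01, thr)})")
    print("x=0x5A, x*=0xA5, p_thres=0.05:", sorted(expand_add_bitwise(0x5A, 0xA5, 0.05)))
```

For the LSB-difference input the pruned recursion visits only a handful of prefixes, whereas the brute-force reference evaluates all 2^w candidate differences; for w = 32, as in RC5-32, only the pruned form is practical, which is the point of Algorithm 1.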

SLIDE 24

Non-linear GoUP Filter

Figure: bottom three rounds of RC5 (leftmost is last), as in the GoUP filter, but the intermediate differences after ≫ Sn and ≫ Sn−1 are now sets {∆Xn−1} and {∆Xn−2} obtained by differential expansion of the addition. Other labels: ciphertext words (CL, C*L), (CR, C*R); rotation amount CL[4 : 0]; differences ∆n+1, ∆n, ∆n−1, ∆n−2, ∆n−3; ∆xn−3 = ∆n−1 (after ≫ Si+1); guessed rotation constants Tn−1, Tn−2.


SLIDE 25

Full Filtration Procedure: First Pass

Algorithm 2: First Pass Filter Procedure for RC5−32/8/16.
Input: δ1, δ2, ... = 0x80000000, 0x40000000, ... Output: set of candidate good pairs F1.

  S ← structure of 2^24 CP and corresponding ciphertexts
  P ← set of 24 · 2^23 pairs { ((P, P*), (C, C*)) : (P, C), (P*, C*) ∈ S }
  for all pairs in P do
      if TRUE = b_good ← GoUP_NL(C, C*) then
          add ((P, P*), (C, C*)) to F1
  return F1

SLIDE 26

Full Filtration Procedure: Second Pass

Algorithm 3: Second Pass Filter Procedure for RC5−32/8/16.
Input: F1; δ1, δ2, ... = 0x80000000, 0x40000000, ... Output: set of candidate good pairs F2.

  for each (X, X*) ∈ F1 do
      apply BK oracle on (X, X*)
      Si ← structure of 2^22 CP and corresponding ciphertexts
      Pi ← set of 22 · 2^21 pairs { ((P, P*), (C, C*)) : (P, C), (P*, C*) ∈ S }
      for all pairs in Pi do
          if TRUE = b_good ← GoUP_NL(C, C*) then
              add ((P, P*), (C, C*)) to F2
  return F2

SLIDE 27

RC5−32/8/16: 1st pass Filter, 50 keys

Plot: RC5, 2^24 chosen plaintexts (structures), 8 rounds, Pdiff = 2^-20.4. x-axis: experiments (1 to 52); y-axis: number of pairs (0 to 60). Series: Good Pairs Total, Filtered Pairs, Good Filtered, Good Filt. Average, Bad Filt. Average.

SLIDE 28

RC5−32/8/16: 2nd pass Filter, 50 keys

Plot: RC5, 2^22 chosen plaintexts (BK oracle + structures), 8 rounds, Pdiff = 2^-20.4. x-axis: experiments (1 to 52); y-axis: number of pairs (0 to 60). Series: Good Pairs Total (2nd pass), Filtered Pairs (2nd pass), Good Filtered (2nd pass), Good Filt. Average (2nd pass), Bad Filt. Average (2nd pass).

SLIDE 29

Towards a New Oracle

Observation: Partial differential trails favour very small or very big rotation constants r, e.g.: w = 32: (r ≥ 26) ∨ (r ≤ 2); w = 64: (r ≥ 56) ∨ (r ≤ 4).

Conjecture: If (PL, PR) s.t. (r1, r2, r3, r4 ≥ 56) ∨ (r1, r2, r3, r4 ≤ 4), where

  r1 = (PR + S1) mod 2^w
  r2 = (((PL + S0) ⊕ (PR + S1)) ≪ r1) + S2 = A mod 2^w
  r3 = (((PR + S1) ⊕ A) ≪ r2) + S3 = B mod 2^w
  r4 = ((A ⊕ B) ≪ r3) + S4 = C mod 2^w

then (PL, PR) is a good pair with high probability.


SLIDE 30

Towards a New Oracle: Experimental Verification

Plot: New Space Oracle, 26 keys. x-axis: key (1 to 26); y-axis: number of good pairs (log scale, 1 to 4096). Series: Oracle, No Oracle.

SLIDE 31

Results

Number of chosen plaintexts for differential attacks on RC5−32/R/16.

  #R   GF / BF (S / N)   Our Results    Biryukov-Kushilevitz '98   Knudsen-Meier '96   Kaliski-Yin '95
  6    7 / 0             2^15.58        2^16                       2^24                2^32
  8    15 / 2            2^25.32        2^28                       2^38                2^40
  10   10 / 10           2^34.65        2^36                       2^46                2^51
  12                     2^42.65 (*)    2^44                       2^54                2^63

(*) = estimation.


SLIDE 32

Outline

1. Motivation
2. Previous Work
3. Improved Filter
4. Conclusion


SLIDE 33

Summary of Contributions

Contribution: Improved filtration procedure for differential attacks on RC5.
  Analyzes the original cipher (as opposed to the XOR-linear model).
  Based on the idea of differential expansion of addition.


SLIDE 34

Limitations and Future Work

Limitations: The complexity of the improved filter is exponential in the probability thresholds. Lower thresholds ⇒ more output diffs ⇒ more options for a pair to pass the filter ⇒ more noise.

Future work:
  Improve the efficiency of GoUP_NL, e.g. don't guess all rotation constants.
  Research on better oracles.
  Apply the technique to RC5-64.


SLIDE 35

Questions? Thank you for your attention!


SLIDE 36

First Pass Filter

Algorithm 4: Full Filter Procedure for RC5−32/8/16.
Input: δ1, δ2, δ3, ... = 0x80000000, 0x40000000, ... Output: list of candidate good pairs ((P, P*), (C, C*)).

  AL ← rand; AR ← rand
  AL ← {AL, AL ⊕ δ1, AL ⊕ δ1 ⊕ δ2, ...}; AR ← {AR, AR ⊕ δ1, AR ⊕ δ1 ⊕ δ2, ...}
  A1 ← {AL, AR} = { structure of 2^24 chosen plaintexts }
  S1 ← { (P, C) : P ∈ A1, C = ENCRYPT(P) } = { set of 2^24 plaintext/ciphertext pairs }
  from S1 construct P1 = { set of 24 · 2^23 pairs ((P, P*), (C, C*)) : (P, C) ∈ S1, (P*, C*) ∈ S1 }
  for all pairs in P1 do
      if TRUE = b_good ← GoUP_NL(C, C*) then
          add ((P, P*), (C, C*)) to F1
  return F1

SLIDE 37

Second Pass Filter

Algorithm 5: Full Filter Procedure for RC5−32/8/16.
Input: F1, δ1, δ2, ... = 0x80000000, 0x40000000, ... Output: list of candidate good pairs ((P, P*), (C, C*)).

  for each (P, P*) ∈ F1 do
      fix rLSB ← PR[4 : 0] and ∆LR ← PL ⊕ PR
      AR[31 : 5] ← rand; AR[4 : 0] ← rLSB; AR ← (AR[31 : 5] ‖ AR[4 : 0]); AL ← AR ⊕ ∆LR
      AL ← {AL, AL ⊕ δ1, AL ⊕ δ1 ⊕ δ2, ...}; AR ← {AR, AR ⊕ δ1, AR ⊕ δ1 ⊕ δ2, ...}
      Ai ← {AL, AR} = { structure of 2^22 chosen plaintexts }; Si ...
      from Si construct Pi = { set of 22 · 2^21 pairs ((P, P*), (C, C*)) : (P, C) ∈ Si, (P*, C*) ∈ Si }
      for all pairs in Pi do
          if TRUE = b_good ← GoUP_NL(C, C*) then
              add ((P, P*), (C, C*)) to F2
  return F2