Miss in the Middle Attacks on IDEA and Khufu

Transcription

1 Mss n the Mddle Attacks on IDEA and Khufu El Bham Alex Bryukov Ad Shamr Abstract. In a recent paper we developed a new cryptanalytc technque based on mpossble dfferentals, and used t to attack the Skpjack encrypton algorthm reduced from 32 to 31 rounds. In ths paper we descrbe the applcaton of ths technque to the block cphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. Ths demonstrates the power of the new cryptanalytc technque, shows that t s applcable to a larger class of cryptosystems, and develops new techncal tools for applyng t n new stuatons. 1 Introducton In [5,17] a new cryptanalytc technque based on mpossble dfferentals was proposed, and ts applcaton to Skpjack [28] and DEAL [17] was descrbed. In ths paper we apply ths technque to the IDEA and Khufu cryptosystems. Our new attacks are much more effcent and cover more rounds than the best prevously known attacks on these cphers. The man dea behnd these new attacks s a bt counter-ntutve. Unlke tradtonal dfferental and lnear cryptanalyss whch predct and detect statstcal events of hghest possble probablty, our new approach s to search for events that never happen. Such mpossble events are then used to dstngush the cpher from a random permutaton, or to perform key elmnaton (a canddate key s obvously wrong f t leads to an mpossble event). The fact that mpossble events can be useful n cryptanalyss s an old dea (for example, some of the attacks on Engma were based on the observaton that letters can not be encrypted to themselves). However, these attacks tended to be hghly specfc, and there was no systematc analyss n the lterature of how to dentfy an mpossble behavor n a block cpher and how to explot t n order to derve the key. In ths paper we contnue to develop these attacks ncludng the general technque called mss n the mddle to construct mpossble events and a general sevng attack whch uses such events n order to cryptanalyze the block-cpher. We demonstrate these technques n the partcular cases of the IDEA and Khufu block cphers. The man dea s to fnd two events wth Computer Scence Department, Technon Israel Insttute of Technology, Hafa 32000, Israel, bham@cs.technon.ac.l, bham/. Appled Mathematcs Department, Technon Israel Insttute of Technology, Hafa 32000, Israel. Department of Appled Mathematcs and Computer Scence, Wezmann Insttute of Scence, Rehovot 76100, Israel, shamr@wsdom.wezmann.ac.l. L. Knudsen (Ed.): FSE 99, LNCS 1636, pp , c Sprnger-Verlag Berln Hedelberg 1999

2 Mss n the Mddle Attacks on IDEA and Khufu 125 Table 1. Summary of our attacks on IDEA wth reduced number of rounds compared to the best prevous results Year [Author] Rounds Type Chosen Tme of Plantexts Analyss 1993 [23] 2 dfferental [23] 2.5 dfferental [10] 2.5 dfferental [9] 3 dfferental-lnear [9] 3.5 truncated-dfferental Ths paper 3.5 mpossble-dfferental mpossble-dfferental mpossble-dfferental From the second to the mddle of the ffth round. From the second to the end of the ffth round. From the mddle of the frst to the end of the ffth round. probablty one, whose condtons cannot be met together. In ths case ther combnaton s the mpossble event that we are lookng for. Once the exstence of mpossble events n a cpher s proved, t can be used drectly as a dstngusher from a random permutaton. Furthermore, we can fnd the keys of a cpher by analyzng the rounds surroundng the mpossble event, and guessng the subkeys of these rounds. All the keys that lead to mpossblty are obvously wrong. The mpossble event n ths case plays the role of a seve, methodcally rejectng the wrong key guesses and leavng the correct key. We stress that the mss n the mddle technque s only one possble way to construct mpossble events and the sevng technque s only one possble way to explot them. In order to get a sense of the attack, consder a cpher E( ) wth n-bt blocks, a set of nput dfferences P of cardnalty 2 p and a correspondng set of output dfferences Q of cardnalty 2 q. Suppose that no dfference from P can cause an output dfference from Q. We ask how many chosen texts should be requested n order to dstngush E( ) from a random permutaton? In general about 2 n q pars wth dfferences from P are requred. Ths number can be reduced by usng structures (a standard technque for savng chosen plantexts n dfferental attacks, see [6]). In the optmal case we can use structures of 2 p texts whch contan about 2 2p 1 pars wth dfferences from P. In ths case 2 n q /2 2p 1 structures are requred, and the number of chosen texts used by ths dstngushng attack s about 2 n p q+1 (assumng that 2p <n q + 1). Thus, the hgher s p + q the better s the dstngusher based on the mpossble event. Ths paper s organzed as follows: In Secton 2 we propose attacks on IDEA [20]. We develop the best known attack on IDEA reduced to 3.5 rounds and the frst attacks on 4 and 4.5 rounds, as descrbed n Table 1. In Secton 3 we show that ths technque can also be appled to Khufu [24]. Secton 4 concludes the paper wth a dscusson of provable securty of cphers aganst dfferental attacks, and descrbes several mpossble dfferentals of DES, FEAL, and CAST-256.

3 126 E. Bham, A. Bryukov, A. Shamr 2 Cryptanalyss of IDEA The Internatonal Data Encrypton Algorthm (IDEA) s a 64-bt, 8.5-round non- Festel block cpher wth 128-bt keys, proposed by La and Massey n 1991 [20]. It s a modfed verson of a prevous desgn by the same authors [19], wth added strength aganst dfferental attacks [6]. Although almost a decade has passed snce ts ntroducton, IDEA ressted ntensve cryptanalytc efforts [23,10,11,13,16,9,14]. Progress n cryptanalyzng round-reduced varants was very slow, startng wth an attack on a two round varant of IDEA n 1993 [23] by Meer and leadng to the currently best attack on 3.5 rounds publshed n 1997 [9] by Borst et. al. In [18, page 79] IDEA reduced to four rounds was clamed to be secure aganst dfferental attacks. Table 1 summarzes the hstory of attacks on IDEA and our new results descrbed n ths paper (all attacks n ths table are chosen plantext attacks). In addton to these attacks two relatvely large easly detectable classes of weak keys were found: In [11] 2 51 weak keys out of the keys were found to be detectable wth 16 chosen plantexts and 2 17 steps usng dfferental membershp tests, and n [14] 2 65 weak keys were found to be detectable gven 20 chosen plantexts wth a neglgble complexty under dfferental-lnear membershp tests. Stll the chance of choosng a weak key at random s about 2 63 whch s extremely low. Related key attacks [7] on 3.5 rounds [16] and on 4 rounds [14] of IDEA were developed but these are manly of theoretcal nterest. Due to ts strength aganst cryptanalytc attacks, and due to ts ncluson n several popular cryptographc packages (such as PGP and SSH) IDEA became one of the best known and most wdely used cphers. Before we descrbe the attacks we ntroduce our notaton. IDEA s an 8.5- round cpher usng two dfferent half-round operatons: key mxng (whch we denote by T ) and M-mxng denoted by M = s MA, where MA denotes a multplcaton-addton structure and s denotes a swap of two mddle words. 1 Both MA and s are nvolutons. T dvdes the 64-bt block nto four 16-bt words and mxes the key wth the data usng multplcaton modulo (denoted by ) wth on words one and four, and usng addton modulo 2 16 (denoted by ) on words two and three. The full 8.5-round IDEA can be wrtten as IDEA = T s (s MA T ) 8 = T s (M T ) 8. We denote the nput to the key mxng step T n round by X, and ts output (the nput to M) byy. The rounds are numbered from one and the plantext s thus denoted by X 1. We later consder varants of IDEA wth a reduced number of rounds whch start wth M nstead of T. In these varants the plantext s denoted by Y 1 (and the output of M s then X 2 ). See Fgure 1 for a pcture of one round of IDEA. In the rest of ths secton we descrbe a 2.5-round mpossble dfferental of IDEA (n terms of XOR dfferences), and chosen plantext attacks on IDEA 1 As usual the composton of transformatons s appled from rght to left,.e., MA s appled frst, and the swap s s appled to the result.

4 Mss n the Mddle Attacks on IDEA and Khufu 127 Z 1 X 1 X 2 Z Z 2 3 X 3 X 4 Z 4 Y 1 Y 2 Z 5 Y 3 Y 4 MA Z 6 X X X 3 X Fg. 1. One round of IDEA reduced to 4 and 4.5 rounds usng ths mpossble dfferental, whch are faster than exhaustve search. We also descrbe a smlar attack on 3.5-rounds of IDEA, whch s more than 2 14 tmes faster than the best prevously known attack [9] and whch uses 2 17 tmes less chosen plantexts. One nterestng feature of these attacks s that they are ndependent of many of the desgn detals of IDEA: They work for any choce of the MA permutaton, and for any order of the and operatons n the key-mxng T. In addton they depend only margnally on the choce of the key-schedulng of IDEA. 2.1 A 2.5-Round Impossble Dfferental of IDEA Our man observaton s that IDEA has a 2.5-round dfferental wth probablty zero. Consder the 2.5 rounds M T M T M. Then the nput dfference (a, 0,a,0) (where 0 and a 0 are 16-bt words) cannot cause the output dfference (b, b, 0, 0) after 2.5 rounds for any b 0. To prove ths clam, we make the followng observatons: 1. Consder a par wth an nput dfference (a, 0,a,0) for a 0. In such a par, the nputs to the frst MA-structure have dfference zero, and the outputs of the frst MA have dfference zero. Thus, the dfference after the frst halfround (s MA)s(a, a, 0, 0) (after the swap of the two mddle words). After

5 128 E. Bham, A. Bryukov, A. Shamr the next half-round (T ) the dfference becomes (c, d, 0, 0) for some c 0 and d Smlarly, consder a par wth an output dfference (b, b, 0, 0) for b 0 after 2.5 rounds. In such a par the dfference before the last half-round (M) s (b, 0,b,0), and the dfference before the last T s of the form (e, 0,f,0) for some e 0 and f Therefore, f the nput and output dfferences are both as above, the nput dfference of the mddle half-round (M) s(c, d, 0, 0), and the output dfference of the same half-round s (e, 0,f,0). The dfference before the swap of the two mddle words s (e, f, 0, 0). From these dfferences we conclude that the dfferences of the nputs to the MA-structure n the mddle half-round s non-zero (c, d) =(e, f), whle the output dfference s (c e, d f) =(0, 0). Ths s a contradcton, as the MA-structure s a permutaton. Consequently, there are no pars satsfyng both the nput and the output dfferences smultaneously. Due to symmetry there s another mpossble 2.5-round dfferental, wth nput dfference (0, a,0, a) and output dfference (0, 0, b, b). 2.2 An Attack on 3.5-Round IDEA Consder the frst 3.5 rounds of IDEA T (M T ) 3. We denote the plantext by X 1 and the cphertext by Y 4. The attack s based on the 2.5-round mpossble dfferental wth two addtonal T half-rounds at the begnnng and end, and conssts of the followng steps: 1. Choose a structure of 2 32 plantexts X 1 wth dentcal X2 1, dentcal X4 1, and all possbltes of X1 1 and X Collect about 2 31 pars from the structure whose cphertext dfferences satsfy Y3 4 = 0 and Y4 4 =0. 3. For each such par a) Try all the 2 32 possble subkeys of the frst T half-round that affect X1 1 and X3 1, and partally encrypt X1 1 and X3 1 nto Y1 1 and Y3 1 n each of the two plantexts of the par. Collect about 2 16 possble 32-bt subkeys satsfyng Y1 1 = Y3 1. Ths step can be done effcently wth 2 16 tme and memory complexty. b) Try all the 2 32 possble subkeys of the last T half-round that affect X1 4 and X2 4, and partally decrypt Y1 4 and Y2 4 nto X1 4 and X2 4 n each of the two cphertexts of the par. Collect about 2 16 possble 32-bt subkeys satsfyng X1 4 = X2 4. Ths step can be done effcently wth 2 16 tme and memory complexty. c) Make a lst of all the bt subkeys combnng the prevous two steps. These subkeys cannot be the real value of the key, as f they do, there s a par satsfyng the dfferences of the mpossble dfferental. 4. Repeat ths analyss for each one of the 2 31 pars obtaned n each structure and use a total of about 90 structures. Each par defnes a lst of about 2 32

6 Mss n the Mddle Attacks on IDEA and Khufu 129 ncorrect keys. Compute the unon of the lsts of mpossble 64-bt subkeys they suggest. It s expected that after about 90 structures, the number of remanng wrong key values s: 2 64 ( ) e and thus the correct key can be dentfed as the only remanng value. 5. Complete the secret key by analyzng the second dfferental (0,a,0,a). Smlar analyss wll gve 46 new key bts (16 bts out of 64 are n common wth the bts that we already found, and two bts 17 and 18 are common between the 1st and 4th rounds of ths dfferental). Fnally guess the 18 bts that are stll not found to complete the 128-bt secret key. Ths attack requres about chosen plantexts and about 2 53 steps of analyss. A nave approach here (whch works for any key schedule) requres 2 64 steps and 2 64 memory. A memory-effcent mplementaton requres only 2 48 memory. In the partcular case of rounds 2 4 of the key schedule of IDEA the subkeys of the 2nd and the 4th rounds have 11 key bts n common. Usng ths observaton the attack requres only 2 53 steps and 2 37 memory. 2.3 An Attack on a 4-Round IDEA The attack s also applcable to IDEA reduced to 4 rounds: (M T ) 4, from second to the ffth round (nclusve). We denote the plantext by X 2 and the cphertext by X 6. Dependng on the startng round and on the dfferental beng used ((a, 0,a,0) or (0,a,0,a)), there s a varyng amount of overlap between the subkey bts. In the case of our choce (from second to the ffth round, wth the frst dfferental), we wll work wth subkeys: Z 2 1[ ],Z 2 3[ ],Z 5 1[ ],Z 5 2[ ],Z 5 5[ ],Z 5 6[ ], these have 69 dstnct key bts out of 6 16 = 96. The attack guesses the two subkeys Z 5 5,Z 5 6 of the last MA structure, and for each guess performs the prevous attack on 3.5 round IDEA. More precsely, 1. For each guess of Z 5 5,Z 5 6: a) Decrypt the last half round of all the structures, usng the guessed subkeys. b) For each structure fnd all pars wth zero dfferences n the thrd and fourth words, leavng about 2 31 pars per structure. c) For each par:. Notce that at ths pont we already know Z 2 3 due to the subkey overlap. Thus, we calculate the dfference of the thrd words: (Z 2 3 X 2 3 ) (Z 2 3 X 2 3 ), and fnd the key Z1, 2 whch produces the same dfference n the frst words: (Z1 2 X1 2 ) (Z1 2 X1 2 ). On average only one Z1 2 s suggested per par.

7 130 E. Bham, A. Bryukov, A. Shamr. Smlarly fnd the pars of keys Z 5 1 and Z 5 2 whch cause equal dfferences at the 5th round. Snce Z 2 1 and Z 5 2 share eleven key bts, we are left wth about 2 5 choces of subkey pars, and thus wth about 2 5 choces of newly found 37 subkey bts. These choces are mpossble. d) We need about 50 structures to flter out all the wrong keys (ths s because we fx many key bts at the outer-most loop): ) ( e After analyzng all the structures only a few possble subkey values reman. These values are verfed usng auxlary technques. Ths attack requres about chosen plantexts packed nto structures as n the prevous secton. The total complexty of ths attack conssts of about half-round decrypton (MA) steps whch are equvalent to about round encryptons plus about smple steps. When these steps are performed effcently, they are equvalent to about round encrypton steps, and thus the total tme complexty s about 2 70 encryptons. 2.4 An Attack on a 4.5-Round IDEA In ths secton we descrbe our strongest attack whch can be appled to the 4.5 rounds of IDEA descrbed by: M (T M) 4 whch start after the frst T halfround. We denote the plantext by Y 1 and the cphertext by X 6. In addton to the 64 key bts consdered n the prevous secton we now need to fnd the subkeys of the two addtonal M half-rounds. We observe however, that only 16 of these key bts are new, and the other 48 bts are ether shared wth the set we found n the prevous secton, or are shared between the frst and the last half-rounds. Therefore, t suffces to guess 80 key bts n order to verfy whether the mpossble dfferental occurs. These key bts are 12 43, , coverng the subkeys: Z 1 5[ ],Z 1 6[ ],Z 2 1[ ],Z 2 3[ ], Z 5 1[ ],Z 5 2[ ],Z 5 5[ ],Z 5 6[ ]. The attack conssts of the followng steps: 1. Get the cphertexts of all the 2 64 possble plantexts. 2. Defne a structure to be the set of all 2 32 encryptons n whch X 2 2 and X 2 4 are fxed to some arbtrary values, and X 2 1 and X 2 3 range over all the possble values. Unlke the prevous attacks, these structures are based on the ntermedate values rather than on the plantexts. 3. Try all the 2 80 possble values of the 80 bts of the subkeys. For each such subkey a) Prepare a structure, and use the tral key to partally decrypt t by one half-round wth the keys Z 1 5 and Z 1 6 to get the 2 32 plantexts.

8 Mss n the Mddle Attacks on IDEA and Khufu 131 b) For each plantext fnd the correspondng cphertext and partally decrypt the last two half-rounds by the tral subkeys (Z5,Z and Z1,Z 5 2). 5 Partally encrypt all pars n the structure wth the subkeys Z1 2 and Z3. 2 c) Check whether there s some par n the structure whch satsfes the 64-bt condton Y1 2 = Y3 2, X1 5 = X2 5, Y3 5 = 0, and Y4 5 =0. d) If there s such an mpossble par, the tral 80-bt value of the subkeys cannot be the rght value. e) If there s no such par n the structure, try agan wth another structure. f) If no pars are found after tryng 100 structures, the tral 80-bt value s the real value of the 80 bts of the key. 4. Assumng that an unque 80 bt value survves the prevous steps, the remanng 48 bts of the key can be found by exhaustve search. Ths attack requres 2 64 plantexts, and fnds the key wthn steps usng about 2 32 memory. Ths s about 2 16 tmes faster than exhaustve search. See Table 1 for a summary of our attacks on IDEA compared to the best prevous attacks. 3 Attacks on Khufu Khufu and Khafre are two 64-bt block 512-bt key cphers desgned by Merkle [24] wth a fast software mplementaton n mnd. Khufu s faster than Khafre due to a smaller number of rounds but has a much slower key-setup. The strength of Khufu s based on key-dependent 8x32-bt S-boxes. These are unknown to an attacker and thus defy analyss based on specfc propertes of the S-boxes. The only addtonal way n whch the key s used s at the begnnng and at the end of the cpher, where 64-bt subkeys are XORed to the plantext and to the cphertext. The cpher s a Festel cpher, so the nput to a round s splt nto two 32-bt halves L and R. Each round conssts of the followng smple steps: 1. Use the least sgnfcant byte of L as an nput to the S-box: S[LSB(L)]. 2. XOR the output of the S-box wth R: R = R S[LSB(L)]. 3. Rotate L by several bytes accordng to the rotaton schedule. 4. Swap L and R. The S-box s changed every eght rounds n order to avod attacks based on guessng a sngle S-box entry. The rotaton schedule of Khufu for every eght rounds s: 2, 2, 1, 1, 2, 2, 3, 3 (byte rotatons to the rght). Snce our attack works equally well for any rotaton schedule whch uses all four bytes of each word every eght consecutve rounds, we smplfy the descrpton of the attack by assumng that all the rotatons are by a sngle byte to the left. A descrpton of ths smplfed verson of Khufu can be found n Fgure 2. Khafre dffers from Khufu only n two aspects: ts S-boxes are known, and t XORs addtonal 64-bt subkeys to the data every eght rounds. The best currently known attack on Khafre s by Bham and Shamr [6], whch requres about 1500 chosen plantexts for attackng 16 rounds, and about 2 53 chosen plantexts for attackng 24 rounds. The best attack on Khufu s by Glbert and Chauvaud [12]. It attacks the

9 132 E. Bham, A. Bryukov, A. Shamr Aux Key 1 Aux Key 2 Repeat 8n tmes Aux Key 3 Aux Key 4 Fg. 2. Descrpton of Khufu and Khafre 16-round Khufu, and requres about 2 43 chosen plantexts and 2 43 operatons (prelmnary nformaton on the secret key can be derved wth about 2 31 chosen plantexts n 2 31 steps). It s beleved that Khufu s stronger than Khafre, snce Khufu has secret key-dependent S-boxes, whch prohbt attacks based on analyss of specfc S-boxes. Interestngly the approach descrbed n ths secton s not very senstve to the dfferences between these two cphers, and works well for both of them snce t s ndependent of the concrete choce of the S-boxes and (surprsngly) does not assume ther knowledge by an attacker. 3.1 Impossble Dfferentals of Khufu and Khafre In ths secton we descrbe long mpossble dfferentals for Khufu and Khafre. The mpossbltes stem manly from the fact that the avalanche effect of the dfference can be postponed by eght rounds. Ths leads to many eght round dfferentals wth probablty one, whose concatenaton s contradctory. Due to the byte-orented structure, these dfferentals come n sets of 256 or larger, and allow tght packng nto structures. We study manly the dfferentals wth an eght byte nput dfference , where 0 denotes a byte wth zero dfference, and + denotes a byte wth arbtrary non-zero dfference; * s later used to denote a byte wth any (zero or non-zero) dfference. However, two byte

10 Mss n the Mddle Attacks on IDEA and Khufu 133 Table 2. Impossble Dfferentals of Khufu and Khafre Rounds Input Output *00**00* **00* *000* * and three byte nput dfferences are possble as long as p + q remans constant (see the relevant dscusson n the Introducton). Notce that a XOR of two dfferent S-box entres necessarly looks lke ++++, snce the S-boxes are bult from four permutatons. Let us study one of these dfferentals n some more detal. To smplfy presentaton, we assume that Khufu and Khafre are mplemented wthout swaps, and that the S boxes are used alternatngly n the left half and the rght half. The dfferental we descrbe below spans 16 rounds of Khufu and Khafre. It covers a set of 256 nput dfferences for whch a set of 2 16 output dfferences s mpossble. 1. Consder a par of nputs wth dfference After eght rounds ths dfference s always of the form Smlarly consder a par wth the output dfference 000*000* after the 16th round. Ths output dfference can only be derved from a dfference 00*000*0 at the output of the 10th round, as the dfferng S bytes do not affect any S box between these rounds. 3. Therefore, the output dfference of the S box n round 9 has the form *=00+*. 4. However, the nput dfference of the S box n round 9 must be non-zero, and due to the desgn of the S boxes, the output dfferences must have the form ++++, whch contradcts the form 00+*. Ths mpossble dfferental s descrbed n Fgure 3. The above representaton ensures that we wrte ntermedate dfferences n the same order as n the fgure. A 17-round mpossble dfferental * s reached by addng one round to ths 16-round mpossble dfferental, whle cancelng the dfference n the left half of the cphertexts. The mpossble dfferentals of ths knd are summarzed n Table The New Attacks The best known attack aganst Khufu can attack up to 16 rounds and the best known attack aganst Khafre can attack up to 24 rounds. Usng the mpossble dfferental descrbed above, we can attack Khufu and Khafre wth up to 18 rounds. Consequently, the new 18-round attack s only nterestng n the case of Khufu. For the sake of smplcty, we descrbe only a less-complcated attack on Khufu wth 16 rounds whch requres 2 46 complexty.

11 134 E. Bham, A. Bryukov, A. Shamr Aux Key 1 Aux Key 2 Contradcton Aux Key 3 Aux Key 4 Fg. 3. The 16-Round Impossble Dfferental of Khufu and Khafre (smplfed by equal rotatons n all rounds). In ths fgure whte squares represent zero dfferences, gray squares represent the zero dfferences whch are also nput bytes to the S boxes, and black squares represent bytes of type + or *

12 Mss n the Mddle Attacks on IDEA and Khufu 135 Ths attack uses the 15-round mpossble dfferental **00*. Snce the S-boxes are unknown, we can always assume that the bytes of the last subkey can be arbtrarly set to zero, yeldng an equvalent (but modfed) descrpton of the correspondng S-boxes (and usng a modfed frst subkey). 1. Encrypt structures of 256 plantexts dfferng only n the 7th byte (we count the bytes of the block from left to rght). 2. Check all the 2 15 pars contaned n the structure and retan only those cphertext dfferences of the form +++*00+* (.e., dscard all the non-zero dfferences n the ffth and sxth bytes and all the zero dfferences n the second and thrd bytes of the cphertexts). On average about half a par remans for each structure. 3. Denote the nputs to the S-box used n the last round n a partcular par by and j. Denote the cphertext dfference by C = C 1,C 2,...,C 8. For each remanng par the followng constrant on the three frst bytes of S[] S[j] cannot be satsfed: (S[] S[j]) 1,2,3 = C 1,2,3 About two structures (2 9 chosen plantexts) suffce to fnd the frst such constrant. About 2 37 constrants are requred n order to actually derve the full descrpton of three of the four output bytes of an S-box. Thus, ths attack requres about 2 46 chosen plantexts. The rest of the S box nformaton can be derved by auxlary technques. It s nterestng to note that these attacks are partcularly senstve to redundancy n the plantexts. If the dstrbuton of the plantexts s not unform, then n some cases we can effcently convert these chosen message attacks nto known-plantext and even cphertext-only attacks, as descrbed n [8]. 4 Concludng Remarks Snce the ntroducton of dfferental cryptanalyss n 1990 varous approaches to the desgn of cphers wth provable securty aganst ths attack were suggested (see for example [2,27,22]). One way of provng a cpher to be secure aganst dfferental attack s to show an upper bound on the probablty of the best dfferental. For example n [27] for a Festel cpher wth a bjectve F functon the probablty of a three-round (or longer) dfferental was proved to be smaller than 2p 2, where p s the hghest probablty for a non-trval one-round dfferental. 2 Ths result makes t possble to construct Festel cphers wth few rounds whch are provably resstant aganst conventonal dfferental cryptanalyss (for example, four rounds wth best dfferental probablty 2 61 ). Examples of such cphers are KN [27] 3 and MISTY [21]. Notce however that any four and fve round Festel cpher has lots of mpossble dfferentals, whch are ndependent of the exact propertes of the round 2 A better bound of p 2 was proved later by Aok and Ohta. 3 Recently broken by hgh-order dfferental technques [29,15].

13 136 E. Bham, A. Bryukov, A. Shamr functon. For example, f the round functon s bjectve then for any value of a 0, we have an mpossble fve-round dfferental (a, 0) (a, 0), snce t causes a zero output dfference at the thrd round, but the round functon s bjectve and the nput dfference of ths round s non-zero (ths was already observed n [17] n the case of DEAL). Usng the propertes of the round functon one can usually extend the mpossble dfferentals to cover even more rounds of a cpher. In the case of DES we can devse 7-round mpossble dfferentals whch hold for any choce of the S boxes,.e., they stll hold even f the S boxes are replaced by arbtrary (possbly unknown or key dependent) choces, and even f ther order becomes key dependent (for example as n [4]), or the S boxes change from round to round. Let Θ be the (XOR) lnear subspace spanned by the elements of { x, x, x }, and let µ Θ and η Θ ξ, where ξ = x. Then, the dfferentals (µ, 0) (η, 0) and (η, 0) (µ, 0) are mpossble for any such choce of µ and η. Consder the plantext dfference (µ, 0) and the cphertext dfference (η, 0). The nput and output dfferences of the F functon n the frst round are zero. The nput dfference of the F functon n the second round s µ, and thus only one S box s actve n ths round. The output dfference of ths S box may actvate up to sx S boxes n the next round, not ncludng S3 and S8. As the actve bt n ξ enters S8, ths nput bt of the fourth round s not affected by nether µ nor by the output dfference of the thrd round. Smlarly, ths bt s affected by the cphertext dfference, as t s actve n η, and t cannot be canceled by the output dfference of the ffth round, due to the same reasons that t cannot be affected by the output dfference of the thrd round. Therefore, ths bt s both 0 and 1 n the nput of the fourth round, whch s a contradcton. FEAL [25,26] has three 3-round characterstcs wth probablty one. Usng two such characterstcs, wth addtonal three rounds n between results n the followng mpossble dfferental (where a subscrpt x denotes a hexadecmal number): ( x, x ) ( x, x ). In ths case the characterstcs wth probablty one ensure that the data after round three and before round seven have the same dfference: ( x, x ). Therefore, the output dfference of the F -functon n round fve s zero, and thus the nput dfference of F n ths round s zero as well (snce F n FEAL s bjectve). The nput dfference of F n round four s x and the output dfference must be x whch s mpossble n the F functon of FEAL (for example bt 19 of the output always dffers for the specfed nput dfference). CAST-256 [1] has 20-round mpossble dfferental (17 forward rounds and 3 backward rounds, or vce versa) wth nputs and outputs whch dffer only by one word. Another general belef s that large expandng S-boxes (n bts of nput, m bts of output, n m) offer ncreased securty aganst dfferental attacks. In partcular 8x32 bt S-boxes are very popular, and can be found n Khufu, Khafre,

14 Mss n the Mddle Attacks on IDEA and Khufu 137 CAST, Blowfsh, Twofsh and other cphers. However, the dfference dstrbuton tables of such S-boxes contan very few possble entres at most 2 15, and all the other pars of nput/output dfferences are mpossble. Ths facltates the constructon of mpossble dfferentals and can thus make such schemes more vulnerable to the new type of attacks descrbed n ths paper. 4 References 1. C. M. Adams, The CAST-256 Encrypton Algorthm, AES submsson, avalable at 2. C. M. Adams, S. E. Tavares, Desgnng S-boxes for Cphers Resstant to Dfferental Cryptanalyss, Proceedngs of the 3rd symposum on State and Progress of Research n Cryptography, pp , I. Ben-Aroya, E. Bham, Dfferental Cryptanalyss of Lucfer, Journal of Cryptology, Vol. 9, No. 1, pp , E. Bham, A. Bryukov, How to Strengthen DES Usng Exstng Hardware, Lecture Notes n Computer Scence 917, Advances n Cryptology - Proceedngs of ASIACRYPT 94, pp , Sprnger Verlag, E. Bham, A. Bryukov, A. Shamr, Cryptanalyss of Skpjack Reduced to 31 Rounds Usng Impossble Dfferentals, Lecture Notes n Computer Scence, Advances n Cryptology Proceedngs of EUROCRYPT 99, Sprnger-Verlag, E. Bham, A. Shamr, Dfferental Cryptanalyss of the Data Encrypton Standard, Sprnger-Verlag, E. Bham, New Types of Cryptanalytc Attacks Usng Related Keys, J. of Cryptology, Vol. 7, pp , A. Bryukov, E. Kushlevtz, From Dfferental Cryptanalyss to Cphertext-Only Attacks, Lecture Notes n Computer Scence 1462, Advances n Cryptology Proceedngs of CRYPTO 98, pp , Sprnger-Verlag, J. Borst, L. R. Knudsen, V. Rjmen, Two Attacks on Reduced IDEA (extended abstract), Lecture Notes n Computer Scence 1223, Advances n Cryptology Proceedngs of EUROCRYPT 97, pp. 1 13, Sprnger-Verlag, J. Daemen, R. Govaerts, J. Vandewalle, Cryptanalyss of 2,5 Rounds of IDEA (extended abstract), Techncal Report ESAT-COSIC Techncal Report 93/1, Department of Electrcal Engneerng, Katholeke Unverstet Leuven, March J. Daemen, R. Govaerts, J. Vandewalle, Weak Keys of IDEA, Lecture Notes n Computer Scence 773, Advances n Cryptology Proceedngs of CRYPTO 93, pp , Sprnger-Verlag, H. Glbert, P. Chauvaud, A chosen plantext attack of the 16-round Khufu cryptosystem, Lecture Notes n Computer Scence 839, Advances n Cryptology Proceedngs of CRYPTO 94, pp , Sprnger-Verlag, P. Hawkes, L. O Connor, On Applyng Lnear Cryptanalyss to IDEA, Lecture Notes n Computer Scence 1163, Advances n Cryptology Proceedngs of ASIACRYPT 96, pp , Sprnger-Verlag, P. Hawkes, Dfferental-Lnear Weak Key Classes of IDEA, Lecture Notes n Computer Scence 1403, Advances n Cryptology Proceedngs of EUROCRYPT 98, pp , Sprnger-Verlag, Ths also facltated the conventonal type of dfferental attacks on Khafre descrbed n [6].

15 138 E. Bham, A. Bryukov, A. Shamr 15. T. Jakobsen, Cryptanalyss of Block cphers wth probablstc Non-lnear relatons of Low Degree, Lecture Notes n Computer Scence 1462, Advances n Cryptology Proceedngs of CRYPTO 98, pp , Sprnger-Verlag J. Kelsey, B. Schneer, D. Wagner, Key-Schedule Cryptanalyss of IDEA, G-DES, GOST, SAFER, and Trple-DES, Lecture Notes n Computer Scence 1109, Advances n Cryptology Proceedngs of CRYPTO 96, pp , Sprnger-Verlag, L. R. Knudsen, DEAL - A 128-bt Block Cpher, AES submsson, avalable at larsr/papers/deal.ps, X. La, On the Desgn and Securty of Block Cphers, Ph.D. thess, Swss Federal Insttute of Technology, Zurch X. La, J. L. Massey, A Proposal for a New Block Encrypton Standard, Lecture Notes n Computer Scence 473, Advances n Cryptology Proceedngs of EU- ROCRYPT 90, pp , Sprnger-Verlag, X. La, J. L. Massey, S. Murphy, Markov Cphers and Dfferental Cryptanalyss, Lecture Notes n Computer Scence 547, Advances n Cryptology Proceedngs of EUROCRYPT 91, pp , Sprnger-Verlag, M. Matsu, New Block Encrypton Algorthm MISTY, Lecture Notes n Computer Scence 1267, Fast Software Encrypton - 4th Internatonal Workshop (FSE 97), pp , Sprnger-Verlag, M. Matsu, New Structure of Block Cphers wth Provable Securty Aganst Dfferental and Lnear Cryptanalyss, Lecture Notes n Computer Scence 1039, Fast Software Encrypton - 3rd Internatonal Workshop (FSE 96), pp , Sprnger Verlag, 1996, 23. W. Meer, On the Securty of the IDEA Block Cpher, Lecture Notes n Computer Scence 765, Advances n Cryptology Proceedngs of EUROCRYPT 93, pp , Sprnger-Verlag, R. C. Merkle, Fast Software Encrypton Functons, Lecture Notes n Computer Scence 537, Advances n Cryptology Proceedngs of CRYPTO 90, pp , Sprnger-Verlag, S. Myaguch, A. Shrash, A. Shmzu, Fast Data Encrypton Algorthm FEAL-8, Revew of Electrcal Communcatons Laboratores, Vol. 36, No. 4, pp , S. Myaguch, FEAL-N specfcatons, NTT, K. Nyberg and L. R. Knudsen, Provable Securty Aganst a Dfferental Attack, Journal of Cryptology, Vol. 8, No. 1, pp , Skpjack and KEA Algorthm Specfcatons, Verson 2.0, Avalable at the Natonal Insttute of Standards and Technology s web-page, T. Shmoyama, S. Mora, T. Kaneko, Improvng the Hgh Order Dfferental Attack and Cryptanalyss of the KN Cpher, Lecture Notes n Computer Scence 1396, Proceedngs of the Frst Internatonal Workshop on Informaton Securty (ISW 97) (Japan), pp , Sprnger-Verlag 1997.