Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Transcription

1 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way, Singapore jlu@i2r.a-star.edu.sg, lvjiqiang@hotmail.com Joint work with Wun-She Yap and Yongzhuang Wei. 28 March 212

2 Weak eys for a Related-ey Differential Attack Outline: 1 Block Cipher Cryptanalysis 2 The MISTY1 Block Cipher Weak eys for a Related-ey Differential Attack Weak eys for a Related-ey Amplified Boomerang Attack 5 Conclusions

3 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An important primitive in symmetric-key cryptography. * Main purpose: provide confidentiality A most fundamental security goal. An algorithm that transforms a fixed-length data block into another data block of the same length under a secret user key. * Input: plaintext. * Output: ciphertext. * Three sub-algorithms: encryption, decryption, key schedule. Constructed by repeating a simple function many times, known as the iterated method. * An iteration: a round. * The repeated function: the round function. * The key used in a round: a round subkey. * The number of iterations: the number of rounds. * The round subkeys are generated from the user key under a key schedule algorithm.

4 Weak eys for a Related-ey Differential Attack 1.2 A Cryptanalytic Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An algorithm that distinguishes a cryptosystem from a random function. Usually measured using the following three metrics: * Data complexity The numbers of plaintexts and/or ciphertexts required. * Memory (storage) complexity The amount of memory required. * Time (computational) complexity The amount of computation or time required, how many encryptions/decryptions or memory accesses. Goals: * Break a cryptosystem (ideally, in a practical complexity). * Enable more secure cryptosystems to be designed.

5 Weak eys for a Related-ey Differential Attack 1.3 Four Cryptanalysis Scenarios 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Ciphertext-only attack scenario * Have access to a number of ciphertexts. nown-plaintext attack scenario * Have access to a number of ciphertexts and the corresponding plaintexts. Chosen-plaintext/cipertext attack scenario * Can choose a number of plaintexts (or ciphertexts), and be given the corresponding ciphertexts (or plaintexts). Adaptive chosen plaintext and ciphertext attack scenario * Can choose plaintexts (or ciphertexts) and be given the corresponding ciphertexts (or plaintexts). Based on the information obtained, the attacker can then choose further plaintexts/ciphertexts, and be given the corresponding ciphertexts/plaintexts...

6 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques 1.4 Three Elementary Cryptanalysis Techniques Assume an n-bit block cipher with a k-bit user key E ( ). A dictionary attack * Build a table of all possible ciphertexts corresponding to one particular plaintext, with one entry for each possible key: C i = E i (P). * Data: 2 k ciphertexts, Memory: 2 k n-bit, Time: negligible. A codebook attack: * Build a table of the ciphertexts for all the plaintexts encrypted using one unknown key: C i = E (P i ). * Data: 2 n plaintext-ciphertext pairs, Memory: 2 n n-bit, Time: negligible. An exhaustive key search (or brute force search) attack: * Try every possible key, given a known plaintext-ciphertext pair. The correct key will yield the correct correspondence: E i (P)? C. * Data: negligible, Memory: negligible, Time: 2 k encryptions.

7 Weak eys for a Related-ey Differential Attack 1.5 Advanced Cryptanalysis Techniques 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An attack is commonly regarded as effective if it is faster than an exhaustive key search. A trade-off between data, time and/or memory. Meet-in-the-middle attack * Reflection-meet-in-the-middle attack, Higher-order meet-in-the-middle attack Differential cryptanalysis * Truncated differential, Higher-order differential, Impossible differential * Boomerang, Amplified boomerang, Rectangle attacks, Impossible boomerang Linear cryptanalysis Differential-linear cryptanalysis Integral cryptanalysis * Square attack, Saturation attack Slide attack, Reflection attack Related-key attack Algebraic cryptanalysis

8 Weak eys for a Related-ey Differential Attack Differential Cryptanalysis Introduced in 199 by Biham and Shamir. 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Work in a chosen-plaintext/ciphertext attack scenario. Take advantage of how a specific difference in a pair of plaintexts can affect a difference in the pair of ciphertexts (under the same key). A differential is the combination of the input difference and the output difference. The probability of the differential (α, β) for an n-bit block cipher E, written α β, is Pr E ( α β) = Pr P {,1} n(e(p) E(P α) = β). For a random function, the expected probability of any differential is 2 n. If Pr E ( α β) > 2 n, we can use the differential to distinguish E from a random function.

9 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Related-ey (Differential) Cryptanalysis Independently introduced by nudsen in 1992 and Biham in Different from differential cryptanalysis: The pair of ciphertexts are obtained by encrypting the pair of plaintexts using two different keys with a particular relationship, e.g. certain difference. Probability of a related-key differential: Pr E,E ( α β) = Pr P {,1} n(e (P) E (P α) = β). For a random function, the expected probability of any related-key differential is 2 n. If Pr E,E ( α β) > 2 n, we can use the related-key differential to distinguish E from a random function.

10 Weak eys for a Related-ey Differential Attack Amplified Boomerang Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Introduced in 2 by elsey, ohno and Schneier (as a variant of the boomerang attack). Work in a chosen-plaintext/ciphertext attack scenario. Based on an amplified boomerang distinguisher: * Treat a block cipher E as a cascade of two sub-ciphers E = E E 1. * Defined to be a pair of differentials ( α β, γ δ): α β for E with probability p; γ δ for E 1 with probability q. * Concerned event: E(P) E(P ) = δ and E(P α) E(P α) = δ * Probability: p 2 q 2 2 n approximately (under assumptions). For a random function, the expected probability of any amplified boomerang distinguisher is 2 2n. If p 2 q 2 > 2 n, we can use the distinguisher to distinguish between E and a random function.

11 Weak eys for a Related-ey Differential Attack An Amplified Boomerang Distinguisher 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques P α P P α P E E E E β γ γ β E 1 E 1 E 1 E 1 C C δ δ C C concerned

12 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Related-ey Amplified Boomerang Attack A combination of the amplified boomerang attack and related-key cryptanalysis. Based on a related-key amplified boomerang distinguisher. * Treat a block cipher E as E = E E 1. * Work typically in a related-key attack scenario with four related keys A, B, C, D : A B = C D ; A C = B D. * Consist of four related-key differentials. * Concerned event: E A (P) E C (P ) = δ and E B (P α) E D (P α) = δ. * Probability: p 2 q 2 2 n approximately (under assumptions). For a random function, the expected probability of any related-key amplified boomerang distinguisher is 2 2n. If p 2 q 2 > 2 n, we can use the distinguisher to distinguish between E and a random function.

13 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques A Related-ey Amplified Boomerang Distinguisher P α P P α P E B E D E A E C β γ γ β E 1 B E 1 D E 1 A E 1 C C C δ δ C C concerned

14 Weak eys for a Related-ey Differential Attack 2.1 Introduction 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security Designed by Mitsubishi (Matsui et al.), published in A 64-bit block cipher, a user key of 128 bits, and a recommended number of 8 rounds, with a total of 1 key-dependent logical functions FL: * two FL functions at the beginning; * two FL functions inserted after every two rounds. A Japanese CRYPTREC-recommended e-government cipher, an European NESSIE selected cipher, an ISO international standard. Widely used in Mitsubishi products as well as in Japanese military.

15 Weak eys for a Related-ey Differential Attack 2.2 Structure 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security I ij2 FL 1 FL 2 L i1 L i2 Extnd Trunc Extnd S 9 S 7 S 9 FO 1 FO 2 (a) : FL i I ij1 (b) : FI ij FL 3 FL 4 FO 3. FL 9 FL 1 O i1 O i2 O i3 O i4 FI i1 FI i2 FI i3 (c) : FO i (d) : MISTY1

16 Weak eys for a Related-ey Differential Attack 2.3 ey Schedule 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security 1. Represent a user key as eight 16-bit words = ( 1, 2,, 8 ). 2. Generate a different set of eight 16-bit words 1, 2,, 8 by 3. Subkeys: i = FI( i, i+1 ), for i = 1, 2,, 8. O i1 = i, O i2 = i+2, O i3 = i+7, O i4 = i+4 ; I i1 = i+5, I i2 = i+1, I i3 = i+3; L i = i+1 i+1 +6, for i = 1, 3, 5, 7, 9; otherwise, L i = i +2 i

17 Weak eys for a Related-ey Differential Attack 2.4 Security 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security Has been extensively analysed against a variety of cryptanalytic methods. No whatever cryptanalytic attack on the full version.

18 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Dai and Chen s related-key differential attack on 8-round MISTY1 with only the last 8 FL functions (INSCRYPT 211). A class of 2 15 weak keys. * A weak key is a user key under which a cipher is more vulnerable to be attacked. A 7-round related-key differential characteristic with probability 2 6. Attacking the 8-round reduced version under weak keys. * Attack procedure is straightforward, by conducting a key recovery on FO 1 in a way similar to the early abort technique for impossible differential cryptanalysis. * Data complexity: 2 63 chosen ciphertexts. * Memory complexity: 2 35 bytes. * Time complexity: encryptions.

19 Weak eys for a Related-ey Differential Attack A Class of 2 15 Weak eys Three binary constants: * 7-bit a = 1; * 16-bit b = 11; * 16-bit c = 1. Let A, B be two 128-bit user keys: 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8). Let A, B be the corresponding 128-bit words generated by the key schedule: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ). The class of weak keys is defined to be the set of all possible ( A, B ) satisfying the following 1 conditions: 6 6 = c, 5 5 = b, 6 6 = c, 6,12 =, 7,3 = 1, 7,12 =, 8,3 = 1, 4,3 = 1, 4,12 = 1, 7,3 =. The number: 1 = 2 16, 2 = 2 16, 3 = 2 16, ( 4, 5) = 2 3, ( 6, 7, 8) = Therefore, a total of 2 15 weak keys.

20 2 3 1 b c S 9 S7 S 9 I 311 S 9 S7 6 = c I 312 I 412 S 9 I 411 I 512 S 9 S7 S 9 I 511 I 612 S 9 S7 S 9 I = c 7 8 S 9 S7 I 322 S 9 I 321 I 422 = ( 2 a) S 9 S7 S 9 2 a I 421 = a S 9 S7 S 9 S7 I 522 = S 9 I 521 = a I 622 S 9 I 621 b S 9 S7 I 332 = S 9 S7 S 9 I 331 = a S 9 S7 S 9 S7 I 432 S 9 I 431 I 632 I 631 I 532 I 531 S 9 S 9 4 8,3 = c P r = 2 S 9 S7 S 9 S7 S 9 S7 I 212 S 9 I 211 I 712 S 9 I 711 c 4 1 S 9 S7 S 9 S7 I 222 S 9 I 221 I 722 S 9 I 721 c c 1 I 232 = ( 2 a) S 9 S7 S 9 2 a I 231 = a = c I S 9 S7 S 9 I 731 4,3 = 1, 4,12 = 1, 6,12 = P r = 2 8 R 4,3 = 1, R 4,12 = 1, 7,3 = 1, 7,12 = 6 = c P r = 2 16 c P r = 2 8 I 812 = ( 2 a) S 9 I 811 = a 2 S 9 S7 I 822 S 9 I S 9 S7 I 832 S 9 I 831 c 6 = c b 4 7,3 = 5 = b 7 b b 6 = c c Block Cipher Cryptanalysis Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys A 7-Round Related-ey Differential Characteristic b c 16 P r = 2 8 Round b P r = 2 1 Round 3 Round 4 P r = a b Round 5 Round 6 c 16 2 c c P r = 2 1 Round 7 Round 8 c c 16

21 Weak eys for a Related-ey Differential Attack 3.2 A Corrected Class of Weak eys 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Focus on the 7-round related-key differential characteristic. P r = 2 16 c P r = 2 8 c Round 2 2 I 212 b S 9 S7 S 9 I 211 c 4 I 222 S 9 S7 S 9 I 221 c I 232 = ( 2 1 a) S 9 S7 S 9 2 a I 231 = a 6 = c Not all the 2 15 possible 7 (i.e. I 21 ) defined by the weak key class make Pr FI21 ( b c) >! The number of 7 defined by the weak key class is 2 15, the number of 7 satisfying Pr FI21 ( b c) > is about The number of 7 defined by the weak key class & satisfying Pr FI21 ( b c) > is about Pr FI21 ( b c) = 2 15 /2 14 /

22 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys P r = 2 16 c Round 7 I S 9 S7 S 9 I S 9 S7 S 9 6 = c I S 9 S7 S 9 I 711 I 721 I 731 Not all the 2 16 possible 2 (i.e. I 73 ) defined by the weak key class make Pr FI73 ( c c) >! The number of 2 defined by the weak key class is 2 16, the number of 2 satisfying Pr FI21 ( b c) > is The number of 2 defined by the weak key class & satisfying Pr FI73 ( c c) > is Pr FI73 ( c c) = 2 15.

23 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys As a result, A class of weak keys: 1 = 2 16, ( 2, 3 ) = 2 31, ( 4, 5 ) = 2 3, ( 6, 7, 8 ) * 3 = 2 16, 5 = * 7 = ; 7, 212 ( 6, 8). * 2,8 16 = 28, 3 = 216, 4,8 16 = 28. A 7-round related-key differential with probability * (b 32 c) ( 32 c 16 ).

24 Weak eys for a Related-ey Differential Attack Precomputation 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Hash table T 1 : (x, x η): The left halves of a plaintext pair 32 bits {}}{ Only three possible input differences η =?? X: output difference of FI 12 Store satisfying ( 1, 3, 2,8 16) into Table T 1 indexed by (x, η, X) (x, x η) c c 9 a Round 1 I 112 = 1 S 9 S7 S 9 I 111 = a b I 122 / 3 2,8 16 S 9 S7 S 9 I 121 X I S 9 S7 S 9 I 131 Y 5 b c Memory complexity: bytes; Time complexity: FI computations. For every (x, η, X), there are 2 23 satisfying ( 1, 3, 2,8 16) on average.

25 Weak eys for a Related-ey Differential Attack Hash table T 2 : 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Y : output difference of FI 13 Store satisfying ( 6, 7, 8 ) into Table T 2 indexed by (x, η, Y, 1, 4,8 16) (x, x η) c c 9 a X ( 9 a) Round 1 I 112 / 6,8 16 = 1 3 I 122 S 9 S7 b S 9 S 9 S7 S 9 I 111 / 6,1 7 = a I 121 X I 132 / 8 4,8 16 S 9 S7 S 9 I 131 Y 5 b c Memory complexity: bytes; Time complexity: FI computations. For every (x, η, Y, 1, 4,8 16), there are satisfying ( 6, 7, 8 ) on average.

26 Weak eys for a Related-ey Differential Attack Attack Outline 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys η? FL c Output difference of FL 2 : (X c) (X Y ( 9 a)) 3 5 FL 2 Round 1 c 9 a X ( 9 a) I 112 = 1 I 122 I FI 11 3 FI 12 8 FI S 9 S7 b S 9 S 9 S7 S 9 S 9 S7 S 9 I 111 = a I 121 X I 131 Y X Y ( 9 a) 5 X ( 9 a) b 16 Step 1: Choose 2 6 ciphertext pairs with difference ( 32 c 16 ). Step 2: eep plaintext pairs with difference (η?) Step 3: Focus on FL 2. Guess ( 3, 5 ), compute X, Y. Step 4: Focus on FL 1 and FI 12. Obtain satisfying ( 1, 3, 2,8 16) from Table T 1. Step 5: Retrieve 4 from 3 = FI( 3, 4 ), compute 4 = FI( 4, 5 ). Step 6: Focus on FL 1, FI 11 and FI 13. Obtain satisfying ( 6, 7, 8 ) from Table T 2. Step 7: Increase 1 to counters for ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ). Step 8: For a subkey guess whose counter number is larger than or equal to 3, exhaustively search the remaining 7 key bits. 16 c

27 Weak eys for a Related-ey Differential Attack Attack Complexity 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Data complexity: 2 61 chosen ciphertexts. Memory complexity: bytes. Time complexity: encryptions. Success probability: 76%.

28 Weak eys for a Related-ey Differential Attack 3.4 Another Class of Weak eys Focus on the 7-round related-key differential characteristic: 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys b c P r = 2 16 c P r = 2 8 c Round 2 I b S 9 S7 S 9 c I S 9 S7 S 9 c I 232 = ( 2 1 a) S 9 S7 S 9 6 = c I 211 I a I 231 = a. c 16 P r = 2 8 Round 8 I 812 = ( 2 a) 8 c S 9 S7 S 9 I S 9 S7 S 9 I S 9 S7 S 9 4 I 811 = a I 821 I 831 FL9 5 3 Consider the other possible value of 7,3, further classified by 1,3: 7,3 = 1, 1,3 = 1, = c c 7,3 = 1, 1,3 =, = 16 c FL1 7 7,3 = 1 c

29 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Chen and Dai s related-key amplified boomerang attack on 8-round MISTY1 with only the first 8 FL functions (CHINACRYPT 211). A class of 2 9 weak keys. A 7-round related-key amplified boomerang distinguisher with probability Attacking the 8-round reduced version under weak keys. * Attack procedure is straightforward, by conducting a key recovery on FO 8 in a way similar to the early abort technique. * Data complexity: 2 63 chosen plaintexts. * Memory complexity: 2 65 bytes. * Time complexity: 2 7 encryptions.

30 Weak eys for a Related-ey Differential Attack A Class of 2 9 Weak eys 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Let A, B, C, D be four 128-bit user keys: A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8), C = ( 1, 2, 3, 4, 5, 6, 7, 8), D = ( 1, 2, 3, 4, 5, 6, 7, 8). Let A, B, C, D be the corresponding 128-bit words generated by the key schedule: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ), C = ( 1, 2, 3, 4, 5, 6, 7, 8 ), D = ( 1, 2, 3, 4, 5, 6, 7, 8 ). The class of weak keys is defined to be the set of all possible ( A, B, C, D ) satisfying the following 12 conditions: 2 2 = c, 6 6 = c, 1 1 = b, 5 5 = b, 2 2 = c, 6 6 = c, 5,3 = 1, 5,12 =, 4,3 =, 7,3 = 1, 7,12 =, 8,3 =. The number: 1 = 2 16, ( 2, 3) = 2 16, ( 4, 5) = 2 29, ( 6, 7) = 2 14, 8 = Therefore, a total of 2 9 weak keys.

31 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys A 7-Round Related-ey Amp. Boo. Distinguisher A 7-round related-key amplified boomerang distinguisher with probability p 2 q 2 2 n = 1 2 (2 27 ) = under weak keys. * E : Rounds 1 2, including FL 4 but excluding FL 3. * E 1: Rounds 3 7, including FL 3 (but excluding FL 4). * Related-key differential α β for E : ( 48 b) ( 32 c 16 ) with probability 1. * Related-key differential γ δ for E 1: ( 48 b) with probability 2 27.

32 1 c 2 = = 5 2 = c c S 9 S7 S 9 I 311 S 9 S7 6 = c I 312 I 412 = S 9 I 411 = I 512 = S 9 S7 S 9 I 511 = I 612 S 9 S7 S 9 I = c 7 8 S 9 S7 I 322 S 9 I 321 I 422 = ( 2 a) S 9 S7 S 9 2 a I 421 = a S 9 S7 S 9 S7 I 522 = S 9 I 521 = a I 622 S 9 I 621 b 2 = S 9 S7 S 9 I 331 = a S 9 S7 S 9 S7 S 9 S7 I 332 = I 432 S 9 I 431 I 532 I 531 S 9 I 632 = S 9 I 631 = 4 8,3 = 2 = 7 S 9 S7 S 9 S7 S 9 S7 I 112 = S 9 I 111 = I 212 S 9 I 211 I 712 S 9 I S 9 S7 S 9 S7 S 9 S7 I 122 = S 9 I 121 = a I 222 S 9 I 221 I 722 S 9 I 721 b 8 1 S 9 S7 S 9 S7 I 132 S 9 I 131 I 232 = S 9 I 231 = 5,3 = 1, 5,12 = = 6 = c I 732 = 3 S 9 S7 S 9 I 731 = 5 4,3 = P r = 2 8 R 4,3 = 1, R 4,12 = 1, 7,3 = 1, 7,12 = 6 = P r = 2 16 c b b = b 5 = b 7 b b 6 = c c 8 P r = 2 2 P r = Block Cipher Cryptanalysis Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys The Two Related-ey Differentials Used 16 b a b Round 1 Round 2 c 16 c 16 (a): The related-key differential for Rounds b Round 3 Round 4 Round 5 9 a b Round 6 c c Round 7 (b): The related-key differential for Rounds 3 7

33 Weak eys for a Related-ey Differential Attack 4.2 An Improved 7-Round Distinguisher Focus on the second related-key differential: 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys P r = 2 16 c Round 7 I S 9 S7 S 9 I S 9 S7 S 9 6 = c I 732 = 3 S 9 S7 S 9 I 711 I 721 I 731 = Surprisingly, all the possible ( 2, 2 ) (i.e. I 73 ) defined by the weak key class make Pr FI73 ( c c) >! Pr FI73 ( c c) = Thus, a 7-round related-key amplified boomerang distinguisher with probability

34 Weak eys for a Related-ey Differential Attack Precomputation 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Hash table T 1 : x {, 1} 32 : Input of FO 8 without 8. X: The right 9 bits of the output difference of FL 81 Y : Output difference of FL 83 Store satisfying x into Table T 1 indexed by ( 3, 5, 7, X, Y ). Round 8 a X a X Y (a X) 8 5 = b 1 = 2 = FI 81 FI 82 FI 83 a X Y a X 5 3? I 812 = ( 2 a) S 9 S7 S 9 a I 811 = a Memory complexity: 2 79 bytes; Time complexity: 2 71 FI computations. For every ( 3, 5, 7, X, Y ), there are 2 8 satisfying x on average. a X 7 1

35 Weak eys for a Related-ey Differential Attack Hash table T 2 : 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys x {, 1} 32 : Input of FL 1 1. λ: Output of FL 1 1 after being xored with ( 8 16 ). Store ( 1, 8 ) into Table T 2 indexed first by 7 and then by (x, λ). Round = b 1 = 2 = 7 3 FI 81 FI 82 FI FL 1? Memory complexity: 2 78 bytes; Time complexity: 2 76 FL computations. Set a binary marker, up and down, to the set of 2 32 (x, λ) under each ( 7, 1, 8 ).

36 Weak eys for a Related-ey Differential Attack Attack Outline 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys a X a X Y (a X) 8 5 = b 1 = 2 = 7 3 FI 81 FI 82 FI 83 a X Y 4 a X a X Y (a X) FL 9 FL 1? Step 1: Choose two sets of plaintext pairs with difference ( 48 b). Step 2: eep the quartets such that each ciphertext pair has difference (? ). Step 3: Focus on FL 9. Guess 3, keep the quartets such that each pair has 7-bit difference a. Step 4: Focus on FL 9. Guess 5, compute (X, Y ) and (X, Y ). Step 5: Guess 7, get the two possible values for 6, and compute 5. Step 6: Focus on FI 81 and FI 83. Obtain possible inputs to FO 8 excluding XOR with 8 from Table T 1. Step 7: Focus on FL 1. Obtain ( 1, 8) from Table T 2. Step 8: For a subkey guess whose counter is non-zero, exhaustively search the remaining key bits.

37 Weak eys for a Related-ey Differential Attack Attack Complexity 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Data complexity: chosen plaintexts. Memory complexity: bytes. * On-line: ; * Off-line: Time complexity: encryptions. Success probability: 86%.

38 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys 4.4 Three Other Classes of 2 9 Weak eys Focus on the first related-key differential: Consider the three other possible combinations of (5,3, 5,12), further classified by ( 3,3, 3,12) FL1 Round 1 16 b ,3 = 1, 5,12 = 5 b I 112 = 1 I 122 = 3 I S b 9 S7 S b 9 S 9 S7 S 9 S 9 S7 S 9 I 111 = I 121 = a I 131 FL2 9 a b Round 2 c 16 I 2 = c 212 c S 9 S7 S 9 I S 9 S7 S 9 1 I 232 = S 9 S7 S 9 6 = I 211 I 221 I 231 = 4 4,3 = 6 = c 16 Thus, a total of 2 92 weak keys.

39 Weak eys for a Related-ey Differential Attack Have presented related-key differential and amplified boomerang attacks on the full MISTY1 algorithm under certain weak key assumptions. * Have described weak keys for a related-key differential attack on the full MISTY1. * Have described 2 92 weak keys for a related-key amplified boomerang attack on the full MISTY1. * Quite theoretical, for the attacks work under the assumptions of weak-key and related-key scenarios and their complexities are very high. The MISTY1 cipher does not behave like a random function (in the related-key model), and cannot be regarded to be an ideal cipher.

40 Weak eys for a Related-ey Differential Attack Summary of Main Cryptanalytic Results #Rounds FL #eys Attack Type Data Time Year 6 (1 6) yes Impossible differential 2 51 CP Enc (1 6) yes Higher-order differential CP Enc (3 8) yes Integral 2 32 CC Enc (1 7) yes Higher-order differential CP Enc (2 8) yes 2 73 Related-key amplified boomerang 2 54 CP Enc (1 8) yes 2 9 Related-key amplified boomerang 2 63 CP 2 7 Enc (1 8) yes 2 15 Related-key differential 2 63 CC Enc. 211 full yes Related-key differential 2 61 CC Enc Related-key amplified boomerang CP Enc. 212 CP: Chosen Plaintexts, CC: Chosen Ciphertexts, Enc.: Encryptions, : Exclude the first/last layer of two FL functions, : There is a flaw.

41 Weak eys for a Related-ey Differential Attack Thank you! Questions or Comments?