Differential Cryptanalysis of Madryga

Similar documents
On the Design of Secure Block Ciphers

Key Separation in Twofish

Elastic Block Ciphers: The Feistel Cipher Case

Related-key Attacks on Triple-DES and DESX Variants

CSC 474/574 Information Systems Security

Symmetric Cryptography. Chapter 6

Linear Cryptanalysis of Reduced Round Serpent

Strict Key Avalanche Criterion

Chapter 3 Block Ciphers and the Data Encryption Standard

A Weight Based Attack on the CIKS-1 Block Cipher

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Elastic Block Ciphers: The Feistel Cipher Case

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

EEC-484/584 Computer Networks

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Plaintext (P) + F. Ciphertext (T)

Computer Security 3/23/18

Two Attacks on Reduced IDEA (Extended Abstract)

Hill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and Key

A SIMPLIFIED IDEA ALGORITHM

Integral Cryptanalysis of the BSPN Block Cipher

Fundamentals of Cryptography

Secret Key Cryptography

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Differential Cryptanalysis

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Symmetric Encryption Algorithms

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

A New Technique for Sub-Key Generation in Block Ciphers

Other Systems Using Timing Attacks. Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995)

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

A Related Key Attack on the Feistel Type Block Ciphers

Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks

Self evaluation of FEAL-NX

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

CSCE 813 Internet Security Symmetric Cryptography

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak

Lecture 2: Secret Key Cryptography

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

A Related-Key Cryptanalysis of RC4

Cryptanalysis of FROG

Cryptography and Network Security

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Secret Key Cryptography (Spring 2004)

Network Working Group Request for Comments: 1829 Category: Standards Track Piermont W. Simpson Daydreamer August 1995

Keywords :Avalanche effect,hamming distance, Polynomial for S-box, Symmetric encryption,swapping words in S-box

Lecture 3: Symmetric Key Encryption

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Preliminary Cryptanalysis of Reduced-Round Serpent

DESIGNING S-BOXES FOR CIPHERS RESISTANT TO DIFFERENTIAL CRYPTANALYSIS (Extended Abstract)

Improved Truncated Differential Attacks on SAFER

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Cryptography and Network Security. Sixth Edition by William Stallings

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

The RC5 Encryption Algorithm

A Block Cipher Basing Upon a Revisit to the Feistel Approach and the Modular Arithmetic Inverse of a Key Matrix

The signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard

Differential-Linear Cryptanalysis of Serpent

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

The Security of Elastic Block Ciphers Against Key-Recovery Attacks

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

A General Analysis of the Security of Elastic Block Ciphers

P2_L6 Symmetric Encryption Page 1

A Chosen-Plaintext Linear Attack on DES

Performance of Symmetric Ciphers and One-way Hash Functions

Lecture 4: Symmetric Key Encryption

Analysis of Involutional Ciphers: Khazad and Anubis

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

EEC-682/782 Computer Networks I

arxiv:cs/ v2 [cs.cr] 27 Aug 2006

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

EE 595 (PMP) Introduction to Security and Privacy Homework 1 Solutions

Lecture 1 Applied Cryptography (Part 1)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

On the Security of the 128-Bit Block Cipher DEAL

Technion - Computer Science Department - Technical Report CS

Public-key Cryptography: Theory and Practice

A Fault Attack Against the FOX Cipher Family

Some Thoughts on Time-Memory-Data Tradeoffs

Cryptanalysis. Andreas Klappenecker Texas A&M University

Using block ciphers 1

Journal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

New Attacks on Feistel Structures with Improved Memory Complexities

Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty

Computer and Data Security. Lecture 3 Block cipher and DES

Computational Security, Stream and Block Cipher Functions

Multiplicative Differentials

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher

Symmetric Cryptography CS461/ECE422

Transcription:

Differential Cryptanalysis of Madryga Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: The Madryga encryption algorithm is susceptible to differential cryptanalysis. The key can be determined with about 5000 chosen plaintexts. Keywords: block code, differential cryptanalysis, Madryga Introduction This paper describes an attack on the Madryga encryption algorithm [2] that uses differential cryptanalysis [1]. This attack can determine the key with about 5000 chosen plaintexts. The Madryga encryption algorithm The Madryga encryption algorithm [2] was designed as an alternative to DES that could be effiiciently implemented in software. To meet this goal, it performs byte operations (shifts and exclusive-ors) rather than bit operations. It encrypts a block of TL bytes using a key of typically 8 bytes. The algorithm is intended to combine transposition operations (via the shifts) with translation operations (via the exclusive-or with key bytes). The algorithm consists of two nested loops; the outer loop performs eight rounds of the inner loop, which iterates a base step TL times. Each base step operates on a working frame of three successive bytes (W 1, W 2, and W 3 ) of the block, which is viewed circularly. The inner loop starts with W 1, W 2, W 3 set to the last two bytes and the first byte respectively of the data block: D TL-1, D TL, D 1. Each successive iteration moves the working frame one byte to the right, so the last inner iteration ends with the last three bytes of the data block: D TL-2, D TL-1, D TL. For most of the analysis in this paper, a block size of TL=8 is assumed. The base step operates as shown in Figure 1. First, a shift value is obtained by anding W 3 with 7. The 16-bit value W 1 W 2 is rotated to the left by the number of bits specified by the shift value. DRAFT 1 October 19, 1995

Finally, W 3 is exclusive-ored with a key-generated byte to conclude the base step. The key-generated byte in each base step is formed by rotating the key to the right 3 bits, exclusive-oring it with a constant (0x0F1E2D3C4B5A6978), and taking the rightmost byte. The base step is shown in Figure 1. Key Rotate 3 bits New Key Hash constant Frame Data block... W 1 W 2 W 3... rotate by W 3 & 7 bits Key byte New data block W 1 W 2 W 3 New bytes in frame Figure 1. The base step of the Madryga algorithm. Each step modifies a three byte frame of the data block. First, W 1 W 2 is rotated by W 3 & 7 bits. Next, the key is rotated three bits and exclusiveored with a constant to generate the new key. Finally, the low-order byte of the new key is exclusive-ored with W 3. The attack The attack uses differential cryptanalysis on chosen plaintext. The key idea is to encrypt two plaintexts that differ in one bit. Occasionally, the encryptions of the two plaintexts will continue to differ only in one bit, until the final step, where this one bit will cause the last shifts to be different for the two blocks. By comparing the two ciphertexts, one bit of the final key-generated byte can be determined. Once three bits of the key-generated bytes have been obtained, the encryption can be unwound one step and the attack can be repeated. Through iterations of determining keygenerated bytes and unwinding the encryption successive steps, the entire sequence of key-generated bytes can be obtained, breaking the encryption. Figure 2 illustrates the attack in more detail. Let two plaintexts differing in one bit are encrypted. Suppose, that the single bit change fails to propagate until the input of the final step, where it is in one of the three low-order bits of the final byte. The final step operates on the last three bytes; call the input for the first block e 5, e 6, and e 7 and the output (i.e. the final ciphertext) E 5, E 6, E 7. Call DRAFT 2 October 19, 1995

the second block s input and output for the last step e 5, e 6, e 7 b and F 5, F 6, F 7 respectively, where b is the changed bit. As a result, e 5 e 6 will be shifted a different amount from f 5 f 6. Thus, E 5 E 6 and F 5 F 6 will differ by rotation while E 7 and F 7 will differ by the single bit b. To analyze this, call the (unknown) final key-generated byte K. Let S 0 be the shift for the first block (e 7 &7) so S 0 b is the shift for the second block ((e 7 b&7). Thus E 5 E 6 is e 5 e 6 shifted by S 0 and F 5 F 6 is e 5 e 6 shifted by S 0 b. By comparing E 5 E 6 to F 5 F 6, we can determine how much more one was shifted than the other, i.e. e 7 b-e 7, which will be +/- b. We can compute F 7 -E 7 from the ciphertext. If the two values are the same, then the corresponding bit (b) of K is 0; if the two values differ in sign, then the corresponding bit of K is 1. Thus, by finding suitable plaintext/ciphertext pairs, we can determine the three low-order bits of K, one at a time. First block Second block Example first block Example second block Last step input e 5 e 6 e 7 e 5 e 6 e 7 b 11100010 11111011 11000110 11100010 11111011 11000010 Shift shift e 5 e 6 by e 7 shift e 5 e 6 by e 7 b shift by 6, xor with 34 shift by 2, xor with 34 Xor xor e 7 with key K xor with key K 10111110 11111000 11110010 10001011 11101111 11110110 Final result E 5 E 6 E 7 F 5 F 6 F 7 10111110 11111000 11110010 10001011 11101111 11110110 shift -4 add 4 10001011 11101111 11110110 Figure 2. Cryptanalysis of a single step. In the example, b=4, K=34 (00010100). It can be observed that the second block was shifted 4 bits fewer to the left than the first, while the final byte is of the second block is 4 larger. Thus, it can be determined that bit 2 of K is set. These bits can then be used to unwind the algorithm one step, by rotating E 0 E 1 and F 0 F 1 to the right by the obtained value. Finally, exclusive-oring E 2 and F 2 with the obtained bits will yield values for e 2 and f 2 that are correct in the three low-order bits, but are still exclusive-ored with the top five bits of K. This operation can continue, working to the left in the ciphertext, obtaining low-order bits of successive K s and unwinding the algorithm. If we assume an eight-byte data block, the unwinding will work until the 7th step. At this point, the frame wraps around and E 0 and F 0 will be the final bytes of their respective blocks. Recall that we only obtained a value for this byte that is correct only in the low three bits since it is still exclusive-ored with the top five bits of the first K. However, by comparing E 0 E 1 to F 0 F 1 we still have enough good bits to determine the difference in shift. In addition, we can determine the top 5 bits of the first K. This comparison can be performed simply by trying the 6 different shifts (-1, -2, -4, DRAFT 3 October 19, 1995

+1, +2, +4) and 32 values for the first K to see if a match can be obtained. Thus, the decrypting step will reveal one bit of the current K and the top 5 bits of the K from 6 steps earlier. The encryption can then be unwound another step; now that the first K is completely determined, all bits of the final byte can be obtained, rather than just the low order bits, and used for the next step of the cryptanalysis. Cryptanalysis can similarly proceed backwards through all steps of the encryption, as shown in Figure 3. Step Data bytes Key bytes determined Ciphertext M M M M M D D D After step 1 M M M M D D D UL L After step 2 M M M D D D UL UL LL After step 3 M M D D D UL UL UL LLL After step 4 M D D D UL UL UL UL LLLL After step 5 D D D UL UL UL UL UL LLLLL After step 6 D D UL UL UL UL UL UL LLLLLL After step 7 D UL UL UL UL UL UL UD LLLLLLA After step 8 UL UL UL UL UL UL UD UD LLLLLLAA After step 9 UL UL UL UL UL UD UD UL LLLLLLAAA After step 10 UL UL UL UL UD UD UL UL LLLLLLAAAA After step 11 UL UL UL UD UD UL UL UL LLLLLLAAAAA......... Figure 3. Successive cryptanalytic steps. Bytes in the frame being cryptanalyzed are underlined. Bytes that match between the two encoded blocks are indicated with M. Bytes that are different are indicated with D. Once key-generated bytes are partially determined the encryption can be unwound successive steps to obtain bytes that are valid in the three low order bits; these are indicated by UL. Once key-generated bytes are fully determined, unwound bytes are correct in all bits; these are indicated with UD. Key-generated bytes are indicated with L if the low order bits are known and A if all the bits are known. For example, in the first step, the last three data bytes are examined, yielding for the key. The encryption can be unwound one step, so the last byte can be unwound revealing the low order bits. By continuing this process of determining the shift and unwinding the encryption, we can obtain the entire key sequence. This allows us to decrypt any block encrypted with that key sequence. Note that the specific algorithm used to generate the key sequence from the original key is irrelevant to this attack. If the standard Madryga key generation algorithm and key has are used, then the original key can be easily obtained. To determine the key, first generate the key sequence corresponding to a key of all zeros and exclusive-or this with the recovered key sequence. The result is the low byte of the original key, shifted three positions to the right each time. If the Madryga DRAFT 4 October 19, 1995

key hash is not known, it is not possible to recover all the bits of the the original key or the key hash. This can be shown by computing the 512x128 matrix showing the influence of each bit of the key and hash on each bit of the output sequence. This matrix is singular, with rank 72. Thus, only 72 of the 128 bits can be recovered. For instance, a key sequence of all zeros is generated if both the key and key hash are all zeros. But it is also generated by key 0x9080000000000000 with key hash 0x8290000000000000 or key 0x2101249240000000 with key hash 0x2521000008000000, or many other combinations. Analysis of the attack Empirical testing shows that on the average, about 10,000 chosen plaintext are required to cryptanalyze the algorithm. For efficiency, these plaintexts were generated as sets of 256 that differ only in one byte; each set of 256 yields 1024 pairs that differ in a single bit. Surprisingly, generating pairs from these sets was extremely inefficient for the first few rounds. It took a very large number of sets to get satisfactory pairs. The explanation is that because Madryga requires multiple rounds to sufficiently shuffle the input data, similar blocks are likely to produce similar output after two rounds. So if one pair in the set doesn t provide the needed single bit change, it is unlikely that the others will. Thus, it is considerably more efficient to generate unrelated pairs for the first few rounds. We can analyze the propagation of a single bit change in more detail. Intuitively, a single bit change will result in avalanche if it is in the low 3 bits (changing the shift) and will otherwise propagate, yielding a probability of approximately 5/8 or 62.5% of surviving a round. For a more detailed analysis, consider the matrix P where P ji is the probability that a single bit change in position i entering a round results in a single bit change in position j at the end of the round. The dominant eigenvector of the 64x64 matrix P shows the eventual distribution of a random bit change; good convergence to the eigenvector occurs after a single round. The dominant eigenvalue of the 64x64 matrix P is approximately 0.57 and shows that, after a couple rounds, a single bit change has about a 57% chance of survival. This is slightly lower than the 5/8 estimate because the distribution in the dominant eigenvector is not uniform; after one round, surviving single bit changes are in positions slightly more likely to avalanche in the next round. After 8 rounds, a single bit change has about a 1% chance of surviving. DRAFT 5 October 19, 1995

The complexity of the attack can be estimated from these values. To cryptanalyze the final step, we need pairs with single bit differences that survived seven rounds and then ended up in the last three bits of the last byte. The probability of a bit difference surviving eight rounds is approximately.57 8, and only 1 out of 64 differences will end up in the right position. Thus, an average of about 64/.57:8 or about 5700 pairs will be required for each of the last three bits, and a decreasing number of pairs will be required for successive bits. The difficulty of the attack is determined by the maximum number of pairs required for any bit; in practice this averages about 10000. Note that a set of 256 plaintexts that vary in one byte will generate 1024 pairs that differ in a single bit. This provides an efficient means of generating pairs with an average 1/4 plaintexts per pair, as opposed to the 2 plaintexts per pair from random pairs. Surprisingly, when the encryption has been unwound to leave 4 or fewer rounds, the set of 256 method is much less efficient than generating random pairs. The explanation is that after a small number of rounds, Madryga hasn t shuffled the data very much. Thus, the behavior of the 1024 pairs is highly correlated and bit differences tend to end up in the same places. Therefore, it is more efficient to generate individual pairs than sets to cryptanalyze the last few rounds. With this optimized pair generation, the algorithm requires about 5000 plaintexts on the average. Increasing the number of round will increase the resistance of the algorithm to this differential cryptanalytic attack, but only relatively slowly. Measurements show that each additional round increases the number of plaintexts required by a factor of about 1.6. Doubling the number of rounds to 16 only increases the number of required plaintexts to about 200,000. The Tcl language [5] was used to assist in analyzing Madryga. Tcl is an interactive interpreted programming language designed to run short scripts, while additional functions can be written in C and linked in. Tcl was used as a flexible testbed for performing operations such as encrypting a certain block of data for a certain number of steps, comparing this to the results of unwinding the data, searching for a pair of plaintexts satisfying a condition, and collecting various statistics. The encryption, search, and matrix operation routines were written in C for the speed advantage, while the interpreted nature of Tcl allowed different experiments to take place without the frequent recompilation that a C test program would require. Tcl may prove useful for other cryptographic analysis as it provides a convenient language for interactive experimentation while retaining the speed of a compiled language for computation-intensive operations such as encryption. DRAFT 6 October 19, 1995

Weaknesses in Madryga This attack reveals that Madryga is very weak in comparison to other block algorithms. For instance, the most effective known attack against DES (linear cryptanalysis) requires about 2 43 known plaintexts [3]. Several factors are responsible for the weakness of Madryga: ssingle bit changes in Madryga avalanch poorly, the algorithm can easily be unwound step-by-step, and Madryga has unfortunate parity properties. The fundamental problem is the failure of the bit avalanche property, which was detected by Gustafson et al [4]. In particular, a given output byte has about a 2.5% chance of being unchanged after a single bit change in the plaintext. This is a very high percentage; in comparison, DES will leave a byte unchanged with only the random chance of 1 in 256. The main problem with Madryga is that a bit change will avalanche only if the bit changes the rotation. Since only 3 of the 8 bits are used in a rotation, a bit change has about a 5/8 chance of not causing any change during a particular step of the inner loop and thus during an entire round. Once avalance does occur, it propagates rather slowly, two bytes to the left and an average of one byte to the right. (In contrast, a round of DES normally changes all the bytes.) Thus, even if avalanche occurs immediately, it typically takes 3 rounds before all bytes are affected. Because of this slow propagation, if avalanche is delayed a few rounds, it may not spread to all the bytes. Thus, the avalanche characteristics of Madryga suffer from several problems. First, each round has a high probability of being unaffected by a single bit change. Second, when avalanche does occur, it propagates slowly. Finally, the number of rounds is too small to ensure that sufficient avalanche will occur. A second fundamental problem is the ease of unwinding the algorithm step-by-step. Because only three bytes are affected in a simple way during a step, it is straightforward to determine what happend in the step and how to unwind the step. In addition, because the key-generated bytes are a fixed sequence, independent of the data, they are easy to obtain. If the key-generated bytes were a function of the data, the attack in this paper wouldn t work. Finally, Madryga suffers a parity problem because of the simple combination of the key with the data. As Biham found [3], the parity of the plaintext and ciphertext combined is fixed, for a given key. This can easily be seen from the algorithm since the plaintext and the fixed key sequence are DRAFT 7 October 19, 1995

combined with exclusive-or, without any opportunities for new bits. In fact, for an 8 bit key and data, the parity is always even. DES avoids this problem through the S-boxes, which substitute variable bits. References [1] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. In Advances in cryptology, CRYPTO 90 Proceedings, Berlin: Springer-Verlag, pages 2 21, 1990. [2] W. E. Madryga. A High Performance Encryption Algorithm. In Computer Security: A Global Challenge. J. H. Finch and E. G. Dougall(eds.), North Holland: Elsevier Science Publishers, pages 557-570, 1984. [3] B. Schneier. Applied Cryptography. Wiley: New York, 1994. [4] H. Gustafson, E. Dawson, B. Caelli. Comparison of block ciphers. Advances in Cryptology AUSCRYPT 90 Proceedings, Berlin: Springer-Verlag, pages 208-220, 1990. [5] J. K. Ousterhout, Tcl and the Tk Toolkit, Addison-Wesley:Reading, Mass., 1994. Biographical Sketch Ken Shirriff is a staff engineer at Sun Labs. He received his Ph.D. in computer science from U.C. Berkeley in 1995. DRAFT 8 October 19, 1995

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback