A Related-Key Attack on TREYFER

Similar documents
Improved Truncated Differential Attacks on SAFER

Wenling Wu, Lei Zhang

RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT

Related-key Attacks on Triple-DES and DESX Variants

Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher

Differential-Linear Cryptanalysis of Serpent

A New Improved Key-Scheduling for Khudra

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

A Related Key Attack on the Feistel Type Block Ciphers

Small-Footprint Block Cipher Design -How far can you go?

A Meet-in-the-Middle Attack on 8-Round AES

Slide Attacks. 1 Introduction. Alex Biryukov and David Wagner

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

A Chosen-Plaintext Linear Attack on DES

Cryptography for Resource Constrained Devices: A Survey

An Improved Truncated Differential Cryptanalysis of KLEIN

Linear Cryptanalysis of Reduced Round Serpent

Hybrid Lightweight and Robust Encryption Design for Security in IoT

Two Attacks on Reduced IDEA (Extended Abstract)

Integral Cryptanalysis of the BSPN Block Cipher

Algebraic-Differential Cryptanalysis of DES

Weak Keys. References

Analysis of Involutional Ciphers: Khazad and Anubis

A New Technique for Sub-Key Generation in Block Ciphers

Encription using low cost microcontrollers

Lightweight Crypto Design Principles - Approaches and Limitations

New Results of Related-key Attacks on All Py-Family of Stream Ciphers

Efficient Implementation of Grand Cru with TI C6x+ Processor

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Cryptanalysis of TWIS Block Cipher

PRESENT An Ultra-Lightweight Block Cipher

A Brief Outlook at Block Ciphers

A Meet in the Middle Attack on Reduced Round Kuznyechik

Design and Implementation of New Lightweight Encryption Technique

Analysis of MARS. January 12, 2001

A New Meet-in-the-Middle Attack on the IDEA Block Cipher

Fortification of AES with Dynamic Mix-Column Transformation

AES Variants Secure Against Related-Key Differential and Boomerang Attacks

Update on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium

FeW: A Lightweight Block Cipher

Generalized MitM Attacks on Full TWINE

Elastic Block Ciphers: The Feistel Cipher Case

Recent Meet-in-the-Middle Attacks on Block Ciphers

On the Security of Stream Cipher CryptMT v3

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

On the Applicability of Distinguishing Attacks Against Stream Ciphers

Chapter 6: Contemporary Symmetric Ciphers

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks

Chosen Ciphertext Attack on SSS

A Chosen-key Distinguishing Attack on Phelix

A SIMPLIFIED IDEA ALGORITHM

Biclique Attack of the Full ARIA-256

Cryptanalysis of PRESENT-like Ciphers with Secret S-boxes

Improved Meet-in-the-Middle Attacks on AES-192 and PRINCE

Evaluation of security level of CLEFIA

Few Other Cryptanalytic Techniques

LIGHTWEIGHT CRYPTOGRAPHY: A SURVEY

Key Separation in Twofish

The CS 2 Block Cipher

Improved Impossible Differential Attacks against Round-Reduced LBlock

Some Thoughts on Time-Memory-Data Tradeoffs

The MESH Block Ciphers

New Attacks against Reduced-Round Versions of IDEA

Designing a New Lightweight Image Encryption and Decryption to Strengthen Security

Hill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and Key

Distinguisher and Related-Key Attack on the Full AES-256

A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN

FPGA Implementation of WG Stream Cipher

This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.

The New Approach of AES Key Schedule for Lightweight Block Ciphers

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Algebraic Techniques in Differential Cryptanalysis

The Security of Elastic Block Ciphers Against Key-Recovery Attacks

Efficient FPGA Implementations of PRINT CIPHER

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Fault-propagation Pattern Based DFA on SPN Structure Block Ciphers using Bitwise Permutation, with Application to PRESENT and PRINTcipher

New Cryptanalytic Results on IDEA

New Cryptanalytic Results on IDEA

Secret Key Cryptography

All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

PAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis

COZMO - A New Lightweight Stream Cipher

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

CSC 474/574 Information Systems Security

The Rectangle Attack

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION

Private-Key Encryption

Elastic Block Ciphers: The Feistel Cipher Case

Differential Cryptanalysis

Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON

City, University of London Institutional Repository

BORON: an ultra-lightweight and low power encryption design for pervasive computing

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

I-PRESENT TM : An Involutive Lightweight Block Cipher

Transcription:

The Second International Conference on Emerging Security Information, Systems and Technologies A Related-ey Attack on TREYFER Aleksandar ircanski and Amr M Youssef Computer Security Laboratory Concordia Institute for Information Systems Engineering Concordia University, Montreal, Quebec, Canada, H3G 2W1 Abstract TREYFER is a lightweight cipher designed for resource constrained environments In this paper, we present a related-key attack that directly recovers the secret key of TREYFER using about 2 11 chosen plaintext encryptions Our attack is based on a set of deterministic algebraic relationships between TREYFER ciphertexts corresponding to related plaintexts encrypted under circularly byte shifted versions of the same key The attack complexity is independent of the number of rounds of the cipher 1 Introduction Despite its current implementation advances, the Advanced Encryption Standard (AES) [1] may not always be the optimal choice for applications with tight resource constraints such as radio frequency identification (RFID) tags and tiny sensor networks In fact, with the widespread applications of these resourceconstrained devices, the analysis and design of lightweight encryption algorithms have started to gain a new momentum (eg [2], [3]) TREYFER [4] is a 64 bit block cipher (and also a MAC) proposed by Gideon Yuval, from Microsoft, at FSE 97 According to Gideon Yuval, TREYFER is targeting an environment for which even TEA [5] and SAFER [6] are gross overdesign [4] The simple and compact design of TREYFER makes it an attractive choice for resource constrained environments such as smart cards, RFIDs, and sensor networks For example, TREYFER requires only 29 bytes of executable code on the 8051 micro-controller The best known attack against TREYFER, presented by Alex Biryukov and David Wagner [7], is a slide attack that requires 2 32 known plaintexts, 2 44 time for analysis and 2 32 memory In this paper, we derive a set of deterministic algebraic relationships between the ciphertexts corresponding to related plaintexts encrypted with TREYFER under circularly byte shifted versions of the same key Based on these relationships, we present a chosen related-key attack [8]-[14] that directly recovers the secret key of TREYFER using about 2 11 chosen plaintext encryption operations The attack complexity is independent of the number of rounds of the cipher The rest of the paper is organized as follows In section 2 we briefly review the description of TREYFER The algebraic relationship between ciphertexts corresponding to related plaintexts encrypted under circularly (byte-wise) shifted versions of the secret key is derived in section 3 Using this relationship, our attack is described in section 4 2 Description of TREYFER TREYFER can be seen as an iterative block cipher with the round function shown in Figure 1 where <<< denotes a circular left shift by 1 bit, + denotes addition mod 256 and Si, i = 07, denotes the key addition and s-box lookup operations 978-0-7695-3329-2/08 $2500 2008 IEEE DOI 101109/SECURWARE200851 213

S[(x + i ) mod 256] function All operations are byte-oriented, and there is a single 8 8-bit s-box In [4], the s-box is left undefined; it is suggested that the implementation can simply use whatever data is available in memory In each round, each byte has added to it the s-box value of the sum of a key byte and the previous data byte, then it is rotated left one bit The design attempts to compensate for the simplicity of this round transformation by using a large number of rounds: 32 The pseudo code implementation of TREYFER is as follows: for(r =0;r<NumRounds; r ++){ text[8] = text[0]; for(i =0;i<8; i ++) text[i +1]= (text[i +1]+S[(key[i]+text[i])%256]) <<< 1; text[0] = text[8]; } the same way at each round The following notation will be used throughout the paper f denotes round function mapping of TREYFER (see Figure 1) P = P 0 P 1 P 7 denotes the 8 byte plaintext input = 0 1 7 denotes the 8 byte key C = C 0 C 1 C 7 denotes the 8 byte ciphertext 3 Main Observations In this section, we derive an algebraic relationship between the ciphertexts corresponding to related plaintexts encrypted under circularly (byte-wise) shifted versions of the secret key Lemma 1 Let and P 0P 1 P 7 = f(p 0 P 7, 0 7 ) P 0 P 1 P 7 = f 2 (P 0 P 7, 0 7 ) Then we have f(p 1P 2 P 7 P 0, 1 7 0 )=P 1 P 2 P 7P 0 Proof: Let p i,i = 07 denote i-th byte of f(p 1P 2 P 7 P 0, 1 7 0 ) Then, by TREYFER definition, we have: p 1 =(P 2 + S(P 1, 1 )) <<< 1=P 2 p 2 =(P 3 + S(P 2, 2 )) <<< 1=P 3 Figure 1: Round function of TREYFER, where Si(x) =sbox((x + i ) mod 256) In order to obtain a more compact and faster cipher under the assumed hardware constraints, the designer of TREYFER opted not to have any complex key scheduling In particular, TREYFER simply uses its user supplied key,, byte by byte in exactly p 7 =(P 0 + S(P 7, 7 )) <<< 1=P 0 p 0 =(P 1 + S(P 0, 0 )) <<< 1=P 1 The lemma holds by noting that f(p 1P 2 P 7 P 0, 1 7 0 )=p 0 p 7 This observation can easily be extended to hold for composition of multiple rounds By P C we will denote the TRYEFER encryption of the plaintext P with a key, 214

Lemma 2 Let and Then P 0 P 7 C0 C 7, C 0 C 7 = f(c 0 C 7, 0 7 ) P 1P 2 P 7 P 0 rot(,1) C 1C 2 C 7 C 0 Proof: Follows from previous Lemma and the fact that TREYFER function is equal to f n, n = 32 That way, for each TREYFER pair (P, C), we can derive another similar plaintext-ciphertext pair, encrypted by key circularly shifted to the left by one byte Furthermore, if previous Lemma is applied multiple times, we can get 7 such pairs, as given by the following Theorem Theorem 1 Let rot(, i) denote the left circular shift of by i bytes, then, for any knows or chooses the relationship between keys, ie, g( ), but not the actual key values Based on the relations derived in the above section, we describe a chosen-related-key attack against TREYFER Given the plaintext-ciphertext pair (P, C), P C where = 0 7, the proposed attack proceeds to recover 0 as follows: For( X =0;X<256; X ++){ Encrypt the plaintext XP 2 P 7 P 0 under the key rot(, 1) = 1 7 0 For each ciphertext in the form YC 2 C 7 C 0, determine 0 that satisfies } X = P 1 =(P 1 + S[ 0 + P 0 ]) <<< 1, Y = C 1 =(C 1 + S[ 0 + C 0 ]) <<< 1 P 0 P 7 C0 C 7 (1) The process above finds P we have 1 and C 1, second bytes of f(p 0 P 7, 0 7 ), and f(c 0 C 7, 0 7 ), respectively P 1P rot(,1) 2 P 3 P 4 P 5 P 6 P 7 P 0 C 1C 2 C 3 C 4 C 5 C 6 C 7 C 0 (2) Theoretically it is possible that there may exist an P 2P 3 P 4 P 5 P 6 P 7 P 0 P rot(,2) X P rot() 1 C 2C 3 C 4 C 5 C 6 C 7 C 0 C 1 such that XP 2 P 7 P 0 YC 2 C 7 C 0, 1 (3) leading to false information on 0 However, the probability that this will happen is practically negligible ( 3 10 15 ) P 7P 0 P 1P 2P 3P 4P 5P rot(,7) 6 C 7C 0 C 1C 2C 3C 4C 5C 6 (8) If the s-box is bijective, then only one of the equations above can be used to uniquely determine It should be noted that the above presented property of TREYFER does not depend on any particular 0 = S 1 [(P 1 >>> 1) P 1 ] P 0 In the case of non bijective s-boxes, the above two steps can be repeated choice of the s-box until 0 is uniquely determined 1 to 6 can be sequentially recovered by performing the above steps using related plaintexts and keys, 4 The Attack according to relations (3)-(8) Similarly, the last byte Related-key cryptanalysis assumes that the attacker of the key, 7, can be recovered using relation (1) or learns the encryption of certain plaintexts not only simply by exhaustive search under the original unknown key,, but also under Thus, the attack requires about 8 256 = 2 11 chosen plaintext-ciphertext pairs, each 256 of them are some related keys (eg, = g()) In a chosenrelated-key attack, the attacker specifies how the key encrypted under a key that is circularly bytes shifted is to be changed It should be noted that the attacker version of the original secret key 215

Remark 1 The above attack can be thought of as a slide attack in which the sliding pairs are produced at the s-box level and not at the level of the whole round function 5 Conclusion The simple, and compact design of TREYFER makes it a very attractive cipher for resource constrained devices On the other hand, the key scheduling of the cipher seems to be oversimplified which has yielded to several weaknesses While it might be argued that it is unlikely that an attacker can persuade a human operator to encrypt plaintexts under the 8 related keys, modern cryptography is implemented using complex protocols, and in some cases a related-key attack can be made feasible In these scenarios, our attack can recover the secret keys in few milliseconds It is interesting to investigate if there are other permutations of plaintexts and keys that derive similar ciphertexts It is also interesting to provide further analysis of TREYFER which employs an enhanced key scheduling algorithm (eg, by adding some round dependent constants) References [1] National Institute of Standards and Technology, FIPS-197: Advanced Encryption Standard, November 2001 [2] A Bogdanov, LR nudsen, G Leander, C Paar, A Poschmann, MJB Robshaw, Y Seurin and C Vikkelsoe, PRESENT: An Ultra-Lightweight Block Cipher, CHES 2007, LNCS4727, pp450-466, Springer, 2007 [3] M Wang, Differential Cryptanalysis of PRESENT, In proc of Africacrypt 2008, to appear, Also available at Cryptology eprint Archive: Report 2007/408 [4] G Yuval, Reinventing the Travois: Encryption/MAC in 30 ROM Bytes, Proc of the 4th International Workshop on Fast Software Encryption (FSE 97), pp 205-209, Springer-Verlag, 1997 [5] David J Wheeler and Roger M Needham, TEA, a tiny encryption algorithm, Proc of the 2nd workshop on Fast Software Encryption (FSE 94), pp 363-366, Leuven, Belgium, 1994, Springer-Verlag [6] James L Massey, SAFER -64: A Byte- Oriented Block-Ciphering Algorithm, Proc of the first workshop on Fast Software Encryption (FSE 93), pp 1-17, Springer-Verlag [7] Alex Biryukov and David Wagner, Slide Attacks, Proc, of the 6th International Workshop on Fast Software Encryption (FSE 99), pp 245-259, Rome: Springer-Verlag [8] E Biham, New Types of Cryptanalytic Attacks Using Related eys, Advances in Cryptology, EUROCRYPT 93, Springer-Verlag, 1994, pp 398-409 [9] J elsey, B Schneier and D Wagner, Related-key cryptanalysis of 3-WAY, Biham- DES,CAST, DES-X, NewDES, RC2, and TEA, Proc of Information and Communications Security, LNCS 1334, 1997, pp 233-246 [10] W Zhang, L Zhang, W Wu and D Feng, Related-ey Differential-Linear Attacks on Reduced AES-192, Proc of INDOCRYPT 2007, LNCS 4859, pp 73-85 [11] E Biham, O Dunkelman and N eller, Related- ey Impossible Differential Attacks on 8-Round AES-192, Topics in Cryptolog: CT-RSA 2006, LNCS 3860, 2006, pp 21-33 [12] G Sekar, S Paul and B Preneel, Related-ey Attacks on the Py-Family of Ciphers and an Approach to Repair the Weaknesses, Proc of IN- DOCRYPT 2007, LNCS 4859, 2007, pp 58-72 [13] S Lucks, Ciphers Secure against Related-ey Attacks, Proc of Fast Software Encryption, LNCS 3017, 2004, pp 359-370 216

[14] E Biham, O Dunkelman and N eller, A Related-ey Rectangle Attack on the Full A- SUMI, Proc of ASIACRYPT 2005, LNCS 3788, 2005, pp 443-461 217

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback