Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Similar documents
A Methodology for Differential-Linear Cryptanalysis and Its Applications

The Rectangle Attack

New Cryptanalytic Results on IDEA

Differential-Linear Cryptanalysis of Serpent

New Cryptanalytic Results on IDEA

Linear Cryptanalysis of Reduced Round Serpent

Attack on DES. Jing Li

Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher

Attacks on Advanced Encryption Standard: Results and Perspectives

PAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits

Syrvey on block ciphers

Cryptanalysis of Block Ciphers: A Survey

Few Other Cryptanalytic Techniques

New Attacks against Reduced-Round Versions of IDEA

CSC 474/574 Information Systems Security

Differential Cryptanalysis

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers

Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge

CSCE 813 Internet Security Symmetric Cryptography

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

An Improved Truncated Differential Cryptanalysis of KLEIN

Key Separation in Twofish

Chapter 3 Block Ciphers and the Data Encryption Standard

Two Attacks on Reduced IDEA (Extended Abstract)

Preliminary Cryptanalysis of Reduced-Round Serpent

Symmetric Cryptography. Chapter 6

Symmetric key cryptography

Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)

A Brief Outlook at Block Ciphers

Improved Integral Attacks on MISTY1

Narrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Secret Key Algorithms (DES)

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Computer Security 3/23/18

A Practical Related-Key Boomerang Attack for the Full MMB Block Cipher

A Chosen-Plaintext Linear Attack on DES

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Related-key Attacks on Triple-DES and DESX Variants

Fundamentals of Cryptography

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Improved Integral Attacks on MISTY1

Complementing Feistel Ciphers

RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT

Some Aspects of Block Ciphers

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

7. Symmetric encryption. symmetric cryptography 1

Cryptanalysis. Andreas Klappenecker Texas A&M University

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Improved Truncated Differential Attacks on SAFER

Key Recovery Attacks of Practical Complexity on AES-256 Variants With Up To 10 Rounds

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

1-7 Attacks on Cryptosystems

New Attacks on Feistel Structures with Improved Memory Complexities

Block Ciphers Introduction

Computer Security CS 526

A Chosen-key Distinguishing Attack on Phelix

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

A Related-Key Attack on TREYFER

A SIMPLIFIED IDEA ALGORITHM

Elastic Block Ciphers: The Feistel Cipher Case

On the Security of the 128-Bit Block Cipher DEAL

Some Thoughts on Time-Memory-Data Tradeoffs

Content of this part

A Meet-in-the-Middle Attack on 8-Round AES

Biclique Cryptanalysis of the Full AES

Symmetric Encryption Algorithms

Encryption Details COMP620

Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)

c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)

EEC-484/584 Computer Networks

Wenling Wu, Lei Zhang

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

Data Encryption Standard

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

Report on Present State of CIPHERUNICORN-E Cipher Evaluation (full evaluation)

Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities

The MESH Block Ciphers

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

P2_L6 Symmetric Encryption Page 1

External Encodings Do not Prevent Transient Fault Analysis

Differential Cryptanalysis of Madryga

Secret Key Cryptography

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others

A New Technique for Sub-Key Generation in Block Ciphers

Plaintext (P) + F. Ciphertext (T)

The signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard

Lecture 4: Symmetric Key Encryption

Data Encryption Standard

Elastic Block Ciphers: The Feistel Cipher Case

Does Lightweight Cryptography Imply Slightsecurity?

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Cryptography and Network Security. Sixth Edition by William Stallings

Evaluation of security level of CLEFIA

An Overview of Cryptanalysis Research for the Advanced Encryption Standard

Transcription:

3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way, Singapore 138632 jlu@i2r.a-star.edu.sg, lvjiqiang@hotmail.com Joint work with Wun-She Yap and Yongzhuang Wei. 28 March 212

3. 2 13.57 Weak eys for a Related-ey Differential Attack Outline: 1 Block Cipher Cryptanalysis 2 The MISTY1 Block Cipher 3 2 13.57 Weak eys for a Related-ey Differential Attack 4 2 92 Weak eys for a Related-ey Amplified Boomerang Attack 5 Conclusions

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An important primitive in symmetric-key cryptography. * Main purpose: provide confidentiality A most fundamental security goal. An algorithm that transforms a fixed-length data block into another data block of the same length under a secret user key. * Input: plaintext. * Output: ciphertext. * Three sub-algorithms: encryption, decryption, key schedule. Constructed by repeating a simple function many times, known as the iterated method. * An iteration: a round. * The repeated function: the round function. * The key used in a round: a round subkey. * The number of iterations: the number of rounds. * The round subkeys are generated from the user key under a key schedule algorithm.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.2 A Cryptanalytic Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An algorithm that distinguishes a cryptosystem from a random function. Usually measured using the following three metrics: * Data complexity The numbers of plaintexts and/or ciphertexts required. * Memory (storage) complexity The amount of memory required. * Time (computational) complexity The amount of computation or time required, how many encryptions/decryptions or memory accesses. Goals: * Break a cryptosystem (ideally, in a practical complexity). * Enable more secure cryptosystems to be designed.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.3 Four Cryptanalysis Scenarios 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Ciphertext-only attack scenario * Have access to a number of ciphertexts. nown-plaintext attack scenario * Have access to a number of ciphertexts and the corresponding plaintexts. Chosen-plaintext/cipertext attack scenario * Can choose a number of plaintexts (or ciphertexts), and be given the corresponding ciphertexts (or plaintexts). Adaptive chosen plaintext and ciphertext attack scenario * Can choose plaintexts (or ciphertexts) and be given the corresponding ciphertexts (or plaintexts). Based on the information obtained, the attacker can then choose further plaintexts/ciphertexts, and be given the corresponding ciphertexts/plaintexts...

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques 1.4 Three Elementary Cryptanalysis Techniques Assume an n-bit block cipher with a k-bit user key E ( ). A dictionary attack * Build a table of all possible ciphertexts corresponding to one particular plaintext, with one entry for each possible key: C i = E i (P). * Data: 2 k ciphertexts, Memory: 2 k n-bit, Time: negligible. A codebook attack: * Build a table of the ciphertexts for all the plaintexts encrypted using one unknown key: C i = E (P i ). * Data: 2 n plaintext-ciphertext pairs, Memory: 2 n n-bit, Time: negligible. An exhaustive key search (or brute force search) attack: * Try every possible key, given a known plaintext-ciphertext pair. The correct key will yield the correct correspondence: E i (P)? C. * Data: negligible, Memory: negligible, Time: 2 k encryptions.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.5 Advanced Cryptanalysis Techniques 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An attack is commonly regarded as effective if it is faster than an exhaustive key search. A trade-off between data, time and/or memory. Meet-in-the-middle attack * Reflection-meet-in-the-middle attack, Higher-order meet-in-the-middle attack Differential cryptanalysis * Truncated differential, Higher-order differential, Impossible differential * Boomerang, Amplified boomerang, Rectangle attacks, Impossible boomerang Linear cryptanalysis Differential-linear cryptanalysis Integral cryptanalysis * Square attack, Saturation attack Slide attack, Reflection attack Related-key attack Algebraic cryptanalysis

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.5.1 Differential Cryptanalysis Introduced in 199 by Biham and Shamir. 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Work in a chosen-plaintext/ciphertext attack scenario. Take advantage of how a specific difference in a pair of plaintexts can affect a difference in the pair of ciphertexts (under the same key). A differential is the combination of the input difference and the output difference. The probability of the differential (α, β) for an n-bit block cipher E, written α β, is Pr E ( α β) = Pr P {,1} n(e(p) E(P α) = β). For a random function, the expected probability of any differential is 2 n. If Pr E ( α β) > 2 n, we can use the differential to distinguish E from a random function.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques 1.5.2 Related-ey (Differential) Cryptanalysis Independently introduced by nudsen in 1992 and Biham in 1993. Different from differential cryptanalysis: The pair of ciphertexts are obtained by encrypting the pair of plaintexts using two different keys with a particular relationship, e.g. certain difference. Probability of a related-key differential: Pr E,E ( α β) = Pr P {,1} n(e (P) E (P α) = β). For a random function, the expected probability of any related-key differential is 2 n. If Pr E,E ( α β) > 2 n, we can use the related-key differential to distinguish E from a random function.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.5.3 Amplified Boomerang Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Introduced in 2 by elsey, ohno and Schneier (as a variant of the boomerang attack). Work in a chosen-plaintext/ciphertext attack scenario. Based on an amplified boomerang distinguisher: * Treat a block cipher E as a cascade of two sub-ciphers E = E E 1. * Defined to be a pair of differentials ( α β, γ δ): α β for E with probability p; γ δ for E 1 with probability q. * Concerned event: E(P) E(P ) = δ and E(P α) E(P α) = δ * Probability: p 2 q 2 2 n approximately (under assumptions). For a random function, the expected probability of any amplified boomerang distinguisher is 2 2n. If p 2 q 2 > 2 n, we can use the distinguisher to distinguish between E and a random function.

3. 2 13.57 Weak eys for a Related-ey Differential Attack An Amplified Boomerang Distinguisher 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques P α P P α P E E E E β γ γ β E 1 E 1 E 1 E 1 C C δ δ C C concerned

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques 1.5.4 Related-ey Amplified Boomerang Attack A combination of the amplified boomerang attack and related-key cryptanalysis. Based on a related-key amplified boomerang distinguisher. * Treat a block cipher E as E = E E 1. * Work typically in a related-key attack scenario with four related keys A, B, C, D : A B = C D ; A C = B D. * Consist of four related-key differentials. * Concerned event: E A (P) E C (P ) = δ and E B (P α) E D (P α) = δ. * Probability: p 2 q 2 2 n approximately (under assumptions). For a random function, the expected probability of any related-key amplified boomerang distinguisher is 2 2n. If p 2 q 2 > 2 n, we can use the distinguisher to distinguish between E and a random function.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques A Related-ey Amplified Boomerang Distinguisher P α P P α P E B E D E A E C β γ γ β E 1 B E 1 D E 1 A E 1 C C C δ δ C C concerned

3. 2 13.57 Weak eys for a Related-ey Differential Attack 2.1 Introduction 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security Designed by Mitsubishi (Matsui et al.), published in 1995. A 64-bit block cipher, a user key of 128 bits, and a recommended number of 8 rounds, with a total of 1 key-dependent logical functions FL: * two FL functions at the beginning; * two FL functions inserted after every two rounds. A Japanese CRYPTREC-recommended e-government cipher, an European NESSIE selected cipher, an ISO international standard. Widely used in Mitsubishi products as well as in Japanese military.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 2.2 Structure 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security I ij2 FL 1 FL 2 L i1 L i2 Extnd Trunc Extnd S 9 S 7 S 9 FO 1 FO 2 (a) : FL i I ij1 (b) : FI ij FL 3 FL 4 FO 3. FL 9 FL 1 O i1 O i2 O i3 O i4 FI i1 FI i2 FI i3 (c) : FO i (d) : MISTY1

3. 2 13.57 Weak eys for a Related-ey Differential Attack 2.3 ey Schedule 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security 1. Represent a user key as eight 16-bit words = ( 1, 2,, 8 ). 2. Generate a different set of eight 16-bit words 1, 2,, 8 by 3. Subkeys: i = FI( i, i+1 ), for i = 1, 2,, 8. O i1 = i, O i2 = i+2, O i3 = i+7, O i4 = i+4 ; I i1 = i+5, I i2 = i+1, I i3 = i+3; L i = i+1 i+1 +6, for i = 1, 3, 5, 7, 9; otherwise, L i = i +2 i +4. 2 2 2 2

3. 2 13.57 Weak eys for a Related-ey Differential Attack 2.4 Security 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security Has been extensively analysed against a variety of cryptanalytic methods. No whatever cryptanalytic attack on the full version.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys Dai and Chen s related-key differential attack on 8-round MISTY1 with only the last 8 FL functions (INSCRYPT 211). A class of 2 15 weak keys. * A weak key is a user key under which a cipher is more vulnerable to be attacked. A 7-round related-key differential characteristic with probability 2 6. Attacking the 8-round reduced version under weak keys. * Attack procedure is straightforward, by conducting a key recovery on FO 1 in a way similar to the early abort technique for impossible differential cryptanalysis. * Data complexity: 2 63 chosen ciphertexts. * Memory complexity: 2 35 bytes. * Time complexity: 2 86.6 encryptions.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.1.1 A Class of 2 15 Weak eys Three binary constants: * 7-bit a = 1; * 16-bit b = 11; * 16-bit c = 1. Let A, B be two 128-bit user keys: 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8). Let A, B be the corresponding 128-bit words generated by the key schedule: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ). The class of weak keys is defined to be the set of all possible ( A, B ) satisfying the following 1 conditions: 6 6 = c, 5 5 = b, 6 6 = c, 6,12 =, 7,3 = 1, 7,12 =, 8,3 = 1, 4,3 = 1, 4,12 = 1, 7,3 =. The number: 1 = 2 16, 2 = 2 16, 3 = 2 16, ( 4, 5) = 2 3, ( 6, 7, 8) = 2 27. Therefore, a total of 2 15 weak keys.

2 3 1 b 3 4 5 c S 9 S7 S 9 I 311 S 9 S7 6 = c I 312 I 412 S 9 I 411 I 512 S 9 S7 S 9 I 511 I 612 S 9 S7 S 9 I 611 5 6 = c 7 8 S 9 S7 I 322 S 9 I 321 I 422 = ( 2 a) S 9 S7 S 9 2 a I 421 = a S 9 S7 S 9 S7 I 522 = S 9 I 521 = a I 622 S 9 I 621 b 2 3 4 5 S 9 S7 I 332 = S 9 S7 S 9 I 331 = a S 9 S7 S 9 S7 I 432 S 9 I 431 I 632 I 631 I 532 I 531 S 9 S 9 4 8,3 = 1 5 2 7 8 c P r = 2 S 9 S7 S 9 S7 S 9 S7 I 212 S 9 I 211 I 712 S 9 I 711 c 4 1 S 9 S7 S 9 S7 I 222 S 9 I 221 I 722 S 9 I 721 c c 1 I 232 = ( 2 a) S 9 S7 S 9 2 a I 231 = a 7 8 1 2 6 = c I 732 3 S 9 S7 S 9 I 731 4,3 = 1, 4,12 = 1, 6,12 = P r = 2 8 R 4,3 = 1, R 4,12 = 1, 7,3 = 1, 7,12 = 6 = c P r = 2 16 c P r = 2 8 I 812 = ( 2 a) S 9 I 811 = a 2 S 9 S7 I 822 S 9 I 821 7 S 9 S7 I 832 S 9 I 831 c 6 = c b 4 7,3 = 5 = b 7 b b 6 = c c 8 1 1. Block Cipher Cryptanalysis 3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys 3.1.2 A 7-Round Related-ey Differential Characteristic b 16 16 c 16 P r = 2 8 Round 2 8 4 16 b P r = 2 1 Round 3 Round 4 P r = 2 2 9 a b Round 5 Round 6 c 16 2 c c P r = 2 1 Round 7 Round 8 c 16 3 7 c 16

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.2 A Corrected Class of Weak eys 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys Focus on the 7-round related-key differential characteristic. P r = 2 16 c P r = 2 8 c Round 2 2 I 212 b S 9 S7 S 9 I 211 c 4 I 222 S 9 S7 S 9 I 221 c I 232 = ( 2 1 a) S 9 S7 S 9 2 a I 231 = a 6 = c Not all the 2 15 possible 7 (i.e. I 21 ) defined by the weak key class make Pr FI21 ( b c) >! The number of 7 defined by the weak key class is 2 15, the number of 7 satisfying Pr FI21 ( b c) > is about 2 14.57. The number of 7 defined by the weak key class & satisfying Pr FI21 ( b c) > is about 2 13.57. Pr FI21 ( b c) = 2 15 /2 14 /2 13.42.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys P r = 2 16 c Round 7 I 7 712 S 9 S7 S 9 I 1 722 S 9 S7 S 9 6 = c I 732 3 S 9 S7 S 9 I 711 I 721 I 731 Not all the 2 16 possible 2 (i.e. I 73 ) defined by the weak key class make Pr FI73 ( c c) >! The number of 2 defined by the weak key class is 2 16, the number of 2 satisfying Pr FI21 ( b c) > is 2 15. The number of 2 defined by the weak key class & satisfying Pr FI73 ( c c) > is 2 15. Pr FI73 ( c c) = 2 15.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys As a result, A class of 2 12.57 weak keys: 1 = 2 16, ( 2, 3 ) = 2 31, ( 4, 5 ) = 2 3, ( 6, 7, 8 ) 2 25.57 * 3 = 2 16, 5 = 2 16. * 7 = 213.57 ; 7, 212 ( 6, 8). * 2,8 16 = 28, 3 = 216, 4,8 16 = 28. A 7-round related-key differential with probability 2 58. * (b 32 c) ( 32 c 16 ).

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.3.1 Precomputation 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys Hash table T 1 : (x, x η): The left halves of a plaintext pair 32 bits {}}{ Only three possible input differences η =?? X: output difference of FI 12 Store satisfying ( 1, 3, 2,8 16) into Table T 1 indexed by (x, η, X) (x, x η) 1 7 3 5 16 c c 9 a Round 1 I 112 = 1 S 9 S7 S 9 I 111 = a b I 122 / 3 2,8 16 S 9 S7 S 9 I 121 X I 8 132 S 9 S7 S 9 I 131 Y 5 b 16 16 c Memory complexity: 2 75.91 bytes; Time complexity: 2 73.59 FI computations. For every (x, η, X), there are 2 23 satisfying ( 1, 3, 2,8 16) on average.

3. 2 13.57 Weak eys for a Related-ey Differential Attack Hash table T 2 : 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys Y : output difference of FI 13 Store satisfying ( 6, 7, 8 ) into Table T 2 indexed by (x, η, Y, 1, 4,8 16) (x, x η) 1 7 3 5 16 c c 9 a X ( 9 a) Round 1 I 112 / 6,8 16 = 1 3 I 122 S 9 S7 b S 9 S 9 S7 S 9 I 111 / 6,1 7 = a I 121 X I 132 / 8 4,8 16 S 9 S7 S 9 I 131 Y 5 b 16 16 c Memory complexity: 2 84.74 bytes; Time complexity: 2 84.16 FI computations. For every (x, η, Y, 1, 4,8 16), there are 2 9.57 satisfying ( 6, 7, 8 ) on average.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.3.2 Attack Outline 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys η? FL 1 1 7 16 c Output difference of FL 2 : (X c) (X Y ( 9 a)) 3 5 FL 2 Round 1 c 9 a X ( 9 a) I 112 = 1 I 122 I FI 11 3 FI 12 8 FI 132 13 S 9 S7 b S 9 S 9 S7 S 9 S 9 S7 S 9 I 111 = a I 121 X I 131 Y X Y ( 9 a) 5 X ( 9 a) b 16 Step 1: Choose 2 6 ciphertext pairs with difference ( 32 c 16 ). Step 2: eep plaintext pairs with difference (η?) Step 3: Focus on FL 2. Guess ( 3, 5 ), compute X, Y. Step 4: Focus on FL 1 and FI 12. Obtain satisfying ( 1, 3, 2,8 16) from Table T 1. Step 5: Retrieve 4 from 3 = FI( 3, 4 ), compute 4 = FI( 4, 5 ). Step 6: Focus on FL 1, FI 11 and FI 13. Obtain satisfying ( 6, 7, 8 ) from Table T 2. Step 7: Increase 1 to counters for ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ). Step 8: For a subkey guess whose counter number is larger than or equal to 3, exhaustively search the remaining 7 key bits. 16 c

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.3.3 Attack Complexity 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys Data complexity: 2 61 chosen ciphertexts. Memory complexity: 2 99.2 bytes. Time complexity: 2 87.94 encryptions. Success probability: 76%.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 3.4 Another Class of 2 12.57 Weak eys Focus on the 7-round related-key differential characteristic: 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of 2 12.57 Weak eys b 16 16 c P r = 2 16 c P r = 2 8 c Round 2 I 2 212 b S 9 S7 S 9 c I 4 222 S 9 S7 S 9 c I 232 = ( 2 1 a) S 9 S7 S 9 6 = c I 211 I 221 2 a I 231 = a. c 16 P r = 2 8 Round 8 I 812 = ( 2 a) 8 c S 9 S7 S 9 I 2 822 S 9 S7 S 9 I 7 832 S 9 S7 S 9 4 I 811 = a I 821 I 831 FL9 5 3 Consider the other possible value of 7,3, further classified by 1,3: 7,3 = 1, 1,3 = 1, = c c 7,3 = 1, 1,3 =, = 16 c FL1 7 7,3 = 1 c 16 13.57

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Chen and Dai s related-key amplified boomerang attack on 8-round MISTY1 with only the first 8 FL functions (CHINACRYPT 211). A class of 2 9 weak keys. A 7-round related-key amplified boomerang distinguisher with probability 2 118. Attacking the 8-round reduced version under weak keys. * Attack procedure is straightforward, by conducting a key recovery on FO 8 in a way similar to the early abort technique. * Data complexity: 2 63 chosen plaintexts. * Memory complexity: 2 65 bytes. * Time complexity: 2 7 encryptions.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.1.1 A Class of 2 9 Weak eys 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Let A, B, C, D be four 128-bit user keys: A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8), C = ( 1, 2, 3, 4, 5, 6, 7, 8), D = ( 1, 2, 3, 4, 5, 6, 7, 8). Let A, B, C, D be the corresponding 128-bit words generated by the key schedule: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ), C = ( 1, 2, 3, 4, 5, 6, 7, 8 ), D = ( 1, 2, 3, 4, 5, 6, 7, 8 ). The class of weak keys is defined to be the set of all possible ( A, B, C, D ) satisfying the following 12 conditions: 2 2 = c, 6 6 = c, 1 1 = b, 5 5 = b, 2 2 = c, 6 6 = c, 5,3 = 1, 5,12 =, 4,3 =, 7,3 = 1, 7,12 =, 8,3 =. The number: 1 = 2 16, ( 2, 3) = 2 16, ( 4, 5) = 2 29, ( 6, 7) = 2 14, 8 = 2 15. Therefore, a total of 2 9 weak keys.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys 4.1.2 A 7-Round Related-ey Amp. Boo. Distinguisher A 7-round related-key amplified boomerang distinguisher with probability p 2 q 2 2 n = 1 2 (2 27 ) 2 2 64 = 2 118 under weak keys. * E : Rounds 1 2, including FL 4 but excluding FL 3. * E 1: Rounds 3 7, including FL 3 (but excluding FL 4). * Related-key differential α β for E : ( 48 b) ( 32 c 16 ) with probability 1. * Related-key differential γ δ for E 1: ( 48 b) with probability 2 27.

1 c 2 = 8 1 3 4 3 1 = 5 2 = c c S 9 S7 S 9 I 311 S 9 S7 6 = c I 312 I 412 = S 9 I 411 = I 512 = S 9 S7 S 9 I 511 = I 612 S 9 S7 S 9 I 611 5 6 = c 7 8 S 9 S7 I 322 S 9 I 321 I 422 = ( 2 a) S 9 S7 S 9 2 a I 421 = a S 9 S7 S 9 S7 I 522 = S 9 I 521 = a I 622 S 9 I 621 b 2 = 3 4 5 S 9 S7 S 9 I 331 = a S 9 S7 S 9 S7 S 9 S7 I 332 = I 432 S 9 I 431 I 532 I 531 S 9 I 632 = S 9 I 631 = 4 8,3 = 2 = 7 S 9 S7 S 9 S7 S 9 S7 I 112 = S 9 I 111 = I 212 S 9 I 211 I 712 S 9 I 711 3 4 1 S 9 S7 S 9 S7 S 9 S7 I 122 = S 9 I 121 = a I 222 S 9 I 221 I 722 S 9 I 721 b 8 1 S 9 S7 S 9 S7 I 132 S 9 I 131 I 232 = S 9 I 231 = 5,3 = 1, 5,12 = 7 8 1 2 = 6 = c I 732 = 3 S 9 S7 S 9 I 731 = 5 4,3 = P r = 2 8 R 4,3 = 1, R 4,12 = 1, 7,3 = 1, 7,12 = 6 = P r = 2 16 c b b 5 4 6 = b 5 = b 7 b b 6 = c c 8 P r = 2 2 P r = 2 1 1. Block Cipher Cryptanalysis 3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys The Two Related-ey Differentials Used 16 b 7 3 9 a b Round 1 Round 2 c 16 c 16 (a): The related-key differential for Rounds 1 2 16 b Round 3 Round 4 Round 5 9 a b Round 6 c 16 16 c Round 7 (b): The related-key differential for Rounds 3 7

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.2 An Improved 7-Round Distinguisher Focus on the second related-key differential: 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys P r = 2 16 c Round 7 I 7 712 S 9 S7 S 9 I 1 722 S 9 S7 S 9 6 = c I 732 = 3 S 9 S7 S 9 I 711 I 721 I 731 = Surprisingly, all the possible ( 2, 2 ) (i.e. I 73 ) defined by the weak key class make Pr FI73 ( c c) >! Pr FI73 ( c c) = 2 15. Thus, a 7-round related-key amplified boomerang distinguisher with probability 2 116.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.3.1 Precomputation 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Hash table T 1 : x {, 1} 32 : Input of FO 8 without 8. X: The right 9 bits of the output difference of FL 81 Y : Output difference of FL 83 Store satisfying x into Table T 1 indexed by ( 3, 5, 7, X, Y ). Round 8 a X a X Y (a X) 8 5 = b 1 = 2 = 7 3 4 FI 81 FI 82 FI 83 a X Y a X 5 3? I 812 = ( 2 a) S 9 S7 S 9 a I 811 = a Memory complexity: 2 79 bytes; Time complexity: 2 71 FI computations. For every ( 3, 5, 7, X, Y ), there are 2 8 satisfying x on average. a X 7 1

3. 2 13.57 Weak eys for a Related-ey Differential Attack Hash table T 2 : 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys x {, 1} 32 : Input of FL 1 1. λ: Output of FL 1 1 after being xored with ( 8 16 ). Store ( 1, 8 ) into Table T 2 indexed first by 7 and then by (x, λ). Round 8 8 5 = b 1 = 2 = 7 3 FI 81 FI 82 FI 83 4 5 3 7 1 FL 1? Memory complexity: 2 78 bytes; Time complexity: 2 76 FL computations. Set a binary marker, up and down, to the set of 2 32 (x, λ) under each ( 7, 1, 8 ).

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.3.2 Attack Outline 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys a X a X Y (a X) 8 5 = b 1 = 2 = 7 3 FI 81 FI 82 FI 83 a X Y 4 a X a X Y (a X) 5 3 7 1 FL 9 FL 1? Step 1: Choose two sets of 2 58.5 plaintext pairs with difference ( 48 b). Step 2: eep the quartets such that each ciphertext pair has difference (? ). Step 3: Focus on FL 9. Guess 3, keep the quartets such that each pair has 7-bit difference a. Step 4: Focus on FL 9. Guess 5, compute (X, Y ) and (X, Y ). Step 5: Guess 7, get the two possible values for 6, and compute 5. Step 6: Focus on FI 81 and FI 83. Obtain possible inputs to FO 8 excluding XOR with 8 from Table T 1. Step 7: Focus on FL 1. Obtain ( 1, 8) from Table T 2. Step 8: For a subkey guess whose counter is non-zero, exhaustively search the remaining key bits.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.3.3 Attack Complexity 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Data complexity: 2 6.5 chosen plaintexts. Memory complexity: 2 8.7 bytes. * On-line: 2 78.23 ; * Off-line: 2 79.58. Time complexity: 2 8.18 encryptions. Success probability: 86%.

3. 2 13.57 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys 4.4 Three Other Classes of 2 9 Weak eys Focus on the first related-key differential: Consider the three other possible combinations of (5,3, 5,12), further classified by ( 3,3, 3,12) FL1 Round 1 16 b 1 3 7 5,3 = 1, 5,12 = 5 b I 112 = 1 I 122 = 3 I 8 132 5 S b 9 S7 S b 9 S 9 S7 S 9 S 9 S7 S 9 I 111 = I 121 = a I 131 FL2 9 a b Round 2 c 16 I 2 = c 212 c S 9 S7 S 9 I 4 222 S 9 S7 S 9 1 I 232 = S 9 S7 S 9 6 = I 211 I 221 I 231 = 4 4,3 = 6 = c 16 Thus, a total of 2 92 weak keys.

3. 2 13.57 Weak eys for a Related-ey Differential Attack Have presented related-key differential and amplified boomerang attacks on the full MISTY1 algorithm under certain weak key assumptions. * Have described 2 13.57 weak keys for a related-key differential attack on the full MISTY1. * Have described 2 92 weak keys for a related-key amplified boomerang attack on the full MISTY1. * Quite theoretical, for the attacks work under the assumptions of weak-key and related-key scenarios and their complexities are very high. The MISTY1 cipher does not behave like a random function (in the related-key model), and cannot be regarded to be an ideal cipher.

3. 2 13.57 Weak eys for a Related-ey Differential Attack Summary of Main Cryptanalytic Results #Rounds FL #eys Attack Type Data Time Year 6 (1 6) yes 2 128 Impossible differential 2 51 CP 2 123.4 Enc. 28 6 (1 6) yes 2 128 Higher-order differential 2 53.7 CP 2 64.4 Enc. 28 6 (3 8) yes 2 128 Integral 2 32 CC 2 126.1 Enc. 29 7 (1 7) yes 2 128 Higher-order differential 2 54.1 CP 2 12.7 Enc. 28 7 (2 8) yes 2 73 Related-key amplified boomerang 2 54 CP 2 55.3 Enc. 28 8 (1 8) yes 2 9 Related-key amplified boomerang 2 63 CP 2 7 Enc. 211 8 (1 8) yes 2 15 Related-key differential 2 63 CC 2 86.6 Enc. 211 full yes 2 13.57 Related-key differential 2 61 CC 2 87.94 Enc. 212 2 92 Related-key amplified boomerang 2 6.5 CP 2 8.18 Enc. 212 CP: Chosen Plaintexts, CC: Chosen Ciphertexts, Enc.: Encryptions, : Exclude the first/last layer of two FL functions, : There is a flaw.

3. 2 13.57 Weak eys for a Related-ey Differential Attack Thank you! Questions or Comments?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback