a unified approach to related key attacks
play

A Unified Approach to Related-Key Attacks Orr Dunkelman - PowerPoint PPT Presentation

A Unified Approach to Related-Key Attacks Orr Dunkelman Katholieke Universitiet Leuven, Dept. of Electrical Engineering ESAT- SCD/COSIC joint work with Eli Biham and Nathan Keller 1/46 Outline of the Talk Previous Results: Original


  1. A Unified Approach to Related-Key Attacks Orr Dunkelman Katholieke Universitiet Leuven, Dept. of Electrical Engineering ESAT- SCD/COSIC joint work with Eli Biham and Nathan Keller 1/46

  2. Outline of the Talk Previous Results: Original Related-Key Attacks Slide Attacks The ''Newer'' Related-Key Attacks The Unified Approach Attack on 4r-round IDEA Summary 2/46

  3. Related-Key Attacks Presented by Biham [B93] and independently by Knudsen [K93] Useful when the key schedule algorithm is very simple And when the round function is ''weak'' 3/46

  4. Related-Key Attack on modified DES Consider the Data Encryption Standard (DES): Feistel block cipher 64-bit block, 56-bit key 16 rounds Subkeys are permutated subsets of the original supplied key 4/46

  5. Related-Key Attack on modified DES (cont.) Key K Plaintext P PC-1 D C K 1 PC-2 ROL2 ROL2 F D C K 2 PC-2 ROL2 ROL2 F D C K r PC-2 ROL2 ROL2 F D C K 16 PC-2 F Ciphertext C 5/46

  6. Related-Key Attack on modified DES (cont.) Consider two keys such that for the derived subkeys Assume we find two plaintexts such that The corresponding ciphertexts satisfy We call this pair a related-key plaintext pair (RKPP) 6/46

  7. Related-Key Attack on modified DES (cont.) Having two input/output pairs to the round function of DES is sufficient to retrieve the key Even if the number of rounds is increased, the attack still works! 7/46

  8. The Slide Attack [BW99] Sometimes, the need for two keys can be reduced Assume that all subkeys are the same, i.e., Then, the encryption process is 8/46

  9. The Slide Attack (cont.) Assume you find two plaintexts such that Such a pair is called a slid pair, and it satisfies P 2 P 1 C 1 f k f k f k f k f k C 1 P 2 C 2 f k f k f k f k f k 9/46

  10. The Slide Attack (cont.) If is simple enough, then again it can be broken using one slid pair Open questions (applicable to related-key plaintext pairs as well): How to generate slid pairs? How to identify slid pairs? What to do with not so weak functions? 10/46

  11. Generating & Identifying Slid Pairs For a general round function, best approach is birthday paradox: Take 2 n/2 known plaintexts Try all 2 n possible pairs as a candidate slid pair, and apply the attack If the attack succeeds – the right key is found, and the slid pair is identified 11/46

  12. Making the ''Simple'' More Complex In [BW00] some advanced slide techniques were presented Most interesting property observed: If is a slid pair, then so does Hence, finding one slid pair gives many slid pairs ... 12/46

  13. Making the ''Simple'' More Complex (cont.) This allows applying known plaintext attacks on If the attack requires m known plaintexts, then for each plaintext P , ask for its encryptions For each candidate slid pair apply the attack on using the suggested set of slid pairs 13/46

  14. Related-Key Differential Attack [KSW96] Adaptation of the differential cryptanalysis into the related-key model The probability of a regular differential is For a related-key differential the probability is 14/46

  15. Related-Key Differential Attacks The key difference (or relation) is chosen such that the subkey differences are known If the key does not mixes well enough, it is easy to predict all subkey differences These difference can be used to cancel difference that enter nonlinear parts of the cipher 15/46

  16. The Example of TEA TEA (Tiny Encryption Algorithm) is a 64-bit block cipher, with 128-bit key TEA is a Feistel cipher with 64 rounds The figure was taken from wikipedia 16/46

  17. The Example of TEA Consider a plaintext difference and a key difference In each round, the subkey differnece are canceled, and the zero difference between the encryptions remain This happens with probability 1 17/46

  18. Several More Related-Key Attacks Related-Key Square attack [F+00] Related-Key Impossible Differential attack [JD03,BDK06,ZZF06] Related-Key Rectangle attack [K+04,K+05,BDK05] Related-Key linear attacks [BDK06] ... 18/46

  19. The Downside of Related- Key Differential Attacks Related-Key differential attacks (usually) lose their efficiency when the number of rounds is increased: More rounds -> lower probability More rounds -> less chance for the subkey differences to be predicted correctly 19/46

  20. Comparison Between Related-Key Attacks Original Related-Key Related-Key Differential (Type A) (Type B) Independent in Usually dependent in number of rounds number of rounds Assume weak Very useful when the ''rounds'' round is ''strong'' Require a really Require a simple key simple key schedule schedule 20/46

  21. The Unified Approach We suggest using a Type A attack to be independent in number of rounds While using Type B attack on the round function. Result: independent in the number of rounds, even when the round function is very strong! 21/46

  22. 1 st Mission – Finding Many Related-Key Plaintext Pairs Let be RKPP with respect to the keys , i.e., Then, to continue the encryption and obtain another RKPP, we need for which This starts to become complicated ... 22/46

  23. Finding Multiple Related-Key Plaintext Pairs The solution to the problem is to use chains of related-keys. Let be a key that satisfied the previous relation If satisfies Then is a RKPP under 23/46

  24. Finding Multiple Related-Key Plaintext Pairs (cont.) If for some t: we can find another RKPP for the keys Conditions: t should be small, should have cycles that contain the original keys 24/46

  25. Study Case: IDEA IDEA's key schedule is very simple. The 128-bit key is used as the first 8 subkeys Then the key is rotated to the left by 25, and used as the following 8 subkeys Again, and again... 25/46

  26. Study Case: IDEA (cont.) Each round uses six subkeys. Thus, after four rounds, the key is used from the ''correct'' spot, but rotated 75 bits to the left. If IDEA had 8 rounds (and not 8.5), then let be 4-round IDEA, then 26/46

  27. Study Case: IDEA (cont.) Thus, if then We conclude that if is a RKPP, then so does (both with respect to the function ) 27/46

  28. Unifying the Related-Key Framework In case there was a good 4-round attack on IDEA, we could have stopped here. There isn't. But there is a good related-key attack (type B) on 4-round IDEA 28/46

  29. Unifying the Related-Key Framework (cont.) Assume there is a related-key attack of type B on 4-round IDEA Let the key difference be Then it is possible to generate two chains of RKPP – one for and one for 29/46

  30. Unifying the Related-Key Framework (cont.) The main problem is now we have to identify the RKPP twice! Standard approach – try all possible pairs as RKPP Finding it twice (or more) is very time consuming 30/46

  31. IDEA 64-bit block, 128-bit key block cipher Presented by Lai and Massey in 1991 Widely used in many applications 31/46

  32. IDEA (cont.) i i p q i s i i u t 32/46

  33. IDEA (cont.) 33/46

  34. IDEA (cont.) 34/46

  35. A 4-Round Related-Key Truncated Differential of IDEA Key difference: Input difference: Additional condition: First round: prob. ½ Second round: prob. 2 -16 Third round: prob. 1 Fourth round: prob. 1 35/46

  36. The Keys Involved in the Attack The unknown key - The key for obtaining RKPP - The related-key (type B) - Its related key (type A) - 36/46

  37. The Chains of Plaintexts 37/46

  38. Basic Idea Behind the Attack Find one RKPP (=> we found many RKPPs!) Use the differential to find an RKPP (=> again, many RKPPs!) Use the pairs in a related-key differential attack on 4-round IDEA 38/46

  39. Naive Implementation Fix , for any candidate : Check whether is a RKPP Main problem: There are 2 32 (a,b) combinations + Prob. of success is only 2 -17 39/46

  40. Improved Implementation Locate a set of 2 36 plaintext pairs satisfying that the fourth word is 1 Find the list of such that For each store in a hash table 40/46

  41. Improved Implementation (cont.) For each candidate check whether appears in the table (up to the difference) If so, assume that are all RKPP Apply the RK attack on 4-round IDEA with two input/output pairs 41/46

  42. Complexity of the Attack The attack uses 4 chains, each contains the entire code book, encrypted under 64 keys = 2 72 plaintexts (256 keys) Time complexity - 2 100 42/46

  43. So What?!? Our attack can be used when the number of rounds is increased Only changes – the way the chains are generated (sometimes less keys would be used => lower data complexity) If a better 4-round attack on IDEA is found – just plug it into our model 43/46

  44. Summary Unification of the two related-key attacks A way to generate many RKPP A way to use a RK attack of any type (including type B) in a type A RK attack First attack on a widely used cipher which continues to work when number of rounds is increased 44/46

Recommend


More recommend