Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang - PowerPoint PPT Presentation

Cryptanalysis of Round-Reduced LED Ivica Nikolić, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1

Outline • Backgrounds  Specification  Previous Analysis • Slidex Attack Application • Multicollision Application • Distinguishers  Differential Property  Random-difference Distinguisher • Conclusion 2

Outline • Backgrounds  Specification  Previous Analysis • Slidex Attack Application • Multicollision Application • Distinguishers  Differential Property  Random-difference Distinguisher • Conclusion 3

LED • Designed by Guo et al. at CHES 2011 • L ight E ncryption D evice  64-bit block  64- or 128-bit key (primarily) • Conservative security, e.g. concerning  Related-key attack  Distinguishers in hash function setting 4

Specification (1/2) • Extremely simple key schedule  Denote the secret key as K  LED-64: K as each round key  LED-128: K=K 0 ||K 1 , then K 0 and K 1 as round keys alternatively K 0 K 1 K t … P C F 0 F 1 F t 5

Specification (2/2) • LED-64: 8 steps; LED-128: 12 steps • Step functions  AES like  4 rounds and each round as below  Differ in round constants. 6

Timeline of Previous Analysis • Guo et al. at CHES 2011  Distinguishers on 3.75/6.75-step LED-64/-128  Super-Sbox cryptanalysis • Isobe and Shibutani at ACISP 2012  Key recovery on 2/4-step LED-64/-128  Meet-in-the-middle cryptanalysis • Mendel et al. at ASIACRYPT 2012  Key recovery on 4-step LED-128  Related-key key recovery on 4/6-step LED-64/-128  Guess-then-recover, local collision, characteristics and differentials of step functions 7

Security State of LED • The number of attacked steps Key Recovery Distinguisher Single-key Related-key LED-64 2 4 3.75 (8 steps) LED-128 4 6 6.75 (12 steps) 8

Outline • Backgrounds  Specification  Previous Analysis • Slidex Attack Application • Multicollision Application • Distinguishers  Differential Property  Random-difference Distinguisher • Conclusion 9

Security State of LED • The number of attacked steps Key Recovery Distinguisher Single-key Related-key LED-64 2 4 3.75 (8 steps) LED-128 4 6 6.75 (12 steps) 10

Slidex Attack • Dunkelman et al. at EUROCRYPT 2012 • Known -plaintext attack • Wok for any public permutation E • Time*Data=2 n  K is n bits long K K P E C 11

Application to 4-Step LED-128 • Guess K 0 K 0 K 0 F 0 F 3 P P' C C' • Recover K 1 E K 1 K 1 K 0 F 1 F 2 C' P' 12

Comparison • Model  Ours: known -plaintext  Previous: chosen -plaintext • Complexity Data Time 2 16 2 112 IS12 2 64 2 96 MRT+12 2 32 2 96 Ours 13

Outline • Backgrounds  Specification  Previous Analysis • Slidex Attack Application • Multicollision Application • Distinguishers  Differential Property  Random-difference Distinguisher • Conclusion 14

A 2-Step Even-Mansour • K is n bits long • E 0 and E 1 are public permutations K K K E 0 E 1 P C 15

A 2-Step Even-Mansour • K is n bits long • E 0 and E 1 are public permutations Can we recover K with a complexity less than 2 n ? K K K E 0 E 1 P C 16

An Observation (1/7) • K = P X • K = E 0 (X) E 1 -1 (Y) • K = Y C K K K E 0 E 1 Y X P C 17

An Observation (2/7) • K = P X • K = E 0 (X) E 1 -1 (Y) • K = Y C We recover X for some P, which gives us K immediately. K K K E 0 E 1 Y X P C 18

An Observation (3/7) • K = P X • K = E 0 (X) E 1 -1 (Y) • K = Y C P = -1 (P C X) E 0 (X) E 1 X 19

An Observation (4/7) • K = P X • K = E 0 (X) E 1 -1 (Y) • K = Y C P = -1 ( P C X) E 0 (X) E 1 X 20

An Observation (5/7) • For a t-multicollision on P C, namely = … = = const P 1 C 1 P t C t we get P i = -1 (const X i ) E 0 (X i ) E 1 X i 21

An Observation (6/7) • For a t-multicollision on P C, namely = … = = const P 1 C 1 P t C t we get P i = -1 (const X i ) E 0 (X i ) E 1 X i denoted as P i = G(X i ) 22

An Observation (7/7) • For a t-multicollision on P C, namely = … = = const P 1 C 1 P t C t we recover a X i with a complexity 2 n /t  try 2 n /t random values as X, and match G(X) to {P 1 , P 2 , …, P t }. 23

Application to 6-Step LED-128 • Guess K 0 K 0 K 0 F 0 F 5 C' P P' C • Recover K 1 E 0 E 1 K 1 K 1 K 1 K 0 K 0 F 1 F 2 F 3 F 4 P' C' 24

Outline • Backgrounds  Specification  Previous Analysis • Slidex Attack Application • Multicollision Application • Distinguishers  Differential Property  Random-difference Distinguisher • Conclusion 25

Differential vs Characteristic • Differential ∆ in ∆ out ? ? ? ? • Characteristic ∆ in ∆ out ∆ 1 ∆ 2 ∆ 3 ∆ 4  The characteristic probability on an active step function is upper bounded by 2 -50 . 26

Differential on 2-step LED-64 • For a differential �∆ 1 , ∆ 2 ) → ∆ 3  what is the complexity of finding a solution (P, K)? ∆ 2 ∆ 2 ∆ 2 ∆ 3 ∆ 1 F 0 F 1 27

Differential on 2-step LED-64 • Meet-in-the-middle approach  One solution with a birthday complexity • Differential multicollision distinguisher ∆ 2 ∆ 2 ∆ 2 ∆ 3 ∆ 1 F 0 F 1 28

Extend to 4-Step LED-64 • Chosen differentials �∆, ∆� → ∆  Complexity of birthday bound to find a solution (P, K). ∆ ∆ ∆ ∆ ∆ ∆ ∆ F 0 F 1 F 2 F 3 prob=1 prob=1 29

Application to 8-Step LED-128 • Set a random value to K 1 and ∆K 1 =0 K 1 G i F 2*i F 2*i+1 • Set ∆P=∆K 0 =∆, and find a solution �P, K 0 ) ∆ ∆ ∆ ∆ ∆ ∆ ∆ G 0 G 1 G 2 G 3 30

Application to 8-Step LED-128 • Set a random value to K 1 and ∆K 1 =0 K 1 Exploit the freedom of both K 0 and K 1 G i F 2*i F 2*i+1 • Set ∆P=∆K 0 =∆, and find a solution �P, K 0 ) ∆ ∆ ∆ ∆ ∆ ∆ ∆ G 0 G 1 G 2 G 3 31

Random-Difference Distinguisher • On a random difference ∆  Set ∆K 0 =∆, ∆K 1 =0, ∆P=∆ and ∆C=∆  The complexity of finding a solution?  Ideal case: 2 n (n=64) ∆K 0 = ∆ ∆K 1 = 0 LED-128 ∆P= ∆ ∆C= ∆ 32

Distinguisher on 10 Steps • Difference propagation  Passive step function  Active step function ∆ 0 0 0 0 0 ∆ ∆ ∆ ∆ ∆ ∆ ∆ 33

Attack Procedure (1/3) • Phase 1 : find solutions for differentials on F 2 and F 3 , and on F 6 and F 7 .  Exploit the freedom of K 1  At Phase 1, the value of K 1 is chosen. ∆ 0 0 0 0 0 ∆ ∆ ∆ ∆ ∆ ∆ ∆ 34

Phase 1 • Find a set of (K 1 , X i , Y i )s such that  all K 1 s are equal  (K 1 , X i )s follows differential on F 2 and F 3  (K 1 , Y i )s follows differential on F 6 and F 7 ∆K 1 =0 ∆K 1 =0 ∆X=∆ ∆Y=∆ ∆ ∆ F 2 F 3 F 6 F 7 Find collision on K 1 35

Attack Procedure (2/3) • Phase 2 : match a solution on F 2 and F 3 to a solution on F 6 and F 7  Exploit the freedom of K 0  At Phase 2, the value of K 0 is chosen. ∆ 0 0 0 0 0 ∆ ∆ ∆ ∆ ∆ ∆ ∆ 36

Phase 2 • Similar with the key-recovery attack on single-key 1-step Even-Mansour  Utilize the set {(K 1 , X i , Y i )} from Phase 1. E K 0 K 0 K 1 F 4 F 5 X i Y i 37

Attack Procedure (3/3) • Phase 3 : compute P to obtain a solution (P, K 0 , K 1 ). ∆ 0 0 0 0 0 ∆ ∆ ∆ ∆ ∆ ∆ ∆ Prob=1 Prob=1 38

Distinguisher • The complexity of our attack is 2 60.3 , which is smaller than 2 64  10-step LED-128 is “ non- ideal” • Irrespective to the specification of step function. 39

Outline • Backgrounds  Specification  Previous Analysis • Slidex Attack Application • Multicollision Application • Distinguishers  Differential Property  Random-difference Distinguisher • Conclusion 40

Updated State of LED • The number of attacked steps Key Recovery Distinguisher Single-key Related-key LED-64 2 4 �.�� → � (8 steps) LED-128 � → � 6 �.�� → �� (12 steps) 41

Thank you for your attention!