Match Box Meet-in-the-Middle Attack against KATAN
Thomas Fuhr and Brice Minaud, ANSSI, France
FSE, March 3-5 2014
Plan
1. Match Box Meet-in-the-Middle Attacks: Sieve-in-the-Middle Framework; Match Box
2. Cryptanalysis of KATAN: Description; Cryptanalysis; Summary of results
Match Box
Meet-in-the-Middle Attack
(figure: plaintext PT is mapped to ciphertext CT under the key K)
Meet-in-the-Middle Attack
(figure: PT is computed forward under $K_1$ and CT backward under $K_2$; both reach the intermediate value $\vec v$)
Knowledge of a portion $K_1$ of the key allows to compute a part $\vec v$ of the internal state at some intermediate round.
Assume this same $\vec v$ can be computed from the ciphertext using $K_2$. Then a meet-in-the-middle attack is possible.
This generally assumes a simple key schedule. Lightweight ciphers are prime targets.
Meet-in-the-Middle Attack
1. Guess $K_\cap = K_1 \cap K_2$.
   • For each $K'_1 = K_1 - K_\cap$, compute $\vec v$. Store $\vec v \to \{K'_1\}$ in a table $T$.
   • For each $K'_2 = K_2 - K_\cap$, compute $\vec v$. Retrieve the $K'_1$'s that lead to the same $\vec v$ from $T$. Each of these $K'_1$'s, merged with $K'_2$, yields a candidate master key.
2. Test candidate master keys against a few plaintext/ciphertext pairs.
Benefit: complexity is $|K_\cap| \times (|K'_1| + |K'_2|)$ instead of $|K_\cap| \times (|K'_1| \times |K'_2|)$.
Sieve-in-the-Middle Framework
(figure: $\vec l$ is computed forward from PT under $K_1$, $\vec r$ backward from CT under $K_2$)
Now we compute a distinct $\vec l$ from the left and $\vec r$ from the right. Compatibility is expressed by some relation $R(\vec l, \vec r)$.
Introduced by Canteaut, Naya-Plasencia and Vayssière at CRYPTO 2013.
Matching problem
(figure: for every pair $(K'_1, K'_2)$, do the corresponding $\vec l$ and $\vec r$ match?)
Notation: $K_1 = K_\cap \oplus K'_1$, $K_2 = K_\cap \oplus K'_2$, $K = K_\cap \oplus K'_1 \oplus K'_2$.
Problem: testing the relation $R$. $K_\cap \times K'_1 \times K'_2$ = entire key = brute force.
Solution: precomputation of compatibilities outside the loop on $K_\cap$.
Example
(figure: $\vec l$ is XORed with a key-dependent value $k(K'_1)$ and fed through an S-box $S$ whose output is $\vec r$)
Assuming the key schedule is linear, $K = K_2 \oplus K'_1$. Without loss of generality, we can assume $k$ depends only on $K'_1$.
Compatibility: $R(\vec l, \vec r, K'_1)$ iff $\vec l = \big(S^{-1}(\vec r) \oplus k(K'_1)\big)\restriction_{\{0,1\}}$.
Match box
Match box: $(K'_1, \vec l) \mapsto \big(\vec r \mapsto \{K'_1 : R(\vec l, \vec r, K'_1)\}\big)$.
Limited by the size of the table: $2^{|\vec l| + |\vec r| + |K'_1|}$.
Cryptanalysis of KATAN
KATAN
Block cipher by De Cannière, Dunkelman, Knežević, CHES 2009.
Ultralightweight: barely more surface area than what is required to store the state and key.
Based on Non-Linear Feedback Shift Registers. 254 rounds.
Accommodates three block sizes: 32, 48 or 64 bits. 80-bit key.
Previous work on KATAN32
Conditional differential: 78 rounds by Knellwolf, Meier, Naya-Plasencia, ASIACRYPT 2010.
Exhaustive differential: 115 rounds by Albrecht and Leander, SAC 2012.
Meet-in-the-middle: 110 rounds by Isobe and Shibutani, SAC 2013.
KATAN32
(figure: register A holds bits 31..19 and register B bits 18..0; each round mixes linear taps, AND gates, the irregular-round bit IR and the round-key bits $k_0$, $k_1$)
80-bit key loaded into an LFSR → $k_0$, $k_1$ every round. Irregular rounds scheduled by another LFSR.
Formal description of KATAN32
Definition: bit $a_i$ enters register $A$ at round $i$; bit $b_i$ enters register $B$ at round $i$.
$\Rightarrow$ At round $n$: $A$ contains $(a_{n-12}, \dots, a_n)$, $B$ contains $(b_{n-18}, \dots, b_n)$.
Plaintext $= (a_{-13}, \dots, a_{-1}, b_{-19}, \dots, b_{-1})$.
Encryption:
$a_n = b_{n-19} \oplus b_{n-8} \oplus b_{n-11} \cdot b_{n-13} \oplus b_{n-4} \cdot b_{n-9} \oplus rk_{2n+1}$
$b_n = a_{n-13} \oplus a_{n-8} \oplus c_n \cdot a_{n-4} \oplus a_{n-6} \cdot a_{n-9} \oplus rk_{2n}$
Ciphertext $= (a_{241}, \dots, a_{253}, b_{235}, \dots, b_{253})$.
Meet-in-the-Middle Attack on KATAN
Small extras:
Simultaneous matching: on several plaintext/ciphertext pairs.
Indirect matching: removes key bits whose contribution is linear.
Result: attack on 121 rounds of KATAN32.
$K_1$: 75 bits, $K_2$: 75 bits, $K_\cap$: 70 bits; forward: 69 rounds, backward: 52 rounds.
4 known plaintexts, complexity $2^{77.5}$.
Meet-in-the-Middle Attack on KATAN
(figure: a biclique is placed before the forward computation of $\vec v$ under $K_1$; CT is computed backward under $K_2$)
Addition of a biclique. Originally introduced to attack SKEIN and AES [BKR11].
Makes it possible to extend a meet-in-the-middle attack. Either an accelerated key search, or a classical attack (we use the latter).
Result: attack on 131 rounds of KATAN32. Chosen plaintexts, low data requirements.
Meet-in-the-middle attack on KATAN
(figure: biclique, then $\vec l$ computed forward under $K_1$ and $\vec r$ backward under $K_2$, with a match box in the middle)
Addition of a « match box ».
Match Box on KATAN
Meeting in the middle at $b_{62}$:
$b_{62} = x_0 \oplus b_{68} \cdot b_{70}$, with $x_0 = a_{81} \oplus b_{73} \oplus b_{72} \cdot b_{77} \oplus rk_{163}$
$b_{68} = x_1 \oplus rk_{175}$, with $x_1 = a_{87} \oplus b_{89} \oplus b_{76} \cdot b_{74} \oplus b_{83} \cdot b_{78}$
$b_{70} = x_2 \oplus rk_{179}$, with $x_2 = a_{89} \oplus b_{91} \oplus b_{78} \cdot b_{76} \oplus b_{85} \cdot b_{80}$
Let us decompose $rk_n = rk^2_n \oplus rk^{1'}_n$ along $K_2 \oplus K'_1$.
$\vec l = (l_0)$ with $l_0 = b_{62}$; $\vec r = (r_0, r_1, r_2)$ with $r_0 = x_0$, $r_1 = x_1 \oplus rk^2_{175}$, $r_2 = x_2 \oplus rk^2_{179}$.
Compatibility $R(\vec l, \vec r, K'_1)$: $l_0 = r_0 \oplus (r_1 \oplus rk^{1'}_{175}) \cdot (r_2 \oplus rk^{1'}_{179})$.
Match Box on KATAN
$\vec l = (l_0)$ with $l_0 = b_{62}$; $\vec r = (r_0, r_1, r_2)$ with $r_0 = x_0$, $r_1 = x_1 \oplus rk^2_{175}$, $r_2 = x_2 \oplus rk^2_{179}$.
Compatibility $R(\vec l, \vec r, K'_1)$: $l_0 = r_0 \oplus (r_1 \oplus rk^{1'}_{175}) \cdot (r_2 \oplus rk^{1'}_{179})$.
Benefit: we no longer need to know $rk^{1'}_{175}$ and $rk^{1'}_{179}$ from the right.
⇒ $K_2$ shrinks by 2.
⇒ We can add two brand new round keys to $K_2$ to add one more round to the attack.
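As an added example (not code from the slides or from the authors), the KATAN32 recurrences of the formal description above are simulated with the full key, the match-box relation at $b_{62}$ is checked on the resulting internal state, and the small match-box table for that relation is built. Two things the slides do not give are assumed: the key-schedule LFSR taps (the polynomial in the comment) and the irregular-round bits $c_n$, which are a constructed placeholder, so the output is not real KATAN32 ciphertext.

```python
import itertools
import random

def round_keys(key80, nbits):
    """Expand 80 key bits to rk_0 .. rk_{nbits-1}.  Assumed (not on the slides):
    Fibonacci LFSR k[i+80] = k[i] ^ k[i+19] ^ k[i+30] ^ k[i+67]."""
    rk = list(key80)
    while len(rk) < nbits:
        rk.append(rk[-80] ^ rk[-61] ^ rk[-50] ^ rk[-13])
    return rk

def run_rounds(pt, rk, c, rounds):
    """Apply the slide's recurrences, keeping every a_i and b_i ever produced.
    pt is (a_-13..a_-1, b_-19..b_-1) as on the slide; c[n] is the irregular bit c_n."""
    a = {i - 13: pt[i] for i in range(13)}
    b = {i - 19: pt[13 + i] for i in range(19)}
    for n in range(rounds):
        a[n] = b[n-19] ^ b[n-8] ^ (b[n-11] & b[n-13]) ^ (b[n-4] & b[n-9]) ^ rk[2*n+1]
        b[n] = a[n-13] ^ a[n-8] ^ (c[n] & a[n-4]) ^ (a[n-6] & a[n-9]) ^ rk[2*n]
    return a, b

def matchbox_relation_holds(key80, pt, c):
    """With the full key known, check l_0 = r_0 ^ (r_1 ^ rk_175) & (r_2 ^ rk_179)
    at b_62.  x_1 and x_2 are the a_87 and a_89 recurrences solved for b_68 and b_70."""
    rk = round_keys(key80, 180)          # rk_0 .. rk_179
    a, b = run_rounds(pt, rk, c, 90)     # state bits up to a_89 / b_89
    x0 = a[81] ^ b[73] ^ (b[72] & b[77]) ^ rk[163]
    x1 = a[87] ^ b[79] ^ (b[76] & b[74]) ^ (b[83] & b[78])
    x2 = a[89] ^ b[81] ^ (b[78] & b[76]) ^ (b[85] & b[80])
    return b[62] == x0 ^ ((x1 ^ rk[175]) & (x2 ^ rk[179]))

def build_match_box():
    """Match box for that relation: (l_0, r_0, r_1, r_2) -> the values of the two
    K'_1 bits (rk'_175, rk'_179) that are compatible; the right side never needs them."""
    box = {}
    for l0, r0, r1, r2 in itertools.product((0, 1), repeat=4):
        box[(l0, r0, r1, r2)] = [(k0, k1) for k0, k1 in itertools.product((0, 1), repeat=2)
                                 if l0 == r0 ^ ((r1 ^ k0) & (r2 ^ k1))]
    return box

def demo(seed=1):
    """Constructed inputs: random key and plaintext, and a placeholder c sequence
    (the real IR bits are not on the slides, so this is not a real KATAN32 run)."""
    rng = random.Random(seed)
    key, pt, c = ([rng.randint(0, 1) for _ in range(n)] for n in (80, 32, 90))
    return matchbox_relation_holds(key, pt, c)
```

The relation holds for every key, plaintext and $c_n$ sequence because it is just the $a_{81}$, $a_{87}$ and $a_{89}$ recurrences rearranged; only the two round-key bits $rk_{175}$ and $rk_{179}$ enter non-linearly, which is why the match box can absorb them.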