
On Improving Data Complexity of Attacks on RC5

A. Biryukov V. Velichkov

Laboratory of Algorithmics, Cryptology and Security (LACS)
University of Luxembourg

Early Symmetric Crypto 2015
12-16 January, Clervaux, Luxembourg

(LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 1 / 35


1 Motivation

2 Previous Work

3 Improved Filter

4 Conclusion


Block Cipher RC5−w/r/b

Block cipher proposed by Rivest at FSE 1994.

RC5−w/r/b:
w - word size in bits
r - number of rounds
b - size of key in bytes

Block size: 64-bit (w = 32) or 128-bit (w = 64).

Nominal choice of parameters: RC5−32/12/16.

Feistel network with r rounds (2r half-rounds).

Round function: modular addition, XOR, bit rotation.

Notable feature: data-dependent rotations.


RC5−32/12/16

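[Figure: structure of RC5−32/12/16. Input (L_0, R_0) with keys S_0, S_1; 24 half rounds, from half round 1 (key S_2) to half round 24 (key S_25); output (L_25, R_25). Detail of one half round: inputs L_i, R_i, round key S_{i+1}, rotation amount R_i[4 : 0], outputs L_{i+1} = R_i and R_{i+1}.]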

Si : round keys derived from the 16-byte master key.


Cryptanalytic Status and Why Do We (Still) Care

RC5 is academically broken, but best attack requires 2^44 CP (impractical in many settings).

Still widely used due to its small memory footprint and high energy efficiency.

Preferred cipher in sensor networks (e.g. TinyOS).

Many new results on energy efficient implementations.

None on cryptanalytic improvements.


RC5 Top Citations: Years 2000 – 2015


Previous Work

Data complexity (number of chosen plaintexts) of existing differential attacks on RC5−32:

r     Biryukov-Kushilevitz ’98    Knudsen-Meier ’96    Kaliski-Yin ’95
6     2^16                        2^24                 2^32
8     2^28                        2^38                 2^40
10    2^36                        2^46                 2^51
12    2^44                        2^54                 2^63

Goal of this research

Further decrease the data requirements of the best attack.


Attack by Kaliski-Yin ’95

Single half-round characteristics used in the attack by Kaliski and Yin:
(e_s – XOR difference with single active bit at position s)

∆     ∆IN           ∆OUT
Ω1    (0, e_s)      (e_s, e_s)
Ω2    (e_s, e_s)    (e_s, 0)
Ω3    (e_s, 0)      (0, e_t)
Ω4    (0, e_s)      (e_s, e_t)
Ω5    (e_s, e_t)    (e_t, e_u ⊕ e_v)

Concatenate several Ωi to form a characteristic on more rounds.


3 Half-Round Iterative Characteristic: Ω2 + Ω3 + Ω1

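(80000000, 80000000)
    half-round with key S1, rotation r1
(80000000, 00000000)
    half-round with key S2, rotation r2
(00000000, 00100000)
    half-round with key S3, rotation r3
(00100000, 00100000)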


Attack by Knudsen-Meier ’96

Use the same characteristics as Kaliski-Yin + two new ideas:

1. Impose conditions on log2(w) bits of left and right plaintext ⇒ Zero rotation for top two half-rounds.

2. Notice that HW of diffs. in bottom rounds propagates as Fibonacci sequence ⇒ Find better last round characteristics.

3. Higher probability of characteristics ⇒ lower data.


Attack by Biryukov-Kushilevitz ’98

Main observation

Pairs with zero difference in the rotation constants occur with high probability.

Partial differentials

Only the log2(w) LS bits of the differences matter and must be zero.

Thus any rotation amount is allowed, BUT...

...both halves of the pair must have the same rotation constant,

No other restrictions are imposed on the differences.


Good Pairs, Bad Pairs and Oracles

Good Pair

A pair of plaintexts, whose encryption results in equal rotation constants in all rounds.

Noise (bad pairs)

All pairs that are suspected to be good, but differ in the rotation constants in some rounds.

Space Oracle

A good pair acts as a (plaintext) space oracle for finding more good pairs.


Space Oracle: The Mushroom Analogy


Biryukov-Kushilevitz (BK) Oracle

Let (P_L, P_R), (P_L ⊕ ∆_L, P_R ⊕ ∆_R) be a good pair of plaintexts.

A candidate good pair (A_L, A_R), (A*_L, A*_R) is constructed as follows:

A_R ← (random ‖ P_R[4 : 0])

A_L ← A_R ⊕ (P_L ⊕ P_R)

(A*_L, A*_R) ← (A_L ⊕ ∆_L, A_R ⊕ ∆_R)

Gains top five half-rounds for “free”.


Knudsen-Meier (KM) Oracle

Let (P_L, P_R), (P_L ⊕ ∆_L, P_R ⊕ ∆_R) be a good pair of plaintexts.

A candidate good pair (A_L, A_R), (A*_L, A*_R) is constructed as follows:

A_R ← (random ‖ P_R[4 : 0])

A_L ← (random ‖ P_L[4 : 0])

(A*_L, A*_R) ← (A_L ⊕ ∆_L, A_R ⊕ ∆_R)

Gains top two half-rounds for “free”.


GoUP Filter: Detecting Good Pairs from Noise

[Figure: GoUP filter diagram. Labels: ciphertext pair halves (C_L, C*_L), (C_R, C*_R); round keys S_n, S_{n−1}, S_{i+1}; rotation amounts C_L[4 : 0], T_{n−1}, T_{n−2}; differences ∆_{n+1}, ∆_n, ∆_{n−1}, ∆_{n−2}, ∆_{n−3}, ∆X_{n−1}, ∆X_{n−2}, ∆x_{n−3} = ∆_{n−1}.]

Bottom three rounds of RC5 (leftmost is last). The filter covers 7 rounds in total.


GoUP Filter

Note 1

The filter applies Hamming weight thresholds on the differences. The thresholds are set according to (corrected) Fibonacci sequence.

Note 2

Rotation constants T are guessed at every round except the last.


Differential Expansion of Addition

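Expanding the addition operation into a set of possible output differences with probability ≥ p_thres:

[Figure: inputs X, X*, key K, output difference ∆]

$$\left\{ \Delta : \mathrm{DP}(x, x^* \to \Delta) = \frac{\#\{k : (x - k) \oplus (x^* - k) = \Delta\}}{\#\{k\}} > p_{\mathrm{thres}} \right\}$$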


Differential Expansion of Addition: Bitwise Algorithm

Algorithm 1 Differential Expansion of ADD.
Input: p_thres, x, x*.
Output: D

procedure expand_add_bitwise(i, x, x*) do
    if (i = word_size) then
        add ∆ to D
        return
    for j ∈ {0, 1} do
        ∆[i] ← j; p_i ← DP(x[i : 0], x*[i : 0] → ∆[i : 0])
        if p_i > p_thres then
            expand_add_bitwise(i + 1, x, x*)
    return D
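
Algorithm 1 in runnable form, as an added example that is not code from the slides or the authors. It assumes the key k is uniform and evaluates the prefix probability DP(x[i : 0], x*[i : 0] → ∆[i : 0]) by tracking the joint borrow state of x − k and x* − k (the slides do not say how DP is evaluated); the names `expand_sub` and `dp_bruteforce` are hypothetical, and the brute-force function is only a cross-check for small word sizes.

```python
from fractions import Fraction


def _step(states, xi, xsi, d):
    """Consume one bit position, keeping only borrow states that give difference bit d."""
    nxt = {}
    for (b, bs), p in states.items():
        # Bit i of (x - k) ^ (x* - k) equals x_i ^ x*_i ^ b ^ b*: the key bit cancels.
        if xi ^ xsi ^ b ^ bs != d:
            continue
        for k in (0, 1):                 # unknown key bit, assumed uniform
            nb = int(xi < k + b)         # borrow out of x - k at this position
            nbs = int(xsi < k + bs)      # borrow out of x* - k at this position
            nxt[(nb, nbs)] = nxt.get((nb, nbs), 0) + p / 2
    return nxt


def expand_sub(x, xs, p_thres, w=32):
    """Return {delta: DP(x, x* -> delta)} for every delta with DP > p_thres."""
    found = {}

    def rec(i, delta, states):
        if i == w:                       # all bits fixed: record the difference
            found[delta] = sum(states.values())
            return
        xi, xsi = (x >> i) & 1, (xs >> i) & 1
        for d in (0, 1):                 # try both values for bit i of delta
            nxt = _step(states, xi, xsi, d)
            # Prefix probabilities never increase as bits are added,
            # so pruning below the threshold loses no valid delta.
            if sum(nxt.values()) > p_thres:
                rec(i + 1, delta | (d << i), nxt)

    rec(0, 0, {(0, 0): Fraction(1)})     # no borrow into bit 0
    return found


def dp_bruteforce(x, xs, delta, w):
    """Exact DP by enumerating all 2^w keys (cross-check, small w only)."""
    mask = (1 << w) - 1
    hits = sum(1 for k in range(1 << w)
               if (((x - k) & mask) ^ ((xs - k) & mask)) == delta)
    return Fraction(hits, 1 << w)


if __name__ == "__main__":
    # Constructed inputs: an 8-bit pair that differs only in bit 4.
    for delta, p in sorted(expand_sub(0x10, 0x00, Fraction(1, 8), w=8).items()):
        print(f"delta=0x{delta:02x}  DP={p}  brute={dp_bruteforce(0x10, 0x00, delta, 8)}")
```

A pair that differs only in the most significant bit expands to a single difference with probability 1, while lower-bit differences fan out along the borrow chain, which is why lower thresholds admit more candidate differences.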


Non-linear GoUP Filter

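[Figure: non-linear GoUP filter diagram. Labels: ciphertext pair halves (C_L, C*_L), (C_R, C*_R); round keys S_n, S_{n−1}, S_{i+1}; rotation amounts C_L[4 : 0], T_{n−1}, T_{n−2}; differences ∆_{n+1}, ∆_n, ∆_{n−1}, ∆_{n−2}, ∆_{n−3}, ∆X_{n−1}, ∆X_{n−2}, ∆x_{n−3} = ∆_{n−1}.]

Bottom three rounds of RC5 (leftmost is last).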


Full Filtration Procedure: First Pass

Algorithm 2 First Pass Filter Procedure for RC5−32/8/16.
Input: δ1, δ2 . . . = 0x80000000, 0x40000000 . . .
Output: Set of candidate good pairs F1.

S ← structure of 2^24 CP and corresponding ciphertexts
P ← set of 2^4 · 2^23 pairs ((P, P*), (C, C*)) : (P, C), (P*, C*) ∈ S
for all pairs in P do
    if TRUE = b_good ← GoUP_NL(C, C*) then
        add ((P, P*), (C, C*)) to F1
return F1


Full Filtration Procedure: Second Pass

Algorithm 3 Second Pass Filter Procedure for RC5−32/8/16.
Input: F1; δ1, δ2, . . . = 0x80000000, 0x40000000 . . .
Output: Set of candidate good pairs F2.

for each (X, X*) ∈ F1 do
    Apply BK oracle on (X, X*)
    S_i ← structure of 2^22 CP and corresponding ciphertexts
    P_i ← set of 2^2 · 2^21 pairs ((P, P*), (C, C*)) : (P, C), (P*, C*) ∈ S
    for all pairs in P_i do
        if TRUE = b_good ← GoUP_NL(C, C*) then
            add ((P, P*), (C, C*)) to F2
return F2


RC5−32/8/16: 1st pass Filter, 50 keys

[Plot: "RC5: 2^24 Chosen Plaintexts (Structures); 8 Rounds, P_diff = 2^-20.4". x-axis: Experiments; y-axis: Number of pairs. Series: Good Pairs Total, Filtered Pairs, Good Filtered, Good Filt. Average, Bad Filt. Average.]


RC5−32/8/16: 2nd pass Filter, 50 keys

[Plot: "RC5: 2^22 Chosen Plaintexts (BK Oracle + Structures); 8 Rounds, P_diff = 2^-20.4". x-axis: Experiments; y-axis: Number of pairs. Series: Good Pairs Total (2nd pass), Filtered Pairs (2nd pass), Good Filtered (2nd pass), Good Filt. Average (2nd pass), Bad Filt. Average (2nd pass).]


Towards a New Oracle

Observation

Partial differential trails favour very small or very big rot. const. r e.g.:

w = 32 : (r ≥ 26) ∨ (r ≤ 2); w = 64 : (r ≥ 56) ∨ (r ≤ 4)

Conjecture

If (PL,PR) s.t. (r1, r2, r3, r4 ≥ 56) ∨ (r1, r2, r3, r4 ≤ 4), where

r1 = (PR + S1) mod 2w

r2 = ((PL + S0)⊕ (PR + S1) ≪ r1) + S2 = A mod 2w

r3 = (((PR + S1)⊕ A) ≪ r2) + S3 = B mod 2w

r4 = ((A⊕ B) ≪ r3) + S4 = C mod 2w

then (PL,PR) is a good pair with high probability.


Towards a New Oracle: Experimental Verification

[Plot: "New Space Oracle, 26 keys". x-axis: Key; y-axis: Num. Good Pairs (ticks from 1 to 4096 in powers of two). Series: Oracle, No Oracle.]


Results

Number of chosen plaintexts for differential attacks on RC5−32/R/16.

#R    GF / BF (S / N)    Our Results    Biryukov-Kushilevitz ’98    Knudsen-Meier ’96    Kaliski-Yin ’95
6     7/0                2^15.58        2^16                        2^24                 2^32
8     15/2               2^25.32        2^28                        2^38                 2^40
10    10/10              2^34.65        2^36                        2^46                 2^51
12                       2^42.65 (∗)    2^44                        2^54                 2^63

(∗) = estimation.


Summary of Contributions

Contribution

Improved filtration procedure for differential attacks on RC5.

Analyzes the original cipher (as opposed to XOR-linear model)

Based on the idea of differential expansion of addition.


Limitations and Future Work

Limitations

The complexity of the improved filter is exponential in the prob. thresholds.

Lower thresholds ⇒ more output diffs. ⇒ more options for a pair to pass the filter ⇒ more noise.

Future Work

Improve the efficiency of GoUP_NL e.g. don’t guess all rot. const.

Research on better oracles.

Apply the technique to RC5-64


Questions?

Thank you for your attention!

First Pass Filter

Algorithm 4 Full Filter Procedure for RC5−32/8/16.
Input: δ1, δ2, δ3 . . . = 0x80000000, 0x40000000 . . .
Output: List of candidate good pairs ((P, P*), (C, C*)).

A_L ← rand; A_R ← rand; A_L ← A_L, A_L ⊕ δ1, A_L ⊕ δ1 ⊕ δ2, . . .; A_R ← A_R, A_R ⊕ δ1, A_R ⊕ δ1 ⊕ δ2, . . .
A_1 ← A_L, A_R = structure of 2^24 chosen plaintexts
S_1 ← (P, C) : P ∈ A_1, C = ENCRYPT(P) = set of 2^24 plaintext, ciphertext pairs
from S_1 construct P_1 = set of 2^4 · 2^23 pairs ((P, P*), (C, C*)) : (P, C) ∈ S_1, (P*, C*) ∈ S_1;
for all pairs in P_1 do
    if TRUE = b_good ← GoUP_NL(C, C*) then
        add ((P, P*), (C, C*)) to F1
return F1


Second Pass Filter

Algorithm 5 Full Filter Procedure for RC5−32/8/16.
Input: F1, δ1, δ2, . . . = 0x80000000, 0x40000000 . . .
Output: List of candidate good pairs ((P, P*), (C, C*)).

for each (P, P*) ∈ F1 do
    fix r_LSB ← P_R[4 : 0] and ∆_LR ← P_L ⊕ P_R
    A_R[31 : 5] ← rand; A_R[4 : 0] ← r_LSB; A_R ← (A_R[31 : 5] ‖ A_R[4 : 0]); A_L ← A_R ⊕ ∆_LR;
    A_L ← A_L, A_L ⊕ δ1, A_L ⊕ δ1 ⊕ δ2, . . .; A_R ← A_R, A_R ⊕ δ1, A_R ⊕ δ1 ⊕ δ2, . . .
    A_i ← A_L, A_R = structure of 2^22 chosen plaintexts; S_i . . .
    from S_i construct P_i = set of 2^2 · 2^21 pairs ((P, P*), (C, C*)) : (P, C) ∈ S_i, (P*, C*) ∈ S_i;
    for all pairs in P_i do
        if TRUE = b_good ← GoUP_NL(C, C*) then
            add ((P, P*), (C, C*)) to F2
return F2