Improved Slide Attacks - University of Haifa › ~orrd › crypt › UCL-ImprovedSlide.pdf ·...

transcript

Improved Slide AttackUCL Seminar, 19th December 20061/32

Improved Slide Attacks

Eli Biham, Orr Dunkelman, Nathan Keller

Computer Science Dept. Technion, IsraelDept. of Electrical Engineering ESATSCD/COSIC, Katholieke Universitiet Leuven, BelgiumEinstein Institute of Mathematics, Hebrew University, Israel

Topics of the TalkDescription of the slide attacksVarious improvementsStudying the cycle structureApplication to GOSTSummary

Slide Attacks [BW99]

Applied to ciphers with the same applied keyed permutation

Slide Attacks

Seek slid pairs (P,P') s.t.

P' C'C

Slide Attacks

If fk is ''simple'' enough, given one

slid pair the key k can be foundThe attack is independent of the number of times f

k is applied

simple = can be broken using two input/output pairs

Genreating Slid Pairs

Using birthday paradox (requires ~2n/2 KP)Identification can be done by treating each pair as a slid pair and analyzing itTime complexity 2n applications of the attack on f

Genreating Slid Pairs in Feistel Block Ciphers

For Feistel block ciphers it can be reduced to ~2n/4 CP

Pick 2n/4 CP of the form (for a fixed A)Pick 2n/4 CP of the formDue to the birthday paradox, a slid pair is expected

Identification of the slid pair is also easier

Making ''Simple'' More Complex

In [BW00] some advanced slide techniques were presentedThe aim of these techniques – to allow attacking ciphers with more complex round functions

Complementation Slide

Consider a 2round Feistel with two independent subkeys A regular slide by 1round is not possible due to the different keysHowever ... it is possible to slide with a difference, i.e., where is the key difference

Complementation Slide (cont.)

Assume that the subkey is XORed into the data before the nonlinear functionThen, the difference assures that the inputs to the nonlinear function is the same for all shared roundsThus,

Complementation Slide (cont.)

Data complexity ~2n/2 KPTime complexity ~2n/2 applications of the attack on f

(There are 2n possible pairs, each suggesting an n/2bit value for , which gives indication whether the ciphertexts can form a slid pair)

Sliding with a Twist

In the same case, encryption under is closely related to decrpytion underThus, the slid pair is generated from the encryption under one key, and decryption under the second key

Twisted Complemented Slide

Both improvements can be combined to attack f

k of 4round Feistel structure with

independent subkeysConsider the sequences of subkeys:

If we have a difference to the inputs in the slid pair of the form , the slid property can be preserved

A Different Approach

What if there is no good attack on fk

that uses only two input/output pairs?Most interesting property observed [BW00,F01]:

If (P,P') is a slid pair, then so does (E

k(P),E

k(P'))

Allowing More Complex ''Simple'' Functions

It is possible to use the observation to attack f

k using a KP attack (that uses m

KP)Take ~2n/2 KP, and iteratively encrypt each of them m timesTry all pairs among the 2n/2 starting pointsApply the KP attack with m pairs for each candidate slid pair (T.C. = m2n)

Allowing More Complex ''Simple'' Functions (cont.)Data complexity: ~m2n/2 adaptive chosen plaintextsTime complexity: 2n applications of the known plaintext attack on f

For Feistel Ciphers:Data complexity: ~2n/2 known plaintexts + 2m daptive chosen plaintextsTime complexity: 1 application of the attack

Making the Complex Real

Our technique solves two problems:Finding the slid pairs easilyAllowing chosen plaintext attacks (even ACPC)

Making the Complex Become Real – Considering CyclesLetChoose randomlyIteratively encrypt until is obtained again

Making the Complex Become Real – Considering CyclesThe cycle is actually also a multiple of the cycle of f

k as well!

Let Then j*m = C*r for some constant Cif gcd(m,r)=1, then r=j

So You Have Cycles...So What?!

The information on the cycle can be used to find slid pairsOnce one slid pair is found, we can find as many pairs as there plaintexts in the cycleWe can use CP attacks (and even ACPC attacks) on f

Data and Time Complexities

Data complexity: ~2n known plaintexts/~2n1 adaptive chosen plaintextsTime complexity: 1 application of the attack on f

Russian encryption standard32round Feistel construction64bit block, 256bit keyRound function consists of key addition, eight 4x4 Sboxes, rotate to the left by 11Sboxes are unknown...

Simple key schedule:rounds 18: rounds 916: rounds 1724: rounds 2532:

24Round GOST in our attack

As there are 3 iterations of the same function – we can find slid pairsAll that is needed is an 8round attack on GOST, when the Sboxes are not known ...

8Round Attack with Unknown Sboxes

We use a 7round truncated differential (with probability 0.495) that predicts four bits.Given sufficiently enough pairs, we can use partial decryption to verify what is the probablity of the differential being satisfied.But we can't decrypt! The Sboxes are unknown!

8Round Attack with Unknown Sboxes (cont.)

We start by using only two entries in the Sbox S4To do so, we use only ''ciphertexts'' with a fixed value that enters this S4We also fix the bits before to be 0 (to reduce the chance of carry)

Now, we guess the outputs of the S4 in these two entriesFor a succesful guess* – the truncated differential holds with probability 0.494, otherwise 1/16

* actually, for a succesful guess of the difference in the output

Repeat for other entries of S4, and you can reconstruct S4 up to:

the keythe exact values (you know all the relative values)

Use a shifted version of the differential to find the same information on other Sboxes

Data Complexity: 263 ACPC or almost 264 KPTime Complexity: ~264

30Round GOST (Known Sboxes)

Guess subkey of last six roundsPartially decrypt all ciphertexts 6 roundsApply the 24round attackData Complexity: almost 264 KPTime Complexity: ~2254

Summary

Questions?

Thank you!

Improved Slide Attacks - University of Haifa › ~orrd › crypt › UCL-ImprovedSlide.pdf ·...

Documents