Improved Slide Attack, UCL Seminar, 19th December 2006
Improved Slide Attacks
Eli Biham, Orr Dunkelman, Nathan Keller
Computer Science Dept., Technion, Israel
Dept. of Electrical Engineering ESAT-SCD/COSIC, Katholieke Universiteit Leuven, Belgium
Einstein Institute of Mathematics, Hebrew University, Israel
Topics of the Talk
- Description of the slide attacks
- Various improvements
- Studying the cycle structure
- Application to GOST
- Summary
Slide Attacks [BW99]
- Applied to ciphers that repeatedly apply the same keyed permutation
[Figure: a cipher drawn as a chain of $f_k$ applications]
Slide Attacks
Seek slid pairs (P,P') s.t.
[Figure: a slid pair (P,P'), shown as two chains of $f_k$ applications with labels P, P', C, C']
Slide Attacks
- If $f_k$ is "simple" enough, given one slid pair the key k can be found
- The attack is independent of the number of times $f_k$ is applied
- simple = can be broken using two input/output pairs
Generating Slid Pairs
- Using birthday paradox (requires ~$2^{n/2}$ KP)
- Identification can be done by treating each pair as a slid pair and analyzing it
- Time complexity $2^n$ applications of the attack on $f_k$
Generating Slid Pairs in Feistel Block Ciphers
- For Feistel block ciphers it can be reduced to ~$2^{n/4}$ CP
- Pick $2^{n/4}$ CP of the form (for a fixed A)
- Pick $2^{n/4}$ CP of the form
- Due to the birthday paradox, a slid pair is expected
- Identification of the slid pair is also easier
Making "Simple" More Complex
- In [BW00] some advanced slide techniques were presented
- The aim of these techniques: to allow attacking ciphers with more complex round functions
Complementation Slide
- Consider a 2-round Feistel with two independent subkeys
- A regular slide by 1 round is not possible due to the different keys
- However ... it is possible to slide with a difference, i.e., where is the key difference
Complementation Slide (cont.)
- Assume that the subkey is XORed into the data before the nonlinear function
- Then, the difference assures that the inputs to the nonlinear function are the same for all shared rounds
- Thus,
Complementation Slide (cont.)
- Data complexity ~$2^{n/2}$ KP
- Time complexity ~$2^{n/2}$ applications of the attack on $f_k$
(There are $2^n$ possible pairs, each suggesting an n/2-bit value for , which gives an indication whether the ciphertexts can form a slid pair)
Sliding with a Twist
- In the same case, encryption under is closely related to decryption under
- Thus, the slid pair is generated from the encryption under one key, and decryption under the second key
Twisted Complemented Slide
- Both improvements can be combined to attack $f_k$ of 4-round Feistel structure with independent subkeys
- Consider the sequences of subkeys:
- If we have a difference to the inputs in the slid pair of the form , the slid property can be preserved
A Different Approach
- What if there is no good attack on $f_k$ that uses only two input/output pairs?
- Most interesting property observed [BW00,F01]:
- If (P,P') is a slid pair, then so is ($E_k(P)$, $E_k(P')$)
Allowing More Complex "Simple" Functions
- It is possible to use the observation to attack $f_k$ using a KP attack (that uses m KP)
- Take ~$2^{n/2}$ KP, and iteratively encrypt each of them m times
- Try all pairs among the $2^{n/2}$ starting points
- Apply the KP attack with m pairs for each candidate slid pair (T.C. = $m \cdot 2^n$)
Allowing More Complex "Simple" Functions (cont.)
- Data complexity: ~$m \cdot 2^{n/2}$ adaptive chosen plaintexts
- Time complexity: $2^n$ applications of the known plaintext attack on $f_k$
For Feistel Ciphers:
- Data complexity: ~$2^{n/2}$ known plaintexts + 2m adaptive chosen plaintexts
- Time complexity: 1 application of the attack
Making the Complex Real
Our technique solves two problems:
- Finding the slid pairs easily
- Allowing chosen plaintext attacks (even ACPC)
How?
Making the Complex Become Real – Considering Cycles
- Let
- Choose randomly
- Iteratively encrypt until is obtained again
Making the Complex Become Real – Considering Cycles
- The cycle is actually also a multiple of the cycle of $f_k$ as well!
- Let
- Then j*m = C*r for some constant C
- If gcd(m,r)=1, then r=j
So You Have Cycles... So What?!
- The information on the cycle can be used to find slid pairs
- Once one slid pair is found, we can find as many pairs as there are plaintexts in the cycle
- We can use CP attacks (and even ACPC attacks) on $f_k$
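The cycle technique above on a toy cipher, as an added example (not code from the talk): it assumes E_k is m = 3 applications of a constructed 16-bit one-round Feistel f_k, and the key and the names f_k, E_k, cycle_of, candidate_shift and find_slid_pairs are hypothetical. The key is used only inside the encryption oracle and to confirm the candidate pair, which stands in for running the attack on f_k.

```python
from math import gcd

M = 3        # assumed: E_k = f_k applied M times under the same key
KEY = 0xA7   # constructed toy key; used by the oracle and for checking only

def f_k(x, k=KEY):
    """Toy keyed permutation: one Feistel round on a 16-bit block."""
    left, right = x >> 8, x & 0xFF
    t = (right + k) & 0xFF
    t = (t * t + (t >> 3) + 0x3B) & 0xFF   # arbitrary toy nonlinear function
    return (right << 8) | (left ^ t)

def E_k(x, k=KEY):
    """Encryption oracle: M applications of f_k."""
    for _ in range(M):
        x = f_k(x, k)
    return x

def cycle_of(start):
    """Iteratively encrypt start until it is obtained again."""
    points, x = [start], E_k(start)
    while x != start:
        points.append(x)
        x = E_k(x)
    return points

def candidate_shift(j):
    """Return t with t*M = 1 (mod j); if r = j then E_k^t(P) = f_k(P)."""
    if gcd(M, j) != 1:
        return None
    return pow(M, -1, j) if j > 1 else 0

def find_slid_pairs():
    """Scan the cycles of E_k and return (cycle, t) for the first cycle
    whose candidate pair (cycle[0], cycle[t]) really is a slid pair."""
    seen = set()
    for start in range(1 << 16):
        if start in seen:
            continue
        cyc = cycle_of(start)
        seen.update(cyc)
        t = candidate_shift(len(cyc))
        # Confirmation with f_k stands in for the attack on f_k.
        if t is not None and cyc[t] == f_k(cyc[0]):
            return cyc, t
    return None

if __name__ == "__main__":
    cyc, t = find_slid_pairs()
    print(f"j={len(cyc)} t={t} slid pair=({cyc[0]:#06x}, {cyc[t]:#06x})")
```

Because f_k commutes with E_k, every pair (cyc[i], cyc[(i+t) mod j]) on the returned cycle is also a slid pair, so one confirmed pair yields as many pairs as the cycle has plaintexts.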
Data and Time Complexities
- Data complexity: ~$2^n$ known plaintexts / ~$2^{n-1}$ adaptive chosen plaintexts
- Time complexity: 1 application of the attack on $f_k$
GOST
- Russian encryption standard
- 32-round Feistel construction
- 64-bit block, 256-bit key
- Round function consists of key addition, eight 4x4 S-boxes, rotate to the left by 11
- S-boxes are unknown...
GOST
Simple key schedule:
- rounds 1-8:
- rounds 9-16:
- rounds 17-24:
- rounds 25-32:
24-Round GOST in our attack
- As there are 3 iterations of the same function, we can find slid pairs
- All that is needed is an 8-round attack on GOST, when the S-boxes are not known ...
8-Round Attack with Unknown S-boxes
- We use a 7-round truncated differential (with probability 0.495) that predicts four bits.
- Given enough pairs, we can use partial decryption to verify the probability of the differential being satisfied.
- But we can't decrypt! The S-boxes are unknown!
8-Round Attack with Unknown S-boxes (cont.)
- We start by using only two entries in the S-box S4
- To do so, we use only "ciphertexts" with a fixed value that enters this S4
- We also fix the bits before to be 0 (to reduce the chance of carry)
8-Round Attack with Unknown S-boxes (cont.)
- Now, we guess the outputs of the S4 in these two entries
- For a successful guess*, the truncated differential holds with probability 0.494, otherwise 1/16
* actually, for a successful guess of the difference in the output
8-Round Attack with Unknown S-boxes (cont.)
- Repeat for other entries of S4, and you can reconstruct S4 up to:
  - the key
  - the exact values (you know all the relative values)
- Use a shifted version of the differential to find the same information on other S-boxes
8-Round Attack with Unknown S-boxes (cont.)
- Data Complexity: $2^{63}$ ACPC or almost $2^{64}$ KP
- Time Complexity: ~$2^{64}$
30-Round GOST (Known S-boxes)
- Guess subkey of last six rounds
- Partially decrypt all ciphertexts 6 rounds
- Apply the 24-round attack
- Data Complexity: almost $2^{64}$ KP
- Time Complexity: ~$2^{254}$
Summary
Questions?
Thank you!