narrow bicliquesppt

Dmitry Khovratovich, Gaëtan Leurent, and Christian Rechberger. 2012. NarrowBicliques:

cryptanalysis of full IDEA. In Proceedings of the 31st Annual international conference on Theory

and Applications of Cryptographic Techniques (EUROCRYPT'12), David Pointcheval and

Thomas Johansson (Eds.). SpringerVerlag,

Berlin, Heidelberg, 392410.

1

Rifad MMM (138229C)Mumtaz MAM (138218R)

The biclique attack framework was recently introduced as a way to add more rounds to a Meet in the middle attack while potentially keeping the same time complexity.

2

Given: A block cipher

Goal: find the single unknown key

Cryptanalyst is allowed to choose plaintexts

and ask for their ciphertexts (CPA)

3

The Meet in the Middle attack attempts to find a value using both of the range (ciphertext) and domain (plaintext) of the composition of several functions.

Key guesses faster than brute force

4

International Data Encryption Standard

Designed by Lai and Massey, 91

64-bit blocks, 128-bit key

Widely implemented

5

Crypto 2011 Rump Session, Biham et al.:

MITM attacks on up to 6 (middle) rounds

Example: variant with 2 plaintext/ciphertext

pairs

– Time: about 2-123

6

A biclique is a set of internal states, which are constructed in the first or in the last rounds of a cipher and mapped to each other by specifically chosen keys.

7

The idea behind this attack is to break the block cipher key sets into set of keys, where each key in the group is tested using meet in the middle technique.

The key space is partitioned as three sets of key bits: Kb, Kf , and Kg.

8

Let f be the mapping describing the first cipher rounds, then a biclique for a group Kg is a set of states {Pi}, {Sj} such that

9

Keys in a group are tested as follows. A cryptanalyst asks for the encryption of plaintexts Pi and gets ciphertexts Ci.

Then he checks if

where g maps states Sj to ciphertexts.

A biclique is said to have dimension d, if both Kb and Kf have d bits.

10

To test the keys within a group, a variable v is calculated in both directions as depicted by the following equations. In this case the mapping function is called as chunks (g1 and g2).

11

The following figure depicts key testing with biclique of three plaintexts and three internal states.

12

A narrow biclique technique limits the length of a biclique to the number of rounds needed for the full diffusion.

Efficiently, for every key group, find internal state variables such that resulting plaintexts collide in as many bits as possible

13

14