new observations on piccolo block cipher - rsa … · session id: cryp‐f01 new observations on...
TRANSCRIPT
SESSION ID: CRYP‐F01
New Observations On Piccolo Block Cipher
Yanfeng Wang
pYanfeng Wang and Wenling Wu
Ph.D Candidate,TCA, Institute of Software,
#RSAC
TCA, Institute of Software, Chinese Academy of [email protected]
#RSAC
Outline
Introduction
Description of Piccolo
Linear‐Reflection Weak Keys of Piccolo
New Observations on Piccolo‐128
C l iConclusion
#RSAC
Outline
Introduction
Description of Piccolo
Linear‐Reflection Weak Keys of Piccolo
New Observations on Piccolo‐128
C l iConclusion
#RSAC
Introduction
New lightweight block ciphers with very simple key‐schedules or even without key‐schedule have been proposedeven without key schedule, have been proposed.
Avoiding MITM(Meet‐in‐the‐Middle) attacks, related‐key differential attack and key bits leakage are three main goals indifferential attack and key bits leakage are three main goals in the design of key schedules.
However the choice of round constants makes no influence onHowever, the choice of round constants makes no influence on the security of block ciphers against the above three attacks.
4
#RSAC
Introduction
Related attacks: slide cryptanalysis, probabilistic slide cryptanalysis(FSE 2014) and invariant subspace attack(CRYPTOcryptanalysis(FSE 2014) and invariant subspace attack(CRYPTO 2011).
All attacks can be prevented by a careful choice of roundAll attacks can be prevented by a careful choice of round constants.
In this paper we take the Piccolo block cipher as a target cipherIn this paper, we take the Piccolo block cipher as a target cipher to reveal some new design principles on round constants.
5
#RSAC
Outline
Introduction
Description of Piccolo
Linear‐Reflection Weak Keys of Piccolo
New Observations on Piccolo‐128
C l iConclusion
#RSAC
Description of Piccolo
A lightweight block cipher proposed in CHES 2011 by SONY.Structure : GFNStructure : GFN
Block size : 64‐bit
Key length 80 /128 bitKey length : 80‐/128‐bit
Number of rounds: 25/31
Encryption Algorithm
Key Schedule Algorithm
7
#RSAC
Encryption Algorithm(64)P
0wk 1wkF 0rk 1rk
k
0wk 1F S
S
SM
S
S
S1 6
4 1 64
4
4
4
4
:F
2rk 3rk
F F S S 44
2 2rrk 2 1rrk
2wk 3wk F F
2 7 4 1 6 3 0 5
0 1 2 3 4 5 6 7
:RP
8(64)C
#RSAC
Outline
Introduction
Description of Piccolo
Linear‐Reflection Weak Keys of Piccolo
New Observations on Piccolo‐128
C l iConclusion
#RSAC
Linear‐Reflection Weak Keys of Piccolo
0P 1P 2P 3P0X
4 4 32X X 0C 1C2C 3C
kP C 32 kC P
0rk 1rk 0rk 1rk0
X
4 4 32X X
3 3 32X X
2rk 3rk 2rk 3rk1X
2X2 2X X
4rk 5rk 4rk 5rk2
3X1 1 32X X
14
6rk 7rk 6rk 7rk
0P 1P 2P 3P0C 1C 2C 3C
3
4X 0 0X X
#RSAC
Linear‐Reflection Weak Keys of Piccolo
0 6rk rkk k
1 7
2 5
rk rkrk rk
kP C3 4
4 2
rk rkrk rk
32 k
P CC P
5 3
6 1
rk rkrk rk
15
7 0rk rk
#RSAC
Linear‐Reflection Weak Keys of Piccolo
0P 1P 2P 3P0X 4X 0C 1C 2C 3C
kP C 3 2 kC P
F 0rk 1rk
2rk 3rk
F
F F
F 0rk 1rk
2rk 3rk
F
F F
1X3X
2 3
4rk 5rkF F
2 3
4rk 5rk F F2X
2X
X
6rk 7rkF F 6rk 7rk F F
P P P P C C C C
3X
4X
1X
0X
16
0P 1P 2P 3P 0C 1C 2C 3C
#RSAC
Linear‐Reflection Weak Keys of Piccolo
0 6rk rkk k
1 7
2 5 2 5
rk rkrk rk rk rk
3 4 3 4
4 2 4 2
rk rk rk rkrk rk rk rk
5 3 5 3
6 1
rk rk rk rkrk rk
17
7 0rk rk
#RSAC
Weak Keys of Piccolo‐80
0 1 0 26230 022
k k xk k x a
1 0
2 4
3 4
0 0220 3800 1 07
k k x ak k x ek k x c
3 4
4 3
4 2
0 0 290 2 20
k k x ek k x a
19
0 0
1 1
0 3800 1 07
k k x ek k x c
#RSAC
Weak Keys of Piccolo‐80
0 1 2 3 0 1 2 3
0 1 2 3 0 1 2 3
( , , , ) ( , , , )
( , , , ) ( , , , )
k
k
P P P P C C C C
P P P P C C C C
( , 0 3 24, 0 380 , 0 1 07, )( 0 380 0 2623 0 2 20 0 0 29 )
k x x x a y x e y x c zk
0 1 2 3 0 1 2 3( ) ( )
2 3 3 2 0 1 2 3, 0 353 0 071 , , 0 3 12 0 293P C C k x a k x c C C k x f k x d
( 0 380 , 0 2623, 0 2 20, 0 0 29, )k x x e x x z x a z x e y
2 3 0 1
0 1 2 2 2 3 3 3
( , 0 0401, , 0 2008),, 0 071 0 3 12, , 0 293 0 353
C C y z x C C y z xC P P k x c k x f P P k x d k x a
20
0 1 2 3( , 0 2 20, , 0 0 29).P P y z x a P P y z x e
#RSAC
Weak Keys of Piccolo‐128
0 8 1k k xf c 0 8 5k k xe c 4 5
5 4
0 8 10 80 5816
k k xf ck k x cdck k x
0 7
3 6
4 2
0 8 50 00 1806
k k xe ck k xfcck k x
6 6
7 1
2 5
0 58160 2 00 0 3
k k xk k x c bk k xf c
4 2
5 1
6 7
0 18060 0 030 80
k k xk k x ck k x df
2 5
1 4
6 0
0 0 30 4 60 1806
k k xf ck k xe ck k x
6 7
1 6
4 4
0 4 20 5816
fk k xf ck k x
21
6 0
7 3 0 0 03k k x c 4 4
5 5 0 2 0k k x c b
#RSAC
Weak Keys of Piccolo‐128
( 0 781 , 0 0, 0 0802, 0 4 2,, 0 4 , 0 1004, 0 4 2)
k x x e x xbcd x x x xb dx x xd ca x x x xf c
, 0 4 , 0 1004, 0 4 2)
( 0 0802, 0 8 9, 0 1806, 0 8 1, 0 5816, 0 8 1, 0 4812, 0 90 )
x x xd ca x x x xf ck x x x xd c x x x xf c
x x x xf c x x x x db
, , , )f
2 3 7 2 0 1 2 3, 0 8181 0 6 45, , 0 3553 0 8P C C k x k x d C C k x k xad a
2 3 0 1
0 1 2 2 2 3 3 7
( , , , 0 681 ),, 0 6 45 0 3553, , 0 8 0 8181
C C C C x aC P P k x d k x P P k xad a k x
22
0 1 2 3( , 0 4812, , 0 0802).P P x P P x
#RSAC
Outline
Introduction
Description of Piccolo
Linear‐Reflection Weak Keys of Piccolo
New Observations on Piccolo‐128
C l iConclusion
#RSAC
New Observations on Piccolo‐128
128bit master key is noted by (even,odd)(k k k k )even(k0,k2,k4,k6)even
(k1,k3,k5,k7)odd
Similarity between different keysFor a fixed (even,odd), there exist 31 different keys such that the
d k f 30 d l t th t d ( dd)round keys for 30 rounds are equal to that under (even,odd).
25
#RSAC
New Observations on Piccolo‐128
P P P P P P P P0P 1P 2P 3P
0wk 1wk0P 1P 2P
3P
0wk 1wk0X 0X
k k
RP
rk rk
RP30X 30X
28
60rk 61rk
0C 1C 2C 3C
2wk 3wk 60rk 61rk
0C 1C 2C 3C
2wk 3wk
#RSAC
New Observations on Piccolo‐128
0 0 1( ( || ), ( ( || )) 0 9 79,
( || ) ( ( || )) 0 594)
L R L R
L R L R
P RP C e o F C e o C e x d
C o e F C o e C o xd
2 2 3( || ), ( ( || )) 0 594)
( || ,0, || ,0),L R L R
C o e F C o e C o xd
e o o e
* * *0 0 1
* * *
( ( || ), ( ( || )) 0 9 79,
( || ) ( ( || ))
L R L R
L R L R
C P e o F P e o P e x d
P o e F P o e P o
0 594)xd2 2 3( || ), ( ( || ))P o e F P o e P o
*
0 594),
(( ) ( || 0 || 0))L R L R
xd
where P RP P P P P e o o e
29
0 1 2 3 (( , , , ) ( || ,0, || ,0)).where P RP P P P P e o o e
#RSAC
New Observations on Piccolo‐128
Security of hash function based on full‐round Piccolo‐128 is insufficientinsufficient.
30
#RSAC
New Observations on Piccolo‐128
DM mode:
- 11 -Let , and be the input message , the input chaining value, and the output; the new chaining value is computed as:
i i i
i
M H HH
1 1 1 ( ) .ii M i iH E H H
k
k
k
31
#RSAC
Outline
Introduction
Description of Piccolo
Linear‐Reflection Weak Keys of Piccolo
New Observations on Piccolo‐128
C l iConclusion
#RSAC
Conclusion
Evaluate the security of Piccolo block cipher from the known and chosen key respective.and chosen key respective.
Define linear‐reflection weak keys.F k k k fi d th l t d k k k′ hFor one weak key k, we can find another related weak key k′ such that the cipher with k′ can be completely determined by thecipher under k.
7‐round Piccolo‐80 (Observation 2)
10‐round Piccolo‐128 (Observation 3)
33
#RSAC
Conclusion
Summarize some interesting characteristics of key schedule algorithm for Piccolo‐128.algorithm for Piccolo 128.
RP should not be allowed to be self‐inverse (Observation 4)
Security of hash function based on full‐round Piccolo‐128 isSecurity of hash function based on full round Piccolo 128 is insufficient (Observation 5)
We expect that the results of our paper may guide the design ofWe expect that the results of our paper may guide the design of round constants for some simple key schedules.
34