Motivation Previous Work Improved Filter Conclusion
On Improving Data Complexity of Attacks on RC5
A. Biryukov, V. Velichkov
Laboratory of Algorithmics, Cryptology and Security (LACS), University of Luxembourg
Early Symmetric Crypto 2015, 12-16 January, Clervaux, Luxembourg
(LACS, University of Luxembourg) On Improving the Data of Attacks on RC5 ESC 2015 1 / 35
Outline
1 Motivation
2 Previous Work
3 Improved Filter
4 Conclusion
Block Cipher RC5−w/r/b
Block cipher proposed by Rivest at FSE 1994.
RC5−w/r/b:
  w - word size in bits
  r - number of rounds
  b - size of key in bytes
Block size: 64-bit (w = 32) or 128-bit (w = 64).
Nominal choice of parameters: RC5−32/12/16.
Feistel network with r rounds (2r half-rounds).
Round function: modular addition, XOR, bit rotation.
Notable feature: data-dependent rotations.
RC5−32/12/16
Figure (half-round structure, reconstructed from the diagram labels):
  Whitening: (L_1, R_1) = (L_0 + S_0, R_0 + S_1)
  Half-round i (i = 1 .. 24), with round key S_{i+1} and data-dependent rotation amount R_i[4:0]:
    L_{i+1} = R_i
    R_{i+1} = ((L_i ⊕ R_i) ≪ R_i[4:0]) + S_{i+1}
  Half-round 1 uses S_2, half-round 24 uses S_25; the ciphertext is (L_25, R_25).
S_i: round keys derived from the 16-byte master key.
Cryptanalytic Status and Why Do We (Still) Care
RC5 is academically broken, but the best attack requires 2^44 CP (impractical in many settings).
Still widely used due to its small memory footprint and high energy efficiency.
Preferred cipher in sensor networks (e.g. TinyOS).
Many new results on energy efficient implementations.
None on cryptanalytic improvements.
Figure: RC5 top citations, years 2000 – 2015 (chart-only slide).
Previous Work
Data complexity (number of chosen plaintexts) of existing differential attacks on RC5−32:
   r   Biryukov-Kushilevitz '98   Knudsen-Meier '96   Kaliski-Yin '95
   6   2^16                       2^24                2^32
   8   2^28                       2^38                2^40
  10   2^36                       2^46                2^51
  12   2^44                       2^54                2^63
Goal of this research
Further decrease the data requirements of the best attack.
Attack by Kaliski-Yin ’95
Single half-round characteristics used in the attack by Kaliski and Yin (e_s: XOR difference with a single active bit at position s):
  ∆    ∆IN          ∆OUT
  Ω1   (0, e_s)     (e_s, e_s)
  Ω2   (e_s, e_s)   (e_s, 0)
  Ω3   (e_s, 0)     (0, e_t)
  Ω4   (0, e_s)     (e_s, e_t)
  Ω5   (e_s, e_t)   (e_t, e_u ⊕ e_v)
Concatenate several Ωi to form a characteristic on more rounds.
3 Half-Round Iterative Characteristic: Ω2 + Ω3 + Ω1
Figure (reconstructed from the diagram labels; differences given as (∆L, ∆R) in hex):
  (80000000, 80000000)
    half-round 1: ≪ r1, + S1   [Ω2]
  (80000000, 00000000)
    half-round 2: ≪ r2, + S2   [Ω3]
  (00000000, 00100000)
    half-round 3: ≪ r3, + S3   [Ω1]
  (00100000, 00100000)
Attack by Knudsen-Meier ’96
Use the same characteristics as Kaliski-Yin + two new ideas:
1 Impose conditions on log2(w) bits of the left and right plaintext
  ⇒ zero rotation for the top two half-rounds.
2 Notice that the HW of the differences in the bottom rounds propagates as a Fibonacci sequence
  ⇒ find better last-round characteristics.
Higher probability of characteristics ⇒ lower data.
Attack by Biryukov-Kushilevitz ’98
Main observation
Pairs with zero difference in the rotation constants occur with high probability.
Partial differentials
Only the log2(w) LS bits of the differences matter and must be zero.
Thus any rotation amount is allowed, BUT both halves of the pair must have the same rotation constant.
No other restrictions are imposed on the differences.
Good Pairs, Bad Pairs and Oracles
Good Pair
A pair of plaintexts whose encryption results in equal rotation constants in all rounds.
Noise (bad pairs)
All pairs that are suspected to be good, but differ in the rotation constants in some rounds.
Space Oracle
A good pair acts as a (plaintext) space oracle for finding more good pairs.
Space Oracle: The Mushroom Analogy (figure-only slides)
Biryukov-Kushilevitz (BK) Oracle
Let (PL, PR), (PL ⊕ ∆L, PR ⊕ ∆R) be a good pair of plaintexts.
A candidate good pair (AL, AR), (AL*, AR*) is constructed as follows:
  AR ← (random ‖ PR[4:0])
  AL ← AR ⊕ (PL ⊕ PR)
  (AL*, AR*) ← (AL ⊕ ∆L, AR ⊕ ∆R)
Gains the top five half-rounds for "free".
Knudsen-Meier (KM) Oracle
Let (PL, PR), (PL ⊕ ∆L, PR ⊕ ∆R) be a good pair of plaintexts.
A candidate good pair (AL, AR), (AL*, AR*) is constructed as follows:
  AR ← (random ‖ PR[4:0])
  AL ← (random ‖ PL[4:0])
  (AL*, AR*) ← (AL ⊕ ∆L, AR ⊕ ∆R)
Gains the top two half-rounds for "free".
GoUP Filter: Detecting Good Pairs from Noise
Figure: bottom three rounds of RC5 (leftmost is last), traversed backwards from the ciphertext halves (CL, CL*), (CR, CR*): subtract the round key (S_n, S_{n-1}, ...), rotate right ≫ by the rotation constant (C_L[4:0] for the last half-round, guessed values T_{n-1}, T_{n-2}, ... before it), and track the differences ∆_n, ∆_{n-1}, ∆X_{n-1}, ∆_{n-2}, ∆X_{n-2}, ∆_{n-3} (with ∆X_{n-3} = ∆_{n-1}). The filter covers 7 rounds in total.
GoUP Filter
Note 1
The filter applies Hamming weight thresholds on the differences. The thresholds are set according to the (corrected) Fibonacci sequence.
Note 2
Rotation constants T are guessed at every round except the last.
Differential Expansion of Addition
Expanding the addition operation into the set of possible output differences with probability above p_thres:
  K_∆(x, x*) = { ∆ : DP(x, x* → ∆) = #{k : (x − k) ⊕ (x* − k) = ∆} / #k > p_thres }
Differential Expansion of Addition: Bitwise Algorithm
Algorithm 1 Differential Expansion of ADD.
Input: p_thres, x, x*. Output: D
 1: procedure expand_add_bitwise(i, x, x*) do
 2:   if (i = word_size) then
 3:     add ∆ to D
 4:     return
 5:   for j ∈ {0, 1} do
 6:     ∆[i] ← j; p_i ← DP(x[i:0], x*[i:0] → ∆[i:0])
 7:     if p_i > p_thres then
 8:       expand_add_bitwise(i + 1, x, x*)
 9: return D
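The algorithm above in Python, as an added example (not the authors' code). The per-prefix probability DP(x[i:0], x*[i:0] → ∆[i:0]) is computed exactly by counting key prefixes per borrow state of the two subtractions instead of enumerating k, which is what makes the bitwise recursion cheap for w = 32; a brute-force reference over all 2^w keys is included for small w. The use of exact Fraction arithmetic for the threshold and the constructed input values are choices made here, not taken from the slides.

```python
from fractions import Fraction


def _borrow(x_bit, k_bit, b_in):
    """Borrow out of the one-bit subtraction x_bit - k_bit - b_in."""
    return ((x_bit ^ 1) & (k_bit | b_in)) | (k_bit & b_in)


def expand_add_bitwise(x, xs, w, p_thres):
    """Return {d: DP(x, x* -> d)} for every w-bit d with
    DP = #{k : (x - k) xor (x* - k) = d} / 2^w  >  p_thres.

    Bit i of the output difference is x_i xor x*_i xor b_i xor b*_i, where
    (b_i, b*_i) are the borrows into bit i of the two subtractions, so the
    key bit k_i never changes d_i, it only decides the borrows into bit
    i+1.  The recursion therefore carries, per prefix, a count of key
    prefixes k[i:0] per borrow state.  The prefix probability is monotone
    non-increasing in i, which is what makes the pruning sound."""
    out = {}

    def rec(i, d, states):
        if i == w:
            out[d] = Fraction(sum(states.values()), 1 << w)
            return
        xi, xsi = (x >> i) & 1, (xs >> i) & 1
        for j in (0, 1):                        # try d[i] = j
            nxt = {}
            for (b, bs), cnt in states.items():
                if xi ^ xsi ^ b ^ bs != j:
                    continue                    # this state cannot emit bit j
                for k in (0, 1):
                    st = (_borrow(xi, k, b), _borrow(xsi, k, bs))
                    nxt[st] = nxt.get(st, 0) + cnt
            p_i = Fraction(sum(nxt.values()), 1 << (i + 1))
            if p_i > p_thres:
                rec(i + 1, d | (j << i), nxt)

    rec(0, 0, {(0, 0): 1})                      # no borrow before the LSB
    return out


def dp_brute_force(x, xs, w):
    """Reference: DP for every d by enumerating all 2^w keys (small w only)."""
    mask = (1 << w) - 1
    counts = {}
    for k in range(1 << w):
        d = ((x - k) ^ (xs - k)) & mask
        counts[d] = counts.get(d, 0) + 1
    return {d: Fraction(c, 1 << w) for d, c in counts.items()}


if __name__ == "__main__":
    # Constructed input: a 32-bit pair with XOR difference 0x00100000, the
    # e_20 difference that appears in the 3 half-round characteristic.
    x, xs = 0x12345678, 0x12345678 ^ 0x00100000
    found = expand_add_bitwise(x, xs, 32, Fraction(1, 16))
    for d, p in sorted(found.items(), key=lambda t: -t[1]):
        print(f"{d:08x}  {float(p):.4f}")
```

For the single-bit input difference e_20 the most likely output difference is e_20 itself with probability exactly 1/2 (the two subtractions diverge only when the key bit k_20 and the incoming borrow disagree), and the remaining mass sits on the borrow-chain differences 0x00300000, 0x00700000, ... with geometrically decreasing probability; raising p_thres cuts that tail, which is the trade-off the limitations slide describes.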
Non-linear GoUP Filter
Figure: the same bottom three rounds of RC5 (leftmost is last) as in the GoUP filter, with the differences ∆_n, ∆_{n-1}, ∆X_{n-1}, ∆_{n-2}, ∆X_{n-2}, ∆_{n-3} (∆X_{n-3} = ∆_{n-1}) now tracked through the actual modular subtraction of the round keys S_n, S_{n-1}, ... and the right rotations by C_L[4:0], T_{n-1}, T_{n-2}, ... rather than an XOR-linear model.
Full Filtration Procedure: First Pass
Algorithm 2 First Pass Filter Procedure for RC5−32/8/16.
Input: δ1, δ2, ... = 0x80000000, 0x40000000, ...  Output: Set of candidate good pairs F1.
 1: S ← structure of 2^24 CP and corresponding ciphertexts
 2: P ← set of 24 · 2^23 pairs ((P, P*), (C, C*)) : (P, C), (P*, C*) ∈ S
 3: for all pairs in P do
 4:   if TRUE = b_good ← GoUP_NL(C, C*) then
 5:     add ((P, P*), (C, C*)) to F1
 6: return F1
Full Filtration Procedure: Second Pass
Algorithm 3 Second Pass Filter Procedure for RC5−32/8/16.
Input: F1; δ1, δ2, ... = 0x80000000, 0x40000000, ...  Output: Set of candidate good pairs F2.
 1: for each (X, X*) ∈ F1 do
 2:   Apply BK oracle on (X, X*)
 3:   Si ← structure of 2^22 CP and corresponding ciphertexts
 4:   Pi ← set of 22 · 2^21 pairs ((P, P*), (C, C*)) : (P, C), (P*, C*) ∈ Si
 5:   for all pairs in Pi do
 6:     if TRUE = b_good ← GoUP_NL(C, C*) then
 7:       add ((P, P*), (C, C*)) to F2
 8: return F2
Figure: RC5−32/8/16, 1st pass filter, 50 keys. Setting: 2^24 chosen plaintexts (structures), 8 rounds, P_diff = 2^-20.4. x-axis: experiment (0 to 52); y-axis: number of pairs (0 to 60). Series: Good Pairs Total, Filtered Pairs, Good Filtered, Good Filt. Average, Bad Filt. Average.
Figure: RC5−32/8/16, 2nd pass filter, 50 keys. Setting: 2^22 chosen plaintexts (BK oracle + structures), 8 rounds, P_diff = 2^-20.4. Same axes. Series: Good Pairs Total (2nd pass), Filtered Pairs (2nd pass), Good Filtered (2nd pass), Good Filt. Average (2nd pass), Bad Filt. Average (2nd pass).
Towards a New Oracle
Observation
Partial differential trails favour very small or very big rotation constants r, e.g.:
  w = 32 : (r ≥ 26) ∨ (r ≤ 2);   w = 64 : (r ≥ 56) ∨ (r ≤ 4)
Conjecture
If (PL, PR) is such that (r1, r2, r3, r4 ≥ 56) ∨ (r1, r2, r3, r4 ≤ 4), where
  r1 = (PR + S1) mod 2^w
  r2 = A = ((((PL + S0) ⊕ (PR + S1)) ≪ r1) + S2) mod 2^w
  r3 = B = ((((PR + S1) ⊕ A) ≪ r2) + S3) mod 2^w
  r4 = C = (((A ⊕ B) ≪ r3) + S4) mod 2^w
then the pair built on (PL, PR) is a good pair with high probability.
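The good-pair definition, the BK and KM space oracles and the four-rotation condition of the conjecture above, in one added Python example (not the authors' code). It contains a reference RC5-32/r/16 (Rivest's algorithm, checked against the published test vectors) instrumented to return the 2r data-dependent rotation amounts, since all three definitions are stated on those amounts. Assumptions made here: the conjecture's r1..r4 are read as the 5-bit rotation amounts the cipher actually uses (the slide writes them mod 2^w), the w = 32 bounds 2 and 26 from the observation are the defaults, and the demo's key, seed, difference (e31, e31) and trial counts are constructed for illustration.

```python
"""RC5-32/r/16 with a rotation-amount trace, the good-pair test, the BK and
KM space oracles and the four-rotation condition of the new-oracle
conjecture.  Added example: only the cipher itself is Rivest's RC5."""
import random

W = 32                              # word size: RC5-32 has 64-bit blocks
MASK = (1 << W) - 1
LOW = W - 1                         # mask for the log2(w) = 5 rotation bits R[4:0]
HIGH = MASK ^ LOW                   # the 27 bits the oracles randomise
P32, Q32 = 0xB7E15163, 0x9E3779B9   # RC5 key-schedule constants for w = 32

def rotl(x, n):
    n &= LOW
    return ((x << n) | (x >> (W - n))) & MASK

def key_schedule(key, r):
    """Rivest's RC5 key expansion: b-byte master key -> S[0 .. 2r+1]."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):       # little-endian key words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (r + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt_trace(S, r, PL, PR):
    """Half-round form of the slides: (L1, R1) = (PL + S0, PR + S1), then
    L_{i+1} = R_i and R_{i+1} = ((L_i ^ R_i) <<< R_i[4:0]) + S_{i+1}.
    Returns the ciphertext and the list of the 2r rotation amounts R_i[4:0]."""
    L, R = (PL + S[0]) & MASK, (PR + S[1]) & MASK
    rots = []
    for i in range(1, 2 * r + 1):
        rot = R & LOW
        rots.append(rot)
        L, R = R, (rotl(L ^ R, rot) + S[i + 1]) & MASK
    return (L, R), rots

def is_good_pair(S, r, p, p_star):
    """Good pair: equal rotation constants in every half-round."""
    return encrypt_trace(S, r, *p)[1] == encrypt_trace(S, r, *p_star)[1]

def bk_oracle(p, delta, rng):
    """BK oracle: keep P_R[4:0] and the relation P_L ^ P_R of the known
    good pair, randomise the other bits, re-apply the difference."""
    PL, PR = p
    AR = (rng.getrandbits(W) & HIGH) | (PR & LOW)
    AL = AR ^ (PL ^ PR)
    return (AL, AR), (AL ^ delta[0], AR ^ delta[1])

def km_oracle(p, delta, rng):
    """KM oracle: keep only the five low bits of both halves."""
    PL, PR = p
    AR = (rng.getrandbits(W) & HIGH) | (PR & LOW)
    AL = (rng.getrandbits(W) & HIGH) | (PL & LOW)
    return (AL, AR), (AL ^ delta[0], AR ^ delta[1])

def random_pair(p, delta, rng):
    """No oracle: a fresh random plaintext with the same difference."""
    AL, AR = rng.getrandbits(W), rng.getrandbits(W)
    return (AL, AR), (AL ^ delta[0], AR ^ delta[1])

def extreme_rotations(S, PL, PR, lo=2, hi=26):
    """New-oracle condition read on the rotation amounts r1..r4 (assumption:
    the 5-bit amounts, not full words): all <= lo or all >= hi, with the
    slide's w = 32 bounds as defaults."""
    rots = encrypt_trace(S, 2, PL, PR)[1]       # exactly four half-rounds
    return all(t <= lo for t in rots) or all(t >= hi for t in rots)

def find_good_pair(S, r, delta, rng, limit=1 << 16):
    """Brute-force search for one good pair with XOR difference delta."""
    for _ in range(limit):
        p, p_star = random_pair(None, delta, rng)
        if is_good_pair(S, r, p, p_star):
            return p, p_star
    return None

def hit_rate(S, r, good, delta, oracle, rng, trials=1000):
    """Fraction of the candidates produced by `oracle` that are good pairs."""
    return sum(is_good_pair(S, r, *oracle(good, delta, rng))
               for _ in range(trials)) / trials

def demo(seed=2015, r=4):
    """Seeded experiment on constructed data: random key, one good pair found
    by search, then the hit rate of BK, KM and plain random candidates."""
    rng = random.Random(seed)
    S = key_schedule(bytes(rng.getrandbits(8) for _ in range(16)), r)
    delta = (0x80000000, 0x80000000)    # (e31, e31): start of the iterative characteristic
    good, _ = find_good_pair(S, r, delta, rng)
    return {name: hit_rate(S, r, good, delta, fn, rng)
            for name, fn in (("BK", bk_oracle), ("KM", km_oracle), ("random", random_pair))}

if __name__ == "__main__":
    print(demo())
```

`demo()` prints the empirical hit rates for the two oracles next to plain random pairs, so the gain each oracle claims can be compared directly for a given key; `extreme_rotations` is the filter one would put in front of `random_pair` to test the conjecture on a candidate plaintext before spending an encryption pair on it.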
Towards a New Oracle: Experimental Verification
Figure: New Space Oracle, 26 keys. x-axis: key (0 to 26); y-axis: number of good pairs (log scale, 1 to 4096). Series: Oracle, No Oracle.
Results
Number of chosen plaintexts for differential attacks on RC5−32/R/16.
  #R   GF / BF (S / N)   Our Results    Biryukov-Kushilevitz '98   Knudsen-Meier '96   Kaliski-Yin '95
   6   7 / 0             2^15.58        2^16                       2^24                2^32
   8   15 / 2            2^25.32        2^28                       2^38                2^40
  10   10 / 10           2^34.65        2^36                       2^46                2^51
  12   -                 2^42.65 (*)    2^44                       2^54                2^63
(*) = estimation. GF / BF: good filtered / bad filtered pairs in the experiments (S / N).
Summary of Contributions
Contribution
Improved filtration procedure for differential attacks on RC5.
Analyzes the original cipher (as opposed to an XOR-linear model).
Based on the idea of differential expansion of addition.
Limitations and Future Work
Limitations
The complexity of the improved filter is exponential in the probability thresholds.
Lower thresholds ⇒ more output differences ⇒ more options for a pair to pass the filter ⇒ more noise.
Future Work
Improve the efficiency of GoUP_NL, e.g. don't guess all rotation constants.
Research on better oracles.
Apply the technique to RC5-64.
Questions?
Thank you for your attention!
First Pass Filter
Algorithm 4 Full Filter Procedure for RC5−32/8/16.
Input: δ1, δ2, δ3, ... = 0x80000000, 0x40000000, ...  Output: List of candidate good pairs ((P, P*), (C, C*)).
 1: AL ← rand; AR ← rand; AL ← {AL, AL ⊕ δ1, AL ⊕ δ1 ⊕ δ2, ...}; AR ← {AR, AR ⊕ δ1, AR ⊕ δ1 ⊕ δ2, ...}
 2: A1 ← {AL, AR} = structure of 2^24 chosen plaintexts
 3: S1 ← {(P, C) : P ∈ A1, C = ENCRYPT(P)} = set of 2^24 plaintext, ciphertext pairs
 4: from S1 construct P1 = set of 24 · 2^23 pairs ((P, P*), (C, C*)) : (P, C) ∈ S1, (P*, C*) ∈ S1
 5: for all pairs in P1 do
 6:   if TRUE = b_good ← GoUP_NL(C, C*) then
 7:     add ((P, P*), (C, C*)) to F1
 8: return F1
Second Pass Filter
Algorithm 5 Full Filter Procedure for RC5−32/8/16.
Input: F1, δ1, δ2, ... = 0x80000000, 0x40000000, ...  Output: List of candidate good pairs ((P, P*), (C, C*)).
 1: for each (P, P*) ∈ F1 do
 2:   fix rLSB ← PR[4:0] and ∆LR ← PL ⊕ PR
 3:   AR[31:5] ← rand; AR[4:0] ← rLSB; AR ← (AR[31:5] ‖ AR[4:0]); AL ← AR ⊕ ∆LR
 4:   AL ← {AL, AL ⊕ δ1, AL ⊕ δ1 ⊕ δ2, ...}; AR ← {AR, AR ⊕ δ1, AR ⊕ δ1 ⊕ δ2, ...}
 5:   Ai ← {AL, AR} = structure of 2^22 chosen plaintexts; Si ...
 6:   from Si construct Pi = set of 22 · 2^21 pairs ((P, P*), (C, C*)) : (P, C) ∈ Si, (P*, C*) ∈ Si
 7:   for all pairs in Pi do
 8:     if TRUE = b_good ← GoUP_NL(C, C*) then
 9:       add ((P, P*), (C, C*)) to F2
10: return F2