a practical-time related-key boomerang attack on mmb · a practical-time related-key boomerang...

A Practical-Time Related-Key BoomerangAttack on MMB

Tomer Ashur Orr Dunkelman

29/10/2013

A Practical-Time Related-Key Boomerang Attack on MMB

Overview

1. Quick description of the MMB block cipher.


Overview


2. Short Explanation about cryptanalytic techniques used inthis paper.


Overview



3. A related-key boomerang attack that recovers 62 key bitsfor MMB.


Overview




4. Using the previously recovered 62 bits to recover another31 bits of the key.


Overview





5. Recovering the last bits.


Overview






6. Results of experimental verification.


Overview






6. Results of experimental verification.

7. Possible extenstions of the attack.


The Modular Multiplication Block (MMB) Cipher

◮ Invented in 1997, by Joan Daemen as an improvment forthe IDEA cipher.




◮ Block and key size of 128-bit.





◮ Six rounds, 4 operations:






◮ σ - key injection (xi ⊕ kj

i ).







i ).◮ γ - modular multiplication ((xi ∗Gi) mod (232 − 1)).







i ).◮ γ - modular multiplication ((xi ∗Gi) mod (232 − 1)).◮ η - data-dependent operation ((xi mod 2) ? (δ ⊕ xi) : xi).







i ).◮ γ - modular multiplication ((xi ∗Gi) mod (232 − 1)).◮ η - data-dependent operation ((xi mod 2) ? (δ ⊕ xi) : xi).◮ θ - matrix multiplication (xi−1 ⊕ xi ⊕ xi+1).


MMB’s Round Function

G0 G1 G2 G3

kj0 k

j1 k

j2 k

j3

xj0 x

j1 x

j2 x

j3

⊕ ⊕ ⊕ ⊕

⊗ ⊗ ⊗ ⊗

⊕ ⊕LSB(x0) · δ LSB(x3) · δ

Θ

γ

σ

η

xj+10 x

j+11 x

j+12 x

j+13


Differential Cryptanalysis and its Variants

◮ Differential cryptanalysis[BS91]




◮ Related-key differential cryptanalysis[KSW96]





◮ Boomerang attack[W99]





◮ Boomerang attack[W99]

◮ Related-key boomerang attack[K+04,K+05,BDK05]


Previous Work

◮ 2-round differential with probability 1 [WNS09]:

(0, 0̄, 0̄, 0)σ[k0]−−−→ (0, 0̄, 0̄, 0)

γ−→ (0, 0̄, 0̄, 0)

η−→ (0, 0̄, 0̄, 0)

θ−→ (0̄, 0, 0, 0̄)

σ[k1]−−−→ (0̄, 0, 0, 0̄)

γ−→ (0̄, 0, 0, 0̄)

η−→ (δ̄, 0, 0, δ̄)

θ−→ (0, δ̄, δ̄, 0)


Previous Work


(0, 0̄, 0̄, 0)σ[k0]−−−→ (0, 0̄, 0̄, 0)

γ−→ (0, 0̄, 0̄, 0)

η−→ (0, 0̄, 0̄, 0)

θ−→ (0̄, 0, 0, 0̄)

σ[k1]−−−→ (0̄, 0, 0, 0̄)

γ−→ (0̄, 0, 0, 0̄)

η−→ (δ̄, 0, 0, δ̄)

θ−→ (0, δ̄, δ̄, 0)

◮ 5-round distinguisher with probability 2−110 [WNS09].

◮ Full key recovery with time complexity of 2118 [WNS09].


Previous Work


(0, 0̄, 0̄, 0)σ[k0]−−−→ (0, 0̄, 0̄, 0)

γ−→ (0, 0̄, 0̄, 0)

η−→ (0, 0̄, 0̄, 0)

θ−→ (0̄, 0, 0, 0̄)

σ[k1]−−−→ (0̄, 0, 0, 0̄)

γ−→ (0̄, 0, 0, 0̄)

η−→ (δ̄, 0, 0, δ̄)

θ−→ (0, δ̄, δ̄, 0)

◮ 5-round distinguisher with probability 2−110 [WNS09].

◮ Full key recovery with time complexity of 2118 [WNS09].

◮ 5-round sandwich distinguisher with probability 1 [J+11].

◮ Full key recovery with time complexity of 240 [J+11].


Description of the Differential Characteristics

3-round related-keydifferentialcharacteristic withprobability 1:△ =

(0, 0, 0̄, 0̄)(0,0,0̄,0̄)−−−−−→

(δ, 0̄, δ, δ̄) = △∗.Full Description

One additionalround can beprepended:(X, 0̄, 0, 0̄) → △

4-round related-keydifferentialcharacteristic withprobability 1:▽∗ =

(0, 0, 0̄, 0)(0,0,0̄,0)−−−−−→

(δ̄, δ̄, 0, δ̄) = ▽Full Description

One additionalround can beprepended:(0, 0̄, 0̄, Y ) → ▽∗

2-round related-keydifferentialcharacteristic withprobability 1:τ =

(0, 0, 0, 0̄)(0,0,0,0̄)−−−−−→

(0, 0̄, 0̄, 0̄) = τ∗

Full Description


Description of B0

P1 P2(X, 0̄, 0, 0̄)


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R

i1 i2

3R

(δ, 0̄, δ, δ̄)


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R

i1 i2

3R

(δ, 0̄, δ, δ̄)

C1 C2

2R


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R

i1 i2

3R

(δ, 0̄, δ, δ̄)

C1 C2

2R

C3 C4

(0,0, 0̄

, 0̄)


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R

i1 i2

3R

(δ, 0̄, δ, δ̄)

C1 C2

2R

C3 C4

(0,0, 0̄

, 0̄)

i3 i4

2R


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R

i1 i2

3R

(δ, 0̄, δ, δ̄)

C1 C2

2R

C3 C4

(0,0, 0̄

, 0̄)

i3 i4

2R(0,

0, 0, 0̄)

(δ, 0̄, δ, δ̄)


Description of B0

P1 P2(X, 0̄, 0, 0̄)

1R

i1 i2

3R

(δ, 0̄, δ, δ̄)

C1 C2

2R

C3 C4

(0,0, 0̄

, 0̄)

i3 i4

2R(0,

0, 0, 0̄)

(δ, 0̄, δ, δ̄)

P3 P4

4R


Identifying right pairs

◮ Store all decrypted data in a hash-table




◮ Right pairs can be identified by their collision in theappropriate 96 bits.




◮ Right pairs can be identified by their collision in theappropriate 96 bits.

◮ It is expected that 4 right pairs will be identified.


Key Recovery

◮ To recover k0 and k3 we iterate over all possible values forthat key word.


Key Recovery


◮ It is enough to iterate over half of the space.


Key Recovery



◮ Using a right pair, calculate ωi = (xi ⊕ ki)⊗Gi fori ∈ {1, 3}. if ωi = δ̄ suggest ki and k̄i as possible keys.


Key Recovery



◮ Using a right pair, calculate ωi = (xi ⊕ ki)⊗Gi fori ∈ {1, 3}. if ωi = δ̄ suggest ki and k̄i as possible keys.

◮ Verify using another right pair.


Recovering More Key Bits

◮ Note that ▽∗ → ▽ can be extended to cover 5 rounds ofMMB with probability 1, i.e., all right pairs with regards toB1 are follow this path.




◮ Let (p1, p2) be a right pair with respect to ▽∗ → ▽, and let(c1, c2) be their respective ciphertexts.





◮ Due to the differential characteristic, the values entering γ

in the fifth round are known to be (δ̄, δ̄, 0, δ̄).





◮ Due to the differential characteristic, the values entering γ

in the fifth round are known to be (δ̄, δ̄, 0, δ̄).

◮ By using the two known key words, and iterating the valueof k62 we can reverse the last encryption round. The rightkey word (and its inverse) will lead to δ̄ in the second word.


Finding the last key word

◮ The last key word can be found by trying all possible keyvalues for it, checking if some plaintext indeed leads to itsciphertext.


Finding the last key word

◮ The last key word can be found by trying all possible keyvalues for it, checking if some plaintext indeed leads to itsciphertext.

◮ To distinguish the real key from its negation, this phasemust try all possible assignments.


Complexity

◮ Time: 2 · (4 · 217 + 16 · 231) + 1

6 · 231 + 8 · 232 = 235


Complexity

◮ Time: 2 · (4 · 217 + 16 · 231) + 1

6 · 231 + 8 · 232 = 235

◮ Memory (bytes): 4 · 4 · 217 + 4 · 217 = 221.3


Complexity

◮ Time: 2 · (4 · 217 + 16 · 231) + 1

6 · 231 + 8 · 232 = 235

◮ Memory (bytes): 4 · 4 · 217 + 4 · 217 = 221.3

◮ Data: 2 · 2 · 2 · 217 = 220


Complexity

◮ Time: 2 · (4 · 217 + 16 · 231) + 1

6 · 231 + 8 · 232 = 235

◮ Memory (bytes): 4 · 4 · 217 + 4 · 217 = 221.3

◮ Data: 2 · 2 · 2 · 217 = 220

◮ Related-keys: 4


Experimental Verification

◮ All attacks has been verified using a hybrid C and Pythoncode.

◮ The attack has a success rate of 98%.

◮ It takes less than 15 minutes on average to recover the fullkey of MMB.


Improvements

◮ Recovering 62 key bits for variants of MMB with 7 and 8rounds.


Improvements


◮ Recovering 31 key bits for a variant of MMB with 9 rounds.


Improvements


◮ Recovering 31 key bits for a variant of MMB with 9 rounds.

◮ Time memory trade-off.


Thank you for your time. Questions?


Full Description of △ → △∗

△ =

(0, 0, 0̄, 0̄)σ[k1]

−−−−−→(0,0,0̄,0̄)

(0, 0, 0, 0)γ−→ (0, 0, 0, 0)

η−→ (0, 0, 0, 0)

θ−→ (0, 0, 0, 0)

σ[k2]−−−−−→(0,0̄,0̄,0)

(0, 0̄, 0̄, 0)γ−→ (0, 0̄, 0̄, 0)

η−→ (0, 0̄, 0̄, 0)

θ−→ (0̄, 0, 0, 0̄)

σ[k3]−−−−−→(0̄,0̄,0,0)

(0, 0̄, 0, 0̄)γ−→ (0, 0̄, 0, 0̄)

η−→ (0, 0̄, 0, δ̄)

θ−→ (δ, 0̄, δ, δ̄) = △∗

Back


Full Description of ▽∗ → ▽

▽ =

(0, 0, 0̄, 0)σ[k1]

−−−−−→(0,0,0̄,0)

(0, 0, 0, 0)γ−→ (0, 0, 0, 0)

η−→ (0, 0, 0, 0)

θ−→ (0, 0, 0, 0)

σ[k2]−−−−−→(0,0̄,0,0)

(0, 0̄, 0, 0)γ−→ (0, 0̄, 0, 0)

η−→ (0, 0̄, 0, 0)

θ−→ (0̄, 0̄, 0̄, 0)

σ[k3]−−−−−→(0̄,0,0,0)

(0, 0̄, 0̄, 0)γ−→ (0, 0̄, 0̄, 0)

η−→ (0, 0̄, 0̄, 0)

θ−→ (0̄, 0, 0, 0̄)

σ[k4]−−−−−→(0,0,0,0̄)

(0̄, 0, 0, 0)γ−→ (0̄, 0, 0, 0)

η−→ (δ̄, 0, 0, 0)

θ−→ (δ̄, δ̄, 0, δ̄)

Back


Full Description of τ → τ ∗

τ =

(0, 0, 0, 0̄)σ[k4]

−−−−−→(0,0,0,0̄)

(0, 0, 0, 0)γ−→ (0, 0, 0, 0)

η−→ (0, 0, 0, 0)

θ−→ (0, 0, 0, 0)

σ[k5]−−−−−→(0,0,0̄,0)

γ−→ (0, 0, 0̄, 0)

η−→ (0, 0, 0̄, 0)

θ−→ (0, 0̄, 0̄, 0̄) = τ∗

Back

a practical-time related-key boomerang attack on mmb · a practical-time related-key boomerang...

Documents