Linear Cryptanalysis of FEAL
Folker Hoffmann
Seminar: Block cipher cryptanalysis
May 2, 2011
Overview
FEAL: Encryption with FEAL, Modification of FEAL
Linear Cryptanalysis: Idea, Linear equations in FEAL, Recovering the roundkeys
FEAL
Fast Data Encipherment Algorithm
Proposed in 1987
Goal: It should be suitable for implementation in software on smart cards
Different versions:
Number of rounds: 4, 8, N
Block size: 64, 128
FEAL-N, FEAL-NX
Here: FEAL-4
FEAL: Encryption
Feistel cipher
FEAL: Decryption
Use the keys in reverse
The round function: f
The S-box
Input: Two bytes X, Y + delta (0 or 1)
Output: One byte
S(X, Y, delta) = ROT2((X + Y + delta) mod 256)
Example (delta = 1):
00010011 + 10110011 + 1 = 11000111
ROT2(11000111) = 00011111
Key schedule
(Based on the image of the key schedule of FEAL-8 in: Shimizu & Miyaguchi: Fast Data Encipherment Algorithm FEAL, 1988)
Rearrangement of FEAL
Key affects each byte
Example: fM
Linear Cryptanalysis
Known plaintext attack
Basic idea: Find linear approximations of the cipher:
C[i1] ⊕ C[i2] ⊕ ... ⊕ C[in] ⊕ P[j1] ⊕ ... ⊕ P[jm] ⊕ K[k1] ⊕ ... ⊕ K[kt] ⊕ fM(I1, k1)[f1] = 1 (or 0)
= C[i1, i2, ..., in] ⊕ P[j1, ..., jm] ⊕ K[k1, ..., kt] ⊕ fM(I1, k1)[f1] = 1 (or = 0)
C[i1, i2, ..., in] ⊕ P[j1, ..., jm] ⊕ K[k1, ..., kt] ⊕ fM(I1, k1)[f1] = 1 (or = 0)
For fixed k:
C[i1, i2, ..., in] ⊕ P[j1, ..., jm] ⊕ fM(I1, k1)[f1] = const (0 or 1)
Linear approximation of fM
O[26,16] = I[24] ⊕ K[24]
Reminder: S0(X, Y) = ROT2((X + Y) mod 256)
Example: 101 + 011 = 1000 (the lowest bit of a sum is the XOR of the lowest bits of the inputs)
O[26] = I[24] ⊕ K[24] ⊕ O[16]
In a similar way:
O[2,8] = I[0] ⊕ K[0] ⊕ 1
O[2,8,10,16] = I[8] ⊕ K[0,8] ⊕ 1
O[10,18,26] = I[16] ⊕ K[16,24] ⊕ 1
O[16,26] = I[24] ⊕ K[24]
These equations are always true
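An added check, not part of the original slides: the fM diagram did not survive in this transcript, so the byte layout of `f_m` below is an assumption chosen to agree with the four equations, and all function names are hypothetical. It tests the equations on random inputs and confirms that output bit 16 depends only on the two middle key bytes, consistent with the 2^16 bound the slides give for recovering k1.

```python
import random

def S(x, y, delta):
    """FEAL S-box from the slide: ROT2((X + Y + delta) mod 256)."""
    s = (x + y + delta) & 0xFF
    return ((s << 2) | (s >> 6)) & 0xFF

def f_m(i, k):
    """ASSUMED byte layout of fM (the slide's diagram is not on the page)."""
    a, kb = i.to_bytes(4, "big"), k.to_bytes(4, "big")
    t1 = a[0] ^ a[1] ^ kb[1]          # a[0] holds bits 24..31
    t2 = a[2] ^ a[3] ^ kb[2]          # a[3] holds bits 0..7
    f1 = S(t1, t2, 1)
    f2 = S(t2, f1, 0)
    f0 = S(a[0] ^ kb[0], f1, 0)
    f3 = S(a[3] ^ kb[3], f2, 1)
    return int.from_bytes(bytes([f0, f1, f2, f3]), "big")

def parity(word, positions):
    """XOR of the selected bits, W[p1, p2, ...]; bit 0 is the LSB."""
    return sum((word >> p) & 1 for p in positions) & 1

# (O bits, I bits, K bits, constant) for the four equations on the slide.
EQUATIONS = [
    ((2, 8), (0,), (0,), 1), ((2, 8, 10, 16), (8,), (0, 8), 1),
    ((10, 18, 26), (16,), (16, 24), 1), ((16, 26), (24,), (24,), 0),
]

def count_failures(trials=20000, seed=1):
    """Count (equation, input, key) combinations where an equation fails."""
    rng, failures = random.Random(seed), 0
    for _ in range(trials):
        i, k = rng.getrandbits(32), rng.getrandbits(32)
        for o, ib, kb, c in EQUATIONS:
            failures += parity(f_m(i, k), o) != parity(i, ib) ^ parity(k, kb) ^ c
    return failures

def bit16_needs_only_middle_key_bytes(trials=5000, seed=2):
    """True if fM(I, K)[16] is unchanged when key bits 0-7 and 24-31 vary."""
    rng = random.Random(seed)
    for _ in range(trials):
        i, k = rng.getrandbits(32), rng.getrandbits(32)
        k2 = (k & 0x00FFFF00) | (rng.getrandbits(32) & 0xFF0000FF)
        if parity(f_m(i, k), (16,)) != parity(f_m(i, k2), (16,)):
            return False
    return True

if __name__ == "__main__":
    print(count_failures(), bit16_needs_only_middle_key_bytes())
```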
Linear approximation of FEAL
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
I2[16] = fM(PL ⊕ PR, k1)[16] ⊕ PL[16]
O2[10, 18, 26] = k2[16, 24] ⊕ 1 ⊕ fM(PL ⊕ PR, k1)[16] ⊕ PL[16]
L2[10, 18, 26] = PR[10, 18, 26] ⊕ PL[10, 18, 26] ⊕ O2[10, 18, 26]
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
L2[10, 18, 26] = PR[10, 18, 26] ⊕ PL[10, 18, 26] ⊕ k2[16, 24] ⊕ 1 ⊕ fM(PL ⊕ PR, k1)[16] ⊕ PL[16]
R3[10, 18, 26] = L2[10, 18, 26] ⊕ k6[10, 18, 26]
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
I4[16] = CR[16] ⊕ CL[16]
O4[10, 18, 26] = CR[16] ⊕ CL[16] ⊕ k4[16,24] ⊕ 1
CL[10, 18, 26] = O4[10, 18, 26] ⊕ R3[10, 18, 26]
fM(k1, PL ⊕ PR)[16] ⊕ PL[10, 16, 18, 26] ⊕ PR[10, 18, 26] ⊕ CR[16] ⊕ CL[10, 16, 18, 26]
= k2[16,24] ⊕ k6[10,18,26] ⊕ k4[16, 24]
= const (either 1 or 0 for a particular key)
Recover k1
fM(k1, PL ⊕ PR)[16]
Determine k1 such that the previous equation holds
Max: 2^16 operations. That is a feasible search.
Use the other approximations to recover the rest of k1:
O[2,8] = I[0] ⊕ K[0] ⊕ 1
O[2,8,10,16] = I[8] ⊕ K[0,8] ⊕ 1
[ O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1 ]
O[16,26] = I[24] ⊕ K[24]
Recover the other subkeys
k2, k3, k4 are recovered in the same way
k5, k6 then follow directly
Runtime of this attack
Implemented by Matsui & Yamagishi with a 25 MHz computer, 1992
2 seconds with 10 known plaintexts
350 seconds with 5 known plaintexts
Generalisation to more rounds
FEAL-8 is breakable with this method
Using 2^28 plaintexts
Runtime: 2^50 subkeys are searched.
Details: Matsui & Yamagishi, 1992, A New Method for Known Plaintext Attack of FEAL cipher
Recapitulation
FEAL-4
Modification of FEAL-4
Linear cryptanalysis
Linear equations in f
Linear equations in FEAL-4 depending on k1
Exhaustive key search
Repeat this for k2, k3, ...
Sources
Shimizu & Miyaguchi: Fast Data Encipherment Algorithm FEAL, 1988. Advances in Cryptology, EUROCRYPT '87
Matsui & Yamagishi: A New Method for Known Plaintext Attack of FEAL Cipher, 1993. Advances in Cryptology – EUROCRYPT '92
Stamp & Low: Applied Cryptanalysis: Breaking Ciphers in the Real World, 2007