Linear Cryptanalysis of FEAL

Folker Hoffmann

Seminar: Block cipher cryptanalysis

May 2, 2011

05/02/11 Linear Cryptanalysis of FEAL 2

Overview

FEAL Encryption with FEAL Modification of FEAL

Linear Cryptanalysis Idea Linear equations in FEAL Recovering the roundkeys

05/02/11 Linear Cryptanalysis of FEAL 3

FEAL

Fast Data Encipherment Algorithm Proposed in 1987 Goal: It should be suitable for implementation in

software on smart cards Different versions:

Number of rounds: 4, 8, N Block size: 64, 128

FEAL-N, FEAL-NX

Here: FEAL-4

05/02/11 Linear Cryptanalysis of FEAL 4

FEAL: Encryption

Feistel cipher

05/02/11 Linear Cryptanalysis of FEAL 5

FEAL: Decryption

Use the keys in reverse

05/02/11 Linear Cryptanalysis of FEAL 6

The round function: f

05/02/11 Linear Cryptanalysis of FEAL 7

The S-box

Input: Two bytes X, Y + delta (0 or 1) Output: One byte

Example: (delta = 1)

S(X, Y, delta) = ROT2((X + Y + delta) mod 256 )

00010011+ 10110011+ 1= 11000111 Rot2 00011111

05/02/11 Linear Cryptanalysis of FEAL 8

Key schedule

(Based on the image of the key schedule of FEAL-8 in: Shimizu & Miyaguchi: Fast Data Encipherment Algorithm FEAL, 1988)

05/02/11 Linear Cryptanalysis of FEAL 9

Rearrangement of FEAL

05/02/11 Linear Cryptanalysis of FEAL 10

Rearrangement of FEAL

Key affects each byte

05/02/11 Linear Cryptanalysis of FEAL 11

Rearrangement of FEAL

05/02/11 Linear Cryptanalysis of FEAL 12

Rearrangement of FEAL

05/02/11 Linear Cryptanalysis of FEAL 13

Rearrangement of FEAL

05/02/11 Linear Cryptanalysis of FEAL 14

Rearrangement of FEAL

05/02/11 Linear Cryptanalysis of FEAL 15

Example: fM

05/02/11 Linear Cryptanalysis of FEAL 16

Linear Cryptanalysis

Known plaintext attack Basic idea: Find linear approximations of the

cipher:

C[i1] C[i⊕

2] ... C[i⊕ ⊕

n] P[j⊕

1] ... P [j⊕ ⊕

m]

⊕ K[k1] ... K[k⊕ ⊕

t] fM(I⊕

1, k

1)[f

1] = 1 (or 0)

= C[i1,i

2, ..., i

n] P[j⊕

1, ..., j

m] K[k⊕

1, ..., k

t] ⊕

fM(I1, k

1)[f

1] = 1 (Or = 0)

05/02/11 Linear Cryptanalysis of FEAL 17

Linear Cryptanalysis

C[i1,i

2, ..., i

n] P[j⊕

1, ..., j

m] K[k⊕

1, ..., k

t] ⊕

fM(I1, k

1)[f

1] = 1 (Or = 0)

For fixed k:

C[i1,i

2, ..., i

n] P[j⊕

1, ..., j

m] fM(I⊕

1, k

1)[f

1] =

const (0 or 1)

05/02/11 Linear Cryptanalysis of FEAL 18

Linear approximation of fM

O[26,16] = I[24] K[24]⊕

Reminder: S0(X, Y) = ROT2((X + Y) mod 256 )

101+ 011 1000

Xor

O[26] = I[24] K[24] O[16]⊕ ⊕

05/02/11 Linear Cryptanalysis of FEAL 19

Linear approximation of fM

On a similar way: O[2,8] = I[0] K[0] 1⊕ ⊕ O[2,8,10,16] = I[8] K[0,8] 1⊕ ⊕ O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕ O[16,26] = I[24] K[24] ⊕

These equations are always true

05/02/11 Linear Cryptanalysis of FEAL 20

Linear approximation of FEAL

O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕

I2[16] = fM(PL PR, k⊕

1)[16] PL[16]⊕

O2[10, 18, 26] = k

2[16, 24] 1 ⊕

⊕ fM(PL PR, k⊕1)[16] PL[16]⊕

L2[10, 18, 26]

= PR[10, 18, 26] ⊕

PL[10, 18, 26] O⊕2[10, 18, 26]

05/02/11 Linear Cryptanalysis of FEAL 21

Linear approximation of FEAL

O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕

L2[10, 18, 26]

= PR[10, 18, 26] ⊕

PL[10, 18, 26] k⊕2[16, 24] 1 ⊕

⊕ fM(PL PR, k⊕1)[16] PL[16]⊕

R3 [10, 18, 26] = L

2 [10, 18, 26] ⊕

k6[10, 18, 26]

05/02/11 Linear Cryptanalysis of FEAL 22

Linear approximation of FEAL

O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕

I4[16] = CR[16] CL[16]⊕

O4[10, 18, 26] = CR[16] CL[16] ⊕ ⊕

k4[16,24] 1⊕

05/02/11 Linear Cryptanalysis of FEAL 23

Linear approximation of FEAL

CL[10, 18, 26]

= O4 [10, 18, 26] R⊕

3[10, 18, 26]

05/02/11 Linear Cryptanalysis of FEAL 24

Linear approximation of FEAL

fM(k1, PL PR⊕ )[16]

⊕ PL[10, 16, 18, 26] PR[10, 18, 26]⊕

⊕ CR[16] CL[10, 16, 18, 26]⊕

= k2[16,24] k⊕

6[10,18,26] k⊕

4[16, 24]

= const (either 1 or 0 for a particular key)

05/02/11 Linear Cryptanalysis of FEAL 25

Recover k1

fM(k1, PL PR)[16]⊕

Determine k1, such that the previous equation holds

Max: 2^16 operations. That is in a possible range.

05/02/11 Linear Cryptanalysis of FEAL 26

Recover k1

Use the other approximations to recover the

rest of k1:

O[2,8] = I[0] K[0] 1⊕ ⊕ O[2,8,10,16] = I[8] K[0,8] 1⊕ ⊕ [ O[10, 18, 26] = I[16] K[16,24] 1 ]⊕ ⊕ O[16,26] = I[24] K[24] ⊕

05/02/11 Linear Cryptanalysis of FEAL 27

Recover the other subkeys

k2, k

3, k

4 are

recovered in an equal way

k5, k

6 then follow

directly

05/02/11 Linear Cryptanalysis of FEAL 28

Runtime of this attack

Implemented by Matsui & Yamagishi with a 25 Mhz computer, 1992

2 seconds with 10 known plaintexts 350 seconds with 5 known plaintexts

05/02/11 Linear Cryptanalysis of FEAL 29

Generalisation to more rounds

FEAL-8 is breakable with this method Using 2^28 plaintexts Runtime: 2^50 subkeys are searched. Details: Matsui & Yamagishi, 1992, A New

Method for Known Plaintext Attack of FEAL cipher

05/02/11 Linear Cryptanalysis of FEAL 30

Recapitulation

FEAL-4 Modification of FEAL-4 Linear cryptanalysis

Linear equations in f

Linear equations in FEAL-4 depending on k1

Exhaustive key search

Repeat this for k2, k

3, ...

05/02/11 Linear Cryptanalysis of FEAL 31

Sources

Shimizu & Miyaguchi: Fast Data Encipherment Algorithm FEAL, 1988

Advances in Cryptology, EUROCRYPT '87 Matsui & Yamagishi: A New Method for Known

Plaintext Attack of FEAL Cipher, 1993

Advances in Cryptology – EUROCRYPT '92 Stamp & Low: Applied Cryptanalysis: Breaking

Ciphers in the Real World, 2007