Upload
doanliem
View
228
Download
2
Embed Size (px)
Citation preview
Linear Cryptanalysis of FEAL
Folker Hoffmann
Seminar: Block cipher cryptanalysis
May 2, 2011
05/02/11 Linear Cryptanalysis of FEAL 2
Overview
FEAL Encryption with FEAL Modification of FEAL
Linear Cryptanalysis Idea Linear equations in FEAL Recovering the roundkeys
05/02/11 Linear Cryptanalysis of FEAL 3
FEAL
Fast Data Encipherment Algorithm Proposed in 1987 Goal: It should be suitable for implementation in
software on smart cards Different versions:
Number of rounds: 4, 8, N Block size: 64, 128
FEAL-N, FEAL-NX
Here: FEAL-4
05/02/11 Linear Cryptanalysis of FEAL 4
FEAL: Encryption
Feistel cipher
05/02/11 Linear Cryptanalysis of FEAL 5
FEAL: Decryption
Use the keys in reverse
05/02/11 Linear Cryptanalysis of FEAL 6
The round function: f
05/02/11 Linear Cryptanalysis of FEAL 7
The S-box
Input: Two bytes X, Y + delta (0 or 1) Output: One byte
Example: (delta = 1)
S(X, Y, delta) = ROT2((X + Y + delta) mod 256 )
00010011+ 10110011+ 1= 11000111 Rot2 00011111
05/02/11 Linear Cryptanalysis of FEAL 8
Key schedule
(Based on the image of the key schedule of FEAL-8 in: Shimizu & Miyaguchi: Fast Data Encipherment Algorithm FEAL, 1988)
05/02/11 Linear Cryptanalysis of FEAL 9
Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 10
Rearrangement of FEAL
Key affects each byte
05/02/11 Linear Cryptanalysis of FEAL 11
Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 12
Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 13
Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 14
Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 15
Example: fM
05/02/11 Linear Cryptanalysis of FEAL 16
Linear Cryptanalysis
Known plaintext attack Basic idea: Find linear approximations of the
cipher:
C[i1] C[i⊕
2] ... C[i⊕ ⊕
n] P[j⊕
1] ... P [j⊕ ⊕
m]
⊕ K[k1] ... K[k⊕ ⊕
t] fM(I⊕
1, k
1)[f
1] = 1 (or 0)
= C[i1,i
2, ..., i
n] P[j⊕
1, ..., j
m] K[k⊕
1, ..., k
t] ⊕
fM(I1, k
1)[f
1] = 1 (Or = 0)
05/02/11 Linear Cryptanalysis of FEAL 17
Linear Cryptanalysis
C[i1,i
2, ..., i
n] P[j⊕
1, ..., j
m] K[k⊕
1, ..., k
t] ⊕
fM(I1, k
1)[f
1] = 1 (Or = 0)
For fixed k:
C[i1,i
2, ..., i
n] P[j⊕
1, ..., j
m] fM(I⊕
1, k
1)[f
1] =
const (0 or 1)
05/02/11 Linear Cryptanalysis of FEAL 18
Linear approximation of fM
O[26,16] = I[24] K[24]⊕
Reminder: S0(X, Y) = ROT2((X + Y) mod 256 )
101+ 011 1000
Xor
O[26] = I[24] K[24] O[16]⊕ ⊕
05/02/11 Linear Cryptanalysis of FEAL 19
Linear approximation of fM
On a similar way: O[2,8] = I[0] K[0] 1⊕ ⊕ O[2,8,10,16] = I[8] K[0,8] 1⊕ ⊕ O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕ O[16,26] = I[24] K[24] ⊕
These equations are always true
05/02/11 Linear Cryptanalysis of FEAL 20
Linear approximation of FEAL
O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕
I2[16] = fM(PL PR, k⊕
1)[16] PL[16]⊕
O2[10, 18, 26] = k
2[16, 24] 1 ⊕
⊕ fM(PL PR, k⊕1)[16] PL[16]⊕
L2[10, 18, 26]
= PR[10, 18, 26] ⊕
PL[10, 18, 26] O⊕2[10, 18, 26]
05/02/11 Linear Cryptanalysis of FEAL 21
Linear approximation of FEAL
O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕
L2[10, 18, 26]
= PR[10, 18, 26] ⊕
PL[10, 18, 26] k⊕2[16, 24] 1 ⊕
⊕ fM(PL PR, k⊕1)[16] PL[16]⊕
R3 [10, 18, 26] = L
2 [10, 18, 26] ⊕
k6[10, 18, 26]
05/02/11 Linear Cryptanalysis of FEAL 22
Linear approximation of FEAL
O[10, 18, 26] = I[16] K[16,24] 1⊕ ⊕
I4[16] = CR[16] CL[16]⊕
O4[10, 18, 26] = CR[16] CL[16] ⊕ ⊕
k4[16,24] 1⊕
05/02/11 Linear Cryptanalysis of FEAL 23
Linear approximation of FEAL
CL[10, 18, 26]
= O4 [10, 18, 26] R⊕
3[10, 18, 26]
05/02/11 Linear Cryptanalysis of FEAL 24
Linear approximation of FEAL
fM(k1, PL PR⊕ )[16]
⊕ PL[10, 16, 18, 26] PR[10, 18, 26]⊕
⊕ CR[16] CL[10, 16, 18, 26]⊕
= k2[16,24] k⊕
6[10,18,26] k⊕
4[16, 24]
= const (either 1 or 0 for a particular key)
05/02/11 Linear Cryptanalysis of FEAL 25
Recover k1
fM(k1, PL PR)[16]⊕
Determine k1, such that the previous equation holds
Max: 2^16 operations. That is in a possible range.
05/02/11 Linear Cryptanalysis of FEAL 26
Recover k1
Use the other approximations to recover the
rest of k1:
O[2,8] = I[0] K[0] 1⊕ ⊕ O[2,8,10,16] = I[8] K[0,8] 1⊕ ⊕ [ O[10, 18, 26] = I[16] K[16,24] 1 ]⊕ ⊕ O[16,26] = I[24] K[24] ⊕
05/02/11 Linear Cryptanalysis of FEAL 27
Recover the other subkeys
k2, k
3, k
4 are
recovered in an equal way
k5, k
6 then follow
directly
05/02/11 Linear Cryptanalysis of FEAL 28
Runtime of this attack
Implemented by Matsui & Yamagishi with a 25 Mhz computer, 1992
2 seconds with 10 known plaintexts 350 seconds with 5 known plaintexts
05/02/11 Linear Cryptanalysis of FEAL 29
Generalisation to more rounds
FEAL-8 is breakable with this method Using 2^28 plaintexts Runtime: 2^50 subkeys are searched. Details: Matsui & Yamagishi, 1992, A New
Method for Known Plaintext Attack of FEAL cipher
05/02/11 Linear Cryptanalysis of FEAL 30
Recapitulation
FEAL-4 Modification of FEAL-4 Linear cryptanalysis
Linear equations in f
Linear equations in FEAL-4 depending on k1
Exhaustive key search
Repeat this for k2, k
3, ...
05/02/11 Linear Cryptanalysis of FEAL 31
Sources
Shimizu & Miyaguchi: Fast Data Encipherment Algorithm FEAL, 1988
Advances in Cryptology, EUROCRYPT '87 Matsui & Yamagishi: A New Method for Known
Plaintext Attack of FEAL Cipher, 1993
Advances in Cryptology – EUROCRYPT '92 Stamp & Low: Applied Cryptanalysis: Breaking
Ciphers in the Real World, 2007