A Practical-Time Related-Key Boomerang Attack on MMB
Tomer Ashur Orr Dunkelman
29/10/2013
Overview
1. Quick description of the MMB block cipher.
2. Short explanation of the cryptanalytic techniques used in this paper.
3. A related-key boomerang attack that recovers 62 key bits for MMB.
4. Using the previously recovered 62 bits to recover another 31 bits of the key.
5. Recovering the last bits.
6. Results of experimental verification.
7. Possible extensions of the attack.
The Modular Multiplication Block (MMB) Cipher
◮ Invented in 1997, by Joan Daemen as an improvement for the IDEA cipher.
◮ Block and key size of 128-bit.
◮ Six rounds, 4 operations:
  ◮ σ - key injection ($x_i \oplus k_i^j$).
  ◮ γ - modular multiplication ($(x_i * G_i) \bmod (2^{32} - 1)$).
  ◮ η - data-dependent operation ($(x_i \bmod 2)\ ?\ (\delta \oplus x_i) : x_i$).
  ◮ θ - matrix multiplication ($x_{i-1} \oplus x_i \oplus x_{i+1}$).
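MMB’s Round Function
[Figure: one round of MMB applied to the four words $x_0^j, x_1^j, x_2^j, x_3^j$. σ XORs in the round-key words $k_0^j, \dots, k_3^j$; γ multiplies (⊗) by $G_0, \dots, G_3$; η XORs in $\mathrm{LSB}(x_0) \cdot \delta$ and $\mathrm{LSB}(x_3) \cdot \delta$; Θ mixes the words, giving $x_0^{j+1}, \dots, x_3^{j+1}$.]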
Differential Cryptanalysis and its Variants
◮ Differential cryptanalysis [BS91]
◮ Related-key differential cryptanalysis [KSW96]
◮ Boomerang attack [W99]
◮ Related-key boomerang attack [K+04, K+05, BDK05]
Previous Work
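◮ 2-round differential with probability 1 [WNS09]:
$$
\begin{aligned}
(0, \bar{0}, \bar{0}, 0) &\xrightarrow{\sigma[k^0]} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\gamma} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\eta} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\theta} (\bar{0}, 0, 0, \bar{0}) \\
&\xrightarrow{\sigma[k^1]} (\bar{0}, 0, 0, \bar{0}) \xrightarrow{\gamma} (\bar{0}, 0, 0, \bar{0}) \xrightarrow{\eta} (\bar{\delta}, 0, 0, \bar{\delta}) \xrightarrow{\theta} (0, \bar{\delta}, \bar{\delta}, 0)
\end{aligned}
$$
◮ 5-round distinguisher with probability $2^{-110}$ [WNS09].
◮ Full key recovery with time complexity of $2^{118}$ [WNS09].
◮ 5-round sandwich distinguisher with probability 1 [J+11].
◮ Full key recovery with time complexity of $2^{40}$ [J+11].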
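The probability-1 two-round differential from [WNS09] listed above can be checked empirically. The following Python is an added example, not code from the slides or their authors: it implements σ, γ, η and θ as the slides describe them and counts how many random pairs follow the differential. The constants G_i and δ are the published MMB values (they are not given on the slides), and the random round keys are an assumption that is safe here because the differential does not depend on the key.

```python
import random

M = 0xFFFFFFFF  # modulus 2^32 - 1; also the all-ones word written 0-bar on the slides
# Published MMB constants (assumption: taken from the cipher's specification, not from the slides).
G = (0x025F1CDB, 0x04BE39B6, 0x12F8E6D8, 0x2F8E6D81)
DELTA = 0x2AAAAAAA

def sigma(x, k):
    """Key injection: XOR each word with its round-key word."""
    return [xi ^ ki for xi, ki in zip(x, k)]

def gamma(x):
    """Multiply word i by G_i mod 2^32 - 1; the all-ones word maps to itself."""
    return [xi if xi == M else (xi * gi) % M for xi, gi in zip(x, G)]

def eta(x):
    """Data-dependent step as on the slide: XOR delta into words 0 and 3 when their LSB is 1."""
    y = list(x)
    for i in (0, 3):
        if y[i] & 1:
            y[i] ^= DELTA
    return y

def theta(x):
    """Linear mixing: y_i = x_{i-1} ^ x_i ^ x_{i+1}, indices taken mod 4."""
    return [x[(i - 1) % 4] ^ x[i] ^ x[(i + 1) % 4] for i in range(4)]

def rounds(x, keys):
    """Apply one sigma-gamma-eta-theta round per entry in keys."""
    for k in keys:
        x = theta(eta(gamma(sigma(x, k))))
    return x

def count_following(trials=2000, seed=1):
    """Count random (plaintext, round keys) samples whose pair follows the 2-round differential."""
    rng = random.Random(seed)
    word = lambda: rng.getrandbits(32)
    d_in = [0, M, M, 0]                     # (0, 0-bar, 0-bar, 0)
    d_out = [0, DELTA ^ M, DELTA ^ M, 0]    # (0, delta-bar, delta-bar, 0)
    hits = 0
    for _ in range(trials):
        keys = [[word() for _ in range(4)] for _ in range(2)]  # constructed random round keys
        p = [word() for _ in range(4)]
        q = [a ^ b for a, b in zip(p, d_in)]
        diff = [a ^ b for a, b in zip(rounds(p, keys), rounds(q, keys))]
        hits += diff == d_out
    return hits
```

Every trial follows the differential because complementing a word commutes with multiplication modulo $2^{32} - 1$, so the difference $\bar{0}$ passes γ unchanged, and η turns it into $\bar{\delta}$ since exactly one word of the pair has its least significant bit set.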
Description of the Differential Characteristics
3-round related-key differential characteristic with probability 1: $\triangle = (0, 0, \bar{0}, \bar{0}) \xrightarrow{(0,0,\bar{0},\bar{0})} (\delta, \bar{0}, \delta, \bar{\delta}) = \triangle^*$.
One additional round can be prepended: $(X, \bar{0}, 0, \bar{0}) \to \triangle$
4-round related-key differential characteristic with probability 1: $\triangledown^* = (0, 0, \bar{0}, 0) \xrightarrow{(0,0,\bar{0},0)} (\bar{\delta}, \bar{\delta}, 0, \bar{\delta}) = \triangledown$
One additional round can be prepended: $(0, \bar{0}, \bar{0}, Y) \to \triangledown^*$
2-round related-key differential characteristic with probability 1: $\tau = (0, 0, 0, \bar{0}) \xrightarrow{(0,0,0,\bar{0})} (0, \bar{0}, \bar{0}, \bar{0}) = \tau^*$
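Description of $B_0$
[Figure: the related-key boomerang $B_0$. Nodes: plaintexts $P_1, P_2, P_3, P_4$; intermediate states $i_1, i_2, i_3, i_4$; ciphertexts $C_1, C_2, C_3, C_4$. Round labels: 1R, 3R and 2R between $P_1, P_2$ and $C_1, C_2$; 2R and 4R between $C_3, C_4$ and $P_3, P_4$. Difference labels: $(X, \bar{0}, 0, \bar{0})$ at $P_1, P_2$; $(\delta, \bar{0}, \delta, \bar{\delta})$ (shown twice); $(0, 0, \bar{0}, \bar{0})$; $(0, 0, 0, \bar{0})$.]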
Identifying right pairs
◮ Store all decrypted data in a hash-table
◮ Right pairs can be identified by their collision in the appropriate 96 bits.
◮ It is expected that 4 right pairs will be identified.
Key Recovery
◮ To recover $k_0$ and $k_3$ we iterate over all possible values for that key word.
◮ It is enough to iterate over half of the space.
◮ Using a right pair, calculate $\omega_i = (x_i \oplus k_i) \otimes G_i$ for $i \in \{1, 3\}$. If $\omega_i = \bar{\delta}$, suggest $k_i$ and $\bar{k}_i$ as possible keys.
◮ Verify using another right pair.
Recovering More Key Bits
◮ Note that $\triangledown^* \to \triangledown$ can be extended to cover 5 rounds of MMB with probability 1, i.e., all right pairs with regard to $B_1$ follow this path.
◮ Let $(p_1, p_2)$ be a right pair with respect to $\triangledown^* \to \triangledown$, and let $(c_1, c_2)$ be their respective ciphertexts.
◮ Due to the differential characteristic, the values entering γ in the fifth round are known to be $(\bar{\delta}, \bar{\delta}, 0, \bar{\delta})$.
◮ By using the two known key words, and iterating the value of $k_2^6$, we can reverse the last encryption round. The right key word (and its inverse) will lead to $\bar{\delta}$ in the second word.
Finding the last key word
◮ The last key word can be found by trying all possible key values for it, checking if some plaintext indeed leads to its ciphertext.
◮ To distinguish the real key from its negation, this phase must try all possible assignments.
Complexity
◮ Time: $2 \cdot (4 \cdot 2^{17} + \frac{1}{6} \cdot 2^{31}) + \frac{1}{6} \cdot 2^{31} + 8 \cdot 2^{32} = 2^{35}$
◮ Memory (bytes): $4 \cdot 4 \cdot 2^{17} + 4 \cdot 2^{17} = 2^{21.3}$
◮ Data: $2 \cdot 2 \cdot 2 \cdot 2^{17} = 2^{20}$
◮ Related-keys: 4
Experimental Verification
◮ All attacks have been verified using hybrid C and Python code.
◮ The attack has a success rate of 98%.
◮ It takes less than 15 minutes on average to recover the full key of MMB.
Improvements
◮ Recovering 62 key bits for variants of MMB with 7 and 8 rounds.
◮ Recovering 31 key bits for a variant of MMB with 9 rounds.
◮ Time memory trade-off.
Thank you for your time. Questions?
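Full Description of $\triangle \to \triangle^*$
$$
\begin{aligned}
\triangle = (0, 0, \bar{0}, \bar{0})
&\xrightarrow[(0,0,\bar{0},\bar{0})]{\sigma[k^1]} (0, 0, 0, 0) \xrightarrow{\gamma} (0, 0, 0, 0) \xrightarrow{\eta} (0, 0, 0, 0) \xrightarrow{\theta} (0, 0, 0, 0) \\
&\xrightarrow[(0,\bar{0},\bar{0},0)]{\sigma[k^2]} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\gamma} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\eta} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\theta} (\bar{0}, 0, 0, \bar{0}) \\
&\xrightarrow[(\bar{0},\bar{0},0,0)]{\sigma[k^3]} (0, \bar{0}, 0, \bar{0}) \xrightarrow{\gamma} (0, \bar{0}, 0, \bar{0}) \xrightarrow{\eta} (0, \bar{0}, 0, \bar{\delta}) \xrightarrow{\theta} (\delta, \bar{0}, \delta, \bar{\delta}) = \triangle^*
\end{aligned}
$$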
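Full Description of $\triangledown^* \to \triangledown$
$$
\begin{aligned}
\triangledown^* = (0, 0, \bar{0}, 0)
&\xrightarrow[(0,0,\bar{0},0)]{\sigma[k^1]} (0, 0, 0, 0) \xrightarrow{\gamma} (0, 0, 0, 0) \xrightarrow{\eta} (0, 0, 0, 0) \xrightarrow{\theta} (0, 0, 0, 0) \\
&\xrightarrow[(0,\bar{0},0,0)]{\sigma[k^2]} (0, \bar{0}, 0, 0) \xrightarrow{\gamma} (0, \bar{0}, 0, 0) \xrightarrow{\eta} (0, \bar{0}, 0, 0) \xrightarrow{\theta} (\bar{0}, \bar{0}, \bar{0}, 0) \\
&\xrightarrow[(\bar{0},0,0,0)]{\sigma[k^3]} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\gamma} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\eta} (0, \bar{0}, \bar{0}, 0) \xrightarrow{\theta} (\bar{0}, 0, 0, \bar{0}) \\
&\xrightarrow[(0,0,0,\bar{0})]{\sigma[k^4]} (\bar{0}, 0, 0, 0) \xrightarrow{\gamma} (\bar{0}, 0, 0, 0) \xrightarrow{\eta} (\bar{\delta}, 0, 0, 0) \xrightarrow{\theta} (\bar{\delta}, \bar{\delta}, 0, \bar{\delta})
\end{aligned}
$$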
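Full Description of $\tau \to \tau^*$
$$
\begin{aligned}
\tau = (0, 0, 0, \bar{0})
&\xrightarrow[(0,0,0,\bar{0})]{\sigma[k^4]} (0, 0, 0, 0) \xrightarrow{\gamma} (0, 0, 0, 0) \xrightarrow{\eta} (0, 0, 0, 0) \xrightarrow{\theta} (0, 0, 0, 0) \\
&\xrightarrow[(0,0,\bar{0},0)]{\sigma[k^5]} \xrightarrow{\gamma} (0, 0, \bar{0}, 0) \xrightarrow{\eta} (0, 0, \bar{0}, 0) \xrightarrow{\theta} (0, \bar{0}, \bar{0}, \bar{0}) = \tau^*
\end{aligned}
$$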