Linear Cryptanalysis of FEAL - b-it cosec

Linear Cryptanalysis of FEAL
Folker Hoffmann
Seminar: Block cipher cryptanalysis
May 2, 2011

FEAL
Encryption with FEAL
Modification of FEAL
Linear Cryptanalysis
Idea
Overview
Linear equations in FEAL
Recovering the roundkeys
05/02/11 Linear Cryptanalysis of FEAL 2

FEAL
Fast Data Encipherment Algorithm
Proposed in 1987
Goal: It should be suitable for implementation in
software on smart cards
Different versions:
Number of rounds: 4, 8, N
Block size: 64, 128
Here: FEAL-4
FEAL-N, FEAL-NX
05/02/11 Linear Cryptanalysis of FEAL 3

Feistel cipher
FEAL: Encryption
05/02/11 Linear Cryptanalysis of FEAL 4

Use the keys in
reverse
FEAL: Decryption
05/02/11 Linear Cryptanalysis of FEAL 5

The round function: f
05/02/11 Linear Cryptanalysis of FEAL 6

The S-box
Input: Two bytes X, Y + delta (0 or 1)
Output: One byte
S(X, Y, delta) = ROT2((X + Y + delta) mod 256 )
Example: (delta = 1)
00010011
+ 10110011
+ 1
= 11000111 Rot2 00011111
05/02/11 Linear Cryptanalysis of FEAL 7

Key schedule
(Based on the image of the key schedule of FEAL-8 in: Shimizu & Miyaguchi: Fast
Data Encipherment Algorithm FEAL, 1988)
05/02/11 Linear Cryptanalysis of FEAL 8

Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 9

Rearrangement of FEAL
Key affects each byte
05/02/11 Linear Cryptanalysis of FEAL 10

Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 11

Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 12

Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 13

Rearrangement of FEAL
05/02/11 Linear Cryptanalysis of FEAL 14

Example: fM
05/02/11 Linear Cryptanalysis of FEAL 15

Linear Cryptanalysis
Known plaintext attack
Basic idea: Find linear approximations of the
cipher:
C[i ] ⊕ C[i ] ⊕ ... ⊕ C[i ] ⊕ P[j ] ⊕ ... ⊕ P [j
1 2 n 1
⊕ K[k ] ⊕ ... ⊕ K[k ] fM(I
1 t ⊕
1 , k 1 )[f ] = 1 (or 0)
1
= C[i ,i , ..., i ] ⊕ P[j , ..., j ] ⊕ K[k
1 2 n 1 m 1 , ..., k t ]
fM(I 1 , k 1 )[f 1 ] = 1 (Or = 0)
05/02/11 Linear Cryptanalysis of FEAL 16
⊕
m ]

Linear Cryptanalysis
C[i 1 ,i 2 , ..., i n ] P[j
fM(I 1 , k 1 )[f 1 ] = 1 (Or = 0)
For fixed k:
C[i 1 ,i 2 , ..., i n ] P[j
⊕ , ..., j ] ⊕ K[k
1 m 1 , ..., k ] ⊕
t
⊕ , ..., j ] ⊕ fM(I
1 m 1 , k 1 )[f ] =
1
const (0 or 1)
05/02/11 Linear Cryptanalysis of FEAL 17

Linear approximation of fM
O[26] = I[24] ⊕ K[24] ⊕
O[16]
O[26,16] = I[24] ⊕ K[24]
Reminder: S0(X, Y) = ROT2((X + Y) mod 256 )
101
+ 011
1000
05/02/11 Linear Cryptanalysis of FEAL 18
Xor

Linear approximation of fM
On a similar way:
O[2,8] = I[0] ⊕ K[0] ⊕ 1
O[2,8,10,16] = I[8] ⊕ K[0,8] ⊕ 1
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
O[16,26] = I[24] ⊕ K[24]
These equations are always true
05/02/11 Linear Cryptanalysis of FEAL 19

Linear approximation of FEAL
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
I [16] = fM(PL ⊕ PR, k )[16] PL[16]
2 1 ⊕
O [10, 18, 26] = k [16, 24] ⊕ 1
2 2
⊕ fM(PL ⊕ PR, k )[16] PL[16]
1 ⊕
L 2 [10, 18, 26] = PR[10, 18, 26]
PL[10, 18, 26] ⊕ O [10, 18, 26]
2
05/02/11 Linear Cryptanalysis of FEAL 20
⊕

Linear approximation of FEAL
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
L 2 [10, 18, 26] = PR[10, 18, 26]
PL[10, 18, 26] ⊕ k [16, 24] ⊕ 1
2
⊕ fM(PL ⊕ PR, k )[16] PL[16]
1 ⊕
R 3 [10, 18, 26] = L 2 [10, 18, 26]
k 6 [10, 18, 26]
05/02/11 Linear Cryptanalysis of FEAL 21
⊕
⊕

Linear approximation of FEAL
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1
I [16] = CR[16] ⊕ CL[16]
4
O [10, 18, 26] = CR[16] ⊕ CL[16] ⊕
4
k [16,24] ⊕
1
4
05/02/11 Linear Cryptanalysis of FEAL 22

Linear approximation of FEAL
CL[10, 18, 26]
= O [10, 18, 26] ⊕ R [10, 18, 26]
4 3
05/02/11 Linear Cryptanalysis of FEAL 23

Linear approximation of FEAL
fM(k , PL ⊕ PR)[16]
1
⊕ PL[10, 16, 18, 26] ⊕ PR[10, 18, 26]
⊕ CR[16] ⊕ CL[10, 16, 18, 26]
= k [16,24] ⊕ k [10,18,26] ⊕ k [16, 24]
2 6 4
= const (either 1 or 0 for a particular key)
05/02/11 Linear Cryptanalysis of FEAL 24

fM(k , PL ⊕ PR)[16]
1
Recover k 1
Determine k 1 , such that the previous equation holds
Max: 2^16 operations. That is in a possible range.
05/02/11 Linear Cryptanalysis of FEAL 25

Recover k 1
Use the other approximations to recover the
rest of k 1 :
O[2,8] = I[0] ⊕ K[0] ⊕ 1
O[2,8,10,16] = I[8] ⊕ K[0,8] ⊕ 1
[ O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1 ]
O[16,26] = I[24] ⊕
K[24]
05/02/11 Linear Cryptanalysis of FEAL 26

Recover the other subkeys
k 2 , k 3 , k 4 are
recovered in an
equal way
k 5 , k 6 then follow
directly
05/02/11 Linear Cryptanalysis of FEAL 27

Runtime of this attack
Implemented by Matsui & Yamagishi
with a 25 Mhz computer, 1992
2 seconds with 10 known plaintexts
350 seconds with 5 known plaintexts
05/02/11 Linear Cryptanalysis of FEAL 28

Generalisation to more rounds
FEAL-8 is breakable with this method
Using 2^28 plaintexts
Runtime: 2^50 subkeys are searched.
Details: Matsui & Yamagishi, 1992, A New
Method for Known Plaintext Attack of FEAL
cipher
05/02/11 Linear Cryptanalysis of FEAL 29

FEAL-4
Recapitulation
Modification of FEAL-4
Linear cryptanalysis
Linear equations in f
Linear equations in FEAL-4 depending on k 1
Exhaustive key search
Repeat this for k 2 , k 3 , ...
05/02/11 Linear Cryptanalysis of FEAL 30

Sources
Shimizu & Miyaguchi: Fast Data Encipherment
Algorithm FEAL, 1988
Advances in Cryptology, EUROCRYPT '87
Matsui & Yamagishi: A New Method for Known
Plaintext Attack of FEAL Cipher, 1993
Advances in Cryptology – EUROCRYPT '92
Stamp & Low: Applied Cryptanalysis: Breaking
Ciphers in the Real World, 2007
05/02/11 Linear Cryptanalysis of FEAL 31