Linear Cryptanalysis of FEAL - b-it cosec
Linear Cryptanalysis of FEAL - b-it cosec
Linear Cryptanalysis of FEAL - b-it cosec
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong><br />
Folker H<strong>of</strong>fmann<br />
Seminar: Block cipher cryptanalysis<br />
May 2, 2011
<strong>FEAL</strong><br />
Encryption w<strong>it</strong>h <strong>FEAL</strong><br />
Modification <strong>of</strong> <strong>FEAL</strong><br />
<strong>Linear</strong> <strong>Cryptanalysis</strong><br />
Idea<br />
Overview<br />
<strong>Linear</strong> equations in <strong>FEAL</strong><br />
Recovering the roundkeys<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 2
<strong>FEAL</strong><br />
Fast Data Encipherment Algor<strong>it</strong>hm<br />
Proposed in 1987<br />
Goal: It should be su<strong>it</strong>able for implementation in<br />
s<strong>of</strong>tware on smart cards<br />
Different versions:<br />
Number <strong>of</strong> rounds: 4, 8, N<br />
Block size: 64, 128<br />
Here: <strong>FEAL</strong>-4<br />
<strong>FEAL</strong>-N, <strong>FEAL</strong>-NX<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 3
Feistel cipher<br />
<strong>FEAL</strong>: Encryption<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 4
Use the keys in<br />
reverse<br />
<strong>FEAL</strong>: Decryption<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 5
The round function: f<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 6
The S-box<br />
Input: Two bytes X, Y + delta (0 or 1)<br />
Output: One byte<br />
S(X, Y, delta) = ROT2((X + Y + delta) mod 256 )<br />
Example: (delta = 1)<br />
00010011<br />
+ 10110011<br />
+ 1<br />
= 11000111 Rot2 00011111<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 7
Key schedule<br />
(Based on the image <strong>of</strong> the key schedule <strong>of</strong> <strong>FEAL</strong>-8 in: Shimizu & Miyaguchi: Fast<br />
Data Encipherment Algor<strong>it</strong>hm <strong>FEAL</strong>, 1988)<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 8
Rearrangement <strong>of</strong> <strong>FEAL</strong><br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 9
Rearrangement <strong>of</strong> <strong>FEAL</strong><br />
Key affects each byte<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 10
Rearrangement <strong>of</strong> <strong>FEAL</strong><br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 11
Rearrangement <strong>of</strong> <strong>FEAL</strong><br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 12
Rearrangement <strong>of</strong> <strong>FEAL</strong><br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 13
Rearrangement <strong>of</strong> <strong>FEAL</strong><br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 14
Example: fM<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 15
<strong>Linear</strong> <strong>Cryptanalysis</strong><br />
Known plaintext attack<br />
Basic idea: Find linear approximations <strong>of</strong> the<br />
cipher:<br />
C[i ] ⊕ C[i ] ⊕ ... ⊕ C[i ] ⊕ P[j ] ⊕ ... ⊕ P [j<br />
1 2 n 1<br />
⊕ K[k ] ⊕ ... ⊕ K[k ] fM(I<br />
1 t ⊕<br />
1 , k 1 )[f ] = 1 (or 0)<br />
1<br />
= C[i ,i , ..., i ] ⊕ P[j , ..., j ] ⊕ K[k<br />
1 2 n 1 m 1 , ..., k t ]<br />
fM(I 1 , k 1 )[f 1 ] = 1 (Or = 0)<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 16<br />
⊕<br />
m ]
<strong>Linear</strong> <strong>Cryptanalysis</strong><br />
C[i 1 ,i 2 , ..., i n ] P[j<br />
fM(I 1 , k 1 )[f 1 ] = 1 (Or = 0)<br />
For fixed k:<br />
C[i 1 ,i 2 , ..., i n ] P[j<br />
⊕ , ..., j ] ⊕ K[k<br />
1 m 1 , ..., k ] ⊕<br />
t<br />
⊕ , ..., j ] ⊕ fM(I<br />
1 m 1 , k 1 )[f ] =<br />
1<br />
const (0 or 1)<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 17
<strong>Linear</strong> approximation <strong>of</strong> fM<br />
O[26] = I[24] ⊕ K[24] ⊕<br />
O[16]<br />
O[26,16] = I[24] ⊕ K[24]<br />
Reminder: S0(X, Y) = ROT2((X + Y) mod 256 )<br />
101<br />
+ 011<br />
1000<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 18<br />
Xor
<strong>Linear</strong> approximation <strong>of</strong> fM<br />
On a similar way:<br />
O[2,8] = I[0] ⊕ K[0] ⊕ 1<br />
O[2,8,10,16] = I[8] ⊕ K[0,8] ⊕ 1<br />
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1<br />
O[16,26] = I[24] ⊕ K[24]<br />
These equations are always true<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 19
<strong>Linear</strong> approximation <strong>of</strong> <strong>FEAL</strong><br />
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1<br />
I [16] = fM(PL ⊕ PR, k )[16] PL[16]<br />
2 1 ⊕<br />
O [10, 18, 26] = k [16, 24] ⊕ 1<br />
2 2<br />
⊕ fM(PL ⊕ PR, k )[16] PL[16]<br />
1 ⊕<br />
L 2 [10, 18, 26] = PR[10, 18, 26]<br />
PL[10, 18, 26] ⊕ O [10, 18, 26]<br />
2<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 20<br />
⊕
<strong>Linear</strong> approximation <strong>of</strong> <strong>FEAL</strong><br />
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1<br />
L 2 [10, 18, 26] = PR[10, 18, 26]<br />
PL[10, 18, 26] ⊕ k [16, 24] ⊕ 1<br />
2<br />
⊕ fM(PL ⊕ PR, k )[16] PL[16]<br />
1 ⊕<br />
R 3 [10, 18, 26] = L 2 [10, 18, 26]<br />
k 6 [10, 18, 26]<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 21<br />
⊕<br />
⊕
<strong>Linear</strong> approximation <strong>of</strong> <strong>FEAL</strong><br />
O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1<br />
I [16] = CR[16] ⊕ CL[16]<br />
4<br />
O [10, 18, 26] = CR[16] ⊕ CL[16] ⊕<br />
4<br />
k [16,24] ⊕<br />
1<br />
4<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 22
<strong>Linear</strong> approximation <strong>of</strong> <strong>FEAL</strong><br />
CL[10, 18, 26]<br />
= O [10, 18, 26] ⊕ R [10, 18, 26]<br />
4 3<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 23
<strong>Linear</strong> approximation <strong>of</strong> <strong>FEAL</strong><br />
fM(k , PL ⊕ PR)[16]<br />
1<br />
⊕ PL[10, 16, 18, 26] ⊕ PR[10, 18, 26]<br />
⊕ CR[16] ⊕ CL[10, 16, 18, 26]<br />
= k [16,24] ⊕ k [10,18,26] ⊕ k [16, 24]<br />
2 6 4<br />
= const (e<strong>it</strong>her 1 or 0 for a particular key)<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 24
fM(k , PL ⊕ PR)[16]<br />
1<br />
Recover k 1<br />
Determine k 1 , such that the previous equation holds<br />
Max: 2^16 operations. That is in a possible range.<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 25
Recover k 1<br />
Use the other approximations to recover the<br />
rest <strong>of</strong> k 1 :<br />
O[2,8] = I[0] ⊕ K[0] ⊕ 1<br />
O[2,8,10,16] = I[8] ⊕ K[0,8] ⊕ 1<br />
[ O[10, 18, 26] = I[16] ⊕ K[16,24] ⊕ 1 ]<br />
O[16,26] = I[24] ⊕<br />
K[24]<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 26
Recover the other subkeys<br />
k 2 , k 3 , k 4 are<br />
recovered in an<br />
equal way<br />
k 5 , k 6 then follow<br />
directly<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 27
Runtime <strong>of</strong> this attack<br />
Implemented by Matsui & Yamagishi<br />
w<strong>it</strong>h a 25 Mhz computer, 1992<br />
2 seconds w<strong>it</strong>h 10 known plaintexts<br />
350 seconds w<strong>it</strong>h 5 known plaintexts<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 28
Generalisation to more rounds<br />
<strong>FEAL</strong>-8 is breakable w<strong>it</strong>h this method<br />
Using 2^28 plaintexts<br />
Runtime: 2^50 subkeys are searched.<br />
Details: Matsui & Yamagishi, 1992, A New<br />
Method for Known Plaintext Attack <strong>of</strong> <strong>FEAL</strong><br />
cipher<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 29
<strong>FEAL</strong>-4<br />
Recap<strong>it</strong>ulation<br />
Modification <strong>of</strong> <strong>FEAL</strong>-4<br />
<strong>Linear</strong> cryptanalysis<br />
<strong>Linear</strong> equations in f<br />
<strong>Linear</strong> equations in <strong>FEAL</strong>-4 depending on k 1<br />
Exhaustive key search<br />
Repeat this for k 2 , k 3 , ...<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 30
Sources<br />
Shimizu & Miyaguchi: Fast Data Encipherment<br />
Algor<strong>it</strong>hm <strong>FEAL</strong>, 1988<br />
Advances in Cryptology, EUROCRYPT '87<br />
Matsui & Yamagishi: A New Method for Known<br />
Plaintext Attack <strong>of</strong> <strong>FEAL</strong> Cipher, 1993<br />
Advances in Cryptology – EUROCRYPT '92<br />
Stamp & Low: Applied <strong>Cryptanalysis</strong>: Breaking<br />
Ciphers in the Real World, 2007<br />
05/02/11 <strong>Linear</strong> <strong>Cryptanalysis</strong> <strong>of</strong> <strong>FEAL</strong> 31