Cryptanalysis of Zorro
Jian Guo, Ivica Nikolić, Thomas Peyrin, and Lei Wang
Nanyang Technological University, Singapore
[email protected], {inikolic, thomas.peyrin, wang.lei}@ntu.edu.sg
Abstract. At CHES 2013 a new block cipher called Zorro was presented. Although it uses only 4 S-boxes per round, the designers showed the resistance of the cipher against various attacks and concluded that the cipher has a large security margin. In this paper, we give a key recovery attack on the full cipher in the single-key model that works for 2^64 out of the 2^128 keys. Our analysis is based precisely on the fact that the non-linear layer has only 4 S-boxes. We exploit this twice in a two-stage attack: first, we show that Zorro has an equivalent description that does not have constants in the rounds, and then we launch an internal differential attack on the newly described cipher. With computer verifications we confirm the correctness of the analysis. Our attack is the first to use internal differentials for block ciphers, thus we adapt Daemen's attack on the Even-Mansour construction to the case of internal differentials (instead of differentials), which allows us to recover the full key. This work also provides insights on alternative descriptions of general Zorro-type ciphers (incomplete non-linear layers), the importance of well-chosen constants, and the advantages of Daemen's attack.
Keywords: Zorro, cryptanalysis, block cipher, internal differentials
1 Introduction
The Advanced Encryption Standard (AES) is the current de facto block cipher standard, known for its elegant and simple design, high security, and efficiency. More than a decade ago, these features motivated NIST to choose the cipher as a standard, and even now most of the design decisions of AES are considered optimal from the point of view of both efficiency and security. Advances in the field of cryptography, however, suggest that some peculiar details of the design can be improved. One research direction emerged after the discovery of the related-key attacks on AES-192 and AES-256 [2, 1], and to make the cipher secure in the related-key model, patches of the key schedule were proposed [3, 13]. Another line of research focuses on countermeasures for preventing side-channel attacks on the cipher, and investigates tweaks of the non-linear operations in the cipher that lead to efficient masking methods.

In this paper, we analyze the security of the block cipher Zorro published at CHES'13 [7], designed by Gérard, Grosso, Naya-Plasencia, and Standaert, and proposed to improve the side-channel resistance of AES. The main tweak introduced by Zorro is in the non-linear layer (SubBytes) of AES: it defines a new S-box and reduces the number of S-box applications per round from 16 to only 4. The remaining tweaks include increasing the number of rounds from 10 to 24, reordering the round transformations, moving the constants from the key schedule to the rounds, and simplifying the key schedule by adding the master key only after every 4 rounds (as in the block cipher LED-64 [8]).

How risky is the new design? A round of Zorro is very similar to a round of AES, except that it has only 4 S-boxes. Thus the 24-round Zorro, compared to the 10-round AES, has 40% fewer non-linear operations (96 S-boxes instead of 160), but 140% more linear ones (24 rounds of ShiftRows and MixColumns instead of 10).
This tradeoff does not provide an actual proof of security, and therefore in the submission paper the designers address the main security concerns and give an extensive analysis of Zorro. They stress that, due to the intended use of the cipher, related-key attacks are of no interest. In the single-key model they require full 128-bit security and thus provide a rigorous analysis against various attacks: differential, linear, meet-in-the-middle, impossible differential, etc. Interestingly, due to the modified SubBytes, the designers cannot use the simple bounds on the number of active S-boxes in linear and differential characteristics; instead, they come up with a dedicated approach and successfully prove that no characteristic suitable for attacks exists on more than 14-16 rounds of Zorro. The best attacks found, in both the secret-key and the open-key models, reach only 12 rounds, which allows the designers to conclude that the 24-round Zorro has a comfortable security margin.

Our contribution. We present a key-recovery attack on the full 24-round cipher in the single-key model that works for a fraction of the keys (for 2^64 keys out of the 2^128 possible). Our attack model and the results of the analysis are similar to the attack of Leander et al. [11], published at CRYPTO'11, on the lightweight cipher PRINTcipher [10]: both are single-key attacks on the full ciphers under a weak-key assumption. However, the attack techniques are completely different. Our attack is based on the idea of redefining the block cipher and then launching an internal differential attack [14]; both steps are possible only because of the new S-box layer. We show a surprising feature of Zorro: the cipher has another, equivalent description, with the constants added not in the rounds but to the keys. We obtain the new description first for a single step (defined as four rounds), and then for the whole cipher. For the step, we put side by side four rounds with constants and four rounds without, and show that a specifically chosen difference at the input of these two steps deterministically propagates to another difference at the output.
The 16 bytes of the input difference are the solution of a linear system of 16 equations; each equation corresponds to one condition on an intermediate byte difference, imposed by one of the 16 S-boxes contained in a step. It means that one step described as in Zorro can be seen as a step that has no constants in the rounds, if we add one value to the input and one at the output of the step (the values are precisely the above input and output differences, and they are constants). We lift this new description to the whole cipher by merging two consecutive values and moving them to the key (which now becomes a subkey) that is added between the steps. In the new description a round of Zorro has no constants, and thus, like a round of AES or of any other cipher built from an arbitrary S-box layer, ShiftRows and MixColumns, it maintains the following property: if at the input of the round the two halves (the first two columns and the last two columns) of the state are equal, then they will be equal at the output as well. We model this property as an internal differential characteristic [14] that holds with probability 1, and try to extend it to as many rounds as possible. But after every four rounds (a step) there is an addition of a subkey, which may or may not permit the free flow of the characteristic. Thus we use three different strategies to pass the steps: in the first, we use the above probability-1 internal differential characteristic; in the second, a lower-probability characteristic; and in the third we apply a special technique, inspired by the attacks of Mendel et al. [12] on the cipher LED [8] and based on Daemen's attack [4] on the Even-Mansour construction [6].
In optimal-complexity attacks, it is beneficial to pass more steps with the probability-1 characteristic. To achieve two such steps, we focus on the case where the secret key is chosen uniformly at random from a set of 2^64 keys, and provide a key recovery attack on the full cipher with 2^54.3 time, data, and memory. We extensively verify the attack on a computer: in 2^28.5 time we produce inputs conforming to the 20-round characteristic used in the attack, we test and confirm the idea based on Daemen's attack, and we launch the whole attack on a reduced-size Zorro-like cipher.
Fig. 1. A graphical view of Zorro. The plaintext P is XORed with the key K, passes through the 6 steps Q0, ..., Q5 of 4 rounds R each, with K XORed to the state between consecutive steps, and the final addition of K gives the ciphertext C. The rounds differ only in the constants that are added to the state.
2 Description of Zorro
The block cipher Zorro has a 128-bit key and a 128-bit state. The cipher has 24 rounds divided into 6 steps of 4 rounds each. The steps do not use the key, and Zorro does not have a key schedule. Instead, before each step the master key is XORed to the state, and the same addition is done after the last step. In Zorro, as in AES, the state is regarded as a 4 × 4 matrix of bytes, and one round consists of four distinct transformations: SB*, AC, SR, MC. The first transformation SB* is the S-box layer (as SubBytes in AES) and consists of applying the same S-box to the bytes of the first row only. Next, AC is the addition of round constants: in round i, the four constants (i, i, i, i

2^-128), extended with an additional round of DKF (where it is irrelevant that the characteristic has 16 active S-boxes), we have a key recovery on 4-round AES based on differentials. The impact of DKF is even stronger in ciphers such as LED and Zorro, where the last public permutation consists of several rounds grouped into a step: the whole last step can be skipped if the characteristic on the previous steps has a high enough probability. Thus, when analyzing the resistance of the cipher against differentials, we should keep in mind that a differential attack is at least one step longer than the best characteristic. In the case of Zorro, the existence of a characteristic on 12 rounds is not excluded (as the probability has not yet reached 2^-128), thus a 16-round attack based on classical differential analysis may be possible.
Acknowledgements. The authors would like to thank François-Xavier Standaert for helpful comments and discussions. The work in this paper is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).
References
1. A. Biryukov and D. Khovratovich. Related-key cryptanalysis of the full AES-192 and AES-256. In M. Matsui, editor, ASIACRYPT, volume 5912 of Lecture Notes in Computer Science, pages 1–18. Springer, 2009.
2. A. Biryukov, D. Khovratovich, and I. Nikolić. Distinguisher and related-key attack on the full AES-256. In S. Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 231–249. Springer, 2009.
3. J. Choy, A. Zhang, K. Khoo, M. Henricksen, and A. Poschmann. AES variants secure against related-key differential and boomerang attacks. In C. A. Ardagna and J. Zhou, editors, WISTP, volume 6633 of Lecture Notes in Computer Science, pages 191–207. Springer, 2011.
4. J. Daemen. Limitations of the Even-Mansour construction. In Imai et al. [9], pages 495–498.
5. O. Dunkelman, N. Keller, and A. Shamir. Minimalism in cryptography: The Even-Mansour scheme revisited. In D. Pointcheval and T. Johansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pages 336–354. Springer, 2012.
6. S. Even and Y. Mansour. A construction of a cipher from a single pseudorandom permutation. In Imai et al. [9], pages 210–224.
7. B. Gérard, V. Grosso, M. Naya-Plasencia, and F.-X. Standaert. Block ciphers that are easier to mask: How far can we go? In G. Bertoni and J.-S. Coron, editors, CHES, volume 8086 of Lecture Notes in Computer Science, pages 383–399. Springer, 2013.
8. J. Guo, T. Peyrin, A. Poschmann, and M. J. B. Robshaw. The LED block cipher. In B. Preneel and T. Takagi, editors, CHES, volume 6917 of Lecture Notes in Computer Science, pages 326–341. Springer, 2011.
9. H. Imai, R. L. Rivest, and T. Matsumoto, editors. Advances in Cryptology - ASIACRYPT '91, International Conference on the Theory and Applications of Cryptology, Fujiyoshida, Japan, November 11-14, 1991, Proceedings, volume 739 of Lecture Notes in Computer Science. Springer, 1993.
10. L. R. Knudsen, G. Leander, A. Poschmann, and M. J. B. Robshaw. PRINTcipher: A block cipher for IC-printing. In S. Mangard and F.-X. Standaert, editors, CHES, volume 6225 of Lecture Notes in Computer Science, pages 16–32. Springer, 2010.
11. G. Leander, M. A. Abdelraheem, H. AlKhzaimi, and E. Zenner. A cryptanalysis of PRINTcipher: The invariant subspace attack. In P. Rogaway, editor, CRYPTO, volume 6841 of Lecture Notes in Computer Science, pages 206–221. Springer, 2011.
12. F. Mendel, V. Rijmen, D. Toz, and K. Varici. Differential analysis of the LED block cipher. In X. Wang and K. Sako, editors, ASIACRYPT, volume 7658 of Lecture Notes in Computer Science, pages 190–207. Springer, 2012.
13. I. Nikolić. Tweaking AES. In A. Biryukov, G. Gong, and D. R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of Lecture Notes in Computer Science, pages 198–210. Springer, 2010.
14. T. Peyrin. Improved differential attacks for ECHO and Grøstl. In T. Rabin, editor, CRYPTO, volume 6223 of Lecture Notes in Computer Science, pages 370–392. Springer, 2010.
A The Values of the Constants νi, µi, τi

Table 1. The values of the constants νi, µi, τi. Each constant is a 4 × 4 byte matrix written row by row in the AES orientation (the S-boxes act on the first row). τ0 = ν0, τ_i = µ_{i-1} ⊕ ν_i for i = 1, ..., 5, and τ6 = µ5.

τ0 = ν0
  00 00 00 00
  99 b4 bd 80
  c2 a6 b2 5f
  7a 29 ef 05

τ1 = µ0 ⊕ ν1
  µ0             ν1             τ1
  02 58 02 4a    00 00 00 00    02 58 02 4a
  8f 70 f8 4d    ef ab 7d 16    60 db 85 5b
  8c bb b4 3c    93 58 b8 c5    1f e3 0c f9
  f6 ec 4e 93    9f 8a e7 7d    69 66 a9 ee

τ2 = µ1 ⊕ ν2
  µ1             ν2             τ2
  3d e8 3d c1    00 00 00 00    3d e8 3d c1
  3a 6b c0 df    75 8a 26 b7    4f e1 e6 68
  40 3b b3 73    60 41 a6 70    20 7a 15 03
  8e 79 70 4d    ab 74 ff f5    25 0d 8f b8

τ3 = µ2 ⊕ ν3
  µ2             ν3             τ3
  7c 23 7c 47    00 00 00 00    7c 23 7c 47
  fe 46 88 72    03 95 e6 21    fd d3 6e 53
  0f a0 ba a2    31 bf ac ea    3e 1f 16 48
  06 dd 32 34    4e d7 f7 8d    48 0a c5 b9

τ4 = µ3 ⊕ ν4
  µ3             ν4             τ4
  43 93 43 cc    00 00 00 00    43 93 43 cc
  4b 5d b0 e0    5a c8 90 ee    11 95 20 0e
  c3 20 bd ed    9d 73 9a 01    5e 53 27 ec
  7e 48 0c ea    c3 93 cf fe    bd db c3 14

τ5 = µ4 ⊕ ν5
  µ4             ν5             τ5
  fe ae fe 50    00 00 00 00    fe ae fe 50
  6d 1c 18 33    2c d7 50 78    41 cb 48 4b
  91 8d a8 1b    cc 8d 90 9b    5d 00 38 80
  0d 8e b6 c6    26 30 c7 86    2b be 71 40

τ6 = µ5
  c1 1e c1 db
  d8 07 20 a1
  5d 0d af 54
  75 1b 88 18
B The 5-Step Characteristic Used in the Attack

Notation. The internal difference Δ(X) of a 4 × 4 state X is the XOR of its two left columns with its two right columns, a 4 × 2 array; it is written row by row as (r0 | r1 | r2 | r3), two bytes per row. Δ is linear, so Δ(X ⊕ Y) = Δ(X) ⊕ Δ(Y), and the zero internal difference means that the two halves of the state are equal.

The internal differences of the constants τi, i = 0, ..., 6 are:
  Δ(τ0) = (00 00 | 24 34 | 70 f9 | 95 2c)
  Δ(τ1) = (00 12 | e5 80 | 13 1a | c0 88)
  Δ(τ2) = (00 29 | a9 89 | 35 79 | aa b5)
  Δ(τ3) = (00 64 | 93 80 | 28 57 | 8d b3)
  Δ(τ4) = (00 5f | 31 9b | 79 bf | 7e cf)
  Δ(τ5) = (00 fe | 09 80 | 65 80 | 5a fe)
  Δ(τ6) = (00 c5 | f8 a6 | f2 59 | fd 03)

The internal difference in the master key K is Δ(K) = Δ(τ3). Therefore, the differences in the 7 subkeys K ⊕ τi, namely Δ(τi) ⊕ Δ(τ3), are:
  Δ(K ⊕ τ0) = (00 64 | b7 b4 | 58 ae | 18 9f)
  Δ(K ⊕ τ1) = (00 76 | 76 00 | 3b 4d | 4d 3b)
  Δ(K ⊕ τ2) = (00 4d | 3a 09 | 1d 2e | 27 06)
  Δ(K ⊕ τ3) = (00 00 | 00 00 | 00 00 | 00 00)
  Δ(K ⊕ τ4) = (00 3b | a2 1b | 51 e8 | f3 7c)
  Δ(K ⊕ τ5) = (00 9a | 9a 00 | 4d d7 | d7 4d)
  Δ(K ⊕ τ6) = (00 a1 | 6b 26 | da 0e | 70 b0)

The 5-step characteristic. "1R" denotes one round of the constant-free description, with the probability of the round transition; each step begins with the addition of the subkey difference Δ(τi) ⊕ Δ(τ3).

Step 0 (rounds 1-4):
  (00 64 | 14 0a | f4 96 | de ea)
    ⊕ Δ(τ0) ⊕ Δ(τ3)  → (00 00 | a3 be | ac 38 | c6 75)
    1R, p = 1        → (00 00 | fd d3 | 62 82 | f8 0c)
    1R, p = 1        → (00 66 | 17 84 | 03 f1 | a9 94)
    1R, p = 2^-5.4   → (00 e8 | 82 46 | 25 c7 | b4 ef)
    1R, p = 2^-4.66  → (00 fd | 0c 7d | 26 54 | a6 a1)
Step 1 (rounds 5-8):
    ⊕ Δ(τ1) ⊕ Δ(τ3)  → (00 8b | 7a 7d | 1d 19 | eb 9a)
    1R, p = 2^-6     → (00 24 | 47 18 | f2 42 | 4f da)
    1R, p = 2^-5.4   → (00 00 | e7 65 | 92 70 | 45 3d)
    1R, p = 1        → (00 07 | 5a 00 | 1d c8 | 8d 1d)
    1R, p = 2^-7     → (00 4d | 3a 09 | 1d 2e | 27 06)
Step 2 (rounds 9-12):
    ⊕ Δ(τ2) ⊕ Δ(τ3)  → (00 00 | 00 00 | 00 00 | 00 00)
    four rounds, each with p = 1, keep the zero internal difference
Step 3 (rounds 13-16):
    ⊕ Δ(τ3) ⊕ Δ(τ3)  → (00 00 | 00 00 | 00 00 | 00 00)
    four rounds, each with p = 1, keep the zero internal difference
Step 4 (rounds 17-20):
    ⊕ Δ(τ4) ⊕ Δ(τ3)  → (00 3b | a2 1b | 51 e8 | f3 7c)
    1R, p = 2^-6     → (00 c9 | b9 15 | 3d fd | b2 02)
    1R, p = 2^-5     → (00 7a | 6f 38 | 69 6a | 2c 21)
    1R, p = 2^-5     → (00 00 | ea ba | 89 39 | 13 5c)
    1R, p = 1        → (00 0f | b3 97 | 57 ad | 8b f5)
Key addition after step 4:
    ⊕ Δ(τ5) ⊕ Δ(τ3)  → (00 95 | 29 97 | 1a 7a | 5c b8)
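The halves-stay-equal argument of the introduction (a constant-free round built from a first-row S-box layer, ShiftRows and MixColumns preserves equal column halves) and the tables above can be checked mechanically. The following Python is an added example and not code from the paper; it assumes that states are written in AES orientation (rows of four bytes, S-boxes on the first row) and that Zorro's ShiftRows and MixColumns are those of AES, and it takes its byte values from Appendix A, Appendix B and Table 2. It re-derives the subkey difference Δ(K ⊕ τ0) = Δ(τ0) ⊕ Δ(τ3) and the two probability-1 rounds that open step 0; a round with an active S-box is refused, because its output depends on the S-box difference table, which this page does not reproduce.

```python
# Added example (not from the paper): internal-differential bookkeeping for the
# constant-free description of Zorro, used to re-check the appendix tables.
# Assumptions: a state is a 4x4 byte matrix in AES orientation (rows of four, the
# S-boxes act on row 0) and Zorro's linear layer is AES ShiftRows + MixColumns.
# The internal difference D(X) is the XOR of the left two columns with the right two.


def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """GF(2^8) product by shift-and-add (MixColumns only needs factors 2 and 3)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def mix_column(c):
    """AES MixColumns on one 4-byte column."""
    a0, a1, a2, a3 = c
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def internal_diff(state):
    """D(X) as 4 rows of 2 bytes: row r is (X[r][0]^X[r][2], X[r][1]^X[r][3])."""
    return [[r[0] ^ r[2], r[1] ^ r[3]] for r in state]


def xor_diff(d, e):
    """D is linear, so D(X ^ Y) = D(X) ^ D(Y); this XORs two differences."""
    return [[a ^ b for a, b in zip(x, y)] for x, y in zip(d, e)]


def round_on_diff(d):
    """One constant-free round on an internal difference whose first row is zero.

    With no active S-box the round is linear: ShiftRows rotates row r by r, which
    on the two-column difference swaps the two entries of the odd rows, and
    MixColumns then acts on each column of the difference separately. A difference
    with an active S-box is refused, because its output depends on the S-box DDT."""
    if d[0] != [0, 0]:
        raise ValueError("active S-box in row 0: the round is not linear here")
    shifted = [row if r % 2 == 0 else [row[1], row[0]] for r, row in enumerate(d)]
    cols = [mix_column([shifted[r][j] for r in range(4)]) for j in range(2)]
    return [[cols[0][r], cols[1][r]] for r in range(4)]


def H(s):
    """Parse a row of space-separated hex bytes."""
    return [int(x, 16) for x in s.split()]


# Byte values copied from Appendix A (tau_0, tau_3), Appendix B (subkey difference
# for step 0 and the first internal differences of step 0) and Table 2 (example 1).
TAU0 = [H("00 00 00 00"), H("99 b4 bd 80"), H("c2 a6 b2 5f"), H("7a 29 ef 05")]
TAU3 = [H("7c 23 7c 47"), H("fd d3 6e 53"), H("3e 1f 16 48"), H("48 0a c5 b9")]
SUBKEY0_DIFF = [H("00 64"), H("b7 b4"), H("58 ae"), H("18 9f")]
D0_AFTER_KEY = [H("00 00"), H("a3 be"), H("ac 38"), H("c6 75")]
D0_ROUND1 = [H("00 00"), H("fd d3"), H("62 82"), H("f8 0c")]
D0_ROUND2 = [H("00 66"), H("17 84"), H("03 f1"), H("a9 94")]
PT1 = [H("4e dc 4e b8"), H("45 df 51 d5"), H("f3 fa 07 6c"), H("a8 d5 76 3f")]
KEY1 = [H("fe e8 fe 8c"), H("59 40 ca c0"), H("51 d9 79 8e"), H("c5 e4 48 57")]


def is_weak_key(key):
    """The 2^64 weak keys are those with D(K) = D(tau_3)."""
    return internal_diff(key) == internal_diff(TAU3)


def subkey_diff(tau_i):
    """D(K ^ tau_i) for a weak key: D(tau_i) ^ D(tau_3)."""
    return xor_diff(internal_diff(tau_i), internal_diff(TAU3))


def linear_rounds(d, n):
    """Apply n constant-free rounds while no S-box is active."""
    for _ in range(n):
        d = round_on_diff(d)
    return d


def follows_step0_prefix(pt, key):
    """Key addition plus the two probability-1 rounds opening step 0, compared with
    the internal differences listed in Appendix B."""
    if not is_weak_key(key):
        return False
    d = xor_diff(internal_diff(pt), subkey_diff(TAU0))
    return (d == D0_AFTER_KEY and linear_rounds(d, 1) == D0_ROUND1
            and linear_rounds(d, 2) == D0_ROUND2)


if __name__ == "__main__":
    print("D(K ^ tau_0) matches Appendix B:", subkey_diff(TAU0) == SUBKEY0_DIFF)
    print("Table 2 example 1 follows rounds 1-2:", follows_step0_prefix(PT1, KEY1))
```

The refusal in round_on_diff is the point of the exercise: the rounds the paper passes with probability 1 are exactly those where the first row of the internal difference is zero, so the 4 S-boxes see equal inputs in both halves and the round reduces to the linear layer; every other round of the characteristic carries a probability taken from the S-box difference table.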
C Examples for the 5-step Characteristic

Table 2. Examples of tuples (plaintext, key, ciphertext) that follow the 5-step characteristic. States are written row by row in the AES orientation; Δ stands for internal difference (two left columns XOR two right columns, written as (r0 | r1 | r2 | r3)) and is the same for all three examples.

Example 1
  Plaintext       Key             Ciphertext
  4e dc 4e b8     fe e8 fe 8c     03 1b 03 8e
  45 df 51 d5     59 40 ca c0     60 8e 49 19
  f3 fa 07 6c     51 d9 79 8e     2b 72 31 08
  a8 d5 76 3f     c5 e4 48 57     16 03 4a bb

Example 2
  Plaintext       Key             Ciphertext
  f5 de f5 ba     56 65 56 01     68 81 68 14
  62 db 76 d1     5c e8 cf 68     15 c2 3c 55
  57 3b a3 ad     72 1d 5a 4a     15 07 0f 7d
  4a a7 94 4d     b1 ee 3c 5d     6b 4e 37 f6

Example 3
  Plaintext       Key             Ciphertext
  24 0e 24 6a     fc c8 fc ac     b8 97 b8 02
  13 5a 07 50     8b be 18 3e     e5 3b cc ac
  3d bd c9 2b     03 85 2b d2     9b d5 81 af
  95 e6 4b 0c     8d 4d 00 fe     f6 64 aa dc

Δ (identical for the three examples)
  Δ(plaintext)  = (00 64 | 14 0a | f4 96 | de ea)
  Δ(key)        = (00 64 | 93 80 | 28 57 | 8d b3) = Δ(τ3)
  Δ(ciphertext) = (00 95 | 29 97 | 1a 7a | 5c b8)