nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

New Attacks on Feistel Structures with Improved Memory Complexities

verfasst von : Itai Dinur, Orr Dunkelman, Nathan Keller, Adi Shamir

Erschienen in: Advances in Cryptology -- CRYPTO 2015

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Feistel structures are an extremely important and extensively researched type of cryptographic schemes. In this paper we describe improved attacks on Feistel structures with more than 4 rounds. We achieve this by a new attack that combines the main benefits of meet-in-the-middle attacks (which can reduce the time complexity by comparing only half blocks in the middle) and dissection attacks (which can reduce the memory complexity but have to guess full blocks in the middle in order to perform independent attacks above and below it). For example, for a 7-round Feistel structure on n-bit inputs with seven independent round keys of n / 2 bits each, a MITM attack can use (\(2^{1.5n}\), \(2^{1.5n}\)) time and memory, while dissection requires (\(2^{2n}\), \(2^{n}\)) time and memory. Our new attack requires only (\(2^{1.5n}\), \(2^{n}\)) time and memory, using a few known plaintext/ciphertext pairs. When we are allowed to use more known plaintexts, we develop new techniques which rely on the existence of multicollisions and differential properties deep in the structure in order to further reduce the memory complexity.

Our new attacks are not just theoretical generic constructions — in fact, we can use them to improve the best known attacks on several concrete cryptosystems such as round-reduced CAST-128 (where we reduce the memory complexity from \(2^{111} \) to \(2^{64}\)) and full DEAL-256 (where we reduce the memory complexity from \(2^{200}\) to \(2^{144}\)), without affecting their time and data complexities. An extension of our techniques applies even to some non-Feistel structures — for example, in the case of FOX, we reduce the memory complexity of all the best known attacks by a factor of \(2^{16}\).

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Integral Cryptanalysis on Full MISTY1

Nächstes Kapitel Known-Key Distinguisher on Full PRESENT

Nur mit Berechtigung zugänglich

We alert the reader that similarly to [9], we concentrate on asymptotic complexity and ignore small polynomial factors in n. Moreover, we treat \(\ell \) as a (possibly big) constant, and therefore disregard all multiplicative factors related to \(\ell \) (and r).

The precise generic formula for the memory complexity of dissection is less relevant here. Note that such an attack has to treat every two consecutive Feistel rounds as a single round with an n-bit block and an n-bit key, and it is the last “half-round” which makes it suboptimal.

We consider attacks on less than 7 rounds in Sect. 3.

We note that \(K_4\) can also be found by a precomputed table instead of guessing, but this will not make a big difference as will be explained in the sequel.

Some useful relations between subkeys may exist if they are derived from a master key using a simple key schedule. However, in this paper, we focus on the most general Feistel constructions and do not assume the existence of such relations.

Roughly speaking, given D data, we have about \(D^r\) different r-tuples of the 0.5n-bit value \(R_{3r}\). For each r-tuple, the probability that all the values of \(R_{3r}\) are equal is \(2^{-0.5n \cdot (r-1)}\). Therefore, we require \(D^r = 2^{0.5n \cdot (r-1)}\) or \(D=2^{((r-1)/r) \cdot 0.5n}\).

The computation of \((L_{2r}^i,R_{2r}^i)\) for all \(i=1,\ldots ,r\) is feasible, since by the assumption that \((P^1,C^1),\ldots ,(P^r,C^r)\) is an r-multi-collision, the value \(R_{4r-2}^1\) along with the externally guessed values are sufficient for obtaining the values \(R_{4r-2}^2,\ldots ,R_{4r-2}^r\).

We guess 3n bits in Step 2, giving rise to 3n constraints on 7.5n key bits.

A gain of j is first achieved when attacking \(5j + 2\sum _{i=1}^{j-1} \lfloor i/2 \rfloor \) rounds.

Although they reach fewer rounds, the advantage of MITM attacks over other attacks on Camellia (namely, impossible differential attacks [5]) is their low data complexity.

Adams, C.: The CAST-128 Encryption Algorithm. RFC 2144 (1997). https://tools.ietf.org/html/rfc2144

Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009) CrossRef

Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011) CrossRef

Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229–240. Springer, Heidelberg (2011) CrossRef

Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014)

Canteaut, A., Naya-Plasencia, M., Vayssière, B.: Sieve-in-the-middle: improved MITM attacks. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 222–240. Springer, Heidelberg (2013) CrossRef

Chaum, D., Evertse, J.-H.: Cryptanalysis of DES with a reduced number of rounds: sequences of linear factors in block ciphers. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 192–211. Springer, Heidelberg (1986)

Diffie, W., Hellman, M.E.: Cryptanalysis of the NBS data encryption standard. Computer 10(6), 74–84 (1977)CrossRef

Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012) CrossRef

10.

Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. IACR Cryptology ePrint Arch. 2015, 146 (2015)

11.

Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014)

12.

Isobe, T., Shibutani, K.: Generic key recovery attack on Feistel scheme. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 464–485. Springer, Heidelberg (2013) CrossRef

13.

Isobe, T., Shibutani, K.: Improved All-subkeys recovery attacks on FOX, KATAN and SHACAL-2 block ciphers. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 104–126. Springer, Heidelberg (2015)

14.

Junod, P., Vaudenay, S.: FOX : a new family of block ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 114–129. Springer, Heidelberg (2004) CrossRef

15.

Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012) CrossRef

16.

Knudsen, L.: DEAL - A 128-bit Block Cipher. NIST AES Proposal (1998)

17.

Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)MathSciNetCrossRefMATH

18.

National Bureau of Standards. Data encryption standard. Federal Information Processing Standards Publications (FIPS) 46 (1977)

19.

Sarkar, P., Iwata, T. (eds.): Advances in Cryptology - ASIACRYPT 2014–20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I. Lecture Notes in Computer Science, vol. 8873. Springer, Heidelberg (2014)

20.

Wang, L., Sasaki, Y.: Finding preimages of tiger up to 23 steps. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 116–133. Springer, Heidelberg (2010) CrossRef

21.

Wang, M., Wang, X., Chow, K., Hui, L.C.K.: New Differential Cryptanalytic Results for Reduced-Round CAST-128. IEICE Trans. 93(12), 2744–2754 (2010)CrossRef

Titel: New Attacks on Feistel Structures with Improved Memory Complexities
verfasst von: Itai Dinur
Orr Dunkelman
Nathan Keller
Adi Shamir
Verlag: Springer Berlin Heidelberg
Buch: Advances in Cryptology -- CRYPTO 2015
Print ISBN: 978-3-662-47988-9

Electronic ISBN: 978-3-662-47989-6

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-662-47989-6_21

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"