![Page 1: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/1.jpg)
Improved All-Subkeys Recovery
Attacks on FOX, KATAN
and SHACAL-2 Block Ciphers
Takanori Isobe and Kyoji Shibutani
Sony Corporation
FSE 2014 @ London, UK
3 March 2014
![Page 2: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/2.jpg)
Sony Corporation
Background
All-Subkeys Recovery Attacks Proposed at SAC 2012 by Isobe and Shibutani
Recover all subkeys instead of user-provided key
Applied to CAST-128, KATAN32/48/64, SHACAL-2, Blowfish, FOX
Function Reduction Technique Proposed at ASIACRYPT 2013 by Isobe and Shinbutani
Advanced Technique for All-Subkeys Recovery Attack
Applied to Feistel Construction
• Improved generic attacks on several Feistel constructions
• 8-round attack on CAST-128 (best attack w.r.t. # attacked rounds)
• Extremely-Low data attacks on 8/10/12-round Camellia-128/192/256
![Page 3: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/3.jpg)
Sony Corporation
Our Contribution
Improve “All-Subkeys Recovery Attack”
Extend “Function Reduction” to other constructions • Exploit structure-dependent properties of Lai-Massey and LFSR-type
Utilize “Repetitive All-Subkeys Recovery Attack” • Reduce data requirement in each inner ASR attacks
– Variant of inner loop technique
Apply to FOX64/128, KATAN32/48/64, SHACAL-2 • FOX64/128 : Lai-Massey construction
• KATAN32/48/64 : Stream-type (LFSR) construction
• SHACAL-2 : Source-heavy Generalized Feistel construction
![Page 4: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/4.jpg)
Sony Corporation
Our Results
Target # Attacked rounds
Attack Type Time Memory Data Paper
FOX64
5 Integral 2109.4 Not given 29 [26]
5 Impossible differential 271 Not given 290 [27]
6 ASR 2124 2124 15 Ours
7 ASR 2124 2124 230.9 Ours
FOX128
5 Integral 2205.6 Not given 2116.3 [26]
5 Impossible differential 2135 Not given 28 [27]
5 ASR 2228 2228 14 [16]
6 ASR 2124 2124 15 Ours
7 ASR 2124 2124 230.9 Ours
KATAN32
110 ASR 277 275.1 138 [16]
114 Differential 277 Not given 231.9 [2]
119 ASR 279.1 279.1 144 Ours
KATAN48
100 ASR 278 278 128 [16]
105 ASR 279.1 279.1 144 Ours
KATAN64
94 ASR 277.1 279.1 116 [16]
99 ASR 279.1 279.1 142 Ours
SHACAL-2
41 ASR 2500 2492 244 [16]
42 ASR 2508 2508 225 Ours
![Page 5: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/5.jpg)
Sony Corporation
Agenda
1. All-Subkeys Recovery Attacks
2. Function reduction technique
3. Improved Attacks on FOX-64/128
4. Improved Attacks on KATAN-32/48/64
5. Improved Attacks on SHACAL-2
6. Conclusion
![Page 6: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/6.jpg)
Sony Corporation
All-Subkeys Recovery Attack
Find all subkeys instead of user-provided key
“Finding all subkeys” ≒ “Finding user-provided key”
Advantage
Analyzing KSF is not necessary
• Easy to apply to complex KSF!
Focus only on data processing part
• Work on any KSF (even ideal KSF) => generic attack!
Plaintext
Ciphertext
KSF Key Ideal
SK1
SK2
SKN
Round 1
Round 2
Round N
Sony Corporation
![Page 7: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/7.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
n /2
n
key KSF k
P
C
![Page 8: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/8.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
n /2
n P
C
![Page 9: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/9.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
1. Choose s -bit matching state S
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
S
n /2
n P
C
![Page 10: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/10.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
1. Choose s -bit matching state S
2. Compute S = F(f)(K(f), P) with all K(f)
and Make Table of (s, K(f)) pairs
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
S
K(f)
n /2
n P
C
![Page 11: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/11.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
1. Choose s -bit matching state S
2. Compute S = F(f)(K(f), P) with all K(f)
and Make Table of (s, K(f)) pairs
3. Compute S ’ = F(f)(K(b), C) with all K(b)
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
S
K(b)
K(f)
n /2
n P
C
![Page 12: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/12.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
1. Choose s -bit matching state S
2. Compute S = F(f)(K(f), P) with all K(f)
and Make Table of (s, K(f)) pairs
3. Compute S ’ = F(f)(K(b), C) with all K(b)
4. If S = S ’, regard it as key candidate
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
S
K(b)
K(f)
# surviving key candidates : 26n/2 – n/2 = 25n/2
|K(f)| = 3n/2
|K(b)| = 3n/2
n /2
n P
C
![Page 13: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/13.jpg)
Sony Corporation
How to Recover All Subkeys
Based on Meet-in-the-Middle Approach Example: 7-round Feistel Cipher w/ k (=2n)-bit key and n-bit block
1. Choose s -bit matching state S
2. Compute S = F(f)(K(f), P) with all K(f)
and Make Table of (s, K(f)) pairs
3. Compute S ’ = F(f)(K(b), C) with all K(b)
4. If S = S ’, regard it as key candidate
Sony Corporation
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
S
K(b)
K(f)
# surviving key candidates : 26n/2 – n/2 = 25n/2
For successful attack we need to reduce key space
n /2
n P
C
![Page 14: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/14.jpg)
Sony Corporation
Parallel MitM attack
Given N (4) plaintext/ciphertexts
K(f)
K(b)
P1 P2 P4
C1 C2 C4
E1 E1 E1
E2 E2 E2
# surviving key candidates : 26n/2 – 4・n/2 = 2n (=2k/2)
n/2 bit n/2 bit n/2 bit
Filter out wrong keys by using N (4) matching state
P3
C3
E1
E2
n/2 bit
![Page 15: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/15.jpg)
Sony Corporation
Evaluation
Sony Corporation
-Time complexity :
max (2|K(f)|, 2|K(b)|)×N
= max (23n/2, 23n/2)×4
= 23n/2 +2 = 23n/4 +2 < 2k
K1 F
F
F
F
F
F
F
K2
K3
K4
K5
K6
K7
Plaintext
Ciphertext
S
|K(f)| = 3n/2
|K(b)| = 3n/2
Point for successful attack : Reduce involved keys K(f) and K(b) in forward and backward computation
Time complexity for filtering wrong keys
K(b)
K(f)
n /2
n P
C
![Page 16: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/16.jpg)
Sony Corporation
Agenda
1. All-Subkeys Recovery Attacks
2. Function reduction technique
3. Improved Attacks on FOX-64/128
4. Improved Attacks on KATAN-32/48/64
5. Improved Attacks on SHACAL-2
6. Conclusion
![Page 17: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/17.jpg)
Sony Corporation
Function Reduction Technique [IS 2013]
Technique to reduce bits used in K(f) and K(b)
Using degree of freedom of plaintext/ciphertext
Sony Corporation
![Page 18: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/18.jpg)
Sony Corporation
Function Reduction Technique [IS 2013]
Technique to reduce bits used in K(f) and K(b)
Using degree of freedom of plaintext/ciphertext
Sony Corporation
F
F
k1
k2
F k3
F k4
L1 R1
4×n/2 bits
3×n/2 bits
![Page 19: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/19.jpg)
Sony Corporation
Function Reduction Technique [IS 2013]
Technique to reduce bits used in K(f) and K(b)
Using degree of freedom of plaintext/ciphertext
Sony Corporation
F
F
k1
k2
F k3
F k4
L1 R1
4×n/2 bits
3×n/2 bits
F
k’1
k2
F k3
F k4
CON R1
k’1=F(CON k1)
![Page 20: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/20.jpg)
Sony Corporation
Function Reduction Technique [IS 2013]
Technique to reduce bits used in K(f) and K(b)
Using degree of freedom of plaintext/ciphertext
Sony Corporation
F
F
k1
k2
F k3
F k4
L1 R1
4×n/2 bits
3×n/2 bits
F
k’1
k2
F k3
F k4
CON R1
F k’2
F k3
F k’4
CON R1
k’1=F(CON k1) k’2=k’1 k2
k’4=k’1 k4
3×n/2 bits
3×n/2 bits
k’1
Reduced!!
![Page 21: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/21.jpg)
Sony Corporation
Agenda
1. All-Subkeys Recovery Attacks
2. Function reduction technique
3. Improved Attacks on FOX-64/128
4. Improved Attacks on KATAN-32/48/64
5. Improved Attacks on SHACAL-2
6. Conclusion
![Page 22: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/22.jpg)
Sony Corporation
FOX
Proposed by Junod and Vaudenay @ SAC 2004
Also known as IDEA NXT (successor of IDEA)
Based on Lai-Massey scheme
Strong key scheduling function
Two Variants
FOX 64 : 64-bit block and 128-bit key
FOX 128 : 128-bit block and 256-bit key
f32
OR
K1 f64 K1
FOX 64 FOX 128
![Page 23: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/23.jpg)
Sony Corporation
Function Reduction of FOX 64
f32
or
K1
L0 R0 = L0 ^ CON
Choose plaintext s.t., R0 = L0 ^ CON Input to f32 is fixed to constant CON
![Page 24: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/24.jpg)
Sony Corporation
Function Reduction of FOX 64
f32
or
K1 f32
or
K1
L0 L0 R0 = L0 ^ CON
CON
R0 = L0 ^ CON
Choose plaintext s.t., R0 = L0 ^ CON Input to f32 is fixed to constant CON
![Page 25: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/25.jpg)
Sony Corporation
Function Reduction of FOX 64
f32
or
K1 f32
or
K1
L0 L0 R0 = L0 ^ CON
CON
or
K’1
L0
K’1
R0 = L0 ^ CON R0 = L0 ^ CON
Choose plaintext s.t., R0 = L0 ^ CON Input to f32 is fixed to constant CON
K’1 = f32(CON, K1)
depend only on key bits
![Page 26: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/26.jpg)
Sony Corporation
Function Reduction of FOX 64
f32
or
K1 f32
or
K1
L0 L0 R0 = L0 ^ CON
CON
or
OK’1
L0
K’1
R0 = L0 ^ CON R0 = L0 ^ CON
Choose plaintext s.t., R0 = L0 ^ CON Input to f32 is fixed to constant CON
K’1 = f32(CON, K1) OK’1 = or (f32(CON, K1))
![Page 27: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/27.jpg)
Sony Corporation
3-round Function Reduction of FOX64
f32
or
K1
L0
f32
or
K2
f32
or
K3
or
OK’1
L0
f32
or
K2
f32
or
K3
R0 = L0 ^ CON
R0 = L0 ^ CON
K’1
K’1 = f32(CON, K1) OK’1 = or (f32(CON, K1))
![Page 28: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/28.jpg)
Sony Corporation
3-round Function Reduction of FOX64
f32
or
K1
L0
f32
or
K2
f32
or
K3
or
OK’’’1
L0
f32
or
K’2
f32
or
K’3
R0 = L0 ^ CON
R0 = L0 ^ CON
K’’’1
K’1 = f32(CON, K1) OK’1 = or (f32(CON, K1)) LK’2 = LK2 ^ OK’1 ^ K’1
K’’1 = K’1 ^ LK2
OK’’1 =or (OK’1 ^ LK2) K’2 = LK2 || RK2 LK’3 = LK3 ^ OK’’1 ^ K’’1
K’’’1 = K’’1 ^ LK3
OK’’’1 =or (OK’’1 ^ LK3) K’3 = LK3 || RK3
S S S
S S S S
LK’3
RK3
S
Matrix
![Page 29: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/29.jpg)
Sony Corporation
6-round Attack on FOX 64
3-round Function Reduction in forward direction
3 rounds
1 round
2 rounds
L0 R0 = L0 ^ CON
L6 R6
![Page 30: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/30.jpg)
Sony Corporation
6-round Attack on FOX 64
3-round Function Reduction in forward direction
3 rounds
1 round
2 rounds
L0 R0 = L0 ^ CON
L6 R6
f32
or
K1
R3 L3
R4 L4
One-round keyless relation L3 R3 = or-1(L4) R4
![Page 31: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/31.jpg)
Sony Corporation
6-round Attack on FOX 64
3-round Function Reduction in forward direction
3 rounds
1 round
2 rounds
|K(f)| = 120
|K(b)| = 120
L0 R0 = L0 ^ CON
L6 R6
f32
or
K1
R3 L3
R4 L4
One-round keyless relation L3 R3 = or-1(L4) R4
lower 16 bits are used for the matching
![Page 32: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/32.jpg)
Sony Corporation
6-round Attack on FOX 64
3-round Function Reduction in forward direction
3 rounds
1 round
2 rounds
|K(f)| = 120
|K(b)| = 120
L0 R0 = L0 ^ CON
L6 R6
Given 15 data (15 parallel ASR attacks),
2240 candidates are reduced to 20(2240 – 16・15) = 1
Time : 2120 × 15 = 2124
Data : 15 Memory : 2120×14 = 2124
![Page 33: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/33.jpg)
Sony Corporation
7-round Attack on FOX64
3-round Function Reduction in both directions
3 rounds
1 round
3 rounds
|K(f)| = 120
|K(b)| = 120
L0 R0 = L0 ^ CON
L6 R6 = L6 ^ CON
Require 15 plaintext/ciphertext pairs s.t. - Plaintext = L0||L0 ^ CON (32 bit condition) - Ciphertext = L6||L6 ^ CON (32 bit condition) To find these data, it requires more than 232 plaintexts satisfying L0||L0 ^ CON (32 bit condition). However, degree of freedom of plaintext is only 32 bit L0
![Page 34: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/34.jpg)
Sony Corporation
7-round Attack on FOX64
3-round Function Reduction in both directions
3 rounds
1 round
3 rounds
|K(f)| = 120
|K(b)| = 120
L0 R0 = L0 ^ CON
L6 R6 = L6 ^ CON Repetitive ASR approach
Require 15 plaintext/ciphertext pairs s.t. - Plaintext = L0||L0 ^ CON (32 bit condition) - Ciphertext = L6||L6 ^ CON (32 bit condition) To find these data, it requires more than 232 plaintexts satisfying L0||L0 ^ CON (32 bit condition). However, degree of freedom of plaintext is only 32 bit L0
![Page 35: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/35.jpg)
Sony Corporation
Repetitive All-Subkeys Recovery Attack
Divide Parallel MitM into M parts
Enable mounting each ASR with less data
Example : M = 2 (8 and 7)
K(f)
K(b)
P1 P2 P8
C1 C2 C8
E1 E1 E1
E2 E2 E2
s-bit s-bit s-bit
K(f)
K(b)
P9 P10 P15
C9 C10 C15
E1 E1 E1
E2 E2 E2
s-bit s-bit s-bit
8 desired data can be obtained from 231 ciphertexts
![Page 36: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/36.jpg)
Sony Corporation
Repetitive All-Subkeys Recovery Attack
Divide Parallel MitM into M parts
Enable mounting each ASR with less data
Example : M = 2 (8 and 7)
Surviving keys
Surviving keys
Matching
K(f)
K(b)
P1 P2 P8
C1 C2 C8
E1 E1 E1
E2 E2 E2
s-bit s-bit s-bit
K(f)
K(b)
P9 P10 P15
C9 C10 C15
E1 E1 E1
E2 E2 E2
s-bit s-bit s-bit
8 plaintext /ciphertexts 7 plaintext /ciphertexts
![Page 37: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/37.jpg)
Sony Corporation
7-round Attack on FOX64
3-round Function Reduction in both directions
3 rounds
1 round
3 rounds
|K(f)| = 120
|K(b)| = 120
L0 R0 = L0 ^ CON
L6 R6 = L6 ^ CON
Time : 2120 × 8 + 2120 × 7 = 2124
Data : 231
Memory : 2120×14 = 2123
![Page 38: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/38.jpg)
Sony Corporation
Results
Target #Attack round
Attack Type Time Memory Data Paper
FOX64
5 Integral 2109.4 Not given 29 [26]
5 Impossible differential 271 Not given 290 [27]
6 ASR 2124 2124 15 Ours
7 ASR 2124 2124 230.9 Ours
FOX128
5 Integral 2205.6 Not given 2116.3 [26]
5 Impossible differential 2135 Not given 28 [27]
5 ASR 2228 2228 14 [16]
6 ASR 2124 2124 15 Ours
7 ASR 2124 2124 230.9 Ours
Update best single-key attacks on FOX64 and FOX128 w.r.t. number of attacked rounds
![Page 39: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/39.jpg)
Sony Corporation
Agenda
1. All-Subkeys Recovery Attacks
2. Function reduction technique
3. Improved Attacks on FOX-64/128
4. Improved Attacks on KATAN-32/48/64
5. Improved Attacks on SHACAL-2
6. Conclusion
![Page 40: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/40.jpg)
Sony Corporation
KATAN Family
Ultra lightweight block cipher (CHES 2010)
block size : 32/48/64 bits, key size : 80 bits
Based on Stream cipher Trivium
254-round LFSR-type construction
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k2i
k2i+1
Round constant
Round key
Round key
XOR
AND
L1
L2
![Page 41: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/41.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k0
k1
i = 0
![Page 42: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/42.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k0
k1
i = 0
constant X[0]
![Page 43: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/43.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k2
k3
i = 1 k’1 =k1 ^ X[0]
![Page 44: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/44.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k4
k5
i = 2 k’1
![Page 45: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/45.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k6
k7
i = 3 k’1
![Page 46: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/46.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k8
k9
i = 4 k’1
![Page 47: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/47.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k8
k9
i = 4 k’1
k’8 = k8 ^ (k’1・IR)
![Page 48: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/48.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k10
k11
i = 5 k’1
k’8
![Page 49: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/49.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k12
k13
i = 6 k’1 A
k’8
constant
![Page 50: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/50.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k12
k13
i = 6 k’1 A
k’12 = k12 ^ (k’1・A)
k’8
constant
![Page 51: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/51.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k14
k15
i = 7 k’1
k’12 k’8
![Page 52: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/52.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k16
k17
i = 8 k’1
k’16 = k16 ^ k’1
k’12 k’8
![Page 53: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/53.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k18
k19
i = 9 k’1
k’16
B
k’18 = k18 ^ (k’1・B)
k’12 k’8
constant
![Page 54: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/54.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k20
k21
i = 10 k’1
k’16 k’12 k’8 k’18
![Page 55: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/55.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k22
k23
i = 11 k’1
k’16 k’12 k’8 k’18
![Page 56: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/56.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k24
k25
i = 12 k’1
k’16 k’12 k’8 k’18
![Page 57: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/57.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k26
k27
i = 13 k’1
k’26 = k26 ^ k’1
k’16 k’12 k’8 k’18
![Page 58: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/58.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k4
k5
i = 13
k’26 k’16 k’12 k’8 k’18
![Page 59: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/59.jpg)
Sony Corporation
Function Reduction of KATAN32
0 1 2 3 4 5 6 7 8 9 10 11 12
18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IR k4
k5
i = 13
k’26 k’12 k’8
If X[0], A and B are fixed, k1 is disregarded
by defining new keys k’8, k’12, k’16, k’18, k’26
k’16 k’18
![Page 60: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/60.jpg)
Sony Corporation
119-round Attack on KATAN32
8-bit function reduction in forward direction
by controlling 23 bits of plaintexts
Plaintext
69 round
50 round
Ciphertext
L2[18]
|Kf| = 72
|Kb| = 72
Given 144 data,
2144 candidates are reduced to 20(2240 – 1・144) = 1
Time : 272 × 144 = 279.1
Data : 144 Memory : 272×144 = 279.1
![Page 61: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/61.jpg)
Sony Corporation
Results
Target #Attack round
Attack Type Time Memory Data Paper
KATAN32
110 ASR 277 275.1 138 [16]
114 Differential 277 Not given 231.9 [2]
119 ASR 279.1 279.1 144 Ours
KATAN48
100 ASR 278 278 128 [16]
105 ASR 279.1 279.1 144 Ours
KATAN64
94 ASR 277.1 279.1 116 [16]
99 ASR 279.1 279.1 142 Ours
Update best single-key attacks on KATAN 32/48/64 w.r.t. number of attacked rounds
![Page 62: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/62.jpg)
Sony Corporation
Agenda
1. All-Subkeys Recovery Attacks
2. Function reduction technique
3. Improved Attacks on FOX-64/128
4. Improved Attacks on KATAN-32/48/64
5. Improved Attacks on SHACAL-2
6. Conclusion
![Page 63: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/63.jpg)
Sony Corporation
SHACAL-2
Selected by NESSIE portfolio
block size : 256 bits, key size : <= 512 bits
Based on SHA-256 compression function
64-round GFN like construction
Best Attack : 41 round ASR attack
![Page 64: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/64.jpg)
Sony Corporation
Key Linearization of SHACAL-2
Key Linearization w/ splice-and-cut
18
14
0
0
32
14
18
Splice-and-Cut
![Page 65: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/65.jpg)
Sony Corporation
42-round Attack on SHACAL-2
Splice-and-Cut approach Plaintext
17 rounds
25 rounds
Ciphertext
L2[18]
|K(f)| = 498
|K(b)| = 498
Given 996 data,
2996 candidates are reduced to 20(2240 – 1・144) = 1
Time : 2498 ×996 = 2508
Data : 225
Memory : 2498 ×996 = 2508
![Page 66: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/66.jpg)
Sony Corporation
Conclusion
Improved “All-Subkeys Recovery Attack”
Extended “Function Reduction” to other constructions • Exploit structure-dependent properties of Lai-Massey and LFSR-type
Utilized “Repetitive All-Subkeys Recovery Attack”
Updated best single-key attacks of FOX64/128, KATAN32/48/64, SHACAL-2
• 7-round attacks on FOX64/128
• 119/110/99-round attacks on KATAN32/48/64
• 42-round attack on SHACAL-2
![Page 67: Improved All-Subkeys Recovery Attacks on FOX, … · Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers Takanori Isobe and Kyoji Shibutani Sony Corporation](https://reader034.vdocuments.net/reader034/viewer/2022051802/5aeabeaa7f8b9a3b2e8d1ea5/html5/thumbnails/67.jpg)
Sony Corporation
Thank you for your attention!