
SBSeg 2007, NCE/UFRJ, Rio de Janeiro

Linear Analysis of reduced-round CAST-128 and CAST-256

Jorge Nakahara Jr (1)

Mads Rasmussen (2)

(1) UNISANTOS, Brazil; (2) LSI-TEC, PKI Certification department


Summary

• The CAST-128 and CAST-256 Block Ciphers

• Linear Cryptanalysis: brief overview

• Linear Analysis of CAST-128 and CAST-256

• Attack Details

• Conclusions and Open Problems


CAST-128

• 64-bit iterated block cipher

• key: 40 bits up to 128 bits (increments of 8 bits)

• 12 up to 16 rounds

• Feistel Network structure

• designed by C. Adams and S. Tavares (1996)

• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996


CAST-128

• CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5)

• CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S1, S2, S3, S4) and for the key schedule (S5, S6, S7, S8)

• round operations: +, -, <<<, ⊕ (XOR)

• three round functions: f1, f2 and f3

• An official algorithm for use with the Canadian Government:

http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html


CAST-128

[Figure: the three CAST-128 round functions f1, f2 and f3]


CAST-256

• a former candidate in the Advanced Encryption Standard (AES) Development Process (1997)

• 128-bit iterated block cipher

• 128-, 192- and 256-bit key

• 48 rounds for all key sizes

• generalized Feistel Network structure

• S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996


CAST-256: one quad-round

[Figure: one quad-round of CAST-256, built from the round functions f1, f1, f2, f3]


CAST-256

• full CAST-256: six quad-rounds + six inverse quad-rounds

• one inverse quad-round = one quad-round upside down

[Figure: one inverse quad-round of CAST-256 (round functions labelled f1, f2, f1, f3 in the figure)]


Linear Cryptanalysis

• developed by Mitsuru Matsui (Mitsubishi Corp)

• first ideas: Adi Shamir (DES S-boxes' parity), 1994

• applied to the FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8, DES (Matsui, 1991-1993)

• known-plaintext (KP) attack (sometimes, can also work in a ciphertext-only setting)

• general cryptanalytic technique: used against block ciphers, stream ciphers, and other crypto algorithms


Linear Cryptanalysis

• basic tool (some notions):

• linear relation: a linear combination of bits of plaintext, ciphertext and key

• linear approximation: a Boolean function holding with non-uniform parity (away from ½)

• bias: difference between the probability of 0-parity and ½

• the higher the bias, the more effective the linear approximation

• number of KP for a high-success attack: bias^-2


Linear Cryptanalysis

• strategy: derive linear approximations for each individual cipher component

• non-linear components are the main targets

• combine linear approximations of consecutive components, until reaching a full round

• for multiple rounds, use Matsui's Piling-Up Lemma

• this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)
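The notions on these slides (bias of a linear approximation, the Piling-Up Lemma for combining round approximations, and the bias^-2 rule for the number of known plaintexts) as an added worked example; it is not part of the original presentation. It enumerates the public 4-bit PRESENT S-box purely because it is small enough to tabulate completely (it is not a CAST S-box), and the function names are the example's own.

```python
# Added example, not from the slides: computing the bias of a linear
# approximation over a small S-box and combining biases with Matsui's
# Piling-Up Lemma. The 4-bit S-box is the public PRESENT S-box, used here
# only because it is small enough to enumerate; it is not a CAST S-box.
from typing import Dict, List, Tuple

SBOX4: List[int] = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                    0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(x: int) -> int:
    """XOR of all bits of x (0 or 1)."""
    return bin(x).count("1") & 1


def bias(sbox: List[int], in_mask: int, out_mask: int) -> float:
    """Bias of the linear approximation  in_mask . x = out_mask . S(x).

    Counts how often the relation holds over every input x and returns
    |Pr[holds] - 1/2|, a value in [0, 1/2]; 0 means the relation carries
    no information, 1/2 means it holds always (or never)."""
    n = len(sbox)
    holds = sum(1 for x in range(n)
                if parity(x & in_mask) == parity(sbox[x] & out_mask))
    return abs(holds / n - 0.5)


def linear_approximation_table(sbox: List[int]) -> Dict[Tuple[int, int], float]:
    """Bias for every pair of nonzero (input mask, output mask)."""
    n = len(sbox)
    return {(a, b): bias(sbox, a, b) for a in range(1, n) for b in range(1, n)}


def best_approximation(sbox: List[int]) -> Tuple[int, int, float]:
    """The (input mask, output mask, bias) triple with the largest bias."""
    lat = linear_approximation_table(sbox)
    (a, b), eps = max(lat.items(), key=lambda kv: kv[1])
    return a, b, eps


def piling_up(biases: List[float]) -> float:
    """Matsui's Piling-Up Lemma: XOR-ing n independent approximations with
    biases e_1..e_n gives an approximation of bias 2^(n-1) * prod(e_i)."""
    result = 2.0 ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


def iterate_relation(round_bias: float, repetitions: int) -> float:
    """Bias of an iterative relation concatenated with itself `repetitions`
    times: each concatenation costs a fixed factor, as the slides describe."""
    return piling_up([round_bias] * repetitions)


def known_plaintexts_needed(total_bias: float) -> float:
    """Rule of thumb from the slides: about bias^-2 known plaintexts."""
    return 1.0 / (total_bias * total_bias)


if __name__ == "__main__":
    a, b, eps = best_approximation(SBOX4)
    print(f"best approximation: masks 0x{a:x} -> 0x{b:x}, bias {eps}")
    # Two independent rounds, each approximated with bias 2^-5 (the per-S-box
    # bias the slides quote for output mask 1), give a total bias of 2^-9 and
    # therefore need roughly 2^18 known plaintexts.
    total = piling_up([2 ** -5, 2 ** -5])
    print("two-round bias:", total, "KP needed:", known_plaintexts_needed(total))
```

The PRESENT S-box was chosen so that every single-bit-to-single-bit approximation has bias at most 1/8, while the best approximation over all mask pairs reaches 1/4; the table function makes both facts visible by brute force, which is exactly what is infeasible for an 8x32-bit S-box and why the CAST analysis restricts itself to one output mask.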


Linear Analysis of CAST-128

• 8x32-bit S-boxes are always non-surjective mappings (only 256 of the 2^32 possible outputs can occur)

• modular addition and subtraction in round function F

• motivation for linear approximations of the form 0^8 → (32-bit mask) across the S-box: an all-zero 8-bit input mask and a nonzero 32-bit output mask; with a zero input mask the relation depends only on the parity of the masked output over the 256 table entries, which a non-surjective table does not balance

• bias for all S-boxes S1,...,S4 with 32-bit output mask = 1 is 2^-5

• we use output mask 1 (least significant bit) to bypass the modular addition and subtraction after the S-boxes in the round function
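An added example (not from the slides) of the two observations above: with an all-zero input mask the S-box approximation reduces to a parity count over the table's 256 outputs, and the least significant bit of a modular sum or difference equals the XOR of the operands' least significant bits, so output mask 1 crosses the + and - in the round function with probability 1. The 8x32-bit table is a constructed, seeded random stand-in for the CAST S-boxes (the real tables are not on the page); an 8x8 permutation is included for contrast, and all function names are the example's own.

```python
# Added example, not from the slides. The S-box below is a CONSTRUCTED
# random 8x32-bit table, not a real CAST-128/CAST-256 S-box.
import random
from typing import List

MASK32 = 0xFFFFFFFF


def make_random_8x32_sbox(seed: int = 2007) -> List[int]:
    """Constructed stand-in for an 8x32-bit S-box: 256 random 32-bit words."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(256)]


def make_random_8x8_permutation(seed: int = 2007) -> List[int]:
    """Constructed bijective 8x8-bit S-box, for comparison."""
    rng = random.Random(seed)
    table = list(range(256))
    rng.shuffle(table)
    return table


def parity(x: int) -> int:
    """XOR of all bits of x (0 or 1)."""
    return bin(x).count("1") & 1


def is_surjective(sbox: List[int], out_bits: int) -> bool:
    """A table with 256 entries covers at most 256 of the 2^out_bits outputs,
    so an 8x32-bit S-box can never be surjective."""
    return len(set(sbox)) == 2 ** out_bits


def zero_input_bias(sbox: List[int], out_mask: int) -> float:
    """Bias of the approximation  0 . x = out_mask . S(x).

    The input side is identically zero, so the relation holds exactly when
    the masked output has even parity; only the table's outputs matter."""
    even = sum(1 for y in sbox if parity(y & out_mask) == 0)
    return abs(even / len(sbox) - 0.5)


def lsb_passes_through_add_sub(a: int, b: int) -> bool:
    """Bit 0 of a+b and of a-b (mod 2^32) equals a_0 XOR b_0: no carry or
    borrow enters the lowest bit, so mask 1 crosses +/- with bias 1/2."""
    add_lsb = ((a + b) & MASK32) & 1
    sub_lsb = ((a - b) & MASK32) & 1
    return add_lsb == sub_lsb == ((a ^ b) & 1)


def check_lsb_bypass(trials: int = 10000, seed: int = 1) -> bool:
    """Spot-check the LSB property on random 32-bit operand pairs."""
    rng = random.Random(seed)
    return all(lsb_passes_through_add_sub(rng.getrandbits(32), rng.getrandbits(32))
               for _ in range(trials))


if __name__ == "__main__":
    S = make_random_8x32_sbox()
    P = make_random_8x8_permutation()
    print("8x32 table surjective:", is_surjective(S, 32))
    # For the random 8x32 table the count of even-parity LSBs deviates from
    # 128 by a few units, giving a small but nonzero bias; for the bijection
    # every nonzero output mask is perfectly balanced, so the bias is 0.
    print("bias of 0^8 -> mask 1 on 8x32 table:", zero_input_bias(S, 1))
    print("bias of 0^8 -> mask 1 on 8x8 bijection:", zero_input_bias(P, 1))
    print("LSB passes through + and -:", check_lsb_bypass())
```

The comparison with the 8x8 bijection is the point: a permutation of the 8-bit space is balanced for every nonzero output mask, so a zero input mask yields nothing there, whereas an 8x32-bit table is a sparse sample of the 32-bit space and some output mask is almost always unbalanced. The slides report that this imbalance is 2^-5 for mask 1 on each of the real S1,...,S4.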

[Figure: linear approximation across round function f1 of CAST-128]

Linear Analysis of CAST-128

• iterative linear relations: input and output bit masks are identical, so that the relation can be concatenated with itself, with a fixed decrease in the bias per concatenation

• for CAST-128: 2-round iterative linear relations with 1 active F



Linear Analysis of CAST-256

• CAST-256 S-boxes are the same as for CAST-128

• thus, the same bit masks are used: 0^8 → 1

• similarly, we look for iterative linear relations

• result: 4-round iterative linear relations, or one-quad-round iterative linear relations


Linear Analysis of CAST-256

[Figure: one-quad-round iterative linear relation with 1 active F per quad-round]


Linear Analysis of CAST-256

[Figure: other combinations of active F within a quad-round]

[Figure: the bit mask controls which F is active]


Attack Results on reduced-round CAST-128

#Rounds   Data/Memory   Time      Comments
2         2^37          2^37      distinguishing attack
3         2^37          2^37      distinguishing attack
4         2^37          2^72.5    key-recovery attack


Attack Results on reduced-round CAST-256

#Rounds   Data/Memory   Time      Comments
4         2^37          2^37      distinguishing attack
5         2^37          2^71.7    key-recovery attack
8         2^69          2^69      distinguishing attack
9         2^69          2^103     key-recovery attack
12        2^101         2^101     distinguishing attack


Conclusions

• first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256

• attacks exploit the non-surjectivity of the 8x32-bit S-boxes (which holds for any such mapping)


Open Problems

• we found quadratic equations for all four S-boxes S1,...,S4 of CAST-128/CAST-256.

The question is: can we use them in a (pure) algebraic attack?

• what about combining linear and quadratic equations?
