Presentation is loading. Please wait.

Presentation is loading. Please wait.

SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2.

Similar presentations


Presentation on theme: "SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2."— Presentation transcript:

1 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2 LSI-TEC, PKI Certification department

2 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Summary The CAST-128 and CAST-256 Block Ciphers Linear Cryptanalysis: brief overview Linear Analysis of CAST-128 and CAST-256 Attack Details Conclusions and Open Problems

3 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST bit iterated block cipher key: 40 bits up to 128 bits (increments of 8 bits) 12 up to 16 rounds Feistel Network structure designed by C. Adams and S.Tavares (1996) S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

4 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5) CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S 1, S 2, S 3, S 4 ) and for the key schedule (S 5, S 6, S 7, S 8 ) round operations: +, -, <<<,  three round functions: f 1, f 2 and f 3 An official algorithm for use with the Canadian Government:

5 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 f1f1 f2f2 f3f3 Round functions

6 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 a former candidate to the Advanced Encryption Standard (AES) Development Process (1997) 128-bit iterated block cipher 128-, 192- and 256-bit key 48 rounds for all key sizes generalized Feistel Network structure S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

7 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 one quad-round f1f1 f1f1 f2f2 f3f3

8 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 full CAST-256: six quad-rounds + six inverse quad-rounds one inverse quad-round = one quad-round upside down f1f1 f2f2 f1f1 f3f3

9 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis developed by Mitsuru Matsui (Mitsubishi Corp) first ideas: Adi Shamir (DES S-boxes’ parity), 1994 applied to FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8, DES (Matsui, ) known-plaintext (KP) attack (sometimes, can also work in a ciphertext-only setting) general cryptanalytic technique: used against block ciphers, stream ciphers, and other crypto algorithms

10 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis basic tool: (some notions) linear relation, a linear combination of bits of plaintext, ciphertext and key linear approximation: Boolean function holding with non-uniform parity (away from ½) bias: difference between 0-parity and ½ the higher the bias, the more effective the linear approximation number of KP for a high success attack:  bias -2

11 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis strategy: derive linear approximations for each individual cipher components non-linear components are the main targets combine linear approximations of consecutive components, until reach a full round for multiple rounds, use Matsui’s Piling-Up Lemma this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)

12 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 8x32-bit S-boxes are always non-surjective mappings Modular addition and substraction in round function F motivation for linear approximations of the form 0 8   32, across the S-box, where  32 is a nonzero bit mask bias for all S-boxes S 1,...,S 4 with mask  32 =1 is 2 -5 we use  32 =1 (least significant bit) to bypass the modular addition and subtraction after the S- boxes in the round function

13 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 f1f1

14 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 iterative linear relations: input and output bit masks are identical, so that it can be concatenated to itself, with a fixed decrease in the bias for CAST-128: 2-round iterative linear relations w 1 active F

15 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 iterative linear relations: input and output bit masks are identical, so that it can be concatenated to itself, with a fixed decrease in the bias for CAST-128: 2-round iterative linear relations w 1 active F

16 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 CAST-256 S-boxes are the same as for CAST- 128 thus, the same bit masks are used: 0  1 similarly, we look for iterative linear relations result: 4-round iterative linear relations, or one quad-round iterative linear relations.

17 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256

18 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST active F per quad-round

19 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 Other combinations

20 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 Bit mask controls active F

21 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Attack Results on reduced-round CAST-128 #RoundsData/MemoryTimeComments distinguishing attack distinguishing attack key-recovery attack

22 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Attack Results on reduced-round CAST-256 #RoundsData/MemoryTimeComments distinguishing attack key-recovery attack distinguishing attack key-recovery attack distinguishing attack

23 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Conclusions first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256 attacks exploit non-surjectivity of 8x32-bit S- boxes (happens for any such mappings)

24 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Open Problems we found quadratic equations for all four S- boxes S 1,...,S 4 of CAST-128/CAST-256. The question is: can we use them in a (pure) algebraic attack? what about combining linear and quadratic equations??

25 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2 LSI-TEC, PKI Certification department


Download ppt "SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2."

Similar presentations


Ads by Google