The Interpolation Attack on Block Ciphers*

Thomas Jakobsen (1), Lars R. Knudsen (2)

(1) Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email: jakobsen@mat.dtu.dk.
(2) Katholieke Universiteit Leuven, Dept. Electrical Engineering-ESAT, Kardinaal Mercierlaan 94, B-3001 Heverlee, Belgium, email: knudsen@esat.kuleuven.ac.be.
Abstract. In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about $2^{32}$ chosen plaintexts with a running time less than $2^{64}$. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.
1 Introduction

In an $r$-round iterated cipher the ciphertext is computed by iteratively applying in $r$ rounds a round function $G$ to the plaintext, s.t.
$$c_i = G(K_i, c_{i-1}),$$
where $c_0$ is the plaintext, $K_i$ is the $i$th round key, and $c_r$ is the ciphertext. A special kind of iterated ciphers are the Feistel ciphers. A Feistel cipher with block size $2n$ and $r$ rounds is defined as follows. Let $C_0^L$ and $C_0^R$ be the left and right hand halves of the plaintext, respectively, each of $n$ bits. The round function $G$ operates as follows
$$C_i^L = C_{i-1}^R, \qquad C_i^R = F(K_i, C_{i-1}^R) + C_{i-1}^L,$$
and the ciphertext is the concatenation of $C_r^R$ and $C_r^L$. Note that $F$ can be any function taking as arguments an $n$-bit text and a round key $K_i$ and producing $n$ bits. '+' is a commutative group operation on the set of $n$-bit blocks. For the remainder of this paper we will assume that '+' is the exclusive-or operation ($\oplus$).

* The work in this paper was initiated while the authors were visiting the Isaac Newton Institute, Cambridge, U.K., February 1996.
Based on the use of a quadratic function over a Galois field, Knudsen and Nyberg demonstrated in [10] how to construct a cipher which is provably secure against differential cryptanalysis [1]. The cipher is a Feistel cipher with the function $F$ given by $F : GF(2^{32}) \to GF(2^{32})$ with
$$F(k, x) = d(f(e(x) \oplus k)),$$
where $f : GF(2^{33}) \to GF(2^{33})$, $f(x) = x^3$, $k \in GF(2^{33})$, $e : GF(2^{32}) \to GF(2^{33})$ is a function which extends its argument by concatenation with an affine combination of the input bits, and $d : GF(2^{33}) \to GF(2^{32})$ discards one bit from its argument. We call this cipher $\mathcal{KN}$.
Also, we will consider the cipher with round function given by $F_k(x) = f(x \oplus k)$ where $f : GF(2^{32}) \to GF(2^{32})$, $f(x) = x^3$, i.e., the cubing function's input is not extended and the output not truncated as in the previous case. We call this cipher $\mathcal{PURE}$.
Both ciphers are secure against differential attacks [10]. Also, both ciphers are secure against the linear attack [7], which follows from [9].

In [10] the cipher $\mathcal{KN}$ is defined to be used with 6 rounds and since $f(x)$ is differentially 2-uniform, it is possible to prove that this yields a provably secure cipher (secure against conventional differential cryptanalysis). The same holds for $\mathcal{PURE}$. However, in both cases the non-linear order of the output is low with respect to the input and this can be exploited to mount an attack.
In the following, $x = (x_L, x_R)$ denotes the plaintext where $x_L$ and $x_R$ denote the left and right hand side of $x$, respectively. Similarly, $y = (y_L, y_R)$ denotes the ciphertext. By the reduced cipher, we denote the cipher that one gets by removing the final round of the original cipher. The output from this cipher is denoted $\tilde{y} = (\tilde{y}_L, \tilde{y}_R)$.
The attacks presented in this paper are classified according to the taxonomy of [4]. That is, by a key-recovery attack we mean that an attacker finds the secret key. By a global deduction we mean that an attacker finds an algorithm, which encrypts any plaintext into a valid ciphertext without knowing the secret key. By an instance deduction we mean that an attacker finds an algorithm, which encrypts a subset of all plaintexts into valid ciphertexts without knowing the secret key. In the key-recovery attacks we try to guess the last-round key. The guess is then used to decrypt the ciphertext by one round and in this way one (hopefully) obtains the output from the reduced cipher. If there exists a method to distinguish whether this is the actual output from the reduced cipher or not, then we can find the last-round key. Once this key has been found, attacks similar to the ones we present can be mounted on a cipher one round shorter than the original. As the measurement of the time needed by an attack, we use the total number of encryptions of the attacked block cipher.
This paper is organised as follows. In § 2 we give new attacks based on higher order differentials. We apply the attacks to the cipher $\mathcal{KN}$ by Knudsen and Nyberg [10] and to a cipher by Kiefer [3]. In § 3 we present our new attack on block ciphers, the interpolation attack. We apply the attack to a cipher, provably secure against differential and linear attacks. Also, we apply our methods to a slightly modified version of the cipher SHARK [11]. We conclude in § 4.
2 Attacks Using Higher Order Differentials
In [6] Lai gave a definition of higher order derivatives of discrete functions. Later Knudsen used higher order differentials to cryptanalyse ciphers presumably secure against conventional differential attacks, i.e. attacks based on first order differentials [5]. In this section we give an extension of Knudsen's attacks and apply it in an attack on the cipher $\mathcal{KN}$. We refer to [6, 5] for the definitions of higher order differentials.
Consider a Feistel cipher with block size $2n$. Suppose that $x_R$ is kept constant and consider the right hand side $\tilde{y}_R$ of the output from the reduced cipher. Since $x_R$ is a constant, the bits in $\tilde{y}_R$ are all expressible as polynomials in $GF(2)[x_1, x_2, \ldots, x_n]$ in the bits of $x_L = (x_1, x_2, \ldots, x_n)$. Assume that these polynomials have degree not higher than $d$. Then according to [6, Proposition 2] (see also [5]), we have
$$\sum_{x_L \in \mathcal{L}_d} p(x_L) = c, \tag{1}$$
where $\mathcal{L}_d$ denotes a $d$-dimensional subspace of $GF(2)^n$, $c$ is the same for any space parallel to $\mathcal{L}_d$, and $p$ is a function which computes the output from the reduced cipher. It follows that
$$\sigma(w) = \sum_{x_L \in \mathcal{L}_{d+1}} p(x_L + w) = 0 \quad \text{for all } w \in GF(2)^n \tag{2}$$
if and only if $p(x)$ is a polynomial of degree $d$ or lower. In the following algorithm, the variables $x = (x_L, x_R)$ and $y = (y_L, y_R)$ hold the plaintext and the ciphertext, respectively. $L$ is a full rank $(d+1) \times n$ matrix over $GF(2)$ and $F$ the round function.
1. Let $x_R$ and $w$ be $n$-bit constants.
2. For all $a \in GF(2)^{d+1}$:
   (a) Let $x_L = aL + w$.
   (b) Obtain the ciphertext $y(a)$ of plaintext $(x_L, x_R)$.
3. For all values, $k$, of the last-round key:
   (a) Let $\sigma = 0$.
   (b) For all $a \in GF(2)^{d+1}$:
      i. Let $y = y(a)$.
      ii. Let $\tilde{y}_R = y_L \oplus F(k, y_R)$.
      iii. Let $\sigma = \sigma \oplus \tilde{y}_R$.

The key for which $\sigma$ ends up being zero is the correct last-round key with a high probability. Consequently, for every possible value $k$ of the last-round key, we check whether the corresponding value of $\sigma$ is zero, and if it is, then we have found the correct key with high probability. If one wants a higher level of certainty, the algorithm is simply repeated with another choice of $w$. This method is easily generalised to an iterated cipher, and we get the following result, extending that of [5, Th. 11].
Theorem 1. Given an iterated block cipher, let $d$ denote the polynomial degree of the ciphertext bits of the round next to the last as a function of the plaintext bits. Furthermore, let $b$ denote the number of last-round key bits. Assume that the polynomial degree of the ciphertext bits increases with the number of rounds. Then there exists a $d$-th order differential attack of average time complexity $2^{b+d}$ requiring $2^{d+1}$ chosen plaintexts which will successfully recover the last-round key.
Proof. We give the proof in the case of a Feistel cipher, from which the general case follows. Consider the iteration (3b). Let $k$ denote the correct value of the last-round key, and let $k'$ denote any wrong value. Then
$$\tilde{y}_R = y_L \oplus F(k, y_R), \qquad \tilde{y}'_R = y_L \oplus F(k', y_R), \qquad \tilde{y}_R \oplus \tilde{y}'_R = F(k, y_R) \oplus F(k', y_R).$$
The difference between $\tilde{y}_R$, obtained using the correct key, and $\tilde{y}'_R$, obtained with a wrong key, is two applications of the function $F$. Since by assumption the polynomial degree increases with the number of rounds, one can expect that $\sigma$ will be zero only for the correct value of the last-round key with a high probability. Running an algorithm similar to the one above takes $2^{d+1}$ steps for each value of the last-round key. On the average, we have to test half of the keys before finding the correct one, from which the time complexity follows.
The attack can be improved by a factor of two, if the constant of Equation (1) can be predicted. In that case the iterations (2) and (3b) of the above algorithm are performed only for all $a \in GF(2)^d$. The key for which $\sigma = c$ will be the correct key with a high probability. For most ciphers, depending on the $F$-function, there are possible extensions to the above attack. It may be possible to perform the attack for only a subset of the last-round key, and also it may be possible to search for (a subset of) the first-round key.
In the following we apply the attack to the cipher $\mathcal{KN}$. We choose plaintexts where the right halves are fixed. Since the output bits from the round function are only quadratic in the input bits, the polynomials in the attack described above on the 6 round version have degree not higher than 8. Therefore the attack requires only $2^{8+1} = 512$ chosen plaintexts and an average running time of order $2^{41}$. A variant of the attack guessing for the keys in the last two rounds requires about 32 chosen plaintexts and an average running time of order $2^{70}$. Similarly, there are attacks on the 7 and 8 round versions of $\mathcal{KN}$; the complexities are given in Table 1.

# Rounds | # Chosen plaintexts | Running time
6 | $2^9$ | $2^{41}$
6 | $2^5$ | $2^{70}$
7 | $2^{17}$ | $2^{49}$
7 | $2^9$ | $2^{74}$
8 | $2^{17}$ | $2^{82}$

Table 1. Higher order differential attacks on the Knudsen-Nyberg cipher.

The attack on $\mathcal{KN}$ using higher order differentials has been implemented, and it recovers the last round key as predicted. Note that these attacks are applicable to ciphers with any block size $2n$, as long as the number of chosen plaintexts is less than $2^n$. The bigger the block size the more rounds can be attacked.
We now attack the scheme by Kiefer [3] by the use of higher order differentials.³ The cipher is probabilistic and uses the following encryption rule:
$$m_i \mapsto (F(k) \oplus r_i,\; f_k(r_i) \oplus m_i), \tag{3}$$
where $F : GF(2^n) \to GF(2^n)$ is a one-way function, $f_k : GF(2^n) \to GF(2^n)$ is a function depending on the key $k \in GF(2^n)$ in some complex way, $r_i \in GF(2^n)$ is a random value, and $m_i \in GF(2^n)$ is a message block. The function $f_k$ has the form $f_k = \pi_k \circ g$ where $\pi_k : GF(2^n) \to GF(2^n)$ is a bitwise linear transform depending on $k$ and $g : GF(2^n) \to GF(2^n)$ is a public, almost perfectly non-linear function of the form
$$g(x) = x^{2^s + 1}$$
for some $s$.
Assume that we know enough plaintext to have four pairs on the form
$$(a_i, b_i) = (F(k) \oplus r_i,\; f_k(r_i)), \qquad i = 1, \ldots, 4 \tag{4}$$
such that $a_1 \oplus a_2 = a_3 \oplus a_4$. Define $\beta = \bigoplus_{i=1}^{4} b_i$ and $\gamma = \bigoplus_{i=1}^{4} g(r_i)$. Then
$$\beta = \bigoplus_{i=1}^{4} \pi_k(g(r_i)) = \pi_k\Big(\bigoplus_{i=1}^{4} g(r_i)\Big) = \pi_k(\gamma). \tag{5}$$
Since $\{a_1, \ldots, a_4\}$ is a two-dimensional subspace of $GF(2^n)$, the elements in $\{r_1, \ldots, r_4\}$ also constitute a two-dimensional subspace. Note also that the Hamming weight of the exponent in the definition of $g$ expressed as a binary number is only two, implying that the output bits are only quadratic in the input bits. By Equation (1), this implies that we can compute the value of $\gamma$.

If repeated $n$ times, we will have $n$ corresponding pairs of $\beta$ and $\gamma$. This makes it possible to solve Equation (5) with respect to the unknown function $\pi_k$ (it is a linear transform). After having found $\pi_k$, we can invert $f_k$ and thus obtain a value of $r_i$. Using this, we compute $F(k)$ and the system is broken.

It remains to compute the minimum number $t$ of known plaintexts needed to obtain $n$ times four pairs $(a_i, b_i)$ with the required property; recall that the cipher is probabilistic and thus we have no control over the values of $r_i$. By using a birthday paradox type argument it can be shown that $t \approx (n \cdot 2^{n+2})^{1/4}$. For a typical block size of $n = 64$ this gives $t \approx 2^{18}$.

³ This attack was presented at the rump session of Pragocrypt'96.
3 The Interpolation Attack

In this section, we introduce a new attack on block ciphers. The attack is based on the following well-known formula.

Let $R$ be a field. Given $2n$ elements $x_1, \ldots, x_n, y_1, \ldots, y_n \in R$, where the $x_i$s are distinct. Define
$$f(x) = \sum_{i=1}^{n} y_i \prod_{1 \le j \le n,\; j \ne i} \frac{x - x_j}{x_i - x_j}. \tag{6}$$
Then $f(x)$ is the only polynomial over $R$ of degree at most $n - 1$ such that $f(x_i) = y_i$ for $i = 1, \ldots, n$. Equation (6) is known as the Lagrange interpolation formula (see e.g. [2, page 185]).

In the interpolation attacks presented in this paper we construct polynomials using pairs of plaintexts and ciphertexts. We will assume that the time needed to construct these polynomials is small compared to the time needed to do the encryptions of the plaintexts needed in the attack.
3.1 Global and instance deduction

Consider the cipher $\mathcal{PURE}$ with $r$ rounds. We exploit the fact that the exclusive-or operation used in the cipher corresponds to addition over a finite field with characteristic 2. Consequently, the cipher consists of simple algebraic operations only, and hence each of the two halves of the ciphertext $y$, e.g., the left hand part, can be described as a polynomial $p(x_L, x_R) \in GF(2^{32})[x_L, x_R]$ of the plaintext with at most $3^{2r-1} + 3^r + 3^{r-1} + 1$ coefficients. Note, that the degrees of $x_R$ and $x_L$ are at most $3^r$ and $3^{r-1}$, respectively. Thus, we can reconstruct this polynomial by considering at most $3^{2r-1} + 3^r + 3^{r-1} + 1$ plaintext/ciphertext pairs (p/c-pairs) using, e.g., Lagrange interpolation. With $r = 6$ the attack needs at most $2^{18}$ known p/c-pairs, which yields an algorithm for a global deduction. Note that the number of coefficients will be lower than specified, since not all elements $x_L^i x_R^j$ for $0 \le i \le 3^{r-1}$ and $0 \le j \le 3^r$ will appear in the polynomial.
We have the following more general theorem.

Theorem 2. Consider an iterated block cipher with block size $m$. Express the ciphertext as a polynomial of the plaintext and let $n$ denote the number of coefficients in the polynomial. If $n \le 2^m$, then there exists an interpolation attack of time complexity $n$ requiring $n$ known plaintexts encrypted with a secret key $K$, which finds an algorithm equivalent to encryption (or decryption) with $K$.

In a chosen plaintext variant of this attack it is possible for an attacker to establish polynomials with a reduced number of coefficients by fixing some of the bits in the chosen plaintexts. In that case, the result is an instance deduction, since the obtained algorithm can only encrypt plaintexts for which a number of bits are fixed to a certain value. As an example, $\mathcal{PURE}$ can be attacked in such a way using only 730 chosen p/c-pairs. Subsequently, the attacker has an algorithm, which encrypts $2^{32}$ plaintexts without knowing the secret key.
3.2 Key-recovery

In this section we extend the method of the previous section to a key-recovery attack.

Consider first a known plaintext attack. Instead of specifying the ciphertext as a function of the plaintext, we express the output from the reduced cipher as a polynomial $p(x) \in GF(2^m)[x]$ of the plaintext. Assume that this polynomial has degree $d$ and that $(d+1)$ known p/c-pairs are available. Then for all values of the last-round key one decrypts the ciphertexts one round and tries to construct the polynomial. With one extra p/c-pair one checks whether the polynomial is correct. If this is the case, then the correct value of the last-round key has been found with a high probability, by reasoning similarly as in the proof of Theorem 1.

The chosen plaintext variant of this attack is quite similar. Let us illustrate the method with an example. Once again, consider the cipher $\mathcal{PURE}$ with 6 rounds. Assume that the right hand half $x_R$ of the plaintext is fixed (that is, we consider a chosen plaintext attack), and consider the right hand side of the output $\tilde{y}_R = p(x_L)$ from the reduced cipher expressed as a polynomial $p(x_L) \in GF(2^{32})[x_L]$. This polynomial has degree at most $3^3 = 27$ since the degree does not increase in the first round and since $\tilde{y}_R$ equals the left half of the output of the fourth round. Consequently, 28 pairs of corresponding values of $x_L$ and $\tilde{y}_R$ are enough to determine it uniquely (using Lagrange interpolation).

We then test whether $\tilde{y}$ is actually output from the reduced cipher or not. This is done by verifying whether a 29-th p/c-pair agrees with the obtained polynomial. If it does, then we assume that we have found the correct key. The average time complexity is $29 \cdot 2^{32-1} \approx 2^{36}$.
More generally, we have the following theorem.

Theorem 3. Consider an iterated block cipher of size $m$. Express the output from the round next to the last as a polynomial of the plaintext and let $n$ denote the number of coefficients in the polynomial. Furthermore, let $b$ denote the number of last-round key bits. Then there exists an interpolation attack of average time complexity $2^{b-1}(n+1)$ requiring $n + 1$ known (or chosen) plaintexts which will successfully recover the last-round key.

Similar to the attack of Theorem 1 it may be possible to perform the attack for only a subset of the last-round key, and also it may be possible to search for (a subset of) the first-round key, depending on the structure of the round function.
3.3 Meet-in-the-middle approach

The attacks described in this section are extensions of the attacks in the previous sections using a meet-in-the-middle technique. We describe only the extension of the key-recovery attack; the extension of the global and instance deductions follow easily.

Once more, we try guessing the correct last-round key and use this to (hopefully) obtain $\tilde{y}$, the output from the reduced cipher. In the following, only the verification of $\tilde{y}$ is described. Given an iterated cipher of $r$ rounds, let $z$ denote the output of round $s$, where $s < (r - 1)$. The value of $z$ is expressible via the plaintext $x$ as a polynomial $g(x) \in GF(2^m)[x]$ where $m$ is the block size. Similarly, $z$ can be expressed as a polynomial $h(\tilde{y}) \in GF(2^m)[\tilde{y}]$ of the output $\tilde{y}$ of the reduced cipher. Let the degree of $g(x)$ be $d_g$, the degree of $h(\tilde{y})$ be $d_h$ and let $d_{gh} = d_g + d_h$. Thus, the following equation
$$g(x) = h(\tilde{y}) \tag{7}$$
has at most $d_{gh} + 2$ unknowns. The equation is solvable up to a multiplication and an addition of both $g$ and $h$ with a constant. Therefore, to ensure that we obtain a non-trivial and unique solution, we set the coefficient corresponding to the highest exponent equal to 1 and the constant term equal to 0. After this, we solve the equation by using $d_{gh}$ known or chosen plaintexts. We then check whether yet another p/c-pair $(x, \tilde{y})$ obeys $g(x) = h(\tilde{y})$. If it does, then we assume that we have guessed the correct value of the last-round key.
Again, let us illustrate the attack on the cipher $\mathcal{PURE}$ with 6 rounds. Assume that the right hand half $x_R$ of the plaintext is fixed (that is, we consider a chosen plaintext attack). Let $z_L$ denote the left half of the output from round four. The value of $z_L$ is expressible via the plaintext as a polynomial $g(x_L) \in GF(2^{32})[x_L]$. This polynomial has degree at most $3^2$, i.e. there are at most 10 non-zero coefficients in $g(x_L)$. Similarly, $z_L$ can be expressed as a polynomial $h(\tilde{y}_L, \tilde{y}_R) \in GF(2^{32})[\tilde{y}_L, \tilde{y}_R]$ of the output from the reduced cipher. It follows that
$$h(\tilde{y}_L, \tilde{y}_R) = \tilde{y}_L^3 \oplus a \tilde{y}_L^2 \oplus b \tilde{y}_L \oplus c \oplus \tilde{y}_R,$$
where $a$, $b$, and $c$ are some key-dependent constants. Thus, there are at most $10 + 3 = 13$ unknown coefficients of the equation
$$g(x_L) = h(\tilde{y}_L, \tilde{y}_R). \tag{8}$$
Setting the constant term of $g$ to equal 0 (the coefficient corresponding to the highest exponent in $h$ has already been found to equal 1), we proceed to solve the resulting system of equations by using 12 p/c-pairs from the reduced cipher. This gives us the polynomials $g$ and $h$. We then check whether yet another p/c-pair $(x, \tilde{y})$ obeys $g(x_L) = h(\tilde{y}_L, \tilde{y}_R)$. If it does, then we assume that we have guessed the correct key.
Similar attacks can be applied to versions of $\mathcal{PURE}$ with up to 32 rounds. Consider the version with 32 rounds. Let $g(x_L) \in GF(2^{32})[x_L]$ be an expression of the left half $z_L$ of the output from round 22. The degree of this polynomial is at most $3^{20}$. Let $h(\tilde{y}_L, \tilde{y}_R) \in GF(2^{32})[\tilde{y}_L, \tilde{y}_R]$ be an expression of $z_L$ from the output of the reduced cipher. In the algebraic normal form of $h(\tilde{y}_L, \tilde{y}_R)$, the number of exponents in $\tilde{y}_L$ and $\tilde{y}_R$ is at most $(3^9 + 1)$ and $(3^{10} + 1)$, respectively. Thus the number of coefficients in $h(\tilde{y}_L, \tilde{y}_R)$ is at most $(3^9 + 1)(3^{10} + 1) \approx 3^{19}$. This means that the number of coefficients in Equation (8) is at most $3^{20} + 3^{19} \approx 2^{32}$. I.e., the average time complexity for this attack is about $2^{63}$ and it requires about $2^{32}$ chosen plaintexts.
We obtain the following general result.

Theorem 4. Consider an iterated block cipher of block size $m$ with $r$ rounds. Express the output from round $s$, $s < r - 1$, as a polynomial of the plaintext and let $n_1$ denote the number of coefficients in the polynomial. Also, express the output from round $s$ as a polynomial of the output from round $(r - 1)$, and let $n_2$ denote the number of coefficients in the polynomial. Furthermore, set $n = n_1 + n_2$ and let $b$ denote the number of last-round key bits. Then there exists an interpolation attack of average time complexity $2^{b-1}(n - 1)$ requiring $(n - 1)$ known (chosen) plaintexts which will successfully recover the last-round key.
In the following section we describe a variant of the interpolation attack.
3.4 Attacks on modified SHARK

The iterated cipher SHARK was described by Rijmen, Daemen, et al in [11]. The cipher has block size $nm$ bits and each round has a non-linear layer and a diffusion layer. The non-linear layer consists of $n$ parallel $m$-bit S-boxes. The diffusion layer consists of an $nm$-bit linear mapping constructed from the Reed-Solomon code. There are two suggested ways to introduce the keys into the cipher. The first is by a simple exclusive-or with the inputs to the S-boxes, the other uses a key-dependent affine mapping. Also, an output transformation is applied after the last round of SHARK. The transformation consists of a key addition and an inverse diffusion layer.
The design strategy of SHARK is to consider each component of the cipher
separately. It is argued "The non-linear layer has uniform non-linear properties,
such that when measuring the resistance of the cipher against cryptanalysis we
don't have to take the details of the interaction between the non-linear and the
diffusion layer into account." [11]. Furthermore, "If, for example, the S-boxes are
replaced by other S-boxes, with equivalent non-linearity properties, the resistance
of the cipher remains constant" [11].
We will denote by SHARK($n$, $m$, $r$) the version with block size $nm$ bits using $n$ parallel $m$-bit S-boxes in $r$ rounds. In [11] an implementation SHARK(8, 8, $r$) (64 bit blocks) is given. The 8 S-boxes are identical and constructed from the permutation $f : GF(2^m) \to GF(2^m)$ given by $f(x) = x^{-1}$. The cipher is analysed with respect to linear and differential attacks, and it is argued that 8 rounds of SHARK(8, 8, $r$) give a security level comparable to that of triple-DES, and from [11, Table 1] it follows that 4 rounds of this version give a security level comparable to that of DES.
In the following we will show that there are many instances of SHARK that
can be broken significantly faster than expected.
First of all, the number of rounds of SHARK must be determined with respect to the non-linear order of the S-boxes. Assume that the outputs of the S-box have non-linear order $d$ in the input bits. Since the S-boxes represent the only non-linear component in SHARK, the non-linear order of the ciphertexts after $r$ rounds of encryption will be at most $d^r$. To avoid attacks based on higher order differentials it must be ensured that $d^r$ is high, preferably that $d^r \ge nm$, since a $d^r$-th order differential attack needs $2^{d^r + 1}$ chosen plaintexts. Thus, for a 64 bit block cipher, if $d = 2$, e.g. using the cubing function in a Galois field, the number of rounds must be at least 6.
We consider in the following versions of SHARK where the keys are mixed with the texts by the exclusive-or operation. Once again, we make use of the fact, that exclusive-or is equivalent to addition over a finite field of characteristic 2. We will show that there are instances of SHARK($n$, $m$, $r$), for which the interpolation attacks are applicable. We consider 64-bit versions using as S-box $f(x) = x^{-1}$ in $GF(2^m)$. This is the S-box suggested in [11], but, as it is also said "To remove the fixed points $0 \to 0$ and $1 \to 1$ an invertible transformation is applied to the output bits of the S-box." In what we are about to show, these fixed points play no role, so according to the design strategy of SHARK, variants with $f(x)$ as S-box without the invertible transformation should give equivalent security. We stress that the attacks we are about to present are not applicable to the specific instance of SHARK presented in [11].
The interpolation attacks described so far in this paper work well for ciphers of low algebraic degree. The inverse permutation in a Galois field has a high algebraic degree, note that $f(x) = x^{-1} = x^{2^m - 2}$ in $GF(2^m)$. However, as we will show, there are variants of the interpolation attack, which work for these functions. These attacks depend only on the number of S-boxes and on the number of rounds in the cipher.

Consider first a version with $n = 1$. Here each round maps its input $u$ to $\alpha (u \oplus k_i)^{-1}$, where $\alpha$ is the constant the $1 \times 1$ diffusion layer multiplies by, and the output transformation is affine; all of these are fractional linear maps $u \mapsto (pu \oplus q)/(su \oplus t)$, and a composition of such maps is again of that form. It follows that the ciphertext $y$ after any number of rounds can be expressed as a fraction of polynomials of the plaintext $x$ (or similarly, $x$ as such a fraction of $y$) as follows
$$y = \frac{x \oplus a}{bx \oplus c}, \tag{9}$$
where $a$, $b$, $c$ are key-dependent constants. These three constants can be found using the interpolation attack with only 4 known p/c-pairs⁴ by considering and solving
$$y \cdot (bx \oplus c) = x \oplus a,$$
which is linear in the unknowns $a$, $b$, $c$. The result is a global deduction, i.e. an algorithm that encrypts (decrypts) any plaintext (ciphertext).
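The $n = 1$ case as an added example, not the paper's own code, on a toy SHARK(1, 8, $r$): the S-box is inversion in $GF(2^8)$ with $0 \mapsto 0$ and without the output transformation on the S-box bits, round keys are XORed into the S-box input, the $1 \times 1$ diffusion layer is multiplication by a constant ALPHA, and the output transform adds a key and applies the inverse diffusion. The field polynomial, ALPHA, the five key words and the known plaintexts are constructed values. Three known pairs fix $a, b, c$ in (9) through the linear system $y_i (b x_i \oplus c) = x_i \oplus a$; the fourth pair is the consistency check the text's count of four pairs allows for, and it matters here because plaintexts for which some S-box input is 0 (at most one per round, since each round is a bijection) are exactly the ones the fraction does not cover.

```python
# Toy SHARK(1, 8, r): S-box x -> x^-1 in GF(2^8) with 0 -> 0, round keys XORed into the S-box
# input, a 1x1 diffusion layer (multiplication by ALPHA) and the output transform of key
# addition followed by the inverse diffusion.  Constructed example, not the paper's code.
from itertools import combinations

POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, reduction polynomial of GF(2^8)
ALPHA = 0x02   # assumed diffusion constant; any non-zero element behaves the same


def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


INV = [0] + [gf_pow(a, 254) for a in range(1, 256)]  # x^-1 = x^(2^8-2), and 0 -> 0 as in SHARK


def shark1_encrypt(keys, x):
    """r rounds of (key XOR, x^-1, times ALPHA), then the output transform; len(keys) = r + 1."""
    u = x
    for k in keys[:-1]:
        u = gf_mul(ALPHA, INV[u ^ k])
    return gf_mul(INV[ALPHA], u ^ keys[-1])


def solve(rows):
    """Gauss-Jordan over GF(2^8) on an augmented square system [A | b]; None if A is singular."""
    n = len(rows)
    m = [row[:] for row in rows]
    for col in range(n):
        piv = next((i for i in range(col, n) if m[i][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = INV[m[col][col]]
        m[col] = [gf_mul(inv, v) for v in m[col]]
        for i in range(n):
            if i != col and m[i][col]:
                f = m[i][col]
                m[i] = [vi ^ gf_mul(f, vc) for vi, vc in zip(m[i], m[col])]
    return [row[n] for row in m]


def rational(abc, x):
    """Equation (9): y = (x + a) / (b x + c); None where the denominator vanishes."""
    a, b, c = abc
    den = gf_mul(b, x) ^ c
    return gf_mul(x ^ a, INV[den]) if den else None


def global_deduction(pairs):
    """Solve y_i (b x_i + c) = x_i + a, linear in (a, b, c), from three known pairs and keep the
    first solution a fourth pair confirms.  Inputs for which some S-box sees 0 (the paper's fixed
    point caveat) do not obey the fraction, which is what the check pair guards against."""
    for quad in combinations(pairs, 4):
        abc = solve([[1, gf_mul(x, y), y, x] for x, y in quad[:3]])
        x4, y4 = quad[3]
        if abc is not None and rational(abc, x4) == y4:
            return abc
    return None


def agreement(keys, abc):
    """Number of the 256 plaintexts the deduced fraction encrypts correctly."""
    return sum(rational(abc, x) == shark1_encrypt(keys, x) for x in range(256))


if __name__ == "__main__":
    # constructed: 4 round keys plus the output-transform key, chosen so that the normal form (9),
    # which assumes an x term in the numerator, applies (it does for all but a negligible set of keys)
    keys = [0x3A, 0x53, 0x8F, 0xE7, 0x28]
    known = [0x10, 0x77, 0xC3, 0x05, 0x9E, 0x4B, 0x61]  # constructed known plaintexts
    abc = global_deduction([(x, shark1_encrypt(keys, x)) for x in known])
    print("a, b, c =", abc, "; plaintexts encrypted correctly without the key:", agreement(keys, abc))
```

Running it reports the fitted constants and that all but at most $r$ of the 256 plaintexts are encrypted correctly without the key: a global deduction from a constant number of known plaintexts, independent of the number of rounds and of $m$, as the text states.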
Next consider a version with $n = 2$. Let $x_L$ and $x_R$ denote the left and right halves of the plaintext, respectively, and let $y_{i,L}$ and $y_{i,R}$ denote the left and right halves of the ciphertext after $i$ rounds of encryption. In general we get
$$y_{i,L} = \frac{p_{i,1}(x_L, x_R)}{p_{i,2}(x_L, x_R)} \tag{10}$$
and similarly for $y_{i,R}$, where $p_{i,1}, p_{i,2} \in GF(2^{32})[x_L, x_R]$. It remains to show how many coefficients there are in the two polynomials. First note that the number of coefficients in $p_{i,1}$ is at most the number of coefficients in $p_{i,2}$. Consider the algebraic normal form of $p_{i,2}$ and assume that the largest exponents of $x_L$ and $x_R$ are $e_L^i$ respectively $e_R^i$. Then the number of coefficients in $p_{i,2}$ is at most $(e_L^i + 1) \cdot (e_R^i + 1)$. From the description of SHARK [11] it follows that
$$y_{i,L} = \frac{a_1}{y_{i-1,L} \oplus k_{i,1}} \oplus \frac{a_2}{y_{i-1,R} \oplus k_{i,2}} \tag{11}$$
$$= \frac{p_{i,1}}{(y_{i-1,L} \oplus k_{i,1}) \cdot (y_{i-1,R} \oplus k_{i,2})}, \tag{12}$$
where $k_{i,j}$ are the round keys and $a_1$, $a_2$ some constants. Now it is easy to see that for $i > 1$, $e_L^i \le 2 \cdot e_L^{i-1}$, and since $e_L^1 = e_R^1 = 1$, one gets $e_L^i \le 2^{i-1}$ and $e_R^i \le 2^{i-1}$. Therefore, the number of coefficients in $p_{i,2}$ is at most $(2^{i-1} + 1)^2$, which also upper bounds the number of coefficients in $p_{i,1}$. In order to be able to solve Equation (10) one would need at most $2 \cdot (2^{i-1} + 1)^2$ plaintexts and their corresponding ciphertexts. Note that the same pairs can be used to solve a similar equation for $y_{i,R}$.

⁴ In [8] a similar cipher was investigated. It was explained that this cipher could be solved with a number of known plaintexts linear in the number of rounds. Our results show that this number is a constant.
Consider versions of the cipher with $n$ S-boxes. One finds by calculations similar as above that the number of known plaintexts needed to solve Equation (10) is $2 \cdot (n^{r-1} + 1)^n$. The number of coefficients in the polynomials used in our attacks increases with the number of diffusion layers in the cipher. Note that because of the inverse diffusion layer in the output transformation there are only $r - 1$ diffusion layers in an $r$-round version of SHARK. To sum up, the number of known plaintexts for the interpolation attack on an $r$-round version yielding a global deduction is
$$2 \cdot (n^{r-2} + 1)^n.$$
It follows that the attack is independent of the sizes of the S-boxes, and it depends only on the number of S-boxes and the number of rounds.
The interpolation attack with the meet-in-the-middle technique can be applied also for these ciphers. We consider the interpolation attack with known plaintexts. One first establishes
$$\frac{q_{j,1}(y_1, \ldots, y_n)}{q_{j,2}(y_1, \ldots, y_n)} = \frac{p_{i,1}(x_1, \ldots, x_n)}{p_{i,2}(x_1, \ldots, x_n)}, \tag{13}$$
i.e., expressions of the ciphertexts in one middle round, where $i + j = r - 1$, using polynomials of both the plaintext and the ciphertext. Subsequently, one can solve the following systems of equations
$$q_{j,1}(y_1, \ldots, y_n) \cdot p_{i,2}(x_1, \ldots, x_n) = p_{i,1}(x_1, \ldots, x_n) \cdot q_{j,2}(y_1, \ldots, y_n). \tag{14}$$
The number of known plaintexts required to solve (14) is
$$2 \cdot (n^{r_1 - 1} + 1)^n \cdot (n^{r_2 - 1} + 1)^n,$$
where $r_1 + r_2 = r - 1$ and $r_1, r_2 \ge 1$.
The round keys for SHARK are typically quite big, so the general key-recovery
attack described earlier in this paper may be impractical. However, it is possible
to perform the attack for only a subset of the first-round and/or last-round keys.
Rounds | # S-boxes | Known plaintexts
any | 1 | 3
6 | 2 | $2^9$
6 | 4 | $2^{27}$ (+)
3 | 8 | $2^{17}$ (+)
4 | 8 | $2^{35}$ (+)
5 | 8 | $2^{52}$ (+)
6 | 8 | $2^{75}$ (+)
7 | 8 | $2^{98}$ (+)
8 | 8 | $2^{121}$ (+)

Table 2. Complexities of the interpolation attack on variants of SHARK using as S-box $f(x) = x^{-1}$. (+) Meet-in-the-middle approach.
As an example, one can repeat the attack for all values of the first $s$ words of the first-round key and express the ciphertext (of a middle round) as a polynomial $p_{i,1}(S(x_1 \oplus k_1), \ldots, S(x_s \oplus k_s), x_{s+1}, \ldots, x_n)$, where $S(\cdot)$ are the S-boxes and $x_i$ are the plaintext words. The values of the key words for which the interpolation succeeds are candidates for the secret key, and the attack is repeated sufficiently many times until one value of the secret key is found.
In Table 2 we give the complexities of the interpolation attack on variants of SHARK using as S-box $f(x) = x^{-1}$ in $GF(2^m)$. It follows that using 8 S-boxes, the 64-bit variant with up to 5 rounds and the 128-bit variant with up to 8 rounds are (theoretically) vulnerable to our attacks, since the required number of known plaintexts stays below the $2^{64}$ resp. $2^{128}$ plaintexts that exist. The number of plaintexts required by the key-recovery attack is a little less than indicated in the table for these variants, and its workload is a little higher. We will not go into further details here.
In a chosen plaintext attack the number of coefficients in the polynomials used in the attack can be reduced by fixing some plaintext bits. As examples, there exist interpolation attacks on the variant with 8 S-boxes and 4 rounds using about $2^{21}$ chosen plaintexts and on the variant with 8 S-boxes and 7 rounds using about $2^{61}$ chosen plaintexts. In these attacks we fix four of the eight plaintext words, so only the remaining four words vary: for a 64-bit block cipher the interpolation will work only if the needed number of plaintexts is less than $2^{32}$, and for a 128-bit block cipher only if it is less than $2^{64}$.
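The counting above, carried out in code as an added example that is not part of the paper and not SHARK's own implementation: a known-plaintext interpolation attack yielding a global deduction against a toy SHARK-like cipher. The toy cipher is an assumption made for the example (two 16-bit words, four rounds, S-box $x^{-1}$ in $GF(2^{16})$ with 0 mapped to 0, a 2x2 MDS matrix, round keys XORed in, and no diffusion after the last S-box layer, mirroring SHARK's output transformation); the field polynomial, the matrix and every function name are choices of the example. With n = 2 and r = 4 the per-word degree bound is $n^{r-2} = 4$, so the formula gives $2\cdot(4+1)^2 = 50$ coefficients for numerator and denominator together; holding one plaintext word constant, as in the chosen-plaintext variant just described, cuts this to $2\cdot(4+1) = 10$. The caveat the attack ignores, that the S-box maps 0 to 0 rather than to an inverse, is handled the way a practitioner would: a batch of samples containing such a plaintext has no nontrivial solution, which the code detects and redraws.

```python
"""Interpolation attack (global deduction) on a toy SHARK-like cipher; an added
example, not the paper's or SHARK's code.  Assumed toy cipher: n = 2 words of 16
bits, r = 4 rounds, S-box x -> x^-1 in GF(2^16) with 0 -> 0, a 2x2 MDS matrix,
round keys XORed in, no diffusion after the last S-box layer (as in SHARK)."""
import random
from functools import reduce
from itertools import product
from operator import xor

POLY = 0x1100B          # x^16 + x^12 + x^3 + x + 1, assumed irreducible (a standard choice)
N_WORDS, ROUNDS = 2, 4
MDS = ((1, 1), (1, 2))  # nonzero entries and nonzero determinant: MDS over GF(2^16)

def gf_mul(a, b):
    """Multiply in GF(2^16): shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a & 0x8000 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

gf_inv = lambda a: gf_pow(a, 0xFFFE)  # the S-box x^-1; 0 -> 0 is the case the attack ignores

def encrypt(pt, keys):
    """keys: ROUNDS + 1 round keys, each a tuple of N_WORDS words."""
    x = list(pt)
    for i in range(ROUNDS):
        x = [gf_inv(w ^ k) for w, k in zip(x, keys[i])]
        if i < ROUNDS - 1:  # r S-box layers, but only r - 1 diffusion layers
            x = [reduce(xor, (gf_mul(m, w) for m, w in zip(row, x))) for row in MDS]
    return tuple(w ^ k for w, k in zip(x, keys[ROUNDS]))

def mono_values(monos, x):
    """x_1^a_1 * ... * x_n^a_n for every exponent tuple in monos."""
    return [reduce(gf_mul, (gf_pow(xi, ei) for xi, ei in zip(x, e)), 1) for e in monos]

def nullspace_vector(rows, ncols):
    """A nonzero v with rows * v = 0 over GF(2^16), or None if only v = 0 works."""
    m, pivots, prow = [r[:] for r in rows], [], 0
    for col in range(ncols):
        piv = next((i for i in range(prow, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[prow], m[piv] = m[piv], m[prow]
        inv = gf_inv(m[prow][col])
        m[prow] = [gf_mul(inv, v) for v in m[prow]]
        for i, row in enumerate(m):
            if i != prow and row[col]:
                m[i] = [a ^ gf_mul(row[col], b) for a, b in zip(row, m[prow])]
        pivots.append((prow, col))
        prow += 1
    free = [c for c in range(ncols) if c not in {pc for _, pc in pivots}]
    if not free:
        return None
    v = [0] * ncols
    v[free[0]] = 1  # one free coefficient fixes the common scaling of p and q
    for i, c in pivots:
        v[c] = m[i][free[0]]  # characteristic 2: x_c = row[f] * x_f
    return v

def interpolate(oracle, deg, fixed, rng, attempts=5):
    """Known-plaintext interpolation of ciphertext word 0 as p(x)/q(x): each (x, y)
    gives one linear equation p(x) + y*q(x) = 0 in the 2*(deg+1)^k coefficients, k =
    number of free words.  A batch hitting the S-box's 0 -> 0 case is inconsistent
    (trivial nullspace); the attacker cannot tell which sample, so it is redrawn."""
    monos = list(product(*[range(1) if i in fixed else range(deg + 1) for i in range(N_WORDS)]))
    unknowns = 2 * len(monos)
    const = {i: rng.randrange(1, 1 << 16) for i in fixed}  # chosen-plaintext variant: held fixed
    draw = lambda: tuple(const.get(i, rng.randrange(1 << 16)) for i in range(N_WORDS))
    for _ in range(attempts):
        rows = []
        for x in (draw() for _ in range(unknowns + 12)):  # unknowns - 1 suffice generically
            mv = mono_values(monos, x)
            rows.append(mv + [gf_mul(oracle(x)[0], v) for v in mv])
        v = nullspace_vector(rows, unknowns)
        if v is not None:
            return monos, v[:len(monos)], v[len(monos):], draw
    raise RuntimeError("no consistent p/q found in %d batches" % attempts)

def verify(oracle, monos, p, q, draw, trials=100):
    """Fraction of fresh plaintexts whose ciphertext word 0 equals p(x)/q(x)."""
    hits = 0
    for x in (draw() for _ in range(trials)):
        pv, qv = (reduce(xor, map(gf_mul, c, mono_values(monos, x)), 0) for c in (p, q))
        hits += qv != 0 and gf_mul(pv, gf_inv(qv)) == oracle(x)[0]
    return hits / trials

def run(seed=7, fixed=()):
    """Attack under a random unknown key; returns the unknown count and the hit rate."""
    rng = random.Random(seed)
    keys = [tuple(rng.randrange(1 << 16) for _ in range(N_WORDS)) for _ in range(ROUNDS + 1)]
    oracle = lambda pt: encrypt(pt, keys)  # the attacker sees only (plaintext, ciphertext) pairs
    monos, p, q, draw = interpolate(oracle, N_WORDS ** (ROUNDS - 2), fixed, rng)
    return {"unknowns": 2 * len(monos), "success": verify(oracle, monos, p, q, draw)}
```

`run()` performs the known-plaintext attack (50 unknowns) and `run(fixed=(1,))` the chosen-plaintext variant with plaintext word 2 held constant (10 unknowns); each returns the fraction of fresh plaintexts whose first ciphertext word the recovered p/q predicts, without any knowledge of the round keys, which is what makes it a global deduction. The meet-in-the-middle system (14) is set up the same way, with the products of one plaintext-side and one ciphertext-side coefficient as the linearised unknowns.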
We have demonstrated that certain instantiations of SHARK are insecure.
Our results also demonstrate a case where the use of bigger and fewer S-boxes
does not result in more secure ciphers. Finally, we note that the designers of
SHARK expressed their concern with the use of the inverse in a Galois field as
S-boxes: "This may create uneasy feelings, but we are not aware of any vulner-
ability caused by this property. For the time being we challenge cryptanalysts to
demonstrate any vulnerability caused by this property." [11]. Challenge taken!
4 Concluding Remarks
We introduced a new attack on block ciphers, the interpolation attack. We demonstrated the attack on slightly modified versions of a cipher proposed by Knudsen and Nyberg and of a cipher proposed by Rijmen, Daemen et al. These modifications do not violate the design principles of the original ciphers and are as secure with respect to the security measures proposed by the authors. Also, we presented an improved variant of differential attacks based on higher order differentials, which was used to cryptanalyse the (unmodified) cipher by Knudsen and Nyberg and a cipher by Kiefer.
One might try to find a probabilistic version of the interpolation attack that
would also work when the output of the cipher is expressible as a polynomial
of low degree in only a fraction of the cases. However, it looks like this attack
would require an effective maximum likelihood decoding algorithm for higher
order Reed-Muller codes and such an algorithm is not known to exist.
Finally, it should be mentioned that with the use of Newton interpolation
instead of Lagrange interpolation one can speed up the attacks slightly.
References
1. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993.
2. P.M. Cohn. Algebra, Volume 1. John Wiley & Sons, 1982.
3. K. Kiefer. A New Design Concept for Building Secure Block Ciphers. In J. Pribyl, editor, Proceedings of the 1st International Conference on the Theory and Applications of Cryptology, PRAGOCRYPT'96, Prague, Czech Republic, pages 30-41. CTU Publishing House, 1996.
4. L.R. Knudsen. Block Ciphers - Analysis, Design and Applications. PhD thesis, Aarhus University, Denmark, 1994.
5. L.R. Knudsen. Truncated and higher order differentials. In B. Preneel, editor, Fast Software Encryption - Second International Workshop, Leuven, Belgium, LNCS 1008, pages 196-211. Springer Verlag, 1995.
6. X. Lai. Higher order derivatives and differential cryptanalysis. In Proc. "Symposium on Communication, Coding and Cryptography", in honor of James L. Massey on the occasion of his 60th birthday, Feb. 10-13, 1994, Monte Verita, Ascona, Switzerland, 1994.
7. M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology - Proc. Eurocrypt'93, LNCS 765, pages 386-397. Springer Verlag, 1993.
8. K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology - Proc. Eurocrypt'93, LNCS 765, pages 55-64. Springer Verlag, 1993.
9. K. Nyberg. Linear approximations of block ciphers. In A. De Santis, editor, Advances in Cryptology - Proc. Eurocrypt'94, LNCS 950, pages 439-444. Springer Verlag, 1994.
10. K. Nyberg and L.R. Knudsen. Provable security against a differential attack. The Journal of Cryptology, 8(1):27-38, 1995.
11. V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers, and E. De Win. The cipher SHARK. In D. Gollmann, editor, Fast Software Encryption, Third International Workshop, Cambridge, U.K., February 1996, LNCS 1039, pages 99-112. Springer Verlag, 1996.