match box meet-in-the-middle attack against katan · 2015. 5. 2. · against katan thomas fuhr and...
Match Box Meet-in-the-Middle Attack against KATAN
Thomas Fuhr and Brice Minaud
ANSSI, France
FSE, March 3-5 2014
Plan
1 Match Box
   • Meet-in-the-Middle Attacks
   • Sieve-in-the-Middle Framework
   • Match Box
2 Cryptanalysis of KATAN
   • Description
   • Cryptanalysis
   • Summary of results
Match Box
Meet-in-the-Middle Attack
[Figure labels: PT, CT, K, "Whatever"]
Knowledge of a portion $K_1$ of the key allows computing a part $\vec{v}$ of the internal state at some intermediate round.
Assume this same $\vec{v}$ can be computed from the ciphertext using $K_2$. Then a meet-in-the-middle attack is possible.
This generally assumes a simple key schedule. Lightweight ciphers are prime targets.
1. Guess $K_\cap = K_1 \cap K_2$.
   • For each $K'_1 = K_1 - K_\cap$, compute $\vec{v}$. Store $\vec{v} \to \{K'_1\}$ in a table $T$.
   • For each $K'_2 = K_2 - K_\cap$, compute $\vec{v}$. Retrieve the $K'_1$'s that lead to the same $\vec{v}$ from $T$. Each of these $K'_1$'s, merged with $K'_2$, yields a candidate master key.
2. Test candidate master keys against a few plaintext/ciphertext pairs.
Benefit: complexity is $|K_\cap| \times (|K'_1| + |K'_2|)$ instead of $|K_\cap| \times (|K'_1| \times |K'_2|)$.
Sieve-in-the-Middle Framework
[Figure labels: PT, $K_1$, $\vec{l}$, $\vec{r}$, $K_2$, CT]
Now we compute a distinct $\vec{l}$ from the left and $\vec{r}$ from the right. Compatibility is expressed by some relation $R(\vec{l}, \vec{r})$.
Introduced by Canteaut, Naya-Plasencia and Vayssière at CRYPTO 2013.
Matching problem
[Figure: a column of $\vec{l}$ values indexed by $K'_1$ facing a column of $\vec{r}$ values indexed by $K'_2$; "match?"]
Problem: testing the relation $R$.
$K_1 \times K_2 \approx K$: equivalent to brute force.
$K_\cap \times K'_1 \times K'_2$ = entire key = brute force.
$K_1 = K_\cap \oplus K'_1$, $K_2 = K_\cap \oplus K'_2$, $K = K_\cap \oplus K'_1 \oplus K'_2$
Solution: Precomputation of compatibilities outside the loop on $K_\cap$.
Example
[Figure labels: $S$, $\vec{l}$, $\vec{r}$, $\oplus$, $\oplus\, k(K'_1)$, $K_1$, $K_2$]
$K_1 = K_\cap \oplus K'_1$, $K_2 = K_\cap \oplus K'_2$, $K = K_\cap \oplus K'_1 \oplus K'_2$
Assuming the key schedule is linear, $K = K_2 \oplus K'_1$. Without loss of generality, we can assume $k$ depends only on $K'_1$.
Compatibility: $R(\vec{l}, \vec{r}, K'_1)$ iff $S^{-1}(\vec{r} \oplus k(K'_1))\big|_{\{0,1\}} = \vec{l}$
Match box
[Figure labels: $S$, $\vec{l}$, $\vec{r}$, $\oplus$, $\oplus\, k(K'_1)$, $K_1$, $K_2$]
Match box: $(K'_1 \mapsto \vec{l}) \mapsto (\vec{r} \mapsto \{K'_1 : R(\vec{l}, \vec{r}, K'_1)\})$
$K_1 = K_\cap \oplus K'_1$, $K_2 = K_\cap \oplus K'_2$, $K = K_\cap \oplus K'_1 \oplus K'_2$
Limited by the size of the table: $2^{|\vec{l}||K'_1| + |\vec{r}| + |K'_1|}$
Cryptanalysis of KATAN
KATAN
Block cipher by De Cannière, Dunkelman, Knežević, CHES 2009.
Ultralightweight. Barely more surface area than what is required to store the state and key.
Based on Non-Linear Shift Feedback Registers. 254 rounds.
Accommodates three block sizes: 32, 48 or 64 bits. 80-bit key.
Previous work on KATAN
KATAN32
• Conditional differential: 78 rounds, by Knellwolf, Meier, Naya-Plasencia, ASIACRYPT 2010.
• Exhaustive differential: 115 rounds, by Albrecht and Leander, SAC 2012.
• Meet-in-middle: 110 rounds, by Isobe and Shibutani, SAC 2013.
KATAN32
[Figure: KATAN32 registers A (bits 31 to 19) and B (bits 18 to 0) with XOR (+) and AND (×) feedback, round-key bits k0 and k1, and the irregular-round bit IR]
80-bit key loaded into an LFSR → k0, k1 every round. Irregular rounds scheduled by another LFSR.
Formal description of KATAN32
Definition: Bit $a_i$ enters register A at round $i$. Bit $b_i$ enters register B at round $i$.
$\Longrightarrow$ At round $n$: A contains $(a_{n-12}, \dots, a_n)$, B contains $(b_{n-18}, \dots, b_n)$.
Plaintext $= (a_{-13}, \dots, a_{-1}, b_{-19}, \dots, b_{-1})$.
Encryption:
$$\begin{cases} a_n = b_{n-19} \oplus b_{n-8} \oplus b_{n-11} \cdot b_{n-13} \oplus b_{n-4} \cdot b_{n-9} \oplus rk_{2n+1} \\ b_n = a_{n-13} \oplus a_{n-8} \oplus c_n \cdot a_{n-4} \oplus a_{n-6} \cdot a_{n-9} \oplus rk_{2n} \end{cases}$$
Ciphertext $= (a_{241}, \dots, a_{253}, b_{235}, \dots, b_{253})$.
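The time-indexed description above, as an added example that is not code from the slides: it runs the two update equations forward and backward and checks the rearranged $a_{81}$ equation that the talk later uses to meet at $b_{62}$. The round keys `rk` and irregular-round bits `c` are taken as inputs and filled with constructed random bits, since the slides do not specify the two LFSRs; all function names are hypothetical.

```python
# Added illustration (not from the slides): KATAN32 state update in the
# slides' time-indexed notation. rk[0..507] and c[0..253] are inputs; the
# LFSRs that generate them are not given on the slides, so demo() uses
# constructed random bits in their place.
import random

ROUNDS = 254

def encrypt_trace(pt_a, pt_b, rk, c, rounds=ROUNDS):
    """pt_a = (a_-13..a_-1), pt_b = (b_-19..b_-1).
    Returns dicts a, b holding every bit a_n, b_n up to round rounds-1."""
    a = dict(zip(range(-13, 0), pt_a))
    b = dict(zip(range(-19, 0), pt_b))
    for n in range(rounds):
        a[n] = (b[n-19] ^ b[n-8] ^ (b[n-11] & b[n-13])
                ^ (b[n-4] & b[n-9]) ^ rk[2*n+1])
        b[n] = (a[n-13] ^ a[n-8] ^ (c[n] & a[n-4])
                ^ (a[n-6] & a[n-9]) ^ rk[2*n])
    return a, b

def ciphertext(a, b, rounds=ROUNDS):
    """(a_241..a_253, b_235..b_253) for the full 254 rounds."""
    return ([a[n] for n in range(rounds-13, rounds)],
            [b[n] for n in range(rounds-19, rounds)])

def decrypt(ct_a, ct_b, rk, c, rounds=ROUNDS):
    """Backward direction: each equation is solved for its oldest bit."""
    a = dict(zip(range(rounds-13, rounds), ct_a))
    b = dict(zip(range(rounds-19, rounds), ct_b))
    for n in reversed(range(rounds)):
        b[n-19] = (a[n] ^ b[n-8] ^ (b[n-11] & b[n-13])
                   ^ (b[n-4] & b[n-9]) ^ rk[2*n+1])
        a[n-13] = (b[n] ^ a[n-8] ^ (c[n] & a[n-4])
                   ^ (a[n-6] & a[n-9]) ^ rk[2*n])
    return [a[n] for n in range(-13, 0)], [b[n] for n in range(-19, 0)]

def b62_from_later_bits(a, b, rk):
    """The a_81 equation solved for b_62: b62 = x0 ^ b68*b70."""
    x0 = a[81] ^ b[73] ^ (b[72] & b[77]) ^ rk[163]
    return x0 ^ (b[68] & b[70])

def demo(seed=1):
    rng = random.Random(seed)
    bits = lambda k: [rng.getrandbits(1) for _ in range(k)]
    pt_a, pt_b, rk, c = bits(13), bits(19), bits(2 * ROUNDS), bits(ROUNDS)
    a, b = encrypt_trace(pt_a, pt_b, rk, c)
    ct_a, ct_b = ciphertext(a, b)
    round_trip = decrypt(ct_a, ct_b, rk, c) == (pt_a, pt_b)
    return round_trip, b[62] == b62_from_later_bits(a, b, rk)
```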
Meet-in-the-Middle Attack on KATAN
[Figure labels: PT, $K_1$, $\vec{v}$, $K_2$, CT]
Small extras:
• Simultaneous matching: on several plaintext/ciphertext pairs.
• Indirect matching: removes key bits whose contribution is linear.
Result: attack on 121 rounds of KATAN32.
$K_1$: 75 bits, $K_2$: 75 bits, $K_\cap$: 70 bits
forward: 69 rounds, backward: 52 rounds
4 known plaintexts, complexity $2^{77.5}$.
[Figure labels: PT, biclique, $K_1$, $\vec{v}$, $K_2$, CT]
Addition of a biclique.
Originally introduced to attack SKEIN and AES [BKR11].
Makes it possible to extend a meet-in-the-middle attack. Either an accelerated key search, or a classical attack (we use the latter).
Result: attack on 131 rounds of KATAN32. Chosen plaintexts, low data requirements.
[Figure labels: PT, biclique, $K_1$, $\vec{l}$, matchbox, $\vec{r}$, $K_2$, CT]
Addition of a "match box".
Match Box on KATAN
Meeting in the middle at $b_{62}$:
$b_{62} = x_0 \oplus b_{68} \cdot b_{70}$, $x_0 = a_{81} \oplus b_{73} \oplus b_{72} \cdot b_{77} \oplus rk_{163}$
$b_{68} = x_1 \oplus rk_{175}$, $x_1 = a_{87} \oplus b_{89} \oplus b_{76} \cdot b_{74} \oplus b_{83} \cdot b_{78}$
$b_{70} = x_2 \oplus rk_{179}$, $x_2 = a_{89} \oplus b_{91} \oplus b_{78} \cdot b_{76} \oplus b_{85} \cdot b_{80}$
Let us decompose $rk_n = rk^{2}_n \oplus rk^{1'}_n$ along $K_2 \oplus K'_1$.
$\vec{l}$: $l_0 = b_{62}$
$\vec{r}$: $r_0 = x_0$, $r_1 = x_1 \oplus rk^{2}_{175}$, $r_2 = x_2 \oplus rk^{2}_{179}$
Compatibility $R(\vec{l}, \vec{r}, K'_1)$:
$l_0 = r_0 \oplus (r_1 \oplus rk^{1'}_{175}) \cdot (r_2 \oplus rk^{1'}_{179})$
Benefit: We no longer need to know $rk^{1'}_{175}$ and $rk^{1'}_{179}$ from the right.
⇒ $K_2$ shrinks by 2.
⇒ We can add two brand new round keys to $K_2$ to add one more round to the attack.
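The match box defined earlier and the KATAN compatibility relation above, as an added example that is not code from the slides: the table is built once, then one lookup per $K'_2$ replaces the loop over $K'_1$, and the result is checked against the naive test of every pair. Assumptions: $K'_1$ is 2 bits whose bits 0 and 1 stand for $rk^{1'}_{175}$ and $rk^{1'}_{179}$, and `left`/`right` are constructed hash-based stand-ins for the partial encryption and decryption, not KATAN rounds.

```python
# Added illustration (not from the slides): a match box for the relation
#   l0 = r0 ^ (r1 ^ rk1'_175) & (r2 ^ rk1'_179).
# Assumed toy sizes: K'_1 has 2 bits, K'_2 has 4 bits.
import hashlib
from itertools import product

K1P = range(4)     # values of K'_1
K2P = range(16)    # values of K'_2 (constructed size)

def rk175(k1p): return k1p & 1           # assumed: bit 0 of K'_1
def rk179(k1p): return (k1p >> 1) & 1    # assumed: bit 1 of K'_1

def compatible(l0, r, k1p):
    """Relation R(l, r, K'_1) from the slide."""
    r0, r1, r2 = r
    return l0 == r0 ^ ((r1 ^ rk175(k1p)) & (r2 ^ rk179(k1p)))

def build_match_box():
    """(K'_1 -> l0, as a truth table) -> (r -> {K'_1 : R(l, r, K'_1)}).
    Built once, outside the loop on K_cap."""
    box = {}
    for f in product((0, 1), repeat=len(K1P)):   # every function K'_1 -> l0
        for r in product((0, 1), repeat=3):      # every (r0, r1, r2)
            box[f, r] = frozenset(k for k in K1P if compatible(f[k], r, k))
    return box

def _bits(tag, *vals, n):
    h = hashlib.sha256(repr((tag,) + vals).encode()).digest()[0]
    return tuple((h >> i) & 1 for i in range(n))

def left(kcap, k1p):     # constructed stand-in: l0 from K_1 = (K_cap, K'_1)
    return _bits("L", kcap, k1p, n=1)[0]

def right(kcap, k2p):    # constructed stand-in: (r0, r1, r2) from K_2
    return _bits("R", kcap, k2p, n=3)

def sieve_with_box(kcap, box):
    """|K'_1| left computations, then one table lookup per K'_2."""
    f = tuple(left(kcap, k) for k in K1P)
    return {(k1p, k2p) for k2p in K2P
            for k1p in box[f, right(kcap, k2p)]}

def sieve_naive(kcap):
    """|K'_1| x |K'_2| relation tests: the cost the match box avoids."""
    return {(k1p, k2p) for k1p in K1P for k2p in K2P
            if compatible(left(kcap, k1p), right(kcap, k2p), k1p)}
```

With these toy sizes the box has 16 × 8 entries; the number of truth tables grows doubly exponentially in the bit length of $K'_1$, which is the table-size limit the match box slide refers to.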
Summary of results

| Cipher | Rounds | Model | Data | Memory | Time | Reference |
|---|---|---|---|---|---|---|
| K32 | 78 | CP | $2^{22}$ | − | $2^{22}$ | [KMN10] |
| K32 | 115 | CP | $2^{32}$ | − | $2^{79}$ | [AL12] |
| K32 | 110 | KP | $2^{7}$ | $2^{75}$ | $2^{77}$ | [IS13] |
| K32 | 121 | KP | $2^{2}$ | − | $2^{77.5}$ | Base |
| K32 | 131 | CP | $2^{7}$ | − | $2^{77.5}$ | Biclique |
| K32 | 153 | CP | $2^{5}$ | $2^{76}$ | $2^{78.5}$ | M. box |
| K48 | 70 | CP | $2^{34}$ | − | $2^{34}$ | [KMN10] |
| K48 | 100 | KP | $2^{7}$ | $2^{78}$ | $2^{78}$ | [IS13] |
| K48 | 110 | KP | $2^{2}$ | − | $2^{77.5}$ | Base |
| K48 | 114 | CP | $2^{6}$ | − | $2^{77.5}$ | Biclique |
| K48 | 129 | CP | $2^{5}$ | $2^{76}$ | $2^{78.5}$ | M. box |
| K64 | 68 | CP | $2^{35}$ | − | $2^{35}$ | [KMN10] |
| K64 | 94 | KP | $2^{7}$ | $2^{77.5}$ | $2^{77.5}$ | [IS13] |
| K64 | 102 | KP | $2^{2}$ | − | $2^{77.5}$ | Base |
| K64 | 107 | CP | $2^{7}$ | − | $2^{77.5}$ | Biclique |
| K64 | 119 | CP | $2^{5}$ | $2^{74}$ | $2^{78.5}$ | M. box |
Conclusion
Thank you for your attention.
Questions ?
Biclique
[Figure labels: $A_0$, $A_i$, $B_0$, $B_j$, $C_0$, $C_i$, $K_{i,j}$, $K_{*,0}$, $K_{*,j}$, $K_{0,*}$, $K_{i,*}$, biclique, encryption, decryption, $v$, match]
Biclique: $\forall i, j,\ \mathrm{Enc}^{0 \to b}_{K_{i,j}}(A_i) = B_j$.
$K_{i,*}$ = information on the key common to $K_{i,j}$ $\forall j$.
$K_{*,j}$ = information on the key common to $K_{i,j}$ $\forall i$.
Compatibility: $v$ can be computed from $(B_j, K_{*,j})$, and also $(C_i, K_{i,*})$.