New Observations On Piccolo Block Cipher - RSA … · SESSION ID: CRYP‐F01 New Observations On Piccolo Block Cipher Yanfeng Wang Yanfeng Wang and WenlingWu Ph.D Candidate, TCA,Institute

SESSION ID: CRYP‐F01

New Observations On Piccolo Block Cipher

Yanfeng Wang

pYanfeng Wang and Wenling Wu

Ph.D Candidate,TCA, Institute of Software,

#RSAC

TCA, Institute of Software, Chinese Academy of [email protected]

#RSAC

Outline

Introduction

Description of Piccolo

Linear‐Reflection Weak Keys of Piccolo

New Observations on Piccolo‐128

C l iConclusion

#RSAC

Outline

Introduction




C l iConclusion

#RSAC

Introduction

New lightweight block ciphers with very simple key‐schedules or even without key‐schedule have been proposedeven without key schedule, have been proposed.

Avoiding MITM(Meet‐in‐the‐Middle) attacks, related‐key differential attack and key bits leakage are three main goals indifferential attack and key bits leakage are three main goals in the design of key schedules.

However the choice of round constants makes no influence onHowever, the choice of round constants makes no influence on the security of block ciphers against the above three attacks.

4

#RSAC

Introduction

Related attacks: slide cryptanalysis, probabilistic slide cryptanalysis(FSE 2014) and invariant subspace attack(CRYPTOcryptanalysis(FSE 2014) and invariant subspace attack(CRYPTO 2011).

All attacks can be prevented by a careful choice of roundAll attacks can be prevented by a careful choice of round constants.

In this paper we take the Piccolo block cipher as a target cipherIn this paper, we take the Piccolo block cipher as a target cipher to reveal some new design principles on round constants.

5

#RSAC

Outline

Introduction




C l iConclusion

#RSAC


A lightweight block cipher proposed in CHES 2011 by SONY.Structure : GFNStructure : GFN

Block size : 64‐bit

Key length 80 /128 bitKey length : 80‐/128‐bit

Number of rounds: 25/31

Encryption Algorithm

Key Schedule Algorithm

7

#RSAC

Encryption Algorithm(64)P

0wk 1wkF 0rk 1rk

k

0wk 1F S

S

SM

S

S

S1 6

4 1 64

4

4

4

4

:F

2rk 3rk

F F S S 44

2 2rrk 2 1rrk

2wk 3wk F F

2 7 4 1 6 3 0 5

0 1 2 3 4 5 6 7

:RP

8(64)C

#RSAC


9

#RSAC


10

#RSAC

Outline

Introduction




C l iConclusion

#RSAC


12

#RSAC


0 1 2 3 4 5 6 7

:RP2 7 4 1 6 3 0 5

13

#RSAC


0P 1P 2P 3P0X

4 4 32X X 0C 1C2C 3C

kP C 32 kC P

0rk 1rk 0rk 1rk0

X

4 4 32X X

3 3 32X X

2rk 3rk 2rk 3rk1X

2X2 2X X

4rk 5rk 4rk 5rk2

3X1 1 32X X

14

6rk 7rk 6rk 7rk

0P 1P 2P 3P0C 1C 2C 3C

3

4X 0 0X X

#RSAC


0 6rk rkk k

1 7

2 5

rk rkrk rk

kP C3 4

4 2

rk rkrk rk

32 k

P CC P

5 3

6 1

rk rkrk rk

15

7 0rk rk

#RSAC


0P 1P 2P 3P0X 4X 0C 1C 2C 3C

kP C 3 2 kC P

F 0rk 1rk

2rk 3rk

F

F F

F 0rk 1rk

2rk 3rk

F

F F

1X3X

2 3

4rk 5rkF F

2 3

4rk 5rk F F2X

2X

X

6rk 7rkF F 6rk 7rk F F

P P P P C C C C

3X

4X

1X

0X

16

0P 1P 2P 3P 0C 1C 2C 3C

#RSAC


0 6rk rkk k

1 7

2 5 2 5

rk rkrk rk rk rk

3 4 3 4

4 2 4 2

rk rk rk rkrk rk rk rk

5 3 5 3

6 1

rk rk rk rkrk rk

17

7 0rk rk

#RSAC

Searching Weak Keys for Piccolo

18

#RSAC

Weak Keys of Piccolo‐80

0 1 0 26230 022

k k xk k x a

1 0

2 4

3 4

0 0220 3800 1 07

k k x ak k x ek k x c

3 4

4 3

4 2

0 0 290 2 20

k k x ek k x a

19

0 0

1 1

0 3800 1 07

k k x ek k x c

#RSAC


0 1 2 3 0 1 2 3

0 1 2 3 0 1 2 3

( , , , ) ( , , , )

( , , , ) ( , , , )

k

k

P P P P C C C C

P P P P C C C C

( , 0 3 24, 0 380 , 0 1 07, )( 0 380 0 2623 0 2 20 0 0 29 )

k x x x a y x e y x c zk

0 1 2 3 0 1 2 3( ) ( )

2 3 3 2 0 1 2 3, 0 353 0 071 , , 0 3 12 0 293P C C k x a k x c C C k x f k x d

( 0 380 , 0 2623, 0 2 20, 0 0 29, )k x x e x x z x a z x e y

2 3 0 1

0 1 2 2 2 3 3 3

( , 0 0401, , 0 2008),, 0 071 0 3 12, , 0 293 0 353

C C y z x C C y z xC P P k x c k x f P P k x d k x a

20

0 1 2 3( , 0 2 20, , 0 0 29).P P y z x a P P y z x e

#RSAC


0 8 1k k xf c 0 8 5k k xe c 4 5

5 4

0 8 10 80 5816

k k xf ck k x cdck k x

0 7

3 6

4 2

0 8 50 00 1806

k k xe ck k xfcck k x

6 6

7 1

2 5

0 58160 2 00 0 3

k k xk k x c bk k xf c

4 2

5 1

6 7

0 18060 0 030 80

k k xk k x ck k x df

2 5

1 4

6 0

0 0 30 4 60 1806

k k xf ck k xe ck k x

6 7

1 6

4 4

0 4 20 5816

fk k xf ck k x

21

6 0

7 3 0 0 03k k x c 4 4

5 5 0 2 0k k x c b

#RSAC


( 0 781 , 0 0, 0 0802, 0 4 2,, 0 4 , 0 1004, 0 4 2)

k x x e x xbcd x x x xb dx x xd ca x x x xf c

, 0 4 , 0 1004, 0 4 2)

( 0 0802, 0 8 9, 0 1806, 0 8 1, 0 5816, 0 8 1, 0 4812, 0 90 )

x x xd ca x x x xf ck x x x xd c x x x xf c

x x x xf c x x x x db

, , , )f

2 3 7 2 0 1 2 3, 0 8181 0 6 45, , 0 3553 0 8P C C k x k x d C C k x k xad a

2 3 0 1

0 1 2 2 2 3 3 7

( , , , 0 681 ),, 0 6 45 0 3553, , 0 8 0 8181

C C C C x aC P P k x d k x P P k xad a k x

22

0 1 2 3( , 0 4812, , 0 0802).P P x P P x

#RSAC

Outline

Introduction




C l iConclusion

#RSAC



24

#RSAC


128bit master key is noted by (even,odd)(k k k k )even(k0,k2,k4,k6)even

(k1,k3,k5,k7)odd

Similarity between different keysFor a fixed (even,odd), there exist 31 different keys such that the

d k f 30 d l t th t d ( dd)round keys for 30 rounds are equal to that under (even,odd).

25

#RSAC


26

#RSAC


RP should not be allowed to be self‐inverse.

27

#RSAC


P P P P P P P P0P 1P 2P 3P

0wk 1wk0P 1P 2P

3P

0wk 1wk0X 0X

k k

RP

rk rk

RP30X 30X

28

60rk 61rk

0C 1C 2C 3C

2wk 3wk 60rk 61rk

0C 1C 2C 3C

2wk 3wk

#RSAC


0 0 1( ( || ), ( ( || )) 0 9 79,

( || ) ( ( || )) 0 594)

L R L R

L R L R

P RP C e o F C e o C e x d

C o e F C o e C o xd

2 2 3( || ), ( ( || )) 0 594)

( || ,0, || ,0),L R L R

C o e F C o e C o xd

e o o e

* * *0 0 1

* * *

( ( || ), ( ( || )) 0 9 79,

( || ) ( ( || ))

L R L R

L R L R

C P e o F P e o P e x d

P o e F P o e P o

0 594)xd2 2 3( || ), ( ( || ))P o e F P o e P o

*

0 594),

(( ) ( || 0 || 0))L R L R

xd

where P RP P P P P e o o e

29

0 1 2 3 (( , , , ) ( || ,0, || ,0)).where P RP P P P P e o o e

#RSAC


Security of hash function based on full‐round Piccolo‐128 is insufficientinsufficient.

30

#RSAC


DM mode:

- 11 -Let , and be the input message , the input chaining value, and the output; the new chaining value is computed as:

i i i

i

M H HH

1 1 1 ( ) .ii M i iH E H H

k

k

k

31

#RSAC

Outline

Introduction




C l iConclusion

#RSAC

Conclusion

Evaluate the security of Piccolo block cipher from the known and chosen key respective.and chosen key respective.

Define linear‐reflection weak keys.F k k k fi d th l t d k k k′ hFor one weak key k, we can find another related weak key k′ such that the cipher with k′ can be completely determined by thecipher under k.

7‐round Piccolo‐80 (Observation 2)

10‐round Piccolo‐128 (Observation 3)

33

#RSAC

Conclusion

Summarize some interesting characteristics of key schedule algorithm for Piccolo‐128.algorithm for Piccolo 128.

RP should not be allowed to be self‐inverse (Observation 4)

Security of hash function based on full‐round Piccolo‐128 isSecurity of hash function based on full round Piccolo 128 is insufficient (Observation 5)

We expect that the results of our paper may guide the design ofWe expect that the results of our paper may guide the design of round constants for some simple key schedules.

34

#RSAC

Thanks For Your Attention!

New Observations On Piccolo Block Cipher - RSA … · SESSION ID: CRYP‐F01 New Observations On Piccolo Block Cipher Yanfeng Wang Yanfeng Wang and WenlingWu Ph.D Candidate, TCA,Institute

Documents