
Linear Analysis of reduced-round CAST-128 and CAST-256



  1. Linear Analysis of reduced-round CAST-128 and CAST-256
  Jorge Nakahara Jr (1), Mads Rasmussen (2)
  (1) UNISANTOS, Brazil
  (2) LSI-TEC, PKI Certification department

  2. Summary
  • The CAST-128 and CAST-256 Block Ciphers
  • Linear Cryptanalysis: brief overview
  • Linear Analysis of CAST-128 and CAST-256
  • Attack Details
  • Conclusions and Open Problems

  3. CAST-128
  • 64-bit iterated block cipher
  • key: 40 bits up to 128 bits (in increments of 8 bits)
  • 12 up to 16 rounds
  • Feistel Network structure
  • designed by C. Adams and S. Tavares (1996)
  • S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

  4. CAST-128
  • CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5)
  • CAST-128 uses fixed 8x32-bit S-boxes: four for encryption and decryption (S1, S2, S3, S4) and four for the key schedule (S5, S6, S7, S8)
  • round operations: + (modular addition), - (modular subtraction), <<< (rotation), ⊕ (XOR)
  • three round functions: f1, f2 and f3
  • An official algorithm for use with the Canadian Government: http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html

  5. CAST-128 (figure: round functions f1, f2, f3)

  6. CAST-256
  • a former candidate in the Advanced Encryption Standard (AES) Development Process (1997)
  • 128-bit iterated block cipher
  • 128-, 192- and 256-bit keys
  • 48 rounds for all key sizes
  • generalized Feistel Network structure
  • S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

  7. CAST-256 (figure: one quad-round, built from f1, f2, f3, f1)

  8. CAST-256
  • full CAST-256: six quad-rounds + six inverse quad-rounds
  • one inverse quad-round = one quad-round upside down (figure: inverse quad-round, f1, f3, f2, f1)
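As an added example of the structure described in slides 6 to 8, the following Python model (not the authors' code and not a CAST-256 implementation) builds a four-branch generalized Feistel cipher from six quad-rounds and six inverse quad-rounds. The branch layout and the f1, f2, f3, f1 ordering follow the public CAST-256 specification (RFC 2612, not reproduced on the slides); the S-boxes S1 to S4, the key schedule and the demo key are constructed stand-ins, so the code demonstrates why "an inverse quad-round is a quad-round upside down" makes decryption the same procedure as encryption with the subkeys reversed, nothing more.

```python
"""Structural model of CAST-256's quad-rounds (added example; not the authors'
code). Branch layout and f1/f2/f3 ordering follow RFC 2612; S-boxes and key
schedule are constructed toys, so this is NOT an implementation of CAST-256."""
import hashlib

MASK32 = 0xFFFFFFFF


def rotl32(x, r):
    """32-bit left rotation (the <<< round operation)."""
    r %= 32
    return ((x << r) | (x >> (32 - r))) & MASK32


def toy_sbox(tag):
    """Constructed 8x32-bit S-box: 256 pseudorandom words derived from SHA-256
    (deterministic toy table, not one of the real CAST S-boxes)."""
    return [int.from_bytes(hashlib.sha256(f"toy-sbox-{tag}-{x}".encode()).digest()[:4], "big")
            for x in range(256)]


S1, S2, S3, S4 = (toy_sbox(i) for i in range(1, 5))


def split_bytes(i):
    """Bytes Ia, Ib, Ic, Id of the 32-bit word I, most significant first."""
    return (i >> 24) & 0xFF, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF


# Round functions: data combined with masking key Km, rotated by Kr, then the
# four S-box outputs mixed with +, - and XOR in three different patterns.
def f1(d, km, kr):
    ia, ib, ic, id_ = split_bytes(rotl32((km + d) & MASK32, kr))
    return ((((S1[ia] ^ S2[ib]) - S3[ic]) & MASK32) + S4[id_]) & MASK32


def f2(d, km, kr):
    ia, ib, ic, id_ = split_bytes(rotl32(km ^ d, kr))
    return ((((S1[ia] - S2[ib]) & MASK32) + S3[ic]) & MASK32) ^ S4[id_]


def f3(d, km, kr):
    ia, ib, ic, id_ = split_bytes(rotl32((km - d) & MASK32, kr))
    return ((((S1[ia] + S2[ib]) & MASK32) ^ S3[ic]) - S4[id_]) & MASK32


def quad_round(block, sub):
    """One quad-round on branches (A, B, C, D): f1, f2, f3, f1 in that order."""
    a, b, c, d = block
    (km0, kr0), (km1, kr1), (km2, kr2), (km3, kr3) = sub
    c ^= f1(d, km0, kr0)
    b ^= f2(c, km1, kr1)
    a ^= f3(b, km2, kr2)
    d ^= f1(a, km3, kr3)
    return a, b, c, d


def inverse_quad_round(block, sub):
    """The same four steps in reverse order: the quad-round 'upside down'.
    Because every step XORs one branch with a function of another branch,
    this is exactly the inverse of quad_round with the same subkey."""
    a, b, c, d = block
    (km0, kr0), (km1, kr1), (km2, kr2), (km3, kr3) = sub
    d ^= f1(a, km3, kr3)
    a ^= f3(b, km2, kr2)
    b ^= f2(c, km1, kr1)
    c ^= f1(d, km0, kr0)
    return a, b, c, d


def toy_key_schedule(key):
    """Constructed key schedule (not CAST-256's): 12 quad-round subkeys, each
    four (Km, Kr) pairs with Km 32 bits and Kr 5 bits."""
    return [[(int.from_bytes(h[:4], "big"), h[4] & 31)
             for h in (hashlib.sha256(key + bytes([q, j])).digest() for j in range(4))]
            for q in range(12)]


def encrypt(block, subs):
    """Six quad-rounds followed by six inverse quad-rounds."""
    for q in range(6):
        block = quad_round(block, subs[q])
    for q in range(6, 12):
        block = inverse_quad_round(block, subs[q])
    return block


def decrypt(block, subs):
    """Identical structure with the subkeys applied in reverse order."""
    for q in range(11, 5, -1):
        block = quad_round(block, subs[q])
    for q in range(5, -1, -1):
        block = inverse_quad_round(block, subs[q])
    return block


DEMO_KEY = b"constructed demo key, not secret"   # placeholder key material
DEMO_BLOCK = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)


def roundtrip_ok(block=DEMO_BLOCK, key=DEMO_KEY):
    """Encrypt then decrypt with the same subkeys and compare."""
    subs = toy_key_schedule(key)
    return decrypt(encrypt(block, subs), subs) == block


if __name__ == "__main__":
    ct = encrypt(DEMO_BLOCK, toy_key_schedule(DEMO_KEY))
    print("ciphertext:", [f"{w:08x}" for w in ct], "roundtrip ok:", roundtrip_ok())
```

The point to take from the model is structural: the cipher needs no separate decryption routine because the second half of the encryption is the mirror image of the first half, which is the property the slides draw in the quad-round figures.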

  9. Linear Cryptanalysis
  • developed by Mitsuru Matsui (Mitsubishi Corp)
  • first ideas: Adi Shamir (DES S-boxes' parity), 1994
  • applied to the FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8 and DES (Matsui, 1991-1993)
  • known-plaintext (KP) attack (sometimes it can also work in a ciphertext-only setting)
  • general cryptanalytic technique: used against block ciphers, stream ciphers, and other crypto algorithms

  10. Linear Cryptanalysis
  • basic tools (some notions):
  • linear relation: a linear combination of bits of plaintext, ciphertext and key
  • linear approximation: a Boolean function holding with non-uniform parity (probability away from 1/2)
  • bias: the difference between the probability of 0-parity and 1/2
  • the higher the bias, the more effective the linear approximation
  • number of KP for a high-success attack: ≈ bias^-2

  11. Linear Cryptanalysis
  • strategy: derive linear approximations for each individual cipher component
  • non-linear components are the main targets
  • combine linear approximations of consecutive components until a full round is covered
  • for multiple rounds, use Matsui's Piling-Up Lemma
  • this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)

  12. Linear Analysis of CAST-128
  • 8x32-bit S-boxes are always non-surjective mappings
  • modular addition and subtraction in the round function F
  • motivation for linear approximations of the form 0^8 → Γ_32 across the S-box (zero input mask, nonzero 32-bit output mask Γ_32)
  • bias for all S-boxes S1,...,S4 with mask Γ_32 = 1 is 2^-5
  • we use Γ_32 = 1 (least significant bit) to bypass the modular addition and subtraction after the S-boxes in the round function
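To make the notions of slides 10 to 12 concrete (bias of a linear approximation, the Piling-Up Lemma, the bias^-2 data estimate, and why an output mask selecting only the least significant bit passes through modular addition and subtraction for free), here is an added Python example. It is not the authors' code: the bias computation is the standard linear-approximation-table count, and the 8x32-bit S-box it evaluates is a constructed pseudorandom table, not CAST's S1 to S4, so the bias it reports for the mask 0^8 → 1 illustrates the order of magnitude 2^-5 rather than reproducing the slides' figure.

```python
"""Linear-cryptanalysis helpers for the bias/approximation notions on the
slides (added example, not the authors' code). The 8x32-bit S-box below is a
constructed pseudorandom table, not a CAST S-box."""
import hashlib


def parity(x):
    """Parity (XOR of all bits) of a non-negative integer."""
    return bin(x).count("1") & 1


def linear_bias(sbox, in_mask, out_mask):
    """Bias of the approximation in_mask.x = out_mask.S(x) over all inputs:
    |Pr[parity = 0] - 1/2|, a float in [0, 1/2]. A bias of 1/2 means the
    relation always holds (or always fails); 0 means it is balanced."""
    zeros = sum(1 for x, y in enumerate(sbox)
                if parity((x & in_mask) ^ (y & out_mask)) == 0)
    return abs(zeros / len(sbox) - 0.5)


def piling_up(biases):
    """Matsui's Piling-Up Lemma: the XOR of n independent approximations with
    biases e_1..e_n has bias 2^(n-1) * e_1 * ... * e_n."""
    total = 2 ** (len(biases) - 1)
    for e in biases:
        total *= e
    return total


def known_plaintexts_needed(bias):
    """Rule of thumb from the slides: number of KP ~ bias^-2."""
    return bias ** -2


def lsb_passes_modular_add_sub():
    """lsb(a + b) = lsb(a - b) = lsb(a) XOR lsb(b): a mask selecting only the
    least significant bit crosses modular addition and subtraction with
    probability 1 (bias 1/2). Checked exhaustively on 8-bit operands."""
    return all(((a + b) & 1) == ((a ^ b) & 1) and ((a - b) & 1) == ((a ^ b) & 1)
               for a in range(256) for b in range(256))


def toy_sbox_8x32(tag="toy"):
    """Constructed 8x32-bit S-box: 256 pseudorandom 32-bit words from SHA-256.
    Like every 8x32 mapping it is non-surjective: at most 256 of 2^32 outputs."""
    return [int.from_bytes(hashlib.sha256(f"{tag}-{x}".encode()).digest()[:4], "big")
            for x in range(256)]


def lsb_bias_of_toy_8x32(tag="toy"):
    """Bias of 0^8 -> Gamma_32 with Gamma_32 = 1 (output LSB only) for the toy
    table. For a random 8x32 table the number of even outputs is
    Binomial(256, 1/2), so the bias is typically of the order of its standard
    deviation 8/256 = 2^-5, the magnitude the slides report for S1..S4."""
    return linear_bias(toy_sbox_8x32(tag), 0, 1)


# Reference 4-bit S-box (the identity) for sanity checks of linear_bias:
# in_mask 1 -> out_mask 1 always holds (bias 1/2), 0 -> 1 is balanced (bias 0).
IDENTITY4 = list(range(16))


if __name__ == "__main__":
    e = lsb_bias_of_toy_8x32()
    print("toy 8x32 S-box, mask 0 -> 1: bias =", e)
    # One active F with bias e per 2-round iterative relation; Piling-Up over
    # three such relations and the resulting known-plaintext estimate.
    e6 = piling_up([e, e, e]) if e else 0.0
    print("three concatenated relations:", e6,
          "KP estimate:", known_plaintexts_needed(e6) if e6 else "n/a")
    print("LSB mask passes +/-:", lsb_passes_modular_add_sub())
```

Note that the Piling-Up estimate in the demo treats the consecutive relations as independent, which is exactly the assumption slide 11 flags as not always true.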

  13. Linear Analysis of CAST-128 (figure: f1)

  14. Linear Analysis of CAST-128
  • iterative linear relations: input and output bit masks are identical, so the relation can be concatenated with itself, with a fixed decrease in the bias
  • for CAST-128: 2-round iterative linear relations with 1 active F

  15. Linear Analysis of CAST-128 (figure)

  16. Linear Analysis of CAST-256
  • CAST-256 S-boxes are the same as for CAST-128
  • thus, the same bit masks are used: 0 → 1
  • similarly, we look for iterative linear relations
  • result: 4-round iterative linear relations, i.e. one-quad-round iterative linear relations

  17. Linear Analysis of CAST-256

  18. Linear Analysis of CAST-256 (figure: 1 active F per quad-round)

  19. Linear Analysis of CAST-256 (figure: other combinations)

  20. Linear Analysis of CAST-256 (figure: the bit mask controls which F is active)

  21. Attack Results on reduced-round CAST-128

  22. Attack Results on reduced-round CAST-256

  23. Conclusions
  • first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256
  • the attacks exploit the non-surjectivity of 8x32-bit S-boxes (which holds for any such mapping)

  24. Open Problems
  • we found quadratic equations for all four S-boxes S1,...,S4 of CAST-128/CAST-256. The question is: can we use them in a (pure) algebraic attack?
  • what about combining linear and quadratic equations?

