Abstract
This paper describes the first independent cryptanalysis of the full 8.5-round REESSE3+ block cipher, a large-block variant of the IDEA cipher. We show that large classes of weak keys exist in REESSE3+, just like in IDEA, under differential and linear attacks. Moreover, doubling the number of rounds is not enough to avoid weak keys. The existence of weak keys jeopardizes the use of REESSE3+ as a building block in the construction of other cryptographic primitives such as hash functions in modes such as Davies-Meyer’s. We also describe square and impossible differential attacks on reduced-round versions.
References
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
Biham, E., Biryukov, A., Shamir, A.: Miss in the middle attacks on IDEA and Khufu. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, p. 124. Springer, Heidelberg (1999)
Biham, E., Dunkelman, O., Keller, N.: A new attack on 6-round IDEA. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 211–224. Springer, Heidelberg (2007)
Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993)
Biryukov, A., Nakahara Jr., J., Preneel, B., Vandewalle, J.: New weak-key classes of IDEA. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 315–326. Springer, Heidelberg (2002)
Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)
Borst, J.: Differential-linear cryptanalysis of IDEA. Technical report, ESAT Department, COSIC group, pp. 96–102 (1996)
Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round Even-Mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014)
Daemen, J.: Limitations of the Even-Mansour construction. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 495–498. Springer, Heidelberg (1993)
Daemen, J., Govaerts, R., Vandewalle, J.: Weak keys for IDEA. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 224–231. Springer, Heidelberg (1994)
Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)
Daemen, J., Rijmen, V.: AES Proposal: Rijndael. In: 1st AES Conference, California, USA (1998)
Demirci, H.: Square-like attacks on reduced rounds of IDEA. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 147–159. Springer, Heidelberg (2002)
Demirci, H., Ture, E., Selçuk, A.A.: A new meet-in-the-middle attack on the IDEA block cipher. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 117–129. Springer, Heidelberg (2004)
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997)
Garfinkel, S.: PGP: Pretty Good Privacy. O’Reilly and Associates, Sebastopol (1994)
Hawkes, P.M.: Asymptotic bounds on differential probabilities and an analysis of the block cipher IDEA. The University of Queensland, St. Lucia, Australia (1998)
Khovratovich, D., Leurent, G., Rechberger, C.: Narrow-bicliques: cryptanalysis of full IDEA. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 392–410. Springer, Heidelberg (2012)
Knudsen, L.R.: DEAL - a 128-bit block cipher. Technical report #151, University of Bergen, Department of Informatics, Norway (1998)
Lai, X.: On the design and security of block ciphers. In: Massey, J.L. (ed.) ETH Series in Information Processing, vol. 1. Hartung-Gorre Verlag, Konstanz (1995)
Lai, X., Massey, J.L.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
Meier, W.: On the security of the IDEA block cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 371–385. Springer, Heidelberg (1994)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Gary (1997)
Nakahara Jr., J., Preneel, B., Vandewalle, J.: A note on weak keys of PES, IDEA, and some extended variants. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 267–279. Springer, Heidelberg (2003)
Nakahara Jr., J., Preneel, B., Vandewalle, J.: The Biryukov-Demirci attack on reduced-round versions of IDEA and MESH ciphers. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 98–109. Springer, Heidelberg (2004)
Nakahara Jr., J., Rijmen, V., Preneel, B., Vandewalle, J.: The MESH block ciphers. In: Chae, K.-J., Yung, M. (eds.) WISA 2003. LNCS, vol. 2908, pp. 458–473. Springer, Heidelberg (2004)
Su, S., Lu, S.: A 128-bit block cipher based on three group arithmetics. IACR ePrint archive, 2014/704 (2014)
Yıldırım, H.M.: Some linear relations for block cipher IDEA. The Middle East Technical University (2002)
Acknowledgements
I would like to thank the anonymous reviewers who provided detailed and valuable comments, which improved the readability and helped correct several mistakes in this paper.
A Biryukov-Demirci Attack
The Biryukov-Demirci (BD) relation [14, 26] exploits a linear trail along two words in the middle of a block in the IDEA cipher framework; these two words are combined with intermediate cipher data only via \(\oplus \) and \(\boxplus \). For REESSE3+, the most promising linear trail involves the second and third words in the cipher framework (Fig. 1).
Let us denote the input plaintext block as \(P=(p_1,p_2,p_3,p_4,p_5,p_6,p_7,p_8)\), the corresponding ciphertext block as \(C=(c_1,c_2,c_3,c_4,c_5,c_6,c_7,c_8)\), and let the i-th MA-box output be denoted \((W_1^{(i)}\), \(W_2^{(i)}\), \(W_3^{(i)}\), \(W_4^{(i)})\). Then, from Fig. 1, there is a linear relation involving the least significant bits (lsb) of \(p_2\oplus p_3\). As an example, for a single round (plus the output transformation):
because only \(\oplus \) and \(\boxplus \) are combined with \(p_2\) and \(p_3\) across 1.5 rounds, and the least significant bit of an addition is not affected by carry bits. Likewise, similar relations can be derived for more rounds, leading to a key-dependent relation involving only two plaintext and two ciphertext bits, which holds with certainty.
The Biryukov-Demirci relation for r-round REESSE3+ is
This relation gives a 1-bit condition from the MA-box: lsb\((W_1^{(i)}\oplus W_2^{(i)})\), which changes from round to round, even though it is key-independent.
Unlike in IDEA, where this output bit from the MA-box can be traced back to the MA-box input (and a subkey), in REESSE3+ the situation is more involved, since (adapted from Sect. 2, with the round index i indicated): \(W_1^{(i)}=(T_1^{(i)}\odot T_2^{(i)})\boxplus ((T_1^{(i)}\odot T_2^{(i)})\boxplus T_3^{(i)})\odot T_4^{(i)}\) and \(W_2^{(i)}=T_1^{(i)}\boxplus ((T_1^{(i)}\odot T_2^{(i)})\boxplus T_3^{(i)})\odot T_4^{(i)}\).
That is, lsb\((W_1^{(i)}\oplus W_2^{(i)})=\text{ lsb }((T_1^{(i)}\odot T_2^{(i)})\oplus T_1^{(i)})\), where \(T_1^{(i)}\), \(T_2^{(i)}\) are the two leftmost inputs to the i-th MA-box.
The presence of the \(\odot \) operator makes the relation (7) in REESSE3+ much more involved than the one in IDEA [14, 26], even though there are no subkeys in the MA-box.
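The lsb identity above follows only from the fact that the least significant bit of \(\boxplus \) is carry-free, so it holds whatever \(\odot \) computes. The following added example (not the paper's code) evaluates \(W_1\) and \(W_2\) exactly as written in this appendix and checks that lsb\((W_1\oplus W_2)\) equals lsb\(((T_1\odot T_2)\oplus T_1)\); it assumes 16-bit words and IDEA-style multiplication modulo \(2^{16}+1\) for \(\odot \), which are assumptions, not details taken from this page.

```python
import random

WORD_BITS = 16                    # assumption: 16-bit words (8 words per 128-bit block)
MASK = (1 << WORD_BITS) - 1
MUL_MOD = (1 << WORD_BITS) + 1    # assumption: odot is multiplication mod 2^16 + 1


def add(a, b):
    """Boxplus: addition modulo 2^WORD_BITS."""
    return (a + b) & MASK


def mul(a, b):
    """Odot, assumed IDEA-style: 0 stands for 2^16, result 2^16 maps back to 0."""
    a = a or (1 << WORD_BITS)
    b = b or (1 << WORD_BITS)
    return ((a * b) % MUL_MOD) & MASK


def ma_box_w1_w2(t1, t2, t3, t4):
    """W1 and W2 of one MA-box, transcribed from the formulas in Appendix A."""
    prod = mul(t1, t2)                 # T1 odot T2
    x = mul(add(prod, t3), t4)         # ((T1 odot T2) boxplus T3) odot T4
    return add(prod, x), add(t1, x)    # W1, W2


def lsb(x):
    return x & 1


def bd_condition(t1, t2, t3, t4):
    """The 1-bit condition the BD relation needs from the MA-box: lsb(W1 xor W2)."""
    w1, w2 = ma_box_w1_w2(t1, t2, t3, t4)
    return lsb(w1 ^ w2)


def bd_prediction(t1, t2):
    """The appendix's closed form: lsb((T1 odot T2) xor T1); T3, T4 drop out."""
    return lsb(mul(t1, t2) ^ t1)


def check_random(trials=20000, seed=1):
    """Return True if condition and prediction agree on random MA-box inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        t = [rng.randrange(1 << WORD_BITS) for _ in range(4)]
        if bd_condition(*t) != bd_prediction(t[0], t[1]):
            return False
    return True
```

Changing `mul` to any other word-sized operation leaves `check_random` passing, which is the point: only the carry-free lsb of \(\boxplus \) is used, while the value of the bit itself still depends on \(\odot \) through \(T_1\odot T_2\).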
The approach of [3] is an interesting topic for further research on the security of REESSE3+.
© 2015 Springer International Publishing Switzerland
Cite this paper
Nakahara, J. (2015). Cryptanalysis of the Full 8.5-Round REESSE3+ Block Cipher. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science(), vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_10
DOI: https://doi.org/10.1007/978-3-319-22174-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22173-1
Online ISBN: 978-3-319-22174-8