Cryptanalysis of the Full 8.5-Round REESSE3+ Block Cipher

Abstract

This paper describes the first independent cryptanalysis of the full 8.5-round REESSE3+ block cipher, a large-block variant of the IDEA cipher. We show that large classes of weak keys exist in REESSE3+, just like in IDEA, under differential and linear attacks. Moreover, doubling the number of rounds is not enough to avoid weak keys. The existence of weak keys jeopardizes the use of REESSE3+ as a building block in the construction of other cryptographic primitives such as hash functions in modes such as Davies-Meyer’s. We also describe square and impossible differential attacks on reduced-round versions.

A Biryukov-Demirci Attack

The Biryukov-Demirci (BD) relation [14, 26] exploit a linear trail along two words in the middle of a block in the IDEA cipher framework, which are combined with intermediate cipher data only via \(\oplus \) and \(\boxplus \). For REESSE3+, the most promising linear trail involves the second and third words in the cipher framework (Fig. 1).

Let us denote the input plaintext block as \(P=(p_1,p_2,p_3,p_4,p_5,p_6,p_7,p_8)\), the corresponding ciphertext block as \(C=(c_1,c_2,c_3,c_4,c_5,c_6,c_7,c_8)\), and let the i-th MA-box output be denoted \((W_1^{(i)}\), \(W_2^{(i)}\), \(W_3^{(i)}\), \(W_4^{(i)})\). Then, from Fig. 1, there is a linear relation involving the least significant bits (lsb) of \(p_2\oplus p_3\). As an example, for a single round (plus the output transformation):

$$\begin{aligned} \text{ lsb }(p_2\oplus p_3)=\text{ lsb }(Z_2^{(i)}\oplus Z_3^{(i)}\oplus W_1^{(1)}\oplus W_2^{(1)}\oplus c_2\oplus c_3), \end{aligned}$$

(6)

because there are only \(\oplus \) and \(\boxplus \) combined to \(p_2\) and \(p_3\) across 1.5 rounds, and the least significant bit of addition is not affected by carry bits. Likewise, similar relations can be derived for more rounds, leading to a key-dependent relation involving only two plaintext and two ciphertext bits, that hold with certainty.

The Biryukov-Demirci relation for r-round REESSE3+ is

$$\begin{aligned} \text {lsb}(p_2\oplus p_3\oplus c_2\oplus c_3) = \text {lsb}\bigoplus _{i=1}^r(Z_2^{(i)}\oplus Z_3^{(i)}\oplus W_1^{(i)}\oplus W_{2}^{(i)}), \end{aligned}$$

(7)

This relation gives a 1-bit condition from the MA-box: lsb\((W_1^{(i)}\oplus W_2^{(i)})\), which changes from round to round, even though it is key-independent.

Unlike in IDEA, where this output bit from the MA-box could be traced back to the MA-box input (and a subkey), in REESSE3+, it is more involved, since (adapted from Sect. 2, with an indication to the i-th round): \(W_1^{(i)}=(T_1^{(i)}\odot T_2^{(i)})\boxplus ((T_1^{(i)}\odot T_2^{(i)})\boxplus T_3^{(i)})\odot T_4^{(i)}\) and \(W_2^{(i)}=T_1^{(i)}\boxplus ((T_1^{(i)}\odot T_2^{(i)})\boxplus T_3^{(i)})\odot T_4^{(i)}\).

That is, lsb\((W_1^{(i)}\oplus W_2^{(i)})=\text{ lsb }((T_1^{(i)}\odot T_2^{(i)})\oplus T_1^{(i)})\), where \(T_1^{(i)}\), \(T_2^{(i)}\) are the two leftmost inputs to the i-th MA-box.

The presence of the \(\odot \) operator makes the relation (7) in REESSE3+ much more involved than the one in IDEA [14, 26], even though there are no subkeys in the MA-box.

The approach of [3] is an interesting topic for further research on the security of REESSE3+.