
Revisiting key schedule’s diffusion in relation with round function’s diffusion

Published in: Designs, Codes and Cryptography

Abstract

We study the weakness of key schedules starting from an observation: many existing attacks exploit the fact that key schedules distribute key bits poorly along the diffusion path of the round functions. This reminds us of the importance of the relation between the diffusion of key schedules and the diffusion of round functions. We present new cryptanalysis results obtained by exploring this diffusion relation and propose a new criterion for the necessary diffusion of a key schedule. We discuss potential attacks and summarize the causes for key schedules that fail to satisfy this criterion. One major cause is that overlap between the diffusion of the key schedule and that of the round functions leads to leakage of information about key bits. Finally, a measure for estimating our criterion for recursive key schedules is presented. Today, key schedule design still lacks practical and necessary principles. For a practical key schedule with limited diffusion, our work adds insight into its requirements and helps to maximize the security level.


Notes

  1. Note that \(X_{0}\) and \(X_{s}\) are the notations in Definition 1, and \(X_{3,7}^{3}\) is the notation for Serpent.

  2. In the examples of this paper, we use the same notation as in the papers describing the original attacks.

  3. Note that this kind of key schedule can also be handled by our algorithm, but this is unnecessary, since it is more inconvenient.


Acknowledgments

This work was supported by the National Natural Science Foundation of China (61073149 and 61272440), and Research Fund for the Doctoral Program of Higher Education of China (20090073110027), State Key Laboratory of ASIC & System (11KF0020), Key Lab of Information Network Security, Ministry of Public Security (C11603).


Corresponding author

Correspondence to Xuejia Lai.

Additional information

Communicated by L. R. Knudsen.

Appendix 1

See Fig. 5.

Fig. 5 The backward calculation dependency path for \(L_{36}[0]\)


Cite this article

Huang, J., Lai, X. Revisiting key schedule’s diffusion in relation with round function’s diffusion. Des. Codes Cryptogr. 73, 85–103 (2014). https://doi.org/10.1007/s10623-013-9804-9


  • DOI: https://doi.org/10.1007/s10623-013-9804-9
