Another Look at Complementation Properties

  • Charles Bouillaguet
  • Orr Dunkelman
  • Gaëtan Leurent
  • Pierre-Alain Fouque
Conference paper

DOI: 10.1007/978-3-642-13858-4_20

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6147)
Cite this paper as:
Bouillaguet C., Dunkelman O., Leurent G., Fouque PA. (2010) Another Look at Complementation Properties. In: Hong S., Iwata T. (eds) Fast Software Encryption. FSE 2010. Lecture Notes in Computer Science, vol 6147. Springer, Berlin, Heidelberg

Abstract

In this paper we present a collection of attacks based on generalisations of the complementation property of DES. We find symmetry relations in the key schedule and in the actual rounds, and we use these symmetries to build distinguishers for any number of rounds when the relation is deterministic. This can be seen as a generalisation of the complementation property of DES or of slide/related-key attacks, using different kinds of relations. We further explore these properties, and show that if the relations have easily found fixed points, a new kind of attacks can be applied.

Our main result is a self-similarity property on the SHA-3 candidate Lesamnta, which gives a very surprising result on its compression function. Despite the use of round constants which were designed to thwart any such attack, we show a distinguisher on the full compression function which needs only one query, and works for any number of rounds. We also show how to use this self-similarity property to find collisions on the full compression function of Lesamnta much faster than generic attacks. The main reason for this is the structure found in these round constants, which introduce an interesting and unexpected symmetry relation. This casts some doubt on the use of highly structured constants, as it is the case in many designs, including the AES and several SHA-3 candidates.

Our second main contribution is a new related-key differential attack on round-reduced versions of the XTEA block-cipher. We exploit the weakness of the key-schedule to suggest an iterative related-key differential. It can be used to recover the secret key faster than exhaustive search using two related keys on 37 rounds. We then isolate a big class of weak keys for which we can attack 51 rounds out of the cipher’s 64 rounds.

We also apply our techniques to ESSENCE and \(\mathcal{PURE}\).

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Charles Bouillaguet
    • 1
  • Orr Dunkelman
    • 1
    • 2
  • Gaëtan Leurent
    • 1
  • Pierre-Alain Fouque
    • 1
  1. 1.Département d’InformatiqueÉcole normale supérieureParisFrance
  2. 2.Faculty of Mathematics and Computer ScienceWeizmann Institute of ScienceRehovotIsrael

Personalised recommendations