Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

  • Gregory V. Bard
  • Nicolas T. Courtois
  • Jorge NakaharaJr
  • Pouyan Sepehrdad
  • Bingsheng Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6498)

Abstract

This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Keywords

algebraic cube side-channel attacks cryptanalysis lightweight block ciphers for RFID tags 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Ars, G., Faugère, J.-C.: An Algebraic Cryptanalysis of Nonlinear Filter Generators using Gröbner Bases. Technical report, INRIA research report (2003), https://hal.ccsd.cnrs.fr/
  2. 2.
    Aumasson, J.P., Dinur, I., Meier, W., Shamir, A.: Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium. In: Dunkelman, O. (ed.) Fast Software Encryption. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Bard, G.: Algebraic Cryptanalysis. Springer, Heidelberg (2009)CrossRefMATHGoogle Scholar
  4. 4.
    Bard, G., Courtois, N., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers. Presented at ECRYPT workshop Tools for Cryptanalysis eprint/2007/024 (2007) Google Scholar
  5. 5.
    Blum, M., Luby, M., Rubinfeld, R.: Self testing/correcting with applications to numerical problems. In: ACM STOC, pp. 73–83 (1990)Google Scholar
  6. 6.
    Buchberger, B.: An Algorithm for Finding the Basis Elements of the Residue Class Ring of a Zero Dimensional Polynomial Ideal. PhD thesis, Johannes Kepler University of Linz, JKU (1965)Google Scholar
  7. 7.
    Courtois, N., Bard, G., Wagner, D.: Algebraic and Slide Attacks on Keeloq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Courtois, N., Bard, G.V.: Algebraic Cryptanalysis of the Data Encryption Standard. In: Galbraith, S.D. (ed.) IMA Int. Conf 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Courtois, N., O’Neil, S., Quisquater, J.: Practical Algebraic Attacks on the Hitag2 Stream Cipher. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 167–176. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Courtois, N., Shamir, A., Patarin, J., Klimov, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  13. 13.
    De Canniére, C., Dunkelman, O., Knezević, M.: Katan and ktantan - a family of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    De Canniére, C., Preneel, B.: Trivium. In: Robshaw, M.J.B., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Ding, J., Buchmann, J., Mohamed, M.S.E., Mohamed, W.S.A., Weinmann, R.-P.: MutantXL algorithm. In: Proceedings of the 1st International Conference in Symbolic Computation and Cryptography, pp. 16–22 (2008)Google Scholar
  16. 16.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2010)Google Scholar
  17. 17.
    Dinur, I., Shamir, A.: Side Channel Cube Attacks on Block Ciphers. IACR ePrint Archive, ePrint 127 (2009)Google Scholar
  18. 18.
    Een, N., Sorensson, N.: Minisat - A SAT Solver with Conflict-Clause Minimization. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Faugère, J.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Symbolic and Algebraic Computation - ISSAC, pp. 75–83 (2002)Google Scholar
  20. 20.
    Faugère, J.C.: A new effcient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139(1), 61–88 (1999)MathSciNetCrossRefMATHGoogle Scholar
  21. 21.
    Indesteege, S., Keller, N., Dunkelman, O., Biham, E., Preneel, B.: A Practical Attack on Keeloq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  22. 22.
    Lazard, D.: Gröbner-bases, Gaussian elimination and resolution of systems of algebraic equations. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, Springer, Heidelberg (1983)CrossRefGoogle Scholar
  23. 23.
    Macaulay, F.S.: The algebraic theory of modular systems. Cambridge Mathematical Library (1916)Google Scholar
  24. 24.
    Markovitz, H.M.: The Elimination Form of the Inverse and Its Application to Linear Programming. Management Science, 225–269 (1957)Google Scholar
  25. 25.
    Mohamed, M.S.E., Mohamed, W.S.A.E., Ding, J., Buchmann, J.: MXL2: Solving Polynomial Equations over GF(2) using an Improved Mutant Strategy. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 203–215. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  26. 26.
    Nohl, K., Soos, M.: Solving Low-Complexity Ciphers with Optimized SAT Solvers. In: EUROCRYPT (2009)Google Scholar
  27. 27.
    Raddum, H., Semaev, I.: New technique for solving sparse equation systems. In: Cryptology ePrint Archive (2006), http://eprint.iacr.org/2006/475
  28. 28.
    SAT. Sat Race Competition, http://www.satcompetition.org/
  29. 29.
    Shannon, C.E.: Claude Elwood Shannon Collected Papers. Wiley-IEEE Press, Piscataway (1993)MATHGoogle Scholar
  30. 30.
    Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. In: Cryptology ePrint Archive, report 413 (2007)Google Scholar
  31. 31.
    Wong, K.K.H., Bard, G.: Improved Algebraic Cryptanalysis of QUAD, Bivium and Trivium via Graph Partitioning on Equation Systems. In: ACISP (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Gregory V. Bard
    • 1
  • Nicolas T. Courtois
    • 2
  • Jorge NakaharaJr
    • 3
  • Pouyan Sepehrdad
    • 3
  • Bingsheng Zhang
    • 4
  1. 1.Fordham UniversityUSA
  2. 2.University College LondonLondonUK
  3. 3.EPFLLausanneSwitzerland
  4. 4.Cybernetica ASEstonia and University of TartuEstonia

Personalised recommendations