[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected]*Subject*: Cryptanalysis of S-1*From*: [email protected] (David A. Wagner)*Date*: 25 Aug 1995 19:05:39 GMT*Cc*: [email protected]*Newsgroups*: sci.crypt.research*Organization*: Princeton University*Sender*: [email protected]

I just got back from vacation in time to see the brouhaha over S-1. My, my. So I'll describe an attack on S-1 which takes 2^32 known plaintexts and 2^64 operations, assuming that F, G, clear_family, and cipher_family are known (but arbitrary). Tradeoffs are possible: a similar attack breaks S-1 with 2^48 known plaintexts and 2^48 operations. This adds weight to the hypothesis that S-1 is a hoax (assuming that the NSA was trying to design a strong cipher!)... I should point out that this attack works for an arbitrary number of rounds. It shows that increasing the number of rounds will never make S-1 secure. To fix S-1, the key schedule must be repaired. Anyhow, here's the attack. Several people have noted that the S-1 round keys repeat every 5 rounds. I'll take advantage of this with an attack reminiscent of related-key techniques (but I don't need any related-keys, Mind you!). If P is a known plaintext, let P_i denote the intermediate block after i rounds. I'm going to look for a pair of matching plaintexts P,Q: a pair for which P_5 = Q_0. Then we'll have P_{5+j} = Q_j for all j. Pictorially: P_0 P_1 P_2 P_3 P_4 P_5 Q_0 P_6 Q_1 ... ... P_31 Q_26 P_32 Q_27 Q_28 Q_29 Q_30 Q_31 Q_32 The birthday paradox says that with 2^32 known plaintexts, there should be at a matching pair P,Q. If I can recognize it, I can exploit it as follows. Note that (P_0,Q_0) and (P_32,Q_32) are two known plaintext-ciphertext pairs for 5-round S-1. These two known plaintexts for 5-round S-1 are enough to find the 5 round subkeys by standard methods (since we know the inputs and outputs to almost all the F boxes in these two examples). Thus, each pair P,Q will suggest one key value, and the right (matching) pair will suggest the correct key value (which can be easily recognized with one trial decryption). I don't know how to recognize matching pairs directly, but I can try all 2^32 * 2^32 possible pairs, and I'm guaranteed to find the matching plaintext pair if there is one after 2^64 trial decryptions. That's the basic attack. Here's a sketch of how to trade off known plaintexts for time. I'd really like to be able to detect matching pairs easily, because then I'd be able to use a hash table (or sorted list) to find a matching pair more efficiently. So I'll note that I can detect matching pairs pretty accurately if P,Q are in a particular form. I'll construct an oracle which can quickly tell if two plaintext-ciphertext pairs (X,Y) (X',Y') for 5-round S-1 were enciphered with the same key, if they're in a special form. Let A,A' be the 32 bits from X,X' entering the F boxes in round 2; let B,B' be the 16 bits output from the F boxes in round 2; let C,D,C',D' be the 16 bits affected by the F boxes in round 2 from X,Y,X',Y' -- so that D = C ^ B = C ^ f(A ^ K_2) D' = C' ^ B' = C' ^ f(A' ^ K'_2). If K_2 = K'_2 and A = A', then D ^ C should equal D' ^ C'. So this is how I'll construct the oracle: it insists that (X,Y) (X',Y') be of a form so that A = A', and it reports that (X,Y) (X',Y') were enciphered with the same key when D ^ C = D' ^ C'. The oracle will always answer correctly if they were enciphered with the same key, and will answer incorrectly 2^{-16} of the time when the were enciphered with different keys. So now we are considering (X,Y) = (P_0,P_5) = (P_0,Q_0) and (X',Y') = (Q_27,Q_32) = (P_32,Q_32). The oracle's precondition means that 32 bits of P_0 equal a corresponding 32 bits of P_32. The tradeoff attack follows from this. Get 2^48 known plaintexts. Consider only those known plaintext-ciphertext pairs (P_0,P_32) which meet the 32 bit oracle precondition as possibilities for P. There will be 2^16 possibilities for P. Let Q range over all 2^48 possibilities. Then we expect there to be some right matching pair P,Q: the oracle is guaranteed to detect it, and also another 2^48 wrong pairs. Each possible pair P,Q will suggest a key value, so the wrong pairs can be filtered out with a total of 2^48 trial encryptions, leaving only the right pair and the right key value. This would seem to require 2^16 * 2^48 oracle computations since there are 2^16 values for P and 2^48 possibilities for Q. But wait: the oracle can be implemented more efficiently as a table lookup. Store all 2^16 possibilities for P in a lookup table, keyed on the 16 bit value D^C used by the oracle. For each Q, calculate the 16 bit value D' ^ C' and search in the table for a matching D ^ C value (which gives you a possible matching pair P,Q). This technique requires a total of 2^48 table lookups, 2^48 trial decryptions, 2^16 space, and 2^48 known plaintexts. Further tradeoffs between # of known plaintexts and time appear to be possible... I've ignored the issue of the G box throughout. Actually, it does change the number a little bit -- but just by random luck, the two G box outputs should match 1 in 2^2 times, so we only need to increase the complexity of this attack by about 2^2 to account for the G box. The G box didn't add much strength. ------------------------------------------------------------------------------- David Wagner [email protected]

**Follow-Ups**:

- Prev by Date:
**SOLVED: Re: for perl experts: brclient problem** - Next by Date:
**Re: Cryptanalysis of S-1** - Prev by thread:
**Re: ssl challenge** - Next by thread:
**Re: Cryptanalysis of S-1** - Index(es):