A Unified Approach to Related-Key Attacks [chapter]

Eli Biham, Orr Dunkelman, Nathan Keller
Lecture Notes in Computer Science

This paper introduces a new framework and a generalization of the various flavors of related-key attacks. The new framework allows for combining all the previous related-key attacks into a complex, but much more powerful attack. The new attack is independent of the number of rounds of the cipher. This property holds even when the round functions of the cipher use different subkeys. The strength of our new method is demonstrated by an attack on 4r-round IDEA, for any r. This attack is the first attack on a widely deployed block cipher which is independent of the number of rounds. The variant of the attack with r = 2 is the first known attack on 8-round IDEA.

as building blocks, e.g., hash functions. A famous example for this claim is the block cipher TEA [45]. A related-key property of TEA [33] was used in hacking Microsoft's Xbox architecture, which uses a Davies-Meyer hash function employing TEA as the underlying block cipher [46]. Another security concern is the fact that such a cipher cannot be used in protocols which allow key manipulation, such as the ones used in most inter-bank communications in the US, which increment the key by one in each transaction. Sometimes, the security of the mode of operation of the block cipher is closely related to the immunity of the cipher to related-key attacks (as in the 3GPP case, as was shown in [29]).

There are two classes of related-key attacks. The first class, originally presented by Biham [3] and independently by Knudsen [36], consists of attacks that use related-key plaintext pairs. These attacks use pairs of keys for which most of the encryption function is equivalent. Such relations exist when the key schedule is very simple. Also, in order for the attacks to succeed, the round functions have to be relatively weak (i.e., there exists a known plaintext attack on the round function given one or two input/output pairs). On the other hand, once such a relation can be found, it can be used to devise an attack on the cipher, where the attack is independent of the number of rounds. The second class of related-key attacks, originally presented by Kelsey et al. [32, 33], is composed of attacks that treat the key relation as another freedom level in the examination of statistical properties of the cipher. Besides related-key differentials, where the key difference is used to control the evolution of differences, this class contains variants of most of the known cryptanalytic techniques: the SQUARE attack [20] was treated in the related-key model in [23] and used to extend the best known SQUARE attack against AES into a related-key attack that uses 256 related keys. The boomerang attack [44] and the rectangle attack [5] were combined with related-key differentials to introduce the related-key boomerang and related-key rectangle attacks [7, 28, 35]. Finally, linear cryptanalysis [38] was also combined with related-key attacks to produce a related-key attack on 7.5-round IDEA [8]. The second class of attacks can deal with much more complex key schedules and round functions, but their effectiveness (usually) drops with the number of rounds.

In this paper we unify the main ideas from the two classes of related-key attacks into one framework. The new framework has two main advantages:
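The "first class" of related-key attacks described above rests on a key schedule so simple that two related keys make "most of the encryption function equivalent". The following is an added illustration, not code from the paper: a constructed toy Feistel cipher whose schedule simply cycles through the key words (round i uses K[i mod n]). For such a schedule, encrypting under the rotated key K' = K[1:] + K[:1] equals encrypting under K shifted by one round, so a plaintext pair (P, R_k0(P)) under (K, K') yields ciphertexts separated by a single round, whatever the round count. The function `rotated_key_relation_holds` is the check a designer would run on a candidate schedule; `counter_schedule`, which XORs a round-dependent constant into each subkey, is a constructed variant that defeats this particular relation (and only this one; it is not a security argument for anything else). All names and constants here are assumptions of this example.

```python
"""Constructed illustration of a related-key plaintext-pair relation.

A Feistel cipher whose key schedule only cycles through the key words has the
property that encryption under the rotated key K' = K[1:] + K[:1] is the same
as encryption under K shifted by one round.  Hence plaintext/ciphertext pairs
under K and K' are related through a single round, regardless of the number
of rounds.  The cipher, round function and both schedules are made up for
this example and are not from any real design.
"""
import random

MASK16 = 0xFFFF
KEY_WORDS = 4          # toy key: 4 words of 16 bits


def rotl16(x, r):
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK16


def f(x, k):
    """Toy nonlinear round function (constructed)."""
    t = (x + k) & MASK16
    return rotl16(t, 3) ^ rotl16(t, 9) ^ ((t * t) & MASK16)


def feistel_round(block, subkey):
    """One Feistel round: (L, R) -> (R, L xor f(R, k))."""
    left, right = block
    return right, left ^ f(right, subkey)


def cyclic_schedule(key, rounds):
    """Weak schedule: round i reuses key word i mod n, with no round dependence."""
    return [key[i % KEY_WORDS] for i in range(rounds)]


def counter_schedule(key, rounds):
    """Constructed schedule that XORs a round-dependent constant into each
    subkey.  It breaks the rotation relation checked below; nothing more."""
    return [key[i % KEY_WORDS] ^ ((i * 0x9E37) & MASK16) for i in range(rounds)]


def encrypt(block, key, rounds, schedule):
    for k in schedule(key, rounds):
        block = feistel_round(block, k)
    return block


def rotate_key(key):
    """Related key K' with K'[j] = K[(j + 1) mod n]."""
    return key[1:] + key[:1]


def rotated_key_relation_holds(schedule, rounds, trials=32, seed=1):
    """Check, on random keys and plaintexts, the relation
         E_{K'}(R_{k0}(P)) == R_{kr}(E_K(P)),
    where k0 is K's first subkey and kr the subkey K would use in round r+1.
    If it holds, (P, R_{k0}(P)) under (K, K') are separated by one round only,
    so the number of rounds offers no protection against this key relation."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = [rng.randrange(1 << 16) for _ in range(KEY_WORDS)]
        p = (rng.randrange(1 << 16), rng.randrange(1 << 16))
        subkeys = schedule(key, rounds + 1)
        k0, kr = subkeys[0], subkeys[rounds]
        lhs = encrypt(feistel_round(p, k0), rotate_key(key), rounds, schedule)
        rhs = feistel_round(encrypt(p, key, rounds, schedule), kr)
        if lhs != rhs:
            return False
    return True


def audit(round_counts=(4, 8, 64)):
    """Run the check for both schedules; returns {name: {rounds: holds}}."""
    return {name: {r: rotated_key_relation_holds(s, r) for r in round_counts}
            for name, s in (("cyclic", cyclic_schedule),
                            ("counter", counter_schedule))}


if __name__ == "__main__":
    for name, results in audit().items():
        print(name, results)   # cyclic: all True; counter: all False
```

The relation for the cyclic schedule is exact, so the check passes for 4, 8 or 64 rounds alike; this is the structural reason the first class of attacks is independent of the number of rounds. A schedule that passes this test is not thereby secure against other key relations (the paper's point is precisely that richer relations exist), but one that fails it should be rejected outright.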
doi:10.1007/978-3-540-71039-4_5 fatcat:c4rlwgr7lnb53gunnvmlfjgs34