Zero-Correlation Linear Cryptanalysis of Reduced Round ARIA with Partial-sum and FFT

Abstract

Block cipher ARIA was first proposed by some South Korean experts in 2003, and later, it was established as a Korean Standard block cipher algorithm by Korean Agency for Technology and Standards. In this paper, we focus on the security evaluation of ARIA block cipher against the recent zero-correlation linear cryptanalysis. In addition, Partial-sum technique and FFT (Fast Fourier Transform) technique are used to speed up the cryptanalysis, respectively. We first introduce some 4-round linear approximations of ARIA with zero-correlation, and then present some key-recovery attacks on 6/7-round ARIA-128/256 with the Partial-sum technique and FFT technique. The key-recovery attack with Partial-sum technique on 6-round ARIA-128 needs $2^{123.6}$ known plaintexts (KPs), $2^{121}$ encryptions and $2^{90.3}$ bytes memory, and the attack with FFT technique requires $2^{124.1}$ KPs, $2^{121.5}$ encryptions and $2^{90.3}$ bytes memory. Moreover, applying Partial-sum technique, we can attack 7-round ARIA-256 with $2^{124.6}$ KPs, $2^{203.5}$ encryptions and $2^{152}$ bytes memory and 7-round ARIA-256 employing FFT technique, requires $2^{124.7}$ KPs, $2^{209.5}$ encryptions and $2^{152}$ bytes memory. Our results are the first zero-correlation linear cryptanalysis results on ARIA.

1. Introduction

ARIA [1] is a block cipher designed by a group of Korean experts in 2003. In 2004, ARIA was established as a Korean Standard block cipher algorithm by the Ministry of Commerce, Industry and Energy. ARIA is a general-purpose involutional SPN(substitution permutation network) block cipher algorithm, optimized for both lightweight environments and hardware implementation. ARIA supports 128-bit block length with the key sizes of 128/192/256 bits, and the most interesting characteristic is its involution based on the special usage of neighbouring confusion layer and involutional diffusion layer.

The security of ARIA has been internally evaluated by the designers [1] with differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, impossible differential cryptanalysis, higher order differential cryptanalysis, square attack and interpolation attack. Biryukov et al.[2] performed an evaluation of ARIA with truncated differential cryptanalysis and dedicated linear cryptanalysis. For the first time, Wu et al.[3] found a non-trivial 4-round impossible differential and they gave an attack on 6-round ARIA requiring about 2121 chosen plaintexts and 2112 encryptions. Based on some properties of the binary matrix used in the diffusion layer, Li et al.[4] found some new 4-round impossible differentials of ARIA, and they gave an efficient attack on 6-round ARIA. Later, Fleischmann et al.[5] proposed the boomerang attack on 6-round ARIA and integral attacks[6] were introduced in the analysis of 7-round ARIA. Tang et al.[7] proposed the meet-in-the-middle attack on 7-round ARIA. Du et al.[8] proposed the impossible differentials on 7-round ARIA-256 and recently, Xie et al.[9] gave some improvements. Attack results on ARIA are summarized in Table 1.

Table 1.KP(CP) refer to the number of known(chosen) plaintexts, Enc refers to the number of encryptions.

In this paper, we apply the recent zero-correlation linear attacks to the block cipher ARIA. Zero-correlation linear cryptanalysis, proposed by Bogdanov and Rijmen[1], is a novel promising attack technique for block ciphers. It uses the linear approximation with correlation zero generally existing in block ciphers to distinguish the differences between a random permutation and a block cipher. The initial distinguishers [10] had some limitations in terms of data complexity, which needs at least half of the codebook. In FSE 2012, Bogdanov and Wang [11] proposed a more data-efficient distinguisher by making use of multiple linear approximations with correlation zero. The date complexity is reduced, however, the distinguishers rely on the assumption that all linear approximations with correlation zero are independent. To remove the unnecessary independency assumptions on the distinguishing side, multidimensional distinguishers [12] had been constructed for the zero-correlation property at AsiaCrypt 2012. Recently, the multidimensional zero-correlation linear cryptanalysis has been using in the attack of block ciphers CAST-256[12], Camellia[13], CLEFIA[13], HIGHT[14], LBlock[15] and E2[16], successfully.

Some improving techniques for zero-correlation linear cryptanalysis have been proposed, such as Partial-sum technique and FFT technique. Partial-sum technique was proposed by Ferguson et al. [17] to conduct the integral attacks on 6-round AES. The basic idea of Partial-sum technique is to partially compute the sum by guessing each key one after another instead of guessing all the keys one time. Since zero-correlation linear cryptanalysis use enormous plaintext-ciphertext pairs, thus, Partial-sum technique can also be used to reduce the computation complexity in the attack process. FFT technique of computational complexity reduction was first proposed by Collard et al.[18] in the linear attack on the AES candidate Serpent in 2007. It also relies on eliminating the redundant computations from the partial encryption/decryption in attack process. At SAC 2013, Bogdanov et al.[13] applied FFT technique to the zero-correlation linear cryptanalysis of Camellia.

In this paper, 4-round zero-correlation linear approximations of ARIA are discussed in detail. Furthermore, we investigate the security of 6/7-round ARIA-128/256 with both Partial-sum and FFT techniques. Our contributions can be summarized as follows:

1. We reveal some 4-round zero-correlation linear approximations of ARIA. If we treat the input/output masks as the input/output differentials, they are 4-round impossible differentials of ARIA owing that the diffusion layer of the round function is a diagonal matrix.

2. Based on those new linear approximations with zero-correlation, key-recovery attacks on 6/7-round ARIA-128/256 are proposed. In addition, we use Partial-sum technique and FFT technique to speed up the attacks. They are the first zero-correlation linear attacks on reduced-round ARIA.

The paper is organized as follows. Section 2 gives a brief description of block cipher ARIA and outlines the ideas of zero-correlation linear cryptanalysis. Some new zero-correlation linear approximations are shown in Section 3. Section 4 and Section 5 illustrate our attacks on 6/7-round ARIA-128/256 with Partial-sum and FFT technique, respectively. We conclude this paper in Section 6.

 

2. Preliminaries

2.1 Description of ARIA

ARIA is an SPN style block cipher and the number of the round is 12/14/16 corresponding to key of 128/192/256 bits. The round function consists of 3 basic operations: the substitution layer, the diffusion layer and the round key addition, which can be described as follows:

Round Key Addition(KA) : This is done by XORing the 128-bit round key, which is derived from the cipher key by means of the key schedule.

Substitution Layer(SL) : Applying the 8×8 S-boxes 16 times in parallel on each byte. There are two types of substitution layers to be used so as to make the cipher involution, see Fig. 1. For convenience, we denote by Sr ,k , the k -th S-box of r -th round and its inverse S-box.

Fig. 1.Substitution Layer of ARIA

Diffusion Layer(DL) : A linear map is given by

Note that the diffusion layer of the last round is replaced by a round key addition. We shall assume that the 6/7-round ARIA also has the last diffusion layer replaced by a round key addition in the attack of 6/7-round ARIA. In addition, our attacks do not utilize the round key relations, so we omit the details of ARIA's key schedule.

2.2 Basic ideas of zero-correlation linear cryptanalysis

In this section, we briefly recall the basic concepts of zero-correlation linear cryptanalysis, which is based on linear approximations determined by an input mask α and an output mask β. The linear approximation α → β of a vectorial function f with the correlation can be denoted as

where we denote the scalar product of binary vectors by

In zero-correlation linear cryptanalysis, distinguishers uses linear approximations with zero correlation for all keys ,while the classical linear cryptanalysis utilizes linear approx- imations with correlation far from zero. Zero-correlation linear cryptanalysis with multiple linear approximations was introduced in [11].

Let the number of available zero-correlation linear approximations for an n-bit block cipher be denoted by l. Let the number of required known plaintexts be N . For each of the l given linear approximation, the adversary computes the number Ti of times that linear approximation i is fulled on N plaintexts and ciphertexts, i∈{1,..., l} . Each Ti suggests an empirical correlation value ĉi = 2Ti / N-1. Under a statistical independency assumption, follows a X2 -distribution with mean μ0 = l / N and variance = 2l / N2 for the right key guess, while for the wrong key guess, it follows a X2 -distribution with mean μ1 = l / N +l / 2n and standard deviation If we denote the probability of false positives and the probability of false negatives to distinguish between a wrong key and a right key as β0 and β1 , respectively. We consider the decision threshold the number of known plaintexts N should be approximately:

where and are the respective quantiles of the standard normal distribution.

Recently, Bogdanov et al. [12] proposed a multidimensional zero-correlation linear distinguisher using l zero-correlation linear approximations to remove the statistical independency assumption, which requires known plaintexts, where n is the block size of a cipher. We treat the zero-correlation linear approximations available as a linear space spanned by m base zero-correlation linear approximations such that all l =2m non-zero linear combinations of them have zero correlation. For each of the 2m data values z∈ , the attacker initializes a counter V[z],z=0,1,...,2m-1 to value zero. Then, for each dis- tinct plaintext, the attacker computes the corresponding data value in by evaluating the m basis linear approximations and increments the counter V[z] of this data value by one. Then the attacker computes the statistic T :

The statistic T follows a X2 -distribution with mean μ0=(l-1)(2n - N) / (2n-1) and variance = 2(l-1)(2n-N)2 / (2n-1)2 for the right key guess, while for the wrong key guess, it follows a X2 - distribution with mean μ1=l-1 and variance = 2(l-1).

If we denote the probability of false positives and the probability of false negatives to distinguish between a wrong key and a right key as β0 and β1 , respectively. We consider the decision threshold then the number of known plaintexts N should be about

 

3. Some zero-correlation linear approximations for 4-round ARIA

In this section, we show some zero-correlation linear approximations for 4-round ARIA, following the properties on the propagation of linear masks over basic block cipher operations proposed in [10]. We consider 4-round linear approximations with zero-correlation, which is built in a miss-in-the-middle manner. Some 2-round linear approximations with nonzero bias is concatenated to some 2-round linear approximations with nonzero bias in the inverse direction, where the intermediate masks states contradict with each other.

We assert that the 4-round linear approximations

have zero-correlation, where b and h denote any non-zero value.

Consider that the input masks (0,0,0,0,b,0,0,0;0,0,0,0,0,0,0,0) for R2 will result that the output mask for R3 is (e0,e1,...,e14,e15) in the forward direction, where ei, 0≤i≤15 denotes any byte value. The three bytes e3,e4,e10 satisfy that e3⊕e4⊕e10=d5, and we know that b≠0 means that d5≠0, then e3⊕e4⊕e10≠0. In the backward direction, we can get that the input mask of R4 is (g0,g1,...,g14,g15) from the output (0,0,h,0,0,h,0,0;0,0 0,h,h,0,0,0) for R5 , where gi, 0≤i≤15 also denotes any byte value. We can deduce that g3=g4=g10=0, which leads that g3⊕g4⊕g10≠0 and it contradicts with e3⊕e4⊕e10≠0. Then, the linear hull is a zero-correlation linear hull, see Fig. 2. We also have the following 4-round linear approximations with zero-correlation,

Fig. 2.Zero-correlation linear approximations of 4-round ARIA

In addition, it is easy to see that the linear map P of diffusion layer can be treated as a diagonal matrix. If we treat the input /output masks as the input/output differentials, they are also 4-round impossible differentials.

 

4. Key-recovery attacks on 6-round ARIA with Partial-Sum and FFT

In this section, based on the first 4-round zero-correlation linear approximates, we present some key-recovery attacks on 6-round ARIA-128 with zero-correlation linear cryptanalysis. In the attack, the Partial-sum and FFT techniques are used to speed up, respectively.

4.1 Key-recovery attacks on 6-round ARIA with Partial-sum technique

To attack 6-round ARIA, the 4-round linear approximates with zero-correlation start from round 2 and end at round 5. One round is added before and one round is appended after the linear approximates, refer to Fig. 3. The partial encryption and decryption using the partial sum technique are proceeded as follows.

Fig. 3.Key-recovery Attacks on 6-Round ARIA

1. Allocate 40-bit counters V1[x1] for 288 possible values of x1=m1 [0,2,5,8,11,14,15] | m7 [2,5,11,12] and initialize them to zero. For the corresponding ciphertexts after 6 round encryption, extract the value of x1 and increment the corresponding counter V1[x1] . The time complexity of this step is N memory accesses to process the chosen plaintext-ciphertext pairs. We assume that processing each pair is equivalent to one round encryption, then the time complexity of this step is about N x1/ 6 6-round encryptions.

2. Allocate a counter V2[x2] for 288 possible values of and initialize them to zero. Guess k7 [2] and partially decrypt x1 to get the value of x2 , that is, compute then update the corresponding counter by V2[x2]+V1[x1]. The computation is about 288x28x1/16x1/ 6 6-round encryptions.

The following steps in the partial encryption and decryption phase are similar to Step 2, we use Table 2 to show the details of each partial encryption and decryption step. In Table 2, the second column stands for the counters should be allocated in this step. The subkey bytes that have to be guessed in each step are shown in the third column. the fourth column denotes the time complexity of corresponding step measured in 1/16x1/ 6 6-round encryption. The intermediate state values are shown in the last column.

Table 2.Partial Encryption and Decryption of the Attack on 6-Round ARIA-128

13. Allocate a counter vector V[z] of size 216 where each element is 120-bit length for 16-bit z ( z is the concatenation of evaluations of 16 basis zero-correlation masks). For 216 values of x12 , evaluate all basis zero-correlation masks on V12 and put the evaluations to the vector z , then add the corresponding V[z]: V[z]+ =V12[x12] . According Equation(2), compute if T ˂ τ , then the guessed key is a possible key candidate.

In the attack, we set the type-I error probability β0=2-2.7 and the type-II error probability β1=2-90. We have ≈ 1, ≈ 11, n =128 , l=216. According to Equation (3), the date complex N should be about 2123.6 and the decision threshold τ ≈ 215.9.

The complexity of Step 3 to Step 12 is no more than 2108.6 6-round ARIA encryptions and the complexity of Step 1 is about 2121 6-round ARIA encryptions which is also the dominant part of our attack. In total, the data complexity is about 2123.6 known plaintexts, the time complexity is about 2121 6-round ARIA encryptions and the memory requirement are about 290.3 bytes for counters.

4.2 Key-recovery attacks on 6-round ARIA with FFT technique

Using the FFT technique, we can attack 6-round AIRA-128 starting from the first round by placing the 4-round zero-correlation linear approximations in rounds 2 to 5. One round is added before and one round is appended after the linear approximates, also see Fig. 3.

In our attack, we guess the subkeys and evaluate the linear approximation

(0,0,0,0,b,0,0,0; 0,0,0,0,0,0,0,0)·m2⊕(0,0,h,0,0,h,0,0; 0,0,0,h,h,0,0,0)·m6 =0 that is ,

Let k6 = k6[2]⊕k6[5]⊕k6[11]⊕k6[13] and v=u⊕b·k6, then we have

Our attack is equivalent to evaluating the correlation of the linear approximation v = 0 . The correlation of the linear approximation v = 0 can be evaluated as the matrix vector product where the matrix is:

see [13] and [18] for detail. Then the attack is performed as follows:

1. Allocate the vector of counters Vk of the experimental correlation for every subkey candidate k=k1 [0,2,5,8,11,14,15] | k7 [2,5,11,12] .

2. For each of N PC pairs, extract the 88-bit value i=m1[0,2,5,8,11,14,15] |m7[2,5, 11,12]

and increment the counters xi according to the value of i .

3. For each of the 216 linear approximations,

(i). Perform the key counting phase and compute the first column of M using (4) and (5). As M is a 88-level circulant matrix, this information is sufficient to denote matrix M completely ,which requires 288 operations.

(ii). Evaluate the vector ε = M · x , which requires about 3x88x288 operations.

(iii). Let W =W + (ε / N)2, If W ˂ τ , then the corresponding k is a possible subkey candidate and all master keys are tested exhaustively.

After Step 3, we obtain 288 counters Vk , which are the sum of squares of correlations for 216 linear approximations under each k . The correct subkey is then selected from the candidates with Vk less than the thresholdτ . If we set β0=2-2.7 and β0=2-90 , we get ≈ 1 and ≈ 11. Since the block size n =128 and we have l= 216 linear approximations, according to Equation (1), the number of known plaintext-ciphertext pairs N should be about 2124.1 and the threshold τ ≈ 2-108.4. In Step 3, only the right guess is expected to survive for the 88-bit target subkeys. The complexities for Step 2, Step 3, are 2121.5 memory accesses, 216x4x88x288=2112.5 operators, respectively. If we assume that one time of memory access, one time of operators, one 6-round Camellia encryption are equivalent, then the total time complexity is about 2121.5 encryptions. The memory requirements are about 290.3 bytes.

 

5. Key-recovery attacks on 7-round ARIA with Partial-Sum and FFT

In this section, we describe some zero-correlation linear cryptanalysis of 7-round ARIA. The attack is based on the first 4-round zero-correlation linear approximates with additional one round in the begin and two rounds at the end, see Fig. 4. Partial-Sum and FFT are also used in the attack process, respectively.

Fig. 4.Key-recovery Attacks on 7-Round ARIA

5.1 Key-recovery attacks on 7-round ARIA with Partial-sum technique

Similarly to the attacks to 6-round ARIA, the partial encryption and decryption using the partial sum technique are proceeded as follows.

1. Allocate 8-bit counters V1[x1] for 2152 possible values of x1 = m1[0,2,5,8,11,14,15] |m8[1,2,3,4,6,7,9,10,11,12,14,15] and initialize them to zero. For the corresponding ciphertexts after 7 round encryption, extract the value of x1 and increment the corresponding counter V1[x1] . The time complexity of this step is N memory accesses to process the chosen plaintext-ciphertext pairs. We assume that processing each PC pair is equivalent to one round encryption, then the time complexity of this step is about N x1/ 7 7-round encryptions.

2. Allocate a counter V2[x2] for 2120 possible values of x2 = m1[2,5,8,11,14,15] |m8[11,12,14,15] and set them to zero. Guess k1 [0] and k8 [1,2,3,4,6,7,9,10] , and partially decrypt x1 to get the value of x2 , that is, compute then update the corresponding counter by V2[x2]+=V1[x1]. The computation in this step is no more than Nx272x1/16x1/7 7-round encryptions.

3. Allocate a counter V3[x3] for 2112 possible values of x3 = m1[2,5,8,11,14,15] |m8[12,14,15] | and initialize them to zero. Guess k8 [11] and partially decrypt x2 to get the value of x3 , that is, compute then update the corresponding counter by V3[x3]+=V2[x2]. The computation in this step is no more than 2120x280x1/16x1/7 7-round encryptions.

4. Allocate a counter V4[x4] for the 2104 possible values of x4 = m1[2,5,8,11,14,15] |m8[14,15] | and initialize them to zero. Guess k8 [12] and partially decrypt x3 to get the value of x4 , that is, compute then update the corresponding counter by V4[x4]+=V3[x3]. The computation in this step is no more than 2112x288x1/16x1/7 7-round encryptions.

5. Allocate a counter V5[x5] for the 296 possible values of x5 = m1[2,5,8,11,14,15] |m8[15] | and initialize them to zero. Guess k8 [14] and partially decrypt x4 to get the value of x5 , that is, compute then update the corresponding counter by V5[x5]+=V4[x4]. The computation in this step is no more than 2104x296x1/16x1/7 7-round encryptions.

6. Allocate a counter V6[x6] for the 288 possible values of x6 = m1[2,5,8,11,14,15] | and initialize them to zero. Guess k8 [15]and partially decrypt x5 to get the value of x6 , that is, compute then update the corresponding counter by V6[x6]+=V5[x5]. The computation in this step is no more than 296x2104x1/16x1/7 7-round encryptions.

Similarly, we use Table 3 to show the details of each partial encryption and decryption step, where we let k7,2=⊕i=1,4,6,10,11,12,15k7[i], k7,5=⊕i=1,3,4,9,10,14,15k7[i], k7,11=⊕i=2,3,4,7,9,12,14k7[i] and k7,12=⊕i=1,2,6,7,9,11,12k7[i]. After Step 16, we have reached the boundaries of the zero-correlation linear approximations over 7-round ARIA. We then proceed the following steps to recover the right key.

Table 3.Partial Encryption and Decryption of the Attack on 7-Round ARIA-256

17. Allocate a counter vector V[z] of size 216 where each element is 120-bit length for 16-bit z ( z is the concatenation of evaluations of 16 basis zero-correlation masks). For 216 values of x16 , evaluate all basis zero-correlation masks on V16 and put the evaluations to the vector z , then add the corresponding V[z] :V[z]+=V16 [x16] . According the Equation (2), compute if T ˂ τ , then the guessed keys are a possible key candidates.

In this attack, we set the type-I error probability β0= 2-2.7 and the type-II error probability β1= 2-186. We have ≈ 1, ≈ 15.7, n =128, l = 216. According to Equation (3), the date complex N is about 2124.6 and the decision threshold τ ≈ 215.9. There are 184 -bit key values guessed during the encryption phase, and only the right key candidates can survive in the wrong key filtration. The complexity of Step 3 to Step 16 is no more than 2203.5 7-round ARIA encryptions and In total, the data complexity is about 2124.6 known plaintexts, the time complexity is about 2203.5 7-round ARIA encryptions and the memory requirements are about 2152 bytes for counters.

5.2 Key-recovery attacks on 7-round ARIA with FFT technique

In our attack, one round is added before and two rounds are appended after the linear approximates with zero-correlation from rounds 2 to 5, see Fig. 4. We evaluate the linear approximations

that is ,

Let K7,2=⊕i=0,2,5,8,11,14,15K7[i], K7,5=⊕i=1,4,6,10,11,12,15K7[i], K7,11=⊕i=1,3,4,9,10,14,15K7[i], K7,12=⊕i=2,3,4,7,9,12,14K7[i], K6=k6[2]⊕k6[5]⊕k6[11]⊕k6[12], and v = u⊕b·K6, then we have

Our attack is equivalent to evaluating the correlation of the linear approximation v = 0, which can be evaluated as the matrix vector product where the matrix is:

Then the attack is performed as follows:

1. Allocate the vector of counters Vk of the experimental correlation for every subkey candidate. k= k1[0,2,5,8,11,14,15] |k8[1,2,3,4,6,7,9,10,11,12,14,15] |k7,2|k7,5|k7,11|k7,12

2. For each of N plaintext-ciphertext pairs, extract the 8-bit value i=m1 [0,2,5,8,11,8 14,15] |m8[1,2,3,4,6,7,9,10,11,12,14,15], increment the counters xi according to the value of i.

3. For each of the 216 linear approximations,

(i). Perform the key counting phase and compute the first column of M using (6) and (7). As M is a 184-level circulant matrix, this information is sufficient to denote M completely, which requires 2184 operations.

(ii). Evaluate the vector ε = M · x , which requires about 3x184x2184 operations.

(iii). Let W =W + (ε / N)2, If W ˂ τ , then the corresponding k is a possible subkey candidate and all master keys are tested exhaustively.

After Step 3, we obtain 2184 counters Vk which are the sum of squares of correlations for 216 linear approximations under each k . The correct subkey is then selected from the candidates with Vk less than the threshold τ . If we set β0=2-2.7 and β1=2-186 , we get ≈ 1 and ≈ 15.7. Since the block size n =128 and we have l = 216 linear approximations, according to Equation (1), the number of known plaintext-ciphertext pairs N should be about 2124.7 and the threshold τ ≈ 2-108.4 . In Step 3, only the right guess is expected to survive for the 184-bit target subkey. The complexities for Step 2, Step 3, are 2121.9 memory accesses, 216x4x184x2184=2209.5 operators, respectively. If we assume that one time of memory access, one time of operators, one 7-round Camellia encryption are equivalent, then the total time complexity is about 2209.5 encryptions. The memory requirements are about 2152 bytes.

 

6. Conclusion

In this paper, we evaluate the security of ARIA block cipher with respect to the technique of zero-correlation linear cryptanalysis. We deduce some 4-round zero-correlation linear approximations of ARIA, and based on those linear approximations, we give some keyrecovery attacks on 6/7 round ARIA-128/256 with Partial-sum technique and FFT technique taken into consideration. For the first time, we consider the security of ARIA against zero-correlation linear cryptanalysis. While two techniques are used in the attack, it also gives us a chance to compare the partial-sum technique and the FFT technique.