A Linear Analysis of Blowfish and Khufu

1
A Linear Analysis of Blowfish and Khufu
Jorge Nakahara Jr Unisantos, Brazil jorge_nakah
ara_at_yahoo.com.br
2
Outline

• The Khufu and Blowfish Block Ciphers
• Linear Cryptanalysis
• Linear Attacks on Blowfish
• Linear Attacks on Khufu
• Conclusions

3
The Khufu Block Cipher

• Block cipher with Feistel Network structure
• Designed by R.C.Merkle in 1989
• 64-bit blocks (plaintext/ciphertext)
• Variable-length key up to 512 bits
• 8r rounds (1 r 8), where r is called octet
  (originally r 2 was suggested)
• One key-dependent 8x32-bit S-box per octet

4
The Khufu Block Cipher
5
The Blowfish Block Cipher

• Cipher with Feistel Network structure
• Designed by B. Schneier in 1993
• 64-bit blocks (plaintext/ciphertext)
• Variable-length key 32 bits up to 448 bits
• 16 rounds
• Key-dependent 8x32-bit S-boxes and a P-table

6
The Blowfish Block Cipher
7
Linear Cryptanalysis

• Developed by Mitsuru Matsui (Mitsubishi Corp.)
• Initially applied against DES (1990), FEAL-4 and
  FEAL-8 (1989)
• Known-plaintext (KP) attack setting
• Distinguisher tool linear relation involving
  plaintext, key and ciphertext bits with
  non-uniform parity (away from ½)
• (nonzero) bias of linear relations

8
Linear Cryptanalysis

• number of known-plaintexts for high success rate
  attack is proportional to bias-2
• general attack technique (applied to block and
  stream ciphers)
• variant techniques differential-linear, multiple
  linear relations, linear hulls

9
Linear Attacks on Blowfish

• - unlike previous DC, our LC attacks do not
  require the S-boxes to be non-injective mappings
• - 8x32-bit S-boxes are key-dependent, but always
  non-surjective mappings
• we exploit linear relations of the form 0??
  across the S-boxes, where ? is a non-zero bit
  mask.
• we choose ? 1 due to mixing of modular addition
  and exclusive-or in the round function,

10
Linear Attacks on Blowfish

• exploit the least significant bit positions (to
  avoid decreasing the bias due to carry and borrow
  bits)
• extend linear relations to full rounds, and to
  multiple rounds iterative linear relations
• we have found 2-round iterative linear relations
• construction of the linear distinguishers was
  heavily influenced by the design of Blowfish

11
Linear Attacks on Blowfish

• we derive one-bit of information on the
  key-dependent P-table
• (L0 L2t).1 (P1 P2 ... P2t1).1
• (R0 R2t).1 (P2 P4 ... P2t).1
• where (Li, Ri) are the left and right halves
  of the
• i-th round block, and is xor.

12
Linear Attacks on Blowfish

• the bias of linear relations depends on the key
  since the four S-boxes are key-dependent weak
  (user) keys

13
Linear Attacks on Khufu

• 8x32-bit key-dependent S-boxes
• again, S-boxes are non-surjective the bit mask
  has the form 0??, with ? non-zero
• bit-rotation in each round is by a multiple of 8
  bits
• this fact inspired rotation-invariant bit masks
  ? ltltlt 8t ?

14
Linear Attacks on Khufu

• thus, the masks do not change if they are rotated
  by 8-bit amounts (in either direction)
• more precisely, ? mmmm, m ? ?256
• we have looked for iterative linear relations
• we have found 2-round and 8-round iterative
  linear relations for rotation-symmetric masks

15
Linear Attacks on Khufu
16
Linear Attacks on Khufu

• ciphertext-only (CO) attacks exploit linear
  relations of the form 80000000x, 00800000x, ....
  80808080x and assuming the plaintext is ASCII
  text.
• CO attack is possible because of exclusive-or
  (diffusion is poor!)

17
Conclusions

• linear attacks on Blowfish and Khufu
• weak-key assumption (distinct from DC attack
  assumption)
• old, known attack technique on old ciphers,
• but new and better (known-plaintext and
  ciphertext-only) results, compared to previous
  attacks (DC, ID) that worked in a
  chosen-plaintext setting.

18
Conclusions