Multiple differential-zero correlation linear cryptanalysis of reduced-round CAST-256

1 Introduction

CAST-256 (CAST6) is a symmetric-key block cipher invented in June 1998. It was submitted as a candidate for the Advanced Encryption Standard (AES); however, it was not among the five AES finalists. It is an extension of an earlier cipher, CAST-128; both were designed according to the “CAST”.

CAST-256 is an extension of the CAST-128 cipher and uses the same elements as CAST-128, including S-boxes, but is adapted for a block size of 128 bits – twice the size of its 64-bit predecessor. CAST-256 is composed of 48 rounds, sometimes described as 12 “quad-rounds”, arranged in a generalized Feistel network.

Differential cryptanalysis is usually a chosen plaintext attack applicable primarily to block ciphers. It was invented in 1990 by Biham and Shamir [2]. Linear cryptanalysis has been introduced by Matsui [10]. It is a known plaintext attack proposed in 1993 to break Data Encryption Standard (DES).

Linear and differential cryptanalysis are a basic tool to evaluate the security of block ciphers. Both cryptanalytic methods were applied to attack the block cipher DES faster than an exhaustive key search [3, 9]. Both of these attacks have been identified as effective techniques for breaking large-class symmetric cipher.

A differential linear attack is a combination of both linear and differential cryptanalysis. It has been introduced by Hellman and Langford [8] in 1994 and applied it to break 8-round DES. The attack uses a differential characteristic over part of the cipher with a probability of 1. The rounds immediately following the differential characteristic have a defined linear approximation, and we expect that for each chosen plaintext pair, the probability of the linear approximation holding for one chosen plaintext but not the other will be lower for the correct key. The attack was generalized by Biham, Dunkelman, and Keller [1] in 2002 to use differential characteristics with probability less than 1.

A zero-correlation linear attack is a novel promising key recovery technique for block ciphers developed by Bogdanov in [6, 7]. It is a novel extension of linear cryptanalysis and based on linear approximations with probability of exactly 12, which corresponds to the zero correlation. We propose a new cryptanalytic method called multiple differential-zero correlation linear attack, which combines differential and linear cryptanalysis with zero correlation.

The best cryptanalysis so far in the classical single-key model without the weak-key assumption has been a linear attack on 32 rounds. We find 30-round differential-zero correlation linear distinguisher for CAST-256 and attack 33 rounds of CAST-256 using multidimensional differential-zero correlation linear cryptanalysis. Our attack is the best-known attack on CAST-256 according to the number of rounds without the weak-key assumption.

In this paper, we will propose a new method, the multiple differential-zero correlation linear attack, to analyze the CAST-256 block cipher. By constructing a 30-round distinguisher, using the new method, we propose an attack on 33-round CAST-256 with data complexity of 2115.63 and time complexity of 2238.26. Table 1 summarizes and compares the attacks on CAST-256.

Our paper is organized as follows: Section 2 provides a brief description of CAST-256. Section 3 introduces our new method of multiple differential-zero correlation linear attack. In Section 4, we present details of the 30-round multiple differential-zero correlation linear distinguisher. The 33-round multiple differential-zero correlation linear attack on CAST-256 is discussed in detail in Section 5. We summarize our results in Section 6.

2 Description of CAST-256

CAST-256 is designed based on CAST-128. It is capable of using cryptographic keys of 128, 160, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits. Its S-boxes Si, 1≤i≤4, are non-surjective with 8- and 32-bit output. CAST-256 has 48 rounds for all key sizes, sometimes described as 12 “quad-rounds”, arranged in a generalized Feistel network with four branches and consists of six forward quad-rounds, six reverse quad-rounds, and three different round functions denoted by F1, F2, and F3, respectively. If I=(I1,I2,I3,I4) and O are the 32-bit input and output of the round function, kr and km are the 5-bit, rotation subkey, and the 32-bit masking subkey for the current round, we can describe F1, F2, and F3 as follows:

where +, -, ⊕, and ≪ are the addition and subtraction modulo 232, bit-wise exclusive-OR, and the left rotation, respectively.

Figure 1

Forward quad-round of CAST-256.

Figure 2

Design of CAST-256.

Let β=(A,B,C,D) be a 128-bit block of CAST-256, where A, B, C, and D are 32 bits each, for the inputs of different round functions Fi, 1≤i≤3.

The forward quad-round β:=Q⁢(β), as shown in Figure 1, is defined as follows:

The reverse quad-round β:=Q′⁢(β) is defined as follows:

Here kr⁢ji and km⁢ji (1≤j≤4, 1≤i≤12) are the rotation subkey and the masking subkey in the j-th round of the i-th quad-round, respectively. The design of CAST-256 illustrated in Figure 2.

3 Multiple differential-zero correlation linear attack

We propose a new cryptanalytic method, called multiple differential-zero correlation linear attack, which combines differential and multiple linear cryptanalysis with correlation exactly zero.

To define a differential-linear distinguisher, we need to treat the block cipher E (=E1∘E0) as a cascade of two sub-ciphers E0 and E1. If Δ⁢α→Δ⁢β is a (truncated) differential with probability 1 for E0 and Γ⁢γ→Γ⁢δ is a linear approximation with bias 0 for E1 where Δ⁢β.Γ⁢γ=0, then a differential-zero correlation linear distinguisher is defined to be a pair (Δ⁢α→Δ⁢β,Γ⁢γ→Γ⁢δ) consisting of a (truncated) differential and a linear approximation.

Let p and p* be two plaintexts satisfying p⊕p*=Δ⁢α. Since E0⁢(p)⊕E0⁢(p*)=Δ⁢β, we have

with probability 1. The differential-zero correlation linear distinguisher is concerned with the event

By the assumptions used in [8] we have

Let zi=〈ui⁢a〉+〈wi⁢b〉, i=1,…,m, be m linear equations, where a∈F2n is plaintext and b∈F2m is some part of data in the encryption process. Instead of considering each such bit and its distribution independently as a varies, we focus on the analysis of the distribution of the m-tuples z=(z1,…,zm).

We have the following relationship between the probability distribution of z and the correlations cγ of all linear equations where γ∈F2m:

We assume that the correlations of all linear equations and their nonzero linear combinations are equal to zero. It follows that cγ=0 for all γ≠0. When substituting this information in the formula of Pr⁡[z], we determine that z has a uniform distribution in F2m.

We select N distinct (p,p*) for an n-bit block cipher E (=E1∘E0), where Δ⁢α→Δ⁢β is a (truncated) differential with probability 1 for E0 and m linear approximations Γ⁢γ→Γ⁢δ with bias zero for E1 such that Δ⁢β.Γ⁢γ=0 and all their nonzero linear combinations have correlation zero. We compute

Then we can construct, as shown above, a function f:F2n→F2m whose outputs z=(z1,…,zm), computed for all chosen plaintexts, are uniformly distributed m-tuples of bits in F2m. Such a completely uniform distribution is very unlikely to have been obtained from selecting the values at random in F2m, even if the probability of each value is equal. Then we can distinguish the non-random behavior of the cipher data already with much less data than the full codebook (distribution of the cipher data follows a multivariate hypergeometric distribution, while the data drawn at random from a uniform distribution on F2m follows a multinomial distribution [5]).

A counter V⁢[z]=0 is initialized for each of the 2m data value z∈F2m. Then, for each distinct plaintext pairs (p,p*) we compute the corresponding data value in F2m (by evaluating the m basis linear approximations) and increment the counter V⁢[z] of this data value by one. Now we compute the statistic T for this distribution as

For sufficiently large sample size N and number l of zero-correlation linear approximations given for the cipher, the statistic T will have two distinct distributions:

1. For the cipher exhibiting zero-correlation, the statistic T follows a χ2-distribution with mean μ0 and variance σ02 as follows:

   μ0=(l-1)⁢2n-N2n-1,σ02=2⁢(l-1)⁢(2n-N2n-1)2.

2. For a randomly drawn permutation which is our wrong-key, the statistic T follows a χ2-distribution with mean μ0=l-1 and variance σ02=2⁢(l-1)

The proof of this proposition is available in [4].

4 The 30-round differential-zero correlation linear distinguisher

In this section, we first present a 30-round differential-linear distinguisher, which consists of a 2-round differential characteristic with probability 1 followed by a 28-round linear approximation with correlation 0.

The 30-round differential-zero correlation linear distinguisher is made of a 28-round linear approximation Γ⁢γ→Γ⁢δ with correlation 0 for round 5 to 32 (four forward quad-rounds followed by three reverse quad-rounds, or rounds 5 to 32) and the 2-round truncated differentials Δ⁢α→Δ⁢β that meet Δ⁢β.Γ⁢γ=0, for round 3 to 4. If the input mask is (0,0,0,L) and the output mask is (0,0,0,L), then the correlation of the linear approximation for the 24-round CAST-256 is zero.

4.1 The 2-round differential characteristic

The 2-round truncated differential Δ⁢α→Δ⁢β with probability 1 is (0,0,α,0)→(0,0,α,0) as illustrated in Figure 3.

Figure 3

Truncated differential (0,0,α,0)→(0,0,α,0) with probability 1.

4.2 The 28-round zero correlation linear characteristic

The construction of a 28-round linear characteristic is illustrated in Figure 4, which is from round 9 to round 36 (four forward quad-rounds followed by three reverse quad-rounds).

Figure 4

The 28-round zero correlation linear characteristic.

5 Key recovery attack on 33-round CAST-256

We use the 30-round differential zero-correlation linear approximations to attack 33 rounds of CAST-256.

The attack works as follows:

1. Choose λ structures Si, i=0,1,…,2λ-1, where a structure is defined to be a set of 264 plaintexts Pi,j with the 64 bits taking all the possible values and the other 64 bits fixed, j=0,1,…,264-1. In a chosen-plaintext attack scenario, obtain all the ciphertexts for the 264 plaintexts in each of the λ structures; we denote the ciphertext for plaintext Pi,j by Ci,j.

2. Allocate a 32-bit global counter V⁢[z] for each of 232 possible values of the 32-bit vector z and set it to 0. V⁢[z] will contain the number of times the vector value z occurs for the current key guess. The vector z is the evaluations of 32 basis zero-correlation masks.

3. Guess a value for (kr⁢11,km⁢11,kr⁢21,km⁢21) and do as follows:

   1. Partially encrypt every plaintext Pi,j with the guessed (kr⁢11,km⁢11,kr⁢21,km⁢21) to get its intermediate value immediately after 2 rounds, and we denote it by εi,j.

   2. Compute εi,j⊕(0,0,α,0), and we denote the resulting value by ε^i,j.

   3. Partially decrypt ε^i,j with the guessed (kr⁢11,km⁢11,kr⁢21,km⁢21) to get its plaintext, and find the plaintext in Si, and we denote it by P^i,j; the corresponding ciphertext for P^i,j is denoted by C^i,j.

   4. Guess a value for (kr⁢19,km⁢19) and do as follows:

      1. For each pair (Ci,j,C^i,j) of ciphertext, partially decrypt it with the guessed (kr⁢19,km⁢19) to get the pair of the 32 bits concerned by the output mask, compute Γ⁢δ.(F1-1⁢(Ci⁢j))⊕Γ⁢δ.(F1-1⁢(C^i⁢j)), i=1,232-1, and increment V[z] when Γ⁢δ.(F1-1⁢(Ci⁢j))⊕Γ⁢δ.(F1-1⁢(C^i⁢j)) is zero.

      2. Compute the statistic

         T=∑i=0232-1(V⁢[z]-N⁢2-m)2N⁢2-m⁢(1-2-m)

         for this distribution.

      3. If the guess for (kr⁢11,km⁢11,kr⁢21,km⁢21,kr⁢19,km⁢19) belongs to the first ϕ guesses for (kr⁢11,km⁢11,kr⁢21,km⁢21,kr⁢19,km⁢19), then record the guess; otherwise, remove the guess with the smallest deviation from the ϕ guesses.

In this attack, we set α0=2-10 (type I error probability, the probability to miss the right key) and α1=2-20 (type II error probability, the probability to accept a wrong key).

The data complexity suggested by Bogdanov in [5, Corollary 2] is 2115.63 distinct plaintext-ciphertexts with those parameters λ=251.63. The success probability of the entire attack is 0.99%.

The time complexity of steps 2(a), 2(c) is λ×2×263×237×2≈2189.63.

The time complexity of step 2(d) is λ×264×237×2×237≈2238.26.

Since α1=2-20 and the total number of recovered key is 111 bits, the number of the remaining subkey values is 2-20×2111=291. Then we exhaustively search other 256-111=145 subkey bits, and the time complexity will be 291+145=2236 times of 33-round encryptions.

6 Conclusions

In this paper, we present a new attack, the multiple differential-zero correlation linear attack. By analyzing the property of the concatenation between forward quad-round and reverse quad-round, we construct a 30-round distinguisher for CAST-256. Based on the distinguisher, we propose a first 33-round attack on CAST-256 according to the number of rounds without the weak-key assumption with data complexity of 2115.63 and time complexity2238.26. In the end, the 111-bit subkey is recovering.