Related-Key Cryptanalysis of RAIDEN
Mohamed Karroumi, Christophe Malherbe
Thomson R&D France
Technology Group, Corporate Research, Security Laboratories
1 Avenue de Belle Fontaine, 35576 Cesson-Sévigné Cedex, France
mohamed.karroumi@thomson.net, christophe.malherbe@thomson.net
Abstract. RAIDEN is a recent light-weight 128-bit block cipher. We
report in this paper a very critical weakness in its key schedule. The
weakness allows us to mount a related-key attack with complexity 267 .
More precisely, the algorithm can be broken with one unknown plaintext,
at most 65 unknown related keys, and about 267 trial encryptions. This
is the first successful attack on RAIDEN. We also suggest some improvements for the key schedule so that our attack is no more applicable.
Keywords: RAIDEN, related-key attack.
1
Introduction
RAIDEN [5] is a block cipher that uses 32-bit blocks and a 128-bit key. The
design principles of this block cipher are easy implementation and simplicity in
order to minimize memory footprint and maximize speed. In this sense, it is very
similar to the design of TEA [7]. The main difference is that RAIDEN uses a
more sophisticated key schedule.
Related-key attacks [1, 2, 4] are family of attacks that can be applied to a
large number of encryption algorithms. In these attacks, it is assumed that the
adversary can obtain plaintext/ciphertext pairs using different keys. The values
of the keys are unknown, but the adversary knows some differences between the
keys. To mount related-key attacks, one needs to use related queries and this
does not lead to realistic attacks. Nevertheless, a block cipher is often used as
building block in hash functions. This is especially true in environments where
the memory space is lacking and where confidentiality and integrity are still
required. RAIDEN has been designed to suit these environments. It may then
be used in both encryption mode and hashing mode.
Although they are not really helpful in practice, related keys may have a greater
impact on the security if the block cipher is used in hashing mode and especially
with the Davies-Meyer construction [6]. Furthermore, related-key cryptanalysis
is not a strictly theoretical attack and examples of communication protocols
exist where simple key management scheme makes the attacks practicals [3].
2
Mohamed Karroumi, Christophe Malherbe
Our contribution. The main contribution of the paper is the finding of related
keys due to weaknesses in the key schedule algorithm of RAIDEN. If K[0..3] is
a 128-bit RAIDEN key value such that K[2] ≪ 27 = 0, its related-key is defined
to be K ∗ [0..3] according to the following relations:
1. (K ∗ [0] ⊕ K[0])(j) = 0 if (K[2] − K[3])(j) = 0, j ∈ {0 . . . 30} ;
2. K ∗ [1] = K[1],
K ∗ [2] = K[2],
K ∗ [3] = K[3] .
The above relations, allow us to set-up a simple related-key attack.
Outline. The rest of this paper is organized as follows. In the next section, we
present a short description of RAIDEN. In Section 3, we describe the weakness
found in the key schedule. Next, we explain how the weakness that can be
exploited to set-up a simple related-key attack on RAIDEN. In Section 4, we
suggest some improvements for preventing this attack. Finally, we conclude in
Section 5.
Notation. A l-bit integer x is an integer such that 2l−1 ≤ x < 2l . By x(j) we
mean the jth bit of x, the most significant bit (msb) is represented by j = l − 1
and j = 0 represents the least significant bit (lsb). By x(j..k) , j > k we mean the
integer represented by the j − k + 1 bits of x such that the jth bit of x is the msb
and the kth bit is the lsb. For instance, x(4..0) represents the 5 lsb of x integer
value. The binary operator ⊕ denotes the bitwise exclusive-or, and ¬x denotes
the bitwise complement of x. ei is the 32-bit word that has 0 in all bit positions
except for bit i. Symbol & denotes the bitwise AND operator. All calculations
(addition, substration,. . .) are done modulo 232 . For the sake of clarity, we will
avoid writing the moduli 232 .
2
Description of RAIDEN
A detailed description of RAIDEN can be found in [5]. It is a 128-bit Feistel block
cipher with 32 rounds, as shown in figure 1. Two rounds of RAIDEN applied to
blocks Yi , Zi , and using round key Wi consist of:
Yi+1 = Yi + F (Zi , Wi ) ,
Zi+1 = Zi + F (Yi+1 , Wi )
where the round function F is given by
F (X, W ) = ((W + X) ≪ 9) ⊕ (W − X) ⊕ ((W + X) ≫ 14) .
From a 128-bit master key K[0..3], the key schedule derives sixteen 32-bit
keys Wi with 0 ≤ i ≤ 15 as follows:
W0 = (K[0] + K[1]) + ((K[2] − K[3]) ⊕ (K[0] ≪ K[2])) ,
W1 = (W0 + K[1]) + ((K[2] − K[3]) ⊕ (W0 ≪ K[2])) ,
W2 = (W0 + W1 ) + ((K[2] − K[3]) ⊕ (W0 ≪ K[2])) ,
W3 = (W0 + W1 ) + ((W2 − K[3]) ⊕ (W0 ≪ W2 )) ,
and for i ∈ (4, . . . , 15),
Wi = (Wi−4 + Wi−3 ) + ((Wi−2 − Wi−1 ) ⊕ (Wi−4 ≪ Wi−2 )) .
Related-Key Cryptanalysis of RAIDEN
Zi
Wi
Yi
3
≪9
Wi + 1
¬
Wi
≫ 14
≫ 14
Wi
¬
Wi + 1
≪9
Wi
Yi+1
Zi+1
Fig. 1. Two Rounds of RAIDEN
Each round key is used in two consecutive rounds of RAIDEN, i.e. Wi is used
in round 2i and round 2i + 1.
3
3.1
Cryptanalysis
Weakness in the Key Schedule
As seen in Section 2, RAIDEN uses a master key from which round keys are
derived and used in different rounds. Our idea is then to find two different
master keys, with a particular relation, that encrypts a same plaintext into the
same ciphertext.
In RAIDEN, the derivation process is hierarchical and the computation of a
given round key depends on the value of the four preceding round keys, except
the first four round keys that depend on the master key K value. Hence, our
first basic stage consists in finding two different keys K and K ∗ that generate
the same first four round keys.
We try then to find K and K ∗ that differ only in the first 32 bits block (i.e.
K[0] 6= K ∗ [0] and K[i] = K ∗ [i] with 1 ≤ i ≤ 3), such that W0 = W0∗ where
W0 = (K[0] + K[1]) + ((K[2] − K[3]) ⊕ (K[0] ≪ K[2])) ,
W0∗ = (K ∗ [0] + K[1]) + ((K[2] − K[3]) ⊕ (K ∗ [0] ≪ K[2])) .
If we succeed in finding such keys, then all the round keys will be equal since
K[0] and K ∗ [0] are only involved in the computation of the first round key.
4
Mohamed Karroumi, Christophe Malherbe
More formally, let α = K[2], β = K[2] − K[3], x = K[0] and y = K ∗ [0]. This
yields the following equation:
(
x + β ⊕ (x ≪ α) = y + β ⊕ (y ≪ α) ,
(1)
x 6= y ,
4
where (x, y, α, β) ∈ Z/232 Z .
Remark 1. α and β are unknown 32-bit variables. There is no specific condition
on these two variables, they can be different or equal.
Proposition 1. Equation (1) has a solution if and only if α(4..0) = 0.
Proof. If α(4..0) = 0, then for all x and all β, (x, x ⊕ e31 , α, β) is a solution to
equation (1).
It can be remarked that the value of α specifies the number of positions that the
bits of x and y are to be shifted to the left in the equation. If α is greater than
32 then x and y are shifted by the remainder of the division of α by 32, i.e. by
α(4..0) the five lsb of α. The equality in Equation (1) can be then rewritten
x + β ⊕ (x ≪ α(4..0) ) = y + β ⊕ (y ≪ α(4..0) ) ,
m
x−y = β ⊕y−β ⊕x
if α(4..0) = 0 .
If x and y differ only on the msb, then we always have x−y = e31 (as e31 = − e31
mod 232 ). Besides, either the difference β ⊕ y − β ⊕ x is equal to e31 if msb of
β is 1, or equal to −e31 if msb of β is 0. Thus, x − y is equal to β ⊕ y − β ⊕ x
whatever the value of x and β when (α(4..0) ) = 0 and y = x ⊕ e31 .
Conversely, if (α(4..0) ) 6= 0, then at least the least significant bit (lsb) of
(y ≪ α) and (x ≪ α) is 0. Without loss of generality, suppose α(4..0) = 1. Then
the lsb of β ⊕ (y ≪ α) and of β ⊕ (x ≪ α) are equals. Thus, the lsb of the
difference β ⊕ (x ≪ α) − β ⊕ (y ≪ α) is 0, which implies that least significant
bit of x − y is also 0. Therefore, x and y have the same lsb.
We will prove now by recurrence that if x and y have n least significant bits in
common, then they have n + 1 least significant bits in common, and hence get
by induction that x = y.
Suppose that x and y have n least significant bits (lsbs) in common. Since
α(4..0) = 1, (y ≪ α) matches (x ≪ α) on the n + 1 lsbs. So, n + 1 lsbs of
β ⊕ (x ≪ α) − β ⊕ (y ≪ α) are 0. To get the equality x and y must have the
same n + 1 lsbs. We got then by induction x = y. The same reasoning holds for
α(4..0) > 1. In conclusion, if α(4..0) 6= 0 then x and y are equal and Equation (1)
has no solution.
⊓
⊔
Corollary 1. For any keys K there exists a key K ∗ = (K[0] ⊕ e31 , K[1], K[2],
K[3]), such that K and K ∗ encrypt any plaintext P to the same ciphertext C, if
and only if K[2](4..0) = 0.
Related-Key Cryptanalysis of RAIDEN
5
Actually, there are more than one related-key K ∗ for which Wi = Wi∗ holds
for all the 16 rounds in RAIDEN. This is formalized in Theorem 2.
Proposition 2. For 2123 keys K in RAIDEN , there exists at least one and on
average 216.5 keys K ∗ , different from K in the 32 most significant bits, such that
K and K ∗ encrypt any plaintext P to the same ciphertext C.
Proof. There are 2123 different keys K such that K[2](4..0) = 0.
Indeed, Equation (1) can be simplified as follows:
(
x+β⊕x=y+β⊕y ,
x 6= y .
(2)
As shown in the previous proof, (x, x ⊕ e31 , α, β) is a solution to Equation (2)
for all (x, β) ∈ (Z/232 Z)2 . In fact, Equation (2) has more than one solution.
Given the following property
a ⊕ b = a − b + 2(¬a&b) mod 232 ,
(3)
we can rewrite equation (2):
(
2(¬β&x − ¬β&y) = 0
x 6= y
⇔
(
¬β&x − ¬β&y = 0 or = e31
x 6= y
The solutions of this equation depends then on the value of β and verify the
following properties:
1. if (x, y) is a solution and (x ≪ 1) 6= (y ≪ 1) then (x ⊕ e31 , y) is also a
solution,
2. for every bit of ¬β that is equal to 1, the bit values of x and y at the same
position must be equal except for msb,
3. for every bit of ¬β that is equal to 0, the bits of x and y at the same position
can be equal or take different values.
Let h be the hamming weight of the 31 lsb of β, then Equation (2) has at most
2h+1 different solutions. If the keys are generated randomly then the frequency
of 1’s in the difference K[2] − K[3] = β is equal to 0’s frequency, i.e. h = 15.5 on
average.
⊓
⊔
Corollary 2. Let K and K ∗ two related keys such that K ∗ [0] 6= K[0] and
K ∗ [i] = K[i] for i = 1, 2, 3; then
(K[2] − K[3])(j) = 0 ⇒ (K ∗ [0] ⊕ K[0])(j) = 0 ,
for all j ∈ {0 . . . 30}.
6
Mohamed Karroumi, Christophe Malherbe
3.2
A Chosen-Related-Key Attack
In this section we describe a related-key attack. We use the following fault model:
the attacker induce errors in chosen positions of an unknown secret key before
the encryption. Any fault induced by the attacker effectively occurs and is a
bit-flip at the chosen positions, i.e. the fault inverts the value of the bits, either
from zero to one or from one to zero.
In the attack, RAIDEN is used to encrypt some unknown plaintext twice. As a
result, the attacker obtains two ciphertexts derived from the same (unknown)
plaintext using two different keys, where the first one is the correct key and
the second is corrupted by a single or multiple bit errors. Next, the attacker
compares the two ciphertexts, and if they are identical, he assumes that the two
keys, the correct key and the corrupted key are related.
Let K be the unknown secret key, P the unknown plaintext and C its associated ciphertext. The attack is carried out in four steps:
The first step consists in finding the five lsb of K[2].
Step 1. Encrypt P using K1 = (K[0]⊕e31 , K[1], K[2], K[3]) and obtain the
corresponding C1 . If C1 = C we have that K[2](4..0) = 0 from corollary 1.
Otherwise K[2](4..0) 6= 0 and repeat the following:
1. Query for the encryption of P under K (i) = (K[0], K[1], K[2]⊕i, K[3])
(i)
and K1 = (K[0]⊕e31 , K[1], K[2]⊕i, K[3]) with 1 ≤ i ≤ 31.
(i)
2. Compare the two ciphertexts C (i) and C1 , stop the encryption queries
if they are identical.
(I)
Let consider I such that C (I) = C1 at the end of Step 1, then K (I) and
(I)
K1 are the related-key found and I = K[2](4..0) . This step requires then 2
related keys and 2 ∗ 31 + 1 = 63 trial encryptions.
The second step permits to get K[2] − K[3](30..0) = β(30..0) .
Step 2. Let K2 = (K[0], K[1], K[2]⊕I, K[3]), which is the key K (I) found in
Step 1 and C2 the encryption of P under K2 . Repeat then 31 times the
following:
(i)
1. Ask for the encryption of P under K2 = (K[0]⊕ei , K[1], K[2]⊕I, K[3])
with 0 ≤ i ≤ 30.
(i)
2. Compare the two ciphertexts C2 and C2 , and if they are identical corollary 2 ensures that β(i) = 1. Otherwise β(i) = 0.
Consequently, β(30..0) is found using at most 31 related keys and same number of trial encryptions.
The third step consists in finding 25 bits of K[2].
Step 3. Let J a 32-bit integer, such that J(4..0) = I and J(31..5) = 0xffffffe0
(all the bits are 1), i.e. J = 0xffffffe0 ⊕ I. Let K3 = (K[0], K[1], K[2]⊕J, K[3])
and C3 the encryption of P under K3 .
Related-Key Cryptanalysis of RAIDEN
7
Since K3 [2](4..0) = 0, we can use step 2 to get 31 bits of K3 [2] − K3 [3] =
K[2]⊕J − K[3] = βJ . We have thus the following relations:
(
(
K[2] − K[3] = β
K[2] − K[3] = β
⇔
K[2]⊕J − K[3] = βJ
2 · K[2] = β − βJ − 1
This comes from the fact that K[2]⊕J = ¬K[2] and ¬K[2] = −K[2] − 1.
Since only 31 lsb of β and βJ are known, we are able to recover 31 lsb of
2 · K[2], which means we can recover the 30 bits K[2](29..0) . Since K[2](4..0)
was found at step 1, we then obtain in this step the 25 other remaining bits.
This step requires same number of trial encryptions as in step 2 plus one
additional encryption.
The last step consists in finding K[3](30..0) and in doing an exhaustive search
on the remaining bits.
Step 4. K[3](29..0) is obtained thanks to the relation K[3] = K[2] − β, where
β(30..0) was computed at step 2 and K[2](29..0) at step 3. Therefore, 128 −
2 ∗ 30 = 68 bits will remain unknown:
– all bits of K[0] and K[1],
– two msb of K[2],
– two msb of K[3].
Since 31 lsb of β are known (computed at step 2), if K[2](30) is known the
bit K[3](30) is obtained for free thanks to the relation K[3] = K[2] − β. It
suffices then to do an exhaustive search on the 67 other bits to get the value
of the key K. Step 4 requires then 267 trial encryptions.
For the entire attack, at most 2 + 25 − 1 + 25 = 65 related-key queries and
roughly 267 encryptions were needed to recover the entire RAIDEN key K.
4
Key Schedule Improvement
In this section we suggest modifications to RAIDEN’s key schedule so that above
attack is no longer effective.
The main weakness in the key schedule comes from the use of the left shift
operation (i.e. K[0] ≪ K[2]) in the computation of the first round key.
W0 = (K[0] + K[1]) + ((K[2] − K[3]) ⊕ (K[0] ≪ K[2])) ,
The first suggestion is to ensure that K[0] is always shifted by at least one
position. One can use one of the following formula:
?
W0 = (K[0] + K[1]) + ((K[2] − K[3]) ⊕ (K[0] ≪ ((K[2]&0x1f) = 0) + K[2]))) ,
W0 = (K[0] + K[1]) + ((K[2] − K[3]) ⊕ (K[0] ≪ (K[2]|1))) ,
8
Mohamed Karroumi, Christophe Malherbe
where | is the bitwise OR operator. In the first formula, if (K[2] ≪ 27) equal
zero then K[2] is incremented. With second formula, K[2] is always shifted by
an odd number of positions.
Our second suggestion is to slightly modify the key schedule by replacing
K[0] by K[1] in the computation of the first two round keys and Wi−4 by Wi−3
for other round keys. The sixteen 32-bit round keys Wi with 0 ≤ i ≤ 15 are then
computed from K[0..3] as follows
W0 = (K[0] + K[1]) + ((K[2] − K[3]) ⊕ (K[1] ≪ K[2])) ,
W1 = (W0 + K[1])
+ ((K[2] − K[3]) ⊕ (K[1] ≪ K[2])) ,
W2 = (W0 + W1 )
+ ((K[2] − K[3]) ⊕ (W1 ≪ K[2])) ,
W3 = (W0 + W1 )
+ ((W2 − K[3]) ⊕ (W1 ≪ W2 )) ,
and for i ∈ (4, . . . , 15),
Wi = (Wi−4 + Wi−3 ) + ((Wi−2 − Wi−1 ) ⊕ (Wi−3 ≪ Wi−2 )) .
With this modification, if we want two related keys K and K ∗ that are different only on the first 32 bits then, by taking the same notation as in Section 3,
we have to solve the following equation
(
x + β ⊕ (z ≪ α) = y + β ⊕ (z ≪ α) ,
(4)
x 6= y ,
5
where z = K[1] and (x, y, z, α, β) ∈ Z/232 Z . Equation (4) has no solutions
when α(4..0) = 0. Consequently, our method of finding related keys does not
work here.
5
Conclusion
In this paper we presented a simple related-key attack on RAIDEN. The attack
requires 65 related keys and has time complexity of 267 encryptions. The attack
arises from a weakness found in the key schedule algorithm. Its modification is
therefore necessary and we have proposed some suggestions. With the suggested
modifications, knew key schedule ensures that the round keys of two different
keys will always be different.
References
1. Eli Biham. New types of cryptanalytic attacks using related keys. J. Cryptology,
7(4):229–246, 1994.
2. Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In
Burton S. Kaliski Jr., editor, CRYPTO, volume 1294 of Lecture Notes in Computer
Science, pages 513–525. Springer, 1997.
3. John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptoanalysis of
idea, g-des, gost, safer, and triple-des. In Neal Koblitz, editor, CRYPTO, volume
1109 of Lecture Notes in Computer Science, pages 237–251. Springer, 1996.
Related-Key Cryptanalysis of RAIDEN
9
4. John Kelsey, Bruce Schneier, and David Wagner. Related-key cryptanalysis of 3-way,
biham-des, cast, des-x, newdes, rc2, and tea. In Yongfei Han, Tatsuaki Okamoto,
and Sihan Qing, editors, ICICS, volume 1334 of Lecture Notes in Computer Science,
pages 233–246. Springer, 1997.
5. Javier Polimón, Julio César Hernández Castro, Juan M. Estévez-Tapiador, and Arturo Ribagorda. Automated design of a lightweight block cipher with genetic programming. KES Journal, 12(1):3–14, 2008.
6. C.H. Meyer S.M. Matyas and J. Oseas. Generating strong one-way functions with
cryptographic algorithm. Voi. 27(No. 10A):5658–5659, 1985.
7. David J. Wheeler and Roger M. Needham. Tea, a tiny encryption algorithm. In
Bart Preneel, editor, FSE, volume 1008 of Lecture Notes in Computer Science, pages
363–366. Springer, 1994.