KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Impossible Differential Cryptanalysis on DVB-CSA

  • Zhang, Kai (Information Science and Technology Institute) ;
  • Guan, Jie (Information Science and Technology Institute) ;
  • Hu, Bin (Information Science and Technology Institute)
  • Received : 2015.03.13
  • Accepted : 2016.03.13
  • Published : 2016.04.30
Download PDF
⟨ Previous Next ⟩

Abstract

The Digital Video Broadcasting-Common Scrambling Algorithm is an ETSI-designated algorithm designed for protecting MPEG-2 signal streams, and it is universally used. Its structure is a typical hybrid symmetric cipher which contains stream part and block part within a symmetric cipher, although the entropy is 64 bits, there haven't any effective cryptanalytic results up to now. This paper studies the security level of CSA against impossible differential cryptanalysis, a 20-round impossible differential for the block cipher part is proposed and a flaw in the cipher structure is revealed. When we attack the block cipher part alone, to recover 16 bits of the initial key, the data complexity of the attack is O(244.5), computational complexity is O(222.7) and memory complexity is O(210.5) when we attack CSA-BC reduced to 21 rounds. According to the structure flaw, an attack on CSA with block cipher part reduced to 21 rounds is proposed, the computational complexity is O(221.7), data complexity is O(243.5) and memory complexity is O(210.5), we can recover 8 bits of the key accordingly. Taking both the block cipher part and stream cipher part of CSA into consideration, it is currently the best result on CSA which is accessible as far as we know.

Keywords

1. Introduction

DVB-CSA, which is short for Digital Video Broadcasting Common Scrambling Algorithm, has been used to protect content in MPEG2 (Such as digitally transmitted Pay-TV). In May 1994, it was accepted by the DVB consortium. During 1994 to 2002, the algorithm is confidential and only accessible under a NDA (Non-Disclosure Agreement) from European Telecommunications Standards Institute custodian (ETSI). For CSA, implementation in software is forbidden for security reasons. In 2002, a software program called FreeDec, which has CSA implemented in software, appeared on the internet and it was quickly reverse-engineered, by then the details of the CSA algorithm was to the public.

In 2004, based on the idea of guess-and-determine attack, Ralf-Phillip Weinmann and Kai Wirt presented an analysis on the stream cipher part of CSA(CSA-SC)[1] and the complexity of the attack is less than 245, based on their cipher representation and predicated on the state cycle structure of one of the registers during keystream generation. In ICCSA 2005, based on the idea of fault attack, Kai Wirt presented an attack on the block cipher part of the algorithm(CSA-BC)[2] by introducing a random error in the last round, the attack can be applied to the whole algorithm in real time, but the attack assumption is too strong and it is hard to achieve. In 2009, Simpson et al. pointed an error in [1], what’s more, the total complexity of the attack after correction is worse than exhaustive search. Otherwise, Simpson modified the representation of CSA-SC and presented time memory trade-off attacks on CSA-SC [3], the results are as follows:

In 2011, using the idea of rainbow tables, Erik Tews, Julian Walde, and Michael Weiner proposed a time memory trade-off attack for 48 bit of entropy version of CSA [4]. In this reduced version, the effort needed for an exhaustive search reduces from 264 to 248 trial decryptions and this version can be broken in real time, using standard PC hardware if precomputed tables are available. However, these precomputations will cost several years on a standard PC. The authors also pointed that "Using the 64 instead of 48 independent bits for a key would render time memory tradeoffs inefficient". In 2015, Kai Zhang and Jie Guan proposed a distinguishing attack on the CSA-SC based on the idea of slide resynchronization attack [15], according to the distinguishing attack, the 64 bit initial key can be recovered with computational complexity of O(255).

Impossible differential cryptanalysis was independently proposed by Knudsen to attack the DEAL cipher [5] and further by Biham et al. against Skipjack [6]. The basic idea of impossible differential cryptanalysis is using the impossible differential to sieve some key bits. There are usually two phases for a typical impossible differential cryptanalysis, impossible differentials constructing phase and candidate key sieving phase. Impossible differential cryptanalysis has proven to be very effective against a wide variety of ciphers [8-14].

Usually, an impossible differential is constructed by miss-in-the-middle method, more precisely, if the input difference is α, with probability one we can go forward for several rounds to get the internal difference γ, at the same time, from the output difference β, with probability one we can go backward for several rounds to get another internal difference δ, if there are contradictions between γ and δ, an impossible difference is constructed.

In this paper, we firstly find a 20-round impossible differential for CSA-BC, then an impossible differential attack on 21-round CSA-BC is proposed, to recover 16 bits of the key, the data complexity is O(244.5), computational complexity is O(222.7) and memory complexity is O(210.5). On the other hand, we find a structure flaw on CSA, using this flaw we can extended part of the attack on CSA-BC to the whole algorithm, when we attack CSA with block cipher part reduced to 21 rounds, the computational complexity is O(221.7), data complexity is O(243.5) and memory complexity is O(210.5), we can recover 8 bits of the key accordingly.

This paper is organized as follows. In Section 2, we give an explanation for the notations used in this paper. In Section 3, we give a description on CSA algorithm. In Section 4, on one hand, we propose an impossible differential attack on 21-round CSA-BC, one the other hand, we reveal a flaw on the structure of CSA and propose an impossible differential attack on CSA with block cipher part reduced to 21 rounds, followed by conclusion in Section 5.

 

2. Notation

In this paper, we will use the following notations:

 

3. Description of CSA

Algorithm CSA can be regarded as two layer encryptions, firstly a block cipher encryption and then a stream cipher encryption. The two ciphers share the same 64-bit key K, and the key is called the common key. Figure 1 below depicts the encryption process of CSA. To encrypt the payload of an m-byte packet, the message is divided into eight bytes each which are denoted as blocks (DB0, DB1, ⋅⋅⋅, DBn-1). The last block whose length is not a multiple of eight bytes is called residue (Denoted as R).

Fig. 1.Structure of CSA

The block cipher part of CSA is used in CBC mode with reversed order, and the output of the last block IB0 is used as a nonce for the stream cipher part. Then the encrypted blocks for the block cipher part are then XORed with the keystream generated by the stream cipher part of CSA, the residue of the block cipher part directly XORed with the keystream without block cipher encryption.

As CSA-SC hardly relates to our work, we will not introduce the details of it here, for more details on the structure of CSA-SC we refer the readers to the reference [1].

CSA-BC is an iterated block cipher, it operates on eight-byte blocks of data, and the key of CSA-BC is the 64-bit common key K. First of all, the 64-bit common key K is expanded into a 448-bit running key which will be used as the round key for CSA-BC encryption. Then the message is encrypted with the same round transformation φ, the input of φ is 8-type vector and one single byte expanded key, and the output of φ is an 8-type vector. There are altogether 56 times iterations of φ for CSA-BC, the details of the CSA-BC encryption and decryption round functions are depicted in Figure 2 and Figure 3 below.

Fig. 2.Structure of the Round Function φ

Fig. 3.Structure of the Inverse Round Function φ-1

CSA-BC includes two parts: The Key Schedule algorithm and round function φ, next we will introduce them separately.

The key schedule A bit permutation on 64-bit vector is denoted as ρ. Then the running key can be calculated using the following recursive algorithm.

The expression 0x0i0i0i0i0i0i0i0i can be regarded as a hexadecimal constant.

The permutation ρ is illustrated in the table below:

Table 1.Permutation ρ

The Round Function φ For the 8-byte vector of each round permutation, S=(s0,⋅⋅⋅,s7) represents the input of the round function in arbitrary round, then the output of the round function φ refresh the state of S with the following function.

Correspondingly, the inverse round transformation φ−1 can be illustrated as follows:

The round function φ applies two nonlinear permutations π and π', the relation between these two permutations is π' = σ o π, among which

Permutationπcan be viewed as an S-Box below:

Table 2.Permutation π

Remark: The figures in the table are hexadecimal, lower nibble is on horizontal and upper is on vertical.

Encryption/Decryption A plaintext P=(p0,…,p7) is encrypted according to:

And the C=(c0,…,c7) is the ciphertext produced.

Similarly, the decryption process is as follows:

 

4. Impossible Differential Attack on CSA

Impossible differential cryptanalysis is a technique using the differential characters which never occur to eliminate the false keys. Through analyzing the structure and round function of CSA-BC, we find that a single active byte can be kept to 7 rounds at most. Combining this character, we construct a 20-round impossible differential with miss-in-the-middle technique and propose an attack for 21-round CSA-BC.

4.1 20-round impossible differential for CSA-BC

Proposition 1 is a 20-round impossible differential for CSA-BC.

Proof Firstly, study the differential diffusion character from encryption side.

Define Δ(i) represents the differential at the ith round, Δ(0) represents the differential of the plaintext. Suppose Δ(0)=(0|0|0|0|0|0|α|0), among which α≠0. According to the structure of CSA-BC, we can get the differential for 1 to 12 rounds:

Then, study the differential diffusion character from decryption side.

Suppose the differential for the ciphertext (i.e. the output differential of the 20 round) is Δ(20)=(0|β|β|β|0|0|0|β), among which β≠0. According to the structure of CSA-BC, we can get the differential for 19 to 12 rounds:

According to the differential character above, we can get the following equation:

(0|α⊕Δp◦s(α)|α⊕Δp◦s◦s(α)|Δs(α)⊕Δp◦s(α⊕Δs◦s(α))|α⊕Δs◦s(α)⊕Δp◦s◦s(α⊕Δs◦s(α))|

Δs(α⊕Δs◦s(α))⊕Δp◦s◦s◦s(α⊕Δs◦s(α))|Δs◦s(α⊕Δs◦s(α))|Δs◦s◦s(α⊕Δs◦s(α)))

=(Δs(β)|0|Δs(β)|Δs(β)|Δs(β)|0|Δp◦s(β)|β).

Compare the two sides of the equation, we can get a contradiction that Δs(β)=0 which validates the correctness of the proposition. ■

4.2 Impossible Differential Attack for 21-round CSA-BC

In this subsection, we will propose an impossible differential attack on 21-round CSA-BC. The attack is based on the 20-round impossible differential above with additional one round at the end or at the top which are illustrated in Fig.4 and Fig.5 below.

Fig. 4.Impossible Differential path used to recover the subkey for the 20th round

Figure 5Impossible Differential path used to recover the subkey for the first round

The key recover procedure is as follows:

Complexities of the Attack

First of all, let us calculate the complexities to recover the subkey In Phase 4 of Algorithm 1, the number of false keys left after 2N structure is (28-1)×(1-2-8)2N-33. As (28-1)×(1-2-8)210.5 ≈ 0.88, with about 243.5 structures which pass Phase 3, all false keys can be regarded as being eliminated. In Phase 3, we totally need 2×210.5×28×{1+(1-2-8)+(1-2-8)2+⋅⋅⋅+ (1-2-8)210.5-1}≈227.5 1-round decryption, i.e. about 221.7 CSA-BC encryption. Otherwise, we need to store 2N-33=210.5 pairs of plaintext and ciphertext. At the same time, we need to store 28 key candidates.

So, the data complexity to recover is O(243.5), computational complexity is O(221.7) and memory complexity is O(210.5). According to the key schedule we can recover 8 bits initial key k32-k39.

Similarly, we can recover the subkey for the first round, the impossible differential path used is depicted in Fig.5 below.

The key recover procedure is as follows:

Complexities of the Attack

First of all, let us calculate the complexities to recover the subkey . In Phase 4 of Algorithm 2, the number of false keys left after 2N structure is (28-1)×(1-2-8)2N-33. As (28-1)×(1-2-8)210.5 ≈ 0.88, with about 243.5 structures which pass Phase 3, all false keys can be regarded as being eliminated. In Phase 3, we totally need 2×210.5×28×{1+(1-2-8)+(1-2-8)2+⋅⋅⋅+ (1-2-8)210.5-1}≈227.5 1-round encryption, i.e. about 221.7 CSA-BC encryption. Otherwise, we need to store 2N-33=210.5 pairs of plaintext and ciphertext. What’s more, we need to store 28 key candidates.

So, the data complexity to recover is O(243.5), computational complexity is O(221.7) and memory complexity is O(210.5).

All in all, to recover 16 bits of the key, the total data complexity is O(244.5), computational complexity is O(222.7) and memory complexity is O(210.5). The subkeys k0-k7 and k32-k39 can be recovered accordingly.

4.3 Structure flaw on CSA

According to the structure of CSA(Fig. 1), as the sequence of 8-byte blocks is encrypted in reverse order with the block cipher in CBC mode, and the last output of the chain IB0 is used as a nonce for the stream cipher which is directly output as part of the ciphertext, we can get the output of the last block. So if we just induce difference in the first block of the plaintext (DB0), the difference of other blocks are zero, we can only control the differential of the first block of the plaintext and get the ciphertext of the first block if we want to attack the whole algorithm. This process is depicted in Fig.6 below. We should notice that we can not control the input of the first block.

Fig. 6.A Differential Character of CSA

The structure flaw above can make some statistical cryptanalytic methods on CSA-BC extend to the cryptanalysis of the whole algorithm, such as differential cryptanalysis, impossible differential cryptanalysis, integral attack and so on. So this flaw is an important problem for CSA which may lead to better cryptanalytic results. Part of the result in section 4.2 can be applied to the whole algorithm according to this flaw.

As the attacker can only control the differential of DB0 rather than control the actual input of the block cipher, only Algorithm 1 in section 4.1 can be used if we attack the whole algorithm. That is to say, when we attack CSA(with block cipher part reduced to 21 rounds), we can recover 8 bits of the key(k32 - k39) with data complexity O(243.5), computational complexity O(221.7) and memory complexity O(210.5).

Although the result is not as good when compared to the application on CSA-BC, the successful application on CSA indicates that when we design a hybrid symmetric cipher, improper structure design can make security level of a hybrid symmetric cipher reduce to the security level of its stream cipher part or block cipher part, and this indicates that structure design is an important part of the hybrid cipher design which deserves further exploration.

 

5. Conclusion

Being the ETSI-specified algorithm since 1994, there hasn’t any fatal flaw for the 64-bit algorithm CSA so far, the specification and design criteria are still confidential to the public. For the unique and deliberate design of CSA, if we probe into the design criteria and security level of CSA, it will enhance the development of symmetric ciphers obviously. In this paper, a 20-round impossible differential for CSA-BC is presented, and an impossible differential cryptanalysis on CSA-BC reduced to 21 rounds is proposed, to recover 16 bits of the key, the data complexity is O(244.5), computational complexity is O(222.7) and memory complexity is O(210.5). What’s more, we reveal a flaw on the structure of CSA which makes the impossible differential attack can be applied to the whole algorithm. When we attack CSA with block cipher part reduced to 21 rounds, the data complexity is O(243.5), computational complexity is O(221.7) and memory complexity is O(210.5), we can recover 8 bits of the key accordingly. How to make full use of this structure flaw and evaluate CSA against other cryptanalysis techniques is still further to be studied.

References

  1. R.P. Weinmann and K. Wirt, "Analysis of the DVB Common Scrambling Algorithm," in Proc. of IFIP International Federation for Information Processing 2005, Volume 175/2005, pp.195-207, 2005. Article (CrossRef Link).
  2. K. Wirt, "Fault attack on the DVB Common Scrambling Algorithm," in Proc. of Computational science and its applications-ICCSA 2005, Volume 3481, pp.511-517, 2005. Article (CrossRef Link).
  3. L. Simpson, M. Henricksen and W.S. Yap, "Improved Cryptanalysis of the Common Scambling Algorithm Stream Cipher," in Proc. of the 14th Australasian Conference on Information Security and Privacy 2009, pp.108-121, 2009. Article (CrossRef Link).
  4. E. Tews, J. Walde and M. Weiner, "Breaking DVB-CSA," in Proc. of West European Workshop on Research in Cryptography 2011, pp.41-45, 2011. Article (CrossRef Link).
  5. L.R. Knudsen, "DEAL-A 128-bit Block Cipher," Technical Report 151, Department of Informatics, University of Bergen, Bergen, Norway, Feb. 1998. Article (CrossRef Link).
  6. E. Biham, A. Biryukov, "A. Shamir. Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials," in Proc. of Eurocrypt'99. Berlin: Springer-Verlag, LNCS, 1999. 1592: pp. 12-23, 1999. Article (CrossRef Link).
  7. E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,” Journal of Cryptology, Vol 3, pp. 3-72, 1991. Article (CrossRef Link) https://doi.org/10.1007/BF00630563
  8. E. Biham and N. Keller, "Cryptanalysis of Reduced Variants of Rijndael," 3rd AES Conference, 2000. Article (CrossRef Link)
  9. W. Zhang, W. Wu, L. Zhang, D. Feng, "Improved related-key impossible differential attacks on reduced-round AES-192," in Proc. of Selected Areas in Cryptography (SAC 2006), Montreal, Canada, Springer-Verlag, August 17-18, pp. 168-181, 2006. Article (CrossRef Link)
  10. W. Wu, W. Zhang, D. Feng, “Impossible differential cryptanalysis of reduced-round ARIA and Camellia,” Journal of computer science and technology, 22(3): 449-456, 2007. Article (CrossRef Link) https://doi.org/10.1007/s11390-007-9056-0
  11. W. Wu, L. Zhang, W. Zhang, "Improved Impossible Differential Cryptanalysis of Reduced- Round Camellia," in Proc. of Selected Areas in Cryptography (SAC 2008), Springer-Verlag, LNCS vol. 5381, pp. 442-456, 2009. Article (CrossRef Link)
  12. J. Chen, K. Jia, H. Yu, X. Wang, "New Impossible Differential Attacks of Reduced-Round Camellia-192 and Camellia-256," in Proc. of Information Security and Privacy, Springer-Verlag, LNCS vol. 6812, pp. 16-33, 2011. Article (CrossRef Link)
  13. C. Du, J. Chen, "Impossible Differential Cryptanalysis of ARIA Reduced to 7 Rounds," in Proc. of Cryptology and Network Security, LNCS vol. 6467, pp. 20-30, 2010. Article (CrossRef Link)
  14. S. Li, C. Song, "Improved Impossible Differential Cryptanalysis of ARIA," in Proc. of Information Security and Assurance, ISA 2008, pp. 129-132, 2008. Article (CrossRef Link)
  15. K. Zhang, J. Guan “Distinguishing Attack on Common Scrambling Algorithm,” The International Arab Journal of Information Technology, 12(4), 410-414, 2015.