\documentclass{elsart}

\usepackage{amsmath,amssymb,bm}
\usepackage{natbib,url}

\begin{document}

\begin{frontmatter}

\title{Security Problems with Improper Implementations of Improved FEA-M}
\thanks{This paper was accepted by The \textit{Journal of Systems \& Software} in May 2005,
and the corrected proof has been available online at
\url{http://dx.doi.org/10.1016/j.jss.2006.05.002}.}

\author{Shujun Li\corauthref{corr}} and
\author{Kwok-Tung Lo}
\address{Department of Electronic and Information Engineering, The
Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong SAR,
China}

\corauth[corr]{Corresponding author; personal web site:
\texttt{http://www.hooklee.com}.}

\begin{abstract}
This paper reports security problems with improper implementations
of an improved version of FEA-M (fast encryption algorithm for
multimedia). It is found that an implementation-dependent
differential chosen-plaintext attack, or its chosen-ciphertext
counterpart, can reveal the secret key of the cryptosystem if the
involved (pseudo-)random process can be tampered with (for example,
through a public time service). The implementation-dependent
differential attack is very efficient in complexity and needs only
$O(n^2)$ chosen plaintext or ciphertext bits. In addition, this
paper also points out a minor security problem with the selection of
the session key. In real implementations of the cryptosystem, these
security problems should be carefully avoided, or the cryptosystem
has to be further enhanced to remain secure under such weak
implementations.
\end{abstract}
\begin{keyword}
multimedia encryption \sep FEA-M \sep insecure implementation \sep
differential attack \sep chosen-plaintext attack \sep
chosen-ciphertext attack \sep pseudo-random process
\end{keyword}

\end{frontmatter}

\section{Introduction}

Multimedia data play important roles in today's digital world. In
many multimedia applications, such as pay-TV services, commercial
video conferences and medical imaging systems, fast and secure
encryption methods are required to protect the multimedia contents
against malicious attackers. In recent years, many different
multimedia encryption schemes have been proposed to fulfill this
increasing demand \citep{Ahl:ImageVideoEncryption:Book2005,
Furht:ImageVideoEncryption:Handbook2004,
ShujunLi:ChaosImageVideoEncryption:Handbook2004}. In
\citep{Yi:FEA-M:IEEETCE2001}, a new fast encryption algorithm for
multimedia (FEA-M) was proposed, which bases its security on the
complexity of solving nonlinear Boolean equations. Later, FEA-M was
employed to construct a key agreement protocol by the same authors
in \citep{Yi:FEA-M:IEEETCE2002}. Since then, several attacks on FEA-M
have been reported \citep{Mihaljevic:BreakingFEA-M:IEEECommL2002,
Mihaljevic:BreakingFEA-M:IEEETCE2003,
WuBaoDeng:BreakingFEA-M:LNCS2003,
Youssef:BreakingFEA-M:IEEETCE2003}, most of which can break the key
with a smaller complexity than the simple brute force attack
\citep{Mihaljevic:BreakingFEA-M:IEEECommL2002,
Mihaljevic:BreakingFEA-M:IEEETCE2003,
WuBaoDeng:BreakingFEA-M:LNCS2003}, and one of which can completely
break the whole cryptosystem with only one known and two chosen
plaintext blocks \citep{Youssef:BreakingFEA-M:IEEETCE2003}.

To enhance the security and to avoid some other defects, an improved
version of FEA-M was proposed in
\citep{Mihaljevic:BreakingFEA-M:IEEETCE2003}. This paper reports
some security problems with improper implementations of that
cryptosystem. We point out that the secret key of the cryptosystem
can be revealed by an implementation-dependent differential attack
if the involved (pseudo-)random process can be tampered with. One
such situation is when the pseudo-random process is uniquely
controlled by an external source (such as a public time service),
although such an implementation does not appear to compromise the
security of the cryptosystem itself. The proposed differential
attack is very efficient, since only two pairs of chosen plaintext
blocks are needed to completely reveal the key. As a result, in a
real implementation of the cryptosystem, it should be ensured that
the embedded pseudo-random process cannot be controlled by
unauthorized users; otherwise, the improved FEA-M has to be further
enhanced to resist this implementation-dependent attack. In
addition, a minor problem with the selection of the session key is
also discussed in this paper.

\section{Improved FEA-M}

The original FEA-M \citep{Yi:FEA-M:IEEETCE2001} is a block cipher
with both plaintext and ciphertext feedback. It encrypts the
plaintext in the form of $n\times n$ Boolean matrices, by an
$n\times n$ Boolean key matrix. The elements of the matrices are
either 0 or 1 and all matrix operations are performed over $GF(2)$,
i.e., modulo 2. As a result, the ciphertext is also in the form of
$n\times n$ Boolean matrices.

Previous works have shown that the original FEA-M has the following
defects: 1) the key can be easily broken by an adaptive
chosen-plaintext attack proposed in
\citep{Youssef:BreakingFEA-M:IEEETCE2003}; 2) an efficient
known-plaintext attack can break it with a complexity smaller than
that of the brute force attack
\citep{Mihaljevic:BreakingFEA-M:IEEECommL2002,
Mihaljevic:BreakingFEA-M:IEEETCE2003,
WuBaoDeng:BreakingFEA-M:LNCS2003}; 3) it is sensitive to packet loss
\citep{Mihaljevic:BreakingFEA-M:IEEETCE2003} and channel errors, due
to the use of plaintext feedback.

To overcome the above-mentioned security defects,
\citeauthor{Mihaljevic:BreakingFEA-M:IEEETCE2003} proposed an
improved FEA-M in \citeyear{Mihaljevic:BreakingFEA-M:IEEETCE2003}.
The improved scheme consists of two stages: the key distribution
stage and the working stage. The first stage generates two
$n\times n$ secret Boolean matrices, a session key $\bm{K}$ and an
initial matrix $\bm{V}$, generally from a master key $\bm{K}_0$,
which is also an $n\times n$ Boolean matrix and is known to both the
sender and the receiver. The key distribution protocol is actually
the one used in \citep{Yi:FEA-M:IEEETCE2002} and can be described as
follows.
\begin{itemize}
\item
The sender selects $\bm{K}$ and $\bm{V}$ via a (pseudo-)random
process, and computes
\begin{eqnarray}
\bm{K}^* & = &
\bm{K}_0\bm{K}^{-1}\bm{K}_0,\label{equation:distributeK}\\
\bm{V}^* & = & \bm{K}_0\bm{V}\bm{K}_0,\label{equation:distributeV}
\end{eqnarray}
then sends $(\bm{K}^*,\bm{V}^*)$ to the receiver.

\item The receiver recovers $\bm{K}^{-1}$ and $\bm{V}$ by computing
\begin{eqnarray}
\bm{K}^{-1} & = &
\bm{K}_0^{-1}\bm{K}^*\bm{K}_0^{-1},\label{equation:distributeK2}\\
\bm{V} & = &
\bm{K}_0^{-1}\bm{V}^*\bm{K}_0^{-1}.\label{equation:distributeV2}
\end{eqnarray}
\end{itemize}

After the key distribution stage, the sender and the receiver can
start the encryption/decryption procedure with the session key
$\bm{K}$ and the initial matrix $\bm{V}$. Denoting the $i$-th
$n\times n$ plain-matrix by $\bm{P}_i$ and the $i$-th $n\times n$
cipher-matrix by $\bm{C}_i$, the encryption procedure is
\begin{eqnarray}
\bm{C}_i & = &
\bm{K}\left(\bm{P}_i+\bm{K}\bm{V}\bm{K}^i\right)\bm{K}^{n+i}+\bm{K}\bm{V}\bm{K}^i,\label{equation:encryption}
\end{eqnarray}
and the decryption procedure is
\begin{eqnarray}
\bm{P}_i & = &
\bm{K}^{-1}\left(\bm{C}_i+\bm{K}\bm{V}\bm{K}^i\right)\bm{K}^{-(n+i)}+\bm{K}\bm{V}\bm{K}^i.
\end{eqnarray}
The above procedure is repeated for each plain/cipher-matrix until
the plaintext/ciphertext is exhausted.

\section{Implementation-Dependent Differential Attack}

In this section, we describe an implementation-dependent
differential attack on the improved FEA-M. This attack works under
the condition that one can tamper with the involved (pseudo-)random
process of the improved FEA-M so that the same $\bm{K}$ and $\bm{V}$
are used in two separate encryption sessions.

Given two plain-matrices, $\bm{P}_i^{(1)}$ and $\bm{P}_i^{(2)}$, and
their corresponding cipher-matrices, $\bm{C}_i^{(1)}$ and
$\bm{C}_i^{(2)}$, we obtain Eq.
(\ref{equation:DifferentialAnalysis}):
\begin{eqnarray}
\bm{C}_i^{(1)}+\bm{C}_i^{(2)} & = &
\left(\bm{K}\left(\bm{P}_i^{(1)}+\bm{K}\bm{V}\bm{K}^i\right)\bm{K}^{n+i}+\bm{K}\bm{V}\bm{K}^i\right)\nonumber\\
& & {}
+\left(\bm{K}\left(\bm{P}_i^{(2)}+\bm{K}\bm{V}\bm{K}^i\right)\bm{K}^{n+i}+\bm{K}\bm{V}\bm{K}^i\right)\nonumber\\
& = &
\bm{K}\left(\bm{P}_i^{(1)}+\bm{K}\bm{V}\bm{K}^i\right)\bm{K}^{n+i}
+\bm{K}\left(\bm{P}_i^{(2)}+\bm{K}\bm{V}\bm{K}^i\right)\bm{K}^{n+i}\label{equation:DifferentialAnalysis}\\
& = &
\bm{K}\left(\bm{P}_i^{(1)}+\bm{P}_i^{(2)}\right)\bm{K}^{n+i}\nonumber
\end{eqnarray}
Eq. (\ref{equation:DifferentialAnalysis}) gives a simple relation
between
$\Delta\bm{C}_i=\bm{C}_i^{(1)}+\bm{C}_i^{(2)}=\bm{C}_i^{(1)}-\bm{C}_i^{(2)}$
and
$\Delta\bm{P}_i=\bm{P}_i^{(1)}+\bm{P}_i^{(2)}=\bm{P}_i^{(1)}-\bm{P}_i^{(2)}$,
i.e., between the ciphertext and plaintext differentials (sums):
\begin{eqnarray}
\Delta\bm{C}_i & = &
\bm{K}\left(\Delta\bm{P}_i\right)\bm{K}^{n+i}.\label{equation:DeltaC=DeltaP}
\end{eqnarray}
As a result, for two consecutive plain-matrices, if we choose
$\Delta\bm{P}_{i+1}=\Delta\bm{P}_i$, we can immediately deduce
\begin{eqnarray}
\Delta\bm{C}_{i+1} & = &
\bm{K}\left(\Delta\bm{P}_{i+1}\right)\bm{K}^{n+i+1}\nonumber\\
& = & \bm{K}\left(\Delta\bm{P}_i\right)\bm{K}^{n+i}\bm{K}\nonumber\\
& = & \Delta\bm{C}_i\bm{K}.
\end{eqnarray}
Thus, if $\Delta\bm{C}_i$ is invertible, the session key can be
derived easily as follows:
\begin{eqnarray}
\bm{K} & = & \left(\Delta\bm{C}_i\right)^{-1}\Delta\bm{C}_{i+1}.
\end{eqnarray}
To make $\Delta\bm{C}_i$ invertible, one should choose
$\Delta\bm{P}_i$ to be an invertible matrix over $GF(2)$, noting
that $\bm{K}$ is always invertible by the design of the
cryptosystem.
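
The encryption rule of Section 2 and the key-recovery step above, as an added Python example (not code from the paper or its authors): Boolean matrices over $GF(2)$ are stored as lists of row integers, and \texttt{reuse\_experiment} constructs a toy instance with $n=8$ in which two sessions seeded identically run with the same $\bm{K}$ and $\bm{V}$, so that $\bm{K}$ follows from $(\Delta\bm{C}_i)^{-1}\Delta\bm{C}_{i+1}$; all helper names, the seed and the sample matrices are constructed here.

```python
import random
from functools import reduce
# n x n Boolean matrices over GF(2) as lists of n row ints, bit j of row r = element (r, j);
# addition is XOR, so A + B = A - B exactly as in the paper's differentials.
def gf2_add(A, B):
    return [a ^ b for a, b in zip(A, B)]
def gf2_mul(A, B):
    # Row r of AB is the XOR of those rows k of B for which A[r][k] = 1.
    return [reduce(lambda acc, k: acc ^ B[k], [k for k in range(len(B)) if A[r] >> k & 1], 0)
            for r in range(len(A))]
def gf2_inv(A):
    # Gauss-Jordan elimination on the augmented matrix [A | I]; returns None when A is singular.
    n = len(A)
    rows = [(A[r] << n) | (1 << r) for r in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if rows[r] >> (n + c) & 1), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        rows = [row ^ rows[c] if r != c and row >> (n + c) & 1 else row for r, row in enumerate(rows)]
    return [row & ((1 << n) - 1) for row in rows]
def gf2_pow(A, e):
    # Square-and-multiply; a negative e uses A^{-1}, which exists for the session key K by design.
    A, e = (gf2_inv(A), -e) if e < 0 else (A, e)
    R = [1 << r for r in range(len(A))]
    while e:
        R, A, e = (gf2_mul(R, A) if e & 1 else R), gf2_mul(A, A), e >> 1
    return R
def fea_m_encrypt(K, V, P, i):
    # Improved FEA-M encryption: C_i = K (P_i + K V K^i) K^{n+i} + K V K^i
    mask = gf2_mul(gf2_mul(K, V), gf2_pow(K, i))
    return gf2_add(gf2_mul(gf2_mul(K, gf2_add(P, mask)), gf2_pow(K, len(K) + i)), mask)
def fea_m_decrypt(K, V, C, i):
    # Decryption: P_i = K^{-1} (C_i + K V K^i) K^{-(n+i)} + K V K^i
    mask = gf2_mul(gf2_mul(K, V), gf2_pow(K, i))
    return gf2_add(gf2_mul(gf2_mul(gf2_inv(K), gf2_add(C, mask)), gf2_pow(K, -(len(K) + i))), mask)
def recover_session_key(C1_i, C2_i, C1_next, C2_next):
    # Same (K, V) in both sessions and the same invertible dP at indices i and i+1 give
    # dC_{i+1} = dC_i K, hence K = (dC_i)^{-1} dC_{i+1}; None signals a singular dC_i.
    inv = gf2_inv(gf2_add(C1_i, C2_i))
    return None if inv is None else gf2_mul(inv, gf2_add(C1_next, C2_next))
def random_invertible(n, rng):
    while True:
        M = [rng.getrandbits(n) for _ in range(n)]
        if gf2_inv(M) is not None:
            return M
def reuse_experiment(n=8, seed=2005, i=3):
    # Constructed scenario: both sessions seed the sender's random process identically
    # (e.g. from an attacker-set clock), so they share K and V.
    rng = random.Random(seed)
    K, V = random_invertible(n, rng), [rng.getrandbits(n) for _ in range(n)]
    dP = random_invertible(n, rng)                                     # chosen invertible difference
    P1 = [[rng.getrandbits(n) for _ in range(n)] for _ in range(2)]   # session 1: blocks i and i+1
    P2 = [gf2_add(P, dP) for P in P1]                                  # session 2: the same blocks + dP
    C1, C2 = ([fea_m_encrypt(K, V, Ps[t], i + t) for t in range(2)] for Ps in (P1, P2))
    return {"K": K, "K_recovered": recover_session_key(C1[0], C2[0], C1[1], C2[1]),
            "round_trip_ok": fea_m_decrypt(K, V, C1[0], i) == P1[0]}
```

With distinct seeds in the two sessions, \texttt{gf2\_add(C1[0], C2[0])} no longer equals $\bm{K}\Delta\bm{P}\bm{K}^{n+i}$ and the recovered matrix is unrelated to $\bm{K}$, which is the property a correct implementation must preserve.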

After $\bm{K}$ is broken, one can substitute it into Eq.
(\ref{equation:encryption}) to get a linear equation with $n^2$
unknown variables, i.e., the $n^2$ elements of the initial matrix
$\bm{V}$:
\begin{equation}
\bm{V}\bm{K}^{n+i}+\bm{K}^{-1}\bm{V}=
\bm{K}^{-2}\left(\bm{C}_i-\bm{K}\bm{P}_i\bm{K}^{n+i}\right)\bm{K}^{-i}.\label{equation:solveK-1}
\end{equation}
By solving this linear equation, it is easy to recover $\bm{V}$.
Actually, we can further reduce the linear equation to deduce
$\bm{V}$ directly. Choosing two plaintext matrices $\bm{P}_i$ and
$\bm{P}_j$ ($j\neq i$) and adding the two corresponding instances of
Eq. (\ref{equation:solveK-1}) (the terms $\bm{K}^{-1}\bm{V}$ cancel
over $GF(2)$), one has
\begin{eqnarray}
\bm{V}\bm{K}^{n+i}\left(\bm{I}+\bm{K}^{j-i}\right) & = &
\bm{K}^{-2}\left(\bm{C}_i-\bm{K}\bm{P}_i\bm{K}^{n+i}\right)\bm{K}^{-i}\nonumber\\
& & {}+
\bm{K}^{-2}\left(\bm{C}_j-\bm{K}\bm{P}_j\bm{K}^{n+j}\right)\bm{K}^{-j}.\label{equation:solveK-2}
\end{eqnarray}
When $\bm{I}+\bm{K}^{j-i}$ is invertible, $\bm{V}$ can be
immediately solved by right-multiplying both sides by
$\left(\bm{I}+\bm{K}^{j-i}\right)^{-1}\bm{K}^{-(n+i)}$.
Note that $\bm{K}^{n+i}+\bm{K}^{n+j}$ may be non-invertible over
$GF(2)$ (for example, when $\bm{K}=\bm{I}$), though the probability
of this is relatively small when $n$ is relatively large. Once such
an event occurs, one can instead solve Eq. (\ref{equation:solveK-1}).
If $\bm{V}$ still cannot be solved from Eq.
(\ref{equation:solveK-1}), one has to carry out the attack with some
other values of $\bm{K}$ until $\bm{V}$ can be uniquely solved.

Once $\bm{K}$ and $\bm{V}$ are both known, one can use the method
proposed in Sec. III of \citep{Youssef:BreakingFEA-M:IEEETCE2003} to
recover the master key $\bm{K}_0$.

To carry out a successful attack, in most cases the attacker only
needs to choose two plaintexts with four chosen plaintext matrices,
$\bm{P}_i^{(1)}$, $\bm{P}_{i+1}^{(1)}$, $\bm{P}_i^{(2)}$ and
$\bm{P}_{i+1}^{(2)}$, which satisfy
$\bm{P}_{i+1}^{(1)}-\bm{P}_{i+1}^{(2)}=\bm{P}_i^{(1)}-\bm{P}_i^{(2)}=\Delta\bm{P}$
with $\Delta\bm{P}$ an invertible matrix. Since each matrix is an
$n\times n$ Boolean matrix, $4n^2$ chosen plain-bits are required in
total. When $n=64$, as suggested in
\citep{Yi:FEA-M:IEEETCE2001, Yi:FEA-M:IEEETCE2002}, only 2048
plain-bytes are needed. In addition, the complexity of the proposed
attack is very small; actually, it is of the same order as that of
the attack proposed in \citep{Youssef:BreakingFEA-M:IEEETCE2003}. In
the case that $\bm{V}$ cannot be solved with four chosen plaintext
matrices, more plaintext matrices have to be chosen, but the number
of chosen plaintext bits is still of the same order, $O(n^2)$.

Next, let us see in which improper implementations an attacker can
manage to tamper with the involved (pseudo-)random process to enable
the above differential attack. Apparently, the above attack requires
two encryption sessions with the same session key $\bm{K}$ and the
same initial matrix $\bm{V}$, one for encrypting the first plaintext
$\left\{\cdots,\bm{P}_i^{(1)},\bm{P}_{i+1}^{(1)}\right\}$ and the
other for encrypting the second plaintext
$\left\{\cdots,\bm{P}_i^{(2)},\bm{P}_{i+1}^{(2)}\right\}$. However,
in each encryption session, $\bm{K}$ and $\bm{V}$ have to be reset
at the sender side via a (pseudo-)random process and distributed to
the receiver side via the key distribution protocol. As a result,
two different sessions generally use different $\bm{K}$ and
$\bm{V}$. However, in the real world the encryption scheme may be
improperly implemented such that the attacker can tamper with the
(pseudo-)random process. As a typical example, let us assume that
the process is uniquely determined by the system clock\footnote{In
\citep{Yi:FEA-M:IEEETCE2001, Yi:FEA-M:IEEETCE2002,
Mihaljevic:BreakingFEA-M:IEEETCE2003}, it is not mentioned how to
realize the random process. One of the simplest (though perhaps less
frequently used) methods to realize a pseudo-random process is to
initialize the seed of the pseudo-random number generator with the
current time stamp. A list of some other, more sophisticated ways can
be found in the section ``The Collection of Data Used to Create a Seed
for Random Number'' of \citep{RSAENH2005}.}. In chosen-plaintext
attacks, the attacker has temporary access to the encryption
machine, so he can intentionally alter the system clock to control
the (pseudo-)random process before running each session and thereby
obtain the same $\bm{K}$ and $\bm{V}$ in two separate sessions. In
addition, if the improved FEA-M is implemented in such an insecure
way that the second stage can restart without running the key
distribution stage, the attack becomes straightforward.

Finally, it deserves mention that the above differential
chosen-plaintext attack can easily be generalized to a
differential chosen-ciphertext attack, provided that the
(pseudo-)random process at the decryption machine can be tampered
with. Rewrite Eq. (\ref{equation:DeltaC=DeltaP}) in the following
form:
\begin{eqnarray}
\Delta\bm{P}_i & = &
\bm{K}^{-1}\left(\Delta\bm{C}_i\right)\bm{K}^{-(n+i)}.
\end{eqnarray}
Then, by choosing $\Delta\bm{C}_{i+1}=\Delta\bm{C}_i$, one has
\begin{eqnarray}
\Delta\bm{P}_{i+1} & = &
\bm{K}^{-1}\left(\Delta\bm{C}_{i+1}\right)\bm{K}^{-(n+i+1)}\nonumber\\
& = & \bm{K}^{-1}\left(\Delta\bm{C}_i\right)\bm{K}^{-(n+i)}\bm{K}^{-1}\nonumber\\
& = & \Delta\bm{P}_i\bm{K}^{-1}.
\end{eqnarray}
The other steps are identical to those of the above differential
chosen-plaintext attack.

\section{A Minor Problem with Selection of Session Key}

It is noticed that $\bm{K}$ cannot be selected at random from all
invertible matrices over $GF(2)$. All $n\times n$ invertible matrices
over $GF(2)$ form the general linear group $GL(n,2)$, whose order is
$O=\prod_{i=0}^{n-1}(2^n-2^i)$ \citep{GLG}. Denoting the order of
$\bm{K}$ in $GL(n,2)$ by $o(\bm{K})$, i.e., the smallest positive
integer such that $\bm{K}^{o(\bm{K})}=\bm{I}$, where $\bm{I}$ is the
identity Boolean matrix, it holds that $o(\bm{K})\mid O$
\citep{Gilbert:Algebra2005}. It is obvious that $o(\bm{K})$ actually
corresponds to the period of the encryption/decryption function with
respect to the plaintext/ciphertext index $i$. Generally speaking,
the period should not be too small, so as to maintain an acceptable
security level. As an extreme example, when $\bm{K}=\bm{I}$,
$o(\bm{K})=1$ and the encryption procedure degenerates to
$\bm{C}_i=\bm{P}_i$ (the cipher vanishes). Thus, $\bm{K}$ should be
selected randomly from those invertible Boolean matrices with
sufficiently large orders, which means a significant reduction of
the session key space.
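
The session-key selection rule of this section, as an added Python example that is not part of the paper: it computes $o(\bm{K})$ by brute force for small constructed matrices and rejects a candidate whose period falls below a threshold; the helper names, the $4\times 4$ sample matrices and the threshold are constructed here.

```python
from functools import reduce

def gf2_mul(A, B):
    # n x n Boolean matrices as lists of row ints (bit j of row r = element (r, j));
    # row r of AB is the XOR of those rows k of B for which A[r][k] = 1.
    return [reduce(lambda acc, k: acc ^ B[k], [k for k in range(len(B)) if A[r] >> k & 1], 0)
            for r in range(len(A))]

def session_key_order(K):
    # o(K): the smallest t > 0 with K^t = I. Brute force suffices for toy n; for n = 64 one
    # would compute o(K) from the prime factorization of O = |GL(n,2)| instead, dividing out
    # each prime p of the candidate order while K^{O/p} = I.
    I = [1 << r for r in range(len(K))]
    M, t = K, 1
    while M != I:
        M, t = gf2_mul(M, K), t + 1
    return t

def accept_session_key(K, min_order):
    # Selection rule from the section above: reject a candidate K whose period is too short.
    return session_key_order(K) >= min_order

# Constructed 4 x 4 examples: the identity (o = 1, the cipher vanishes), a cyclic-shift
# permutation (o = 4), and the companion matrix of the primitive polynomial x^4 + x + 1,
# i.e. multiplication by x in GF(2^4), which attains the maximal order 2^4 - 1 = 15.
IDENTITY_4 = [0b0001, 0b0010, 0b0100, 0b1000]
SHIFT_4 = [0b0010, 0b0100, 0b1000, 0b0001]
PRIMITIVE_4 = [0b1000, 0b1001, 0b0010, 0b0100]
```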

\section{Conclusions}

This paper reports an implementation-dependent differential attack
on an improved fast encryption algorithm for multimedia (FEA-M)
proposed in \citep{Mihaljevic:BreakingFEA-M:IEEETCE2003}. The attack
works under the condition that the involved (pseudo-)random process
can be tampered with by the attacker. In this case, the attack can
reveal the key with four or more chosen plaintext/ciphertext
matrices, i.e., $4n^2$ chosen plain/ciphertext bits, in two or more
separate encryption sessions. The result shows that a secure
cryptosystem may become totally insecure through seemingly harmless
implementation details in the real world
\citep{Schneier:Secrets&Lies2000}. In addition, a minor problem with
the selection of the session key is also discussed in this paper.

\section{Acknowledgements}

This research was supported by The Hong Kong Polytechnic
University's Postdoctoral Fellowships Scheme under grant no. G-YX63.
The authors thank the anonymous reviewers for their valuable
comments, which helped to enhance the quality of this paper.

\bibliographystyle{elsart-harv}
\bibliography{FEA-M}

\end{document}
