OBAKE Cryptanalysis: Related-Key


In this model, the attacker checks similarities between the blocks of several cryptographic operations through the optics of the "known keys", searching for a relation/constant that allows the future discovery of new keys through the propagation - usually by XOR - of this constant. In other words, in some algorithms it is possible to establish a constant that, through the XOR characteristic (if A = B xor C then C = A xor B) it is possible to discover the key used, implementing this constant in each block. We see this in attacks on the WEP (WiFi/Wired Equivalent Privacy) protocol where the 24 bits of table IV are concatenated with the WEP key and replicated in all data blocks, in this case acting as such a constant.

The first attacks of this type were developed independently by Biham and Knudsen and the notion of a related key attack was defined by Biham. The idea of the attack is that the attacker knows (or chooses) a relation between several keys and is given access to encryption functions with such related keys. The goal of the attacker is to find the keys themselves. If the relation is known but cannot be changed by the attacker, the attack is called a known related key; and if the attacker may choose the relation, it is called a chosen related key attack.

The scenario of the attack is very powerful in terms of the attacker’s capabilities and thus quite unrealistic in practice. Still these attacks may be seen as important certificational weaknesses for the key-schedule of a cipher. A line of ciphers have been shown to have weaknesses in this attack scenario namely: IDEA, GOST, G-DES, SAFER, Triple-DES, 3-WAY, Biham–BiryukovDES, CAST, DES-X, NewDES, RC2, and TEA. Recently a new type of cryptanalytic attack called SLIDE attack has been developed.

OBAKE-512 is designed to resist this type of attack, as explained below:

  • OBAKE-512 works with multiple keys and some of them being random. This way, there is no type of correlation that can act as a "constant", even in the case where the same data is encrypted with the same keys. You can take a look on this capability at this page and this page.

  • OBAKE-512 uses MACs (message authentication code) that are encrypted with one or more keys before being appended to the encrypted result. Thus, equivalence cannot be established by the XOR rule, since several different operations participate in different stages and portions of the cipher block (.

  • OBAKE-512 uses 512-bit "Rainbow-proof" and "Lookup-proof" hashes in some stages in order to mask the key entered, thus avoiding other existing attacks on HASH templates or equivalence or correlation attacks.

Bibliographic references

H.C.A. Tilborg et al., "Encyclopedia of Cryptography and Security", H. C. A. v. Tilborg Ed., SpringerScience+Business Media LLC, 2011.

J. Kelsey, B. Schneier, D. Wagner, Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. International Conference on Information and Communications Security, ICICS97, Computer Science vol. 1334, Springer-Verlag, Berlin, 1997

J. Kelsey, B. Schneier, and D. Wagner, Keyschedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. Advances in Cryptology CRYPTO96, Lecture Notes in Computer Science, vol. 1109, Springer-Verlag, Berlin, 1996.

E. Biham, New types of cryptanalytic attacks using related keys. Journal of Cryptology, number 4, 1994.