Cryptanalysis of splay tree based encryption

Author

  • Jean-Philippe Aumasson
Abstract

We present a chosen-plaintext attack on KIST, a recently proposed encryption scheme based on splay trees. Our attack recovers a 128-bit key with approximately 2^11 bit operations and about 2^18 chosen-plaintext queries.

Splay trees are a type of binary search tree discovered by Sleator and Tarjan in 1983 [1, 2]. They are self-adjusting, in the sense that the tree modifies itself at each access to a node; this modification is called "splaying". In 1988, Jones [3] proposed a simplification of splay trees for data compression, and proposed encrypting data by a similar method, with a secret initial tree as the key. The (rather old) word processor Lotus Ami Pro included a basic, deliberately insecure, version of splay tree based encryption to allow export [4]. Since that basic version is insecure, Jones proposed [5] two techniques to strengthen the scheme. Recently, Wei and Zeng argued [6] that Jones' strengthened schemes are insecure as well, and proposed a new encryption scheme based on splay trees, called KIST. Below we describe a chosen-plaintext attack on that new scheme. We refer to [6] for a description of KIST.

Our attack is based on the following observations:

  • By making 256 chosen-plaintext encryption queries with the bytes 0, 1, ..., 255, one can determine the initial shape of the tree (that is, its shape after initialization) and the values of its leaves, since the encoding of each byte gives the position of that byte (as a leaf) within the tree.
  • Generalizing this technique, one can determine the shape of the tree after encrypting any sequence of bytes, with 2^8 chosen-plaintext queries. Note that this recovers only the labels of the leaves, not those of the inner nodes.
  • Given the shape of the tree before and after a key injection step, one can determine the two inner nodes swapped, i.e. the j such that x_j = K_{i+16} = K_i ⊕ x_k. One can also determine k, as it is the parent of the (known) last plaintext byte processed. If the parameter N is not maximal, one can detect when no nodes were swapped, since a key injection must change the position of at least two leaves.
  • For each subkey word K_i with i ≥ 17, its jth bit, 1 ≤ j ≤ 8, depends only on the jth bit of K_{((i−1) mod 16)+1} and on the jth bits of at most ⌊(i−1)/16⌋ inner node labels. Moreover, these dependencies are fully XOR-linear.
  • A (semi-rotation) splaying does not depend on the values of the inner nodes, but only on the shape of the tree. Given an initial tree shape and an encrypted byte, one can thus determine the new shape of the tree by performing the corresponding sequence of semi-rotations.

The proposed attack goes as follows:

  1. Determine the initial shape of the tree, by making 256 chosen-plaintext queries.
  2. Assign arbitrary labels x_1, ..., x_255 to the inner nodes.
  3. Set m ← λ (i.e., the empty message).
  4. Initialize the equation counter c ← 1.
  5. Initialize the loop counter i ← 1.
  6. While c < 255 + 16 do
     (a) Select an arbitrary byte s_i.
     (b) Set m ← m‖s_i.
     (c) Determine the shape of the tree after encrypting m, by making 256 chosen-plaintext queries of the form m‖b, where b = 0, 1, ..., 255.
     (d) Compare the shape obtained with the previous shape after splaying around s_i. If the two trees differ (that is, key injection modified the tree), then
         i. determine j and k such that the node x_j = K_i ⊕ x_k is used for key injection, and add this equation to the system of equations;
         ii. set c ← c + 1.
     (e) Set i ← i + 1.
  7. Simplify the system of equations by replacing each K_{i+16}, i ≥ 1, by the XOR of K_{((i−1) mod 16)+1} and of inner node labels, as defined by the key generation and by the equations collected.
  8. For each bit slice, solve the linear system of equations whose unknowns are the bits, at that position, of K_1, ..., K_16 and of the inner node labels.
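The shape-recovery and key-injection detection parts of the attack (steps 1 and 6, observations 1, 2, 3 and 5), as an added worked example in Python. This is not the paper's code and it does not implement KIST, whose definition is in [6] and not on this page: it models only what those observations rely on. Assumptions not taken from the text: a full binary tree over the 256 byte values whose root-to-leaf paths are the codewords; Jones' semi-splaying as the shape-only splay; a key injection modelled as swapping two disjoint inner nodes, k being the parent of the byte just processed and j the parent of a key-selected leaf; a constructed secret tree, key bytes and message. The toy oracle's injection log exists only so that the attacker's detections can be checked against the truth.

```python
import random
from types import SimpleNamespace


def disjoint(p, q):  # paths of two nodes, neither an ancestor of the other
    return not (p.startswith(q) or q.startswith(p))


class ShapeTree:
    # Full binary tree over bytes 0..255 built from {byte: root-to-leaf path}; only the shape is kept.
    def __init__(self, codes):
        self.root, self.leaf = SimpleNamespace(sym=None, left=None, right=None, up=None), {}
        for b, code in codes.items():
            n = self.root
            for bit in code:
                side = "left" if bit == "0" else "right"
                if getattr(n, side) is None:
                    setattr(n, side, SimpleNamespace(sym=None, left=None, right=None, up=n))
                n = getattr(n, side)
            n.sym, self.leaf[b] = b, n

    def path(self, n):  # root-to-node path, "0" = left child, "1" = right child
        bits = []
        while n.up is not None:
            bits.append("0" if n is n.up.left else "1")
            n = n.up
        return "".join(reversed(bits))

    def splay(self, b):  # Jones' semi-splaying (assumed): the accessed leaf changes places with its
        a = self.leaf[b]  # parent's sibling, then the walk continues from the grandparent; shape only
        while a.up is not None and a.up.up is not None:
            c, d = a.up, a.up.up
            sib = d.right if d.left is c else d.left
            setattr(d, "right" if d.left is c else "left", a)
            setattr(c, "left" if c.left is a else "right", sib)
            a.up, sib.up, a = d, c, d

    def swap_inner(self, j, k):  # key injection as modelled here: two disjoint inner nodes trade places
        pj, pk = j.up, k.up
        sj, sk = ("left" if pj.left is j else "right"), ("left" if pk.left is k else "right")
        setattr(pj, sj, k)
        setattr(pk, sk, j)
        j.up, k.up = pk, pj


def make_oracle(codes0, key16, N):
    # Toy chosen-plaintext oracle; secret = initial tree and 16 key bytes. Each byte is emitted as its
    # path, then splayed; after every N-th byte a key injection swaps k (parent of that byte) with j,
    # the parent of a key-selected leaf disjoint from k. encrypt() returns (codewords, injection log).
    def encrypt(msg):
        t, out, log = ShapeTree(codes0), [], []
        for i, b in enumerate(msg, 1):
            out.append(t.path(t.leaf[b]))
            t.splay(b)
            if i % N == 0:
                k, pk, start = t.leaf[b].up, t.path(t.leaf[b].up), key16[(i - 1) % 16] + i
                u = next((x & 255 for x in range(start, start + 256) if disjoint(pk, t.path(t.leaf[x & 255].up))), None)
                if u is not None:  # None only when k is the root
                    log.append((i, t.path(t.leaf[u].up), pk))
                    t.swap_inner(t.leaf[u].up, k)
        return out, log
    return encrypt


def recover_shape(query, prefix):  # observations 1-2: the last codeword of prefix||b is b's path
    return {b: query(prefix + bytes([b]))[len(prefix)] for b in range(256)}


def moved_subtrees(predicted, observed):
    # Observation 3: an inner subtree is identified by its {(leaf, relative path)} set; report the
    # maximal subtrees placed elsewhere in `observed` than in `predicted`, as paths in `predicted`.
    def ident(codes):
        return {frozenset((b, c[len(p):]) for b, c in codes.items() if c.startswith(p)): p
                for p in {c[:i] for c in codes.values() for i in range(len(c))}}
    pp, po = ident(predicted), ident(observed)
    moved = {pp[s] for s in pp if s in po and po[s] != pp[s]}
    return sorted(p for p in moved if not any(p.startswith(q) for q in moved if q != p))


def run_attack(query, steps, seed=7):
    # Steps 1 and 6 without the equation bookkeeping: returns the message sent and, for each step
    # whose observed shape differs from the splay-only prediction, (i, path_j, path_k).
    rng, m, detected, shape = random.Random(seed), b"", [], recover_shape(query, b"")
    for i in range(1, steps + 1):
        s = rng.randrange(256)
        m += bytes([s])
        t = ShapeTree(shape)
        t.splay(s)  # observation 5: the post-splay shape follows from the shape alone
        predicted, observed = {b: t.path(n) for b, n in t.leaf.items()}, recover_shape(query, m)
        if observed != predicted:  # step 6(d): a key injection changed the tree
            k_path = predicted[s][:-1]  # k is the parent of the byte just processed
            moved = moved_subtrees(predicted, observed)
            assert len(moved) == 2 and k_path in moved
            detected.append((i, next(p for p in moved if p != k_path), k_path))
        shape = observed
    return m, detected


def demo(N=2, steps=10, seed=2024):
    rng = random.Random(seed)
    t = ShapeTree({b: format(b, "08b") for b in range(256)})
    for _ in range(1000):  # constructed secret initial tree: a balanced tree splayed at random
        t.splay(rng.randrange(256))
    secret = {b: t.path(n) for b, n in t.leaf.items()}
    oracle = make_oracle(secret, bytes(rng.randrange(256) for _ in range(16)), N)
    query = lambda msg: oracle(msg)[0]  # the attacker sees codewords only
    m, detected = run_attack(query, steps)
    return {"initial_recovered": recover_shape(query, b"") == secret, "detected": detected, "truth": oracle(m)[1]}
```

Running demo() plays the attacker against the toy oracle: every injection the oracle performed is detected at the right step, with the right (j, k) positions, from codewords alone; the attacker never sees inner node labels, which is exactly why the equations of step 6(d)i are the only place those labels enter the attack. In this toy, as in the text, a swap is visible because it moves at least two leaves, so a step whose observed shape equals the splay-only prediction is correctly classified as "no injection".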
The complexity of the attack depends on the parameter N, which determines the frequency of key injection and thus the number of iterations of the "while" loop. If N is maximal, a new equation is obtained at each iteration (and so c = i). One then has to determine 272 tree shapes, each of which costs at most 2^8 chosen-plaintext queries; about 2^16 chosen-plaintext queries are thus needed to collect enough equations when N is maximal. The analysis in [6] suggests that N should be such that at least 20 % of the key injections are effective. In that case one needs approximately 1 + 5 × (255 + 16) = 1356 tree shapes, i.e. about 2^18 chosen-plaintext queries. In both cases, solving the linear systems costs about 8 × 271 ≈ 2^11 bit operations. Slightly more than 255 + 16 equations may be necessary, to deal with linearly dependent equations. For the 7-bit version proposed in [6, §4], solving the linear systems costs about 7 × (127 + 16) ≈ 2^10 bit operations.
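Step 8 and the remark on linearly dependent equations, as an added example in Python (not the paper's code): bit-sliced Gaussian elimination over GF(2), with one Python integer per row, for a system in the unknowns K_1, ..., K_16 and x_1, ..., x_255 of the text. Since every dependency is XOR-linear, bit j of the solution depends only on bit j of every equation, so the same elimination runs once per bit slice with an identical coefficient matrix. The equation system is constructed from a hidden solution (the exact equations KIST yields are not given on this page); it contains one independent equation per unknown, each introducing a not-yet-seen unknown as x_j = K_i ⊕ x_k does when j is new, plus deliberately dependent equations.

```python
import random

WIDTH, NKEY, NINNER = 8, 16, 255   # 8-bit words; unknowns K_1..K_16 and x_1..x_255
NVARS = NKEY + NINNER


def K(i):  # unknown index of subkey word K_i, 1 <= i <= 16
    return i - 1


def X(j):  # unknown index of inner node label x_j, 1 <= j <= 255
    return NKEY + j - 1


def gf2_solve(equations, nvars):
    """One bit slice. equations: list of (set of unknown indices, rhs bit). Rows are Python ints
    (bit v = unknown v, bit nvars = rhs) kept in reduced row echelon form. Returns (bits, rank);
    raises ValueError on an inconsistent system; unknowns the system leaves free are set to 0."""
    mask, pivots = (1 << nvars) - 1, {}        # pivot unknown -> its fully reduced row
    for unknowns, rhs in equations:
        row = sum(1 << v for v in unknowns) | (rhs << nvars)
        for v, prow in pivots.items():         # eliminate every existing pivot from the new row
            if row >> v & 1:
                row ^= prow
        if (row & mask) == 0:
            if row >> nvars:
                raise ValueError("inconsistent equations")
            continue                           # linearly dependent: carries no new information
        low = row & mask
        pv = (low & -low).bit_length() - 1     # lowest remaining unknown becomes the pivot
        for v in pivots:                       # keep the other rows reduced w.r.t. the new pivot
            if pivots[v] >> pv & 1:
                pivots[v] ^= row
        pivots[pv] = row
    bits = [0] * nvars
    for v, row in pivots.items():
        bits[v] = row >> nvars & 1             # free unknowns are 0, so a pivot's value is its rhs
    return bits, len(pivots)


def solve_bitsliced(equations, nvars=NVARS, width=WIDTH):
    """Step 8: equations are (set of unknowns, rhs word); each bit position is solved on its own,
    the coefficient matrix being the same in every slice. Returns (words, rank)."""
    words, rank = [0] * nvars, 0
    for bit in range(width):
        bits, rank = gf2_solve([(u, rhs >> bit & 1) for u, rhs in equations], nvars)
        for v, b in enumerate(bits):
            words[v] |= b << bit
    return words, rank


def satisfies(equations, words):
    for unknowns, rhs in equations:
        acc = 0
        for v in unknowns:
            acc ^= words[v]
        if acc != rhs:
            return False
    return True


def constructed_system(rng):
    """Constructed stand-in for the collected equations: a hidden solution and one equation per
    unknown, each introducing a fresh unknown XORed with a few earlier ones, so the first NVARS
    equations are independent by construction; then 3 equations that are XORs of two earlier ones,
    i.e. the redundancy the remark about needing slightly more equations refers to."""
    secret = [rng.randrange(1 << WIDTH) for _ in range(NVARS)]
    order = list(range(NVARS))
    rng.shuffle(order)
    eqs = []
    for t, fresh in enumerate(order):
        unknowns = {fresh} | set(rng.sample(order[:t], min(t, rng.randrange(4))))
        rhs = 0
        for v in unknowns:
            rhs ^= secret[v]
        eqs.append((unknowns, rhs))
    dependent = []
    for _ in range(3):
        (u1, r1), (u2, r2) = rng.sample(eqs[:-3], 2)
        dependent.append((u1 ^ u2, r1 ^ r2))   # symmetric difference of unknowns, XOR of rhs
    return secret, eqs, dependent


def demo(seed=11):
    rng = random.Random(seed)
    secret, eqs, dependent = constructed_system(rng)
    out = {"secret": secret}
    # "full": every independent equation plus the dependent ones -> full rank, unique solution.
    # "short": as many equations as unknowns, but 3 of them dependent -> rank NVARS - 3.
    for name, system in (("full", eqs + dependent), ("short", eqs[:-3] + dependent)):
        words, rank = solve_bitsliced(system)
        out[name] = {"equations": len(system), "rank": rank, "unique": rank == NVARS,
                     "consistent": satisfies(system, words), "recovered": words == secret,
                     "K_words": words[K(1):K(16) + 1]}
    return out
```

The "short" system has exactly 255 + 16 equations, but three of them are combinations of the others, so its rank is 268: the solver still returns a solution consistent with every equation, but 3 × 8 unknown bits are free and the returned K_1, ..., K_16 need not be the right ones. The "full" system has three more independent equations and recovers the hidden solution, including all sixteen subkey words, which is why a few equations beyond 255 + 16 should be collected before solving.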


Similar sources

KIST: A new encryption algorithm based on splay

In this paper, we propose a new encryption algorithm called KIST. This algorithm uses an asynchronous key sequence and a splay tree. It is very efficient in the usage of both space and time. Some elementary security tests have been done.

A Performance Survey of Meta-Heuristic And Brute-Force Search Algorithms to Cryptanalysis The SDES Encryption Algorithm

For many years, cryptanalysis has been considered an attractive topic in jeopardizing the security and resistance of an encryption algorithm. The SDES encryption algorithm is a symmetric cryptography algorithm that performs a cryptographic operation using a crypt key. In the world of encryption, there are many search algorithms for cryptanalysis. In these researches, brute force attack algori...

Artemia: a family of provably secure authenticated encryption schemes

Authenticated encryption schemes establish both privacy and authenticity. This paper specifies a family of dedicated authenticated encryption schemes, Artemia. It is an online nonce-based authenticated encryption scheme which supports associated data. Artemia uses the permutation-based mode, JHAE, that is provably secure in the ideal permutation model. The scheme does not require the in...

Private Key based query on encrypted data

Nowadays, users of information systems have an inclination to use a central server to decrease data transfer and maintenance costs. Since such a system is not so trustworthy, users' data is usually kept encrypted. However, encryption is not a nostrum for security problems and cannot guarantee data security. In other words, there are some techniques that can endanger the security of encrypted d...

Cryptanalysis of GSM encryption algorithm A5/1

The A5/1 algorithm is one of the most famous stream cipher algorithms used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and investigation of the A5/1 state transition. Biham and Dunkelman proposed an attack on A5/1 with a time and data complexity of 2^39.91 and 2^21.1, ...


Journal: IACR Cryptology ePrint Archive

Volume: 2010

Publication date: 2010