Welcome to this presentation of my paper, Cryptanalysis of the SoDark Cipher for HF Radio Automatic Link Establishment. My name is Marcus Dansarie, and I'm a PhD student at the Swedish Defence University and the University of Skövde. My primary research interest concerns security in radio-based communication systems.

The SoDark cipher is specified in US federal and military standards, as well as in a NATO standardization agreement. It has been standardized since the early 1990s, but despite this, there does not appear to exist any public cryptanalysis of the cipher. It was created to encrypt automatic link establishment (ALE) messages sent between high-frequency (HF) radios. HF radio is unique in that it can be used to transmit messages globally without any infrastructure. For that reason, it is used by military, diplomatic and emergency agencies, as well as by aid organizations throughout the world. Establishing HF radio connections requires a fair bit of skill from the radio operator, and ALE was developed to automate much or all of this work. The second generation of ALE was the first standardized version, and the first to use the cipher described here. Despite the development of third and fourth generations, the second remains the most commonly used. ALE is an OSI layer 2 protocol that only controls the setup and tear-down of calls; data or audio transmissions are handled by other protocols.

The SoDark cipher is a 24-bit block cipher that uses a 56-bit key and a 64-bit tweak. In second generation ALE, the cipher has eight rounds, and this was extended to 16 rounds in third generation ALE. The cipher performs all operations on three 8-bit state bytes, and all operations are linear, except for lookups in an 8x8-bit S-box. In second generation ALE, the cipher is actually called the Lattice algorithm, but I've chosen not to use that name in order to avoid confusion with lattice cryptography.

This slide summarizes the results of the attacks presented in the paper.
The six and seven round attacks can be considered preludes to the attack on the full 8-round SoDark used in second generation ALE. In a known plaintext setting, the average expected attack time is 2 to the power of 45.7. 2 to the power of 12.7 plaintext ciphertext tweak tuples are required for a 50% probability of success. The known plaintext attacks can be adapted to chosen ciphertext attacks that require significantly less data. In addition to the attacks presented in the paper, up to five rounds of the cipher are vulnerable to meet-in-the-middle attacks that can be performed using any three plaintext ciphertext tweak tuples.

When it comes to the SoDark S-box, no public information has been found regarding its design criteria. The properties of the S-box have therefore been studied in an attempt to reverse engineer any such criteria, using the methods described by Biryukov and Perrin. The reverse engineering attempts were unsuccessful. A Kolmogorov-Smirnov test of the linear bias and differential uniformity of the S-box showed a high level of conformity with what would be expected for a random permutation. Although both the linear bias and differential uniformity are higher than the average for a random permutation, the differences are not statistically significant. In conclusion, no evidence has been found that points to the S-box being anything other than a randomly selected permutation.

This slide describes the notation used in the definition of the round function and the subsequent cryptanalysis. SoDark uses three state bytes A, B and C, and the inputs and outputs of the different rounds are denoted by superscript numbers in parentheses. The seven key bytes are denoted by a lowercase k with the byte number as subscript. The same goes for the eight tweak bytes, which are denoted by a lowercase t. Bitwise exclusive OR is denoted by a circle plus sign, and for applications of the S-box, the functional notation shown here is used.
The cryptanalysis uses differences between two parallel encryptions in a lot of cases, and the delta character is used as a shorthand for this, as shown here.

And here is the definition of the round function. The illustration to the right shows the first two rounds of the cipher. Each byte of the round keys, shown here with lowercase letters, is created by exclusive ORing one key byte with one tweak byte. Each state byte is exclusive ORed with a round key byte and one or two other state bytes before applying the S-box. Despite its simplicity, the SoDark key schedule prevents many standard attacks on block ciphers. Since the numbers of key and tweak bytes are relatively prime, the round keys don't repeat until after 56 rounds, preventing slide attacks. One of the main weaknesses of the cipher is that each round only uses three bytes of the key, and that the rounds can be partially decrypted using a single key byte.

There is no mechanism in the ALE standard for transferring the tweak along with the ciphertext. For that reason, the tweak is generated using information already known to the sender and receiver. This includes the date and time of day, as well as the frequency of transmission, as shown in the table here. Since precise time synchronization between radios in an HF network can be hard to achieve, a system setting called the protection interval, PI, governs the granularity of the time fields. The finest granularity corresponds to one-second accuracy. To ensure that a different tweak is used for all encryptions, the word number field is incremented for each 24-bit word in a frame. This fact is important for cryptanalysis, since it means that any two tweaks used for encrypting words in a frame will differ only in the fifth tweak byte.
The known plaintext attacks presented here all start from the observation that, for any round, the differences in the state variables after the previous round can be calculated without any key guessing using the formulas shown here. These formulas are derived directly from the definition of the round function.

Now, in attacking six rounds, we consider the case where we are provided with two plaintext ciphertext tweak tuples such that the ciphertexts are equal, and where the tweaks only differ in the fifth tweak byte, as previously mentioned. Since the tweaks, and possibly also the plaintexts, are different, a collision must have occurred for the ciphertexts to be equal. In this case, it's possible to calculate the difference in one of the state variables after the third round by using the formulas on the previous slide, along with the fact that an S-box input difference of zero will always yield an output difference of zero as well. The specifics of that calculation are shown here. As we can see, equal ciphertexts after the sixth round imply that the difference in one of the state variables after the third round must have been equal to the difference between the fifth bytes of the tweaks. All this follows from what was presented on the previous slide.

It is now possible to search for partial keys that cause that particular difference for the plaintexts and tweaks in question. This is illustrated by the figure to the right. Only six of the key bytes are used in the calculation of that difference. Additionally, many of the calculations can be cached, speeding things up even further. This figure also shows the differences that are known with certainty, and how they propagate through the third and fourth rounds.

The attack on six rounds can easily be extended to seven rounds by using the technique presented earlier for calculating the difference in the previous round.
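To make two of the points above concrete, the round keys not repeating before 56 rounds and the differences after the previous round being computable from a ciphertext pair without any key guessing, here is an added Python model; it is not code from the paper or from its GitHub repository. The S-box is a constructed random permutation standing in for the real one, and the exact wiring of the three state bytes in the round function, as well as the indexing of key and tweak bytes into round keys, are assumptions consistent with the description given in the talk.

```python
import random

# Constructed stand-in S-box (seeded random 8-bit permutation), NOT the real SoDark
# S-box. Its inverse is needed to partially decrypt the last round.
SBOX = list(range(256))
random.Random(2021).shuffle(SBOX)
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i

def round_key_bytes(key, tweak, r):
    # rk_j = k[j mod 7] ^ t[j mod 8], j counting round key bytes from 0 (assumed indexing)
    return tuple(key[j % 7] ^ tweak[j % 8] for j in range(3 * r, 3 * r + 3))

def round_key_diff(t1, t2, r):
    # Difference of round r's key bytes under two tweaks: key bytes cancel, tweaks are known
    return tuple(t1[j % 8] ^ t2[j % 8] for j in range(3 * r, 3 * r + 3))

def sodark_round(state, rk):
    # Assumed wiring: A and C mix with B; B mixes with the two updated bytes (per the talk)
    a, b, c = state
    ka, kb, kc = rk
    a2 = SBOX[a ^ b ^ ka]
    c2 = SBOX[c ^ b ^ kc]
    b2 = SBOX[a2 ^ b ^ c2 ^ kb]
    return (a2, b2, c2)

def encrypt(pt, key, tweak, rounds=8):
    # Returns the state after every round; states[0] is the plaintext, states[-1] the ciphertext
    states = [tuple(pt)]
    for r in range(rounds):
        states.append(sodark_round(states[-1], round_key_bytes(key, tweak, r)))
    return states

def prev_round_diff(ct1, ct2, rk_diff):
    # (dA, dB, dC) after the previous round from the ciphertext pair and tweak difference
    # only: inverting the S-box exposes the XOR sums and the unknown key bytes cancel.
    (a1, b1, c1), (a2, b2, c2) = ct1, ct2
    dka, dkb, dkc = rk_diff
    d_ab = SBOX_INV[a1] ^ SBOX_INV[a2] ^ dka  # dA ^ dB
    d_cb = SBOX_INV[c1] ^ SBOX_INV[c2] ^ dkc  # dC ^ dB
    d_b = SBOX_INV[b1] ^ SBOX_INV[b2] ^ dkb ^ a1 ^ a2 ^ c1 ^ c2
    return (d_ab ^ d_b, d_b, d_cb ^ d_b)

def key_schedule_period(key, tweak, max_rounds=200):
    # Smallest r > 0 whose round key triple equals that of round 0
    first = round_key_bytes(key, tweak, 0)
    return next(r for r in range(1, max_rounds) if round_key_bytes(key, tweak, r) == first)
```

Running prev_round_diff on the two 8-round ciphertexts of any pair of encryptions under the same key reproduces the exact differences of the states after round 7, even when the plaintexts and tweaks differ.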
Instead of looking for equal ciphertexts, we look for ciphertexts that imply an equal state after the next-to-last round.

Eight rounds corresponds to the full cipher as used by second generation ALE. It is not possible to identify pairs of plaintext ciphertext tweak tuples where collisions have occurred after the fourth round just by studying the differences in the ciphertexts after the eighth round. However, it is possible, through a fast filtering operation, to reject all pairs that have zero probability of satisfying the requirements for the attack. The filtering is performed in two steps. In the first step, the difference after the seventh round is calculated in the same way as previously. Pairs where the differences in state bytes A and C are not zero are immediately excluded. Most pairs are excluded in this step. In the second step, all 256 possible values of key byte 3 are tested to see if they lead to the required difference after the sixth round. When they do, this indicates a possible collision, and a search for partial keys that cause the requisite difference after the third round is performed in the same manner as before. The search will however be much faster than in the attacks on six and seven rounds, because the possible values of the third key byte are already known.

For the attacks to work, a particular difference in the output of the third round has to exist. Assuming the cipher's randomization properties are good, the probability of this happening is 2 to the power of negative 24. In the ALE standard, each transmitted frame contains at least three 24-bit words. This means that each transmitted frame yields three pairs of plaintext ciphertext tweak tuples with the required tweak difference. Under these conditions, 2 to the power of 21.9 frames are required for a 50% probability of success. A call between two ALE radios requires them to transmit at least four frames between them. This translates to about a million intercepted calls for a 50% probability of success.
As we have seen, the known plaintext attacks presented here require a relatively large amount of data. They can however be converted to chosen ciphertext attacks with very low data complexities. This is possible since it is easy to generate pairs of ciphertexts that will cause the required collision with high probability. In fact, only one pair of ciphertexts is required for each candidate value of key byte 3. So in other words, with 256 generated pairs, the probability of success of the chosen ciphertext attack is 100%. In addition to this, the attack complexity is slightly lower compared to the known plaintext attack.

The attacks described in the paper have been implemented in C and in the CUDA framework for NVIDIA GPUs. A bit-sliced brute-force implementation has also been developed and used to benchmark the attacks. On a computer with six mid-range GPUs, a brute-force attack takes about five days. The attacks implemented here take 42 minutes to perform on the same computer. Programs for generating test data have also been developed, and all code is available to download from GitHub under an open-source license.

When it comes to future work, attacks on the 16-round version of the cipher, which is used in third-generation ALE, have not been developed. It may be possible to extend the attacks presented here to more rounds. In third-generation ALE, a 48-bit version of the cipher is also introduced. In addition to the larger block size, that version also has a slightly modified round function. There does not appear to exist a cryptanalysis of that cipher. In the latest version of the standard, a cipher developed for fourth-generation ALE is also introduced: HALFLOOP. It is based in part on AES, but has many differences compared to AES, including a different block size and a different key schedule.

With that, I conclude my presentation and I thank you for your attention.