Known and Chosen Key Differential Distinguishers for Block Ciphers

Transcription

1 1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011

2 2/19 Outline Outline 1 2 Collisions For Cryptographic Hash Functions 3 Conclusions

3 3/19 Block Ciphers SP Network Our results are focused on Substitution Permutation Network (SPN) based designs.

4 3/19 Block Ciphers SP Network Our results are focused on Substitution Permutation Network (SPN) based designs. Example: Square

5 4/19 Differential Distinguishers Distinguisher for a cipher A Distinguisher D for a block cipher is a randomized algorithm interacting with two primitives: an Ideal Cipher IC and the analysed block cipher E K, and in polynomially bounded time decides which primitive is E K, where K is an encryption key.

6 4/19 Differential Distinguishers Distinguisher for a cipher A Distinguisher D for a block cipher is a randomized algorithm interacting with two primitives: an Ideal Cipher IC and the analysed block cipher E K, and in polynomially bounded time decides which primitive is E K, where K is an encryption key. Differential Distinguishers Based on construction of differential trails P for the block cipher E K. Standard Differential Distinguisher encryption key K is random,

7 4/19 Differential Distinguishers Distinguisher for a cipher A Distinguisher D for a block cipher is a randomized algorithm interacting with two primitives: an Ideal Cipher IC and the analysed block cipher E K, and in polynomially bounded time decides which primitive is E K, where K is an encryption key. Differential Distinguishers Based on construction of differential trails P for the block cipher E K. Standard Differential Distinguisher encryption key K is random, Open key Differential Distinguishers encryption key K is known or chosen and we consider trails ( P, K ), where P = P 1 P 2, K = K 1 K 2 for pairs of plain texts P 1, P 2 and keys K 1, K 2 and = E K1 (P 1 ) E K2 (P 2 ).

8 5/19 Why Open key Model For Block Cipher? Cryptographic Hash Function A Cryptographic Hash Function F : {0, 1} {0, 1} n is a transformation that maps arbitrary length input into fixed-length output and is designed to achieve certain security properties, such as: preimage resistance, second preimage resistance, collision resistance.

9 5/19 Why Open key Model For Block Cipher? Cryptographic Hash Function A Cryptographic Hash Function F : {0, 1} {0, 1} n is a transformation that maps arbitrary length input into fixed-length output and is designed to achieve certain security properties, such as: preimage resistance, second preimage resistance, collision resistance. Merkle-Damgård structure

10 6/19 Hash Modes Single Block mode (ı) h 1 E h (m) m 2 E h (h m) h m 3 E h (m) h m 4 E h (h m) m 5 E m(h) h 6 E m(h m) h m 7 E m(h) h m 8 E m(h m) h 9 E h m (m) m 10 E h m (h) h 11 E h m (m) h 12 E h m (h) m Double Block mode (h, g ) A-DM T-DM DBL MDC-2 h = E g,m(h) h g = E m,h (ḡ) g h = E g,m(h) h g = E m,eg,m(h)(g) g h = E h m (g c) g c g = E h m (g) g h = (E h (m) m) L (E g (m) m) R g = (E g (m) m) L (E h (m) m) R

11 7/19 Differential Trail Example of a differential trail: Square

12 8/19 Rebound Attack

13 8/19 Rebound Attack

14 8/19 Rebound Attack

15 9/19 Results Truncated differential trails Crypton, Hierocript-3, Square Example: Square The total probability of the differential trail is 2 48.

16 10/19 Results Standard differential trail for 6.5 rounds of SAFER++ for chosen-key distinguisher and 128-bit key with probability 2 112

17 11/19 Results Lemma Let D I, D O denote subsets of {0, 1} n, which are closed under, i.e. x y D I (respectively D O ) for x, y D I (resp. D O ). For any attacker making queries to a random n-bit permutation π and its inverse π 1, the complexity (measured in expected number of oracle queries) of finding a pair of inputs (x, y), where x y D I, D I = 2 c I, such that π(x) π(y) D O, D O = 2 c O, is lower bounded as Q min(2 n 2 2, 2 n (c I +c O ) 3 ). A 1 = A 2 = D I B 1 = B 2 = B 3 = B 4 = D O A 1 A 2 = B 1 B 4 = {0, 1} n

18 11/19 Results Lemma Let D I, D O denote subsets of {0, 1} n, which are closed under, i.e. x y D I (respectively D O ) for x, y D I (resp. D O ). For any attacker making queries to a random n-bit permutation π and its inverse π 1, the complexity (measured in expected number of oracle queries) of finding a pair of inputs (x, y), where x y D I, D I = 2 c I, such that π(x) π(y) D O, D O = 2 c O, is lower bounded as Q min(2 n 2 2, 2 n (c I +c O ) 3 ). A 1 = A 2 = D I B 1 = B 2 = B 3 = B 4 = D O A 1 A 2 = B 1 B 4 = {0, 1} n

19 11/19 Results Lemma Let D I, D O denote subsets of {0, 1} n, which are closed under, i.e. x y D I (respectively D O ) for x, y D I (resp. D O ). For any attacker making queries to a random n-bit permutation π and its inverse π 1, the complexity (measured in expected number of oracle queries) of finding a pair of inputs (x, y), where x y D I, D I = 2 c I, such that π(x) π(y) D O, D O = 2 c O, is lower bounded as Q min(2 n 2 2, 2 n (c I +c O ) 3 ). A 1 = A 2 = D I B 1 = B 2 = B 3 = B 4 = D O A 1 A 2 = B 1 B 4 = {0, 1} n

20 11/19 Results Lemma Let D I, D O denote subsets of {0, 1} n, which are closed under, i.e. x y D I (respectively D O ) for x, y D I (resp. D O ). For any attacker making queries to a random n-bit permutation π and its inverse π 1, the complexity (measured in expected number of oracle queries) of finding a pair of inputs (x, y), where x y D I, D I = 2 c I, such that π(x) π(y) D O, D O = 2 c O, is lower bounded as Q min(2 n 2 2, 2 n (c I +c O ) 3 ). A 1 = A 2 = D I B 1 = B 2 = B 3 = B 4 = D O A 1 A 2 = B 1 B 4 = {0, 1} n

21 12/19 Results Cipher Distinguisher Rounds Encryptions Lower bound Crypton Known-key Chosen-key Hierocrypt-3 Known-key Chosen-key SAFER++ Known-key Chosen-key Square Known-key Chosen-key n-bit Feistel Diff. attack r 2 c with k-bit key Known-key r c Chosen-key r + 2k n 2c

22 13/19 Collisions For Cryptographic Hash Functions Cryptographic Hash Function Collisions 1 Collisions for a fixed chaining value H 0, the adversary tries to find two distinct messages M 1, M 2 such that f (H 0, M 1 ) = f (H 0, M 2 ). 2 Pseudo collisions for a message M, the adversary wishes to find two distinct chaining values H 1, H 2 such that f (H 1, M) = f (H 2, M). 3 Semi-free start collisions the adversary attempts to find two distinct messages M 1, M 2 and a chaining value H such that f (H, M 1 ) = f (H, M 2 ). 4 Free start collisions the adversary tries to find two distinct chaining values H 1, H 2, and two distinct messages M 1, M 2 such that f (H 1, M 1 ) = f (H 2, M 2 ).

23 14/19 Collisions For Cryptographic Hash Functions Semi Free Start Collision For E h (m) m Example: Square

24 Collisions For Cryptographic Hash Functions Results: Hash Modes mode (ı) h plain text key plain text and key 1 E h (m) m C, SFSC PC a FSC 2 E h (h m) h m C, SFSC PC PC, FSC 3 E h (m) h m C, SFSC PC FSC 4 E h (h m) m C, SFSC PC PC, FSC 5 E m (h) h PC C a, SFSC a FSC 6 E m (h m) h m PC FSC C, SFSC, FSC 7 E m (h) h m PC C, SFSC FSC 8 E m (h m) h PC FSC C, SFSC, FSC 9 E h m (m) m FSC PC a C, SFSC, FSC 10 E h m (h) h FSC C a, SFSC a PC, FSC 11 E h m (m) h FSC PC C, SFSC, FSC 12 E h m (h) m FSC C, SFSC C, PC, FSC a When key collisions exist in the cipher. 15/19

25 16/19 Collisions For Cryptographic Hash Functions Results: Double Hash Modes mode (h, g ) plain text key A-DM T-DM DBL MDC-2 plain text and key C, SFSC PC h = E g,m(h) h g = E m,h (ḡ) g FSC C, SFSC PC, FSC h = E g,m(h) h g = E m,eg,m(h)(g) g FSC C, SFSC PC, FSC h = E h m (g c) g c C, PC, g PC = E h m (g) g SFSC, FSC PC, FSC h = (E h (m) m) L (E g (m) m) R g = (E g (m) m) L a FSC (E h (m) m) R a When key collisions exist in the cipher.

26 Conclusions 17/19 Conclusions Results We have presented differential distinguishers for Crypton, Hierocrypt-3, SAFER++, and Square, We have showed lower bound of constructing pair that follows a truncated trail in the case of a random permutation, We have examined the application of the differential trails in analysis of ciphers that are used for compression function constructions.

27 Conclusions 18/19 Open Problems 1 The area of open-key distinguishers is largely unexplored, 2 Finding similar distinguishers based on related-key differentials remains an open problem.

28 Questions 19/19 Questions