GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

Transcription

1 Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667, INDIA sugatfma@iitr.ac.in Goutam Paul Cryptology and ecurity Research Unit, R. C. Bose Centre for Cryptology and ecurity, Indian tatistical Institute, Kolkata 70008, INDIA goutam.paul@isical.ac.in Nishant inha Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667, INDIA nishantsinha.iitr@gmail.com Pantelimon tănică Department of Applied Mathematics, Naval Postgraduate chool, Monterey, CA , UA pstanica@nps.edu (Communicated by the associate editor name) Abstract. While analyzing -boxes, or vectorial Boolean functions, it is of interest to approximate its component functions by affine functions. In the usual attack models, it is assumed that all input vectors to an -box are equiprobable. The nonlinearity of an -box is defined, subject to this assumption. In this paper, we explore the possibility of linear cryptanalysis of an -box by introducing biased inputs and thus propose a generalized notion of nonlinearity along with a generalization of the Walsh-Hadamard spectrum of an -box.. Introduction Let F be the finite field with two elements and Z be the ring of integers. For any n Z +, the set of positive integers, let [n] =,..., n}. The Cartesian product of n copies of F is F n = x = (x,..., x n ) : x i F, i [n]} which is an n-dimensional vector space over F. For any m, n Z +, a function F : F n F m is said to be an (n, m) vectorial Boolean function (in short, an (n, m)-function) or an n m -box. An (n, )-function is said to be a Boolean function in n variables. The -boxes are important components in block cipher designs, since usually they are the only sources of nonlinearity. DE -boxes have been studied for more than three decades and their analysis is still relevant today. imilarly, the AE -box is studied extensively. 00 Mathematics ubject Classification: Primary: 06E30, T7; econdary: 94A60. Key words and phrases: Nonlinearity, -box, Vectorial Boolean function, Walsh-Hadamard transform. Nishant inha thanks IIT Roorkee for supporting his research. Corresponding Author c 0xx AIM

2 . Gangopadhyay, G. Paul, N. inha and P. tănică Matsui [5] introduced the linear cryptanalysis of block ciphers which involves linear approximation of the -boxes employed in their designs. The component functions of the -boxes are approximated by linear Boolean functions by assuming all the input vectors to be equiprobable. In this paper, we generalize the notion of linear approximation of -boxes by introducing a framework where some of the input variables are biased although all the variables are independent. We sketch the possibility of a chosen-plaintext attack based on these considerations. Boolean functions with biased inputs, which we refer to as µ p -Boolean functions, is a common generalization of Boolean functions which stems from the theory of random graphs developed by []. The graph properties in a random graph expressed as such Boolean functions are used by Friedgut and Kalai []. For a detailed discussion on the Fourier analysis of µ p -Boolean functions we refer to [6, Chapter 8]. Biased analysis is recently considered for cryptanalysis of the stream ciphers E 0 and hannon cipher by Lu and Desmedt [4]. Generalized -box nonlinearity has been considered by Parker [7], using nega-hadamard spectrum of -boxes. The recent work [3] has shown the connection between Boolean functions with biased inputs and nega-hadamard spectra by resorting to quantum implementations of Boolean functions. Our current work establishes a new design criteria for cryptographically secure -boxes. We also believe that this is an important step towards developing cryptanalytic techniques based on Parker s theory [7].. Linear approximations of an -box An -box F can also be thought of as a sequence of Boolean functions written as F = (f,..., f m ) where each f i : F n F is a Boolean function. These are said to be coordinate functions of F. F -linear combinations of coordinate functions are said to be component functions. For any v F m, v F is a component function of F. The inner product is defined by x y = i [n] x iy i. The linear function corresponding to u F n is ϕ u (x) = u x, for all x F n. The intersection of two vectors x = (x,..., x n ), y = (y,..., y n ) in F n is defined by x y = (x y,..., x n y n ). The (Hamming) distance between two Boolean functions f, g : F n F is d(f, g) = x F n : f(x) g(x)}. Thus, the Hamming distance between the component function v F and the linear function ϕ u is () d(v F, ϕ u ) = x F n : v F (x) ϕ u (x)} = n x F n = n W F (u, v), v F (x)+ϕu(x) ( ) where W F (u, v) = x F ( ) v F (x)+ϕu(x). The nonlinearity of F : F n n F m is given by () nl(f ) = min u F n,v Fm uppose that max u F n,v Fm d(v F, ϕ u ) = n max u F n,v Fm W F (u, v) = W F (u 0, v 0 ). W F (u, v). If the value of W F (u 0, v 0 ) is high then the component function v 0 F (x) can be efficiently approximated by u 0 x or its complement. Volume X, No. X (0xx), X XX

3 Generalized Nonlinearity of -boxes 3 uppose that a plaintext block x = (x,..., x n ) F n XOR-ed to the key k = (k,..., k n ) F n after being acted upon by F produces the ciphertext y = (y,..., y m ) = F (x k) F m. Let X, Y, K be the random variables corresponding to plaintext, ciphertext and key, respectively. Then (3) Pr[u 0 K = v 0 Y u 0 X] = Pr[u 0 (X K) = v 0 Y] = n W F (u 0, v 0 ) n = n + W F (u 0, v 0 ) n = + n+ W F (u 0, v 0 ). Thus, if W F (u 0, v 0 ) 0 and (n+) W F (u 0, v 0 ) is close to then the equation u 0 K = v 0 Y u 0 X is true with a probability close to. imilarly, if W F (u 0, v 0 ) 0 and (n+) W F (u 0, v 0 ) is close to then the equation u 0 K = v 0 Y u 0 X is true with a probability close to. Thus if we have a large sample of the plaintextciphertext pairs we will be able to establish linear relationships between the key bits. This leads to linear cryptanalysis of block ciphers which was introduced by [5] for cryptanalysis of DE. 3. Linear approximation of an -box with respect to partially biased inputs Let [n]. X = (X,..., X n ), and K = (K,..., K n ) are n-tuples and Y = (Y,..., Y m ) is an m-tuple of random variables corresponding to plaintexts, chipertexts and keys, respectively, such that (4) Y = F (X K) where F : F n F m. 3.. Linear approximations when the inputs are partially biased. To simplify the notation assume that the input to F : F n F m is X = (X,..., X n ) having the following distribution. (5) Pr[X i = ] = p, if i p, if i, if i [n] \, Pr[X i = 0] =, if i [n] \. We say that a component function v F can be approximated by ϕ u if Pr[v F (X) = ϕ u (X)] is high. Let e i F n be the vector whose ith component is and remaining components are 0 s, for all i [n]. Define e = i e i. We introduce a notion of Volume X, No. X (0xx), X XX

4 4. Gangopadhyay, G. Paul, N. inha and P. tănică distance similar to that in [3] as follows: (6) where (7) d (p) (v F, ϕ u) = n Pr[v F (X) ϕ u (X)] = n (n ) p wt(e x) ( p) wt(e x) v F (x) u x = ( p) x F n = ( p) x F n = ( p) x F n ( ) wt(e x) p (( ) v F (x) ( ) u x ) p ( ) wt(e x) p ( ( ) v F (x) u x ) p ( ) wt(e x) p ( p) (u, v) p = ( p) n ( p) ( p) = n ( p) (u, v) ( p (u, v) = ( ) v F (x) u x p x F n (u, v) ) wt(e x) is a generalization of the Walsh Hadamard transform for vectorial Boolean functions (-boxes). As a side problem, we propose to the community that the transform defined in (7) be investigated for different -boxes. 3.. A chosen-plaintext attack model. Let the coordinates of K be i.i.d. (independent and identically distributed), i.e., (8) Pr[K i = ] = Pr[K i = 0] =, for all i [n]. If X i and K i had been independent, then assuming Pr[X i = 0] = q i, we would have Pr[X i K i = 0] = Pr[X i = 0, K i = 0] + Pr[X i =, K i = ] = Pr[X i = 0] Pr[K i = 0] + Pr[X i = ] Pr[K i = ] = q i + ( q i) =. In other words, the distribution of X i K i would have been unbiased, irrespective of the bias in X i. But since we make X i dependent on our guess of K i, the above result do not hold and we can bias the distribution of X i K i. If we guess the Volume X, No. X (0xx), X XX

5 Generalized Nonlinearity of -boxes 5 key-bits k i for all i, then for all i [n] we can simulate X i K i such that p, if i Pr[X i K i = 0] =, if i [n] \, (9) p, if i Pr[X i K i = ] =, if i [n] \, for any 0 p, by choosing X i s appropriately, and ensuring that X i K i are independent random variables. From the discussion above we observe that employing a chosen-plaintext model it is possible to ensure that the input to an -box (equivalently, the vectorial Boolean function) F is partially-biased. With respect to such a partially-biased input if a component function of F can be approximated by a linear function ϕ u or its complement then one may be able to apply linear cryptanalysis techniques on F. uppose that v 0 F is close to a linear function ϕ u when the inputs of the variables with indexes in 0 are biased. Then we can choose plaintexts x with respect to each guess of the key segment e 0 k such that the following equation is satisfied with high probability To be more precise (0) u 0 (x k) = v 0 y i.e., u 0 k = u 0 x v 0 y i.e., u 0 (e 0 k ( e 0 ) k) = u 0 x v 0 y i.e., u 0 (( e 0 ) k) = u 0 (e 0 k) u 0 x v 0 y Pr[u 0 (( e 0 ) K) = u 0 (e 0 K) u 0 X v 0 Y] = n 0 ( p) 0 0 (u 0, v 0 ) n = + 0 ( p) 0 n+ 0 (u 0, v 0 ) Thus the knowledge of u 0 (e 0 k), u 0 x and v 0 y allows us to derive relationships between the unknown key-bits of k which form the vector ( e 0 ) k. This might be translated to key recovery in time less than the exhaustive search Mounting a more efficient linear cryptanalysis. Let [n], u F n and v F m. Consider an -box F : F n F m. Then from Equation (3), we have Pr[u K = v Y u X] = + n+ W F (u, v). The absolute value of the bias of the above event is ɛ(u, v F ) = n+ W F (u, v). If the inputs follow the probability distribution (5), then from Equation (0), we have Pr[u (( e ) K) = u (e K) u X v Y] = + ( p) n+ (u, v) and the corresponding absolute value of the bias (u, v F ) = ( p) n+ (u, v). Volume X, No. X (0xx), X XX

6 6. Gangopadhyay, G. Paul, N. inha and P. tănică According to [5], if for an PN-based iterated block cipher we can pile-up the biases up to the last-but-one round, and we can form a linear equation involving a subset of the key bits with a probability q, then we can mount linear cryptanalysis to find the values of that subset of key bits independent of the other key bits. For a constant success probability, the number of samples (i.e., plaintext-ciphertext pairs) required is given by = (q ) δ, where δ = q. Now, for some -box F used in the block cipher, for some [n], if we can find a suitable p, 0 < p < and v F m, such that () max u F n (u, v F ) > max ɛ(u, v F ), then we can pile-up the biases such that the resulting bias q p (for biased inputs as per distribution (5)) of the subkey-dependent expression corresponding to the last-but-one round is larger than the usual bias q without biased input. Thus, δ p = q p would be greater than δ, thereby requiring less number of samples for the linear cryptanalysis using biased inputs. The reduced data complexity would also lead to reduced time complexity of the attack. Note that, as long as one is able to find at least one [n], one suitable p, 0 < p < such that Equation () holds, then one can mount a better attack. However, if one performs an offline exhaustive enumeration of all the biases by varying all the parameters, then one would be able to mount the optimal attack A Piling-up Lemma in the Biased Context. Let [n] and X i, i k, be independent random variables whose values are as in (5). We let p if i p i = / if i, and the bias of a random variable X with some probability distribution p is defined by ɛ X = p. Thus, for our X i, ɛ Xi = p i = p if i 0 if i u F n (we shall often write ɛ i in lieu of ɛ Xi, if it is clear from the context). Lemma 3. (Piling-up Lemma [8, p. 8]). Let [n] and X i, i k, be independent random variables whose values are as in (5). Then the probability that X X X k = 0 is Pr(X X X k = 0) = + k and therefore, the bias for X = X X X k is ɛ X = k k i= ɛ i. The following corollary is obvious. k i= ɛ i, Corollary. Pr(X X X k = 0) = with i. if and only if there exists i k Volume X, No. X (0xx), X XX

7 Generalized Nonlinearity of -boxes 7 4. Experimental Results with DE and AE -boxes In ection 3.3, we have discussed how to mount a more efficient attack with biased inputs, if we can have max u F n (u, v F ) > max ɛ(u, v F ) for some -box F used in a block cipher. In this section, we analyse some -boxes F by computing the following ordered pair (max u F n and listing them in a table. ɛ(u, v F ), max u F n u F n (u, v F )). 4.. Experiments with DE -box. Let F be the first DE -box. The truth table of e F is ( ). From the direct computation we observe that whereas max ɛ(u, e F ) 0.9, u F n () max ɛ (0.99) u F n,4,6} (u, e F ) uppose that max u F n ɛ (0.99),4,6} (u, e F ) = ɛ (0.99),4,6} (u 0, e F ). Therefore, Pr[u 0 (( e,4,6} ) K) = u 0 (e,4,6} K) u 0 X v Y] 0.994, 0.006}. It seems that if we assume values of e,4,6} K and choose X as described in the attack model, then the either or u 0 (( e,4,6} ) K) = u 0 (e,4,6} K) u 0 X v Y u 0 (( e,4,6} ) K) = u 0 (e,4,6} K) u 0 X v Y is true with probability 0.994, depending on whether W (0.99) F,,4,6} (u 0, e ) is positive or negative, respectively. In Table, we list max u F n ɛ(u, v F ) and max u F n (u, v F ) for all 8 DE -boxes. F max ɛ(u, v F ) u F n max u F n (u, v F ) Table. Maximum bias without and with biased inputs for all DE -boxes. Volume X, No. X (0xx), X XX

8 8. Gangopadhyay, G. Paul, N. inha and P. tănică 4.. Experiments with AE -box. Let F be the AE -box. The truth table of e F is ( ) From the direct computation we observe that whereas max ɛ(u, e F ) 0.063, u F n (3) max ɛ (0.99) u F n,3,5} (u, e F ) uppose that max u F n ɛ (0.99),3,5} (u, e F ) = ɛ (0.99),3,5} (u 0, e F ). Therefore, Pr[u 0 (( e,3,5} ) K) = u 0 (e,3,5} K) u 0 X v Y] 0.834, 0.66}. It seems that if we assume values of e,3,5} K and choose X as described in the attack model, then either or u 0 (( e,3,5} ) K) = u 0 (e,3,5} K) u 0 X v Y u 0 (( e,3,5} ) K) = u 0 (e,3,5} K) u 0 X v Y is true with probability 0.834, depending on whether W (0.99) F,,3,5} (u 0, e ) is positive or negative, respectively. 5. Conclusion Linear cryptanalysis of block ciphers involving -boxes requires approximation of component functions of some of the -boxes by affine functions. Typically, linear cryptanalysis assumes that the inputs to the -boxes are uniformly randomly distributed over the set of all binary strings of the same length as the data-width. Analysis of the -boxes, in case the input distribution is biased, has remained an open problem so far. In this paper, for the first time we generalized the concept of non-linearity of -boxes with biased inputs. We showed that the typical case of uniform distribution is a special case of our generalized analysis. Moreover, we outline a chosen-plaintext attack model that can exploit the above analysis. Our results establish a new design criteria for cryptographically secure -boxes. More research is needed in this direction to explore the possibility of efficient practical cryptanalysis using our approach. References [] P. Erdös and A. Rényi, On the evolution of random graphs, Publ. Math. Inst. Hungar. Acad. ci. 5 (960), 7 6. [] E. Friedgut and Gil Kalai, Every monotone graph property has a sharp threshold, Proc. AM 4 (0) (996), [3]. Gangopadhyay, A. Kar Gangopadhyay,. Pollatos and P. tănică, Cryptographic Boolean functions with biased inputs, Cryptography and Communications - Discrete tructures and equences 9: (07), [4] Y. Lu and Y. Desmedt, Bias analysis of a certain problem with applications to E0 and hannon ciper, ICIC 00, LNC 689, 0, pp Volume X, No. X (0xx), X XX

9 Generalized Nonlinearity of -boxes 9 [5] M. Matsui, Linear cryptanalysis method for DE cipher, EUROCRYPT 93, LNC 765, (pringer) 994, [6] R. O Donnell, Analysis of Boolean functions, Cambridge University Press, 04. [7] M. G. Parker, Generalised -box nonlinearity, NEIE Public Document,.0.03: NE/DOC/UIB/WP5/00/A. [8] D. R. tinson. Cryptography: Theory and Practice, Third Edition, Chapman and Hall/CRC, 005. Volume X, No. X (0xx), X XX