Data Complexity and Success Probability for Various Cryptanalyses

Transcription

1 Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 1 / 47

2 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 2 / 47

3 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 3 / 47

4 Context We focus on symmetric cryptography. Block cipher Block of ciphertext are function of block of plaintext and key. Stream cipher Bits of ciphertext are obtained by a XOR between bits of plaintext and bits of pseudo random keystream. Hash function Arbitrary block of data are reduced to a fixed-size bit string. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 4 / 47

5 Statistical Attacks Some statistical attacks against stream ciphers and hash functions. Some known statistical cryptanalyses against block ciphers: linear cryptanalysis [Matsui 93]; differential cryptanalysis [Biham Shamir 91]; truncated differential cryptanalysis [Knudsen 94]; higher order differential cryptanalysis [Knudsen 94]; impossible differential cryptanalysis [Biham Biryukov Shamir 99];... Statistical Attacks More generally a statistical attack aims at distinguishing two probability distributions to obtain information on the key of the cipher. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 5 / 47

6 Linear Cryptanalysis Approximation of the form: π I (I) π K (K) = π O (O) F Probability of a linear approximation: 1 + ε with ε small. 2 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 6 / 47

7 Differential Cryptanalysis I I 1 I 2 Equation of the form F(x) + F(x + I ) = O K F O 1 O 2 O Probability of a differential equation: c with c large. 2s Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 7 / 47

8 Truncated Differential Cryptanalysis 1?10?..?1 I 1 I 2 Equation of the form a such that π I (a) = A π O (F(x) + F(x + a)) = b K F O 1 O 2 0???0..?? Probability of a truncated differential equation c with c small. 2t Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 8 / 47

9 Notation We have N samples: S 1,, S N. The composition of the sample depends on the type of cryptanalysis: One couple of known plaintext ciphertext (linear cryptanalysis). Two couples of chosen plaintext ciphertext (differential cryptanalysis).... Subkey: Studied bits of the key. Candidate: A possible subkey. n: Number of candidates k 0...k n 1. k 0 : The good candidate. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 9 / 47

10 Steps of Statistical Attacks 1 Distillation phase: some statistic Σ is extracted from the available data. 2 Analysis phase: from Σ, the likelihood of each possible subkey is computed and a list L of the likeliest keys is suggested. 3 Search phase: for each subkey in L, all the possible corresponding master keys are exhaustively tried until the good one is found. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 10 / 47

11 Using a Characteristic Let χ be some characteristic on a given cipher. { 1 if χ occurs in sample Si, X i = 0 otherwise. N samples k = k 0 k k 0 differential, linear differential-linear truncated differential, impossible differential,... Characteristic (X 1,...X N ) P(X i = 1 k = k 0) = p 0 (X 1,...X N ) P(X i = 1 k k 0) = p S k0 = N i=1 X i follows a binomial law of parameters (N, p 0 ). k k 0, S k = N i=1 X i follows a binomial law of parameters (N, p). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 11 / 47

12 Problematic Important quantities in statistical cryptanalysis: N: Data Complexity P S : Success Probability l = #L: Size of the list of kept keys Aim Evaluate the data complexity, the success probability and relate both quantities. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 12 / 47

13 Paradigm Fixed threshold (T) Fixed size of list (l) L = {k i, S ki > T }. l def = #L, k L, k / L S k > S k α def = Pr[k 0 L]. β def = Pr[k k 0, k L]. P S def = Pr[k 0 L]. l/n: ratio of kept keys. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 13 / 47

14 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 14 / 47

15 Gaussian Approximation of Binomial Tails P [S k T] T/N 1 e N(x p) 2πNp(1 p) 2 2p(1 p) dx Classically used in linear cryptanalysis: [Matsui 93,94]; [Gilbert 97]; [Junod 01,03,05]; [Selçuk 08] But not accurate for any N p. For instance, when N p is too small as in differential cryptanalysis [Selçuk 08]. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 15 / 47

16 Poisson Approximation of Binomial Tails P [S k T] T i=0 e Np (Np)i i! Implicitly used in differential cryptanalysis: [Biham Shamir 91,93]; [Gilbert 97]; [Selçuk 08] But not accurate for any N p. For instance, when N p is too big as in linear cryptanalysis. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 16 / 47

17 Good Approximation of Binomial Tails Binomial tail: P [S k Nτ] = Nτ i=0 ( ) N p i (1 p) N i i Theorem P(S k Nτ) N p 1 τ (p τ) 2πNτ 2 N D(τ p). Where the Kullback-Leibler divergence is defined by: D (p q) def = p log 2 ( p q ) + (1 p)log 2 ( 1 p 1 q ). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 17 / 47

18 Comparison Exact Poisson Gaussian Ours Lin Crypt: p = 0.5 p 0 = Diff Crypt: p = 2 27 p 0 = 2 20 Trunc Diff(1): p = 2 4 p 0 = Trunc Diff(2): p = 2 15 p 0 = β α β α β α β α Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 18 / 47

19 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 19 / 47

20 Fixed Threshold Method Neyman-Pearson (optimal) test: Accept a candidate k if P(X 1, X 2,...,X N k = k 0 ) P(X 1, X 2,...,X N k k 0 ) > t. This (likelihood) ratio only depends on S k = N i=1 X i, p 0 and p and is increasing in S k. Thus, the acceptance condition becomes, for some threshold 0 < T < N, If S k T then k L else k / L Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 20 / 47

21 Error Probabilities Non-detection error probability p 0 1 τ P(k 0 / L) = P(S k0 < T) N (p 0 τ) 2πNτ 2 N D(τ p0) ; False alarm error probability (1 p) τ k k 0 P(k L) = P(S k T) N (τ p) 2πN(1 τ) 2 N D(τ p). τ def = T/N: Relative threshold Aim Finding N minimal such that it exists T such that P(S k0 < T) α and P(S k T, k k 0 ) β for given values of α and β. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 21 / 47

22 Algorithm for finding N (1/2) Some properties: For a fixed τ = T, error probabilities decrease when N increases. N For a fixed N, non-detection error increases with τ. For a fixed N, false alarm error decreases when τ increases. Idea Dichotomic search for τ. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 22 / 47

23 Algorithm for finding N (2/2) Input: (α,β) and (p 0,p) Output: N and τ the minimum number of samples and the corresponding relative threshold to reach error probabilities less than (α,β). τ min p and τ max p 0. repeat τ τ min + τ max. 2 Compute N nd such that N > N nd, P(S k0 < Nτ) α. Compute N fa such that N > N fa, P(S k Nτ, k k 0 ) β. if N nd > N fa then τ max = τ else τ min = τ until N nd = N fa. return N and τ. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 23 / 47

24 Approximation of the Data Complexity (1) Aim: Finding a simple formula to estimate the data complexity. Fixing τ = p 0 simplifies the problem. Thus α is close to 50%. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 24 / 47

25 Approximation of the Data Complexity (2) β = (1 p) p 0 (p 0 p) 2πN(1 p 0 ) 2 N D(p 0 p). N = f (N) = log(λβ N) D (p 0 p) where λ = (p 0 p) 2π(1 p 0 ) (1 p) p 0. N i+1 = f (N i ), N 1 = 1 Theorem [ ( ) ] N 3 = N 1 λβ = log log ( log(λβ)) D (p 0 p) D (p0 p) Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 25 / 47

26 Approximation of the Data Complexity (3) Theorem with θ = N N N [ 1 + [ log(λβ) log ( log(λβ) D(p 0 p))] 1. ] (θ 1)log(θ) log(n, ) This is a good approximation of N when β tends to 0. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 26 / 47

27 Experimental Results (1) log 2 (N) Our Gauss Poisson N log 2 (N) Our Gauss Poisson N log 2 (β) log 2 (β) Differential cryptanalysis of DES Linear cryptanalysis of DES p 0 = , p = 2 64 p 0 = , p = 0.5 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 27 / 47

28 Experimental Results (2) Our N 22.5 Our N log 2 (N) log 2 (β) log 2 (N) log 2 (β) Truncated differential (1) Truncated differential (2) p 0 = , p = 2 4 p 0 = , p = 2 15 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 28 / 47

29 Simplified Formula for the Data Complexity Recall that: [ ( ) ] N 1 λβ = log log ( log(λβ)) D (p 0 p) D (p0 p) Using Taylor series, 1 D (p0 p) 2 π λ. Theorem N N N = log(2 πβ) D (p 0 p). Rule The best cryptanalysis is the one with the largest D (p 0 p). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 29 / 47

30 Behavior of the Data Complexity for Statistical Attacks (1) Attack Classical results 1 D (p 0 p) Linear Differential Differential-linear 1 1 (p 0 p) 2 2(p 0 p) p 0 p 0 log 2 (p 0 /p) p (p 0 p) 2 2(p 0 p) 2 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 30 / 47

31 Behavior of the Data Complexity for Statistical Attacks (2) Attack Classical results 1 D (p 0 p) Truncated differential unknown 2p (p 0 p) 2 Impossible differential implicitly: 1 p 1 p k-th order differential 1 1 log 2 p Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 31 / 47

32 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 32 / 47

33 Notation We have n possible candidates: k 0, the correct one; k 1,...,k n 1. For all random variables, S kj { B(N, p0 ) if j = 0, B(N, p) if j 0. P s = P(k 0 L) Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 33 / 47

34 Order Statistic Tools We want to keep a list L of size l which contains the most likely candidates. k / L, k L S k < S k We sort S k1,...,s kn 1 in decreasing order S k 1,...S k n 1. P S = P[k 0 L] = P[S k l < S k0 ]. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 34 / 47

35 [Selçuk 2008] s Result Using a normal approximation: S k0 S k0 def N(Np 0, Np 0 (1 p 0 )), density ϕ 0 (t) k k 0, S k S k def N(Np, Np(1 p)), density ϕ(t) P S Φ 1 (1 l/n) ϕ 0 (t) dt. Φ(u) def = u ϕ(t)dt, Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 35 / 47

36 Our Result Without approximation: S k0 B(N, p 0 ), k k 0 S k B(N, p). Theorem N P S P[S k0 = i]. i=f 1 (1 (l 1)/(n 2)) Where F 1 (y) def = min x N {P[S k k 0 x] y}. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 36 / 47

37 Comparison Using a normal approximation: P S P( S k0 > τ) where P( S k < τ) = 1 l n. Without approximation: P S P(S k0 > τ) where P(S k < τ) = 1 l 1 n 2. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 37 / 47

38 Experimental Result and Comparison with Selçuk Type of Parameters Experimental cryptanalysis N = 2 48 n = 2 20 results Ours Selcuk Linear l = Linear l = Differential l = Differential l = Linear: p = 0.5 and p 0 = Differential: p = 2 64 and p 0 = Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 38 / 47

39 Sketch of Proof (1/2) S k 1,...S k n 1 : Order statistics P S = P[S k l < S k0 ]. For j 0, F(x) def = P[S kj x]. The function F is increasing: P S = P [ F(S k l ) < F(S k0 ) ]. And, F(S kj ) U([0; 1]) = F(S k l ) Beta(n l 1, l 1). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 39 / 47

40 Sketch of Proof (2/2) g(t) def = (n 1) ( ) l 1 t n l 1 (1 t) l 1. n 2 P S = N P[S k0 = i] i=0 F(i) 0 g(t) dt. P[X0 = i] F(i) 0 g(t) dt The maximum of g is reached in t 0 = 1 l 1 n 2. Step in the figure at point i = F 1 (t 0 ). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 40 / 47

41 Error Term P[X0 = i] F(i) 0 g(t) dt Selçuk: no error term δ def = F 1 (1 l 1 n 2 ) 1 i=0 P[S k0 = i] Theorem ( ) ln(l/δ P S = 1 δ + O δ 2 ) + 1 l l n Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 41 / 47

42 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 42 / 47

43 Data Complexity With fixed threshold method, we obtain: An accurate algorithm A formula with an error estimate [ ( ) ] N 1 λβ = log log ( log(λβ)), D (p 0 p) D (p0 p) A simpler formula N = log(2 πβ) D (p 0 p). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 43 / 47

44 Success Probability With a list of fixed size method, we obtain: a generalization of Selçuk s formula; an error term. ( ) ln(l/δ P S = 1 δ + O δ 2 ) + 1 l l n δ def = F 1 (1 l 1 n 2 ) 1 i=0 P[S k0 = i], Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 44 / 47

45 Link Idea β probability to kept a bad key. l/n ratio of kept keys. Taking N with N = c ( log 2 π l ) n. D (p 0 p) Link between P S and N We notice that using N of the previous form, gives us that P S only depends on the constant c. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 45 / 47

46 Experimental Results c = 1 c = 1.5 l l L L TD TD D D Success probability express in percent for: Linear, Differential and Truncated Differential cryptanalysis Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 46 / 47

47 Conclusion Removing the Gaussian or Poisson assumption, this work provides: An accurate algorithm for computing the data complexity; The asymptotic formula of the data complexity; The asymptotic behavior of the data complexity for some statistical attacks; A general formula expressing the success probability; A link between the data complexity and the success probability. Perspectives: Generalizing this work to other distributions than Bernoulli; Studying stream ciphers and hash functions. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 47 / 47