Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Size: px

Start display at page:

Download "Integrals go Statistical: Cryptanalysis of Full Skipjack Variants"

Amie Fox
5 years ago
Views:

Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.

1 Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China; DTU SE Bochum, ermany

2 Background and Contributions 1 Background and Contributions 2 Statistical Integral Distinguisher 3 Experimental Results 4 Key Recovery Attacks to Skipjack-BABABABA 5 Summarize Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 2 / 23

3 Background and Contributions Background Integral Distinguisher Proposed by Knudsen to attack against Square SE 97 Unified by Knudsen and Wagner as Integral SE 2 Saturation Distinguisher by SE 1 Multiset Distinguisher by Biryukov and EUROCRYPT 1 Based upon balancedness property or zero-sum property Integral Zero-Correlation Distinguisher Proposed by Bogdanov et ASIACRYPT 12 Conditional equivalence of zero-correlation and integral (balancedness) distinguisher Statistical Saturation Distinguisher Proposed by Collard and CT-RSA 9 Utilize advantage (bias or capacity) on the output side Complexity estimation by EUROCRYPT 11 Targets PRESENT and PUIN etc. where integral attack is less efficient Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 3 / 23

4 Background and Contributions Motivations and Contributions Motivations: or integral distinguisher, data complexity is determined by taking all values at certain input bits often the bottleneck of an integral attack is the data complexity desirable (possible) to tradeoff from data towards time Contributions: Propose a novel statistical integral distinguisher which requires less data Traverse s bits at the input and consider balance of t bits at the output, data complexity O(2 s ) O(2 s t/2 ) ull-round cryptanalysis of Skpjack-BABABABA for the first time Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 4 / 23

5 Statistical Integral Distinguisher 1 Background and Contributions 2 Statistical Integral Distinguisher 3 Experimental Results 4 Key Recovery Attacks to Skipjack-BABABABA 5 Summarize Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 5 / 23

6 Statistical Integral Distinguisher Integral Distinguisher Target Cipher Decomposition H : n 2 n 2 is a (part of) cipher: H : r 2 s 2 t 2 u 2, Denote T λ as H(x,y) = ( H1 (x,y) H 2 (x,y) ). r x n s y H(x,y) T λ : s 2 t 2, Integral Distinguisher T λ (y) = H 1 (λ,y). H 1 H 2 If y takes all possible values of s 2, T λ (y) is uniformly distributed with probability one. Towards Statistical Integral Distinguisher If y takes considerable number (but not all) of values in s 2, the distribution of T λ (y) for the cipher can be distinguished from a distribution for a random permutation. t m u Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 6 / 23

7 Statistical Integral Distinguisher Statistical Integral Distinguisher Different Distributions T λ : s 2 t 2, distribution. T λ (y) = H 1 (λ,y) follows multivariate hypergeometric t-bit value chosen randomly from an uniform distribution follows multinomial distribution. Towards Distinguish Different Distributions Suppose N different values of y are needed to distinguish the above two distributions. t-bit value T λ (y) t 2 is computed for each y. Counter vector V[T λ (y)]: the number of each value T λ (y). Consider the following statistic: 2 t 1 (V[T C = λ (y)] N 2 t ) 2 N 2 T λ (y)= t. (1) Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 7 / 23

8 Statistical Integral Distinguisher Statistical Integral Distinguisher 2 t 1 (V[T C = λ (y)] N 2 t ) 2 N 2 T λ (y)= t Based on the well-known Pearson s χ 2 statistical result, we can get: or right key guess: 2 s 1 2 s N C cipher χ 2 (2 t 1) or wrong key guess: C random χ 2 (2 t 1) act Suppose that χl 2 is the χ2 -distribution with degree of freedom l. or sufficiently large l, χl 2 converges to the normal distribution. That is, ( χl 2 appro N l, ) 2l. Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 8 / 23

9 Statistical Integral Distinguisher Statistical Integral Distinguisher Statistic C follows different distributions for an actual cipher (right key guess) and a random permutation (wrong key guess). Proposition or sufficiently large N and t, the statistic C follows a normal distribution for the cipher approximately with mean and variance µ = Exp(C cipher ) = (2 t 1) 2s N 2 s 1 and σ 2 = Var(C cipher) = 2(2 t 1)( 2s N 2 s 1 )2 and for a randomly drawn permutation with mean and variance µ 1 = Exp(C random ) = 2 t 1 and σ 2 1 = Var(C random) = 2(2 t 1). Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 9 / 23

10 Statistical Integral Distinguisher Data Complexity Corollary or type-i error probability α (the probability to wrongfully discard the cipher), type-ii error probability α 1 (the probability to wrongfully accept a randomly chosen permutation as the cipher), to distinguish a cipher and a randomly chosen permutation based on t-bit outputs when fixing r-bit inputs and randomly choosing values for s-bit inputs, the data complexity can be approximated by N = (2s 1)(q 1 α + q 1 α1 ) (2 t 1)/2 + q 1 α + 1, where q 1 α and q 1 α1 are the respective quantiles of the standard normal distribution. The statistic test is based on the decision threshold τ = µ + σ q 1 α1, if C τ, output cipher ; if C > τ, output random. Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 1 / 23

11 Experimental Results 1 Background and Contributions 2 Statistical Integral Distinguisher 3 Experimental Results 4 Key Recovery Attacks to Skipjack-BABABABA 5 Summarize Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 11 / 23

12 Experimental Results Experimental Results on AES Mini Variant of AES A brief introduction of AES Block size: 64 bits Cell size: 4 bits SB: S in LBlock SR: same to AES MC: the matrix used in MC M = The integral distinguisher used in our experiment is illustrated on the right. A 1 1 C C C A 1 R1: C A 1 1 C C C A 1 2 C C C C A 1 3 C SB C A 1 1 C C C A 1 2 C C C C A 1 C C C A 1 3 C SR A 1 1 C C C 2 C C C A 1 4 C C C A 1 3 C C C AK MC A 1 2 C C C A 1 4 A 1 3 C C C 4 C C C A 1 4 C C C A 1 1 C C C A 1 R2: A 1 1 C C C A 1 2 C C C A 1 3 C C C SB A 1 1 C C C A 1 1A 1 2A 1 3A 1 2 C C C A 1 A 1 3 C C C SR C C C A C C A 1 4 C C C A 1 3 C AK MC A 2 1A 2 2A 2 3A 2 4 A 3 1A 3 2A 3 3A 3 4 C C C C A C C A 4 1A 4 2A 4 3A 4 4 A 1 1A 1 2A 1 3A 1 4 A 1 1A 1 2A 1 3A 1 R3: A 2 1A 2 2A 2 3A 2 4 A 1 1A 2 1A 3 1A 4 4 A 3 1A 3 2A 3 3A 3 SB A 2 1A 2 2A 2 3A 2 1 A 1 1A 2 1A 3 1A A 3 1A 3 2A 3 3A 3 SR A 1 2A 2 2A 3 2A A 4 1A 4 2A 4 3A 4 4 A 1 3A 2 3A 3 3A 4 AK MC A 1 2A 2 2A 3 2A A 4 1A 4 2A 4 3A 4 3 A 1 3A 2 3A 3 3A 4 4 A 1 4A 2 4A 3 4A A 1 4A 2 4A 3 4A 4 4 A 1 1A 2 1A 3 1A 4 1 A 1 1A 2 1A 3 1A 4 R4: A 1 2A 2 2A 3 2A 4 1 A 1 1A 2 1A 3 1A 4 2 A 1 3A 2 3A 3 3A 4 SB A 1 2A 2 2A 3 2A 4 1 A 1 1A 2 1A 3 1A A 1 3A 2 3A 3 3A 4 SR A 2 2A 3 2A 4 2A A 1 4A 2 4A 3 4A 4 3 A 3 3A 4 3A 1 3A 2 AK A 2 2A 3 2A 4 2A A 1 4A 2 4A 3 4A 4 3 A 3 3A 4 3A 1 3A 2 4 A 4 4A 1 4A 2 4A A 4 4A 1 4A 2 4A 3 4 ig. 1: Integral property for 4-round AES* (The MC operation in the last round is omitted.) probabilities ˆα and ˆα1. The experiment results for ˆα and ˆα1 are compared with the theoretical values α and α1 in igure 2, which shows that the test results for the error probabilities are in good accordance with those for theoretical model. Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 12 / 23

13 Experimental Results Experimental Results on AES Mini Variant of AES s = 16, t = 8; Set theoretical α =.2, and different values for N; Calculate theoretical α 1 and τ with Corollary; Compare the theoretical α, α 1 with empirical αˆ, αˆ 1..8 α.7 α1 ˆα.6 ˆα1 error probability log(n) The test results for the error probabilities are in good accordance with those for theoretical model. Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 13 / 23

14 Key Recovery Attacks on Skipjack-BABABABA 1 Background and Contributions 2 Statistical Integral Distinguisher 3 Experimental Results 4 Key Recovery Attacks to Skipjack-BABABABA 5 Summarize Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 14 / 23

15 Key Recovery Attacks on Skipjack-BABABABA Skipjack-BABABABA Designed by NSA 32 rounds 64-bit block size 8-bit key size unbalanced eistel network Rule A and Rule B Original: Skipjack-AABBAABB 24-round impossible differential 31-round attack by Biham et al. Variant: Skipjack-BABABABA 21-round impossible differential 3-round zero-correlation linear approximation 31-round attack by Bogdanov et al. Rule B Rule A Rule B Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 15 / 23

16 3-Round Integral Distinguisher of Skipjack-BABABABA L1 L1 Rule B Rule A Rule B M1 M1 Rule A M2 M2 M3 M3 M3 M4 Rule B L1 M1 M2 M2 +M5 R1 M4 M5 Rule A Rule B Rule A M6 M7 M6 M6 L2 L2 L2 M5 = Contradiction! At ASIACRYPT 212, Bogdanov et al. proposed 3-round ZC linear approximations for Skipjack-BABABABA, which are (L 1,,,L 1 ) (,L 2,L 2,) for non-zero L 1 and L 2. Conditional equivalence between ZC distinguisher and integral distinguisher gives the following 3-round integral distinguisher. Taking all 2 48 possible values for the input of round 2 (α 2,β 2,γ 2,δ 2 ),δ 2 = α 2, the set of all corresponding values for the output of round 31 β 32 γ 32 is balanced. M4 R2 R1 M5

17 Key Recovery Attacks on Skipjack-BABABABA Key Recovery Attack on ull-round Skipjack-BABABABA Consider only the integral property of the right half 8-bit of β 32 γ 32, namely βr 32 γ32 R s = 48, t = 8 Set α = 2 2.7, α 1 = 2 4 Need N = (α 2,β 2,γ 2,δ 2 = α 2 ) k 1 k 2 k 3 α 1 β 1 γ 1 δ 1 k 3-round Integral Zero-correlation Distinguisher k 4 a k 5 b d k 6 c k 7 1 α 2 β 2 γ 2 δ 2 (?) (S) (?) (?) 31 α 32 β 32 γ 32 δ α 33 β 33 γ 33 δ 33 Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 17 / 23

18 Key Recovery Attacks on Skipjack-BABABABA Key Recovery Attack on ull-round Skipjack-BABABABA 1 for all values of (α 1, β 1, γ 1, δ 1 ) do 2 Store the plaintext-ciphertext. 3 for all 2 32 values of k, k 1, k 2, k 3 do 4 Compute α 2. 5 Construct (α 1, β 1, γ 1, α 2 ). 6 Ask the ciphertexts and increase V 1 [β 33 γr 33]. 7 for all 2 16 values of k 6, k 7 do 8 Update V 2 [d c γr 33]. 9 for all 2 8 values of k 5 do 1 Update V 3 [βr 33 γ33 R ]. 11 Compute the χ 2 -statistic C. 12 if C τ then 13 Search all right key candidates. Data: CP Time: Memory: Bytes k 1 k 2 k 3 32 α 1 β 1 γ 1 δ 1 k 3-round Integral Zero-correlation Distinguisher k 4 a k 5 b d k 6 c k 7 1 α 2 β 2 γ 2 δ 2 (?) (S) (?) (?) 31 α 32 β 32 γ 32 δ 32 α 33 β 33 γ 33 δ 33 Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 18 / 23

19 Key Recovery Attacks on Skipjack-BABABABA k k 1 k 2 Key Recovery Attack on 31-Round Skipjack-BABABABA 1 Consider only the integral property of the right half 8-bit of β 32 γ 32, namely βr 32 γ32 R s = 48, t = 8 Set α = 2 3.7, α 1 = 2 16 Need N = (α 2,β 2,γ 2,δ 2 = α 2 ) 1 for all values of (α 2, β 2, γ 2, δ 2 = α 2 ) do 2 Ask the ciphertexts. 3 Increase V [β 33 γl 33] and V 1[β 33 γr 33]. 4 for all 2 16 values of k 6, k 7 do 5 Update V 2 [d c γr 33]. 6 for all 2 8 values of k 5 do 7 Update V 3 [β 32 γr 32]. 8 Compute the χ 2 -statistic C. if C τ then 9 Search all the right key candidates. k 3 32 α 2 β 2 γ 2 δ 2 3-round Integral Zero-correlation Distinguisher (?) (S) (?) (?) 31 α 32 β 32 γ 32 δ 32 k 4 a k 5 b d k 6 c k 7 α 33 β 33 γ 33 δ 33 Data: CP Time: 2 48 Memory: Bytes Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 19 / 23

20 Key Recovery Attacks on Skipjack-BABABABA Summary of Key Recovery Attacks on Skipjack-BABABABA Attack Rounds Data Time Memory Ref. Integral ZC CP AISACRYPT 12 Statistical ingetral CP Here Statistical ingetral CP Here Memory measured in Bytes CP: Chosen Plaintext. Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 2 / 23

21 Summarize 1 Background and Contributions 2 Statistical Integral Distinguisher 3 Experimental Results 4 Key Recovery Attacks to Skipjack-BABABABA 5 Summarize Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 21 / 23

22 Summarize Summarize A new statistical integral distinguisher is proposed with reduced data complexity. The statistical distinguisher model is verified by experiments. The first attack on full-round Skipjack-BABABABA. Improve the integral attack on 31-round Skipjack-BABABABA. Meiqin Wang (Shandong Univeristy) Statistical Integral Distinguisher SE Bochum, ermany 22 / 23

23 Thanks for Your Attention!

Integral and Multidimensional Linear Distinguishers with Correlation Zero

Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University