Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Transcription

1 Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science Luxemburg January 2017

2 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 2/37

3 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 3/37

4 Introduction Linear cryptanalysis on block ciphers based on iterated structures Theory for long-key block ciphers well developed [Nyberg 1994, Daemen 1994, Daemen-Rijmen 2006, Blondeau-Nyberg 2015] Statistics estimates based on signal-noise model [Bogdanov-Tischhauser 2013] Key-schedulings that imitate long-key properties [Leander 2016, Blondeau-Nyberg 2015] Focus of this presentation: extreme key-schedulings such as known-key ciphers We discuss how to apply known properties of long-key ciphers to permutation based ciphers such as EM ciphers 4/37

5 Permutation-Based Cipher K 1 P K 2 Figure : 1-EM cipher with permutation P and encryption key (K 1, K 2 ) Key-recovery attacks use some property over P. Problem. How to determine and evaluate a property over P? We present an approach to answer this problem for linear cryptanalysis and a permutation based on an iterated permutation. We make use of the noise-based statistical model of correlation. 5/37

6 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 6/37

7 Iterated Long-Key Cipher E (x; k 0, k 2... k r ) = g r ( (g 2 (g 1 (x + k 0 ) + k 1 ) + k 2 ) ) + k r where x, k 0, k 1,..., k r F n 2 and g i : F n 2 Fn 2 Iteration over r rounds 7/37

8 Key Scheduling Any r -round key-alternating cipher in F n 2 can be seen as an application of such E using key-scheduling KS : F L 2 F(r +1)n 2 which is an injective function that maps the initial key K F L 2 to (k 0, k 1,..., k r ). Then the cipher BC can be presented as where X is the plaintext. BC (X, K ) E (x; KS (K )) 8/37

9 Permutation by Iteration Any r -round permutation in F n 2 P(x) = g r ( (g 2 (g 1 (x))) ) can also been seen as an application of a long-key cipher E (X; k 0, k 2,..., k r ) = g r ( (g 2 (g 1 (X + k 0 ) + k 1 )+k 2 ) )+k r by setting k 0 = k 1 =... = k r = 0 9/37

10 Examples Typical key-alternating ciphers: (DES), AES, PRESENT, Simon,... Permutation-based ciphers: EM constructions, in practice, based on dedicated large permutations, or cipher with known fixed key. Example. Key-schedule of single-key 1-EM where permutation based on iterated long-key cipher KS (K ) = (K 1, 0, 0,..., 0, K 2 ) 10/37

11 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 11/37

12 Key-Recovery Setting k 0 k 1 k 2 k r 1 g 1 g 2 g r 1 g r k r Figure : Key-alternating block cipher of r rounds with round functions g i and expanded encryption key (k 0, k 1,..., k r ) Key guesses over some first and last rounds. Then the long-key cipher E is reduced to r rounds; denote it by E. x k i0 k i0 +1 k i0 +2 k i0 +r 1 g i0 +1 g i0 +2 g i0 +r 1 g i0 +r k i 0 +r y Figure : Property of key-alternating block cipher over r rounds with round functions g i and expanded encryption key (k i0, k i0 +1,..., k i0 +r ) 12/37

13 Linear Property u v n-bit mask on x n-bit mask on y BC r rounds of BC KS r rounds of KS Known linear property u x + v y with correlation c BC (K ) where c BC (K ) = #{ x u x + v BC(x, K ) = 0 } 13/37

14 Observed Correlation Given D, a data sample of size N of pairs (x, y), we call ĉ(d, K ) = 2 N #{(x, y)) D u x + v y = 0} 1 = 2 N Z (D, K ) 1 the observed correlation where we denoted For any fixed key K, Z (D, K ) = #{(x, y)) D u x + v y = 0} Z (D, K ) B(N, p(k )), where p(k ) is some apriori probability. By the normal approximation of the binomial distribution, we obtain that for any fixed K ĉ(d, K ) N (c(k ), 1 N (1 c(k )2 )) N (c(k ), 1 N ) where c(k ) = 2p(K ) 1. 14/37

15 Cipher and Random 1. y = BC(x, K ) = E(x; KS(K )) (cipher): Then c(k ) = c BC (K ) The parameters Exp K c BC (K ) and Var K c BC (K ) must be determined from the cipher in offline analysis. 2. y E(x; KS(K )) (random): Wrong-key randomization hypothesis: for each K, the bits u x + v y are computed from a random linear approximation, that is, see [Daemen-Rijmen 2006], Exp K c(k ) = 0 Var K c(k ) = 2 n. 15/37

16 Statistics of Observed Correlation ĉ(d, K ) c(k ) N ( 0, 1 ), for any fixed K. N In the right key (cipher) case, the distribution of the observed correlation has parameters Exp D,K ĉ(d, K ) = Exp K c BC (K ) Var D,K ĉ(d, K ) = 1 N + Var K c BC (K ) For random ĉ(d, K ) N (0, 1N ) + 2 n 16/37

17 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 17/37

18 Linear Approximations and Correlations u v τ n-bit mask on x n-bit mask on y L-bit mask on the key K Given r rounds of a cipher (x, K ) E(x; KS(K )) we define c(u, τ, v) = cor x,k (u x + v E(x; KS(K )) + τ K ). This is the trail correlation for trail τ. Then c(u, τ, v) = 2 L ( 1) τ K cor x (u x + v E(x; KS(K )). K 18/37

19 Correlation via Trail Correlations We have c BC (K ) = cor x (u x + v E(x; KS(K )) Taking the inverse Fourier transform we get c BC (K ) = τ ( 1) τ K c(u, τ, v) where the trail correlations c(u, τ, v) are independent of K, but hard to evaluate for a general iterated block cipher. But trail correlations can be evaluated for the corresponding long-key cipher. 19/37

20 Trail Correlations from Long-Key Cipher c(u, τ, v) = cor x,k (u x + v E(x; KS(K )) + τ K ) = cor K (τ K + W KS(K ))cor x,ki0...k (u x + v E(x; k i0 +r i 0... k i0 +r ) + W (k i0... k i0 +r W = cor K (τ K + W KS(K ))c E (u, W, v), W where c E (u, W, v) = cor x,ki0...k i0 +r (u x + v E(x; k i 0... k i0 +r ) + W (k i0... k i0 +r )) are the trail correlations of the iterated long-key cipher E over r rounds with (r + 1)n-bit masks W. 20/37

21 Correlation for Cipher BC This gives c BC (K ) = τ ( 1) τ K c(u, τ, v) = τ,w( 1) τ K cor Z (τ Z + W KS(Z ))c E (u, W, v) = W ( 1) W KS(K ) c E (u, W, v) 21/37

22 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 22/37

23 Trails over Long-Key Cipher E c BC (K ) = W ( 1) W KS(K ) c E (u, W, v) where c E (u, W, v) = r ( cor z wi0 +j 1 z + w i0 +j g i0 +j(z) ) j=1 W = (w i0, w i0 +1,..., w i0 +r ), and and u = w i0 and v = w i0 +r Use Matsui s algorithm to search for such trails over E that have correlation c E (u, W, v) of high absolute value. 23/37

24 Modelling the Correlation Noise-based approach [Bogdanov-Tischhauser 2013, Vejre et al. 2016] for long-key cipher E: There is a set S of identified (dominant) trails c E (k i0, k i k i0 +r ) = cor(u x + v E(x; k i0, k i k i0 +r ) = w S( 1) w (k i 0,k i k i0 +r ) c E (u, w, v) + R E (k i0, k i k i0 +r ) where R E (k i0, k i k i0 +r ) is normally distributed with mean zero. This approach has been tested in experiments for scaled PRESENT variants, and it seems to work. That is, cryptanalyst can collect many trails such that the remainder R E (k i0, k i0 +1,..., k i0 +r ) behaves like random and has variance 2 n. 24/37

25 Dominant Trails Over Cipher Our approach: Use the same set S also for the cipher BC with key-scheduling KS to estimate c BC (K ) = W ( 1) W KS(K ) c E (u, W, v) = W S( 1) W KS(K ) c E (u, W, v) + R BC (K ) What can we assume about the behaviour of R BC (K )? 25/37

26 Typical Key-Alternating Cipher... has a strong key-scheduling. Note. Here strong means something which behaves like the long-key cipher. Then one can use the estimated variance of to estimate the variance of c BC (K ) c E (k i0, k i k i0 +r ) Var K c BC (K ) w S c E (u, w, v) n This approach has been tested with scaled versions of SMALLPRESENT, see [Vejre et al 2016] and (with different key schedules) [Blondeau-Nyberg 2017] 26/37

27 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 27/37

28 Permutation-Based 1-EM Cipher Assume the permutation is based on an iterated structure E. Then the cipher has an can be represented like BC (x, K ) = E (x; K 1, k 1... k r 1, K 2 ) where K is the secret key and k 1... k r 1 are known constants (e.g. zero). Again we use the properties of E to examine the correlations of linear approximations of the cipher c BC (K ) = W ( 1) W (k i 0...k i0 +r ) c E (u, W, v) = W S( 1) W (k i 0...k i0 +r ) c E (u, W, v) + R BC (k i0... k i0 +r ), Given c E (u, W, v), W S, the sum over S has a fixed value, say c, which can be computed. The remainder R BC (k i0... k i0 +r ) also has a fixed value, but cannot be computed. 28/37

29 Modelling the Uncomputable Remainder We model the uncomputable remainder R BC (k i0... k i0 +r ) according to R E (k i0... k i0 +r ) Then we get Exp K c BC (K ) = c Var K c BC (K ) = 2 n This model should work when the permutation is based on a known-key PRESENT. Linear key-recovery attack with success probability > 1/2 and advantage > 1 possible if c 0. 29/37

30 Permutation-Based 2-EM Cipher K 1 P K P K 2 Figure : 2-EM block cipher with permutation P Assume the two instances of permutation P are based on an iterated structure with long keys, as before. After peeling off some first and last rounds, we consider linear properties over the following cipher BC(x, K ) = P 2 (P 1 (x; RK 1 ) K ; RK 2 ) where RK 1 and RK 2 are known constants. Now the underlying long-key cipher E is E(x; RK 1, K, RK 2 ) = P 2 (P 1 (x; RK 1 ) K ; RK 2 ) 30/37

31 Correlations over 2-EM Cipher Again we use the properties of E to examine the correlations of linear approximations of the cipher c BC (K ) = ( 1) W1 RK1+w K +W2 RK2 c E (u; W 1, w, W 2 ; v), W 1,w,W 2 where c E (u; W 1, w, W 2 ; v) = c P1 (u; W 1 ; w)c P2 (w; W 2 ; v). is independent of K. Hence Exp K c BC (K ) = 0 and Var K c BC (K ) = Exp K (c BC (K ) 2 ) 31/37

32 Variance Estimation Taking the noise-based approach, assume there exist sets S, S 1 S 2 and a random and independent remainder R such that c(rk 1, K, RK 2 ) = ( 1) W1 RK1+w K +W2 RK2 c P1 (u; W 1 ; w)c P2 (w; W 2 ; v) + R W 1 S 1,w S,W 2 S 2 = ( 1) w K ( 1) W1 RK1 c P1 (u; W 1 ; w) ( 1) W2 RK2 c P2 (w; W 2 ; v) w S W 1 S 1 W 2 S 2 +R... to obtain Var K c BC (K ) = 2 ( 1) W 1 RK 1 c P1 (u; W 1 ; w) 2 ( 1) W 2 RK 2 c P2 (w; W 2 ; v) + 2 n w S W 1 S 1 W 2 S 2 = c 1 (w) 2 c 2 (w) n w S 32/37

33 Attack Based on Variance Var K c BC (K ) = c 1 (w) 2 c 2 (w) n w S where c 1 (w) and c 1 (w) are the evaluated parts of the linear hull. This gives Exp D,K ĉ(d, K ) = 0 Var D,K ĉ(d, K ) = 1 N + c 1 (w) 2 c 2 (w) n w S N (0, σ 2 W ) 1.2 N (0, σ 2 R ) Example distribution of ĉ(d, K ) 1.4 Θ Θ Acceptance region Acceptance region for random (red solid line) and right key (blue dotted line) /37

34 On the Choice of Trails Question: When is S (or S S 1 S 2 ) sufficiently large? Possible answers: When Var ki0...k i0 +r (R E(k i0,..., k i0 +r )) = 2 n. How do we know if this has been reached? For permutation-based ciphers, when the value c is stable, that is, adding trails to S does not (essentially) change the value ( 1) w (k i 0...k i0 +r ) c E (u, w, v) w S 34/37

35 Security of 1-EM vs. 2-EM Assume 1-EM vs. 2-EM have the same total number r of rounds 2-EM has a secret key K after round r /2 while in 1-EM it is fixed to a known k r /2 Assume the same identified set S 1 S S 2 of trails over r rounds is used for both 2-EM q 2 EM (K ) = w S( 1) w K c 1 (w)c 2 (w) 1-EM q 1 EM = w S( 1) w k r /2 c1 (w)c 2 (w) = q 2 EM (k r /2) 35/37

36 Security of 1-EM vs. 2-EM It may be possible (?) to select k r /2 such that q 1 EM = 0 for all strong linear approximations (u, v). If this cannot be done, it may happen that the attacker finds a (u, v) such that q 1 EM = q 2 EM (k r /2) 0 or even more, For the c defined earlier, it holds Exp K (q 2 EM (K ) 2 ) < q 2 EM (k r /2) 2 c = q 1 EM Further denote σ = Exp K (q 2 EM (K ) 2 ) 36/37

37 Linear Attack on 1-EM vs. 2-EM a advantage N number of known plaintext-ciphertext pairs Φ standard normal Success probabilities: 1-EM P S = Φ ( c N Φ 1 (1 2 a ) ) 1 + N2 n 2-EM ( ) 1 + N2 P S = 2Φ Φ 1 (1 2 a 1 n ) 1 + N2 n + Nσ 2 For c = σ the attack on 1-EM is much stronger. 37/37