and Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27

Similar documents
Data complexity and success probability of statisticals cryptanalysis

Multiple Differential Cryptanalysis: Theory and Practice

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA

Data Complexity and Success Probability for Various Cryptanalyses

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Provable Security Against Differential and Linear Cryptanalysis

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

Improbable Differential Cryptanalysis and Undisturbed Bits

On Distinct Known Plaintext Attacks

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Experimenting Linear Cryptanalysis

Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Algebraic Techniques in Differential Cryptanalysis

Enhancing the Signal to Noise Ratio

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Linear Cryptanalysis Using Multiple Linear Approximations

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

Linear and Statistical Independence of Linear Approximations and their Correlations

Chapter 1 - Linear cryptanalysis.

Differential-Linear Cryptanalysis of Serpent

Integral and Multidimensional Linear Distinguishers with Correlation Zero

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Wieringa, Celine; Nyberg, Kaisa Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Linear Cryptanalysis of Reduced-Round PRESENT

Block Cipher Cryptanalysis: An Overview

Multivariate Linear Cryptanalysis: The Past and Future of PRESENT

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Subspace Trail Cryptanalysis and its Applications to AES

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Provable Security Against Differential and Linear Cryptanalysis

Linear Cryptanalysis

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Towards Provable Security of Substitution-Permutation Encryption Networks

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Revisit and Cryptanalysis of a CAST Cipher

Some attacks against block ciphers

Hermelin, Miia; Cho, Joo Yeon; Nyberg, Kaisa Multidimensional Linear Cryptanalysis

Another Look at Normal Approximations in Cryptanalysis

Statistical and Algebraic Properties of DES

Linear Cryptanalysis of DES with Asymmetries

Improving the Time Complexity of Matsui s Linear Cryptanalysis

Chapter 2 - Differential cryptanalysis.

On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2

Linear Cryptanalysis of RC5 and RC6

Publication VII Springer Science+Business Media. Reprinted with kind permission from Springer Science and Business Media.

Multidimensional Extension of Matsui s Algorithm 2

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

On Multiple Linear Approximations

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Division Property: a New Attack Against Block Ciphers

Revisiting the Wrong-Key-Randomization Hypothesis

Improved Cryptanalysis of Py

Differential Fault Analysis on DES Middle Rounds

S-box (Substitution box) is a basic component of symmetric

On Correlation Between the Order of S-boxes and the Strength of DES

Differential Attack on Five Rounds of the SC2000 Block Cipher

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

Differential Analaysis of Block Ciphers SIMON and SPECK

MATH 509 Differential Cryptanalysis on DES

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

DES S-box Generator. 2 EPFL, Switzerland

Optimized Interpolation Attacks on LowMC

Impossible Differential Cryptanalysis of Mini-AES

Similarities between encryption and decryption: how far can we go?

Lecture 12: Block ciphers

KFC - The Krazy Feistel Cipher

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Thesis Research Notes

Complementing Feistel Ciphers

Linear Cryptanalysis of Reduced-Round Speck

A Five-Round Algebraic Property of the Advanced Encryption Standard

Cryptanalysis of the SIMON Family of Block Ciphers

Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers

The Invariant Set Attack 26th January 2017

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

New Results on Boomerang and Rectangle Attacks

Differential Attacks: Using Alternative Operations

Impossible Differential Attacks on 13-Round CLEFIA-128

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Abstract Differential and linear cryptanalysis, two of the most important techniques in modern block cipher cryptanalysis, still lack a sound, general

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Bit-Pattern Based Integral Attack

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Algebraic properties of SHA-3 and notable cryptanalysis results

ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Cube Attacks on Stream Ciphers Based on Division Property

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Transcription:

Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27

Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 2/27

Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 3/27

Block ciphers x- - - - - F K1 F K2 F Kr F Kr+1 y E K : F m 2! Fm 2 I K : Master key I F: Round function I K i : Round key cccc cccc cccc cccc S 3 S 2 S 1 S 0 P @ @ PPPPPPP @ @ @ @ @ @ @ cccc cccc cccc cccc S 3 S 2 S 1 S 0 P @ @ PPPPPPP @ @ @ @ @ @ @ cccc cccc cccc cccc S 3 S 2 S 1 S 0 @ P @ @ @ @ @ @ PPPPPPP @ @ cccc cccc cccc cccc SMALLPRESENT-[4] 4/27

Statistical Attacks Statistical attacks: I Take advantage of a non-uniform behavior of the cipher I Two families: Linear and Differential cryptanalysis Improvement of differential cryptanalysis I Differential cryptanalysis [Biham Shamir 91] I Truncated differential cryptanalysis [Knudsen 95] I Impossible differential cryptanalysis [Biham Biryukov Shamir 99] I igher order differential cryptanalysis [Lai 94] [Knudsen 95] I Multiple differential cryptanalysis (First approach) [BG 11] 5/27

Linear cryptanalysis cccc cccc cccc ccccc S 3 S 2 S 1 S 0 @ P @ @ @ @ @ @ PPPPPPP @ @ cccc cccc cccc ccccc S 3 S 2 S 1 S 0 @ P PPPPPPP @ @ @ @ @ @ @ @ cccc cccc cccc ccccc S 3 S 2 S 1 S 0 P @ @ PPPPPPP @ @ @ @ @ @ @ cccc cccc cccc cccc [Tardy-Gilbert91], [Matsui93] Linear relation using I plaintext bits, I key bits, I ciphertext bits. x apple K y = 0 with probability p = 1 2 + " 6/27

Differential Cryptanalysis Given an input difference between two plaintexts, some output differences occur more often than others. x - 6 E K - 6 y in out x 0?- E K?- y 0 Differential: pair of input and output difference ( in, out) Differential probability: p = P X,K [ E K (X) E K (X in) = out ] Uniform probability: = 2 m 7/27

Last Round Attack Distinguisher Plaintext F r K? r rounds Characteristic? Partial State 8/27

Last Round Attack Distinguisher F r K? r rounds Plaintext Characteristic? Partial State? S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e Substitution Layer Key addition Ciphertext 8/27

Related Work Linear Cryptanalysis: I Multiple linear cryptanalysis [Baignères, Junod, Vaudenay 04] I Multidimensional linear cryptanalysis [ermelin, Cho, Nyberg 08] Both use LLR and/or 2 statistical tests. Differential Cryptanalysis: I [Blondeau, Gérard 11]: The frequencies are sum up I ere: We study the LLR and/or 2 statistical tests. 9/27

Multiple differential cryptanalysis (First Approach) I Set of differences in (v), out (v) I With probabilities p v = P X,K [ E K (X) E K (X (v) (v) in )= out ]. I Set of input differences in (v) 2 in. I p = 1 in P v p v expected probability. I = 1 in Pv 1 2 m uniform probability. 10/27

Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 11/27

Multiple Differential Cryptanalysis I Fix input difference in (To simplify the analysis) I Vector of difference : V =[ (i) out ] after r rounds, I p =[p v ] v2v vector of expected probabilities. I =[ v ] v2v vector of uniform probabilities. 12/27

Discussion Parallel Work for small ciphers: [Albrecht Leander 2012] Whole distribution taken for SMALLPRESENT-[4] (16-bit cipher) Whole distribution taken for KATAN-32 (32-bit cipher) Limits: For actual ciphers the output size is too large (2 64 or 2 128 ) Application to real cipher: Introduction of partitioning functions. 13/27

Partitioning function We analyze two orthogonal cases I Unbalanced partitioning I Take a subset of simple differences I Balanced partitioning I Group the differences in order to be able to use information of the whole output space. 14/27

Unbalanced Partitioning Idea: Subset of simple differences I Output differences ( (i) out ) 1appleiappleA, I Counter for each of these differentials q k i. I As P A i=1 qk i 6= 1 I We have a trash counter q0 k differences. which gather all other output We increment the counter qi k if the difference (i) out is obtained after partial deciphering. 15/27

Unbalanced Partitioning: Last Round Attack in? V * Y V =[ (i) out ] i S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Substitution Layer k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e 16/27

Unbalanced Partitioning: Last Round Attack V * Y V =[ (i) out ] i S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Active Sboxes k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e 16/27

Unbalanced Partitioning: Last Round Attack V * Y S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e Sieving process Discard some ciphertext pairs 16/27

Unbalanced Partitioning: Last Round Attack V * Y @I 6 S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 e k 1 6 e k 0 e For all key candidates, partially decipher 16/27

Unbalanced Partitioning: Last Round Attack V * Y @I 6 If = (i) out S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Increment qi k k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 e k 1 6 e k 0 e Otherwise Increment q0 k 16/27

Unbalanced Partitioning: Last Round Attack V * Y @I 6 If = (i) out S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Increment qi k k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 e k 1 6 e k 0 e Otherwise Increment q0 k Analyse the vectors q k for each key Scoring function 16/27

Unbalanced Partionning: Remarks Corresponding known/former attacks: I Differential cryptanalysis. Advantage: I A sieving process ) smaller time complexity Disadvantage: I Subset of output space ) not all information I Small Probabilities ) Non-tightness of the information 17/27

Balanced Partitioning Idea: Using information from all output differences by grouping them. Let V =[ (i) out ] i a subspace of F m 2 A group of differences (i) out = (i) out V ( V V = F m 2 ) A counter qi k for each group of differences. We increment the counter qi k if the difference 2 (i) out is obtained partial deciphering. 18/27

Balanced Partitioning: Last Round Attack in V?\ out = out V S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Substitution Layer k 7 e k 6 e k 5 e k 4 e k 3 e k 2 e k 1 e k 0 e 19/27

Balanced Partitioning: Last Round Attack V \ out = out V S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Active Sboxes k 7 e k 6 e k 5 e k 4 e k 3 e k 2 e k 1 e k 0 e 19/27

Balanced Partitioning: Last Round Attack V \ S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 e k 3 e k 2 e k 1 e k 0 e No Sieving process Partially decipher for all pairs 19/27

Balanced Partitioning: Last Round Attack V \ S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 For all key candidates, k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 6 e k 1 e k 0 e partially decipher 19/27

Balanced Partitioning: Last Round Attack V \ * 6 Y S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 6 e k 1 e k 0 e If 2 (i) out V Increment q k i 19/27

Balanced Partitioning: Last Round Attack V \ * 6 Y S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 6 e k 1 e k 0 e If 2 (i) out V Increment q k i Analyse the vectors q k for each key Scoring function 19/27

Balanced Partitioning: Remarks Corresponding known/former attacks: I Truncated Differential cryptanalysis. Advantage: I Whole output space ) More information I Bigger Probabilities ) Tightness of the information Disadvantage: I No sieving process ) More time complexity 20/27

Statistical Tests Probability distribution vectors I Expected: p =[pv] v2v I Uniform: I Observed: q k (for a given key candidate) LLR test: requires the knowledge of the theoretical probability p. S k = LLR k (q k, p, ) def X p = Ns q v k v log. v2v v 2 test: Does not require the knowledge of p for the attack X S k = 2 k (qk, )=Ns v2v (q k v v) 2 v. 2 Statistics 21/27

Complexities Let S(k) be the statistic obtained for a key candidate k. S(k) =LLR k (q k, p, ) or = 2 k (qk, ) Then, In the paper: N (µr, 2 S(k) R ) if k = K r, N (µ W, 2 W ) otherwise. I Estimates of the value of µ R,µ W, R, w for both LLR and 2 statistical tests. I Estimates of the Data Complexity 22/27

Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 23/27

Using unbalanced partitioning Subset of output differences P S 0.9 0.8 0.7 0.6 0.5 20 22 24 26 28 30 log 2 (N) LLR : Ex. a = 4 Th. a = 4 Ex. a = 11 Th. a = 11 2 : Ex. a = 4 Th. a = 4 Ex. a = 11 Th. a = 11 24/27

Using balanced partitioning Set of groups of output differences P S 0.9 0.8 0.7 0.6 LLR : Ex. a = 4 Th. a = 4 Ex. a = 7 Th. a = 7 2 : Ex. a = 4 Th. a = 4 Ex. a = 7 Th. a = 7 0.5 19 21 23 25 27 log 2 (N) 25/27

Conclusions Balanced or Unbalanced partitioning? I Time Complexity: unbalanced ) faster attack. I Data Complexity: depends on the cipher. LLR or 2? I If we have a good estimate of the expected probabilities ) LLR provides better Data and Memory complexities I Otherwise LLR is not effective 26/27

Work in Progress Estimation of the Differential Probabilities In Theory I Estimation of truncated differential probabilities can be done correlations. In Practice I Estimation of the correlations are easy on PRESENT CO I We use them to compute the distribution vector. I We provide a multiple differential attack on PRESENT 27/27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback