Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27
Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 2/27
Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 3/27
Block ciphers x- - - - - F K1 F K2 F Kr F Kr+1 y E K : F m 2! Fm 2 I K : Master key I F: Round function I K i : Round key cccc cccc cccc cccc S 3 S 2 S 1 S 0 P @ @ PPPPPPP @ @ @ @ @ @ @ cccc cccc cccc cccc S 3 S 2 S 1 S 0 P @ @ PPPPPPP @ @ @ @ @ @ @ cccc cccc cccc cccc S 3 S 2 S 1 S 0 @ P @ @ @ @ @ @ PPPPPPP @ @ cccc cccc cccc cccc SMALLPRESENT-[4] 4/27
Statistical Attacks Statistical attacks: I Take advantage of a non-uniform behavior of the cipher I Two families: Linear and Differential cryptanalysis Improvement of differential cryptanalysis I Differential cryptanalysis [Biham Shamir 91] I Truncated differential cryptanalysis [Knudsen 95] I Impossible differential cryptanalysis [Biham Biryukov Shamir 99] I igher order differential cryptanalysis [Lai 94] [Knudsen 95] I Multiple differential cryptanalysis (First approach) [BG 11] 5/27
Linear cryptanalysis cccc cccc cccc ccccc S 3 S 2 S 1 S 0 @ P @ @ @ @ @ @ PPPPPPP @ @ cccc cccc cccc ccccc S 3 S 2 S 1 S 0 @ P PPPPPPP @ @ @ @ @ @ @ @ cccc cccc cccc ccccc S 3 S 2 S 1 S 0 P @ @ PPPPPPP @ @ @ @ @ @ @ cccc cccc cccc cccc [Tardy-Gilbert91], [Matsui93] Linear relation using I plaintext bits, I key bits, I ciphertext bits. x apple K y = 0 with probability p = 1 2 + " 6/27
Differential Cryptanalysis Given an input difference between two plaintexts, some output differences occur more often than others. x - 6 E K - 6 y in out x 0?- E K?- y 0 Differential: pair of input and output difference ( in, out) Differential probability: p = P X,K [ E K (X) E K (X in) = out ] Uniform probability: = 2 m 7/27
Last Round Attack Distinguisher Plaintext F r K? r rounds Characteristic? Partial State 8/27
Last Round Attack Distinguisher F r K? r rounds Plaintext Characteristic? Partial State? S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e Substitution Layer Key addition Ciphertext 8/27
Related Work Linear Cryptanalysis: I Multiple linear cryptanalysis [Baignères, Junod, Vaudenay 04] I Multidimensional linear cryptanalysis [ermelin, Cho, Nyberg 08] Both use LLR and/or 2 statistical tests. Differential Cryptanalysis: I [Blondeau, Gérard 11]: The frequencies are sum up I ere: We study the LLR and/or 2 statistical tests. 9/27
Multiple differential cryptanalysis (First Approach) I Set of differences in (v), out (v) I With probabilities p v = P X,K [ E K (X) E K (X (v) (v) in )= out ]. I Set of input differences in (v) 2 in. I p = 1 in P v p v expected probability. I = 1 in Pv 1 2 m uniform probability. 10/27
Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 11/27
Multiple Differential Cryptanalysis I Fix input difference in (To simplify the analysis) I Vector of difference : V =[ (i) out ] after r rounds, I p =[p v ] v2v vector of expected probabilities. I =[ v ] v2v vector of uniform probabilities. 12/27
Discussion Parallel Work for small ciphers: [Albrecht Leander 2012] Whole distribution taken for SMALLPRESENT-[4] (16-bit cipher) Whole distribution taken for KATAN-32 (32-bit cipher) Limits: For actual ciphers the output size is too large (2 64 or 2 128 ) Application to real cipher: Introduction of partitioning functions. 13/27
Partitioning function We analyze two orthogonal cases I Unbalanced partitioning I Take a subset of simple differences I Balanced partitioning I Group the differences in order to be able to use information of the whole output space. 14/27
Unbalanced Partitioning Idea: Subset of simple differences I Output differences ( (i) out ) 1appleiappleA, I Counter for each of these differentials q k i. I As P A i=1 qk i 6= 1 I We have a trash counter q0 k differences. which gather all other output We increment the counter qi k if the difference (i) out is obtained after partial deciphering. 15/27
Unbalanced Partitioning: Last Round Attack in? V * Y V =[ (i) out ] i S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Substitution Layer k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e 16/27
Unbalanced Partitioning: Last Round Attack V * Y V =[ (i) out ] i S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Active Sboxes k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e 16/27
Unbalanced Partitioning: Last Round Attack V * Y S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 k 6 k 5 k 4 k 3 k 2 k 1 k 0 e e e e e e e e Sieving process Discard some ciphertext pairs 16/27
Unbalanced Partitioning: Last Round Attack V * Y @I 6 S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 e k 1 6 e k 0 e For all key candidates, partially decipher 16/27
Unbalanced Partitioning: Last Round Attack V * Y @I 6 If = (i) out S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Increment qi k k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 e k 1 6 e k 0 e Otherwise Increment q0 k 16/27
Unbalanced Partitioning: Last Round Attack V * Y @I 6 If = (i) out S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Increment qi k k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 e k 1 6 e k 0 e Otherwise Increment q0 k Analyse the vectors q k for each key Scoring function 16/27
Unbalanced Partionning: Remarks Corresponding known/former attacks: I Differential cryptanalysis. Advantage: I A sieving process ) smaller time complexity Disadvantage: I Subset of output space ) not all information I Small Probabilities ) Non-tightness of the information 17/27
Balanced Partitioning Idea: Using information from all output differences by grouping them. Let V =[ (i) out ] i a subspace of F m 2 A group of differences (i) out = (i) out V ( V V = F m 2 ) A counter qi k for each group of differences. We increment the counter qi k if the difference 2 (i) out is obtained partial deciphering. 18/27
Balanced Partitioning: Last Round Attack in V?\ out = out V S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Substitution Layer k 7 e k 6 e k 5 e k 4 e k 3 e k 2 e k 1 e k 0 e 19/27
Balanced Partitioning: Last Round Attack V \ out = out V S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Active Sboxes k 7 e k 6 e k 5 e k 4 e k 3 e k 2 e k 1 e k 0 e 19/27
Balanced Partitioning: Last Round Attack V \ S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 e k 3 e k 2 e k 1 e k 0 e No Sieving process Partially decipher for all pairs 19/27
Balanced Partitioning: Last Round Attack V \ S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 For all key candidates, k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 6 e k 1 e k 0 e partially decipher 19/27
Balanced Partitioning: Last Round Attack V \ * 6 Y S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 6 e k 1 e k 0 e If 2 (i) out V Increment q k i 19/27
Balanced Partitioning: Last Round Attack V \ * 6 Y S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 k 7 e k 6 e k 5 e k 4 6 e k 3 6 e k 2 6 e k 1 e k 0 e If 2 (i) out V Increment q k i Analyse the vectors q k for each key Scoring function 19/27
Balanced Partitioning: Remarks Corresponding known/former attacks: I Truncated Differential cryptanalysis. Advantage: I Whole output space ) More information I Bigger Probabilities ) Tightness of the information Disadvantage: I No sieving process ) More time complexity 20/27
Statistical Tests Probability distribution vectors I Expected: p =[pv] v2v I Uniform: I Observed: q k (for a given key candidate) LLR test: requires the knowledge of the theoretical probability p. S k = LLR k (q k, p, ) def X p = Ns q v k v log. v2v v 2 test: Does not require the knowledge of p for the attack X S k = 2 k (qk, )=Ns v2v (q k v v) 2 v. 2 Statistics 21/27
Complexities Let S(k) be the statistic obtained for a key candidate k. S(k) =LLR k (q k, p, ) or = 2 k (qk, ) Then, In the paper: N (µr, 2 S(k) R ) if k = K r, N (µ W, 2 W ) otherwise. I Estimates of the value of µ R,µ W, R, w for both LLR and 2 statistical tests. I Estimates of the Data Complexity 22/27
Outline Introduction Block Ciphers Differential Cryptanalysis Last Round Attacks Multiple Differential Cryptanalysis Definition Partitioning Function Complexities Experiments Experimental Results Analyse 23/27
Using unbalanced partitioning Subset of output differences P S 0.9 0.8 0.7 0.6 0.5 20 22 24 26 28 30 log 2 (N) LLR : Ex. a = 4 Th. a = 4 Ex. a = 11 Th. a = 11 2 : Ex. a = 4 Th. a = 4 Ex. a = 11 Th. a = 11 24/27
Using balanced partitioning Set of groups of output differences P S 0.9 0.8 0.7 0.6 LLR : Ex. a = 4 Th. a = 4 Ex. a = 7 Th. a = 7 2 : Ex. a = 4 Th. a = 4 Ex. a = 7 Th. a = 7 0.5 19 21 23 25 27 log 2 (N) 25/27
Conclusions Balanced or Unbalanced partitioning? I Time Complexity: unbalanced ) faster attack. I Data Complexity: depends on the cipher. LLR or 2? I If we have a good estimate of the expected probabilities ) LLR provides better Data and Memory complexities I Otherwise LLR is not effective 26/27
Work in Progress Estimation of the Differential Probabilities In Theory I Estimation of truncated differential probabilities can be done correlations. In Practice I Estimation of the correlations are easy on PRESENT CO I We use them to compute the distribution vector. I We provide a multiple differential attack on PRESENT 27/27