Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT


Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Céline Blondeau, Benoît Gérard
SECRET-Project-Team, INRIA, France
TOOLS for Cryptanalysis - 23rd June 2010
C.Blondeau and B.Gérard. Links Between Theoretical and Effective Differential Probabilities 1 / 24

Outline
1. Introduction
2. Differential Trails
3. Differential
4. Success Probability


Notation
We consider iterative block ciphers (especially PRESENT)
- operating on $m$-bit messages;
- using a master key $K$;
- with round function $F$ using subkeys $K_i$;
$Y \stackrel{\text{def}}{=} \mathrm{Enc}_K(X) \stackrel{\text{def}}{=} F_{K_r} \circ F_{K_{r-1}} \circ \cdots \circ F_{K_1}(X)$.
We focus on the particular case of key-alternating ciphers.

Differential
An $r$-round differential of a cipher is a couple $(\delta_0, \delta_r) \in \mathbb{F}_2^m \times \mathbb{F}_2^m$.
The probability of an $r$-round differential is
$p \stackrel{\text{def}}{=} \Pr_{X,K}[\mathrm{Enc}_K(X) \oplus \mathrm{Enc}_K(X \oplus \delta_0) = \delta_r]$.
If $p > 2^{-m}$, then we can distinguish $F_K^r$ from a random permutation. Statistical Cryptanalysis.

PRESENT
- A 64-bit block cipher presented in [Bogdanov et al., CHES 2007].
- 80-bit or 128-bit key schedule.
- Substitution Permutation Network (SPN).
- A single 4-bit Sbox.
[Figure: S-box layer, S15 down to S0.]

SMALLPRESENT-[s]
- Proposed by Leander in 2009.
- s is the number of Sboxes, thus SMALLPRESENT-[s] is a 4s-bit cipher.
- The permutation is similar to the one of PRESENT.
- 80-bit key schedule.
- All of the experiments but one are done on SMALLPRESENT-[4].
[Figure: one round of SMALLPRESENT-[4], S-boxes S3 down to S0.]

Key schedules
We introduced 2 other key schedules:
- a 16-bit key schedule (all subkeys are equal);
- a 20-bit key schedule (similar to the 80-bit one):
  Master key: $K = k_{19}k_{18}\ldots k_0$.
  Round keys: $K_i = k_{19}k_{18}\ldots k_4$.
  Updated as follows:
  1. $[k_{19}k_{18}\ldots k_1k_0] = [k_6k_5\ldots k_8k_7]$;
  2. $[k_{19}k_{18}k_{17}k_{16}] = S[k_{19}k_{18}k_{17}k_{16}]$;
  3. $[k_7k_6k_5k_4k_3] = [k_7k_6k_5k_4k_3] \oplus \text{roundcounter}$.
In this presentation, shown results are obtained using this last one.


Differential trails
A differential trail of a cipher is an $(r+1)$-tuple $(\beta_0, \beta_1, \ldots, \beta_r) \in (\mathbb{F}_2^m)^{r+1}$ of intermediate differences.
The probability $p_\beta$ of a differential trail $\beta = (\beta_0, \beta_1, \ldots, \beta_r)$ is:
$p_\beta \stackrel{\text{def}}{=} \Pr_{X,K}[\forall i,\ F_K^i(X) \oplus F_K^i(X \oplus \beta_0) = \beta_i]$.
If the cipher is Markov and the round subkeys are independent, then
$p^t_\beta \stackrel{\text{def}}{=} \prod_{i=1}^{r} \Pr_X[F(X) \oplus F(X \oplus \beta_{i-1}) = \beta_i]$.

Key dependency (1/3)
For a differential trail $\beta$:
$T_K \stackrel{\text{def}}{=} \frac{1}{2}\,\#\{X \mid F_K^i(X) \oplus F_K^i(X \oplus \beta_0) = \beta_i,\ 1 \le i \le r\}$,
$p_\beta = 2^{-(m-1)}\, E(T_K)$.
[Figure: trail through three S-box layers, S3 S2 S1 S0 in each.]

| $T_K$ | 0 | 8 | 16 |
|---|---|---|---|
| \# (number of keys) | 131072 | 524288 | 393216 |

$p_\beta = 10 \cdot 2^{-(16-1)}$. $p^t_\beta = 8 \cdot 2^{-(16-1)}$.

Key dependency (2/3)
[Plot: distribution of $\log_2(p_\beta) - \log_2(p^t_\beta)$ (horizontal axis) for $p^t_\beta = 2^{-17}$, $2^{-20}$, $2^{-23}$, $2^{-26}$.]

Key dependency (3/3)
[Plot: distribution of $\log_2(p_\beta) - \log_2(p^t_\beta)$ (horizontal axis) for $p^t_\beta = 2^{-17}$, $2^{-20}$, $2^{-23}$, $2^{-26}$, with $\log_2(3/4)$ and $\log_2(5/4)$ marked on the horizontal axis.]
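Added example (not from the slides): a Python sketch that computes $p^t_\beta$ from the S-box difference table and counts $T_K$ for fixed master keys on SMALLPRESENT-[4] with the 20-bit key schedule described earlier. The bit permutation (bit $i$ to $4i \bmod 15$), taking $K_i$ before the register update, and the sample trails are assumptions, not taken from the talk.

```python
from fractions import Fraction

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
# Assumed bit permutation: bit i -> 4*i mod 15 (bit 15 fixed), PRESENT's rule scaled to 16 bits.
PERM = [4 * i % 15 for i in range(15)] + [15]
INV = [PERM.index(i) for i in range(16)]
DDT = [[sum(SBOX[x] ^ SBOX[x ^ a] == b for x in range(16)) for b in range(16)] for a in range(16)]

def permute(x, table=PERM):
    return sum(((x >> i) & 1) << table[i] for i in range(16))

def sbox_layer(x):
    return sum(SBOX[(x >> 4 * n) & 0xF] << 4 * n for n in range(4))

SP = [permute(sbox_layer(x)) for x in range(1 << 16)]  # keyless round: F_K(x) = SP[x ^ K]

def round_keys(master, rounds):
    # 20-bit key schedule from the slide; extracting K_i before the update is assumed.
    k, keys = master & 0xFFFFF, []
    for counter in range(1, rounds + 1):
        keys.append(k >> 4)                        # K_i = k19..k4
        k = ((k << 13) | (k >> 7)) & 0xFFFFF       # rotation: new k19 is old k6
        k = (SBOX[k >> 16] << 16) | (k & 0xFFFF)   # S-box on k19..k16
        k ^= counter << 3                          # round counter into k7..k3
    return keys

def theoretical_prob(trail):
    # p^t_beta: product of one-round probabilities (Markov cipher, independent subkeys).
    p = Fraction(1)
    for b_in, b_out in zip(trail, trail[1:]):
        s_out = permute(b_out, INV)                # difference right after the S-box layer
        for n in range(4):
            p *= Fraction(DDT[(b_in >> 4 * n) & 0xF][(s_out >> 4 * n) & 0xF], 16)
    return p

def effective_count(master, trail):
    # T_K: half the number of X whose pair (X, X ^ beta_0) follows every beta_i under this key.
    keys, hits = round_keys(master, len(trail) - 1), 0
    for x in range(1 << 16):
        a, b = x, x ^ trail[0]
        for k, beta in zip(keys, trail[1:]):
            a, b = SP[a ^ k], SP[b ^ k]
            if a ^ b != beta:
                break
        else:
            hits += 1
    return hits // 2

if __name__ == "__main__":
    trail = (0x0001, 0x0011, 0x0033, 0x0330)       # constructed 3-round trail
    print("2^(m-1) * p^t =", theoretical_prob(trail) * 2 ** 15)
    for master in (0x00000, 0x12345, 0xABCDE, 0xFFFFF):
        print(hex(master), "T_K =", effective_count(master, trail))
```

Run as a script, it prints $T_K$ for four master keys on the constructed 3-round trail next to $2^{m-1} p^t_\beta$, which is the comparison the histograms above make over many trails.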


Differential probability
The probability $p$ of an $r$-round differential $(\delta_0, \delta_r)$ is
$p = \sum_{\beta = (\delta_0, \beta_1, \ldots, \beta_{r-1}, \delta_r)} p_\beta$.
[Plot: $\log_2(\sum p^t_\beta) - \log_2(p)$ against $\log_2(\text{number of trails})$.]
Algorithm used: adaptation of [Biryukov et al., CRYPTO 2004].
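Added example (not from the slides): the sum over trails, evaluated with the theoretical probabilities $p^t_\beta$ for a 3-round differential of SMALLPRESENT-[4], next to the probability of its best single trail. The bit permutation (bit $i$ to $4i \bmod 15$) and the differential 0x0001 → 0x0330 are assumptions chosen for illustration.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
PERM = [4 * i % 15 for i in range(15)] + [15]  # assumed: bit i -> 4*i mod 15, bit 15 fixed
DDT = [[sum(SBOX[x] ^ SBOX[x ^ a] == b for x in range(16)) for b in range(16)] for a in range(16)]

def perm(x):
    return sum(((x >> i) & 1) << PERM[i] for i in range(16))

def one_round(diff):
    """Yield (next difference, weight) for each S-box-layer transition; probability = weight / 16**4."""
    rows = []
    for n in range(4):
        row = DDT[(diff >> 4 * n) & 0xF]
        # The bit permutation acts on disjoint bits, so it can be applied per nibble.
        rows.append([(perm(b << 4 * n), row[b]) for b in range(16) if row[b]])
    for (d0, w0), (d1, w1), (d2, w2), (d3, w3) in product(*rows):
        yield d0 | d1 | d2 | d3, w0 * w1 * w2 * w3

def propagate(delta0, rounds):
    """Map each output difference to (sum of p^t over all trails, best single p^t, trail count)."""
    state = {delta0: (1, 1, 1)}
    for _ in range(rounds):
        nxt = defaultdict(lambda: (0, 0, 0))
        for d, (total, best, count) in state.items():
            for out, w in one_round(d):
                t, b, c = nxt[out]
                nxt[out] = (t + total * w, max(b, best * w), c + count)
        state = nxt
    scale = 16 ** (4 * rounds)
    return {d: (Fraction(t, scale), Fraction(b, scale), c) for d, (t, b, c) in state.items()}

if __name__ == "__main__":
    total, best, count = propagate(0x0001, 3)[0x0330]  # constructed differential
    print(f"{count} trails: sum of p^t = {total}, best single trail = {best}")
```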

Remarks on [Wang, AFRICACRYPT 2008]
Attack:
- 14-round differentials with probability (lower bounded by) $2^{-62}$.
- Obtained by iterating 3 times a 4-round differential trail.
Remarks:
- $2^{-62}$ is the best probability for a 14-round differential trail.
- Considering the $2^{12.2}$ best trails of the difference ($p^t_\beta \geq 2^{-73}$): $\sum_\beta p^t_\beta = 2^{-57.53} > 2^{-62}$.
[Plot: $\log_2(\sum p^t_\beta)$ against $\log_2(\text{number of trails})$.]

Key dependency [Daemen, Rijmen 2005]
In the Sampling Model for key-alternating ciphers, variable $D_K$ follows a binomial distribution.
$D_K \stackrel{\text{def}}{=} \frac{1}{2}\,\#\{X \mid F_K^r(X) \oplus F_K^r(X \oplus \delta_0) = \delta_r\}$.
[Plots for 5-round differentials of SMALLPRESENT-[4].]


Success Probability (1/2)
$p \stackrel{\text{def}}{=} \Pr_{X,K}[\mathrm{Enc}_K(X) \oplus \mathrm{Enc}_K(X \oplus \delta_0) = \delta_r]$.
The function $P_S(p)$ is the success probability of an attack with a fixed-key differential probability $p$.
The new formula for the Success Probability that takes into account the sampling model is:
$$P_{\text{success}} \stackrel{\text{def}}{=} E_{D_K}\left[P_S\left(\frac{D_K}{2^{m-1}}\right)\right] = \sum_{i=0}^{2^{m-1}} \left[P_S\left(\frac{i}{2^{m-1}}\right) \binom{2^{m-1}}{i}\, p^i (1-p)^{2^{m-1}-i}\right]. \quad (1)$$

Success Probability (2/2)
[Plot: success probability against $\log_2(N)$; curves: Experimental, $P_S$, (1).]
Differential attack, SMALLPRESENT-[8], 11 rounds, $2^{32}$ keys, $2^9$ keys tried, 100 experiments.

Success Probability: choice of $P_S$ (1/2)
[Selçuk, Journal of Cryptology 2007]
$P_S \approx \int_{\Phi^{-1}(1 - \frac{l}{n})}^{\infty} \phi_0(t)\, dt$.
[Blondeau, Gérard and Tillich, to appear in DCC]
In the case of differential cryptanalysis,
$P_S \approx \sum_{i = f^{-1}(1 - \frac{l-1}{n-2})}^{N} P[X_0 = i]$.
THE SECOND ONE IS TIGHTER!!!

Success Probability: choice of $P_S$ (2/2)
[Plot: $P_S$ against $\log_2(N)$; curves: Experimental, [BGT10], [BGT10]+(1), [Sel07]+(1).]

Recommendations
- Use more than one trail when estimating a differential probability. For Wang's differential:
  - $p_\beta \geq 2^{-64}$: $2^{-60.00}$, 10s.
  - $p_\beta \geq 2^{-66}$: $2^{-58.91}$, 2m.
  - $p_\beta \geq 2^{-70}$: $2^{-57.67}$, 1h.
  - $p_\beta \geq 2^{-73}$: $2^{-57.53}$, 16h.
- Use the success probability formula given in this talk together with the one in [BGT10].
[Plot: $P_S$ against $\log_2(N)$; curves: Experimental, [BGT10], [BGT10]+(1), [Sel07]+(1).]

Conclusion and further work
- For most of the trails $p^t_\beta$ seems to be a good estimate for $p_\beta$.
- Although $p^t_\beta$ can be different from $p_\beta$, it seems that $\sum_\beta p^t_\beta \approx p$.
- The Sampling Model seems to be well suited at least in the case of SMALLPRESENT-[4] and SMALLPRESENT-[8].
- This leads to a new formula for the success probability of a differential attack.
- Results are obtained on SMALLPRESENT-[4]:
  - Trying to run experiments on SMALLPRESENT-[8] to extrapolate on the full PRESENT.
  - Running experiments on other SPNs or Feistel networks.

Explanation on the 3-round trail
[Figure: trail through three S-box layers, S3 S2 S1 S0 in each, with key bits marked in red and green.]
- 0x1 → 0x3 implies red bits to 0.
- 0x3 → 0x6 implies green bit to 1.
- Two green key bits correspond to the same master key bit.

| Key bits | 000 | 001 | 010 | 011 | 100 | 101 | 110 | 111 |
|---|---|---|---|---|---|---|---|---|
| Probability of 1 | 1/2 | 1/2 | 1/2 | 1 | 1 | 1/2 | 1 | 0 |

Finding differential trails
Finding trails with probability $> 10/2^6$.
[Figure: search tree of differences rooted at 0x1, with nodes labelled by their probabilities.]