Cryptanalysis of a Generalized Unbalanced Feistel Network Structure
Ruilin Li, Bing Sun, Chao Li, Longjiang Qu
National University of Defense Technology, Changsha, China
ACISP 2010, Sydney, Australia, 5th July 2010
Outline
Backgrounds and n-cell GF-NLFSR
Integral and Impossible Differential
Non-surjective Attack
Conclusion
Backgrounds and n-cell GF-NLFSR
High-level structures of block ciphers: Feistel, MISTY, SPN, Lai-Massey, Generalized Unbalanced Feistel Network, others?
Backgrounds and n-cell GF-NLFSR
[Figure: the n-cell GF-NLFSR round (ACISP 2009). Input cells x_0^(i), x_1^(i), x_2^(i), …, x_{n−1}^(i); the round key k_i is XORed into x_0^(i) before the round function F; output cells x_0^(i+1), x_1^(i+1), …, x_{n−2}^(i+1), x_{n−1}^(i+1).]
Backgrounds and n-cell GF-NLFSR
Provable security against DC and LC: the differential (linear hull) probability of every n+1 rounds of n-cell GF-NLFSR is upper bounded by p² (q²), provided that the corresponding probability of the round function is p (q).
Application, design of block ciphers:
n=4, Four-Cell (ACISP 2009)
n=4, p-sms4 (Africacrypt 2010)
n=2, p-camellia (Africacrypt 2010)
Backgrounds and n-cell GF-NLFSR
In this talk we present several cryptanalytic results on n-cell GF-NLFSR, in particular:
1. Integral distinguisher
2. Impossible differential distinguisher
3. Non-surjective attack
Integral and Impossible Differential
Integral Cryptanalysis: for a set V of chosen plaintexts, consider the XOR sum of the ciphertexts E_k(V) = ⊕_{x ∈ V} E_k(x).
Impossible Differential Cryptanalysis: there exist an input difference and an output difference such that, for all x, the difference E_k(x) ⊕ E_k(x ⊕ input difference) never equals the output difference.
Integral and Impossible Differential
Known results for n-cell GF-NLFSR:
3n−1 rounds Integral: (A, C, …, C) → [3n−1 rounds] → (C, ?, ?, …, ?)
2n−1 rounds Impossible Differential
Integral: Empirical Methods
Some notations (a_i denotes the value of a cell in the i-th text of the structure):
Active (A): a_i ≠ a_j for i ≠ j
Constant (C): a_i = a_0 for all i
Balanced (B): ⊕_{i=0}^{2^b−1} a_i = 0
Unknown (?)
Integral: Empirical Methods
Some criteria.
Propagation through the non-linear part (S-box): Active → Active; Balanced → ?; ? → ?
Propagation through the linear part: Active + Active = Balanced (A + A = B); Active + Balanced = Balanced (A + B = B); Unknown + Unknown = Unknown (? + ? = ?)
Integral: Empirical Methods
3-round integral distinguisher of AES: AK, SB, SR, MC | AK, SB, SR, MC | AK, SB, SR, MC | AK. The XOR sum over the structure is 0, since A + A + A + A = B.
Integral: Algebraic Methods
The Active, Balanced, Constant and Unknown states are treated as polynomial functions f(x) over the finite field, so more accurate information can be obtained.
Further story for algebraic methods: the algebraic degree influences the integral distinguisher.
Bing Sun, Ruilin Li, Longjiang Qu, Chao Li. SQUARE attack on block ciphers with low algebraic degree. Science in China, Information Science, 2010, 6, 777-785.
Integral
Example 1: Active cells (A) with values x and y, Balanced cell (B) with value x ⊕ y.
Empirical rule: A ⊕ B = B. Algebraically: A ⊕ B = A, since x ⊕ (x ⊕ y) = y.
Integral
Example 2: Active cell (A) with value x, Unknown cell (?) with value t.
Empirical rule: ? ⊕ ? = ?. Algebraically: ? ⊕ ? = A, since t ⊕ (x ⊕ t) = x.
Integral: Algebraic Methods
Active (A): x, y, z; Balanced (B): x + y; Unknown (?): t; constant: c.
A + A = C: x + (x + c) = c
A + B = A: x + (x + y) = y
B + B = A: (x + y) + (x + y + z) = z
B + B = C: (x + y) + (x + y + c) = c
? + ? = A: (x + t) + t = x
? + ? = B: (x + y + t) + t = x + y
? + ? = C: (c + t) + t = c
Integral
16-round Integral of 4-Cell
[Figure: the cell states after rounds 16 to 20, written as algebraic expressions in the active variables x, y, z, w, u, v, the constants C and the unknowns t_i.]
Integral
What about the generalized case?
Main Observation: the output of n-cell GF-NLFSR after every n rounds.
Integral
n² round Integral: (A, C, …, C) → [n² rounds] → (S_0, S_1, S_2, …, S_{n−1})
n²+n−2 round Higher-Order Integral: (A, A, …, A, C) → [n²+n−2 rounds] → (S_0, S_1, S_2, …, S_{n−1})
Impossible Differential
A direct extension: n²+n−2 rounds Impossible Differential
[Figure: a difference that is nonzero only in the first cell propagates through n² rounds to (δ_0, δ_1, …, δ_{n−2}, δ_{n−1}), mirroring the n²-round integral (A, C, …, C) → (S_0, S_1, …, S_{n−2}, S_{n−1}); a further n−2 rounds connect a pattern of the form (0, …, 0, ·, ·) with one of the form (·, ·, 0, …, 0), which gives the contradiction.]
Impossible Differential
Further story for n=2, where n²+n−2 = 4: taking p-camellia (Africacrypt 2010) as an example, based on matrix theory over finite fields and by studying its linear transformation, we have found 5/6/7-round impossible differentials using the technique from http://eprint.iacr.org/2010/307.
[Figure: round structures of Camellia and p-camellia.]
Integral and Impossible Differential
Distinguishers for n-cell GF-NLFSR (number of rounds):
Source       | Integral | Higher-Order Integral | Impossible Differential
Choy et al.  | 3n−1     | -                     | 2n−1
Wu et al.    | -        | -                     | n²+n−2
Ours         | n²       | n²+n−2                | n²+n−2
Non-surjective Attack
Davies & Murphy. Pairs and triples of DES S-boxes. Journal of Cryptology, 1995.
Rijmen, Preneel, De Win. On weaknesses of non-surjective round functions. Designs, Codes and Cryptography, 1997.
Idea: exploit the statistical bias of some expression derived from the non-surjective (non-uniform) round function.
Non-surjective Attack
[Figure: the n-cell GF-NLFSR round as used in the attack. Input cells x_0^(i), x_1^(i), x_2^(i), …, x_{n−1}^(i); round key K_i XORed into x_0^(i) before F; output cells x_0^(i+1), x_1^(i+1), …, x_{n−2}^(i+1), x_{n−1}^(i+1).]
Non-surjective Attack: Distinguisher
Consider the set {f(x) | x ∈ F_2^b}, where f: F_2^b → F_2^b, f(x) = F(x) ⊕ x, and F is the bijective round function.
Since f need not be surjective, there exists c ∈ F_2^b such that, for all x ∈ F_2^b, q'(x) ≠ c.
Non-surjective Attack
Main Observation: let A ⊆ F_2^b be fixed and let X ⊆ F_2^b be chosen at random; write X ⊕ c = {x ⊕ c | x ∈ X}. Consider p = Pr(∃ c ∈ F_2^b s.t. X ⊕ c ⊆ A), which is bounded in terms of |X|, |A| and 2^b.
Non-surjective Attack
Key recovery attack on n²+n' rounds: for a guessed round key rk, compute Q_rk = {q'_rk(x_i)} and test whether ∃ c ∈ F_2^b such that Q_rk ⊕ c ⊆ f(F_2^b), where f(F_2^b) = {F(x) ⊕ x | x ∈ F_2^b}.
Non-surjective Attack
Complexity analysis. Number of wrong key candidates: 2^{(n−1)b} − 1. Let t = |Q_rk|; for a random-looking f, |f(F_2^b)| ≈ 0.632 · 2^b. A wrong key candidate passes the test Q_rk ⊕ c ⊆ f(F_2^b) (for some c) with probability
P_err ≈ (2^{(n−1)b} − 1) · 2^b · (|f(F_2^b)| / 2^b)^t ≈ 2^{nb} · 0.632^t.
Non-surjective Attack
Data complexity and time complexity: expressed in terms of 2^{(n−1)b}, 2^b, t, nb and 0.632^u for the number u of tested samples.
Space complexity: storing f(F_2^b), about 0.632 · 2^b values.
Non-surjective Attack
Parameters of an 18-round toy cipher: b = 8, n = 4; the round function is the S-box of AES.
Practically secure against DC and LC: p = q = 2^{−6}, so the differential (linear) characteristic probability for 15 rounds is upper bounded by ((2^{−6})²)³ = 2^{−36} < 2^{−32}.
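Added example, not code from the slides or from the authors: a toy n-cell GF-NLFSR with the parameters above (b = 8, n = 4, F = AES S-box), assuming the round of the ACISP 2009 figure, in which the keyed leftmost cell passes through F, is XORed with every other cell and becomes the new rightmost cell. It checks the main observation on the output after every n rounds, in a closed form derived here from that round definition, and that f(x) = F(x) ⊕ x is not surjective.

```python
# Added example (not from the slides): toy n-cell GF-NLFSR, b = 8, F = AES S-box, used to
# check the every-n-rounds observation and the non-surjectivity of f(x) = F(x) ^ x.
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox_entry(x):
    """AES S-box: multiplicative inverse followed by the fixed affine map (FIPS-197 5.1.1)."""
    inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = [aes_sbox_entry(x) for x in range(256)]
def F(x): return SBOX[x]                  # bijective round function on b = 8 bits
def f(x): return F(x) ^ x                 # f(x) = F(x) ^ x, in general NOT a bijection
IMAGE_OF_f = {f(x) for x in range(256)}   # f(F_2^b), roughly 0.632 * 2^b elements

def gf_nlfsr_round(state, k):
    """One round (assumed from the Choy et al. figure): the leftmost cell is keyed and
    passed through F, XORed with every other cell, and becomes the new rightmost cell."""
    new = F(state[0] ^ k)
    for cell in state[1:]:
        new ^= cell
    return state[1:] + [new]

def encrypt(state, round_keys):
    for k in round_keys:
        state = gf_nlfsr_round(state, k)
    return state

def n_round_relation_holds(n, round_keys, trials=200):
    """Derived here: after n rounds with keys k_0..k_{n-1},
    y_j ^ F(x_{j-1} ^ k_{j-1}) ^ k_j == f(x_j ^ k_j) for j = 1..n-1, so it lies in f(F_2^b)."""
    for _ in range(trials):
        x = [random.randrange(256) for _ in range(n)]
        y = encrypt(x, round_keys[:n])
        for j in range(1, n):
            q = y[j] ^ F(x[j - 1] ^ round_keys[j - 1]) ^ round_keys[j]
            if q != f(x[j] ^ round_keys[j]) or q not in IMAGE_OF_f:
                return False
    return True
```

For the right pair of round keys every q value lands in f(F_2^b), a set of only about 0.632 · 2^b values, which is the bias the key-recovery test in the slides relies on.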
Non-surjective Attack
Experimental results on the toy cipher:
Parameter t | Chosen plaintexts | Success probability p
2           | 2^27              | 0.474
4           | 2^30              | 0.758
6           | 2^33              | 0.873
8           | 2^36              | 0.965
10          | 2^39              | 0.992
Conclusion
1. Strong asymmetry between encryption and decryption.
2. Slow diffusion rate in the encryption direction.
Four-Cell (25 rounds): rounds 1~5 SP, 6~20 SPS, 21~25 SP.
Four-Cell+ (30 rounds): rounds 1~10 SP, 11~20 SPS, 21~30 SP.
Conclusion
Given a scheme, how can we prove its resistance against integral and impossible differential cryptanalysis?
How can this kind of non-surjective attack be applied to other crypto schemes?
Designing a high-level structure that is both efficient and secure remains a challenging task!
Thank you! Q & A