Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure. Ruilin Li, Bing Sun, Chao Li, Longjiang Qu. National University of Defense Technology, Changsha, China. ACISP 2010, Sydney, Australia, 5th July 2010.

Outline: Backgrounds and n-cell GF-NLFSR; Integral and Impossible Differential; Non-surjective Attack; Conclusion.

Backgrounds and n-cell GF-NLFSR. High-level structures of block ciphers: Feistel, MISTY, SPN, Lai-Massey, Generalized Unbalanced Feistel Network, others?

Backgrounds and n-cell GF-NLFSR. Figure: one round of the n-cell GF-NLFSR (ACISP 2009), with input words (x_0^{(i)}, x_1^{(i)}, x_2^{(i)}, …, x_{n−1}^{(i)}), round key k_i, round function F, and output words (x_0^{(i+1)}, x_1^{(i+1)}, …, x_{n−2}^{(i+1)}, x_{n−1}^{(i+1)}).

Backgrounds and n-cell GF-NLFSR. Provable security against DC and LC: the differential (linear hull) probability of every n+1 rounds of n-cell GF-NLFSR is upper bounded by p^2 (q^2), provided that the corresponding probability of the round function is p (q). Applications to the design of block ciphers: n=4, Four-Cell (ACISP 2009); n=4, p-SMS4 (Africacrypt 2010); n=2, p-Camellia (Africacrypt 2010).

Backgrounds and n-cell GF-NLFSR. In this talk we present several cryptanalytic results on n-cell GF-NLFSR, namely (1) an integral distinguisher, (2) an impossible differential distinguisher, and (3) a non-surjective attack.

Integral and Impossible Differential. Integral cryptanalysis: for a chosen set V of plaintexts, the sum ⊕_{x ∈ V} E_k(x) over the set is known. Impossible differential cryptanalysis: a pair (α, β) such that, for all x, E_k(x) ⊕ E_k(x ⊕ α) ≠ β.

Integral and Impossible Differential. Known results for n-cell GF-NLFSR: a (3n−1)-round integral, (A, C, …, C) →^{3n−1} (C, ?, ?, …, ?), and a (2n−1)-round impossible differential, (α, …) ↛^{2n−1} (…, 0).

Integral: Empirical Methods. Some notations, for a word that takes the values a_0, a_1, …, a_{2^b−1} over the 2^b plaintexts of the set:
Active (A): a_i ≠ a_j for i ≠ j.
Constant (C): a_i = a_0 for all i.
Balanced (B): ⊕_{i=0}^{2^b−1} a_i = 0.
Unknown (?): nothing is known.

Integral: Empirical Methods. Some criteria.
Propagation through the non-linear part: Active → S-box → Active; Balanced → S-box → ?; ? → S-box → ?.
Propagation through the linear part: Active + Active = Balanced (A + A = B); Active + Balanced = Balanced (A + B = B); Unknown + Unknown = Unknown (? + ? = ?).

Integral: Empirical Methods. 3-round integral distinguisher of AES: AK, SB, SR, MC; AK, SB, SR, MC; AK, SB, SR, MC; AK. Each output byte is the sum of four active bytes, A + A + A + A = B, so its XOR over the set is 0.

Integral: Algebraic Methods. The Active, Balanced, Constant and Unknown states are treated as polynomial functions f(x) over the finite field, so more accurate information can be obtained. Further story for algebraic methods: the algebraic degree influences the integral distinguisher. Bing Sun, Ruilin Li, Longjiang Qu, Chao Li. SQUARE attack on block ciphers with low algebraic degree. Science in China, Information Sciences, 2010.6, 777–785.

Integral. Example 1: Active (A: x, y), Balanced (B: x ⊕ y). The empirical rule gives A ⊕ B = B, but algebraically A ⊕ B = A here, since x ⊕ (x ⊕ y) = y.

Integral. Example 2: Active (A: x), Unknown (?: t). The empirical rule gives ? ⊕ ? = ?, but algebraically ? ⊕ ? = A here, since t ⊕ (x ⊕ t) = x.

Integral: Algebraic Methods. Active (A): x, y, z; Balanced (B): x ⊕ y; Unknown (?): t; constant c.
A + A = C: x + (x + c) = c
A + B = A: x + (x + y) = y
B + B = A: (x + y) + (x + y + z) = z
B + B = C: (x + y) + (x + y + c) = c
? + ? = A: (x + t) + t = x
? + ? = B: (x + y + t) + t = x + y
? + ? = C: (c + t) + t = c

Integral. 16-round integral of Four-Cell (active words x, y, z, w, u, v; constant C; unknown words t_i), with the state after 16 rounds written as (x_16, x_17, x_18, x_19):
x_16 = t_3 ⊕ t_1 ⊕ y ⊕ z ⊕ C
x_17 = t_4 ⊕ t_3 ⊕ t_2 ⊕ t_1 ⊕ y ⊕ z ⊕ w ⊕ C
x_18 = t_5 ⊕ t_4 ⊕ t_2 ⊕ w ⊕ u ⊕ C
x_19 = t_5 ⊕ u ⊕ v ⊕ C
⊕_{i=16}^{19} x_i = v ⊕ C, which is active, hence balanced.

Integral. What about the generalized case? Main observation: look at the output of n-cell GF-NLFSR every n rounds.

Integral. n²-round integral: (A, C, …, C) →^{n²} (S_0, S_1, S_2, …, S_{n−1}). (n²+n−2)-round higher-order integral: (A, A, …, A, C) →^{n²+n−2} (XOR-sums of the S_i).
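As an added worked example (not code from the slides or from the authors), the algebraic method above can be mechanised: a word is the set of symbolic atoms it is a sum of, XOR is symmetric difference, and a bijective F turns an active word into a fresh active atom and a balanced or unknown word into a fresh unknown one. The script assumes the n-cell GF-NLFSR round (x_0, …, x_{n−1}) ↦ (x_1, …, x_{n−1}, F(x_0, k) ⊕ x_1 ⊕ … ⊕ x_{n−1}), which reproduces the Four-Cell trace on the slides, and then confirms the n²-round result numerically on a constructed toy instance with a random 4-bit S-box.

```python
"""Algebraic integral tracking for the n-cell GF-NLFSR, plus an empirical check.

Constructed example. Assumed round structure (it reproduces the Four-Cell trace):
(x_0, ..., x_{n-1}) -> (x_1, ..., x_{n-1}, F(x_0, k) ^ x_1 ^ ... ^ x_{n-1}).
Constants are folded away, so a word is a frozenset of atoms: ('a', i) is an
active atom (a bijective image of the plaintext word), ('t', i) an unknown one.
"""
import itertools
import random

CONST = frozenset()                   # constant word (every constant is folded into it)
PLAINTEXT = frozenset({('a', 0)})     # the active plaintext word x


def classify(word):
    """A / B / C / ? status of a word in the algebraic model."""
    if not word:
        return 'C'
    if any(kind == 't' for kind, _ in word):
        return '?'
    # one active atom is active; a sum of two or more distinct actives is balanced
    return 'A' if len(word) == 1 else 'B'


class RoundFunction:
    """Symbolic bijective F: active input -> fresh active atom, balanced or
    unknown input -> fresh unknown atom, constant input -> constant."""

    def __init__(self):
        self._ids = itertools.count(1)

    def __call__(self, word):
        status = classify(word)
        if status == 'C':
            return CONST
        return frozenset({('a' if status == 'A' else 't', next(self._ids))})


def xor(*words):
    """XOR of words is the symmetric difference of their atom sets."""
    out = frozenset()
    for w in words:
        out ^= w
    return out


def symbolic_state(n, rounds):
    """Words after `rounds` rounds with input (A, C, ..., C)."""
    f = RoundFunction()
    state = [PLAINTEXT] + [CONST] * (n - 1)
    for _ in range(rounds):
        new = xor(f(state[0]), *state[1:])
        state = state[1:] + [new]
    return state


def total_sum_status(n, rounds):
    """Status of x_0 ^ ... ^ x_{n-1} after `rounds` rounds; 'A' means balanced."""
    return classify(xor(*symbolic_state(n, rounds)))


def toy_total_xor(n, b, rounds, seed):
    """Empirical check: XOR, over the 2^b plaintexts with word 0 active and the other
    words constant, of the XOR of all output words. Keyed round function S(x ^ k_r)
    with a random b-bit S-box (constructed)."""
    rng = random.Random(seed)
    sbox = list(range(1 << b))
    rng.shuffle(sbox)
    keys = [rng.randrange(1 << b) for _ in range(rounds)]
    consts = [rng.randrange(1 << b) for _ in range(n - 1)]
    total = 0
    for x in range(1 << b):
        state = [x] + consts
        for k in keys:
            new = sbox[state[0] ^ k]
            for w in state[1:]:
                new ^= w
            state = state[1:] + [new]
        for w in state:
            total ^= w
    return total


if __name__ == '__main__':
    for r in (11, 16, 17):
        words = symbolic_state(4, r)
        print(r, [classify(w) for w in words], 'XOR of all words:', total_sum_status(4, r))
    print('toy Four-Cell, 16 rounds, XOR over the integral set:',
          [toy_total_xor(4, 4, 16, s) for s in range(4)])
```

Run stand-alone it prints the status of each Four-Cell word after 11, 16 and 17 rounds together with the status of their XOR-sum (constant first word after 3n−1 = 11 rounds as in the known result, A after 16 rounds, ? after 17) and the numeric XOR-sums from the toy instance, which are 0 at 16 rounds.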

Impossible Differential. A direct extension: an (n²+n−2)-round impossible differential built on the n²-round integral (A, C, …, C) →^{n²} (S_0, S_1, …, S_{n−2}, S_{n−1}), with input difference (α, 0, …, 0) propagating to an intermediate difference (δ_0, δ_1, …, δ_{n−2}, δ_{n−1}), and output-side differences of the forms (0, …, 0, …) and (…, 0, …, 0) meeting in a contradiction.

Impossible Differential. Further story for n=2, where n²+n−2 = 4. Taking p-Camellia (Africacrypt 2010) as an example, based on matrix theory over finite fields and by studying its linear transformation, we found 5/6/7-round impossible differentials using the technique from http://eprint.iacr.org/2010/307. Figure: the round structures of Camellia and p-Camellia.

Integral and Impossible Differential. Distinguishers for n-cell GF-NLFSR (number of rounds):
Choy et al.: integral 3n−1; impossible differential 2n−1.
Wu et al.: n²+n−2.
Ours: integral n²; higher-order integral n²+n−2; impossible differential n²+n−2.

Non-surjective Attack. Davies and Murphy, Pairs and triples of DES S-boxes, Journal of Cryptology, 1995. Rijmen, Preneel and De Win, On weaknesses of non-surjective round functions, Designs, Codes and Cryptography, 1997. The idea is to exploit the statistical bias of some expression derived from the non-surjective (non-uniform) round function.

Non-surjective Attack. Figure: one round of the n-cell VGF-NLFSR (the variant structure), with input words (x_0^{(i)}, x_1^{(i)}, x_2^{(i)}, …, x_{n−1}^{(i)}), round key K_i, round function F, and output words (x_0^{(i+1)}, x_1^{(i+1)}, …, x_{n−2}^{(i+1)}, x_{n−1}^{(i+1)}).

Non-surjective Attack: Distinguisher. Let f(x) = F(x) ⊕ x, where F is the bijective round function on F_2^b. The image {f(x) : x ∈ F_2^b} has fewer than 2^b elements, i.e. f is non-surjective even though F is bijective. Hence there exists c ∈ F_2^b such that q′(x) ≠ c for all x ∈ F_2^b, where q′ is the expression derived from f.

Non-surjective Attack: Main Observation. Let A ⊆ F_2^b be fixed and let X ⊆ F_2^b be randomly chosen; write X ⊕ c = {x ⊕ c : x ∈ X}. The probability p = Pr(∃ c ∈ F_2^b s.t. X ⊕ c ⊆ A) is small, and when |X| = |A| it is bounded above in terms of 2^b.

Non-surjective Attack: Key Recovery Attack on n²+n′ rounds. For a key candidate rk, let Q_rk = {q′_rk(x_i)} over the chosen plaintexts x_i. For the right key, Q_rk ⊆ {F(x) ⊕ x : x ∈ F_2^b} = Im(f), so there exists c ∈ F_2^b with c ∉ Q_rk.
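As an added example (not the authors' attack code), the following script makes the non-surjectivity concrete for the round function of the toy cipher later in the talk, the AES S-box: it builds the S-box, computes the image of f(x) = S(x) ⊕ x and the values f never takes, and runs the test a key candidate has to pass. The right-key case is modelled by values f(x ⊕ k) for random x and a wrong key by uniformly random bytes; that wrong-key model is the assumption behind the 0.632 factor (the expected image fraction 1 − 1/e of a random function), and both models are constructed here, not taken from the slides.

```python
"""Non-surjectivity of f(x) = S(x) ^ x for the AES S-box and the test it yields.

Constructed example. Assumptions: the round function is the AES S-box (as in the
toy cipher of the talk); a wrong key candidate produces uniformly random values.
"""
import random


def aes_sbox():
    """Generate the AES S-box: inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p runs through the nonzero field elements (multiply by 3 = x + 1)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q tracks 1/p (divide by 3)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # 0 has no inverse; the affine constant alone
    return sbox


def image_and_missing(sbox):
    """Image of f(x) = S(x) ^ x over F_2^8 and the sorted list of values f never takes."""
    image = {sbox[x] ^ x for x in range(256)}
    missing = sorted(set(range(256)) - image)
    return image, missing


def avoids_missing(samples, missing):
    """The test a key candidate must pass: none of its q'(x) values lies outside Im(f)."""
    miss = set(missing)
    return all(s not in miss for s in samples)


def right_key_samples(sbox, key, count, seed):
    """Values f(x ^ key) for random plaintext words x: the right-key behaviour."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        v = rng.randrange(256) ^ key
        out.append(sbox[v] ^ v)
    return out


def wrong_key_samples(count, seed):
    """Wrong-key behaviour, modelled as uniformly random bytes (constructed assumption)."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(count)]


def random_function_image_fraction(trials, seed):
    """Average |Im(g)| / 256 over random functions g on F_2^8; tends to 1 - 1/e ~ 0.632."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += len({rng.randrange(256) for _ in range(256)})
    return total / (256 * trials)


if __name__ == '__main__':
    S = aes_sbox()
    image, missing = image_and_missing(S)
    print('|Im(f)| =', len(image), ' values never taken:', [hex(m) for m in missing])
    print('right key passes:', avoids_missing(right_key_samples(S, 0x2A, 4096, 1), missing))
    print('wrong key passes:', avoids_missing(wrong_key_samples(20 * 256, 2), missing))
    print('random-function image fraction ~', round(random_function_image_fraction(200, 3), 3))
```

Two of the values f never takes are 0 and 0xFF, because the AES S-box has no fixed points and no opposite fixed points; a single occurrence of such a value in Q_rk eliminates that key candidate, which is why a few multiples of 2^b samples suffice to reject a random-looking wrong key with overwhelming probability.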

Non-surjective Attack: Complexity Analysis. Number of wrong key candidates: 2^{(n−1)b} − 1. A wrong key behaves like a random function, so its Q_rk covers about 0.632 · 2^b values (the expected image size of a random function on F_2^b), and the probability P_err that a wrong key candidate passes the test decreases as the parameter t grows.

Non-surjective Attack. Data complexity, time complexity and space complexity are expressed in terms of t, n, b and the image size of f (the 0.632 factor enters for wrong keys).

Non-surjective Attack: parameters of an 18-round toy cipher. b=8, n=4, round function = the AES S-box. Practically secure against DC and LC: p=q=2^{−6}, so the differential (linear) characteristic probability for 15 rounds is upper bounded by ((2^{−6})^2)^3 = 2^{−36} < 2^{−32}.

Non-surjective Attack: experimental results on the toy cipher.
Parameter t | Chosen plaintexts | Success probability p
2 | 2^27 | 0.474
4 | 2^30 | 0.758
6 | 2^33 | 0.873
8 | 2^36 | 0.965
10 | 2^39 | 0.992

Conclusion. (1) Strong asymmetry between encryption and decryption. (2) Slow diffusion rate in the encryption direction. Four-Cell (25 rounds): rounds 1–5 SP, 6–20 SPS, 21–25 SP. Four-Cell+ (30 rounds): rounds 1–10 SP, 11–20 SPS, 21–30 SP.

Conclusion. Given a scheme, how can we establish its resistance against integral and impossible differential cryptanalysis? How can this kind of non-surjective attack be applied to other cryptographic schemes? Designing a high-level structure that is both efficient and secure remains a challenging task.

Thank you! Q & A