Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Similar documents
Improving the Time Complexity of Matsui s Linear Cryptanalysis

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

Linear Cryptanalysis of Reduced-Round PRESENT

Experimenting Linear Cryptanalysis

On Multiple Linear Approximations

Differential-Linear Cryptanalysis of Serpent

Linear Cryptanalysis Using Multiple Approximations

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Linear Cryptanalysis

Differential Attack on Five Rounds of the SC2000 Block Cipher

New Results in the Linear Cryptanalysis of DES

Towards Provable Security of Substitution-Permutation Encryption Networks

Chapter 1 - Linear cryptanalysis.

Linear Cryptanalysis of RC5 and RC6

Bit-Pattern Based Integral Attack

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

How Biased Are Linear Biases

Improving the Algorithm 2 in Multidimensional Linear Cryptanalysis

Revisiting the Wrong-Key-Randomization Hypothesis

Algebraic Techniques in Differential Cryptanalysis

Subspace Trail Cryptanalysis and its Applications to AES

Block Cipher Cryptanalysis: An Overview

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Linear Cryptanalysis of Reduced-Round Speck

Enhancing the Signal to Noise Ratio

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Linear Cryptanalysis of DES with Asymmetries

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

FFT-Based Key Recovery for the Integral Attack

Introduction to Symmetric Cryptography

jorge 2 LSI-TEC, PKI Certification department

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

Linear Cryptanalysis Using Low-bias Linear Approximations

On Correlation Between the Order of S-boxes and the Strength of DES

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Linear Approximations for 2-round Trivium

DD2448 Foundations of Cryptography Lecture 3

New Combined Attacks on Block Ciphers

A Brief Comparison of Simon and Simeck

Improved Analysis of Some Simplified Variants of RC6

A Five-Round Algebraic Property of the Advanced Encryption Standard

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.

Integral and Multidimensional Linear Distinguishers with Correlation Zero

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Linear Cryptanalysis Using Multiple Linear Approximations

On the Security of NOEKEON against Side Channel Cube Attacks

Improved Linear Cryptanalysis of SMS4 Block Cipher

Key Difference Invariant Bias in Block Ciphers

Block Ciphers and Systems of Quadratic Equations

On the Masking Countermeasure and Higher-Order Power Analysis Attacks

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Complementing Feistel Ciphers

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2

Chapter 2 - Differential cryptanalysis.

Provable Security Against Differential and Linear Cryptanalysis

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Concurrent Error Detection in S-boxes 1

Publication VII Springer Science+Business Media. Reprinted with kind permission from Springer Science and Business Media.

Lecture 12: Block ciphers

Differential Fault Analysis of Trivium

KFC - The Krazy Feistel Cipher

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Statistical Analysis of chi-square A. Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO

Structural Cryptanalysis of SASAS

Extended Criterion for Absence of Fixed Points

Feistel Schemes and Bi-Linear Cryptanalysis (Long extended version of Crypto 2004 paper) Nicolas T. Courtois

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Provable Security Against Differential and Linear Cryptanalysis

Structural Cryptanalysis of SASAS

AES side channel attacks protection using random isomorphisms

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Statistical and Algebraic Properties of DES

Effect of the Dependent Paths in Linear Hull

Cryptanalysis of Achterbahn

A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Impossible Differential Cryptanalysis of Mini-AES

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Public Key Cryptography

Algebraic Techniques in Differential Cryptanalysis

New Results on Boomerang and Rectangle Attacks

Improved Cascaded Stream Ciphers Using Feedback

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Impossible Differential Attacks on 13-Round CLEFIA-128

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Multidimensional Extension of Matsui s Algorithm 2

Cryptanalysis of the SIMON Family of Block Ciphers

Affine equivalence in the AES round function

Transcription:

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL Crypto Group) FSE 2008 1 / 31

Happy Birthday, Nathalie! Collard B. (UCL Crypto Group) FSE 2008 2 / 31

Outline Outline Various experimental attacks against reduced-round Serpent are presented. We used the framework proposed by Biryukov et al. at crypto 2004 [2] The purposes are the following : To confirm the relevance of their theoretical approach To show the practical improvements of multiple approximations To observe the consequences of linear dependancies in the approximations To compare the specificities of Matsui s Algorithm 1 and 2 Collard B. (UCL Crypto Group) FSE 2008 3 / 31

Table of content Table of content 1 Linear cryptanalysis 2 Preliminary remarks 3 Experimental attacks with Algorithm 1 4 Experimental attacks with Algorithm 2 5 Conclusion and further work Collard B. (UCL Crypto Group) FSE 2008 4 / 31

Linear cryptanalysis 1. Linear Cryptanalysis Collard B. (UCL Crypto Group) FSE 2008 5 / 31

Linear cryptanalysis Introduction Initially proposed by Matsui [8] in 1993 Exploits bias in the occurrence probability of a linear approximation Such expressions are obtained by linear approximations of the non-linear elements of the cipher Linear Approximation P[χ P ] C[χ C ] = K[χ K ] (1) P, C and K denote the plaintext, ciphertext and the secret key A[χ] stands for A a1 A a2... A an χ is usually denoted as a mask For a good approximation, the equation holds with a probability significantly different than 1/2 Collard B. (UCL Crypto Group) FSE 2008 6 / 31

Linear cryptanalysis Algorithms Given a r-round approximation P[χ P ] C[χ C ] = K[χ K ] with bias ɛ Algorithm 1 Algorithm 1 attacks r-round cipher by simply evaluating P[χ P ] C[χ C ] for a sufficiently large number of plaintext-ciphertext. The parity of K[χ K ] can then be guessed thanks to the probability of the left parity. This attack recovers one bit of key parity. Algorithm 2 Algorithm 2 targets (r+1)-rounds cipher by partially decrypting the last round with a key guess and then evaluates the experimental bias for each guess. Several bits can be recovered at the same time. In both cases, the data complexity is proportional to 1/ɛ 2 Collard B. (UCL Crypto Group) FSE 2008 7 / 31

Linear cryptanalysis Multiple linear cryptanalysis Multiple linear cryptanalysis Improves cryptanalysis by using multiple approximations Introduced by Kalisky and Robshaw [5] in 1994 Improved by Biryukov et al. [2] in 2004 Defines capacity as c 2 = 4 n i=1 ɛ2 i Decreases the data complexity to O(1/c 2 ) Collard B. (UCL Crypto Group) FSE 2008 8 / 31

Linear cryptanalysis Multiple linear cryptanalysis Theoretical framework Given m approximations on r rounds : P[χ i P ] C[χi C ] = K[χi K ] (1 i m), (2) We want to determine the value of the vector of parity : Z = (z 1, z 2,..., z m ) = (K[χ 1 K ], K[χ2 K ],..., K[χm K ]) (3) Define a counter T i for approximation i T i is incremented when the approximation is verified for a P-C pair The experimental biases ɛ i are evaluated as (T i N/2)/N A sorted list of the vector parity candidates is built according to the distance between theoretical and experimental biases The remaining unknown bits are guessed by exhaustive search. Collard B. (UCL Crypto Group) FSE 2008 9 / 31

Linear cryptanalysis Gain Definition (Gain) if an attack is used to recover an n-bit key and is expected to return the correct key after having checked M candidates in average, then the gain of the attack, expressed in bits, is defined as : γ = log 2 2 M 1 2 n (4) Intuitively, the gain is a measure of the remaining key candidates to test after a cryptanalysis has been performed. This gain is determined by the position of the correct vector of parity in the weighted list of candidates obtained during the analysis phase. Collard B. (UCL Crypto Group) FSE 2008 10 / 31

Preliminary remarks 2. Preliminary remarks Collard B. (UCL Crypto Group) FSE 2008 11 / 31

Preliminary remarks The cipher Serpent Serpent AES candidate - rated second behind Rijndael Designed by Anderson, Biham and Knudsen [1] Conservative design Architecture Substitution-Permutation Network (SPN) Composed of 32 rounds For each round : A subkey addition A passage through S-boxes A linear transformation Best known attack Linear-differential cryptanalysis on 11 rounds (Biham et al. [12] ). Collard B. (UCL Crypto Group) FSE 2008 12 / 31

Preliminary remarks Experiments with a single approximation Evolution of the experimental biases according to the data complexity : We used a 4-round linear approximation with a bias of 2 12 We evaluated the experimental bias with up to 16 2 24 texts The bias becomes stable after about 8/ɛ 2 texts. The underestimated theoretical bias suggests that the linear hull effect [4] is not negligible Collard B. (UCL Crypto Group) FSE 2008 13 / 31

Preliminary remarks Experiments with 64 approximations Evolution of the experimental bias according to the data complexity : We used 64 4-round linear approximations with various biases We evaluated the experimental biases for up to 1500 2 24 texts Approximations separate into 2 according to the sign of their bias Each approximation provides some information about the key Collard B. (UCL Crypto Group) FSE 2008 14 / 31

Experimental attacks with Algorithm 1 3. Experimental attacks with Algorithm 1 Collard B. (UCL Crypto Group) FSE 2008 15 / 31

Experimental attacks with Algorithm 1 Selection of the approximations Linear approximation search Generation of the approximation is computationally demanding A branch-and-bound algorithm was proposed by Matsui [10] We used a modified heuristic [3] Selection of the approximations With Algorithm 1, an adversary recovers linear combination of subkey bits This drawback can be partially relaxed using multiple approximations : The best linear approximation found is selected Then only the input/output masks of the linear trail are modified Finally, by carefully choosing the linear dependancies, the adversary ends up with an exploitable information on the cipher key. As the linear trail is the same for all the approximations except in the input/output, the adversary can easily recover first/last subkey bits. Collard B. (UCL Crypto Group) FSE 2008 16 / 31

Experimental attacks with Algorithm 1 Attack results Evolution of the distance between theoretical and experimental biases : We used 64 4-round linear approximations with various biases Between 2/c 2 and 128/c 2 texts were used Attack results improve with the number of texts A regular structure underlines the impact of the Hamming distance. Collard B. (UCL Crypto Group) FSE 2008 17 / 31

Experimental attacks with Algorithm 1 Attack results Same experiment using 4096/c 2 texts : 10 parity bits K[χ i K ] have to be guessed The regular structure is even more remarkable Collard B. (UCL Crypto Group) FSE 2008 18 / 31

Experimental attacks with Algorithm 1 Attack results Gain of three attacks with respectively 1, 10 and 64 approximations : Only 10 linearly independent approximations Gain with 64 approx. increases 8 times faster than with 10 approx. The graph shows no influence of the linear dependencies Collard B. (UCL Crypto Group) FSE 2008 19 / 31

Experimental attacks with Algorithm 1 Gain vs. success rate Definition (success rate) The success rate of an attack using n approximations is the percentage of parity bits guessed correctly among the n parities when they are choosen so as to minimize the distance between experimental and theoretical biases. Rationale Unlike the gain, it doesn t take the linear dependencies into account Comparison allows to determine the advantage of multiple approximations. Collard B. (UCL Crypto Group) FSE 2008 20 / 31

Experimental attacks with Algorithm 1 Gain vs. success rate Error Correcting code effect : Using 64 approximations, only 10 linearly independent The gain increases much faster than the succes rate Consequence of linear dependancies in the approximations The correct vector of parity must respect these dependancies This gives an efficient way to check a parity candidate Some parity candidates can be rejected a-priori. Collard B. (UCL Crypto Group) FSE 2008 21 / 31

Experimental attacks with Algorithm 1 Gain vs. success rate Suppose n out of the n approximations are guessed correctly : The success rate is n /n. The gain is evaluated according to the position of the correct parity vector in the list of parity candidates : Choose the first candidate so as to minimize the euclidian distance between theoretical and experimental biases. Assume one guess is incorrect ; choose one parity bit and take its complement ; try the ( n 1) possible candidates ; Assume two guesses are incorrect ; choose two parity bits and take their complements ; try the ( n 2) possible candidates ;... Assume n n guesses are incorrect ; choose n n parity bits and take their complements ; try the ( n n n ) possible candidates ; After n n steps, we have necessarily found the correct candidate Thus the gain of the attack equals : ( n n ( n ) ) i=0 i γ = log 2 2 n (5) Collard B. (UCL Crypto Group) FSE 2008 22 / 31

Experimental attacks with Algorithm 1 Gain vs. success rate Gain vs. Success rate (up to 416 approx. and 15 independent one) : Predictions (in black) assume independence of the approximations Observations fit well as long as the gains do not saturate For a given success rate, the gain increases with the number of approximations Collard B. (UCL Crypto Group) FSE 2008 23 / 31

Experimental attacks with Algorithm 2 4. Experimental attacks with Algorithm 2 Collard B. (UCL Crypto Group) FSE 2008 24 / 31

Experimental attacks with Algorithm 2 Difference between Algorithm 1 and Algorithm 2 Difference between Algorithm 1 and Algorithm 2 With Algorithm 1, parity guesses are choosen so as to minimize : min g m (ɛ i ( 1) g(i) ɛ i ) 2, (6) i=1 Algorithm 1 works even if the theoretical biases are underestimated. With Algorithm 2, subkey and parity guesses are choosen to minimize : ( min min k g m (ɛ i ( 1) g(i) ɛ i,k )2) (7) i=1 Algorithm 2 requires good theoretical estimations of experimental biases The framework of Biryukov cannot be directly applied in this context We look for the guess with the highest experimental bias instead Collard B. (UCL Crypto Group) FSE 2008 25 / 31

Experimental attacks with Algorithm 2 Attack results Attacks against 5-round Serpent using 32 approximations : Collard B. (UCL Crypto Group) FSE 2008 26 / 31

Gain of the attack : Experimental attacks with Algorithm 2 Attack results Multiple approximations allows to increase the gain of an attack Increasing the number of approximations does not involve reductions of the data complexity according to the capacity as for Algorithm 1. Collard B. (UCL Crypto Group) FSE 2008 27 / 31

Conclusion and further work 5. Conclusion and further work Collard B. (UCL Crypto Group) FSE 2008 28 / 31

Conclusion and further work We presented experimental results of multiple linear cryptanalysis against 4- and 5-round Serpent. In practice, our experiments confirmed the significant improvement of multiple linear cryptanalysis attacks compared to Matsui s original attack. As expected, Attack showed no influence of linear dependencies on the gain Collard B. (UCL Crypto Group) FSE 2008 29 / 31

Conclusion and further work By contrast with experiments against the DES, we observed a significant linear hull effect, with the following consequences : Optimal attacks using Matsui s Algorithm 1 closely followed the data complexities predicted with the capacity value, even if the theoretical biases of the approximations were underestimated. Optimal attacks using Matsui s Algorithm 2 did not lead to successful key recoveries because of the lack of good theoretical estimations of the biases. Modified heuristics allowed us to take advantage of multiple approximations. But the improvement is not following the predictions of the capacity values anymore. Collard B. (UCL Crypto Group) FSE 2008 30 / 31

Conclusion and further work Thanks for your attention! Collard B. (UCL Crypto Group) FSE 2008 31 / 31

References R. Anderson, E. Biham, L. Knudsen, Serpent : A Proposal for the Advanced Encryption Standard, in the proceedings of the First Advanced Encryption Standard (AES) Conference, Ventura, CA, 1998. A. Biryukov, C. De Cannière, M. Quisquater, On Multiple Linear Approximations, in the proceedings of CRYPTO 2004, Lecture Notes in Computer Science, vol. 3152, pp.1-22, Santa Barbara, California, USA, August 2004. B. Collard, F.-X. Standaert, J.-J. Quisquater, Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent, in the proceedings of InsCrypt 2007, LNCS, pp. 47-61, Xining, China, September 2007. P. Junod, On the Complexity of Matsui s Attack, in the proceedings of SAC 2001, LNCS, vol. 2259, pp. 199-211, Toronto, Ontario, Canada, August 2001. B.S. Kaliski, M.J.B. Robshaw, Linear Cryptanalysis using Multiple Approximations, in the proceedings of CRYPTO 1994, Lecture Notes in Computer Sciences, vol. 839, pp. 26-39, Santa Barbara, California, USA, August 1994. L.R. Knudsen, Practically Secure Feistel Ciphers, in the proceedings of FSE 1993, LNCS, vol. 809, pp. 211-221, Cambridge, UK, December 1993. Collard B. (UCL Crypto Group) FSE 2008 31 / 31

References S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, M. Schimmler, Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker, in the proceedings of Cryptographic Hardware and Embedded Systems - CHES 2006, Lecture Notes in Computer Science, vol. 4249, Springer, 2006. M. Matsui, Linear cryptanalysis method for DES cipher, in the proceedings of Eurocrypt 1993, LNCS, vol. 765, pp. 386 397, Lofthus, Norway, May 1993. K. Nyberg, Linear Approximations of Block Ciphers, in the proceedings of Eurocrypt 1994, LNCS, vol. 950, pp. 439-444, Perugia, Italy, May 1994. M. Matsui, On Correlation Between the Order of S-boxes and the Strength of DES, in the proceedings of Eurocrypt 1994, Lecture Notes in Computer Science, vol. 950, pp. 366-375, Perugia, Italy, May 1994. S. Murphy, The Independence of Linear Approximations in Symmetric Cryptology, IEEE Transactions on Information Theory, Vol. 52, pp. 5510-5518, 2006. E. Biham, O. Dunkelman, N. Keller, Differential-linear Cryptanalysis of Serpent, in theproceedings of Fast Software Encryption 2003, Lecture Notes in Computer Science, vol. 2887, pp. 9-21, Springer, 2004. Collard B. (UCL Crypto Group) FSE 2008 31 / 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback