Post on 03-Feb-2022
Multiple differential cryptanalysis using LLR and χ² Statistics
Céline Blondeau, joint work with Benoît Gérard and Kaisa Nyberg
October 8, 2012

Outline
- Introduction: Block Ciphers, Differential Cryptanalysis, Last Round Attacks
- Multiple Differential Cryptanalysis: Definition, Partitioning Function, Complexities
- Experiments: Experimental Results, Analysis

Block ciphers
$x \rightarrow F_{K_1} \rightarrow F_{K_2} \rightarrow \cdots \rightarrow F_{K_r} \rightarrow F_{K_{r+1}} \rightarrow y$
$E_K : \mathbb{F}_2^m \rightarrow \mathbb{F}_2^m$
- $K$: master key
- $F$: round function
- $K_i$: round key
[Figure: SMALLPRESENT-[4], rounds built from S-boxes S3 S2 S1 S0]

Statistical Attacks
Statistical attacks:
- Take advantage of a non-uniform behavior of the cipher
- Two families: linear and differential cryptanalysis
Improvement of differential cryptanalysis:
- Differential cryptanalysis [Biham Shamir 91]
- Truncated differential cryptanalysis [Knudsen 95]
- Impossible differential cryptanalysis [Biham Biryukov Shamir 99]
- Higher order differential cryptanalysis [Lai 94] [Knudsen 95]
- Multiple differential cryptanalysis (first approach) [BG 11]

Linear cryptanalysis
[Figure: three rounds of the cipher with S-boxes S3 S2 S1 S0]
[Tardy-Gilbert 91], [Matsui 93]
Linear relation using
- plaintext bits,
- key bits,
- ciphertext bits.
$\pi \cdot x \oplus \kappa \cdot K \oplus \gamma \cdot y = 0$ with probability $p = \frac{1}{2} + \varepsilon$

Differential Cryptanalysis
Given an input difference between two plaintexts, some output differences occur more often than others.
[Figure: $x$ and $x'$ differ by $\delta_{in}$; both are encrypted with $E_K$, giving $y$ and $y'$, which differ by $\delta_{out}$]
Differential: pair of input and output difference $(\delta_{in}, \delta_{out})$
Differential probability: $p = P_{X,K}[E_K(X) \oplus E_K(X \oplus \delta_{in}) = \delta_{out}]$
Uniform probability: $\theta = 2^{-m}$

Last Round Attack
[Figure: Plaintext → $r$ rounds $F^r_K$ (characteristic, used as distinguisher) → partial state → substitution layer S7 ... S0 → key addition with k7 ... k0 → ciphertext]

Related Work
Linear cryptanalysis:
- Multiple linear cryptanalysis [Baignères, Junod, Vaudenay 04]
- Multidimensional linear cryptanalysis [Hermelin, Cho, Nyberg 08]
Both use LLR and/or χ² statistical tests.
Differential cryptanalysis:
- [Blondeau, Gérard 11]: the frequencies are summed up
- Here: we study the LLR and/or χ² statistical tests.

Multiple differential cryptanalysis (First Approach)
- Set of differences $(\delta_{in}^{(v)}, \delta_{out}^{(v)})$
- With probabilities $p_v = P_{X,K}[E_K(X) \oplus E_K(X \oplus \delta_{in}^{(v)}) = \delta_{out}^{(v)}]$.
- Set of input differences $\delta_{in}^{(v)} \in \Delta_{in}$.
- $p = \frac{1}{|\Delta_{in}|} \sum_v p_v$: expected probability.
- $\theta = \frac{1}{|\Delta_{in}|} \sum_v \frac{1}{2^m}$: uniform probability.

Multiple Differential Cryptanalysis
- Fix input difference $\delta_{in}$ (to simplify the analysis)
- Vector of “difference”: $V = [\delta_{out}^{(i)}]$ after $r$ rounds,
- $p = [p_v]_{v \in V}$: vector of expected probabilities.
- $\theta = [\theta_v]_{v \in V}$: vector of uniform probabilities.

Discussion
Parallel work for small ciphers: [Albrecht Leander 2012]
- Whole distribution taken for SMALLPRESENT-[4] (16-bit cipher)
- Whole distribution taken for KATAN-32 (32-bit cipher)
Limits:
For actual ciphers the output size is too large ($2^{64}$ or $2^{128}$)
Application to real cipher:
Introduction of partitioning functions.

Partitioning function
We analyze two “orthogonal” cases
- Unbalanced partitioning
  - Take a subset of simple differences
- Balanced partitioning
  - Group the differences in order to be able to use information of the whole output space.

Unbalanced Partitioning
Idea: Subset of simple differences
- Output differences $(\delta_{out}^{(i)})_{1 \le i \le A}$,
- Counter for each of these differentials $q_i^k$.
- As $\sum_{i=1}^{A} q_i^k \neq 1$,
- we have a “trash” counter $q_0^k$ which gathers all other output differences.
We increment the counter $q_i^k$ if the difference $\delta_{out}^{(i)}$ is obtained after partial deciphering.

Unbalanced Partitioning: Last Round Attack
[Figure: $\delta_{in}$ leads to the output differences $V = [\delta_{out}^{(i)}]_i$ in front of the last-round substitution layer S7 ... S0 and key addition k7 ... k0]
- Active S-boxes: S4, S3, S1
- Sieving process: discard some ciphertext pairs
- For all key candidates, partially decipher (k4, k3, k1)
- If $\delta = \delta_{out}^{(i)}$, increment $q_i^k$; otherwise increment $q_0^k$
- Analyse the vectors $q^k$ for each key: scoring function

Unbalanced Partitioning: Remarks
Corresponding known/former attacks:
- Differential cryptanalysis.
Advantage:
- A sieving process ⇒ “smaller” time complexity
Disadvantage:
- Subset of output space ⇒ not all information
- Small probabilities ⇒ non-tightness of the information

Balanced Partitioning
Idea: Using information from all output differences by grouping them.
Let $V = [\delta_{out}^{(i)}]_i$ be a subspace of $\mathbb{F}_2^m$.
A group of differences: $\Delta_{out}^{(i)} = \delta_{out}^{(i)} \oplus \bar{V}$ (with $V \oplus \bar{V} = \mathbb{F}_2^m$).
A counter $q_i^k$ for each group of differences.
We increment the counter $q_i^k$ if the difference $\delta \in \Delta_{out}^{(i)}$ is obtained after partial deciphering.

Balanced Partitioning: Last Round Attack
[Figure: $\delta_{in}$ leads to the groups $\Delta_{out} = \delta_{out} \oplus \bar{V}$ in front of the last-round substitution layer S7 ... S0 and key addition k7 ... k0]
- Active S-boxes: S7, S6, S5, S4, S3, S2, S1, S0
- No sieving process: partially decipher for all pairs
- For all key candidates, partially decipher (k4, k3, k2 through S4, S3, S2)
- If $\delta \in \delta_{out}^{(i)} \oplus \bar{V}$, increment $q_i^k$
- Analyse the vectors $q^k$ for each key: scoring function

Balanced Partitioning: Remarks
Corresponding known/former attacks:
- Truncated differential cryptanalysis.
Advantage:
- Whole output space ⇒ more information
- Bigger probabilities ⇒ tightness of the information
Disadvantage:
- No sieving process ⇒ more time complexity

Statistical Tests
Probability distribution vectors:
- Expected: $p = [p_v]_{v \in V}$
- Uniform: $\theta$
- Observed: $q^k$ (for a given key candidate)
LLR test: requires the knowledge of the theoretical probability $p$.
$$S_k = \mathrm{LLR}_k(q^k, p, \theta) \stackrel{\mathrm{def}}{=} N_s \sum_{v \in V} q_v^k \log\left(\frac{p_v}{\theta_v}\right).$$
χ² test: does not require the knowledge of $p$ for the attack.
$$S_k = \chi^2_k(q^k, \theta) = N_s \sum_{v \in V} \frac{(q_v^k - \theta_v)^2}{\theta_v}.$$

Complexities
Let $S(k)$ be the statistic obtained for a key candidate $k$.
$S(k) = \mathrm{LLR}_k(q^k, p, \theta)$ or $S(k) = \chi^2_k(q^k, \theta)$
Then,
$$S(k) \sim \begin{cases} \mathcal{N}(\mu_R, \sigma_R^2) & \text{if } k = K_r, \\ \mathcal{N}(\mu_W, \sigma_W^2) & \text{otherwise.} \end{cases}$$
In the paper:
- Estimates of the value of $\mu_R$, $\mu_W$, $\sigma_R$, $\sigma_W$ for both LLR and χ² statistical tests.
- Estimates of the Data Complexity
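
The two scoring functions and the right-key/wrong-key separation described above, as an added example that is not code from the slides or the paper. It simulates counter vectors for an unbalanced partitioning with a trash cell; the toy block size, the four probabilities in `p`, the wrong-key model (counters drawn from $\theta$) and all function names are assumptions made for illustration.

```python
import math
import random

def llr_score(q, p, theta, n_s):
    """LLR statistic from the slides: N_s * sum_v q_v * log(p_v / theta_v)."""
    return n_s * sum(qv * math.log(pv / tv) for qv, pv, tv in zip(q, p, theta))

def chi2_score(q, theta, n_s):
    """chi^2 statistic from the slides: N_s * sum_v (q_v - theta_v)^2 / theta_v."""
    return n_s * sum((qv - tv) ** 2 / tv for qv, tv in zip(q, theta))

def with_trash(probs):
    """Unbalanced partitioning: add the trash cell (index 0) so the vector sums to 1."""
    return [1.0 - sum(probs)] + list(probs)

def observe(dist, n_s, rng):
    """Simulate n_s partially deciphered pairs; return the frequency vector q^k."""
    counts = [0] * len(dist)
    for cell in rng.choices(range(len(dist)), weights=dist, k=n_s):
        counts[cell] += 1
    return [c / n_s for c in counts]

def rank_of_right_key(n_keys=16, right=5, n_s=1 << 16, seed=2012):
    """Score every key candidate with both tests; return the right key's rank (0 = best)."""
    rng = random.Random(seed)
    m = 8                                   # constructed toy block size (bits)
    theta = with_trash([2.0 ** -m] * 4)     # 4 tracked output differences
    p = with_trash([c * 2.0 ** -m for c in (2.0, 1.6, 1.4, 1.25)])  # constructed
    scores = {"LLR": [], "chi2": []}
    for k in range(n_keys):
        # Assumed model: right key's counters follow p, wrong keys' follow theta.
        q = observe(p if k == right else theta, n_s, rng)
        scores["LLR"].append(llr_score(q, p, theta, n_s))
        scores["chi2"].append(chi2_score(q, theta, n_s))
    return {name: sorted(range(n_keys), key=lambda k: -s[k]).index(right)
            for name, s in scores.items()}

if __name__ == "__main__":
    print(rank_of_right_key())
```

Note that `llr_score` needs the expected vector `p`, while `chi2_score` only needs `theta`, which is the trade-off the slides draw between the two tests.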

Using unbalanced partitioning
Subset of output differences
[Plot: $P_S$ (0.5 to 0.9) versus $\log_2(N)$ (20 to 30); experimental (Ex.) and theoretical (Th.) curves for LLR and χ², each with a = 4 and a = 11]

Using balanced partitioning
Set of groups of output differences
[Plot: $P_S$ (0.5 to 0.9) versus $\log_2(N)$ (19 to 27); experimental (Ex.) and theoretical (Th.) curves for LLR and χ², each with a = 4 and a = 7]

Conclusions
Balanced or unbalanced partitioning?
- Time complexity: unbalanced ⇒ faster attack.
- Data complexity: depends on the cipher.
LLR or χ²?
- If we have a good estimate of the expected probabilities ⇒ LLR provides better data and memory complexities
- Otherwise LLR is not effective

Work in Progress
Estimation of the Differential Probabilities
In theory:
- Estimation of truncated differential probabilities can be done correlations.
In practice:
- Estimation of the correlations is “easy” on PRESENT [CHO]
- We use them to compute the distribution vector.
- We provide a multiple differential attack on PRESENT