using multiple differentials
TRANSCRIPT
Using Multiple Differentials...
1/28
Using Multiple Differentials...
On the LLR and χ2 Statistical Tests in Differential Context
Celine Blondeau
Aalto University
Luxembourg, January 2013
joint work with Benoıt Gerard and Kaisa Nyberg
Using Multiple Differentials...
2/28
Outline
IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis
Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials
Analysing InformationLLR Statistical Testχ2 Statistical Test
ExperimentsExperimental ResultsDiscussion
Using Multiple Differentials...
3/28
Outline
IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis
Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials
Analysing InformationLLR Statistical Testχ2 Statistical Test
ExperimentsExperimental ResultsDiscussion
Using Multiple Differentials...
4/28
Block ciphers
--
--
-
x
y
FK1
FK2
FKr
FKr+1
EK : Fm2 → Fm
2
I K : Master keyI F : Round functionI Ki : Round key
cccc cccc cccc cccc
cccc cccc cccc cccc
cccc cccc cccc cccc
cccc cccc cccc cccc
S3 S2 S1 S0
S3 S2 S1 S0
S3 S2 S1 S0
���
������
����
����
@@@
���
������
HHHH
HH
@@@
���
PPPP
PPPP
HHHH
HH
@@@
���
���
���
����
����
@@@
���
������
HHH
HHH
@@@
���
PPPP
PPPP
HHHH
HH
@@@
���
���
���
����
����
@@@
���
������
HHH
HHH
@@@
���
PPPP
PPPP
HHH
HHH
@@@
SMALLPRESENT-[4]
Using Multiple Differentials...
5/28
Statistical Attacks
Statistical attacks:I Take advantage of a non-uniform behavior of the cipherI Two families: Linear and Differential cryptanalysis
Improvement of differential cryptanalysis
I Differential cryptanalysis [Biham Shamir 91]I Truncated differential cryptanalysis [Knudsen 95]I Impossible differential cryptanalysis [Biham Biryukov Shamir
99]I Higher order differential cryptanalysis [Lai 94] [Knudsen 95]I Bulk Multiple differential cryptanalysis [Blondeau Gerard 11]
Using Multiple Differentials...
6/28
Differential CryptanalysisGiven an input difference between two plaintexts, some outputdifferences occur more often than others.
-
-
-
-
EK
EK
x
x ′
y
y ′
6
?
6
?
δin δout
Differential: pair of input and output difference (δin, δout)
Differential probability: p = PX ,K [ EK (x)⊕ Ek (x ⊕ δin) = δout ]
Uniform probability: θ = 2−m
Using Multiple Differentials...
7/28
Using Multiple differentials...
I Truncated differential cryptanalysisI Impossible differential cryptanalysisI Higher order differential cryptanalysisI Bulk differential cryptanalysis
One non-uniform probability is used for comparison with uniformprobability
Using Multiple Differentials...
7/28
Using Multiple differentials...
I Truncated differential cryptanalysisI Impossible differential cryptanalysisI Higher order differential cryptanalysisI Bulk differential cryptanalysis
One non-uniform probability is used for comparison with uniformprobability
Using Multiple Differentials...
8/28
Bulk differential cryptanalysis [FSE 2011]
I Set of differences (δin(v), δout
(v)), with probabilities pv .
I p = 1∆in
∑v pv expected probability.
I θ = 1∆in
∑v
12m uniform probability.
Frequencies are summed up.
How to use the probability of each differential individually?
Using Multiple Differentials...
8/28
Bulk differential cryptanalysis [FSE 2011]
I Set of differences (δin(v), δout
(v)), with probabilities pv .
I p = 1∆in
∑v pv expected probability.
I θ = 1∆in
∑v
12m uniform probability.
Frequencies are summed up.
How to use the probability of each differential individually?
Using Multiple Differentials...
8/28
Bulk differential cryptanalysis [FSE 2011]
I Set of differences (δin(v), δout
(v)), with probabilities pv .
I p = 1∆in
∑v pv expected probability.
I θ = 1∆in
∑v
12m uniform probability.
Frequencies are summed up.
How to use the probability of each differential individually?
Using Multiple Differentials...
9/28
Related Work
Linear Cryptanalysis [Matsui 93]:
I Multiple linear cryptanalysis [Baigneres Junod Vaudenay 04]
I Multidimensional linear cryptanalysis [Hermelin Cho Nyberg08]
Both use LLR and/or χ2 statistical tests.
Differential Cryptanalysis:
Recently :
I How to apply LLR and/or χ2 statistical tests?I How to partition the output differences?
Using Multiple Differentials...
10/28
Multiple Differential Cryptanalysis
I Fixed input difference δin (To simplify the analysis)
I Vector of “differences”: V = [δ(v)out ] after r rounds,
I p = [pv ]v∈V vector of expected probabilities.
I θ = [θv ]v∈V vector of uniform probabilities.
I qk = [qkv ]v∈V vector of observed probabilities for the key k .
Using Multiple Differentials...
11/28
Recent Work
[Albrecht Leander 12]
LLR statistical test
Application to SMALLPRESENT-[4] (m = 16) and KATAN-32(m = 32)
[Blondeau Gerard Nyberg 12]
LLR and χ2 statistical tests.
What to do when m > 32 ?
⇒ Introduction of partitioning functions
Using Multiple Differentials...
12/28
Outline
IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis
Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials
Analysing InformationLLR Statistical Testχ2 Statistical Test
ExperimentsExperimental ResultsDiscussion
Using Multiple Differentials...
13/28
Partitioning Functions
We analyze two “orthogonal” cases
I Unbalanced partitioningI Take a subset of simple differences
I Balanced partitioningI Group the differences in order to be able to use information of
the whole output space.
Aim:I Compare Time, Memory and Data complexity of the different
methods.
Using Multiple Differentials...
13/28
Partitioning Functions
We analyze two “orthogonal” cases
I Unbalanced partitioningI Take a subset of simple differences
I Balanced partitioningI Group the differences in order to be able to use information of
the whole output space.
Aim:I Compare Time, Memory and Data complexity of the different
methods.
Using Multiple Differentials...
14/28
Last Round Attack
Plaintext
Characteristic
Partial State??
r roundsF rK
Distinguisher
Using Multiple Differentials...
14/28
Last Round Attack
Plaintext
Characteristic
Partial State??
r roundsF rK
Distinguisher
?Substitution Layer
Key addition
S7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eCiphertext
Using Multiple Differentials...
15/28
Unbalanced Partitioning
Idea: Subset of simple differences
I Output differences (δ(v)out )1≤v≤A,
I Counter for each of these differentials qkv .
I As∑A
i=1 qkv 6= 1
I We have a “trash” counter qk0 which gathers all other output
differences.
Last Round Attack: We increment the counter qkv
if the difference δ(v)out is obtained after partial deciphering.
Using Multiple Differentials...
16/28
Unbalanced Partitioning: Last Round Attack
δin
?
V = [δ(v)out ]v
��* HHYV
Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e e
Using Multiple Differentials...
16/28
Unbalanced Partitioning: Last Round Attack
V = [δ(v)out ]v
��* HHYV
S7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1 Active Sboxes
Using Multiple Differentials...
16/28
Unbalanced Partitioning: Last Round Attack
��* HHYV
S7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1
Sieving processDiscard some ciphertext pairs
Using Multiple Differentials...
16/28
Unbalanced Partitioning: Last Round Attack
��* HHYV
S7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1
6e 6e 6e For all key candidates,partially decipherk4 k3 k1
6��@I
Using Multiple Differentials...
16/28
Unbalanced Partitioning: Last Round Attack
��* HHYV
S7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1
6e 6e 6ek4 k3 k1
6��@I If δ = δ(v)out
Increment qkv
OtherwiseIncrement qk
0
Using Multiple Differentials...
16/28
Unbalanced Partitioning: Last Round Attack
��* HHYV
S7 S6 S5 S4 S3 S2 S1 S0
k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1
6e 6e 6ek4 k3 k1
6��@I If δ = δ(v)out
Increment qkv
OtherwiseIncrement qk
0
Analyse the vectors qk for each key
Using Multiple Differentials...
17/28
Unbalanced Partionning: Remarks
Corresponding known/former attacks:I Differential cryptanalysis.
Advantage:I A sieving process⇒ “smaller” time complexity
Disadvantage:I Subset of output space⇒ Not all informationI Small probabilities⇒ Non-tightness of the information
Using Multiple Differentials...
18/28
Balanced Partitioning
Idea: Using information from all differences by grouping them.
Let V = [δ(v)out ]v a subspace of Fm
2
A group of differences ∆(v)out = δ
(v)out ⊕ V (V ⊕ V = Fm
2 )
A counter qkv for each group of differences.
Using Multiple Differentials...
19/28
Balanced Partitioning: Last Round Attack
δin
?
V
∆out = δout ⊕ V
Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0
Using Multiple Differentials...
19/28
Balanced Partitioning: Last Round Attack
V
∆out = δout ⊕ V
S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0
S7 S6 S5 S4 S3 S2 S1 S0 Active Sboxes
Using Multiple Differentials...
19/28
Balanced Partitioning: Last Round Attack
V
S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0
S7 S6 S5 S4 S3 S2 S1 S0
No sieving processPartially decipher for all pairs
Using Multiple Differentials...
19/28
Balanced Partitioning: Last Round Attack
V
S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0
S7 S6 S5 S4 S3 S2 S1 S0For all key candidates,
partially decipherk4 k3 k26e 6e 6eS4 S3 S2
Using Multiple Differentials...
19/28
Balanced Partitioning: Last Round Attack
V
S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0
S7 S6 S5 S4 S3 S2 S1 S0
k4 k3 k26e 6e 6eS4 S3 S2
��*6HHYIf δ ∈ δ(v)
out ⊕ VIncrement qk
v
Using Multiple Differentials...
19/28
Balanced Partitioning: Last Round Attack
V
S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0
S7 S6 S5 S4 S3 S2 S1 S0
k4 k3 k26e 6e 6eS4 S3 S2
��*6HHYIf δ ∈ δ(v)
out ⊕ VIncrement qk
v
Analyse the vectors qk for each key
Using Multiple Differentials...
20/28
Balanced Partitioning: Remarks
Corresponding known/former attacks:I Truncated Differential cryptanalysis.
Advantage:I Whole output space⇒ More informationI Bigger Probabilities⇒ Tightness of the information
Disadvantage:I No sieving process⇒ Larger time complexity
Using Multiple Differentials...
21/28
Outline
IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis
Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials
Analysing InformationLLR Statistical Testχ2 Statistical Test
ExperimentsExperimental ResultsDiscussion
Using Multiple Differentials...
22/28
Statistical TestsProbability distribution vectors
I Expected: p = [pv ]v∈V
I Uniform: θ = [θv ]v∈V
I Observed: qk (for a given key candidate k )
LLR test: requires the knowledge of the theoretical probability p.
Sk = LLRk (qk ,p, θ)def= Ns
∑v∈V
qkv log
(pv
θv
).
χ2 test: Does not require the knowledge of p for the attack
Sk = χ2k (qk , θ) = Ns
∑v∈V
(qkv − θv )2
θv.
Using Multiple Differentials...
23/28
Complexities
Let S(k) be the statistic obtained for a key candidate k .
Sk = LLRk (qk ,p, θ) or = χ2k (qk , θ)
Then,
Sk ∼{N (µR, σ
2R) if k = Kr ,
N (µW , σ2W ) otherwise.
[Selcuk 07]:I Estimates of the value of µR, µW , σR, σw for both LLR and χ2
statistical tests.I Estimates of the Data Complexity
Using Multiple Differentials...
24/28
Asymptotic Complexity when PS = 0.5
a: AdvantageΦ0,1 : cumulative function of standard normal distribution
LLR test:
N ≈Varp(log(p
θ ))[Ep(log(p
θ ))− Eθ(log(pθ ))]2 Φ−2
0,1(1− 2−a)
χ2 test:
N ≈√
2|V |C(p)
Φ−10,1(1− 2−a)
where C(p) =∑
v∈V
(pv−θv )2
θv
Using Multiple Differentials...
25/28
Outline
IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis
Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials
Analysing InformationLLR Statistical Testχ2 Statistical Test
ExperimentsExperimental ResultsDiscussion
Using Multiple Differentials...
26/28
Unbalanced Partitioning: Simple differences
0.5
0.6
0.7
0.8
0.9
20 22 24 26 28 30
PS
log2(N)
LLR : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11
χ2 : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11
Using Multiple Differentials...
27/28
Balanced Partitioning: Group of output differences
0.5
0.6
0.7
0.8
0.9
19 21 23 25 27
PS
log2(N)
LLR : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7
χ2 : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7
Using Multiple Differentials...
28/28
Conclusions
Balanced or Unbalanced partitioning ?I Time Complexity: unbalanced⇒ faster attack.I Data Complexity: depends of the cipher.
LLR or χ2?I If we have a good estimate of the expected probabilities⇒ LLR provides better Data and Memory complexities
I Otherwise LLR is not effective