
A Framework for Automated Biclique Cryptanalysis of Block Ciphers - PowerPoint PPT Presentation



1. A Framework for Automated Biclique Cryptanalysis of Block Ciphers
F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel
Bauhaus-Universität Weimar
FSE 2013, Singapore, 13.03.2013
Sections: Motivation, Biclique Cryptanalysis, Our Framework, Results
F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel, Bauhaus-Universität Weimar. Automated Biclique Cryptanalysis, 1 / 20

2. Biclique Cryptanalysis
- Biclique = complete bipartite graph, connecting each state in a set of starting states S with each state in a set of ending states C over a sub-cipher
- Introduced by Khovratovich, Rechberger, and Savelieva [KRS11] as a formalization of initial structures in splice-and-cut MitM attacks
- First used for preimage attacks on round-reduced SHA-2, Skein and their compression functions
- Adapted for key-recovery attacks on the AES by Bogdanov, Khovratovich and Rechberger [BKR11]

3. Biclique Cryptanalysis
Many more key-recovery attacks followed since then:
- on SQUARE by Mala [Mal11]
- on ARIA-256 by Chen and Xue [CX12]
- on Piccolo by Wang et al. [WWY12]
- on IDEA by Khovratovich, Leurent, and Rechberger [KLR12]
- on HIGHT [HKK11], TWINE by Çoban et al. [cKOB12], L-Block by Wang et al. [WWYZ12], PRESENT and LED by Jeong et al. [JKL+12], KLEIN-64 by Ahmadian et al. [ASA13]
Several approaches and improvements:
- independent and long bicliques [KRS11, BKR11], probabilistic bicliques [KLR12], bicliques for permutations [Kho12]

4. Motivation
- Initial aim: to completely understand the attacks by Bogdanov et al.
- Small framework to help the cryptanalyst find independent bicliques of maximal length
- Consider independent bicliques: generic; independence of differentials = formalized criterion to test

5. Agenda
1 Motivation
2 Biclique Cryptanalysis
3 Our Framework
4 Results

6. Biclique Cryptanalysis – Brief Recall

7. Given a primitive E, define a splitting as in a splice-and-cut attack, e.g., $E = B \circ E_2 \circ E_1$.
Construct the biclique around the starting state, here over B.

8. Choose a base computation $\{S_0, K[0,0], C_0\}$:
$S_0 \xrightarrow[B]{K[0,0]} C_0$

9. Find $2^d$ good (forward) $\Delta_i$-differentials, and compute $2^d$ times:
$S_0 \xrightarrow[B]{K[i,0]} C_i \;\equiv\; S_0 \xrightarrow[B]{K[0,0] \oplus \Delta_i^K} C_0 \oplus \Delta_i$

10. Find $2^d$ good (backward) $\nabla_j$-differentials, and compute $2^d$ times:
$S_j \xleftarrow[B]{K[0,j]} C_0 \;\equiv\; S_0 \oplus \nabla_j \xleftarrow[B]{K[0,0] \oplus \nabla_j^K} C_0$

11. If the trails are independent (do not share active non-linear operations), it holds for all $i, j \in \{0, \ldots, 2^d - 1\}$:
$S_j \xrightarrow[B]{K[i,j]} C_i \;\equiv\; S_0 \oplus \nabla_j \xrightarrow[B]{K[0,0] \oplus \Delta_i^K \oplus \nabla_j^K} C_0 \oplus \Delta_i$

12. Test $2^{2d}$ keys with only $2 \cdot 2^d$ computations in the biclique.

13. For the $2^d$ ciphertexts $C_i$, request the corresponding plaintexts $P_i$ from an oracle.

14. Compute and store $2^d$ values $\overrightarrow{v}_{i,0}$ in forward direction, and compute and store $2^d$ values $\overleftarrow{v}_{0,j}$ in backward direction:
$\forall i:\; P_i \xrightarrow[E_1]{K[i,0]} \overrightarrow{v}_{i,0}$ and $\forall j:\; \overleftarrow{v}_{0,j} \xleftarrow[E_2^{-1}]{K[0,j]} S_j$.

15. For the remaining $2^{2d} - 2 \cdot 2^d$ key candidates $K[i,j]$, only recompute the parts where the trails with $K[i,j]$ differ from those with $K[i,0]$ or $K[0,j]$:
$\forall i, j \neq 0:\; P_i \xrightarrow[E_1]{K[i,j]} \overrightarrow{v}_{i,j}$ and $\overleftarrow{v}_{i,j} \xleftarrow[E_2^{-1}]{K[i,j]} S_j$.

16. Relevance
- Low computational advantage if using exhaustive matching-with-precomputations, usually a factor of 2-16
- "Bruteforce-like cryptanalysis is not able to conclude that a particular target has a cryptanalytic weakness" (Jia, Rechberger, and Wang [JRW11])
- More generally, to derive a lower computational bound for individual ciphers

17. Our Framework

18. Structure
[UML component diagram: system "Framework for Independent-Biclique Cryptanalysis" with the components Common Components, Biclique Search, Matching and Rendering. Interfaces: RoundBasedSymmetricCipher, DifferentialComparator, DifferentialRenderer, StateRenderer. Classes: DifferentialBuilder, BicliqueFinderContext, BicliqueFinder, DeltaThread, NablaThread, MatchingDifferentialBuilder, MatchingContext, MatchingPhaseRenderer, ComplexityCalculator, BicliqueRenderer.]

19. Biclique Search
[Figure: three state diagrams, "Forward differential" (from $S_0$ to $C_i$), "Backward differential" (from $S_j$ to $C_0$) and "Combined", each over Round 8, Round 9 and Round 10 with sub-keys $8, $9 and $10.]
Finding a pair of differentials $(\Delta_i, \nabla_j)$ which share no active components in non-linear operations.

20. Biclique Search (cont'd)
Number of possible differentials. Example: for a key size k = 128 bits and a biclique dimension d = 8, one could test
$\binom{k}{d} = \frac{k!}{d!\,(k-d)!} = \binom{128}{8} \approx 1.43 \cdot 10^{12}$
Reduce time and memory complexity by considering nibble- or byte-wise operating primitives:
- Nibble-wise primitives: $\binom{\lceil k/4 \rceil}{\lceil d/4 \rceil} = \binom{32}{2} = 496$
- Byte-wise primitives: $\binom{\lceil k/8 \rceil}{\lceil d/8 \rceil} = \binom{16}{1} = 16$
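As an added example (not the paper's framework, whose classes slide 18 lists), the following models the trail construction and independence test of slides 9-11 and 19 together with the candidate count of slide 20 on a constructed toy 8-nibble SPN. It assumes independent round keys with no key schedule, a Δ-difference injected through the first biclique round's sub-key and a ∇-difference through the final whitening key, and works nibble-wise with truncated (active/inactive) differences.

```python
from math import comb, ceil
# Constructed toy linear layer (assumption, not from the paper): nibble pairs
# (2k, 2k+1) are mixed, then the nibble at position i moves to NPERM[i].
# As in AES, the last biclique round omits the mixing step.
NPERM = [0, 4, 1, 5, 2, 6, 3, 7]
INV_NPERM = [NPERM.index(i) for i in range(8)]

def mix(active):
    """Truncated pair mixing: one active input nibble activates both outputs."""
    return {x for n in active for x in (n & ~1, n | 1)}

def delta_trail(key_nibble, rounds):
    """Forward Delta-trail from a difference in the first round's sub-key:
    the set of active S-boxes (nibbles) for each biclique round."""
    active, trail = {key_nibble}, []
    for r in range(1, rounds + 1):
        trail.append(set(active))                 # S-box layer of round r
        if r < rounds:
            active = mix(active)                  # no mixing in the last round
        active = {NPERM[n] for n in active}
    return trail

def nabla_trail(key_nibble, rounds):
    """Backward Nabla-trail from a difference in the final whitening key,
    listed from round 1 upwards so it lines up with delta_trail."""
    active, trail = {key_nibble}, []
    for r in range(rounds, 0, -1):
        active = {INV_NPERM[n] for n in active}   # undo the permutation
        if r < rounds:
            active = mix(active)                  # undo pair mixing (symmetric)
        trail.insert(0, set(active))              # S-box layer of round r
    return trail

def independent(delta, nabla):
    """Independence criterion: no S-box active in both trails in any round."""
    return all(not (d & n) for d, n in zip(delta, nabla))

def find_independent_bicliques(rounds):
    """(Delta nibble, Nabla nibble) pairs giving an independent biclique over
    `rounds` rounds; the largest round count with a hit is the maximal length."""
    return [(i, j) for i in range(8) for j in range(8)
            if independent(delta_trail(i, rounds), nabla_trail(j, rounds))]

def key_difference_candidates(k, d, width):
    """Slide 20's count for a primitive on `width`-bit words (1, 4 or 8)."""
    return comb(ceil(k / width), ceil(d / width))

if __name__ == "__main__":
    print({r: len(find_independent_bicliques(r)) for r in (2, 3, 4)})
    print([key_difference_candidates(128, 8, w) for w in (1, 4, 8)])
```

For this toy cipher, three rounds is the maximal independent-biclique length: half of the 64 (Δ, ∇) key-nibble pairs are independent over three rounds and none over four, because the fourth Δ round activates every S-box.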

21. How to Insert Key Differences
[Figure: sub-key differences $\Delta_i^K$ and $\nabla_j^K$ entering the biclique, with the resulting state differences $\Delta_i$ at $C_i$ and $\nabla_j$ at $S_j$.]
- Affect as few parts of the state as possible ⇒ inject sub-key differences with the least possible Hamming weight at the beginning of Δ- and at the end of ∇-differentials
- If |k| > n, regard k consecutive sub-key bits as the starting key difference
