Another view of the division property Christina Boura and Anne - PowerPoint PPT Presentation

Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016

Motivation E K : block cipher with block size n Choose a set of inputs X ⊆ F n 2 Aim: find a distinguishing property of { E K ( x ) , x ∈ X } valid for all K At Eurocrypt 2015, Yosuke Todo introduced the division property as a generalization of integral and higher-order differential distinguishers. 1

Outline • Characterizing a set by its parity-set • Propagation of a parity-set through a block cipher • Application to Present 2

Monomials of n variables For x and u in F n 2 , n x u = x u i � i i =1 Example: For u = (0101) , x u = x 0 4 x 1 3 x 0 2 x 1 1 = x 3 x 1 Evaluation at Point x = (0011) : 0 0 0 1 1 0 1 1 = 1011 = 0 Evaluation of a monomial: x u = 1 if and only if u � x i.e., u i ≤ x i for all 1 ≤ i ≤ n . 3

Parity set of a set Let X ⊆ F n Definition. 2 . Its parity set is x u = 1 � u ∈ F n � � U ( X ) = 2 : x ∈ X Example: X = { 000 , 010 , 011 } U (000) = { 000 } U (010) = { 000 , 010 } U (011) = { 000 , 010 , 001 , 011 } Then U ( X ) = { 000 , 001 , 011 } 4

Correspondence between a set and its parity-set Incidence vector of a set X ⊆ F n 2 : v X : vector of length 2 n having a 1 at all positions x ∈ X Proposition. Gv X = v U ( X ) where G is the binary square matrix such that G a,b = b a or equivalently i.e. G a,b = 1 if and only if a � b 5

Matrix G for n = 3 Gv X = v U ( X ) 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0   0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1     0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2     0 3 1 3 2 3 3 3 4 3 5 3 6 3 7 3       0 4 1 4 2 4 3 4 4 4 5 4 6 4 7 4     0 5 1 5 2 5 3 5 4 5 5 5 6 5 7 5       0 6 1 6 2 6 3 6 4 6 5 6 6 6 7 6     0 7 1 7 2 7 3 7 4 7 5 7 6 7 7 7 6

Matrix G for n = 3 Gv X = v U ( X )   1 1 1 1 1 1 1 1 0 1 0 1 0 1 0 1       0 0 1 1 0 0 1 1     0 0 0 1 0 0 0 1      0 0 0 0 1 1 1 1      0 0 0 0 0 1 0 1     0 0 0 0 0 0 1 1     0 0 0 0 0 0 0 1 The Reed-Muller code of length 2 n and order r , RM ( r, n ) , Definition. is the set of all ( f ( x ) , x ∈ F n 2 ) with deg f ≤ r . ⇒ G : generator matrix of RM ( n, n ) 7

Unicity of the parity set Gv X = v U ( X ) G has full-rank and G − 1 = G For any U ⊆ F n 2 , there exists a unique X ⊆ F n Theorem. 2 such that U = U ( X ) Examples: • U ( X ) = ∅ if and only if X = ∅ . • U ( X ) = { u : u � x } if and only if X = { x } . • U ( X ) = { u } if and only if X is the subspace of dimension wt ( u ) defined by X = { x : x � u } . • U ( X ) = { 1111 } if and only if X = F n 2 8

Division property [Todo 15] X ⊆ F n 2 fulfills the division property D n k , where 0 ≤ k ≤ n Definition. if U ( X ) ⊆ { u ∈ F n 2 : wt ( u ) ≥ k } The rows of G defined by the exponents u with wt ( u ) < k form a generator matrix of the Reed-Muller code of order ( k − 1) . X ⊆ F n 2 fulfills the division property D n Corollary. k if and only if its incidence vector belongs to RM ( k − 1 , n ) ⊥ = RM ( n − k, n ) . 9

Some direct consequences Corollary. [Sun et al. 15] If X fulfills D n k , then | X | ≥ 2 k . Equality holds if and only if X is an affine subspace of dimension k . Some specific cases: • X fulfills D n 1 : | X | is even. • X fulfills D n 2 : � x ∈ X x = 0 [BALANCED] • X fulfills D n n : U ( X ) = { 1 ... 1 } ⇔ X = F n 2 [ALL] • X fulfills D n n − 1 : v X ∈ RM (1 , n ) or equivalently X is an (affine) hyperplane. 10

Propagation of a parity set through a block cipher 11

Determining U ( S ( X )) from U ( X ) S v ( x ) = 1 � v ∈ U ( S ( X )) ⇔ x ∈ X implies that the ANF of S v ( x ) contains some x u with u ∈ U ( X ) Proposition. Let V S ( u ) = { v ∈ F n 2 : S v ( x ) contains x u } Then, � U ( S ( X )) ⊆ V S ( u ) u ∈U ( X ) 12

V S ( u ) for Present Sbox 0 1 2 4 8 3 5 9 6 a c 7 b d e f 0 x x x x 1 x x x x 2 x x x x 4 x x x x 8 x x x x x x 3 x x x x x x x x 5 x x x 9 x x x x x x 6 x x x x x x a x x x x x x x x x x c x x x x 7 x x x x x x x b x x x x x x x x x x d x x x x x x x e x x x x x x f x 13

Computing V S ( u ) from the inverse Sbox Let S ∗ : x �→ S − 1 ( x ) . Theorem. Then, S ( x ) v contains x u if and only if S ∗ ( x ) u contains x v . ⇒ V s ( u ) = { v : [ S ∗ ( x )] u contains x v } Example: The 1st coordinate of S ∗ is: 1 + x 1 + x 2 + x 3 + x 4 + x 2 x 4 ⇒ V S (1110) = { 0101 , 0111 , 1011 , 1101 , 1110 , 1111 } 14

Propagation through key addition ( x ⊕ k ) v = x u k v ⊕ u � u � v Then, { v ∈ F n � U (Add K ( X )) ⊆ 2 : v � u } u ∈U ( X ) 15

Application to Present 16

Division distinguisher on a 3-round SPN with 4-bit Sboxes [Todo 15] Integral attack: X = C C C C C C C C C C C C C A A A • invariant under the key addition and the first Sbox layer • Let F = first linear layer + rounds 2 and 3. Since deg F ≤ 9 and dim X = 12 , E K ( X ) is balanced. 17

Division distinguisher on a 3-round SPN with 4-bit Sboxes [Todo 15] X = C C C C C C C C C C C C C A A A In terms of parity sets: X = α + V where V = { x : x � 0000000000000fff } ⇒ U ( X ) ⊆ { u : u � 0000000000000fff } • For each Sbox, V S ( f ) = { v : S v ( x ) contains x f } = { f } . After the first Sbox layer, U ⊆ { u : u � 0000000000000fff } . • After F with deg F ≤ 9 : � U ( E K ( X )) ⊆ V F ( u ) u ∈ U But V F ( u ) = { v : F v ( x ) contains x u } contains no v with wt ( v ) ≤ 1 when wt ( u ) ≥ 12 . ⇒ U ( E K ( X )) ⊆ { v : wt ( v ) ≥ 2 } 18

Division distinguisher on 4 rounds exploiting the linear layer X = C C C C C C C C C C C C A A A C U ( X ) = { u : u � 0000000000000fff0 } • invariant under the 1st Sbox layer: • After the 1st linear layer: U = { u : u � 000e000e000e000e } → 4 active superboxes • After the 3rd Sbox layer: U ⊆ { u : wt ( u ) ≥ 4 } • After the 3rd linear layer: U ⊆ { u with ≥ 2 active nibbles } ∪ { 00 . . . 0f , . . . , f00 . . . 0 } • invariant under the 4th Sbox layer ⇒ U ( E K ( X )) ⊆ { v : wt ( v ) ≥ 2 } 19

Does not work on 5 rounds u ∈ U 0 0 0 0 0 0 0 0 0 0 0 0 f f f 0 after 1st S-layer 0 0 0 0 0 0 0 0 0 0 0 0 f f f 0 after 1st P-layer 0 0 0 e 0 0 0 e 0 0 0 e 0 0 0 e after 2nd S-layer 0 0 0 2 0 0 0 1 0 0 0 1 0 0 0 1 after 2nd P-layer 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 1 after 3rd S-layer 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 1 after 3rd P-layer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 8 7 after 4th S-layer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 8 after 4th P-layer 0 0 0 3 0 0 0 0 0 0 0 0 0 0 0 0 after 5th S-layer 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 20

Conclusions The notion of parity set enables us to capture more situations than the division property. Further improvements. We can use some other properties of the output parity set: for any fixed u , the probability that u ∈ U ( X ) is 1 / 2 . 21