
1. Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers
   Zejun Xiang, Wentao Zhang, Zhenzhen Bao, Dongdai Lin
   Institute of Information Engineering, CAS, Beijing, China
   December 7, 2016, Hanoi

2. Overview
   1 Division Property
   2 Combining MILP with Division Property
     Further Study on Division Property
     Modeling Basic Operations
     Initial Division Property
     Objective Function
   3 Search Algorithm and Applications
     Search Algorithm
     Applications

3-5. Division Property: Preliminary

Definition (Bit-Product Function [Todo, EUROCRYPT 2015]). For any fixed $u \in (\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}})$,
$$\pi_u(x) : (\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}}) \to \mathbb{F}_2, \qquad (x_0, x_1, \cdots, x_{m-1}) \mapsto \prod_{i=0}^{m-1} \prod_{j=0}^{n_i - 1} x_i[j]^{u_i[j]}.$$

Example: $n = 4$, $m = 2$.
   $u = (u_0[0] \| u_0[1] \| u_0[2] \| u_0[3],\ u_1[0] \| u_1[1] \| u_1[2] \| u_1[3]) = (0\|1\|1\|0,\ 1\|0\|1\|1)$
   $x = (x_0[0] \| x_0[1] \| x_0[2] \| x_0[3],\ x_1[0] \| x_1[1] \| x_1[2] \| x_1[3]) = (0\|1\|1\|1,\ 1\|1\|0\|1)$
   $\pi_u(x) = (0^0 \cdot 1^1 \cdot 1^1 \cdot 1^0)(1^1 \cdot 1^0 \cdot 0^1 \cdot 1^1) = 0$

Definition ([Todo, EUROCRYPT 2015]). Define $k \succeq k^*$ if $k_i \ge k^*_i$ holds for all $i = 0, 1, \cdots, m-1$. Otherwise we denote $k \not\succeq k^*$.

6-7. Division Property: Definition

The division property was introduced by Todo at EUROCRYPT 2015; it is a generalized integral property.

Definition (Division Property [Todo, EUROCRYPT 2015]). Let $X \subset (\mathbb{F}_2^n)^m$ and $k^{(i)} \in \{0, 1, \cdots, n\}^m$. $X$ has the division property $D^{n,m}_{k^{(0)}, k^{(1)}, \cdots, k^{(q-1)}}$ if
$$\bigoplus_{x \in X} \pi_u(x) = 0 \quad \text{for any } u \in \left\{ (u_0, u_1, \cdots, u_{m-1}) \in (\mathbb{F}_2^n)^m \;\middle|\; W(u) \not\succeq k^{(0)}, \cdots, W(u) \not\succeq k^{(q-1)} \right\},$$
where $W(u) = (\mathrm{wt}(u_0), \mathrm{wt}(u_1), \cdots, \mathrm{wt}(u_{m-1}))$.

8-11. Division Property: Using Division Property
   1 Construct an input set with division property $D^{n,m}_{K_0}$.
   2 Propagate the initial division property $r$ rounds to get the division property $D^{n,m}_{K_r}$ of the $r$-round output.
   3 Extract some useful integral property from $D^{n,m}_{K_r}$.

12-13. Division Property: Propagations of Division Property

Copy [Todo, CRYPTO 2015]:
   $\mathbb{F}_2^n \to \mathbb{F}_2^n \times \mathbb{F}_2^n$, $x \mapsto (x, x)$, $X \mapsto \mathrm{Copy}(X)$
   $D^n_k \mapsto D^{n,2}_{(0,k),(1,k-1),\cdots,(k,0)}$

Xor [Todo, CRYPTO 2015]:
   $\mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2^n$, $(x_0, x_1) \mapsto x_0 \oplus x_1$, $X \mapsto \mathrm{Xor}(X)$
   $D^{n,2}_{(k_0,k_1)} \mapsto D^n_{k_0 + k_1}$

And [Xiang, IWSEC 2016]:
   $\mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2^n$, $(x_0, x_1) \mapsto x_0 \,\&\, x_1$, $X \mapsto \mathrm{And}(X)$
   $D^{n,2}_{(k_0,k_1)} \mapsto D^n_{\max(k_0,k_1)}$
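The bit-product function, the division property definition and the three rules above, checked by computation. This is an added Python example, not code from the slides or the paper: it evaluates $\pi_u(x)$ on the slides' worked example, tests $D^{n,m}_K$ directly from the definition, and confirms on constructed sample sets (X0, X1, Z are names chosen here) that the outputs of Copy, Xor and And have the division property each rule predicts.

```python
"""Bit-product function, division property check, and the Copy/Xor/And rules.

Added example, not code from the slides or the paper.  Words are tuples of
bits in the slides' order (x_i[0] first); a set X is a Python list so that
repeated elements count, as the XOR-sum in the definition requires.  All
sample sets are constructed here for illustration.
"""
from itertools import product


def pi_u(u, x):
    """Bit-product function prod_i prod_j x_i[j]^u_i[j] (with 0^0 = 1):
    it equals 1 exactly when every bit set in u is also set in x."""
    return int(all(xb >= ub for ui, xi in zip(u, x) for ub, xb in zip(ui, xi)))


def weight(u):
    """W(u) = (wt(u_0), ..., wt(u_{m-1}))."""
    return tuple(sum(ui) for ui in u)


def dominates(a, b):
    """The slides' relation a >= b*: componentwise a_i >= b_i."""
    return all(ai >= bi for ai, bi in zip(a, b))


def has_division_property(X, K, n, m):
    """Check D^{n,m}_K straight from the definition: the XOR-sum of pi_u over X
    must be 0 for every u whose weight vector dominates no vector of K."""
    words = list(product((0, 1), repeat=n))
    for u in product(words, repeat=m):
        if any(dominates(weight(u), k) for k in K):
            continue                        # such u is not constrained by K
        if sum(pi_u(u, x) for x in X) % 2:  # odd count means XOR-sum 1
            return False
    return True


# Propagation rules of the slides, applied to every vector of K.
def rule_copy(K):   # D^n_k -> D^{n,2}_{(0,k),(1,k-1),...,(k,0)}
    return {(i, k - i) for (k,) in K for i in range(k + 1)}


def rule_xor(K):    # D^{n,2}_{(k0,k1)} -> D^n_{k0+k1}
    return {(k0 + k1,) for (k0, k1) in K}


def rule_and(K):    # D^{n,2}_{(k0,k1)} -> D^n_{max(k0,k1)}
    return {(max(k0, k1),) for (k0, k1) in K}


def word(v, n):
    """Integer v as an n-bit tuple, most significant bit first."""
    return tuple((v >> (n - 1 - j)) & 1 for j in range(n))


# Constructed samples, n = 4.  X0: the two low bits take all values, the rest
# is constant -> D^4_2.  X1: the low bit is fixed to 1, the next one varies -> D^4_1.
X0 = [(word(v, 4),) for v in range(4)]
X1 = [(word(v, 4),) for v in (1, 3)]
Z = [(a[0], b[0]) for a in X0 for b in X1]   # product set -> D^{4,2}_{(2,1)}


def copy_set(X):
    return [(x[0], x[0]) for x in X]


def xor_set(Z):
    return [(tuple(p ^ q for p, q in zip(a, b)),) for a, b in Z]


def and_set(Z):
    return [(tuple(p & q for p, q in zip(a, b)),) for a, b in Z]


def check_rules():
    """Each rule's predicted output property must hold for the actual output set."""
    return {
        "X0 has D^4_2": has_division_property(X0, {(2,)}, 4, 1),
        "X0 lacks D^4_3": not has_division_property(X0, {(3,)}, 4, 1),
        "Z has D^{4,2}_(2,1)": has_division_property(Z, {(2, 1)}, 4, 2),
        "copy": has_division_property(copy_set(X0), rule_copy({(2,)}), 4, 2),
        "xor": has_division_property(xor_set(Z), rule_xor({(2, 1)}), 4, 1),
        "and": has_division_property(and_set(Z), rule_and({(2, 1)}), 4, 1),
    }


if __name__ == "__main__":
    # the slides' worked example: u = (0110, 1011), x = (0111, 1101)
    print(pi_u(((0, 1, 1, 0), (1, 0, 1, 1)), ((0, 1, 1, 1), (1, 1, 0, 1))))  # 0
    for name, ok in check_rules().items():
        print(f"{name}: {ok}")
```

The check is exhaustive over all $u \in (\mathbb{F}_2^n)^m$, which is only feasible for small $n$ and $m$; that cost is exactly the motivation for propagating the property by rules instead of recomputing it from the set.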

14-17. Division Property: Bit-based Division Property

The division property is defined and computed on $(\mathbb{F}_2^n)^m$. If $n = 1$, this is the bit-based division property [Todo, FSE 2016].

Advantages:
   Detailed division property
   Longer distinguishers
   Better results

Disadvantages:
   More computation
   Upper bounded by $O(2^n)$
   Only small size ciphers

How to compute the bit-based division property efficiently?

18-22. Combining MILP with Division Property: Basic Strategy

We will use the Mixed Integer Linear Programming (MILP) method to characterize the division property propagations.

Mixed Integer Linear Programming (MILP):
   Minimize (or Maximize): $a^T \cdot x$
   Subject to: $Mx \ge 0$
   some or all of the variables in $x$ are restricted to integers.

Two issues need to be addressed:
   1 Describe the division propagations by linear (in)equalities.
   2 Convert the search problem into estimating the minimal value of the objective function.

23-24. Combining MILP with Division Property: Further Study on Division Property: Division Trail

Definition (Division Trail). Assume the input set to the block cipher has initial division property $D^{n,m}_k$, and denote the division property after $i$-round encryption by $D^{n,m}_{K_i}$. Thus, we have the following chain of division property propagations:
$$\{k\} \overset{\text{def}}{=} K_0 \xrightarrow{f_r} K_1 \xrightarrow{f_r} K_2 \xrightarrow{f_r} \cdots$$
For $(k_0, k_1, \cdots, k_r) \in K_0 \times K_1 \times \cdots \times K_r$, if $k_{i-1}$ can propagate to $k_i$ for all $i \in \{1, 2, \cdots, r\}$ by the propagation rules, we call $(k_0, k_1, \cdots, k_r)$ an $r$-round division trail.

Proposition. The set of the last vectors of all $r$-round division trails which start with $k$ is equal to $K_r$.

25-26. Combining MILP with Division Property: Further Study on Division Property: Set without Integral Property

Proposition (Set without Integral Property). Assume $X$ is a set with division property $D^{1,n}_K$; then $X$ does not have an integral property if and only if $K$ contains all the $n$ unit vectors.

Given the initial division property $D^{n,m}_k$ and round number $r$, there does not exist an $r$-round distinguisher if and only if there exist $n$ division trails which start with the initial division property and end up with the $n$ different unit vectors.
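To make the division-trail definition and the unit-vector criterion concrete, here is an added Python example (not code from the slides or the paper). It enumerates all bit-based division trails through a constructed 8-bit keyless toy Feistel (the round function, its bit indexing and the input vector are assumptions made for this demonstration), reduces each $K_i$ to its non-dominated vectors, reads off the output bits whose unit vector is not the last vector of any trail, and compares that prediction with a brute-force XOR-sum over the actual input set:

```python
"""Bit-based division trails through a toy Feistel round, with a brute-force check.

Added example, not code from the slides or the paper.  Assumptions, all
constructed for illustration:
  * an 8-bit keyless toy Feistel: (L, R) -> (R, L ^ f(R)) with
    f(R)[i] = (R[i] & R[i+1]) ^ R[i+2], indices mod 4;
  * state bits are indexed L0..L3 = 0..3, R0..R3 = 4..7.
"""
from itertools import product

W = 4          # half-block width in bits
N = 2 * W      # block size


def round_bits(state):
    """One keyless round on a tuple of 8 bits."""
    L, R = state[:W], state[W:]
    new_r = tuple(L[i] ^ (R[i] & R[(i + 1) % W]) ^ R[(i + 2) % W] for i in range(W))
    return R + new_r


def encrypt(state, rounds):
    for _ in range(rounds):
        state = round_bits(state)
    return state


def round_trails(k):
    """All k' such that (k, k') is a 1-round division trail (bit-based rules).

    Each bit of R is copied to four uses: the new L, the two AND operands and
    the XOR in f.  Copy: a 1 goes to exactly one branch.  AND: max of its
    operands.  XOR: sum of its operands, valid only if the sum is <= 1.
    """
    kL, kR = k[:W], k[W:]
    options = [[(0, 0, 0, 0)] if b == 0 else
               [(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)] for b in kR]
    out = set()
    for choice in product(*options):
        new_l = tuple(c[0] for c in choice)                      # R -> new L
        new_r, ok = [], True
        for i in range(W):
            and_i = max(choice[i][1], choice[(i + 1) % W][2])    # R[i] & R[i+1]
            s = kL[i] + and_i + choice[(i + 2) % W][3]           # L[i] ^ and ^ R[i+2]
            if s > 1:
                ok = False
                break
            new_r.append(s)
        if ok:
            out.add(new_l + tuple(new_r))
    return out


def dominates(a, b):
    return all(x >= y for x, y in zip(a, b))


def reduce_k(K):
    """Drop vectors that dominate another vector of K: they add no constraint."""
    return {k for k in K if not any(k != j and dominates(k, j) for j in K)}


def propagate(k0, rounds):
    """K_r: the last vectors of all r-round division trails starting from k0."""
    K = {tuple(k0)}
    for _ in range(rounds):
        K = reduce_k({kk for k in K for kk in round_trails(k)})
    return K


def predicted_balanced(k0, rounds):
    """Output bits i with no k in K_r below the unit vector e_i: XOR-sum proven 0."""
    K = propagate(k0, rounds)
    unit = lambda i: tuple(1 if j == i else 0 for j in range(N))
    return {i for i in range(N) if not any(dominates(unit(i), k) for k in K)}


def actual_balanced(k0, rounds):
    """Brute force: vary exactly the bits active in k0 (others fixed to 0) and XOR-sum the outputs."""
    active = [i for i, b in enumerate(k0) if b]
    sums = [0] * N
    for vals in product((0, 1), repeat=len(active)):
        x = [0] * N
        for i, v in zip(active, vals):
            x[i] = v
        sums = [s ^ b for s, b in zip(sums, encrypt(tuple(x), rounds))]
    return {i for i, s in enumerate(sums) if s == 0}


if __name__ == "__main__":
    k0 = (0, 0, 0, 0, 1, 0, 0, 0)   # only R0 varies: a 2-element input set
    for r in range(1, 5):
        p, a = predicted_balanced(k0, r), actual_balanced(k0, r)
        assert p <= a, "a division property never claims a balanced bit that is not"
        print(f"{r} round(s): |K_r| = {len(propagate(k0, r))}, proven balanced bits {sorted(p)}")
```

The containment `predicted <= actual` is the soundness of the method: bits the trails leave unreachable are always balanced, while the brute force may find further balanced bits the property cannot prove. The MILP approach of the slides replaces the explicit enumeration in `round_trails` with a solver query per unit vector.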


28-29. Combining MILP with Division Property: Modeling Basic Operations: Modeling Copy

$D^n_k \mapsto D^{n,2}_{(0,k),(1,k-1),\cdots,(k,0)}$

General rule: $(0,k), (1,k-1), \cdots, (k,0)$.
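As an added example of the first issue (describing propagation by linear (in)equalities), not code from the slides: the bit-based ($n = 1$) case of the Copy rule above, together with Xor and And, written as the linear constraints commonly used when modelling division trails for MILP, and checked without a solver by enumerating every 0/1 assignment and comparing the feasible ones with the transitions the propagation rules allow. The variable names a, b0, b1 and the constraint layout are assumptions of this example.

```python
"""Bit-level Copy/Xor/And as linear (in)equalities, checked by enumeration.

Added example, not code from the slides.  Encodings used (assumed here, with
a = input variable(s) and b = output variable(s)):
  Copy  a -> (b0, b1):  a - b0 - b1 = 0
  Xor   (a0, a1) -> b:  a0 + a1 - b = 0
  And   (a0, a1) -> b:  b - a0 >= 0,  b - a1 >= 0,  b - a0 - a1 <= 0
No solver is needed: all 0/1 assignments are enumerated and the feasible ones
are compared with the transitions the propagation rules allow.
"""
from itertools import product


def rule_transitions(op):
    """Bit-based (n = 1) transitions allowed by the slides' rules, as (input, output) pairs."""
    if op == "copy":   # k -> (0,k),(1,k-1),...,(k,0), with k in {0,1}
        return {((k,), (i, k - i)) for k in (0, 1) for i in range(k + 1)}
    if op == "xor":    # (k0,k1) -> k0+k1, discarded when the sum exceeds 1
        return {((k0, k1), (k0 + k1,)) for k0, k1 in product((0, 1), repeat=2) if k0 + k1 <= 1}
    if op == "and":    # (k0,k1) -> max(k0,k1)
        return {((k0, k1), (max(k0, k1),)) for k0, k1 in product((0, 1), repeat=2)}
    raise ValueError(op)


# (number of inputs, number of outputs, constraints); each constraint is
# (coefficients over inputs then outputs, sense, right-hand side).
CONSTRAINTS = {
    "copy": (1, 2, [((1, -1, -1), "=", 0)]),
    "xor":  (2, 1, [((1, 1, -1), "=", 0)]),
    "and":  (2, 1, [((-1, 0, 1), ">=", 0), ((0, -1, 1), ">=", 0), ((-1, -1, 1), "<=", 0)]),
}


def satisfies(values, coeffs, sense, rhs):
    lhs = sum(c * v for c, v in zip(coeffs, values))
    return {"=": lhs == rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[sense]


def feasible_transitions(op):
    """All 0/1 assignments satisfying the constraints, as (input, output) pairs."""
    n_in, n_out, cons = CONSTRAINTS[op]
    out = set()
    for vals in product((0, 1), repeat=n_in + n_out):
        if all(satisfies(vals, *c) for c in cons):
            out.add((vals[:n_in], vals[n_in:]))
    return out


def encoding_is_exact(op):
    """True when the inequalities admit exactly the rule's transitions, no more and no fewer."""
    return feasible_transitions(op) == rule_transitions(op)


if __name__ == "__main__":
    for op in ("copy", "xor", "and"):
        print(op, sorted(feasible_transitions(op)), "exact:", encoding_is_exact(op))
```

Exactness matters in both directions: an encoding that admits a transition the rules forbid can make the solver "find" a unit vector and miss a real distinguisher, while one that drops a valid transition can claim a balanced bit that is not.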
