Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers
Zejun Xiang, Wentao Zhang, Zhenzhen Bao, Dongdai Lin
Institute of Information Engineering, CAS, Beijing, China
December 7, 2016, Hanoi
Overview
1. Division Property
2. Combining MILP with Division Property
   - Further Study on Division Property
   - Modeling Basic Operations
   - Initial Division Property
   - Objective Function
3. Search Algorithm and Applications
   - Search Algorithm
   - Applications
Division Property: Preliminary

Definition (Bit-Product Function [Todo, EUROCRYPT 2015]). For any fixed $u \in \mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}}$, the bit-product function $\pi_u$ is
$$\pi_u : \mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}} \to \mathbb{F}_2, \qquad (x_0, x_1, \cdots, x_{m-1}) \mapsto \prod_{i=0}^{m-1} \prod_{j=0}^{n_i-1} x_i[j]^{u_i[j]},$$
with the convention $0^0 = 1$; so $\pi_u(x)$ is the product of exactly those bits of $x$ selected by the 1-bits of $u$.

Example: $n = 4$, $m = 2$.
$u = (u_0[0] \| u_0[1] \| u_0[2] \| u_0[3],\; u_1[0] \| u_1[1] \| u_1[2] \| u_1[3]) = (0\|1\|1\|0,\; 1\|0\|1\|1)$
$x = (x_0[0] \| x_0[1] \| x_0[2] \| x_0[3],\; x_1[0] \| x_1[1] \| x_1[2] \| x_1[3]) = (0\|1\|1\|1,\; 1\|1\|0\|1)$
$\pi_u(x) = (0^0 \cdot 1^1 \cdot 1^1 \cdot 1^0)(1^1 \cdot 1^0 \cdot 0^1 \cdot 1^1) = 0$

Definition ([Todo, EUROCRYPT 2015]). Write $k \succeq k^*$ if $k_i \ge k^*_i$ holds for all $i = 0, 1, \cdots, m-1$. Otherwise we write $k \not\succeq k^*$.
Division Property: Definition

The division property was introduced by Todo at EUROCRYPT 2015; it is a generalized integral property.

Definition (Division Property [Todo, EUROCRYPT 2015]). Let $X \subset (\mathbb{F}_2^n)^m$ and $k^{(i)} \in \{0, 1, \cdots, n\}^m$. $X$ has the division property $D^{n,m}_{k^{(0)}, k^{(1)}, \cdots, k^{(q-1)}}$ if
$$\bigoplus_{x \in X} \pi_u(x) = 0 \quad \text{for any } u \in \left\{ (u_0, u_1, \cdots, u_{m-1}) \in (\mathbb{F}_2^n)^m \;\middle|\; W(u) \not\succeq k^{(0)}, \cdots, W(u) \not\succeq k^{(q-1)} \right\},$$
where $W(u) = (\mathrm{wt}(u_0), \mathrm{wt}(u_1), \cdots, \mathrm{wt}(u_{m-1}))$.
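The two definitions above, as an added example that is not part of the talk: $\pi_u(x)$, $W(u)$, the order $\succeq$, and a brute-force check of whether a small set $X \subset (\mathbb{F}_2^n)^m$ has $D^{n,m}_K$ by testing every $u$ that the definition constrains. Words are Python ints, and the input set $X$ (one 4-bit word running over all values, the other fixed) is constructed here for illustration.

```python
# Added example (not from the slides): the bit-product function pi_u(x), the
# weight vector W(u), the partial order k >= k*, and a brute-force check of
# whether a set X in (F_2^n)^m has division property D^{n,m}_K.  Words are
# Python ints; the leftmost bit of the slide's x[0] || ... || x[n-1] notation
# is the most significant bit of the int.
from itertools import product

def pi(u, x, n):
    """pi_u(x) = prod_i prod_j x_i[j]^{u_i[j]}.  With 0^0 = 1 this is 1 exactly
    when every bit selected by u is set in x, i.e. x_i & u_i == u_i for all i."""
    return 1 if all((xi & ui) == ui for ui, xi in zip(u, x)) else 0

def weight_vector(u):
    """W(u) = (wt(u_0), ..., wt(u_{m-1}))."""
    return tuple(bin(ui).count("1") for ui in u)

def succeeds(k, k_star):
    """k >= k* in the slide's order: k_i >= k*_i for every coordinate i."""
    return all(a >= b for a, b in zip(k, k_star))

def parity_sum(X, u, n):
    """XOR-sum of pi_u(x) over the (multi)set X."""
    s = 0
    for x in X:
        s ^= pi(u, x, n)
    return s

def has_division_property(X, n, m, K):
    """True iff X has D^{n,m}_K: the XOR-sum of pi_u over X vanishes for every
    u whose weight vector is NOT >= any k in K.  Brute force over all 2^(n*m)
    values of u, so only meant for small n*m."""
    for u in product(range(1 << n), repeat=m):
        w = weight_vector(u)
        if any(succeeds(w, k) for k in K):
            continue  # these u are not constrained by the definition
        if parity_sum(X, u, n) != 0:
            return False
    return True

if __name__ == "__main__":
    # The slide's example: u = (0110, 1011), x = (0111, 1101).
    u, x = (0b0110, 0b1011), (0b0111, 0b1101)
    print("pi_u(x) =", pi(u, x, 4))  # 0, because x_1[2] = 0 while u_1[2] = 1
    # Constructed input set: the first 4-bit word takes all 16 values, the
    # second is the constant 1010.  It has D^{4,2}_{(4,0)} but not D^{4,2}_{(4,1)}:
    # for u = (1111, 0000) the XOR-sum is 1, and W(u) = (4,0) is not >= (4,1).
    X = [(x0, 0b1010) for x0 in range(16)]
    print(has_division_property(X, 4, 2, [(4, 0)]))
    print(has_division_property(X, 4, 2, [(4, 1)]))
```

The check is exponential in $nm$ and exists only to make the definition concrete; the rest of the talk is about propagating $K$ without ever enumerating $u$.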
Division Property: Using Division Property

1. Construct an input set with division property $D^{n,m}_{K_0}$.
2. Propagate the initial division property through $r$ rounds to get the division property $D^{n,m}_{K_r}$ of the $r$-round output.
3. Extract some useful integral property from $D^{n,m}_{K_r}$.
Division Property: Propagation Rules

Copy [Todo, CRYPTO 2015]: $\mathbb{F}_2^n \to \mathbb{F}_2^n \times \mathbb{F}_2^n$, $x \mapsto (x, x)$, $X \mapsto \mathrm{Copy}(X)$:
$$D^n_k \mapsto D^{n,2}_{(0,k),\,(1,k-1),\,\cdots,\,(k,0)}$$
Xor [Todo, CRYPTO 2015]: $\mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2^n$, $(x_0, x_1) \mapsto x_0 \oplus x_1$, $X \mapsto \mathrm{Xor}(X)$:
$$D^{n,2}_{(k_0,k_1)} \mapsto D^n_{k_0 + k_1}$$
And [Xiang, IWSEC 2016]: $\mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2^n$, $(x_0, x_1) \mapsto x_0 \,\&\, x_1$, $X \mapsto \mathrm{And}(X)$:
$$D^{n,2}_{(k_0,k_1)} \mapsto D^n_{\max(k_0, k_1)}$$
Division Property: Bit-based Division Property

The division property is defined and computed on $(\mathbb{F}_2^n)^m$. If $n = 1$, this is the bit-based division property [Todo, FSE 2016].

Advantages:
- Detailed division property
- Longer distinguishers
- Better results

Disadvantages:
- More computation
- Upper bounded only by $O(2^n)$ for an $n$-bit block
- Only small-size ciphers are feasible

How to compute the bit-based division property efficiently?
Combining MILP with Division Property: Basic Strategy

We use the Mixed Integer Linear Programming (MILP) method to characterize division property propagations.

Mixed Integer Linear Programming (MILP):
  Minimize (or Maximize): $a^T \cdot x$
  Subject to: $M x \ge 0$
  where part or all of the variables in $x$ are restricted to integers.
Combining MILP with Division Property: Basic Strategy

Two issues need to be addressed:
1. Describe the division propagations by linear (in)equalities.
2. Convert the search problem into estimating the minimal value of the objective function.
Combining MILP with Division Property: Further Study on Division Property, Division Trail

Definition (Division Trail). Assume the input set to the block cipher has initial division property $D^{n,m}_k$, and denote the division property after $i$-round encryption by $D^{n,m}_{K_i}$. Thus, we have the following chain of division property propagations:
$$\{k\} \overset{\text{def}}{=} K_0 \xrightarrow{f_r} K_1 \xrightarrow{f_r} K_2 \xrightarrow{f_r} \cdots$$
For $(k_0, k_1, \cdots, k_r) \in K_0 \times K_1 \times \cdots \times K_r$, if $k_{i-1}$ can propagate to $k_i$ for all $i \in \{1, 2, \cdots, r\}$ by the propagation rules, we call $(k_0, k_1, \cdots, k_r)$ an $r$-round division trail.

Proposition. The set of the last vectors of all $r$-round division trails which start with $k$ is equal to $K_r$.
Combining MILP with Division Property: Further Study on Division Property, Set without Integral Property

Proposition (Set without Integral Property). Assume $X$ is a set with division property $D^{1,n}_K$. Then $X$ does not have an integral property if and only if $K$ contains all $n$ unit vectors.

Consequently, given a bit-based initial division property $D^{1,n}_k$ and a round number $r$, there is no $r$-round distinguisher if and only if there exist $n$ division trails which start with the initial division property and end with the $n$ different unit vectors. (Conversely, if the unit vector $e_i$ is not the end of any $r$-round trail, the $i$-th output bit is balanced over the input set.)
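The propagation rules, the division-trail proposition and the unit-vector criterion above, as one added example that is not part of the talk: bit-based ($D^{1,n}$) propagation through a constructed 4-bit toy round $(x_0, x_1, x_2, x_3) \mapsto (x_1, x_2, x_3, x_0 \oplus (x_1 \,\&\, x_2))$, built only from Copy, And and Xor; enumeration of all $r$-round division trails; $K_r$ as the set of their last vectors; and the balanced output bits read off from which unit vectors are missing from $K_r$. The toy round, the input set and the bit ordering are this example's own assumptions (it is not one of the six ciphers of the talk), and a brute-force encryption of the same input set confirms that every predicted balanced bit really is balanced.

```python
# Added example (not from the slides): bit-based division property propagation
# through a constructed 4-bit toy round made of Copy, And and Xor, enumeration
# of division trails, K_r as the set of trail endpoints, and the "missing unit
# vector => balanced bit" criterion, checked against brute force.
# Toy round (an assumption for illustration):
#   (x0, x1, x2, x3) -> (x1, x2, x3, x0 ^ (x1 & x2))
from itertools import product

N = 4  # block size in bits of the toy round

def copy_rule(k):
    """Copy: D_k -> D_{(0,k),(1,k-1),...,(k,0)}; for k in {0,1}: (0,0) or {(0,1),(1,0)}."""
    return [(i, k - i) for i in range(k + 1)]

def and_rule(k0, k1):
    """And on single bits: (k0, k1) -> max(k0, k1)."""
    return max(k0, k1)

def xor_rule(k0, k1):
    """Xor: (k0, k1) -> k0 + k1.  A bit-based value above 1 corresponds to no u
    at all, so such a trail is discarded (None)."""
    s = k0 + k1
    return s if s <= 1 else None

def round_propagate(k):
    """All vectors that k can propagate to through one toy round."""
    k0, k1, k2, k3 = k
    out = set()
    for a1, b1 in copy_rule(k1):       # x1 is copied: a1 -> y0, b1 -> the And
        for a2, b2 in copy_rule(k2):   # x2 is copied: a2 -> y1, b2 -> the And
            s = xor_rule(k0, and_rule(b1, b2))   # y3 = x0 ^ (x1 & x2)
            if s is not None:
                out.add((a1, a2, k3, s))         # y0, y1, y2 = x3, y3
    return out

def division_trails(k, rounds):
    """All r-round division trails (k_0 = k, k_1, ..., k_r)."""
    trails = [(k,)]
    for _ in range(rounds):
        trails = [tr + (nxt,) for tr in trails for nxt in round_propagate(tr[-1])]
    return trails

def K_r(k, rounds):
    """K_r computed round by round; equals the set of endpoints of all r-round
    trails from k (the proposition on the division-trail slide)."""
    K = {k}
    for _ in range(rounds):
        K = {w for v in K for w in round_propagate(v)}
    return K

def unit(i, n=N):
    return tuple(1 if j == i else 0 for j in range(n))

def predicted_balanced_bits(k, rounds, n=N):
    """Output bit i is balanced iff the unit vector e_i is not in K_r; an empty
    result means no r-round distinguisher (all unit vectors reached)."""
    K = K_r(k, rounds)
    return {i for i in range(n) if unit(i) not in K}

# Brute force on the actual toy cipher, to confirm the prediction is sound.
def toy_round(state):
    x0, x1, x2, x3 = state
    return (x1, x2, x3, x0 ^ (x1 & x2))

def toy_encrypt(state, rounds):
    for _ in range(rounds):
        state = toy_round(state)
    return state

def bruteforce_balanced_bits(k, rounds, const=1, n=N):
    """Input set: bits with k_i = 1 run over all values, the others are fixed to
    `const` (so the set has D^{1,n}_k); returns the output bits whose XOR-sum is 0."""
    active = [i for i in range(n) if k[i] == 1]
    sums = [0] * n
    for vals in product((0, 1), repeat=len(active)):
        x = [const] * n
        for i, v in zip(active, vals):
            x[i] = v
        y = toy_encrypt(tuple(x), rounds)
        for i in range(n):
            sums[i] ^= y[i]
    return {i for i in range(n) if sums[i] == 0}

if __name__ == "__main__":
    k0 = (1, 1, 1, 0)  # three active bits, x3 constant
    for r in range(1, 9):
        print(r, sorted(K_r(k0, r)), "balanced:", predicted_balanced_bits(k0, r),
              "brute force:", bruteforce_balanced_bits(k0, r))
```

For the input set with $k = (1,1,1,0)$ the prediction stays exact up to 6 rounds (bits 0, 1, 2 balanced, bit 3 not) and becomes an empty set once every unit vector is reachable; the brute-force set always contains the predicted one, which is the soundness the search relies on.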
Combining MILP with Division Property: Basic Strategy (recap)

Two issues need to be addressed:
1. Describe the division propagations by linear (in)equalities.
2. Convert the search problem into estimating the minimal value of the objective function.
Combining MILP with Division Property: Modeling Basic Operations, Modeling Copy

General rule: $D^n_k \mapsto D^{n,2}_{(0,k),\,(1,k-1),\,\cdots,\,(k,0)}$.

In the bit-based case ($n = 1$) we have $k \in \{0, 1\}$, so the only possible outputs are $(0,0)$ for $k = 0$ and $(0,1), (1,0)$ for $k = 1$.
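Turning the rule into linear constraints is the first of the two issues on the Basic Strategy slide, and the thing to check before using any such model is that its 0/1 feasible set is exactly the rule's set of valid $(k, k')$ pairs. The following is an added example, not code from the talk: the copy model $a - b_0 - b_1 = 0$ follows from the general rule on this slide with $k \in \{0,1\}$; the Xor model $b - a_0 - a_1 = 0$ and the And model $b \ge a_0,\ b \ge a_1,\ b \le a_0 + a_1$ are derived here in the same way from the rules on the propagation slide and are this example's own derivation. The checker also shows what a too-loose model looks like.

```python
# Added example (not from the slides): verify that a candidate set of linear
# (in)equalities over 0/1 variables has exactly the feasible set that a
# bit-based propagation rule allows.  Models for Xor and And are derived here
# from the propagation-rule slide; they are this example's derivation.
from itertools import product

def rule_copy():
    """Valid (a, b0, b1): outputs (0,k),(1,k-1),...,(k,0) for k = a in {0,1}."""
    return {(a, i, a - i) for a in (0, 1) for i in range(a + 1)}

def rule_xor():
    """Valid (a0, a1, b) with b = a0 + a1; b > 1 is impossible bit-based."""
    return {(a0, a1, a0 + a1) for a0 in (0, 1) for a1 in (0, 1) if a0 + a1 <= 1}

def rule_and():
    """Valid (a0, a1, b) with b = max(a0, a1)."""
    return {(a0, a1, max(a0, a1)) for a0 in (0, 1) for a1 in (0, 1)}

# A constraint is (coefficients, rhs) meaning sum(c_i * v_i) >= rhs; an
# equality is the pair of opposite inequalities.
def equality(coeffs, rhs):
    return [(coeffs, rhs), (tuple(-c for c in coeffs), -rhs)]

MODEL_COPY = equality((1, -1, -1), 0)             # variables (a, b0, b1):  a - b0 - b1 = 0
MODEL_XOR = equality((-1, -1, 1), 0)              # variables (a0, a1, b):  b - a0 - a1 = 0
MODEL_AND = [((-1, 0, 1), 0),                     # b - a0 >= 0
             ((0, -1, 1), 0),                     # b - a1 >= 0
             ((1, 1, -1), 0)]                     # a0 + a1 - b >= 0
MODEL_COPY_LOOSE = [((1, -1, -1), 0)]             # only a - b0 - b1 >= 0: too loose

def feasible_points(constraints, nvars):
    """Every 0/1 assignment satisfying all constraints (the MILP feasible set)."""
    pts = set()
    for v in product((0, 1), repeat=nvars):
        if all(sum(c * x for c, x in zip(coeffs, v)) >= rhs
               for coeffs, rhs in constraints):
            pts.add(v)
    return pts

def check_model(constraints, valid, nvars=3):
    """Compare the model's feasible set with the rule.  'extra' points admit
    impossible trails (K_r too large, distinguishers missed); 'missing' points
    cut off real trails (K_r too small, unsound distinguishers)."""
    feas = feasible_points(constraints, nvars)
    return {"missing": valid - feas, "extra": feas - valid}

if __name__ == "__main__":
    print("copy :", check_model(MODEL_COPY, rule_copy()))
    print("xor  :", check_model(MODEL_XOR, rule_xor()))
    print("and  :", check_model(MODEL_AND, rule_and()))
    print("loose:", check_model(MODEL_COPY_LOOSE, rule_copy()))  # extra (1,0,0)
```

The same enumeration scales to a whole S-box (valid points from its division-property table, candidate inequalities from a convex-hull tool), which is how an inequality set is validated before it goes into the round model.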