Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang Technological University, Singapore 2. Institute of Information Engineering, CAS, China 3. Shandong University, China FSE 2019 @ Paris
Boomerang Attacks Proposed by [Wag99] to π π 3 1 combine two diff. trails: π½ π½ π 2 π πΉ 0 πΉ 0 4 β’ πΉ 0 : Pr π½ β πΎ = π πΏ β’ πΉ 1 : Pr πΏ β π = π πΉ 0 πΉ 0 πΎ Distinguishing probability: πΎ πΉ 1 πΉ 1 π 2 π 2 πΏ πΉ 1 πΉ 1 π π· 1 π· 3 π· 2 π π· 4 2 /24
Boomerang Attacks Proposed by [Wag99] to π π 3 1 combine two diff. trails: π½ π½ π 2 π πΉ 0 πΉ 0 4 β’ πΉ 0 : Pr π½ β πΎ = π πΏ β’ πΉ 1 : Pr πΏ β π = π πΉ 0 πΉ 0 πΎ Distinguishing probability: πΎ πΉ 1 πΉ 1 π 2 π 2 πΏ πΉ 1 πΉ 1 Bo Boomer merang ang at attacks tacks: When you π π· 1 π· 3 send it properly, it always comes back to you. π· 2 π π· 4 https://www.australiathegift.com.au/shop/boomerang-with-stand/ 2 /24
Boomerang Attacks Proposed by [Wag99] to π π 3 1 combine two diff. trails: π½ π½ π 2 π πΉ 0 πΉ 0 4 β’ πΉ 0 : Pr π½ β πΎ = π πΏ β’ πΉ 1 : Pr πΏ β π = π πΉ 0 πΉ 0 πΎ Distinguishing probability: πΎ πΉ 1 πΉ 1 π 2 π 2 πΏ πΉ 1 πΉ 1 Bo Boomer merang ang at attacks tacks: When you π π· 1 π· 3 send it properly, it always comes back to you. π· 2 π π· 4 https://www.australiathegift.com.au/shop/boomerang-with-stand/ [Wag99]: Assumed two trails are independent . 2 /24 NOT always correct
Two Trails in Boomerang Attacks Dependency can help attackers [BDD03]: Middle-round S-box trick β’ [BK09]: Boomerang switch: Ladder switch / β’ Feistel switch / S-box switch Dependency can spoil attacks. [Mer09]: Incompatible trails β’ 3 /24
Sandwich Attacks [DKS10] π π 3 1 π½ π½ Decompose the cipher into π 2 π ΰ·¨ ΰ·¨ πΉ 0 πΉ 0 4 three parts ΰ·¨ ΰ·¨ πΉ 0 πΉ 0 β’ πΉ π handles the dependency. π¦ 1 π¦ 3 πΎ πΎ ΰ·¨ πΉ π πΉ π πΉ 0 β πΉ 0 \πΉ π : Pr π½ β πΎ = ΰ·€ π β’ π¦ 2 π¦ 4 π§ 1 π§ 3 πΏ ΰ·¨ πΉ 1 β πΉ 1 \πΉ π : Pr πΏ β π = ΰ·€ π β’ πΉ π πΉ π π§ 2 π§ 4 ΰ·¨ ΰ·¨ πΉ 1 πΉ 1 πΏ Distinguishing probability: ΰ·¨ ΰ·¨ πΉ 1 πΉ 1 π π· 3 π· 1 π 2 ΰ·€ π 2 π ΰ·€ π π· 2 π· 4 4 /24
Sandwich Attacks [DKS10] π π 3 1 π½ π½ Decompose the cipher into π 2 π ΰ·¨ ΰ·¨ πΉ 0 πΉ 0 4 three parts ΰ·¨ ΰ·¨ πΉ 0 πΉ 0 β’ πΉ π handles the dependency. π¦ 1 π¦ 3 πΈ? πΎ ΰ·¨ πΉ π πΉ π πΉ 0 β πΉ 0 \πΉ π : Pr π½ β πΎ = ΰ·€ π β’ π¦ 2 π¦ 4 π§ 1 π§ 3 πΏ ΰ·¨ πΉ 1 β πΉ 1 \πΉ π : Pr πΏ β π = ΰ·€ π β’ πΉ π πΉ π π§ 2 π§ 4 ΰ·¨ ΰ·¨ πΉ 1 πΉ 1 πΏ Distinguishing probability: ΰ·¨ ΰ·¨ πΉ 1 πΉ 1 π π· 3 π· 1 π 2 ΰ·€ π 2 π ΰ·€ π π· 2 π· 4 π = Pr[π¦ 3 β π¦ 4 = πΎ|(π¦ 1 β π¦ 2 = πΎ)β(π§ 1 β π§ 3 = πΏ)β(π§ 2 β π§ 4 = πΏ)] 4 /24
BCT [CHP+18] Boomerang Connectivity Table (BCT) Calculate π theoretically when πΉ π is composed of a β’ single Sβbox layer . Unify previous observations on the S-box (incompa- β’ tibilities and switches) π¦ 1 π¦ 3 π½ π½ π¦ 2 π¦ 4 π π π π πΎ π§ 1 π§ 3 π§ 2 π§ 4 πΎ 5 /24
Our Work Motivation The actual boundaries of πΉ π which contains β’ dependency How to calculate π when πΉ π contains multiple β’ rounds? Contribution Generalized framework of BCT β’ β Determine the boundaries of πΉ π Calculate π of πΉ π in the sandwich attack β 6 /24
DDT: Difference Distribution Table πΈπΈπ π½, πΎ = #{π¦ β {0,1} π |π π¦ β¨π π¦β¨π½ = πΎ } πΎ π½ SKINNYβs 4 -bit S-box 7 /24
BCT: Boomerang Connectivity Table πΆπ·π π½, πΎ = #{π¦ β {0,1} π |π β1 (π π¦ β πΎ)β¨π β1 (π π¦β¨π½ β πΎ) = π½ } πΎ π¦ 1 π¦ 3 π½ π½ π¦ 2 π¦ 4 π π πΎ π π π§ 1 π§ 3 πΎ π§ 2 π§ 4 π½ SKINNYβs 4 -bit S-box 8 /24
Relation between DDT and BCT Let 9 /24
Relation between DDT and BCT Let 9 /24
Relation between DDT and BCT Let Eq. 1 can be re-written as 9 /24
New Explanation of BCT π for πΉ π with one S-box layer at the boundary of E 0 and E 1 10 /24
New Explanation of BCT π for πΉ π with one S-box layer at the boundary of E 0 and E 1 Similarly, 10 /24
New Explanation of BCT π for πΉ π with one S-box layer at the boundary of E 0 and E 1 Similarly, In this case, π½ and πΎ are regarded as fixed. 10 /24
Generalization: S-box in E 0 or E 1 Upper crossing difference Lower crossing difference S-box in E 0 S-box in E 1 11 /24
Generalization: S-box in E 0 or E 1 Upper crossing difference Lower crossing difference S-box in E 0 S-box in E 1 What if π½ or πΎ (crossing differences) are not fixed? 11 /24
Generalization: S-box in E 0 12 /24
Generalization: S-box in E 0 (1) πΎ is independent of the upper trail 12 /24
Generalization: S-box in E 0 (1) πΎ is independent of the upper trail (2) πΎ is uniformly distributed which becomes identical to π 2 π 2 in the classical boomerang attack. 12 /24
Generalization: S-box in E 1 (1) π½ is independent of the lower trail (2) π½ is uniformly distributed which becomes identical to π 2 π 2 in the classical boomerang attack. 13 /24
Generalization: Interrelated S-boxes Lower crossing diff. ( πΎ ) of A comes from B. Upper crossing diff. ( π½β² ) of B comes from A. S-boxes A and B are interrelated. 14 /24
Generalization: Interrelated S-boxes Lower crossing diff. ( πΎ ) of A comes from B. Upper crossing diff. ( π½β² ) of B comes from A. S-boxes A and B are interrelated. 14 /24
Generalization: Interrelated S-boxes Lower crossing diff. ( πΎ ) of A comes from B. Upper crossing diff. ( π½β² ) of B comes from A. S-boxes A and B are interrelated. 14 /24
Generalized Framework of BCT πππ‘π’ . πππ π‘π’ ||πΉ 0 1. Initialization: πΉ π β πΉ 1 πΉ 0 πΎ ββ’ , β β(πΏ β πΉ 1 π) . πΉ 1 πΉ 0 2. Extend both trails: π½ β Pr = 1 Pr = 1 3. Prepend πΉ π with one more round a) If the lower crossing differences are distributed uni formly, peel off the first round and go to Step 4. b) Go to Step 3 4. Append πΉ π with one more round a) If the upper crossing differences are distributed uni formly, peel off the last round and go to Step 5. b) Go to Step 4. 5. Calculate r using formulas in the previous slides Boundaries of πΉ π : where crossing differences are distr ibuted (almost) uniformly. 15 /24
Applications Re-evaluate prob of four BM dist. of SKINNY π 2 ΰ· Prev: prob evaluated by ΖΈ π 2 β’ New: prob evaluated by the generalized BCT β’ Construct related-subkey BM dist. Of AES-128 Prev: related-subkey BM dist. Of AES-192/256 β’ New: 6-round related-subkey BM dist. Of AES- β’ 128 with 2 β109.42 16 /24
SKINNY SKINNY [BJK+16] is an SPN cipher, with a linear key schedule. SKINNY-n-t where n is block size and t β’ tweakey size Example πΉ π of SKINNY-64-128 in the related- tweakey setting Upper trail: 2 rounds, 2 β8 β’ Lower trail: 4 rounds, 2 β14 β’ π 2 π 2 = 2 β44 β’ 17 /24
π π with 6 Middle Rounds Rd Diff before and after SB βK β K Pr. R1 2 β2 0,0,0,0, 0,0,0,0, 0,0,0,b, 0,0,0,0 0,0,0,0, 0,0,0,0 b,0,0,0, 0,0,0,0 0,0,0,0, 0,0,0,0, 0,0,0,1, 0,0,0,0 R2 2 β2β3 0,1,0,0, 0,0,0,0, 0,1,0,0, 0,1,0,0 0,0,0,0, 0,c,0,0 0,0,0,0, 5,0,0,0 0,8,0,0, 0,0,0,0, 0,8,0,0, 0,8,0,0 R3 2 β2 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,2 0,0,0,0, 0,0,0,0 0,0,3,0, 0,0,0,0 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,3 R4 2 β3β2 0,0,0,0, 0,0,3,0, 0,0,0,0, 0,0,3,0 0,0,0,3, 0,0,0,0 0,0,0,0, 0,0,9,0 0,0,0,0, 0,0,d,0, 0,0,0,0, 0,0,c,0 R5 2 β2β2 0,c,0,0, 0,0,0,0, 0,0,0,4, 0,0,0,0 0,0,0,0, 0,0,0,0 0,0,0,0, 2,0,0,0 0,2,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,0 R6 2 β2 0,0,0,0, 0,2,0,0, 0,0,0,0, 0,0,0,0 0,0,0,0, 0,0,0,d 0,0,0,0, 0,1,0,0 0,0,0,0, 0,1,0,0, 0,0,0,0, 0,0,0,0 18 /24
Evaluation of π Rounds π (new) π π π π π π ΰ· π π ΰ· 1+1 2 β16 2 β8.41 2 β2 2+1 β¦ 2 β20 2 β2.79 2+2 β¦ 2 β32 2 β5.69 2+3 β¦ 2 β40 2 β10.56 2+4 2 β44 2 β29.91 2 β12.96 Experiments confirm the results of π . 19 /24
ΖΈ Summary of the results on SKINNY Prob. of BM dist. and comparison π = ΰ·© π π β π π β ΰ·© π π π π Ver. n π 2 ΰ·€ π 2 ΰ· π 2 [LGS17] π 2 π | π π | π | πΉ | ΰ·€ 2 β12.96 2 β48.72 2 β29.78 64 6(13) 17 n-2n 2 β11.45 2 β103.84 2 β77.83 128 5(12) 18 2 β10.50 2 β54.94 2 β42.98 64 5(17) 22 n-3n 2 β9.88 2 β76.84 2 β48.30 128 5(17) 22 Take seconds to calculate π β’ 20 /24
Recommend
More recommend