

  1. Combined Attacks — from Boomerangs to Sandwiches and Differential-Linear
     Orr Dunkelman, Department of Computer Science, University of Haifa
     June 5th, 2014
     Orr Dunkelman, Combined Attacks, 1/36

  2. Outline
     1. A Quick Introduction
        - Differential Cryptanalysis
        - Linear Cryptanalysis
     2. The Boomerang Attack
        - The Boomerang Attack
        - The Amplified Boomerang Attack
        - Independence Assumptions
        - The Sandwich Attack
     3. Differential-Linear Cryptanalysis
        - The Basic Concept
        - A Differential-Linear Attack on 8-Round DES
        - Several Extensions to Differential-Linear Cryptanalysis
     4. Summary

  3. Differential Cryptanalysis
     - Considers the development of differences through the encryption process.
     - The core of the attack: a differential characteristic (a prediction of the development of differences through the encryption process).
     - Given a differential characteristic with probability $p$, the adversary asks for $O(1/p)$ pairs of plaintexts $(P, P^* = P \oplus \Omega_P)$.
     - The attack tries to locate “right pairs”, i.e., a pair whose corresponding ciphertexts satisfy $C^* = C \oplus \Omega_C$.
     - Information about the key can be learnt from the right pair.

  4. Differential Cryptanalysis (cont.)
     - To attack more rounds of the cipher than in the differential characteristic:
       - Guess subkey material in the additional rounds,
       - Partially encrypt/decrypt the plaintext/ciphertext pairs,
       - Count how many “right pairs” exist,
       - The counter for the right subkey is expected to be the highest.
     - In such attacks, we care less about “which pair is a right pair”, and more about how many such pairs exist.
     - Hence, for this sort of attack, we are only interested in the input and output differences.
     - This set of $(\Omega_P, \Omega_C)$ and the associated probability is called a differential. Its probability is the sum of the probabilities of all differential characteristics that share $\Omega_P$ and $\Omega_C$.

  5. Differential Characteristic of DES
     A three-round differential characteristic of DES with probability 1/16:
     - $\Omega_P = 40\ 08\ 00\ 00\ 04\ 00\ 00\ 00_x$
     - Round 1: $A' = 40\ 08\ 00\ 00_x$, $a' = 04\ 00\ 00\ 00_x$, $p = 1/4$
     - Round 2: $B' = 0_x$, $b' = 0_x$, $p = 1$
     - Round 3: $C' = 40\ 08\ 00\ 00_x$, $c' = 04\ 00\ 00\ 00_x$, $p = 1/4$
     - $\Omega_T = 40\ 08\ 00\ 00\ 04\ 00\ 00\ 00_x$

  6. Differential Characteristic of DES (cont.)
     A 3-round truncated differential characteristic of DES:
     - $\Omega_P = 40\ 00\ 00\ 00\ 00\ 00\ 00\ 00_x$
     - Round 1: $A' = 0$, $a' = 0$, $p = 1$
     - Round 2: $B' = 00\ W0\ XY\ 0Z_x = P(V0\ 00\ 00\ 00_x)$, $b' = 40\ 00\ 00\ 00_x$, $p = 1$
     - Round 3: $C' = ??\ ??\ M?\ ??_x = P(0?\ ??\ ??\ 0?_x)$, $c' = 00\ W0\ XY\ 0Z_x$, $p = 1$
     - $\Omega_T = ??\ ??\ M?\ ??\ 00\ W0\ XY\ 0Z_x$

  7. Linear Cryptanalysis
     - Tries to approximate the cipher (or a reduced-round variant of it) as a linear equation: $\lambda_P \cdot P \oplus \lambda_C \cdot C = \lambda_K \cdot K$ with probability $1/2 + \epsilon$.
     - Collect $N = O(\epsilon^{-2})$ known plaintext/ciphertext pairs. The majority are expected to satisfy $\lambda_P \cdot P \oplus \lambda_C \cdot C = \lambda_K \cdot K$ (when $\epsilon > 0$).
     - To attack more rounds than in the linear approximation:
       - Guess subkey material in the additional rounds,
       - Partially encrypt/decrypt the plaintext/ciphertext pairs,
       - Count how many times $\lambda_P \cdot P \oplus \lambda_C \cdot C = 0$,
       - The counter for the right subkey is expected to be more biased.

  8. Linear Cryptanalysis (cont.)
     - The attack is actually a random process.
     - Consider the following scenario:
       - There are $2^s$ possible subkeys.
       - We want the right subkey to be among the $2^a$ most biased ones.
     - Let $\Phi(x) = \int_{-\infty}^{x} \frac{1}{\sqrt{2\pi}} e^{-x^2/2}\,dx$.
     - A linear attack with $N = c/\epsilon^2$ known plaintexts has a success probability of
       $$P_s = \Phi\left(2\sqrt{c} - \Phi^{-1}\left(1 - 2^{-a-1}\right)\right).$$
       To achieve a success probability of $P_s$, set
       $$N = \left(\frac{\Phi^{-1}(P_s) + \Phi^{-1}\left(1 - 2^{-a-1}\right)}{2}\right)^2 \cdot \epsilon^{-2}.$$

  9. Linear Approximation of DES
     A three-round linear approximation of DES with bias $1/2 + 2 \cdot (20/64)^2 = 1/2 + 25/128$:
     - $\lambda_T = 21\ 04\ 00\ 80\ 00\ 00\ 80\ 00_x$
     - Round 1: $A' = 21\ 04\ 00\ 80_x = P(00\ 00\ F0\ 00_x)$, $a' = 00\ 00\ 80\ 00_x$, probability $1/2 - 20/64$
     - Round 2: $B' = 0$, $b' = 0$, probability $1/2 + 1/2$
     - Round 3: $C' = 21\ 04\ 00\ 80_x = P(00\ 00\ F0\ 00_x)$, $c' = 00\ 00\ 80\ 00_x$, probability $1/2 - 20/64$
     - $\lambda_C = \lambda_T = 21\ 04\ 00\ 80\ 00\ 00\ 80\ 00_x$

  10. Some General Comments
     - Finding good differential characteristics/linear approximations is a hard task.
     - Some automatic tools exist (Matsui’s method), but it is better to study the algorithm.
     - Sometimes, a better attack is obtained when using differentials (approximations) of lower probability (bias).
     - Many optimizations for both attacks exist. Consider differential cryptanalysis:
       - Structures of plaintexts,
       - Discarding wrong pairs (early abort),
       - Using multiple differentials,

  11. The Boomerang Attack
     - Introduced by [W99].
     - Targets ciphers with good short differentials, but bad long ones.
     - The core idea: Treat the cipher as a cascade of two sub-ciphers. Where in the first sub-cipher a differential $\alpha \xrightarrow{E_0} \beta$ exists, and a differential $\gamma \xrightarrow{E_1} \delta$ exists for the second.
     - The process starts with a pair of plaintexts: $P_1, P_2 = P_1 \oplus \alpha$.
     - After the first sub-cipher, $T_1 \oplus T_2 = \beta$.
     - But the encryption process
     [Figure: boomerang quartet with plaintexts $P_1, \dots, P_4$, intermediate values $T_1, \dots, T_4$ after $E_0$, ciphertexts $C_1, \dots, C_4$ after $E_1$, and differences $\alpha$, $\beta$, $\gamma$, $\delta$.]

  12. The Boomerang Attack — Some Details
     - If the probability of the first differential is $p$, and of the second differential is $q$, the total probability of the boomerang quartet is $\Pr[\alpha \to \beta]^2 \cdot \Pr[\gamma \to \delta]^2 = (pq)^2$.
     - Note that we use three out of the four differentials in the backward direction.
     - For regular differentials, the probability is the same.
     - However, for truncated differentials, the probability is not necessarily the same.

  13. The Boomerang Attack — Some More Details
     - A right boomerang quartet discloses information about the key.
     - At the same time, the attack is an adaptive chosen plaintext and ciphertext attack.
     - This prevents us from using many of the cryptanalytic techniques that were proposed over the years.
     - To overcome this, we need to transform the attack into a chosen plaintext attack.

  14. The Amplified Boomerang Attack
     - Introduced by [KKS00].
     - Similar idea to the boomerang attack, but in a chosen plaintext scenario.
     - Again, assume the existence of two differentials: $\alpha \xrightarrow{E_0} \beta$ for the first sub-cipher and $\gamma \xrightarrow{E_1} \delta$ for the second.
     - Take many pairs of plaintext with difference $\alpha$: $P^i_1, P^i_2 = P^i_1 \oplus \alpha$.
     - After the first sub-cipher, for some of them $T^i_1 \oplus T^i_2 = \beta$.
     - If we have many pairs
     [Figure: amplified boomerang quartet built from two pairs $(P^i_1, P^i_2)$ and $(P^j_1, P^j_2)$, with intermediate values $T^i_1, T^i_2, T^j_1, T^j_2$ after $E_0$, ciphertexts $C^i_1, C^i_2, C^j_1, C^j_2$ after $E_1$, and differences $\alpha$, $\beta$, $\gamma$, $\delta$.]

  15. The Amplified Boomerang Attack — Some Details
     - If the probability of the first differential is $p$, and of the second differential is $q$, the total probability of the amplified boomerang quartet is $\Pr[\alpha \to \beta]^2 \cdot \Pr[\gamma \to \delta]^2 \cdot 2^{-n} = (pq)^2 \cdot 2^{-n}$.
     - In other words, the probability is less than $2^{-n}$!

  16. The Amplified Boomerang Attack — Some Details (cont.)
     - If we take $N$ pairs with input difference $\alpha$, we obtain about $N^2/2$ quartets.
     - Hence, we expect $N^2/2 \cdot (pq)^2 \cdot 2^{-n}$ right amplified boomerang quartets.
     - Start with $N = O(2^{n/2}/pq)$ pairs.
     - As long as $(pq) > 2^{-n/2}$, we can have enough data to run the attack.
     - Which is the same condition as for the boomerang attack...
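
The DES figures on slides 5 and 9 can be recomputed from the S-box tables. The Python below is an added example, not part of the original slides: it checks that only S2 (respectively S5) is involved, recomputes the one-round probabilities 1/4 and 1/2 − 20/64, and combines the three rounds. The function names are illustrative, and the standard DES tables (S2, S5, E, P) and the S-box-level values 08x → Ax and input mask 10x are assumptions taken from the DES specification rather than from the slides.

```python
from fractions import Fraction

# Standard DES tables (from the DES specification, not from the slides).
# S-box row = outer bits b1b6, column = inner bits b2..b5.
S2 = [[15,1,8,14,6,11,3,4,9,7,2,13,12,0,5,10], [3,13,4,7,15,2,8,14,12,0,1,10,6,9,11,5],
      [0,14,7,11,10,4,13,1,5,8,12,6,9,3,2,15], [13,8,10,1,3,15,4,2,11,6,7,12,0,5,14,9]]
S5 = [[2,12,4,1,7,10,11,6,8,5,3,15,13,0,14,9], [14,11,2,12,4,7,13,1,5,0,15,10,3,9,8,6],
      [4,2,1,11,10,13,7,8,15,9,12,5,6,3,0,14], [11,8,12,7,1,14,2,13,6,15,0,9,10,4,5,3]]
# Permutation P: output bit i (1 = most significant) is input bit P[i-1].
P = [16,7,20,21,29,12,28,17,1,15,23,26,5,18,31,10,
     2,8,24,14,32,27,3,9,19,13,30,6,22,11,4,25]

def bit(x, k):                       # bit k of a 32-bit word, 1 = most significant
    return (x >> (32 - k)) & 1

def e_bits(j):                       # bits of R that expansion E feeds to S-box j (0 = S1)
    return [(4 * j + t - 1) % 32 + 1 for t in range(6)]

def permute(x):
    return sum(bit(x, P[i]) << (31 - i) for i in range(32))

def sbox(table, x):                  # x = b1..b6, b1 most significant
    return table[((x >> 5) << 1) | (x & 1)][(x >> 1) & 0xF]

def differential_characteristic():
    """Slide 5: returns (probability, Omega_T) of the 3-round characteristic."""
    a, A = 0x04000000, 0x40080000
    din = [int("".join(str(bit(a, k)) for k in e_bits(j)), 2) for j in range(8)]
    assert din == [0, 0x08, 0, 0, 0, 0, 0, 0]            # only S2 is active
    assert permute(0xA << 24) == A                       # S2 output difference Ax
    p = Fraction(sum((sbox(S2, x) ^ sbox(S2, x ^ 0x08)) == 0xA for x in range(64)), 64)
    prob, left, right = Fraction(1), A, a                # Omega_P = (A, a)
    for _ in range(3):                                   # Feistel: (L, R) -> (R, L ^ F(R))
        prob *= p if right else 1
        left, right = right, left ^ (A if right else 0)
    return prob, (right << 32) | left                    # final swap undone

def linear_approximation():
    """Slide 9: returns (S5 hit count out of 64, 3-round probability)."""
    a, A = 0x00008000, 0x21040080
    assert bit(a, e_bits(4)[1]) == 1 and bin(a).count("1") == 1  # a' = 2nd input bit of S5
    assert permute(0xF << 12) == A                       # S5 output mask Fx
    hits = sum(((x >> 4) & 1) == (bin(sbox(S5, x)).count("1") & 1) for x in range(64))
    eps = Fraction(hits, 64) - Fraction(1, 2)            # one-round bias, rounds 1 and 3
    return hits, Fraction(1, 2) + 4 * eps * Fraction(1, 2) * eps   # piling-up lemma
```

The middle round contributes probability 1 to the differential and bias 1/2 to the linear approximation, which is why the three-round figures reduce to (1/4)² and 2·(20/64)².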
