Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC - PowerPoint PPT Presentation

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gaëtan Leurent Inria, France DIAC 2014

2 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Description of LAC G. Leurent (Inria) . . . . . . . . 80 KS KS KS K 64 Init Final T N 64 G G G . leak leak leak . . . . . . . . . . . . . . . . . . . . . . . . 48 48 m 1 m 2 m 3 c 1 c 2 c 3 ▶ Designed by Chinese Academy of Science researchers ▶ Lei Zhang, Wenling Wu, Yanfeng Wang, Shengbao Wu, Jian Zhang ▶ Follows the structure of ALE ▶ G based on modified LBlock. ▶ 80bit key, 64bit state, 48bit leak

2 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Description of LAC G. Leurent (Inria) “any forgery attack with an unused tuple Security claims . . . . . . . . 80 KS KS KS K 64 Init Final T N 64 G G G . leak leak leak . . . . . . . . . . . . . . . . . . . . . . . . 48 48 m 1 m 2 m 3 c 1 c 2 c 3 ▶ Confidentiality: 80 bits ▶ Authenticity: 64 bits has a success probability at most 2 − 64 ”

3 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Inside LBlock-s G. Leurent (Inria) . . . . . . . . ▶ Feistel structure . . . . . . . . . . . . . 2 ▶ 16 rounds . . . . ▶ Key addition . ▶ Nibble Sbox . . ▶ Nibble permutation ▶ Best characteristics ▶ 35 active Sboxes . . . ▶ Proba ≤ 2 − 70

4 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Truncated differential characteristic G. Leurent (Inria) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 . . . . R1 R5 . . . . F F . . . . . . . . 2 2 . . . . R2 R6 . . . . F F . . . . . . . . 2 2 . . R3 R7 . . . . F F . . . . . . . . 2 2 . . . . R4 R8 F . . F . . . . . . . . .

4 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Truncated differential characteristic G. Leurent (Inria) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 R9 . . . . R13 . . . . F F . . . . . . . . 2 2 . . . . R10 R14 . . . . F F . . . . . . . . 2 2 . . R11 R15 . . . . F F . . . . . . . . 2 2 . . . . R12 R16 F . . F . . . . . . . . .

5 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Differential and characteristics G. Leurent (Inria) . . . . . . . . Differential 𝛽 � 𝛾 Characteristic 𝛽 0 → 𝛽 1 → ⋯ 𝛽 n = 𝛾 ▶ Common assumption: A single characteristic dominates the differential ▶ Modifying one step leads to significantly different characteristics ▶ Not necessarily true for bytewise designs ▶ Given a truncated characteristics, there are many instantiated characteristics with the same input/output difference.

5 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Differential and characteristics G. Leurent (Inria) . . . . . . . . Differential 𝛽 � 𝛾 Characteristic 𝛽 0 → 𝛽 1 → ⋯ 𝛽 n = 𝛾 ▶ Common assumption: A single characteristic dominates the differential ▶ Modifying one step leads to significantly different characteristics ▶ Not necessarily true for bytewise designs ▶ Given a truncated characteristics, there are many instantiated characteristics with the same input/output difference.

6 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack A simple example G. Leurent (Inria) 𝛽 𝛿 𝛽 𝛾 𝛿 . . . . . . . . ▶ Fixed differential (𝛽, 𝛽) → ( 0 , 𝛾) ▶ Many characteristics: all possible 𝛿 . . . . . 2 ⋅ Pr 􏿯𝛿 → 𝛾􏿲 Pr 􏿯(𝛽, 𝛽) → ( 0 , 𝛾)􏿲 = 􏾝 Pr 􏿯𝛽 → 𝛿􏿲 ▶ If Sbox has a flat differential table, ≈ 2 n characteristics with probability ≈ 2 − 3 n 0 ▶ Can we evaluate the sum of all the characteristics following a truncated characteristic?

7 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Computing aggregation G. Leurent (Inria) 𝛽 . . . . . . . . ▶ Consider a fixed truncated characteristic D ▶ D i is the first i rounds of D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 probability that 𝛽 � 𝛾 following D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 ≤ Pr 􏿯𝛽 � 𝛾􏿲 Computing Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 1 Compute Pr [ D 1 ∶ 𝛽 � x ] for all x following D 1 2 Compute Pr [ D i ∶ 𝛽 � x ] for all x following D i iteratively: Pr [ D i ∶ 𝛽 � x ] = ∑ x ′ Pr [ D i − 1 ∶ 𝛽 � x ′ ] × Pr [ x ′ � x ] . .

7 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Computing aggregation G. Leurent (Inria) 𝛽 . . . . . . . . ▶ Consider a fixed truncated characteristic D ▶ D i is the first i rounds of D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 probability that 𝛽 � 𝛾 following D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 ≤ Pr 􏿯𝛽 � 𝛾􏿲 Computing Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 1 Compute Pr [ D 1 ∶ 𝛽 � x ] for all x following D 1 2 Compute Pr [ D i ∶ 𝛽 � x ] for all x following D i iteratively: Pr [ D i ∶ 𝛽 � x ] = ∑ x ′ Pr [ D i − 1 ∶ 𝛽 � x ′ ] × Pr [ x ′ � x ] . . .

7 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Computing aggregation G. Leurent (Inria) 𝛽 . . . . . . . . ▶ Consider a fixed truncated characteristic D ▶ D i is the first i rounds of D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 probability that 𝛽 � 𝛾 following D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 ≤ Pr 􏿯𝛽 � 𝛾􏿲 Computing Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 1 Compute Pr [ D 1 ∶ 𝛽 � x ] for all x following D 1 2 Compute Pr [ D i ∶ 𝛽 � x ] for all x following D i iteratively: Pr [ D i ∶ 𝛽 � x ] = ∑ x ′ Pr [ D i − 1 ∶ 𝛽 � x ′ ] × Pr [ x ′ � x ] . . .

7 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Computing aggregation G. Leurent (Inria) 𝛽 . . . . . . . . ▶ Consider a fixed truncated characteristic D ▶ D i is the first i rounds of D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 probability that 𝛽 � 𝛾 following D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 ≤ Pr 􏿯𝛽 � 𝛾􏿲 Computing Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 1 Compute Pr [ D 1 ∶ 𝛽 � x ] for all x following D 1 2 Compute Pr [ D i ∶ 𝛽 � x ] for all x following D i iteratively: Pr [ D i ∶ 𝛽 � x ] = ∑ x ′ Pr [ D i − 1 ∶ 𝛽 � x ′ ] × Pr [ x ′ � x ] . . .

7 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Computing aggregation G. Leurent (Inria) 𝛽 . . . . . . . . ▶ Consider a fixed truncated characteristic D ▶ D i is the first i rounds of D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 probability that 𝛽 � 𝛾 following D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 ≤ Pr 􏿯𝛽 � 𝛾􏿲 Computing Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 1 Compute Pr [ D 1 ∶ 𝛽 � x ] for all x following D 1 2 Compute Pr [ D i ∶ 𝛽 � x ] for all x following D i iteratively: Pr [ D i ∶ 𝛽 � x ] = ∑ x ′ Pr [ D i − 1 ∶ 𝛽 � x ′ ] × Pr [ x ′ � x ] . . .

7 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Computing aggregation G. Leurent (Inria) 𝛽 . . . . . . . . ▶ Consider a fixed truncated characteristic D ▶ D i is the first i rounds of D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 probability that 𝛽 � 𝛾 following D ▶ Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 ≤ Pr 􏿯𝛽 � 𝛾􏿲 Computing Pr 􏿯 D ∶ 𝛽 � 𝛾􏿲 1 Compute Pr [ D 1 ∶ 𝛽 � x ] for all x following D 1 2 Compute Pr [ D i ∶ 𝛽 � x ] for all x following D i iteratively: Pr [ D i ∶ 𝛽 � x ] = ∑ x ′ Pr [ D i − 1 ∶ 𝛽 � x ′ ] × Pr [ x ′ � x ] 𝛾 4 𝛾 3 𝛾 2 𝛾 1 . . . . . . . 𝛾 0

8 / 9 Description of LAC DIAC 2014 Differentials and Characteristics Cryptanalysis of LAC Forgery attack Application to LAC G. Leurent (Inria) Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . F ▶ At most 6 active nibbles . . . . ▶ Storage 2 24 2 ▶ At most 3 active Sboxes . . . . F ▶ At most 2 9 transitions ▶ Time 2 37 . . . . 2 . . . F 17512 differentials with p > 2 − 64 . . . . Best differentials found: 2 p ≥ 2 − 61 . 52 . . F . . . . . .