Differential Attacks on Generalized Feistel Schemes Val´ erie Nachef - Emmanuel Volte - Jacques Patarin CANS 2013 20 November 2013
Outline Introduction 1 State of the Art Our Contribution Definition of the schemes Attacks on Type-1 Feistel Schemes 2 Notation The first rounds : Simple Attacks Use of the variance Simulation results and Complexities Examples and Complexities for Type-2, Type-3 and Alternating 3 Schemes Type-2 Feistel Schemes Type-3 Feistel Schemes Alternating Feistel Schemes Conclusion 4
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Outline 1 Introduction State of the Art Our Contribution Definition of the schemes 2 Attacks on Type-1 Feistel Schemes 3 Examples and Complexities for Type-2, Type-3 and Alternating Schemes 4 Conclusion Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Classical Feistel Schemes Encryption Decryption f 1 f n f 2 f n − 1 f n f 1
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Generalization of Feistel Schemes Construction of permutations from { 0 , 1 } kn to { 0 , 1 } kn using different kinds of round functions: Contracting Feistel schemes, Expanding Feistel schemes. Type-1, Type-2, Type-3 Feistel schemes. Alternating Feistel schemes. Schemes used in: CAST 256, MARS, RC6, BEAR-LION.... Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Previous Attacks on Generalized Feistel Schemes Different kinds of attacks: Differential Attacks (KPA, CPA-1) on contracting and expanding Feistel Schemes. (Jutla, Patarin, Nachef, Volte, Berbain) Impossible Differential Attacks on Type 1, Type 2, Type-3 Feistel schemes. (Bouillaguet, Dunkelman, Fouque, Leurent, Kim, Hong, Lee, Lim, Sung) Impossible Boomerang Attacks on Type 1, Type 2, Type-3 Feistel schemes. (Choy, Yap)
Our aim Distinguish a random permutation from a permutation generated by the scheme. Determine the number of messages needed to distinguish according to the number of rounds in Known Plaintext Attacks (KPA) and Non Adaptive Chosen Plaintext Attacks (CPA-1). We need to impose conditions on the inputs and on the outputs. Provide the maximal number of rounds reached by the attacks.
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Differential Attacks versus Impossible Differential Attacks Structure KPA CPA-1 Impossible Differential bijective any k 2 + 2 k − 2 k 2 + k − 1 k 2 + k − 1 k 2 Type-1 Type-2 2 k + 2 2 k + 1 2 k + 1 N/A k + ⌊ k 2 ⌋ + 1 Type-3 k + 1 k + 2 N/A Alternating 3 k 3 k N/A N/A Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Type-1 Feistel Schemes: First round n bits I 1 I 2 I 3 I k f 1 Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Type-2 Feistel Schemes: First round n bits I k I 1 I 2 I 3 I 4 f 1 f 1 f 1 k / 2 1 2 Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Type-3 Feistel Schemes: First round n bits I 1 I 2 I 3 I k f 1 f 1 f 1 f 1 k − 1 1 2 3 Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction State of the Art Attacks on Type-1 Feistel Schemes Our Contribution Examples and Complexities for Type-2, Type-3 and Alternating Schemes Definition of the schemes Conclusion Alternating Feistel Schemes: First two rounds kn bits n ( k − 1) n Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Outline Introduction 1 Attacks on Type-1 Feistel Schemes 2 Notation The first rounds : Simple Attacks Use of the variance Simulation results and Complexities Examples and Complexities for Type-2, Type-3 and Alternating 3 Schemes Conclusion 4 Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Notation Input I = [ I 1 , I 2 , . . . , I k ]. → Output S = [ S 1 , S 2 , . . . , S k ] f 1 = first round function { 0 , 1 } n → { 0 , 1 } n Output= [ I 2 ⊕ f (1) ( I 1 ) , I 3 , I 4 , . . . , I k , I 1 ] Let X 1 = I 2 ⊕ f (1) ( I 1 ). X 1 is called an internal variable . Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Internal Variables New Internal Variables X j at round j , where S 1 = X j 1 ≤ r ≤ k − 1 , X r = I r +1 ⊕ f r ( X r − 1 ) X k = I 1 ⊕ f k ( X k − 1 ) ∀ r , r ≥ 1 , ∀ j , 1 ≤ j ≤ k , X rk + j = X ( r − 1) k + j ⊕ f rk + j ( X rk + j − 1 ) Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Differential Notation Plaintext/ciphertext pairs Input variables: [0 , 0 , 0 , ∆ 0 4 , . . . , ∆ 0 k ] KPA: For ( i , j ) , I 1 ( i ) = I 1 ( j ) , I 2 ( i ) = I 2 ( j ) and I 3 ( i ) = I 3 ( j ) CPA-1: I 1 , I 2 , I 3 are given constant values After r rounds Output Variables: [0 , ∆ 0 ℓ , ∆ r 3 , . . . , ∆ r k ] For ( i , j ) , S 1 ( i ) = S 1 ( j ) and S 2 ( i ) ⊕ S 2 ( j ) = I ℓ ( i ) ⊕ I ℓ ( j ) Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Internal Variables and Differential Characteristics Intermediate round r , r ≥ k Output: [ X r , X r − k +1 , X r − k +2 , . . . , X r − 1 ] Condition imposed on this output: [0 , ∆ r 2 , ∆ r 3 , . . . , ∆ r k ] ⇒ for ( i , j ) , X r ( i ) = X r ( j ) Propagation of the differential characteristics: after round r + 1, [∆ r 2 , ∆ r 3 , . . . , ∆ r k , 0] Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Overview of the Attacks Conditions on the inputs and the outputs Conditions on the internal variables ⇒ Propagation of the characteristics Count the number of plaintext/ciphertext pairs satisfying the input and output conditions N perm for a permutation and N scheme for a scheme Compute and compare the expectancies E ( N perm ) and E ( N scheme ) Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
CPA-1 on 2 k − 2 rounds with 2 messages ∆ 0 round 0 0 0 ... 0 k ∆ 0 1 0 0 0 ... 0 k . . . ∆ 0 k − 2 0 0 . . . 0 0 k ∆ 0 k − 1 0 0 ... 0 0 k ∆ k ∆ 0 0 0 ... 0 k 1 k ∆ k +1 ∆ 0 ∆ k k + 1 0 0 ... 1 k 1 . . . ∆ 2 k − 2 ∆ 2 k − 4 ∆ 2 k − 3 ∆ 0 ∆ k 2 k − 2 ... 1 1 1 1 k
Introduction Notation Attacks on Type-1 Feistel Schemes The first rounds : Simple Attacks Examples and Complexities for Type-2, Type-3 and Alternating Schemes Use of the variance Conclusion Simulation results and Complexities Details of the Attack Choose 2 distinct messages I (1) and I (2) such that I 1 (1) = I 1 (2) , . . . I k − 1 (1) = I k − 1 (2) With a scheme : Pr [ S 2 (1) ⊕ S 2 (2) = I k (1) ⊕ I k (2)] = 1 With a random permutation: Pr [ S 2 (1) ⊕ S 2 (2) = I k (1) ⊕ I k (2)] = 1 2 n Val´ erie Nachef - Emmanuel Volte - Jacques Patarin Differential Attacks on Generalized Feistel Schemes
Recommend
More recommend