Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University School of Science kaisa.nyberg@aalto.fi June 11, 2013
Outline
◮ Introduction
◮ Piling-Up Lemma
◮ Multidimensional Linear Cryptanalysis
◮ SSA Link
◮ Distinguishing Distributions
Distribution Cryptanalysis, Icebreak 2013
Introduction
Distribution Cryptanalysis
◮ Baignères, Junod, and Vaudenay (Asiacrypt 2004) developed distinguishing techniques based on $\chi^2$.
◮ Maximov developed computational techniques for computing distributions over ciphers round by round; see e.g. the paper by Englund and Maximov at Indocrypt 2005.
◮ Hermelin et al. (2008) developed a technique called Multidimensional Linear Cryptanalysis to compute estimates of distributions using strong linear approximations.
◮ Collard and Standaert (2009) introduced a heuristic cryptanalysis technique called the Statistical Saturation Attack (SSA).
◮ Leander (Eurocrypt 2011) showed that there is a mathematical link between SSA and Multidimensional LC.
Using Multiple Linear Approximations
◮ My first lecture presented classical linear cryptanalysis based on a single linear approximation $u \cdot x + w \cdot E_k(x)$, and we learnt how to establish a good estimate of $c_x(u \cdot x + w \cdot E_k(x))^2$ by collecting as many trails from $u$ to $w$ as we can.
◮ Already Matsui in 1994 studied the possibility of using multiple linear approximations (more than one $u$ and $w$) simultaneously.
◮ Biryukov et al. developed a statistical framework under the assumption that the linear approximations are statistically independent.
◮ Multidimensional linear cryptanalysis removes the assumption of independence [Hermelin et al. 2008]. The resulting statistical model leads to distribution cryptanalysis.
◮ We start by introducing a criterion for statistical independence of binary random variables.
Piling-up Lemma
Piling-Up Lemma
Definition. Let $T$ be a binary-valued random variable with $p = P[T = 0]$. The quantity $c = 2p - 1$ is called the correlation of $T$.
Theorem. Suppose we have $k$ binary-valued random variables $T_j$, and let $c_j$ be the correlation of $T_j$, $j = 1, 2, \dots, k$. Then $T_j$, $j = 1, 2, \dots, k$, is a set of independent random variables if and only if for all subsets $J$ of $\{1, 2, \dots, k\}$ the correlation of the binary random variable
$T_J = \sum_{j \in J} T_j$
is equal to
$\prod_{j \in J} c_j .$
The "only if" part of this theorem is known to cryptographers as the Piling-up lemma.
Proof of Piling-Up Lemma
Proof. We give the proof for $k = 2$ and denote $T_1 + T_2$ by $T$. The general case follows by induction. By the independence assumption
$P[T = 0] = P[T_1 = 0]\,P[T_2 = 0] + P[T_1 = 1]\,P[T_2 = 1] = P[T_1 = 0]\,P[T_2 = 0] + (1 - P[T_1 = 0])(1 - P[T_2 = 0]) = 2P[T_1 = 0]\,P[T_2 = 0] - P[T_1 = 0] - P[T_2 = 0] + 1 .$
From this we get
$2P[T = 0] - 1 = 4P[T_1 = 0]\,P[T_2 = 0] - 2P[T_1 = 0] - 2P[T_2 = 0] + 1 = (2P[T_1 = 0] - 1)(2P[T_2 = 0] - 1) = c_1 c_2 .$
Piling-Up Lemma and Independence
Example [Stinson]. Let $T_1$, $T_2$ and $T_3$ be independent random variables with correlations $c_1 = c_2 = c_3 = 1/2$. Denote
$T_{12} = T_1 + T_2$ with correlation $c_{12} = c_1 c_2 = 1/4$,
$T_{23} = T_2 + T_3$ with correlation $c_{23} = c_2 c_3 = 1/4$,
$T_{13} = T_1 + T_3$ with correlation $c_{13} = c_1 c_3 = 1/4$.
Then we can prove that $T_{12}$ and $T_{23}$ cannot be independent. If they were independent, then by the Piling-up lemma the correlation of $T_{13} = T_{12} + T_{23}$ (the variable $T_2$ cancels modulo 2) would be equal to $\frac{1}{4} \cdot \frac{1}{4} = \frac{1}{16}$, which is not the case.
To prove the converse of the Piling-up lemma, we introduce the Walsh-Hadamard transform, which allows us to establish a relationship between correlations and probability distributions of multidimensional binary random variables.
Walsh-Hadamard Transform
Definition. Suppose $f : \{0,1\}^n \to \mathbb{R}$ is any real-valued function of bit strings of length $n$. The Walsh-Hadamard transform transforms $f$ to a function $F : \{0,1\}^n \to \mathbb{R}$ defined as
$F(w) = \sum_{x \in \{0,1\}^n} f(x)(-1)^{w \cdot x}, \quad w \in \{0,1\}^n,$
where the sum is taken over $\mathbb{R}$. Like other Fourier-type transforms, the Walsh-Hadamard transform can be inverted. It is its own inverse (an involution) up to a constant multiplier:
$f(x) = 2^{-n} \sum_{w \in \{0,1\}^n} F(w)(-1)^{w \cdot x}, \quad \text{for all } x \in \{0,1\}^n .$
Probability Distribution and Correlation of $(T_1, T_2)$
Suppose $Z = (T_1, T_2)$ is a pair of binary random variables, let $a = (a_1, a_2)$ be a pair of bits and let $c_a$ be the correlation of $a \cdot Z = a_1 T_1 + a_2 T_2$.
Lemma.
$c_a = \sum_{(t_1, t_2)} P[Z = (t_1, t_2)]\,(-1)^{a_1 t_1 + a_2 t_2} .$
Proof. Denote $t = (t_1, t_2)$ and $a \cdot t = a_1 t_1 + a_2 t_2$. Then
$c_a = 2P[a \cdot Z = 0] - 1 = P[a \cdot Z = 0] - P[a \cdot Z = 1] = \sum_{t,\ a \cdot t = 0} P[Z = t] - \sum_{t,\ a \cdot t = 1} P[Z = t] = \sum_{t} P[Z = t]\,(-1)^{a \cdot t} .$
Probability Distribution and Correlation of $(T_1, T_2)$
◮ We saw that $c_a = F(a)$ is the Walsh-Hadamard transform of the real-valued function $f(t) = P[Z = t]$.
◮ Using the inverse Walsh-Hadamard transform we get
$P[Z = t] = \frac{1}{4} \sum_{(a_1, a_2)} c_a (-1)^{a_1 t_1 + a_2 t_2} = \frac{1}{4} \sum_{a} c_a (-1)^{a \cdot t} .$
Proof of the Converse of the Piling-Up Lemma, $k = 2$
Claim. If the correlation of $T_1 + T_2$ is equal to $c_1 c_2$ then $T_1$ and $T_2$ are independent.
Proof. For $a = (a_1, a_2) \in \{0,1\}^2$, we use $c_a$ to denote the correlation of $a \cdot Z = a_1 T_1 + a_2 T_2$; thus $c_{(0,0)} = 1$, $c_{(1,0)} = c_1$, $c_{(0,1)} = c_2$ and, by assumption, $c_{(1,1)} = c_1 c_2$. Then
$P[T_1 = t_1, T_2 = t_2] = \frac{1}{4} \sum_{a} c_a (-1)^{a_1 t_1 + a_2 t_2} = \frac{1}{4}\left(c_{(0,0)} + c_{(1,0)}(-1)^{t_1} + c_{(0,1)}(-1)^{t_2} + c_{(1,1)}(-1)^{t_1 + t_2}\right) = \frac{1}{4}\left(1 + c_1(-1)^{t_1} + c_2(-1)^{t_2} + c_1 c_2 (-1)^{t_1}(-1)^{t_2}\right) = \frac{1}{4}\left(1 + c_1(-1)^{t_1}\right)\left(1 + c_2(-1)^{t_2}\right) = P[T_1 = t_1]\,P[T_2 = t_2],$
where the last step uses $P[T_j = t_j] = \frac{1}{2}\left(1 + c_j(-1)^{t_j}\right)$, which is just the definition of the correlation $c_j$.
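Both directions of the theorem, the lemma expressing correlations as the Walsh-Hadamard transform of the distribution, and the inverse transform, carried through numerically as an added Python example (this is not code from the lecture). It re-runs the Stinson example above: the correlation of $T_{12} + T_{23}$ comes out as $1/4$ rather than $c_{12} c_{23} = 1/16$, so the independence criterion fails for the pair $(T_{12}, T_{23})$ while the original triple passes it. Packing the variables into the bits of an integer and the `pushforward` helper are this example's own conventions.

```python
from math import isclose


def parity(v: int) -> int:
    """Parity of v; with masks as integers, the dot product a.t over F_2 is parity(a & t)."""
    return bin(v).count("1") & 1


def correlation(dist: dict, a: int) -> float:
    """Lemma: c_a = sum_t P[Z = t] (-1)^{a.t}, i.e. the Walsh-Hadamard transform of
    f(t) = P[Z = t]. dist maps a k-bit integer t (bit j = value of T_j) to P[Z = t]."""
    return sum(p * (-1) ** parity(a & t) for t, p in dist.items())


def distribution(corrs: dict, k: int) -> dict:
    """Inverse transform: P[Z = t] = 2^{-k} sum_a c_a (-1)^{a.t}.
    corrs maps every mask a in {0,1}^k (as an integer) to the correlation c_a."""
    return {t: sum(c * (-1) ** parity(a & t) for a, c in corrs.items()) / 2 ** k
            for t in range(2 ** k)}


def independent_by_pilingup(dist: dict, k: int, tol: float = 1e-12) -> bool:
    """Theorem: T_1..T_k are independent iff for every subset J the correlation of
    sum_{j in J} T_j equals prod_{j in J} c_j. The mask a encodes the subset J."""
    single = {j: correlation(dist, 1 << j) for j in range(k)}
    for a in range(2 ** k):
        expected = 1.0
        for j in range(k):
            if a >> j & 1:
                expected *= single[j]
        if not isclose(correlation(dist, a), expected, abs_tol=tol):
            return False
    return True


def product_distribution(probs_zero: list) -> dict:
    """Joint distribution of independent bits T_j with P[T_j = 0] = probs_zero[j]."""
    k = len(probs_zero)
    dist = {}
    for t in range(2 ** k):
        p = 1.0
        for j, p0 in enumerate(probs_zero):
            p *= (1 - p0) if (t >> j & 1) else p0
        dist[t] = p
    return dist


def pushforward(dist: dict, f) -> dict:
    """Distribution of f(t) when t is drawn from dist."""
    out = {}
    for t, p in dist.items():
        out[f(t)] = out.get(f(t), 0.0) + p
    return out


def stinson_example():
    """Constructed input following the slide: T1, T2, T3 independent, each with
    correlation 1/2, i.e. P[T_j = 0] = 3/4. Returns the correlation of T12 + T23,
    the product c_12 * c_23 the Piling-up lemma would predict under independence,
    and whether (T12, T23) satisfies the independence criterion."""
    triple = product_distribution([0.75, 0.75, 0.75])

    def pair_map(t):  # Z = (T12, T23): T1 + T2 in bit 0, T2 + T3 in bit 1
        t1, t2, t3 = t & 1, t >> 1 & 1, t >> 2 & 1
        return (t1 ^ t2) | ((t2 ^ t3) << 1)

    pair = pushforward(triple, pair_map)
    c13 = correlation(pair, 0b11)                 # T12 + T23 = T1 + T3
    predicted = correlation(pair, 0b01) * correlation(pair, 0b10)
    return c13, predicted, independent_by_pilingup(pair, 2)


if __name__ == "__main__":
    c13, predicted, indep = stinson_example()
    print("correlation of T12 + T23:", c13, " c12*c23:", predicted, " independent:", indep)
```

The criterion function checks all $2^k$ subset correlations, which is exactly the "for all subsets $J$" condition of the theorem; for the triple it reports independence, for the derived pair it does not.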
Multidimensional Linear Cryptanalysis
Correlation and Distribution of Values of Functions
Let $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ be a vectorial Boolean function. For $\eta \in \mathbb{F}_2^m$ we denote
$p_\eta = 2^{-n} \#\{x \in \mathbb{F}_2^n \mid f(x) = \eta\},$
and call the sequence $p_\eta$, $\eta \in \mathbb{F}_2^m$, the distribution of $f$.
Theorem. The correlations of the masked vectorial Boolean function can be computed as the Walsh-Hadamard transform of the distribution of the function:
$c_x(a \cdot f(x)) = 2^{-n} \sum_{x \in \mathbb{F}_2^n} (-1)^{a \cdot f(x)} = \sum_{\eta \in \mathbb{F}_2^m} p_\eta (-1)^{a \cdot \eta} .$
And conversely,
$p_\eta = 2^{-m} \sum_{a \in \mathbb{F}_2^m} (-1)^{a \cdot \eta}\, c_x(a \cdot f(x))$
for all $\eta \in \mathbb{F}_2^m$.
Multidimensional Linear Cryptanalysis
Definition. Let $U$ and $W$ be linear subspaces of $\mathbb{F}_2^n$. Then the set of linear approximations $u \cdot x + w \cdot E_k(x)$, $u \in U$, $w \in W$, is called a multidimensional linear approximation of $E_k$.
In practice, the input space is split into two parts, $\mathbb{F}_2^n = \mathbb{F}_2^s \times \mathbb{F}_2^t$, and the output space is split into two parts, $\mathbb{F}_2^n = \mathbb{F}_2^q \times \mathbb{F}_2^r$, and WLOG we assume that $U = \mathbb{F}_2^s \times \{0\}$ and $W = \mathbb{F}_2^q \times \{0\}$. Assume that we have the correlations of the linear approximations
$c(u, w) = c_x(u \cdot x + w \cdot E_k(x)), \quad u \in U,\ w \in W .$
Then we can compute the distribution of the values $(x_s, y_q)$, where $x = (x_s, x_t) \in \mathbb{F}_2^s \times \mathbb{F}_2^t$ and $E_k(x) = y = (y_q, y_r) \in \mathbb{F}_2^q \times \mathbb{F}_2^r$.
Computing the Distribution
Theorem. Using the notation introduced above,
$p_{(\xi_s, \eta_q)} = 2^{-(s+q)} \sum_{u \in U,\ w \in W} (-1)^{u \cdot \xi + w \cdot \eta}\, c(u, w)$
for all $(\xi_s, \eta_q) \in \mathbb{F}_2^s \times \mathbb{F}_2^q$.
Proof. Let $p_{(\xi, \eta)}$ be the distribution of the function $x \mapsto (x, E_k(x))$ from $\mathbb{F}_2^n$ to $\mathbb{F}_2^{2n}$, and write $\xi = (\xi_s, \xi_t)$, $\eta = (\eta_q, \eta_r)$, $a = (a_s, a_t)$ and $b = (b_q, b_r)$. Applying the previous theorem with $m = 2n$,
$p_{(\xi_s, \eta_q)} = \sum_{\xi_t, \eta_r} p_{(\xi, \eta)} = \sum_{\xi_t, \eta_r} 2^{-2n} \sum_{a, b} (-1)^{a \cdot \xi + b \cdot \eta}\, c(a, b) = \sum_{\xi_t, \eta_r} 2^{-2n} \sum_{a, b} (-1)^{a_s \cdot \xi_s + a_t \cdot \xi_t + b_q \cdot \eta_q + b_r \cdot \eta_r}\, c(a, b) = 2^{-(s+q)} \sum_{a_s, b_q} (-1)^{a_s \cdot \xi_s + b_q \cdot \eta_q}\, c((a_s, 0), (b_q, 0)),$
since the sums over $\xi_t$ and $\eta_r$ vanish unless $a_t = 0$ and $b_r = 0$, in which case they contribute the factor $2^{t+r} = 2^{2n - (s+q)}$. From this we see the result.
Multidimensional Linear Cryptanalysis in Practice
◮ Find $U$ and $W$ such that there exist several linear approximations $u \cdot x + w \cdot E_k(x)$, $u \in U$, $w \in W$, with large correlations $c(u, w)$. Linear approximations with significantly smaller correlations can be omitted.
◮ Compute the probabilities $p_{(\xi_s, \eta_q)}$ from the correlations as shown above.
◮ The strength of the multidimensional linear approximation depends on the nonuniformity of the distribution $p_{(\xi_s, \eta_q)}$, $(\xi_s, \eta_q) \in \mathbb{F}_2^s \times \mathbb{F}_2^q$.
◮ The nonuniformity of $p_{(\xi_s, \eta_q)}$ is measured in terms of its capacity:
$C = 2^{s+q} \sum_{\xi_s, \eta_q} \left(p_{(\xi_s, \eta_q)} - 2^{-(s+q)}\right)^2 = \sum_{(u, w) \in U \times W \setminus \{(0, 0)\}} c(u, w)^2 .$
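The procedure above, run on a concrete function, as an added Python example (not code from the lecture). It computes the distribution of $(x_s, y_q)$ twice, once by counting and once through the theorem of the previous slide, and checks the capacity identity from both sides. The published 4-bit PRESENT S-box stands in for $E_k$ with $n = 4$ and $s = q = 2$; the convention that $x_s$ and $y_q$ are the low-order bits, and the `threshold` parameter that drops small correlations as the first step suggests, are this example's own choices.

```python
from itertools import product

# PRESENT S-box (Bogdanov et al., CHES 2007), a published 4-bit S-box used here in
# place of E_k; the identities below hold for any vectorial Boolean function.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # width n of the S-box


def parity(v: int) -> int:
    """Parity of v; with masks as integers, the dot product u.x over F_2 is parity(u & x)."""
    return bin(v).count("1") & 1


def correlation(f, n: int, u: int, w: int) -> float:
    """c(u, w) = c_x(u.x + w.f(x)) = 2^{-n} sum_x (-1)^{u.x + w.f(x)}."""
    return sum((-1) ** parity((u & x) ^ (w & f[x])) for x in range(2 ** n)) / 2 ** n


def marginal_by_counting(f, n: int, s: int, q: int) -> dict:
    """p(xi_s, eta_q) straight from the function: the fraction of inputs x whose low
    s bits equal xi_s and whose image f(x) has low q bits equal to eta_q.
    Convention (this example's choice): x_s is the low s bits of x and y_q the low q
    bits of y, so U = F_2^s x {0} and W = F_2^q x {0} are the masks u < 2^s, w < 2^q."""
    p = {(xi, eta): 0.0 for xi in range(2 ** s) for eta in range(2 ** q)}
    for x in range(2 ** n):
        p[(x & (2 ** s - 1), f[x] & (2 ** q - 1))] += 1 / 2 ** n
    return p


def marginal_from_correlations(f, n: int, s: int, q: int, threshold: float = 0.0) -> dict:
    """Theorem: p(xi_s, eta_q) = 2^{-(s+q)} sum_{u in U, w in W} (-1)^{u.xi + w.eta} c(u, w).
    With threshold > 0, correlations with |c(u, w)| < threshold are dropped (c(0, 0) = 1
    is always kept), which yields the approximate distribution one gets from keeping
    only the strong approximations."""
    corrs = {}
    for u, w in product(range(2 ** s), range(2 ** q)):
        c = correlation(f, n, u, w)
        if (u, w) == (0, 0) or abs(c) >= threshold:
            corrs[(u, w)] = c
    p = {}
    for xi, eta in product(range(2 ** s), range(2 ** q)):
        p[(xi, eta)] = sum(c * (-1) ** parity((u & xi) ^ (w & eta))
                           for (u, w), c in corrs.items()) / 2 ** (s + q)
    return p


def capacity_from_distribution(p: dict, s: int, q: int) -> float:
    """C = 2^{s+q} sum_{xi, eta} (p(xi, eta) - 2^{-(s+q)})^2."""
    m = s + q
    return 2 ** m * sum((v - 2 ** -m) ** 2 for v in p.values())


def capacity_from_correlations(f, n: int, s: int, q: int) -> float:
    """C = sum of c(u, w)^2 over (u, w) in U x W without (0, 0)."""
    return sum(correlation(f, n, u, w) ** 2
               for u, w in product(range(2 ** s), range(2 ** q)) if (u, w) != (0, 0))


def max_abs_diff(p: dict, r: dict) -> float:
    """Largest entrywise difference between two distributions on the same support."""
    return max(abs(p[k] - r[k]) for k in p)


if __name__ == "__main__":
    s = q = 2
    exact = marginal_by_counting(SBOX, N, s, q)
    via_wht = marginal_from_correlations(SBOX, N, s, q)
    print("max |counting - transform| =", max_abs_diff(exact, via_wht))
    print("capacity from p:", capacity_from_distribution(exact, s, q))
    print("capacity from c:", capacity_from_correlations(SBOX, N, s, q))
    approx = marginal_from_correlations(SBOX, N, s, q, threshold=0.3)
    print("max error when dropping |c| < 0.3:", max_abs_diff(exact, approx))
```

Keeping only `c(0, 0)` (a threshold of 1) returns the uniform distribution, so the largest error of that approximation is exactly the largest deviation of $p_{(\xi_s, \eta_q)}$ from $2^{-(s+q)}$; lowering the threshold adds correlations back and the reconstruction converges to the counted distribution, which is the trade-off the first step above is making.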
Mathematical Link between SSA and Multidimensional LC
SSA Trail