Efficient Algorithms for Differential Properties of Addition
Helger Lipmaa, Helsinki University of Technology (Finland), helger@tml.hut.fi
Shiho Moriai, NTT Laboratories (Japan), shiho@isl.ntt.co.jp
FSE 2001, 04.04.2001

Outline
• Motivations
• Our contributions
• RAM model
• Algorithm for differential probability of addition
• Conclusion

Differential Cryptanalysis
• DC: one of the best-known general attacks against block ciphers
• Security against DC is one of the main criteria for new ciphers
• Known how to construct DC-secure ciphers
• . . . but this knowledge is rather limited
• Reason: hard to find good differentials in “real” ciphers

Motivations: Differential Properties of Addition
• Bottom-up approach:
  ⋆ Start from the primitive cornerstones
  ⋆ Work your way up to the whole cipher
• It is hard to DC-analyse + w.r.t. ⊕
• Some block ciphers use this by intermingling ⊕ and + to create “confusion” both in Shannon’s and layman’s sense
• Makes the ciphers harder to analyse — but does it make them more secure?

Our Goals
• To thoroughly analyse + w.r.t. ⊕
• Hopefully results in a bottom-up approach to give us
  ⋆ Tighter proofs of security of some ciphers
  ⋆ Better attacks against others
  ⋆ New ciphers?

What is a Bottom-Up Approach? (1)
[Figure: cipher round diagram with nodes labelled $X^1_1, \dots, X^1_4$, $Z^1_1, \dots, Z^1_6$ and $X^2_1, \dots, X^2_4$, joined by the operations ⊙, + and ⊕]

What is a Bottom-Up Approach? (2)
[Figure: the same round diagram as in (1)]

Some differential properties of addition
$$\mathrm{DP}^+(\alpha, \beta \mapsto \gamma) := P_{x,y}[(x + y) \oplus ((x \oplus \alpha) + (y \oplus \beta)) = \gamma]$$
Let $\delta = (\alpha, \beta \mapsto \gamma)$. Equivalently,
$$\mathrm{DP}^+(\delta) := \frac{\sharp\{x, y \in \{0,1\}^n : (x + y) \oplus ((x \oplus \alpha) + (y \oplus \beta)) = \gamma\}}{2^{2n}}.$$
⇒ Trivial algorithm works in time $2^{2n}$.

Some differential properties of addition
$$\mathrm{DP}^+(\alpha, \beta \mapsto \gamma) := P_{x,y}[(x + y) \oplus ((x \oplus \alpha) + (y \oplus \beta)) = \gamma]$$
$$\mathrm{DP}^+_{\max}(\alpha, \beta) := \max_{\gamma} \mathrm{DP}^+(\alpha, \beta \mapsto \gamma)$$
$\mathrm{opt}^+(\alpha, \beta) := \gamma$ in previous formula
$$\mathrm{DP}^+_{2\max}(\alpha) := \max_{\beta,\gamma} \mathrm{DP}^+(\alpha, \beta \mapsto \gamma)$$
$\mathrm{opt}^+(\alpha) := (\beta, \gamma)$ in previous formula

More differential properties of addition
If $\delta = (\alpha, \beta \mapsto \gamma)$ and $X := \delta \mapsto \mathrm{DP}^+(\delta)$, then find
$$P[X = k] = \begin{cases} \text{density of impossible differentials}, & k = 0, \\ \text{in general}, & k \neq 0, \end{cases}$$
and
$$E[X] := \sum_k X \cdot P[X = k], \qquad \mathrm{var}[X] := E[X^2] - E[X]^2.$$
More generally, what is the distribution of $X$?
Our contributions: We give efficient answers to all these questions!

The RAM model
• We are interested in the software speed
  ⋆ Use the unit-cost RAM model
• Minimal set of unit-cost operations: Boolean operations, addition, left and right shifts, equality tests, (conditional) jumps
• This model is surprisingly powerful!

Example: Hamming weight
Hamming weight: given $x = \sum x_i 2^i$, compute $\sum x_i$.
Traditional algorithm of $\Theta(n)$ complexity:

    /* test each of the n bit positions of x in turn */
    w = 0;
    for (i = 0; i < n; i++)
        if (x & (1u << i)) w++;

Example: Hamming weight
Hamming weight: given $x = \sum x_i 2^i$, compute $\sum x_i$.
A RAM-model algorithm of $\Theta(\log n)$ complexity (for $n = 32$):

    w = x;
    w = (w & 0x55555555) + ((w >> 1) & 0x55555555);
    w = (w & 0x33333333) + ((w >> 2) & 0x33333333);
    w = (w & 0x0f0f0f0f) + ((w >> 4) & 0x0f0f0f0f);
    w = (w & 0x00ff00ff) + ((w >> 8) & 0x00ff00ff);
    w = (w & 0x0000ffff) + ((w >> 16) & 0x0000ffff);

Algorithm for $\mathrm{DP}^+(\delta)$
Definition. $\mathrm{DP}^+(\alpha, \beta \mapsto \gamma) := P_{x,y}[(x + y) \oplus ((x \oplus \alpha) + (y \oplus \beta)) = \gamma]$.
Let $\mathrm{eq}(\alpha, \beta, \gamma)_i = 1$ iff $\alpha_i = \beta_i = \gamma_i$.
Theorem. We say $\delta = (\alpha, \beta \mapsto \gamma)$ is “good” if $\mathrm{eq}(\alpha \ll 1, \beta \ll 1, \gamma \ll 1) \wedge (\alpha \oplus \beta \oplus \gamma \oplus (\beta \ll 1)) = 0$. Then
$$\mathrm{DP}^+(\delta) = \begin{cases} 0, & \delta \text{ is not “good”}, \\ 2^{-w_h(\neg \mathrm{eq}(\alpha, \beta, \gamma) \wedge (2^{n-1} - 1))}, & \text{otherwise.} \end{cases}$$
$\mathrm{DP}^+(\delta)$ can be computed in time $\Theta(\log n)$ for any $\delta$.
Hence, $\mathrm{DP}^+$ is either $0$ or $2^{-k}$ for $0 \le k < n - 1$.

$\mathrm{DP}^+(\delta)$: How it works?
• Replace + with a XOR with carry, $x + y = x \oplus y \oplus \mathrm{carry}(x, y)$. Then
  $$\mathrm{DP}^+(\delta) = P_{x,y}[\underbrace{\mathrm{carry}(x, y)}_{c} \oplus \underbrace{\mathrm{carry}(x \oplus \alpha, y \oplus \beta)}_{c^*} = \alpha \oplus \beta \oplus \gamma]$$
• Then $\mathrm{DP}^+(\delta) = \prod_{i=0}^{n-1} P_{x,y}[c_i \oplus c^*_i = \alpha_i \oplus \beta_i \oplus \gamma_i]$
• Compute the multiplicand probabilities
• We prove that if $\delta$ is “good” then $P_{x,y}[c_i \oplus c^*_i = \alpha_i \oplus \beta_i \oplus \gamma_i] = 1$ if $\alpha_i = \beta_i = \gamma_i$, or $= 1/2$ otherwise

“Possibility” of $\mathrm{DP}^+(\delta)$: Pictorially

    0 1 0 1 0 0 1   α
    1 1 0 0 0 0 1   β
    0 1 1 1 0 0 0   γ
                ⊕
               ?= 0

The LSB of carry must be 0

“Possibility” of $\mathrm{DP}^+(\delta)$: Pictorially

    0 1 0 1 0 0 1   α
    1 1 0 0 0 0 1   β
    0 1 1 1 0 0 0   γ
      =     = =
      1     0 0

Find all columns with equal bits.

“Possibility” of $\mathrm{DP}^+(\delta)$: Pictorially

    0 1 0 1 0 0 1   α
    1 1 0 0 0 0 1   β
    0 1 1 1 0 0 0   γ
    ⊕     ⊕ ⊕
    1     0 0
      =     = =
      1     0 0

Compute ⊕ of previous columns and compare.

$\mathrm{DP}^+(\delta)$: Pictorially

    0 1 0 1 0 0 1   α
    1 1 0 0 0 0 1   β
    0 1 1 1 0 0 0   γ
        ≠ ≠     ≠       w_h = 3

• Establish that $\delta$ is possible
• $w_h = \sharp\{\text{columns that have both 0 and 1 entries}\}$
• Return $2^{-w_h}$

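
The theorem and the pictorial procedure above, cross-checked against the trivial $2^{2n}$ counting algorithm; this is an added example, not code from the original slides. The function names (dp_add_log2, dp_add_count, cross_check) and the choice n = 4 for the exhaustive check are assumptions; the n = 7 inputs are the α, β, γ rows of the pictorial slides.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t mask(unsigned n) { return (1u << n) - 1; }   /* needs n < 32 */

/* eq(a,b,c): bit i is 1 iff a_i = b_i = c_i (callers mask off the high bits) */
static uint32_t eq(uint32_t a, uint32_t b, uint32_t c) { return (~a ^ b) & (~a ^ c); }

/* Theta(log n) Hamming weight for 32-bit words, as on the RAM-model slide */
static unsigned wh(uint32_t w) {
    w = (w & 0x55555555) + ((w >> 1) & 0x55555555);
    w = (w & 0x33333333) + ((w >> 2) & 0x33333333);
    w = (w & 0x0f0f0f0f) + ((w >> 4) & 0x0f0f0f0f);
    w = (w & 0x00ff00ff) + ((w >> 8) & 0x00ff00ff);
    return (w & 0x0000ffff) + (w >> 16);
}

/* Theorem: returns k with DP+(a,b -> c) = 2^-k, or -1 if DP+ = 0 (not "good") */
int dp_add_log2(uint32_t a, uint32_t b, uint32_t c, unsigned n) {
    if (eq(a << 1, b << 1, c << 1) & (a ^ b ^ c ^ (b << 1)) & mask(n)) return -1;
    return (int)wh(~eq(a, b, c) & mask(n - 1));
}

/* Trivial 2^(2n) algorithm: number of pairs (x, y) that follow the differential */
unsigned long dp_add_count(uint32_t a, uint32_t b, uint32_t c, unsigned n) {
    unsigned long cnt = 0;
    for (uint32_t x = 0; x <= mask(n); x++)
        for (uint32_t y = 0; y <= mask(n); y++)
            cnt += ((((x + y) ^ ((x ^ a) + (y ^ b))) & mask(n)) == c);
    return cnt;
}

/* Runs both algorithms on all 2^(3n) differentials (needs 3n < 32); returns the
   number of disagreements and stores the number of possible differentials */
unsigned long cross_check(unsigned n, unsigned long *possible) {
    unsigned long bad = 0;
    *possible = 0;
    for (uint32_t d = 0; d < (1u << 3 * n); d++) {
        uint32_t a = d & mask(n), b = (d >> n) & mask(n), c = d >> 2 * n;
        int k = dp_add_log2(a, b, c, n);
        *possible += (k >= 0);
        bad += dp_add_count(a, b, c, n) != (k < 0 ? 0 : 1ul << (2 * n - (unsigned)k));
    }
    return bad;
}

int main(void) {   /* slide rows (n = 7): alpha=0101001, beta=1100001, gamma=0111000 */
    unsigned long possible, bad = cross_check(4, &possible);
    printf("n=4: mismatches=%lu possible=%lu\n", bad, possible);
    printf("slide example: DP+ = 2^-%d\n", dp_add_log2(0x29, 0x61, 0x38, 7));
    return 0;
}
```
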
Statistical properties of $\mathrm{DP}^+$ (1/2)
$$P_\delta[\mathrm{DP}^+(\delta) \neq 0] = P_\delta[\delta \text{ is not “good”}] = P_\delta[\mathrm{eq}(\alpha \ll 1, \beta \ll 1, \gamma \ll 1) \wedge (\dots) = 0] = \dots = \frac{1}{2} \cdot (7/8)^{n-1}.$$
Other properties: similar approach (calculate the probability that the algorithm for $\mathrm{DP}^+$ does “something”)

Statistical properties of $\mathrm{DP}^+$ (2/2)
• $X : \delta \mapsto \mathrm{DP}^+(\delta)$ is a sum of two distributions, $X = X_0 + X_1$
• $X_0$ is defined on impossible differentials. $X_1$ is defined on possible differentials
• $X_0$ is a constant distribution, $-\log_2 X_1$ is a binomial distribution with $p = 6/7$
• It is now easy to calculate probabilities that for random $\delta$, $\mathrm{DP}^+(\delta) \ge 2^{-k}$ for any $k$.
But how to find suitable differentials?

Maximum Differential Probability
Theorem. There exists a $\Theta(\log n)$-time algorithm that finds a $\gamma$, s.t. $\mathrm{DP}^+(\alpha, \beta \mapsto \gamma) = \mathrm{DP}^+_{\max}(\alpha, \beta)$.
Improves upon the trivial algorithm of $\Theta(2^{3n})$
Theorem. There exists a $\Theta(\log n)$-time algorithm that finds a $(\beta, \gamma)$ s.t. $\mathrm{DP}^+(\alpha, \beta \mapsto \gamma) = \mathrm{DP}^+_{2\max}(\alpha)$.
Improves upon the trivial algorithm of $\Theta(2^{4n})$
Both algorithms use complicated RAM-model algorithms that are interesting by themselves