
Multiple Linear Cryptanalysis Using Linear Statistics (Jung-Keun Lee and Woo-Hwan Kim, ETRI)



  1. FSE 2020. Multiple Linear Cryptanalysis Using Linear Statistics. Jung-Keun Lee and Woo-Hwan Kim, ETRI

  2. Our contribution
     • improved and extended approach of multiple linear cryptanalysis [BCQ04] (exploit dominant statistically independent linear trails)
     • Algorithm 1 and Algorithm 2 style attacks
     • threshold based, rank based, combined
     • provide formulas for success probability and advantage in terms of data size, correlations of the trails, and threshold parameter
     • under some hypotheses on statistical independence of wrong key & right key statistics
     • application to full DES, exploiting 4 linear trails
     • get attacks with complexity better than or comparable with existing linear attacks on DES
     • provide strong experimental verification

  3. Organization
     • Introduction and Preliminaries
     • Our multiple linear attacks
     • Application to DES
     • Generalization
     • Conclusion

  4. Linear Trails and Linear Hulls
     • key-alternating iterative block cipher
     • [Figure: cipher $F$ and its long key, with masks $\Gamma_0, \Gamma_1, \Gamma_2, \dots, \Gamma_{S-1}, \Gamma_S$]
     • linear trail $\Gamma = [\Gamma_0, \dots, \Gamma_S]$: sequence of linear masks
     • linear hull $\mathcal{H}(\delta, \delta')$: the set of linear trails with the initial mask $\delta$ and final mask $\delta'$

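  5. Linear Correlations
     • $\zeta(\delta, \delta'; G) := \frac{1}{2^m} \sum_{y} (-1)^{\langle \delta, y \rangle \oplus \langle \delta', G(y) \rangle}$: linear correlation of $G: \mathbb{G}_2^m \to \mathbb{G}_2^n$ w.r.t. the pair of masks $(\delta, \delta')$
     • $\zeta(\delta, \delta'; F, sl) := \zeta(\delta, \delta'; F(sl, \cdot))$: linear correlation of a linear hull for a given long key $sl$
     • $D(\Gamma; F) = \prod_{j=0}^{S-1} \zeta(\Gamma_j, \Gamma_{j+1}; G_{j+1})$: (key-independent) linear correlation of a trail
     • $\zeta(\delta, \delta'; F, sl, E) := \frac{1}{|E|} \sum_{(Q,D) \in E} (-1)^{\langle \delta, Q \rangle \oplus \langle \delta', D \rangle}$: undersampled correlation
     • $E$: data (consisting of plaintext-ciphertext pairs)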

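  6. Linear Correlations
     • $\zeta(\delta, \delta'; F, sl) = \sum_{\Lambda \in \mathcal{H}(\delta, \delta')} (-1)^{\oplus_{j=0}^{S-1} \langle \Lambda_j, sl_j \rangle} D(\Lambda; F)$, where the exponent is the parity bit determined by $\Lambda$ and $sl$
     • $\Gamma$: a dominant trail
       $\zeta(\delta, \delta'; sl) \approx (-1)^{\oplus_{j=0}^{S-1} \langle \Gamma_j, sl_j \rangle} D(\Gamma)$, or
       ⇒ regardless of $sl$: $\zeta(\delta, \delta'; sl) \approx (-1)^{\oplus_{j=0}^{S-1} \langle \Gamma_j, sl_j \rangle} D(\Gamma)$
     • Unless mentioned otherwise, we assume:
       - $\Gamma$, $\Gamma^k$: dominant, fixed
       - $O = |E| \ll 2^o$, $o$: block size
       - $|D(\Gamma)|, |D(\Gamma^k)| \gg 2^{-o/2}$
       - $L^*$ and $sl^*$ (correct key, long key): fixed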

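  7. Algorithm 1
     • Use a single dominant trail $\Gamma = [\Gamma_0, \dots, \Gamma_S]$
     • try to recover the parity bit $\gamma^* = \oplus_{j=0}^{S-1} \langle \Gamma_j, sl_j^* \rangle$
     • Given a sample or data $E$, compute the undersampled correlation $\zeta(\Gamma_0, \Gamma_{S-1}; sl^*, E)$
     • determine $\gamma^*$ to be 0 iff $\zeta(\Gamma_0, \Gamma_{S-1}; sl^*, E)\, D(\Gamma) > 0$
     • $\zeta(\delta, \delta'; sl, E) := \frac{1}{|E|} \sum_{(Q,D) \in E} (-1)^{\langle \delta, Q \rangle \oplus \langle \delta', D \rangle}$
     • [Figure: plaintext $Q$, rounds $G_1, G_2, \dots, G_S$ with round keys $sl_0^*, sl_1^*, \dots, sl_{S-1}^*$ and masks $\Gamma_0, \Gamma_1, \dots, \Gamma_{S-1}, \Gamma_S$, ciphertext $D$]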

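  8. Algorithm 1
     • Right Key Hypothesis
     • $\Gamma$: dominant trail, $\gamma^* = \oplus_{j=0}^{S-1} \langle \Gamma_j, sl_j^* \rangle$
     • $Y = (-1)^{\gamma^*} \zeta(\delta, \delta'; sl^*, E)$: random variable letting $E$ vary with $|E| = O$ ⇒ $Y \sim \mathcal{N}(\vartheta, 1/O)$, $\vartheta = D(\Gamma)$
     • Success Probability
     • $Q_S = \Pr_{Y \sim \mathcal{N}(\vartheta, 1/O)}(\vartheta Y > 0) = \Phi(\sqrt{O}\,|\vartheta|)$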

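  9. Algorithm 2
     • Add outer rounds to a trail $\Gamma = [\Gamma_t, \dots, \Gamma_{t+s}]$ for the inner cipher $F|_t^{t+s}$
     • recover a parity bit and some outer round key bits
     • $\gamma^* = \oplus_{j=t}^{t+s-1} \langle \Gamma_j, sl_j^* \rangle$
     • Given $E$,
     • Use the statistic $(-1)^{\gamma} \zeta(\Gamma, sl^*, \lambda, E)$ to pick out candidates for $(\gamma^*, \lambda^*)$: threshold based or rank based ($\gamma$: indeterminate, binary)
     • Proceed with trial encryption
     • $\lambda$: bit string obtained by concatenating outer round key bits involved in the outer round computation of $\langle \Gamma_t, Y_t \rangle \oplus \langle \Gamma_{t+s}, Y_{t+s} \rangle$
     • $\zeta(\Gamma, sl^*, \lambda, E) := \frac{1}{|E|} \sum_{(Q,D) \in E} (-1)^{h(\lambda, Q, D)}$: undersampled correlation gotten from $\lambda$, $E$
     • $\langle \Gamma_t, Y_t \rangle \oplus \langle \Gamma_{t+s+1}, Y_{t+s+1} \rangle = h(\lambda, Q, D)$
     • [Figure: plaintext $Q$, outer rounds keyed by $\lambda$, inner cipher $F|_t^{t+s}$ with rounds $G_{t+1}, G_{t+2}, \dots, G_{t+s}$, states $Y_t$, $Y_{t+s}$ and masks $\Gamma_t, \Gamma_{t+1}, \dots, \Gamma_{t+s-1}, \Gamma_{t+s}$, ciphertext $D$]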

  10. Algorithm 2
     • Right Key Hypothesis (on the distribution of right key statistic)
     • $(-1)^{\gamma^*} \zeta(\Gamma, \lambda^*, E) \sim \mathcal{N}(\vartheta, \frac{1}{O})$ as $E$ varies with $|E| = O$
     • Wrong Key Hypothesis (on the distribution of wrong key statistic)
     • $\zeta(\Gamma, \lambda, E) \sim \mathcal{N}(0, \frac{1}{O})$ as $(\lambda, E)$ varies with $\lambda \neq \lambda^*$
     • Hypothesis on independence [Sel08]
     • the order statistics for the wrong key statistics & the right key statistic are independent
     • success probability, advantage can be estimated for threshold/rank based methods

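  11. Algorithm 2 style attacks (multiple appr.)
     • $\Gamma^1, \Gamma^2, \dots, \Gamma^n$: dominant, statistically independent trails
     • $\vartheta_k = D(\Gamma^k)$ ($k = 1, \dots, n$), 𝜗 = 2 𝜗 𝑘
     • Given data $E$, recover $\boldsymbol{\lambda}^*$, $\boldsymbol{\gamma}^*$
     • $\boldsymbol{\lambda}^*$: correct value of the outer key $\boldsymbol{\lambda}$
     • $\boldsymbol{\lambda}$: bit string obtained by combining of $\lambda_k$'s (removing redundancy)
     • $\boldsymbol{\gamma}^* = (\gamma_1^*, \dots, \gamma_n^*)$, $\gamma_k^* = \oplus_{j=t}^{t+s-1} \langle \Gamma_j^k, sl_j^* \rangle$
     • Use the statistic $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) := \sum_k (-1)^{\gamma_k} \vartheta_k \upsilon_k(\lambda_k, E)$
     • $\upsilon_k(\lambda_k, E) := O\, \zeta(\Gamma^j, \lambda_k, E)$
     • $\lambda_k$: bit string obtained by concatenating outer round key bits involved in the outer round computation of $\langle \Gamma_t^k, Y_t \rangle \oplus \langle \Gamma_{t+s}^k, Y_{t+s} \rangle$
     • $\boldsymbol{\gamma} = (\gamma_1, \dots, \gamma_n)$: any binary vector
     • assume for simplicity that bits of $\lambda_k$'s are either identical or independent
     • [Figure: plaintext $Q$, outer rounds keyed by $\lambda_k$, inner cipher $F|_t^{t+s}$ with rounds $G_{t+1}, G_{t+2}, \dots, G_{t+s}$, states $Y_t$, $Y_{t+s}$ and masks $\Gamma_t^k$, $\Gamma_{t+s}^k$]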

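  12. Algorithm 2 style attacks (multiple appr.)
     • $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) := \sum_k (-1)^{\gamma_k} \vartheta_k \upsilon_k(\lambda_k, E)$
     • Algorithm 2MT (Threshold based): Pick out $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s with $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq \iota$, 𝜄 = 𝑢𝑂 2
     • Algorithm 2MR (Rank based): Rank $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s according to $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E)$
     • Algorithm 2MC (Combined): Pick out candidates $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s with $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq \iota$ and then rank them
     • yields better advantage than Algorithm 2MT for $Q_S \approx 1$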

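  13. Algorithm 2 style attacks (multiple appr.)
     • Wrong key types
     • For $K_P \subsetneq \{1, \dots, n\}$, $\boldsymbol{\lambda}$ is said to have the wrong key type $K_P$ if $\{k : \lambda_k = \lambda_k^*\} = K_P$
     • $X_{K_P}$: the set of $\boldsymbol{\lambda}$'s having the wrong key type $K_P$
     • For $K_P, K_J \subset \{1, \dots, n\}$ s.t. $K_P \neq \{1, \dots, n\}$ or $K_J \neq \{1, \dots, n\}$, $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ is said to have the wrong key type $(K_P, K_J)$ if $\boldsymbol{\lambda}$ has the wrong key type $K_P$ and $\boldsymbol{\gamma}$ has the type $K_J$
     • For $K \subset \{1, \dots, n\}$, $\boldsymbol{\gamma}$ is said to have the type $K$ if $\{k : \gamma_k = \gamma_k^*\} = K$
     • If $\boldsymbol{\gamma}$ has the type $K$, denote it by $\boldsymbol{\gamma}_K$
     • $X_{(K_P, K_J)}$: the set of $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s having the wrong key type $(K_P, K_J)$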

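  14. Multivariate Normal Distributions
     • $\boldsymbol{\nu} \in \mathbb{R}^n$, $\mathbf{T}$: positive definite $n \times n$ matrix over $\mathbb{R}$
     • An $n$-variate random variable $\boldsymbol{Y}$ is said to have the normal distribution with mean vector $\boldsymbol{\nu}$ and covariance matrix $\mathbf{T}$, written $\boldsymbol{Y} \sim \mathcal{N}(\boldsymbol{\nu}, \mathbf{T})$, if it has the p.d.f.
       $\boldsymbol{y} \mapsto \frac{1}{(2\rho)^{n/2} (\det \mathbf{T})^{1/2}}\, f^{-\frac{(\boldsymbol{y} - \boldsymbol{\nu})^U \mathbf{T}^{-1} (\boldsymbol{y} - \boldsymbol{\nu})}{2}}$
     • Probability that an $n$-variate normal random variable satisfies a linear inequality
     • $\boldsymbol{Y} \sim \mathcal{N}(\boldsymbol{\nu}, \mathbf{T})$, $\mathbf{T} = \boldsymbol{\tau} \boldsymbol{\tau}^U$, $\boldsymbol{b} \in \mathbb{R}^n$, $\boldsymbol{b} \neq 0$, $c \in \mathbb{R}$
     • $\Phi$: c.d.f. of the std normal distribution
     • $\Pr_{\boldsymbol{Y}}(\langle \boldsymbol{b}, \boldsymbol{Y} \rangle + c \geq 0) = \Phi\left( \frac{\langle \boldsymbol{b}, \boldsymbol{\nu} \rangle + c}{\lVert \boldsymbol{\tau}^U \boldsymbol{b} \rVert} \right)$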

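  15. Algorithm 2 style attacks (multiple appr.)
     For each $K_P \subset \{1, \dots, n\}$
     • $\boldsymbol{Y}_{K_P}$: vector-valued random variable having the distribution determined by the values $\left( (-1)^{\gamma_1^*} \vartheta_1 \upsilon_1(\lambda_1, E), \dots, (-1)^{\gamma_n^*} \vartheta_n \upsilon_n(\lambda_n, E) \right)$, $|E| = O$, $\boldsymbol{\lambda} \in X_{K_P}$ (distribution $\mathcal{D}_{K_P}$)
     • Hypothesis: $\boldsymbol{Y}_{K_P} \sim \mathcal{N}(\boldsymbol{\nu}_{K_P}, \mathbf{T}_{K_P})$
     • $\boldsymbol{\nu}_{K_P} = (\nu_1, \dots, \nu_n)$; $\nu_k = O \vartheta_k^2$ for $k \in K_P$, $\nu_k = 0$ for $k \notin K_P$
     • $\mathbf{T}_{K_P} = \mathrm{diag}(O \vartheta_1^2, \dots, O \vartheta_n^2)$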
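
An added example, not taken from the slides: Algorithm 1 (slides 7 and 8) run against a constructed 8-bit, two-round key-alternating toy cipher, with the measured success rate compared to the predicted $\Phi(\sqrt{O}\,|\vartheta|)$. The S-box, the bit swap, the trail `TRAIL`, the keys and all function names are assumptions, chosen so that the hull of `TRAIL` contains a single trail and the trail correlation is exactly the hull correlation up to the key-dependent sign.

```python
import math
import random
from statistics import NormalDist

SBOX = [0xE, 4, 0xD, 1, 2, 0xF, 0xB, 8, 3, 0xA, 6, 0xC, 5, 9, 0, 7]  # constructed toy S-box
TRAIL = [0xB0, 0x04, 0x41]  # masks per round boundary; the only trail in its hull here

def dot(mask, x):
    """Inner product <mask, x> over GF(2)."""
    return bin(mask & x).count("1") & 1

def round_fn(x):
    """Round function: two parallel S-boxes, then swap state bits 6 and 2."""
    y = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return y ^ 0x44 if ((y >> 6) ^ (y >> 2)) & 1 else y

def encrypt(x, long_key):
    """Key-alternating cipher: XOR round key sl_j, then apply the round function."""
    for k in long_key:
        x = round_fn(x ^ k)
    return x

def round_corr(a, b):
    """Exact correlation of <a,x> xor <b,round_fn(x)> over all 256 inputs."""
    return sum((-1) ** (dot(a, x) ^ dot(b, round_fn(x))) for x in range(256)) / 256

def trail_corr(trail):
    """Key-independent trail correlation: product of the round correlations."""
    return math.prod(round_corr(a, b) for a, b in zip(trail, trail[1:]))

def undersampled_corr(trail, data):
    """Correlation of <first mask,P> xor <last mask,C> measured on the data."""
    return sum((-1) ** (dot(trail[0], p) ^ dot(trail[-1], c)) for p, c in data) / len(data)

def algorithm1(trail, data, corr):
    """Parity-bit guess: 0 iff the measured correlation has the sign of corr."""
    return 0 if undersampled_corr(trail, data) * corr > 0 else 1

def success_rate(trail, long_key, n_pairs, trials, rng):
    """Return (measured success rate, predicted Phi(sqrt(n_pairs) * |corr|))."""
    corr, hits = trail_corr(trail), 0
    parity = sum(dot(m, k) for m, k in zip(trail, long_key)) & 1  # true parity bit
    for _ in range(trials):
        # Plaintexts drawn with replacement, so the samples are independent.
        data = [(p, encrypt(p, long_key)) for p in rng.choices(range(256), k=n_pairs)]
        hits += algorithm1(trail, data, corr) == parity
    return hits / trials, NormalDist().cdf(n_pairs ** 0.5 * abs(corr))

if __name__ == "__main__":
    print(success_rate(TRAIL, [0x3A, 0xC5], 64, 2000, random.Random(1)))
```

With 64 pairs and trail correlation $-1/4$ the prediction is $\Phi(2) \approx 0.977$; the measured rate differs slightly because the statistic is discrete and its variance is $(1-\vartheta^2)/O$ rather than $1/O$.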
