MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics
Ahmed Abdelkhalek (1), Yu Sasaki (2), Yosuke Todo (2), Mohamed Tolba (1), and Amr M. Youssef (1)
1: Concordia University, 2: NTT
Talk @ ASK2017, 10 December 2017
Summary
New MILP model for 8-bit S-boxes
• New method to model the truncated DDT
• New method to evaluate the probability in the DDT
Applications
• SKINNY-128: the max differential probability reaches 2^{−128} with 14 rounds (previously 15 rounds)
• AES-round-based function from FSE 2016: improved the max probability of the differential trail
MILP for Differential Cryptanalysis
Mouha et al. at Inscrypt 2011: convert the problem of finding an optimal differential trail into an optimization problem in MILP.
Advantage: the speed of solving MILP has been researched a lot. We can exploit that effort to search for differential propagation trails.
Mixed Integer Linear Programming (MILP)
Optimize an objective function (e.g. minimize it) within the solution range satisfying all the constraints.
MILP Model for a 3-Round Toy Cipher
6-bit round function: 3-bit S-box, 3-bit XOR, swap.
To make the MILP model, define a binary variable x_i ∈ {0,1} for each bit of the difference in each round:
• x_i = 0 denotes that bit i has no difference
• x_i = 1 denotes that bit i has a difference
Objective function: minimize x_0 + x_1 + ⋯ + x_{6r−1} (r rounds, 6 difference bits per round)
Constraints for Linear Operations
b ⊕ c = d can be modeled with 4 inequalities by removing each impossible (b, c, d):
(b, c, d) ≠ (0,0,1) ⟸ b + c − d ≥ 0
(b, c, d) ≠ (0,1,0) ⟸ b − c + d ≥ 0
(b, c, d) ≠ (1,0,0) ⟸ −b + c + d ≥ 0
(b, c, d) ≠ (1,1,1) ⟸ −b − c − d ≥ −2
Differential Distribution Table (DDT)
For each (Δx, Δy), we compute the probability that the input difference Δx of the S-box S propagates to the output difference Δy, i.e. that the pair (x, x ⊕ Δx) maps to (y, y ⊕ Δy).
Truncated DDT (∗-DDT)
To count the number of active S-boxes, we only care whether each pattern is possible (non-zero probability) or impossible (zero probability). We call this table the “∗-DDT”.
[Figure: the ∗-DDT of the 3-bit S-box, with 1 marking each possible entry]
Two Methods of Modeling ∗-DDT
              | H-representation of convex hull (Sun et al.) | Logical condition model (our focus)
tool          | SAGE Math                                    | N/A
support alg   | greedy, Sub-MILP                             | greedy, Sub-MILP
type          | heuristic (greedy), optimal (Sub-MILP)       | heuristic (greedy), optimal (Sub-MILP)
coefficients  | any integer                                  | {−1, 0, 1}
#inequ.       | small                                        | large
8-bit S-box   | infeasible                                   | ?
Logical Condition Model for S-box
The ∗-DDT tells the impossible patterns of (x_2 x_1 x_0 y_2 y_1 y_0). Each impossible pattern can be removed by one inequality.
Example: Pr[(Δ_I, Δ_O) = (0x1, 0x2)] = 0, i.e. x_2 x_1 x_0 = 001 and y_2 y_1 y_0 = 010, is removed by
x_2 + x_1 − x_0 + y_2 − y_1 + y_0 ≥ −1
Out of the 64 entries of the ∗-DDT, about 32 are impossible, so each S-box can be modeled with about 32 inequalities.
Reducing the Number of Inequalities
Sun et al. pointed out that several impossible patterns of x_2 x_1 x_0 y_2 y_1 y_0 can be removed simultaneously.
Example: Pr[(Δ_I, Δ_O) = (0x1, 0x2)] = Pr[(Δ_I, Δ_O) = (0x1, 0x6)] = 0, i.e.
x_2 x_1 x_0 y_2 y_1 y_0 = 001010 and x_2 x_1 x_0 y_2 y_1 y_0 = 001110 (they differ only in y_2), are both removed by
x_2 + x_1 − x_0 − y_1 + y_0 ≥ −1
Each S-box can be modeled with fewer than 32 inequalities.
Two Issues of the Previous S-box Model
1. The number of constraints for each S-box is exponential in the S-box size.
• 5-bit to 5-bit S-box: feasible
• 6-bit to 4-bit S-box: feasible
• 8-bit to 8-bit S-box: infeasible (folklore)
2. The probability of a differential transition is ignored. An attempt was proposed by Sun et al. in 2014:
• feasible only up to 4-bit to 4-bit S-boxes
• the probability must be 2^{−x} where x is an integer
New Method to Model ∗ -DDT
Core Observation
Finding the minimum representation of a ∗-DDT ⟺ minimizing the product-of-sum constraints of a related Boolean function: a well-studied topic!!
∗-DDT to Product-of-Sum Representation
• Define a 2n-bit to 1-bit Boolean function f that outputs 1 only when the propagation is possible.
• This can be achieved by listing the impossible propagations as the terms of a product-of-sums, i.e. the Conjunctive Normal Form (CNF).
• Indeed, for f to be 1, not even a single term may be 0, i.e. the 2n variables must avoid every impossible pattern.
f(x_2, x_1, x_0, y_2, y_1, y_0) = (x_2 ∨ x_1 ∨ ¬x_0 ∨ y_2 ∨ ¬y_1 ∨ y_0) ∧ ⋯ ∧ (one term per impossible pattern)
Each term negates a variable exactly where the impossible pattern has a 1, so the term is 0 only on that pattern (the term shown is for the impossible pattern 001010 of the previous slides).
QM, Espresso and LogicFriday
• Finding a minimum representation of a product-of-sums (NP-hard) is well studied in computer science.
• The Quine-McCluskey algorithm [Qui52, Qui55, McC56] provides an optimal solution; the Espresso algorithm is a heuristic.
• The freeware LogicFriday can execute both QM and Espresso.
[Table: number of inequalities to represent the ∗-DDT of 8-bit S-boxes]
Demo: generating the constraints for the ∗-DDT of the PRESENT S-box using LogicFriday.
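The Python below is an added example written for these notes; it is neither the talk's code nor LogicFriday output. It uses the PRESENT S-box of the demo, builds its ∗-DDT, and turns impossible patterns into {−1, 0, 1} inequalities with the same construction that yields the four XOR inequalities of the linear-operation slide and the two example inequalities of the logical-condition slides. It merges patterns in the spirit of "Reducing the Number of Inequalities" with a simplified greedy of my own (not Sun et al.'s procedure and not QM/Espresso), checks every result against the ∗-DDT by brute force, and writes the Boolean function in the PLA text format that Espresso and LogicFriday read. The bit order (dx then dy, MSB first), the cube notation and all function names are this example's own choices.

```python
from itertools import product

# PRESENT S-box (the S-box used in the talk's LogicFriday demo); 4-bit to 4-bit.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def possible(sbox, dx, dy, n):
    """f(dx, dy) = 1 iff dx -> dy has non-zero probability, i.e. a ∗-DDT entry."""
    return any(sbox[x] ^ sbox[x ^ dx] == dy for x in range(1 << n))

def star_ddt(sbox, n):
    """Split all 2n-bit patterns (dx MSB..LSB, then dy MSB..LSB, as bit strings)
    into the possible and the impossible ones."""
    pos, imp = set(), set()
    for dx, dy in product(range(1 << n), repeat=2):
        (pos if possible(sbox, dx, dy, n) else imp).add(f"{dx:0{n}b}{dy:0{n}b}")
    return pos, imp

def cube_to_inequality(cube):
    """A cube is a string over {'0','1','-'}, one symbol per variable; it covers
    every pattern agreeing with it on the non-'-' positions.  '0' gives
    coefficient +1, '1' gives -1, '-' gives 0, and the right-hand side is
    1 - #ones, so a.v >= b is violated exactly on the patterns the cube covers.
    "001010" -> x2+x1-x0+y2-y1+y0 >= -1 (one pattern);
    "001-10" -> x2+x1-x0-y1+y0 >= -1 (two patterns, y2 free);
    "001"    -> b+c-d >= 0 (the XOR constraint removing (b,c,d) = (0,0,1))."""
    coeffs = tuple({"0": 1, "1": -1, "-": 0}[c] for c in cube)
    return coeffs, 1 - cube.count("1")

def holds(ineq, pattern):
    coeffs, rhs = ineq
    return sum(c * int(bit) for c, bit in zip(coeffs, pattern)) >= rhs

def covers(cube, pattern):
    return all(c == "-" or c == bit for c, bit in zip(cube, pattern))

def widen_cube(cube, pos):
    """Turn literals into '-' while the cube still covers no possible pattern,
    so that one inequality removes several impossible patterns at once."""
    cube = list(cube)
    for i in range(len(cube)):
        saved, cube[i] = cube[i], "-"
        if any(covers(cube, p) for p in pos):
            cube[i] = saved          # widening here would reject a valid transition
    return "".join(cube)

def greedy_cover(pos, imp):
    """Simplified greedy selection (an illustration only): widen every impossible
    pattern's cube, then repeatedly take the cube covering the most still-uncovered
    impossible patterns until all of them are removed."""
    cands = sorted({widen_cube(p, pos) for p in sorted(imp)})
    chosen, left = [], set(imp)
    while left:
        best = max(cands, key=lambda c: sum(covers(c, p) for p in left))
        chosen.append(best)
        left -= {p for p in left if covers(best, p)}
    return chosen

def exact(cubes, pos, imp):
    """True iff the inequalities accept every possible pattern and reject every
    impossible one, i.e. they model the ∗-DDT exactly."""
    ineqs = [cube_to_inequality(c) for c in cubes]
    return (all(all(holds(q, p) for q in ineqs) for p in pos)
            and all(any(not holds(q, p) for q in ineqs) for p in imp))

def pla(pos, imp, n):
    """Truth table of NOT f (output 1 on impossible patterns) in PLA format.
    A sum-of-products minimisation of this ON-set (Espresso, or QM inside
    LogicFriday) returns cubes that are exactly the product-of-sums terms of f;
    pass each one through cube_to_inequality()."""
    rows = [f"{p} {0 if p in pos else 1}" for p in sorted(pos | imp)]
    return "\n".join([f".i {2 * n}", ".o 1", ".type fr", f".p {len(rows)}", *rows, ".e"])

if __name__ == "__main__":
    pos, imp = star_ddt(PRESENT_SBOX, 4)
    cover = greedy_cover(pos, imp)
    print(f"{len(imp)} impossible patterns -> {len(cover)} inequalities, exact: {exact(cover, pos, imp)}")
    for cube in cover[:3]:
        print(cube, cube_to_inequality(cube))
```

The greedy step is only there to make the merging visible; the number of inequalities it reaches is not a bound, and the point of the talk is that QM (optimal) or Espresso (heuristic) on the PLA file does this job for 8-bit S-boxes. Whatever cover is used, exact() is the check worth keeping: a cover that rejects a possible transition silently discards valid trails, which is worse than a few redundant inequalities.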
Summary for Modeling ∗-DDT
              | H-representation of convex hull (Sun et al.) | Logical condition model
tool          | SAGE Math                                    | LogicFriday (QM / Espresso)
aux alg       | greedy, Sub-MILP                             | no need
type          | heuristic (greedy), optimal (Sub-MILP)       | optimal (QM), heuristic (Espresso)
coefficients  | any integer                                  | {−1, 0, 1}
#inequ.       | small                                        | large
8-bit S-box   | infeasible                                   | feasible
New Methods to Evaluate Probability
Core Observation
• Separate the DDT into multiple tables so that each table contains the entries with the same probability:
  p_b-DDT: 1 if the entry in the DDT has probability p_b, 0 otherwise.
• Use conditional constraints (with the big-M method) to activate only a single p_b-DDT.
[Figure: the DDT of the 3-bit S-box split into the 2^{−1}-DDT and the 2^{−2}-DDT]
Experimental Data for p_b-DDT
[Table: number of zero entries in each p_b-DDT]
Representing the Probability of each S-box
Activeness variable
• n_i: 1 if the i-th S-box is active, 0 otherwise.
Probability variables
• Q_{i,p_{b_j}}: 1 if the i-th S-box is active and its differential probability is p_{b_j}, 0 otherwise. E.g. Q_{i,2^{−1}} and Q_{i,2^{−2}} for the above 3-bit S-box.
The probability when the i-th S-box is active is modeled by Σ_j Q_{i,p_{b_j}} = n_i, e.g. Q_{i,2^{−1}} + Q_{i,2^{−2}} = n_i.
Objective function: minimize Σ_{i,j} −log_2(p_{b_j}) × Q_{i,p_{b_j}}, e.g. Q_{i,2^{−1}} + 2 Q_{i,2^{−2}}.
Activating Inequalities only When Necessary
• We model the p_{b_j}-DDT independently for all j.
An inequality modeling a p_{b_j}-DDT has the form
a_0 x_2 + a_1 x_1 + a_2 x_0 + a_3 y_2 + a_4 y_1 + a_5 y_0 ≥ b,
where a_0, a_1, ⋯, a_5 ∈ {−1, 0, 1} and b ≤ −1.
• The inequalities modeling the p_{b_j}-DDT should be meaningful only when Q_{i,p_{b_j}} = 1.
• Big-M method:
a_0 x_2 + a_1 x_1 + a_2 x_0 + a_3 y_2 + a_4 y_1 + a_5 y_0 + M(1 − Q_{i,p_{b_j}}) ≥ b,
where M is a sufficiently big constant (when Q_{i,p_{b_j}} = 0 the added M makes the inequality hold for every pattern).
Summary of Probability Modeling
1. Separate the DDT into p_b-DDTs.
2. Add an inequality to represent the probability.
3. Model all p_b-DDTs with QM or Espresso.
4. Add a term for big-M to each inequality.
Example: actual lp file for SKINNY-128.
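As an added example (not the talk's lp file, and independent of its SKINNY-128 model), the Python below carries the four steps above through for one PRESENT S-box, whose 4-bit DDT only has the probabilities 2^{−2} and 2^{−3} and so keeps the model small: it splits the DDT into p_b-DDTs, derives one {−1, 0, 1} inequality per zero entry of each p_b-DDT (unminimised, where the talk would run QM or Espresso), attaches the big-M term with the smallest M that works, verifies by brute force that setting Q_{i,2^{−2}} = 1 admits exactly the 2^{−2} entries, and emits the model for one S-box in LP file syntax. The activeness links n_i ≥ x_j and n_i ≥ y_j are an assumption of this example (the slides do not show how n_i is tied to the bits), and the variable names are constructed.

```python
from itertools import product
from math import log2

# PRESENT S-box (4-bit to 4-bit); its DDT holds only the values 0, 2 and 4.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def ddt(sbox, n):
    """DDT[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    table = [[0] * (1 << n) for _ in range(1 << n)]
    for x, dx in product(range(1 << n), repeat=2):
        table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def pb_ddts(sbox, n):
    """{p_b: set of 2n-bit patterns (dx bits then dy bits, MSB first) whose DDT
    entry has probability p_b}, one set per p_b < 1.  The trivial (0,0) entry of
    probability 1 is the inactive S-box and is handled by n_i instead."""
    table, split = ddt(sbox, n), {}
    for dx, dy in product(range(1 << n), repeat=2):
        if table[dx][dy] and (dx, dy) != (0, 0):
            pattern = tuple(int(b) for b in f"{dx:0{n}b}{dy:0{n}b}")
            split.setdefault(table[dx][dy] / (1 << n), set()).add(pattern)
    return split

def inequalities(ones, n):
    """One inequality (a, b) meaning a.v >= b per zero entry of a p_b-DDT; the
    zero entry's pattern is the only vector of {0,1}^2n that violates it
    (unminimised: QM or Espresso would merge many of these)."""
    return [(tuple(1 if bit == 0 else -1 for bit in v), 1 - sum(v))
            for v in product((0, 1), repeat=2 * n) if v not in ones]

def big_m(a, b):
    """Smallest M with a.v + M >= b for every v: M = b - min(a.v) = b + #(-1 coefficients)."""
    return b + sum(1 for c in a if c == -1)

def admissible(split, q, n):
    """Patterns allowed by all guarded inequalities a.v + M(1 - Q_{i,p_b}) >= b
    when the Q variables take the 0/1 values given in q (keyed by p_b)."""
    guarded = [(a, b, big_m(a, b), q[p]) for p, ones in split.items()
               for a, b in inequalities(ones, n)]
    return {v for v in product((0, 1), repeat=2 * n)
            if all(sum(c * x for c, x in zip(a, v)) + m * (1 - on) >= b
                   for a, b, m, on in guarded)}

def lin(coeffs, names):
    """'x0_0 - x0_1 + y0_3' style expression; zero coefficients are skipped."""
    terms = " ".join(f"{'-' if c < 0 else '+'} {v}" for c, v in zip(coeffs, names) if c)
    return terms.lstrip("+ ")

def lp_model(sbox, n, i=0):
    """LP-format model for the i-th S-box: weights -log2(p_b) on Q_{i,p_b} in the
    objective, sum_b Q_{i,p_b} = n_i, the activeness links n_i >= every difference
    bit (assumed here, not on the slides), and the big-M-guarded p_b-DDT inequalities."""
    split = pb_ddts(sbox, n)
    probs = sorted(split, reverse=True)
    names = [f"x{i}_{j}" for j in range(n)] + [f"y{i}_{j}" for j in range(n)]
    q = {p: f"Q{i}_w{int(-log2(p))}" for p in probs}    # Q_{i,2^-w}, named by weight w
    lines = ["Minimize",
             " obj: " + " + ".join(f"{int(-log2(p))} {q[p]}" for p in probs),
             "Subject To",
             " act: " + " + ".join(q[p] for p in probs) + f" - n{i} = 0"]
    lines += [f" n{i} - {v} >= 0" for v in names]
    for p in probs:
        for a, b in inequalities(split[p], n):
            m = big_m(a, b)          # a.v + m(1 - Q) >= b  <=>  a.v - m Q >= b - m
            lines.append(f" {lin(a, names)} - {m} {q[p]} >= {b - m}")
    lines += ["Binary", " " + " ".join(names + [q[p] for p in probs] + [f"n{i}"]), "End"]
    return "\n".join(lines)

if __name__ == "__main__":
    split = pb_ddts(PRESENT_SBOX, 4)
    for p in sorted(split, reverse=True):
        print(f"2^{int(log2(p))}-DDT: {len(split[p])} entries")
    allowed = admissible(split, {0.25: 1, 0.125: 0}, 4)
    print("patterns allowed with Q_{i,2^-2} = 1:", len(allowed), "==", len(split[0.25]))
    print(lp_model(PRESENT_SBOX, 4)[:400])
```

For inequalities built one per zero entry, big_m() always returns 1, because the left-hand side can be at most one below b; after QM/Espresso merging the same formula still gives the smallest safe M, which matters because an unnecessarily large M weakens the LP relaxation the solver branches on. The brute-force admissible() check is the property to keep when switching the S-box or the minimiser: with exactly one Q set, the guarded system must admit exactly that p_b-DDT.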
Applications to SKINNY-128
SKINNY
• Proposed at CRYPTO 2016 by Beierle et al.
• Tweakable block cipher supporting an n-bit block and an n-, 2n- or 3n-bit tweakey, where n ∈ {64, 128}.
• In this talk, we focus our attention on the single-key analysis of SKINNY-128.
SKINNY-128: Round Function
AES-like round function:
• SubCells (SC): application of an 8-bit S-box. The max differential probability of the S-box is 2^{−2}.
• AddConstants and AddRoundTweakey
• ShiftRows (SR): rotate row i by i bytes to the right
• MixColumns (MC): multiply the state by a binary matrix
Previous Bounds
• Lower bounds can be given by #ASbox × 2^{−2}, i.e. each active S-box contributes at most 2^{−2}.
• The block size is 128 bits. We are targeting differential trails with probability higher than 2^{−128} (64 active S-boxes).
• 15 rounds are secure.
Simple Upper Bounds
• We then derived simple upper bounds by assuming that all the active S-boxes output the same difference (so cancellation by XOR occurs with probability 1).
• A gap exists from 9 rounds to 14 rounds.
• Up to 13 rounds can be attacked simply.
• Is 14 rounds secure or insecure?