Multiple Differential Cryptanalysis: Theory and Practice
Céline Blondeau, Benoît Gérard
SECRET-Project-Team, INRIA, France
FSE, February 14th, 2011
C. Blondeau and B. Gérard. Multiple differential cryptanalysis 1/20

Outline

1. Multiple differential cryptanalysis
2. Data complexity and success probability
3. Attack on PRESENT

Differential cryptanalysis [Biham-Shamir 1990]

Differential

[Diagram: two evaluations of $F_{K_r} \circ \cdots \circ F_{K_1}$, with input difference $\delta_0$ and output difference $\delta_r$.]

Differential probability

$$\Pr[\delta_0 \to \delta_r] \stackrel{\text{def}}{=} \Pr_{X,K}\left[F_K^r(x) \oplus F_K^r(x \oplus \delta_0) = \delta_r\right].$$

Differential cryptanalysis [Biham-Shamir 1990]

Last round attack

[Diagram: $x$ and $x' = x \oplus \delta_0$ pass through $F_{K_r} \circ \cdots \circ F_{K_1}$ and then $F_{K_{r+1}}$ to give $y$ and $y'$; $F_k^{-1}$ is applied to $y$ and $y'$, with input difference $\delta_0$ and expected difference $\delta_r$.]

Basic Principle: For each last-round subkey candidate $k$, compute

$$C(k) = \#\left\{(y, y') \text{ such that } F_k^{-1}(y) \oplus F_k^{-1}(y') = \delta_r\right\}$$

Wrong Key Randomization Hypothesis

$$C_x(k) \stackrel{\text{def}}{=} \begin{cases} 1 & \text{if } F_k^{-1}(y) \oplus F_k^{-1}(y') = \delta_r, \\ 0 & \text{otherwise.} \end{cases} \qquad C(k) \stackrel{\text{def}}{=} \sum_x C_x(k).$$

Hypothesis

$$\Pr_X\left[F_k^{-1}(y) \oplus F_k^{-1}(y') = \delta_r\right] = \begin{cases} p_* & \text{if } k = K_{r+1}, \\ p & \text{if } k \neq K_{r+1}. \end{cases}$$

The counters $C_x(k)$ follow a Bernoulli distribution of parameter $p_*$ or $p$.
⇒ $C(k)$ follows a binomial distribution.

Previous Works

Previous works using many differentials:

- [Biham Shamir 1990] Collection of differentials with same output difference.
- [Knudsen 1994] Collection of differentials with same input difference.
- [Sugita et al. 2000] Same set of output differences for each input difference.

Multiple differential cryptanalysis

Collection of differentials

$$\Delta_0 \left\{ \begin{array}{ll} \delta_0^{(1)}: & (\delta_0^{(1)}, \delta_r^{(1,1)}),\ (\delta_0^{(1)}, \delta_r^{(1,2)}),\ \cdots,\ (\delta_0^{(1)}, \delta_r^{(1,5)}) \\ \delta_0^{(2)}: & (\delta_0^{(2)}, \delta_r^{(2,1)}),\ (\delta_0^{(2)}, \delta_r^{(2,2)}),\ \cdots,\ (\delta_0^{(2)}, \delta_r^{(2,9)}) \\ \delta_0^{(3)}: & (\delta_0^{(3)}, \delta_r^{(3,1)}),\ (\delta_0^{(3)}, \delta_r^{(3,2)}),\ \cdots,\ (\delta_0^{(3)}, \delta_r^{(3,7)}) \end{array} \right.$$

$p_*^{(i,j)}$: Probability of the differential $(\delta_0^{(i)}, \delta_r^{(i,j)})$.
$\Delta_r^{(i)}$: Set of output differences for the i-th input difference.
$\Delta_0$: Set of input differences.

The counters

$$C_x^{(i)}(k) \stackrel{\text{def}}{=} \begin{cases} 1 & \text{if } F_k^{-1}\left(E_{K_*}(x)\right) \oplus F_k^{-1}\left(E_{K_*}(x \oplus \delta_0^{(i)})\right) \in \Delta_r^{(i)}, \\ 0 & \text{otherwise.} \end{cases}$$

$$C_x(k) \stackrel{\text{def}}{=} \sum_{i=1}^{\#\Delta_0} C_x^{(i)}(k) \quad\text{and}\quad C(k) \stackrel{\text{def}}{=} \sum_x C_x(k).$$

$C_x^{(i)}(k)$ follows a Bernoulli distribution of parameter $p_*^{(i)}$ or $p^{(i)}$ where

$$p_*^{(i)} = \sum_{j=1}^{\#\Delta_r^{(i)}} p_*^{(i,j)} \quad\text{and}\quad p^{(i)} = \#\Delta_r^{(i)} \cdot 2^{-m}.$$

What is the distribution of $C(k)$?

Poisson approximation

[Le Cam 1960]: Let $C_x^{(i)}(k)$ be some independent Bernoulli random variables with probability $p^{(i)}$. Then $C_x(k) \stackrel{\text{def}}{=} \sum_{i=1}^{\#\Delta_0} C_x^{(i)}(k)$ follows a distribution close to a Poisson distribution of parameter $\lambda = \sum_{i=1}^{\#\Delta_0} p^{(i)}$.

$$C(K_{r+1}) \overset{\text{approx}}{\sim} \mathcal{P}\left(N \sum_{i=1}^{\#\Delta_0} p_*^{(i)}\right), \qquad C(k) \overset{\text{approx}}{\sim} \mathcal{P}\left(N \sum_{i=1}^{\#\Delta_0} p^{(i)}\right).$$

The cumulative function $G_P$ is not a good estimate for the tails of the distribution of the counters!!!

Tails of the cumulative functions

$$p_* \stackrel{\text{def}}{=} \frac{\sum_i p_*^{(i)}}{\#\Delta_0} \quad\text{and}\quad p \stackrel{\text{def}}{=} \frac{\sum_i p^{(i)}}{\#\Delta_0}$$

Using [Gallager 1968]:

$$G_-(\tau, q) \stackrel{\text{def}}{=} \Pr\left[C(k) \le \tau\,\#\Delta_0 N\right] \approx e^{-\#\Delta_0 \cdot N \cdot KL(\tau\|q)} \cdot \left[\frac{q\sqrt{1-\tau}}{(q-\tau)\sqrt{2\pi\tau\,\#\Delta_0 N}} + \frac{1}{\sqrt{8\pi\tau\,\#\Delta_0 N}}\right]$$

where $q = p_*$ or $p$, and

$$KL(\tau\|q) = \tau \log\left(\frac{\tau}{q}\right) + (1-\tau) \log\left(\frac{1-\tau}{1-q}\right).$$

Data complexity

In [Blondeau-Gérard-Tillich-2010], the data complexity is computed by approximating one tail of the binomial cumulative function with:

$$1 - e^{-N \cdot KL(\tau\|p)} \cdot \frac{(1-p)\sqrt{\tau}}{(\tau-p)\sqrt{2\pi N(1-\tau)}}.$$

Data complexity

Here one tail of the cumulative function of the counters is:

$$G_+(\tau, p) \approx 1 - e^{-\#\Delta_0 N \cdot KL(\tau\|p)} \left[\frac{(1-p)\sqrt{\tau}}{(\tau-p)\sqrt{2\pi N(1-\tau)}} + \frac{1}{\sqrt{8\pi\,\#\Delta_0 N \tau}}\right].$$

With similar arguments, the data complexity is

$$N \approx -2 \cdot \frac{\ln\left(2\sqrt{\pi}\,\ell\,2^{-n}\right)}{\#\Delta_0\, KL(p_*\|p)},$$

where:
$n$: Number of bits of the subkey,
$\ell$: Size of the list of kept candidates.
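
The data-complexity estimate above, worked through in Python as an added example (not code from the slides or from the authors). The function names, the toy parameters (m = 16, n = 8, ℓ = 4) and the differential probabilities are constructed assumptions; p_* and p are averaged over Δ_0 as on the "Tails of the cumulative functions" slide.

```python
import math

def kl(tau, q):
    """Kullback-Leibler divergence KL(tau || q) between two Bernoulli laws."""
    return tau * math.log(tau / q) + (1 - tau) * math.log((1 - tau) / (1 - q))

def average_probabilities(collection, m):
    """collection[i] lists p_*^(i,j) for the i-th input difference.
    Returns (p_*, p), the right-key and wrong-key averages over Delta_0."""
    n_in = len(collection)                                       # #Delta_0
    p_star = sum(sum(row) for row in collection) / n_in          # sum_i p_*^(i) / #Delta_0
    p = sum(len(row) * 2.0 ** -m for row in collection) / n_in   # p^(i) = #Delta_r^(i) * 2^-m
    return p_star, p

def data_complexity(collection, m, n, ell):
    """N ~ -2 ln(2 sqrt(pi) ell 2^-n) / (#Delta_0 * KL(p_* || p))."""
    p_star, p = average_probabilities(collection, m)
    if p_star <= p:
        raise ValueError("the estimate assumes p_* > p")
    arg = 2 * math.sqrt(math.pi) * ell * 2.0 ** -n
    if arg >= 1:
        raise ValueError("list size ell is too large for an n-bit subkey")
    return -2 * math.log(arg) / (len(collection) * kl(p_star, p))

# Constructed sample values (not from the slides): a 16-bit toy block,
# an 8-bit subkey, 4 kept candidates, and a collection with 5, 9 and 7
# output differences for its three input differences.
M_BITS, N_BITS, ELL = 16, 8, 4
SINGLE = [[2.0 ** -10]]
MULTIPLE = [[2.0 ** -10] * 5, [2.0 ** -11] * 9, [2.0 ** -11] * 7]

if __name__ == "__main__":
    for name, coll in (("single", SINGLE), ("multiple", MULTIPLE)):
        n_est = data_complexity(coll, M_BITS, N_BITS, ELL)
        print(f"{name:8s} N ~ {n_est:8.1f}")
```

With these constructed values the collection lowers the estimated N by roughly a factor of ten compared with the single differential, since both #Δ_0 and KL(p_* || p) grow.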

Success probability

$$P_s \approx 1 - G_*\left(G^{-1}\left(1 - \frac{\ell - 1}{2^n - 2}\right) - 1\right),$$

where $G$ and $G_*$ are the cumulative functions of the distribution of the random variables.

For $G$ and $G_*$ we can take:

- Normal distribution ([Selçuk 2007])
- Poisson distribution (First Idea)

Experiments on SMALLPRESENT-[8]

[Figure: success probability $P_S$ as a function of $\log_2(N)$, for $\log_2(N)$ from 28.5 to 31. Curves: Poisson, Normal, Experimental.]

Distribution of the counters

We use the following estimate for the cumulative function of the $C(k)$'s:

$$G(x, q) = \begin{cases} G_-(x, q) & \text{if } x < q - 3 \cdot \sqrt{q/N}, \\ G_+(x, q) & \text{if } x > q + 3 \cdot \sqrt{q/N}, \\ G_P(x, q) & \text{otherwise.} \end{cases}$$

$$G_*(x) = G(x, p_*), \qquad G(x) = G(x, p)$$

[Figure: $G(\tau, q)$ as a function of $\tau$.]

Experiments on SMALLPRESENT-[8]

[Figure: success probability $P_S$ as a function of $\log_2(N)$, for $\log_2(N)$ from 28.5 to 31. Curves: Ours, Poisson, Normal, Experimental.]