Limited Birthday | Multiple Limited-Birthday | Our Algorithm | Applications | The End

Multiple Limited-Birthday Distinguishers and Applications

Jérémy Jean (1), María Naya-Plasencia (2), Thomas Peyrin (3)
(1) École Normale Supérieure, France
(2) SECRET Project-Team - INRIA Paris-Rocquencourt, France
(3) Nanyang Technological University, Singapore

SAC’2013 – August 16, 2013

SAC’2013 – J. Jean, M. Naya-Plasencia, T. Peyrin – MLB Distinguishers and Applications 1/16

Open-Key Distinguishers

Block cipher $E \cong$ family of PRPs, $E : K \times D \to D$.
Known-key model: introduced by Knudsen and Rijmen in [KR-A07].
Let $\Delta_{IN}$ and $\Delta_{OUT}$ be two truncated differences.

A Known-key Distinguisher
Let $K$ be a key and $E_K$ the associated permutation. Find $(P, P')$ s.t. $P \oplus P' \in \Delta_{IN}$ and $E_K(P) \oplus E_K(P') \in \Delta_{OUT}$.

A Chosen-key Distinguisher
Find $K$, $(P, P')$ s.t. $P \oplus P' \in \Delta_{IN}$ and $E_K(P) \oplus E_K(P') \in \Delta_{OUT}$.

Example: AES
[Figure: $E_K$ mapping $\Delta_{IN}$ to $\Delta_{OUT}$]

Limited Birthday Algorithm [GP-FSE10]

Conjecture: best generic algorithm to solve the LB problem.

Limited Birthday
What is the generic complexity for mapping $i$ fixed-difference bits to $j$ fixed-difference bits with a random $n$-bit permutation $\pi$?

[Figure: $n$-bit permutation $\pi$, with labels $n - i$, $n - j$ and $j$]

Algorithm: sequential applications of the birthday algorithm.

Time complexity $C(i, j)$ (assuming $i \le j$):

$$\log_2 C(i, j) = \begin{cases} j/2, & \text{if } j \le 2(n - i), \\ i + j - n, & \text{if } j > 2(n - i). \end{cases}$$

Our Contributions

◮ We add more than one valid truncated difference to $\Delta_{IN}$ and $\Delta_{OUT}$
◮ We consider this extended LB problem as Multiple Limited-Birthday
◮ We provide the best known algorithm to solve the MLB problem
◮ We apply it to several AES-like primitives

Intuitions (1/2)

Obs.: the gap between generic and distinguishing complexities is often big.

Rebound-based distinguishing algorithms
◮ Two phases: inbound (deterministic) and outbound (probabilistic)
◮ We do not elaborate on the inbound phase
◮ In the outbound, constrained truncated probabilistic transitions ⟹ output positions can be relaxed

[Figure: probabilistic transition with $p = 2^{-3 \times 8}$]

LB Problem applied to AES
[Figure: $\tilde{\pi}$ from $\Delta_{IN}$ to $\Delta_{OUT}$ around the inbound phase, with outbound probabilities $2^{-24}$ and $2^{-16}$]
$P_{outbound} = 2^{-40}$

Intuitions (2/2)

Relaxation
◮ A $t \to c$ transition leads to $\binom{t}{c}$ possibilities
◮ The probability is $\binom{t}{c}$ times higher

Example
[Figure: $\binom{4}{1}$ possible inputs, $\pi$, $\binom{4}{2}$ possible outputs]
$P_{outbound} = 24 \times 2^{-40} \approx 2^{-35.4}$

Generic Problem

Generic problem
◮ Relaxing the positions changes the generic algorithm (MLB)
◮ The algorithm due to [GP-FSE10] is not optimal ⟹ Need to commit to a fixed $\Delta_{IN}$ (or $\Delta_{OUT}$)
◮ We restrict ourselves to:
  ◮ geometries of square size $t \times t$ (AES: $t = 4$),
  ◮ $n_B$ active diagonals for $\Delta_{IN}$,
  ◮ $n_F$ active anti-diagonals for $\Delta_{OUT}$.

Let $\Delta_{IN}$ be the set of truncated patterns containing all the $\binom{t}{n_B}$ possible ways to choose $n_B$ active diagonals among the $t$ ones. Let $\Delta_{OUT}$ be defined similarly with $n_F$ active anti-diagonals.

Multiple Limited Birthday (MLB)
Given $F$, $\Delta_{IN}$ and $\Delta_{OUT}$, find a pair $(m, m')$ of inputs to $F$ such that $m \oplus m' \in \Delta_{IN}$ and $F(m) \oplus F(m') \in \Delta_{OUT}$.

Lower Bounding the Generic Time Complexity

Lower bound on the time complexity $T$
◮ MLB with differences $(\Delta_{IN}, \Delta_{OUT})$ is at least as hard as LB on the equivalent parameters $(IN, OUT)$
◮ Indeed, LB is made easier with fewer constraints and more possible input pairs

$$C(IN, OUT) \le T$$

MLB Example ($t = 4$, $c = 8$)
[Figure: $\Delta_{IN}$ with $n_B = 1$ (patterns $\Delta_1, \dots, \Delta_4$) mapped by $\pi$ to $\Delta_{OUT}$ with $n_F = 2$ (patterns $\Delta'_1, \dots, \Delta'_6$)]

$$IN = \binom{t}{n_B} 2^{c \cdot t \cdot n_B}, \qquad OUT = \binom{t}{n_F} 2^{c \cdot t \cdot n_F}$$

Upper Bounding the Generic Time Complexity

Upper bound on the time complexity $T$
◮ A first algorithm to solve MLB is based on independent applications of the generic algorithm for LB
◮ Take one random input $\Delta_i$ of size $IN$, and apply LB$(IN, OUT)$ until one solution is found

$$T \le \min \{ C(IN, OUT),\ C(IN, OUT) \}$$

MLB Example ($t = 4$, $c = 8$)
[Figure: $\Delta_{IN}$ with $n_B = 1$ (patterns $\Delta_1, \dots, \Delta_4$) mapped by $\pi$ to $\Delta_{OUT}$ with $n_F = 2$ (patterns $\Delta'_1, \dots, \Delta'_6$)]

$$IN = \binom{t}{n_B} 2^{c \cdot t \cdot n_B}, \qquad OUT = \binom{t}{n_F} 2^{c \cdot t \cdot n_F}$$

$$IN = 2^{c \cdot t \cdot n_B}, \qquad OUT = 2^{c \cdot t \cdot n_F}$$

Improving the Generic Time Complexity

Bounds

$$C(IN, OUT) \le T \le \min \{ C(IN, OUT),\ C(IN, OUT) \}$$

Our algorithm
◮ Solves the generic MLB problem with time complexity $T$
◮ We conjecture its optimality
◮ In the sequel, we explain the forward direction
◮ We compare our time complexities to the lower bound $C(IN, OUT)$

Data

Structure of Input Data
[Figure: input state split into diagonals $D_0, D_1, D_2, D_3$]

Notes
◮ A random pair is a right pair with proba. $P_{out} = \binom{t}{n_F} 2^{-t(t - n_F)c}$
◮ We need (at least) $P_{out}^{-1}$ pairs at the input
◮ $D_1, \dots, D_{n'_B}$ assume $2^{ct}$ values
◮ $D_0$ assume $2^y < 2^{ct}$ values
◮ $\binom{n'_B}{n_B}$
◮ $n_B = 2$, $n'_B = 3$

Number of Pairs

$$N_{pairs}(n'_B, y) \stackrel{def}{=} \binom{n'_B}{n_B} \binom{2^{n_B ct}}{2} 2^y \, 2^{(n'_B - n_B)tc} + \binom{n'_B}{n_B - 1} \binom{2^{y + (n_B - 1)ct}}{2} 2^{(n'_B - (n_B - 1))ct}$$

Then: Solve $N_{pairs}(n'_B, y) = P_{out}^{-1}$ to get $(n'_B, y)$.

Online Phase

Online Phase
◮ Query the $2^{y + ctn'_B}$ outputs to the permutation $\pi$
◮ Sort them, and:
  ◮ check for a valid output pattern
  ◮ then, check for a valid input pattern

Time Complexity

$$2^{y + ctn'_B} + 2^{2(y + ctn'_B) - 1} P_{out} \approx 2^{y + ctn'_B}$$

Improvements: constant memory with collision-finding algorithms.

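Added example (not from the slides or the authors' code): solving $N_{pairs}(n'_B, y) = P_{out}^{-1}$ numerically and reading off the online cost $2^{y + ctn'_B}$, with every quantity kept as a base-2 logarithm. The function names, the bisection on $y$ and the bound $n'_B \le t - 1$ are assumptions of this example; the sample call uses $t = 4$, $c = 8$, $n_B = 1$, $n_F = 2$ from the MLB example slide.

```python
import math

def log2_pairs(a):
    """log2 of C(2^a, 2): unordered pairs among 2^a values."""
    if a > 50:
        return 2 * a - 1
    x = 2.0 ** a
    return a + math.log2(x - 1) - 1 if x > 1 else -math.inf

def log2_add(u, v):
    """log2(2^u + 2^v), staying in the log domain."""
    hi, lo = max(u, v), min(u, v)
    return hi if lo == -math.inf else hi + math.log2(1 + 2.0 ** (lo - hi))

def log2_p_out(t, c, n_f):
    """log2 of P_out = C(t, n_F) * 2^(-t (t - n_F) c)."""
    return math.log2(math.comb(t, n_f)) - t * (t - n_f) * c

def log2_n_pairs(t, c, n_b, npb, y):
    """log2 of N_pairs(n'_B, y); npb stands for n'_B."""
    ct, total = c * t, -math.inf
    if npb >= n_b:      # pairs active on n_B of D_1..D_{n'_B}, D_0 equal
        total = (math.log2(math.comb(npb, n_b)) + log2_pairs(n_b * ct)
                 + y + (npb - n_b) * ct)
    if npb >= n_b - 1:  # pairs active on D_0 and on n_B - 1 of the others
        total = log2_add(total, math.log2(math.comb(npb, n_b - 1))
                         + log2_pairs(y + (n_b - 1) * ct)
                         + (npb - (n_b - 1)) * ct)
    return total

def solve_data(t, c, n_b, n_f):
    """Smallest n'_B, then y, with N_pairs = 1/P_out.
    Returns (n'_B, y, log2 of the online time 2^(y + c t n'_B))."""
    ct, need = c * t, -log2_p_out(t, c, n_f)
    for npb in range(n_b - 1, t):   # assumption: D_0 plus n'_B diagonals <= t
        if log2_n_pairs(t, c, n_b, npb, ct) < need:
            continue                # even a full D_0 gives too few pairs
        lo, hi = 0.0, float(ct)
        for _ in range(60):         # bisection: N_pairs grows with y
            mid = (lo + hi) / 2
            if log2_n_pairs(t, c, n_b, npb, mid) < need:
                lo = mid
            else:
                hi = mid
        return npb, hi, hi + ct * npb
    raise ValueError("the structure cannot supply 1/P_out pairs")

if __name__ == "__main__":
    print(solve_data(4, 8, 1, 2))   # t = 4, c = 8, n_B = 1, n_F = 2
```
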
AES in the Known-Key Model

AES: 10 rounds, $t = 4$, $c = 8$.

AES: Known-Key Distinguisher for 8R
[Figure: 8-round truncated characteristic through states $S_0, \dots, S_8$, one round (1R) per step]

Details
◮ Super-SBox technique [GP-FSE10]: $S_2 \to S_5$ = 1 operation on av.
◮ Total cost: $2^{24}/4 \cdot 2^{24}/4 = 2^{44}$ computations (prev: $2^{48}$).
◮ Lower bound for generic complexity: $2^{61}$ computations.

Collision on 6-Round AES in Davies-Meyer Mode

Reduced AES: 6 rounds, $t = 4$, $c = 8$.

AES: 6-Round Collision in DM
[Figure: 6-round truncated characteristic through states $S_0, \dots, S_6$, one round (1R) per step]

Details
◮ Technique from [DFJ-INDO12]: $S_1 \to S_6$ = 1 operation on av.
◮ Total cost: $2^{24} \times 2^{8} = 2^{32}$ computations (position constrained).
◮ Lower bound for generic complexity: $2^{64}$ computations.

Improved Distinguisher of Whirlpool CF

Whirlpool: 10 rounds, $t = 8$, $c = 8$.
Compression Function (CF): $h(H, M) = E_H(M) \oplus M \oplus H$.

Whirlpool: 10-Round Truncated Characteristic
[Figure: 10-round truncated characteristic through states $S_0, \dots, S_{10}$, one round (1R) per step, with two $\binom{8}{4}$ labels]

Details
◮ Inbound from [LMRRS-09]: $S_2 \to S_7$ = $2^{64}$ computations on av.
◮ Cost outbound: $2^{32} / \binom{8}{4} \times 2^{32} / \binom{8}{4} = 2^{51.74}$ computations.
◮ Total cost: $2^{64} \times 2^{51.74} = 2^{115.74}$ computations
◮ Lower bound for generic complexity: $2^{125}$ computations.
◮ Previous: $2^{176}$ computations – Ideal: $2^{384}$.