On nonlinear approximations and the linear hull effect
Anne Canteaut, Inria, Paris, France
Joint work with Christof Beierle and Gregor Leander
ASK 2018, Kolkata
Linear approximations
Linear approximations
$\Pr[\alpha\cdot x + \beta\cdot F(x) = 0]$ far from $\tfrac12$, quantified by
$$\mathrm{cor}_F(\alpha,\beta) = 2^{-n}\sum_{x\in\mathbb{F}_2^n}(-1)^{\alpha\cdot x+\beta\cdot F(x)},$$
since $\Pr[\alpha\cdot x + \beta\cdot F(x) = 0] = \tfrac12\bigl(1+\mathrm{cor}_F(\alpha,\beta)\bigr)$.
Linear approximations with correlation $\pm1$
$F$ has a linear approximation with correlation $\pm1$ iff it has a component of degree 1.
$\Rightarrow$ This never occurs for a one-round SPN (except for trivial Sboxes).
An alternative formulation (for a permutation $F$ and nonzero masks $\alpha,\beta$):
$$\mathrm{cor}_F(\alpha,\beta) = -1 + 2^{-n+2}\,\#\{x\in\langle\alpha\rangle^\perp \text{ such that } F(x)\in\langle\beta\rangle^\perp\}$$
$\Rightarrow \mathrm{cor}_F(\alpha,\beta) = \pm1$ iff $F(\langle\alpha\rangle^\perp) = \langle\beta\rangle^\perp$ or $F(\langle\alpha\rangle^\perp) = \mathbb{F}_2^n\setminus\langle\beta\rangle^\perp$.
Linear approximations over several rounds [Daemen 95][Nyberg 01]
$$\mathrm{cor}_{G\circ F}(\alpha,\beta) = \sum_{\gamma\in\mathbb{F}_2^n}\mathrm{cor}_F(\alpha,\gamma)\,\mathrm{cor}_G(\gamma,\beta).$$
If one dominant trail $(\alpha,\gamma_0,\beta)$: $\mathrm{cor}_{G\circ F}(\alpha,\beta)\simeq\mathrm{cor}_F(\alpha,\gamma_0)\,\mathrm{cor}_G(\gamma_0,\beta)$. Otherwise, linear hull effect.
Two-round approximations with correlation $\pm1$
For a two-round SPN with round function $\mathcal{R} = L\circ S$:
$$\mathrm{cor}_{L\circ S}(\alpha,\beta) = \sum_{\gamma\in\mathbb{F}_2^n}\mathrm{cor}_S(\alpha,\gamma)\,\mathrm{cor}_L(\gamma,\beta) = \mathrm{cor}_S(\alpha, L^T(\beta)).$$
$$\mathrm{cor}_{\mathcal{R}\circ\mathrm{Add}_k\circ\mathcal{R}}(\alpha,\beta) = \sum_{\gamma\in\mathbb{F}_2^n}(-1)^{k\cdot\gamma}\,\mathrm{cor}_S(\alpha, L^T(\gamma))\,\mathrm{cor}_S(\gamma, L^T(\beta)).$$
Question: can we get a correlation $\pm1$ for a two-round approximation for some fixed $k$?
Nonlinear approximations and invariants
Nonlinear approximations
Let $g$ and $h$ be two balanced Boolean functions of $n$ variables. $\Pr[g(x) + h(F(x)) = 0]$ far from $\tfrac12$, quantified by
$$\mathrm{cor}_F(g,h) = 2^{-n}\sum_{x\in\mathbb{F}_2^n}(-1)^{g(x)+h(F(x))}.$$
Nonlinear invariants and the nonlinear invariant attack [Todo-Leander-Sasaki 16]
A non-trivial partition of $\mathbb{F}_2^n$ invariant under $F$: a subset $S\subseteq\mathbb{F}_2^n$ with $F(S) = S$ or $F(S) = \mathbb{F}_2^n\setminus S$.
(figure: $F$ maps $S$ onto $S$, or onto its complement $\mathbb{F}_2^n\setminus S$)
Equivalently, let $g$ be the Boolean function defined by $g(x) := 1$ iff $x\in S$; then
$\forall x\in\mathbb{F}_2^n,\ g(F(x)) = g(x)$ or $\forall x\in\mathbb{F}_2^n,\ g(F(x)) = g(x) + 1$.
Such a $g$ is called an invariant for $F$.
Nonlinear approximations with correlation $\pm1$
$g$ is an invariant for $F$ if and only if
$$\mathrm{cor}_F(g,g) = 2^{-n}\sum_{x\in\mathbb{F}_2^n}(-1)^{g(x)+g(F(x))} = \pm1.$$
Nonlinear approximations as a combination of linear approximations
$$\mathrm{cor}_F(g,h) = \sum_{\gamma,\gamma'\in\mathbb{F}_2^n}\mathrm{cor}_g(\gamma)\,\mathrm{cor}_F(\gamma,\gamma')\,\mathrm{cor}_h(\gamma'),$$
where $\mathrm{cor}_g(\gamma) = 2^{-n}\sum_{x\in\mathbb{F}_2^n}(-1)^{g(x)+\gamma\cdot x}$ is the Walsh coefficient of $g$ (and similarly for $h$).
If $g = \ell_\alpha$ and $h = \ell_\beta$, then $\mathrm{cor}_F(g,h) = \mathrm{cor}_F(\alpha,\beta)$. Otherwise, we gather together several linear approximations.
Nonlinear approximations and the linear hull effect
Transforming nonlinear invariants into linear approximations
Let $g$ be a balanced nonlinear invariant for $F$. We can always define a permutation $G$ such that $\alpha\cdot G(x) = g(x)$. Then, with $y = G(x)$,
$$g(x) + g(F(x)) = \alpha\cdot G(x) + \alpha\cdot(G\circ F)(x) = \alpha\cdot y + \alpha\cdot(G\circ F\circ G^{-1})(y).$$
The nonlinear approximation $(g,g)$ of $F$ corresponds to the linear approximation $(\alpha,\alpha)$ of $F^{G,G^{-1}} = G\circ F\circ G^{-1}$:
$$\mathrm{cor}_{F^{G,G^{-1}}}(\alpha,\alpha) = \sum_{\gamma_1,\gamma_2\in\mathbb{F}_2^n}\mathrm{cor}_{G_\alpha}(\gamma_1)\,\mathrm{cor}_F(\gamma_1,\gamma_2)\,\mathrm{cor}_{G_\alpha}(\gamma_2),$$
where $G_\alpha = \alpha\cdot G$ is the component of $G$ selected by $\alpha$. The other components of $G$ do not matter!
$G$-shifted trails
$$E^{G,G^{-1}}_{(k_0,\dots,k_t)} = G\circ R_{k_t}\circ R_{k_{t-1}}\circ\cdots\circ R_{k_0}\circ G^{-1} = R^{G,G^{-1}}_{k_t}\circ R^{G,G^{-1}}_{k_{t-1}}\circ\cdots\circ R^{G,G^{-1}}_{k_0}.$$
$$\mathrm{cor}_{E^{G,G^{-1}}_{(k_0,\dots,k_t)}}(\alpha,\beta) = \sum_{\gamma_1,\dots,\gamma_t\in\mathbb{F}_2^n}\ \prod_{i=0}^{t}\mathrm{cor}_{R^{G,G^{-1}}_{k_i}}(\gamma_i,\gamma_{i+1}),\qquad\gamma_0 = \alpha,\ \gamma_{t+1} = \beta.$$
A one-round $G$-shifted trail on Midori-64
$\mathcal{G} = (G,\dots,G)$ where $G$ is a bijection on 4 bits such that $\langle 8, G(x)\rangle = g(x)$ with $g(x) = x_3x_2 + x_2 + x_1 + x_0$ invariant for the Sbox, i.e. $|\mathrm{cor}_{S^{G,G^{-1}}}(8,8)| = 1$.
$|\mathrm{cor}_{M^{\mathcal{G},\mathcal{G}^{-1}}}((8,\dots,8),(8,\dots,8))| = 1$.
$\Rightarrow$ Iterative one-round trail with correlation $\pm1$:
(figure: all 16 cells carry the mask 8 before and after each layer; $P^{\mathcal{G},\mathcal{G}^{-1}} = P$ has $\mathrm{cor} = 1$, and $\mathrm{Add}_k^{\mathcal{G},\mathcal{G}^{-1}}$ for $k\in WK$, $S^{\mathcal{G},\mathcal{G}^{-1}}$ and $M^{\mathcal{G},\mathcal{G}^{-1}}$ each have $|\mathrm{cor}| = 1$)
A two-round shifted trail on Midori-64 [Beyne 18]
For $g(x) = x_0x_2 + x_0 + x_1 + x_3$ and $\alpha = \mathtt{0x5}$, the Sbox satisfies $g(S(x)) + \alpha\cdot x = 1$.
We choose a 4-bit bijection $G$ such that $\langle 8, G(x)\rangle = g(x)$. Equivalently, $\mathrm{cor}_S(\ell_\alpha, g) = \mathrm{cor}_{G\circ S}(\alpha, 8) = -1$.
$|\mathrm{cor}_{M^{\mathcal{G},\mathcal{G}^{-1}}}((8,\dots,8),(8,\dots,8))| = 1$.
A two-round shifted trail on Midori-64 [Beyne 18]
(figure: the two-round trail, with masks 5 and 8 on the cells. First round: $G\circ S$ maps mask 5 to mask 8 with $|\mathrm{cor}| = 1$, $P^{\mathcal{G},\mathcal{G}^{-1}}$ has $\mathrm{cor} = 1$, $M^{\mathcal{G},\mathcal{G}^{-1}}$ has $|\mathrm{cor}| = 1$, then $\mathrm{Add}_k^{\mathcal{G},\mathcal{G}^{-1}}$ with $k\in WK'$. Second round: $S\circ G^{-1}$ maps mask 8 back to mask 5 with $|\mathrm{cor}| = 1$, then $P$ and $M$ with $\mathrm{cor} = 1$.)
This is a two-round linear approximation with correlation $\pm1$!
A 4-round $G$-shifted trail on Midori-64
$G$ is a bijection on 4 bits such that $\langle 8, G(x)\rangle = g(x)$ with $g(x) = x_3x_2x_1 + x_3x_1 + x_3 + x_2 + x_1 + x_0$ invariant for the Sbox: $|\mathrm{cor}_{S^{G,G^{-1}}}(8,8)| = 1$.
But $|\mathrm{cor}_{M^{\mathcal{G},\mathcal{G}^{-1}}}(\alpha, M\alpha)| = \frac{11}{32}$ if $\alpha\neq(0,0,0,0)$ and all $\alpha_i\in\{0,8\}$.
A 4-round $G$-shifted trail on Midori-64
(figure: four rounds $i = 0,\dots,3$ with round keys $k_i\in WK'_i$, the active cells carrying mask 8; in each round $S^{\mathcal{G},\mathcal{G}^{-1}}$ has $|\mathrm{cor}| = 1$ and $P^{\mathcal{G},\mathcal{G}^{-1}}$ has $\mathrm{cor} = 1$, while $M^{\mathcal{G},\mathcal{G}^{-1}}$ contributes $(11/32)^3$, $11/32$, $11/32$ and $(11/32)^3$ in rounds 0, 1, 2 and 3)
A 4-round $G$-shifted trail on Midori-64
The weak keys are those equal to 0 or 1 in all active cells.
Correlation of the trail: $\left(\frac{11}{32}\right)^8 = 2^{-12.325}$.
Correlation of the approximation: $\mathrm{cor}_{(R_{k_3}\circ\cdots\circ R_{k_0})^{\mathcal{G},\mathcal{G}^{-1}}}(\alpha,\alpha)\simeq 2^{-12.16}$.
What about the other trails? For the first 2 rounds:
• For $G_1 = [\mathtt{0,8,c,4,a,2,6,e,9,1,d,5,3,b,f,7}]$, 35,937 $G_1$-shifted linear trails have a nonzero correlation.
• For $G_2 = [\mathtt{0,9,a,1,8,2,3,f,c,4,d,5,6,e,b,7}]$, 282,184 $G_2$-shifted linear trails have a nonzero correlation.
Another 1-round $G$-shifted trail on Midori-64
$\mathcal{G} = (G', G,\dots,G)$ where $G$ is a bijection on 4 bits such that $\langle 8, G(x)\rangle = g(x)$ with $g(x) = x_3x_2 + x_2 + x_1 + x_0$ invariant for $S$, and $\langle 8, G'(x)\rangle = g'(x)$ with $g'(x) = x_3x_2x_1 + x_3x_1 + x_3 + x_2 + x_1 + x_0$.
$$|\mathrm{cor}_{S_k^{G',G'^{-1}}}(8,8)| = \begin{cases} 1 & \text{if } k\in\{0,1\}\\ 2^{-1} & \text{if } k\notin\{0,1\}\end{cases}$$
$|\mathrm{cor}_{M^{\mathcal{G},\mathcal{G}^{-1}}}((8,\dots,8),(8,\dots,8))|\simeq 2^{-0.83}$.
Another 1-round $G$-shifted trail on Midori-64
(figure: all 16 cells carry the mask 8 through $S^{\mathcal{G},\mathcal{G}^{-1}}$ with $|\mathrm{cor}|\ge 2^{-1}$ for $k\in WK''$, $P^{\mathcal{G},\mathcal{G}^{-1}} = P$ with $\mathrm{cor} = 1$, and $M^{\mathcal{G},\mathcal{G}^{-1}}$ with $|\mathrm{cor}|\approx 2^{-0.83}$)
Correlation of the 16-round trail: $\ge\left(2^{-1.83}\right)^{16} = 2^{-29.28}$.
Correlation over 16 rounds: different from the correlation of the trail.
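As an added worked example (this code is mine, not from the slides nor from the Midori or Beyne papers), the following Python recomputes on the Midori-64 Sbox Sb0 the quantities the slides define: the linear correlation $\mathrm{cor}_F(\alpha,\beta)$ and the nonlinear correlation $\mathrm{cor}_F(g,h)$, the decomposition of $\mathrm{cor}_F(g,h)$ into the linear correlations $\mathrm{cor}_g(\gamma)\,\mathrm{cor}_F(\gamma,\gamma')\,\mathrm{cor}_h(\gamma')$, the linear-hull sum for $G\circ F$, the construction of a bijection $G$ with $\langle 8, G(x)\rangle = g(x)$ and the shifted map $G\circ F\circ G^{-1}$, Beyne's relation $\mathrm{cor}_{G\circ S}(5,8) = -1$, and the key-dependent correlation of the shifted keyed Sbox from the last slides. Assumptions: the table `SB0` is Midori-64's Sb0 with bit $i$ of $x$ read as `(x >> i) & 1` (so $x_3$ is the most significant bit, the convention in which the slides' $g$ is an invariant; the code checks this rather than assuming it), the round key is XORed before the Sbox in `keyed_shifted_cor`, and all function names (`cor`, `lift`, `conjugate`, `keyed_shifted_cor`, ...) are my own.

```python
from fractions import Fraction

N = 4                # Sbox width in bits; the functions below are written for a general n
SIZE = 1 << N
TOP = 1 << (N - 1)   # the mask 8 of the slides: selects the most significant bit

# Midori-64 Sbox Sb0 (an involution), bit i of x read as (x >> i) & 1 so that x3 is the MSB. This is
# the convention under which the slides' g(x) = x3x2 + x2 + x1 + x0 is an invariant; it is recomputed, not assumed.
SB0 = [0xc, 0xa, 0xd, 0x3, 0xe, 0xb, 0xf, 0x7, 0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
# G1 from the 4-round slide; its top output bit should carry the 4-round invariant g_inv4 below.
SLIDE_G1 = [0x0, 0x8, 0xc, 0x4, 0xa, 0x2, 0x6, 0xe, 0x9, 0x1, 0xd, 0x5, 0x3, 0xb, 0xf, 0x7]

def bit(x, i):
    return (x >> i) & 1

def dot(a, x):
    """Inner product a . x over GF(2)."""
    return bin(a & x).count("1") & 1

def lin(a):
    """The linear Boolean function l_a(x) = a . x."""
    return lambda x: dot(a, x)

def cor(F, g, h):
    """cor_F(g, h) = 2^-n sum_x (-1)^(g(x) + h(F(x))), exact; with g = l_a, h = l_b it is cor_F(a, b)."""
    return Fraction(sum((-1) ** (g(x) ^ h(F[x])) for x in range(SIZE)), SIZE)

def lat_max(F):
    """Largest |cor_F(a, b)| over nonzero output masks b; equals 1 iff F has an affine component."""
    return max(abs(cor(F, lin(a), lin(b))) for a in range(SIZE) for b in range(1, SIZE))

def walsh(g):
    """cor_g(gamma) = 2^-n sum_x (-1)^(g(x) + gamma . x) for every gamma (F = identity in cor)."""
    return {gamma: cor(list(range(SIZE)), g, lin(gamma)) for gamma in range(SIZE)}

def cor_via_linear(F, g, h):
    """cor_F(g, h) = sum over gamma, gamma' of cor_g(gamma) * cor_F(gamma, gamma') * cor_h(gamma')."""
    wg, wh = walsh(g), walsh(h)
    return sum(wg[a] * cor(F, lin(a), lin(b)) * wh[b] for a in range(SIZE) if wg[a] for b in range(SIZE) if wh[b])

def compose(G, F):
    """Lookup table of G o F."""
    return [G[F[x]] for x in range(SIZE)]

def cor_hull(F, G, a, b):
    """Linear hull of G o F: cor_{G o F}(a, b) = sum_gamma cor_F(a, gamma) * cor_G(gamma, b)."""
    return sum(cor(F, lin(a), lin(gamma)) * cor(G, lin(gamma), lin(b)) for gamma in range(SIZE))

def lift(g):
    """A bijection G with <TOP, G(x)> = g(x); the other output bits get the first free value, since only
    the component l_TOP o G enters the shifted approximation. g must be balanced for G to exist."""
    if sum(g(x) for x in range(SIZE)) != TOP:
        raise ValueError("g is not balanced")
    ones, zeros = iter(range(TOP, SIZE)), iter(range(TOP))
    return [next(ones) if g(x) else next(zeros) for x in range(SIZE)]

def inverse(P):
    inv = [0] * SIZE
    for x, y in enumerate(P):
        inv[y] = x
    return inv

def conjugate(F, G):
    """The G-shifted map F^{G,G^-1} = G o F o G^-1."""
    return compose(G, compose(F, inverse(G)))

def keyed_shifted_cor(g, k):
    """cor at masks (TOP, TOP) of (S o Add_k)^{G,G^-1} with G = lift(g), i.e. 2^-n sum_x (-1)^(g(x) + g(S(x ^ k))).
    When g is an invariant of S the value is the same with the key added after the Sbox (S is a bijection)."""
    return cor(conjugate([SB0[x ^ k] for x in range(SIZE)], lift(g)), lin(TOP), lin(TOP))

# The Boolean functions named on the Midori-64 slides.
def g_inv1(x):   # one-round invariant x3x2 + x2 + x1 + x0
    return (bit(x, 3) & bit(x, 2)) ^ bit(x, 2) ^ bit(x, 1) ^ bit(x, 0)

def g_beyne(x):  # Beyne's function x0x2 + x0 + x1 + x3, with g(S(x)) + 5.x = 1
    return (bit(x, 0) & bit(x, 2)) ^ bit(x, 0) ^ bit(x, 1) ^ bit(x, 3)

def g_inv4(x):   # four-round invariant x3x2x1 + x3x1 + x3 + x2 + x1 + x0
    return (bit(x, 3) & bit(x, 2) & bit(x, 1)) ^ (bit(x, 3) & bit(x, 1)) ^ bit(x, 3) ^ bit(x, 2) ^ bit(x, 1) ^ bit(x, 0)

def summary():
    """The facts the slides state about Sb0, recomputed."""
    return {
        "max_linear_cor": lat_max(SB0),                                      # < 1: no linear +-1 approximation
        "cor_g1_g1": cor(SB0, g_inv1, g_inv1),                               # +1: g_inv1 is an invariant
        "cor_g1_g1_via_linear": cor_via_linear(SB0, g_inv1, g_inv1),         # the same value, gathered from linear ones
        "shifted_8_8": cor(conjugate(SB0, lift(g_inv1)), lin(8), lin(8)),    # the linear (8, 8) approximation of S^{G,G^-1}
        "beyne_5_8": cor(compose(lift(g_beyne), SB0), lin(5), lin(8)),       # cor_{G o S}(5, 8) = -1
        "slide_G1_carries_g_inv4": all(bit(SLIDE_G1[x], 3) == g_inv4(x) for x in range(SIZE)),
        "keyed_4round_abs_cor": {k: abs(keyed_shifted_cor(g_inv4, k)) for k in range(SIZE)},
    }
```

`summary()` shows the contrast the slides build on: `lat_max(SB0)` is $1/2$, so Sb0 has no linear approximation with correlation $\pm1$, while the nonlinear pair $(g_{\mathrm{inv1}}, g_{\mathrm{inv1}})$ has correlation $+1$ and, after conjugation by `lift(g_inv1)`, the plain linear pair $(8,8)$ of $G\circ S\circ G^{-1}$ has correlation $+1$ too. `cor_hull(SB0, SB0, a, b)` illustrates the hull effect on a toy: because Sb0 is an involution, the sum over all 16 $\gamma$ equals $1$ for $a = b$ and $0$ otherwise, although every single product $\mathrm{cor}_S(a,\gamma)\,\mathrm{cor}_S(\gamma,b)$ has absolute value at most $1/4$. For `g_inv4`, `keyed_shifted_cor` has absolute value $1$ only for $k\in\{0,1\}$ and $1/2$ for every other key, which is the weak-key condition stated on the last slides.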