On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis
Anne Canteaut, Inria, France
Anne.Canteaut@inria.fr, http://www-rocq.inria.fr/secret/Anne.Canteaut/
Joint work with Joëlle Roué
ESC 2015, Clervaux, January 2015
Outline
• Motivation: computing the MEDP and MELP for an SPN
• New upper and lower bounds on the 2-round MEDP and MELP
• Multiplicative invariance for Sboxes
Round function of SPN(m, t, S, M)
S: a permutation of $\mathbb{F}_2^m$
M: a linear permutation mixing the outputs of t copies of S
[Figure: one round maps $x^{(i)}$ through t parallel copies of S, then through M, then through the addition of the round key $k_i$, giving $x^{(i+1)}$.]
The AES superbox corresponds to two rounds of SPN(8, 4, S, MixColumns).
Differential properties over r rounds
$$\mathrm{DP}[k](a,b) = \Pr_X\left[E_k(X) + E_k(X+a) = b\right]$$
Fixed-key results: probability of the 2-round characteristics [Daemen-Rijmen 07, 09].
Average over all keys:
$$\mathrm{EDP}_r(a,b) = 2^{-\kappa}\sum_{k\in\mathbb{F}_2^\kappa}\Pr_X\left[E_k(X) + E_k(X+a) = b\right].$$
Maximum expected differential probability for r rounds:
$$\mathrm{MEDP}_r = \max_{a\neq 0,\ b}\ \mathrm{EDP}_r(a,b).$$
Expected probability of 2-round characteristics
Difference table of S: $\delta(a,b) = \#\{x\in\mathbb{F}_2^m : S(x+a) + S(x) = b\}$.
Differential uniformity of S: $\Delta(S) = \max_{a\neq 0,\ b}\delta(a,b)$.
Differential branch number of M over $\mathbb{F}_2^m$: $d = d_{\min}(C_M)$ where $C_M = \{(x, M(x)) : x\in(\mathbb{F}_2^m)^t\}$.
Then, for a 2-round characteristic $(a, c, b)$ with $a \neq 0$,
$$\mathrm{EDP}((a,c,b)) = \prod_{i=1}^{t}\frac{\delta(a_i,c_i)}{2^m}\ \prod_{j=1}^{t}\frac{\delta(M(c)_j,b_j)}{2^m}\ \le\ \left(2^{-m}\Delta(S)\right)^d,$$
since $(c, M(c))$ is a nonzero codeword of $C_M$, so at least d of the 2t Sboxes are active; each active Sbox contributes at most $2^{-m}\Delta(S)$ and each inactive one contributes $\delta(0,0)/2^m = 1$.
From characteristics to differentials
$$\mathrm{EDP}_2(a,b) = \sum_{c\in\mathbb{F}_2^{mt}}\mathrm{EDP}((a,c,b)).$$
Find an upper bound on $\mathrm{MEDP}_2$ [Hong et al. 00][Daemen-Rijmen 02]:
$$\mathrm{MEDP}_2 \le \left(2^{-m}\Delta(S)\right)^{d-1}\quad\Rightarrow\quad \mathrm{MEDP}_2 \le 2^{-24}\ \text{for the AES}\ (m = 8,\ \Delta(S) = 4,\ d = 5).$$
Compute the exact value of $\mathrm{MEDP}_2$ [Keliher-Sui 07]: $\mathrm{MEDP}_2 = 53\times 2^{-34}$.
For 4 rounds of the AES: $\mathrm{MEDP}_4 \le 2^{-113}$ instead of $2^{-96}$ with the general bound.
FSE 2003 bound [Park et al. 03]
$$\mathrm{MEDP}_2 \le 2^{-md}\max\left\{\max_{a\in(\mathbb{F}_2^m)^*}\sum_{\gamma\in(\mathbb{F}_2^m)^*}\delta(a,\gamma)^d,\ \max_{b\in(\mathbb{F}_2^m)^*}\sum_{\gamma\in(\mathbb{F}_2^m)^*}\delta(\gamma,b)^d\right\}$$
For the AES (every row of the difference table contains one entry equal to 4, 126 entries equal to 2 and 129 zeros):
$$\mathrm{MEDP}_2 \le 2^{-40}\left(4^5 + 126\times 2^5\right) = 79\times 2^{-34}.$$
Example with a 4-bit Sbox
Difference table $\delta(a,b)$ of the Sbox (row $a$, column $b$, both nonzero and written in hexadecimal):

     1 2 3 4 5 6 7 8 9 a b c d e f
  1  2 2 2 4 0 2 0 0 2 0 0 0 0 0 2
  2  4 2 0 0 0 0 2 0 0 0 2 2 2 0 2
  3  0 2 4 0 2 0 0 2 2 0 2 0 2 0 0
  4  0 4 0 2 0 2 0 0 0 2 2 0 2 2 0
  5  0 2 0 2 2 4 2 2 0 0 0 2 0 0 0
  6  0 0 2 0 2 2 2 0 0 2 0 0 2 0 4
  7  2 0 0 0 2 2 2 0 4 0 2 0 0 2 0
  8  0 0 0 2 0 0 2 2 2 0 0 0 2 4 2
  9  2 0 0 0 0 2 0 2 2 2 0 2 4 0 0
  a  2 2 0 0 4 0 0 2 0 2 0 0 0 2 2
  b  2 0 2 2 2 0 0 0 0 0 0 4 2 2 0
  c  0 0 0 2 2 0 0 0 2 4 2 2 0 0 2
  d  0 0 2 0 0 2 0 2 0 0 4 2 0 2 2
  e  2 0 2 2 0 0 2 4 0 2 2 0 0 0 0
  f  0 2 2 0 0 0 4 0 2 2 0 2 0 2 0

Every row and every column contains one entry 4 and six entries 2, so $\Delta(S) = 4$ and $\sum_{\gamma\neq 0}\delta(a,\gamma)^d = 4^d + 6\times 2^d$ for every nonzero $a$ (and likewise for every column).
Invariance
$$\mathrm{MEDP}_2 \le 2^{-md}\max\left\{\max_{a\in(\mathbb{F}_2^m)^*}\sum_{\gamma\in(\mathbb{F}_2^m)^*}\delta(a,\gamma)^d,\ \max_{b\in(\mathbb{F}_2^m)^*}\sum_{\gamma\in(\mathbb{F}_2^m)^*}\delta(\gamma,b)^d\right\}$$
This bound only depends on the affine equivalence class of S: $\{A_2\circ S\circ A_1 : A_1, A_2\in\mathrm{GA}(\mathbb{F}_2^m)\}$, the set of Sboxes obtained by composing S with affine permutations on both sides. Indeed, $A_1$ only permutes the rows of the difference table and the linear part of $A_2$ only permutes its columns, so the row sums and column sums in the bound are unchanged.
This is not the case for the exact value of $\mathrm{MEDP}_2$:
• AES Sbox $S(x) = A(x^{254})$: $\mathrm{MEDP}_2 = 53\times 2^{-34}$ [Keliher-Sui 07]
• Naive Sbox $S(x) = x^{254}$: $\mathrm{MEDP}_2 = 79\times 2^{-34}$ (= FSE 2003 bound).
Motivations
Conjecture [Daemen et al. 09]. For any r, the $\mathrm{MEDP}_r$ of the AES is smaller than the $\mathrm{MEDP}_r$ of the AES variant with the naive Sbox.
Related issues:
• How does the composition of S with affine permutations affect $\mathrm{MEDP}_2$?
• Does this depend on the choice of the linear layer?
Linear properties over r rounds
Correlation of an r-round mask $(u, v)$:
$$C[k](u,v) = 2^{-n}\sum_{x\in\mathbb{F}_2^n}(-1)^{u\cdot x + v\cdot E_k(x)}$$
For an SPN with independent round keys: $\sum_{k\in\mathbb{F}_2^\kappa}C[k](u,v) = 0$ for any nonzero masks.
Expected square correlation (linear potential):
$$\mathrm{ELP}_r(u,v) = 2^{-2n-\kappa}\sum_{k\in\mathbb{F}_2^\kappa}\left(\sum_{x\in\mathbb{F}_2^n}(-1)^{u\cdot x + v\cdot E_k(x)}\right)^2.$$
Maximum expected square correlation for r rounds:
$$\mathrm{MELP}_r = \max_{u,\ v\neq 0}\ \mathrm{ELP}_r(u,v).$$
Expected 2-round linear potential
Walsh transform of S: $\mathcal{W}(u,v) = \sum_{x\in\mathbb{F}_2^m}(-1)^{u\cdot x + v\cdot S(x)}$.
Linearity of S: $\mathcal{L}(S) = \max_{u,\ v\neq 0}|\mathcal{W}(u,v)|$.
Linear branch number of M over $\mathbb{F}_2^m$: $d^\perp = d_{\min}(C_M^\perp)$ where $C_M = \{(x, M(x)) : x\in\mathbb{F}_2^{mt}\}$ and $C_M^\perp$ is its dual code.
General bound [Hong et al. 00][Daemen-Rijmen 02]:
$$\mathrm{MELP}_2 \le \left(2^{-m}\mathcal{L}(S)\right)^{2(d^\perp - 1)}.$$
FSE 2003 bound [Park et al. 03]
$$\mathrm{MELP}_2 \le \max\left\{\max_{u\in(\mathbb{F}_2^m)^*}\sum_{\gamma\in(\mathbb{F}_2^m)^*}\left(\frac{\mathcal{W}(u,\gamma)}{2^m}\right)^{2d^\perp},\ \max_{v\in(\mathbb{F}_2^m)^*}\sum_{\gamma\in(\mathbb{F}_2^m)^*}\left(\frac{\mathcal{W}(\gamma,v)}{2^m}\right)^{2d^\perp}\right\}$$
For the AES: $\mathrm{MELP}_2 \le 2.873\times 2^{-28}$.
Exact values:
• AES Sbox: $\mathrm{MELP}_2 = 1.638\times 2^{-28}$ [Keliher-Sui 07]
• Naive Sbox: $\mathrm{MELP}_2 = 2.873\times 2^{-28}$ (= FSE 2003 bound).
GF-representation $\mathrm{SPN}_F(m, t, \mathcal{S}, \mathcal{M})$
$\mathcal{M}$: an $\mathbb{F}_{2^m}$-linear permutation of $(\mathbb{F}_{2^m})^t$
$\mathcal{S}$: a permutation of $\mathbb{F}_{2^m}$
Link between both representations: for a given basis $(\alpha_0,\dots,\alpha_{m-1})$ of $\mathbb{F}_{2^m}$,
$$\varphi : (x_0,\dots,x_{m-1})\in\mathbb{F}_2^m \longmapsto \sum_{i=0}^{m-1}x_i\alpha_i\in\mathbb{F}_{2^m}.$$
Then $\mathcal{S} = \varphi\circ S\circ\varphi^{-1}$ and $\mathcal{M} = (\varphi,\dots,\varphi)\circ M\circ(\varphi^{-1},\dots,\varphi^{-1})$.
GF-representation [Daemen-Rijmen 11]
$\mathrm{EDP}(a,b)$ and $\mathrm{ELP}(a,b)$ can be expressed by means of $\mathcal{S}$ and $\mathcal{M}$:
$$\delta_F(\alpha,\beta) \triangleq \#\{x\in\mathbb{F}_{2^m} : \mathcal{S}(x+\alpha) + \mathcal{S}(x) = \beta\} = \delta\left(\varphi^{-1}(\alpha), \varphi^{-1}(\beta)\right)$$
$$\mathcal{W}_F(\alpha,\beta) \triangleq \sum_{x\in\mathbb{F}_{2^m}}(-1)^{\mathrm{Tr}(\alpha x + \beta\mathcal{S}(x))} = \mathcal{W}\left(\psi^{-1}(\alpha), \psi^{-1}(\beta)\right)$$
where $\psi : \mathbb{F}_2^m\to\mathbb{F}_{2^m}$ is defined like $\varphi$ but from the dual basis $(\beta_0,\dots,\beta_{m-1})$, i.e. $\mathrm{Tr}(\alpha_i\beta_j) = 1$ if $i = j$ and $0$ otherwise.
FSE 2003 bound for $\mathrm{SPN}_F(m, t, \mathcal{S}, \mathcal{M})$:
$$\mathrm{MEDP}_2 \le 2^{-md}\max\left\{\max_{a\in\mathbb{F}_{2^m}^*}\sum_{\gamma\in\mathbb{F}_{2^m}^*}\delta_F(a,\gamma)^d,\ \max_{b\in\mathbb{F}_{2^m}^*}\sum_{\gamma\in\mathbb{F}_{2^m}^*}\delta_F(\gamma,b)^d\right\}$$
The choice of the basis does not affect $\mathrm{MEDP}_r$ and $\mathrm{MELP}_r$
[Figure: commutative diagram of one round in both representations. Each layer of $\mathrm{SPN}_F$ is the corresponding layer of $\mathrm{SPN}$ conjugated by $\varphi$: $\mathcal{S} = \varphi\circ S\circ\varphi^{-1}$ on every word, $\mathcal{M} = (\varphi,\dots,\varphi)\circ M\circ(\varphi^{-1},\dots,\varphi^{-1})$, and $\mathrm{Add}_F(k_F) = (\varphi,\dots,\varphi)\circ\mathrm{Add}(k)\circ(\varphi^{-1},\dots,\varphi^{-1})$; the inner $\varphi^{-1}\circ\varphi$ pairs between consecutive layers cancel, so both representations describe the same cipher.]
New bounds on $\mathrm{MEDP}_2$ and $\mathrm{MELP}_2$
New upper bounds
Theorem. For $\mathrm{SPN}_F(m, t, \mathcal{S}, \mathcal{M})$ where $\mathcal{M}$ is an $\mathbb{F}_{2^m}$-linear permutation, we define for $\mu\in\mathbb{F}_{2^m}$
$$B(\mu) = \max_{1\le u<d}\ \max_{\alpha,\beta,\lambda\in\mathbb{F}_{2^m}^*}\ \sum_{\gamma\in\mathbb{F}_{2^m}^*}\delta_F(\alpha,\gamma)^u\,\delta_F(\gamma\lambda+\mu,\beta)^{d-u}$$
$$B^\perp(\mu) = \max_{1\le u<d^\perp}\ \max_{\alpha,\beta,\lambda\in\mathbb{F}_{2^m}^*}\ \sum_{\gamma\in\mathbb{F}_{2^m}^*}\mathcal{W}_F(\alpha,\gamma)^{2u}\,\mathcal{W}_F(\gamma\lambda+\mu,\beta)^{2(d^\perp-u)}.$$
Then
$$\mathrm{MEDP}_2 \le 2^{-md}\max_{\mu\in\mathbb{F}_{2^m}}B(\mu)\qquad\text{and}\qquad \mathrm{MELP}_2 \le 2^{-2md^\perp}\max_{\mu\in\mathbb{F}_{2^m}}B^\perp(\mu).$$
For the AES Sbox and $d = d^\perp = 5$:
• $\mathrm{MEDP}_2 \le 55.5\times 2^{-34}$, compared to the FSE 2003 bound $79\times 2^{-34}$;
• $\mathrm{MELP}_2 \le 1.862\times 2^{-28}$, compared to the FSE 2003 bound $2.873\times 2^{-28}$.
Example with a 4-bit Sbox (the difference table of the earlier 4-bit example, repeated on this slide)
A lower bound
With $B(\mu)$ and $B^\perp(\mu)$ as above:
$$B(\mu) = \max_{1\le u<d}\ \max_{\alpha,\beta,\lambda\in\mathbb{F}_{2^m}^*}\ \sum_{\gamma\in\mathbb{F}_{2^m}^*}\delta_F(\alpha,\gamma)^u\,\delta_F(\gamma\lambda+\mu,\beta)^{d-u}$$
$$B^\perp(\mu) = \max_{1\le u<d^\perp}\ \max_{\alpha,\beta,\lambda\in\mathbb{F}_{2^m}^*}\ \sum_{\gamma\in\mathbb{F}_{2^m}^*}\mathcal{W}_F(\alpha,\gamma)^{2u}\,\mathcal{W}_F(\gamma\lambda+\mu,\beta)^{2(d^\perp-u)}.$$
Theorem. There exists an $\mathbb{F}_{2^m}$-linear permutation $\mathcal{M}_1$ (resp. $\mathcal{M}_2$) with maximal branch number $d = t+1$ (resp. $d^\perp = t+1$) such that the corresponding $\mathrm{SPN}_F(m, t, \mathcal{S}, \mathcal{M}_i)$ satisfies
$$\mathrm{MEDP}_2 \ge 2^{-md}B(0)\qquad\text{resp.}\qquad \mathrm{MELP}_2 \ge 2^{-2md^\perp}B^\perp(0).$$
Involutional Sboxes
If $\mathcal{S}$ is an involution over $\mathbb{F}_{2^m}$, both the lower and the upper bound are equal to the FSE 2003 bound. (For an involution the difference table and the Walsh spectrum are symmetric, $\delta_F(a,b) = \delta_F(b,a)$ and $\mathcal{W}_F(a,b) = \mathcal{W}_F(b,a)$, so the term $\mu = 0$, $\lambda = 1$, $\alpha = \beta$ in $B(0)$ and $B^\perp(0)$ already reaches the FSE 2003 value.) There exists an $\mathbb{F}_{2^m}$-linear permutation $\mathcal{M}$ with maximal branch number such that
$$\mathrm{MEDP}_2 = 2^{-m(t+1)}\max_{a\in\mathbb{F}_{2^m}^*}\sum_{\gamma\in\mathbb{F}_{2^m}^*}\delta_F(a,\gamma)^{t+1}$$
and
$$\mathrm{MELP}_2 = 2^{-2m(t+1)}\max_{a\in\mathbb{F}_{2^m}^*}\sum_{\gamma\in\mathbb{F}_{2^m}^*}\mathcal{W}_F(a,\gamma)^{2(t+1)}.$$
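Added worked example (the editor's own code, not the slides' or the authors'), serving the FSE 2003 bound and invariance slides, the new-upper-bound theorem and the involution result above. It computes the difference tables $\delta$ of the naive Sbox $x^{254}$ and of the AES Sbox $A(x^{254})$ over $\mathbb{F}_{2^8}$ and checks that the FSE 2003 sum $4^5 + 126\times 2^5 = 5056 = 79\times 2^6$ (i.e. $79\times 2^{-34}$ with $d = 5$) is identical for both, as the bound only sees the affine class; it then runs the exhaustive search for $\max_\mu B(\mu)$ on inversion over $\mathbb{F}_{2^4}$ with $d = t+1 = 5$, where the involution result predicts equality with the FSE 2003 sum $4^5 + 6\times 2^5 = 1216$. Assumptions: $\mathbb{F}_{2^8}$ is represented with the AES polynomial $x^8+x^4+x^3+x+1$ and $\mathbb{F}_{2^4}$ with $x^4+x+1$; the 4-bit Sbox and its bit-swapped variant are our own choices; $B^\perp$ is not computed (it is the same search with $\mathcal{W}_F^2$ in place of $\delta_F$), and the search for $B(\mu)$ is only affordable for small m.

```python
"""Added example (not from the slides): difference tables, the FSE 2003 bound
and the B(mu) quantity of the new upper bound, for the AES and naive Sboxes
over F_{2^8} and for inversion over F_{2^4}. Field representations and the
4-bit variant are our own choices, not the slides'."""

def gf_mul(a, b, m, poly):
    """Multiply in F_{2^m}; poly is the reduction polynomial with bit m set."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= poly
    return r

def inversion_box(m, poly):
    """The 'naive' Sbox x -> x^(2^m - 2): field inversion with 0 -> 0."""
    n = 1 << m
    return [0] + [next(y for y in range(1, n) if gf_mul(x, y, m, poly) == 1)
                  for x in range(1, n)]

def aes_affine(y):
    """Affine layer A of the AES Sbox S(x) = A(x^254) (FIPS-197): bit i of A(y)
    is y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7} + c_i with c = 0x63."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

def ddt(box):
    """delta(a, b) = #{x : S(x + a) + S(x) = b}, indexed [a][b]."""
    n = len(box)
    tab = [[0] * n for _ in range(n)]
    for x in range(n):
        for a in range(n):
            tab[a][box[x] ^ box[x ^ a]] += 1
    return tab

def fse2003_sum(tab, d):
    """max(max_a sum_g delta(a,g)^d, max_b sum_g delta(g,b)^d) over nonzero
    a, b, g; the FSE 2003 bound is MEDP_2 <= 2^(-m d) times this value."""
    nz = range(1, len(tab))
    return max(max(sum(tab[a][g] ** d for g in nz) for a in nz),
               max(sum(tab[g][b] ** d for g in nz) for b in nz))

def new_bound_B(tab, d, m, poly):
    """max_mu B(mu), B(mu) = max_{1<=u<d} max_{alpha,beta,lambda != 0}
    sum_{gamma != 0} delta(alpha,gamma)^u delta(gamma*lambda + mu, beta)^(d-u);
    the new bound is MEDP_2 <= 2^(-m d) max_mu B(mu). Exhaustive: small m only."""
    n = 1 << m
    nz = range(1, n)
    best = 0
    for u in range(1, d):
        rowpow = [[v ** u for v in row] for row in tab]
        colpow = [[tab[g][b] ** (d - u) for g in range(n)] for b in range(n)]
        for lam in nz:
            for mu in range(n):
                idx = [gf_mul(g, lam, m, poly) ^ mu for g in range(n)]
                for alpha in nz:
                    rp = rowpow[alpha]
                    for beta in nz:
                        cp = colpow[beta]
                        best = max(best, sum(rp[g] * cp[idx[g]] for g in nz))
    return best

def aes_numbers(d=5):
    """m = 8, AES polynomial 0x11B, d = 5. Expected from the slides: FSE 2003
    sum 4^5 + 126*2^5 = 5056 = 79*2^6, i.e. 79 * 2^-34, and the same value for
    A(x^254) and x^254 because the bound only sees the affine class."""
    naive = inversion_box(8, 0x11B)
    aes = [aes_affine(y) for y in naive]
    t_aes = ddt(aes)
    return {"sbox_head": (aes[0], aes[1]),                         # 0x63, 0x7C
            "delta_uniformity": max(max(r) for r in t_aes[1:]),
            "fse_naive": fse2003_sum(ddt(naive), d),
            "fse_aes": fse2003_sum(t_aes, d)}

def toy_numbers(d=5):
    """m = 4, polynomial x^4+x+1 (0x13), d = t+1 = 5. Inversion over F_16 is an
    involution, so max_mu B(mu) must equal the FSE 2003 sum 4^5 + 6*2^5 = 1216.
    Post-composing with an F_2-linear map that is not F_16-linear (here: swap
    the two low output bits, our choice) keeps the FSE 2003 sum, while B can
    only go down: by Holder's inequality B(mu) never exceeds the FSE 2003 sum."""
    inv = inversion_box(4, 0x13)
    swapped = [(y & 0xC) | ((y & 1) << 1) | ((y >> 1) & 1) for y in inv]
    t_inv, t_sw = ddt(inv), ddt(swapped)
    return {"involution": all(inv[inv[x]] == x for x in range(16)),
            "fse_inv": fse2003_sum(t_inv, d), "B_inv": new_bound_B(t_inv, d, 4, 0x13),
            "fse_swapped": fse2003_sum(t_sw, d), "B_swapped": new_bound_B(t_sw, d, 4, 0x13)}

if __name__ == "__main__":
    print(aes_numbers())
    print(toy_numbers())
```

Running the script prints both dictionaries. The naive and AES Sboxes give the same FSE 2003 sum although the slides report different exact values of $\mathrm{MEDP}_2$ ($79$ versus $53$ times $2^{-34}$), which is exactly the gap the new bound addresses: $B(\mu)$ looks at how the field multiplication $\gamma\lambda+\mu$ between the two rounds aligns the rows and columns of $\delta_F$, and that alignment is changed by an affine layer on the output side of $\mathcal{S}$. For the 4-bit involution, $\max_\mu B(\mu)$ equals the FSE 2003 sum, as the involution result predicts; for any Sbox, Hölder's inequality applied to the sum over $\gamma$ gives $B(\mu) \le$ FSE 2003 sum, so the new bound is never looser than the FSE 2003 one.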