On the Usage of Deterministic (Related-Key) Truncated Differentials and Multidimensional Linear Approximations for SPN Ciphers
Ling Sun (1), David Gerault (2), Wei Wang (1), Meiqin Wang (1, corresponding author)
1. Shandong University, Jinan & Qingdao, China
2. Nanyang Technological University, Singapore
FSE 2020 @ November, 2020
Outline
1. Background & Contributions
2. Preliminaries
3. Finding Deterministic (RK) TDs and MDLAs
4. Related-Key Differential-Linear Attack on AES-192
5. Constructing IDs with TDs and ZCLAs with MDLAs
6. Finding (RK) IDs and ZCLAs with the CP Method
7. Conclusion
Background & Contributions

Automatic Search
• Automatic tools for cryptanalysis have developed rapidly.
• Few works have concentrated on deterministic truncated differentials (TDs) and multidimensional linear approximations (MDLAs).

Essential Problems
• The optimality of a TD/MDLA must be confirmed via an exhaustive search.
• Incomplete search is also a long-standing problem for optimal impossible differentials (IDs) and zero-correlation linear approximations (ZCLAs).

Contributions
• An automatic tool for the search of deterministic (RK) TDs and MDLAs.
• Improved related-key differential-linear attack on AES-192.
• Constructing (RK) IDs with TDs and ZCLAs with MDLAs.
  ◮ Provable security against ID attacks for SKINNY and Midori64.
Preliminaries: Basics of Differential and Linear Cryptanalyses

• The difference of the state: ∆X = (∆X_0, ∆X_1, ..., ∆X_{ℓ−1}), ∆X_i ∈ F_2^s.
• The differential pattern ∆X = (∆X_0, ∆X_1, ..., ∆X_{ℓ−1}), where each ∆X_i is one of:
  ◮ zero differential pattern (Z).
  ◮ nonzero fixed differential pattern (N).
  ◮ nonzero varied differential pattern (N*).
  ◮ varied differential pattern (U).

Lemma 1 (Branching). For the branching X → (Y_0, Y_1): ∆Y_0 = ∆Y_1 = ∆X.

Lemma 2 (XOR). For Y = X_0 ⊕ X_1, (∆X_0, ∆X_1) → ∆Y is given by the following table (rows ∆X_0, columns ∆X_1):

| ∆X_0 \ ∆X_1 | Z      | N           | N ⊕ N*      | N*     | U |
|-------------|--------|-------------|-------------|--------|---|
| Z           | Z      | N           | N ⊕ N*      | N*     | U |
| N           | N      | Z / N       | N* / N ⊕ N* | N ⊕ N* | U |
| N ⊕ N*      | N ⊕ N* | N* / N ⊕ N* | U           | U      | U |
| N*          | N*     | N ⊕ N*      | U           | U      | U |
| U           | U      | U           | U           | U      | U |
Preliminaries: Basics of Differential and Linear Cryptanalyses (cont.)

Lemma 3 (S-box). For an S-box S: X → Y, ∆X → ∆Y is given by:

| ∆X | Z | N  | N ⊕ N* | N* | U |
|----|---|----|--------|----|---|
| ∆Y | Z | N* | U      | N* | U |

Lemma 4 (MDS matrix). For an MDS matrix M: (X_0, X_1, ..., X_{m−1}) → (Y_0, Y_1, ..., Y_{m−1}), ∆X → ∆Y is given by:

| ∆X | (Z, Z, ..., Z) | (Z, ..., Z, N / N*, Z, ..., Z) | remaining cases |
|----|----------------|--------------------------------|-----------------|
| ∆Y | (Z, Z, ..., Z) | (N*, N*, ..., N*)              | (U, U, ..., U)  |

• The linear mask of the state: ΓX = (ΓX_0, ΓX_1, ..., ΓX_{ℓ−1}), ΓX_i ∈ F_2^s.
• The linear pattern ΓX = (ΓX_0, ΓX_1, ..., ΓX_{ℓ−1}), where each ΓX_i is one of:
  ◮ zero linear pattern (Z).
  ◮ nonzero fixed linear pattern (N).
  ◮ nonzero varied linear pattern (N*).
  ◮ varied linear pattern (U).
Preliminaries: Constraint Satisfaction Problem

Definition 1 (Constraint satisfaction problem, SGL+17). A constraint satisfaction problem (CSP) is represented as a triple ⟨X, D, C⟩.
• X = {x_0, x_1, ..., x_{n−1}} is a set of variables.
• D = {D(x_0), D(x_1), ..., D(x_{n−1})} is a set of nonempty sets (the domains of the variables).
• C = {C_0, C_1, ..., C_{m−1}} stands for a set of constraints.

Example: colouring the vertices A, B, ..., J of a graph with three colours.
• X = {A, B, ..., J}.
• D = {D(A), D(B), ..., D(J)}, with D(·) = {"red", "yellow", "blue"}.
• C = {C_0, C_1, ..., C_14}, each constraint being a pair C_* = ⟨X_*, R_*⟩ of a scope and a relation; for the adjacent vertices A and D, C_* = ⟨{A, D}, A ≠ D⟩.

• SAT/SMT problems can be viewed as special cases of the CSP.
• The CSP can describe much harder cases.
• Many CP solvers are available to solve problems of practical interest.
Finding Deterministic TDs and MDLAs. Step 1: Initialising Variables

For a trail X^0 → X^1 → ... → X^{r−1} → X^r through the round function f, each cell X_i gets two variables:
• δX_i: the pattern of ∆X_i.
• ζX_i: the s-bit difference ∆X_i.

δX_i = 0 if ∆X_i = Z; 1 if ∆X_i = N; 2 if ∆X_i = N*; 3 if ∆X_i = U.

ζX_i ∈ {0} if δX_i = 0; {1, 2, ..., 2^s − 1} if δX_i = 1; {−1} if δX_i = 2; {−2} if δX_i = 3.

Model 1 (Relation between δX_i and ζX_i). The following expression ensures that ζX_i falls into the correct range:
  if δX_i = 0 then ζX_i = 0
  elseif δX_i = 1 then ζX_i > 0
  elseif δX_i = 2 then ζX_i = −1
  else ζX_i = −2
  endif
Finding Deterministic TDs and MDLAs. Step 2: Propagating Differential Patterns

Model 2 (Branching). The constraint restricts the pattern propagation for the Branching operation:
  δY_0 = δX and ζY_0 = ζX and δY_1 = δX and ζY_1 = ζX

Model 3 (XOR). The constraint restricts the pattern propagation for the XOR operation:
  if δX_0 + δX_1 > 2 then δY = 3 and ζY = −2
  elseif δX_0 + δX_1 = 1 then δY = 1 and ζY = ζX_0 + ζX_1
  elseif δX_0 = δX_1 = 0 then δY = 0 and ζY = 0
  elseif ζX_0 + ζX_1 < 0 then δY = 2 and ζY = −1
  elseif ζX_0 = ζX_1 then δY = 0 and ζY = 0
  else δY = 1 and ζY = ζX_0 ⊕ ζX_1
  endif
Finding Deterministic TDs and MDLAs. Step 2: Propagating Differential Patterns (cont.)

Model 4 (S-box). The constraint restricts the pattern propagation for the S-box (it admits exactly the transitions Z → Z, N → N*, N* → N* and U → U of Lemma 3):
  δY ≠ 1 and δX + δY ∈ {0, 3, 4, 6} and δY ≥ δX and δY − δX ≤ 1

Model 5 (MDS matrix). The constraint restricts the pattern propagation for the MDS matrix:
  if Σ_{i=0}^{m−1} δX_i ≡ 0 then δY_0 = δY_1 = ··· = δY_{m−1} = 0
  elseif Σ_{i=0}^{m−1} δX_i ≡ 1 then δY_0 = δY_1 = ··· = δY_{m−1} = 2
  elseif Σ_{i=0}^{m−1} δX_i ≡ 2 and Σ_{i=0}^{m−1} ζX_i < 0 then δY_0 = δY_1 = ··· = δY_{m−1} = 2
  else δY_0 = δY_1 = ··· = δY_{m−1} = 3
  endif
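As an added example (not code from the paper or its tool), the following Python writes the (δ, ζ) cell encoding of Step 1 and Models 3 to 5 as plain forward functions and chains them through a constructed toy round (an S-box on every cell followed by one MDS over m = 4 cells), showing how a single N cell becomes all N* after one round and all U after the second. The toy round, the cell count and the input value 0x5 are assumptions for illustration; the tool itself expresses the same rules as CP constraints rather than as functions.

```python
# Added example (not from the paper): Step 1's (delta, zeta) cell encoding and
# Models 3-5 written as plain functions. delta: Z=0, N=1, N*=2, U=3;
# zeta: 0, the fixed nonzero value, -1 or -2 respectively (Model 1).
Z, N, NSTAR, U = 0, 1, 2, 3
NAMES = {Z: "Z", N: "N", NSTAR: "N*", U: "U"}

def zeta_for(delta, value=0):
    """Model 1: zeta implied by a pattern (the value only matters for N)."""
    return value if delta == N else {Z: 0, NSTAR: -1, U: -2}[delta]

def xor(x0, x1):
    """Model 3: XOR of two (delta, zeta) cells, cases in the model's order."""
    (d0, z0), (d1, z1) = x0, x1
    if d0 + d1 > 2:            # any U, or N with N*, or N* with N*
        return (U, -2)
    if d0 + d1 == 1:           # Z xor N keeps the fixed value
        return (N, z0 + z1)
    if d0 == 0 and d1 == 0:
        return (Z, 0)
    if z0 + z1 < 0:            # Z xor N*: nonzero and varied
        return (NSTAR, -1)
    if z0 == z1:               # N xor N with equal values cancels
        return (Z, 0)
    return (N, z0 ^ z1)        # N xor N with distinct values stays fixed

def sbox(x):
    """Model 4: the constraint leaves exactly one admissible delta_Y."""
    allowed = [dy for dy in range(4) if dy != 1 and x[0] + dy in (0, 3, 4, 6)
               and dy >= x[0] and dy - x[0] <= 1]
    assert len(allowed) == 1, allowed
    return (allowed[0], zeta_for(allowed[0]))

def mds(cells):
    """Model 5: MDS layer over m cells; every output cell gets one pattern."""
    sd, sz = sum(d for d, _ in cells), sum(z for _, z in cells)
    if sd == 0:
        out = Z
    elif sd == 1 or (sd == 2 and sz < 0):   # exactly one active cell, N or N*
        out = NSTAR
    else:
        out = U
    return [(out, zeta_for(out))] * len(cells)

def trail(state, rounds):
    """Patterns after each toy round (constructed: S-box per cell, then one MDS)."""
    out = []
    for _ in range(rounds):
        state = mds([sbox(c) for c in state])
        out.append(" ".join(NAMES[d] for d, _ in state))
    return out

# Constructed input: one cell with fixed difference 0x5 and three inactive cells.
EXAMPLE = trail([(N, 0x5), (Z, 0), (Z, 0), (Z, 0)], 2)  # ['N* N* N* N*', 'U U U U']
```

The xor function also exhibits the two cases that matter for related-key trails: xor((N, 5), (N, 5)) cancels to (Z, 0), while xor((N, 5), (NSTAR, -1)) falls to U.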
Finding Deterministic TDs and MDLAs. Step 3: Clarifying the Searching Scopes of the Input Patterns

Old fashion
• Fix the input pattern as a predetermined value.
• The optimal TD requires an exhaustive search over all possible patterns.
• The program has to be run about 2^ℓ times.

New fashion
• Do not fix the format of the input pattern.
• Denote by (X^0_0, X^0_1, ..., X^0_{ℓ−1}) the input state and add the constraint Σ_{i=0}^{ℓ−1} δX^0_i ≠ 0, which only excludes the trivial all-zero input pattern.
• The CP solver will automatically traverse all possible input patterns.
• To ensure the existence of R-round TDs/MDLAs, we invoke the searching program at most 3 · R · ℓ times.
• The number of runs to search for the optimal ID of Minalpher-P is reduced from 2^128 to 2^10.9.
Finding Deterministic TDs and MDLAs. Step 4: Clarifying the Searching Scopes of the Output Patterns

• The output differential patterns we are interested in are Z, N and N*.
  ◮ ∆X^r_i being zero corresponds to δX^r_i = 0.
  ◮ ∆X^r_i being nonzero and fixed corresponds to δX^r_i = 1.
  ◮ ∆X^r_i being any value except zero corresponds to δX^r_i = 2.

Generalisation
• The method for the search of TDs can be adjusted to search for MDLAs.
• For ciphers with word-oriented key schedules, this method can be applied to search for related-key truncated differentials.
Related-Key Differential-Linear Attack on AES-192: Improved RK DL Attack on AES-192

[Figure: the five-round related-key differential-linear trail on AES-192, rounds 1 to 5 with AK, SB, SR, MC and the key-schedule differences ∆k_0, ..., ∆k_5. Legend: known nonzero difference; unknown nonzero difference; unknown difference; known nonzero mask; unknown nonzero mask; zero difference/mask.]

Previous distinguishing property
• λ · (∆x^5_W[1, 3] ⊕ ∆x^5_W[2, 2]) = 0.
• The bias is about 2^−9.

New distinguishing property
• λ · ∆x^5_W[1, 3] = 0.
• The bias is about 2^−8.99.

• The biases are almost the same.
• The complexity of the distinguishing attack basically remains unchanged.
• The complexity of the key-recovery attack drops.