
Reconstructing an S-box from its Difference Distribution Table (PowerPoint presentation)



  1. Reconstructing an S-box from its Difference Distribution Table. Orr Dunkelman, Senyang Huang, Department of Computer Science, University of Haifa, Haifa, Israel. 2020.11.5

  2. Background and Motivation

  3. Difference Distribution Table (DDT) of an S-box S. Let S be a Boolean function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then $\delta(a,b) = \left|\{ z \in \mathbb{F}_2^n \mid S(z \oplus a) \oplus S(z) = b \}\right|$.

  4. ◮ S-box → DDT: easy. ◮ DDT → S-box: difficult. ◮ The ability to recover the S-box from the DDT of a secret S-box can be used in cryptanalytic attacks. ◮ Boura et al. [BCJS19] proposed a straightforward guess-and-determine (GD) algorithm to solve the problem. ◮ Using the well-established relation between the DDT and the linear approximation table (LAT), we devise a new approach to reconstruct an S-box from its DDT.

  5. Linear Approximation Table (LAT) of an S-box S. $\lambda(a,b) = \left|\{ x \in \mathbb{F}_2^n \mid a \cdot x \oplus b \cdot S(x) = 0 \}\right| - 2^{n-1} = \frac{1}{2} \sum_{x \in \mathbb{F}_2^n} (-1)^{a \cdot x \oplus b \cdot S(x)}$.

  6. Walsh-Hadamard Transform. Let $f : \mathbb{F}_2^n \times \mathbb{F}_2^m \to \mathbb{R}$ be a function. $\hat f$ denotes its Walsh-Hadamard transform, which is equal to $\hat f(a,b) = \sum_{x,y} f(x,y)\,(-1)^{a \cdot x \oplus b \cdot y}$, where $a \in \mathbb{F}_2^n$, $b \in \mathbb{F}_2^m$, and $a \cdot x$ and $b \cdot y$ are the inner products over the domains $\mathbb{F}_2^n$ and $\mathbb{F}_2^m$, respectively.

  7. Links between an S-box, its DDT and LAT

  8. Lemma 1. ([CV95, Lemma 2]) For $(a,b) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$, let $\theta(a,b)$ be the characteristic function of S, i.e., $\theta(a,b) = 1$ if and only if $S(a) = b$; otherwise $\theta(a,b) = 0$. Then $\hat\lambda(a,b) = 2^{m+n-1}\,\theta(a,b)$. Theorem 2. ([BN13, CV95, DGV95]) For all $(a,b) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$: 1. $\hat\delta(a,b) = 4\lambda^2(a,b)$; 2. $4\,\widehat{\lambda^2}(a,b) = 2^{m+n}\,\delta(a,b)$, where $\widehat{\lambda^2}(a,b)$ is the Walsh-Hadamard transform of $\lambda^2(a,b)$, the squared LAT.

  9. Overview diagram: The Given DDT → (Theorem 2) → The Squared LAT; The Real LAT → (Lemma 1) → The S-box.


  11. Overview diagram: The Given DDT → The Squared LAT → The Sign Determination Problem → The Real LAT → m columns recovered? Yes → The S-box; No → Improved GD Algorithm.

  12. The Sign Determination Problem. Definition 3. We define the † notion as follows: $\vec v^\dagger = (|v_0|, \ldots, |v_{\ell-1}|)^T$, where $\vec v = (v_0, \ldots, v_{\ell-1})^T$ and $|\cdot|$ is the absolute value of a number. Definition 4. Given $\vec\lambda_b^\dagger$ where $1 \le b < 2^m$, the sign determination problem of the b-th column in an LAT is the problem of recovering $\vec\lambda_b$ from $\vec\lambda_b^\dagger$, i.e., determining the signs of $\lambda(a,b)$, $0 \le a < 2^n$.

  13. Overview diagram (The Given DDT → The Squared LAT → The Sign Determination Problem → The S-box / Improved GD Algorithm), with this section's outline: ◮ The Linear Relation between $\vec\lambda_b$ and $\vec s_b$ ◮ Solving the System of Linear Equations $H_n \vec x = \vec y$ ◮ Basic Algorithm ◮ Improved Algorithm

  14. The Linear Relation between $\vec\lambda_b$ and $\vec s_b$. Theorem 5. For any b-th column of the linear approximation table (for $0 \le b < 2^m$), the following formula holds: $\vec s_b = \frac{2}{2^n} H_n \vec\lambda_b$. Definition 6. Let $H_0 = (1)$; then the Hadamard matrix $H_i$ can be represented as $H_i = \begin{pmatrix} H_{i-1} & H_{i-1} \\ H_{i-1} & -H_{i-1} \end{pmatrix}$, $i \ge 1$.


  16. Solving the System of Linear Equations $H_n \vec x = \vec y$. $(H_n, \vec y) = \left(\begin{array}{cc|c} H_{n-1} & H_{n-1} & \vec y[0, 2^{n-1}-1] \\ H_{n-1} & -H_{n-1} & \vec y[2^{n-1}, 2^n-1] \end{array}\right) \Rightarrow \left(\begin{array}{cc|c} H_{n-1} & 0 & (\vec y[0, 2^{n-1}-1] + \vec y[2^{n-1}, 2^n-1])/2 \\ 0 & H_{n-1} & (\vec y[0, 2^{n-1}-1] - \vec y[2^{n-1}, 2^n-1])/2 \end{array}\right) \Rightarrow \cdots \Rightarrow \left(\begin{array}{ccc|c} H_0 & \cdots & 0 & \vec x[0] \\ \vdots & \ddots & \vdots & \vdots \\ 0 & \cdots & H_0 & \vec x[2^n-1] \end{array}\right)$. Apply the elementary transformation to the independent subproblems n times.


  18. Basic Algorithm. Figure 1: The Tree Structure for n = 2 (for $\vec\lambda_b^\dagger = (1,1,1,1)$: the leaves $T_0[0], \ldots, T_0[3]$ each hold the value 2; $T_1[0]$ and $T_1[1]$ each hold the four candidate vectors $(2,0), (0,2), (-2,0), (0,-2)$; the root $T_2[0]$ holds the eight candidate $\pm 1$ vectors of length 4). ◮ Apply the idea of solving the system of linear equations $H_n \vec x = \vec y$ to reduce the problem into two independent subproblems. ◮ The possible i-th constraint of the subproblems is stored as a vector. ◮ A full set contains all the possible i-th constraints.
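The DDT/LAT link of slide 8, the Hadamard relation of slide 14, the elimination of slide 16 and the full-set tree of slide 18, worked on a small S-box as an added example (this is not the authors' code): it computes the DDT and LAT of the public 4-bit PRESENT S-box (used only as sample input), checks $\hat\delta = 4\lambda^2$ and $\vec s_b = \frac{2}{2^n} H_n \vec\lambda_b$, and solves the sign determination problem for one column with the basic full-set algorithm. The merge rule $r = ((u+v)/2, (u-v)/2)$, the pairing of node $i$ with node $i + 2^{n-\ell-1}$ and the bit-reversed output order are my reading of slide 16, not something the deck states explicitly.

```python
from itertools import product
# Sample input (constructed for this example): the public 4-bit PRESENT S-box, so n = m = 4.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(x):
    return bin(x).count("1") & 1
def hadamard(n):  # Definition 6: H_0 = (1), H_i = [[H_{i-1}, H_{i-1}], [H_{i-1}, -H_{i-1}]]
    h = [[1]]
    for _ in range(n):
        h = [r + r for r in h] + [r + [-v for v in r] for r in h]
    return h

def ddt(s, n):  # delta(a, b) = #{z : S(z ^ a) ^ S(z) = b}
    t = [[0] * (1 << n) for _ in range(1 << n)]
    for a, z in product(range(1 << n), repeat=2):
        t[a][s[z ^ a] ^ s[z]] += 1
    return t

def lat(s, n):  # lambda(a, b) = (1/2) * sum_x (-1)^(a.x ^ b.S(x)), always an integer
    return [[sum((-1) ** (parity(a & x) ^ parity(b & s[x])) for x in range(1 << n)) // 2
             for b in range(1 << n)] for a in range(1 << n)]

def check_theorem2(s, n):
    # Theorem 2 (1): the Walsh-Hadamard transform of the DDT, H_n * DDT * H_n, equals 4 * LAT^2
    h, d, l, idx = hadamard(n), ddt(s, n), lat(s, n), range(1 << n)
    return all(sum(h[a][x] * d[x][y] * h[y][b] for x, y in product(idx, repeat=2)) == 4 * l[a][b] ** 2
               for a, b in product(idx, repeat=2))

def column_signs(s, n, b):
    # Theorem 5: s_b = (2 / 2^n) H_n lambda_b, which recovers s_b[x] = (-1)^(b.S(x)) exactly
    h, col = hadamard(n), [row[b] for row in lat(s, n)]
    return [2 * sum(h[x][a] * col[a] for a in range(1 << n)) // (1 << n) for x in range(1 << n)]

def sign_determination(abs_col, n):
    # Basic full-set tree algorithm (Definition 4, Figure 1): leaves hold ±2|lambda(i,b)|, node i merges with
    # node i + 2^(n-l-1) as r = ((u+v)/2, (u-v)/2), keeping only partial Hadamard sums of ±1 entries.
    level = [{(2 * v,), (-2 * v,)} for v in abs_col]
    for lvl in range(n):
        half, nxt = 1 << (n - lvl - 1), []
        for i in range(half):
            keep = set()
            for u, v in product(level[i], level[i + half]):
                r = tuple((x + y) // 2 for x, y in zip(u, v)) + tuple((x - y) // 2 for x, y in zip(u, v))
                if all(abs(e) == 1 if half == 1 else (e % 2 == 0 and abs(e) <= half) for e in r):
                    keep.add(r)
            nxt.append(keep)
        level = nxt
    # the root vector comes out in bit-reversed index order; undo that and fix the global sign (r[0] = 1)
    rev = [int(f"{c:0{n}b}"[::-1], 2) for c in range(1 << n)]
    return sorted(tuple(r[rev[a]] for a in range(1 << n)) for r in level[0] if r[0] == 1)
```

For the n = 2 instance of Figure 1, `sign_determination([1, 1, 1, 1], 2)` returns the four normalised root vectors; for a real column the true $\vec s_b$ is always among the solutions, and every solution reproduces the given absolute column.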

  19. The size of the full sets in the intermediate layers grows so fast!


  21. Improved Algorithm. Figure 2: The Tree Structure for a Sign Determination Problem (as read from the figure: leaves $C_0[0], \ldots, C_0[7]$ with values $4, 0, 0, 0, 0, 0, 0, 0$; $C_1[0], \ldots, C_1[3]$ with the example vector $(2,-2)$; $C_2[0], C_2[1]$ with the example vector $(2,0,-2,0)$; root $C_3[0]$ with the example vector $(1,1,1,-1,-1,-1,-1,1)$). ◮ The symmetric structure of the full set. ◮ Only record the representatives of the equivalence classes in the compact set. ◮ The compact representation reduces both time and memory complexity.

  22. Algorithm 1: Constructing $M_{\vec u,\vec w}$ from $\vec u \in C_\ell[i]$ and $\vec w \in C_\ell[i + 2^{n-\ell-1}]$
  1: procedure ConstructSet($\vec u$, $[\vec w]^+$, $J$)
  2:   $M_{\vec u,\vec w} = [\vec u, \vec w]^+$
  3:   for all integers $j \in J$ do
  4:     Find $\pi^\ell_{j_0}, \ldots, \pi^\ell_{j_{p-1}}$ such that $\vec u = \pm \pi^\ell_{j_{p-1}} \circ \cdots \circ \pi^\ell_{j_0}(\vec u)$
  5:     for all the distinct vectors $\vec e, \vec f$ in $M_{\vec u,\vec w}$ do
  6:       if $\vec e = \pm \pi^\ell_{j_{p-1}} \circ \cdots \circ \pi^\ell_{j_0}(\vec f)$ then
  7:         $M_{\vec u,\vec w} = M_{\vec u,\vec w} \setminus \{\vec f\}$
  8:       end if
  9:     end for
  10:  end for
  11:  return $M_{\vec u,\vec w}$
  12: end procedure
  In this way, the compact set $C_{\ell+1}[i]$ is indeed constructed by combining $\vec u \in C_\ell[i]$ and $\vec v$ in each $M_{\vec u,\vec w}$.

  23. Algorithm 2: Improved Algorithm for Solving the Sign Determination Problem
  1: Input: $\vec\lambda_b^\dagger$
  2: Output: $F = \{ \vec u \mid \vec u = \frac{2}{2^n} H_n \vec\lambda_b,\ \vec u[0] = 1 \}$
  3: for each integer $i \in [0, 2^n - 1]$ do
  4:   $C_0[i] = \{ 2\lambda^\dagger(i,b) \}$   ⊲ Initialization
  5: end for
  6: $C_n[0]$ = Layer($C_0$, 0)
  7: Construct the full set $F_n[0]$ from $C_n[0]$.
  8: return $F = \{ \vec u \mid \vec u \in F_n[0],\ \vec u[0] = 1 \}$.
  9:
  10: procedure Layer($C_\ell$, $\ell$)
  11:  for each integer $i \in [0, 2^{n-\ell-1} - 1]$ do
  12:    if there are no vectors in $C_\ell[i]$ or $C_\ell[i + 2^{n-\ell-1}]$ then
  13:      return There exist no S-boxes corresponding to the given DDT!
  14:    end if
  15:    $C_{\ell+1}[i] = \emptyset$
  16:    Randomly pick a vector from $C_\ell[i]$ and compute $J = \{ j \mid C_\ell[i] \text{ is } j\text{-symmetric},\ 0 \le j < \ell \}$
  17:    for each $\vec w$ in $C_\ell[i + 2^{n-\ell-1}]$ do
  18:      for each $\vec u$ in $C_\ell[i]$ do
  19:        $M$ = ConstructSet($\vec u$, $[\vec w]^+$, $J$)
  20:        for each $\vec v$ in $M$ do

  24. (Algorithm 2, continued)
  21:          $\vec r = E_\ell(\vec u, \vec v)$
  22:          if $\ell < n$ then
  23:            if every entry in $\vec r$ is even and in $[-2^{n-\ell-1}, 2^{n-\ell-1}]$ then
  24:              $C_{\ell+1}[i] = C_{\ell+1}[i] \cup \{\vec r\}$
  25:            else
  26:              Discard $\vec r$
  27:            end if
  28:          else   ⊲ when $\ell = n$
  29:            if every entry in $\vec r$ is 1 or $-1$ then
  30:              $C_n[i] = C_n[i] \cup \{\vec r\}$
  31:            else
  32:              Discard $\vec r$
  33:            end if
  34:          end if
  35:        end for
  36:      end for
  37:    end for
  38:  end for
  39:  if $\ell < n$ then
  40:    Layer($C_{\ell+1}$, $\ell + 1$)
  41:  else
  42:    return $C_n[0]$
  43:  end if
  44: end procedure

  25. For some cases, the size of the compact sets still grows very fast!

  26. Heuristic Threshold ◮ A threshold H on the number of internal vectors can be preset heuristically with respect to the memory accessible to the attacker. ◮ We call a column in the absolute LAT good if it can be recovered under the threshold H by applying Algorithm 2; otherwise bad. ◮ According to our experiments with input size n between 8 and 14, the solutions for the good columns contain at most two equivalence classes.

  27. Complexity Analysis of Algorithm 2 ◮ The memory complexity of Algorithm 2 is $O(H \cdot n^2 2^n + n^2 2^n)$ bits. ◮ The upper bound of the time complexity is $O(H^2 2^{3n})$.

  28. Overview diagram (The Given DDT → The Squared LAT → The Sign Determination Problem → Improved GD Algorithm → The S-box), with this section's outline: ◮ The Matching Phase for k Independent Good Columns ◮ Improved Guess-and-determine Algorithm
