Remarks on the Data Complexity of Zero-Correlation Linear Attacks
Céline Blondeau
Aalto University
ESC, Luxembourg 2015
Outline
◮ Zero-Correlation Linear Attacks
◮ Data Complexity of Zero-Correlation Attacks
◮ Repetition of Plaintexts
◮ Data Complexity of Key-Invariant Bias Attacks

Complexity of Statistical Attacks
Zero-Correlation (ZC) Linear Cryptanalysis
[Bogdanov et al 12, 13, 14], [Soleimany, Nyberg 13]
The distinguisher takes advantage of linear approximation(s) with no bias.
◮ Single approximation $(u, v)$ with $\mathrm{cor}(u, v) = 0$
◮ Multiple approximations: $C = \sum_{u \in U,\, v \in V,\, u \neq 0} \mathrm{cor}^2(u, v) = 0$
  ◮ multiple ZC: $U$ and $V$ without structure.
  ◮ multidimensional ZC: $U$ and $V$ linear (affine) spaces.
Notation
◮ [Selçuk 08]
◮ $X_R \sim \mathcal{N}(\mu_R, \sigma_R)$ and $X_W \sim \mathcal{N}(\mu_W, \sigma_W)$
◮ $\Phi$: CDF of the central normal distribution
◮ $a$: advantage of the attack
  $P_S \approx \Phi\left(\frac{\mu_R - \mu_a}{\sqrt{\sigma_a^2 + \sigma_R^2}}\right)$,
  where $\mu_a = \mu_W + \sigma_W \cdot \Phi^{-1}(1 - 2^{-a})$ and $\sigma_a$ is often negligible.
◮ $\varphi_a = \Phi^{-1}(1 - 2^{-a})$ and $\varphi_{P_S} = \Phi^{-1}(P_S)$
◮ $n$: number of bits of the permutation (block cipher)
Data Complexity of Multiple/Multidimensional ZC Attacks
[SAC 13]:
◮ $\ell$: Number of linear approximations
◮ Multiple ZC Attack (m): $N_m \approx \frac{2^n (\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$
◮ Multidimensional ZC Attack (M): $N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$
◮ In [Soleimany, Nyberg 13], experiments have been conducted for a distinguisher
◮ The general behaviour: $N = O\left(\frac{2^n}{\sqrt{\ell/2}}\right)$ is correct.
Success Probability
◮ Are these formulas correct for a key-recovery attack?
◮ Why is there a difference? (In particular, when the set of masks is close to a linear space)
Success probability:
(m) $P_S^m \approx \Phi\left(\frac{N_m}{2^n}\sqrt{\ell/2} - \varphi_a \cdot \left(\frac{N_m}{2^n} + 1\right)\right)$
(M) $P_S^M \approx \Phi\left(\frac{N_M}{(2^n - 1) - N_M}\sqrt{(\ell - 1)/2} - \varphi_a \frac{2^n - 1}{(2^n - 1) - N_M}\right)$
Setting for the Experiments
[Figure: rounds of the Type-II GFN with round functions F, round keys K and states X, with the 9-round zero-correlation part marked "ZC on 9 rounds".]
◮ 16-bit cipher
◮ Type-II GFN with 4 branches
◮ Zero-correlation approximations: $(0, 0, u, 0) \mapsto (0, u, 0, 0)$ over 9 rounds ($u \neq 0$)
◮ Key-recovery: 1 round before, 2 rounds after
◮ Maximal advantage: 12 bits
◮ Similar structure to, for instance, CLEFIA
Multidimensional ZC Attacks
[Figures for a = 1, 2, 4 and 6: success probability $P_S$ (0 to 1) against $\log_2(N)$ (12 to 16); the legend includes an experimental curve, Exp.]
Observations
$N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$
For a multidimensional ZC linear attack,
◮ $N_M$ is accurate for small advantages
◮ $N_M$ gives an overestimate of the data complexity for larger advantages
Multiple ZC Attack
[Figures for 8 approximations (a = 1, 2, 4), 5 approximations (a = 1, 2, 4) and 2 approximations (a = 1, 2): success probability $P_S$ (0 to 1) against $\log_2(N)$ (12 to 16); the legend includes an experimental curve, Exp.]
Data Complexity of Multiple ZC Attacks
Based on these experiments, we confirmed that
◮ we do not need a particular formula to compute the data complexity/success probability of multiple zero-correlation attacks (compared with the complexity of multidimensional ZC attacks)
Repetition of Plaintexts
◮ In the presented attacks, distinct known plaintexts are used.
◮ Indeed the formulas for $N_M$ and $P_S^M$ in the multidimensional linear context have been derived under this assumption.
◮ What happens if there is some repetition (assuming for instance that the plaintexts are generated/obtained randomly)?
Repetition of Plaintexts in a Multidimensional ZC Attack
[Figures for a = 2 (legend: Distinct, Random) and a = 4 (legend: No repetition, Repetition): success probability $P_S$ (0 to 1) against $\log_2(N)$ (12 to 16).]
Theoretical Conclusion
We can show that
◮ $N_m \approx \frac{2^n (\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$ corresponds to the case where the plaintexts can be repeated.
◮ $N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$ corresponds to the case of distinct known plaintexts.
◮ In the known plaintext model how can we select distinct messages?
Idea behind the proofs
◮ The proofs have already been presented in [Bogdanov et al 12, 13].
◮ For distinct known plaintexts, we use hypergeometric distributions (no replacement).
◮ The other model assumes a normal distribution of the capacity for the wrong keys.
◮ In both proofs, there is no assumption on the linear masks.
In Practice
If we consider distinct known plaintexts we can improve the complexities of some ZC attacks. For instance:
◮ on CAST-256 presented at INDOCRYPT 2014
  ◮ from $2^{123.74}$ KP ($2^{123.2}$?) to $2^{123.67}$ DKP (29 rounds)
◮ on Camellia presented at SAC 2013
  ◮ Camellia-128: from $2^{125.3}$ KP to $2^{125.1}$ DKP (11 rounds)
  ◮ Camellia-192: from $2^{125.7}$ KP to $2^{125.5}$ DKP (12 rounds)