
Remarks on the Data Complexity of Zero-Correlation Linear Attacks



  1. Remarks on the Data Complexity of Zero-Correlation Linear Attacks
     Céline Blondeau, Aalto University
     ESC, Luxembourg 2015

  2. Outline
     Zero-Correlation Linear Attacks
     Data Complexity of Zero-Correlation Attacks
     Repetition of Plaintexts
     Data Complexity of Key-Invariant Bias Attacks
     Complexity of Statistical Attacks 2/22


  4. Zero-Correlation (ZC) Linear Cryptanalysis
     [Bogdanov et al 12, 13, 14], [Soleimany, Nyberg 13]
     The distinguisher takes advantage of linear approximation(s) with no bias.
     ◮ Single approximation $(u, v)$ with $\mathrm{cor}(u, v) = 0$
     ◮ Multiple approximations: $C = \sum_{u \in U,\, v \in V,\, u \neq 0} \mathrm{cor}^2(u, v) = 0$
       ◮ multiple ZC: $U$ and $V$ without structure.
       ◮ multidimensional ZC: $U$ and $V$ linear (affine) spaces.


  6. Notation
     ◮ [Selçuk 08]
       ◮ $X_R \sim \mathcal{N}(\mu_R, \sigma_R)$ and $X_W \sim \mathcal{N}(\mu_W, \sigma_W)$
       ◮ $\Phi$: CDF of the central normal distribution
       ◮ $a$: advantage of the attack
       $P_S \approx \Phi\left(\frac{\mu_R - \mu_a}{\sqrt{\sigma_a^2 + \sigma_R^2}}\right)$, where $\mu_a = \mu_W + \sigma_W \cdot \Phi^{-1}(1 - 2^{-a})$ and $\sigma_a$ is often negligible.
     ◮ $\varphi_a = \Phi^{-1}(1 - 2^{-a})$ and $\varphi_{P_S} = \Phi^{-1}(P_S)$
     ◮ $n$: number of bits of the permutation (block cipher)

  7. Data Complexity of Multiple/Multidimensional ZC Attacks
     [SAC 13]:
     ◮ $\ell$: Number of linear approximations
     ◮ Multiple ZC Attack (m): $N_m \approx \frac{2^n (\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$
     ◮ Multidimensional ZC Attack (M): $N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$
     ◮ In [Soleimany, Nyberg 13], experiments have been conducted for a distinguisher
     ◮ The general behaviour: $N = O\left(\frac{2^n}{\sqrt{\ell/2}}\right)$ is correct.

  8. Success Probability
     ◮ Are these formulas correct for a key-recovery attack?
     ◮ Why is there a difference? (In particular, when the set of masks is close to a linear space)
     Success probability:
     (m) $P_S^m \approx \Phi\left(\frac{N_m}{2^n}\sqrt{\ell/2} - \varphi_a \cdot \left(\frac{N_m}{2^n} + 1\right)\right)$
     (M) $P_S^M \approx \Phi\left(\frac{N_M}{(2^n - 1) - N_M}\sqrt{(\ell - 1)/2} - \frac{2^n - 1}{(2^n - 1) - N_M}\,\varphi_a\right)$

  9. Setting for the Experiments
     [Figure: cipher diagram with round functions F, round keys K1, K11, K12 and states X1, X2, X11, X12, X13; the middle part is marked "ZC on 9 rounds".]
     ◮ 16-bit cipher
     ◮ Type-II GFN with 4 branches
     ◮ Zero-correlation approximations: $(0, 0, u, 0) \mapsto (0, u, 0, 0)$ over 9 rounds ($u \neq 0$)
     ◮ Key-recovery: 1 round before, 2 rounds after
     ◮ Maximal advantage: 12 bits
     ◮ Similar structure as for instance CLEFIA

  10. Multidimensional ZC Attacks, $a = 1$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  11. Multidimensional ZC Attacks, $a = 2$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  12. Multidimensional ZC Attacks, $a = 4$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  13. Multidimensional ZC Attacks, $a = 6$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  14. Observations
      $N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$
      For a multidimensional ZC linear attack,
      ◮ $N_M$ is accurate for small advantages
      ◮ $N_M$ gives an overestimate of the data complexity for larger advantages

  15. Multiple ZC Attack, 8 approximations and $a = 1$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  16. Multiple ZC Attack, 8 approximations and $a = 2$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  17. Multiple ZC Attack, 8 approximations and $a = 4$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  18. Multiple ZC Attack, 5 approximations and $a = 1$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  19. Multiple ZC Attack, 5 approximations and $a = 2$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  20. Multiple ZC Attack, 5 approximations and $a = 4$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  21. Multiple ZC Attack, 2 approximations and $a = 1$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  22. Multiple ZC Attack, 2 approximations and $a = 2$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; the legend includes the experimental curve (Exp).]

  23. Data Complexity of Multiple ZC Attacks
      Based on these experiments, we confirmed that
      ◮ we do not need a particular formula to compute the data complexity/success probability of multiple zero-correlation attacks (compared with the complexity of multidimensional ZC attacks)


  25. Repetition of Plaintexts
      ◮ In the presented attacks, distinct known plaintexts are used.
      ◮ Indeed the formulas for $N_M$ and $P_S^M$ in the multidimensional linear context have been derived under this assumption.
      ◮ What happens if there is some repetition (assuming for instance that the plaintexts are generated/obtained randomly)?

  26. Repetition of Plaintexts in a Multidimensional ZC Attack, $a = 2$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; legend: Distinct, Random.]

  27. Repetition of Plaintexts in a Multidimensional ZC Attack, $a = 4$
      [Plot: $P_S$ against $\log_2(N)$, with $\log_2(N)$ from 12 to 16; legend: No repetition, Repetition.]

  28. Theoretical Conclusion
      We can show that
      ◮ $N_m \approx \frac{2^n (\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$ corresponds to the case where the plaintexts can be repeated.
      ◮ $N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$ corresponds to the case of distinct known plaintexts.

  29. Theoretical Conclusion
      We can show that
      ◮ $N_m \approx \frac{2^n (\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$ corresponds to the case where the plaintexts can be repeated.
      ◮ $N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$ corresponds to the case of distinct known plaintexts.
      ◮ In the known plaintext model, how can we select distinct messages?

  30. Idea behind the proofs
      ◮ The proofs have already been presented in [Bogdanov et al 12, 13].
      ◮ For distinct known plaintexts, we use hypergeometric distributions (no replacement).
      ◮ The other model assumes a normal distribution of the capacity for the wrong keys.

  31. Idea behind the proofs
      ◮ The proofs have already been presented in [Bogdanov et al 12, 13].
      ◮ For distinct known plaintexts, we use hypergeometric distributions (no replacement).
      ◮ The other model assumes a normal distribution of the capacity for the wrong keys.
      ◮ In both proofs, there is no assumption on the linear masks.

  32. In Practice
      If we consider distinct known plaintexts we can improve the complexities of some ZC attacks. For instance:
      ◮ on CAST-256 presented at INDOCRYPT 2014
        ◮ from $2^{123.74}$ KP ($2^{123.2}$?) to $2^{123.67}$ DKP (29 rounds)
      ◮ on Camellia presented at SAC 2013
        ◮ Camellia-128: from $2^{125.3}$ KP to $2^{125.1}$ DKP (11 rounds)
        ◮ Camellia-192: from $2^{125.7}$ KP to $2^{125.5}$ DKP (12 rounds)
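
The data-complexity and success-probability formulas of slides 7 and 8, and the repeated versus distinct plaintext comparison of slides 28 to 32, evaluated numerically as an added example (not code from the presentation). The function names and the target $P_S = 0.9$ are assumptions made here; $n = 16$ and $\ell = 8$ are taken from the experimental setting on the slides.

```python
from math import log2, sqrt
from statistics import NormalDist

STD = NormalDist()  # standard normal: cdf is Phi, inv_cdf is Phi^{-1}

def phi_a(a):
    """phi_a = Phi^{-1}(1 - 2^{-a}) for an advantage of a bits."""
    return STD.inv_cdf(1 - 2.0 ** -a)

def n_repeated(n, ell, a, p_s):
    """N_m: plaintexts may repeat. Only finite when sqrt(ell/2) > phi_a."""
    denom = sqrt(ell / 2) - phi_a(a)
    if denom <= 0:
        raise ValueError("sqrt(ell/2) <= phi_a: no finite N_m for this advantage")
    return 2 ** n * (STD.inv_cdf(p_s) + phi_a(a)) / denom

def n_distinct(n, ell, a, p_s):
    """N_M: distinct known plaintexts (sampling without replacement)."""
    phi_ps = STD.inv_cdf(p_s)
    denom = sqrt((ell - 1) / 2) + phi_ps
    if denom <= 0:
        raise ValueError("target P_S too small for this number of approximations")
    return (2 ** n - 1) * (phi_ps + phi_a(a)) / denom

def ps_repeated(n, ell, a, N):
    """Formula (m): the N_m expression solved for P_S."""
    r = N / 2 ** n
    return STD.cdf(r * sqrt(ell / 2) - phi_a(a) * (r + 1))

def ps_distinct(n, ell, a, N):
    """Formula (M): the N_M expression solved for P_S, for 0 < N < 2^n - 1."""
    full = 2 ** n - 1
    if not 0 < N < full:
        raise ValueError("formula (M) is defined for 0 < N < 2^n - 1")
    return STD.cdf((N * sqrt((ell - 1) / 2) - full * phi_a(a)) / (full - N))

def compare(n, ell, a, p_s):
    """Return (log2 N_m, log2 N_M) for the same advantage and target P_S."""
    return log2(n_repeated(n, ell, a, p_s)), log2(n_distinct(n, ell, a, p_s))

if __name__ == "__main__":
    # n = 16 and ell = 8 are from the slides; P_S = 0.9 is a constructed target.
    for a in (1, 2, 4):
        kp, dkp = compare(16, 8, a, 0.9)
        print(f"a={a}: log2(N_m)={kp:.2f} (repeats)  log2(N_M)={dkp:.2f} (distinct)")
```

With $\ell = 8$ the $N_m$ formula has no finite value once $\varphi_a$ reaches $\sqrt{\ell/2} = 2$, which the code reports as an error instead of returning a negative count.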
