Separable Statistics in Linear Cryptanalysis
Igor Semaev, Univ. of Bergen, Norway
joint work with Stian Fauskanger
5 September 2017, MMC workshop
Round Block Cipher Cryptanalysis
(figure: PL-TEXT → round key K1 → X → K2..K15 → Y → K16 → CH-TEXT)
Logarithmic Likelihood Ratio (LLR) Statistic
◮ To distinguish two distributions with densities $P(x)$, $Q(x)$
◮ by independent observations $\nu_1, \dots, \nu_n$
◮ Most powerful criterion (Neyman-Pearson lemma):
  ◮ accept $P(x)$ if $\sum_{i=1}^{n} \ln \frac{P(\nu_i)}{Q(\nu_i)} > \text{threshold}$
◮ the left-hand side function is called the LLR statistic
LLR Statistic for large $(X, Y)$?
◮ The approximate distribution of $(X, Y)$ depends on some bits of $K_2, \dots, K_{15}$
◮ The observation on $(X, Y)$ depends on some bits of $K_1, K_{16}$
◮ $\bar K$: the key-bits which affect distribution and observation
◮ For large $(X, Y)$ the LLR statistic depends on many key-bits $\bar K$
◮ Conventional multivariate linear cryptanalysis is not efficient:
  ◮ $2^{|\bar K|}$ computations of the statistic to range over the values of $\bar K$
◮ Our work: $\ll 2^{|\bar K|}$ ($\approx 10^3$ times faster in DES)
  ◮ by using a new statistic
  ◮ which reflects the structure of the round function
  ◮ there is a price to pay, but the trade-off is positive
LLRs for Projections
◮ $(h_1, \dots, h_m)$: some linear projections of $(X, Y)$ such that
  ◮ the distribution/observation of $h_i$ depends on a lower number of key-bits $\bar K_i$
  ◮ this happens for modern ciphers with small S-boxes
◮ The vector $(LLR_1, \dots, LLR_m)$ is asymptotically distributed as
  ◮ $N(n\mu, nC)$ if the value of $\bar K$ is correct
  ◮ and close to $N(-n\mu, nC)$ if the value of $\bar K$ is incorrect
◮ $\mu$: mean vector, $C$: covariance matrix, $n$: number of plain-texts
Separable Statistics
◮ The LLR statistic $S$ to distinguish two normal distributions
  ◮ is quadratic in general, but in our case degenerates to linear
◮ $S(\bar K, \nu) = \sum_{i=1}^{m} S_i(\bar K_i, \nu_i)$, where $S_i = \omega_i \, LLR_i$
◮ $\omega_i$: weights, $\nu$: observation on $(X, Y)$, $\nu_i$: observation on $h_i$
◮ $S$ is distributed $N(a, a)$ if $\bar K = k$ is correct
  ◮ and close to $N(-a, a)$ if $\bar K = k$ is incorrect, for an explicit $a$
◮ For polynomial schemes the theory of separable statistics was developed by Ivchenko, Medvedev, ... in the 1970s
◮ Problem: find $\bar K = k$ such that $S(k, \nu) > \text{threshold}$ without brute force
Reconstruct a set of $\bar K$-candidates $k$
◮ find solutions $\bar K = k$ to the (linear for DES) equations
  $\bar K_i = k_i$ with weight $S_i(k_i, \nu_i)$, $i = 1, \dots, m$
◮ such that $S(k, \nu) = \sum_{i=1}^{m} S_i(k_i, \nu_i) > \text{threshold}$
◮ the system is sparse: $|\bar K|$ is large, but $|\bar K_i| \ll |\bar K|$
◮ Walking over a search tree
◮ The algorithm first appeared in I. Semaev, New Results in the Linear Cryptanalysis of DES, Crypt. ePrint Arch., 361, May 2014
◮ We compute the success rate and the number of wrong solutions
  ◮ that is, the $\bar K$-candidates to brute force
Reconstruction Toy Example
◮ find $x_1, x_2, x_3$ s.t. $S(x_1, x_2, x_3) = S_1(x_1 + x_2, x_3) + S_2(x_1 + x_3) + S_3(x_1, x_2 + x_3) > 1$
◮ the three weight tables:

    S_1:   x_1 + x_2   0     1     0     1
           x_3         0     0     1     1
           value       0.1   0.2   0.3   0.1

    S_2:   x_1 + x_3   0     1
           value       0.5   0.1

    S_3:   x_1         0     0     1     1
           x_2 + x_3   0     1     0     1
           value       0.4   0.5   0.7   0.1

◮ Solutions: 010, 111
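The candidate reconstruction of the two previous slides, as an added example that is not code from the talk or its authors: a depth-first walk over the search tree of the sparse system $S_1 + S_2 + S_3 > 1$. The tables are our transcription of the slide's toy example (the indexing of $S_1$ is our reading of the extracted layout); the pruning rule, an optimistic bound that adds the best still-reachable entry of every term, is our own choice, since the slides only say "walking over a search tree". Exact decimals are used because two assignments land exactly on the threshold.

```python
from fractions import Fraction as F
from itertools import product

# ---- The slide's toy system, transcribed here ---------------------------
# Variables x1, x2, x3 are indexed 0, 1, 2.  A term S_i is a table indexed by
# the values of a few GF(2) linear forms, each form written as the tuple of
# variable indices it sums.  The tables are our reading of the slide's layout;
# exact decimals (Fraction) avoid float noise at the threshold.
TERMS = [
    # S_1(x1+x2, x3)
    (((0, 1), (2,)),
     {(0, 0): F("0.1"), (1, 0): F("0.2"), (0, 1): F("0.3"), (1, 1): F("0.1")}),
    # S_2(x1+x3)
    (((0, 2),),
     {(0,): F("0.5"), (1,): F("0.1")}),
    # S_3(x1, x2+x3)
    (((0,), (1, 2)),
     {(0, 0): F("0.4"), (0, 1): F("0.5"), (1, 0): F("0.7"), (1, 1): F("0.1")}),
]
N_VARS = 3
THRESHOLD = F(1)

def form_value(form, x):
    """XOR of the variables in form; None while any of them is unassigned."""
    s = 0
    for v in form:
        if x[v] is None:
            return None
        s ^= x[v]
    return s

def term_bound(forms, table, x):
    """Largest table entry still reachable given the partial assignment x.
    When every form is determined this is the exact value of the term."""
    known = [form_value(f, x) for f in forms]
    return max(val for idx, val in table.items()
               if all(k is None or k == i for k, i in zip(known, idx)))

def search(terms, n_vars, threshold):
    """Depth-first walk of the search tree: assign variables one at a time and
    abandon a branch as soon as the optimistic bound cannot exceed threshold.
    Returns (solutions, number of tree nodes visited)."""
    solutions, visited = [], 0

    def walk(x, i):
        nonlocal visited
        visited += 1
        bound = sum(term_bound(forms, table, x) for forms, table in terms)
        if bound <= threshold:
            return                      # prune: no completion can win
        if i == n_vars:
            solutions.append("".join(str(b) for b in x))
            return
        for bit in (0, 1):
            x[i] = bit
            walk(x, i + 1)
            x[i] = None

    walk([None] * n_vars, 0)
    return solutions, visited

def brute_force(terms, n_vars, threshold):
    """Reference: evaluate S on all 2^n assignments."""
    out = []
    for bits in product((0, 1), repeat=n_vars):
        x = list(bits)
        total = sum(table[tuple(form_value(f, x) for f in forms)] for forms, table in terms)
        if total > threshold:
            out.append("".join(str(b) for b in bits))
    return out

if __name__ == "__main__":
    sols, visited = search(TERMS, N_VARS, THRESHOLD)
    print("search tree:", sols, "visited", visited, "nodes")
    print("brute force:", brute_force(TERMS, N_VARS, THRESHOLD))
```

On this three-variable toy every term is only determined at the leaves, so the bound prunes nothing and all 15 nodes are visited; the point of the slide's sparsity remark ($|\bar K_i| \ll |\bar K|$) is that in the DES system most $S_i$ become fully determined long before the last key-bit is assigned, which is where the same bound cuts off whole subtrees.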
Implementation for 16-Round DES
◮ 2 strings of 14 internal bits each (or a 28-bit string)
◮ 54 key-bits involved
◮ we use 28 10-bit projections, each involving $\approx 20$ key-bits
◮ two separable statistics, one for each 14-bit string
◮ success probability 0.85 (theoretically)
◮ number of (56-bit key)-candidates is $2^{41.8}$ (theoretically & empirically) for $n = 2^{41.8}$
◮ search tree complexity is about the same
Further Talk Outline
◮ Formulae for the internal bits probability distribution
◮ Construction of the statistic $S$
◮ Search tree algorithm
◮ Implementation details for 16-round DES
Probability of Events in Encryption (a priori distribution)
◮ $Z$: vector of some internal bits in the encryption algorithm
◮ we want to compute $\Pr(Z = A)$ over all possible $A$
  ◮ that makes a distribution of $Z$
◮ More generally, $\Pr(E)$ for some event $E$ in the encryption
Notation: one Feistel round
(figure: inputs $X_{i-1}, X_i$, round key $K_i$, round function $F$; outputs $X_i, X_{i+1}$)
◮ in DES
  ◮ $X_{i-1}, X_i$ are 32-bit blocks
  ◮ $K_i$ is the 48-bit round key
    ◮ a sub-key of the main 56-bit key
Probabilistic Description of $r$-round Feistel (similar for SPN)
◮ $X_0, X_1, \dots, X_{r+1}$: random, independently and uniformly generated $m$-bit blocks
◮ Main event $C$ defines DES: $X_{i-1} \oplus X_{i+1} = F_i(X_i, K_i)$, $i = 1, \dots, r$, with $K_1, \dots, K_r$ fixed round keys
◮ Then $\Pr(E \mid C) = \frac{\Pr(EC)}{\Pr(C)} = 2^{mr} \Pr(EC)$.
◮ likely depends on all key-bits.
Approximate Probabilistic Description
◮ We want the approximate probability of $E$ in the encryption
◮ Choose a larger event $C_\alpha \supseteq C$:
  ◮ $\Pr(E \mid C) \approx \Pr(E \mid C_\alpha) = \frac{\Pr(E C_\alpha)}{\Pr(C_\alpha)}$
◮ $\Pr(E \mid C_\alpha)$ may depend on a lower number of key-bits
  ◮ Easier to compute and use
How to Choose $C_\alpha$
◮ To compute the distribution of the random variable
  $Z = X_0[\alpha_1], X_1[\alpha_2 \cup \beta_1], X_r[\alpha_{r-1} \cup \beta_r], X_{r+1}[\alpha_r]$
  ($X[\alpha]$ is the sub-vector of $X$ defined by $\alpha$), we choose a trail $X_i[\beta_i], F_i[\alpha_i]$, $i = 1, \dots, r$
◮ and the event $C_\alpha$: $X_{i-1}[\alpha_i] \oplus X_{i+1}[\alpha_i] = F_i(X_i, K_i)[\alpha_i]$, $i = 1, \dots, r$.
◮ $\Pr(C_\alpha) = 2^{-\sum_{i=1}^{r} |\alpha_i|}$
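The probabilistic description of the last three slides, worked through on a toy cipher as an added example (not code from the talk or its authors): $X_0, \dots, X_{r+1}$ are enumerated as independent uniform $m$-bit blocks, the exact event $C$ and the relaxed event $C_\alpha$ are counted, and the identities $\Pr(C) = 2^{-mr}$, $\Pr(E \mid C) = 2^{mr}\Pr(EC)$ and $\Pr(C_\alpha) = 2^{-\sum |\alpha_i|}$ are checked exactly with fractions. The 4-bit S-box, the round keys, the event $E$ and the sets $\alpha_i$ are all constructed for the example; $m = 4$ and $r = 2$ keep the full enumeration at $2^{16}$ tuples.

```python
from fractions import Fraction
from itertools import product

# ---- Constructed toy Feistel (not DES; numbers chosen for illustration) ---
M = 4                     # block-half width m (bits)
R = 2                     # number of rounds r
MASK = (1 << M) - 1
# A 4-bit S-box and two fixed round keys, both constructed for this example.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
KEYS = [0b1011, 0b0110]   # K_1, K_2

def F(x, k):
    """Round function F_i(X_i, K_i): key mixing followed by the S-box."""
    return SBOX[(x ^ k) & MASK]

def bits(x, alpha):
    """X[alpha]: the sub-vector of X selected by the bit positions in alpha."""
    return tuple((x >> b) & 1 for b in alpha)

# Event E whose probability we want: a linear relation between two internal
# bits, here bit 0 of X_0 and bit 0 of X_{r+1} (constructed choice).
def event_E(xs):
    return ((xs[0] ^ xs[R + 1]) & 1) == 0

# The exact event C: every round equation holds on all m bits.
def event_C(xs):
    return all(xs[i - 1] ^ xs[i + 1] == F(xs[i], KEYS[i - 1]) for i in range(1, R + 1))

# The relaxed event C_alpha: round i only has to hold on the bits alpha_i.
def event_C_alpha(xs, alpha):
    return all(bits(xs[i - 1] ^ xs[i + 1], alpha[i - 1]) == bits(F(xs[i], KEYS[i - 1]), alpha[i - 1])
               for i in range(1, R + 1))

def conditional_probs(alpha):
    """Enumerate X_0..X_{r+1} uniformly and return
    (Pr(C), Pr(E|C), Pr(C_alpha), Pr(E|C_alpha)) as exact fractions."""
    n_c = n_ec = n_ca = n_eca = 0
    for xs in product(range(1 << M), repeat=R + 2):
        e = event_E(xs)
        if event_C(xs):
            n_c += 1
            n_ec += e
        if event_C_alpha(xs, alpha):
            n_ca += 1
            n_eca += e
    total = 1 << (M * (R + 2))
    return (Fraction(n_c, total), Fraction(n_ec, n_c),
            Fraction(n_ca, total), Fraction(n_eca, n_ca))

def prob_E_by_encryption():
    """Pr(E) over uniform (X_0, X_1) by actually running the cipher; equals Pr(E|C)."""
    hits = 0
    for x0, x1 in product(range(1 << M), repeat=2):
        xs = [x0, x1]
        for i in range(1, R + 1):
            xs.append(xs[i - 1] ^ F(xs[i], KEYS[i - 1]))
        hits += event_E(xs)
    return Fraction(hits, 1 << (2 * M))

ALPHA = [(0,), (0,)]   # alpha_1, alpha_2: only bit 0 of each F_i output is constrained

if __name__ == "__main__":
    pc, pe_c, pca, pe_ca = conditional_probs(ALPHA)
    print("Pr(C) =", pc, " expected 2^-(mr) =", Fraction(1, 2 ** (M * R)))
    print("Pr(C_alpha) =", pca, " expected 2^-sum|alpha_i| =", Fraction(1, 2 ** sum(map(len, ALPHA))))
    print("Pr(E|C) =", pe_c, " by direct encryption:", prob_E_by_encryption())
    print("Pr(E|C_alpha) =", pe_ca, " (the approximation)")
```

The last two printed values are the point of the slides: $\Pr(E \mid C)$ is the true probability and depends on every key-bit and on the whole S-box, while $\Pr(E \mid C_\alpha)$ only looks at the $\alpha_i$ output bits of each round and is what the convolution formula later computes without enumerating the cipher.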
Regular Trails
◮ a trail $X_i[\beta_i], F_i[\alpha_i]$, $i = 1, \dots, n$
◮ is called regular if $\gamma_i \cap (\alpha_{i-1} \cup \alpha_{i+1}) \subseteq \beta_i \subseteq \gamma_i$, $i = 1, \dots, n$.
◮ $X_i[\gamma_i]$: the input bits relevant to $F_i[\alpha_i]$
◮ For regular trails $\Pr(Z = A \mid C_\alpha)$ is computed with a convolution-type formula and only depends on the $\alpha_i$
Convolution Formula
◮ $Z = X_0[\alpha_1], X_1[\alpha_2 \cup \beta_1], X_r[\alpha_{r-1} \cup \beta_r], X_{r+1}[\alpha_r]$
◮ $\Pr(Z = A_0, A_1, A_r, A_{r+1} \mid C_\alpha) = \frac{2^{\sum_{i=2}^{r-1} |\alpha_i|}}{2^{\sum_{i=1}^{r} |(\alpha_{i-1} \cup \alpha_{i+1}) \setminus \beta_i|}} \sum_{A_2, \dots, A_{r-1}} \prod_{i=1}^{r} q_i\big(A_i[\beta_i], (A_{i-1} \oplus A_{i+1})[\alpha_i], k_i\big)$
◮ probability distribution of the round sub-vectors: $q_i(b, a, k) = \Pr(X_i[\beta_i] = b, F_i[\alpha_i] = a \mid K_i[\delta_i] = k)$
◮ $K_i[\delta_i]$: the key-bits relevant to $F_i[\alpha_i]$
◮ Corollary: compute iteratively by splitting the encryption into two parts. A few seconds for 14-round DES
Theoretical (red) vs Empirical (green) Distributions
(figure: the two distributions plotted against each other)
◮ $X_2[24, 18, 7, 29], X_7[16, 14], X_8[24, 18, 7, 29]$
◮ Empirical with $2^{39}$ random plain-texts for one randomly chosen key
Approximate Distribution of a Vector from 14-round DES
◮ $X_2[24, 18, 7, 29], X_{15}[16, 15, \dots, 11], X_{16}[24, 18, 7, 29]$
◮ computed with the trail

    round i                 β_i                  α_i
    2, 6, 10, 14            ∅                    ∅
    3, 5, 7, 9, 11, 13      {15}                 {24, 18, 7, 29}
    4, 8, 12                {29}                 {15}
    15                      {16, ..., 11}        {24, 18, 7, 29}

◮ depends on 7 key-bits: $K_{\{3,5,7,9,11,13\}}[22] \oplus K_{\{4,8,12\}}[44]$, $K_{15}[23, 22, 21, 20, 19, 18]$.
◮ notation: $K_{\{4,8,12\}}[44] = K_4[44] \oplus K_8[44] \oplus K_{12}[44]$
Another Approximation to the Same Distribution
◮ same $X_2[24, 18, 7, 29], X_{15}[16, 15, \dots, 11], X_{16}[24, 18, 7, 29]$
◮ with another trail

    round i                 β_i                  α_i
    2                       ∅                    ∅
    3, 5, 7, 9, 11, 13      {16, 15, 14}         {24, 18, 7, 29}
    4, 6, 8, 10, 12, 14     {29, 24}             {16, 15, 14}
    15                      {16, ..., 11}        {24, 18, 7, 29}

◮ different distribution
◮ quadratic imbalance is negligibly larger
◮ but depends on a much larger number of the key-bits
Conventional LLR Statistic
◮ We use 28 internal bits in the analysis of DES:
  $X_2[24, 18, 7, 29], X_{15}[16, 15, \dots, 11], X_{16}[24, 18, 7, 29]$
  $X_1[24, 18, 7, 29], X_2[16, 15, \dots, 11], X_{15}[24, 18, 7, 29]$
◮ distribution and observation depend on the available plain-text/cipher-text and 54 key-bits
◮ the conventional LLR statistic takes $2^{54}$ computations
◮ no advantage over Matsui's $2^{43}$ complexity for breaking DES
Attack
◮ We used 28 projections ($i, j \in \{16, \dots, 11\}$):
  $X_2[24, 18, 7, 29], X_{15}[i, j], X_{16}[24, 18, 7, 29]$
  $X_1[24, 18, 7, 29], X_2[i, j], X_{15}[24, 18, 7, 29]$
◮ except $i = 16, j = 11$, where the distributions are uniform
◮ For each projection the LLR statistic depends on ($\le 21$) key-bits
◮ We constructed two new separable statistics for two independent bunches of the projections
◮ and combined the ($\le 21$)-bit values to find a number of candidates for the 54-bit sub-key
◮ brute force those candidates
Separable Statistics in Detail
◮ observation $\nu = (\nu_1, \dots, \nu_m)$ on the $m$ projections $(h_1, \dots, h_m)$
◮ $\nu_i$ depends on the plain/cipher-texts and $\bar K_i$
◮ the best statistic is approximately separable: $S(\bar K, \nu) = \sum_{i=1}^{m} S_i(\bar K_i, \nu_i)$
◮ $S_i(\bar K_i, \nu_i)$: weighted LLR statistic for $h_i(x)$
◮ Construct $\bar K$-values (s.t. $\sum_{i=1}^{m} S_i(\bar K_i, \nu_i) > \text{threshold}$) from $\bar K_i$-values
◮ One computes error probabilities etc.; details are below
Separable Statistic Construction
◮ $x$ may have distribution $Q$ or $P$. The projection $h_i(x)$ may have $Q_i$ or $P_i$, $i = 1, \dots, m$
◮ $n$ plain/cipher-texts
◮ LLR statistic for $h_i$: $LLR_i = \sum_b \nu_{ib} \ln \frac{q_{ib}}{p_{ib}}$
◮ $(LLR_1, \dots, LLR_m)$ is normally distributed
  ◮ $N(n\mu_Q, nC_Q)$ or $N(n\mu_P, nC_P)$
◮ If $Q$ is close to $P$, then $\mu_Q \approx -\mu_P$ (follows from Baignères et al. 2004) and $C_Q \approx C_P$ (this work)
◮ We get $N(n\mu, nC)$ or $N(-n\mu, nC)$
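The construction of this slide and of the earlier LLR and "Separable Statistics" slides, carried through numerically as an added example (not code from the talk or its authors). Everything is constructed: $x$ is a 3-bit value, $Q$ and $P$ are two close distributions on it, $h_1, h_2$ are two linear projections, and $\nu_{ib}$ is read as the number of observations with $h_i(x) = b$, so that $LLR_i = \sum_b \nu_{ib} \ln(q_{ib}/p_{ib})$ equals the sum of $\ln(q_i/p_i)$ over the observations. The weights are taken as $\omega = C^{-1}\mu$ (our derivation, not stated on the slides): the log-likelihood ratio of $N(n\mu, nC)$ against $N(-n\mu, nC)$ at a point $x$ is $2\mu^{T} C^{-1} x$, so the quadratic terms cancel and the statistic is linear in the $LLR_i$, with $S \sim N(a, a)$, $a = n\mu^{T} C^{-1}\mu$, under $Q$.

```python
import math
import random

# ---- Constructed toy setting (not the DES data from the slides) ----------
# x is a 3-bit value.  Q and P are close distributions; their difference is
# visible through two linear projections h1, h2 of x, which play the role of
# the slides' (h_1, ..., h_m).  All numbers below are chosen for illustration.
def h1(x):
    return (x ^ (x >> 1)) & 1          # x_0 xor x_1

def h2(x):
    return (x >> 2) & 1                # x_2

PROJECTIONS = [h1, h2]
M = len(PROJECTIONS)

def sign(bit):
    return -1 if bit else 1

Q = [(1 + 0.05 * sign(h1(x)) * sign(h2(x))) / 8 for x in range(8)]
P = [(1 + 0.10 * sign(h1(x)) + 0.06 * sign(h2(x)) + 0.05 * sign(h1(x)) * sign(h2(x))) / 8
     for x in range(8)]

def marginal(dist, h):
    """Distribution (p_i or q_i) of the projection h(x) when x ~ dist."""
    out = [0.0, 0.0]
    for x, pr in enumerate(dist):
        out[h(x)] += pr
    return out

# Per-observation term of LLR_i with the slides' sign convention
# LLR_i = sum_b nu_ib ln(q_ib / p_ib); nu_ib is read as the count of
# observations with h_i(x) = b (assumption), so summing ln(q_i/p_i)
# over the observations gives the same value.
def log_ratio(i):
    h = PROJECTIONS[i]
    p_i, q_i = marginal(P, h), marginal(Q, h)
    return lambda x: math.log(q_i[h(x)] / p_i[h(x)])

ELL = [log_ratio(i) for i in range(M)]

def mean_vector(dist):
    """mu: expectation of the per-observation terms under dist."""
    return [sum(pr * l(x) for x, pr in enumerate(dist)) for l in ELL]

def cov_matrix(dist):
    """C: covariance matrix of the per-observation terms under dist."""
    mu = mean_vector(dist)
    return [[sum(pr * (ELL[i](x) - mu[i]) * (ELL[j](x) - mu[j])
                 for x, pr in enumerate(dist)) for j in range(M)] for i in range(M)]

def inv2(A):
    """Inverse of a 2x2 matrix (enough for two projections)."""
    (a, b), (c, d) = A
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

MU, C = mean_vector(Q), cov_matrix(Q)
# Weights omega = C^{-1} mu turn S = sum_i omega_i LLR_i into the LLR of
# N(n mu, nC) against N(-n mu, nC) (up to a constant factor), which is linear.
OMEGA = [sum(inv2(C)[i][j] * MU[j] for j in range(M)) for i in range(M)]

def a_param(n):
    """a = n mu^T C^{-1} mu: S ~ N(a, a) under Q and approximately N(-a, a) under P."""
    return n * sum(MU[i] * OMEGA[i] for i in range(M))

def llr_vector(samples):
    """(LLR_1, ..., LLR_m) for a list of observed x values."""
    return [sum(l(x) for x in samples) for l in ELL]

def separable_statistic(samples):
    """S = sum_i omega_i LLR_i."""
    return sum(w * v for w, v in zip(OMEGA, llr_vector(samples)))

def draw(dist, n, seed):
    return random.Random(seed).choices(range(8), weights=dist, k=n)

def demo(n=20000):
    """Return (a, S on n samples from Q, S on n samples from P)."""
    return a_param(n), separable_statistic(draw(Q, n, 1)), separable_statistic(draw(P, n, 2))

if __name__ == "__main__":
    a, s_q, s_p = demo()
    print("mu_Q =", MU, " mu_P =", mean_vector(P))
    print("C_Q =", C, " C_P =", cov_matrix(P))
    print("omega =", OMEGA, " a =", a)
    print("S under Q:", s_q, " S under P:", s_p)
```

Running it shows the two approximations the slide relies on: `mean_vector(P)` is the negative of `MU` to within a fraction of a percent and `cov_matrix(P)` agrees with `C` to about one percent, so a single pair $N(n\mu, nC)$ / $N(-n\mu, nC)$ describes both hypotheses. With $n = 20000$ the separation $a$ is around 65, i.e. the two means sit roughly $2\sqrt{a} \approx 16$ standard deviations apart, and the sign of $S$ alone tells the two distributions apart.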