
Truncated Differential Analysis of Reduced-Round LBlock

Truncated Differential Analysis of Reduced-Round LBlock. Sareh Emami, Cameron McDonald, Josef Pieprzyk and Ron Steinfeld. Joint work between Macquarie University, Qualcomm Inc. Australia and Monash University. CANS 2013, Paraty, Brazil.


  1. Truncated Differential Analysis of Reduced-Round LBlock. Sareh Emami, Cameron McDonald, Josef Pieprzyk and Ron Steinfeld. Joint work between Macquarie University, Qualcomm Inc. Australia and Monash University. CANS 2013, Paraty, Brazil

  2. Outline • Preliminaries • Truncated differential distribution • Truncated differential analysis of LBlock • Complexity Analysis • Experiments • Results CANS 2013 2/29

  3. Our Contribution • Truncated differential analysis o Differential probability distributions o Log-likelihood ratio (LLR) test • Presented framework o Merges the truncated differential distributions with classical differential analysis • Application to LBlock o Single-key attack - 18 rounds o Related-key attacks – 21 rounds

  4. LBlock • Was submitted to ACNS 2011 • Lightweight block cipher o 64-bit block o 80-bit secret key • Balanced Feistel network o 32-round [Figure: Feistel structure with input nibbles $x_{15} \dots x_0$, round function F keyed by $SK_0 \dots SK_{31}$ with an 8-bit rotation (<<< 8) in each round, and output nibbles $y_{15} \dots y_0$]

  5. LBlock • SPN round function [Figure: nibbles $x_{15} \dots x_8$ combined with sub-key $SK_i$, then S-boxes $s_7 \dots s_0$] • Key Schedule o 32-bit sub-keys: $SK_0, SK_1, \dots, SK_{31}$ [Figure: key register $k_{79} \dots k_0$, rotation <<< 29, S-boxes $S_9$ and $S_8$, round counter $i$, sub-key $SK_i$ taken from the register]

  6. Likelihood test • Statistical test which compares two distributions • Let $P$ and $Q$ be two discrete probability distributions • Kullback-Leibler (KL) divergence o Measures the distance between $P$ and $Q$ • The log-likelihood ratio (LLR) o Empirical dataset $x$ taken from $N$ samples o Determines the probability distribution ($P$ or $Q$) that the sample data $x$ belongs to

  7. Related Work • All-in-one approach to differential analysis of lightweight block ciphers o Albrecht and Leander (SAC 2012) • Multiple differential cryptanalysis using the LLR and $\chi^2$ tests o Blondeau et al. (SCN 2012) • Both analyses work on ciphers with small block sizes

  8. Outline • Preliminaries • Truncated differential distribution • Truncated differential analysis of LBlock • Complexity Analysis • Experiments • Results

  9. Truncated Differential Distribution (TDD) • Assumes the cipher follows the Markov assumption o The probability distribution of round $r$ only depends on round $r - 1$ • Finds the differential distribution for the state symbols o Nibbles in LBlock • Starts from a fixed differential o Propagates the differences through $r$ rounds o Finds the probability of every difference for each nibble

  10. Truncated Differential [Figure: propagation of a truncated difference through two LBlock rounds (sub-keys $SK_i$ and $SK_{i+1}$, S-boxes $s_7 \dots s_0$, rotation <<< 8); nibble differences are shown as 0, a fixed value or *]

  11. Computing TDD • S-box transformation (S-box $s$, input distribution $\Delta_{in}: x$, output distribution $\Delta_{out}: y$): $y_i = \sum_{j=0}^{15} x_j \cdot P(s_j = i)$ • XOR addition (input distributions $\Delta_{in}: x$ and $\Delta_{in}: y$, output distribution $\Delta_{out}: z$): $z_i = \sum_{j=0}^{15} x_j \cdot y_{i \oplus j}$

  12. Sample TDD • Input difference: 00000000 10000000 • TDD is computed through 8 rounds of LBlock encryption o The right-hand half truncated differential distribution is: KL-divergence (distance from the uniform distribution)

  13. Outline • Preliminaries • Truncated differential distribution • Truncated differential analysis of LBlock • Complexity Analysis • Experiments • Results

  14. LBlock Attack • The TDD is extended on both sides o Benefits from the key schedule properties • The attack model o Standard differential phase (SD) o Truncated differential distribution phase (TDD) o Partial-key recovery phase (PKR) [Figure: states $S_0$, $S_1$, $S_2$, $S_3$ delimiting the SD, TDD and PKR phases]

  15. TDD Phase • 8-round truncated differential distribution • Target nibble o Its distribution has a relatively high distance from the uniform [Figure: eight rounds (F, <<< 8) starting from 00000000 10000000 and passing through 00000000 00000010, 00000010 0000000*, 0000000* 00001*00, 00001*00 0000***0, 0000***0 001**0**, 001**0** 0*******, 0******* ******** to ******** ********, with the target nibble marked in the final state]

  16. PKR Phase • Additional rounds added to the end of TDD rounds • Partially decrypt the ciphertexts o Finds the differential distribution for the target nibble • LLR test • Example 3 rounds [Figure: three rounds (F, <<< 8) after the target nibble, with states ******** ****X***, X******* **X*****, **X*X*** and X*X***** XX****X*; one nibble each of $SK_9$ (key bits 58-57-56-55) and $SK_{10}$ (key bits 13-12-11-10) and two nibbles of $SK_{11}$ (key bits 0-79-78-77-76-75-74-73) are involved]

  17. SD Phase • High probability differential characteristic o Assume we know some key-bits • Example 1-round differential: (10000000 00002000) → (00000000 10000000) [Figure: one round with S and P layers and <<< 8, one nibble of $SK_0$ (key bits 79, 78, 77, 76), intermediate difference 00200000, probability $P = 2^{-2}$]

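  18. Merging Phase • Assume $\alpha$ o $P_{SD} = P(\alpha \to \beta_i)$ o $P_{TDD} = P(\beta_i \to \Gamma)$ o $P_U$ is the random probability • $P(\alpha \to \Gamma) = P_{SD} \cdot P_{TDD} + (1 - P_{SD}) \cdot P_U$ [Figure: branches $\alpha \to \beta_i$ (probability $P_{SD}$) and $\alpha \to \beta_{j \neq i}$ (probability $1 - P_{SD}$), continuing to $\Gamma$ with $P_{TDD}$ and $P_U$]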

  19. 12-Round Example [Figure: the 1-round SD phase ((10000000 00002000) → (00000000 10000000), $P = 2^{-2}$, $SK_0$ key bits 79, 78, 77, 76), the 8-round TDD phase and the 3-round PKR phase ($SK_9$, $SK_{10}$, $SK_{11}$) joined into one 12-round attack, with the target nibble marked]

  20. Outline • Preliminaries • Truncated differential distribution • Truncated differential analysis of LBlock • Complexity Analysis • Experiments • Results

  21. LLR Distributions • $W$ is a random variable for the LLR of the wrong keys o Wrong key randomization hypothesis • $R$ is a random variable for the LLR of the right key o Is a binomial distribution

  22. Complexity Analysis • Cumulative distribution function (CDF) o Probability of $X$ falling into the interval $[x, \infty)$: • Denote $\Theta$ a threshold for the LLR o Success rate: $P(R \ge \Theta)$ o Probability that a wrong-key LLR becomes higher than $\Theta$: $P(W \ge \Theta)$

  23. Complexity • Number of wrong keys ranked higher than $\Theta$: $N_{wk} = N_K \cdot P(W \ge \Theta)$ • We have to adjust $\Theta$ and $N$ (number of samples) o Compromise between the success rate and the complexity • Complexity of the full key-recovery: $C = N 2^{b} + (N_{wk} + 1) 2^{80-b}$

  24. Outline • Preliminaries • Truncated differential distribution • Truncated differential analysis of LBlock • Complexity Analysis • Experiments • Results

  25. Experiments • 12-round sample attack o $N = 2^{16}$ samples o The attack is repeated 100 times

  26. Experiments • The attack is repeated 1000 times o LLR distribution of the right key o The average LLR distribution of the wrong keys

  27. Outline • Preliminaries • Truncated differential distribution • Truncated differential analysis of LBlock • Complexity Analysis • Experiments • Results

  28. Results • 18-round single key attack o Data: $2^{23}$ plaintext/ciphertext pairs o Time: $2^{68.71}$ encryptions

  29. Results • Related-key attacks o 20 rounds: Data: $2^{27}$, time: $2^{74.55}$ o 21 rounds: Data: $2^{30}$, time: $2^{77.56}$

  30. Thank you for your attention
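
The two propagation rules from slide 11 and the KL distance from slide 12, as an added example (not code from the presentation or its authors): it pushes a nibble difference distribution through an S-box and an XOR and measures how far each result is from uniform. The PRESENT S-box is an assumed stand-in because the slides do not list LBlock's S-boxes, and all function names are hypothetical.

```python
from fractions import Fraction
from math import log2

# Assumption: PRESENT's 4-bit S-box as a stand-in; the slides do not list
# LBlock's own S-boxes, so none of them is reproduced here.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def transition(sbox):
    """T[j][i] = P(s_j = i): input difference j gives output difference i."""
    T = [[Fraction(0)] * 16 for _ in range(16)]
    for j in range(16):
        for v in range(16):
            T[j][sbox[v] ^ sbox[v ^ j]] += Fraction(1, 16)
    return T

def through_sbox(x, T):
    """S-box transformation: y_i = sum_j x_j * P(s_j = i)."""
    return [sum(x[j] * T[j][i] for j in range(16)) for i in range(16)]

def xor_add(x, y):
    """XOR of two independent nibbles: z_i = sum_j x_j * y_(i xor j)."""
    return [sum(x[j] * y[i ^ j] for j in range(16)) for i in range(16)]

def kl_from_uniform(p):
    """KL divergence (in bits) of distribution p from the uniform one."""
    return sum(float(q) * log2(float(q) * 16) for q in p if q)

def point(d):
    """Distribution of a nibble whose difference is known to be d."""
    return [Fraction(int(i == d)) for i in range(16)]

def demo():
    """Constructed toy chain, not an LBlock round: S-box, XOR, S-box."""
    T = transition(SBOX)
    steps = [point(1)]                                  # fixed difference 1
    steps.append(through_sbox(steps[-1], T))            # one active S-box
    steps.append(xor_add(steps[-1], through_sbox(point(2), T)))  # merge branch
    steps.append(through_sbox(steps[-1], T))            # next round's S-box
    return [kl_from_uniform(p) for p in steps]

if __name__ == "__main__":
    for n, kl in enumerate(demo()):
        print(f"step {n}: KL from uniform = {kl:.4f} bits")
```

The KL distance never increases from one step to the next, which is why the attack looks for a target nibble whose distribution is still relatively far from uniform after 8 rounds.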
