Multiple differential cryptanalysis using LLR and 2 Statistics

Multiple differential cryptanalysis using LLR and �2 StatisticsOctober, 8

1/27

Multiple differential cryptanalysis using LLR

and �2 Statistics

Celine Blondeaujoint work with Benoıt Gerard and Kaisa Nyberg

October 8, 2012


2/27

Outline

IntroductionBlock CiphersDifferential CryptanalysisLast Round Attacks

Multiple Differential CryptanalysisDefinitionPartitioning FunctionComplexities

ExperimentsExperimental ResultsAnalyse


3/27

Outline





4/27

Block ciphers

--

--

-

x

y

F

K1

F

K2

F

K

r

F

K

r+1

E

K

: Fm

2 ! Fm

2

IK : Master key

IF : Round function

IK

i

: Round key

cccc cccc cccc cccc

cccc cccc cccc cccc

cccc cccc cccc cccc

cccc cccc cccc cccc

S3 S2 S1 S0

S3 S2 S1 S0

S3 S2 S1 S0

��

��

⇣⇣⇣⇣⇣⇣⇣⇣

@@

@

��

��

HHHHHH

@@

@

��

PPPPPPPP

HHHHHH

@@

@

��

��

⇣⇣⇣⇣⇣⇣⇣⇣

@@

@

��

��

HHHHHH

@@

@

��

PPPPPPPP

HHHHHH

@@

@

��

��

⇣⇣⇣⇣⇣⇣⇣⇣

@@

@

��

��

HHHHHH

@@

@

��

PPPPPPPP

HHHHHH

@@

@

SMALLPRESENT-[4]


5/27

Statistical Attacks

Statistical attacks:I Take advantage of a non-uniform behavior of the cipherI Two families: Linear and Differential cryptanalysis

Improvement of differential cryptanalysis

I Differential cryptanalysis [Biham Shamir 91]I Truncated differential cryptanalysis [Knudsen 95]I Impossible differential cryptanalysis [Biham Biryukov Shamir

99]I Higher order differential cryptanalysis [Lai 94] [Knudsen 95]I Multiple differential cryptanalysis (First approach) [BG 11]


6/27

Linear cryptanalysis

cccc cccc cccc ccccS3 S2 S1 S0

c

��

��

⇣⇣⇣⇣⇣⇣⇣⇣

@@

@

��

��

HHHHHH

@@

@

��

PPPPPPPP

HHHHHH

@@

@


c

��

��

⇣⇣⇣⇣⇣⇣⇣⇣

@@

@

��

��

HHHHHH

@@

@

��

PPPPPPPP

HHHHHH

@@

@


c

��

��

⇣⇣⇣⇣⇣⇣⇣⇣

@@

@

��

��

HHHHHH

@@

@

��

PPPPPPPP

HHHHHH

@@

@

cccc cccc cccc ccccc

[Tardy-Gilbert91], [Matsui93]Linear relation using

I plaintext bits,I key bits,I ciphertext bits.

⇡ · x � · K � � · y = 0

with probability p = 12 + "


7/27

Differential CryptanalysisGiven an input difference between two plaintexts, some outputdifferences occur more often than others.

-

-

-

-

E

K

E

K

x

x

0

y

y

0

6

?

6

?

�in �out

Differential: pair of input and output difference (�in, �out)

Differential probability: p = P

X ,K [ E

K

(X )� E

K

(X � �in) = �out ]

Uniform probability: ✓ = 2�m


8/27

Last Round Attack

Plaintext

Characteristic

Partial State??

r roundsF

r

K

Distinguisher


8/27

Last Round Attack

Plaintext

Characteristic

Partial State??

r roundsF

r

K

Distinguisher

?Substitution Layer

Key addition

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eCiphertext


9/27

Related WorkLinear Cryptanalysis:

I Multiple linear cryptanalysis [Baigneres, Junod, Vaudenay 04]

I Multidimensional linear cryptanalysis [Hermelin, Cho, Nyberg08]

Both use LLR and/or �2 statistical tests.

Differential Cryptanalysis:

I [Blondeau, Gerard 11]:The frequencies are sum up

I Here:We study the LLR and/or �2 statistical tests.


10/27

Multiple differential cryptanalysis (First Approach)

I Set of differences �in(v), �out

(v)

I With probabilities p

v

= P

X ,K [ E

K

(X )� E

K

(X � �(v)in ) = �(v)out ].

I Set of input differences �in(v) 2 �

in

.

Ip = 1

�in

Pv

p

v

expected probability.

I ✓ = 1�

in

Pv

12m

uniform probability.


11/27

Outline





12/27

Multiple Differential Cryptanalysis

I Fix input difference �in (To simplify the analysis)

I Vector of “difference”: V = [�(i)out] after r rounds,

Ip = [p

v

]v2V

vector of expected probabilities.

I ✓ = [✓v

]v2V

vector of uniform probabilities.


13/27

Discussion

Parallel Work for small ciphers: [Albrecht Leander 2012]

Whole distribution taken for SMALLPRESENT-[4] (16-bit cipher)Whole distribution taken for KATAN-32 (32-bit cipher)

Limits:

For actual ciphers the output size is too large (264 or 2128)

Application to real cipher:

Introduction of partitioning functions.


14/27

Partitioning function

We analyze two “orthogonal” cases

I Unbalanced partitioning

I Take a subset of simple differences

I Balanced partitioning

I Group the differences in order to be able to use information ofthe whole output space.


15/27

Unbalanced Partitioning

Idea: Subset of simple differences

I Output differences (�(i)out

)1iA

,I Counter for each of these differentials q

k

i

.

I AsP

A

i=1 q

k

i

6= 1I We have a “trash” counter q

k

0 which gather all other outputdifferences.

We increment the counter q

k

i

if the difference �(i)out

is obtained after partial deciphering.


16/27

Unbalanced Partitioning: Last Round Attack

�in

?V = [�(i)out]i

��* HHYV

Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e e


16/27


V = [�(i)out]i

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1 Active Sboxes


16/27


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1

Sieving processDiscard some ciphertext pairs


16/27


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0


6e 6e 6e For all key candidates,partially decipherk4 k3 k1

6�✓@I


16/27


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0


6e 6e 6ek4 k3 k1

6�✓@I If � = �(i)outIncrement q

k

i

OtherwiseIncrement q

k

0


16/27


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0


6e 6e 6ek4 k3 k1

6�✓@I If � = �(i)outIncrement q

k

i

OtherwiseIncrement q

k

0

Analyse the vectors q

k for each keyScoring function


17/27

Unbalanced Partionning: Remarks

Corresponding known/former attacks:I Differential cryptanalysis.

Advantage:I A sieving process ) “smaller” time complexity

Disadvantage:I Subset of output space ) not all informationI Small Probabilities ) Non-tightness of the information


18/27

Balanced Partitioning

Idea: Using information from all output differences by groupingthem.

Let V = [�(i)out]i a subspace of Fm

2

A group of differences �(i)out = �(i)out � V (V � V = Fm

2 )

A counter q

k

i

for each group of differences.We increment the counter q

k

i

if the difference � 2 �(i)out

is obtained partial deciphering.


19/27

Balanced Partitioning: Last Round Attack

�in

?\V

�out = �out � V

Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0

e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0


19/27


\V

�out = �out � V

S7 S6 S5 S4 S3 S2 S1 S0


S7 S6 S5 S4 S3 S2 S1 S0 Active Sboxes


19/27


\V

S7 S6 S5 S4 S3 S2 S1 S0


S7 S6 S5 S4 S3 S2 S1 S0

No Sieving processPartially decipher for all pairs


19/27


\V

S7 S6 S5 S4 S3 S2 S1 S0


S7 S6 S5 S4 S3 S2 S1 S0For all key candidates,

partially decipherk4 k3 k26e 6e 6eS4 S3 S2


19/27


\V

S7 S6 S5 S4 S3 S2 S1 S0


S7 S6 S5 S4 S3 S2 S1 S0

k4 k3 k26e 6e 6eS4 S3 S2

��*6HHYIf � 2 �(i)out � V

Increment q

k

i


19/27


\V

S7 S6 S5 S4 S3 S2 S1 S0


S7 S6 S5 S4 S3 S2 S1 S0

k4 k3 k26e 6e 6eS4 S3 S2

��*6HHYIf � 2 �(i)out � V

Increment q

k

i

Analyse the vectors q

k for each keyScoring function


20/27

Balanced Partitioning: Remarks

Corresponding known/former attacks:I Truncated Differential cryptanalysis.

Advantage:I Whole output space ) More informationI Bigger Probabilities ) Tightness of the information

Disadvantage:I No sieving process ) More time complexity

Mul

tiple

diff

eren

tialc

rypt

anal

ysis

usin

gLLR

and�

2S

tatis

tics

Oct

ober

,821

/27

Sta

tistic

alTe

sts

Pro

babi

lity

dist

ribut

ion

vect

ors

IE

xpec

ted:

p=

[pv

] v2

V

IU

nifo

rm:✓

IO

bser

ved:

q

k

(fora

give

nke

yca

ndid

ate)

LLR

test

:req

uire

sth

ekn

owle

dge

ofth

eth

eore

tical

prob

abili

typ

.

S

k

=LLR

k

(qk

,p,✓)

def

=N

s

X

v2

V

q

k

v

log✓

p

v ✓ v

◆.

�2

test

:Doe

sno

treq

uire

the

know

ledg

eof

pfo

rthe

atta

ck

S

k

=�

2 k

(qk

,✓)=

N

s

X

v2

V

(qk

v

�✓ v)2

✓ v.


22/27

Complexities

Let S(k) be the statistic obtained for a key candidate k .

S(k) = LLRk

(qk , p, ✓) or = �2k

(qk , ✓)

Then,

S(k) ⇠⇢N (µ

R

,�2R

) if k = K

r

,N (µ

W

,�2W

) otherwise.

In the paper:I Estimates of the value of µ

R

, µW

,�R

,�w

for both LLR and �2

statistical tests.I Estimates of the Data Complexity


23/27

Outline





24/27

Using unbalanced partitioning

Subset of output differences

0.5

0.6

0.7

0.8

0.9

20 22 24 26 28 30

P

S

log2(N)

LLR : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11

�2 : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11


25/27

Using balanced partitioning

Set of groups of output differences

0.5

0.6

0.7

0.8

0.9

19 21 23 25 27

P

S

log2(N)

LLR : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7

�2 : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7


26/27

Conclusions

Balanced or Unbalanced partitioning ?I Time Complexity: unbalanced ) faster attack.I Data Complexity: depends on the cipher.

LLR or �2?I If we have a good estimate of the expected probabilities

) LLR provides better Data and Memory complexitiesI Otherwise LLR is not effective


27/27

Work in Progress

Estimation of the Differential Probabilities

In TheoryI Estimation of truncated differential probabilities can be done

correlations.

In PracticeI Estimation of the correlations are “easy” on PRESENT CHOI We use them to compute the distribution vector.I We provide a multiple differential attack on PRESENT

Documents

Multiple differential cryptanalysis using LLR and 2 Statistics