The Improbable Differential Attack: Cryptanalysis of ...cihangir.forgottenlance.com/presentations/bilkent.pdf · Outline Introduction The Improbable Di erential Attack CLEFIAConclusion

Outline Introduction The Improbable Differential Attack CLEFIA Conclusion

The Improbable Differential Attack:Cryptanalysis of Reduced Round CLEFIA

Cihangir TEZCAN

Ecole Polytechnique Federale de Lausanne, Switzerland

July 20, 2011Bilkent University, Ankara, Turkey

Cihangir TEZCAN The Improbable Differential Attack


Outline

1 Introduction

2 The Improbable Differential Attack

IntroductionTwo Techniques to Obtain Improbable Differentials

3 CLEFIA

Specifications13-round Improbable Differential Attack

4 Conclusion



A (Very) Short Introduction to Differential Cryptanalysis

Differential Cryptanalysis

Discovered by E. Biham and A. Shamir, early 1980s

Find a path (characteristic) so that when the input differenceis α, output difference is β with high probability

Truncated Differential Cryptanalysis

Discovered by L. Knudsen, 1994Find a path (differential) so that when the input difference isα, output difference is β with high probabilityOnly parts of the differences α and β are specified

Impossible Differential Cryptanalysis

Discovered by E. Biham, A. Biryukov, A. Shamir, 1998Find a path (impossible differential) so that when the inputdifference is α, the output difference is never β

And others (Higher-order Differential, Boomerang,...)





Discovered by E. Biham and A. Shamir, early 1980sFind a path (characteristic) so that when the input differenceis α, output difference is β with high probability












Discovered by L. Knudsen, 1994

Find a path (differential) so that when the input difference isα, output difference is β with high probabilityOnly parts of the differences α and β are specified










Discovered by L. Knudsen, 1994Find a path (differential) so that when the input difference isα, output difference is β with high probability

Only parts of the differences α and β are specified






















Discovered by E. Biham, A. Biryukov, A. Shamir, 1998

Find a path (impossible differential) so that when the inputdifference is α, the output difference is never β

























Statistical attacks on block ciphers make use of a property ofthe cipher so that an incident (characteristic, differential,...)occurs with different probabilities depending on whether thecorrect key is used or not.

Probability of the probability of theAttack Type incident for incident for Note

a wrong key the correct keyStatistical Attacks p p0 p0 > p

(Differential, Truncated,...)Impossible Differential p 0 p0 = 0Improbable Differential p p0 p0 < p







(Differential, Truncated,...)

Impossible Differential p 0 p0 = 0Improbable Differential p p0 p0 < p







(Differential, Truncated,...)Impossible Differential p 0 p0 = 0

Improbable Differential p p0 p0 < p







(Differential, Truncated,...)Impossible Differential p 0 p0 = 0Improbable Differential p p0 p0 < p



Improbable Differentials

Assume that α and β differences are observed with probabilityp for a random key.

Obtain a nontrivial differential so that a pair having α inputdifference have β′ output difference with probability p′ whereβ′ is different than β.

Hence for the correct key, probability of observing thesedifferences becomes p0 = p · (1− p′).

Caution

If there are nontrivial differentials from α to β, p0 becomes biggerthan p · (1− p′).







Caution








Caution








Caution




Two Techniques to Obtain Improbable Differentials

Two methods to obtain improbable differentials:

1 Use two differentials that miss in the middle with highprobability (almost miss in the middle technique)

2 Expand impossible differentials to improbable diffrentials byadding a differential to the top and/or below the impossibledifferential (expansion technique)



Almost Miss-in-the-Middle Technique

α

δ

γ

β

p1

p2

p’=p1.p2




Two methods to obtain improbable differentials:

1 Use two differentials that miss in the middle with highprobability (almost miss in the middle technique)

2 Expand impossible differentials to improbable diffrentials byadding a differential to the top and/or below the impossibledifferential (expansion technique)



Improbable Differentials from Impossible Differentials

δ

γ

p’=1




δ

γ

αp1

p’=p1




δ

γ

α

β

p1

p2

p’=p1.p2



Pros and Cons of the Expansion Method

Pros:

Longer differentials

Attack on more rounds

Cons:

Data complexity increases (because p0 increases)

Time complexity increases (since we use more data)

Memory complexity increases (we need to keep counters forthe guessed keys)



Pros and Cons of the Expansion Method

Pros:

Longer differentials

Attack on more rounds

Cons:

Data complexity increases (because p0 increases)

Time complexity increases (since we use more data)

Memory complexity increases (we need to keep counters forthe guessed keys)



Data Complexity and Success Probability

Blondeau et al. proposed acurate estimates of the data complexityand success probability for many statistical attacks includingdifferential and truncated differential attacks.

By making appropriate changes, these estimates can be used forimprobable differential attacks, too.



Data Complexity and Success Probability

Blondeau et al. proposed acurate estimates of the data complexityand success probability for many statistical attacks includingdifferential and truncated differential attacks.

By making appropriate changes, these estimates can be used forimprobable differential attacks, too.



Previous attacks where p0 < p

Early examples of improbable differential attack:

J. Borst, L. Knudsen, V. Rijmen: ”Two Attacks on ReducedIDEA”

L. Knudsen, V. Rijmen: ”On the Decorrelated Fast Cipher(DFC) and Its Theory”



CLEFIA

Developed by Sony in 2007

Clef means key in French.

Block length: 128 bits

Key lengths: 128, 192, and 256 bits

Number of rounds: 18, 22, or 26

Previous best attacks: Impossible differential attacks on 12,13, 14 rounds for 128, 192, 256-bit key lengths by Tsunoo etal.

We converted these attacks to improbable differential attacksusing the expansion technique

Current best attacks: Improbable differential attacks on 13,14, 15 rounds for 128, 192, 256-bit key lengths



CLEFIA

Developed by Sony in 2007

Clef means key in French.

Block length: 128 bits

Key lengths: 128, 192, and 256 bits

Number of rounds: 18, 22, or 26

Previous best attacks: Impossible differential attacks on 12,13, 14 rounds for 128, 192, 256-bit key lengths by Tsunoo etal.

We converted these attacks to improbable differential attacksusing the expansion technique

Current best attacks: Improbable differential attacks on 13,14, 15 rounds for 128, 192, 256-bit key lengths



CLEFIA: Encryption Function

F0 F1

RK0 RK1

X{0,0} X{0,1} X{0,2} X{0,3}

WK0 WK1

F0 F1

RK2 RK3

.

.

....

.

.

....

F0 F1

RK2r-2 RK2r-1

WK2 WK3

C0 C1 C2 C3



CLEFIA: F0 and F1 Functions

k0 k3k2k1

x0x1x2x3

y0y1y2y3

k0 k3k2k1

x0x1x2x3

y0y1y2y3

S0S1S0S1

S1S0S1S0

M0

M1

F0

F1



10-round Improbable Differential

We will use the following two 9-round impossible differentials thatare introduced by Tsunoo et al.,

[0(32), 0(32), 0(32), [X , 0, 0, 0](32)] 99r [0(32), 0(32), 0(32), [0,Y , 0, 0](32)][0(32), 0(32), 0(32), [0, 0,X , 0](32)] 99r [0(32), 0(32), 0(32), [0,Y , 0, 0](32)]

where X(8) and Y(8) are non-zero differences.



10-round Improbable Differential

We obtain 10-round improbable differentials by adding thefollowing one-round differentials to the top of these 9-roundimpossible differentials,

[[ψ, 0, 0, 0](32), ζ(32), 0(32), 0(32)]→1r [0(32), 0(32), 0(32), [ψ, 0, 0, 0](32)][[0, 0, ψ, 0](32), ζ

′(32), 0(32), 0(32)]→1r [0(32), 0(32), 0(32), [0, 0, ψ, 0](32)]

which hold when the output difference of the F0 function is ζ(resp. ζ ′) when the input difference is [ψ, 0, 0, 0] (resp. [0, 0, ψ, 0]).



13-round Improbable Differential Attack

We choose ψ and corresponding ζ and ζ ′ depending on thedifference distribution table (DDT) of S0 in order to increase theprobability of the differential. In this way we get p′ ≈ 2−5.87.

We put one additional round on the plaintext side and twoadditional rounds on the ciphertext side of the 10-roundimprobable differentials to attack first 13 rounds of CLEFIA thatcaptures RK1, RK23,1 ⊕WK2,1, RK24, and RK25.




We choose ψ and corresponding ζ and ζ ′ depending on thedifference distribution table (DDT) of S0 in order to increase theprobability of the differential. In this way we get p′ ≈ 2−5.87.

We put one additional round on the plaintext side and twoadditional rounds on the ciphertext side of the 10-roundimprobable differentials to attack first 13 rounds of CLEFIA thatcaptures RK1, RK23,1 ⊕WK2,1, RK24, and RK25.




∆x{0,0}=0 ∆x{0,1}=[ψ,0,0,0] ∆x{0,2}=ζ ∆x{0,3}=X

∆x{1,0}=[ψ,0,0,0] ∆x{1,1}=ζ ∆x{1,2}=0 ∆x{1,3}=0

∆x{11,3}=0∆x{11,2}=[0,Y,0,0]∆x{11,1}=0∆x{11,0}=0

∆x{12,3}=0∆x{12,2}=β∆x{12,1}=[0,Y,0,0]∆x{12,0}=0

∆x{13,0}=0 ∆x{13,1}=[0,Y,0,0] ∆x{13,2}=β ∆x{13,3}=γ

F0 F1

F0

F0

F0

F1

F1

F1

} 10-roundimprobabledi�erential

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

WK0

WK1

WK2

WK3

RK0 RK1

RK2 RK3

RK22 RK23

RK24 RK25

WK2




Table: Comparison of Tsunoo et al.’s impossible attack with theexpanded improbable attack

Rounds Attack Key Data Time Memory SuccessType Length Complexity Complexity (blocks) Probability

12 Impossible 128 2118.9 2119 273 -13 Improbable 128 2126.83 2126.83 2101.32 %99



14 and 15-round Improbable Differential Attacks

By using the similar expansion technique, we can apply improbabledifferential attack on

14-round CLEFIA when the key length is 192 bits

15-round CLEFIA when the key length is 256 bits



Conclusion

We provided

1 a new cryptanalytic technique called improbable differentialattack where a differential holds with less probability whentried with the correct key

2 two techniques to obtain improbable differentials

3 data complexity estimates for improbable differential attacks

4 state of art attacks on the block cipher CLEFIA


Introduction Games and Security Padding Schemes Conclusion

On Hiding a Plaintext Length by Preencryption

Cihangir TEZCAN and Serge VAUDENAY

Ecole Polytechnique Federale de Lausanne (EPFL), Switzerland

July 20, 2011Bilkent University, Ankara, Turkey

Cihangir TEZCAN and Serge VAUDENAY On Hiding a Plaintext Length by Preencryption


Outline

1 Introduction

2 Games and Security

3 Padding Schemes

4 Conclusion



Introduction

Problem: Encryption schemes cannot hide a plaintext length whenplaintext domain is unbounded.

Moreover, an approximation of theplaintext length may leak some information.

A Solution: Use random padding before the encryption.

e.g. TLS Protocol version 1.2 allows to pad up to 211 bits tofrustrate attacks based on the lengths of exchanged messages (butthe resulting length must be a multiple of the block size).

Aim: To formalize preencryption schemes and define appropriatesecrecy.



Introduction

Problem: Encryption schemes cannot hide a plaintext length whenplaintext domain is unbounded. Moreover, an approximation of theplaintext length may leak some information.






Introduction







Introduction







Introduction







Games and Security

∆-IND-OTE Game

1 Challenger generates a key K and discloses its public part Kp

2 Adversary selects plaintexts x0 and x1 where ||x0| − |x1|| ≤ ∆

3 Challenger flips a coin b, computes EncK (xb) = Y and gives Y tothe adversary

4 Adversary guesses b′ and wins if b′ = b

IND-OTE security corresponds to the ∆ = 0 case.

Definition

The advantage is Pr[b = b′]− 12 . We say that the encryption scheme is

∆-IND-OTE(t, ε)-secure if for all adversary with time complexity limitedby t, the advantage is at most ε.



Games and Security

∆-IND-OTE Game






Definition





Games and Security

∆-IND-OTE Game






Definition





Games and Security

∆-IND-OTE Game






Definition





Games and Security

∆-IND-OTE Game






Definition





Games and Security

∆-IND-OTE Game






Definition





Preencryption Schemes

Definition

Given two plaintext domains X and X 0, a preencryption scheme from Xto X 0 is a pair of algorithms

a (probabilistic) algorithm pre such that for all x ∈ X , pre(x) ∈ X 0

with probability 1

a (deterministic) algorithm Extract

where Extract(pre(x)) = x with probability 1.

a preencryption scheme is B-almost length preserving if||pre(x)| − |x || ≤ B with probability 1 for all x .

a preencryption scheme is length-increasing if |pre(x)| ≥ |x | withprobability 1 for all x .




Definition



with probability 1








Definition



with probability 1








∆-IND Game:


2 Challenger flips a coin b, computes |pre(xb)| = L and gives L to theadversary


Definition (Security and Advantage)

A preencryption scheme is ∆-IND (t, ε)-secure if for all adversary A withtime complexity limited by t, the advantage in the following game is atmost ε. The advantage is defined as Pr[b = b′]− 1

2 .




∆-IND Game:






2 .




∆-IND Game:






2 .




∆-IND Game:






2 .




Theorem

For an IND-OTE-secure encryption C 0 which fully leaks the plaintextlength, the ∆-IND security of P is necessary and sufficient to have C∆-IND-OTE-secure where C (x) = C 0(pre(x)).

i.e. P ∆-IND-secure + C 0 IND-OTE-secure => C ∆-IND-OTE-secure




Theorem

For an IND-OTE-secure encryption C 0 which fully leaks the plaintextlength, the ∆-IND security of P is necessary and sufficient to have C∆-IND-OTE-secure where C (x) = C 0(pre(x)).

i.e. P ∆-IND-secure + C 0 IND-OTE-secure => C ∆-IND-OTE-secure



Advantage

Definition

Given a set of integers A, x0 and x1, we define a ∆-IND adversaryDA(x0, x1) as the one selecting x0 and x1 then yielding b′ = 1 if and onlyif L ∈ A. We define AdvA(x0, x1) as the advantage of this adversary.

Notation

We denote Adv(x0, x1) as the maximal advantage for adversaries selectingx0 and x1.

Actually, Adv(x0, x1) is the statistical distance between |pre(x0)| and|pre(x1)|.



Advantage

Definition


Notation





Advantage

Definition


Notation





Maximal Security of the Pad-then-Encrypt Scheme

Definition

A padding scheme defines the preencryption scheme pre(x) = x‖pad(x).

Note that preencryption schemes made out from a padding scheme areall length-increasing.

Example

Let B = 11 and N be the binomial distribution with parameters 10 and 12 .

Let the lengths of the two chosen plaintexts for the ∆-IND game be|x0| = 24 and |x1| = 27.




Definition



Example






Definition



Example





An Example

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0 2 4 6 8 10

Prob

abili

ty

Padding Length



An Example

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

24 26 28 30 32 34 36 38 40

Prob

abili

ty

Preencryption Length




Theorem (Lower bound)

If P is length-increasing and B-almost length-preserving, then there existsan adversary with advantage at least 1

2d B∆e

.

Some assumptions:

(uniformity) the distribution of the padding length is fixed (it doesnot depend on the plaintext)

(almost length-preserving) the padding length is in {1, . . . ,B}






2d B∆e

.

Some assumptions:








2d B∆e

.

Some assumptions:





Uniform Padding Schemes

We are considering the ∆-IND game where ||x0| − |x1|| ≤ ∆, N is thedistribution for the padding length, and |pad(x)| ≤ B. Three questionsto answer:

1 Given B and ∆, what is the optimal distribution N?

(uniformdistribution is nearly optimal)

2 What is the ε-security of the optimal distribution? (nearly ∆2B )

3 Given ∆, to obtain ε-security, what should be the padding length B?(nearly ∆

2ε )





1 Given B and ∆, what is the optimal distribution N? (uniformdistribution is nearly optimal)



2ε )






2 What is the ε-security of the optimal distribution?

(nearly ∆2B )


2ε )








2ε )







3 Given ∆, to obtain ε-security, what should be the padding length B?

(nearly ∆2ε )








2ε )




Example

The padding scheme that has uniformly distributed padding length in

{1, . . . ,B} has advantage Adv(x0, x1) = ||x1|−|x0||2B . So, this preencryption

scheme is ∆-IND(t, ∆

2B

)-secure for all ∆ and any t.



Example: Uniform Distribution

0

0.02

0.04

0.06

0.08

0.1

10 15 20 25 30 35

Prob

abili

ty

Preencryption Length




Thus, we have ∆2B ≥ Adv(a, b) ≥ 1

2d B∆e

.

Theorem (∆ = 2 Case)

Consider a uniform strictly length-increasing and B-almostlength-preserving padding scheme. If B is odd and ∆ = 2 thenAdv(a, b) ≥ B

B2+1 .




Thus, we have ∆2B ≥ Adv(a, b) ≥ 1

2d B∆e

.

Theorem (∆ = 2 Case)

Consider a uniform strictly length-increasing and B-almostlength-preserving padding scheme. If B is odd and ∆ = 2 thenAdv(a, b) ≥ B

B2+1 .



Table: Security when ∆ = 2 and B is odd

B Uniform Distribution ∆2B Best Achievable B

B2+1Lower Bound 1

2⌈B∆

⌉3 0.333333333333333 0.3 0.255 0.2 0.192307692307692 0.1666666666666677 0.142857142857143 0.14 0.1259 0.111111111111111 0.109756097560976 0.111 0.0909090909090909 0.0901639344262295 0.083333333333333313 0.0769230769230769 0.0764705882352941 0.071428571428571415 0.0666666666666667 0.0663716814159292 0.062517 0.0588235294117647 0.0586206896551724 0.055555555555555619 0.0526315789473684 0.0524861878453039 0.0521 0.0476190476190476 0.0475113122171946 0.045454545454545523 0.0434782608695652 0.0433962264150943 0.041666666666666725 0.04 0.0399361022364217 0.038461538461538527 0.037037037037037 0.036986301369863 0.035714285714285729 0.0344827586206897 0.0344418052256532 0.033333333333333331 0.032258064516129 0.0322245322245322 0.0312533 0.0303030303030303 0.0302752293577982 0.029411764705882435 0.0285714285714286 0.0285481239804241 0.027777777777777837 0.027027027027027 0.027007299270073 0.026315789473684239 0.0256410256410256 0.0256241787122208 0.02541 0.024390243902439 0.0243757431629013 0.023809523809523843 0.0232558139534884 0.0232432432432432 0.022727272727272745 0.0222222222222222 0.0222112537018756 0.021739130434782647 0.0212765957446809 0.0212669683257919 0.020833333333333349 0.0204081632653061 0.0203996669442132 0.02



Some Consequences

TLS Protocol version 1.2 allows to pad up to B = 211 bits tofrustrate attacks based on the lengths of exchanged messages. So itis ∆-IND(t, ∆

212 )-secure.

However, the resulting length must be amultiple of the block size. For example, B = 32 blocks of data whenthe block cipher uses blocks of 64 bits. So the real security is ε = ∆

25 .

Usual security levels cannot be obtained for the ∆-IND-OTE gamein practice. e.g. To have 2−80-indistinguishable two plaintexts with asingle bit of length difference (i.e. 1-IND-OTE(t, 2−80)), we need toappend a padding of length 279 bits.



Some Consequences


212 )-secure. However, the resulting length must be amultiple of the block size. For example, B = 32 blocks of data whenthe block cipher uses blocks of 64 bits. So the real security is ε = ∆

25 .




Some Consequences


212 )-secure. However, the resulting length must be amultiple of the block size. For example, B = 32 blocks of data whenthe block cipher uses blocks of 64 bits. So the real security is ε = ∆

25 .




Conclusion

We formalized the notion of preencryption scheme and its associated∆-IND security notion.

We formalized the pad-then-encrypt technique and showed that∆-IND-security is necessary and sufficient to make an encryptionscheme ∆-IND-OTE secure.

We showed that there is always an adversary with advantage nearly∆2B . So, insecurity degrades linearly with the padding length B.

We showed that a padding scheme making padding lengthsuniformly distributed is nearly optimal.



Conclusion







Conclusion







Conclusion







Conclusion

THANK YOU FOR YOURATTENTION


Documents

The Improbable Differential Attack: Cryptanalysis of ...cihangir.forgottenlance.com/presentations/bilkent.pdf · Outline Introduction The Improbable Di erential Attack CLEFIAConclusion