Truncated Differentials - COSIC · Truncated differentials Impossible differentials Truncated...

Differential cryptanalysisCipherFOUR

Truncated differentialsImpossible differentials

Truncated Differentials

Lars R. Knudsen

DTU Mathematics

Spring 2011

Lars R. Knudsen Truncated Differentials



Outline

1 Differential cryptanalysis

2 CipherFOUR

3 Truncated differentials

4 Impossible differentials




Differential cryptanalysis: the idea

Differential cryptanalysis on iterated cipherstrace difference in chosen plaintexts through encryptionprocess;

predict difference in next to last round of encryption;

guess key in last round, compute backwards.




Outline


2 CipherFOUR






CIPHERFOUR

k1

????? ???? ???? ????�

��

��

��

@@@

��

��

��

HH

HHH

@@@

��

PPPPPPP

HH

HHH

@@@

S S S S???? ???? ???? ?????

?- d

mk0

????? ???? ???? ????�

��

��

��

@@@

��

��

HHHHH

@@@

��

PPPPPPP

HHHHH

@@@

S S S S???? ???? ???? ?????

?- d




5 rounds of CIPHERFOUR

c

k4

k5 ?

?- d???? ???? ???? ????

S S S S???? ???? ???? ?????

?- d

k3

????? ???? ???? ????�

��

��

��

@@@

��

��

��

HHH

HH

@@@

��

PPPPPPP

HHH

HH

@@@

S S S S???? ???? ???? ?????

?- d

k2

????? ???? ???? ????�

��

��

��

@@@

��

��

HHHHH

@@@

��

PPPPPPP

HHHHH

@@@

S S S S???? ???? ???? ?????

?- d




Characteristic

Consider(0, 0, 2, 0)

(S,S,S,S)→ (0, 0, 2, 0)

which has probability 6/16 and note that

(0, 0, 2, 0)P→ (0, 0, 2, 0)

Thus(0, 0, 2, 0)

R→ (0, 0, 2, 0)




Characteristic

(0, 0, 2, 0)R→ (0, 0, 2, 0)

R→ (0, 0, 2, 0)

with probability(6/16)2

and

(0, 0, 2, 0)R→ (0, 0, 2, 0)

R→ (0, 0, 2, 0)R→ (0, 0, 2, 0)

R→ (0, 0, 2, 0)

with probability(6/16)4 ≈ 0.02.

ExampleAttack 5 rounds by guessing (parts of) the last round key.




Differential Attack of CIPHERFOUR

k4

k5

c0 c1 c2 c3

0 0 2 0

0 0 ? 0?

?

- f???? ???? ???? ????

S S S S???? ???? ???? ????

?

?- f

k30 0 2 0

????? ???? ???? ????�

��

��

��

@@

@

��

�

��

HHHH

HH

@@

@

��

�

PPPPPPPPP

HHHHHH

@@

@

S S S S???? ???? ???? ????

?

?- f




Differentials

ObservationWhen using

(0, 0, 2, 0)R→ (0, 0, 2, 0)

R→ (0, 0, 2, 0)R→ (0, 0, 2, 0)

R→ (0, 0, 2, 0)

we do not care about the intermediate differences!

What we are really interested in is

(0, 0, 2, 0)R→?

R→?R→?

R→ (0, 0, 2, 0)

or(0, 0, 2, 0)

4R→ (0, 0, 2, 0).




Differentials

(0, 0, 2, 0)4R→ (0, 0, 2, 0).

There are at least four characteristics involved

(0, 0, 2, 0)R−→ (0, 0, 2, 0)

R−→ (0, 0, 2, 0)R−→ (0, 0, 2, 0)

R−→ (0, 0, 2, 0),

(0, 0, 2, 0)R−→ (0, 0, 0, 2)

R−→ (0, 0, 0, 1)R−→ (0, 0, 1, 0)

R−→ (0, 0, 2, 0),

(0, 0, 2, 0)R−→ (0, 0, 0, 2)

R−→ (0, 0, 1, 0)R−→ (0, 0, 2, 0)

R−→ (0, 0, 2, 0),

(0, 0, 2, 0)R−→ (0, 0, 2, 0)

R−→ (0, 0, 0, 2)R−→ (0, 0, 1, 0)

R−→ (0, 0, 2, 0).

P((0, 0, 2, 0)4R→ (0, 0, 2, 0)) ≈ 0.081 > 0.02.





k4

k5

c0 c1 c2 c3

0 0 2 0

0 0 ? 0?

?

- f???? ???? ???? ????

S S S S???? ???? ???? ????

?

?- f

k3? ? ? ?

????? ???? ???? ????�

��

��

��

@@

@

��

�

��

HHHH

HH

@@

@

��

�

PPPPPPPPP

HHHHHH

@@

@

S S S S???? ???? ???? ????

?

?- f




CIPHERFOUR: Experimental Results

Differential attack on 5 rounds

Attacker tries to determine four bits of the key

Experiment

Number of texts Differential attack32 64%64 76%128 85%256 96%




Outline


2 CipherFOUR






Truncated differentials

DefinitionA (differential) characteristic predicts the difference in a pair oftexts after each round of encryption.

DefinitionA differential is a collection of characteristics.





DefinitionA truncated characteristic predicts only part of the difference ina pair of texts after each round of encryption.

DefinitionA truncated differential is a collection of truncatedcharacteristics.





S-box from beforeBit notation:

0010 S→ 0010 has probability 616 .

0010 S→ ?0 ? ? has probability 1.




Distribution table

in \out 0 1 2 3 4 5 6 7 8 9 a b c d e f0 16 - - - - - - - - - - - - - - -1 - - 6 - - - - 2 - 2 - - 2 - 4 -2 - 6 6 - - - - - - 2 2 - - - - -3 - - - 6 - 2 - - 2 - - - 4 - 2 -4 - - - 2 - 2 4 - - 2 2 2 - - 2 -5 - 2 2 - 4 - - 4 2 - - 2 - - - -6 - - 2 - 4 - - 2 2 - 2 2 2 - - -7 - - - - - 4 4 - 2 2 2 2 - - - -8 - - - - - 2 - 2 4 - - 4 - 2 - 29 - 2 - - - 2 2 2 - 4 2 - - - - 2a - - - - 2 2 - - - 4 4 - 2 2 - -b - - - 2 2 - 2 2 2 - - 4 - - 2 -c - 4 - 2 - 2 - - 2 - - - - - 6 -d - - - - - - 2 2 - - - - 6 2 - 4e - 2 - 4 2 - - - - - 2 - - - - 6f - - - - 2 - 2 - - - - - - 10 - 2





Input difference 2 to S-box lead only to output differences1, 2, 9, and a. So for one round

(0000 0000 0010 0000)R−→

(0000 0000 0010 0000) or(0000 0000 0000 0010) or(0010 0000 0010 0000) or(0010 0000 0000 0010)





(0000 0000 0010 0000)R−→ (00?0 0000 00?0 00?0)

(0000 0000 0000 0010)R−→ (000? 0000 000? 000?)

(0010 0000 0010 0000)R−→ (?0?0 0000 ?0?0 ?0?0)

(0010 0000 0000 0010)R−→ (?00? 0000 ?00? ?00?)

(0000 0000 0010 0000)(0000 0000 0000 0010)(0010 0000 0010 0000)(0010 0000 0000 0010)

R−→ (? 0?? 0000 ?0?? ?0??)





Leads to a 2-round truncated differential

(0000 0000 0010 0000)R−→ (? 0?? 0000 ? 0?? ? 0??)

Adding another round gives

(? 0?? 0000 ? 0?? ? 0??)R−→ (? 0?? ? 0?? ? 0?? ? 0??).





This leads to a 3-round truncated differential

(0000 0000 0010 0000)3R−−→ (? 0?? ? 0?? ? 0?? ? 0??)

of probability 1!

Can we extend this further?





Consider the 1-round characteristic(0000 0000 0010 0000)

R−→ (0000 0000 0010 0000).

A pair will follow this characteristic if 2 S−→ 2Choose 16 texts

(t0, t1, i , t2),

where i = 0, . . . , 15 and t0, t1, t2 are arbitrary and fixed.Any two (different) texts lead to a pair of difference

(t0 ⊕ t0 t1 ⊕ t1 i ⊕ j t2 ⊕ t2) =(0000 0000 ???? 0000).





How many pairs lead to difference (0000 0000 0010 0000)after the first S-box?

Exactly eight (distinct pairs)!

For these eight pairs one gets

(0000 0000 ???? 0000)R−→ (0000 0000 0010 0000).

With correct guess of four-bit key one can easily identifythese eight.





Summing up: yields a 4-round truncated differential

(0000 0000 ???? 0000)4R−−→ (? 0?? ? 0?? ? 0?? ? 0??)

which for correct guess of 4-bit key in 1st round, gives 8 rightpairs from pool of 16 texts.

5-round attack: run attack for all values of 4 bits of k0 and 4times 4 bits of k5.





k4

k5

c0 c1 c2 c3

? 0?? ? 0?? ? 0?? ? 0??

?

?

- f???? ???? ???? ????

S S S S???? ???? ???? ????

?

?- f

k3

????? ???? ???? ????�

��

��

��

@@

@

��

�

��

HHHH

HH

@@

@

��

�

PPPPPPPPP

HHHHHH

@@

@

S S S S???? ???? ???? ????

?

?- f





5-round attack on CIPHERFOUR

Experiment

Number of texts Differentials Truncated differentials16 . 28% (4+4)32 . 78% (4+9)48 . 97% (4+12)64 76% (4)128 85% (4)256 96% (4)

Numbers in brackets denote the number of key bits identified




Outline


2 CipherFOUR






Impossible differentials

Traditionally in differential attack, aim is to find differentialof high probability

A differential of low probability can be equally useful

S/N should be different from one:S/N > 1, right value of key suggested the mostS/N < 1, right value of key suggested the least




Truncated differentials - Feistel network

Consider Feistel network where round function is abijection for any fixed key

Consider a differential (α, 0) such that the difference in theleft halves of the plaintexts is α and where the right halvesare equal

It follows that after 5 rounds of encryption, the difference inthe ciphertexts will never be (0, α)

Can be used in attacks on such ciphers with more than 5rounds by guessing keys and computing backwards

For the correct key guesses the computed difference willnever be (0, α)





f

f

f

�

�

�

�

�

�

⊕

⊕

⊕

(((((((((((

(((((((((((

(((((((((((

hhhhhhhhhhh

hhhhhhhhhhh

hhhhhhhhhhh

βγ

αβ

00

0α α 6= 0

β 6= 0

γ 6= 0

α⊕ γβ





f

f

f

�

�

�

�

�

�

⊕

⊕

⊕

(((((((((((

(((((((((((

hhhhhhhhhhh

hhhhhhhhhhh

α0 α

00

α⊕ γβ




Skipjack (Biham, Biryukov, Shamir)

Skipjack - a 32-round iterated block cipher by NSA

there exists truncated differentials of Skipjackfor 12 encryption rounds of probability one(0, a, 0, 0)

12r−→ (b, c, d , 0)

for 12 decryption rounds of probability one(f , g, 0, h)

12r←− (e, 0, 0, 0)

for 24 rounds of probability zero (0, a, 0, 0)24r−→ (e, 0, 0, 0)

these can be used to break Skipjack with 31 rounds fasterthan by an exhaustive key search




Skipjack (continued)

Skipjack is an iterated 64-bit block cipher using an 80-bitkey and running in 32 rounds, see Figure next page.Encryption of a 64-bit plaintext consists of first applyingeight A-rounds, then eight B-rounds, once again eightA-rounds and finally eight B-rounds. A round counter isadded to one of the 16-bit words in each round. The keyschedule is simple but this and the round counter is notimportant for the illustration here.

There is a twelve-round truncated differential of probabilityone through 4 A-rounds and 8 B-rounds.

There is a twelve-round truncated differential of probabilityone through 4 inverse B-rounds and 8 inverse A-rounds.




Skipjack graph (G takes 16-bit round key)

A B C D

?

? ? ?

�

Gi+?

pA B C D

Skipjack A-round

A B C D

?

?

?

? ??

G-p i+

A B C D

Skipjack B-round


Higher order differentials

Higher Order Differentials

Lars R. Knudsen

DTU Mathematics

Spring 2011

Lars R. Knudsen Higher Order Differentials


Outline

1 Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack


Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack

Higher order differentials (Lai)

1st-order differentialthe conventional differential where

f (x)⊕ f (x ⊕ α)

where α 6= 0 is well-chosen value.

2nd-order differentialinvolves tuple of 4 texts and difference

f (x)⊕ f (x ⊕ α)⊕ f (x ⊕ β)⊕ f (x ⊕ α⊕ β)

where α, β are distinct, non-zero values.




Consider difference α 6= 0 through f .

DefinitionThe (first-order) derivative of f at point α:

∆αf (x) = f (x ⊕ α)⊕ f (x).

Definitiond th order derivative of f at point α1, . . . , αd is defined

∆α1,...,αd f (x) = ∆αd (∆α1,...,αd−1 f (x)).




Consider functions over GF (2).

A d th order derivative involves 2d function values of f .

The points (α1, . . . , αd) must be linearly independent whenviewed as bit-vectors.

The arguments to f form a d th dimensional subspace.



Algebraic degree

Let f : {0, 1}3 → {0, 1} be a Boolean function, s.t.,

f (x) = f (x2, x1, x0) = x2x1x0 + x0 + 1.

The algebraic degree of f is three.

Let g : {0, 1}3 → {0, 1} be a Boolean function, s.t.,

g(x2, x1, x0) = x2x1 + x0x2 + x2 + x1 + 1.

The algebraic degree of g is two.



Algebraic degree and higher order differentials

Let f : {0, 1}3 → {0, 1} be function, s.t.,

f (x2, x1, x0) = x2x1x0 + x0 + 1.

Algebraic degree of f is three.

Consider the first order derivative at the point 1 = (0, 0, 1)

∆1f (x) = x2x1 + 1.

The algebraic degree of ∆1f (x) is two.




Consider the second order derivative of f

∆1,2f (x) = x2.

The algebraic degree of ∆1,2f (x) is one.

Consider the third order derivative of f

∆1,2,4f (x) = 1.

The algebraic degree of ∆1,2,4f (x) is zero.




FactLet f be a Boolean function of algebraic degree d.The algebraic degree of a dth order derivative of f is zero.

ExtensionLet h : {0, 1}n → {0, 1}m be function. h can be described asconcatenation of m Boolean functions hi : {0, 1}n → {0, 1}. Thehis are called coordinate functions of h.

DefinitionLet h : {0, 1}n → {0, 1}m be function. The algebraic degree of his maximum algebraic degree of the coordination functions hi .




DefinitionLet h : {0, 1}n → {0, 1}m be function. The algebraic degree of his maximum algebraic degree of the coordination functions hi .

FactLet h be a function of algebraic degree d.The algebraic degree of a dth order derivative of h is zero.

FactLet h be a function of algebraic degree d.The value of a (d + 1)st order derivative of h is zero.



Higher order differential attack

Consider the iterated cipher

m −→

k0↓g −→

k1↓g −→

k2↓g −→

k3↓g −→ x −→

k4↓g −→ c

Assume algebraic degree of g is two.Algebraic degree of x (as a function of m) is a most 16.Specify 17th order differential.Guess k4, compute backwards, check if value is zero.



Boomerang attack - 2nd order differential (Wagner)

assume encryption process ENCk (m) can be written

m −→

k1↓

E1 −→ x −→

kA↓

Ak −→ y −→

k2↓

E2 −→ c

where Ak is key-dependent affine transformation

suppose there exist differentials of probs p1 and p2

αENC1−−−−→ β and β

DEC1−−−−→ α

suppose there is differential of prob q: γDEC2−−−−→ φ

combine to boomerang of probability p1p2q2



Boomerang attack - a 2nd order differential

m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c

m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ

m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2

m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ

if∑

yi = 0 then∑

xi = 0

if boomerang holds then m3 ⊕m4 = α

four half-cipher differentials, boomerang probability p1p2q2

note that we pass through Ak “for free”.



Conclusion from me

modern block ciphers introduced with DES

differential and linear cryptanalysis started new era

many advanced attacks on block ciphers today

many interesting designs, many unbroken proposals

good understanding of block cipher security

latest trend: lightweight block ciphers



The Block Cipher Companion

By Lars R. Knudsen and Matt Robshaw.

Available in a few weeks from now via Springer and Amazon!Lars R. Knudsen Higher Order Differentials

Truncated Differentials - COSIC · Truncated differentials Impossible differentials Truncated...

Documents

Transcript of Truncated Differentials - COSIC · Truncated differentials Impossible differentials Truncated...