Improving impossible differential cryptanalysis
Christina Boura joint work with Virginie Lallemand, María Naya-Plasencia and Valentin Suder
Séminaire CCA, June 12, 2015
1 / 39 Block ciphers
$E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n,\quad (m, K) \mapsto E(m, K) = c$
[Figure: m → E_K → c]
Lightweight block ciphers
Block ciphers designed for constrained environments (RFID tags, sensor networks, ...). A high number of proposals in the last few years (PRESENT, CLEFIA, LED, LBlock, Piccolo, TWINE, KLEIN, Zorro, PRINTcipher, PRINCE, SIMON, SPECK, ...). New ISO/IEC standards: PRESENT, CLEFIA.
Need to identify the robust algorithms for future use.
Cryptanalysis of block ciphers
In symmetric-key cryptography security proofs are partial and insufficient.
The only way to conclude that a block cipher is strong is to evaluate its security against different kinds of attacks.
Generic attack: exhaustive search of the key in $O(2^k)$. A block cipher is considered unbroken as long as no attack faster than exhaustive search exists. There is a multitude of attacks against block ciphers: differential, linear, algebraic, higher-order differential, integral, impossible differential, ...
Differential cryptanalysis
Introduced by Biham and Shamir in ’90.
Given an input difference between two plaintexts, some output differences occur more often than others.
[Figure: the two plaintexts x and x + Δ_X are encrypted under E_k; the output difference is Δ_Y = E_k(x) ⊕ E_k(x + Δ_X).]
A differential is a pair (Δ_X, Δ_Y).
Impossible differential cryptanalysis
Introduced by Knudsen (1998) and by Biham, Biryukov and Shamir (1999).
Exploit differentials of probability 0.
Why care about impossible differential attacks?
Very powerful attacks (they lead to the best cryptanalysis against many ciphers, e.g. some famous Feistel constructions).
Were for a long time the most successful attacks against the AES.
Not fully understood and exploited in a non-optimal way due to their high technicality.
First step: Find an impossible differential
Well understood and "easy" part of the attack. Algorithms for finding impossible differentials on a given cipher exist.
Find the impossible differential using the miss-in-the-middle technique:
[Figure: a truncated differential that holds forward with p = 1 and one that holds backward with p = 1 meet on a contradiction in the middle, so the differential they form has p = 0.]
Miss in the Middle for AES
[Figure: miss in the middle on 4 rounds of AES. In the forward direction a difference is propagated with probability 1 through AK, SB, SR, MC and AK; in the backward direction a difference is propagated with probability 1 through the inverse operations SR^{-1}, MC^{-1}, AK and SB^{-1}. The two truncated differences cannot both hold in the middle state.]
Contradiction
Extend the impossible differential
Example: 6-round attack on AES
Extend the impossible differential by one round in both directions.
[Figure: 1 round + 4-round impossible differential (Δ_X ↛ Δ_Y) + 1 round.]
Second step: Extend the impossible differential
[Figure: 6-round AES. Round 1 (K_0, SB, SR, MC) maps a difference in D_in to Δ_X with probability p = 2^{-16}; then the 4-round impossible differential Δ_X ↛ Δ_Y; then Round 6 (inverse MC, SB, SR and the subkey K_6) maps a difference in D_out to Δ_Y with probability p = 2^{-24}.]
Collect pairs verifying (D_in, D_out). Guess 4 bytes of K_1 and 4 bytes of K_6. If for a value of K_1 and K_6 we get at the same time Δ_X and Δ_Y, then these (partial) keys can be discarded.
Exhaustive search for the remaining candidate keys.
Our contributions
The key recovery phase of impossible differential attacks is a very technical and not fully understood procedure. Errors are common. Many of the published attacks are sub-optimal.
Our goal:
Formalize the key recovery procedure. Provide complete complexity formulas. Introduce new techniques for improving the time or data complexity of such attacks.
The results presented next appear in the following two papers:
Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon, Christina Boura, María Naya-Plasencia and Valentin Suder. Presented at ASIACRYPT 2014.
Improving Impossible Differential Cryptanalysis, Christina Boura, Virginie Lallemand, María Naya-Plasencia and Valentin Suder, submitted.
Notation
[Figure: D_in → Round 1 ... Round r_in (probability 2^{-c_in}) → D_X → Round r_in + 1 ... Round r_in + r_Δ (the r_Δ-round impossible differential) → D_Y → Round r_in + r_Δ + 1 ... Round r_in + r_Δ + r_out (probability 2^{-c_out}) → D_out.]
Δ_V: size in bits of a difference D_V.
c_in, c_out: number of bit conditions to be verified.
k_in, k_out: number of involved subkey bits.
|k_in ∪ k_out|: key entropy.
Example
[Figure: the 6-round AES attack again. Round 1 (K_0, SB, SR, MC) with p = 2^{-16}, the 4-round impossible differential Δ_X ↛ Δ_Y, and Round 6 (inverse MC, SB, SR and K_6) with p = 2^{-24}.]
Δ_in = 32, Δ_out = 32; c_in = 16, c_out = 24; k_in = 32, k_out = 32.
The early abort technique
Introduced by Lu et al. in 2008 for impossible differential cryptanalysis.
[Figure: a difference in D_in enters the first round (subkey K_0, S-box layer S, linear layer P) and must produce the difference Δ_X.]
Classical approach: guess all the required subkey bits, encrypt a pair and verify if the difference Δ_X occurs.
Early abort: guess the subkey bits word by word and check if the partial difference occurs. If the partial difference doesn't occur, discard the pair.
Outline
1 Complexity Formulas
2 New techniques
3 Applications
How many pairs does an attack require?
By taking N pairs satisfying (D_in, D_out), the probability of not discarding a candidate key is
$P = \left(1 - 2^{-(c_{in}+c_{out})}\right)^N.$
How many pairs N are needed for the attack?
First approach: $\left(1 - 2^{-(c_{in}+c_{out})}\right)^N < 2^{-|k_{in} \cup k_{out}|}$ (only one candidate survives).
Better approach: $\left(1 - 2^{-(c_{in}+c_{out})}\right)^N < \frac{1}{2}$. Take $N_{min} = 2^{c_{in}+c_{out}}$, which gives $P \approx e^{-1}$.
Memory complexity: N.
Finding N solutions for a given truncated differential
Problem: find N pairs verifying D_in and D_out.
For N = 1: limited birthday technique [Gilbert, Peyrin – FSE 2010]
$C_1 = \max_{\Delta \in \{\Delta_{in}, \Delta_{out}\}} \min\left\{\sqrt{2^{\,n-\Delta}},\ 2^{\,n-(\Delta_{in}+\Delta_{out})}\right\},$
where n is the state size.
Limited Birthday Technique [Gilbert, Peyrin – FSE 2010]
[Figure: an n-bit block cipher E_k; the input difference is restricted to a set of Δ_in bits, the output difference to a set of Δ_out bits.]
Find a pair of inputs (m, m′) such that m ⊕ m′ ∈ D_in and E_k(m) ⊕ E_k(m′) ∈ D_out.
Extreme case: Δ_out = 0 and input unrestricted ⇒ collision after ≈ 2^{n/2} computations.
When the input space is restricted, the number of pairs that can be constructed is reduced.
Consider the quantity 2Δ_in + Δ_out. If 2Δ_in > n − Δ_out, apply the birthday paradox to collide on n − Δ_out bits. Else, restart the birthday paradox 2^{n−2Δ_in−Δ_out} times.
$C_1 = \begin{cases} \sqrt{2^{\,n-\Delta_{out}}} & \text{if } 2\Delta_{in} > n - \Delta_{out}, \\ 2^{\,n-(\Delta_{out}+\Delta_{in})} & \text{otherwise.} \end{cases}$
Cost C_N for finding N pairs verifying (D_in, D_out)
By considering C_N = N × C_1 we might be wasting some structures. Determine the number of inputs 2^x we need in order to construct N pairs.
Case 1: $N \le \frac{2^{\Delta_{in}}(2^{\Delta_{in}}-1)}{2} \cdot 2^{-(n-\Delta_{out})}$ (D_in is large enough). Thus $2^x \le 2^{\Delta_{in}}$ and therefore $N = \frac{2^{2x-1}}{2^{\,n-\Delta_{out}}}$. We need $2^x = \sqrt{N\,2^{\,n-\Delta_{out}+1}}$ inputs.
Case 2: $N > \frac{2^{\Delta_{in}}(2^{\Delta_{in}}-1)}{2} \cdot 2^{-(n-\Delta_{out})}$ (D_in is not large enough). We need to add $2^y$ structures of size $2^{\Delta_{in}}$ such that $N = 2^y \cdot \frac{2^{\Delta_{in}}(2^{\Delta_{in}}-1)}{2} \cdot 2^{-(n-\Delta_{out})}$. Therefore we need $2^x = 2^{y+\Delta_{in}} = N\,2^{\,n-\Delta_{in}-\Delta_{out}+1}$ inputs.
Cost for finding N pairs
$C_N = \max_{\Delta \in \{\Delta_{in}, \Delta_{out}\}} \min\left\{\sqrt{N\,2^{\,n-\Delta+1}},\ N\,2^{\,n-\Delta_{in}-\Delta_{out}+1}\right\}.$
Data complexity: C_N.
Obviously, the attack requires C_N < 2^n (the data cannot exceed the full codebook).
Time complexity
$T_{comp} = C_N + \left(N + 2^{|k_{in} \cup k_{out}|}\,\frac{N}{2^{c_{in}+c_{out}}}\right) C'_E + 2^{K} P\, C_E$
First term: encrypt the data.
Second term: early abort technique; check each key candidate step by step and decrease the number of pairs in the list (C'_E is the cost of this partial encryption or decryption relative to one full encryption C_E).
Last term: test by exhaustive search the remaining keys; it corresponds to $2^K P = 2^{K-|k_{in} \cup k_{out}|}\, P\, 2^{|k_{in} \cup k_{out}|}$.
The role of the key schedule
During the key-recovery phase, key bits of different subkeys are guessed.
How to recover the master key from these guessed bits?
This depends on the nature of the key schedule.
If the key schedule is (almost) linear, directly translate the k_in and k_out guessed bits into the same number of bits of the master key.
Complex key schedules
[Figure: the guessed bits of the subkeys K_0 (k_in = 64) and K_6 (k_out = 32), related through the key schedule.]
If the key schedule is complex, it is not possible to directly translate the information guessed on the subkeys into the same amount of information on the master key.
What do we do then?
Complete the missing bits of some of the subkeys. Compute through the key schedule. Verify if the result matches.
How is the time complexity affected?
A new term has to be added to the time complexity formula:
$\min\left(2^{K-k_{in}}, 2^{K-k_{out}}\right) \cdot P \cdot 2^{k_{in}+k_{out}} \cdot C_{KS} \;=\; \min\left(2^{K+k_{in}}, 2^{K+k_{out}}\right) \cdot P \cdot C_{KS},$
where C_KS is the key schedule cost.
In previous works, it was wrongly supposed that one guessed word of a subkey could directly be seen as one guessed word of the master key.
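The complexity formulas of this part, carried through for the 6-round AES example of the earlier slides, as an added example (this code is not part of the talk or of the authors' papers). Every cost is handled as a base-2 logarithm. For the AES numbers it assumes that the guessed bytes of K_0 and K_6 are independent, so |k_in ∪ k_out| = k_in + k_out = 64, and that C'_E = C_E = C_KS = 1 (one full encryption); these are assumptions made for the illustration, not values stated on the slides.

```python
"""Complexity formulas of an impossible differential attack, as on the slides.
Every cost is a base-2 logarithm (2^40 is written as 40.0).
Symbols: n block size, K key size, Delta_in/Delta_out sizes of D_in/D_out,
c_in/c_out bit conditions, k_in/k_out guessed subkey bits,
k_union = |k_in U k_out|, C_E'/C_E/C_KS partial-encryption, encryption and
key-schedule costs relative to one encryption (assumed to be 1 below)."""
import math


def log2_sum(*logs):
    """log2(2^a + 2^b + ...) computed without forming the huge powers."""
    m = max(logs)
    return m + math.log2(sum(2.0 ** (x - m) for x in logs))


def surviving_fraction(c_in, c_out, log2_pairs):
    """P = (1 - 2^-(c_in+c_out))^N: fraction of wrong keys still alive after N pairs."""
    pairs = 2.0 ** log2_pairs
    return math.exp(pairs * math.log1p(-(2.0 ** -(c_in + c_out))))


def log2_n_min(c_in, c_out):
    """N_min = 2^(c_in+c_out): with this many pairs P is about e^-1 < 1/2."""
    return float(c_in + c_out)


def log2_pair_cost(n, delta_in, delta_out, log2_pairs):
    """log2 C_N for building N pairs with plaintext difference in D_in and
    ciphertext difference in D_out (limited birthday, both directions tried):
    C_N = max_{Delta in {Delta_in, Delta_out}} min( sqrt(N 2^(n-Delta+1)),
                                                   N 2^(n-Delta_in-Delta_out+1) )."""
    costs = []
    for delta in (delta_in, delta_out):
        birthday = (log2_pairs + n - delta + 1) / 2               # one big structure
        structures = log2_pairs + n - delta_in - delta_out + 1    # many structures
        costs.append(min(birthday, structures))
    return max(costs)


def log2_time(n, key_bits, delta_in, delta_out, c_in, c_out, k_union, log2_pairs,
              log2_ce_partial=0.0, log2_ce=0.0):
    """T_comp = C_N + (N + 2^k_union N 2^-(c_in+c_out)) C_E' + 2^K P C_E.
    Returns the log2 of the total and a dict with the log2 of each term and P."""
    p = surviving_fraction(c_in, c_out, log2_pairs)
    data = log2_pair_cost(n, delta_in, delta_out, log2_pairs)
    sieve = log2_sum(log2_pairs, k_union + log2_pairs - (c_in + c_out)) + log2_ce_partial
    exhaustive = key_bits + math.log2(p) + log2_ce
    total = log2_sum(data, sieve, exhaustive)
    return total, {"C_N": data, "sieve": sieve, "exhaustive": exhaustive, "P": p}


def log2_key_schedule_term(key_bits, k_in, k_out, p, log2_cks=0.0):
    """Extra term for a complex key schedule:
    min(2^(K-k_in), 2^(K-k_out)) P 2^(k_in+k_out) C_KS = min(2^(K+k_in), 2^(K+k_out)) P C_KS."""
    return key_bits + min(k_in, k_out) + math.log2(p) + log2_cks


def aes6_example():
    """The 6-round AES-128 parameters of the slides: Delta_in = Delta_out = 32,
    c_in = 16, c_out = 24, k_in = k_out = 32.  k_union = 64 is an assumption."""
    n, key_bits = 128, 128
    log2_pairs = log2_n_min(16, 24)
    total, parts = log2_time(n, key_bits, 32, 32, 16, 24, 64, log2_pairs)
    parts["key_schedule"] = log2_key_schedule_term(key_bits, 32, 32, parts["P"])
    parts["N"] = log2_pairs
    parts["total"] = total
    parts["beats_exhaustive_search"] = total < key_bits
    return parts


if __name__ == "__main__":
    for name, value in aes6_example().items():
        print(f"{name:>24}: {value if isinstance(value, bool) else round(value, 3)}")
```

With the slide's parameters the data cost is 2^{68.5} and the total is dominated by the exhaustive-search term 2^{128} P ≈ 2^{126.56}, so the attack sits only marginally under the 2^{128} generic bound; the key-schedule term 2^{128+32} P would push it over, which is exactly the check the slides insist on before calling an attack valid.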
The state-test technique
Goal:
Eliminate some candidate keys without considering all the possibilities for the involved key bits.
How?
If a word of the state of size s depends on more than s key bits, guess this word instead.
Example on CLEFIA-128
ISO/IEC standard in lightweight crypto. Developed by SONY in 2007.
Block size: 4 × 32 = 128 bits. Key size: 128 bits. Number of rounds: 18.
[Figure: one CLEFIA round. The four 32-bit words (P_0^{i-1}, P_1^{i-1}, P_2^{i-1}, P_3^{i-1}) are updated with the round keys RK_{2i-2} and RK_{2i-1} through the two F-functions F_0 and F_1, giving (P_0^i, P_1^i, P_2^i, P_3^i).]
The state-test technique in practice
[Figure: the first two rounds of the attack on CLEFIA. A difference in D_in enters round 1 (round keys RK_0, RK_1 into F_0, F_1) and round 2 (round keys RK_2, RK_3); the state word B entering F_0 in round 2 must lead to the difference Δ_X. A constant part (cste) of the round-1 input is marked.]
B = S_0( … ) ⊕ … : the word B depends on more key bits than its own size.
Guess B′ = S_0( … ) ⊕ … instead, with B = B′ ⊕ … .
|k_in ∪ k_out| = 122 bits ⇒ |k_in ∪ k_out| = 122 − 16 + 8 bits, the 8 added bits being those of B′.
The state-test technique applies to both Feistel and SPN constructions. However, it seems to apply better to Feistel ciphers. In SPN ciphers the gain in the time complexity generally leads to an equivalent loss in data complexity, because a part of the active part of the plaintexts has to be fixed. We have implemented this technique on a toy cipher (mini-CLEFIA) and verified its efficiency in practice.
Multiple Impossible Differentials
Formalize the idea of [Tsunoo et al. 08].
CLEFIA has 9-round impossible differentials (0, 0, 0, A) ↛ (0, 0, 0, B) and (0, A, 0, 0) ↛ (0, B, 0, 0) when the 32-bit words A and B, written as four bytes, verify:
A = (0, 0, 0, α): B ∈ {(0, 0, β, 0), (0, β, 0, 0), (β, 0, 0, 0)}
A = (0, 0, α, 0): B ∈ {(0, 0, 0, β), (0, β, 0, 0), (β, 0, 0, 0)}
A = (0, α, 0, 0): B ∈ {(0, 0, 0, β), (0, 0, β, 0), (β, 0, 0, 0)}
A = (α, 0, 0, 0): B ∈ {(0, 0, 0, β), (0, 0, β, 0), (0, β, 0, 0)}
That is 2 × 4 × 3 = 24 impossible differentials, and the data complexity drops accordingly:
$C_N = 2^{113} \;\Rightarrow\; C_N = 2^{113 - \log_2(24)}.$
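The miss-in-the-middle search of the first part of the talk, run on the four-branch generalized Feistel structure of CLEFIA described above, as an added example (not the authors' code). It works on whole 32-bit words with three symbolic difference values (zero, nonzero, unknown) and assumes only that F_0 and F_1 are bijections, which holds for CLEFIA; it therefore cannot see the byte-level structure inside a word that the 9-round impossible differentials listed above rely on, and instead finds the shorter ones that hold for any cipher with this round structure. The toy instance used for the sanity check (4-bit words, a 4-bit S-box as F) is constructed here and is not CLEFIA.

```python
"""Word-level miss-in-the-middle on a 4-branch Type-2 GFN (CLEFIA's round
structure).  The state is four words; one round maps
(x0, x1, x2, x3) -> (x1 ^ F0(x0), x2, x3 ^ F1(x2), x0).
Assumption: F0 and F1 are bijective (true for CLEFIA: S-box layer then an
invertible MDS matrix), so a nonzero input difference gives a nonzero output
difference.  Differences are tracked per word with three symbols."""
import random
from itertools import product

ZERO, NONZERO, UNKNOWN = "0", "*", "?"   # difference is 0 / surely != 0 / either


def xor_diff(a, b):
    """XOR of two word differences: 0 is neutral, two nonzero ones may cancel."""
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return UNKNOWN


def round_fwd(x):
    """One round; F is bijective, so F(d) has the same status as d."""
    x0, x1, x2, x3 = x
    return (xor_diff(x1, x0), x2, xor_diff(x3, x2), x0)


def round_bwd(y):
    """Inverse round: (y0, y1, y2, y3) -> (y3, y0 ^ F0(y3), y1, y2 ^ F1(y1))."""
    y0, y1, y2, y3 = y
    return (y3, xor_diff(y0, y3), y1, xor_diff(y2, y1))


def contradicts(fwd, bwd):
    """Miss in the middle: one direction says a word is zero, the other nonzero."""
    return any({p, q} == {ZERO, NONZERO} for p, q in zip(fwd, bwd))


def single_word(i):
    return tuple(NONZERO if j == i else ZERO for j in range(4))


def longest_impossible(in_word, out_word, max_rounds=16):
    """Largest r such that 'in_word active' -/-> 'out_word active' over r rounds
    is impossible, obtained from f forward and r - f backward rounds."""
    fwd = [single_word(in_word)]
    bwd = [single_word(out_word)]
    for _ in range(max_rounds):
        fwd.append(round_fwd(fwd[-1]))
        bwd.append(round_bwd(bwd[-1]))
    for total in range(max_rounds, 0, -1):
        if any(contradicts(fwd[f], bwd[total - f]) for f in range(total + 1)):
            return total
    return 0


def all_single_word_patterns():
    """Best length for every (input word, output word) pattern."""
    return {(i, j): longest_impossible(i, j) for i, j in product(range(4), repeat=2)}


# Constructed toy instance for a sanity check: 4-bit words, F(x, k) = S[x ^ k]
# with the PRESENT S-box (a 4-bit permutation, hence bijective).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def toy_encrypt(block, round_keys):
    x = list(block)
    for rk0, rk1 in round_keys:
        x = [x[1] ^ SBOX[x[0] ^ rk0], x[2], x[3] ^ SBOX[x[2] ^ rk1], x[0]]
    return tuple(x)


def sample_hits(in_word, out_word, rounds, samples=2000, seed=1):
    """Count random (key, pair) samples with the input pattern whose output
    difference has exactly the out_word pattern.  For an impossible
    differential this is 0 whatever the keys."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        keys = [(rng.randrange(16), rng.randrange(16)) for _ in range(rounds)]
        p = [rng.randrange(16) for _ in range(4)]
        q = list(p)
        q[in_word] ^= rng.randrange(1, 16)
        d = [a ^ b for a, b in zip(toy_encrypt(p, keys), toy_encrypt(q, keys))]
        if all((d[j] != 0) == (j == out_word) for j in range(4)):
            hits += 1
    return hits


if __name__ == "__main__":
    table = all_single_word_patterns()
    for (i, j), r in sorted(table.items()):
        print(f"word {i} active -/-> word {j} active: {r} rounds")
    print("best word-level length:", max(table.values()))
    print("toy 7-round hits for (0,A,0,0) -> (0,0,B,0):", sample_hits(1, 2, 7))
    print("toy 7-round hits for (0,0,0,A) -> (0,0,0,B) (not excluded by the word model):",
          sample_hits(3, 3, 7))
```

At word level the best patterns are (0, A, 0, 0) ↛ (0, 0, B, 0) and (0, 0, 0, A) ↛ (A′, 0, 0, 0) over 7 rounds, while (0, 0, 0, A) ↛ (0, 0, 0, B) only reaches 5; the extra rounds of the 9-round CLEFIA differentials come from the byte positions inside A and B and the structure of the two diffusion matrices, which this coarse model deliberately ignores.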
Multiple differentials in impossible differential cryptanalysis
More choices for the input/output patterns of a pair. Less data is needed to construct the pairs for the attack → reduction in the data complexity.
[Figure: several input patterns D_in (multiple inputs) feeding one impossible differential D_X ↛ D_Y, and several output patterns D_out (multiple outputs) leaving it.]
The log2 of the data complexity is reduced by #input multiples + #output multiples.
Combine multiple impossible differentials with multiple differentials
Use multiple differentials and multiple impossible differentials together to further reduce the amount of data.
[Figure: for each of several impossible differentials D_X ↛ D_Y, ×4 input patterns on the D_in side and ×6 output patterns on the D_out side.]
Applications
Feistel ciphers Best cryptanalysis on CLEFIA-128, Camellia and LBlock. Best impossible differential attacks on the SIMON family.
SPN ciphers Best impossible differential attacks on AES-128, CRYPTON-128 and ARIA-128. Each application illustrates a different combination of the new techniques.
Results on Feistel ciphers
Algorithm | Rounds | Data (CP) | Time | Memory (Blocks) | Tech. | Ref.
CLEFIA-128 | 13 | 2^117.8 | 2^121.2 | 2^86.8 | ID | [MDS 11]
CLEFIA-128 | 13 | 2^114.4 | 2^114.4 | 2^80 | ID | this work
Camellia-128 | 11 | 2^122 | 2^122 | 2^98 | ID | [LLGWLCL 12]
Camellia-128 | 11 | 2^118.4 | 2^118.43 | 2^92.4 | ID | this work
Camellia-192 | 12 | 2^123 | 2^187.2 | 2^155.41 | ID | [LLGWLCL 12]
Camellia-192 | 12 | 2^119.7 | 2^161.06 | 2^150.7 | ID | this work
Camellia-256 | 13 | 2^123 | 2^251.1 | 2^203 | ID | [LLGWLCL 12]
Camellia-256 | 13 | 2^119.71 | 2^225.06 | 2^198.71 | ID | this work
Camellia-256 ‡ | 14 | 2^120 | 2^250.5 | 2^120 | ID | [LLGWLCL 12]
Camellia-256 ‡ | 14 | 2^117.7 | 2^215.7 | 2^166.7 | ID | this work
LBlock | 22 | 2^58 | 2^79.28 | 2^72.67 | ID | [KDH 12]
LBlock | 23 | 2^63.87 | 2^74.30 | 2^60 | ZC | [BM 14]
LBlock | 23 | 2^55.5 | 2^72 | 2^65 | ID | this work
Results on SPN ciphers
Algorithm | Rounds | Data (CP) | Time | Memory (Blocks) | Tech. | Ref.
AES-128 | 7 | 2^106.2 | 2^110.2 | 2^90.2 | ID | [MDRM 10]
AES-128 | 7 | 2^105 | 2^105 + 2^99 | 2^90 | MITM | [DFJ 13]
AES-128 | 7 | 2^97 | 2^99 | 2^98 | MITM | [DFJ 13]
AES-128 | 7 | 2^113.1 | 2^113.1 + 2^105.1 | 2^74.1 | ID | this work
AES-128 | 7 | 2^105 | 2^106.88 | 2^74 | ID | this work
CRYPTON-128 | 7 | 2^97 | 2^97.2 | 2^100 | Tr. Diff. | [KHLSY 03]
CRYPTON-128 | 7 | 2^121 | 2^121 + 2^116.2 | 2^119 | ID | [MSD 10]
CRYPTON-128 | 7 | 2^114.92 | 2^114.92 + 2^113.7 | 2^88.5 | ID | this work
CRYPTON-128 | 8 | 2^126 | 2^126.2 | 2^100 | Tr. Diff. | [KHLS Y 03]
ARIA-128 | 6 | 2^113 | 2^121.6 | 2^113 | ID | [LSZL 08]
ARIA-128 | 6 | 2^121 | 2^121 + 2^112 | 2^121 | ID | [WZD 07]
ARIA-128 | 6 | 2^120 | 2^120 + 2^96 | 2^120 | ID | [LS 08]
ARIA-128 | 6 | 2^111 | 2^111 + 2^82 | 2^71 | ID | this work
ARIA-128 | 7 | 2^105.8 | 2^105.8 + 2^100.99 | 2^79.73 | LC | [LGLLL 11]
Conclusions
The proposed techniques are general; however, the level of applicability of each method is different on SPN and Feistel ciphers.
It is important to verify the new techniques by implementing them.
Apply the same approach to other families of attacks, e.g. zero-correlation attacks.
Thanks for your attention!