
Improving impossible differential

Christina Boura, joint work with Virginie Lallemand, María Naya-Plasencia and Valentin Suder

Séminaire CCA, June 12, 2015

Block ciphers

$E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n, \quad (m, K) \mapsto E(m, K) = c$

(Figure: the message $m$ is encrypted under the key $K$ by $E$ to give $c$.)

Lightweight block ciphers

Block ciphers designed for constrained environments (RFID tags, sensor networks, ...).
A high number of proposals in the last few years (PRESENT, CLEFIA, LED, LBlock, Piccolo, TWINE, KLEIN, Zorro, PRINTCipher, ...).
New ISO/IEC standards: PRESENT, CLEFIA.

Need to identify the robust algorithms for future use.

Cryptanalysis of block ciphers

In symmetric cryptography, security proofs are partial and insufficient.

The only way to conclude that a cipher is strong is to evaluate its security against different kinds of attacks.

Generic attack: exhaustive search of the key in $O(2^k)$.
A block cipher is considered unbroken as long as no attack faster than exhaustive search exists.
There is a multitude of attacks against block ciphers: differential, linear, algebraic, higher-order differential, integral, impossible differential, ...

Differential cryptanalysis

Introduced by Biham and Shamir in ’90.

Given an input difference between two plaintexts, some output differences occur more often than others.

(Figure: the inputs $x$ and $x + \Delta_X$ are encrypted under $E_k$; the outputs $E_k(x)$ and $E_k(x + \Delta_X)$ have difference $\Delta_Y$.)

A differential is a pair $(\Delta_X, \Delta_Y)$.

Impossible differential cryptanalysis

Introduced by Knudsen and Biham et al. in ’99.

Exploit differentials of probability 0.

Why care about impossible differential attacks?

Very powerful attacks (they lead to the best cryptanalysis against many ciphers, e.g. some famous Feistel constructions).
Were for a long time the most successful attacks against the AES.
Not fully understood, and exploited in a non-optimal way due to their high technicality.

First step: Find an impossible differential

Well understood and "easy" part of the attack. Algorithms for finding impossible differentials on a given cipher exist.

Find the impossible differential using the Miss-in-the-middle technique.

(Figure: miss in the middle: a forward differential of probability $p = 1$ and a backward differential of probability $p = 1$ meet in a contradiction, which gives a differential of probability $p = 0$.)

Miss in the Middle for AES

(Figure: the impossible differential on AES built by miss in the middle. Forward, the truncated difference propagates with probability 1 through AK, SB, SR, MC, AK; backward, it propagates with probability 1 through $SB^{-1}$, $SR^{-1}$, $MC^{-1}$ and AK. The two truncated differences meet in a contradiction.)

Extend the impossible differential

Example: 6-round attack on AES

Extend the impossible differential one round to both directions.

(Figure: 1 round + 4-round impossible differential + 1 round = 6 rounds.)

Second step: Extend the impossible differential

(Figure: the 6-round AES attack. Round 1, after the addition of $K_0$, takes $\Delta_{in}$ through SB, SR, MC to $\Delta_X$ with probability $p = 2^{-16}$; the 4-round impossible differential $\Delta_X \not\to \Delta_Y$ follows; round 6 (the inverse MC, SB, SR operations, before the addition of $K_6$) takes $\Delta_{out}$ back to $\Delta_Y$ with probability $p = 2^{-24}$.)

Collect pairs verifying $(\Delta_{in}, \Delta_{out})$.
Guess 4 bytes of $K_1$ and 4 bytes of $K_6$.
If for a value of $K_1$ and $K_6$ we get at the same time $\Delta_X$ and $\Delta_Y$, then these (partial) keys can be discarded.

Exhaustive search for the remaining candidate keys.

Our contributions

The key recovery phase of impossible differential attacks is a very technical and not fully understood procedure. Errors are common. Many of the published attacks are sub-optimal.

Our goal:

Formalize the key recovery procedure.
Provide complete complexity formulas.
Introduce new techniques for improving the time or data complexity of such attacks.

The results presented next appear in the following two papers:

Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon, Christina Boura, María Naya-Plasencia and Valentin Suder. Presented at ASIACRYPT 2014.

Improving Impossible Differential Cryptanalysis, Christina Boura, Virginie Lallemand, María Naya-Plasencia and Valentin Suder, submitted.

Notation

(Figure: rounds 1 to $r_{in}$ take $\Delta_{in}$ to $\Delta_X$ with probability $2^{-c_{in}}$; rounds $r_{in}+1$ to $r_{in}+r_\Delta$ carry the impossible differential $\Delta_X \not\to \Delta_Y$; rounds $r_{in}+r_\Delta+1$ to $r_{in}+r_\Delta+r_{out}$ take $\Delta_{out}$ back to $\Delta_Y$ with probability $2^{-c_{out}}$.)

$\Delta_V$: size in bits of a difference $\Delta_V$.
$c_{in}, c_{out}$: number of bit conditions to be verified.
$k_{in}, k_{out}$: number of involved subkey bits.
$|k_{in} \cup k_{out}|$: key entropy.

Example

(Figure: the 6-round AES attack above, between $K_0$ and $K_6$: round 1 with $p = 2^{-16}$, the 4-round impossible differential, and round 6 with $p = 2^{-24}$.)

$\Delta_{in} = 32$, $\Delta_{out} = 32$, $c_{in} = 16$, $c_{out} = 24$, $k_{in} = 32$, $k_{out} = 32$.

The early abort technique

Introduced by Lu et al. in 2008 for impossible differential cryptanalysis.

(Figure: on the input side, $\Delta_{in}$ enters through $K_0$ into a layer of S-boxes, a linear layer P and a further S-box, and reaches $\Delta_X$.)


Classical approach: Guess all the required subkey bits, encrypt a pair and verify if the difference $\Delta_X$ occurs.


Early abort: Guess the subkey bits word by word and check if the partial difference occurs. If the partial difference doesn’t occur, discard the pair.
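The two approaches just described, run side by side on a constructed toy round, as an added example that is not code from the slides or from the authors. The toy round is four 4-bit S-boxes (the PRESENT S-box, used only as a concrete bijection) keyed by four subkey nibbles, followed by a constructed linear layer P; the truncated difference Δ_X requires three of the four words after P to have zero difference, which for this P means that the four S-box output differences must all be equal (12 bit conditions on 16 subkey bits). The function names, the S-box, the layer P and the pair are this example's choices; the unit of work counted is one S-box pair evaluation.

```python
# Added example (not from the slides): early abort versus the classical key sieve on a
# constructed toy round. Assumptions: PRESENT S-box as the nonlinear layer, a constructed
# linear layer P, and Delta_X = "words 1..3 after P have zero difference".
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def sbox_diff(x, x2, k, counter):
    """Output difference of one S-box for the pair (x, x2) under subkey nibble k.
    counter[0] counts S-box pair evaluations, the unit of work compared below."""
    counter[0] += 1
    return SBOX[x ^ k] ^ SBOX[x2 ^ k]


def linear_layer(y):
    """Constructed linear layer P: z0 = y0, z1 = y0^y1, z2 = y0^y2, z3 = y0^y3."""
    return (y[0], y[0] ^ y[1], y[0] ^ y[2], y[0] ^ y[3])


def satisfies_delta_x(diffs):
    """Delta_X condition: words 1..3 of the difference after P are zero,
    i.e. all four S-box output differences are equal."""
    z = linear_layer(diffs)
    return z[1] == 0 and z[2] == 0 and z[3] == 0


def classical(pair):
    """Guess all 16 subkey bits at once and test the full condition for each guess.
    Returns (surviving subkeys, number of S-box pair evaluations)."""
    x, x2 = pair
    counter = [0]
    survivors = set()
    for key in range(1 << 16):
        ks = tuple((key >> (4 * i)) & 0xF for i in range(4))
        diffs = tuple(sbox_diff(x[i], x2[i], ks[i], counter) for i in range(4))
        if satisfies_delta_x(diffs):
            survivors.add(ks)
    return survivors, counter[0]


def early_abort(pair):
    """Guess the subkey nibble by nibble; a partial guess is dropped as soon as the
    partial difference is incompatible with Delta_X (word i must equal word 0).
    Returns (surviving subkeys, number of S-box pair evaluations)."""
    x, x2 = pair
    counter = [0]
    partial = [((), None)]  # (nibbles guessed so far, S-box difference of word 0)
    for i in range(4):
        extended = []
        for ks, d0 in partial:
            for k in range(16):
                d = sbox_diff(x[i], x2[i], k, counter)
                if i == 0:
                    extended.append((ks + (k,), d))
                elif d == d0:  # partial Delta_X condition holds: keep this guess
                    extended.append((ks + (k,), d0))
        partial = extended
    return {ks for ks, _ in partial}, counter[0]


# Constructed pair: input difference 0x5 in every 4-bit word.
PAIR = ((0x3, 0xA, 0x6, 0xD), (0x3 ^ 0x5, 0xA ^ 0x5, 0x6 ^ 0x5, 0xD ^ 0x5))

if __name__ == "__main__":
    keys_c, cost_c = classical(PAIR)
    keys_e, cost_e = early_abort(PAIR)
    print(f"classical:   {len(keys_c)} surviving subkeys, {cost_c} S-box pair evaluations")
    print(f"early abort: {len(keys_e)} surviving subkeys, {cost_e} S-box pair evaluations")
    assert keys_c == keys_e
```

For this pair both procedures keep the same 352 subkey candidates; the classical sieve evaluates all $2^{16}$ guesses (262144 S-box pair evaluations), whereas early abort needs 2704, because every partial guess that already violates the partial condition is discarded before the remaining nibbles are guessed.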

Outline

1 Complexity Formulas

2 New techniques

3 Applications

Complexity Formulas: How many pairs does an attack require?

By taking $N$ pairs satisfying $(\Delta_{in}, \Delta_{out})$, the probability of not discarding a candidate key is

$$P = \left(1 - 2^{-(c_{in}+c_{out})}\right)^N$$

How many pairs $N$ are needed for the attack?
First approach: $\left(1 - 2^{-(c_{in}+c_{out})}\right)^N < 2^{-|k_{in} \cup k_{out}|}$.
Better approach: $\left(1 - 2^{-(c_{in}+c_{out})}\right)^N < \frac{1}{2}$. Take

$$N_{min} = 2^{c_{in}+c_{out}}.$$

Memory complexity: $N$

Complexity Formulas: Finding $N$ solutions for a given truncated differential

Problem: Find $N$ pairs verifying $\Delta_{in}$ and $\Delta_{out}$.

For N = 1: Limited birthday technique [Gilbert, Peyrin – FSE 2010]

$$C_1 = \max_{\Delta \in \{\Delta_{in}, \Delta_{out}\}} \left\{ \min \left\{ \sqrt{2^{n-\Delta}},\; 2^{n-(\Delta_{in}+\Delta_{out})} \right\} \right\},$$

where n is the state size.

Complexity Formulas: Limited Birthday Technique [Gilbert, Peyrin – FSE 2010]

(Figure: an $n$-bit block cipher $E_k$ with input difference set $\Delta_{in}$ and output difference set $\Delta_{out}$.)

Find a pair of inputs $(m, m')$ such that $m \oplus m' \in \Delta_{in}$ and $E_k(m) \oplus E_k(m') \in \Delta_{out}$.

Extreme case: $\Delta_{out} = 0$ and input unrestricted $\Rightarrow$ collision after $\approx 2^{n/2}$ computations.

When the input space is restricted, the number of pairs that can be constructed is reduced.

Consider the quantity $2\Delta_{in} + \Delta_{out}$. If $2\Delta_{in} > n - \Delta_{out}$, apply the birthday paradox to collide on $n - \Delta_{out}$ bits. Else, restart the birthday paradox $2^{n - 2\Delta_{in} - \Delta_{out}}$ times.

$$C_1 = \begin{cases} \sqrt{2^{n-\Delta_{out}}} & \text{if } 2\Delta_{in} > n - \Delta_{out}, \\ 2^{n-(\Delta_{out}+\Delta_{in})} & \text{otherwise.} \end{cases}$$

Complexity Formulas: Cost $C_N$ for finding $N$ pairs verifying $(\Delta_{in}, \Delta_{out})$

By considering $C_N = N \times C_1$ we might be wasting some structures. Determine the number of inputs $2^x$ we need in order to construct $N$ pairs.

If $N \le \dfrac{2^{\Delta_{in}} \cdot 2^{\Delta_{in}-1}}{2^{n-\Delta_{out}}}$ ($\Delta_{in}$ is large enough): then $2^x \le 2^{\Delta_{in}}$, and therefore $\dfrac{2^{2x-1}}{2^{n-\Delta_{out}}} = N$. We need $2^x = \sqrt{N 2^{n-\Delta_{out}+1}}$ inputs.

If $N > \dfrac{2^{\Delta_{in}} \cdot 2^{\Delta_{in}-1}}{2^{n-\Delta_{out}}}$ ($\Delta_{in}$ is not large enough): we need to add $2^y$ structures of size $2^{\Delta_{in}}$ such that $2^y \cdot \dfrac{2^{\Delta_{in}} \cdot 2^{\Delta_{in}-1}}{2^{n-\Delta_{out}}} = N$. Therefore we need $2^x = 2^{y+\Delta_{in}} = N 2^{n-\Delta_{in}-\Delta_{out}+1}$ inputs.

Complexity Formulas: Cost for finding $N$ pairs

$$C_N = \max_{\Delta \in \{\Delta_{in}, \Delta_{out}\}} \left\{ \min \left\{ \sqrt{N 2^{n-\Delta+1}},\; N 2^{n-\Delta_{in}-\Delta_{out}+1} \right\} \right\}$$

Data complexity: $C_N$.

Obviously, $C_N < 2^n$.

Complexity Formulas: Time complexity

$$T_{comp} = C_N + \left( N + 2^{|k_{in} \cup k_{out}|} \frac{N}{2^{c_{in}+c_{out}}} \right) C'_E + 2^K P \, C_E$$

$C_N$: encrypt the data.
$\left( N + 2^{|k_{in} \cup k_{out}|} N / 2^{c_{in}+c_{out}} \right) C'_E$: early abort technique; check each key candidate step by step and decrease the number of pairs in the list.
$2^K P \, C_E$: test the remaining keys by exhaustive search. This last term corresponds to $2^K P = 2^{K - |k_{in} \cup k_{out}|} \cdot P \cdot 2^{|k_{in} \cup k_{out}|}$.

Complexity Formulas: The role of the key schedule

During the key-recovery phase, key bits of different subkeys are guessed.

How to recover the master key from these guessed bits?

This depends on the nature of the key-schedule.

If the key-schedule is (almost) linear, directly translate the kin and kout guessed bits in the same number of bits of the master key.

Complexity Formulas: Complex key schedules

(Figure: guessed bits of the subkeys $K_0$ and $K_6$, with $k_{in} = 64$ and $k_{out} = 32$.)

If the key schedule is complex, it is not possible to directly translate the information guessed on the subkeys into the same amount of information on the master key.

Complexity Formulas: What do we do then?

(Figure: the guessed bits of $K_0$ and $K_6$ ($k_{in} = 64$, $k_{out} = 32$) linked through the key schedule.)

Complete the missing bits of some of the subkeys. Compute through the key schedule. Verify if the result matches.

Complexity Formulas: How is the time complexity affected?

A new term has to be added to the time complexity formula:

$$\min\left(2^{K-k_{in}}, 2^{K-k_{out}}\right) \cdot P \cdot 2^{k_{in}+k_{out}} \cdot C_{KS} \;=\; \min\left(2^{K+k_{in}}, 2^{K+k_{out}}\right) \cdot P \cdot C_{KS},$$

where $C_{KS}$ is the key schedule cost.

In previous works, it was wrongly supposed that one guessed word of a subkey could directly be seen as one guessed word of the master key.
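The complexity formulas of this section ($N_{min}$, $C_N$, $T_{comp}$ and the key-schedule term) evaluated in the $\log_2$ domain on the 6-round AES example, as an added example that is not part of the slides or of the papers. Assumptions of this example: $C'_E$ and $C_E$ are measured relative to one encryption (default 1), the guessed bits of $K_0$ and $K_6$ are independent so that $|k_{in} \cup k_{out}| = 64$, and `best_n` simply sweeps values of $N$ above $N_{min}$ under the constraint $C_N < 2^n$; the name `AttackParams` and the helper names are this example's own.

```python
# Added example (not from the slides or the papers): the complexity formulas of the
# talk evaluated in the log2 domain. All quantities are log2 of the slides' values.
import math
from dataclasses import dataclass

LN2 = math.log(2.0)


@dataclass
class AttackParams:
    """Parameters of an impossible differential attack, in the slides' notation."""
    n: int        # state size in bits
    key: int      # master key size K in bits
    d_in: int     # Delta_in: size in bits of the input difference
    d_out: int    # Delta_out: size in bits of the output difference
    c_in: int     # bit conditions to verify on the input side
    c_out: int    # bit conditions to verify on the output side
    k_in: int     # subkey bits involved on the input side
    k_out: int    # subkey bits involved on the output side
    k_union: int  # |k_in U k_out|: entropy of the guessed subkey bits


def log2_sum(*terms):
    """log2(2^t1 + 2^t2 + ...) computed without forming numbers of size 2^128."""
    m = max(terms)
    return m + math.log2(sum(2.0 ** (t - m) for t in terms))


def log2_p_survive(p, log2_n):
    """log2 of P = (1 - 2^-(c_in+c_out))^N: probability that a wrong key is kept."""
    big_n = 2.0 ** log2_n
    return big_n * math.log1p(-2.0 ** -(p.c_in + p.c_out)) / LN2


def log2_n_min(p):
    """N_min = 2^(c_in+c_out), for which P is about e^-1 < 1/2."""
    return float(p.c_in + p.c_out)


def log2_c_n(p, log2_n):
    """log2 of C_N = max over Delta in {Delta_in, Delta_out} of
    min( sqrt(N 2^(n-Delta+1)), N 2^(n-Delta_in-Delta_out+1) )."""
    return max(
        min((log2_n + p.n - d + 1) / 2.0, log2_n + p.n - p.d_in - p.d_out + 1)
        for d in (p.d_in, p.d_out)
    )


def log2_time(p, log2_n, c_e_prime=1.0, c_e=1.0, c_ks=None):
    """log2 of T_comp = C_N + (N + 2^|k_in U k_out| N / 2^(c_in+c_out)) C'_E + 2^K P C_E,
    plus min(2^(K-k_in), 2^(K-k_out)) P 2^(k_in+k_out) C_KS when c_ks is given
    (complex key schedule). Costs are relative to one encryption (assumption)."""
    log2_p = log2_p_survive(p, log2_n)
    terms = [
        log2_c_n(p, log2_n),
        log2_sum(log2_n, p.k_union - (p.c_in + p.c_out) + log2_n) + math.log2(c_e_prime),
        p.key + log2_p + math.log2(c_e),
    ]
    if c_ks is not None:
        terms.append(min(p.key - p.k_in, p.key - p.k_out) + log2_p
                     + p.k_in + p.k_out + math.log2(c_ks))
    return log2_sum(*terms)


def best_n(p, step=0.05, max_extra=16.0):
    """Sweep N upwards from N_min (in log2 steps) while C_N < 2^n and return the
    (log2 N, log2 T_comp) with the smallest time complexity."""
    best = None
    start = log2_n_min(p)
    for i in range(int(max_extra / step) + 1):
        ln = start + i * step
        if log2_c_n(p, ln) >= p.n:
            break
        t = log2_time(p, ln)
        if best is None or t < best[1]:
            best = (ln, t)
    return best


# The 6-round AES example of the slides; k_union = 64 is this example's assumption.
AES6 = AttackParams(n=128, key=128, d_in=32, d_out=32, c_in=16, c_out=24,
                    k_in=32, k_out=32, k_union=64)

if __name__ == "__main__":
    nmin = log2_n_min(AES6)
    print(f"N_min = 2^{nmin:.1f}, C_N = 2^{log2_c_n(AES6, nmin):.2f}, "
          f"P = 2^{log2_p_survive(AES6, nmin):.3f}, T = 2^{log2_time(AES6, nmin):.2f}")
    ln, t = best_n(AES6)
    print(f"sweep: N = 2^{ln:.2f} gives T = 2^{t:.2f}, data 2^{log2_c_n(AES6, ln):.2f}")
```

At $N = N_{min} = 2^{40}$ the data complexity is $C_N = 2^{68.5}$ but $P \approx e^{-1}$, so the exhaustive term $2^{128} P$ dominates and $T_{comp} \approx 2^{126.6}$; the sweep shows why an attack takes $N$ somewhat above $N_{min}$, trading a little data for a much smaller $P$.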

New techniques

New techniques: The state-test technique

Goal:

Eliminate some candidate keys without considering all the possibilities for the involved key bits.

How?

If a word of the state of size s depends on more than s key bits, guess this word instead.

New techniques: Example on CLEFIA-128

ISO/IEC standard in lightweight crypto. Developed by SONY in 2007.

Block size: $4 \times 32 = 128$ bits. Key size: 128 bits. Number of rounds: 18.

(Figure: round $i$ of CLEFIA: the four words $P_0^{i-1}, P_1^{i-1}, P_2^{i-1}, P_3^{i-1}$ enter, the round keys $RK_{2i-2}$ and $RK_{2i-1}$ are used in the functions $F_0$ and $F_1$, and $P_0^i, P_1^i, P_2^i, P_3^i$ come out.)

New techniques: The state-test technique in practice

(Figure: the input side of the attack on CLEFIA: $\Delta_{in}$ passes through the first round with $RK_0$, $RK_1$ and $F_0$, $F_1$, then through the second round with $RK_2$, $RK_3$ and $F_0$, $F_1$, to reach $\Delta_X$. A state word $B$ entering the second round is marked, and a part of the plaintext feeding it is fixed to a constant ("cste").)

$B$ is an XOR of an $S_0$ output and of other state and round-key words; $B'$ denotes the same word once the constant part of the plaintext is fixed, with $B = B' \oplus \cdots$ (the remaining terms of both expressions are not recoverable from the page).

$|k_{in} \cup k_{out}| = 122$ bits $\Rightarrow$ $|k_{in} \cup k_{out}| = 122 - 16 + 8$ bits: the 16 key bits on which $B'$ depends are replaced by the 8 bits of $B'$ itself.

The state-test technique applies to both Feistel and SPN constructions. However, it seems to apply better to Feistel ciphers: in SPN ciphers the gain in time complexity generally leads to an equivalent loss in data complexity, because a part of the active part of the plaintexts has to be fixed.
We have implemented this technique on a toy cipher (mini-CLEFIA) and verified its efficiency in practice.

New techniques: Multiple Impossible Differentials

Formalize the idea of [Tsunoo et al. 08].

CLEFIA has 9-round impossible differentials $(0, 0, 0, A) \not\to (0, 0, 0, B)$ and $(0, A, 0, 0) \not\to (0, B, 0, 0)$ when $A$ and $B$ verify:

A               B
(0, 0, 0, α)    (0, 0, β, 0), (0, β, 0, 0), (β, 0, 0, 0)
(0, 0, α, 0)    (0, 0, 0, β), (0, β, 0, 0), (β, 0, 0, 0)
(0, α, 0, 0)    (0, 0, 0, β), (0, 0, β, 0), (β, 0, 0, 0)
(α, 0, 0, 0)    (0, 0, 0, β), (0, 0, β, 0), (0, β, 0, 0)

$C_N = 2^{113} \Rightarrow C_N = 2^{113 - \log_2(24)}$

New techniques: Multiple differentials in impossible differential cryptanalysis

More choices for the input/output patterns of a pair. Less data is needed to construct the pairs for the attack → reduction in the data complexity.

(Figure: multiple inputs in $\Delta_{in}$ lead to $\Delta_X$, one impossible differential $\Delta_X \not\to \Delta_Y$ is used, and $\Delta_Y$ leads to multiple outputs in $\Delta_{out}$.)

The $\log_2$ of the data complexity is reduced by # input multiples + # output multiples.

New techniques: Combine multiple impossible differentials with multiple differentials

Use multiple differentials and multiple impossible differentials together to further reduce the amount of data.

(Figure: the combinations, marked ×4 and ×6, of multiple patterns for $\Delta_{in}$ and $\Delta_{out}$ around the impossible differential $\Delta_X \not\to \Delta_Y$.)

Applications

Feistel ciphers: best cryptanalysis on CLEFIA-128, Camellia and LBlock; best impossible differential attacks on the SIMON family.

SPN ciphers: best impossible differential attacks on AES-128, CRYPTON-128 and ARIA-128.
Each application illustrates a different combination of the new techniques.

Applications: Results on Feistel ciphers

Algorithm      | Rounds | Data (CP) | Time      | Memory (Blocks) | Tech. | Ref.
CLEFIA-128     | 13     | 2^117.8   | 2^121.2   | 2^86.8          | ID    | [MDS 11]
CLEFIA-128     | 13     | 2^114.4   | 2^114.4   | 2^80            | ID    | this work
Camellia-128   | 11     | 2^122     | 2^122     | 2^98            | ID    | [LLGWLCL 12]
Camellia-128   | 11     | 2^118.4   | 2^118.43  | 2^92.4          | ID    | this work
Camellia-192   | 12     | 2^123     | 2^187.2   | 2^155.41        | ID    | [LLGWLCL 12]
Camellia-192   | 12     | 2^119.7   | 2^161.06  | 2^150.7         | ID    | this work
Camellia-256   | 13     | 2^123     | 2^251.1   | 2^203           | ID    | [LLGWLCL 12]
Camellia-256   | 13     | 2^119.71  | 2^225.06  | 2^198.71        | ID    | this work
Camellia-256 ‡ | 14     | 2^120     | 2^250.5   | 2^120           | ID    | [LLGWLCL 12]
Camellia-256 ‡ | 14     | 2^117.7   | 2^215.7   | 2^166.7         | ID    | this work
LBlock         | 22     | 2^58      | 2^79.28   | 2^72.67         | ID    | [KDH 12]
LBlock         | 23     | 2^63.87   | 2^74.30   | 2^60            | ZC    | [BM 14]
LBlock         | 23     | 2^55.5    | 2^72      | 2^65            | ID    | this work

Applications: Results on SPN ciphers

Algorithm   | Rounds | Data (CP) | Time                 | Memory (Blocks) | Tech.     | Ref.
AES-128     | 7      | 2^106.2   | 2^110.2              | 2^90.2          | ID        | [MDRM 10]
AES-128     | 7      | 2^105     | 2^105 + 2^99         | 2^90            | MITM      | [DFJ 13]
AES-128     | 7      | 2^97      | 2^99                 | 2^98            | MITM      | [DFJ 13]
AES-128     | 7      | 2^113.1   | 2^113.1 + 2^105.1    | 2^74.1          | ID        | this work
AES-128     | 7      | 2^105     | 2^106.88             | 2^74            | ID        | this work
CRYPTON-128 | 7      | 2^97      | 2^97.2               | 2^100           | Tr. Diff. | [KHLSY 03]
CRYPTON-128 | 7      | 2^121     | 2^121 + 2^116.2      | 2^119           | ID        | [MSD 10]
CRYPTON-128 | 7      | 2^114.92  | 2^114.92 + 2^113.7   | 2^88.5          | ID        | this work
CRYPTON-128 | 8      | 2^126     | 2^126.2              | 2^100           | Tr. Diff. | [KHLSY 03]
ARIA-128    | 6      | 2^113     | 2^121.6              | 2^113           | ID        | [LSZL 08]
ARIA-128    | 6      | 2^121     | 2^121 + 2^112        | 2^121           | ID        | [WZD 07]
ARIA-128    | 6      | 2^120     | 2^120 + 2^96         | 2^120           | ID        | [LS 08]
ARIA-128    | 6      | 2^111     | 2^111 + 2^82         | 2^71            | ID        | this work
ARIA-128    | 7      | 2^105.8   | 2^105.8 + 2^100.99   | 2^79.73         | LC        | [LGLLL 11]

Applications: Conclusions

The proposed techniques are general; however, the level of applicability of each method is different on SPN and Feistel ciphers.
Important to verify the new techniques by implementing them.
Apply the same approach to other families of attacks, e.g. zero-correlation attacks.

Thanks for your attention!