Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation
Céline Blondeau (1), Aslı Bay (2), Serge Vaudenay (2)
(1) Aalto University, Finland
(2) EPFL, Lausanne, Switzerland
Monday 9th of March, FSE 2015, Istanbul

Outline
Statistical Attacks
Decorrelation Theory
The Decorrelation Order of ML and TD Attacks
Protecting against ML and TD
Statistical Attacks

Linear Cryptanalysis
- Enc: a permutation over $\{0,1\}^\ell$
- Linear cryptanalysis [Matsui 93]: a relation between plaintext and ciphertext bits
- The correlation at the point $(\alpha, \beta) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:
  $\mathrm{cor}(\alpha,\beta) = 2^{-\ell}\left[\#\{x \in \mathbb{F}_2^\ell \mid \alpha \cdot x \oplus \beta \cdot \mathrm{Enc}(x) = 0\} - \#\{x \in \mathbb{F}_2^\ell \mid \alpha \cdot x \oplus \beta \cdot \mathrm{Enc}(x) = 1\}\right]$
- Square correlation: for $v = (\alpha, \beta)$, $\mathrm{LP}_{\mathrm{Enc}}(v) = \mathrm{cor}(\alpha,\beta)^2$
Protecting against ML and TD
Multidimensional Linear Cryptanalysis
- [Hermelin et al 08]
- $V \subset \mathbb{F}_2^{2\ell}$: the vector space spanned by the chosen masks $v = (\alpha, \beta)$
- $k = \dim(V)$
- Capacity: $\mathrm{cap}_{\mathrm{Enc}}(V) = \sum_{v \in V,\, v \neq 0} \mathrm{LP}_{\mathrm{Enc}}(v)$

Differential Cryptanalysis
- Differential cryptanalysis [Biham Shamir 90]
- Probability of a differential $(\Delta, \Gamma) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:
  $\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\,\#\{x \in \mathbb{F}_2^\ell \mid \mathrm{Enc}(x) \oplus \mathrm{Enc}(x \oplus \Delta) = \Gamma\}$
- Truncated differential cryptanalysis [Knudsen 94]: differences $(\Delta, \Gamma)$ in a vector space $V^\perp \subset \mathbb{F}_2^{2\ell}$
  $p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x, x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\, \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$
Decorrelation Theory

Notation – Iterated Distinguisher
- $\mathrm{Enc} : \mathbb{F}_2^\ell \to \mathbb{F}_2^\ell$
- $(x_1, \ldots, x_d)$: a sample
- $n$: number of samples
- $d$: size of a sample (attack of order $d$)
- $T$ and $f$: two Boolean functions

Distinguisher Iter:
  for i = 1 to n do
    pick (x_1, ..., x_d) ∈ ({0,1}^ℓ)^d
    set y_j = Enc(x_j) for j = 1, ..., d
    set b_i = T(x_1, ..., x_d, y_1, ..., y_d)
  output f(b_1, ..., b_n)
Decorrelation Order
- $C^*$: Enc is a uniformly random permutation
- $C_K$: Enc is the permutation selected by a random key $K$
- The cipher is decorrelated of order $e$ if $\|[C_K]^e - [C^*]^e\|_\infty$ is small
- [Vaudenay 03]: for a non-adaptive iterated attack of order $d$ (with $\delta$ as defined there),
  $\left|E(p^{\mathrm{Iter}}_{C_K}) - E(p^{\mathrm{Iter}}_{C^*})\right| \le 3\sqrt[3]{n^2\left(2\delta + \frac{2d^2}{2^\ell} + \frac{d^2}{2^\ell(2^\ell - d)} + \frac{3}{2}\,\|[C_K]^{2d} - [C^*]^{2d}\|_\infty\right)} + \frac{n}{2}\,\|[C_K]^{2d} - [C^*]^{2d}\|_\infty$
- Hence an iterated attack of order $d$ has a small advantage as soon as the cipher is decorrelated of order $2d$
Example – Linear Cryptanalysis

Distinguisher LC:
  for i = 1 to n do
    pick x ∈ {0,1}^ℓ uniformly
    set y = Enc(x)
    set b_i = α·x ⊕ β·y
  output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 1
- [Vaudenay 03]:
  $\left|E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*})\right| \le 3\sqrt[3]{n\,\|[C_K]^2 - [C^*]^2\|_\infty} + \frac{n}{2^\ell - 1} + 3\sqrt[3]{\frac{n}{2^\ell - 1}}$
- In this paper:
  $\left|E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*})\right| \le 2\sqrt{n\,\|[C_K]^2 - [C^*]^2\|_\infty} + \frac{n}{2^\ell - 1} + 2\sqrt{\frac{n}{2^\ell - 1}}$
Example – Differential Cryptanalysis

Distinguisher DC:
  for i = 1 to n do
    pick x ∈ {0,1}^ℓ uniformly
    set x' = x ⊕ Δ
    set y = Enc(x) and y' = Enc(x')
    set b_i = 1_{y ⊕ y' = Γ}
  output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 2
- [Vaudenay 03]: for the function $f(b_1, \ldots, b_n) = \max_i b_i$,
  $\left|E(p^{\mathrm{DC}}_{C_K}) - E(p^{\mathrm{DC}}_{C^*})\right| \le \frac{n}{2^\ell - 1} + \frac{n}{2}\,\|[C_K]^2 - [C^*]^2\|_\infty$
- In this paper: the same bound holds for an arbitrary function $f$
Decorrelation – A Summary of Results

  Attack               Decor. order   Type of attack        Attack order   Maximal n
  Linear               2              iterative             1              2^ℓ
  Differential         2              iterative             2              2^ℓ
  Differential-linear  4              iterative             2              2^(ℓ-1)
  Boomerang            4              adaptive, iterative   4              2^(ℓ-1)

In this paper:
- Differential-linear attack: we improve the bound in the same way as for linear cryptanalysis
- Boomerang attack: the bound is now independent of the function $f$
The Decorrelation Order of ML and TD Attacks

ML Attacks – Algorithm

Distinguisher ML:
  for i = 1 to n do
    pick a random x ∈ {0,1}^ℓ
    set y = Enc(x)
    for j = 1 to k do
      set b_{i,j} = (α_j·x) ⊕ (β_j·y)
    set b_i = (b_{i,1}, ..., b_{i,k})
  output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 1
- In the paper we show:
  $\left|E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*})\right| \le n\sqrt{2^{k-\ell} + 2^{k-1}\,\|[C_K]^2 - [C^*]^2\|_\infty}$
Special Truncated Differential Distinguisher
- To bound $p^{\mathrm{ML}}_{\mathrm{Enc}} - p^{\mathrm{ML}}_{\mathrm{Enc}^*}$, we consider the following distinguisher, a special truncated differential (STD) distinguisher
- A known-plaintext truncated differential distinguisher using only one sample
- Non-adaptive attack with two queries

Distinguisher STD:
  pick two plaintexts x and x' at random
  set y = Enc(x) and y' = Enc(x')
  output 1_{(x ⊕ x', y ⊕ y') ∈ V^⊥}
Link between ML and TD Attacks
- [Chabaud Vaudenay 94]: link between differential probabilities and square correlations
  $\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\sum_{v \in \mathbb{F}_2^{2\ell}} (-1)^{v \cdot (\Delta,\Gamma)}\,\mathrm{LP}_{\mathrm{Enc}}(v)$
- [Blondeau Nyberg 14]: given $k = \dim(V)$, we have
  $2^{-k}\,\mathrm{cap}_{\mathrm{Enc}}(V) = p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) - 2^{-k}$, where
  $p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x, x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\, \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$
Link between ML and STD Distinguishers
- By definition, we have
  $p^{\mathrm{STD}}_{\mathrm{Enc}} = 2^{-\ell}\sum_{(\Delta,\Gamma) \in V^\perp} \mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma)$
- For any fixed $C_K$ and $C^*$, we have
  $\left|p^{\mathrm{ML}}_{C_K} - p^{\mathrm{ML}}_{C^*}\right| \le n\,2^{k/2}\sqrt{p^{\mathrm{STD}}_{C_K} - 2^{-k}} + n\,2^{k/2}\sqrt{p^{\mathrm{STD}}_{C^*} - 2^{-k}}$
- We showed that
  $\left|E(p^{\mathrm{STD}}_{C_K}) - E(p^{\mathrm{STD}}_{C^*})\right| \le \frac{1}{2}\,\|[C_K]^2 - [C^*]^2\|_\infty$
  and
  $E\!\left(p^{\mathrm{STD}}_{C^*} - 2^{-k}\right) \le 2^{-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}}$
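The two links used above, the Chabaud–Vaudenay relation between DP and LP and the Blondeau–Nyberg relation between the capacity and the STD probability, checked exhaustively on a small permutation. This is an added example, not code from the paper: it takes the 4-bit PRESENT S-box as Enc (an assumption made so that all $2^{2\ell}$ pairs and masks can be enumerated), implements cor, LP, cap, DP and $p^{\mathrm{STD}}$ exactly as defined on the slides, and the mask pairs spanning $V$ in `__main__` are constructed for the demonstration.

```python
"""Linear/differential statistics of a small permutation and the ML/TD links.

Added example, not code from the FSE 2015 paper. Enc is the 4-bit PRESENT S-box
(ell = 4); cor, LP, cap_Enc(V), DP and p^STD_Enc(V^perp) follow the slide
definitions, and both identities are verified exactly, not estimated.
"""
from itertools import product

ELL = 4
N = 1 << ELL
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box, a 4-bit permutation
# A mask pair v = (alpha, beta) and a difference pair (delta, gamma) are both
# encoded as a 2*ell-bit integer: (first half << ell) | second half.

def dot(a, b):
    """Inner product over F_2: parity of the bitwise AND."""
    return bin(a & b).count("1") & 1

def cor(enc, alpha, beta):
    """cor(alpha, beta) = 2^-ell * (#{alpha.x ^ beta.Enc(x) = 0} - #{... = 1})."""
    zeros = sum(1 for x in range(N) if dot(alpha, x) ^ dot(beta, enc[x]) == 0)
    return (zeros - (N - zeros)) / N

def lp(enc, v):
    """Square correlation of the mask pair v."""
    return cor(enc, v >> ELL, v & (N - 1)) ** 2

def dp(enc, delta, gamma):
    """DP(delta, gamma) = 2^-ell * #{x : Enc(x) ^ Enc(x ^ delta) = gamma}."""
    return sum(1 for x in range(N) if enc[x] ^ enc[x ^ delta] == gamma) / N

def span(masks):
    """The space V: all F_2-linear combinations of the given mask pairs."""
    space = {0}
    for m in masks:
        space |= {w ^ m for w in space}
    return space

def orthogonal(space):
    """V^perp in F_2^(2ell): every w with w.v = 0 for all v in V."""
    return {w for w in range(1 << (2 * ELL)) if all(dot(w, v) == 0 for v in space)}

def capacity(enc, space):
    """cap_Enc(V) = sum of LP_Enc(v) over the non-zero v in V."""
    return sum(lp(enc, v) for v in space if v != 0)

def p_std(enc, perp):
    """p^STD_Enc(V^perp): fraction of pairs (x, x') with (x^x', Enc(x)^Enc(x')) in V^perp."""
    hits = sum(1 for x, x2 in product(range(N), repeat=2)
               if (((x ^ x2) << ELL) | (enc[x] ^ enc[x2])) in perp)
    return hits / (N * N)

def dp_from_lp(lp_table, delta, gamma):
    """[Chabaud Vaudenay 94]: DP(delta, gamma) = 2^-ell * sum_v (-1)^(v.(delta,gamma)) LP(v)."""
    w = (delta << ELL) | gamma
    return sum((-1) ** dot(v, w) * lp_table[v] for v in range(len(lp_table))) / N

def check_links(enc, masks):
    """Return (k, cap, p_std, worst |DP - DP_from_LP|, |2^-k cap - (p_std - 2^-k)|)."""
    space = span(masks)
    k = len(space).bit_length() - 1              # dim V, since |V| = 2^k
    perp = orthogonal(space)
    cap, pstd = capacity(enc, space), p_std(enc, perp)
    lp_table = [lp(enc, v) for v in range(1 << (2 * ELL))]
    worst_cv = max(abs(dp(enc, d, g) - dp_from_lp(lp_table, d, g))
                   for d, g in product(range(N), repeat=2))
    bn_gap = abs(2.0 ** -k * cap - (pstd - 2.0 ** -k))   # [Blondeau Nyberg 14]
    return k, cap, pstd, worst_cv, bn_gap

if __name__ == "__main__":
    # Constructed choice of V: spanned by the mask pairs (0x1, 0x8) and (0x3, 0x5).
    k, cap, pstd, cv, bn = check_links(SBOX, [(0x1 << ELL) | 0x8, (0x3 << ELL) | 0x5])
    print(f"dim V = {k}, cap = {cap:.4f}, p_STD = {pstd:.4f}, "
          f"Chabaud-Vaudenay gap = {cv:.1e}, Blondeau-Nyberg gap = {bn:.1e}")
```

Both gaps come out as exactly zero because every quantity is a dyadic rational that floating point represents exactly; on a real block size only sampled estimates of $p^{\mathrm{STD}}$ are available, which is where the bounds of the following slides take over.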
Advantage of ML Bounded by Decorrelation
- One of the main results:
  $\left|E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*})\right| \le n\sqrt{2^{k-\ell} + 2^{k-1}\,\|[C_K]^2 - [C^*]^2\|_\infty}$
- With the decorrelation term negligible, the bound reaches 1 when $n\,2^{(k-\ell)/2} = 1$: the cipher resists this distinguisher for up to $2^{(\ell-k)/2}$ queries
- This bound can probably be improved: we think that we are losing a factor $\sqrt{n}$ when iterating the attack
TD Attacks – Algorithm
- $V = V_{\mathrm{in}} \times V_{\mathrm{out}}$
- $(\Delta, \Gamma) \in V_{\mathrm{in}}^\perp \times V_{\mathrm{out}}^\perp$
- $s = \dim(V_{\mathrm{in}})$

Distinguisher TD:
  for i = 1 to n do
    pick (x, x') ∈ ({0,1}^ℓ)^2 uniformly such that x ⊕ x' ∈ V_in^⊥
    set y = Enc(x) and y' = Enc(x')
    set b_i = 1_{((x, y) ⊕ (x', y')) ∈ V^⊥}
  output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 2
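The generic distinguisher Iter and its instances LC, DC, ML, STD and TD from the preceding slides, as one runnable framework. This is an added example, not the paper's code: the sample size $d$, the sampler and the test $T$ are the only things that change between the distinguishers, which is what the "attack of order $d$" notation captures. Enc is assumed to be the 4-bit PRESENT S-box so that runs take milliseconds, `versus_random` plays the role of comparing $p_{C_K}$ with $p_{C^*}$ by running the same distinguisher on a random permutation, and the masks and differences in `__main__` are constructed and carry no special meaning.

```python
"""Distinguisher Iter from the slides, with LC, DC, ML, TD and STD as plug-ins.

Added example, not the paper's code. iterated() is the generic algorithm: n
samples of d plaintexts each (d = attack order), a test T on every sample giving
b_i, and a decision f(b_1, ..., b_n). The concrete distinguishers only differ in
the sampler (how the d plaintexts of a sample are drawn) and in T. Enc is the
4-bit PRESENT S-box (an assumption for illustration); the masks and differences
in __main__ are constructed for the demonstration.
"""
import random

ELL = 4
N = 1 << ELL
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]      # stands in for Enc
IDENTITY = list(range(N))                           # Enc(x) = x, handy for sanity checks


def dot(a, b):
    """Inner product over F_2 of two bit strings."""
    return bin(a & b).count("1") & 1


def iterated(enc, n, sampler, T, f, seed=0):
    """Distinguisher Iter: b_i = T(x_1..x_d, y_1..y_d) for n samples, then output f(b_1..b_n)."""
    rng = random.Random(seed)
    bits = []
    for _ in range(n):
        xs = sampler(rng)                    # (x_1, ..., x_d), chosen non-adaptively
        ys = tuple(enc[x] for x in xs)       # y_j = Enc(x_j)
        bits.append(T(xs, ys))
    return f(bits)


# Samplers: how one sample (x_1, ..., x_d) is drawn.
def one_plaintext(rng):                      # LC, ML: order 1
    return (rng.randrange(N),)

def pair_with_difference(delta):             # DC: order 2, x' = x ^ delta
    def sample(rng):
        x = rng.randrange(N)
        return (x, x ^ delta)
    return sample

def pair_in_subspace(v_in_perp):             # TD: order 2, x ^ x' uniform in V_in^perp
    diffs = sorted(v_in_perp)
    def sample(rng):
        x = rng.randrange(N)
        return (x, x ^ rng.choice(diffs))
    return sample

def two_plaintexts(rng):                     # STD: two independent plaintexts
    return (rng.randrange(N), rng.randrange(N))


# Tests T on one sample (xs, ys).
def linear_T(alpha, beta):                   # LC: b_i = alpha.x ^ beta.y
    return lambda xs, ys: dot(alpha, xs[0]) ^ dot(beta, ys[0])

def multidim_T(masks):                       # ML: b_i = (alpha_j.x ^ beta_j.y)_j, a k-bit vector
    return lambda xs, ys: tuple(dot(a, xs[0]) ^ dot(b, ys[0]) for a, b in masks)

def differential_T(gamma):                   # DC: b_i = 1_{y ^ y' = gamma}
    return lambda xs, ys: int(ys[0] ^ ys[1] == gamma)

def truncated_T(v_perp):                     # TD and STD: b_i = 1_{(x ^ x', y ^ y') in V^perp}
    return lambda xs, ys: int((((xs[0] ^ xs[1]) << ELL) | (ys[0] ^ ys[1])) in v_perp)


def fraction_equal(value):
    """One choice of f: the fraction of samples whose b_i equals `value`."""
    return lambda bits: sum(1 for b in bits if b == value) / len(bits)


def product_perp(v_in_perp, v_out_perp):
    """V^perp = V_in^perp x V_out^perp, each element encoded as (input diff << ell) | output diff."""
    return {(d << ELL) | g for d in v_in_perp for g in v_out_perp}


def versus_random(enc, n, sampler, T, f, seed=0):
    """Run one distinguisher on Enc and on a random permutation C*; return (p_Enc, p_C*)."""
    star = list(range(N))
    random.Random(seed).shuffle(star)        # C*: a uniformly random permutation
    return (iterated(enc, n, sampler, T, f, seed + 1),
            iterated(star, n, sampler, T, f, seed + 1))


if __name__ == "__main__":
    n = 4000
    perp = product_perp({0x0, 0x1}, {0x0, 0x8})
    print("LC ", versus_random(SBOX, n, one_plaintext, linear_T(0x8, 0x1), fraction_equal(0)))
    print("DC ", versus_random(SBOX, n, pair_with_difference(0x1), differential_T(0x3), fraction_equal(1)))
    print("ML ", versus_random(SBOX, n, one_plaintext,
                               multidim_T([(0x8, 0x1), (0x4, 0x2)]), fraction_equal((0, 0))))
    print("TD ", versus_random(SBOX, n, pair_in_subspace({0x0, 0x1}), truncated_T(perp), fraction_equal(1)))
    print("STD", versus_random(SBOX, 1, two_plaintexts, truncated_T(perp), fraction_equal(1)))
```

The `fraction_equal` decision rule is one concrete $f$; the point of the slides' bounds is that they hold for any $f$, so a different decision rule can be dropped in without touching the sampling or the test $T$. STD is the degenerate case $n = 1$, which is why its output is a single bit.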
Advantage of TD Bounded by Decorrelation
  $\left|E(p^{\mathrm{TD}}_{C_K}) - E(p^{\mathrm{TD}}_{C^*})\right| \le n\,2^{1+s-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}} + n\,2^{s-1}\,\|[C_K]^2 - [C^*]^2\|_\infty$
- This bound is meaningful as long as the attacker has up to $2^{\ell-s-1}$ queries, the point where the first term reaches about 1
- [Blondeau et al 14]: for $s = \ell - 1$ and $q = 1$, the TD attack is equivalent to a differential-linear attack
- [Bay 14]: decorrelation of order 4 is needed to protect against differential-linear attacks
- Decorrelation of order 2 is adequate for small $s$; it cannot cover $s = \ell - 1$, the differential-linear case
Conclusion
- We improved the bounds for the linear and differential-linear distinguishers
- We generalized the differential and boomerang distinguishers to an arbitrary function $f$
- We proved, via decorrelation, security against multidimensional linear and truncated differential attacks