Protecting Against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation


Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation

Céline Blondeau (1), Aslı Bay, Serge Vaudenay (2)
(1) Aalto University, Finland
(2) EPFL, Lausanne, Switzerland

Monday 9th of March, FSE 2015, Istanbul

Outline
- Statistical Attacks
- Decorrelation Theory
- The Decorrelation Order of ML and TD Attacks

Statistical Attacks

Linear Cryptanalysis
- Enc: permutation over $\{0,1\}^\ell$
- Linear cryptanalysis [Matsui 93]: relation between plaintext and ciphertext bits
- The correlation at point $(\alpha,\beta) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:
  $\mathrm{cor}(\alpha,\beta) = 2^{-\ell}\left[\#\{x \in \mathbb{F}_2^\ell \mid \alpha\cdot x \oplus \beta\cdot\mathrm{Enc}(x) = 0\} - \#\{x \in \mathbb{F}_2^\ell \mid \alpha\cdot x \oplus \beta\cdot\mathrm{Enc}(x) = 1\}\right]$
- Square correlation: for $v = (\alpha,\beta)$, $\mathrm{LP}_{\mathrm{Enc}}(v) = \mathrm{cor}^2(\alpha,\beta)$

Multidimensional Linear Cryptanalysis
- [Hermelin et al 08]
- $V \subset \mathbb{F}_2^{2\ell}$: vector space spanned by different masks $v$
- $k = \dim(V)$
- Capacity: $\mathrm{cap}_{\mathrm{Enc}}(V) = \sum_{v \in V,\, v \neq 0} \mathrm{LP}_{\mathrm{Enc}}(v)$

Differential Cryptanalysis
- Differential cryptanalysis [Biham Shamir 90]
- Probability of a differential $(\Delta,\Gamma) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:
  $\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\,\#\{x \in \mathbb{F}_2^\ell \mid \mathrm{Enc}(x) \oplus \mathrm{Enc}(x \oplus \Delta) = \Gamma\}$
- Truncated differential cryptanalysis [Knudsen 94]
- Differences $(\Delta,\Gamma)$ in the vector space $V^\perp \subset \mathbb{F}_2^{2\ell}$:
  $p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x,x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\ \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$

Decorrelation Theory

Notation – Iterated Distinguisher
- Enc: $\mathbb{F}_2^\ell \to \mathbb{F}_2^\ell$
- $(x_1,\ldots,x_d)$: a sample
- $n$: number of samples
- $d$: size of a sample (attack of order $d$)
- $T$ and $f$: two Boolean functions

Distinguisher Iter:
  1: for i = 1 to n do
  2:   pick (x_1, ..., x_d) ∈ ({0,1}^ℓ)^d
  3:   set y_j = Enc(x_j) for j = 1, ..., d
  4:   set b_i = T(x_1, ..., x_d, y_1, ..., y_d)
  5: output f(b_1, ..., b_n)

Decorrelation Order
- $C^*$: when Enc is a random permutation
- $C_K$: when Enc is a permutation fixed by a random key $K$
- The cipher is decorrelated of order $e$ if $\|[C_K]^e - [C^*]^e\|_\infty$ is small
- [Vaudenay 03]: for an iterated attack of order $d$ we have
  $E(p^{\mathrm{Iter}}_{C_K}) - E(p^{\mathrm{Iter}}_{C^*}) \le 3\sqrt[3]{n^2\left(2\delta + \frac{d^2}{2^\ell} + \frac{d^3}{2^\ell(2^\ell - d)} + \frac{3}{2}\|[C_K]^{2d} - [C^*]^{2d}\|_\infty\right)} + \frac{n}{2}\|[C_K]^{2d} - [C^*]^{2d}\|_\infty$
- An iterated attack of order $d$ has a small advantage if the cipher is decorrelated of order $2d$ or smaller

Example – Linear Cryptanalysis

Distinguisher LC:
  1: for i = 1 to n do
  2:   pick x ∈ {0,1}^ℓ uniformly
  3:   set y = Enc(x)
  4:   set b_i = α·x ⊕ β·y
  5: output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 1
- [Vaudenay 03]:
  $E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*}) \le 3\sqrt[3]{n\|[C_K]^2 - [C^*]^2\|_\infty + \frac{n}{2^\ell - 1}} + 3\sqrt[3]{\frac{n}{2^\ell - 1}}$
- In this paper:
  $E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*}) \le 2\sqrt{n\|[C_K]^2 - [C^*]^2\|_\infty + \frac{n}{2^\ell - 1}} + 2\sqrt{\frac{n}{2^\ell - 1}}$
Example – Differential Cryptanalysis

Distinguisher DC:
  1: for i = 1 to n do
  2:   pick x ∈ {0,1}^ℓ uniformly
  3:   set x' = x ⊕ Δ
  4:   set y = Enc(x) and y' = Enc(x')
  5:   set b_i = 1_{y ⊕ y' = Γ}
  6: output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 2
- [Vaudenay 03]: for the function $f(b_1,\ldots,b_n) = \max_i b_i$, we have
  $E(p^{\mathrm{DC}}_{C_K}) - E(p^{\mathrm{DC}}_{C^*}) \le \frac{n}{2^\ell - 1} + \frac{n}{2}\|[C_K]^2 - [C^*]^2\|_\infty$
- In this paper: the bound is independent of the function $f$
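The decorrelation order and the DC bound above, made concrete on two toy cipher families. This is an added example, not code from the slides or the paper: it assumes a block size ℓ = 3, the XOR-key family C_K(x) = x ⊕ K, and the affine family C_{a,b}(x) = a·x ⊕ b over GF(2^3) with a ≠ 0, and it builds the pair-distribution matrices [C_K]^2 (by enumerating every key) and [C*]^2 (a random permutation sends distinct inputs to a uniformly random pair of distinct outputs), computes ∥[C_K]^2 − [C*]^2∥_∞ as the largest row sum of absolute differences, and checks Vaudenay's DC bound for n = 1 against the exact single-sample advantage E[DP_{C_K}(Δ,Γ)] − E[DP_{C*}(Δ,Γ)].

```python
"""Decorrelation of order 2 for two toy cipher families on 3-bit blocks.

Added example; the families below are illustrative assumptions, not the
slides' ciphers:
  - XOR-key family   C_K(x)     = x XOR K
  - affine family    C_{a,b}(x) = a*x + b in GF(2^3), modulus x^3 + x + 1, a != 0
"""
from fractions import Fraction
from itertools import product

L = 3             # block size l
M = 1 << L        # size of the message space, 2^l


def gf8_mul(a, b):
    """Multiplication in GF(2^3) modulo x^3 + x + 1 (reduce whenever bit 3 is set)."""
    r = 0
    for _ in range(L):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
    return r


def xor_family():
    """Lookup tables of C_K(x) = x ^ K for every key K."""
    return [[x ^ k for x in range(M)] for k in range(M)]


def affine_family():
    """Lookup tables of C_{a,b}(x) = a*x + b for every key (a != 0, any b)."""
    return [[gf8_mul(a, x) ^ b for x in range(M)]
            for a in range(1, M) for b in range(M)]


def dist_matrix_2(family):
    """[C]^2: probability over a uniform key that (x1, x2) maps to (y1, y2)."""
    mat = {}
    w = Fraction(1, len(family))
    for table in family:
        for x1, x2 in product(range(M), repeat=2):
            key = ((x1, x2), (table[x1], table[x2]))
            mat[key] = mat.get(key, 0) + w
    return mat


def perfect_matrix_2():
    """[C*]^2 for a uniformly random permutation: outputs are distinct iff inputs are."""
    mat = {}
    for x1, x2 in product(range(M), repeat=2):
        for y1, y2 in product(range(M), repeat=2):
            if x1 == x2 and y1 == y2:
                mat[((x1, x2), (y1, y2))] = Fraction(1, M)
            elif x1 != x2 and y1 != y2:
                mat[((x1, x2), (y1, y2))] = Fraction(1, M * (M - 1))
    return mat


def inf_norm_distance(m1, m2):
    """||m1 - m2||_inf: maximum over input pairs of the row sum of |differences|."""
    rows = {}
    for key in set(m1) | set(m2):
        x = key[0]
        rows[x] = rows.get(x, 0) + abs(m1.get(key, 0) - m2.get(key, 0))
    return max(rows.values())


def expected_dp(family, delta, gamma):
    """E_K[DP_{C_K}(delta, gamma)]: hit probability of one DC sample under the family."""
    total = Fraction(0)
    for table in family:
        hits = sum(1 for x in range(M) if table[x] ^ table[x ^ delta] == gamma)
        total += Fraction(hits, M)
    return total / len(family)


def expected_dp_perfect(delta, gamma):
    """E[DP_{C*}(delta, gamma)]: a random permutation maps a nonzero input
    difference to each nonzero output difference with probability 1/(2^l - 1)."""
    if delta == 0:
        return Fraction(1) if gamma == 0 else Fraction(0)
    return Fraction(0) if gamma == 0 else Fraction(1, M - 1)


def dc_bound_holds(family, delta, gamma):
    """Vaudenay's DC bound with n = 1: |E p_{C_K} - E p_{C*}| <= 1/(2^l - 1) + eps/2."""
    eps = inf_norm_distance(dist_matrix_2(family), perfect_matrix_2())
    gap = abs(expected_dp(family, delta, gamma) - expected_dp_perfect(delta, gamma))
    return gap <= Fraction(1, M - 1) + eps / 2


if __name__ == "__main__":
    for name, fam in (("xor", xor_family()), ("affine", affine_family())):
        eps = inf_norm_distance(dist_matrix_2(fam), perfect_matrix_2())
        print(name, "||[C_K]^2 - [C*]^2||_inf =", eps,
              " E[DP(5,5)] =", expected_dp(fam, 5, 5),
              " DC bound holds:", dc_bound_holds(fam, 5, 5))
```

The XOR-key family is decorrelated of order 1 but not of order 2 (every key preserves the input difference, so its distance to [C*]^2 is 12/7 and the one-sample DC distinguisher has advantage 6/7, inside the bound 1/7 + 6/7 = 1); the affine family has distance exactly 0, so DP(Δ,Γ) averages to 1/(2^ℓ − 1) just as for a random permutation, which is the situation the order-2 results on the following slides rely on.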
Decorrelation – A Résumé of Results

  Attack               Decor. order   Type of attack        Attack order   Maximal n
  Linear               2              iterative             1              2^ℓ
  Differential         2              iterative             2              2^ℓ
  Differential-linear  4              iterative             2              2^(ℓ−1)
  Boomerang            4              adaptive, iterative   4              2^(ℓ−1)

In this paper:
- Differential-linear attack: we improved the bound as for linear cryptanalysis
- Boomerang attack: the bound is now independent of the function $f$

The Decorrelation Order of ML and TD Attacks

ML Attacks – Algorithm

Distinguisher ML:
  1: for i = 1 to n do
  2:   pick a random x ∈ {0,1}^ℓ
  3:   set y = Enc(x)
  4:   for j = 1 to k do
  5:     set b_{i,j} = (α_j·x) ⊕ (β_j·y)
  6:   set b_i = (b_{i,1}, ..., b_{i,k})
  7: output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 1
- In the paper we show:
  $E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*}) \le n\sqrt{2^{k-\ell} + 2^{k-1}\|[C_K]^2 - [C^*]^2\|_\infty}$

Special Truncated Differential Distinguisher
- To provide a bound on $p^{\mathrm{ML}}_{\mathrm{Enc}} - p^{\mathrm{ML}}_{\mathrm{Enc}^*}$, we consider the following distinguisher, which is a special truncated differential (STD) distinguisher
- A known-plaintext truncated differential distinguisher using only one sample
- Non-adaptive attack with two queries

Distinguisher STD:
  1: pick two plaintexts x and x' at random
  2: set y = Enc(x) and y' = Enc(x')
  3: output 1_{(x' ⊕ x, Enc(x') ⊕ Enc(x)) ∈ V^⊥}

Link between ML and TD Attacks
- [Chabaud Vaudenay 94]: link between differential probabilities and square correlations
  $\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\sum_{v \in \mathbb{F}_2^{2\ell}} (-1)^{v\cdot(\Delta,\Gamma)}\,\mathrm{LP}_{\mathrm{Enc}}(v)$
- [Blondeau Nyberg 14]: given $k = \dim(V)$, we have
  $2^{-k}\,\mathrm{cap}_{\mathrm{Enc}}(V) = p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) - 2^{-k}$
  where $p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x,x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\ \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$

Link between ML and STD Distinguishers
- By definition, we have
  $p^{\mathrm{STD}}_{\mathrm{Enc}} = 2^{-\ell}\sum_{(\Delta,\Gamma) \in V^\perp} \mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma)$
- For any fixed $C_K$ and $C^*$, we have
  $p^{\mathrm{ML}}_{C_K} - p^{\mathrm{ML}}_{C^*} \le \frac{n\,2^{k/2}}{2}\sqrt{p^{\mathrm{STD}}_{C_K} - 2^{-k}} + \frac{n\,2^{k/2}}{2}\sqrt{p^{\mathrm{STD}}_{C^*} - 2^{-k}}$
- We showed that
  $E(p^{\mathrm{STD}}_{C_K}) - E(p^{\mathrm{STD}}_{C^*}) \le \frac{1}{2}\|[C_K]^2 - [C^*]^2\|_\infty$
  and
  $E(p^{\mathrm{STD}}_{C^*} - 2^{-k}) \le 2^{-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}}$

Advantage of ML Bounded by Decorrelation
- One of the main results:
  $E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*}) \le n\sqrt{2^{k-\ell} + 2^{k-1}\|[C_K]^2 - [C^*]^2\|_\infty}$
- This distinguisher is resisted up to $2^{(\ell-k)/2}$ queries
- This bound can probably be improved
- We think that we are losing a factor $\sqrt{n}$ when iterating the attack

TD Attacks – Algorithm
- $V = V_{\mathrm{in}} \times V_{\mathrm{out}}$
- $(\Delta,\Gamma) \in V_{\mathrm{in}}^\perp \times V_{\mathrm{out}}^\perp$
- $s = \dim(V_{\mathrm{in}})$

Distinguisher TD:
  1: for i = 1 to n do
  2:   pick (x, x') ∈ ({0,1}^ℓ)^2 uniformly such that x ⊕ x' ∈ V_in^⊥
  3:   set y = Enc(x) and y' = Enc(x')
  4:   set b_i = 1_{((x,y) ⊕ (x',y')) ∈ V^⊥}
  5: output f(b_1, ..., b_n)

- Non-adaptive iterated attack of order 2

Advantage of TD Bounded by Decorrelation
- $E(p^{\mathrm{TD}}_{C_K}) - E(p^{\mathrm{TD}}_{C^*}) \le n\,2^{1+s-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}} + n\,2^{s-1}\|[C_K]^2 - [C^*]^2\|_\infty$
- This bound is meaningful when the attacker has the knowledge of up to $2^{\ell-s-1}$ queries
- [Blondeau et al 14]: for $s = \ell - 1$ and $q = 1$, the TD attack is equivalent to a differential-linear attack
- [Bay 14]: decorrelation of order 4 is needed to protect against differential-linear attacks
- The decorrelation of order 2 is correct for small $s$

Conclusion
- We improved the bounds for the linear and differential-linear distinguishers
- We generalized the differential and boomerang distinguishers to allow an arbitrary function $f$
- We proved the security for multidimensional linear and truncated differential with decorrelation
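The quantities defined on the Linear, Multidimensional Linear and Differential slides (cor, LP, cap, DP, p^STD), the two identities on the "Link between ML and TD Attacks" slide, and the single-sample case of the ML/STD inequality, all evaluated exactly on one toy permutation. This is an added example, not code from the slides or the paper: the 4-bit permutation SBOX and the masks spanning V are constructed choices, and it verifies that the Chabaud–Vaudenay relation holds for every (Δ,Γ), that 2^{-k} cap(V) = p^STD(V^⊥) − 2^{-k} holds for the chosen V, and that the statistical distance of one ML sample b = (v_j·(x, Enc(x)))_j from uniform stays below (1/2)·2^{k/2}·sqrt(p^STD − 2^{-k}), which is the n = 1 instance of the inequality on the "Link between ML and STD Distinguishers" slide.

```python
"""Linear/differential measures of a toy 4-bit permutation and the ML/TD links.

Added example, not from the slides or the paper. SBOX is a constructed 4-bit
permutation standing in for Enc; masks are packed as v = (alpha << L) | beta.
"""
from fractions import Fraction
from itertools import product
from math import sqrt

L = 4                      # block size l (bits)
N = 1 << L                 # 2^l
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # constructed permutation Enc


def parity(x):
    """Parity of the bits of x; parity(a & b) is the dot product a.b over F_2."""
    return bin(x).count("1") & 1


def mask(alpha, beta):
    """Pack (alpha, beta) in F_2^l x F_2^l into one 2l-bit vector v."""
    return (alpha << L) | beta


def cor(alpha, beta, enc=SBOX):
    """cor(alpha, beta) = 2^-l (#{x: a.x ^ b.Enc(x) = 0} - #{x: a.x ^ b.Enc(x) = 1})."""
    s = sum(1 if parity((alpha & x) ^ (beta & enc[x])) == 0 else -1 for x in range(N))
    return Fraction(s, N)


def lp(v, enc=SBOX):
    """Square correlation LP_Enc(v) for v = (alpha, beta)."""
    return cor(v >> L, v & (N - 1), enc) ** 2


def dp(delta, gamma, enc=SBOX):
    """DP_Enc(delta, gamma) = 2^-l #{x : Enc(x) ^ Enc(x ^ delta) = gamma}."""
    return Fraction(sum(1 for x in range(N) if enc[x] ^ enc[x ^ delta] == gamma), N)


def span(gens):
    """All F_2-linear combinations of the given 2l-bit mask vectors (the space V)."""
    V = {0}
    for g in gens:
        V |= {v ^ g for v in V}
    return V


def orthogonal(V):
    """V^perp = {w in F_2^{2l} : v.w = 0 for every v in V}."""
    return {w for w in range(1 << (2 * L)) if all(parity(v & w) == 0 for v in V)}


def capacity(V, enc=SBOX):
    """cap_Enc(V): sum of LP_Enc(v) over the nonzero v in V."""
    return sum((lp(v, enc) for v in V if v), Fraction(0))


def p_std(Vperp, enc=SBOX):
    """p^STD_Enc(V^perp) = 2^-2l #{(x, x') : (x ^ x', Enc(x) ^ Enc(x')) in V^perp}."""
    hits = sum(1 for x, xp in product(range(N), repeat=2)
               if mask(x ^ xp, enc[x] ^ enc[xp]) in Vperp)
    return Fraction(hits, N * N)


def chabaud_vaudenay_holds(enc=SBOX):
    """DP(delta, gamma) == 2^-l sum_v (-1)^{v.(delta, gamma)} LP(v) for all (delta, gamma)."""
    lps = {v: lp(v, enc) for v in range(1 << (2 * L))}
    for delta, gamma in product(range(N), repeat=2):
        w = mask(delta, gamma)
        rhs = sum((-1) ** parity(v & w) * l for v, l in lps.items() if l) / N
        if rhs != dp(delta, gamma, enc):
            return False
    return True


def blondeau_nyberg_gap(gens, enc=SBOX):
    """2^-k cap(V) - (p^STD(V^perp) - 2^-k); exactly zero when the identity holds."""
    V = span(gens)
    k = len(V).bit_length() - 1            # dim V, since |V| = 2^k
    inv = Fraction(1, 1 << k)
    return inv * capacity(V, enc) - (p_std(orthogonal(V), enc) - inv)


def ml_one_sample(gens, enc=SBOX):
    """One ML sample: statistical distance of b = (v_j.(x, Enc(x)))_j from uniform,
    with the bound (1/2) 2^{k/2} sqrt(p^STD(V^perp) - 2^-k) (gens must be independent)."""
    k = len(gens)
    counts = [0] * (1 << k)
    for x in range(N):
        b = 0
        for j, v in enumerate(gens):
            b |= parity(v & mask(x, enc[x])) << j
        counts[b] += 1
    sd = sum(abs(Fraction(c, N) - Fraction(1, 1 << k)) for c in counts) / 2
    gap = p_std(orthogonal(span(gens)), enc) - Fraction(1, 1 << k)
    return float(sd), 0.5 * sqrt(2 ** k) * sqrt(float(gap))
```

All identity checks use exact rational arithmetic, so a nonzero gap would be a genuine failure rather than rounding; the same functions run unchanged for any other small permutation dropped into SBOX, and larger ℓ only costs the 2^{2ℓ}-term sums in the Chabaud–Vaudenay check.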