Protecting against Multidimensional Linear and Truncated Differential by Decorrelation

Céline Blondeau (1), Aslı Bay, Serge Vaudenay (2)
(1) Aalto University, Finland
(2) EPFL, Lausanne, Switzerland

Monday 9th of March, FSE 2015, Istanbul

Outline

- Statistical Attacks
- Decorrelation Theory
- The Decorrelation Order of ML and TD Attacks
- Protecting against ML and TD

Statistical Attacks

- Enc: a permutation over $\{0,1\}^\ell$
- Linear cryptanalysis [Matsui 93]: a linear relation between plaintext and ciphertext bits
- The correlation at point $(\alpha,\beta) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:

  $\mathrm{cor}(\alpha,\beta) = 2^{-\ell}\Big[\#\{x \in \mathbb{F}_2^\ell \mid \alpha \cdot x \oplus \beta \cdot \mathrm{Enc}(x) = 0\} - \#\{x \in \mathbb{F}_2^\ell \mid \alpha \cdot x \oplus \beta \cdot \mathrm{Enc}(x) = 1\}\Big]$

- Square correlation: for $v = (\alpha,\beta)$, $\mathrm{LP}_{\mathrm{Enc}}(v) = \mathrm{cor}^2(\alpha,\beta)$

Protecting against ML and TD

Multidimensional Linear Cryptanalysis

- [Hermelin et al 08]
- $V \subset \mathbb{F}_2^{2\ell}$: vector space spanned by different masks $v$
- $k = \dim(V)$
- Capacity: $\mathrm{cap}_{\mathrm{Enc}}(V) = \sum_{v \in V,\, v \neq 0} \mathrm{LP}_{\mathrm{Enc}}(v)$

Differential Cryptanalysis

- Differential Cryptanalysis [Biham Shamir 90]
- Probability of a differential $(\Delta,\Gamma) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:

  $\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\,\#\{x \in \mathbb{F}_2^\ell \mid \mathrm{Enc}(x) \oplus \mathrm{Enc}(x \oplus \Delta) = \Gamma\}$

- Truncated Differential Cryptanalysis [Knudsen 94]
- Differences $(\Delta,\Gamma)$ in the vector space $V^\perp \subset \mathbb{F}_2^{2\ell}$:

  $p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x,x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\, \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$

Decorrelation Theory

Notation – Iterated Distinguisher

- $\mathrm{Enc} : \mathbb{F}_2^\ell \to \mathbb{F}_2^\ell$
- $(x_1, \ldots, x_d)$: a sample
- $n$: number of samples
- $d$: size of a sample (attack of order $d$)
- $T$ and $f$: two Boolean functions

Distinguisher Iter:
1: for i = 1 to n do
2:   pick $(x_1, \ldots, x_d) \in (\{0,1\}^\ell)^d$
3:   set $y_j = \mathrm{Enc}(x_j)$ for $j = 1, \ldots, d$
4:   set $b_i = T(x_1, \ldots, x_d, y_1, \ldots, y_d)$
5: output $f(b_1, \ldots, b_n)$

Decorrelation Order

- $C^*$: when Enc is a random permutation
- $C_K$: when Enc is a permutation fixed by a random key $K$
- The cipher is decorrelated of order $e$ if $\|[C_K]^e - [C^*]^e\|_\infty$ is small
- [Vaudenay 03]: for an iterated attack of order $d$ we have

  $E(p^{\mathrm{Iter}}_{C_K}) - E(p^{\mathrm{Iter}}_{C^*}) \le 3\sqrt[3]{n^2\Big(2\delta + \frac{2d^2}{2^\ell} + \frac{d^2}{2^\ell(2^\ell - d)} + \frac{3}{2}\|[C_K]^{2d} - [C^*]^{2d}\|_\infty\Big)} + \frac{n}{2}\|[C_K]^{2d} - [C^*]^{2d}\|_\infty$

- An iterated attack of order $d$ has a small advantage if the cipher is decorrelated of order $2d$ or smaller
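The distribution matrices $[C]^d$ and the distance $\|[C_K]^d - [C^*]^d\|_\infty$ behind the order-$e$ definition above, computed exactly on a toy keyed family. This is an added example, not code from the paper: the family is the constructed key-XOR cipher $C_K(x) = x \oplus K$ on $\ell$-bit blocks, the perfect cipher $C^*$ is enumerated over all $(2^\ell)!$ permutations (so $\ell = 2$ in the demo), and the function names are this example's own.

```python
from fractions import Fraction
from itertools import permutations, product

# Added example, not code from the paper: distribution matrices [C]^d and the
# decorrelation distance ||[C_K]^d - [C*]^d||_inf for a constructed toy family,
# the key-XOR cipher C_K(x) = x xor K on ell-bit blocks. The perfect cipher C* is
# enumerated over all (2^ell)! permutations, so keep ell at 2 (24 permutations);
# the code itself is generic in ell and in the order d.


def dot(a, b):
    """Inner product over F_2 (parity of a & b)."""
    return bin(a & b).count("1") & 1


def key_xor_cipher(ell):
    """C_K(x) = x xor K with K uniform: a list of (Pr[K], permutation table) pairs."""
    M = 1 << ell
    return [(Fraction(1, M), [x ^ k for x in range(M)]) for k in range(M)]


def perfect_cipher(ell):
    """C*: every permutation of {0,1}^ell with the same probability 1/(2^ell)!."""
    M = 1 << ell
    perms = list(permutations(range(M)))
    return [(Fraction(1, len(perms)), list(p)) for p in perms]


def dist_matrix(d, ell, family):
    """[C]^d as a dict of rows: row (x_1..x_d) maps (y_1..y_d) to Pr[C(x_i) = y_i for all i].
    Zero entries are simply absent from the row."""
    M = 1 << ell
    rows = {}
    for xs in product(range(M), repeat=d):
        row = {}
        for pr, perm in family:
            ys = tuple(perm[x] for x in xs)
            row[ys] = row.get(ys, Fraction(0)) + pr
        rows[xs] = row
    return rows


def decorrelation_distance(d, ell, family):
    """||[C_K]^d - [C*]^d||_inf: the largest row sum of absolute entry differences."""
    A = dist_matrix(d, ell, family)
    B = dist_matrix(d, ell, perfect_cipher(ell))
    worst = Fraction(0)
    for xs in A:
        cols = set(A[xs]) | set(B[xs])
        row_sum = sum((abs(A[xs].get(ys, 0) - B[xs].get(ys, 0)) for ys in cols), Fraction(0))
        worst = max(worst, row_sum)
    return worst


def expected_lp(family, ell, alpha, beta):
    """E_K[LP_{C_K}(alpha, beta)]: the average over the keys of cor(alpha, beta)^2,
    i.e. the quantity a linear distinguisher exploits."""
    M = 1 << ell
    total = Fraction(0)
    for pr, perm in family:
        zeros = sum(1 for x in range(M) if dot(alpha, x) ^ dot(beta, perm[x]) == 0)
        total += pr * Fraction(2 * zeros - M, M) ** 2
    return total


if __name__ == "__main__":
    ell = 2
    fam = key_xor_cipher(ell)
    for d in (1, 2):
        print(f"order {d}: ||[C_K]^{d} - [C*]^{d}||_inf =", decorrelation_distance(d, ell, fam))
    # Order 1 is perfect, yet the mask pair (alpha, alpha) has correlation +-1 for every key:
    print("E[LP(1,1)] for key-XOR:", expected_lp(fam, ell, 1, 1),
          " for C*:", expected_lp(perfect_cipher(ell), ell, 1, 1))
```

Key-XOR has order-1 distance 0 but order-2 distance 4/3 at $\ell = 2$, while $E_K[\mathrm{LP}(\alpha,\alpha)] = 1$ for every non-zero $\alpha$: a one-sample linear distinguisher breaks it, which is why the results table later in the deck needs decorrelation order 2 for linear cryptanalysis and why an order-2 distance this large makes the linear bound vacuous. For $C^*$ the same expectation is $1/(2^\ell - 1)$, the value that the $n/(2^\ell - 1)$ terms in the bounds account for.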

Example – Linear Cryptanalysis

Distinguisher LC:
1: for i = 1 to n do
2:   pick $x \in \{0,1\}^\ell$ uniformly
3:   set $y = \mathrm{Enc}(x)$
4:   set $b_i = \alpha \cdot x \oplus \beta \cdot y$
5: output $f(b_1, \ldots, b_n)$

- Non-adaptive iterated attack of order 1
- [Vaudenay 03]:

  $E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*}) \le 3\sqrt[3]{n\|[C_K]^2 - [C^*]^2\|_\infty} + \frac{n}{2^\ell - 1} + 3\sqrt[3]{\frac{n}{2^\ell - 1}}$

- In this paper:

  $E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*}) \le 2\sqrt{n\|[C_K]^2 - [C^*]^2\|_\infty} + \frac{n}{2^\ell - 1} + 2\sqrt{\frac{n}{2^\ell - 1}}$

10/21 I Non-adaptive iterated attack of order 2

I [Vaudenay 03]: For the function f (b1,..., bn) = maxi bi , we have

DC DC n n 2 ∗ 2 E(p ) − E(p ∗ ) ≤ + k[CK ] − [C ] k∞. CK C 2` − 1 2

I In this paper: The bound is independent of the function f

Example – Differential Cryptanalysis Distinguisher DC: 1: for i = 1 to n do 2: pick x ∈ {0, 1}` uniformly 3: set x0 = x ⊕ ∆ 4: set y = Enc(x) and y 0 = Enc(x0) 5: set bi = 1y⊕y 0=Γ 6: output f (b1,..., bn)

Protecting against ML and TD

11/21 I [Vaudenay 03]: For the function f (b1,..., bn) = maxi bi , we have

DC DC n n 2 ∗ 2 E(p ) − E(p ∗ ) ≤ + k[CK ] − [C ] k∞. CK C 2` − 1 2

I In this paper: The bound is independent of the function f

Example – Differential Cryptanalysis Distinguisher DC: 1: for i = 1 to n do 2: pick x ∈ {0, 1}` uniformly 3: set x0 = x ⊕ ∆ 4: set y = Enc(x) and y 0 = Enc(x0) 5: set bi = 1y⊕y 0=Γ 6: output f (b1,..., bn)

I Non-adaptive iterated attack of order 2

Protecting against ML and TD

11/21 Example – Differential Cryptanalysis Distinguisher DC: 1: for i = 1 to n do 2: pick x ∈ {0, 1}` uniformly 3: set x0 = x ⊕ ∆ 4: set y = Enc(x) and y 0 = Enc(x0) 5: set bi = 1y⊕y 0=Γ 6: output f (b1,..., bn)

I Non-adaptive iterated attack of order 2

I [Vaudenay 03]: For the function f (b1,..., bn) = maxi bi , we have

DC DC n n 2 ∗ 2 E(p ) − E(p ∗ ) ≤ + k[CK ] − [C ] k∞. CK C 2` − 1 2

I In this paper: The bound is independent of the function f

Protecting against ML and TD

Decorrelation – A Resume of Results

  Attack                Decor. order   Type of attack        Attack order   Maximal n
  Linear                2              iterative             1              $2^\ell$
  Differential          2              iterative             2              $2^\ell$
  Differential-linear   4              iterative             2              $2^{\ell-1}$
  Boomerang             4              adaptive, iterative   4              $2^{\ell-1}$

In this paper:

- Differential-Linear Attack: we improved the bound as for linear cryptanalysis
- Boomerang Attack: the bound is now independent of the function $f$

The Decorrelation Order of ML and TD Attacks

ML Attacks – Algorithm

Distinguisher ML:
1: for i = 1 to n do
2:   pick a random $x \in \{0,1\}^\ell$
3:   set $y = \mathrm{Enc}(x)$
4:   for j = 1 to k do
5:     set $b_{i,j} = (\alpha_j \cdot x) \oplus (\beta_j \cdot y)$
6:   set $b_i = (b_{i,1}, \ldots, b_{i,k})$
7: output $f(b_1, \ldots, b_n)$

- Non-adaptive iterated attack of order 1
- In the paper we show:

  $E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*}) \le n\sqrt{2^{k-\ell} + 2^{k-1}\|[C_K]^2 - [C^*]^2\|_\infty}$
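Distinguisher ML from the algorithm above, run end to end on a toy instance. This is an added example, not the paper's code: Enc is a constructed stand-in (the 4-bit PRESENT S-box table, $\ell = 4$), the masks in `masks` are constructed, the statistic chosen for $f$ is the empirical capacity $2^k \sum_z (\Pr[b = z] - 2^{-k})^2$ (a standard identity that equals $\mathrm{cap}_{\mathrm{Enc}}(V)$ on the exact distribution; the slides do not state it), and the function names are this example's own.

```python
from fractions import Fraction
from collections import Counter
import random

# Added example, not the paper's code: Distinguisher ML run against a constructed
# stand-in for Enc (the 4-bit PRESENT S-box table, ell = 4). The masks, the statistic
# used as f and the function names are this example's own choices.
ELL = 4
N = 1 << ELL
ENC = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def dot(a, b):
    """Inner product over F_2 (parity of a & b)."""
    return bin(a & b).count("1") & 1


def ml_samples(enc, masks, xs):
    """Steps 2-6 of Distinguisher ML for the plaintexts in xs: y = Enc(x) and
    b_i = (alpha_1.x + beta_1.y, ..., alpha_k.x + beta_k.y), packed as a k-bit integer."""
    out = []
    for x in xs:
        y = enc[x]
        b = 0
        for j, (alpha, beta) in enumerate(masks):
            b |= (dot(alpha, x) ^ dot(beta, y)) << j
        out.append(b)
    return out


def capacity_statistic(bs, k):
    """One choice for f: 2^k * sum_z (Pr_emp[b = z] - 2^-k)^2, the empirical capacity.
    On the exact distribution of b (all plaintexts once) it equals cap_Enc(V), V = span(masks)."""
    n = len(bs)
    counts = Counter(bs)
    total = sum(((Fraction(counts.get(z, 0), n) - Fraction(1, 2 ** k)) ** 2
                 for z in range(2 ** k)), Fraction(0))
    return total * 2 ** k


def capacity_from_lp(enc, masks):
    """cap_Enc(V) as the slides define it: sum of cor^2 over the non-zero masks of V.
    The masks must be linearly independent so that k = len(masks) = dim(V)."""
    V = {(0, 0)}
    for a, b in masks:
        V |= {(x ^ a, y ^ b) for (x, y) in V}
    total = Fraction(0)
    for alpha, beta in V - {(0, 0)}:
        zeros = sum(1 for x in range(N) if dot(alpha, x) ^ dot(beta, enc[x]) == 0)
        total += Fraction(2 * zeros - N, N) ** 2
    return total


def distinguisher_ml(enc, masks, n, rng, threshold):
    """Distinguisher ML end to end: n random known plaintexts (step 2), the b_i (steps 3-6),
    and output 1 iff the statistic exceeds threshold (step 7)."""
    xs = [rng.randrange(N) for _ in range(n)]
    return int(capacity_statistic(ml_samples(enc, masks, xs), len(masks)) > threshold)


if __name__ == "__main__":
    masks = [(0x1, 0x1), (0x2, 0x4)]      # constructed: two independent masks, k = 2
    exact = capacity_from_lp(ENC, masks)
    print("cap_Enc(V) =", exact)
    print("statistic on all 16 plaintexts:",
          capacity_statistic(ml_samples(ENC, masks, range(N)), len(masks)))
    rng = random.Random(2015)
    print("ML distinguisher on 8 random plaintexts:",
          distinguisher_ml(ENC, masks, 8, rng, exact / 2))
```

With all $2^\ell$ plaintexts sampled once the statistic reproduces $\mathrm{cap}_{\mathrm{Enc}}(V)$ exactly; with fewer samples it fluctuates around it, which is the gap between $n$ and $2^\ell$ that the bound's $2^{k-\ell}$ term measures.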

Special Truncated Differential Distinguisher

- To provide a bound on $p^{\mathrm{ML}}_{\mathrm{Enc}} - p^{\mathrm{ML}}_{\mathrm{Enc}^*}$, we consider the following distinguisher, which is a special truncated differential (STD) distinguisher
- A known-plaintext truncated differential distinguisher using only one sample
- Non-adaptive attack with two queries

Distinguisher STD:
1: pick two plaintexts $x$ and $x'$ at random
2: set $y = \mathrm{Enc}(x)$ and $y' = \mathrm{Enc}(x')$
3: output $1_{(x' \oplus x,\, \mathrm{Enc}(x') \oplus \mathrm{Enc}(x)) \in V^\perp}$

Link between ML and TD Attacks

- [Chabaud Vaudenay 94]: link between differential probabilities and square correlations

  $\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\sum_{v \in \mathbb{F}_2^{2\ell}} (-1)^{v \cdot (\Delta,\Gamma)}\,\mathrm{LP}_{\mathrm{Enc}}(v)$

- [Blondeau Nyberg 14]: given $k = \dim(V)$, we have

  $2^{-k}\,\mathrm{cap}_{\mathrm{Enc}}(V) = p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) - 2^{-k}$, where

  $p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x,x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\, \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$
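The definitions from the Statistical Attacks slides (cor, LP, cap, DP, $p^{\mathrm{STD}}$) and the two links on this slide, worked through on a toy permutation; it also checks the "by definition" expression of $p^{\mathrm{STD}}$ as a sum of DPs that the next slide states, since all three follow from the same tables. This is an added example, not code from the paper: Enc is a constructed stand-in (the 4-bit PRESENT S-box table, $\ell = 4$), the mask bases passed to `check_links` are constructed, and the helper names are this example's own.

```python
from fractions import Fraction

# Added example, not code from the paper. Enc is a constructed stand-in: the 4-bit
# PRESENT S-box table used as a permutation over F_2^4 (ell = 4). Masks (alpha, beta)
# and differences (Delta, Gamma) are plain 4-bit integers; all arithmetic is exact.
ELL = 4
N = 1 << ELL
ENC = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
assert sorted(ENC) == list(range(N))  # Enc must be a permutation


def dot(a, b):
    """Inner product over F_2: parity of the AND of the two bit strings."""
    return bin(a & b).count("1") & 1


def cor(alpha, beta):
    """cor(alpha, beta) = 2^-ell (#{x : alpha.x + beta.Enc(x) = 0} - #{x : ... = 1})."""
    zeros = sum(1 for x in range(N) if dot(alpha, x) ^ dot(beta, ENC[x]) == 0)
    return Fraction(zeros - (N - zeros), N)


# LP(v) = cor^2 and DP(Delta, Gamma), tabulated once over all mask / difference pairs.
LP = {(a, b): cor(a, b) ** 2 for a in range(N) for b in range(N)}
DP = {(d, g): Fraction(sum(1 for x in range(N) if ENC[x] ^ ENC[x ^ d] == g), N)
      for d in range(N) for g in range(N)}


def span(basis):
    """All F_2-linear combinations of the mask pairs in basis: the space V."""
    V = {(0, 0)}
    for a, b in basis:
        V |= {(x ^ a, y ^ b) for (x, y) in V}
    return V


def capacity(V):
    """cap_Enc(V) = sum of LP(v) over the non-zero masks of V."""
    return sum((LP[v] for v in V if v != (0, 0)), Fraction(0))


def orthogonal(V):
    """V^perp: the (Delta, Gamma) with alpha.Delta + beta.Gamma = 0 for every (alpha, beta) in V."""
    return {(d, g) for d in range(N) for g in range(N)
            if all(dot(a, d) ^ dot(b, g) == 0 for (a, b) in V)}


def p_std(Vperp):
    """p^STD_Enc(V^perp): fraction of all 2^(2 ell) pairs (x, x') whose difference lands in V^perp."""
    hits = sum(1 for x in range(N) for xp in range(N) if (x ^ xp, ENC[x] ^ ENC[xp]) in Vperp)
    return Fraction(hits, N * N)


def dp_from_lp(delta, gamma):
    """Right-hand side of the Chabaud-Vaudenay link: 2^-ell sum_v (-1)^(v.(Delta,Gamma)) LP(v)."""
    total = sum(((-1) ** (dot(a, delta) ^ dot(b, gamma))) * LP[(a, b)]
                for a in range(N) for b in range(N))
    return total / N


def check_links(basis):
    """For V = span(basis) (basis linearly independent, so k = len(basis) = dim V) return
    (Chabaud-Vaudenay holds for every (Delta, Gamma), Blondeau-Nyberg holds,
    p^STD equals 2^-ell times the sum of DP over V^perp)."""
    V = span(basis)
    k = len(basis)
    assert len(V) == 2 ** k, "basis is not linearly independent"
    Vperp = orthogonal(V)
    cv = all(dp_from_lp(d, g) == DP[(d, g)] for d in range(N) for g in range(N))
    bn = Fraction(1, 2 ** k) * capacity(V) == p_std(Vperp) - Fraction(1, 2 ** k)
    dp_sum = sum((DP[w] for w in Vperp), Fraction(0)) / N == p_std(Vperp)
    return cv, bn, dp_sum


if __name__ == "__main__":
    basis = [(0x1, 0x1), (0x2, 0x4)]      # constructed: two independent masks, k = 2
    V = span(basis)
    print("cap_Enc(V) =", capacity(V), " p_STD(V^perp) =", p_std(orthogonal(V)))
    print("(Chabaud-Vaudenay, Blondeau-Nyberg, DP-sum) hold:", check_links(basis))
```

Because the relation $2^{-k}\mathrm{cap}_{\mathrm{Enc}}(V) = p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) - 2^{-k}$ is exact for every permutation, measuring $p^{\mathrm{STD}}$ with the two-query STD distinguisher is the same as measuring the capacity of the multidimensional linear approximation, which is what lets the ML advantage be bounded through decorrelation of order 2.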

Link between ML and STD Distinguishers

- By definition, we have

  $p^{\mathrm{STD}}_{\mathrm{Enc}} = 2^{-\ell}\sum_{(\Delta,\Gamma) \in V^\perp} \mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma)$

- For any fixed $C_K$ and $C^*$, we have

  $p^{\mathrm{ML}}_{C_K} - p^{\mathrm{ML}}_{C^*} \le \frac{n 2^{k/2}}{2}\sqrt{p^{\mathrm{STD}}_{C_K} - 2^{-k}} + \frac{n 2^{k/2}}{2}\sqrt{p^{\mathrm{STD}}_{C^*} - 2^{-k}}$

- We showed that

  $E(p^{\mathrm{STD}}_{C_K}) - E(p^{\mathrm{STD}}_{C^*}) \le \frac{1}{2}\|[C_K]^2 - [C^*]^2\|_\infty$ and $E(p^{\mathrm{STD}}_{C^*} - 2^{-k}) \le 2^{-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}}$

Advantage of ML Bounded by Decorrelation

- One of the main results:

  $E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*}) \le n\sqrt{2^{k-\ell} + 2^{k-1}\|[C_K]^2 - [C^*]^2\|_\infty}$

- This distinguisher is resistant up to $2^{\frac{\ell-k}{2}}$ queries
- This bound can probably be improved
- We think that we are losing a factor $\sqrt{n}$ when iterating the attack

TD Attacks – Algorithm

- $V = V_{\mathrm{in}} \times V_{\mathrm{out}}$
- $(\Delta,\Gamma) \in V_{\mathrm{in}}^\perp \times V_{\mathrm{out}}^\perp$
- $s = \dim(V_{\mathrm{in}})$

Distinguisher TD:
1: for i = 1 to n do
2:   pick $(x, x') \in (\{0,1\}^\ell)^2$ uniformly such that $x \oplus x' \in V_{\mathrm{in}}^\perp$
3:   set $y = \mathrm{Enc}(x)$ and $y' = \mathrm{Enc}(x')$
4:   set $b_i = 1_{((x,y) \oplus (x',y')) \in V^\perp}$
5: output $f(b_1, \ldots, b_n)$

- Non-adaptive iterated attack of order 2

Advantage of TD Bounded by Decorrelation

- $E(p^{\mathrm{TD}}_{C_K}) - E(p^{\mathrm{TD}}_{C^*}) \le n 2^{1+s-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}} + n 2^{s-1}\|[C_K]^2 - [C^*]^2\|_\infty$
- This bound is meaningful when the attacker has the knowledge of up to $2^{\ell-s-1}$ queries
- [Blondeau et al 14]: for $s = \ell - 1$ and $q = 1$, the TD attack is equivalent to a differential-linear attack
- [Bay 14]: decorrelation of order 4 is needed to protect against differential-linear attacks
- The decorrelation of order 2 is correct for small $s$

Conclusion

- We improved the bounds for the linear and differential-linear distinguishers
- We generalized the differential and boomerang distinguishers to allow an arbitrary function $f$
- We proved the security of multidimensional linear and truncated differential attacks' targets through decorrelation: the ML and TD advantages are bounded by the decorrelation of order 2