Methods for Symmetric and EWM PhD Summer School, Turku, June 2009

Kaisa Nyberg

[email protected]

Department of Information and Computer Science Helsinki University of Technology and Nokia, Finland

Methods for Symmetric Key Cryptography and Cryptanalysis – 1/32 This lecture is dedicated to the memory of Professor Susanne Dierolf a dear and supporting friend, a highly respected colleague, and a great European Woman in Mathematics, who passed away in May 2009 at the age of 64 in Trier, Germany.

Methods for Symmetric Key Cryptography and Cryptanalysis – 2/32 Outline

1. Boolean function Linear approximation of Boolean function Related probability distribution 2. Cryptographic primitives Linear approximation of Linear approximation of 3. Cryptanalysis and attack scenarios Key information deduction on block cipher Distinguishing attack on stream cipher Initial state recovery of stream cipher 4. Conclusions

Methods for Symmetric Key Cryptography and Cryptanalysis – 3/32 Boolean Functions

Methods for Symmetric Key Cryptography and Cryptanalysis – 4/32 Binary vector space

n Z 2 the space of n-dimensional binary vectors

sum modulo 2

Given two vectors

1 n 1 n n a = ´ a ; : : : ; a µ ; b = ´ b ; : : : ; b µ Z 2

the inner product (dot product) is defined as

1 1 n n

a b = a b a b :

Then a is called the linear mask of b.

Methods for Symmetric Key Cryptography and Cryptanalysis – 5/32 Boolean function

n f : Z 2 Z 2 Boolean function.

Linear Boolean function is of the form f ´ x µ = u x for some n fixed linear mask u Z 2. n m f : Z 2 Z 2 with f = ´ f1 ; : : : ; fm µ ; where fi are Boolean functions, is called a vector Boolean function of dimension m. n m A linear vector Boolean function from Z 2 to Z 2 is represented

by an m n binary matrix U. The m rows of U are denoted by

u1 ; : : : ; um, where each ui is a linear mask.

Methods for Symmetric Key Cryptography and Cryptanalysis – 6/32 Correlation

n The correlation between two Boolean functions f : Z 2 Z 2 n and g : Z 2 Z 2 is defined as

n n n c´ f ; gµ = 2 ´ # x Z 2 f ´ x µ = g´ x µ # x Z 2 f ´ x µ = g´ x µ µ

Correlation c´ f ; 0µ is called the correlation (sometimes aka bias) of f . Linear cryptanalysis makes use of large correlations of Boolean functions in cipher constructions.

Methods for Symmetric Key Cryptography and Cryptanalysis – 7/32 Random variable related to Boolean function

n X discrete random variable taking on values in Z 2

= ´ η µ n If p p η¾ Z is the probability distribution (p.d.) of X, 2

ηµ where pη = Pr´ X = , we denote X p. n

θ Z Let denote the uniform distribution on 2. n m

θ: Let f : Z 2 Z 2 be a Boolean function and X Then the

p.d. of f ´ X µ is called the p.d. of f .

Methods for Symmetric Key Cryptography and Cryptanalysis – 8/32 Walsh-Hadamard Transform

Walsh-Hadamard transform is a type of discrete Fourier-transform. n

φ Z Ê Let : 2 be a real-valued function. The Walsh-Hadamard

transform b φ of φ is defined as

x¡ u n b φ φ´ µ = ´ µ´ µ ; Z : u ∑ x 1 u 2 n x¾ Z 2 Then

b n n b

φ Z ; φ´ µ ; ´ x µ = 2 x x 2 using the inverse of Walsh-Hadamard transform.

Methods for Symmetric Key Cryptography and Cryptanalysis – 9/32 Convolution

n n

φ Z Ê ψ Z Ê The convolution of two functions : 2 and : 2 is defined as n

φ ψµ´ µ = ´ µ ψ´ · µ ; Z : ´ φ y ∑ x x y y 2 n x¾ Z 2 Then

\ n b

b

φ ψµ´ µ = φ´ µ ψ ´ µ ; Z : ´ u u u u 2

Methods for Symmetric Key Cryptography and Cryptanalysis – 10/32 Correlation and probability distribution

The correlations of masked Boolean function can be computed as Walsh-Hadamard transform of the distribution of the function:

η n a¡ f ´ xµ a¡

b c´ a f µ = 2 ∑ ´ 1µ = ∑ ´ 1µ pη = p´ aµ : n m

η¾ Z x¾ Z 2 2 n m Theorem 1 Let f : Z 2 Z 2 be a Boolean function with p.d. p and m one-dimensional correlations c´ a f µ ; a Z 2 . Then η m a¡

pη = 2 ∑ ´ 1µ c´ a f µ m a¾ Z 2 m

η Z for all 2 .

Methods for Symmetric Key Cryptography and Cryptanalysis – 11/32 Cryptographic Encryption Primitives

Methods for Symmetric Key Cryptography and Cryptanalysis – 12/32 Symmetric-key encryption

K K the key

x P the plaintext

y C the

Encryption method is a family EK of transformations EK : P C , parametrised using the key K such that for each encryption transfor-

mation EK there is a decryption transformation DK : C P , such that

DK ´ EK ´ x µµµ = x, for all x P .

Methods for Symmetric Key Cryptography and Cryptanalysis – 13/32 Block cipher

The data to be encrypted is split into blocks xi, i = 1; : : : ; N of fixed length n. A typical value of n is 128.

n ` P = C = Z 2, K = Z 2 Block cipher seen as a vector Boolean function

n ` n n ` f : Z 2 Z 2 Z 2 Z 2 Z 2

f ´ x ; K µ = ´ x ; EK ´ x µ ; K µ Linear approximation of a block cipher

u x w EK ´ x µ v K θ where x and K is fixed.

Methods for Symmetric Key Cryptography and Cryptanalysis – 14/32 Stream cipher

Data to be encrypted is split into blocks

xi ; i = 1; : : : ; N

of fixed length n. Now typical values of n are n = 1; 8; or 32.

` K = Z 2

The key K K determines the initial state of a generator

which produces a new fresh key Ki, i = 1; : : : ; N, for each data block. n N P = C = ´ Z 2 µ where N can be any positive integer less than the period of the keystream generator.

EK ´ x1 ; : : : ; xN µ = K1 x1 ; : : : ; KN xN

Methods for Symmetric Key Cryptography and Cryptanalysis – 15/32 Linear approximation of stream cipher

Key stream generator seen as Boolean functions

` ` n fi : Z 2 Z 2 Z 2 ; fi ´ K µ = ´ K ; Ki µ Linear approximations of key stream generator

ui K w Ki

Methods for Symmetric Key Cryptography and Cryptanalysis – 16/32 Cryptanalysis

Methods for Symmetric Key Cryptography and Cryptanalysis – 17/32 Attack scenarios

Assumptions about data available to attacker

Ciphertext only (Shannon’s model)

Known plaintext-ciphertext pairs

Chosen (by attacker) plaintext and corresponding ciphertext

Methods for Symmetric Key Cryptography and Cryptanalysis – 18/32 Breaks

This classification is hierarchial. An attack is successful if its complexity is less than the complexity of exhaustive key search.

Total break: attacker gets the key

Instance deduction: attacker gets a clone of DK Key information deduction: attacker gets partial information about the key

Distinguishing: attacker can distinguish the cipher from a purely random function

Distinguishing leads sometimes to information deduction.

Methods for Symmetric Key Cryptography and Cryptanalysis – 19/32 Linear cryptanalysis

Linear cryptanalysis is a known plaintext-ciphertext attack

Linear cryptanalysis makes use of linear approximations of the cipher.

Linear cryptanalysis can be used in distinguishing attacks or in key information deduction.

Methods for Symmetric Key Cryptography and Cryptanalysis – 20/32 Key information recovery on block cipher

Linear approximation of a block cipher

u x w EK ´ x µ v K θ where x and K is fixed. The correlation c of this Boolean function is assumed to be known or a sufficiently accurate estimate is available.

Observe a number N of known plaintext-ciphertext pairs ´ x ; EK ´ x µµ

and calculate the observed correlation c˜ of u x w EK ´ x µ .

Determine v K = 0, if cc˜ > 0, and v K = 1, otherwise.

Methods for Symmetric Key Cryptography and Cryptanalysis – 21/32 The probability of success

Consider the case c > 0 and v ¡ K = 0. Other cases are similar.

Let N0 be the observed number of plaintexts x such that u ¡ x ¨ w ¡ EK ´ x µ = 0.

Then N0 is binomially distributed with expected value N p and variance N p´ 1 pµ ,

c· 1 where p = 2 . Then

N0 N p

Ô Z =  N ´ 0; 1µ

N p´ 1 pµ

where N ´ 0; 1µ is the standard normal distribution. Then the bit v ¡ K is correctly determined if the observed correlation c˜ is positive, which happens if and only if

Ô

N0 > N = 2, or equivalently, Z > c N. Hence the probability of success can be estimated as

Ô

Φ´ µ 1 c N

where Φ is the cumulative density function of N ´ 0; 1µ . The probability is 0.921 for 2 N = 1= c . This gives an estimate of the number N of plaintext-ciphertext pairs for successful cryptanalysis.

Methods for Symmetric Key Cryptography and Cryptanalysis – 22/32 Linear attacks on stream cipher

i Let fi : K Ki be of the form g Æ f , where f is a (linear) state transition function and g is a nonlinear state output function, aka filter function. Assume that we have a strong linear approximation of g, that is

u x w g´ x µ

with correlation c. Now two types of linear attacks can be launched:

distinguishing attacks

initial state information deduction attacks.

Methods for Symmetric Key Cryptography and Cryptanalysis – 23/32 Additive synchronous stream cipher

Methods for Symmetric Key Cryptography and Cryptanalysis – 24/32 Distinguishing attack on stream cipher

From the linear approximation we get

u ¡ si ¨ w ¡ g´ si µ = u ¡ si ¨ w ¡ Ki

i with correlation c, where si = f ´ K µ is the state at time i, i = 1; : : : ; N. Typically, f is a state transition function of a linear feedback . Then

there exist a small number of integers a1 ; : : : ad such that

i i· a1 i· ad f ¨ f ¨ : : : ¨ f = 0:

Then we use the linear approximation d · 1 times to make the internal states cancel and to get a linear relation on the keystream

¡ ´ ¨ ¨ : : : ¨ µ w Ki Ki· a1 Ki· ad

which has correlation cd · 1.

Methods for Symmetric Key Cryptography and Cryptanalysis – 25/32 Snow 2.0 stream cipher

× -1 ×

s t+15 s t+11 st+5 st+2 st

zt

R1 R2 S

Methods for Symmetric Key Cryptography and Cryptanalysis – 26/32 Linear approximations over Snow 2.0

st + 15 R1 R2

z s t t

S st + 5

st + 16

z s t +1 t + 1

Methods for Symmetric Key Cryptography and Cryptanalysis – 27/32 Initial state recovery on stream cipher

Assume linear approximations u si w g´ si µ = u si w Ki with i correlation c, where si = f ´ K µ is the state at time i. Typically, f is a state transition function of a linear feedback shift register. Let A be the transpose of f . Then we have

i A u K w Ki

with correlation c, for all i = 1; 2; :::; N. Denote bi = w Ki. Then the problem is to solve K from a large system of highly erroneous (but not completely random) equations

i

A u K = 0

bi with correlations ´ 1µ c, for all i = 1; 2; : : : ; N. Methods for Symmetric Key Cryptography and Cryptanalysis – 28/32 A decoding problem

Given such a system i

A u ¡ K = 0;

bi with correlations ´ 1µ c, for i = 1; 2; : : : ; N, we can proceed as follows. η η Assume c > 0. We select K = such that maximizes

N i η bi ¨ A u¡ pη = ∑ ´ 1µ

i= 1

η ` These values can be computed simultaneously for all ¾ Z 2 using the fast Fourier

`

(Walsh-Hadamard) transform. The computational complexity is ` 2 . Indeed, no sav-

ings have been gained compared to exhaustive search of the initial state. Some sav-

ings can be achieved using a trade off between exhaustive search and the Fourier

transform method.

Methods for Symmetric Key Cryptography and Cryptanalysis – 29/32 Multidimensional linear cryptanalysis

Makes use of a number of linear approximations simultaneously

Ux WEK ´ x µ VK

Particulary useful in key information deduction attack on block ciphers: now all key information bits VK can be deduced simultaneously with (about) the same amount of data

Can also be applied to stream cipher attacks

The binomial statistics of one-dimensional analysis has multiple generalizations to the multidimensional case: χ2, Log-likelihood ratio, etc.

Methods for Symmetric Key Cryptography and Cryptanalysis – 30/32 Conclusions

Linear cryptanalysis is one of the most powerful cryptanalytic methods.

The best known attacks on many contemporary good ciphers are linear attacks.

Resistance against linear cryptanalysis is one of the main design criteria for symmetric key ciphers.

Extensions to multidimensional linear approximations have been found to bring significant enhancements.

Decoding algorithms and techniques may be helpful in improving the efficiency of key information deduction attacks.

Methods for Symmetric Key Cryptography and Cryptanalysis – 31/32 Literature

Mitsuru Matsui: Linear Cryptanalysis Method for DES Cipher. In Helleseth, T., ed.: Advances in Cryptology – EUROCRYPT ’93. Volume 765 of Lecture Notes in Computer Science, Berlin/Heidelberg, Springer (1994) 386–397 Martin Hell, Thomas Johansson, Lennart Brynielsson: An overview of distinguishing attacks on stream ciphers. Volume 1 of Cryptography and Communications, Springer (2009) Come Berbain, Henri Gilbert, Alexander Maximov: Cryptanalysis of . In Robshaw, M., ed.: Fast Software Encryption. Volume 4047 of Lecture Notes in Computer Science, Berlin/Heidelberg, Springer (2006) 15–29 Miia Hermelin, Joo Yeon Cho, Kaisa Nyberg: Multidimensional extension of Matsui’s Algorithm 2. In: Fast Software Encryption. Volume 5665 of Lecture Notes in Computer Science, Springer (2009) 209–227

Methods for Symmetric Key Cryptography and Cryptanalysis – 32/32