The Improbable Differential Attack: Cryptanalysis Of - DocsLib

sign in sign up

<<

Home , DFC (cipher)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion

The Improbable Diﬀerential Attack: Cryptanalysis of Reduced Round CLEFIA

Cihangir TEZCAN

Ecole´ Polytechnique F´ed´eralede Lausanne, Switzerland

(This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey

INDOCRYPT 2010 December 14, 2010, Hyderabad, India

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Outline

1 Introduction 2 The Improbable Differential Attack Introduction Two Techniques to Obtain Improbable Differentials 3 CLEFIA Specifications 13-round Improbable Differential Attack 4 Conclusion

Cihangir TEZCAN The Improbable Differential Attack Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Diﬀerential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s

Cihangir TEZCAN The Improbable Differential Attack Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability

Cihangir TEZCAN The Improbable Differential Attack Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994

Cihangir TEZCAN The Improbable Differential Attack Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability

Cihangir TEZCAN The Improbable Differential Attack Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified

Cihangir TEZCAN The Improbable Differential Attack Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998

Cihangir TEZCAN The Improbable Diﬀerential Attack And others (Higher-order Diﬀerential, Boomerang,...)

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion A (Very) Short Introduction to Differential Cryptanalysis

Differential Cryptanalysis Discovered by E. Biham and A. Shamir, early 1980s Find a path (characteristic) so that when the input difference is α, output difference is β with high probability Truncated Differential Cryptanalysis Discovered by L. Knudsen, 1994 Find a path (differential) so that when the input difference is α, output difference is β with high probability Only parts of the differences α and β are specified Impossible Differential Cryptanalysis Discovered by E. Biham, A. Biryukov, A. Shamir, 1998 Find a path (impossible differential) so that when the input difference is α, the output difference is never β And others (Higher-order Differential, Boomerang,...)

Cihangir TEZCAN The Improbable Differential Attack Probability of the probability of the Attack Type incident for incident for Note a wrong key the correct key Statistical Attacks p p0 p0 > p (Differential, Truncated,...) Impossible Differential p 0 p0 = 0 Improbable Differential p p0 p0 < p

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Statistical attacks on block ciphers make use of a property of the cipher so that an incident (characteristic, diﬀerential,...) occurs with diﬀerent probabilities depending on whether the correct key is used or not.

Cihangir TEZCAN The Improbable Differential Attack Impossible Differential p 0 p0 = 0 Improbable Differential p p0 p0 < p

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Statistical attacks on block ciphers make use of a property of the cipher so that an incident (characteristic, diﬀerential,...) occurs with diﬀerent probabilities depending on whether the correct key is used or not.

Probability of the probability of the Attack Type incident for incident for Note a wrong key the correct key Statistical Attacks p p0 p0 > p (Diﬀerential, Truncated,...)

Cihangir TEZCAN The Improbable Diﬀerential Attack Improbable Diﬀerential p p0 p0 < p

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion A (Very) Short Introduction to Diﬀerential Cryptanalysis

Statistical attacks on block ciphers make use of a property of the cipher so that an incident (characteristic, diﬀerential,...) occurs with diﬀerent probabilities depending on whether the correct key is used or not.

Probability of the probability of the Attack Type incident for incident for Note a wrong key the correct key Statistical Attacks p p0 p0 > p (Diﬀerential, Truncated,...) Impossible Diﬀerential p 0 p0 = 0

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion A (Very) Short Introduction to Differential Cryptanalysis

Statistical attacks on block ciphers make use of a property of the cipher so that an incident (characteristic, diﬀerential,...) occurs with diﬀerent probabilities depending on whether the correct key is used or not.

Probability of the probability of the Attack Type incident for incident for Note a wrong key the correct key Statistical Attacks p p0 p0 > p (Differential, Truncated,...) Impossible Differential p 0 p0 = 0 Improbable Differential p p0 p0 < p

Cihangir TEZCAN The Improbable Differential Attack Obtain a nontrivial differential so that a pair having α input difference have β0 output difference with probability p0 where β0 is different than β. Hence for the correct key, probability of observing these 0 differences becomes p0 = p · (1 − p ).

Caution

If there are nontrivial diﬀerentials from α to β, p0 becomes bigger than p · (1 − p0).

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Improbable Diﬀerentials

Assume that α and β diﬀerences are observed with probability p for a random key.

Cihangir TEZCAN The Improbable Diﬀerential Attack Hence for the correct key, probability of observing these 0 diﬀerences becomes p0 = p · (1 − p ).

Caution

If there are nontrivial diﬀerentials from α to β, p0 becomes bigger than p · (1 − p0).

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Improbable Diﬀerentials

Assume that α and β differences are observed with probability p for a random key. Obtain a nontrivial differential so that a pair having α input difference have β0 output difference with probability p0 where β0 is different than β.

Cihangir TEZCAN The Improbable Diﬀerential Attack Caution

If there are nontrivial diﬀerentials from α to β, p0 becomes bigger than p · (1 − p0).

Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Improbable Diﬀerentials

Assume that α and β differences are observed with probability p for a random key. Obtain a nontrivial differential so that a pair having α input difference have β0 output difference with probability p0 where β0 is different than β. Hence for the correct key, probability of observing these 0 differences becomes p0 = p · (1 − p ).

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion Improbable Differentials

Assume that α and β differences are observed with probability p for a random key. Obtain a nontrivial differential so that a pair having α input difference have β0 output difference with probability p0 where β0 is different than β. Hence for the correct key, probability of observing these 0 differences becomes p0 = p · (1 − p ).

Caution

If there are nontrivial diﬀerentials from α to β, p0 becomes bigger than p · (1 − p0).

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion Two Techniques to Obtain Improbable Differentials

Two methods to obtain improbable differentials: 1 Use two differentials that miss in the middle with high probability (almost miss in the middle technique) 2 Expand impossible differentials to improbable diffrentials by adding a differential to the top and/or below the impossible differential (expansion technique)

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Almost Miss-in-the-Middle Technique

α

p1

δ p’=p .p γ 1 2

p2 β

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion Improbable Differentials

Two methods to obtain improbable differentials: 1 Use two differentials that miss in the middle with high probability (almost miss in the middle technique) 2 Expand impossible differentials to improbable diffrentials by adding a differential to the top and/or below the impossible differential (expansion technique)

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion Improbable Differentials from Impossible Differentials

δ

p’=1

γ

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion Improbable Differentials from Impossible Differentials

α

p1 δ

p’=p1

γ

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion Improbable Differentials from Impossible Differentials

α

p1 δ

p’=p1.p2

γ

p2 β

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Pros and Cons of the Expansion Method

Pros: Longer diﬀerentials Attack on more rounds Cons:

Data complexity increases (because p0 increases) Time complexity increases (since we use more data) Memory complexity increases (we need to keep counters for the guessed keys)

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Pros and Cons of the Expansion Method

Pros: Longer diﬀerentials Attack on more rounds Cons:

Data complexity increases (because p0 increases) Time complexity increases (since we use more data) Memory complexity increases (we need to keep counters for the guessed keys)

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Data Complexity and Success Probability

Blondeau et al. proposed acurate estimates of the data complexity and success probability for many statistical attacks including diﬀerential and truncated diﬀerential attacks.

Making appropriate changes, these estimates can be used for improbable diﬀerential attacks, too.

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Data Complexity and Success Probability

Blondeau et al. proposed acurate estimates of the data complexity and success probability for many statistical attacks including diﬀerential and truncated diﬀerential attacks.

Making appropriate changes, these estimates can be used for improbable diﬀerential attacks, too.

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion

Previous attacks where p0 < p

Early examples of improbable diﬀerential attack: J. Borst, L. Knudsen, V. Rijmen: ”Two Attacks on Reduced IDEA” L. Knudsen, V. Rijmen: ”On the Decorrelated Fast Cipher (DFC) and Its Theory”

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion CLEFIA

Developed by Sony in 2007 Clef means key in French. Block length: 128 bits Key lengths: 128, 192, and 256 bits Number of rounds: 18, 22, or 26 Previous best attacks: Impossible differential attacks on 12, 13, 14 rounds for 128, 196, 256-bit key lengths by Tsunoo et al. We converted these attacks to improbable differential attacks using the expansion technique Current best attacks: Improbable differential attacks on 13, 14, 15 rounds for 128, 196, 256-bit key lengths

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion CLEFIA

Developed by Sony in 2007 Clef means key in French. Block length: 128 bits Key lengths: 128, 192, and 256 bits Number of rounds: 18, 22, or 26 Previous best attacks: Impossible differential attacks on 12, 13, 14 rounds for 128, 196, 256-bit key lengths by Tsunoo et al. We converted these attacks to improbable differential attacks using the expansion technique Current best attacks: Improbable differential attacks on 13, 14, 15 rounds for 128, 196, 256-bit key lengths

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion CLEFIA: Encryption Function

X{0,0} X{0,1} X{0,2} X{0,3}

RK0 WK0 RK1 WK1

F0 F1

RK2 RK3

F0 F1 ......

RK2r-2 RK2r-1

F0 F1

WK2 WK3

C0 C1 C2 C3

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion

CLEFIA: F0 and F1 Functions

k0 k1 k2 k3

x0 S0 y0 x1 S1 y1 M0 x2 S0 y2

x3 S1 y3 F0

k0 k1 k2 k3

x0 S1 y0 x1 S0 y1 M1 x2 S1 y2

x3 S0 y3 F1

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 10-round Improbable Differential

We will use the following two 9-round impossible diﬀerentials that are introduced by Tsunoo et al.,

[0(32), 0(32), 0(32), [X , 0, 0, 0](32)] 99r [0(32), 0(32), 0(32), [0, Y , 0, 0](32)] [0(32), 0(32), 0(32), [0, 0, X , 0](32)] 99r [0(32), 0(32), 0(32), [0, Y , 0, 0](32)]

where X(8) and Y(8) are non-zero diﬀerences.

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 10-round Improbable Differential

We obtain 10-round improbable differentials by adding the following one-round differentials to the top of these 9-round impossible differentials,

[[ψ, 0, 0, 0](32), ζ(32), 0(32), 0(32)] →1r [0(32), 0(32), 0(32), [ψ, 0, 0, 0](32)] 0 [[0, 0, ψ, 0](32), ζ(32), 0(32), 0(32)] →1r [0(32), 0(32), 0(32), [0, 0, ψ, 0](32)]

which hold when the output diﬀerence of the F0 function is ζ (resp. ζ0) when the input diﬀerence is [ψ, 0, 0, 0] (resp. [0, 0, ψ, 0]).

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 13-round Improbable Differential Attack

We choose ψ and corresponding ζ and ζ0 depending on the diﬀerence distribution table (DDT) of S0 in order to increase the probability of the diﬀerential. In this way we get p0 ≈ 2−5.87.

We put one additional round on the plaintext side and two additional rounds on the ciphertext side of the 10-round improbable diﬀerentials to attack ﬁrst 13 rounds of CLEFIA that captures RK1, RK23,1 ⊕ WK2,1, RK24, and RK25.

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 13-round Improbable Differential Attack

We choose ψ and corresponding ζ and ζ0 depending on the diﬀerence distribution table (DDT) of S0 in order to increase the probability of the diﬀerential. In this way we get p0 ≈ 2−5.87.

We put one additional round on the plaintext side and two additional rounds on the ciphertext side of the 10-round improbable diﬀerentials to attack ﬁrst 13 rounds of CLEFIA that captures RK1, RK23,1 ⊕ WK2,1, RK24, and RK25.

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 13-round Improbable Differential Attack

∆x{0,0}=0 ∆x{0,1}=[ψ,0,0,0] ∆x{0,2}=ζ ∆x{0,3}=X

WK RK0 0 RK1

F0 F1

∆x{1,0}=[ψ,0,0,0] ∆x{1,1}=ζ ∆x{1,2}=0 ∆x{1,3}=0

RK2 RK3 WK1 F0 F1

. . . . 10-round . . . . improbable . . . . di erential . . . . ∆x{11,0}=0 ∆x{11,1}=0 ∆x{11,2}=[0,Y,0,0] ∆x{11,3}=0 } RK22 WK2 RK23 WK2 F0 F1

∆x{12,0}=0 ∆x{12,1}=[0,Y,0,0] ∆x{12,2}=β ∆x{12,3}=0

RK24 RK25 F0 F1 WK3 ∆x{13,0}=0 ∆x{13,1}=[0,Y,0,0] ∆x{13,2}=β ∆x{13,3}=γ

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 13-round Improbable Differential Attack

Table: Comparison of Tsunoo et al.’s impossible attack with the expanded improbable attack

Rounds Attack Key Data Time Memory Success Type Length Complexity Complexity (blocks) Probability 12 Impossible 128 2118.9 2119 273 - 13 Improbable 128 2126.83 2126.83 2101.32 %99

Cihangir TEZCAN The Improbable Differential Attack Outline Introduction The Improbable Differential Attack CLEFIA Conclusion 14 and 15-round Improbable Differential Attacks

By using the similar expansion technique, we can apply improbable diﬀerential attack on 14-round CLEFIA when the key length is 192 bits 15-round CLEFIA when the key length is 256 bits

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Conclusion

We provided 1 a new cryptanalytic technique called improbable differential attack where a differential holds with less probability when tried with the correct key 2 two techniques to obtain improbable differentials 3 data complexity estimates for improbable differential attacks 4 state of art attacks on the block cipher CLEFIA

Cihangir TEZCAN The Improbable Diﬀerential Attack Outline Introduction The Improbable Diﬀerential Attack CLEFIA Conclusion Conclusion

THANK YOU FOR YOUR ATTENTION

Cihangir TEZCAN The Improbable Diﬀerential Attack

Web Analytics