Decorrelation Theory Aslı Bay I&C, EPFL

EDIC RESEARCH PROPOSAL

Abstract—This report is mainly about Decorrelation Theory. The first part presents an overview of Decorrelation Theory, mainly the security of block ciphers against iterated attacks. The second part gives a brief overview of the security results of the block cipher C, which is practically secure. The third part presents the differential-linear attack on full COCONUT98, whose security is proven by Decorrelation Theory. Finally, the last part gives a brief overview of my future research.

Index Terms—Decorrelation Theory, Iterated Attacks, The Block Cipher C, COCONUT98

Proposal submitted to committee: September 14th, 2010; Candidacy exam date: September 21st, 2010; Candidacy exam committee: Exam president, thesis director, co-examiner. This research plan has been approved (date and signatures of the doctoral candidate, the thesis director, the thesis co-director if applicable, and the doctoral program director, R. Urbanke). EDIC-ru/05.05.2009

I. INTRODUCTION

Most modern block ciphers are resistant to many cryptanalytic techniques such as linear cryptanalysis and differential cryptanalysis, as well as their variants such as the boomerang attack, the impossible differential attack, or the rectangle attack. Even if a given cipher is resistant to the existing attacks, there is no guarantee that a new variant would not break the cipher. Therefore, instead of proving the security of the construction against each attack individually, it is reasonable to find a technique which provides a single proof for a whole family of attacks. For this reason, Vaudenay proposed Decorrelation Theory, which provides tools to prove the security of a given block cipher [8], [6], [7], [3].

Decorrelation Theory provides tools to quantify the security of block ciphers against some families of attacks. It makes it possible to explain the security of block ciphers against iterated attacks. The [...] compute or bound the advantage of a d-limited distinguisher in the Luby-Rackoff model. He also finds a link between d-limited adversaries and differential and linear attacks, and a wider class of attacks called iterated attacks. However, the practicality of the tools of this theory is controversial, since it is hard to compute the exact advantage of adversaries. Therefore, Vaudenay suggested using some algebraic constructions called decorrelation modules and proposed a provably secure block cipher, COCONUT98, which resists 2-limited adversaries [8]. However, the decorrelation results of the cipher do not prove anything more than its resistance to 2-limited adversaries. That is, they give no guarantee of its security against d-limited adversaries for d > 2. Accordingly, Wagner's boomerang attack [5] breaks COCONUT98 with a complexity of about 2^{38}, and Biham et al. [4] break it with a complexity of about 2^{33.7} by a differential-linear attack.

However, it is still practical to prove several security results of a practical block cipher if we take advantage of the symmetries within the distribution matrices. For example, for the block cipher C, a practically secure block cipher proposed by Baignères and Finiasz [2], the exact advantage of a 2-limited distinguisher is computed, as well as the advantage of differential and linear attacks.

The structure of this report is as follows: the first section provides a brief overview of Decorrelation Theory and the second section provides the security proofs of the block cipher C. The third section gives the differential-linear attack on full COCONUT98. Finally, the last section gives a brief overview of my future research.

A. Terminology

Definition 1: The perfect cipher C^* denotes a random permutation uniformly distributed among all possible permutations on the given set.

Definition 2: In the Luby-Rackoff model, an adversary is an infinitely powerful algorithm A which has access to an oracle O. The oracle O implements either a cipher C or the perfect cipher C^*. The adversary aims to distinguish the cipher C from C^* by querying the oracle a limited number (d) of times. Finally, the adversary outputs 1 (accept) or 0 (reject). The advantage of the attacker is Adv_A = |p − p^*|, where p (resp. p^*) is the probability of accepting when the oracle implements C (resp. C^*).

Definition 3: Let a = (a_1, ..., a_16) be an array of 128 bits where the a_i are 8-bit strings. The support of a is a four-by-four array with 0's at the positions where the entry of a is equal to 0 and 1's where the entry of a is nonzero. It is denoted by SUPP(a).

Definition 4: A prime p is a strong prime if (p−1)/2 is prime, and it is a strong-strong prime if both p and (p−1)/2 are strong primes.

The following are some notations used in the report:
⊕: bitwise XOR.
·: dot product.
wt(s): the number of 1's in the bit string s.

II. DECORRELATION THEORY AND RESISTANCE AGAINST ITERATED ATTACKS

In [8], Vaudenay proposed Decorrelation Theory, which provides tools to prove security results in the Luby-Rackoff model. In this model, the attacker (the algorithm) is only limited by the amount of data (plaintext/ciphertext pairs, limited to d queries) and is computationally unbounded. When the d queries are made at once, the adversary is called non-adaptive, and when each query is made according to the outcome of the previous queries, it is called adaptive. A block cipher C is considered as a random permutation on a message-block space M = {0,1}^m, due to the random choice of the secret key. The following defines the distribution matrix of a random function.

Definition 5: Let F be a random function from a given set M_1 to a given set M_2 and let d be an integer. The d-wise distribution matrix [F]^d of F is the M_1^d × M_2^d matrix whose (x, y)-entry, for the multipoints x = (x_1, ..., x_d) ∈ M_1^d and y = (y_1, ..., y_d) ∈ M_2^d, is the probability that we simultaneously have F(x_i) = y_i for i = 1, ..., d. It is denoted by [F]^d_{x,y} = Pr[x →^F y].

There is no precise definition of decorrelation; it is determined by comparing the distribution matrix of the given function (or cipher) with the distribution matrix of another function (or cipher). When a random function (or cipher) has the same distribution matrix as the perfect function (or the perfect cipher), it has perfect decorrelation. To compare the distribution matrices of two functions (or two ciphers) we need to define the decorrelation distance.

Definition 6: Given two random functions F and G from a given set M_1 to a given set M_2, an integer d and a distance D over the matrix space R^{M_1^d × M_2^d}, D([F]^d, [G]^d) is called the d-wise decorrelation distance between F and G. If G is the ideal version of F, then D([F]^d, [G]^d) is called the d-wise decorrelation bias of F.

To compute the distance, the following matrix norms are used according to the purpose:

$$|||A|||_\infty = \max_x \sum_y |A_{x,y}| \qquad (1)$$

$$\|A\|_a = \max_{x_1}\sum_{y_1}\cdots\max_{x_d}\sum_{y_d} \left|A_{(x_1,\ldots,x_d),(y_1,\ldots,y_d)}\right| \qquad (2)$$

As mentioned before, Vaudenay finds a connection between the 2-wise decorrelation bias and the advantage of the linear and differential distinguishers against a given cipher. Linear cryptanalysis, proposed by Matsui [11], [12], is a statistical attack which is based on the linear distinguisher depicted in Table I. Since we consider average complexities of the attack without any information on the key, we concentrate on the average value of the linear probability, E(LP^C(a,b)):

$$\mathrm{ELP}^C(a,b) = 2^{-2m} \sum_{x_1,x_2,y_1,y_2} (-1)^{(x_1\oplus x_2)\cdot a + (y_1\oplus y_2)\cdot b}\;\Pr\!\left[(x_1,x_2)\xrightarrow{C}(y_1,y_2)\right] \qquad (4)$$

Vaudenay shows the link between the advantage of the linear distinguisher and the 2-wise distribution matrix of C as:

$$\mathrm{Adv}_{\text{Table I}} \le 3\sqrt[3]{3n\cdot|||[C]^2-[C^*]^2|||_\infty + \frac{n}{M-1}} + 3\sqrt[3]{\frac{n}{M-1}} \qquad (5)$$

where M is the size of the plaintext space and n is the number of iterations.

TABLE I: LINEAR DISTINGUISHER
Parameters: n, a characteristic (a, b), A
Oracle: a permutation c
1. Initialize a counter δ to zero
2. for i = 1 to n
3.   pick X at random and obtain c(X)
4.   if X · a = c(X) · b, increase the counter δ
5. end for
6. if δ ∈ A output 1, otherwise output 0

Differential cryptanalysis was proposed by Biham and Shamir in [14]; it relies on the differential distinguisher shown in Table II. The differential probability is defined as

$$\mathrm{DP}^C(a,b) = \Pr_X\left[C(X+a) = C(X)+b\right] \qquad (6)$$

Vaudenay shows that the advantage of the differential distinguisher is bounded by:

$$\mathrm{Adv}_{\text{Table II}}(C, C^*) \le \frac{n}{M-1} + \frac{n}{2}\,|||[C]^2-[C^*]^2|||_\infty \qquad (7)$$

Both bounds (5) and (7) show that a small (negligible) 2-wise decorrelation bias is enough to prove that C is immune against linear and differential cryptanalysis.

TABLE II: DIFFERENTIAL DISTINGUISHER
Parameters: n, a characteristic (a, b)
Oracle: a permutation c
1. for i = 1 to n
2.   pick X at random and obtain c(X) and c(X + a)
3.   if c(X + a) = c(X) + b, output 1 and stop
4. end for
5. output 0

Definition 7: A non-adaptive iterated distinguisher of order d and complexity n, illustrated in Table III, is defined by
• a plaintext distribution D on M^d,
• a text function T from M^{2d} to {0,1},
• an acceptance function A from {0,1}^n to [0,1].
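To make Definitions 5 and 6, the norm (1), the differential probability (6) and the bound (7) concrete, the following is an added worked example; it is not code from the proposal, from Vaudenay, or from Baignères and Finiasz. It assumes a tiny message space M = {0,1}^4 (so M = 16 and every matrix can be enumerated exactly) and two toy ciphers of my own choice: key XOR, C_K(x) = x ⊕ K, and the affine map C_(a,b)(x) = a·x + b over GF(16) with a ≠ 0, which is the pairwise-independent construction behind Vaudenay's decorrelation modules. The "+" of (6) is taken to be the XOR of the message space. With a uniform key, [C]^d is obtained by counting keys; [C*]^d has the closed form 1/(M(M−1)···(M−j+1)) on every output multipoint with the same equality pattern as the input (j distinct inputs) and 0 elsewhere, which is what the norm routine uses.

```python
"""Exact d-wise decorrelation of two toy ciphers on {0,1}^4 (added example)."""
from collections import namedtuple
from fractions import Fraction
from itertools import product
import random

M_BITS = 4
M = 1 << M_BITS          # |M| = 16: small enough to enumerate every matrix


def gf16_mul(a, b):
    """Multiplication in GF(2^4) with modulus x^4 + x + 1."""
    r = 0
    for _ in range(M_BITS):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r


MUL = [[gf16_mul(a, b) for b in range(M)] for a in range(M)]

# A cipher is (key list, encryption function); the key is uniform over the list.
# XOR_CIPHER: C_K(x) = x ^ K.  Each single output is uniform (1-wise perfect),
# but one pair (x1, x2) reveals K, so its 2-wise decorrelation is poor.
XOR_CIPHER = (list(range(M)), lambda k, x: x ^ k)
# AFFINE_CIPHER: C_(a,b)(x) = a*x + b over GF(16), a != 0 (assumed toy cipher).
# Pairwise independent: perfectly 2-wise decorrelated, but not 3-wise.
AFFINE_CIPHER = ([(a, b) for a in range(1, M) for b in range(M)],
                 lambda k, x: MUL[k[0]][x] ^ k[1])

DistMatrix = namedtuple("DistMatrix", "rows nkeys")  # rows[x][y] = #keys, entry = count/nkeys


def distribution_matrix(cipher, d):
    """[C]^d of Definition 5, stored sparsely as integer key counts per (x, y)."""
    keys, enc = cipher
    for k in keys:                   # the norm below relies on each key being a permutation
        assert sorted(enc(k, x) for x in range(M)) == list(range(M))
    rows = {}
    for x in product(range(M), repeat=d):
        row = {}
        for k in keys:
            y = tuple(enc(k, xi) for xi in x)
            row[y] = row.get(y, 0) + 1
        rows[x] = row
    return DistMatrix(rows, len(keys))


def falling(n, k):
    """n (n-1) ... (n-k+1): number of ways to map k distinct points injectively."""
    r = 1
    for i in range(k):
        r *= n - i
    return r


def infinity_norm_bias(dm):
    """|||[C]^d - [C*]^d|||_inf, the d-wise decorrelation bias with norm (1).

    For input x with j distinct entries, [C*]^d is 1/falling(M, j) on the
    falling(M, j) outputs with the same equality pattern and 0 elsewhere.
    A permutation never reaches any other y, so each row sum splits into
    cells C reaches (|count/nkeys - 1/valid|) and cells only C* reaches.
    """
    worst = Fraction(0)
    for x, row in dm.rows.items():
        valid = falling(M, len(set(x)))
        num = sum(abs(cnt * valid - dm.nkeys) for cnt in row.values())
        num += dm.nkeys * (valid - len(row))
        worst = max(worst, Fraction(num, dm.nkeys * valid))
    return worst


def dp(dm2, a, b):
    """DP^C(a, b) of (6) with '+' = XOR, averaged over the key, read off [C]^2."""
    total = 0
    for x in range(M):
        row = dm2.rows[(x, x ^ a)]
        total += sum(row.get((y, y ^ b), 0) for y in range(M))
    return Fraction(total, dm2.nkeys * M)


def table_ii(cipher, a, b, n, seed=0):
    """The Table II distinguisher run against one random instance of the cipher."""
    rng = random.Random(seed)
    keys, enc = cipher
    k = rng.choice(keys)
    for _ in range(n):
        x = rng.randrange(M)
        if enc(k, x ^ a) == enc(k, x) ^ b:
            return 1
    return 0


def differential_report(cipher, a, b):
    """Exact advantage of Table II with n = 1, |DP^C - 1/(M-1)|, next to bound (7).

    With one iteration the distinguisher accepts with probability DP^C(a, b),
    and for a, b != 0 the perfect cipher has DP^C*(a, b) = 1/(M-1).
    """
    dm2 = distribution_matrix(cipher, 2)
    adv = abs(dp(dm2, a, b) - Fraction(1, M - 1))
    bound = Fraction(1, M - 1) + Fraction(1, 2) * infinity_norm_bias(dm2)
    return adv, bound


if __name__ == "__main__":
    for name, c in (("xor", XOR_CIPHER), ("affine", AFFINE_CIPHER)):
        for d in (1, 2, 3):
            print(name, f"{d}-wise bias:", infinity_norm_bias(distribution_matrix(c, d)))
        print(name, "Table II (a,b)=(3,3) adv / bound (7):", differential_report(c, 3, 3))
```

Running it shows the two points of this section side by side. The XOR cipher has 1-wise bias 0 but 2-wise bias 28/15, and the one-query differential distinguisher with the characteristic (3, 3) has advantage 14/15, just inside the bound (7), which evaluates to exactly 1. The affine cipher has 2-wise bias 0, so (7) collapses to n/(M−1) and the distinguisher gains nothing; yet its 3-wise bias is 13/7, which is the situation described for COCONUT98 above: a 2-wise result says nothing about d-limited adversaries for d > 2.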
