
Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation

Céline Blondeau [1], Aslı Bay, Serge Vaudenay [2]
[1] Aalto University, Finland
[2] EPFL, Lausanne, Switzerland

Monday 9th of March, FSE 2015, Istanbul

Outline
- Statistical Attacks
- Decorrelation Theory
- The Decorrelation Order of ML and TD Attacks

Protecting against ML and TD 2/21

Linear Cryptanalysis
- Enc: permutation over $\{0,1\}^\ell$
- Linear cryptanalysis [Matsui 93]: relation between plaintext and ciphertext bits
- The correlation at point $(\alpha,\beta) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:
  $$\mathrm{cor}(\alpha,\beta) = 2^{-\ell}\Big[\#\{x \in \mathbb{F}_2^\ell \mid \alpha\cdot x \oplus \beta\cdot\mathrm{Enc}(x) = 0\} - \#\{x \in \mathbb{F}_2^\ell \mid \alpha\cdot x \oplus \beta\cdot\mathrm{Enc}(x) = 1\}\Big]$$
- Square correlation: for $v = (\alpha,\beta)$, $\mathrm{LP}_{\mathrm{Enc}}(v) = \mathrm{cor}^2(\alpha,\beta)$

Multidimensional Linear Cryptanalysis
- [Hermelin et al 08]
- $V \subset \mathbb{F}_2^{2\ell}$: vector space spanned by different masks $v$
- $k = \dim(V)$
- Capacity:
  $$\mathrm{cap}_{\mathrm{Enc}}(V) = \sum_{v \in V,\, v \neq 0} \mathrm{LP}_{\mathrm{Enc}}(v)$$

Differential Cryptanalysis
- Differential cryptanalysis [Biham Shamir 90]
- Probability of a differential $(\Delta,\Gamma) \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell$:
  $$\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\,\#\{x \in \mathbb{F}_2^\ell \mid \mathrm{Enc}(x) \oplus \mathrm{Enc}(x \oplus \Delta) = \Gamma\}$$
- Truncated differential cryptanalysis [Knudsen 94]
- Differences $(\Delta,\Gamma)$ in the vector space $V^\perp \subset \mathbb{F}_2^{2\ell}$:
  $$p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x,x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\, \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$$

Notation – Iterated Distinguisher
- $\mathrm{Enc}: \mathbb{F}_2^\ell \to \mathbb{F}_2^\ell$
- $(x_1,\dots,x_d)$: a sample
- $n$: number of samples
- $d$: size of a sample (attack of order $d$)
- $T$ and $f$: two Boolean functions

Distinguisher Iter:
1: for i = 1 to n do
2:   pick $(x_1,\dots,x_d) \in (\{0,1\}^\ell)^d$
3:   set $y_j = \mathrm{Enc}(x_j)$ for $j = 1,\dots,d$
4:   set $b_i = T(x_1,\dots,x_d,\, y_1,\dots,y_d)$
5: output $f(b_1,\dots,b_n)$

Decorrelation Order
- $C^*$: when Enc is a random permutation
- $C_K$: when Enc is a permutation fixed by a random key $K$
- The cipher is decorrelated of order $e$ if $\|[C_K]^e - [C^*]^e\|_\infty$ is small
- [Vaudenay 03]: for an iterated attack of order $d$ we have
  $$E(p^{\mathrm{Iter}}_{C_K}) - E(p^{\mathrm{Iter}}_{C^*}) \le 3\sqrt[3]{n^2\left(2\delta + \frac{2d}{2^\ell} + \frac{d^3}{2^\ell(2^\ell - d)} + \frac{\|[C_K]^{2d} - [C^*]^{2d}\|_\infty}{2}\right)} + \frac{n}{2}\,\|[C_K]^{2d} - [C^*]^{2d}\|_\infty$$
- An iterated attack of order $d$ (or smaller) has a small advantage if the cipher is decorrelated of order $2d$

Example – Linear Cryptanalysis

Distinguisher LC:
1: for i = 1 to n do
2:   pick $x \in \{0,1\}^\ell$ uniformly
3:   set $y = \mathrm{Enc}(x)$
4:   set $b_i = \alpha\cdot x \oplus \beta\cdot y$
5: output $f(b_1,\dots,b_n)$
- Non-adaptive iterated attack of order 1
- [Vaudenay 03]:
  $$E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*}) \le 3\sqrt[3]{n\,\|[C_K]^2 - [C^*]^2\|_\infty} + \frac{n}{2^\ell - 1} + 3\sqrt[3]{\frac{n}{2^\ell - 1}}$$
- In this paper:
  $$E(p^{\mathrm{LC}}_{C_K}) - E(p^{\mathrm{LC}}_{C^*}) \le 2\sqrt{n\,\|[C_K]^2 - [C^*]^2\|_\infty} + \frac{n}{2^\ell - 1} + 2\sqrt{\frac{n}{2^\ell - 1}}$$
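Added example (not code from the slides or from the paper): the quantity $\|[C_K]^2 - [C^*]^2\|_\infty$ that the linear and differential bounds above depend on is computed exhaustively for two constructed toy key families over $\ell = 4$ bits, a key-XOR family $C_K(x) = x \oplus K$ and an affine family $C_K(x) = a\cdot x + b$ over $\mathrm{GF}(2^4)$ (field modulus $x^4 + x + 1$, chosen for the example). $[C_K]^2$ is the matrix indexed by input pairs $(x_1,x_2)$ and output pairs $(y_1,y_2)$ with entry $\Pr_K[C_K(x_1) = y_1,\, C_K(x_2) = y_2]$, $[C^*]^2$ is the same matrix for a uniformly random permutation, and the $\|\cdot\|_\infty$ norm is the largest row sum of absolute differences. The block then runs the differential distinguisher with $n = 1$ and the constructed differential $(\Delta,\Gamma) = (1,1)$ against both families and checks the [Vaudenay 03] differential bound $n/(2^\ell - 1) + (n/2)\|[C_K]^2 - [C^*]^2\|_\infty$ for $f = \max_i b_i$ on them.

```python
from fractions import Fraction

# Constructed toy setting: block length ell = 4, so the order-2 distribution
# matrices (256 rows x 256 columns) can be built exhaustively.
ELL = 4
M = 1 << ELL


def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1 (modulus chosen for this example)."""
    r = 0
    for _ in range(ELL):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & M:
            a ^= 0x13
    return r


def xor_family():
    """Constructed family C_K(x) = x xor K: one permutation per key K, 16 keys."""
    return [[x ^ k for x in range(M)] for k in range(M)]


def affine_family():
    """Constructed family C_K(x) = a*x + b over GF(2^4), K = (a, b) with a != 0, 240 keys."""
    return [[gf16_mul(a, x) ^ b for x in range(M)] for a in range(1, M) for b in range(M)]


def perfect_order2(x1, x2, y1, y2):
    """Entry ((x1,x2),(y1,y2)) of [C*]^2, the order-2 matrix of a uniformly random permutation."""
    if x1 == x2:
        return Fraction(1, M) if y1 == y2 else Fraction(0)
    return Fraction(1, M * (M - 1)) if y1 != y2 else Fraction(0)


def decorrelation_order2(family):
    """||[C_K]^2 - [C*]^2||_inf: the largest, over input pairs (x1,x2), of the summed
    absolute differences over output pairs (y1,y2), where
    [C_K]^2[(x1,x2),(y1,y2)] = Pr_K[C_K(x1) = y1 and C_K(x2) = y2] (K uniform over the family)."""
    nkeys = len(family)
    worst = Fraction(0)
    for x1 in range(M):
        for x2 in range(M):
            counts = {}
            for perm in family:
                col = (perm[x1], perm[x2])
                counts[col] = counts.get(col, 0) + 1
            row = Fraction(0)
            for y1 in range(M):
                for y2 in range(M):
                    actual = Fraction(counts.get((y1, y2), 0), nkeys)
                    row += abs(actual - perfect_order2(x1, x2, y1, y2))
            worst = max(worst, row)
    return worst


def dc_hit_probability(family, delta, gamma):
    """E_K(p^DC_{C_K}) for n = 1: probability over K and x that C_K(x) xor C_K(x xor delta) = gamma."""
    hits = sum(1 for perm in family for x in range(M) if perm[x] ^ perm[x ^ delta] == gamma)
    return Fraction(hits, len(family) * M)


def dc_bound_holds(family, delta, gamma):
    """Check the [Vaudenay 03] differential bound for n = 1 and f = max_i b_i:
    E(p_{C_K}) - E(p_{C*}) <= 1/(2^ell - 1) + (1/2) ||[C_K]^2 - [C*]^2||_inf,
    where p_{C*} = 1/(2^ell - 1) for nonzero delta and gamma (the second output is
    uniform over the 2^ell - 1 values different from the first one)."""
    adv = dc_hit_probability(family, delta, gamma) - Fraction(1, M - 1)
    bound = Fraction(1, M - 1) + decorrelation_order2(family) / 2
    return adv <= bound


if __name__ == "__main__":
    for name, fam in (("x xor K", xor_family()), ("a*x + b", affine_family())):
        eps = decorrelation_order2(fam)
        print(f"{name}: ||[C_K]^2 - [C*]^2||_inf = {eps}, "
              f"E(p^DC) for (1,1) = {dc_hit_probability(fam, 1, 1)}, "
              f"bound holds: {dc_bound_holds(fam, 1, 1)}")
```

The affine family is pairwise independent (for $x_1 \neq x_2$ every distinct output pair is hit by exactly one key), so its distance to $[C^*]^2$ is exactly 0 and the differential distinguisher sees the random-permutation probability $1/15$; the XOR family fixes $y_1 \oplus y_2 = x_1 \oplus x_2$, so its distance is $28/15$ and the distinguisher succeeds with probability 1, which the bound $1/15 + 14/15 = 1$ just accommodates. With $\ell = 4$ the additive $n/(2^\ell - 1)$ terms are of course large; they only become negligible for realistic block lengths, while the decorrelation term is exact at any $\ell$.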
Example – Differential Cryptanalysis

Distinguisher DC:
1: for i = 1 to n do
2:   pick $x \in \{0,1\}^\ell$ uniformly
3:   set $x' = x \oplus \Delta$
4:   set $y = \mathrm{Enc}(x)$ and $y' = \mathrm{Enc}(x')$
5:   set $b_i = 1_{y \oplus y' = \Gamma}$
6: output $f(b_1,\dots,b_n)$
- Non-adaptive iterated attack of order 2
- [Vaudenay 03]: for the function $f(b_1,\dots,b_n) = \max_i b_i$, we have
  $$E(p^{\mathrm{DC}}_{C_K}) - E(p^{\mathrm{DC}}_{C^*}) \le \frac{n}{2^\ell - 1} + \frac{n}{2}\,\|[C_K]^2 - [C^*]^2\|_\infty$$
- In this paper: the bound is independent of the function $f$

Decorrelation – A Résumé of Results

Type                | Decor. order | Attack              | Order of attack | Maximal n
Linear              | 2            | iterative           | 1               | $2^\ell$
Differential        | 2            | iterative           | 2               | $2^\ell$
Differential-linear | 4            | iterative           | 2               | $2^{\ell-1}$
Boomerang           | 4            | adaptive, iterative | 4               | $2^{\ell-1}$

In this paper:
- Differential-linear attack: we improved the bound as for linear cryptanalysis
- Boomerang attack: the bound is now independent of the function $f$

ML Attacks – Algorithm

Distinguisher ML:
1: for i = 1 to n do
2:   pick a random $x \in \{0,1\}^\ell$
3:   set $y = \mathrm{Enc}(x)$
4:   for j = 1 to k do
5:     set $b_{i,j} = (\alpha_j \cdot x) \oplus (\beta_j \cdot y)$
6:   set $b_i = (b_{i,1},\dots,b_{i,k})$
7: output $f(b_1,\dots,b_n)$
- Non-adaptive iterated attack of order 1
- In the paper we show:
  $$E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*}) \le n\sqrt{2^{k-\ell} + 2^{k-1}\,\|[C_K]^2 - [C^*]^2\|_\infty}$$

Special Truncated Differential Distinguisher
- To provide a bound on $p^{\mathrm{ML}}_{\mathrm{Enc}} - p^{\mathrm{ML}}_{\mathrm{Enc}^*}$, we consider the following distinguisher, which is a special truncated differential (STD) distinguisher
- A known-plaintext truncated differential distinguisher using only one sample
- Non-adaptive attack with two queries

Distinguisher STD:
1: pick two plaintexts $x$ and $x'$ at random
2: set $y = \mathrm{Enc}(x)$ and $y' = \mathrm{Enc}(x')$
3: output $1_{(x \oplus x',\, y \oplus y') \in V^\perp}$

Link between ML and TD Attacks
- [Chabaud Vaudenay 94]: link between differential probability and square correlations
  $$\mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma) = 2^{-\ell}\sum_{v \in \mathbb{F}_2^{2\ell}} (-1)^{v \cdot (\Delta,\Gamma)}\,\mathrm{LP}_{\mathrm{Enc}}(v)$$
- [Blondeau Nyberg 14]: given $k = \dim(V)$, we have
  $$2^{-k}\,\mathrm{cap}_{\mathrm{Enc}}(V) = p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) - 2^{-k}$$
  where
  $$p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-2\ell}\,\#\{(x,x') \in \mathbb{F}_2^\ell \times \mathbb{F}_2^\ell \mid (x \oplus x',\, \mathrm{Enc}(x) \oplus \mathrm{Enc}(x')) \in V^\perp\}$$
- By definition, we also have
  $$p^{\mathrm{STD}}_{\mathrm{Enc}}(V^\perp) = 2^{-\ell}\sum_{(\Delta,\Gamma) \in V^\perp} \mathrm{DP}_{\mathrm{Enc}}(\Delta,\Gamma)$$
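Added example (not code from the slides or from the paper): the following Python implements the statistics defined earlier in the deck (correlation, $\mathrm{LP}$, $\mathrm{DP}$, capacity and $p^{\mathrm{STD}}$) on a constructed toy instance, the 4-bit PRESENT S-box standing in for Enc so that $\ell = 4$ and every count is exhaustive, and then checks the two links of this slide exactly with rational arithmetic: the Chabaud–Vaudenay identity for every $(\Delta,\Gamma)$, and the Blondeau–Nyberg identity for a constructed two-dimensional mask space $V$ spanned by $(\alpha,\beta) = (\mathtt{0x8},\mathtt{0x8})$ and $(\mathtt{0x2},\mathtt{0x5})$, with $p^{\mathrm{STD}}(V^\perp)$ computed both from its pair-counting definition and as $2^{-\ell}\sum_{(\Delta,\Gamma) \in V^\perp}\mathrm{DP}(\Delta,\Gamma)$. Packing a mask $(\alpha,\beta)$ into one $2\ell$-bit integer is a representation choice of this example.

```python
from fractions import Fraction

# Constructed toy instance: the 4-bit PRESENT S-box plays the role of Enc,
# a permutation over {0,1}^ell with ell = 4, so every sum below is exhaustive.
ELL = 4
M = 1 << ELL
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def dot(a, b):
    """Inner product over F_2 of two bit vectors packed as integers."""
    return bin(a & b).count("1") & 1


def pack(alpha, beta):
    """(alpha, beta) in F_2^ell x F_2^ell -> one element of F_2^{2 ell} (example's encoding)."""
    return (alpha << ELL) | beta


def cor(enc, alpha, beta):
    """Correlation of the approximation alpha.x xor beta.Enc(x): 2^-ell (#zeros - #ones)."""
    balance = sum(1 if dot(alpha, x) ^ dot(beta, enc[x]) == 0 else -1 for x in range(M))
    return Fraction(balance, M)


def lp_table(enc):
    """Square correlation LP_Enc(v) for every mask v = (alpha, beta)."""
    return {pack(a, b): cor(enc, a, b) ** 2 for a in range(M) for b in range(M)}


def dp_table(enc):
    """Differential probability DP_Enc(Delta, Gamma) for every (Delta, Gamma)."""
    table = {}
    for d in range(M):
        for g in range(M):
            hits = sum(1 for x in range(M) if enc[x] ^ enc[x ^ d] == g)
            table[pack(d, g)] = Fraction(hits, M)
    return table


def span(basis):
    """The vector space V: all F_2-linear combinations of the basis masks."""
    V = {0}
    for b in basis:
        V |= {v ^ b for v in V}
    return V


def perp(V):
    """Orthogonal complement V^perp of V inside F_2^{2 ell}."""
    return {u for u in range(1 << (2 * ELL)) if all(dot(u, v) == 0 for v in V)}


def capacity(lp, V):
    """cap_Enc(V) = sum of LP_Enc(v) over the nonzero v in V."""
    return sum((lp[v] for v in V if v != 0), Fraction(0))


def p_std(enc, Vperp):
    """p^STD_Enc(V^perp): fraction of pairs (x, x') whose (input, output) difference lies in V^perp."""
    hits = sum(1 for x in range(M) for xp in range(M)
               if pack(x ^ xp, enc[x] ^ enc[xp]) in Vperp)
    return Fraction(hits, M * M)


def check_chabaud_vaudenay(enc):
    """DP(Delta,Gamma) = 2^-ell sum_v (-1)^{v.(Delta,Gamma)} LP(v), tested for all (Delta,Gamma)."""
    lp, dp = lp_table(enc), dp_table(enc)
    for u, dp_u in dp.items():
        rhs = sum(((-1) ** dot(v, u)) * lp_v for v, lp_v in lp.items()) / M
        if rhs != dp_u:
            return False
    return True


def check_blondeau_nyberg(enc, basis):
    """2^-k cap(V) = p^STD(V^perp) - 2^-k, with p^STD also recomputed as 2^-ell sum_{V^perp} DP."""
    V = span(basis)
    k = len(basis)
    assert len(V) == 1 << k, "basis masks must be linearly independent for k = dim(V)"
    Vperp = perp(V)
    lp, dp = lp_table(enc), dp_table(enc)
    pstd = p_std(enc, Vperp)
    pstd_via_dp = sum((dp[u] for u in Vperp), Fraction(0)) / M
    identity = Fraction(1, 1 << k) * capacity(lp, V) == pstd - Fraction(1, 1 << k)
    return identity and pstd == pstd_via_dp


if __name__ == "__main__":
    # Constructed 2-dimensional mask space V spanned by (0x8,0x8) and (0x2,0x5).
    basis = [pack(0x8, 0x8), pack(0x2, 0x5)]
    print("Chabaud-Vaudenay link holds for all (Delta,Gamma):", check_chabaud_vaudenay(SBOX))
    print("Blondeau-Nyberg link holds for V:", check_blondeau_nyberg(SBOX, basis))
    print("cap_Enc(V) =", capacity(lp_table(SBOX), span(basis)),
          " dim(V^perp) = 2*ell - k:", len(perp(span(basis))) == 1 << (2 * ELL - 2))
```

Both checks are exact because every probability is a `Fraction`; a floating-point version would only agree up to rounding. The same functions can be pointed at any other permutation table, or at a keyed family by passing each $C_K$ in turn, which is how one would tabulate the $p^{\mathrm{STD}}_{C_K}$ values that the next slide takes expectations over.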
Link between ML and STD Distinguishers
- For any fixed $C_K$ and $C^*$, we have
  $$\left|p^{\mathrm{ML}}_{C_K} - p^{\mathrm{ML}}_{C^*}\right| \le \frac{n\,2^{k/2}}{2}\sqrt{p^{\mathrm{STD}}_{C_K} - 2^{-k}} + \frac{n\,2^{k/2}}{2}\sqrt{p^{\mathrm{STD}}_{C^*} - 2^{-k}}$$
- We showed that
  $$E(p^{\mathrm{STD}}_{C_K}) - E(p^{\mathrm{STD}}_{C^*}) \le \frac{1}{2}\,\|[C_K]^2 - [C^*]^2\|_\infty$$
  and
  $$E\big(p^{\mathrm{STD}}_{C^*} - 2^{-k}\big) \le 2^{-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}}$$

Advantage of ML Bounded by Decorrelation
- One of the main results:
  $$E(p^{\mathrm{ML}}_{C_K}) - E(p^{\mathrm{ML}}_{C^*}) \le n\sqrt{2^{k-\ell} + 2^{k-1}\,\|[C_K]^2 - [C^*]^2\|_\infty}$$
- The cipher resists this distinguisher for up to $2^{(\ell-k)/2}$ queries
- This bound can probably be improved
- We think that we are losing a factor $\sqrt{n}$ when iterating the attack

TD Attacks – Algorithm
- $V = V_{\mathrm{in}} \times V_{\mathrm{out}}$
- $(\Delta,\Gamma) \in V_{\mathrm{in}}^\perp \times V_{\mathrm{out}}^\perp$
- $s = \dim(V_{\mathrm{in}})$

Distinguisher TD:
1: for i = 1 to n do
2:   pick $(x,x') \in (\{0,1\}^\ell)^2$ uniformly such that $x \oplus x' \in V_{\mathrm{in}}^\perp$
3:   set $y = \mathrm{Enc}(x)$ and $y' = \mathrm{Enc}(x')$
4:   set $b_i = 1_{((x,y) \oplus (x',y')) \in V^\perp}$
5: output $f(b_1,\dots,b_n)$
- Non-adaptive iterated attack of order 2

Advantage of TD Bounded by Decorrelation
$$E(p^{\mathrm{TD}}_{C_K}) - E(p^{\mathrm{TD}}_{C^*}) \le n\,2^{1+s-\ell}\,\frac{1 - 2^{-k}}{1 - 2^{-\ell}} + n\,2^{s-1}\,\|[C_K]^2 - [C^*]^2\|_\infty$$
- This bound is meaningful when the attacker has the knowledge of up to $2^{\ell-s-1}$ queries
- [Blondeau et al 14]: for $s = \ell - 1$ and $q = 1$, the TD attack is equivalent to a differential-linear attack
- [Bay 14]: decorrelation of order 4 is needed to protect against differential-linear attacks
- Decorrelation of order 2 is the right notion for small $s$

Conclusion
- We improved the bounds for the linear and differential-linear distinguishers
- We generalized the differential and boomerang distinguishers to allow an arbitrary function $f$
- We proved the security of ciphers against multidimensional linear and truncated differential cryptanalysis through decorrelation