Bit-Pattern Based Integral Attack

Muhammad Reza Z’aba (1), Håvard Raddum (2), Matt Henricksen (3), Ed Dawson (1)

(1) Information Security Institute, Queensland University of Technology, Australia
(2) Selmersenteret, University of Bergen, Norway
(3) Institute for Infocomm Research, A*STAR, Singapore

Fast Software Encryption (2008), 13 February 2008
Outline

1 Introduction
2 Bit-Pattern Based Integral Attack
  - Background
  - Type of Block Ciphers
  - Attack Algorithm
3 Application to Block Ciphers
  - PRESENT
  - Noekeon
  - Serpent
4 Discussion and Conclusion
Introduction

- Integral attack is very suitable for word-oriented ciphers
- Problem for bit-oriented ciphers
  - Any all-values property (a set of all possible values) of bijective S-box output will be destroyed by bit-wise linear component
- Solution
  - View each input bit position within structure as a sequence of bit patterns: bit-pattern based integral attack
- Application of bit-pattern based integral attack
  - 7-round PRESENT, 5-round Noekeon and 6-round Serpent
Bit-Pattern Based Integral Attack

Comparison between conventional byte-based and bit-based integral attacks

Conventional
- A set of m-bit active words into a single S-box in Round 1
- The active S-box receives all possible 2^m values in Round 1
- Inputs form an unordered set

Bit-Pattern Based
- A set of m-bit active words into m S-boxes in Round 1
- Each active S-box receives a pair of values in Round 1
- Inputs form an ordered set
Notations

Each bit position within structure is treated independently. The possible patterns:

- Constant c: the bits consist of only bit ‘0’ or ‘1’.
  E.g. 00000000 or 11111111
- Active a_i: alternating blocks of 2^i consecutive bits (‘0’ and ‘1’).
  E.g. a_1: 00110011
- Balance b_i: repetition of blocks of 2^i consecutive bits (‘0’ and ‘1’), not alternating.
  E.g. b_1: 00111100
  E.g. b_0^*: 10110001
  E.g. b_0: 10000000
- Dual d_i: c or a_i

Balancedness
- Balanced pattern: XOR sum = 0
- For b_0, b_0^* is balanced, b_0 is not necessarily balanced
How many distinct inputs into an S-box?

Lemma 1
Given a set of input patterns l_0, ..., l_{m-1} to an m × m bijective S-box, expressed as linear combinations of a_i-patterns, where a = (a_0, ..., a_{m-1})^T:
- Let l = (l_0, ..., l_{m-1})^T
- Represent as the matrix product Ma = l
- The number of distinct values to the S-box = 2^rank(M)

Use to determine whether balancedness of structure is retained or not after S-box
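
Lemma 1 can be checked numerically. The following is an added example, not code from the slides or the paper: it builds the a_i patterns as defined under Notations, forms l = Ma, and compares the number of distinct S-box inputs with 2^rank(M). It assumes the rank is taken over GF(2) and that the structure holds 2^m texts in counter order; the function names and the three matrices are constructed for illustration.

```python
from collections import Counter

def a_pattern(i, n_texts):
    """Pattern a_i over a structure: alternating blocks of 2^i equal bits."""
    return [(t >> i) & 1 for t in range(n_texts)]

def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are integer bitmasks."""
    rows, rank = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot          # lowest set bit of the pivot row
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank

def sbox_inputs(M, m):
    """Value entering the S-box for each of the 2^m texts, where l = M a.
    Bit i of row M[j] says whether a_i is XORed into input bit l_j."""
    n = 1 << m
    a = [a_pattern(i, n) for i in range(m)]
    values = []
    for t in range(n):
        v = 0
        for j, row in enumerate(M):
            bit = 0
            for i in range(m):
                if (row >> i) & 1:
                    bit ^= a[i][t]
            v |= bit << j
        values.append(v)
    return values

def check_lemma(M, m):
    """Return (distinct values observed, 2^rank(M), occurrences per value)."""
    counts = Counter(sbox_inputs(M, m))
    return len(counts), 1 << gf2_rank(M), sorted(set(counts.values()))

# Constructed 4x4 examples (not taken from the slides).
FULL  = [0b0001, 0b0010, 0b0100, 0b1000]   # l_j = a_j: all 16 values
RANK2 = [0b0001, 0b0010, 0b0011, 0b0001]   # (a0, a1, a0^a1, a0)
PAIR  = [0b0100, 0b0000, 0b0000, 0b0000]   # (a2, c, c, c): a pair of values

if __name__ == "__main__":
    for name, M in (("FULL", FULL), ("RANK2", RANK2), ("PAIR", PAIR)):
        print(name, check_lemma(M, 4))
```

When every value occurs an even number of times, as in the RANK2 and PAIR cases, each S-box output also occurs an even number of times, so the XOR sum of the outputs is zero for any S-box.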
Bit-Pattern Based Integral Attack on PRESENT

4-round Key Recovery

Guesses: 4 bits of K4

- Initialize array A[] of size 2^4
- Guess 4-bit subkey bits v of K4
- Partially decrypt ciphertexts
- If Equation (1) does not hold, set A[v] = 0
- If only one entry such that A[v] = 1 is left, v is correct subkey bits
- Repeat for other 15 S-boxes

Complexities
- Data: 2 × 2^4 = 2^5
- Time: 2 × 2^4 × 16 × 2^4 = 2^13
- Memory: small
Bit-Pattern Based Integral Attack on PRESENT

5-round Key Recovery

Guesses
- 4 bits of K4
- 16 bits K5

- Initialize array A of size 2^20
- Guess 20-bit subkey bits v of K4
- Partially decrypt ciphertexts
- If Equation (1) does not hold, set A[v] = 0
- If only one entry such that A[v] = 1 is left, v is correct subkey bits

Complexities

Analysis by designers
- Differential: 25-round characteristic (probability 2^-100)
- Linear: 28-round linear approximation (bias 2^-43)

The best 5-round differential attack on PRESENT requires on the order of 2^20 CP. Our 5-round attack requires about 80 CP.
CP = chosen plaintexts
Summary of Attacks on Noekeon

Rounds   Data         Time       Memory
4        2^17 CP      2^26       small
5        2^20.6 CP    2^108.1    2^89 bytes

Related-key attack [Knudsen and Raddum, 2001]: 768 related keys with probability 2^-32 for 16-round Noekeon

Our 3.5-round distinguisher for Noekeon with probability 1 is better than the 4-round differential trail with probability 2^-48 predicted by the designers
Summary of Attacks on Serpent

Rounds   Attack         Data         Time       Memory
4        Integral       2^11 CP      2^20       small
5        Integral       2^13.6 CP    2^58.7     2^44
6        Integral       2^65.2 CP    2^110.7    2^44
         Differential   2^83 CP      2^90       2^44    [Kohno et al., 2000]
10       Linear         2^120 KP     2^64       2^32    [Collard et al., 2007]

The best differential attack on 5-round Serpent requires on the order of 2^42 CP. Our 5-round attack requires 2^13.6 CP
Discussion and Conclusion

Advantages
- Attack applies to bit-oriented block ciphers: the order of texts plays an important part
- Bit-pattern based integral attacks on the analyzed ciphers are comparable to differential cryptanalysis over a few rounds, with fewer chosen plaintexts

Limitations
- Differential cryptanalysis can be extended to more rounds; integral cryptanalysis cannot be extended beyond a certain point
- Time complexity increases considerably as the number of cipher rounds increases
End

Thank you
Questions?
Anderson, R., Biham, E., and Knudsen, L. (1998). Serpent: A Proposal for the Advanced Encryption Standard. NIST AES Proposal. Available at http://www.cl.cam.ac.uk/~rja14/serpent.html.

Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. B., Seurin, Y., and Vikkelsoe, C. (2007). PRESENT: An Ultra-Lightweight Block Cipher. In Paillier, P. and Verbauwhede, I., editors, Cryptographic Hardware and Embedded Systems – CHES 2007, 9th International Workshop, volume 4727 of Lecture Notes in Computer Science, pages 450–466. Springer-Verlag.

Collard, B., Standaert, F.-X., and Quisquater, J.-J. (2007). Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent. In Information Security and Cryptology, Third SKLOIS Conference, Inscrypt 2007, to appear.

Daemen, J., Peeters, M., Assche, G. V., and Rijmen, V. (2000). Nessie Proposal: NOEKEON. First Open NESSIE Workshop. Available at http://gro.noekeon.org/.

Knudsen, L. and Raddum, H. (2001). On Noekeon. NESSIE Phase 1 public reports. Available at https://www.cosic.esat.kuleuven.be/nessie/reports/.

Kohno, T., Kelsey, J., and Schneier, B. (2000). Preliminary Cryptanalysis of Reduced-Round Serpent. In The Third Advanced Encryption Standard Candidate Conference, pages 195–211. NIST. Available at http://csrc.nist.gov/CryptoToolkit/aes/round2/conf3/aes3conf.htm.