On the Data Complexity of Statistical Attacks against Block Ciphers
Céline Blondeau and Benoît Gérard
INRIA project-team SECRET, France
WCC - May the 14th 2009
Outline
1 Introduction
2 Algorithm for computing the data complexity
3 Approximations of the binomial tail
4 A formula for approximating the data complexity
5 Asymptotic behavior for some statistical attacks
Statistical attacks against block ciphers
Some known statistical cryptanalyses:
linear cryptanalysis [Matsui 93];
differential cryptanalysis [Biham Shamir 91];
higher order differential cryptanalysis [Knudsen 94];
Using a characteristic to distinguish from random
Let χ be some characteristic on a given cipher.
If the sub-key guess is correct: χ occurs with probability $p_*$.
If the sub-key guess is not correct: χ occurs with probability $p$.
$$X_i = \begin{cases} 1 & \text{if } \chi \text{ occurs in sample } i, \\ 0 & \text{otherwise.} \end{cases}$$
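[Figure: a characteristic (differential, linear, truncated differential, impossible differential, differential-linear, ...) evaluated on N samples. Under $K_{good}$: $(X_1, \ldots, X_N)$ with $P(X_i = 1 \mid K_{good}) = p_*$. Under $K_{wrong}$: $(X_1, \ldots, X_N)$ with $P(X_i = 1 \mid K_{wrong}) = p$.]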
Distinguisher
Neyman-Pearson (optimal) test:
Accept a candidate K if
$$\frac{P(X_1, X_2, \ldots, X_N \mid K_{good})}{P(X_1, X_2, \ldots, X_N \mid K_{wrong})} > t.$$
This (likelihood) ratio only depends on $S_N = \sum_{i=1}^{N} X_i$, $p_*$ and $p$, and is increasing in $S_N$.
Thus, the acceptance condition becomes, for some threshold $0 < T < N$,
$$S_N > T$$
$S_{N,p_*} = \sum_{i=1}^{N} X_i$ follows a binomial law of parameters $(N, p_*)$.
$S_{N,p} = \sum_{i=1}^{N} X_i$ follows a binomial law of parameters $(N, p)$.
Error probabilities
Two kinds of errors can be made:
Non-detection error probability $P(S_{N,p_*} < T)$;
False alarm error probability $P(S_{N,p} \ge T)$.
The non-detection error probability is related to the success probability of the cryptanalysis.
The false alarm error probability is the expected ratio of kept candidates and thus influences the time complexity of the cryptanalysis.
Aim: Finding the minimal $N$ and the corresponding $T$ such that $P(S_{N,p_*} < T) \le \alpha$ and $P(S_{N,p} \ge T) \le \beta$ for given values of $\alpha$ and $\beta$.
Motivation
[Figure: Generalized Feistel Network diagram with labels X1 to X8, Y1 to Y8, Z1 to Z8, S-boxes S1 to S4 and keys K1 to K4.]
Generalized Feistel Network [Nyberg 96] with:
10 rounds;
4 S-boxes.
Truncated differential path: $p_* = 1.18 \cdot 2^{-16}$ and $p = 2^{-16}$
Differential path: $p_* = 1.53 \cdot 2^{-27}$ and $p = 2^{-32}$
Question:
Which couple of parameters gives the best cryptanalysis?
An algorithm for finding N (1/2)
Some properties:
For a fixed τ = T/N, error probabilities decrease when N increases.
For a fixed N, non-detection error increases with τ.
For a fixed N, false alarm error decreases when τ increases.
Idea
Dichotomic search for τ .
An algorithm for finding N (2/2)
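Input: $(\alpha, \beta)$ and $(p_*, p)$.
Output: $N$ and $\tau$, the minimum number of samples and the corresponding relative threshold to reach error probabilities less than $(\alpha, \beta)$.

$\tau_{min} \leftarrow p$ and $\tau_{max} \leftarrow p_*$.
repeat
    $\tau \leftarrow \frac{\tau_{min} + \tau_{max}}{2}$.
    Compute $N_{nd}$ such that $\forall N > N_{nd}$, $P(S_{N,p_*} < N\tau) \le \alpha$.
    Compute $N_{fa}$ such that $\forall N > N_{fa}$, $P(S_{N,p} \ge N\tau) \le \beta$.
    if $N_{nd} > N_{fa}$ then $\tau_{max} = \tau$ else $\tau_{min} = \tau$
until $N_{nd} = N_{fa}$.
return $N$ and $\tau$.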
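An added example (not from the slides or the authors' code) that computes the same quantity, the minimal N and its threshold, with exact binomial tails for the two parameter pairs of the Motivation slide. Instead of the dichotomic search on τ it scans the integer threshold T, which is exact because for a fixed T the non-detection error can only decrease with N while the false alarm can only increase; the names `cdf_below`, `data_complexity`, `PATHS` and the targets α = β = 0.1 are assumptions of this example.

```python
import math

def cdf_below(n, p, t):
    """Exact P(S < t) for S ~ Binomial(n, p) and integer t >= 1."""
    log_pmf = n * math.log1p(-p)               # log P(S = 0)
    log_odds = math.log(p) - math.log1p(-p)
    total = 0.0
    for k in range(min(t, n + 1)):
        total += math.exp(log_pmf)
        if k < n:                              # step to log P(S = k + 1)
            log_pmf += math.log((n - k) / (k + 1)) + log_odds
    return min(total, 1.0)

def data_complexity(p_star, p, alpha, beta, t_max=10_000):
    """Smallest N, with its threshold T and tau = T/N, such that
    P(S_{N,p*} < T) <= alpha and P(S_{N,p} >= T) <= beta (needs p* > p)."""
    lo = 0                                     # invariant: N = lo is too small
    for t in range(1, t_max + 1):
        def detects(n):
            return cdf_below(n, p_star, t) <= alpha
        hi = max(1, 2 * lo)
        while not detects(hi):                 # bracket the smallest valid N
            hi *= 2
        while hi - lo > 1:                     # bisection, monotone for fixed T
            mid = (lo + hi) // 2
            if detects(mid):
                hi = mid
            else:
                lo = mid
        # For fixed T the false alarm only grows with N, so N = hi is the
        # best case for this T: if it fails here, T is too small.
        if 1.0 - cdf_below(hi, p, t) <= beta:
            return hi, t, t / hi
        lo = hi - 1                            # still too small for T + 1
    raise ValueError("no threshold up to t_max meets both error bounds")

# Parameters from the Motivation slide; alpha = beta = 0.1 is an assumed target.
PATHS = {
    "truncated differential": (1.18 * 2**-16, 2**-16),
    "differential": (1.53 * 2**-27, 2**-32),
}

if __name__ == "__main__":
    for name, (p_star, p) in PATHS.items():
        n, t, tau = data_complexity(p_star, p, alpha=0.1, beta=0.1)
        print(f"{name}: N = 2^{math.log2(n):.2f}, T = {t}, tau = {tau:.3e}")
```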
Number of required samples N for differential and truncated-differential cryptanalyses
Answer to the question:
In that case, truncated differential is better than differential.