Using Multiple Differentials

Using Multiple Differentials...

1/28


On the LLR and χ2 Statistical Tests in Differential Context

Celine Blondeau

Aalto University

Luxembourg, January 2013

joint work with Benoıt Gerard and Kaisa Nyberg


2/28

Outline

IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis

Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials

Analysing InformationLLR Statistical Testχ2 Statistical Test

ExperimentsExperimental ResultsDiscussion


3/28

Outline






4/28

Block ciphers

--

--

-

x

y

FK1

FK2

FKr

FKr+1

EK : Fm2 → Fm

2

I K : Master keyI F : Round functionI Ki : Round key

cccc cccc cccc cccc

cccc cccc cccc cccc

cccc cccc cccc cccc

cccc cccc cccc cccc

S3 S2 S1 S0

S3 S2 S1 S0

S3 S2 S1 S0

��

��

��

��

@@@

��

��

HHHH

HH

@@@

��

PPPP

PPPP

HHHH

HH

@@@

��

��

��

��

��

@@@

��

��

HHH

HHH

@@@

��

PPPP

PPPP

HHHH

HH

@@@

��

��

��

��

��

@@@

��

��

HHH

HHH

@@@

��

PPPP

PPPP

HHH

HHH

@@@

SMALLPRESENT-[4]


5/28

Statistical Attacks

Statistical attacks:I Take advantage of a non-uniform behavior of the cipherI Two families: Linear and Differential cryptanalysis

Improvement of differential cryptanalysis

I Differential cryptanalysis [Biham Shamir 91]I Truncated differential cryptanalysis [Knudsen 95]I Impossible differential cryptanalysis [Biham Biryukov Shamir

99]I Higher order differential cryptanalysis [Lai 94] [Knudsen 95]I Bulk Multiple differential cryptanalysis [Blondeau Gerard 11]


6/28

Differential CryptanalysisGiven an input difference between two plaintexts, some outputdifferences occur more often than others.

-

-

-

-

EK

EK

x

x ′

y

y ′

6

?

6

?

δin δout

Differential: pair of input and output difference (δin, δout)

Differential probability: p = PX ,K [ EK (x)⊕ Ek (x ⊕ δin) = δout ]

Uniform probability: θ = 2−m


7/28

Using Multiple differentials...

I Truncated differential cryptanalysisI Impossible differential cryptanalysisI Higher order differential cryptanalysisI Bulk differential cryptanalysis

One non-uniform probability is used for comparison with uniformprobability


7/28

Using Multiple differentials...

I Truncated differential cryptanalysisI Impossible differential cryptanalysisI Higher order differential cryptanalysisI Bulk differential cryptanalysis

One non-uniform probability is used for comparison with uniformprobability


8/28

Bulk differential cryptanalysis [FSE 2011]

I Set of differences (δin(v), δout

(v)), with probabilities pv .

I p = 1∆in

∑v pv expected probability.

I θ = 1∆in

∑v

12m uniform probability.

Frequencies are summed up.

How to use the probability of each differential individually?


8/28




I p = 1∆in


I θ = 1∆in

∑v





8/28




I p = 1∆in


I θ = 1∆in

∑v





9/28

Related Work

Linear Cryptanalysis [Matsui 93]:

I Multiple linear cryptanalysis [Baigneres Junod Vaudenay 04]

I Multidimensional linear cryptanalysis [Hermelin Cho Nyberg08]

Both use LLR and/or χ2 statistical tests.

Differential Cryptanalysis:

Recently :

I How to apply LLR and/or χ2 statistical tests?I How to partition the output differences?


10/28

Multiple Differential Cryptanalysis

I Fixed input difference δin (To simplify the analysis)

I Vector of “differences”: V = [δ(v)out ] after r rounds,

I p = [pv ]v∈V vector of expected probabilities.

I θ = [θv ]v∈V vector of uniform probabilities.

I qk = [qkv ]v∈V vector of observed probabilities for the key k .


11/28

Recent Work

[Albrecht Leander 12]

LLR statistical test

Application to SMALLPRESENT-[4] (m = 16) and KATAN-32(m = 32)

[Blondeau Gerard Nyberg 12]

LLR and χ2 statistical tests.

What to do when m > 32 ?

⇒ Introduction of partitioning functions


12/28

Outline






13/28

Partitioning Functions

We analyze two “orthogonal” cases

I Unbalanced partitioningI Take a subset of simple differences

I Balanced partitioningI Group the differences in order to be able to use information of

the whole output space.

Aim:I Compare Time, Memory and Data complexity of the different

methods.


13/28

Partitioning Functions

We analyze two “orthogonal” cases

I Unbalanced partitioningI Take a subset of simple differences

I Balanced partitioningI Group the differences in order to be able to use information of

the whole output space.

Aim:I Compare Time, Memory and Data complexity of the different

methods.


14/28

Last Round Attack

Plaintext

Characteristic

Partial State??

r roundsF rK

Distinguisher


14/28

Last Round Attack

Plaintext

Characteristic

Partial State??

r roundsF rK

Distinguisher

?Substitution Layer

Key addition

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eCiphertext


15/28

Unbalanced Partitioning

Idea: Subset of simple differences

I Output differences (δ(v)out )1≤v≤A,

I Counter for each of these differentials qkv .

I As∑A

i=1 qkv 6= 1

I We have a “trash” counter qk0 which gathers all other output

differences.

Last Round Attack: We increment the counter qkv

if the difference δ(v)out is obtained after partial deciphering.


16/28

Unbalanced Partitioning: Last Round Attack

δin

?

V = [δ(v)out ]v

��* HHYV

Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e e


16/28


V = [δ(v)out ]v

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1 Active Sboxes


16/28


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1

Sieving processDiscard some ciphertext pairs


16/28


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0


6e 6e 6e For all key candidates,partially decipherk4 k3 k1

6��@I


16/28


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0


6e 6e 6ek4 k3 k1

6��@I If δ = δ(v)out

Increment qkv

OtherwiseIncrement qk

0


16/28


��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0


6e 6e 6ek4 k3 k1

6��@I If δ = δ(v)out

Increment qkv

OtherwiseIncrement qk

0

Analyse the vectors qk for each key


17/28

Unbalanced Partionning: Remarks

Corresponding known/former attacks:I Differential cryptanalysis.

Advantage:I A sieving process⇒ “smaller” time complexity

Disadvantage:I Subset of output space⇒ Not all informationI Small probabilities⇒ Non-tightness of the information


18/28

Balanced Partitioning

Idea: Using information from all differences by grouping them.

Let V = [δ(v)out ]v a subspace of Fm

2

A group of differences ∆(v)out = δ

(v)out ⊕ V (V ⊕ V = Fm

2 )

A counter qkv for each group of differences.


19/28

Balanced Partitioning: Last Round Attack

δin

?

V

∆out = δout ⊕ V

Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0


19/28


V

∆out = δout ⊕ V

S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

S7 S6 S5 S4 S3 S2 S1 S0 Active Sboxes


19/28


V


S7 S6 S5 S4 S3 S2 S1 S0

No sieving processPartially decipher for all pairs


19/28


V


S7 S6 S5 S4 S3 S2 S1 S0For all key candidates,

partially decipherk4 k3 k26e 6e 6eS4 S3 S2


19/28


V


S7 S6 S5 S4 S3 S2 S1 S0

k4 k3 k26e 6e 6eS4 S3 S2

��*6HHYIf δ ∈ δ(v)

out ⊕ VIncrement qk

v


19/28


V


S7 S6 S5 S4 S3 S2 S1 S0

k4 k3 k26e 6e 6eS4 S3 S2

��*6HHYIf δ ∈ δ(v)

out ⊕ VIncrement qk

v

Analyse the vectors qk for each key


20/28

Balanced Partitioning: Remarks

Corresponding known/former attacks:I Truncated Differential cryptanalysis.

Advantage:I Whole output space⇒ More informationI Bigger Probabilities⇒ Tightness of the information

Disadvantage:I No sieving process⇒ Larger time complexity


21/28

Outline






22/28

Statistical TestsProbability distribution vectors

I Expected: p = [pv ]v∈V

I Uniform: θ = [θv ]v∈V

I Observed: qk (for a given key candidate k )

LLR test: requires the knowledge of the theoretical probability p.

Sk = LLRk (qk ,p, θ)def= Ns

∑v∈V

qkv log

(pv

θv

).

χ2 test: Does not require the knowledge of p for the attack

Sk = χ2k (qk , θ) = Ns

∑v∈V

(qkv − θv )2

θv.


23/28

Complexities

Let S(k) be the statistic obtained for a key candidate k .

Sk = LLRk (qk ,p, θ) or = χ2k (qk , θ)

Then,

Sk ∼{N (µR, σ

2R) if k = Kr ,

N (µW , σ2W ) otherwise.

[Selcuk 07]:I Estimates of the value of µR, µW , σR, σw for both LLR and χ2

statistical tests.I Estimates of the Data Complexity


24/28

Asymptotic Complexity when PS = 0.5

a: AdvantageΦ0,1 : cumulative function of standard normal distribution

LLR test:

N ≈Varp(log(p

θ ))[Ep(log(p

θ ))− Eθ(log(pθ ))]2 Φ−2

0,1(1− 2−a)

χ2 test:

N ≈√

2|V |C(p)

Φ−10,1(1− 2−a)

where C(p) =∑

v∈V

(pv−θv )2

θv


25/28

Outline






26/28

Unbalanced Partitioning: Simple differences

0.5

0.6

0.7

0.8

0.9

20 22 24 26 28 30

PS

log2(N)

LLR : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11

χ2 : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11


27/28

Balanced Partitioning: Group of output differences

0.5

0.6

0.7

0.8

0.9

19 21 23 25 27

PS

log2(N)

LLR : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7

χ2 : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7


28/28

Conclusions

Balanced or Unbalanced partitioning ?I Time Complexity: unbalanced⇒ faster attack.I Data Complexity: depends of the cipher.

LLR or χ2?I If we have a good estimate of the expected probabilities⇒ LLR provides better Data and Memory complexities

I Otherwise LLR is not effective

Using Multiple Differentials

Documents