A General Proof Framework for Recent AES Distinguishers (FSE 2019 slide deck, transcript)


  1. A General Proof Framework for Recent AES Distinguishers. Christina Boura, Anne Canteaut, Daniel Coggia. Inria, Project Team SECRET, France. March 27, FSE 2019.

  2. Outline: Definitions and the multiple-of-8 distinguisher; Proof for the distinguisher; Generalisation of this proof framework; Adaptation to other SPN ciphers. (Daniel Coggia, slide 2/37)

  3. Section 1: Definitions and the multiple-of-8 distinguisher.

  6. Definitions and the multiple-of-8 distinguisher. Some definitions.
A state is a $4 \times 4$ array of bytes read column by column:
$$\begin{pmatrix} x_0 & x_4 & x_8 & x_{12} \\ x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \end{pmatrix} \in \mathbb{F}_{2^8}^{16}, \qquad x_i \in \mathbb{F}_{2^8}.$$
Columns: $C_i$ is the subspace of states whose only non-zero column is column $i$, e.g.
$$\begin{pmatrix} x_0 & 0 & 0 & 0 \\ x_1 & 0 & 0 & 0 \\ x_2 & 0 & 0 & 0 \\ x_3 & 0 & 0 & 0 \end{pmatrix} \in C_0 .$$
For $I \subseteq \{0,\dots,3\}$, $C_I = \bigoplus_{i \in I} C_i$, e.g.
$$\begin{pmatrix} 0 & x_0 & 0 & y_0 \\ 0 & x_1 & 0 & y_1 \\ 0 & x_2 & 0 & y_2 \\ 0 & x_3 & 0 & y_3 \end{pmatrix} \in C_{\{1,3\}} .$$

  9. Definitions and the multiple-of-8 distinguisher. Diagonals, anti-diagonals and mixed subspaces.
Diagonals: $D_i = \mathrm{SR}^{-1}(C_i)$, so ShiftRows maps $D_I \to C_I$; e.g.
$$\begin{pmatrix} x_0 & 0 & 0 & 0 \\ 0 & x_1 & 0 & 0 \\ 0 & 0 & x_2 & 0 \\ 0 & 0 & 0 & x_3 \end{pmatrix} \in D_0 .$$
Anti-diagonals: $ID_i = \mathrm{SR}(C_i)$, so ShiftRows maps $C_I \to ID_I$; e.g. (naming the byte in column $k$ by $x_k$)
$$\begin{pmatrix} x_0 & 0 & 0 & 0 \\ 0 & 0 & 0 & x_3 \\ 0 & 0 & x_2 & 0 \\ 0 & x_1 & 0 & 0 \end{pmatrix} \in ID_0 .$$
Mixed: $M_i = \mathrm{MC}(ID_i)$, so MixColumns maps $ID_I \to M_I$; applying MixColumns to the element of $ID_0$ above gives
$$\begin{pmatrix} 2\cdot x_0 & x_1 & x_2 & 3\cdot x_3 \\ x_0 & x_1 & 3\cdot x_2 & 2\cdot x_3 \\ x_0 & 3\cdot x_1 & 2\cdot x_2 & x_3 \\ 3\cdot x_0 & 2\cdot x_1 & x_2 & x_3 \end{pmatrix} \in M_0 ,$$
so column $k$ of a point of $M_0$ is determined by the single byte $x_k$.

  11. Definitions and the multiple-of-8 distinguisher. One round $R$ is SubBytes, then ShiftRows, then MixColumns; SubBytes acts byte by byte and so keeps each family in place, while the two linear layers move them as on the previous slide:
$$D_I \xrightarrow{\ \mathrm{SubBytes}\ } D_I \xrightarrow{\ \mathrm{ShiftRows}\ } C_I \xrightarrow{\ \mathrm{MixColumns}\ } C_I , \qquad C_I \xrightarrow{\ \mathrm{SubBytes}\ } C_I \xrightarrow{\ \mathrm{ShiftRows}\ } ID_I \xrightarrow{\ \mathrm{MixColumns}\ } M_I .$$
Encryption of a message $m$ with $r$ rounds and round keys $k_0, k_1, \dots, k_r$: $m \oplus k_0 \to R_1 \to \oplus k_1 \to R_2 \to \oplus k_2 \to \cdots \to R_r \to \oplus k_r \to c$.

  13. Definitions and the multiple-of-8 distinguisher. Subspace trails (Grassi, Rechberger and Rønjom, ToSC 2016).
For subspaces $U, V$ of $\mathbb{F}_{2^8}^{16}$ and a function $F$, $U \overset{F}{\Rightarrow} V$ if for every $a \in \mathbb{F}_{2^8}^{16}$ there exists $b \in \mathbb{F}_{2^8}^{16}$ such that $F(U + a) \subseteq V + b$, i.e. every coset of $U$ is sent into a single coset of $V$ (when $F$ is a permutation and $\dim U = \dim V$ this inclusion is an equality).
Examples:
◮ $\{0\} \overset{F}{\Rightarrow} \{0\}$;
◮ $U \overset{F}{\Rightarrow} \mathbb{F}_{2^8}^{16}$ for any subspace $U$;
◮ $D_I \overset{R}{\Rightarrow} C_I$;
◮ $C_I \overset{R}{\Rightarrow} M_I$.

  18. Definitions and the multiple-of-8 distinguisher. The multiple-of-8 distinguisher (Grassi, Rechberger and Rønjom, Eurocrypt 2017).
Let $a \in \mathbb{F}_{2^8}^{16}$, $i \in \{0,\dots,3\}$ (one diagonal $D_i$) and $J \subseteq \{0,\dots,3\}$ (a mixed subspace $M_J$). Count the unordered pairs of the coset $D_i + a$ whose difference after 5 rounds lies in $M_J$:
$$n = \#\{\{p_0, p_1\} : p_0, p_1 \in D_i + a,\ R^5(p_0) + R^5(p_1) \in M_J\} .$$
Then $n \equiv 0 \bmod 8$.

  21. Definitions and the multiple-of-8 distinguisher. Our contribution starts here.
Questions to answer:
◮ Is the maximal branch number (of the MixColumns matrix) necessary? Answer: a new proof of the distinguisher.
◮ Can we adapt this distinguisher to other SPN ciphers? Answer: an adaptation of the new proof.

  22. Section 2: Proof for the distinguisher.

  25. Proof for the distinguisher. A key lemma (Grassi, Rechberger and Rønjom, Eurocrypt 2017).
The 5 rounds are split as 2 + 1 + 2: two rounds $D_I \overset{R}{\Rightarrow} C_I \overset{R}{\Rightarrow} M_I$, one middle round handled by the lemma below, and two rounds $D_J \overset{R}{\Rightarrow} C_J \overset{R}{\Rightarrow} M_J$.
Lemma. Let $a \in \mathbb{F}_{2^8}^{16}$, $I \subset \{0,\dots,3\}$, $J \subseteq \{0,\dots,3\}$, and define
$$n = \#\{\{p_0, p_1\} : p_0, p_1 \in M_I + a,\ R(p_0) + R(p_1) \in D_J\} .$$
Then $n \equiv 0 \bmod 8$.

  26. Proof for the distinguisher. Step 1: an equivalence relation between pairs.
Example of a pair $\{p_0, p_1\}$ in $M_0$ (the translation $a$ is omitted): column $k$ of a point of $M_0$ is determined by a single byte, written $x_k$ for $p_0$ and $y_k$ for $p_1$, and here the two points share the bytes $z_2, z_3$ of columns 2 and 3:
$$p_0 = \begin{pmatrix} 2\cdot x_0 & x_1 & z_2 & 3\cdot z_3 \\ x_0 & x_1 & 3\cdot z_2 & 2\cdot z_3 \\ x_0 & 3\cdot x_1 & 2\cdot z_2 & z_3 \\ 3\cdot x_0 & 2\cdot x_1 & z_2 & z_3 \end{pmatrix}, \qquad p_1 = \begin{pmatrix} 2\cdot y_0 & y_1 & z_2 & 3\cdot z_3 \\ y_0 & y_1 & 3\cdot z_2 & 2\cdot z_3 \\ y_0 & 3\cdot y_1 & 2\cdot z_2 & z_3 \\ 3\cdot y_0 & 2\cdot y_1 & z_2 & z_3 \end{pmatrix}.$$
Definition. Let $p_0, p_1 \in M_I + a$, with coordinates $x_{i,k}$ (for $p_0$) and $y_{i,k}$ (for $p_1$), $i \in I$, $k \in \{0,\dots,3\}$, where $x_{i,k}$ is the byte of the $M_i$ component that determines column $k$. The information set $K$ of the pair $\{p_0, p_1\}$ is
$$K = \{k \in \{0,\dots,3\} \mid \exists i \in I : x_{i,k} \neq y_{i,k}\} .$$
It is $K = \{0, 1\}$ in the example.

  27. Proof for the distinguisher. The relation $\sim$ on pairs.
Example: the pair of the previous slide is equivalent to the pair obtained by exchanging the column-1 bytes $x_1 \leftrightarrow y_1$ between the two points and replacing the shared bytes $z_2, z_3$ by arbitrary shared bytes $w_2, w_3$:
$$\left\{ \begin{pmatrix} 2\cdot x_0 & x_1 & z_2 & 3\cdot z_3 \\ x_0 & x_1 & 3\cdot z_2 & 2\cdot z_3 \\ x_0 & 3\cdot x_1 & 2\cdot z_2 & z_3 \\ 3\cdot x_0 & 2\cdot x_1 & z_2 & z_3 \end{pmatrix}, \begin{pmatrix} 2\cdot y_0 & y_1 & z_2 & 3\cdot z_3 \\ y_0 & y_1 & 3\cdot z_2 & 2\cdot z_3 \\ y_0 & 3\cdot y_1 & 2\cdot z_2 & z_3 \\ 3\cdot y_0 & 2\cdot y_1 & z_2 & z_3 \end{pmatrix} \right\} \sim \left\{ \begin{pmatrix} 2\cdot x_0 & y_1 & w_2 & 3\cdot w_3 \\ x_0 & y_1 & 3\cdot w_2 & 2\cdot w_3 \\ x_0 & 3\cdot y_1 & 2\cdot w_2 & w_3 \\ 3\cdot x_0 & 2\cdot y_1 & w_2 & w_3 \end{pmatrix}, \begin{pmatrix} 2\cdot y_0 & x_1 & w_2 & 3\cdot w_3 \\ y_0 & x_1 & 3\cdot w_2 & 2\cdot w_3 \\ y_0 & 3\cdot x_1 & 2\cdot w_2 & w_3 \\ 3\cdot y_0 & 2\cdot x_1 & w_2 & w_3 \end{pmatrix} \right\} .$$
Definition. Let $p_0, p_1, q_0, q_1 \in M_I + a$, $P = \{p_0, p_1\}$, $Q = \{q_0, q_1\}$. Then $P \sim Q$ if:
◮ $P$ and $Q$ share the same information set $K$;
◮ for every $k \in K$ there is $b \in \{0,1\}$ such that for all $i \in I$, $q^0_{i,k} = p^b_{i,k}$ and $q^1_{i,k} = p^{1-b}_{i,k}$.
(The coordinates with $k \notin K$ are equal within each pair but unconstrained between $P$ and $Q$.) $\sim$ is an equivalence relation on the pairs of $M_I + a$.

  29. Proof for the distinguisher.
Theorem. The function $\Delta : \{p_0, p_1\} \mapsto R(p_0) + R(p_1)$ is constant on the equivalence classes of $\sim$.
Proposition. Let $\mathcal{C}$ be an equivalence class with information set $K$. Then
$$\#\mathcal{C} = 2^{\,|K| - 1 + 8|I|(4 - |K|)} \equiv 0 \bmod 8 .$$
(The factor $2^{|K|-1}$ counts the choices of $b$ for each $k \in K$ up to swapping the two points of the pair; the factor $2^{8|I|(4-|K|)}$ counts the free shared bytes in the columns outside $K$.) Since $\Delta$ is constant on each class, the count $n$ of the lemma is a sum of class sizes, each a multiple of 8.
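The following Python script is an added worked example; it is not part of the slides and not the authors' code. It implements one AES round on the column-major state of slide 4, builds the supports of $C_I$, $D_I$, $ID_I$ and $M_I$, and checks on random samples (i) the two one-round subspace trails $D_I \Rightarrow C_I$ and $C_I \Rightarrow M_I$ of slide 7 and (ii) the theorem of slide 14: a pair $\{p_0, p_1\}$ of a coset $M_I + a$ and a randomly drawn member of its $\sim$-class have the same difference $R(p_0) + R(p_1)$. The function names (`aes_round`, `m_element`, `equivalent_pair`, `check_delta_constant`, ...), the coordinate convention `coords[(i, k)]` for $x_{i,k}$, and the random round key and coset representative are this example's own assumptions; the S-box is recomputed from its field definition rather than tabulated.

```python
import random
from functools import reduce
from operator import xor

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_byte(x):
    """AES S-box: inversion in GF(2^8) (x^254, which sends 0 to 0), then the affine map."""
    y = reduce(gf_mul, [x] * 254, 1)
    return 0x63 ^ y ^ reduce(xor, (((y << i) | (y >> (8 - i))) & 0xFF for i in range(1, 5)))

SBOX = [_sbox_byte(x) for x in range(256)]
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def pos(r, c):  # index of byte (row r, column c) in a column-major 16-byte state (slide 4)
    return (r % 4) + 4 * (c % 4)

def add(s, t):  # XOR of two states, written + on the slides
    return [x ^ y for x, y in zip(s, t)]

def mix_columns(s, m=MC):
    return [reduce(xor, (gf_mul(m[r][j], s[pos(j, c)]) for j in range(4)))
            for c in range(4) for r in range(4)]

def aes_round(s, k):
    """R = AddRoundKey . MixColumns . ShiftRows . SubBytes (slide 6)."""
    sb = [SBOX[b] for b in s]
    sr = [sb[pos(r, c + r)] for c in range(4) for r in range(4)]  # row r rotated left by r
    return add(mix_columns(sr), k)

# Supports (index sets) of the subspace families of slide 5, for I a subset of {0,1,2,3}.
def C(I): return {pos(r, i) for i in I for r in range(4)}       # column i
def D(I): return {pos(r, i + r) for i in I for r in range(4)}   # diagonal, SR^-1(C_i)
def ID(I): return {pos(r, i - r) for i in I for r in range(4)}  # anti-diagonal, SR(C_i)

def in_subspace(s, support):
    return all(b == 0 for j, b in enumerate(s) if j not in support)

def check_trails(I, trials, seed):
    """Slide 7: D_I => C_I and C_I => M_I over one round R, checked on random pairs."""
    rng = random.Random(seed)
    k, a = list(rng.randbytes(16)), list(rng.randbytes(16))  # round key, coset representative
    trails = ((D(I), lambda d: in_subspace(d, C(I))),                        # D_I => C_I
              (C(I), lambda d: in_subspace(mix_columns(d, MC_INV), ID(I))))  # C_I => M_I = MC(ID_I)
    for _ in range(trials):
        for src, dst in trails:
            u = [rng.randrange(256) if j in src else 0 for j in range(16)]  # difference inside src
            if not dst(add(aes_round(add(a, u), k), aes_round(a, k))):
                return False
    return True

def m_element(a, I, coords):
    """Point of M_I + a with coordinates coords[(i, k)] = x_{i,k} (slide 12): x_{i,k} is the byte of the ID_i part lying in column k (row (i - k) mod 4) before MixColumns."""
    v = [0] * 16
    for (i, k), byte in coords.items():
        v[pos(i - k, k)] = byte
    return add(mix_columns(v), a)

def info_set(I, c0, c1):
    """K = {k | exists i in I : x_{i,k} != y_{i,k}} (slide 12)."""
    return {k for k in range(4) if any(c0[(i, k)] != c1[(i, k)] for i in I)}

def equivalent_pair(I, c0, c1, rng):
    """Random member of the ~-class of {p0, p1} (slide 13): for k in K keep or swap the two
    points' column-k coordinates; for k outside K draw fresh bytes shared by q0 and q1."""
    K, q0, q1 = info_set(I, c0, c1), {}, {}
    for k in range(4):
        b = rng.randrange(2) if k in K else None
        for i in I:
            if b is None:
                q0[(i, k)] = q1[(i, k)] = rng.randrange(256)
            else:
                q0[(i, k)], q1[(i, k)] = (c0, c1)[b][(i, k)], (c0, c1)[1 - b][(i, k)]
    return q0, q1

def class_size(I, K):
    """Slide 14: #C = 2^(|K| - 1 + 8|I|(4 - |K|)), a multiple of 8 whenever K is non-empty."""
    return 2 ** (len(K) - 1 + 8 * len(I) * (4 - len(K)))

def check_delta_constant(I, trials, seed):
    """Theorem (slide 14): Delta({p0, p1}) = R(p0) + R(p1) is the same on a whole ~-class; sampled."""
    rng = random.Random(seed)
    k, a = list(rng.randbytes(16)), list(rng.randbytes(16))
    delta = lambda c, d: add(aes_round(m_element(a, I, c), k), aes_round(m_element(a, I, d), k))
    for _ in range(trials):
        c0 = {(i, j): rng.randrange(256) for i in I for j in range(4)}
        cols = rng.sample(range(4), rng.randrange(1, 5))  # columns where p1 gets new bytes
        c1 = {(i, j): rng.randrange(256) if j in cols else c0[(i, j)] for (i, j) in c0}
        if delta(c0, c1) != delta(*equivalent_pair(I, c0, c1, rng)):
            return False
    return True
```

`check_trails({0}, 200, 1)` and `check_delta_constant({0, 2}, 100, 2)` both return True, and `class_size({0}, {0, 1, 2, 3})` is exactly 8. A sampled check is evidence, not the proof: enumerating a full coset $D_i + a$ ($2^{32}$ plaintexts, about $2^{63}$ pairs) to observe the multiple-of-8 count directly is out of reach, so the script tests the structural facts the proof rests on instead. The reason the theorem holds is visible in `m_element`: column $k$ of a point of $M_I + a$ depends only on the bytes $x_{i,k}$, so exchanging those bytes between $p_0$ and $p_1$ column by column, and changing the shared bytes outside $K$, leaves the byte-wise SubBytes difference unchanged, and ShiftRows, MixColumns and the key addition then give the same $\Delta$.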
