slide-1
SLIDE 1

A Model for Structure Attacks, with Applications to PRESENT and Serpent

Meiqin Wang¹, Yue Sun², Elmar Tischhauser³ and Bart Preneel³

¹Shandong University, ²Tsinghua University, ³KU Leuven and IBBT

FSE 2012, March 19, 2012

1 / 18

slide-2
SLIDE 2

Outline

  1. Motivation
  2. Modeling structure attacks
  3. Attacking PRESENT and Serpent
  4. Conclusions and outlook

2 / 18

slide-3
SLIDE 3

Motivation: How to leverage multiple differentials?

Using multiple differentials has advantages

◮ More likely to hit right pair ⇒ decrease data complexity
◮ Unlike linear cryptanalysis: always constructive
◮ Success stories: DES, Serpent

Caveats

◮ Too many differentials can increase complexity
◮ Multiple input, multiple output, both?
◮ How many active bits/S-boxes at input/output?

⇒ General model needed for evaluation

Motivation 3 / 18

slide-6
SLIDE 6

State of the art: What we know

Historical introduction

◮ Biham and Shamir 1990: Quartets, Octets, etc.
◮ . . . widespread informal use . . .
◮ Blondeau and Gérard, FSE 2011: Comprehensive framework for multiple differentials

What’s left to do then?

◮ Model of FSE’11: Analysis requires fairly restrictive condition
  • n differentials
◮ Can this be avoided?
◮ Some small technical problems with the attack on 18-round PRESENT

Motivation 4 / 18

slide-10
SLIDE 10

Structure attacks

Structure attacks

◮ Use multiple input, single output differences
◮ Proper subclass of multiple differential cryptanalysis
◮ Allow avoiding the condition of [Blondeau and Gérard, FSE’11]

Structures

◮ Consider set $\{\Delta_0^1, \ldots, \Delta_0^t\}$ of input differences
◮ Structure: collection of plaintexts of the form $\{x \oplus \Delta \mid \Delta \in \operatorname{span}\{\Delta_0^1, \ldots, \Delta_0^t\}\}$ (indexed by $x$)

Here: focus on SPNs

Modeling structure attacks 5 / 18

slide-13
SLIDE 13

Modeling structure attacks: The setting

Notation

◮ $m$-bit block cipher, $k$-bit key
◮ Attack on $R$ rounds with $r$-round differentials
◮ Set $\Delta_0$ of input differences, one output difference $\Delta_r$

Modeling structure attacks 6 / 18

slide-14
SLIDE 14

Modeling structure attacks: The setting

[Figure: three S-box layers of an SPN, annotated "R rounds", "r rounds", "$N_p$ bits active" and "$N_c$ bits not active"]

Modeling structure attacks 6 / 18

slide-15
SLIDE 15

Structure of the structures

In each structure:

◮ $m - N_p$ bits fixed,
◮ $N_p$ bits take on all $N_p$-bit values

Structure 1:

[Figure: two rows of numbered positions, most labelled r and the rest labelled F]

Structure 2:

[Figure: the same layout with positions labelled s instead of r, and the rest labelled F]

and so on

Modeling structure attacks 7 / 18
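Added example (not part of the original slides): it builds one structure as x ⊕ span(Δ0) on a constructed 16-bit toy state, checks that the non-active bits stay fixed while the active bits take all values, and counts the pairs whose input difference lies in Δ0. The values `X` and `DELTA0` and all function names are constructed for illustration.

```python
def span(diffs):
    """GF(2) linear span of a set of XOR differences."""
    s = {0}
    for d in diffs:
        if d not in s:                 # d is independent of what is spanned so far
            s |= {v ^ d for v in s}    # doubling step: add the coset s ^ d
    return s

def structure(x, diffs):
    """All texts x ^ v with v in span(diffs): one structure."""
    return {x ^ v for v in span(diffs)}

def active_mask(diffs):
    """Bit positions touched by at least one input difference."""
    mask = 0
    for d in diffs:
        mask |= d
    return mask

def pairs_with_difference_in(texts, diffs):
    """Number of unordered pairs {p, p'} of texts with p ^ p' in diffs."""
    return sum(1 for d in set(diffs) for p in texts
               if (p ^ d) in texts and p < (p ^ d))

def describe(x, diffs):
    texts = structure(x, diffs)
    mask = active_mask(diffs)
    return {
        "Np": bin(mask).count("1"),                          # active bits
        "texts": len(texts),                                 # size of the structure
        "fixed_patterns": len({p & ~mask for p in texts}),   # values on non-active bits
        "active_patterns": len({p & mask for p in texts}),   # values on active bits
        "pairs": pairs_with_difference_in(texts, diffs),
    }

# Constructed sample: base text and six input differences on bits 0, 1, 4, 5.
X = 0xBEEF
DELTA0 = [0x0001, 0x0002, 0x0010, 0x0020, 0x0011, 0x0033]

if __name__ == "__main__":
    for key, value in describe(X, DELTA0).items():
        print(f"{key:16s} {value}")
```

The 16 texts of this structure contain 48 pairs with a difference in Δ0, i.e. |Δ0| · 2^(Np−1), while collecting the same pairs one at a time would need 96 texts.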

slide-18
SLIDE 18

Anatomy of a structure attack

[Figure: three S-box layers of an SPN, annotated "R rounds" and "r rounds"]

  1. For each of the $N_{st}$ structures:
     (a) Insert ciphertexts into hash table indexed by $N_c$
     (b) For each entry: Check if input difference matches $\Delta_0$
     (c) If yes: For each pair, filter by output difference in active S-boxes in round $R$
     (d) If pair survives filter: Guess $n_k$ subkey bits, decrypt to round $r$, maintain counters.
  2. Search through the $\ell$ best key candidates, find master key.

Modeling structure attacks 8 / 18

slide-24
SLIDE 24

The time complexity of a structure attack

  1. For each of the $N_{st}$ structures:
     (a) Insert ciphertexts into hash table indexed by $N_c$: $T_a = 2^{N_{st}+N_p}$
     (b) For each entry: Check if input difference matches $\Delta_0$: $T_b = 2^{N_{st}+2N_p-N_c}$
     (c) If yes: For each pair, filter by output difference in active S-boxes in round $R$: $T_c = |\Delta_0| \cdot 2^{N_{st}+N_p-N_c}$
     (d) If pair survives filter: Guess $n_k$ subkey bits, decrypt to round $r$, maintain counters: $T_d \approx |\Delta_0| \cdot 2^{N_{st}+N_p-N_c}$
  2. Search through the $\ell$ best key candidates, find master key: $T_2 = \ell \cdot 2^{k-n_k}$

Modeling structure attacks 9 / 18

slide-29
SLIDE 29

Using the model as guidance

Dominating term depends on relation between $N_p$ and $N_c$:

$$T_a + T_b + T_c + T_d + T_2 \simeq \begin{cases} T_a + T_2 & \text{if } N_p < N_c, \\ T_b + T_2 & \text{if } N_p > N_c, \\ 2T_a + T_2 & \text{if } N_p = N_c. \end{cases}$$

$T_a = 2^{N_{st}+N_p}$, $T_b = 2^{N_{st}+2N_p-N_c}$, $T_2 = \ell \cdot 2^{k-n_k}$

Implications

◮ If many differentials have probability close to $2^{-m}$ (requires large $\ell$ and hence $T_2$): Increase $N_p$, use more differentials
◮ If probabilities $\gg 2^{-m}$ (hence small $\ell$ and $T_2$): Take $N_p = N_c$

Success probability: use model of FSE’11 without restrictive condition.

Modeling structure attacks 10 / 18

slide-34
SLIDE 34

On the ratio of weak keys for structure attacks

Differential probabilities vary over the keys: Implications?

Daemen and Rijmen 2006: Fixed-key cardinality of a (single) differential follows a Poisson distribution.

⇒ Theorem: Characterisation of the weak key ratio

Consider differentials $\Delta_0^i \to \Delta_r$ with probability $p_i$, $1 \le i \le |\Delta_0|$. Then only a ratio of

$$r_w \stackrel{\text{def}}{=} 1 - \sum_{x=0}^{\mu-1} \mathrm{Poisson}\Bigl(x,\; 2^{m-1} \sum_{j=1}^{|\Delta_0|} p_j\Bigr)$$

“weak” keys produces $\mu$ right pairs or more.

Modeling structure attacks 11 / 18

slide-37
SLIDE 37

Applying the structure attack

PRESENT

◮ 64-bit SPN block cipher with 80-bit key
◮ By Bogdanov et al (CHES 2007), now ISO standard
◮ Best attack: [Cho 2010], Multidimensional linear, 26 rounds
◮ Best differential attack: [Blondeau and Gérard 2011], multiple differential, 18 rounds (+ minor corrections)

Attacking PRESENT and Serpent 12 / 18

slide-38
SLIDE 38

Attacking PRESENT: Differential pattern propagation

Focus on trails with two active S-boxes per round

[Figure: differential pattern propagation through three S-box layers of PRESENT, with S-box groups labelled G=0 to G=3]

Attacking PRESENT and Serpent 13 / 18

slide-39
SLIDE 39

Applying the structure attack to 18-round PRESENT

Parameters

◮ $|\Delta_0| = 36$ 16-round differentials
◮ $2^{24}$ structures, $N_p = 40$, $N_c = 32$
◮ key candidate list size $\ell = 2^{36}$

Complexities

◮ Time $2^{76}$, data $2^{64}$
◮ Success probability 86%
◮ Weak key ratio 57%

Attacking PRESENT and Serpent 14 / 18

slide-41
SLIDE 41

Comparison to multiple differential attacks on PRESENT

Best previous differential attack: 18 rounds, revised multiple differential attack of Blondeau and Gérard, eprint 2011/115

Multiple differential       Structure attack
$\ell$      $P_S$           $\ell$      $P_S$     data        time
$2^{38}$    65.27%          $2^{36}$    85.94%    $2^{64}$    $2^{76}$
$2^{39}$    79.68%          $2^{37}$    92.30%    $2^{64}$    $2^{77}$
$2^{41}$    94.62%          $2^{39}$    98.36%    $2^{64}$    $2^{79}$

Attacking PRESENT and Serpent 15 / 18
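Added example (not part of the original slides): the time-complexity model from the earlier slides, evaluated in log2 on the 18-round PRESENT parameters and the three list sizes ℓ of the structure-attack columns above. The number of guessed subkey bits n_k is not given on the slides; `N_K = 40` is an assumption chosen here because it reproduces the stated time figures, and all function names are hypothetical.

```python
import math

def log2_sum(exponents):
    """log2 of a sum of powers of two, without overflowing floats."""
    hi = max(exponents)
    return hi + math.log2(sum(2.0 ** (e - hi) for e in exponents))

def step_costs(n_st, n_p, n_c, n_delta0, log2_ell, k, n_k):
    """log2 of T_a, T_b, T_c, T_d and T_2 as written on the slides."""
    log2_d = math.log2(n_delta0)
    return {
        "Ta": n_st + n_p,                   # insert ciphertexts into hash table
        "Tb": n_st + 2 * n_p - n_c,         # check input differences per entry
        "Tc": log2_d + n_st + n_p - n_c,    # filter on output difference
        "Td": log2_d + n_st + n_p - n_c,    # subkey guessing for surviving pairs
        "T2": log2_ell + k - n_k,           # search the ell best candidates
    }

def total_time(costs):
    """log2 of T_a + T_b + T_c + T_d + T_2."""
    return log2_sum(list(costs.values()))

def dominating_term(costs):
    return max(costs, key=costs.get)

def approx_time(costs, n_p, n_c):
    """Three-case approximation from the 'Using the model as guidance' slide."""
    if n_p < n_c:
        terms = [costs["Ta"], costs["T2"]]
    elif n_p > n_c:
        terms = [costs["Tb"], costs["T2"]]
    else:
        terms = [costs["Ta"] + 1, costs["T2"]]   # 2 * T_a
    return log2_sum(terms)

# Parameters from the 18-round PRESENT slide; n_k is NOT on the slides.
PRESENT = dict(n_st=24, n_p=40, n_c=32, n_delta0=36, k=80)
N_K = 40  # ASSUMPTION, see lead-in

def present_row(log2_ell):
    costs = step_costs(log2_ell=log2_ell, n_k=N_K, **PRESENT)
    return {
        "data": PRESENT["n_st"] + PRESENT["n_p"],   # structures x texts per structure
        "time": total_time(costs),
        "approx": approx_time(costs, PRESENT["n_p"], PRESENT["n_c"]),
        "dominant": dominating_term(costs),
    }

if __name__ == "__main__":
    for log2_ell in (36, 37, 39):
        row = present_row(log2_ell)
        print(f"ell=2^{log2_ell}: data=2^{row['data']} "
              f"time=2^{row['time']:.2f} approx=2^{row['approx']:.2f} "
              f"dominant={row['dominant']}")
```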

slide-42
SLIDE 42

Second example: Serpent

Serpent

◮ 128-bit block cipher, 128 to 256-bit key
◮ By Anderson et al (1998), AES finalist
◮ Best attack: Differential-linear attack on 12 rounds, Dunkelman et al 2008

Differential attacks

            Biham et al (2001)       Structure attack
rounds      time         data        time         data
7           $2^{85}$     $2^{84}$    $2^{75}$     $2^{71}$
8           $2^{213}$    $2^{84}$    $2^{203}$    $2^{71}$

Attacking PRESENT and Serpent 16 / 18

slide-44
SLIDE 44

Conclusions and outlook

Summary

◮ We propose a complete model for the analysis of structure attacks
◮ This leads to an explicit characterisation of the ratio of weak keys
◮ Structure attacks provide the currently best differential attacks on PRESENT and Serpent.

Future work

◮ More study is needed on the necessity of the restrictive condition in the model of FSE’11
◮ Applying structure attacks to other ciphers

Conclusions and outlook 17 / 18

slide-46
SLIDE 46

The End

Thank you for your attention!

18 / 18