Another view of the division property Christina Boura and Anne - - PowerPoint PPT Presentation



SLIDE 1

Another view of the division property

Christina Boura and Anne Canteaut
Université de Versailles-St Quentin, France; Inria Paris, France
Dagstuhl seminar, January 2016

SLIDE 2

Motivation

$E_K$: block cipher with block size $n$.

Choose a set of inputs $X \subseteq \mathbb{F}_2^n$.

Aim: find a distinguishing property of $\{E_K(x),\ x \in X\}$ valid for all $K$.

At Eurocrypt 2015, Yosuke Todo introduced the division property as a generalization of integral and higher-order differential distinguishers.

SLIDE 3

Outline

  • Characterizing a set by its parity-set
  • Propagation of a parity-set through a block cipher
  • Application to Present

SLIDE 4

Monomials of $n$ variables

For $x$ and $u$ in $\mathbb{F}_2^n$,

$$x^u = \prod_{i=1}^{n} x_i^{u_i}$$

Example: For $u = (0101)$,

$$x^u = x_4^0\, x_3^1\, x_2^0\, x_1^1 = x_3 x_1$$

Evaluation at point $x = (0011)$:

$$0^0\, 0^1\, 1^0\, 1^1 = 1 \cdot 0 \cdot 1 \cdot 1 = 0$$

Evaluation of a monomial:

$x^u = 1$ if and only if $u \preceq x$, i.e., $u_i \le x_i$ for all $1 \le i \le n$.

SLIDE 5

Parity set of a set

Definition. Let $X \subseteq \mathbb{F}_2^n$. Its parity set is

$$\mathcal{U}(X) = \Big\{ u \in \mathbb{F}_2^n : \bigoplus_{x \in X} x^u = 1 \Big\}$$

Example: $X = \{000, 010, 011\}$

$\mathcal{U}(\{000\}) = \{000\}$
$\mathcal{U}(\{010\}) = \{000, 010\}$
$\mathcal{U}(\{011\}) = \{000, 010, 001, 011\}$

Then

$$\mathcal{U}(X) = \{000, 001, 011\}$$
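The monomial evaluation of slide 4 and the parity-set definition of slide 5, as an added example that is not part of the slides: $x^u$ is computed as the bit test $u \preceq x$, and $\mathcal{U}(X)$ is obtained by exhaustive search over the $2^n$ exponents, reproducing the worked example $X = \{000, 010, 011\}$. Bit strings are read most significant bit first, as on the slides.

```python
# Added example (not from the slides): brute-force evaluation of monomials x^u
# and of the parity set U(X), reproducing the worked example X = {000, 010, 011}.


def monomial(x: int, u: int) -> int:
    """x^u = prod_i x_i^{u_i} over F_2: equals 1 iff u ⪯ x, i.e. every bit of u is set in x."""
    return 1 if (x & u) == u else 0


def parity_set(X, n: int) -> set:
    """U(X) = { u in F_2^n : XOR over x in X of x^u == 1 }, by exhaustive search over u."""
    U = set()
    for u in range(1 << n):
        acc = 0
        for x in X:
            acc ^= monomial(x, u)
        if acc:
            U.add(u)
    return U


def to_bits(v: int, n: int) -> str:
    """Render an exponent or point as an n-bit string, most significant bit first (slide notation)."""
    return format(v, f"0{n}b")


def parity_set_of_strings(points, n: int) -> set:
    """Same as parity_set, but reading and writing elements as bit strings like '010'."""
    X = [int(s, 2) for s in points]
    return {to_bits(u, n) for u in parity_set(X, n)}


if __name__ == "__main__":
    # Slide 4: x^u for u = 0101 evaluated at x = 0011 is 0, because u is not ⪯ x.
    print(monomial(int("0011", 2), int("0101", 2)))
    # Slide 5: the three singletons, then the whole set X = {000, 010, 011}.
    for s in ["000", "010", "011"]:
        print(s, sorted(parity_set_of_strings([s], 3)))
    print(sorted(parity_set_of_strings(["000", "010", "011"], 3)))
```

The parity set of the union is the symmetric difference of the singleton parity sets, which is why 010 (present in two singletons) drops out while 000 (present in all three) survives.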

SLIDE 6

Correspondence between a set and its parity-set

Incidence vector of a set $X \subseteq \mathbb{F}_2^n$: $v_X$, the vector of length $2^n$ having a 1 at all positions $x \in X$.

Proposition.

$$G v_X = v_{\mathcal{U}(X)}$$

where $G$ is the binary square matrix such that

$$G_{a,b} = b^a$$

or equivalently, $G_{a,b} = 1$ if and only if $a \preceq b$.

SLIDE 7

Matrix $G$ for $n = 3$

$$G v_X = v_{\mathcal{U}(X)}$$

Rows are indexed by $a$, columns by $b$, and the entry is $b^a$:

$$G = \begin{pmatrix}
0^0 & 1^0 & 2^0 & 3^0 & 4^0 & 5^0 & 6^0 & 7^0 \\
0^1 & 1^1 & 2^1 & 3^1 & 4^1 & 5^1 & 6^1 & 7^1 \\
0^2 & 1^2 & 2^2 & 3^2 & 4^2 & 5^2 & 6^2 & 7^2 \\
0^3 & 1^3 & 2^3 & 3^3 & 4^3 & 5^3 & 6^3 & 7^3 \\
0^4 & 1^4 & 2^4 & 3^4 & 4^4 & 5^4 & 6^4 & 7^4 \\
0^5 & 1^5 & 2^5 & 3^5 & 4^5 & 5^5 & 6^5 & 7^5 \\
0^6 & 1^6 & 2^6 & 3^6 & 4^6 & 5^6 & 6^6 & 7^6 \\
0^7 & 1^7 & 2^7 & 3^7 & 4^7 & 5^7 & 6^7 & 7^7
\end{pmatrix}$$

SLIDE 8

Matrix $G$ for $n = 3$

$$G v_X = v_{\mathcal{U}(X)}$$

$$G = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 \\
0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{pmatrix}$$

Definition. The Reed-Muller code of length $2^n$ and order $r$, $RM(r, n)$, is the set of all $(f(x),\ x \in \mathbb{F}_2^n)$ with $\deg f \le r$.

⇒ $G$: generator matrix of $RM(n, n)$

SLIDE 9

Unicity of the parity set

$G v_X = v_{\mathcal{U}(X)}$, and $G$ has full rank with $G^{-1} = G$.

Theorem. For any $U \subseteq \mathbb{F}_2^n$, there exists a unique $X \subseteq \mathbb{F}_2^n$ such that

$$U = \mathcal{U}(X)$$

Examples:

  • $\mathcal{U}(X) = \emptyset$ if and only if $X = \emptyset$.
  • $\mathcal{U}(X) = \{u : u \preceq x\}$ if and only if $X = \{x\}$.
  • $\mathcal{U}(X) = \{u\}$ if and only if $X$ is the subspace of dimension $\mathrm{wt}(u)$ defined by $X = \{x : x \preceq u\}$.
  • $\mathcal{U}(X) = \{1111\}$ if and only if $X = \mathbb{F}_2^n$.
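The matrix $G$ of slides 6 to 9 built explicitly, as an added example that is not part of the slides: $G_{a,b} = [a \preceq b]$ over $\mathbb{F}_2$, the parity set is read off from $G v_X$, the involution $G^2 = I$ is checked, and the unique $X$ with a given parity set is recovered as $v_X = G v_U$, which reproduces the four examples of the theorem. Plain Python lists are used so that the arithmetic over $\mathbb{F}_2$ is visible.

```python
# Added example (not from the slides): the matrix G with G_{a,b} = 1 iff a ⪯ b, computed over
# F_2 with plain Python lists; verifies G v_X = v_U(X), G^2 = I, and the examples of the theorem.


def preceq(a: int, b: int) -> bool:
    """a ⪯ b: every bit set in a is set in b."""
    return (a & b) == a


def build_G(n: int):
    """2^n x 2^n binary matrix, rows indexed by a, columns by b, entry b^a = [a ⪯ b]."""
    size = 1 << n
    return [[1 if preceq(a, b) else 0 for b in range(size)] for a in range(size)]


def mat_vec(M, v):
    """Matrix-vector product over F_2 (AND, then XOR via the parity of the sum)."""
    return [sum(m & x for m, x in zip(row, v)) & 1 for row in M]


def mat_mul(A, B):
    """Matrix product over F_2."""
    size = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(size)) & 1 for j in range(size)]
            for i in range(size)]


def incidence_vector(X, n: int):
    """v_X: length 2^n, a 1 at every position x in X."""
    v = [0] * (1 << n)
    for x in X:
        v[x] = 1
    return v


def support(v):
    """Positions of the 1s in a vector; inverse of incidence_vector."""
    return {i for i, bit in enumerate(v) if bit}


def parity_set_via_G(X, n: int) -> set:
    """U(X) read off from v_U(X) = G v_X (proposition of slide 6)."""
    return support(mat_vec(build_G(n), incidence_vector(X, n)))


def set_from_parity_set(U, n: int) -> set:
    """The unique X with U(X) = U: since G^{-1} = G, v_X = G v_U (theorem of slide 9)."""
    return support(mat_vec(build_G(n), incidence_vector(U, n)))


def G_is_involution(n: int) -> bool:
    """Check G * G = I over F_2."""
    G = build_G(n)
    size = 1 << n
    identity = [[1 if i == j else 0 for j in range(size)] for i in range(size)]
    return mat_mul(G, G) == identity


if __name__ == "__main__":
    for row in build_G(3):                       # the 8x8 matrix of slide 8
        print(" ".join(map(str, row)))
    print(sorted(parity_set_via_G({0b000, 0b010, 0b011}, 3)))   # {000, 001, 011} from slide 5
    print(G_is_involution(3), G_is_involution(4))
    print(sorted(set_from_parity_set({0b101}, 3)))   # the subspace {x : x ⪯ 101}
```

Recovering $X$ from $U$ uses the same matrix as the forward direction, which is exactly what $G^{-1} = G$ means; the last example of the theorem, $\mathcal{U}(X) = \{u\}$, comes out as the subspace $\{x : x \preceq u\}$ because the $a$-th entry of $G v_{\{u\}}$ is $[a \preceq u]$.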

SLIDE 10

Division property [Todo 15]

Definition. $X \subseteq \mathbb{F}_2^n$ fulfills the division property $\mathcal{D}^n_k$, where $0 \le k \le n$, if

$$\mathcal{U}(X) \subseteq \{u \in \mathbb{F}_2^n : \mathrm{wt}(u) \ge k\}$$

The rows of $G$ defined by the exponents $u$ with $\mathrm{wt}(u) < k$ form a generator matrix of the Reed-Muller code of order $(k - 1)$.

Corollary. $X \subseteq \mathbb{F}_2^n$ fulfills the division property $\mathcal{D}^n_k$ if and only if its incidence vector belongs to $RM(k - 1, n)^\perp = RM(n - k, n)$.

SLIDE 11

Some direct consequences

Corollary. [Sun et al. 15] If $X$ fulfills $\mathcal{D}^n_k$, then $|X| \ge 2^k$. Equality holds if and only if $X$ is an affine subspace of dimension $k$.

Some specific cases:

  • $X$ fulfills $\mathcal{D}^n_1$: $|X|$ is even.
  • $X$ fulfills $\mathcal{D}^n_2$: $\bigoplus_{x \in X} x = 0$ [BALANCED]
  • $X$ fulfills $\mathcal{D}^n_n$: $\mathcal{U}(X) = \{1\ldots1\} \Leftrightarrow X = \mathbb{F}_2^n$ [ALL]
  • $X$ fulfills $\mathcal{D}^n_{n-1}$: $v_X \in RM(1, n)$, or equivalently $X$ is an (affine) hyperplane.
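The division property of slides 10 and 11 computed from the parity set, as an added example that is not part of the slides: the largest $k$ such that $X$ fulfills $\mathcal{D}^n_k$ is the minimum weight over $\mathcal{U}(X)$, and the listed consequences (the bound $|X| \ge 2^k$ of Sun et al., the BALANCED and ALL cases, the hyperplane case) are checked on a few constructed sets in $\mathbb{F}_2^4$, including a balanced 8-element set that is not affine and therefore has $|X| > 2^k$.

```python
# Added example (not from the slides): the largest k such that X fulfils D^n_k is the minimum
# weight over U(X); the functions below compute it and check the stated consequences.


def weight(v: int) -> int:
    return bin(v).count("1")


def parity_set(X, n: int) -> set:
    """U(X) = { u : XOR over x in X of x^u == 1 }, with x^u = [u ⪯ x]."""
    return {u for u in range(1 << n) if sum(1 for x in X if (x & u) == u) & 1}


def division_order(X, n: int) -> int:
    """Largest k with U(X) ⊆ { u : wt(u) >= k }. The empty set fulfils every D^n_k, so n is returned."""
    return min((weight(u) for u in parity_set(X, n)), default=n)


def fulfils(X, n: int, k: int) -> bool:
    """X fulfils D^n_k, straight from the definition of slide 10."""
    return all(weight(u) >= k for u in parity_set(X, n))


def sun_bound_holds(X, n: int) -> bool:
    """[Sun et al. 15]: D^n_k implies |X| >= 2^k."""
    return len(X) >= 1 << division_order(X, n)


def is_balanced(X) -> bool:
    """|X| even and XOR of all elements 0: the D^n_2 case of slide 11."""
    acc = 0
    for x in X:
        acc ^= x
    return acc == 0 and len(X) % 2 == 0


def affine_subspace(base: int, generators, n: int) -> set:
    """base + span(generators) over F_2 (constructed helper for the examples)."""
    span = {0}
    for g in generators:
        span |= {s ^ g for s in span}
    return {base ^ s for s in span}


if __name__ == "__main__":
    n = 4
    examples = {
        "all": set(range(1 << n)),                               # ALL: order n
        "hyperplane": {x for x in range(1 << n) if x & 1 == 0},  # order n-1
        "plane": affine_subspace(0b0000, [0b0011, 0b0101], n),   # dimension 2: order 2, |X| = 4
        "not_affine": {2, 3, 4, 5, 6, 7, 8, 9},                  # balanced, 8 elements, order 2
        "odd": {0, 1, 2},                                        # |X| odd: order 0
    }
    for name, X in examples.items():
        print(name, len(X), division_order(X, n), is_balanced(X), sun_bound_holds(X, n))
```

For the 8-element set the order is 2 while $2^2 = 4 < 8$, which is the strict case of the corollary: equality $|X| = 2^k$ only occurs for the affine subspaces, as with the 4-element plane.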

SLIDE 12

Propagation of a parity set through a block cipher

SLIDE 13

Determining $\mathcal{U}(S(X))$ from $\mathcal{U}(X)$

$$v \in \mathcal{U}(S(X)) \Leftrightarrow \bigoplus_{x \in X} S^v(x) = 1$$

implies that the ANF of $S^v(x)$ contains some $x^u$ with $u \in \mathcal{U}(X)$.

Proposition. Let

$$V_S(u) = \{v \in \mathbb{F}_2^n : S^v(x) \text{ contains } x^u\}$$

Then,

$$\mathcal{U}(S(X)) \subseteq \bigcup_{u \in \mathcal{U}(X)} V_S(u)$$

SLIDE 14

$V_S(u)$ for the Present Sbox

[Table of $V_S(u)$ for the Present Sbox: rows indexed by $u$, columns by $v$, both ordered 1 2 4 8 3 5 9 6 a c 7 b d e f (hexadecimal, by increasing weight); an x marks $v \in V_S(u)$.]

SLIDE 15

Computing $V_S(u)$ from the inverse Sbox

Theorem. Let $S^* : x \mapsto \overline{S^{-1}(\bar{x})}$. Then, $S(x)^v$ contains $x^u$ if and only if $S^*(x)^{\bar{u}}$ contains $x^{\bar{v}}$.

$$\Rightarrow\ V_S(u) = \{v : [S^*(x)]^{\bar{u}} \text{ contains } x^{\bar{v}}\}$$

Example: The 1st coordinate of $S^*$ is

$$1 + x_1 + x_2 + x_3 + x_4 + x_2 x_4 \ \Rightarrow\ V_S(1110) = \{0101, 0111, 1011, 1101, 1110, 1111\}$$

SLIDE 16

Propagation through key addition

$$(x \oplus k)^v = \bigoplus_{u \preceq v} x^u\, k^{v \oplus u}$$

Then,

$$\mathcal{U}(AddK(X)) \subseteq \bigcup_{u \in \mathcal{U}(X)} \{v \in \mathbb{F}_2^n : v \succeq u\}$$
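The propagation rules of slides 13, 15 and 16 carried out on the Present Sbox, as an added example that is not part of the slides: $V_S(u)$ is computed directly from the ANF of every product $S^v$ (Möbius transform), then again through $S^*(x) = \overline{S^{-1}(\bar{x})}$ as in the theorem of slide 15, and the two agree for every $u$; the 1st coordinate of $S^*$ comes out as $1 + x_1 + x_2 + x_3 + x_4 + x_2 x_4$ and $V_S(1110)$ as the six values on the slide. The Sbox table is the one from the PRESENT specification (not on the slides); the sample set $X$ and key $k$ used to check the bounds $\mathcal{U}(S(X)) \subseteq \bigcup V_S(u)$ and $\mathcal{U}(X \oplus k) \subseteq \bigcup \{v \succeq u\}$ are constructed here. Bits are numbered from $x_1$ (least significant) to $x_4$, and 4-bit strings are read most significant bit first.

```python
# Added example (not from the slides): V_S(u) for the PRESENT Sbox computed two ways, the
# theorem of slide 15 with S*(x) = ~S^{-1}(~x), and the propagation bounds of slides 13 and 16
# checked against the true parity sets of a small constructed set X.

N = 4                                   # Sbox width in bits
MASK = (1 << N) - 1
# The PRESENT Sbox, x -> S(x), as given in the PRESENT specification (not on the slides)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def preceq(a: int, b: int) -> bool:
    """a ⪯ b: every bit of a is set in b."""
    return (a & b) == a


def anf_monomials(f) -> set:
    """Exponents u with coefficient 1 in the ANF of the Boolean function f (a truth table over
    F_2^N): Moebius transform, a_u = XOR over x ⪯ u of f(x)."""
    return {u for u in range(1 << N) if sum(f[x] for x in range(1 << N) if preceq(x, u)) & 1}


def power_table(table, v: int) -> list:
    """Truth table of x -> table(x)^v, the product of the coordinates of table selected by v."""
    return [1 if preceq(v, table[x]) else 0 for x in range(1 << N)]


def V_S_direct(sbox, u: int) -> set:
    """V_S(u) = { v : S^v(x) contains x^u } (slide 13), from the ANF of every product S^v."""
    return {v for v in range(1 << N) if u in anf_monomials(power_table(sbox, v))}


def s_star(sbox) -> list:
    """S*(x) = complement(S^{-1}(complement(x)))."""
    inverse = [0] * (1 << N)
    for x, y in enumerate(sbox):
        inverse[y] = x
    return [inverse[x ^ MASK] ^ MASK for x in range(1 << N)]


def V_S_via_inverse(sbox, u: int) -> set:
    """V_S(u) = { v : (S*)^{~u} contains x^{~v} } (theorem of slide 15)."""
    return {w ^ MASK for w in anf_monomials(power_table(s_star(sbox), u ^ MASK))}


def theorem_holds(sbox) -> bool:
    """Both computations of V_S(u) agree for every exponent u."""
    return all(V_S_direct(sbox, u) == V_S_via_inverse(sbox, u) for u in range(1 << N))


def first_coordinate_of_s_star(sbox) -> set:
    """Monomials of (S*)^{0001}, the 1st coordinate of S* (the example of slide 15)."""
    return anf_monomials(power_table(s_star(sbox), 0b0001))


def parity_set(X) -> set:
    return {u for u in range(1 << N) if sum(1 for x in X if preceq(u, x)) & 1}


def propagate(U, rule) -> set:
    """Upper bound on the output parity set: the union of rule(u) over the input parity set."""
    out = set()
    for u in U:
        out |= rule(u)
    return out


def key_add_rule(u: int) -> set:
    """Slide 16: after x -> x ⊕ k, the monomial x^u can only feed exponents v ⪰ u."""
    return {v for v in range(1 << N) if preceq(u, v)}


def bounds_are_sound(X, sbox, k: int) -> bool:
    """U(S(X)) ⊆ ∪ V_S(u) and U(X ⊕ k) ⊆ ∪ {v ⪰ u}, both unions over u in U(X)."""
    U = parity_set(X)
    after_sbox = parity_set([sbox[x] for x in X]) <= propagate(U, lambda u: V_S_direct(sbox, u))
    after_key = parity_set([x ^ k for x in X]) <= propagate(U, key_add_rule)
    return after_sbox and after_key


if __name__ == "__main__":
    print(sorted(f"{v:04b}" for v in V_S_direct(PRESENT_SBOX, 0b1110)))
    print(sorted(first_coordinate_of_s_star(PRESENT_SBOX)))   # exponents of 1, x1, x2, x3, x4, x2x4
    print(theorem_holds(PRESENT_SBOX))
    X = {0b0000, 0b0011, 0b0101, 0b0110, 0b1001}               # constructed sample set
    print(bounds_are_sound(X, PRESENT_SBOX, 0b1010))           # constructed sample key
```

The complements in the theorem are what make the slide's example work: $\bar{u} = 0001$ selects the 1st coordinate of $S^*$, and complementing its six monomial exponents $\{0000, 0001, 0010, 0100, 1000, 1010\}$ gives exactly $\{1111, 1110, 1101, 1011, 0111, 0101\}$.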

SLIDE 17

Application to Present

SLIDE 18

Division distinguisher on a 3-round SPN with 4-bit Sboxes [Todo 15]

Integral attack:

X = C C C C C C C C C C C C C A A A

  • invariant under the key addition and the first Sbox layer
  • Let $F$ = first linear layer + rounds 2 and 3.

Since $\deg F \le 9$ and $\dim X = 12$, $E_K(X)$ is balanced.

SLIDE 19

Division distinguisher on a 3-round SPN with 4-bit Sboxes [Todo 15]

X = C C C C C C C C C C C C C A A A

In terms of parity sets:

$X = \alpha + V$ where $V = \{x : x \preceq \mathtt{0000000000000fff}\}$ ⇒ $\mathcal{U}(X) \subseteq \{u : u \succeq \mathtt{0000000000000fff}\}$

  • For each Sbox, $V_S(\mathtt{f}) = \{v : S^v(x) \text{ contains } x^{\mathtt{f}}\} = \{\mathtt{f}\}$.

After the first Sbox layer, $\mathcal{U} \subseteq \{u : u \succeq \mathtt{0000000000000fff}\}$.

  • After $F$ with $\deg F \le 9$:

$$\mathcal{U}(E_K(X)) \subseteq \bigcup_{u \in \mathcal{U}} V_F(u)$$

But $V_F(u) = \{v : F^v(x) \text{ contains } x^u\}$ contains no $v$ with $\mathrm{wt}(v) \le 1$ when $\mathrm{wt}(u) \ge 12$.

⇒ $\mathcal{U}(E_K(X)) \subseteq \{v : \mathrm{wt}(v) \ge 2\}$

SLIDE 20

Division distinguisher on 4 rounds exploiting the linear layer

X = C C C C C C C C C C C C A A A C

$\mathcal{U}(X) = \{u : u \succeq \mathtt{000000000000fff0}\}$

  • invariant under the 1st Sbox layer
  • After the 1st linear layer: $\mathcal{U} = \{u : u \succeq \mathtt{000e000e000e000e}\}$ → 4 active superboxes
  • After the 3rd Sbox layer: $\mathcal{U} \subseteq \{u : \mathrm{wt}(u) \ge 4\}$
  • After the 3rd linear layer: $\mathcal{U} \subseteq \{u \text{ with} \ge 2 \text{ active nibbles}\} \cup \{\mathtt{00\ldots0f}, \ldots, \mathtt{f00\ldots0}\}$
  • invariant under the 4th Sbox layer

⇒ $\mathcal{U}(E_K(X)) \subseteq \{v : \mathrm{wt}(v) \ge 2\}$
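The two distinguishers of slides 18 to 20 run on an actual implementation of the PRESENT round function, as an added example that is not part of the slides: the Sbox table and the bit permutation ($i \mapsto 16 i \bmod 63$, bit 63 fixed) are those of the PRESENT specification, independent random round keys stand in for the key schedule (the statements hold for all $K$, so this is the stronger setting), and the constant nibbles $\alpha$ are drawn at random. $\mathcal{U}(E_K(X)) \subseteq \{v : \mathrm{wt}(v) \ge 2\}$ means that no output bit, i.e. no $v$ of weight 1, is in the parity set, which is the same as the XOR of all $E_K(x)$ over $X$ being zero; that sum is what the code returns, for 3 rounds with nibbles 0, 1, 2 active and for 4 rounds with nibbles 1, 2, 3 active.

```python
# Added example (not from the slides): the PRESENT distinguishers of slides 18-20 run on the
# PRESENT round function (Sbox, bit permutation) with independent random round keys standing
# in for the key schedule; the constant nibbles alpha are drawn at random.
import random

# Sbox and pLayer as in the PRESENT specification (not on the slides)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK64 = (1 << 64) - 1


def p_position(i: int) -> int:
    """PRESENT pLayer: bit i moves to position 16*i mod 63, bit 63 stays in place."""
    return 63 if i == 63 else (16 * i) % 63


# For every nibble index and nibble value, the 64-bit image of those four bits under the pLayer.
P_TABLES = [[sum(1 << p_position(4 * i + j) for j in range(4) if (v >> j) & 1) for v in range(16)]
            for i in range(16)]


def sbox_layer(state: int) -> int:
    out = 0
    for i in range(16):
        out |= PRESENT_SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def p_layer(state: int) -> int:
    out = 0
    for i in range(16):
        out |= P_TABLES[i][(state >> (4 * i)) & 0xF]
    return out


def encrypt(x: int, round_keys) -> int:
    """One round per round key: addRoundKey, sBoxLayer, pLayer."""
    for k in round_keys:
        x = p_layer(sbox_layer(x ^ k))
    return x


def all_below(mask: int) -> list:
    """V = { x : x ⪯ mask }: all 2^wt(mask) values on the active bits, zero elsewhere."""
    values = [0]
    for i in range(64):
        if (mask >> i) & 1:
            values += [x | (1 << i) for x in values]
    return values


def xor_sum_after(rounds: int, active_mask: int, seed: int = 1) -> int:
    """XOR of E_K(x) over X = alpha + V for random alpha (on the constant bits) and random round
    keys. Zero means every output bit is balanced over X, i.e. U(E_K(X)) has no exponent of
    weight 1."""
    rng = random.Random(seed)
    round_keys = [rng.getrandbits(64) for _ in range(rounds)]
    alpha = rng.getrandbits(64) & ~active_mask & MASK64      # the C nibbles of the slides
    acc = 0
    for x in all_below(active_mask):
        acc ^= encrypt(alpha | x, round_keys)
    return acc


if __name__ == "__main__":
    # Slides 18/19: nibbles 0, 1, 2 active (C...CAAA), 3 rounds.
    print(hex(xor_sum_after(3, 0x0000000000000FFF)))
    # Slide 20: nibbles 1, 2, 3 active (C...CAAAC), 4 rounds.
    print(hex(xor_sum_after(4, 0x000000000000FFF0)))
```

Moving the active nibbles from positions 0, 1, 2 to positions 1, 2, 3 is what places the twelve active bits in four different superboxes after the first pLayer (one 3-bit nibble in each), which is the structure slide 20 exploits to gain the fourth round with the same $2^{12}$ texts.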

SLIDE 21

Does not work on 5 rounds

Trail of a $u \in \mathcal{U}$ through the layers (active nibbles, in hexadecimal):

  • $u \in \mathcal{U}$: f f f
  • after 1st S-layer: f f f
  • after 1st P-layer: e e e e
  • after 2nd S-layer: 2 1 1 1
  • after 2nd P-layer: 1 1 1 1
  • after 3rd S-layer: 1 1 1 1
  • after 3rd P-layer: 8 7
  • after 4th S-layer: 2 8
  • after 4th P-layer: 3
  • after 5th S-layer: 1

SLIDE 22

Conclusions

The notion of parity set enables us to capture more situations than the division property.

Further improvements. We can use some other properties of the output parity set: for any fixed $u$, the probability that $u \in \mathcal{U}(X)$ is $1/2$.