Block Cipher Cryptanalysis II: Linear Cryptanalysis - PowerPoint PPT Presentation



SLIDE 1

Block Cipher Cryptanalysis II: Linear Cryptanalysis

Andrey Bogdanov
K.U.Leuven, ESAT/COSIC

SLIDE 2

Outline

  • Distribution of Correlation
  • Data Complexity
  • Linear Hulls
  • Zero Correlation Linear Cryptanalysis
  • Related‐Key Linear Cryptanalysis

SLIDE 3

Linear Cryptanalysis: Basics I

  • Action of an n‐bit block cipher on plaintext P:
  • Input and output linear masks:
  • Linear approximation:
  • Probability of linear approximation:
  • Correlation of linear approximation:

SLIDE 4

Linear Cryptanalysis: Basics II

  • Since probability varies from 0 to 1, the correlation varies from ‐1 to 1
  • For probability 1/2, one gets correlation 0
  • Of course, there is much more behind the notion of correlation – correlation matrices [D94]

SLIDE 5

Linear Cryptanalysis: Distribution of Correlation I

  • Fix a non‐trivial approximation
  • Randomly choose an n‐bit permutation
  • What is the probability for to have a particular value? [O94]
  • Normal approximation [DR07]:

SLIDE 6

Linear Cryptanalysis: Distribution of Correlation I

  • Fix an n‐bit permutation
  • What is the probability for to have a particular value? [BT11, work in progress]
  • Normal approximation:
  • The distribution holds already for just a single randomly picked permutation with n=8 (experiments)

SLIDE 7

Linear Cryptanalysis: Distribution of Correlation II

  • Which correlations are in basic linear cryptanalysis exploitable?
    – Very roughly speaking, those with
    – About 68.5% of linear approximations do not fulfill that
  • In basic linear attacks, this has to hold for (at least) a large part of the key space, once the linear approximation is fixed
    – Not the case for a randomly picked block cipher
  • The average proportion of linear approximations with e.g. is still relatively high

SLIDE 8

Linear Cryptanalysis: Distribution of Correlation III

  • Two more observations:
    – Zero is the most frequent single correlation value
    – For a randomly drawn permutation, a non‐trivial linear approximation is unlikely to have correlation significantly deviating from 0
  • For permutations with structure, however, non‐trivial linear approximations with high deviation of correlation might exist for each key
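
The experiment mentioned on the slides (one randomly picked permutation with n=8) can be reproduced as follows. This is an added example, not code from the presentation; the seed, the function names and the use of a fast Walsh-Hadamard transform are assumptions made here.

```python
import random
from collections import Counter

def walsh_column(perm, b, n):
    """W[a] = sum_x (-1)^(a.x ^ b.perm[x]) for every input mask a (fast Walsh-Hadamard)."""
    w = [1 - 2 * (bin(b & perm[x]).count("1") & 1) for x in range(1 << n)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def random_permutation(n, seed):
    """One n-bit permutation drawn with a fixed seed (constructed sample input)."""
    rng = random.Random(seed)
    perm = list(range(1 << n))
    rng.shuffle(perm)
    return perm

def correlation_counts(perm, n):
    """Histogram of W over all non-trivial approximations (a != 0, b != 0); C = W / 2^n."""
    counts = Counter()
    for b in range(1, 1 << n):
        counts.update(walsh_column(perm, b, n)[1:])
    return counts

def summarize(n=8, seed=1):
    """Return the histogram, the number of approximations and the mean of C^2."""
    counts = correlation_counts(random_permutation(n, seed), n)
    total = sum(counts.values())
    mean_sq = sum(c * w * w for w, c in counts.items()) / (total * 4 ** n)
    return counts, total, mean_sq

if __name__ == "__main__":
    counts, total, mean_sq = summarize()
    print("mean C^2 =", mean_sq, " 2^-8 =", 2 ** -8)
    for w in sorted(counts):
        print(f"C = {w / 256:+.5f}  share = {counts[w] / total:.4f}")
```

For any permutation the mean of C^2 over the non-trivial approximations is exactly 1/(2^n - 1), and every correlation is a multiple of 2^(2-n); the printed histogram shows how the mass is spread around 0.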

SLIDE 9

Linear Cryptanalysis: Procedure [M93]

  • Let a linear approximation be over all but last round of an iterative block cipher

[Figure: all but last round, followed by last round with key k]

  • N PC‐pairs given for right key k0
  • For each key guess of the last round ki, partially decrypt from C to V in each PC‐pair and count the number of times Ti the approximation is satisfied
  • We want T0 (corresponding to right key k0) to deviate from N/2 significantly

SLIDE 10

Linear Cryptanalysis: Advantage [S08]

  • For instance, we want T0 to be among the top counters Ti for p>1/2
  • Say, we guess m bits in the last round key, i.e. there are candidates
  • Advantage a is m – r, i.e., the number of bits gained

SLIDE 11

Linear Cryptanalysis: Data Complexity [S08]

  • If (essential assumptions)
    – Counters Ti are independent
    – For wrong key guesses, approximation has correlation 0
    – N and m are sufficiently large
  • Then for success probability PS

SLIDE 12

Linear Cryptanalysis: Linear Hulls I

  • Iterative structure of a block cipher:
  • Correlation of a linear approximation over one round:
  • Linear trail:

SLIDE 13

Linear Cryptanalysis: Linear Hulls II [N94], [D94], [DR02]

  • Linear hull = linear approximation of an iterative block cipher
  • Linear hull contains many linear trails U
  • Each U has its correlation contribution CU
  • Correlation of linear hull

SLIDE 14

Linear Cryptanalysis: Linear Hulls III

Rounds in a key‐alternating block cipher look like:

[Figure: layers of S‐boxes (S), linear diffusion, key schedule map]

SLIDE 15

Linear Cryptanalysis: Linear Hulls IV [D94], [DR02]

  • The correlation of a linear hull in a key‐alternating block cipher can be computed as
    – dU is the sign of correlation contribution for key 0
    – K is the expanded key
    – The sum is over all compatible linear trails
  • Thus, the correlation value varies due to the key only

SLIDE 16

Linear Cryptanalysis: Linear Hulls V [L11], [O09]

  • For vast classes of keys, the correlation value can deviate greatly from the average over all keys
  • Correlation amplification [O09] for PRESENT
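
The trail decomposition of Linear Hulls IV and the key dependence of Linear Hulls V can be checked exhaustively on a small cipher. This is an added example, not code from the presentation: the 4‐bit, two‐round toy cipher E(x) = S(S(x ^ k0) ^ k1) ^ k2 with independent round keys and all function names are assumptions; only the S‐box is taken from PRESENT. Each trail's value at key 0 carries the sign dU, and the key flips it by the parity of U·K.

```python
from collections import Counter

# PRESENT 4-bit S-box; the toy cipher built around it is an assumption of this example.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 16  # 2^n for n = 4

def sign(mask, value):
    """(-1)^(mask . value), dot product over GF(2)."""
    return -1 if bin(mask & value).count("1") & 1 else 1

# LAT[u][v] = sum_x (-1)^(u.x ^ v.S(x)); the one-round correlation is LAT[u][v] / 16.
LAT = [[sum(sign(u, x) * sign(v, SBOX[x]) for x in range(N)) for v in range(N)]
       for u in range(N)]

def encrypt(x, key):
    """Toy key-alternating cipher with expanded key K = (k0, k1, k2)."""
    k0, k1, k2 = key
    return SBOX[SBOX[x ^ k0] ^ k1] ^ k2

def measured(a, b, key):
    """16 * C of the approximation (a, b), counted over the full codebook."""
    return sum(sign(a, x) * sign(b, encrypt(x, key)) for x in range(N))

def trails(a, b):
    """Trails U = (a, u, b) with non-zero contribution, as 256 * C_U at key 0."""
    return {u: LAT[a][u] * LAT[u][b] for u in range(N) if LAT[a][u] * LAT[u][b]}

def hull(a, b, key):
    """256 * C as the sum over trails, each signed by the parity of U . K."""
    k0, k1, k2 = key
    return sum(sign(a, k0) * sign(u, k1) * sign(b, k2) * t
               for u, t in trails(a, b).items())

def key_distribution(a, b):
    """How often each value of 256 * C occurs over all 2^12 expanded keys."""
    return Counter(hull(a, b, (k0, k1, k2))
                   for k0 in range(N) for k1 in range(N) for k2 in range(N))

if __name__ == "__main__":
    a, b = 0x1, 0x5  # constructed example masks
    print("trail contributions (x256):", trails(a, b))
    print("256*C -> number of keys:", sorted(key_distribution(a, b).items()))
```

With independent round keys the mean of C^2 over all keys equals the sum of the squared trail correlations; the per‐key values printed by `key_distribution` show how individual keys relate to that average.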

SLIDE 17

Linear Cryptanalysis: Some Extensions

  • Zero correlation linear cryptanalysis
    – Linear approximations with probability 1/2
  • Related‐key linear cryptanalysis
    – Equal correlations under different keys
    – For key‐alternating ciphers with simple key schedule

SLIDE 18

Linear Cryptanalysis: Zero Correlation I [BR11]

  • Standard linear cryptanalysis tries to make use of linear approximations with highly nonzero correlation values
  • Zero correlation linear cryptanalysis uses linear approximations with correlation exactly zero
  • It is the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis
  • Cf. [ER10], [CS11], [RN11]

SLIDE 19

Linear Cryptanalysis: Zero Correlation II [BR11]

  • Zero correlation linear hulls exist in many popular cipher constructions
  • Feistel networks

[Figure panels: Balanced Feistel, CAST256, Skipjack, CLEFIA]

SLIDE 20

Linear Cryptanalysis: Zero Correlation III [BR11]

SLIDE 21

Linear Cryptanalysis: Zero Correlation IV [BR11]

  • For each subkey guess:
    – Partially decrypt the ciphertext and encrypt the plaintext up to the boundaries of the zero correlation linear hull
    – Evaluate the correlation value C
    – If C=0, the subkey guess survives the test
  • Low probability that a wrong key exhibits zero correlation
  • Exact evaluation of correlation needed for this distinguisher

SLIDE 22

Linear Cryptanalysis: Zero Correlation V [BR11]

  • Round‐reduced AES‐192 and AES‐256:

SLIDE 23

Linear Cryptanalysis: Related‐Key I [BR11]

  • The attack uses the properties of linear hulls for key‐alternating block ciphers
  • Differential related‐key model:
    – Adversary supplies two unknown keys with a specified known difference
  • Distinguisher is based on the equality for correlations C=C’ under two distinct keys K and K’
  • Cf. [K06], [BDK07], [ZWZF06]

SLIDE 24

Linear Cryptanalysis: Related‐Key II [BR11]

  • For two randomly drawn permutations and a fixed linear hull, their correlations are equal C=C’ with a probability of about
  • Now, if we choose a relation between keys K and K’ in a way that C=C’ deterministically, we have a distinguisher based on correlation evaluation

SLIDE 25

Linear Cryptanalysis: Related‐Key III [BR11]

  • Correlation for a key‐alternating cipher under two expanded keys:
  • The difference of two correlations:

SLIDE 26

Linear Cryptanalysis: Related‐Key IV [BR11]

A way to turn the sum to 0 is to make each summand 0:

with

Thus, if for each linear trail in the hull, then

SLIDE 27

Linear Cryptanalysis: Related‐Key V [BR11]

  • 5 rounds of AES‐256 are distinguishable using this fact, since AES‐256 is a key‐alternating block cipher with relatively sparse key schedule
  • Key difference
  • Input/output masks

SLIDE 28

Linear Cryptanalysis: Related‐Key VI [BR11]

  • 5 rounds of AES‐256
  • This exhibits C=C’ for every pair of keys with the specified difference
  • To distinguish, exact evaluation of C and C’ is needed

SLIDE 29

Linear Cryptanalysis: Selected Further Topics

  • Linear cryptanalysis with multiple linear approximations [HCN08], [HCN09], [GT09], [HN10]
  • Equivalence to some saturation attacks [L11]
  • Related‐key differential‐linear attacks [BDK06], [K06]
  • Experiments with linear approximations [CSQ08], [CS10]

SLIDE 30

Linear Cryptanalysis: Selected Open Problems

  • Provable bounds on ELP for real‐world ciphers
  • Linear hull effect for real‐world ciphers
  • Reduction of data requirements for zero correlation linear cryptanalysis
  • More linear techniques in related‐key attacks
  • More precise models for attack complexity estimations in linear attacks