Boomerang Connectivity Table: A New Cryptanalysis Tool Carlos Cid 1 - - PowerPoint PPT Presentation

▶

Jan 29, 2024 536 likes •802 views

Boomerang Connectivity Table: A New Cryptanalysis Tool Carlos Cid 1 , Tao Huang 2 , Thomas Peyrin 2 , Yu Sasaki 3 and Ling Song 2,4 1. Royal Holloway, University of London, UK 2. Nanyang Technological University, Singapore 3. NTT Secure Platform

SLIDE 1

Boomerang Connectivity Table: A New Cryptanalysis Tool

Carlos Cid1, Tao Huang2, Thomas Peyrin2, Yu Sasaki3 and Ling Song2,4

1. Royal Holloway, University of London, UK
2. Nanyang Technological University, Singapore
3. NTT Secure Platform Laboratories, Japan
4. Chinese Academy of Sciences, China

02 May 2018 Eurocrypt @ Tel Aviv

SLIDE 2

1

Differential Cryptanalysis

𝐹 𝑄

𝑄2 Δ𝑄 = 𝑄

1 ⊕ 𝑄2

𝐹 𝐷1 𝐷2

[Biham-Shamir1990]

Prepare two input values

𝑄

1, 𝑄2 with (usually) small

difference Δ𝑄 = 𝑄

1 ⊕ 𝑄2.

Expecting some output

differences Δ𝐷 = 𝐷1 ⊕ 𝐷2 with a high probability. Solid methods to evaluate probability are evaluated.

Δ𝐷 = 𝐷1 ⊕ 𝐷2

SLIDE 3

2

Differential Cryptanalysis

𝐹 𝑄

𝑄2 Δ𝑄 = 𝑄

1 ⊕ 𝑄2

𝐹 𝐷1 𝐷2

[Biham-Shamir1990]

Prepare two input values

𝑄

1, 𝑄2 with (usually) small

difference Δ𝑄 = 𝑄

1 ⊕ 𝑄2.

Expecting some output

differences Δ𝐷 = 𝐷1 ⊕ 𝐷2 with a high probability. Solid methods to evaluate probability are evaluated.

Δ𝐷 = 𝐷1 ⊕ 𝐷2

SLIDE 4

3

Boomerang Attacks Proposed by [Wag99] to combine independent two characteristics.

𝐹0: Pr Δ𝑗 → Δ𝑝 = 𝑞
𝐹1: Pr 𝛼𝑗 → 𝛼

𝑝 = 𝑟

Two pairs are analyzed. Distinguish probability: 𝑞2𝑟2

𝐹1 𝐹1 𝐹1 𝐹1 𝐷1 𝐷2 𝐷3 𝐷4 𝛼

𝑝

𝛼

𝑝

𝐹0 𝐹0 𝐹0 𝑄

𝑄2 𝑄3 𝑄

Δ𝑗 𝛼𝑗 𝛼𝑗 𝐹0 Δ𝑝 Δ𝑝 Δ𝑗

SLIDE 5

4

Two Trails in Boomerang Attacks [Wag99]: Assumed two trails are independent.

Dependency can help attackers.

[BDD03]: Middle-round S-box trick [BK09]: Boomerang switch

Ladder switch / Feistel switch / S-box switch

Dependency can spoil attacks.

[Mer09]: Incompatible trails not always correct

SLIDE 6

5

Ladder Switch

𝑇𝑆 𝑇𝐶 𝑁𝐷 𝑇𝐶

𝐹0 𝐹1 𝟑−𝟓𝟑 𝟑−𝟑𝟓

SLIDE 7

6

Ladder Switch

𝑇𝑆 𝑇𝐶 𝑁𝐷 𝑇𝐶

𝐹0 𝐹1 𝟑−𝟑𝟓

𝑇𝐶 𝑁𝐷

𝐹0: Columns 3: no active S-box for 𝐹0 𝟐/𝟐

𝑇𝐶

𝐹1: Columns 0: no active S-box for 𝐹1

𝑇𝑆

𝟑−𝟐𝟗

SLIDE 8

7

Feistel Switch / S-box Switch 𝐺𝑙

𝑗

Δ Δ 𝑏 𝑐 𝑑

𝐺𝑙

𝑗+1

Δ

𝒒

Δ

𝐹0 𝐹1

𝑇 𝑇 𝑇 𝑇 Δ 𝛼

Pr Δ → 𝛼 = 𝒒

𝑇

prob to be a right quartet is 𝒒 (not 𝒒𝟑)

SLIDE 9

8

Sandwich Attacks [DKS10] Generalized framework including dependency

f two trails:

𝐹 = 𝐹1 ∘ 𝐹𝑛 ∘ 𝐹0

Distinguish probability is 𝒒𝟑𝒓𝟑𝒔, with some probability 𝒔 for 𝐹𝑛.

𝛼

𝑝

𝛼

𝑝

𝛼𝑗 𝛼𝑗 𝐹0 𝐹0 𝐹0 Δ𝑗 𝐹0 Δ𝑝 Δ𝑗 𝐹1 𝐹1 𝐹1 𝑧1 𝑧2 𝑧3 𝑧4 𝐹1 𝑦1 𝑦2 𝑦3 𝑦4

𝐹𝑛 𝐹𝑛 𝐹𝑛 𝐹𝑛

Δ𝑝

SLIDE 10

9

Probability for 𝐹𝑛

𝒔 = #{𝑦 ∈ 0,1 𝑜|𝐹𝑛

−1 𝐹𝑛 𝑦 ⊕ 𝛼𝑗 ⊕ 𝐹𝑛 −1 𝐹𝑛 𝑦 ⊕ Δ𝑝 ⊕ 𝛼𝑗 = Δ𝑝}

2𝑜

𝐹𝑛 𝐹𝑛 𝐹𝑛 𝑦1 𝑦2 𝑦3 𝑦4 𝑧1 𝑧2 𝑧3 𝑧4

Δ𝑝 𝛼𝑗

𝒔: prob of being Δ𝑝

𝐹𝑛

𝛼𝑗

Probability space is only the size of 𝐹𝑛, not its square.

SLIDE 11

10 View of Boomerang Switch in Sandwich Attack

𝑇 𝑦1(= 𝑦3) 𝑧1(= y3) Δ𝑗 𝑦2(= 𝑦4) 𝑧2(= 𝑧4) 𝛼𝑗 = 0 𝛼𝑗 = 0 𝑇 𝑦1(= 𝑦4) 𝑧1(= y4) 𝑦2(= 𝑦3) 𝑧2(= 𝑧3) 𝑇 𝑇 Ladder Switch S-box Switch Δ𝑗 Δ𝑝 Δ𝑝

𝒔 = 𝒒 𝒔 = 𝟐

SLIDE 12

11

𝒔 is for a quartet, not for a pair in the standard

differential cryptanalysis. How to evaluate it?

Our focus: 𝐹𝑛 is a single S-box layer
a new form to easily evaluate 𝒔 for S-box
Adv. 1: new switching effect (𝒔 is surprisingly high)
Adv. 2: quantitating the strength of S-box against

sandwich attack (a new S-box design criterion)

We reveal several relationships between the

standard probability in DDT and 𝒔.

Our Goal

SLIDE 13

12

DDT: Differential Distribution Table

PRESENT S-box

SLIDE 14

13

BCT: Boomerang Connectivity Table

PRESENT S-box

SLIDE 15

14

Observations of BCT (1/3) ladder switch incompatibility [Mur09]

SLIDE 16

15

Observations of BCT (2/3)

DDT BCT

S-box Switch: "Pr Δ → 𝛼 = 𝒒" ⇒ "𝒔 = 𝒒"

𝑇

S-box switch is the equal case of Lem. 1

SLIDE 17

16

Observations of BCT (3/3)

DDT BCT

Values in BCT can be bigger than DDT. Comparison of DDT and BCT for AES S-box

SLIDE 18

17

Generalized Switching Effect

Focus on (Δ𝑗, Δ𝑝) whose DDT entry is 4.
2 pairs satisfying those diff propagation

𝑦1 𝑦2 𝑦3 𝑦4

𝑧1 𝑧2 𝑧3 𝑧4

Δ𝑗 Δ𝑗 Δ𝑝 Δ𝑝 𝑇 𝑇 𝑇 𝑇 How can we define 𝛼 s.t. a quartet is formed?

SLIDE 19

18

Generalized Switching Effect

3 ways to define 𝛼, one is known as S-box switch

𝑦1 𝑦2 𝑦3 𝑦4

𝑧1 𝑧2 𝑧3 𝑧4

Δ𝑗 Δ𝑗 Δ𝑝 Δ𝑝 𝑇 𝑇 𝑇 𝑇 S-box switch

SLIDE 20

19

Generalized Switching Effect

3 ways to define 𝛼, one is known as S-box switch

𝑦1 𝑦2 𝑦3 𝑦4

𝑧1 𝑧2 𝑧3 𝑧4

Δ𝑗 Δ𝑗 Δ𝑝 Δ𝑝 𝑇 𝑇 𝑇 𝑇 S-box switch new new

SLIDE 21

20

Generalized Switch for 6-uniform DDT

𝑇 𝑇 𝑇 𝑇

𝑦1 𝑦2 𝑦3 𝑦4 𝑧1 𝑧2 𝑧3 𝑧4

Δ𝑗 Δ𝑗 Δ𝑝 Δ𝑝

S-box switch New New

𝑇 𝑇

𝑦5 𝑦6 𝑧6

Δ𝑗 Δ𝑝

𝑧5

New New New New

We can make 3 distinct quartets. Each increases the value of BCT in 2 positions.

SLIDE 22

21

Applications so far Related-tweakey boomerang distinguisher on 8- round Deoxys-384:

Prev: 2−6 (single S-box switch)
New: 2−5.4 (single generalized switch)
9R and 10R distinguishers are also improved.

Related-tweakey rectangle attacks on SKINNY

Prev: prob was experimentally evaluated
New: theoretical analysis of the probability

SLIDE 23

22

Extension to ARX Construction

𝑦4’ 𝑦3’ 𝑦2’ 𝑦1 𝑦2 𝑦3 𝑦4 𝑧1 𝑧2 𝑧3 𝑧4

Δ𝑗 𝛼

𝑝

𝛼

𝑝

Δ𝑗

𝑦1’

Δ𝑗’ Δ𝑗’

Similar analysis can be applied to modular addition.

SLIDE 24

23

Case Study: 3-bit Addition (Δ𝑗 = 0) DDT BCT

BCT < DDT (S-box switch does not work)
MSB switch