
Boomerang Connectivity Table: A New Cryptanalysis Tool (PowerPoint presentation)


  1. Boomerang Connectivity Table: A New Cryptanalysis Tool
  Carlos Cid (1), Tao Huang (2), Thomas Peyrin (2), Yu Sasaki (3) and Ling Song (2,4)
  (1) Royal Holloway, University of London, UK; (2) Nanyang Technological University, Singapore; (3) NTT Secure Platform Laboratories, Japan; (4) Chinese Academy of Sciences, China
  Eurocrypt 2018, Tel Aviv, 02 May 2018

  2. Differential Cryptanalysis [Biham-Shamir1990]
  • Prepare two input values $P_1, P_2$ with a (usually) small difference $\Delta P = P_1 \oplus P_2$.
  • Expect some output difference $\Delta C = C_1 \oplus C_2$, where $C_j = E(P_j)$, to appear with high probability.
  • Well-established methods exist for evaluating this probability.

  4. Boomerang Attacks
  Proposed by [Wag99] to combine two independent characteristics, one for each half of the cipher $E = E_1 \circ E_0$:
  • $E_0$: $\Pr[\Delta_i \to \Delta_o] = p$
  • $E_1$: $\Pr[\nabla_i \to \nabla_o] = q$
  Two pairs are analyzed, i.e. a quartet $(P_1, P_2, P_3, P_4)$ with $P_1 \oplus P_2 = P_3 \oplus P_4 = \Delta_i$ and ciphertexts satisfying $C_1 \oplus C_3 = C_2 \oplus C_4 = \nabla_o$.
  Distinguishing probability: $p^2 q^2$.

  5. Two Trails in Boomerang Attacks
  [Wag99] assumed the two trails are independent. This is not always correct.
  • Dependency can help attackers: [BDD03] middle-round S-box trick; [BK09] boomerang switch (ladder switch / Feistel switch / S-box switch).
  • Dependency can spoil attacks: [Mur09] incompatible trails.

  6. Ladder Switch
  (figure: two trails meeting at an AES-like state, operations MC, SB, SR, SB) Evaluated independently, $E_0$ costs $2^{-42}$ and $E_1$ costs $2^{-24}$.

  7. Ladder Switch
  (same figure) With the switch, $E_0$ costs $2^{-18}$ instead of $2^{-42}$, $E_1$ still costs $2^{-24}$, and the shared S-box layer costs 1/1 (probability 1).
  • $E_0$: column 3 has no active S-box for $E_0$.
  • $E_1$: column 0 has no active S-box for $E_1$.
  Each S-box of the boundary layer is charged to the trail in which it is inactive, so the layer is passed for free.

  8. Feistel Switch / S-box Switch
  (figure: Feistel rounds $i$ in $E_0$ and $i+1$ in $E_1$ with round function $F_k$; one S-box $S$ with $\Pr[\Delta \to \nabla] = p$ is active in both trails)
  When the output difference of the $E_0$ trail equals the input difference of the $E_1$ trail at that S-box, the probability of obtaining a right quartet through it is $p$, not $p^2$.

  9. Sandwich Attacks [DKS10]
  Generalized framework including the dependency of the two trails: $E = E_1 \circ E_m \circ E_0$.
  The quartet enters $E_m$ as $x_1, x_2, x_3, x_4$ with $x_1 \oplus x_2 = x_3 \oplus x_4 = \Delta_o$ and leaves it as $y_1, y_2, y_3, y_4$ with $y_1 \oplus y_3 = y_2 \oplus y_4 = \nabla_i$.
  Distinguishing probability is $p^2 q^2 r$, with some probability $r$ for $E_m$.

  10. Probability for $E_m$
  $$ r = \frac{\#\{\, x \in \{0,1\}^n \;|\; E_m^{-1}(E_m(x) \oplus \nabla_i) \oplus E_m^{-1}(E_m(x \oplus \Delta_o) \oplus \nabla_i) = \Delta_o \,\}}{2^n} $$
  $r$: probability that $x_3 \oplus x_4 = \Delta_o$, given $x_1 \oplus x_2 = \Delta_o$ and $y_1 \oplus y_3 = y_2 \oplus y_4 = \nabla_i$.
  The probability space is only the size of the domain of $E_m$, not its square.

  11. View of Boomerang Switch in Sandwich Attack
  Ladder switch ($r = 1$): the S-box is inactive in $E_1$, so $\nabla_i = 0$ and the quartet collapses to $x_1 = x_3$, $x_2 = x_4$, $y_1 = y_3$, $y_2 = y_4$.
  S-box switch ($r = p$): $\nabla_i = \Delta_o$, so $x_1 = x_4$, $x_2 = x_3$, $y_1 = y_4$, $y_2 = y_3$.

  12. Our Goal
  • $r$ is defined for a quartet, not for a pair as in standard differential cryptanalysis. How to evaluate it?
  • Our focus: $E_m$ is a single S-box layer.
  • A new table to easily evaluate $r$ for an S-box.
    Adv. 1: a new switching effect ($r$ is surprisingly high).
    Adv. 2: quantifying the strength of an S-box against the sandwich attack (a new S-box design criterion).
  • We reveal several relationships between the standard probability in the DDT and $r$.

  13. DDT: Differential Distribution Table
  (figure: DDT of the PRESENT S-box)

  14. BCT: Boomerang Connectivity Table
  (figure: BCT of the PRESENT S-box)

  15. Observations of BCT (1/3)
  (figure: BCT of the PRESENT S-box with two regions marked)
  • Ladder switch: the first row ($\Delta_i = 0$) and first column ($\nabla_o = 0$) hold $2^n$, i.e. $r = 1$.
  • Incompatibility [Mur09]: zero entries, i.e. the quartet cannot exist and $r = 0$.

  16. Observations of BCT (2/3)
  S-box switch: "$\Pr[\Delta \to \nabla] = p$ through $S$" $\Rightarrow$ "$r = p$". (figure: the corresponding entries of the BCT and the DDT)
  The S-box switch is the equality case of Lemma 1: $\mathrm{BCT}(\Delta_i, \nabla_o) \ge \mathrm{DDT}(\Delta_i, \nabla_o)$ for every $(\Delta_i, \nabla_o)$.
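Why the S-box switch gives $r = p$ and why a BCT entry can never be below the corresponding DDT entry, as an added derivation in the notation of slides 10 and 16 (not on the original slides). $\Delta_i$ and $\nabla_o$ are the S-box's own input and output differences, i.e. the $\Delta_o$ and $\nabla_i$ of slide 10 when $E_m = S$.

Let $S$ be an $n$-bit S-box and suppose $x$ is counted in $\mathrm{DDT}(\Delta_i, \nabla_o)$, i.e. $S(x) \oplus S(x \oplus \Delta_i) = \nabla_o$. Then
$$S^{-1}(S(x) \oplus \nabla_o) = S^{-1}(S(x \oplus \Delta_i)) = x \oplus \Delta_i, \qquad S^{-1}(S(x \oplus \Delta_i) \oplus \nabla_o) = S^{-1}(S(x)) = x,$$
so
$$S^{-1}(S(x) \oplus \nabla_o) \oplus S^{-1}(S(x \oplus \Delta_i) \oplus \nabla_o) = \Delta_i,$$
which is exactly the condition counted by $\mathrm{BCT}(\Delta_i, \nabla_o)$. Every DDT solution is therefore also a BCT solution:
$$\mathrm{BCT}(\Delta_i, \nabla_o) \ge \mathrm{DDT}(\Delta_i, \nabla_o), \qquad r = \frac{\mathrm{BCT}(\Delta_i, \nabla_o)}{2^n} \ge \frac{\mathrm{DDT}(\Delta_i, \nabla_o)}{2^n} = p.$$
The S-box switch of slide 8 counts only these solutions (the quartet $x_1$, $x_2 = x_1 \oplus \Delta_i$, $x_3 = x_2$, $x_4 = x_1$), which is why it yields $r = p$ rather than the $p^2$ obtained by charging the S-box in both trails. Any right quartet with $x_3 \notin \{x_1, x_2\}$ adds to the BCT entry without appearing in the DDT, which is how the BCT can exceed the DDT.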

  17. Observations of BCT (3/3)
  Values in the BCT can be bigger than in the DDT. (figure: comparison of the DDT and BCT of the AES S-box, whose DDT maximum is 4 while its BCT maximum is 6)

  18. Generalized Switching Effect
  • Focus on $(\Delta_i, \Delta_o)$ whose DDT entry is 4.
  • Two pairs satisfy this differential: $(x_1, x_2)$ and $(x_3, x_4)$ with $x_1 \oplus x_2 = x_3 \oplus x_4 = \Delta_i$ and $y_1 \oplus y_2 = y_3 \oplus y_4 = \Delta_o$, where $y_j = S(x_j)$.
  • How can we define $\nabla$ so that these four values form a quartet?

  19. Generalized Switching Effect
  • There are 3 ways to define $\nabla$: pair $y_1$ with $y_2$, with $y_3$, or with $y_4$.
  • $\nabla = y_1 \oplus y_2 = \Delta_o$ is the known S-box switch; $\nabla = y_1 \oplus y_3$ and $\nabla = y_1 \oplus y_4$ are new. In each case the four $x_j$ form a right quartet, so $\mathrm{BCT}(\Delta_i, \nabla) \ge 4$ for all three choices.

  21. Generalized Switch for a 6-uniform DDT
  A DDT entry of 6 gives three pairs $(x_1, x_2)$, $(x_3, x_4)$, $(x_5, x_6)$. We can make 3 distinct quartets (one per choice of two pairs), and each increases the value of the BCT in 2 positions (its two new $\nabla$ values), on top of the S-box switch at $\nabla = \Delta_o$.
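The tables of slides 13–17 and the generalized switch of slides 18–21, as an added Python example (my code, not the authors'). It builds the DDT and BCT of the published PRESENT S-box and of the AES S-box (rebuilt here from GF(2^8) inversion and the affine map), computes the sandwich probability $r$ of slide 10 for a single S-box layer as the BCT entry divided by $2^n$, and, for every $(\Delta_i, \Delta_o)$ whose DDT entry is 4, derives the three $\nabla$ values of the generalized switch and checks that each gives a BCT entry of at least 4. The function names (`bct_row`, `switch_nablas`, `sandwich_r`) are mine. The AES BCT is computed for one row only: because the AES S-box is field inversion followed by an output affine map, every nonzero row of its BCT holds the same multiset of entries (a property of the inverse map, not something stated on the slides), so one row is enough to find the maximum.

```python
# Added worked example (not code from the Cid-Huang-Peyrin-Sasaki-Song slides):
# DDT and BCT of an S-box, the sandwich probability r of slide 10 for a single
# S-box layer, and the generalized switch of slides 18-21.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def aes_sbox():
    """Rebuild the AES S-box: v -> v^254 (= v^-1, with 0 -> 0), then the affine map."""
    box = []
    for v in range(256):
        inv, base, e = 1, v, 254
        while e:
            if e & 1:
                inv = _gf_mul(inv, base)
            base = _gf_mul(base, base)
            e >>= 1
        s = inv
        for i in range(1, 5):                      # s = inv ^ rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


def ddt(sbox):
    """DDT[di][do] = #{x : S(x) ^ S(x ^ di) == do}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for di in range(n):
        for x in range(n):
            t[di][sbox[x] ^ sbox[x ^ di]] += 1
    return t


def bct_row(sbox, di):
    """One BCT row: entry [no] = #{x : S^-1(S(x) ^ no) ^ S^-1(S(x ^ di) ^ no) == di},
    the numerator of r on slide 10 with E_m = S, Delta_o = di and nabla_i = no."""
    n = len(sbox)
    inv = [0] * n
    for x, y in enumerate(sbox):
        inv[y] = x
    row = [0] * n
    for x in range(n):
        sx, sxd = sbox[x], sbox[x ^ di]
        for no in range(n):
            if inv[sx ^ no] ^ inv[sxd ^ no] == di:
                row[no] += 1
    return row


def bct(sbox):
    """Full BCT, O(2^(3n)): fine for 4-bit S-boxes, use bct_row for 8-bit ones."""
    return [bct_row(sbox, di) for di in range(len(sbox))]


def sandwich_r(sbox, di, no):
    """r for a single S-box layer = BCT entry / 2^n (slide 10)."""
    return bct_row(sbox, di)[no] / len(sbox)


def switch_nablas(sbox, di, do):
    """Generalized switch (slides 18-20). For a DDT entry of 4 at (di, do) the
    solutions form two pairs (x1, x2) and (x3, x4); pairing y1 with y2, y3 or y4
    gives three output differences nabla, each of which makes the four x's a
    right quartet, so BCT[di][nabla] >= 4 for all three. None if the entry != 4."""
    xs = [x for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ di] == do]
    if len(xs) != 4:
        return None
    x1 = xs[0]
    x2 = x1 ^ di
    x3 = next(x for x in xs if x not in (x1, x2))
    x4 = x3 ^ di
    y1, y2, y3, y4 = (sbox[x] for x in (x1, x2, x3, x4))
    return {y1 ^ y2, y1 ^ y3, y1 ^ y4}          # y1 ^ y2 == do is the S-box switch


if __name__ == "__main__":
    D, B = ddt(PRESENT_SBOX), bct(PRESENT_SBOX)
    for di in range(1, 16):
        for do in range(1, 16):
            if D[di][do] == 4:
                nbs = switch_nablas(PRESENT_SBOX, di, do)
                print(f"PRESENT DDT[{di:x}][{do:x}] = 4 -> BCT entries",
                      {f"{nb:x}": B[di][nb] for nb in nbs},
                      f"naive p^2 = {1 / 16}, r via S-box switch = {sandwich_r(PRESENT_SBOX, di, do)}")
    A = aes_sbox()
    print("AES row 1: max DDT", max(ddt(A)[1][1:]), "max BCT", max(bct_row(A, 1)[1:]))
```

Running the file lists, for each DDT entry of 4 in PRESENT, the three BCT entries reached by the generalized switch: the independent-trail estimate for the S-box would be $p^2 = 1/16$, the S-box switch already gives $r \ge 1/4$, and the two new $\nabla$ values get the same count. For AES it reports a DDT maximum of 4 against a BCT maximum of 6, the gap of slide 17.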

  22. Applications so far
  Related-tweakey boomerang distinguisher on 8-round Deoxys-384:
  • Prev: $2^{-6}$ (single S-box switch)
  • New: $2^{-5.4}$ (single generalized switch)
  • 9-round and 10-round distinguishers are also improved.
  Related-tweakey rectangle attacks on SKINNY:
  • Prev: the probability was evaluated experimentally
  • New: theoretical analysis of the probability

  23. Extension to ARX Construction
  Similar analysis can be applied to modular addition. (figure: quartet $x_1, \dots, x_4$ and $x'_1, \dots, x'_4$ for the two addends with input differences $\Delta_i$ and $\Delta'_i$, outputs $y_1, \dots, y_4$ with output difference $\nabla_o$)

  24. Case Study: 3-bit Addition ($\Delta_i = 0$)
  (figure: BCT and DDT of 3-bit modular addition)
  • BCT < DDT here, so the S-box switch does not carry over to modular addition.
  • MSB switch.

  25. Concluding Remarks
  BCT: a precomputed table of $r$ in the sandwich attack.
  Adv. 1: a new switching effect ($r$ is surprisingly high).
  Adv. 2: quantifying the strength of an S-box against the sandwich attack (S-box design criterion).
  Problems to investigate:
  • improving previous boomerang attacks
  • extending $E_m$ beyond a single S-box layer
  • a comprehensive study of modular addition
  Thank you for your attention!
