Cryptanalysis of Lightweight Block Ciphers: Theory Meets - PowerPoint PPT Presentation

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 1/ 31

Dependency Other Win Open Outline 1 Dependencies in Differential Cryptanalysis Differential Charactetristics General Independence Assumptions Independent Subkeys A Counter Example 2 Dependency Issues in Other Attacks Linear Cryptanalysis Boomerang Differential-Linear Cryptanalysis 3 The Good Bits Conditional Differential/Linear Why Experiments Can Help 4 Open Problems Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 2/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open 1-Round Differential Characteristics [BS91] Definition A 1 -round differential characteristic is a pair (Ω P , Ω T ) where Ω P and Ω T are n -bit differences, such that the probability of a pair with input difference Ω P to have an output difference Ω T after one round is p . Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 3/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open r -Round Differential Characteristics [BS91] Definition A r -round differential characteristic is a tuple Ω = (Ω P = Ω 0 , Ω 1 , Ω 2 , . . . , Ω r = Ω T ) where Ω P , Ω T , and all Ω i are n -bit differences, where Ω i are the differences predicted after each round of the scheme. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 4/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open Probability of a Characteristic ◮ Definition: The probability of a characteristic is the probability that a random pair P , P ∗ which satisfies P ′ = Ω P is a right pair with respect to a random independent key. ◮ The probability of an r -round characteristic is the product of all the probabilities of the 1-round characteristics which compose the n -round characteristic. ◮ There is an underlying assumption that all the transitions are independent. ◮ Usually, it is OK to assume that. Usually . Usually . Usually . Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 5/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open Underlying Assumptions for Differential Attacks Formally, let � � E � � � G K Ω P − → Ω T = P � E K ( P ) ⊕ E K ( P ⊕ Ω P ) = Ω T . and � � E G − 1 � E − 1 K ( C ) ⊕ E − 1 � � � Ω P − → Ω T = K ( C ⊕ Ω T ) = Ω P C . K These two sets contain all the right pairs (i.e., X is in the set if it is a part of a right pair). Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 6/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open Independence Assumptions for Differential Attacks 1 The probability of the differential characteristic in round i is independent of other rounds. E 0 (formally: the event X ∈ G − 1 K (Ω P − → Ω r ′ ) is independent of E 1 the event X ∈ G K (Ω r ′ − → Ω T ) for all K and Ω r ′ ) 2 Partial encryption/decryption under the wrong key makes the cipher closer to a random permutation. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 7/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open Independent Subkeys ◮ A cipher whose subkeys are all chosen at random (independently of each other) can be modeled as a Markov chain. ◮ For such a cipher, the previous conditions are satisfied (under reasonable use of the keys) as the independent subkeys assure that the inputs to each round are truly random and independent. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 8/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open Independent Subkeys — Where We Cheated ◮ The above assumes that the keys are chosen during the differential attack, and for each new pair of plaintexts, they are chosen again at random. ◮ This is of course wrong, as the key is fixed a priori , and the only source of “randomness” in the experiment is the plaintext pair. ◮ Hence, we need to assume Stochastic Equivalence , i.e., Pr[∆ C = Ω T | ∆ P = Ω P ] = Pr[∆ C = Ω T | ∆ P = Ω C ∧ K = ( k 1 , k 2 , . . . )] for almost all keys K . ◮ See more info at [LM93] where the Markov cipher is introduced. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 9/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open Why the Stochastic Equivalence Assumption was Used? ◮ It works — most of the times it works. ◮ Even when it does not work for a large portion of the keys — it is mostly an issue of weak keys. ◮ Experiments showed it to hold many times. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 10/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open However, In theory there is no difference between theory and practice. In practice, there is. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 11/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open XOR Differences in Additive World [WangDK07] A differential Characteristic used in [HKK+05] for SHACAL-1 from round 6 to round 12: i ∆ A i ∆ B i ∆ C i ∆ D i ∆ E i ∆ K i Prob . 2 − 3 6 e 3 0 0 e 13 , 31 0 0 2 − 3 7 0 0 e 8 e 3 e 13 , 31 e 31 2 − 2 8 0 0 0 0 e 8 e 1 2 − 2 9 0 0 0 0 e 6 e 1 2 − 2 10 0 0 0 e 6 e 1 0 2 − 2 11 e 1 0 0 0 e 6 0 2 − 1 12 0 e 1 0 0 0 0 Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 12/ 31

Characteristics Independence Subkeys Counter Dependency Other Win Open XOR Differences in Additive World [WangDK07] ◮ According to A i +1 = K i + ROTL 5 ( A i ) + F i ( B i , C i , D i ) + E i + Con i , we get that A 7 , 8 = A 6 , 3 and A ∗ 7 , 8 = A ∗ 6 , 3 . ◮ From the encryption algorithm, we get that A 11 , 1 = E 10 , 1 = A 6 , 3 , A ∗ 11 , 1 = E ∗ 10 , 1 = A ∗ 6 , 3 , E 11 , 6 = A 7 , 8 and E ∗ 11 , 6 = A ∗ 7 , 8 . ◮ From the above two claims, we obtain that A 11 , 1 = E 11 , 6 and A ∗ 11 , 1 = E ∗ 11 , 6 . By A i +1 = K i + ROTL 5 ( A i ) + F i ( B i , C i , D i ) + E i + Con i , we obtain that A 12 � = A ∗ 12 , i.e., ∆ A 12 � = 0, which is a contradiction with ∆ A 12 = 0 in the differential characteristic. The signs of the difference are not compatible. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 13/ 31

Linear Boomerang DL Dependency Other Win Open Linear Cryptanalysis [M93] ◮ Linear cryptanalysis studies the relation between plaintext, ciphertext, and key bits. ◮ The key element is the linear approximation: λ P · P ⊕ λ C · C = λ K · K that holds for non-trivial λ P , λ C , λ K with as large as possible bias ∗ . ◮ Such approximations can be built by concatenating short 1-round approximations to form an r -round approximations. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 14/ 31

Linear Boomerang DL Dependency Other Win Open Independence Assumptions in Linear Cryptanalysis ◮ Two 1-round approximations that are concatenated are independent, ◮ There are no other linear approximations (with the same input/output masks) that interfere with the approximation we use, ◮ Random wrong keys, produce a close to uniform distribution w.r.t. the probability of satisfying the approximation. Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 15/ 31

Linear Boomerang DL Dependency Other Win Open The Boomerang Attack ◮ Introduced by [W99]. P 1 P 3 α α ◮ Targets ciphers with good short P 2 P 4 differentials, but bad long ones. ◮ The core idea: Treat the cipher as a E 0 γ cascade of two sub-ciphers. Where X 1 X 3 β β in the first sub-cipher a differential γ X 2 X 4 E 0 − → β exists, and a differential α E 1 − → δ exists for the second. γ E 1 ◮ The process starts with a pair of C 1 C 3 δ plaintexts: P 1 , P 2 = P 1 ⊕ α . C 2 C 4 ◮ After the first sub-cipher, δ X 1 ⊕ X 2 = β . ◮ But the encryption process Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 16/ 31

Linear Boomerang DL Dependency Other Win Open Underlying Assumptions for the Boomerang Attack For E = E 1 ◦ E 0 , and any set of differences α, γ and δ, , we E 1 require that X is (part of) a right pair with respect to γ − → δ independently of the following three events: E 0 1 X is (part of) a right pair with respect to α − → β for all β . E 1 2 X ⊕ β is (part of) a right pair with respect to γ − → δ for all β, γ . E 0 3 X ⊕ γ is (part of) a right pair with respect to α − → β for all β . Orr Dunkelman Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies 17/ 31