Efficient Algorithms for Differential Properties of Addition




SLIDE 1

Efficient Algorithms for Differential Properties of Addition

Helger Lipmaa
Helsinki University of Technology (Finland)
helger@tml.hut.fi

Shiho Moriai
NTT Laboratories (Japan)
shiho@isl.ntt.co.jp

FSE 2001, 04.04.2001 Efficient Algorithms for Differential Properties of Addition 1

SLIDE 2

Outline

  • Motivations
  • Our contributions
  • RAM model
  • Algorithm for differential probability of addition
  • Conclusion

SLIDE 3

Differential Cryptanalysis

  • DC: one of the best-known general attacks against block ciphers
  • Security against DC is one of the main criteria for new ciphers
  • Known how to construct DC-secure ciphers
  • ... but this knowledge is rather limited
  • Reason: hard to find good differentials in “real” ciphers

SLIDE 4

Motivations: Differential Properties of Addition

  • Bottom-up approach:
      ⋆ Start from the primitive cornerstones
      ⋆ Work your way up to the whole cipher
  • It is hard to DC-analyse + w.r.t. ⊕
  • Some block ciphers use this by intermingling ⊕ and + to create “confusion” both in Shannon’s and layman’s sense
  • Makes the ciphers harder to analyse — but does it make them more secure?

SLIDE 5

Our Goals

  • To thoroughly analyse + w.r.t. ⊕
  • Hopefully results in a bottom-up approach to give us
      ⋆ Tighter proofs of security of some ciphers
      ⋆ Better attacks against others
      ⋆ New ciphers?

SLIDE 6

What is a Bottom-Up Approach? (1)

[Figure: cipher round diagram in which data words X and subkeys Z are combined by the operations +, ⊕ and ⊙]

SLIDE 7

What is a Bottom-Up Approach? (2)

[Figure: cipher round diagram in which data words X and subkeys Z are combined by the operations +, ⊕ and ⊙]

SLIDE 8

Some differential properties of addition

$$\mathrm{DP}^+(\alpha,\beta\to\gamma) \overset{\text{def}}{:=} P_{x,y}\big[(x+y)\oplus((x\oplus\alpha)+(y\oplus\beta))=\gamma\big]$$

SLIDE 9

Some differential properties of addition

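$$\mathrm{DP}^+(\alpha,\beta\to\gamma) \overset{\text{def}}{:=} P_{x,y}\big[(x+y)\oplus((x\oplus\alpha)+(y\oplus\beta))=\gamma\big]$$

Let $\delta=(\alpha,\beta\to\gamma)$. Equivalently,

$$\mathrm{DP}^+(\delta) \overset{\text{def}}{:=} \frac{\sharp\{x,y\in\{0,1\}^n : (x+y)\oplus((x\oplus\alpha)+(y\oplus\beta))=\gamma\}}{2^{2n}}.$$

⇒ Trivial algorithm works in time $2^{2n}$.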

SLIDE 10

Some differential properties of addition

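$$\mathrm{DP}^+(\alpha,\beta\to\gamma) \overset{\text{def}}{:=} P_{x,y}\big[(x+y)\oplus((x\oplus\alpha)+(y\oplus\beta))=\gamma\big]$$

$$\mathrm{DP}^+_{\max}(\alpha,\beta) \overset{\text{def}}{:=} \max_{\gamma}\,\mathrm{DP}^+(\alpha,\beta\to\gamma)$$

$\mathrm{opt}^+(\alpha,\beta) \overset{\text{def}}{:=} \gamma$ in previous formula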

SLIDE 11

Some differential properties of addition

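$$\mathrm{DP}^+(\alpha,\beta\to\gamma) \overset{\text{def}}{:=} P_{x,y}\big[(x+y)\oplus((x\oplus\alpha)+(y\oplus\beta))=\gamma\big]$$

$$\mathrm{DP}^+_{\max}(\alpha,\beta) \overset{\text{def}}{:=} \max_{\gamma}\,\mathrm{DP}^+(\alpha,\beta\to\gamma)$$

$\mathrm{opt}^+(\alpha,\beta) \overset{\text{def}}{:=} \gamma$ in previous formula

$$\mathrm{DP}^+_{2\max}(\alpha) \overset{\text{def}}{:=} \max_{\beta,\gamma}\,\mathrm{DP}^+(\alpha,\beta\to\gamma)$$

$\mathrm{opt}^+(\alpha) \overset{\text{def}}{:=} (\beta,\gamma)$ in previous formula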

SLIDE 12

More differential properties of addition

If $\delta=(\alpha,\beta\to\gamma)$ and $X \overset{\text{def}}{:=} \delta\to\mathrm{DP}^+(\delta)$, then find

$$P[X=k]=\begin{cases}\text{density of impossible differentials}, & k=0,\\ \text{in general}, & k\neq 0,\end{cases}$$

and

$$E[X] \overset{\text{def}}{:=} \sum_k k\cdot P[X=k], \qquad \mathrm{var}[X] \overset{\text{def}}{:=} E[X^2]-E[X]^2.$$

More generally, what is the distribution of X?

Our contributions: We give efficient answers to all these questions!

SLIDE 13

The RAM model

  • We are interested in the software speed
      ⋆ Use the unit-cost RAM model
  • Minimal set of unit-cost operations: Boolean operations, addition, left and right shifts, equality tests, (conditional) jumps
  • This model is surprisingly powerful!

SLIDE 14

Example: Hamming weight

Hamming weight: given $x=\sum_i x_i 2^i$, compute $\sum_i x_i$. Traditional algorithm of Θ(n) complexity:

    w = 0;
    for (i = 0; i < n; i++)
        if (x & (1u << i))   /* bit i of x is set */
            w++;

SLIDE 15

Example: Hamming weight

Hamming weight: given $x=\sum_i x_i 2^i$, compute $\sum_i x_i$. A RAM-model algorithm of Θ(log n) complexity (for n = 32):

    w = x;
    w = (w & 0x55555555) + ((w >> 1) & 0x55555555);
    w = (w & 0x33333333) + ((w >> 2) & 0x33333333);
    w = (w & 0x0f0f0f0f) + ((w >> 4) & 0x0f0f0f0f);
    w = (w & 0x00ff00ff) + ((w >> 8) & 0x00ff00ff);
    w = (w & 0x0000ffff) + ((w >> 16) & 0x0000ffff);

SLIDE 16

Algorithm for DP+(δ)

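  • Definition. $\mathrm{DP}^+(\alpha,\beta\to\gamma) \overset{\text{def}}{:=} P_{x,y}[(x+y)\oplus((x\oplus\alpha)+(y\oplus\beta))=\gamma]$. Let $\mathrm{eq}(\alpha,\beta,\gamma)_i = 1$ iff $\alpha_i=\beta_i=\gamma_i$.
  • Theorem. We say $\delta=(\alpha,\beta\to\gamma)$ is “good” if

$$\mathrm{eq}(\alpha\ll 1,\beta\ll 1,\gamma\ll 1)\wedge(\alpha\oplus\beta\oplus\gamma\oplus(\beta\ll 1)) = 0.$$

Then

$$\mathrm{DP}^+(\delta)=\begin{cases}0, & \delta\text{ is not “good”},\\ 2^{-w_h(\neg\mathrm{eq}(\alpha,\beta,\gamma)\wedge(2^{n-1}-1))}, & \text{otherwise}.\end{cases}$$

$\mathrm{DP}^+(\delta)$ can be computed in time Θ(log n) for any δ. Hence, $\mathrm{DP}^+$ is either 0 or $2^{-k}$ for $0\le k<n-1$.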

SLIDE 17

DP+(δ): How it works?

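  • Replace + with a XOR with carry, $x+y = x\oplus y\oplus\mathrm{carry}(x,y)$. Then

$$\mathrm{DP}^+(\delta)=P_{x,y}\big[\underbrace{\mathrm{carry}(x,y)}_{c}\oplus\underbrace{\mathrm{carry}(x\oplus\alpha,y\oplus\beta)}_{c^*}=\alpha\oplus\beta\oplus\gamma\big]$$

  • Then $\mathrm{DP}^+(\delta)=\prod_{i=0}^{n-1}P_{x,y}[c_i\oplus c^*_i=\alpha_i\oplus\beta_i\oplus\gamma_i]$
  • Compute the multiplicand probabilities
  • We prove that if δ is “good” then $P_{x,y}[c_i\oplus c^*_i=\alpha_i\oplus\beta_i\oplus\gamma_i]=1$ if $\alpha_i=\beta_i=\gamma_i$, or $=1/2$ otherwise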

SLIDE 18

“Possibility” of DP+(δ): Pictorially

α   0 1 0 1 0 0 1
β   1 1 0 0 0 0 0
γ   1 1 1 0 0 0 1

SLIDE 19

“Possibility” of DP+(δ): Pictorially

α   0 1 0 1 0 0 1
β   1 1 0 0 0 0 0
γ   1 1 1 0 0 0 1

[Figure annotation: ⊕ of one column, marked “?=”]

The LSB of carry must be 0

SLIDE 20

“Possibility” of DP+(δ): Pictorially

α   0 1 0 1 0 0 1
β   1 1 0 0 0 0 0
γ   1 1 1 0 0 0 1

[Figure annotation: three columns marked “=”; extra row 0 0 1]

Find all columns with equal bits.

SLIDE 21

“Possibility” of DP+(δ): Pictorially

[Figure: α, β, γ bit table with three columns marked “⊕” and three marked “=”]

Compute ⊕ of previous columns and compare.

SLIDE 22

DP+(δ): Pictorially

α   0 1 0 1 0 0 1
β   1 1 0 0 0 0 0
γ   1 1 1 0 0 0 1

[Figure annotation: three columns marked “=”; $w_h = 3$]

  • Establish that δ is possible
  • $w_h$ = ♯{columns that have both 0 and 1 entries}
  • Return $2^{-w_h}$
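An added C example, not part of the original slides: it implements the theorem's “good” test and the $2^{-w_h}$ formula using the log-time Hamming weight shown earlier, and compares the result with the trivial $2^{2n}$ count for small n. The function names dp_add_log2, dp_add_count and check_all are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (names are illustrative). eq: bit i set iff a_i = b_i = c_i. */
static uint32_t eq(uint32_t a, uint32_t b, uint32_t c) { return ~(a ^ b) & ~(a ^ c); }

/* Log-time Hamming weight for n = 32, as on the Hamming weight slide. */
static unsigned wh(uint32_t w) {
    w = (w & 0x55555555u) + ((w >> 1) & 0x55555555u);
    w = (w & 0x33333333u) + ((w >> 2) & 0x33333333u);
    w = (w & 0x0f0f0f0fu) + ((w >> 4) & 0x0f0f0f0fu);
    w = (w & 0x00ff00ffu) + ((w >> 8) & 0x00ff00ffu);
    return (w & 0x0000ffffu) + (w >> 16);
}

/* Returns k with DP+(a,b->c) = 2^-k on n-bit words (1 <= n <= 32),
   or -1 if the differential is not "good" (probability 0). */
int dp_add_log2(uint32_t a, uint32_t b, uint32_t c, unsigned n) {
    uint32_t mask = (n >= 32) ? 0xffffffffu : ((1u << n) - 1u);
    a &= mask; b &= mask; c &= mask;
    if (eq(a << 1, b << 1, c << 1) & (a ^ b ^ c ^ (b << 1)) & mask)
        return -1;
    return (int)wh(~eq(a, b, c) & (mask >> 1)); /* mask >> 1 = 2^(n-1) - 1 */
}

/* Trivial 2^(2n) algorithm: count the pairs (x,y) that follow the differential. */
uint64_t dp_add_count(uint32_t a, uint32_t b, uint32_t c, unsigned n) {
    uint32_t mask = (1u << n) - 1u, x, y;   /* small n only */
    uint64_t cnt = 0;
    for (x = 0; x <= mask; x++)
        for (y = 0; y <= mask; y++)
            cnt += ((((x + y) ^ ((x ^ a) + (y ^ b))) & mask) == c);
    return cnt;
}

/* Compare both algorithms on every n-bit differential; returns disagreements. */
unsigned long check_all(unsigned n) {
    uint32_t lim = 1u << n, a, b, c;
    unsigned long bad = 0;
    for (a = 0; a < lim; a++) for (b = 0; b < lim; b++) for (c = 0; c < lim; c++) {
        int k = dp_add_log2(a, b, c, n);
        uint64_t want = (k < 0) ? 0 : (1ull << (2 * n - (unsigned)k));
        bad += (dp_add_count(a, b, c, n) != want);
    }
    return bad;
}

int main(void) { printf("mismatches, n=4: %lu\n", check_all(4)); return 0; }
```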

SLIDE 23

Statistical properties of DP+ (1/2)

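$$P_\delta[\mathrm{DP}^+(\delta)=0] = P_\delta[\delta\text{ is not “good”}]$$

$$= P_\delta[\mathrm{eq}(\alpha\ll 1,\beta\ll 1,\gamma\ll 1)\wedge(\ldots)=0] \;\ldots\; = \frac{1}{2}\cdot(7/8)^{n-1}.$$

Other properties: similar approach (calculate the probability that the algorithm for $\mathrm{DP}^+$ does “something”)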

SLIDE 24

Statistical properties of DP+ (2/2)

  • $X : \delta \to \mathrm{DP}^+(\delta)$ is a sum of two distributions, $X = X_0 + X_1$
  • $X_0$ is defined on impossible differentials. $X_1$ is defined on possible differentials
  • $X_0$ is a constant distribution, $-\log_2 X_1$ is a binomial distribution with p = 6/7
  • It is now easy to calculate probabilities that for random δ, $\mathrm{DP}^+(\delta)\ge 2^{-k}$ for any k.

But how to find suitable differentials?

SLIDE 25

Maximum Differential Probability

  • Theorem. There exists a Θ(log n)-time algorithm that finds a γ s.t. $\mathrm{DP}^+(\alpha,\beta\to\gamma)=\mathrm{DP}^+_{\max}(\alpha,\beta)$. Improves upon the trivial algorithm of $\Theta(2^{3n})$.
  • Theorem. There exists a Θ(log n)-time algorithm that finds a (β, γ) s.t. $\mathrm{DP}^+(\alpha,\beta\to\gamma)=\mathrm{DP}^+_{2\max}(\alpha)$. Improves upon the trivial algorithm of $\Theta(2^{4n})$.

Both algorithms use complicated RAM-model algorithms that are interesting by themselves.

SLIDE 26

Conclusions

  • Log-time algorithms for most of the differential properties of addition
  • Previous algorithms: often exponential
  • Most drastic speedup: $\Theta(2^{4n}) \to \Theta(\log n)$
  • Hopefully has some practical applications!
  • Cryptanalytic software will (soon) be available from http://www.tml.hut.fi/~helger
