

  1. Exploiting Linear Hull in Matsui’s Algorithm 1
     Andrea Röck and Kaisa Nyberg
     Department of Information and Computer Science, Aalto University, School of Science
     The Seventh International Workshop on Coding and Cryptography 2011 (WCC 2011), April 11-15, 2011, Paris, France

  2. Outline
     ◮ Introduction
     ◮ Direct Attack
     ◮ Related Key Attack
     ◮ Results from Experiments
     ◮ Conclusion

  3. Introduction

  4. Linear Cryptanalysis [Matsui 1994]
     ◮ Key-alternating iterated block cipher ($R$ rounds):
       ◮ Block size: $n$ bits
       ◮ Plain text: $x = x_1$
       ◮ Key schedule: $K \in \mathbb{Z}_2^{\ell} \mapsto (K_1, \ldots, K_R)$
       ◮ Round function: $x_{i+1} = g(x_i \oplus K_i)$
       ◮ Cipher text: $\varepsilon_K(x) = x_{R+1}$
     ◮ Correlation over $R$ rounds:
       $c_R(u, w, K) = \dfrac{\#\{u \cdot x = w \cdot \varepsilon_K(x)\} - \#\{u \cdot x \neq w \cdot \varepsilon_K(x)\}}{2^n}$
     ◮ Matsui’s Algorithm 1:
       ◮ Use key dependency of $c_R(u, w, K)$ to learn $K \cdot v$
     ◮ Matsui’s Algorithm 2:
       ◮ Use that $|c_{R-1}(u, w, K)| > 0$ to gain information on $K_R$

  5. Example 1
     ◮ Single strong trail (like in SERPENT)
     ◮ Piling-up Lemma [Matsui 1994]:
       $c(u, w, K) = (-1)^{k_1 \oplus k_2 \oplus k_3}\, c_1 c_2 c_3$
     Sign of trail-correlation depends on linear combination of key bits

  6. Example 2 - Linear Hull
     ◮ Multiple strong trails (like in AES, PRESENT)
     ◮ The total correlation is the sum of the trail-correlations [Nyberg 2001, Daemen and Rijmen 2002]:
       $c(u, w, K) = (-1)^{k_1 \oplus k_2 \oplus k_3}\, c^3 + (-1)^{k_1 \oplus k_4 \oplus k_5}\, (-c^3)$

  7. Linear Hull - Algorithm 2
     ◮ The average squared correlation of the linear approximation taken over all keys is equal to the sum of all squared trail correlations [Nyberg 1995]
     ◮ On average $|c_{R-1}(u, w, K)|$ is large enough to learn $K_R$
     ◮ For some keys, $|c_{R-1}(u, w, K)|$ is very small and the attack does not work [Murphy 2009]

  8. Linear Hull - Algorithm 1
     ◮ Until now not analyzed
     ◮ Example: Two (independent) trails with trail-correlation $c$
       ◮ For 1/4 of keys: $c(u, w, K) = -2c$
       ◮ For 1/2 of keys: $c(u, w, K) = 0$ (Alg. 2 does not work)
       ◮ For 1/4 of keys: $c(u, w, K) = 2c$
     ◮ Correlation gives information of the key
     ◮ In example: we learn 1.5 bits of information

  9. Direct Attack

  10. Idea
     ◮ Total correlation can be approximated by strong key-mask correlations:
       $c(u, w, K) \approx \sum_{v \in \mathcal{V}} \rho(v)(-1)^{v \cdot K}$
       ◮ Set of strong key masks: $\mathcal{V}$
       ◮ Key-mask correlation: $\rho(v)(-1)^{v \cdot K}$
     ◮ Possible correlations: $\mathcal{C} = \{ c(u, w, K) : K \in \mathbb{Z}_2^{\ell} \}$
     ◮ Key classes: $\mathcal{K}(c) = \{ K \in \mathbb{Z}_2^{\ell} : c(u, w, K) = c \}$
     ◮ Goal: For a given secret key $K$ estimate $c \in \mathcal{C}$ from data such that $K \in \mathcal{K}(c)$

  11. Efficient Precomputation
     ◮ How to compute $\mathcal{C}$ and $\mathcal{K}(c)$ faster than evaluating $\sum_{v \in \mathcal{V}} \rho(v)(-1)^{v \cdot K}$ for all $K \in \mathbb{Z}_2^{\ell}$?
     ◮ Let $t = \dim(\mathrm{span}(\mathcal{V}))$
     ◮ Can partition set of keys into $2^t$ disjoint subsets such that all the keys in a subset have the same correlation (subset $\subset \mathcal{K}(c)$ for a $c \in \mathcal{C}$)
     ◮ Use fast Walsh-Hadamard transform
     ◮ Precomputation complexities: time $O(t\,2^t)$, memory $O(2^t)$

  12. Statistical Test
     ◮ $|\mathcal{C}|$-ary hypothesis testing problem: Find correct $c \in \mathcal{C}$
     ◮ $|\mathcal{K}(c)|$ varies a lot for different $c$
     ◮ Use a priori probabilities $\pi_c = \Pr[c(u, w, K) = c]$ of $c$ (Bayesian approach)
     ◮ Complexity depends on minimal distance in $\mathcal{C}$:
       $d = \min_{c_1 \neq c_2 \in \mathcal{C}} |c_1 - c_2|$
     ◮ Data complexity for error probability $P_e$:
       $N = 8 \ln(2)\, \dfrac{\log_2(|\mathcal{C}| - 1) - \log_2 P_e}{d^2}$

  13. Gained Information
     ◮ How much information do we learn?
     ◮ Average learned information: Shannon’s entropy of a priori probabilities $\pi_c$:
       $h = -\sum_{c \in \mathcal{C}} \pi_c \log_2 \pi_c$
     ◮ Special case: If all vectors in $\mathcal{V}$ linearly independent and $|\rho(v)| = \mathrm{const}$: $c \in \mathcal{C}$ are binomial distributed and
       $h = O\left( \tfrac{1}{2} \log_2\left( \tfrac{\pi e}{2} |\mathcal{V}| \right) \right)$
     ◮ Always $h \leq \log_2 |\mathcal{C}|$
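The precomputation, a priori probabilities, entropy and data-complexity formula from the Direct Attack slides, as an added Python example (not code from the presentation). It assumes key masks are given as integers and that the ρ(v) values add exactly in floating point (powers of two); all function names and the sample masks are constructed for illustration.

```python
from collections import Counter
from math import log, log2

def coords(masks):
    """Coordinates of each key mask over a basis of span(V) (GF(2) elimination)."""
    basis, out = [], []
    for v in masks:
        a = 0
        for i, b in enumerate(basis):
            if v ^ b < v:              # v has b's leading bit set
                v ^= b
                a |= 1 << i
        if v:                          # v is independent: extend the basis
            a |= 1 << len(basis)
            basis.append(v)
        out.append(a)
    return out, basis

def fwht(f):
    """Fast Walsh-Hadamard transform: F[s] = sum_a f[a] * (-1)^(a.s)."""
    f, h = list(f), 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
        h *= 2
    return f

def precompute(rho):
    """rho maps key mask v to rho(v). Returns (priors pi_c, basis, correlation per key class)."""
    a, basis = coords(list(rho))
    f = [0.0] * (1 << len(basis))
    for ai, r in zip(a, rho.values()):
        f[ai] += r
    corr = fwht(f)                     # 2^t values instead of 2^l key evaluations
    prior = {c: n / len(corr) for c, n in Counter(corr).items()}
    return prior, basis, corr

def key_class(K, basis):
    """Index s of the key class of K: bit i is the parity of basis[i] . K."""
    return sum((bin(b & K).count("1") & 1) << i for i, b in enumerate(basis))

def entropy(prior):
    return -sum(p * log2(p) for p in prior.values())

def data_complexity(prior, p_e):
    cs = sorted(prior)
    d = min(y - x for x, y in zip(cs, cs[1:]))   # minimal distance in C
    return 8 * log(2) * (log2(len(cs) - 1) - log2(p_e)) / d ** 2

# Constructed input: two independent masks (the two-trail example), rho = 2^-6 each.
TWO_TRAILS = {0b00111: 2.0 ** -6, 0b11001: 2.0 ** -6}
```

For `TWO_TRAILS` the priors are 1/4, 1/2, 1/4 on the correlations 2c, 0, -2c, and the entropy is the 1.5 bits quoted on slide 8.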

  14. Related Key Attack

  15. Idea
     ◮ Complexity of direct attack increases with number of strong key masks $|\mathcal{V}|$
     ◮ Reduce number of relevant key masks by related key attack
     ◮ Correlation difference:
       $\Delta(K, \alpha) = c(u, w, K) - c(u, w, K \oplus \alpha) = \sum_{v \in \mathcal{V}} (-1)^{v \cdot K} \rho(v) - \sum_{v \in \mathcal{V}} (-1)^{v \cdot (K \oplus \alpha)} \rho(v)$
     ◮ Reduced key mask set: $\mathcal{V}_\alpha = \{ v \in \mathcal{V} : v \cdot \alpha = 1 \}$
       $\Delta(K, \alpha) = 2 \sum_{v \in \mathcal{V}_\alpha} (-1)^{v \cdot K} \rho(v)$
     ◮ Statistical test and definition of $\mathcal{C}_\alpha$, $d_\alpha$, $t_\alpha$, $h_\alpha$ equivalent to direct attack

  16. Multiple Related Key Attack
     ◮ For a given $\mathcal{V}$ we can learn at most $t = \dim(\mathrm{span}(\mathcal{V}))$ bits of information
     ◮ Independent case: all vectors in $\mathcal{V}$ are linearly independent
       ◮ Given any $v \in \mathcal{V}$ choose $\alpha_v$ such that for all $v' \in \mathcal{V}$:
         $\alpha_v \cdot v' = \delta_{v, v'} = \begin{cases} 1 & \text{if } v' = v \\ 0 & \text{otherwise} \end{cases}$
       ◮ Then $\mathcal{V}_{\alpha_v} = \{v\}$ and from $\Delta(K, \alpha_v) = 2 (-1)^{v \cdot K} \rho(v)$ we learn $K \cdot v$ (as in the classical Alg. 1)
       ◮ Applying related key attacks for all $\alpha_v$, $v \in \mathcal{V}$ gives us $|\mathcal{V}| = t$ bits of information
     ◮ Can be generalized to dependent case by considering a basis of $\mathrm{span}(\mathcal{V})$ instead of $\mathcal{V}$ to learn $\leq t$ bits
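The related-key reduction of slides 15 and 16, as an added Python example (not code from the presentation). It evaluates the correlation model exactly instead of estimating it from data, and assumes linearly independent key masks given as integers; the function names and the sample masks are constructed for illustration.

```python
def parity(x):
    return bin(x).count("1") & 1

def solve_gf2(rows):
    """Return x with parity(m & x) == b for all (m, b) in rows, or None."""
    pivots = []
    for m, b in rows:
        for pm, pb in pivots:
            if m ^ pm < m:            # m has pm's leading bit set
                m, b = m ^ pm, b ^ pb
        if m:
            pivots.append((m, b))
        elif b:
            return None               # inconsistent system
    x = 0
    for m, b in reversed(pivots):     # back-substitution on leading bits
        if parity(m & x) != b:
            x |= 1 << (m.bit_length() - 1)
    return x

def correlation(rho, K):
    """Model c(u,w,K) as the sum over strong key masks of rho(v) * (-1)^(v.K)."""
    return sum(r * (-1) ** parity(v & K) for v, r in rho.items())

def delta(rho, K, alpha):
    """Correlation difference Delta(K, alpha) = c(K) - c(K xor alpha)."""
    return correlation(rho, K) - correlation(rho, K ^ alpha)

def reduced_set(rho, alpha):
    """V_alpha: the key masks with v . alpha = 1."""
    return [v for v in rho if parity(v & alpha)]

def alpha_for(v, rho):
    """Key difference alpha_v with alpha_v . v' = 1 if v' == v else 0."""
    return solve_gf2([(m, int(m == v)) for m in rho])

def recover_parities(rho, K):
    """Learn v.K for every v from the sign of Delta(K, alpha_v) = 2 (-1)^(v.K) rho(v)."""
    return {v: int(delta(rho, K, alpha_for(v, rho)) * r < 0) for v, r in rho.items()}

# Constructed input: three linearly independent masks over a 6-bit key.
RHO = {0b000111: 2.0 ** -6, 0b011001: -(2.0 ** -6), 0b101010: 2.0 ** -7}
```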

  17. Results from Experiments

  18. Round Reduced PRESENT [Bogdanov et al. 2007]
     ◮ 7 round 80-bit key version of PRESENT cipher
     ◮ Key schedule is semi-linear
       ◮ Extended key $K \in \mathbb{Z}_2^{104}$: round keys depend linearly on $K$
     ◮ Multiple strong trails of correlation $2^{-2R}$ for $R$ rounds
     ◮ Direct attack
       ◮ $|\mathcal{V}| = 24$, $|\mathcal{C}| = 13$, $t = 15$, $|\rho(v)| = 2^{-14}$, $h = 3.2$
     ◮ Related key approach
       ◮ Assert that $K \oplus \alpha$ can be produced ($\alpha$ must not influence non-linear parts of the key schedule)
       ◮ $|\mathcal{V}_\alpha| = 9$, $|\mathcal{C}_\alpha| = 10$, $t_\alpha = 9$, $|\rho(v)| = 2^{-14}$, $h_\alpha = 2.6$
     ◮ Multiple related key approach
       ◮ Learn 14.25 bits of information
     ◮ 400 random keys and $2^{32}$ plain text blocks
     ◮ Direct attack theoretically applicable on up to 12 rounds for an 80-bit key and on up to 14 rounds for a 128-bit key

  19. Probability of Success
     ◮ Test for 400 different keys
     [Plot: probability of success, vertical axis 0 to 1, horizontal axis 12 to 32]
     ◮ Multiple related key is only correct if all key classes are correct
     ◮ Related key has higher success probability

  20. Achieved Entropy
     ◮ Achieved entropy: entropy × success probability
     ◮ Test for 400 different keys
     [Plot: achieved entropy, vertical axis 0 to 14, horizontal axis 12 to 32]
     ◮ For $N \geq 2^{28}$ the multiple related key approach leads to best result

  21. Conclusion

  22. Comparison (1)
     ◮ Algorithm 1 vs. Algorithm 2 for multiple strong trails

     | Algorithm 1 | Algorithm 2 |
     |---|---|
     | Targets $K$ | Targets $K_R$ |
     | Works for all keys | Works for most keys |
     | Data complexity inversely proportional to minimal distance $d$ between elements in $\mathcal{C}$ | For about half of the keys the data complexity is better or equal to $O\left( \left( \sum_{v \in \mathcal{V}} \rho(v)^2 \right)^{-1} \right)$ |

  23. Comparison (2)
     ◮ Multiple related key approach vs. multidimensional linear cryptanalysis for Algorithm 1

     | | Multiple related key | Multidimensional |
     |---|---|---|
     | Setting | One approximation with multiple strong trails | $m$ linearly independent approx. each with one strong trail |
     | Dim. | $t$ dimension of trail set $\mathcal{V}$ | $m$ number of base approx. |
     | Data $N$ | $O\left( \max_{1 \leq i \leq t} \dfrac{(\lvert\mathcal{C}_{\alpha_i}\rvert - 1) - \log P_e}{d_{\alpha_i}^2} \right)$ | $O\left( \dfrac{(2^m - 1) - \log P_e}{2^m \sum_{\eta \in \mathbb{Z}_2^m} (p_\eta - 2^{-m})^2} \right)$ |
     | Offline | time: $O(t^2 2^t)$, memory: $O(t\,2^t)$ | time: $O(m\,2^m)$, memory: $O(2^m)$ |
     | Online | time: $O(tN)$, memory: $O(t)$ | time: $O(mN)$, memory: $O(2^m)$ |
     | Inform. | $\sim t$ bits | $m$ bits |

  24. Conclusion
     ◮ Application of Matsui’s Algorithm 1 on key-alternating iterated block cipher which has linear approximations with multiple strong trails
     ◮ Precomputation complexity increases with number of trails
     ◮ Data complexity is inversely proportional to minimal distance between possible correlations
     ◮ Related key analysis reduces number of considered trails
     ◮ Several key differences can be combined for a better result
