Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis (PowerPoint presentation)



SLIDE 1

Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis

Céline Blondeau and Kaisa Nyberg

Aalto University School of Science
kaisa.nyberg@aalto.fi

FSE 2017, Tokyo, March 8, 2017

SLIDE 2

FSE 2017 2/24

Outline

◮ Introduction
◮ Key-Recovery Attack: One Linear Approximation
◮ Application to SIMON 32/64
◮ Multidimensional/Multiple Linear Cryptanalysis
◮ Applications to PRESENT


SLIDE 4

Data Complexity in Linear Cryptanalysis

Known Plaintext (KP) or Distinct Known Plaintext (DKP) data

Linear cryptanalysis
◮ the data complexity is upper-bounded in terms of the expected absolute value of the linear correlation (or bias) or, when squared, the expected linear potential ELP

Multiple/multidimensional linear cryptanalysis
◮ the data complexity is upper-bounded in terms of the expected capacity (the sum of the ELPs of the linear approximations)

SLIDE 5

Variance of Correlation and Capacity

The correlation of a linear approximation varies with the key
◮ [BN 2016] Model of the classical case with a single dominant trail
◮ [this paper] Model of the case with several strong trails; application to SIMON

The capacity of a multiple/multidimensional approximation varies with the key
◮ Problem: obtain an accurate variance estimate
◮ [BN 2016] First estimate, based on [Huang et al. 2015]
◮ [this paper] Improved variance estimates
◮ [Vejre 2016] Multivariate cryptanalysis: without independence assumptions on the linear approximations


SLIDE 7

Observed Correlation

◮ D: sample set of size N
◮ K: encryption key
◮ k_r: recoverable part of the key
◮ κ: last-round key candidate
◮ G_κ^{-1}: decryption with κ

Observed correlation

$$\hat c(D, K, k_r, \kappa) = \frac{2}{N}\,\#\{(x, y') \in D \mid u \cdot x + v \cdot G_\kappa^{-1}(y') = 0\} - 1$$

Parameters of the observed correlation

$$\mathrm{Exp}_D\, \hat c(D, K, k_r, \kappa) = c(K, k_r, \kappa), \qquad \mathrm{Var}_D\, \hat c(D, K, k_r, \kappa) = \frac{B}{N}$$

$$B = \begin{cases} 1, & \text{for KP (binomial distribution)},\\[4pt] \dfrac{2^n - N}{2^n - 1}, & \text{for DKP (hypergeometric distribution)}. \end{cases}$$

It remains to determine the parameters of c(K, k_r, κ).

SLIDE 8

Parameters of c(K, k_r, κ)

We expect different behaviour for κ = k'_r (cipher) and κ ≠ k'_r (random).

Random
◮ c(K, k_r, κ) is the correlation of a random linear approximation [Daemen-Rijmen 2006]
◮ c(K, k_r, κ) is a normal deviate with

$$\mathrm{Exp}_{K, k_r, \kappa}\, c(K, k_r, \kappa) = 0, \qquad \mathrm{Var}_{K, k_r, \kappa}\, c(K, k_r, \kappa) = 2^{-n}$$

Cipher
◮ denote c(K) = c(K, k_r, κ); then

$$\mathrm{Exp}_K\, c(K) = c, \qquad \mathrm{Exp}_K\, c(K)^2 = \mathrm{ELP}, \qquad \mathrm{Var}_K\, c(K) = \mathrm{ELP} - c^2$$

SLIDE 9

Case: Several Dominant Trails

Normal distribution, c = 0

Figure: densities of the observed correlation under the normal model, N(0, 1/N + 2^{-n}) for a wrong key candidate (random) and N(0, 1/N + ELP) for the right key (cipher); the acceptance region is the two tails beyond −Θ and Θ.

Given advantage a and sample size N, then

$$P_S = 2 - 2\,\Phi\!\left(\sqrt{\frac{B + N 2^{-n}}{B + N \cdot \mathrm{ELP}}}\;\Phi^{-1}\!\left(1 - 2^{-a-1}\right)\right)$$

where Φ is the CDF of the standard normal distribution.

SLIDE 11

Experiments on SIMON

[Chen-Wang 2016] Attack on 20 rounds of SIMON32/64 using a 13-round linear approximation with c ≈ 0 and experimentally determined ELP = 2^{-18.19}

Data  N       a   P_S(exp)  P_S(our)  P_S(bt)   P_S(selcuk)  P_S(min)  P_S(max)
DKP   2^31.5  8   32.2%     36.6%     (26.7%)   (60.4%)      (23.5%)   (35.6%)
DKP   2^32    8   38.4%     44.1%     (36.8%)   (80.5%)      (24.9%)   (38.9%)
KP    2^33    8   30.6%     35.3%     61.7%     99.2%        26.1%     42.7%
KP    2^35    8   35.5%     41.4%     97.3%     100%         26.4%     43.7%
DKP   2^31.5  3   58.4%     63%       (87.4%)   (94.7%)      (25.9%)   (42.0%)
DKP   2^32    3   64.1%     68.1%     (94.2%)   (98.6%)      (26.2%)   (42.9%)
KP    2^33    3   60.5%     62.2%     99.5%     100%         26.4%     43.7%
KP    2^35    3   59.6%     66.3%     100%      100%         26.4%     43.7%
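As an added example (not the authors' code), the following Python reproduces the P_S(our) column of this table from the success-probability formula of slide 9 and the sampling factor B of slide 7, with block size n = 32 for SIMON32/64. It takes ELP = 2^{-28.19}, the value that reproduces the column to within rounding; with 2^{-18.19} as printed in the slide text the formula returns roughly 97% for the KP rows.

```python
from statistics import NormalDist  # Python 3.8+: cdf() is Phi, inv_cdf() is Phi^{-1}

_STD_NORMAL = NormalDist()


def sampling_factor(n: int, N: float, distinct: bool) -> float:
    """B from slide 7: 1 for KP (binomial sampling), (2^n - N)/(2^n - 1)
    for DKP (hypergeometric sampling: no plaintext is drawn twice)."""
    if not distinct:
        return 1.0
    return (2.0 ** n - N) / (2.0 ** n - 1.0)


def success_probability(n: int, N: float, elp: float, a: int,
                        distinct: bool) -> float:
    """P_S = 2 - 2 Phi( sqrt((B + N 2^-n) / (B + N ELP)) Phi^{-1}(1 - 2^{-a-1}) ).

    A wrong key candidate gives an observed correlation ~ N(0, B/N + 2^-n);
    the threshold Theta is chosen so that such a candidate is accepted with
    probability 2^-a (advantage a bits).  The right key gives ~ N(0, B/N + ELP),
    since its correlation has mean ~0 but variance ELP over the keys, so it is
    accepted (|c_hat| > Theta) with probability P_S."""
    B = sampling_factor(n, N, distinct)
    sigma_ratio = ((B + N * 2.0 ** (-n)) / (B + N * elp)) ** 0.5
    theta_in_wrong_key_units = _STD_NORMAL.inv_cdf(1.0 - 2.0 ** (-a - 1))
    return 2.0 - 2.0 * _STD_NORMAL.cdf(sigma_ratio * theta_in_wrong_key_units)


def simon_table(elp: float = 2.0 ** -28.19) -> dict:
    """P_S(our) column of the SIMON32/64 table (n = 32), keyed by
    (data type, log2 N, a).  The default ELP is an assumption (see lead-in)."""
    rows = [("DKP", 31.5, 8), ("DKP", 32, 8), ("KP", 33, 8), ("KP", 35, 8),
            ("DKP", 31.5, 3), ("DKP", 32, 3), ("KP", 33, 3), ("KP", 35, 3)]
    return {(d, e, a): success_probability(32, 2.0 ** e, elp, a, d == "DKP")
            for d, e, a in rows}


if __name__ == "__main__":
    for (d, e, a), ps in simon_table().items():
        print(f"{d:3s} N=2^{e:<4} a={a}  P_S = {100 * ps:5.1f}%")
```

Note that for DKP with N = 2^n the factor B is exactly 0: with the full codebook there is no sampling noise left, only the key-dependent spread of the correlation.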

SLIDE 12

Summary of Linear Attack

Variance of correlation

$$\mathrm{Var}_K\, c(K) = \mathrm{ELP} - (\mathrm{Exp}_K\, c(K))^2$$

[Selçuk 2008] & [Bogdanov-Tischhauser 2013]
◮ ELP = (Exp_K c(K))^2 ⇒ Var_K c(K) = 0, that is, all keys behave as the average.

[BN 2016]
◮ Var_K c(K) > 0 and Exp_K c(K) = ±c where c ≠ 0 (one dominant trail)

[this paper]
◮ Var_K c(K) > 0 and Exp_K c(K) ≈ 0 ⇒ Var_K c(K) ≈ ELP
◮ Strong trails always count

SLIDE 13

Estimating ELP

$$c(K) = \sum_{\tau} (-1)^{\tau \cdot K}\, c(u, \tau, v)$$

where c(u, τ, v) is the trail correlation of trail τ.

[Bogdanov-Tischhauser 2013] Set S of identified trails. Write

$$c(K) = \sum_{\tau \in S} (-1)^{\tau \cdot K}\, c(u, \tau, v) + R(K)$$

where R(K) is assumed to behave like random. Then

$$\mathrm{ELP} \approx \sum_{\tau \in S} c(u, \tau, v)^2 + 2^{-n}.$$

Accuracy depends on the choice of S.


SLIDE 15

Attack Statistic

Given ℓ linear approximations, the attack statistic is computed as

$$T(D, K, k_r, \kappa) = N \sum_{j=1}^{\ell} \hat c_j(D, K, k_r, \kappa)^2.$$

In a multidimensional attack the linear approximations form a linear subspace and the attack statistic can also be computed as

$$T(D, K, k_r, \kappa) = \sum_{\eta = 0}^{2^s - 1} \frac{(V[\eta] - N 2^{-s})^2}{N 2^{-s}},$$

where V[η] is the number of occurrences of the value η in the observed data distribution of dimension s, where 2^s = ℓ + 1.
SLIDE 16

Parameters of T(D, K, k_r, κ)

Given in terms of the capacity C(K) (= sum of squared correlations):

Cipher [BN 2016]

$$\mathrm{Exp}_{D,K}\, T(D, K, k_r, \kappa) = B\ell + N \cdot \mathrm{Exp}_K\, C(K)$$

$$\mathrm{Var}_{D,K}\, T(D, K, k_r, \kappa) = 2B^2\ell + 4BN \cdot \mathrm{Exp}_K\, C(K) + N^2 \cdot \mathrm{Var}_K\, C(K)$$

◮ Multiple LC: assumption about the independence of the correlations ĉ_j(D, K, k_r) for each fixed K, k_r
◮ Multidimensional LC: no assumption

Random

$$\mathrm{Exp}_{D,K}\, T(D, K, k_r, \kappa) = B\ell + N 2^{-n}\ell, \qquad \mathrm{Var}_{D,K}\, T(D, K, k_r, \kappa) = \frac{2}{\ell}\,(B\ell + N 2^{-n}\ell)^2$$

(non-central χ² distribution)

SLIDE 17

Multidimensional Trail for SPN Cipher

After encryption/decryption with the key candidate, data pairs are in U × V.

Figure: the multidimensional trail passes through the S-box layer S1, the permutation layer, r − 2 middle rounds and the S-boxes S2 ∥ S3, between the input masks u_i ∈ U and output masks v_i ∈ V. Here ℓ = |U| · |V| − 1 and M = |Ω_α| · |Ω_β|; a trail u_i → w_α → w_β → v_i contributes the squared correlations cor²_1(u_i, w_α), cor²_{r−2}(w_α, w_β) and cor²_1(w_β, v_i).

bijective S-boxes ⇒ the capacity on U × V is equal to the capacity on S1(U) × (S2∥S3)^{-1}(V) ⇒ two nonlinear rounds for free

SLIDE 18

Capacity of Multidimensional Approximation

S1(U) × (S2∥S3)^{-1}(V) has a certain capacity C(K). In practice, it can be estimated by considering a subset of M strong linear approximations (u_j, v_j) ∈ S1(U) × (S2∥S3)^{-1}(V) and assuming all other linear approximations are random. In general, write

$$C(K) = \sum_{j=1}^{M} c(u_j, v_j)(K)^2 + \sum_{j=M+1}^{\ell} \rho_j^2$$

where the ρ_j are correlations of random linear approximations.

SLIDE 19

Estimating Expected Capacity

Denote ELP_j = Exp_K[c(u_j, v_j)(K)^2]. Then

$$\mathrm{Exp}_K\, C(K) = \sum_{j=1}^{\ell} \mathrm{ELP}_j.$$

For a subset of linear approximations, numbered as j = 1, ..., M, with identified sets S_j of strong linear trails, and the remaining ones assumed to be random:

$$\mathrm{Exp}_K\, C(K) \approx \sum_{j=1}^{M} \mathrm{ELP}_j + (\ell - M)\, 2^{-n}.$$

By ELP_j ≈ Σ_{τ∈S_j} c(u_j, τ, v_j)^2 + 2^{-n}, we obtain

$$C = \mathrm{Exp}_K\, C(K) \approx \sum_{j=1}^{M} \sum_{\tau \in S_j} c(u_j, \tau, v_j)^2 + \ell\, 2^{-n}.$$

SLIDE 20

Estimating Variance of Capacity

Starting from

$$C(K) = \sum_{j=1}^{M} c(u_j, v_j)(K)^2 + \sum_{j=M+1}^{\ell} c(u_j, v_j)(K)^2,$$

where the linear approximations (u_j, v_j), j = M + 1, ..., ℓ, are random, we further assume:

Assumption: the correlations c(u_j, v_j)(K), j = 1, ..., M, are independent and have expected value equal to zero.

Then

$$\mathrm{Var}_K\, C(K) = \sum_{j=1}^{M} 2\,\mathrm{ELP}_j^2 + (\ell - M)\, 2^{1-2n}.$$


SLIDE 22

Five Round SMALLPRESENT-[4]

Figure: comparison between the experimental distribution of T(D, K, k_r, κ) and normal distributions with mean ℓ + NC and different variances (experimental; Hermelin et al.; Huang et al.; this work). Left with N = 2^14. Right with N = 2^15.
SLIDE 23

Multidimensional Linear Attack on PRESENT

attacked   Σ_{j=1}^{M} Σ_{τ∈S_j} c(u_j, τ, v_j)²   C          N (KP)    Success probability
rounds r   (over r − 2 rounds)                                          Cho 2010   This paper
24         2^-50.16                               2^-49.95   2^58.5    97%        86%
25         2^-52.77                               2^-51.80   2^61      94%        74%
26         2^-55.38                               2^-52.60   2^63.8    98%        51%

Table: Multidimensional linear attacks on PRESENT. Success probability for an advantage a of 8 bits.

Remark. Using DKP, the success probability is higher, e.g., for the 26-round attack we get P_S = 90%.

SLIDE 24

Conclusions

◮ Focus on linear approximations with several strong trails
◮ Improved formula for P_S of the linear key-recovery attack
◮ New, better and simpler model of the attack on SIMON
◮ Parameters of the test statistic in multiple/multidimensional cryptanalysis
◮ Improved estimates of the expected value and variance of the capacity

Thank you for your attention!