Improved Parameter Estimates for Correlation and Capacity Deviates - PowerPoint PPT Presentation

Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C´ eline Blondeau and Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi FSE 2017 TOKYO March 8, 2017

Outline Introduction Key-Recovery Attack: One Linear Approximation Application to SIMON 32/64 Multidimensional/Multiple Linear Cryptanalysis Applications to PRESENT FSE 2017 2/24

Outline Introduction Key-Recovery Attack: One Linear Approximation Application to SIMON 32/64 Multidimensional/Multiple Linear Cryptanalysis Applications to PRESENT FSE 2017 3/24

Data Complexity in Linear Cryptanalysis Known Plaintext (KP) or Distinct Known Plaintext (DKP) data Linear cryptanalysis ◮ data complexity upperbounded based on expected absolute value of linear correlation (or bias), or when squared, expected linear potential ELP Multiple/Multidimensional linear cryptanalysis ◮ data complexity upperbounded based on expected capacity (sum of the ELP of linear approximations) FSE 2017 4/24

Variance of Correlation and Capacity Correlation of a linear approximation varies with key [BN 2016] Model of classical case with single dominant trail [this paper] Model of the case with several strong trails Application to SIMON Capacity of multiple/multidimensional varies with key Problem: Obtain accurate variance estimate [BN 2016] First estimate based on [Huang et al. 2015] [this paper] Improved variance estimates [Vejre 2016] Multivariate cryptanalysis: without independence assumptions on linear approximations FSE 2017 5/24

Outline Introduction Key-Recovery Attack: One Linear Approximation Application to SIMON 32/64 Multidimensional/Multiple Linear Cryptanalysis Applications to PRESENT FSE 2017 6/24

Observed Correlation D sample set of size N K encryption key k r recoverable part of the key κ last round key candidate G − 1 decryption with κ κ Observed correlation c ( D , K , k r , κ ) = 2 ˆ N # { ( x , y ′ ) ∈ D | u · x + v · G − 1 κ ( y ′ ) = 0 } − 1 Parameters of observed correlation Exp D ˆ c ( D , K , k r , κ ) = c ( K , k r , κ ) Var D ˆ c ( D , K , k r , κ ) = B N  1 , for KP (binomial distribution),  2 n − N B = 2 n − 1 , for DKP (hypergeometric distribution).  It remains to determine parameters of c ( K , k r , κ ) FSE 2017 7/24

Parameters of c ( K , k r , κ ) We expect different behaviour for κ = k ′ r (cipher) and κ � = k ′ r (random). Random c ( K , k r , κ ) is a correlation of a random linear approximation [Daemen-Rijmen 2006] c ( K , k r , κ ) is a normal deviate with Exp K , k r ,κ c ( K , k r , κ ) = 0 2 − n Var K , k r ,κ c ( K , k r , κ ) = Cipher denote c ( K ) = c ( K , k r , κ ) Exp K c ( K ) = c Exp K c ( K ) 2 = ELP ELP − c 2 Var K c ( K ) = FSE 2017 8/24

Case: Several Dominant Trails Normal distribution, c = 0 N ( 0 , 1 1.8 N + 2 − n ) N ( 0 , 1 N + ELP ) 1.6 1.4 − Θ Θ 1.2 1 Acceptance region Acceptance region 0.8 0.6 0.4 0.2 0 -2 -1.5 -1 -0.5 0 0.5 1 1.5 2 Given advantage a and sample size N , then �� � B + N 2 − n B + N · ELP · Φ − 1 ( 1 − 2 − a − 1 ) P S = 2 − 2 Φ where Φ is CDF of standard normal distribution FSE 2017 9/24

Outline Introduction Key-Recovery Attack: One Linear Approximation Application to SIMON 32/64 Multidimensional/Multiple Linear Cryptanalysis Applications to PRESENT FSE 2017 10/24

Experiments on SIMON [Chen-Wang 2016] Attack on 20 rounds of SIMON32/64 using a 13-round linear approximation with c ≈ 0 and experimentally determined ELP = 2 − 18 . 19 P ( exp ) P ( our ) P ( bt ) P ( selcuk ) P ( min ) P ( max ) Data N a S S S S S S 2 31 . 5 DKP 8 32 . 2 % 36 . 6 % (26 . 7 % ) (60 . 4 % ) (23 . 5 % ) (35 . 6 % ) 2 32 DKP 8 38 . 4 % 44 . 1 % (36 . 8 % ) (80 . 5 % ) (24 . 9 % ) (38 . 9 % ) 2 33 KP 8 30 . 6 % 35 . 3 % 61 . 7 % 99 . 2 % 26 . 1 % 42 . 7 % 2 35 KP 8 35 . 5 % 41 . 4 % 97 . 3 % 100 % 26 . 4 % 43 . 7 % 2 31 . 5 DKP 3 58 . 4 % 63 % (87 . 4 % ) (94 . 7 % ) (25 . 9 % ) (42 . 0 % ) 2 32 DKP 3 64 . 1 % 68 . 1 % (94 . 2 % ) (98 . 6 % ) (26 . 2 % ) (42 . 9 % ) 2 33 KP 3 60 . 5 % 62 . 2 % 99 . 5 % 100 % 26 . 4 % 43 . 7 % 2 35 KP 3 59 . 6 % 66 . 3 % 100 % 100 % 26 . 4 % 43 . 7 % FSE 2017 11/24

Summary of Linear Attack Variance of correlation Var K c ( K ) = ELP − ( Exp K c ( K )) 2 [Selc ¸uk 2008] & [Bogdanov-Tischhauser 2013] ELP = ( Exp K c ( K )) 2 ⇒ Var K c ( K ) = 0 that is, all keys behave as average. [BN 2016] Var K c ( K ) > 0 and Exp K c ( K ) = ± c where c � = 0 (one dominant trail) [this paper] Var K c ( K ) > 0 and Exp K c ( K ) ≈ 0 ⇒ Var K c ( K ) ≈ ELP Strong trails always count FSE 2017 12/24

Estimating ELP � ( − 1 ) τ · K c ( u , τ, v ) c ( K ) = τ where c ( u , τ, v ) is trail correlation of trail τ [Bogdanov-Tischhauser 2013] Set S of identified trails. Write � ( − 1 ) τ · K c ( u , τ, v ) + R ( K ) c ( K ) = τ ∈S where R ( K ) is assumed to behave like random. c ( u , τ, v ) 2 + 2 − n . � ELP ≈ τ ∈S Accuracy depends on the choice of S FSE 2017 13/24

Outline Introduction Key-Recovery Attack: One Linear Approximation Application to SIMON 32/64 Multidimensional/Multiple Linear Cryptanalysis Applications to PRESENT FSE 2017 14/24

Attack Statistic Given ℓ linear approximations, the attack statistic is computed as ℓ � c j ( D , K , k r , κ ) 2 . T ( D , K , k r , κ ) = N ˆ j = 1 In multidimensional attack the linear approximations form a linear subspace and the attack statistic can also be computed as ℓ ( V [ η ] − N 2 − s ) 2 � T ( D , K , k r , κ ) = , N 2 − s η = 0 where V [ η ] corresponds to the number of occurrences of the value η of the observed data distribution of dimension s where 2 s = ℓ + 1. FSE 2017 15/24

Parameters of T ( D , K , k r , κ ) Given in terms of capacity C ( K ) (= sum of squared correlations): Cipher [BN2016] Exp D , K T ( D , K , k r , κ ) = B ℓ + N · Exp K C ( K ) Var D , K T ( D , K , k r , κ ) = 2 B 2 ℓ + 4 BN · Exp K C ( K ) + N 2 · Var K C ( K ) Multiple LC: assumption about independence of correlations ˆ c j ( D , K , k r ) for each fixed K , k r Multidimensional LC: No assumption Random Exp D , K ( T ( D , K , k r , κ )) = B ℓ + N 2 − n ℓ ℓ ( B ℓ + N 2 − n ℓ ) 2 Var D , K ( T ( D , K , k r , κ )) = 2 non-central χ 2 distribution FSE 2017 16/24

Multidimensional Trail for SPN Cipher After encryption/decryption with key candidate, data pairs in U × V U u i cor 2 1 ( u i , w α ) S 1 w α Permutation Layer cor 2 r − 2 ( w α , w β ) ℓ = | U | · | V | − 1 r − 2 rounds M = | Ω α | · | Ω β | w β cor 2 1 ( w β , v i ) S 3 S 2 v i V bijective S-boxes ⇒ capacity on U × V is equal to capacity on S 1 ( U ) × ( S 2 || S 3 ) − 1 ( V ) ⇒ two nonlinear rounds for free FSE 2017 17/24

Capacity of Multidimensional Approximation S 1 ( U ) × ( S 2 || S 3 ) − 1 ( V ) has a certain capacity C ( K ) . In practice, it can be estimated by considering a subset of M strong linear approximations ( u j , v j ) ∈ S 1 ( U ) × ( S 2 || S 3 ) − 1 ( V ) and assume all other linear approximations are random In general, write M ℓ c ( u j , v j )( K ) 2 + � � ρ 2 C ( K ) = j j = 1 j = M + 1 where ρ j are correlations of random linear approximations. FSE 2017 18/24

Estimating Expected Capacity c ( u j , k j ) 2 � � Denote ELP j = Exp . Then ℓ � Exp K C ( K ) = ELP j . j = 1 Subset of linear approximations, numbered as j = 1 , . . . , M , with identified sets S j of strong linear trails, and the remaining are assumed to be random: M � ELP j + ( ℓ − M ) 2 − n . Exp K C ( K ) ≈ j = 1 τ ∈S j c ( u j , τ, v j ) 2 + 2 − n , we obtain By ELP j ≈ � M c ( u j , τ, v j ) 2 + ℓ 2 − n . � � C = Exp K C ( K ) ≈ j = 1 τ ∈S j FSE 2017 19/24

Estimating Variance of Capacity Starting from M ℓ c ( u j , v j )( K ) 2 + � � c ( u j , v j )( K ) 2 , C ( K ) = j = 1 j = M + 1 where the linear approximations ( u j , v j ) , j = M + 1 , . . . , ℓ , are random, we further assume: Assumption: Correlations c ( u j , v j )( K ) , j = 1 , . . . , M , are independent and have expected value equal to zero. Then M � 2 ELP 2 j + ( ℓ − M ) 2 1 − 2 n . Var K C ( K ) = j = 1 FSE 2017 20/24

Outline Introduction Key-Recovery Attack: One Linear Approximation Application to SIMON 32/64 Multidimensional/Multiple Linear Cryptanalysis Applications to PRESENT FSE 2017 21/24

Five Round SMALLPRESENT-[4] 200 160 Experimental Experimental 180 Hermelin et al Hermelin et al 140 Huang et al Huang et al 160 this work this work 120 140 100 120 100 80 80 60 60 40 40 20 20 0 0 200 320 440 560 680 800 200 340 480 620 760 900 T R ( D , K ) T R ( D , K ) Figure : Comparison between the experimental distribution of T ( D , K , k r , κ ) and normal distributions with mean ℓ + NC and different variances. Left with N = 2 14 . Right with N = 2 15 . FSE 2017 22/24