On the Construction of Partial Difference Distribution Tables for - - PowerPoint PPT Presentation

▶

Aug 12, 2023 35 likes •479 views

Motivation Partial DDT-s Results Conclusions On the Construction of Partial Difference Distribution Tables for ARX Ciphers A. Biryukov V. Velichkov LACS, Luxembourg University ESC 2013, January 14-18, Mondorf-les-Bains, Luxembourg

SLIDE 1

Motivation Partial DDT-s Results Conclusions

On the Construction of Partial Difference Distribution Tables for ARX Ciphers

A. Biryukov
V. Velichkov

LACS, Luxembourg University

ESC 2013, January 14-18, Mondorf-les-Bains, Luxembourg

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 1 / 37

SLIDE 2

Motivation Partial DDT-s Results Conclusions

Outline

1

Motivation

2

Partial DDT-s

3

Results Computation of pDDT-s: Timings Preliminary Results on TEA

4

Conclusions

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 2 / 37

SLIDE 3

Motivation Partial DDT-s Results Conclusions

Outline

1

Motivation

2

Partial DDT-s

3

Results Computation of pDDT-s: Timings Preliminary Results on TEA

4

Conclusions

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 3 / 37

SLIDE 4

Motivation Partial DDT-s Results Conclusions

Differential Cryptanalysis [Biham,Shamir,1991]

P round X1 round X2 round C P⋆ round X ⋆

1

round X ⋆

2

round C⋆ α = P ⊕ P⋆ ∆X1 ∆X2 β = C ⊕ C⋆ DP(α → β) =?

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 4 / 37

SLIDE 5

Motivation Partial DDT-s Results Conclusions

Substitution Box (S-box): a Source of Non-linearity

An example 4-bit S-box: a S b = S[a]

a 0 1 2 3 4 5 6 7 8 9 A B C D E F S[a] E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

The differential probability of an S-box: DP(α → β) = #{a : S[a ⊕ α] ⊕ S[a] = β} #{a} . S-boxes make differential cryptanalysis harder

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 5 / 37

SLIDE 6

Motivation Partial DDT-s Results Conclusions

Difference Distribution Table (DDT) for 4-bit S-box

α, β 1 2 3 4 5 6 7 8 9 A B C D E F 16 . . . . . . . . . . . . . . . 1 . . . 2 . . . 2 . 2 4 . 4 2 . . 2 . . . 2 . 6 2 2 . 2 . . . . 2 . 3 . . 2 . 2 . . . . 4 2 . 2 . . 4 4 . . . 2 . . 6 . . 2 . 4 2 . . . 5 . 4 . . . 2 2 . . . 4 . 2 . . 2 6 . . . 4 . 4 . . . . . . 2 2 2 2 7 . . 2 2 2 . 2 . . 2 2 . . . . 4 8 . . . . . . 2 2 . . . 4 . 4 2 2 9 . 2 . . 2 . . 4 2 . 2 2 2 . . . A . 2 2 . . . . . 6 . . 2 . . 4 . B . . 8 . . 2 . 2 . . . . . 2 . 2 C . 2 . . 2 2 2 . . . . 2 . 6 . . D . 4 . . . . . 4 2 . 2 . 2 . 2 . E . . 2 4 2 . . . 6 . . . . . 2 . F . 2 . . 6 . . . . 4 . 2 . . 2 .

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 6 / 37

SLIDE 7

Motivation Partial DDT-s Results Conclusions

DDT: Analyzing the Differential Properties of an S-box

A DDT reflects the differential properties of an S-box Many useful parameters can be computed from the DDT e.g. the maximum differential probability: max

α,β DP(α → β) = DP(0xB → 0x2) = 8

16 = 0.5 . Used to estimate the strength against DC e.g. set upper bound on the max. probability of a differential

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 7 / 37

SLIDE 8

Motivation Partial DDT-s Results Conclusions

Cipher Designs that Use S-boxes

Many cipher designs use S-boxes as a component S S S S P Examples: DES, AES, PRESENT, etc.

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 8 / 37

SLIDE 9

Motivation Partial DDT-s Results Conclusions

Modular Addition and XOR as Sources of Non-linearity

a b ADD a + b a b XOR a ⊕ b ADD is non-linear w.r.t. XOR differences: (a ⊕ α)+(b ⊕ β) = (a+b) ⊕ (α+β) . XOR is non-linear w.r.t. ADD differences (a + α)⊕(b + β) = (a⊕b) + (α⊕β) .

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 9 / 37

SLIDE 10

Motivation Partial DDT-s Results Conclusions

Designs Based on ADD and XOR (ARX)

ADD and XOR provide non-linearity similarly to an S-box ≪ ≪ ≪ ≪ Examples: FEAL, MD4, MD5, Salsa20, Skein, etc.

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 10 / 37

SLIDE 11

Motivation Partial DDT-s Results Conclusions

The XOR Differential Probability of Modular Addition

α, β, γ are XOR differences: α β γ xdp+ xdp+(α, β → γ) = #{(a, b) : ((a ⊕ α) + (b ⊕ β) ⊕ (a + b)) = γ} #{(a, b)} .

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 11 / 37

SLIDE 12

Motivation Partial DDT-s Results Conclusions

The Additive Differential Probability of XOR

α, β, γ are additive (ADD) differences: α β γ adp⊕ adp⊕(α, β → γ) = #{(a, b) : ((a + α) ⊕ (b + β)) − (a + b) = γ} #{(a, b)} .

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 12 / 37

SLIDE 13

Motivation Partial DDT-s Results Conclusions

A DDT for ADD (resp. XOR)?

Viewing the ADD operation as an S-box: (a, b) S c = a + b = S[a||b] The DDT of this S-box is huge: 264 × 232 Infeasible to compute and store the full table! Maybe we can only store part of the DDT, say, the top k differentials: k ≪ 264 × 232 . (1) A partial DDT?

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 13 / 37

SLIDE 14

Motivation Partial DDT-s Results Conclusions

Outline

1

Motivation

2

Partial DDT-s

3

Results Computation of pDDT-s: Timings Preliminary Results on TEA

4

Conclusions

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 14 / 37

SLIDE 15

Motivation Partial DDT-s Results Conclusions

Partial DDT for XOR and ADD

Definition A partial difference distribution table D for ADD (resp. XOR) is a DDT that contains all XOR (resp. ADD) differentials (α, β → γ) whose probabilities are larger than or equal to a pre-defined threshold pthres: (α, β, γ) ∈ D ⇐ ⇒ DP(α, β → γ) ≥ pthres .

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 15 / 37

SLIDE 16

Motivation Partial DDT-s Results Conclusions

Computation of a Partial DDT

Proposition The differential probabilities (DP) of ADD and XOR (resp. xdp+ and adp⊕) are monotonously decreasing with the word size n of the differences α, β, γ: pn ≤ . . . ≤ pk+1 ≤ pk ≤ pk−1 ≤ . . . ≤ p1 , where pk = DP(αk, βk → γk) , n ≤ k ≤ 1 , and xk denotes the k LSB-s of the difference x.

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 16 / 37

SLIDE 17

Motivation Partial DDT-s Results Conclusions

The DP of ADD and XOR is Decreasing with n

For ADD, the proposition follows from a result by [LM01]: xdp+(α, β → γ) = 2− n−2

i=0 ¬eq(α[i],β[i],γ[i]) ,

where eq(α[i], β[i], γ[i]) = 1 ⇐ ⇒ α[i] = β[i] = γ[i] . Is also true for adp⊕.

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 17 / 37

[LM01] Lipmaa, Moriai: Efficient Algorithms for Computing Differential Properties of Addition. FSE 2001: 336-350

SLIDE 18

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 1 α β 1 1 γ 1.0 1.0

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 19

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 2 α 10 β 01 01 γ 0.5 ≤ 1.0 0.5

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 20

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 3 α 110 β 001 001 γ 0.25 ≤ 0.5 ≤ 1.0 0.25

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 21

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 4 α 1110 β 0001 0001 γ 0.125 ≤ 0.25 ≤ 0.5 ≤ 1.0 0.125

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 22

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 5 α 01110 β 00001 00001 γ 0.0625 ≤ 0.125 ≤ 0.25 ≤ 0.5 ≤ 1.0 0.0625

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 23

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 6 α 101110 β 000001 100001 γ 0.0625 ≤ 0.0625 ≤ 0.125 ≤ 0.25 ≤ 0.5 ≤ 1.0 0.0625

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 24

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 7 α 0101110 β 1000001 1100001 γ 0.03125 ≤ 0.0625 ≤ 0.0625 ≤ 0.125 ≤ 0.25 ≤ 0.5 ≤ 1.0 0.03125

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 25

Motivation Partial DDT-s Results Conclusions

Example: the DP of ADD is Decreasing with n

n = 8 α 00101110 β 11000001 11100001 γ 0.015625 ≤ 0.03125 ≤ 0.0625 ≤ 0.0625 ≤ 0.125 ≤ 0.25 ≤ 0.5 ≤ 1.0 0.015625

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

SLIDE 26

Motivation Partial DDT-s Results Conclusions

Computing a Partial DDT for ADD and XOR

Procedure 1 Compute partial DDT for ADD or XOR. Input: n, pthres, k, pk, αk, βk, γk. Output: Partial DDT D: (α, β, γ) ∈ D : DP(α, β → γ) ≥ pthres.

1: if n = k then 2:

Add (α, β, γ) ← (αk, βk, γk) to D

3:

return

4: for x, y, x ∈ {0, 1} do 5:

αk+1 ← x|αk, βk+1 ← y|βk, γk+1 ← z|γk .

6:

pk+1 = DP(αk+1, βk+1 → γk+1)

7:

if pk+1 ≥ pthres then

8:

Procedure 1(n, pthres, k + 1, pk+1, αk+1, βk+1, γk+1)

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 19 / 37

SLIDE 27

Motivation Partial DDT-s Results Conclusions

Outline

1

Motivation

2

Partial DDT-s

3

Results Computation of pDDT-s: Timings Preliminary Results on TEA

4

Conclusions

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 20 / 37

SLIDE 28

Motivation Partial DDT-s Results Conclusions

Computation of Partial DDT: Timings, n = 32

ADD XOR pthres DDT size Time DDT size Time 0.1 252, 940 36, sec. 3, 951, 388 2.29, min. 0.7 361, 420 37, sec. 3, 951, 388 1.23, min. 0.05 3, 038, 668 5.35, min. 167, 065, 948 44.36, min. 0.01 2, 715, 532, 204 17.46, hours. – –

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 21 / 37

SLIDE 29

Motivation Partial DDT-s Results Conclusions

Block Cipher TEA

Li Ri (K0, K1, δr) F Li+1 Ri+1 (K2, K3, δr) F Li+2 Ri+2

64-round Feistel network 64-bit blocks: Li||Ri 128-bit key: K0||K1||K2||K3 δr : 32 32-bit round constants (updated every 2-nd round) F : round function

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 22 / 37

SLIDE 30

Motivation Partial DDT-s Results Conclusions

The F-function of TEA

Ki ≪ 4 δr F(x) x ≫ 5 Ki+1

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 23 / 37

SLIDE 31

Motivation Partial DDT-s Results Conclusions

Current Status of TEA

Best attack: 23 rounds, zero-correlation [BW12] Best differential attack: 17 rounds, impossible differential [CWP12]

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 24 / 37

[BW12] Bogdanov, Wang: Zero Correlation Linear Cryptanalysis with Reduced Data Complexity. FSE 2012: 29-48 [CWP12] Chen, Wang, Preneel: Impossible Differential Cryptanalysis of the Lightweight Block Ciphers TEA, XTEA and HIGHT. AFRICACRYPT 2012: 117-137

SLIDE 32

Motivation Partial DDT-s Results Conclusions

Automatic Search for ADD Differentials in TEA

Main idea (sketch):

Work with ADD differences. Compute a partial DDT for the XOR operation of F. Extend the partial DDT to the full F. Apply Matsui search strategy using the partial DDT.

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 25 / 37

SLIDE 33

Motivation Partial DDT-s Results Conclusions

Key Dependence of the DP of the F-function

γ α ≫ r β k

=

γ α ≫ r β

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 26 / 37

SLIDE 34

Motivation Partial DDT-s Results Conclusions

Key Dependence of the DP of the F-function, n = 3

1 2 ≫ 1 2 1

0.125 =

1 2 ≫ 1 2

0.25

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 27 / 37

SLIDE 35

Motivation Partial DDT-s Results Conclusions

Key Dependence of the DP of the F-function, n = 3

1 2 ≫ 1 2 1

0.125 =

1 2 ≫ 1 2

0.25

Similar dependence for the ≪ operation In the TEA F-function, the input differences α and β are also dependent

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 27 / 37

SLIDE 36

Key Dependence of the DP of the F-function, n = 7

SLIDE 37

Key Dependence of the DP of the F-function, n = 10

Credit: Yann Le Corre, LACS

SLIDE 38

Key Dependence: More Issues

The same keys are used every 2-nd round Does it make sense to assume independent round keys in this case (as is usually done)? Are average probabilities (over all keys) still a good estimation of the actual probability of differentials (cf. hypothesis of stochastic equivalence)? Seems that TEA is not a key-alternating cipher – further complicates analysis: Definition (DR07) A key-alternating cipher consists of an alternating sequence of unkeyed rounds and simple bitwise key additions.

[DR07] Daemen, Rijmen: Probability distributions of correlation and differentials in block ciphers.

J. Mathematical Cryptology 1(3): 221-242 (2007)

SLIDE 39

TEA, n = 11, all δ, pthres = 0.01: pDDT vs. full DDT

r ∆+y ∆+x p ∆+y ∆+x p ← 1 378 ← 80 0.094727 1 388 ← 80 0.085785 ← 1 2 780 ← 388 0.027191 378 ← 80 0.117676 3 ← 1 780 ← 378 0.041992 4 80 ← 388 0.037476 ← 1 5 478 ← 80 0.131866 ← 378 0.049316 6 ← 1 ← 1 7 388 ← 80 0.093323 ← 378 0.021484 8 780 ← 388 0.023865 ← 1 9 ← 1 80 ← 378 0.034668 10 ← 388 0.038422 488 ← 80 0.112305 11 ← 1 ← 1

2−29.92 2−28.95

key = 4E1 193 1D5 34

SLIDE 40

TEA, n = 16, one δ, pthres = 0.01: pDDT vs. full DDT

r ∆+y ∆+x p ∆+y ∆+x p ← 1 ← 1 1 ← 1108 0.013123 ← F08 0.014404 2 ← 1 ← 1 3 ← 1108 0.013123 ← F08 0.014404 4 ← 1 ← 1 5 ← 1108 0.013123 ← F08 0.014404 6 ← 1 ← 1 7 ← 1108 0.013123 ← F08 0.014404 8 ← 1 ← 1 9 ← 1108 0.013123 ← F08 0.014404 10 ← 1 ← 1 11 ← 1108 0.013123 ← F08 0.014404 12 ← 1 ← 1 13 100 ← 1108 0.015442 FF00 ← F08 0.014267 14 EEF8 ← 100 0.039978 F0F8 ← FF00 0.042694 15 ← 1 ← 1

2−48.17 2−47.39

key = E1A5 37E3 8FCF FB5A

SLIDE 41

TEA, n = 32, all δ, pthres = 0.01

r ∆+y ∆+x p p, log2 ← 1 2−0.00 1 F ← FFFFFFFF 0.082794 2−3.59 2 ← F 0.000458 2−11.09 3 FFFFFFF1 ← FFFFFFFF 0.139893 2−2.84 4 ← 1 2−0.00 5 11 ← FFFFFFFF 0.081909 2−3.61 6 ← 11 0.000092 2−13.42 7 FFFFFFEF ← FFFFFFFF 0.133881 2−2.90 8 ← 1 2−0.00 9 11 ← FFFFFFFF 0.077576 2−3.69 10 ← 11 0.000122 2−13.00 11 FFFFFFEF ← FFFFFFFF 0.139709 2−2.84 12 ← 1 2−0.00 13 FFFFFFF1 ← FFFFFFFF 0.083771 2−3.58

2−60.56

key = E028DF9A 8819B4C3 3AB116AF 3C50723

SLIDE 42

TEA, n = 32, single δ, pthres = 0.01

r ∆+y ∆+x p p, log2 FFFFFFF1 ← 1 0.137390 2−2.86 1 ← 1 2−0.00 2 F ← 1 0.135712 2−2.88 3 ← F 0.001984 2−8.98 4 FFFFFFF1 ← 1 0.133148 2−2.91 5 ← 1 2−0.00 6 F ← 1 0.138214 2−2.86 7 ← F 0.002533 2−8.62 8 FFFFFFF1 ← 1 0.137360 2−2.86 9 ← 1 2−0.00 10 F ← 1 0.130371 2−2.94 11 ← F 0.001984 2−8.98 12 FFFFFFF1 ← 1 0.131958 2−2.92 13 ← 1 2−0.00 14 F ← 1 0.137543 2−2.86 15 ← F 0.002228 2−8.81 16 FFFFFFF1 ← 1 0.136597 2−2.87 17 ← 1 2−0.00

2−61.36

SLIDE 43

Motivation Partial DDT-s Results Conclusions

Outline

1

Motivation

2

Partial DDT-s

3

Results Computation of pDDT-s: Timings Preliminary Results on TEA

4

Conclusions

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 35 / 37

SLIDE 44

Motivation Partial DDT-s Results Conclusions

Summary of Contributions

Presented partial DDT-s + algorithm for their computation An attempt to quantify the resistance of ARX ciphers against DC, similarly to S-box-based ciphers Makes possible to apply Matsui algorithm (originally proposed for S-box ciphers) to automatically search for differentials in ARX designs Showed preliminary results from application to TEA:

Differential on 14 rounds, p = 2−60.56, original TEA Differential on 18 rounds, p = 2−61.36, modified TEA (use the same constant δ at every round)

Thank you for your attention!

(Luxembourg University) On the Construction of DDTs for ARX ESC 2013 36 / 37