Programming the Demirci-Selçuk Meet-in-the-Middle Attack with Constraints



slide-1
SLIDE 1

Programming the Demirci-Selçuk Meet-in-the-Middle Attack with Constraints

Danping Shi (1), Siwei Sun (1), Patrick Derbez (2), Yosuke Todo (3), Bing Sun (4), Lei Hu (1)

(1) Institute of Information Engineering, Chinese Academy of Sciences, China
(2) Univ Rennes, CNRS, IRISA, France
(3) NTT Secure Platform Laboratories, Japan
(4) College of Liberal Arts and Sciences, National University of Defense Technology, China

Asiacrypt 2018, 2018.12.4

Danping Shi, Siwei Sun, Patrick Derbez, Yosuke Todo, Bing Sun, Lei Hu. Programming the Demirci-Selçuk Meet-in-the-Middle Attack with Constraints. 1 / 31

slide-2
SLIDE 2

Outline

1. Introduction
2. Modelling the MITM attack
3. Applications in Design
4. Conclusion

slide-3
SLIDE 3

Introduction

Outline

1. Introduction
   Description of Demirci-Selçuk MITM
2. Modelling the MITM attack
3. Applications in Design
4. Conclusion

slide-4
SLIDE 4

Introduction: Description of Demirci-Selçuk MITM

Demirci-Selçuk MITM Attack

Demirci-Selçuk MITM, FSE 2008 [DS08].
Various creative techniques: Differential Enumeration, Key Bridging, Key Dependent Sieve, ... [DKS10, DFJ13, DF13, DF16, LJ16]
General model, dedicated search algorithm [LWWZ13, DF13, DF16]

slide-5
SLIDE 5

Introduction: Description of Demirci-Selçuk MITM

Automatic Searching Methods

MILP, CP, SAT, SMT
Differential, Linear, Integral, 3-subset MITM, ... [KLT15, SHW+14, ST17, CJF+16, XZBL16, GMS16, Sas18]

slide-9
SLIDE 9

Introduction: Description of Demirci-Selçuk MITM

MITM Distinguisher

[Figure: cipher E, with A marked on the input side and B on the output side.]

δ(A)-set: $\{P^0, P^1, \ldots, P^{N-1}\}$

$\{C^0, C^1, \ldots, C^{N-1}\}$

$\Delta_E(A, B)$: $\{C^0[B] \oplus C^1[B],\ C^0[B] \oplus C^2[B],\ \ldots,\ C^0[B] \oplus C^{N-1}[B]\}$

slide-14
SLIDE 14

Introduction: Description of Demirci-Selçuk MITM

Distinguisher of MITM

Random: $N_R$
Block cipher: $N_E$ (saved into a hash table)
Condition: $N_E < N_R$
Distinguisher: $(A, B, N_E)$

[Figure: cipher E with A and B marked; $N_R$ and $N_E$ compared.]

slide-15
SLIDE 15

Introduction: Description of Demirci-Selçuk MITM

Key Recovery Attack of MITM

A cipher is divided into three keyed permutations: $E_0$, $E_1$, $E_2$.
Construct the distinguisher $(A, B, N_E)$ at $E_1$.

[Figure: $E_0$, $E_1$, $E_2$ in sequence over state0, state$2r_0$, state$2(r_0+r_1)$, state$2(r_0+r_1+r_2)$, with A and B marked.]

slide-16
SLIDE 16

Modelling the MITM attack

Outline

1. Introduction
2. Modelling the MITM attack
   Modelling the Distinguisher
   Modelling the Key-Recovery Process
3. Applications in Design
4. Conclusion

slide-17
SLIDE 17

Modelling the MITM attack: Modelling the Distinguisher

Variables

[Figure: $E_0$, $E_1$, $E_2$ in sequence over state0, state$2r_0$, state$2(r_0+r_1)$, state$2(r_0+r_1+r_2)$; the variable sets are labelled M; X, Y, Z, M; X, Y, Z; X, Y, Z, W; W.]

Var(X) describes the forward differential.
Var(Y) describes the backward determination.
Var(Z) models the relation between Var(X) and Var(Y).

slide-18
SLIDE 18

Modelling the MITM attack: Modelling the Distinguisher

Forward differential

Variables Var(X)

$X_r[j] = 0$ iff $P^0_r[j] \oplus P^i_r[j] = 0$, $\forall i \in \{1, \ldots, N-1\}$.

Var(X) for state0

$X_0[j] = 1$ iff $j \in A$. $X_r$ propagates to $X_{r+1}$ with probability 1.

[Figure: Round 0 to Round 2, each with layers NL and L and round keys k0, k1, k2, over state0 to state6; A marked.]


slide-22
SLIDE 22

Modelling the MITM attack: Modelling the Distinguisher

Property of forward differential

Values of $P^0$ at the yellow states

$P^0_6 \oplus P^i_6$, $\forall i \in \{1, 2, \ldots, N-1\}$

$\{P^0[A_{2r}]\}_{r \in \{1, 2\}}$ determine $P^0_6 \oplus P^i_6$

[Figure: Round 0 to Round 2, each with layers NL and L and round keys k0, k1, k2, over state0 to state6; A marked.]


slide-27
SLIDE 27

Modelling the MITM attack: Modelling the Distinguisher

Forward Differential

Examples for Var(X)

$X_r[j] = 0$ iff $P^0_r[j] \oplus P^i_r[j] = 0$, $\forall i \in \{1, \ldots, N-1\}$.

[Figure: example for Var(X) with three S-boxes S. Labels as extracted: x0, x1, x3, x2, x2, =, x0, 2x3, x0 + x1, x3, x0 + x1.]

slide-31
SLIDE 31

Modelling the MITM attack: Modelling the Distinguisher

Backward determination

Variables Var(Y)

Var(Y) for state6

$Y[j] = 1$ iff $j \in B$. The differences at B are determined by the colored positions.

[Figure: Round 0 to Round 2, each with layers NL and L and round keys k0, k1, k2, over state0 to state6; B marked.]


slide-35
SLIDE 35

Modelling the MITM attack: Modelling the Distinguisher

Property of backward determination

Values of $P^0$ at the yellow nibbles

$P^0_6 \oplus P^i_6[B]$, $\forall i \in \{1, 2, \ldots, N\}$

$\{P^0_{2r}[B_{2r}]\}_{r \in \{0, 1, 2\}}$ determine $P^0_6[B] \oplus P^i_6[B]$

[Figure: Round 0 to Round 2, each with layers NL and L and round keys k0, k1, k2, over state0 to state6; B marked at state6.]


slide-39
SLIDE 39

Modelling the MITM attack: Modelling the Distinguisher

Backward determination

Examples for Var(Y)

[Figure: example for Var(Y) with three S-boxes S. Labels as extracted: y0, y1, y3, y2, y2 + y3, 2y0, y2 + y3, y0, y1, =, y3.]

slide-43
SLIDE 43

Modelling the MITM attack: Modelling the Distinguisher

Constraints for Var(Z)

Variables Var(Z) describe the relations between Var(X) and Var(Y): $Z_r[j] = 1$ iff $X_r[j] = Y_r[j] = 1$

[Figure: Round 0 to Round 2, each with layers NL and L and round keys k0, k1, k2, over state0 to state6; A and B marked.]

Objective function: Minimize $\sum_{r = r_0 + 1}^{r_0 + r_1 - 1} Z_{2r}$


slide-45
SLIDE 45

Modelling the MITM attack: Modelling the Distinguisher

Application to SKINNY

Proposed at CRYPTO 2016

MC = [4 × 4 binary matrix with eight entries equal to 1; its layout did not survive extraction]

$MC_{i,0} X_r[0] + MC_{i,1} X_r[1] + MC_{i,2} X_r[2] + MC_{i,3} X_r[3] - X_{r+1}[i] \ge 0$
$4 X_{r+1}[i] - MC_{i,0} X_r[0] - MC_{i,1} X_r[1] - MC_{i,2} X_r[2] - MC_{i,3} X_r[3] \ge 0$

[Figure: Round 1 to Round 11, drawn as the steps SB, AC, AK, SR, MC.]

slide-50
SLIDE 50

Modelling the MITM attack: Modelling the Distinguisher

Application to SKINNY

Proposed at CRYPTO 2016

MC = [4 × 4 binary matrix with eight entries equal to 1; its layout did not survive extraction]

$MC_{0,i} Y_{r+1}[0] + MC_{1,i} Y_{r+1}[1] + MC_{2,i} Y_{r+1}[2] + MC_{3,i} Y_{r+1}[3] - Y_r[i] \ge 0$
$4 Y_r[i] - MC_{0,i} Y_{r+1}[0] - MC_{1,i} Y_{r+1}[1] - MC_{2,i} Y_{r+1}[2] - MC_{3,i} Y_{r+1}[3] \ge 0$

[Figure: Round 1 to Round 11, drawn as the steps SB, AC, AK, SR, MC.]
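
The SKINNY constraints on Var(X) and Var(Y), worked through as an added example (not code from the slides or from the authors): it checks by enumeration that each inequality pair is the OR rule over one MixColumns column, then propagates X forward and Y backward over a 16-cell state and sums Z as in the objective. Assumptions: MC and SR are taken from the SKINNY specification, one state per round is tracked (the S-box input), $r_0 = 0$, and all function names and the choice A = B = {0} are hypothetical.

```python
from itertools import product

# SKINNY MixColumns matrix and ShiftRows permutation, from the SKINNY
# specification (assumption: the transcript's copy of MC lost its zero entries).
MC = [[1, 0, 1, 1],
      [1, 0, 0, 0],
      [0, 1, 1, 0],
      [1, 0, 1, 0]]
SR = [0, 1, 2, 3, 7, 4, 5, 6, 10, 11, 8, 9, 13, 14, 15, 12]  # new cell i <- old cell SR[i]

def forward_ok(x, x_next):
    """Both inequalities on Var(X), for every output row i of one column."""
    for i in range(4):
        s = sum(MC[i][j] * x[j] for j in range(4))
        if s - x_next[i] < 0 or 4 * x_next[i] - s < 0:
            return False
    return True

def backward_ok(y_next, y):
    """Both inequalities on Var(Y); the matrix index is transposed (MC[j][i])."""
    for i in range(4):
        s = sum(MC[j][i] * y_next[j] for j in range(4))
        if s - y[i] < 0 or 4 * y[i] - s < 0:
            return False
    return True

def mc_forward(x):
    """Closed form for Var(X): output i is active iff any input it reads is active."""
    return tuple(int(any(MC[i][j] and x[j] for j in range(4))) for i in range(4))

def mc_backward(y_next):
    """Closed form for Var(Y): input i is needed iff any needed output reads it."""
    return tuple(int(any(MC[j][i] and y_next[j] for j in range(4))) for i in range(4))

def constraints_match_or_rule():
    """Exhaustively check that each inequality pair admits exactly the OR-rule solution."""
    cols = list(product((0, 1), repeat=4))
    for a in cols:
        if [b for b in cols if forward_ok(a, b)] != [mc_forward(a)]:
            return False
        if [b for b in cols if backward_ok(a, b)] != [mc_backward(a)]:
            return False
    return True

def round_forward(x):
    """Activity pattern after one round: SB, AC, AK keep it; then SR; then MC per column."""
    s = [x[SR[i]] for i in range(16)]
    out = [0] * 16
    for c in range(4):
        col = mc_forward([s[4 * r + c] for r in range(4)])
        for r in range(4):
            out[4 * r + c] = col[r]
    return tuple(out)

def round_backward(y_next):
    """Cells at a round's input needed to determine the cells y_next at its output."""
    s = [0] * 16
    for c in range(4):
        col = mc_backward([y_next[4 * r + c] for r in range(4)])
        for r in range(4):
            s[4 * r + c] = col[r]
    y = [0] * 16
    for i in range(16):
        y[SR[i]] = s[i]  # undo ShiftRows
    return tuple(y)

def distinguisher_cost(A, B, rounds):
    """X[r], Y[r] sit at the S-box input of round r; index `rounds` is the output state."""
    X = [tuple(int(i in A) for i in range(16))]
    for _ in range(rounds):
        X.append(round_forward(X[-1]))
    Y = [tuple(int(i in B) for i in range(16))]
    for _ in range(rounds):
        Y.insert(0, round_backward(Y[0]))
    Z = [tuple(a & b for a, b in zip(x, y)) for x, y in zip(X, Y)]
    cost = sum(sum(z) for z in Z[1:rounds])  # the slide's objective with r0 = 0
    return cost, X, Y, Z

def cells(v):
    """Indices of the cells set to 1 in a 16-cell pattern."""
    return [i for i, bit in enumerate(v) if bit]

if __name__ == "__main__":
    cost, X, Y, Z = distinguisher_cost({0}, {0}, 3)  # constructed toy choice of A and B
    print("constraints equal OR rule:", constraints_match_or_rule())
    for r in range(4):
        print(r, "X", cells(X[r]), "Y", cells(Y[r]), "Z", cells(Z[r]))
    print("sum of Z over inner rounds:", cost)
```

In a solver model the same two inequality pairs are stated per cell and per round, and the solver chooses A and B; here they are fixed so the propagation can be followed by hand.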


slide-56
SLIDE 56

Modelling the MITM attack: Modelling the Key-Recovery Process

New 0-1 variables Var(M) for $E_0$

Var(M): Determine the plaintext structure

$M_{2r_0} = X_{2r_0}$
backward differential propagation with probability 1.
forward differential through $E_0^{-1}$:

[Figure: Round 0 to Round 4, each with layers NL and L and round keys k0 to k4, over state0 to state10; A marked at state10.]

slide-60
SLIDE 60

Modelling the MITM attack: Modelling the Key-Recovery Process

Property of backward differential

Guess the values of $P^0$ at the yellow state

Obtain $\{P^0, P^1, \ldots, P^{N-1}\}$ s.t. $\{P^0_6, P^1_6, \ldots, P^{N-1}_6\}$ is a δ(A)-set

[Figure: Round 0 to Round 4, each with layers NL and L and round keys k0 to k4, over state0 to state10; A marked at state10.]

slide-62
SLIDE 62

Modelling the MITM attack: Modelling the Key-Recovery Process

New 0-1 variables Var(W) for $E_2$

Var(W): forward determination process

$W_{10} = Y_{10}$
backward determination through $E_2^{-1}$:

[Figure: Round 4 to Round 7, each with layers NL and L and round keys k4 to k7, over state8 to state16; B marked.]

slide-66
SLIDE 66

Modelling the MITM attack: Modelling the Key-Recovery Process

Property of Forward Determination

Guess the values of $P^0$ at the yellow states

Obtain the sequence $\Delta_E(A, B)$ at state10

[Figure: Round 4 to Round 7, each with layers NL and L and round keys k4 to k7, over state8 to state16; B marked.]

slide-74
SLIDE 74

Modelling the MITM attack: Modelling the Key-Recovery Process

Examples for Var(M) and Var(W)

Var(M): Backward differential

$MC^{-1}$ = [4 × 4 binary matrix with eight entries equal to 1; its layout did not survive extraction]

Var(W): Forward determination

[Figure: Round 0 to Round 3, the distinguisher, and Round 14 to Round 17, drawn as the steps SB, AC, AK, SR, MC.]

slide-75
SLIDE 75

Modelling the MITM attack: Modelling the Key-Recovery Process

Guessed Subkeys

[Figure: Round 0 to Round 3, the distinguisher, and Round 14 to Round 17, drawn as the steps SB, AC, AK, SR, MC.]

slide-76
SLIDE 76

Modelling the MITM attack: Modelling the Key-Recovery Process

Results

slide-77
SLIDE 77

Applications in Design

Outline

1. Introduction
2. Modelling the MITM attack
3. Applications in Design
   Results of TWINE and LBlock Structure
4. Conclusion

slide-78
SLIDE 78

Applications in Design: Results of TWINE and LBlock Structure

[Figure: structure with SB, SK0 and the permutations $P_0$, $P_1$.]

Enumeration: $8! \cdot 8!$

slide-79
SLIDE 79

Applications in Design Results of TWINE and LBlock Structure

[Figure: structure with SB, SK0 and the permutations QP0Q^{-1}, QP1Q^{-1}]

(P0, P1) → (QP0Q^{-1}, QP1Q^{-1})

Enumeration: 8! · 8! → 22 · 8!
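The reduction on this slide, worked through as an added example (not code from the presentation): conjugating both permutations by the same Q lets P0 be restricted to one representative per conjugacy class of S_8, and 22 is the number of cycle types, i.e. integer partitions of 8. All function names are hypothetical, and treating conjugate pairs as equivalent structures is the assumption implied by the slide's mapping.

```python
# Added illustration; assumes (P0, P1) and (Q P0 Q^-1, Q P1 Q^-1) are equivalent structures.
from math import factorial

def partitions(n, largest=None):
    """Integer partitions of n as non-increasing tuples (= cycle types of S_n)."""
    largest = n if largest is None else largest
    if n == 0:
        return [()]
    return [(k,) + rest for k in range(min(n, largest), 0, -1)
            for rest in partitions(n - k, k)]

def cycles(p):
    """Cycles of p (tuple, i -> p[i]), longest first, each listed in orbit order."""
    seen, out = set(), []
    for start in range(len(p)):
        cyc, i = [], start
        while i not in seen:
            seen.add(i)
            cyc.append(i)
            i = p[i]
        out += [cyc] if cyc else []
    return sorted(out, key=len, reverse=True)

def representative(ctype):
    """Canonical permutation for a cycle type: consecutive blocks, each rotated by one."""
    p, base = [], 0
    for n in ctype:
        p += [base + (k + 1) % n for k in range(n)]
        base += n
    return tuple(p)

def canonicalise(p0, p1):
    """Return (Q P0 Q^-1, Q P1 Q^-1) where Q sends P0 to its class representative."""
    rep = representative(tuple(len(c) for c in cycles(p0)))
    q = [0] * len(p0)
    for src, dst in zip(cycles(p0), cycles(rep)):
        for s, d in zip(src, dst):
            q[s] = d                      # k-th point of a P0 cycle -> k-th point of rep's
    q_inv = sorted(range(len(q)), key=q.__getitem__)
    conj = lambda p: tuple(q[p[q_inv[i]]] for i in range(len(p)))
    return conj(p0), conj(p1)

def search_space(n=8):
    """(naive, reduced) number of (P0, P1) pairs to test."""
    return factorial(n) ** 2, len(partitions(n)) * factorial(n)

if __name__ == "__main__":
    print(search_space(8), canonicalise((2, 3, 1, 0), (3, 2, 1, 0)))
```

Only P0 is fixed to a representative here; P1 still ranges over all 8! permutations, which is the 22 · 8! count on the slide.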


slide-80
SLIDE 80

Applications in Design Results of TWINE and LBlock Structure

Results

144 permutations: no 15-round IM Distinguisher. 12 permutations may be best: no 11-round MITM distinguisher


slide-81
SLIDE 81

Conclusion

Outline

1. Introduction
2. Modelling the MITM attack
3. Applications in Design
4. Conclusion


slide-82
SLIDE 82

Conclusion

Conclusion

- Modelling the MITM attack
- IM and MITM for variant ciphers of LBlock and TWINE

Future Work

- Differential Enumeration
- Key Bridging
- ...



slide-87
SLIDE 87

Conclusion

Thanks for your attention.
