Remarks on the Data Complexity of Zero-Correlation Linear Attacks
Céline Blondeau, Aalto University
ESC, Luxembourg 2015

Outline
◮ Zero-Correlation Linear Attacks
◮ Data Complexity of Zero-Correlation Attacks
◮ Repetition of Plaintexts
◮ Data Complexity of Key-Invariant Bias Attacks
Complexity of Statistical Attacks 2/22
Zero-Correlation (ZC) Linear Cryptanalysis
[Bogdanov et al 12, 13, 14], [Soleimany, Nyberg 13]
The distinguisher takes advantage of linear approximation(s) with no bias.
◮ Single approximation $(u, v)$ with $\mathrm{cor}(u, v) = 0$
◮ Multiple approximations:
$$C = \sum_{u \in U,\; v \in V,\; u \neq 0} \mathrm{cor}^2(u, v) = 0,$$
◮ multiple ZC: $U$ and $V$ without structure.
◮ multidimensional ZC: $U$ and $V$ linear (affine) spaces.
Notation
◮ [Selçuk 08]
◮ $X_R \sim \mathcal{N}(\mu_R, \sigma_R)$ and $X_W \sim \mathcal{N}(\mu_W, \sigma_W)$
◮ $\Phi$: CDF of the central normal distribution
◮ $a$: advantage of the attack
$$P_S \approx \Phi\left(\frac{\mu_R - \mu_a}{\sqrt{\sigma_a^2 + \sigma_R^2}}\right), \quad \text{where } \mu_a = \mu_W + \sigma_W \cdot \Phi^{-1}(1 - 2^{-a}) \text{ and } \sigma_a \text{ is often negligible.}$$
◮ $\varphi_a = \Phi^{-1}(1 - 2^{-a})$ and $\varphi_{P_S} = \Phi^{-1}(P_S)$
◮ $n$: number of bits of the permutation (block cipher)
Data Complexity of Multiple/Multidimensional ZC Attacks
[SAC 13]:
◮ $\ell$: Number of linear approximations
◮ Multiple ZC Attack (m)
$$N_m \approx \frac{2^n(\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$$
◮ Multidimensional ZC Attack (M)
$$N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$$
◮ In [Soleimany, Nyberg 13], experiments have been conducted for a distinguisher
◮ The general behaviour $N = O\!\left(2^n / \sqrt{\ell/2}\right)$ is correct.
Success Probability
◮ Are these formulas correct for a key-recovery attack?
◮ Why is there a difference? (In particular, when the set of masks is close to a linear space)
Success probability:
$$P_S^m \approx \Phi\left(\frac{N_m}{2^n}\sqrt{\ell/2} - \varphi_a \cdot \left(\frac{N_m}{2^n} + 1\right)\right) \qquad (m)$$
$$P_S^M \approx \Phi\left(\frac{N_M \sqrt{(\ell - 1)/2}}{(2^n - 1) - N_M} - \varphi_a \,\frac{2^n - 1}{(2^n - 1) - N_M}\right) \qquad (M)$$
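The two data-complexity formulas and their inverted success probabilities, as an added worked example in Python (not code from the talk): `n_multiple`/`n_multidim` return $N_m$/$N_M$, `ps_multiple`/`ps_multidim` return $P_S^m$/$P_S^M$, and the sample parameters ($n = 16$, $\ell = 8$ or $16$) are constructed, not the talk's exact experimental values.

```python
# Data complexity and success probability of zero-correlation (ZC) linear
# attacks in the slides' notation: n block size, l approximations, a advantage,
# P_S success probability.  Added example, not code from the talk; the sample
# parameters below (n = 16, l = 8 or 16) are constructed, loosely following the
# 16-bit experimental setting.
from math import log2, sqrt
from statistics import NormalDist

_N = NormalDist()  # standard normal: cdf = Phi, inv_cdf = Phi^{-1}

def phi_a(a):
    """phi_a = Phi^{-1}(1 - 2^{-a}), the wrong-key quantile for an a-bit advantage."""
    return _N.inv_cdf(1.0 - 2.0 ** (-a))

def n_multiple(n, l, a, p_s):
    """N_m: multiple ZC formula (masks without structure; plaintexts may repeat)."""
    denom = sqrt(l / 2) - phi_a(a)
    if denom <= 0:  # formula undefined: too few approximations for this advantage
        raise ValueError("need sqrt(l/2) > phi_a(a); increase l or lower a")
    return 2 ** n * (_N.inv_cdf(p_s) + phi_a(a)) / denom

def n_multidim(n, l, a, p_s):
    """N_M: multidimensional ZC formula (linear mask space; distinct known plaintexts)."""
    phi_p = _N.inv_cdf(p_s)
    return (2 ** n - 1) * (phi_p + phi_a(a)) / (sqrt((l - 1) / 2) + phi_p)

def ps_multiple(n, l, a, N):
    """P_S^m for N samples, formula (m): algebraic inversion of n_multiple."""
    r = N / 2 ** n
    return _N.cdf(r * sqrt(l / 2) - phi_a(a) * (r + 1))

def ps_multidim(n, l, a, N):
    """P_S^M for N samples, formula (M): algebraic inversion of n_multidim."""
    full = 2 ** n - 1
    if N >= full:  # the whole codebook is known: the right key always ranks first
        return 1.0
    return _N.cdf((N * sqrt((l - 1) / 2) - phi_a(a) * full) / (full - N))

def sweep(n, l, p_s, advantages=(1, 2, 4, 6)):
    """log2 of N_m and N_M for several advantages at a fixed success probability."""
    return [(a, log2(n_multiple(n, l, a, p_s)), log2(n_multidim(n, l, a, p_s)))
            for a in advantages]

if __name__ == "__main__":
    for a, lm, lM in sweep(16, 16, 0.9):
        print(f"a={a}: log2(N_m)={lm:.2f} (repeated)  log2(N_M)={lM:.2f} (distinct)")
```

For the constructed 16-bit setting the sweep shows $N_M < N_m$ at every advantage, and at $a = 6$ the formulas exceed the $2^{16}$ codebook, which is the regime where the slides report an overestimate.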
Setting for the Experiments
◮ 16-bit cipher
◮ Type-II GFN with 4 branches
◮ Zero-correlation approximations: $(0, 0, u, 0) \to (0, u, 0, 0)$ over 9 rounds ($u \neq 0$)
◮ Key-recovery: 1 round before, 2 rounds after
◮ Maximal advantage: 12 bits
◮ Similar structure as for instance CLEFIA
[Figure: Type-II GFN with F-functions, round keys $K_1$, $K_{11}$, $K_{12}$ and intermediate states $X_1, X_2, X_{11}, X_{12}, X_{13}$; the zero-correlation approximation with input mask $u$ covers 9 rounds ("ZC on 9 rounds").]
Multidimensional ZC Attacks
[Plots: success probability $P_S$ (0.1 to 1) against $\log_2(N)$ (12 to 16), experimental results ("Exp") compared with the formula labelled (1), for $a = 1$, $a = 2$, $a = 4$ and $a = 6$.]
Observations
$$N_M \approx \frac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$$
For a multidimensional ZC linear attack,
◮ $N_M$ is accurate for small advantages
◮ $N_M$ gives an overestimate of the data complexity for larger advantages
Multiple ZC Attack
[Plots: $P_S$ (0.1 to 1) against $\log_2(N)$ (12 to 16), experimental results ("Exp") compared with the formula labelled (1), for 8 approximations with $a = 1, 2, 4$; 5 approximations with $a = 1, 2, 4$; and 2 approximations with $a = 1, 2$.]
Data Complexity of Multiple ZC Attacks
Based on these experiments, we confirmed that
◮ we do not need a particular formula to compute the data complexity/success probability of multiple zero-correlation attacks (compared with the complexity of multidimensional ZC attacks)
Repetition of Plaintexts
◮ In the presented attacks, distinct known plaintexts are used.
◮ Indeed the formulas for $N_M$ and $P_S^M$ in the multidimensional linear context have been derived under this assumption.
◮ What happens if there is some repetition (assuming for instance that the plaintexts are generated/obtained randomly)?
Repetition of Plaintexts in a Multidimensional ZC Attack
[Plots: $P_S$ (0.2 to 1) against $\log_2(N)$ (12 to 16) for $a = 2$ and $a = 4$, comparing distinct plaintexts (no repetition) with randomly drawn plaintexts (repetition), together with the formula labelled (1).]
Theoretical Conclusion
We can show that
◮ $N_m \approx \dfrac{2^n(\varphi_{P_S} + \varphi_a)}{\sqrt{\ell/2} - \varphi_a}$ corresponds to the case where the plaintexts can be repeated.
◮ $N_M \approx \dfrac{(2^n - 1)(\varphi_{P_S} + \varphi_a)}{\sqrt{(\ell - 1)/2} + \varphi_{P_S}}$ corresponds to the case of distinct known plaintexts.
◮ In the known plaintext model how can we select distinct messages?
Idea behind the proofs
◮ The proofs have already been presented in [Bogdanov et al 12, 13].
◮ For distinct known plaintexts, we use hypergeometric distributions (no replacement).
◮ The other model assumes a normal distribution of the capacity for the wrong keys.
◮ In both proofs, there is no assumption on the linear masks.
In Practice
If we consider distinct known plaintexts we can improve the complexities of some ZC attacks. For instance:
◮ on CAST-256 presented at INDOCRYPT 2014
  ◮ from $2^{123.74}$ KP ($2^{123.2}$?) to $2^{123.67}$ DKP (29 rounds)
◮ on Camellia presented at SAC 2013
  ◮ Camellia-128: from $2^{125.3}$ KP to $2^{125.1}$ DKP (11 rounds)
  ◮ Camellia-192: from $2^{125.7}$ KP to $2^{125.5}$ DKP (12 rounds)
Key-Invariant Bias Attacks
◮ Related-key attack introduced at ASIACRYPT 2013
◮ We can make the same observation on the data complexity
◮ Improvement of the attack on LBlock (Twine) considering distinct plaintexts:
  ◮ Data: from $2^{62.95}$ KP to $2^{62.52}$ DKP (considering the same advantage and the same success probability)
◮ Improvement of the time complexity is also possible depending on the data/time trade-off