Truncated Differential Analysis of Reduced-Round LBlock Sareh - - PowerPoint PPT Presentation

Truncated Differential Analysis of Reduced-Round LBlock

Sareh Emami, Cameron McDonald, Josef Pieprzyk and Ron Steinfeld Joint work between Macquarie University, Qualcomm Inc. Australia and Monash University CANS 2013, Paraty, Brazil

Outline

• Preliminaries
• Truncated differential distribution
• Truncated differential analysis of LBlock
• Complexity Analysis
• Experiments
• Results

CANS 2013 2/29

Our Contribution

• Truncated differential analysis
• Differential probability distributions
• Log-likelihood ratio (LLR) test
• Presented framework
• Merges the truncated differential distributions with classical differential

analysis

• Application to LBlock
• Single-key attack - 18 rounds
• Related-key attacks – 21 rounds

CANS 2013 3/29

LBlock

• Was submitted to ACNS 2011
• Lightweight block cipher
• 64-bit block
• 80-bit secret key
• Balanced Feistel network
• 32-round

CANS 2013

<<< 8

x15 x14 x13 x12 x11 x10 x9 x8 x7 x6 x5 x4 x3 x2 x1 x0

F

<<< 8

F

30 rounds

y15 y14 y13 y12 y11 y10 y9 y8 y7 y6 y5 y4 y3 y2 y1 y0 SK0 SK31

4/29

LBlock

• SPN round function
• Key Schedule
• 32-bit sub-keys: 𝑇𝐿0, 𝑇𝐿1, … , 𝑇𝐿31

CANS 2013

x15 x14 x13 x12 x11 x10 x9 x8

SKi s7 s6 s5 s4 s3 s2 s1 s0

𝑙79 𝑙78 … … 𝑙49 𝑙48 𝑙47 𝑙46 … … … … … 𝑙1 𝑙0

SKi

<<< 29 𝑙50 𝑙49 𝑙48 𝑙47 𝑙46 𝑙45 𝑙44 𝑙43 𝑙42 … 𝑙21 … 𝑙17 … 𝑙51 𝑻𝟘 𝑻𝟗

i

5/29

Likelihood test

• Statistical test which compares two distributions
• Let 𝑄 and 𝑅 be two discrete probability distributions
• Kullback-Leibler (𝐿𝑀) divergence
• Measures the distance between 𝑄 and 𝑅
• The log-likelihood ratio (𝑀𝑀𝑆)
• Empirical dataset 𝑦 taken from 𝑂 samples
• Determines the probability distribution (𝑄 or 𝑅 ) that the sample

data 𝑦 belongs to

CANS 2013 6/29

Related Work

• All-in-one approach to differential analysis of lightweight

block ciphers

• Albrecht and Leander (SAC 2012)
• Multiple differential cryptanalysis using the 𝑀𝑀𝑆 and 𝜓2

tests

• Blondeau et. al. (SCN 2012)
• Both analyses work on ciphers with small block sizes

CANS 2013 7/29

Outline

• Preliminaries
• Truncated differential distribution
• Truncated differential analysis of LBlock
• Complexity Analysis
• Experiments
• Results

CANS 2013 8/29

Truncated Differential Distribution (TDD)

• Assumes the cipher follows the Marcov assumption
• The probability distribution of round 𝑠 only depends on round

𝑠 − 1

• Finds the differential distribution for the state symbols
• Nibbles in LBlock
• Starts from a fixed differential
• Propagates the differences through 𝑠 rounds
• Finds the probability of every difference for each nibble

CANS 2013 9/29

Truncated Differential

CANS 2013

<<< 8

00000010 00000000 00000010

SKi s0 s1 s2 s3 s4 s5 s6 s7

1

* *

<<< 8

SKi+1 s0 s1 s2 s3 s4 s5 s6 s7 * * *

00001000 0000000* 0000000* 0000000* 00000*00 00001*00 0000000*

10/29

Computing TDD

• S-box transformation

𝑧𝑗 = 𝑦𝑘 ∙ Ρ(𝑡 𝑘 = 𝑗)

15 𝑘=0

• XOR addition

𝑨𝑗 = 𝑦𝑘 ∙ 𝑧𝑗⊕𝑘

15 𝑘=0

CANS 2013

𝑡

Δ𝑗𝑜: 𝑦

• 1

. . . 15

. . .

Ρ(𝑡 1 = 1)

Δ𝑝𝑣𝑢: 𝑧

• 1

. . . 15 Δ𝑗𝑜: 𝑦

• 1

. . . 15 Δ𝑗𝑜: 𝑧

• 1

. . 14 15 Δ𝑝𝑣𝑢: 𝑨

• 1

. . . 15

11/29

Sample TDD

• Input difference: 00000000 10000000
• TDD is computed through 8 rounds of LBlock encryption
• The right-hand half truncated differential distribution is:

CANS 2013

KL-divergence (distance from the uniform distribution)

12/29

Outline

• Preliminaries
• Truncated differential distribution
• Truncated differential analysis of LBlock
• Complexity Analysis
• Experiments
• Results

CANS 2013 13/29

LBlock Attack

• The TDD is extended on both sides
• Benefits from the key schedule properties
• The attack model
• Standard differential phase (SD)
• Truncated differential distribution phase (TDD)
• Partial-key recovery phase (PKR)

CANS 2013

𝑇𝐸 𝑈𝐸𝐸 𝑄𝐿𝑆 𝑇0 𝑇1 𝑇2 𝑇3

14/29

TDD Phase

• 8-round truncated

differential distribution

• Target nibble
• Its distribution has a

relatively high distance from the uniform

CANS 2013

<<< 8

00000000 10000000 00000010

F

<<< 8

F

0000000*

<<< 8

F

00001*00

<<< 8

F

0000***0

<<< 8

F

001**0**

<<< 8

F

Target Nibble

00000000 00000010 0000000* 00001*00 0000***0 0*******

<<< 8

F

********

<<< 8

F

001**0** 0******* ******** ********

15/29

PKR Phase

• Additional rounds added to the end of TDD rounds
• Partially decrypt the ciphertexts
• Finds the differential distribution for the target nibble
• LLR test
• Example 3 rounds

CANS 2013 <<< 8

X*X*****

F

<<< 8

F

SK9: 00000000 SK10: 00000000 ******** Target Nibble ****X***

F

SK11: 00000000 **X*X*** X*******

<<< 8

XX****X* Key bits: 0-79-78-77- 76-75-74-73 Key bits: 13-12-11-10 Key bits: 58-57-56-55 **X*****

16/29

SD Phase

• High probability differential characteristic
• Assume we know some key-bits
• Example 1-round differential:

(10000000 00002000) → (00000000 10000000)

CANS 2013

S

<<< 8

P

10000000

P=2-2

SK0: 00000000 00200000 00002000 00000000 10000000

1

79, 78, 77, 76

17/29

Merging Phase

• Assume
• Ρ

𝑇𝐸 = Ρ 𝛽 → 𝛾𝑗

• Ρ𝑈𝐸𝐸 = Ρ 𝛾𝑗 → Γ
• Ρ

𝑉 is the random probability

Ρ 𝛽 → Γ = Ρ

𝑇𝐸 ⋅ Ρ𝑈𝐸𝐸 + (1 − Ρ 𝑇𝐸) ⋅ Ρ 𝑉

CANS 2013

𝛽 𝛾𝑗 Ρ

𝑇𝐸

𝛾𝑘≠𝑗 1 − Ρ

𝑇𝐸

Ρ𝑈𝐸𝐸 Ρ

𝑉

Γ 𝑇𝐸 𝑈𝐸𝐸

18/29

12-Round Example

CANS 2013

S

<<< 8

P

10000000

P=2-2

SK0: 00000000 00200000 00002000 00000000 10000000

1

79, 78, 77, 76

<<< 8

00000000 10000000 00000010

F

<<< 8

F

0000000*

<<< 8

F

00001*00

<<< 8

F

0000***0

<<< 8

F

001**0**

<<< 8

F

Target Nibble

00000000 00000010 0000000* 00001*00 0000***0 0*******

<<< 8

F

********

<<< 8

F

001**0** 0******* ******** ******** Key bits: 0-79-78-77- 76-75-74-73 Key bits: 58-57-56-55 Key bits: 13-12-11-10

<<< 8

X*X*****

F

<<< 8

F

SK9: 00000000 SK10: 00000000 ******** Target Nibble ****X***

F

SK11: 00000000 **X*X*** X*******

<<< 8

XX****X* **X***** 19/29

Outline

• Preliminaries
• Truncated differential distribution
• Truncated differential analysis of LBlock
• Complexity Analysis
• Experiments
• Results

CANS 2013 20/29

LLR Distributions

• 𝑋 is a random variable for the LLR of the wrong keys
• Wrong key randomization hypothesis
• 𝑆 is a random variable for the LLR of the right key
• Is a binomial distribution

CANS 2013 21/29

Complexity Analysis

• Cumulative distribution function (CDF)
• Probability of 𝑌 falling into the interval [𝑦, ∞):
• Denote Θ a threshold for the LLR
• Success rate : Ρ 𝑆 ≥ Θ
• Probability of a wrong key LLR becomes higher than Θ : Ρ 𝑋 ≥ Θ

CANS 2013

𝜤

22/29

Complexity

• Number of wrong keys ranked higher than Θ

𝑂𝑥𝑙 = 𝑂𝐿 ⋅ Ρ 𝑋 ≥ Θ

• We have to adjust Θ and 𝑂 (number of samples)
• Compromise between the success rate and the complexity
• Complexity of the full key-recovery

𝐷 = 𝑂2𝑐 + (𝑂𝑥𝑙 + 1)280−𝑐

CANS 2013 23/29

Outline

• Preliminaries
• Truncated differential distribution
• Truncated differential analysis of LBlock
• Complexity Analysis
• Experiments
• Results

CANS 2013 24/29

Experiments

• 12-round sample attack
• 𝑂 = 216 samples
• The attack is repeated 100 times

CANS 2013 25/29

Experiments

CANS 2013

• The attack is repeated 1000 times
• 𝑀𝑀𝑆 distribution of the right key
• The average 𝑀𝑀𝑆 distribution of the wrong keys

26/29

Outline

• Preliminaries
• Truncated differential distribution
• Truncated differential analysis of LBlock
• Complexity Analysis
• Experiments
• Results

CANS 2013 27/29

Results

• 18-round single key attack
• Data: 223 plaintext/ciphertext pairs
• Time: 268.71 encryptions

CANS 2013 28/29

Results

• Related-key attacks
• 20 rounds: Data: 227, time: 274.55
• 21 rounds: Data: 230, time: 277.56

CANS 2013 29/29

Thank you for your attention

CANS 2013