UNAF: A Special Set of Additive Differences with Application to the - - PowerPoint PPT Presentation

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: A Special Set of Additive Differences with Application to the Differential Analysis of ARX

• V. Velichkov
• N. Mouha
• C. De Cannière
• B. Preneel

COSIC, KU Leuven; IBBT

FSE 2012, March 19-21, Washington DC, USA

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 1 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF Differences Cluster Multiple Characteristics

∆+x ∆+

1

∆+

2

∆+

3

∆+

4

∆+y = ⇒ ∆Ux ∆U

1

∆U

2

∆U

3

∆U

4

∆Uy

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 2 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Applications of UNAF Differences Improved estimations of probabilities of differentials through ARX. New (better?) attacks.

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 3 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Differential Cryptanalysis [Biham and Shamir,1991]

P round X1 round X2 round C P

′

round X

′

1

round X

′

2

round C

′

∆P = P ⊕ P

′

∆X1 ∆X2 ∆C = C ⊕ C

′

Pr(∆P → ∆C) =?

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 4 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Addition, Rotation, XOR (ARX)

P ARX C Addition (⊞) : confusion Rotation (≪) : diffusion within a word XOR (⊕): diffusion between words FEAL RC2 1987 MD4 MD5 1990 SHA-1 TEA RC5 1994 SHA-2 2001 Salsa20 2006 Skein BLAKE 2008

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 5 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Types of Differences

Additive difference ∆+

Definition ∆+X = X

′ − X .

Example 10002 = X

′

− 01012 = X 00112 = ∆+X

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 6 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Types of Differences

XOR difference ∆⊕

Definition ∆⊕X = X

′ ⊕ X .

Example 10002 = X

′

⊕ 01012 = X 11012 = ∆⊕X

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 6 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Types of Differences

BSD (Binary-Signed Digit) Difference ∆±

Definition ∆±X : ∆±X[i] = (X

′[i] − X[i]) ∈ {1, 0, 1},

0 ≤ i < n . Example 10002 = X

′

− 01012 = X 11012 = ∆±X

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 6 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Types of Differences

NAF (Non-Adjacent Form) Difference ∆N Definition A NAF is a special BSD diff. s.t. no two consecutive bits are non-zero: ∄i : (∆NX[i] = 0) ∧ (∆NX[i + 1] = 0), 0 ≤ i < n − 1 . Example ∆+X = 3 =

• +1 · 23−1 · 22−1 · 20 = 11012 = ∆±X ,

+1 · 22−1 · 20 = 01012 = ∆NX .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 6 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF (Unsigned NAF) Difference

Definition ∆UX = {∆+a : |∆Na| = |∆NX|} . Example ∆UX = 5 = ⇒ ∆UX = {3, 13, 5, 11} . ∆UX = 5 =            3 = +1 · 22 − 1 · 20( mod 24) = 010¯ 1 13 = −1 · 22 + 1 · 20( mod 24) = 0¯ 101 5 = +1 · 22 + 1 · 20( mod 24) = 0101 11 = −1 · 22 − 1 · 20( mod 24) = 0¯ 10¯ 1 = 0101 .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 7 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

The Additive Differential Probability of XOR (adp⊕)

a1 b1 c1 ∆+a + a1 ∆+b + b1 ∆+c + c1 ((∆+a + a1) ⊕ (∆+b + b1)) − (a1 ⊕ b1) = ∆+c .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 8 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

5 1 10

adp⊕( 5, 1 → 10) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375 adp⊕( 3, 15 → 10) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375 adp⊕( 3, 15 → 10) = 0.09375 adp⊕( 3, 15 → 6) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

13 3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375 adp⊕( 3, 15 → 10) = 0.09375 adp⊕( 3, 15 → 6) = 0.09375 adp⊕(13, 1 → 10) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

13 3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375 adp⊕( 3, 15 → 10) = 0.09375 adp⊕( 3, 15 → 6) = 0.09375 adp⊕(13, 1 → 10) = 0.09375 adp⊕(13, 1 → 6) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

13 3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375 adp⊕( 3, 15 → 10) = 0.09375 adp⊕( 3, 15 → 6) = 0.09375 adp⊕(13, 1 → 10) = 0.09375 adp⊕(13, 1 → 6) = 0.09375 adp⊕(13, 15 → 10) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

13 3 11 15 5 1 10 6

adp⊕( 5, 1 → 10) = 0.15625 adp⊕( 5, 1 → 6) = 0.15625 adp⊕( 5, 15 → 10) = 0.15625 adp⊕( 5, 15 → 6) = 0.15625 adp⊕(11, 1 → 10) = 0.15625 adp⊕(11, 1 → 6) = 0.15625 adp⊕(11, 15 → 10) = 0.15625 adp⊕(11, 15 → 6) = 0.15625 adp⊕( 3, 1 → 10) = 0.09375 adp⊕( 3, 1 → 6) = 0.09375 adp⊕( 3, 15 → 10) = 0.09375 adp⊕( 3, 15 → 6) = 0.09375 adp⊕(13, 1 → 10) = 0.09375 adp⊕(13, 1 → 6) = 0.09375 adp⊕(13, 15 → 10) = 0.09375 adp⊕(13, 15 → 6) = 0.09375

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 9 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

UNAF: Clustering of Differentials

{13, 3, 11, 5} {15, 1} {10, 6}

− →

∆Ua = 5 ∆Ub = 1 ∆Uc = 10

adp⊕ > 0 .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 10 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Main UNAF Theorem

Theorem adp⊕(∆+a, ∆+b → ∆+c) > 0 = ⇒ adp⊕(α, β → γ) > 0 , ∀α ∈ ∆Ua, ∀β ∈ ∆Ub, ∀γ ∈ ∆Uc .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 11 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

The UNAF Differential Probability of XOR

udp⊕(∆Ua, ∆Ub → ∆Uc) = #{(a1, b1) : ∆+a ∈ ∆Ua, ∆+b ∈ ∆Ub, ∆+c ∈ ∆Uc} #{(a1, b1) : ∆+a ∈ ∆Ua, ∆+b ∈ ∆Ub} .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 12 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Salsa20 Input State

256-bit key (k0, k1, . . . , k7) 64-bit nonce (v0, v1) 64-bit counter (t0, t1) four 32-bit constants c0, c1, c2, c3      c0 k0 k1 k2 k3 c1 v0 v1 t0 t1 c2 k4 k5 k6 k7 c3      →     w0 w0

1

w0

2

w0

3

w0

4

w0

5

w0

6

w0

7

w0

8

w0

9

w0

10

w0

11

w0

12

w0

13

w0

14

w0

15

    .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 13 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

One Round

wr

0 wr 4 wr 8 wr 12

wr

5 wr 9 wr 13 wr 1

wr

10 wr 14 wr 2 wr 6

wr

15 wr 3 wr 7 wr 11

qround qround qround qround

ws

0 ws 4 ws 8 ws 12

ws

5 ws 9 ws 13 ws 1

ws

10 ws 14 ws 2 ws 6

ws

15 ws 3 ws 7 ws 11

s = r + 1 .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 14 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

One qround

wr wr

1

wr

2

wr

3

≪ 7 ≪ 9 ≪ 13 ≪ 18 wr+1 wr+1

1

wr+1

2

wr+1

3

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 15 / 24

w0

0 w0 4 w0 8 w0 12 w0 5 w0 9 w0 13w0 1 w0 10 w0 14w0 2 w0 6 w0 15w0 3 w0 7 w0 11

r = 8/12/20 ROUNDS wr

0 wr 4 wr 8 wr 12 wr 5 wr 9 wr 13wr 1 wr 10 wr 14wr 2 wr 6 wr 15wr 3 wr 7 wr 11

    wr wr

1

wr

2

wr

3

wr

4

wr

5

wr

6

wr

7

wr

8

wr

9

wr

10

wr

11

wr

12

wr

13

wr

14

wr

15

   

Introduction The UNAF Framework Salsa20 Applications Conclusions

Estimating Probability of Differentials using UNAF

Three estimations of the probabilities of the N-round differential:

∆+

in N

− → ∆+

• ut .

1

Based on experiments: pexper .

2

Using single additive differences: ˆ padd =

• adpARX .

3

Using UNAF differences: ˆ punaf =

• udpARX .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 17 / 24

Improved Probability Estimations Using UNAF

• 50
• 40
• 30
• 20
• 10

1 2 3 4 5 6 7 8 Probability (Log2) 3-Round Differentials for Salsa20 (Index) Estimating the Probabilities of ARX Differentials Using UNAF Estimated Experimentally UNAF Additive

Introduction The UNAF Framework Salsa20 Applications Conclusions

Key-recovery attack on Salsa20/5

{∆U}0

8 = 0x80000000 → {∆U}3 11 = 0x01000024

{∆U}0

8

3 ROUNDS {∆U}3

11

P∆ = 2−3.38 (Prand = 2−29)

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 19 / 24

{∆U}3

11

qround qround qround qround ∆4

12

∆4

13

∆4

14

qround qround qround qround ∆5

4 ∆5 8

∆5

5 ∆5 9

∆5

1 ∆5 10

∆5

2 ∆5 6

∆5

3 ∆5 7∆5 11

Introduction The UNAF Framework Salsa20 Applications Conclusions

Attack Complexity

Rounds Reference Time Data Type of Differences Salsa20/5 Our result∗ 2167 27 Additive Salsa20/5 Crowley 2165 26 XOR Salsa20/6 Fischer et al. 2177 216 XOR Salsa20/7 Aumasson et al. 2151 226 XOR Salsa20/8 Aumasson et al. 2251 231 XOR

∗ Room for improval.

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 21 / 24

Introduction The UNAF Framework Salsa20 Applications Conclusions

Contributions and Future Work

Summary of Contributions:

Proposed new type of difference: UNAF. UNAF improves estimation of probabilities of differentials. Demonstrated practical application of UNAF to stream cipher Salsa20.

Future Work:

Why are the probabilities of differentials from the same UNAF set very close? (More rigorous analysis is needed.) Do UNAF differences lead to better attacks? Apply UNAF to other algorithms: Skein, BLAKE, TEA, ...

Thank you for your attention!

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 22 / 24

Appendix

Computation of adp⊕

Computing the probability adp⊕ is equivalent to the matrix multiplication: adp⊕(∆+a, ∆+b → ∆+c) = LAw[n−1] · · · Aw[1]Aw[0]C , where w[i] = ∆+a[i] ∆+b[i] ∆+c[i], 0 ≤ i < n , L = [ 1 1 1 1 1 1 1 1 ] , C = [ 0 1 0 ]T .

Velichkov et al. (KU Leuven) UNAF: A Special Set of Additive Differences FSE 2012 23 / 24

Best-first Search Strategy Based on A*

A0

w[0]

A0

w[1]

1 A1

w[1]

1 A1

w[0]

A0

w[1]

1 A1

w[1]

. . .

A0

w[n−1]

1 A1

w[n−1]

. . .

1 1

. . .

A0

w[n−1]

1 A1

w[n−1]