using multiple differentials

Using Multiple Differentials...

1/28

Using Multiple Differentials...

On the LLR and χ2 Statistical Tests in Differential Context

Celine Blondeau

Aalto University

Luxembourg, January 2013

joint work with Benoıt Gerard and Kaisa Nyberg

Using Multiple Differentials...

2/28

Outline

IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis

Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials

Analysing InformationLLR Statistical Testχ2 Statistical Test

ExperimentsExperimental ResultsDiscussion

Using Multiple Differentials...

3/28

Outline

IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis

Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials

Analysing InformationLLR Statistical Testχ2 Statistical Test

ExperimentsExperimental ResultsDiscussion

Using Multiple Differentials...

4/28

Block ciphers

--

--

-

x

y

FK1

FK2

FKr

FKr+1

EK : Fm2 → Fm

2

I K : Master keyI F : Round functionI Ki : Round key

cccc cccc cccc cccc

cccc cccc cccc cccc

cccc cccc cccc cccc

cccc cccc cccc cccc

S3 S2 S1 S0

S3 S2 S1 S0

S3 S2 S1 S0

���

������

����

����

@@@

���

������

HHHH

HH

@@@

���

PPPP

PPPP

HHHH

HH

@@@

���

���

���

����

����

@@@

���

������

HHH

HHH

@@@

���

PPPP

PPPP

HHHH

HH

@@@

���

���

���

����

����

@@@

���

������

HHH

HHH

@@@

���

PPPP

PPPP

HHH

HHH

@@@

SMALLPRESENT-[4]

Using Multiple Differentials...

5/28

Statistical Attacks

Statistical attacks:I Take advantage of a non-uniform behavior of the cipherI Two families: Linear and Differential cryptanalysis

Improvement of differential cryptanalysis

I Differential cryptanalysis [Biham Shamir 91]I Truncated differential cryptanalysis [Knudsen 95]I Impossible differential cryptanalysis [Biham Biryukov Shamir

99]I Higher order differential cryptanalysis [Lai 94] [Knudsen 95]I Bulk Multiple differential cryptanalysis [Blondeau Gerard 11]

Using Multiple Differentials...

6/28

Differential CryptanalysisGiven an input difference between two plaintexts, some outputdifferences occur more often than others.

-

-

-

-

EK

EK

x

x ′

y

y ′

6

?

6

?

δin δout

Differential: pair of input and output difference (δin, δout)

Differential probability: p = PX ,K [ EK (x)⊕ Ek (x ⊕ δin) = δout ]

Uniform probability: θ = 2−m

Using Multiple Differentials...

7/28

Using Multiple differentials...

I Truncated differential cryptanalysisI Impossible differential cryptanalysisI Higher order differential cryptanalysisI Bulk differential cryptanalysis

One non-uniform probability is used for comparison with uniformprobability

Using Multiple Differentials...

7/28

Using Multiple differentials...

I Truncated differential cryptanalysisI Impossible differential cryptanalysisI Higher order differential cryptanalysisI Bulk differential cryptanalysis

One non-uniform probability is used for comparison with uniformprobability

Using Multiple Differentials...

8/28

Bulk differential cryptanalysis [FSE 2011]

I Set of differences (δin(v), δout

(v)), with probabilities pv .

I p = 1∆in

∑v pv expected probability.

I θ = 1∆in

∑v

12m uniform probability.

Frequencies are summed up.

How to use the probability of each differential individually?

Using Multiple Differentials...

8/28

Bulk differential cryptanalysis [FSE 2011]

I Set of differences (δin(v), δout

(v)), with probabilities pv .

I p = 1∆in

∑v pv expected probability.

I θ = 1∆in

∑v

12m uniform probability.

Frequencies are summed up.

How to use the probability of each differential individually?

Using Multiple Differentials...

8/28

Bulk differential cryptanalysis [FSE 2011]

I Set of differences (δin(v), δout

(v)), with probabilities pv .

I p = 1∆in

∑v pv expected probability.

I θ = 1∆in

∑v

12m uniform probability.

Frequencies are summed up.

How to use the probability of each differential individually?

Using Multiple Differentials...

9/28

Related Work

Linear Cryptanalysis [Matsui 93]:

I Multiple linear cryptanalysis [Baigneres Junod Vaudenay 04]

I Multidimensional linear cryptanalysis [Hermelin Cho Nyberg08]

Both use LLR and/or χ2 statistical tests.

Differential Cryptanalysis:

Recently :

I How to apply LLR and/or χ2 statistical tests?I How to partition the output differences?

Using Multiple Differentials...

10/28

Multiple Differential Cryptanalysis

I Fixed input difference δin (To simplify the analysis)

I Vector of “differences”: V = [δ(v)out ] after r rounds,

I p = [pv ]v∈V vector of expected probabilities.

I θ = [θv ]v∈V vector of uniform probabilities.

I qk = [qkv ]v∈V vector of observed probabilities for the key k .

Using Multiple Differentials...

11/28

Recent Work

[Albrecht Leander 12]

LLR statistical test

Application to SMALLPRESENT-[4] (m = 16) and KATAN-32(m = 32)

[Blondeau Gerard Nyberg 12]

LLR and χ2 statistical tests.

What to do when m > 32 ?

⇒ Introduction of partitioning functions

Using Multiple Differentials...

12/28

Outline

IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis

Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials

Analysing InformationLLR Statistical Testχ2 Statistical Test

ExperimentsExperimental ResultsDiscussion

Using Multiple Differentials...

13/28

Partitioning Functions

We analyze two “orthogonal” cases

I Unbalanced partitioningI Take a subset of simple differences

I Balanced partitioningI Group the differences in order to be able to use information of

the whole output space.

Aim:I Compare Time, Memory and Data complexity of the different

methods.

Using Multiple Differentials...

13/28

Partitioning Functions

We analyze two “orthogonal” cases

I Unbalanced partitioningI Take a subset of simple differences

I Balanced partitioningI Group the differences in order to be able to use information of

the whole output space.

Aim:I Compare Time, Memory and Data complexity of the different

methods.

Using Multiple Differentials...

14/28

Last Round Attack

Plaintext

Characteristic

Partial State??

r roundsF rK

Distinguisher

Using Multiple Differentials...

14/28

Last Round Attack

Plaintext

Characteristic

Partial State??

r roundsF rK

Distinguisher

?Substitution Layer

Key addition

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eCiphertext

Using Multiple Differentials...

15/28

Unbalanced Partitioning

Idea: Subset of simple differences

I Output differences (δ(v)out )1≤v≤A,

I Counter for each of these differentials qkv .

I As∑A

i=1 qkv 6= 1

I We have a “trash” counter qk0 which gathers all other output

differences.

Last Round Attack: We increment the counter qkv

if the difference δ(v)out is obtained after partial deciphering.

Using Multiple Differentials...

16/28

Unbalanced Partitioning: Last Round Attack

δin

?

V = [δ(v)out ]v

��* HHYV

Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e e

Using Multiple Differentials...

16/28

Unbalanced Partitioning: Last Round Attack

V = [δ(v)out ]v

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1 Active Sboxes

Using Multiple Differentials...

16/28

Unbalanced Partitioning: Last Round Attack

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1

Sieving processDiscard some ciphertext pairs

Using Multiple Differentials...

16/28

Unbalanced Partitioning: Last Round Attack

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1

6e 6e 6e For all key candidates,partially decipherk4 k3 k1

6��@I

Using Multiple Differentials...

16/28

Unbalanced Partitioning: Last Round Attack

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1

6e 6e 6ek4 k3 k1

6��@I If δ = δ(v)out

Increment qkv

OtherwiseIncrement qk

0

Using Multiple Differentials...

16/28

Unbalanced Partitioning: Last Round Attack

��* HHYV

S7 S6 S5 S4 S3 S2 S1 S0

k7 k6 k5 k4 k3 k2 k1 k0e e e e e e e eS4 S3 S1

6e 6e 6ek4 k3 k1

6��@I If δ = δ(v)out

Increment qkv

OtherwiseIncrement qk

0

Analyse the vectors qk for each key

Using Multiple Differentials...

17/28

Unbalanced Partionning: Remarks

Corresponding known/former attacks:I Differential cryptanalysis.

Advantage:I A sieving process⇒ “smaller” time complexity

Disadvantage:I Subset of output space⇒ Not all informationI Small probabilities⇒ Non-tightness of the information

Using Multiple Differentials...

18/28

Balanced Partitioning

Idea: Using information from all differences by grouping them.

Let V = [δ(v)out ]v a subspace of Fm

2

A group of differences ∆(v)out = δ

(v)out ⊕ V (V ⊕ V = Fm

2 )

A counter qkv for each group of differences.

Using Multiple Differentials...

19/28

Balanced Partitioning: Last Round Attack

δin

?

V

∆out = δout ⊕ V

Substitution LayerS7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

Using Multiple Differentials...

19/28

Balanced Partitioning: Last Round Attack

V

∆out = δout ⊕ V

S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

S7 S6 S5 S4 S3 S2 S1 S0 Active Sboxes

Using Multiple Differentials...

19/28

Balanced Partitioning: Last Round Attack

V

S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

S7 S6 S5 S4 S3 S2 S1 S0

No sieving processPartially decipher for all pairs

Using Multiple Differentials...

19/28

Balanced Partitioning: Last Round Attack

V

S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

S7 S6 S5 S4 S3 S2 S1 S0For all key candidates,

partially decipherk4 k3 k26e 6e 6eS4 S3 S2

Using Multiple Differentials...

19/28

Balanced Partitioning: Last Round Attack

V

S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

S7 S6 S5 S4 S3 S2 S1 S0

k4 k3 k26e 6e 6eS4 S3 S2

��*6HHYIf δ ∈ δ(v)

out ⊕ VIncrement qk

v

Using Multiple Differentials...

19/28

Balanced Partitioning: Last Round Attack

V

S7 S6 S5 S4 S3 S2 S1 S0e e e e e e e ek7 k6 k5 k4 k3 k2 k1 k0

S7 S6 S5 S4 S3 S2 S1 S0

k4 k3 k26e 6e 6eS4 S3 S2

��*6HHYIf δ ∈ δ(v)

out ⊕ VIncrement qk

v

Analyse the vectors qk for each key

Using Multiple Differentials...

20/28

Balanced Partitioning: Remarks

Corresponding known/former attacks:I Truncated Differential cryptanalysis.

Advantage:I Whole output space⇒ More informationI Bigger Probabilities⇒ Tightness of the information

Disadvantage:I No sieving process⇒ Larger time complexity

Using Multiple Differentials...

21/28

Outline

IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis

Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials

Analysing InformationLLR Statistical Testχ2 Statistical Test

ExperimentsExperimental ResultsDiscussion

Using Multiple Differentials...

22/28

Statistical TestsProbability distribution vectors

I Expected: p = [pv ]v∈V

I Uniform: θ = [θv ]v∈V

I Observed: qk (for a given key candidate k )

LLR test: requires the knowledge of the theoretical probability p.

Sk = LLRk (qk ,p, θ)def= Ns

∑v∈V

qkv log

(pv

θv

).

χ2 test: Does not require the knowledge of p for the attack

Sk = χ2k (qk , θ) = Ns

∑v∈V

(qkv − θv )2

θv.

Using Multiple Differentials...

23/28

Complexities

Let S(k) be the statistic obtained for a key candidate k .

Sk = LLRk (qk ,p, θ) or = χ2k (qk , θ)

Then,

Sk ∼{N (µR, σ

2R) if k = Kr ,

N (µW , σ2W ) otherwise.

[Selcuk 07]:I Estimates of the value of µR, µW , σR, σw for both LLR and χ2

statistical tests.I Estimates of the Data Complexity

Using Multiple Differentials...

24/28

Asymptotic Complexity when PS = 0.5

a: AdvantageΦ0,1 : cumulative function of standard normal distribution

LLR test:

N ≈Varp(log(p

θ ))[Ep(log(p

θ ))− Eθ(log(pθ ))]2 Φ−2

0,1(1− 2−a)

χ2 test:

N ≈√

2|V |C(p)

Φ−10,1(1− 2−a)

where C(p) =∑

v∈V

(pv−θv )2

θv

Using Multiple Differentials...

25/28

Outline

IntroductionDifferential CryptanalysisMultiple Differential Cryptanalysis

Partitioning the Output DifferencesSet of Simple DifferencesSpecial set of Truncated Differentials

Analysing InformationLLR Statistical Testχ2 Statistical Test

ExperimentsExperimental ResultsDiscussion

Using Multiple Differentials...

26/28

Unbalanced Partitioning: Simple differences

0.5

0.6

0.7

0.8

0.9

20 22 24 26 28 30

PS

log2(N)

LLR : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11

χ2 : Ex. a = 4Th. a = 4Ex. a = 11Th. a = 11

Using Multiple Differentials...

27/28

Balanced Partitioning: Group of output differences

0.5

0.6

0.7

0.8

0.9

19 21 23 25 27

PS

log2(N)

LLR : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7

χ2 : Ex. a = 4Th. a = 4Ex. a = 7Th. a = 7

Using Multiple Differentials...

28/28

Conclusions

Balanced or Unbalanced partitioning ?I Time Complexity: unbalanced⇒ faster attack.I Data Complexity: depends of the cipher.

LLR or χ2?I If we have a good estimate of the expected probabilities⇒ LLR provides better Data and Memory complexities

I Otherwise LLR is not effective