On Multidimensional Linear Cryptanalysis

Phuong Ha Nguyen, Lei Wei, Huaxiong Wang and San Ling

Nanyang Technological University, Singapore

ACISP 2010, 5 Jul 2010


Talk Overview

1. Motivation
   The Kaliski-Robshaw Approach
   The Biryukov-Canniere-Quisquater Approach
   Multidimensional Linear Cryptanalysis

2. Multidimensional Extension to Matsui’s Alg. 1
   The Hermelin-Cho-Nyberg Approach
   Improving the Algorithm

3. Cryptanalysis and Conclusions


Linear Cryptanalysis

Linear Cryptanalysis was formally introduced by Matsui in 1993 and successfully applied to the full DES.

Algorithm 1: Given a block cipher $E_k(\cdot)$, if there is a linear approximation

$$g = uX \oplus vY \oplus cK$$

with $\Pr(g = 0) = 1/2 + \varepsilon$, then, when the bias $\varepsilon$ is big enough, a single parity $cK$ can be recovered with $N \sim c/\varepsilon^2$ random plaintext-ciphertext pairs.


The Kaliski-Robshaw Approach

Linear Cryptanalysis Using Multiple Approximations, CRYPTO’94, Algorithm 1M.

Find m linear approximations $g_1, \ldots, g_m$, where $g_i = u_i X \oplus v_i Y \oplus cK$ with bias $\varepsilon_i$.

Compute the statistic $T_i$ from $g_i$ as in Matsui’s Alg. 1. Find $cK$ from the weighted average of the statistics $T_i$. N can achieve an m-fold reduction:

$$N \sim 1 \Big/ \sum_{i=1}^{m} \varepsilon_i^2 .$$

Each of the approximations must have the same key mask c.


The Biryukov-Canniere-Quisquater Approach

On Multiple Linear Approximations, CRYPTO’04, Algorithm MK1.

Provides a theoretical framework for treating m statistically independent linear approximations.

Defines the capacity $c^2$ as $4 \sum_{i=1}^{m} \varepsilon_i^2$, which determines N when the gain is fixed.

$c^2$ continues to grow even when linearly dependent approximations are added to the base approximations. The same phenomenon is observed in the experiments of Collard, et al. [CollardSQ08].


Multidimensional Extension to Matsui’s Alg. 1

Multidimensional Linear Cryptanalysis of Reduced Round Serpent, ACISP’08, Hermelin, et al.

Works with m linearly independent base approximations.

Exploits the correlations in the $2^m - m - 1$ combined approximations spanned from the base $g_1, \ldots, g_m$.

Data complexity N is reduced, but the time complexity is high: $2^m N$ for the Distillation phase and $2^{2m}$ for the Analysis phase.


Our contribution

An explicit measure of the data complexity N, based on $\varepsilon_i$.

Reduce the Distillation time complexity to $2m \cdot 2^m + mN$.

Reduce the Analysis time complexity to $3m \cdot 2^m$.

Application to 4- and 9-round Serpent.


Notations and notions

Denote the space of m-dimensional binary vectors by $V_m$, or $V_m = GF(2)^m$.

The inner product of 2 vectors $a, b \in V_m$ is $ab = \bigoplus_{i=1}^{m} a_i b_i$.

Let X be a random variable (r.v.) in $V_m$. Let $p_\eta = \Pr(X = \eta)$, with $\eta \in V_m$.

Associate with $f : V_n \to V_m$ an r.v. $Y := f(X)$ where X is uniformly distributed in $V_n$; then the probability distribution (p.d.) of Y is $p(f) := (p_0(f), \ldots, p_{2^m - 1}(f))$ where $p_\eta(f) = \Pr(f(X) = \eta)$, for all $\eta \in V_m$.

Two Boolean functions f and g are statistically independent if $f(X)$ and $g(Y)$ are statistically independent, for X, Y uniform in $V_n$.


Notations and notions - Con’t

The correlation between a binary r.v. X and 0 is $\rho = \Pr(X = 0) - \Pr(X = 1) = 2\varepsilon$, where $\varepsilon$ is the bias of X.

The correlation between a Boolean function $g : V_m \to V_1$ and 0 is $\rho := 2\Pr(g(X) = 0) - 1$, with X uniform in $V_m$.

For $f : V_l \to V_n$ with selection masks $w_i \in V_n$, $u_i \in V_l$, $i = 1, \ldots, m$, where the pairs $(w_i, u_i)$ are linearly independent, we define $g_i$ as $g_i(\eta) = w_i f(\eta) \oplus u_i \eta$, $\forall \eta \in V_l$. We use $g_1, \ldots, g_m$ as base approximations of f.

Constructing the matrices $W = (w_1, \ldots, w_m)$ and $U = (u_1, \ldots, u_m)$, we cryptanalyze f with the p.d. $p = (p_0, \ldots, p_{2^m - 1})$ of $g = (g_1, \ldots, g_m)$, namely, $g(\eta) = W f(\eta) \oplus U \eta$.


Kullback-Leibler (KL) distance

Let $p = (p_0, \ldots, p_M)$ and $q = (q_0, \ldots, q_M)$ be two p.d.’s. Then their (mutual) capacity is

$$C(p, q) = \sum_{\eta = 0}^{M} \frac{(p_\eta - q_\eta)^2}{q_\eta} .$$

The relative entropy or the Kullback-Leibler (KL) distance between p and q is defined as

$$D(q \,\|\, p) = \sum_{\eta = 0}^{M} q_\eta \log \frac{q_\eta}{p_\eta} .$$


Multidimensional Extension of Matsui’s Alg. 1

Find m linear approximations $g_i := u_i X \oplus v_i Y \oplus c_i K$ for $i = 1, \ldots, m$, with correlations $\rho_1, \ldots, \rho_m$. The $c_i$’s are linearly independent and the text masks $(u_i, v_i)$ are linearly independent.

Define $g := (g_1, \ldots, g_m)$ with p.d. p.

Define $h := (h_1, \ldots, h_m)$ where $h_i := u_i X \oplus v_i Y$. h is called the experimental function, and we study its theoretical p.d. q by its empirical p.d. $\hat{q}$.

Let $w_i := c_i K$, $i = 1, \ldots, m$, be the m parity bits of the extended key K. Then $w := (w_1, \ldots, w_m)$ defines a key class of K.

Thus $g = h \oplus w$, and the p.d. q of h is a permutation of p.


|Z|-ary Hypothesis Testing

Let $w^*$ be the correct key class, and $p_{w^*}$ the permutation of p according to $w^*$. We have $q = p_{w^*}$.

The KL distance is used to find $w^*$ from the $2^m$ key classes, by measuring $D(q \,\|\, p_w)$ for all $w \in V_m$.

Theorem (Hermelin, et al.)

Let us have a |Z|-ary hypothesis testing problem, with |Z| hypotheses $H_w$ stating that the data originates from $p_w$, where $w \in Z$ corresponds to the key. The hypothesis for which the KL distance $D(q \,\|\, p_w)$ is smallest gets selected. Given some success probability $P_{sc}$, the lower bound for the data complexity N is given by

$$N \sim \frac{4 \log_2 |Z|}{\min_{j \neq 0} C(p_0, p_j)} .$$


The Multidimensional Algorithm 1

Offline: Compute N based on the previous theorem and p.

Online: With N plaintext-ciphertext pairs (X, Y),

Distillation: Compute the p.d. q of h using $2^m$ counters.

Analysis: Construct a $2^m \times 2^m$ matrix T, $T(w, \eta) = \log\big(q_\eta / p_{w,\eta}\big)$, where $p_{w,\eta}$ is the $\eta$-th entry of $p_w$. Compute $D = T q^{\mathsf{T}} = (D(q \,\|\, p_0), \ldots, D(q \,\|\, p_{2^m - 1}))$.

Sorting: Sort the list of w by ascending $D(q \,\|\, p_w)$.

Searching: Search the keys in the key classes in sorted order.


Estimating N, the data complexity

Given $g = (g_1, \ldots, g_m)$ and $\rho(a)$, for all $a \in V_m$, the data complexity is determined by $\min_{j \neq 0} C(p_0, p_j)$. Let $p = p_0$ and $q = p_w$; we proved the following lemma:

Lemma

$$C(p, q) \geq 2 \sum_{a \in V_m \setminus \{0\}} \rho^2(a) .$$

Hence we obtain the estimation

$$N \sim \frac{m}{2 \sum_{a \in V_m \setminus \{0\}} \varepsilon^2(a)} .$$

To the best of our knowledge, no algorithm is much faster than $3m \cdot 2^m$ steps to compute $\min_{j \neq 0} C(p_0, p_j)$.
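As an added worked example (not code from the slides or their authors), the notation of the preceding slides on a constructed 3-bit S-box: the p.d. $p$ of $g = Wf(\eta) \oplus U\eta$ with $m = 2$ base approximations, the correlations $\rho(a)$ of all $2^m - 1$ spanned approximations, the capacity $C(p_0, p_w)$ of every key class, the lemma's bound, and the theorem's $N$ next to the estimate $N \sim m / (2 \sum_{a \neq 0} \varepsilon^2(a))$. The S-box and the selection masks are assumptions chosen for illustration.

```python
"""Added worked example (not code from the slides): build the p.d. p of the
multidimensional approximation g = W f(eta) XOR U eta for a constructed 3-bit
S-box with m = 2 base approximations, derive the correlations rho(a) of the
spanned approximations a.g, compute the capacity C(p_0, p_w) for every key
class w, check the lemma's bound on this instance and compare the theorem's
N = 4 log2|Z| / min_j C(p_0, p_j) with the estimate N ~ m / (2 sum eps(a)^2)."""
import math

# Constructed 3-bit S-box f: V_3 -> V_3 (a bijection); not taken from the slides.
SBOX = [0, 2, 1, 3, 4, 7, 6, 5]
# Constructed selection masks: g_1(eta) = bit0(f(eta)) XOR bit1(eta),
#                              g_2(eta) = bit1(f(eta)) XOR bit0(eta).
# The pairs (w_i, u_i) are linearly independent, as the slides require.
W_MASKS = [0b001, 0b010]   # output masks w_i
U_MASKS = [0b010, 0b001]   # input masks u_i

def inner(a: int, b: int) -> int:
    """ab = XOR_i a_i b_i, the inner product on V_m."""
    return bin(a & b).count("1") & 1

def pd_of_g(sbox, w_masks, u_masks):
    """p.d. p = (p_0, ..., p_{2^m-1}) of g(eta) = (g_1(eta), ..., g_m(eta)) for
    uniform eta; bit i of the m-bit value g(eta) is g_i(eta) = w_i f(eta) XOR u_i eta."""
    m = len(w_masks)
    counts = [0] * (1 << m)
    for eta, f_eta in enumerate(sbox):
        val = 0
        for i, (w, u) in enumerate(zip(w_masks, u_masks)):
            val |= (inner(w, f_eta) ^ inner(u, eta)) << i
        counts[val] += 1
    return [c / len(sbox) for c in counts]

def correlations(p):
    """rho(a) = Pr(a.g = 0) - Pr(a.g = 1) for every mask a in V_m (rho(0) = 1):
    the correlation of the spanned approximation a.g, the XOR of the g_i with a_i = 1."""
    return [sum(p[eta] * (-1) ** inner(a, eta) for eta in range(len(p)))
            for a in range(len(p))]

def capacity(p, q):
    """C(p, q) = sum_eta (p_eta - q_eta)^2 / q_eta (infinite if q_eta = 0 < p_eta)."""
    total = 0.0
    for pe, qe in zip(p, q):
        if qe == 0.0:
            if pe != 0.0:
                return math.inf
            continue
        total += (pe - qe) ** 2 / qe
    return total

def permute(p, w):
    """p_w, the p.d. of g XOR w: Pr(g XOR w = eta) = p_{eta XOR w}."""
    return [p[eta ^ w] for eta in range(len(p))]

def min_capacity(p):
    """min_{j != 0} C(p_0, p_j) over the 2^m - 1 wrong key classes."""
    return min(capacity(p, permute(p, w)) for w in range(1, len(p)))

def lemma_bound(p):
    """Right-hand side of the slides' lemma: 2 * sum_{a != 0} rho(a)^2."""
    return 2.0 * sum(r * r for r in correlations(p)[1:])

def n_theorem(p):
    """Hermelin et al.: N ~ 4 log2|Z| / min_{j != 0} C(p_0, p_j), with |Z| = 2^m."""
    return 4.0 * math.log2(len(p)) / min_capacity(p)

def n_estimate(p):
    """The slides' estimate N ~ m / (2 sum_{a != 0} eps(a)^2), with eps(a) = rho(a) / 2."""
    m = len(p).bit_length() - 1
    return m / (2.0 * sum((r / 2.0) ** 2 for r in correlations(p)[1:]))

P = pd_of_g(SBOX, W_MASKS, U_MASKS)

if __name__ == "__main__":
    print("p          =", P)
    print("rho(a)     =", correlations(P))
    print("min_j C    =", min_capacity(P), ">= lemma bound", lemma_bound(P))
    print("N (theorem)=", n_theorem(P), "  N (estimate) =", n_estimate(P))
```

Each base approximation alone is balanced for neither mask here; all three spanned approximations (including $g_1 \oplus g_2$, which the one-dimensional methods would not see) have correlation $1/2$, which is what drives the capacity.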


Comparisons of Data Complexities

We can now compare the data complexities:

N                                          | Framework             | Comments
$1/\varepsilon^2$                          | Matsui's Algorithm 1  | 1-bit gain
$1/\sum_{i=1}^{m} \varepsilon_i^2$         | Kaliski and Robshaw   | 1-bit gain
$1/(4\sum_{i=1}^{m} \varepsilon_i^2)$      | Biryukov, et al.      | m-bit gain
$1/(4\sum_{i=1}^{m} \varepsilon_i^2)$      | Biryukov, et al.      | m-bit gain
$m/(2\sum_{a \ne 0} \varepsilon^2(a))$     | Hermelin, et al.      | m-bit gain


Computational Bottlenecks

In the distillation phase, $2^m$ counters are used to compute $q$ from $N$ samples. The time complexity is $O(2^m N)$.

In the analysis phase, computing $D$ has a time complexity of $O(2^{2m})$.

The algorithm is able to exploit all non-negligible spanned linear approximations systematically; with a well-selected larger base $g_1, \ldots, g_m$, $N$ may be further reduced. However, the time complexities of the distillation phase and the analysis phase suffer an exponential increase.


Breaking the Bottlenecks

Observe that

$$D(q \| p^w) = \sum_{\eta \in V_m} q_\eta \log q_\eta - \sum_{\eta \in V_m} q_\eta \log p^w_\eta,$$

where the first sum does not affect the ranking of key classes. Define

$$D(q \| p^w) = \sum_{\eta \in V_m} q_\eta \log p^w_\eta$$

and use $D(\cdot \| \cdot)$ to rank the key class candidates.

The list of $w$ in the sorting phase of the online stage is now sorted by descending values of $D(q \| p^w)$.

A new matrix $T$ is constructed as $T(w, \eta) = \log(p^w_\eta)$, $\forall w, \eta \in V_m$. We show that $T$ is a circulant matrix, computable by fast Fourier transform. For $T$, only the first column ($T(w, 0) = \log(p^w_0) = \log(p_w)$, $\forall w \in V_m$) needs to be stored, with memory $2^m$. $T$ is used to compute $D = Tq^T$.


Breaking the Bottlenecks - Con't

We optimize the online phase of the attack by the following two methods.

Step 1: We present Method-A to calculate $q$ from the $N$ samples given. The complexity is $2m2^m + mN$.

Step 2: We present Method-B to compute $D$. The complexity is $3m2^m$.


Fast Computation of Empirical Distribution - Method A

Method-A is for computing the empirical distribution $q$ of the experimental function $h$ from $N$ known plaintexts $(X, Y)$.

Step 1, compute $\gamma(b)$, the correlation of the combined linear approximation $b \cdot h$, for all $b \in V_m$.

Step 2, compute $q$ from $\gamma(b)$ by the following result:

Corollary (Baigneres, et al.)

Let $g : V_n \to V_m$ be a Boolean function with p.d. $p$ and correlations $\rho(a)$ of the combined approximations $a \cdot g$, for all $a \in V_m$. Then for $\eta \in V_m$,

$$p_\eta = 2^{-m} \sum_{a \in V_m} (-1)^{a \cdot \eta} \rho(a).$$


Method-A: Step 1

To compute $\gamma(b)$, for all $b \in V_m$, from $N$ samples:

$$\gamma(b) = N^{-1} \sum_{j=1}^{N} (-1)^{b \cdot h(X_j, Y_j)} = N^{-1} \sum_{a \in V_m} (-1)^{b \cdot a} T_a,$$

where $T_a = \#\{(X_j, Y_j) : h(X_j, Y_j) = a\}$.

Construct the $2^m \times 2^m$ matrix $S$ by $S(b, a) := (-1)^{b \cdot a}$, $E := (T_0/N, \ldots, T_{2^m-1}/N)$, and $\gamma = (\gamma(0), \ldots, \gamma(2^m - 1))$; then

$$\gamma(b) = \sum_{a \in V_m} S(b, a) E_a, \quad \forall b \in V_m, \qquad \text{or } \gamma = S E^T.$$

Since $S$ is a Hadamard matrix, we can apply the Fast Walsh-Hadamard Transform to compute $\gamma$ with time complexity $m2^m$; the storage is $O(2^m)$. Computing the vector $T := (T_0, \ldots, T_{2^m-1})$ requires $mN$ time.


Method-A: Step 2

Construct the vector $R = (R_0, \ldots, R_{2^m-1})$ with $R_b = 2^{-m} \gamma(b)$, for all $b \in V_m$. We have

$$q_\eta = \sum_{b \in V_m} (-1)^{\eta \cdot b} R_b, \quad \forall \eta \in V_m, \qquad \text{or } q = S R^T.$$

The Fast Walsh-Hadamard Transform is used again to compute $q$. Hence, the total complexity is $mN + 2m2^m$ for computing $q$ from $N$ samples.


Fast Computation of Kullback-Leibler Distance - Method B

Method-B is used to compute the vector $D$ from the matrix $T$, based on the idea of circulant matrices used by Collard, et al. We prove the following theorem:

Theorem

The matrix $T$ is level-$m$ circulant with type $\underbrace{(2, 2, \ldots, 2)}_{m \text{ times}}$.


Method-B

With relevant results about circulant matrices, we have

$$T = F^* \,\mathrm{diag}(\lambda)\, F, \qquad (F^* F = I),$$

$$\lambda = F \, T(:,1) \, \sqrt{2^m},$$

and

$$D = \big(D(q \| p^0), \ldots, D(q \| p^{2^m-1})\big) = Tq = F^* \big(\mathrm{diag}(\lambda)(Fq)\big).$$

Applying the Fast Fourier Transform three times, for $F$, $\mathrm{diag}(\lambda)$ and $F^*$, we get all the values $D(q \| p^w)$ for all $w \in V_m$. The complexity is $3m2^m$.


Efficiency of the Improved Algorithm - Online Stage

Distillation: compute the empirical p.d. $q$ of $h$ from the $N$ samples by Method-A.

Analysis: from $\lambda$ and $q$, compute the vector $D$ by Method-B.

Sorting: sort the key classes $w$ by $D(q \| p^w)$ in descending order.

Searching: search the keys contained in the sorted key classes in order.

In practice, we estimate $O(2m2^m + mN) = O(mN)$.
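The online stage described above (Method-A distillation, Method-B analysis and the sorting of key classes), as an added Python example that is not code from the slides or their authors. The FWHT routine, the constructed distribution $p$ standing in for the p.d. of $g$, the key class $w^*$, the model $p^w_\eta = p_{\eta \oplus w}$ and the sample construction are assumptions of this example.

```python
import math


def fwht(vec):
    """Fast Walsh-Hadamard Transform: returns S v for the Sylvester-Hadamard
    matrix S(b,a) = (-1)^(b.a) of size 2^m, in m 2^m additions."""
    out = list(vec)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                x, y = out[j], out[j + h]
                out[j], out[j + h] = x + y, x - y
        h *= 2
    return out


def method_a(samples, m):
    """Method-A: empirical p.d. q of h from N samples h(X_j, Y_j) in V_m.
    Step 1: counts T_a in mN time, E = T/N, gamma = S E^T (one FWHT).
    Step 2: R_b = 2^-m gamma(b), q = S R^T (second FWHT).
    Returns (q, gamma); gamma(b) is the empirical correlation of b.h."""
    n = len(samples)
    counts = [0] * (1 << m)
    for a in samples:
        counts[a] += 1
    e = [c / n for c in counts]
    gamma = fwht(e)
    q = fwht([g / (1 << m) for g in gamma])
    return q, gamma


def method_b(q, p):
    """Method-B: D(q||p^w) = sum_eta q_eta log p^w_eta for every key class w,
    assuming p^w_eta = p_{eta xor w}. Then T(w,eta) = log p_{w xor eta} is
    circulant over V_m (level-m, type (2,...,2)) and is diagonalised by the
    Walsh functions: T q = S diag(S t) S q / 2^m, t the first column of T.
    Three size-2^m transforms replace the 2^m x 2^m matrix-vector product."""
    size = len(p)
    t = [math.log(x) for x in p]          # T(w,0) = log p_w: all that is stored
    lam = fwht(t)                         # lambda = F T(:,1) sqrt(2^m), F = S/sqrt(2^m)
    fq = fwht(q)
    return [x / size for x in fwht([l * f for l, f in zip(lam, fq)])]


def naive_d(q, p):
    """Direct O(2^{2m}) evaluation of the same vector, for cross-checking."""
    return [sum(qe * math.log(p[eta ^ w]) for eta, qe in enumerate(q))
            for w in range(len(p))]


def online_stage(samples, p, m):
    """Distillation (Method-A), analysis (Method-B) and sorting: key classes
    w ranked by descending D(q||p^w), most likely class first."""
    q, _ = method_a(samples, m)
    d = method_b(q, p)
    return sorted(range(1 << m), key=lambda w: d[w], reverse=True)


def demo(m=5, n=1 << 17, true_w=0b10110):
    """Constructed experiment: a non-uniform p over V_m (stand-in for the
    p.d. of g), N samples whose empirical distribution follows p^{w*}, and
    the resulting ranking. Returns (ranking, true_w)."""
    size = 1 << m
    weights = [1.0 + 0.5 * ((7 * eta + 3) % 9) / 8 for eta in range(size)]
    p = [w / sum(weights) for w in weights]
    shifted = [p[eta ^ true_w] for eta in range(size)]       # p^{w*}
    samples = [eta for eta in range(size)
               for _ in range(round(n * shifted[eta]))]
    return online_stage(samples, p, m), true_w


if __name__ == "__main__":
    ranking, w_star = demo()
    print("true key class:", w_star, "ranked first:", ranking[0] == w_star)
```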


Complexity comparison between different algorithms

        Distillation Phase                               Analysis Phase
        Biryukov          Hermelin      Method-A         Biryukov       Hermelin       Method-B
Data    $O(N_{s.i.})$     $O(N)$        $O(N)$           -              -              -
Time    $O(m' N_{s.i.})$  $O(2^m N)$    $O(mN)$          $O(m' 2^m)$    $O(2^{2m})$    $O(m 2^m)$
Mem     $O(m')$           $O(2^m)$      $O(2^m)$         $O(2^m)$       $O(2^m)$       $O(2^m)$

Following the definitions of $N_{s.i.}$ and $N_{plain}$, $N < N_{s.i.} < N_{plain}$ and $m < m'$.

We have improvement in the time complexities for the distillation phase and the analysis phase.

We have shown that the multidimensional Algorithm 1 requires fewer samples than Biryukov et al. The same result was observed by Hermelin, et al. with only empirical evidence.


4-round Serpent

Hermelin, et al. considered the 1023 approximations from $\mathrm{span}\{L_0, \ldots, L_9\}$. 8, 64 and 128 of them have correlation $2^{-11}$, $2^{-12}$ and $2^{-13}$ respectively.

Lemma 2 gives the overall capacity of $2\sum_{a \ne 0} \rho^2(a) = 2^{-16}$, hence $N \sim 2^{21.3}$.

We set $m = 16$ and pick another 6 linearly independent base approximations.

32, 384, 1664, 3072 and 2048 of the combined approximations have correlation $2^{-11}$, $2^{-12}$, $2^{-13}$, $2^{-14}$ and $2^{-15}$ respectively. This gives a capacity of $2^{-12.8}$, hence we estimate $N \sim 4m / C(p \| q) = 2^{18.8}$.

m    Capacity     N           Distillation (Hermelin)   Distillation (This paper)   Analysis (Hermelin)   Analysis (This paper)   Memory
10   $2^{-16}$    $2^{21.3}$  $2^{31.3}$                $2^{24.6}$                  $2^{20}$              $2^{14.9}$              $2^{10}$
16   $2^{-12.8}$  $2^{18.8}$  $2^{34.8}$                $2^{23.2}$                  $2^{32}$              $2^{21.6}$              $2^{16}$


9-round Serpent

We take a 9-round linear characteristic of Collard, et al., from $S_3$ to the next $S_3$.

11 active S-boxes with correlation $2^{-11}$, and the remaining rounds $2^{-38}$.

$10^{11}$ possible input masks give correlations from $2^{-11}$ to $2^{-22}$.

Crafting 44 base approximations, we expect to cover the $10^{11}$ out of the $2^{44}$ combined input masks.

The exponential number of non-negligible approximations in the 44-dimension attack gives a capacity of

$$2 \cdot \Big[\sum_{i=0}^{11} \binom{11}{i} \cdot 2^i \cdot 8^{11-i} \cdot \big((2^{-1})^i \cdot (2^{-2})^{11-i}\big)^2\Big] \cdot (2^{-38})^2 = 2^{-75}.$$

The capacity is $2^{22}$ times larger than in the single approximation scenario. $N \sim 2^{82.5}$.

Time complexity for distillation is $2^{88}$, analysis $2^{51}$, and $2^{44}$ memory is required.
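The capacity and data-complexity estimates of the 4-round and 9-round Serpent slides, recomputed from the correlation profiles with the slides' formulas ($C = 2\sum_{a \ne 0} \rho^2(a)$, $N \sim 4m/C$, distillation $2m2^m + mN$, analysis $3m2^m$, memory $2^m$), as an added Python example that is not code from the slides or their authors. The function names and the (count, log2 correlation) profile encoding are assumptions of this example; the numbers are the slides' own.

```python
import math
from math import comb


def capacity_from_profile(profile):
    """Capacity 2 * sum_{a != 0} rho^2(a) from a correlation profile given as
    (count, log2_rho) pairs: `count` combined approximations a != 0, each
    with |rho(a)| = 2^log2_rho (the Lemma 2 bound on C(p, p^w))."""
    return 2 * sum(count * 2.0 ** (2 * log2_rho) for count, log2_rho in profile)


def estimate(m, capacity):
    """log2 of the data and online-stage costs from the slides' formulas:
    N ~ 4m / C(p||q); distillation 2m 2^m + mN (Method-A); analysis 3m 2^m
    (Method-B); memory 2^m."""
    n = 4 * m / capacity
    return {
        "N": math.log2(n),
        "distillation": math.log2(2 * m * 2 ** m + m * n),
        "analysis": math.log2(3 * m * 2 ** m),
        "memory": float(m),
    }


def nine_round_capacity(active=11, per_box=((2, -1), (8, -2)), rest_log2=-38):
    """Capacity of the 9-round setting: `active` outer-round S-boxes, each
    with 2 input masks of correlation 2^-1 and 8 of 2^-2 (the slides' per-box
    profile; any two-class profile is accepted), combined over all choices
    (i boxes take the 2^-1 mask, the rest 2^-2), times the squared fixed
    correlation 2^rest_log2 of the remaining rounds."""
    (n1, c1), (n2, c2) = per_box
    total = 0.0
    for i in range(active + 1):
        masks = comb(active, i) * n1 ** i * n2 ** (active - i)
        rho_sq = (2.0 ** (c1 * i) * 2.0 ** (c2 * (active - i))) ** 2
        total += masks * rho_sq
    return 2 * total * (2.0 ** rest_log2) ** 2


def single_approximation_capacity(log2_rho):
    """Capacity 2 rho^2 of one approximation with correlation 2^log2_rho."""
    return 2 * (2.0 ** log2_rho) ** 2


if __name__ == "__main__":
    # 4-round Serpent, m = 10 (Hermelin et al.'s 1023 approximations)
    c10 = capacity_from_profile([(8, -11), (64, -12), (128, -13)])
    # 4-round Serpent, m = 16 (six extra base approximations)
    c16 = capacity_from_profile([(32, -11), (384, -12), (1664, -13),
                                 (3072, -14), (2048, -15)])
    # 9-round Serpent, m = 44
    c44 = nine_round_capacity()
    for m, c in ((10, c10), (16, c16), (44, c44)):
        e = estimate(m, c)
        print(f"m={m:2d} capacity=2^{math.log2(c):.1f} "
              + " ".join(f"{k}=2^{v:.1f}" for k, v in e.items()))
    gain = c44 / single_approximation_capacity(-11 - 38)
    print(f"9-round capacity gain over one approximation: 2^{math.log2(gain):.0f}")
```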


Conclusions

For block cipher designs, bounding the maximum correlation of a single linear characteristic is not sufficient to claim security, especially for SPN block ciphers with small S-boxes. It is easy to form a huge number of non-negligible approximations, exponential in the number of active S-boxes of the outer rounds.

With a suitable setup, the multidimensional extension of Matsui's Alg. 1 is a systematic tool to exploit the correlations in combined approximations.

It is worthwhile for designers to leave a large security margin or to develop specific mechanisms to prevent a huge number of linear approximations from being formed.


Q & A

Thank you
