New Impossible Differential Search Tool from Design and ... · Title: New Impossible Differential...

Copyright©2017 NTT corp. All Rights Reserved.

New Impossible Differential Search Tool from Design and Cryptanalysis Aspects -- Revealing Structural Properties of Several Ciphers

Yu Sasaki and Yosuke Todo

Eurocrypt 2017

3 May 2017

2 Copyright©2017 NTT corp. All Rights Reserved.

Impossible Differential (ID)

Δ𝑖𝑛

Impossible Differential attack (proposed by Knudsen and Biham et al.)

Δout

• When the input difference is Δ𝑖𝑛, it’s impossible for the output difference to be Δ𝑜𝑢𝑡.

• Guess subkeys in the first and last several rounds. • If guessed subkeys lead to (Δ𝑖𝑛, Δ𝑜𝑢𝑡), the guessed

subkeys are incorrect.

subkey guess Δ𝑃

subkey guess ΔC


Contribution of our works

New MILP-based ID search tool

From cryptanalysis aspect. Target Previous Ours Search Mode Remarks

Midori128 6 7 specific S-box

Lilliput 8 9 specific S-box

Minalpher 6.5 7.5 arbitrary S-box

ARIA 4 4 arbitrary S-box improve key recovery

MIBS 8 8 specific S-box new ID

From design tool aspect. • “Probable security” on specific pair of differences

under the subkey uniform assumption. • Detect the optimality of the S-box choice.


New Method to Find ID


General Method to Find ID

• 𝒰-method by Kim et al.

• More extensions exist e.g. UID-method.

Δ𝑜

Δ𝑖

round 1

round 2

round 3

round 4

round 5

Δ𝑖1

Δ𝑖3

Δ𝑖2

Δ𝑖𝑟

Δ𝑜1

Δ𝑜3

Δ𝑜2

Δ𝑜𝑟

For all (Δ𝑖 , Δ𝑜) and 𝑟

1. Propagate Δ𝑖 in forwards to record active or inactive bits with Pr.=1

2. Propagate Δ𝑜 in backwards to record active or inactive bits with Pr.=1

3. Find contradiction


Mixed Integer Linear Programing (MILP)

• MILP is an optimization or feasibility program in which variables are restricted to integers.

• The model 𝑀 consists of variables 𝑀. 𝑣𝑎𝑟, constraints 𝑀. 𝑐𝑜𝑛, and objective 𝑀. 𝑜𝑏𝑗.

𝑀. 𝑣𝑎𝑟 𝑥, 𝑦, 𝑧 (binary) 𝑥 + 2𝑦 + 3𝑧 ≤ 4 𝑥 + 𝑦 ≥ 1 Maximize : 𝑥 + 𝑦 + 2𝑧

𝑀. 𝑐𝑜𝑛

𝑀. 𝑜𝑏𝑗

Solution of 𝑀 is 3. (𝑥, 𝑦, 𝑧) = (1,0,1)


Cryptanalysis Applications

• MILP was first introduced by Mouha et al. to guarantee the lower bound of the number of acitve S-boxes.

• Several follow-up works.

‐ Tight differential (linear) characteristic.

‐ “Differential” and “Linear hull”.

‐ Integral attack via division property.

‐ Zero-correlation linear.

‐ Impossible differential ( New)


How to model block ciphers

𝑋0 F 𝑋1 F 𝑋2 F 𝑋𝑅

𝑀. 𝑣𝑎𝑟

𝑀. 𝑐𝑜𝑛



S

S

S

x1

x2

x3

x4

x5

x6

x7

x8

x9

y1

y2

y3

y4

y5

y6

y7

y8

y9

z1

z2

z3

z4

z5

z6

z7

z8

z9

Every value is 𝑀. 𝑣𝑎𝑟𝑠 which takes 0 or 1. “0” means inactive, and “1” means active.

Simple example by toy ciphers



Model DDT of S-box

000 001 010 011 100 101 110 111 000 * 0 0 0 0 0 0 0 001 0 0 * * 0 0 * * 010 0 * 0 0 * 0 0 0 011 0 0 * * 0 0 * * 100 0 0 0 0 * * 0 0 101 0 0 * * 0 0 * * 110 0 * 0 0 0 * 0 0 111 0 0 * * 0 0 * *

0 : impossible propagation * : possible propagation



Model DDT of S-box

000 001 010 011 100 101 110 111 000 * 0 0 0 0 0 0 0 001 0 0 * * 0 0 * * 010 0 * 0 0 * 0 0 0 011 0 0 * * 0 0 * * 100 0 0 0 0 * * 0 0 101 0 0 * * 0 0 * * 110 0 * 0 0 0 * 0 0 111 0 0 * * 0 0 * *

-x1+y2>=0

16 propagations become infeasible by 1 constraint.



Model DDT of S-box

000 001 010 011 100 101 110 111 000 * 0 0 0 0 0 0 0 001 0 0 * * 0 0 * * 010 0 * 0 0 * 0 0 0 011 0 0 * * 0 0 * * 100 0 0 0 0 * * 0 0 101 0 0 * * 0 0 * * 110 0 * 0 0 0 * 0 0 111 0 0 * * 0 0 * *

-x1+y2>=0 x1-y2>=0

16 propagations become infeasible by 1 constraint. In total, 32 propagations are removed.



Model DDT of S-box

000 001 010 011 100 101 110 111 000 * 0 0 0 0 0 0 0 001 0 0 * * 0 0 * * 010 0 * 0 0 * 0 0 0 011 0 0 * * 0 0 * * 100 0 0 0 0 * * 0 0 101 0 0 * * 0 0 * * 110 0 * 0 0 0 * 0 0 111 0 0 * * 0 0 * *

-x1+y2>=0 x1-y2>=0 x1+x2+x3-y3>=0

4 propagations become infeasible by 1 constraint. In total, 34 propagations are removed.



Model DDT of S-box

000 001 010 011 100 101 110 111 000 * 0 0 0 0 0 0 0 001 0 0 * * 0 0 * * 010 0 * 0 0 * 0 0 0 011 0 0 * * 0 0 * * 100 0 0 0 0 * * 0 0 101 0 0 * * 0 0 * * 110 0 * 0 0 0 * 0 0 111 0 0 * * 0 0 * *

-x1+y2>=0 x1-y2>=0 x1+x2+x3-y3>=0 x1-x2+x3-y1-y3>=-2 x2-x3+y2+y3>=0 x2-y1+y2+y3>=0 -x2+y1+y2+y3>=0 -x2-x3+y1+y2>=-1

Remove 41 impossible propagations. 8 constraints are enough to remove all impossible propagations.



Model XOR

y1

y7

z1

4 constraints are enough to remove all impossible propagations.

y1 y7 z1 Impossible

0 0 0

0 0 1 ✓ (y1+y7-z1>=0)

0 1 0 ✓ (y1-y7+z1>=0)

0 1 1

1 0 0 ✓ (-y1+y7+z1>=0)

1 0 1

1 1 0

1 1 1 ✓ (-y1-y7-z1>=-2)



S

S

S

x1

x2

x3

x4

x5

x6

x7

x8

x9

y1

y2

y3

y4

y5

y6

y7

y8

y9

z1

z2

z3

z4

z5

z6

z7

z8

z9

Simple example by toy ciphers

The number of constraints is (3*8)+(9*4)=24+36=60.


How to Search ID?

• Technique is very simple. ‐ Input and output differences are fixed to specific values. ‐ MILP search whether or not there are propagations from

input to output differences. ‐ If MILP model is infeasible, the pair is impossible.

• Advantage of our tool. ‐ Can look the inside of S-box (DDT). ‐ Don’t need to care the reason of contradiction. ‐ Can share MILP model for differential characteristic

search.

𝑋0 F 𝑋1 F 𝑋2 F 𝑋𝑅

fix fix


New results from a cryptanalysis aspect Application to Midori128


Midori128

• Proposed at Asiacryp2015 by Banik et ak.

• Previous impossible differential is 6 rounds.

• Our tool founds 7-round IDs.

‐ It well exploits the structure of SB.

‐ We also manually verified the IDs.

SR-like SB MC


8-Bit S-box in Midori128

• Four 8-bit S-boxes are constructed from two 4-bit S-boxes.

1. Apply bit permutation 𝑝𝑖.

2. Apply an involution 4-bit S-box in parallel.

3. Apply bit permutation 𝑝𝑖−1.

Sb 1

SSb 0

Sb 1

MSB

LSB

x 0

x 7

8 8

Sb 1

SSb 1

Sb 1

MSB

LSB

x 0

x 7

8 8

Sb 1

SSb 2

Sb 1

MSB

LSB

x 0

x 7

8 8

Sb 1

SSb 3

Sb 1

MSB

LSB

x 0

x 7

8 8


Preserved Active-Bit Positions

• Active-bit positions are preserved because of the involution structure of 8-bit S-boxes.

Sb1

Sb1

* * 0 0

* *

0 0

* * 0 0

* *

0 0

Sb1

Sb1

* * 0 0

* *

0 0

* * 0 0

* *

0 0


Illustration of New ID on Midori128

SubCell ShuffleCell MixColumn KeyAdd



SubCell

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

? ?

?

?

?

?

?

?

?

?

?

ShuffleCell

inactive

active

unknown

(*,*,0,0,0,0,*,*)

(0,0,*,*,*,*,0,0)

MixColumn KeyAdd



SubCell

?

?

?

?

? ?

? ?

?

?

?

?

?

?

?

? ?

?

?

?

?


Illustration of New ID on Midori128




SubCell

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

?

? ?

?

?

?

?

?

?

?

?

?

ShuffleCell

inactive

active

unknown

(*,*,0,0,0,0,*,*)

(0,0,*,*,*,*,0,0)

MixColumn KeyAdd



SubCell

?

?

?

?

? ?

? ?

?

?

?

?

?

?

?

? ?

?

?

?

?

Sb1

Sb1

* * 0 0

* *

0 0

* * 0 0

* *

0 0

contradiction


New results from a cryptanalysis aspect Application to Lilliput


Extended GFN and LILLIPUT

• Extended GFN (EGFN) by Berger et al. XORs some branches to others. • LILLIPUT is an instantiation of EGFN.

• Previous impossible differential is 8 rounds.

• Our tool found 9-round IDs.

Non-linear layer: ℱ

Permutation layer: 𝒫

𝐹

𝐹

Linear layer: 𝓛

Block shuffle


LILLIPUT Specification

• 64-bit block, 30 rounds

𝑋15 𝑋14 𝑋13 𝑋12 𝑋11 𝑋10 𝑋9 𝑋8 𝑋7 𝑋6 𝑋5 𝑋4 𝑋3 𝑋2 𝑋1 𝑋0

𝑆

𝑅𝐾

𝜋: 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7

ℱ

𝒫

ℒ


New IDs on 9-round LILLIPUT

• Previous IDs are straightforward.

• Our IDs exploit DDT.

(000000𝜶0, 00000000)

(00000000, 00000𝜶00)

9 rounds 𝜶 ∈ {2,3,8,9, 𝑒, 𝑓}


Illustration of 9-round ID


Analysis of Rounds 1 and 2

𝛼

𝑆

𝜋: 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7

𝛼

𝛼

𝛼 𝛼 𝛽

𝑆

𝜋: 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7

𝛽

Round 1 Round 2

𝛼 ⟶ 𝛽 (1) 𝑆


Analysis of Rounds 4 and 5 (𝛼 = 9)

𝛼 ⊕ 𝛽 𝛼 𝛼 𝛼 ? ? 𝛼 ? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?

𝑆

? 𝛼 𝛼 ? 𝛼 ? 𝛼

𝑆

𝛼 𝛽 𝛼 ? 𝛼 ? 𝛼 𝛼 ⊕ 𝛽

Round 4 Round 5



𝛼 ⊕ 𝛽 𝛼 𝛼 𝛼 ? ? 𝛼 ? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?

𝑆

? 𝛼 𝛼 ? 𝛼 ? 𝛼

𝑆

𝛼 𝛽 𝛼 ? 𝛼 ? 𝛼 0

𝛼 ⊕ 𝛽

Round 4 Round 5

0 0



𝛼 ⊕ 𝛽 𝛼 𝛼 𝛼 ? ? 𝛼 ? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?

𝑆

? 𝛼 𝛼 ? 𝛼 ? 𝛼

𝑆

𝛼 𝛽 𝛼 ? 𝛼 ? 𝛼 0 0 0

𝛼 ⊕ 𝛽

Round 4 Round 5

0 0

0 0

0 0



𝛼 ⊕ 𝛽 𝛼 𝛼 𝛼 ? ? 𝛼 ? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?

𝑆

? 𝛼 𝛼 ? 𝛼 ? 𝛼

𝑆

𝛼 𝛽 𝛼 ? 𝛼 ? 𝛼 0 0 0

0 ? ? 0 ? ? 0 ?

𝛼 ⊕ 𝛽

Round 4 Round 5

0 0

0 0

0 0



𝛼 ⊕ 𝛽 𝛼 𝛼 𝛼 ? ? 𝛼 ? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?

𝑆

? 𝛼 𝛼 ? 𝛼 ? 𝛼

𝑆

𝛼 𝛽 𝛼 ? 𝛼 ? 𝛼 0 0 0

0 ? ? 0 ? ? 0 ?

𝛼 ⊕ 𝛽

Round 4 Round 5

0 0

0 0

0 0

𝛽



𝛼 ⊕ 𝛽 𝛼 𝛼 𝛼 ? ? 𝛼 ? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?

𝑆

? 𝛼 𝛼 ? 𝛼 ? 𝛼

𝑆

𝛼 𝛽 𝛼 ? 𝛼 ? 𝛼 0 0 0

0 ? ? 0 ? ? 0 ?

𝛼 ⊕ 𝛽

𝛼 ⊕ 𝛽 ≠ 0, 𝛼 ⊕ 𝛽 ⟶ 𝛽 𝑆 (2)

Round 4 Round 5

When 𝜶 = 𝟗, there is no 𝜷 satisfying both of (𝟏) and (𝟐).

0 0

0 0

0 0

𝛽


New results from a design aspect


Provable Security.

• Assumption. ‐ Round keys are always XORed before S-box.

‐ Round keys are chosen from uniform random.

• Observation ‐ There is a subkey that is possible.

‐ Linear layer can perfectly simulated from MILP.

• It implies that If our tool shows is possible, there is subkeys such that the propagation is possible.

S


Summary of Results.

There is no impossible differential in #Rounds.


Arbitrary S-box

• The number of inequalities to represent 8-bit S-box is too large.

‐ It’s difficult to solve such big MILP.

‐ Arbitrary S-box is reasonable solutions.

000 001 010 011 100 101 110 111 000 * 0 0 0 0 0 0 0 001 0 * * * * * * * 010 0 * * * * * * * 011 0 * * * * * * * 100 0 * * * * * * * 101 0 * * * * * * * 110 0 * * * * * * * 111 0 * * * * * * *

Only 2n inequalities are enough to represent n-bit arbitrary S-box.

-x1+x2+x3+y1+y2+y3>=0 x1-x2+x3+y1+y2+y3>=0 x1+x2-x3+y1+y2+y3>=0 x1+x2+x3-y1+y2+y3>=0 x1+x2+x3+y1-y2+y3>=0 x1+x2+x3+y1+y2-y3>=0


Detect the optimality of its S-box.

• Situation. ‐ Linear layer of the block cipher was already designed.

‐ But, the design of the S-box is ongoing.

• We can check the existence of ID before concrete design of the S-box. ‐ If we found an ID on arbitrary S-box, such IDs are

never avoidable even if the S-box is modified.

• If IDs on specific S-box are the same as the case on arbitrary S-box, we can conclude the choice of the S-box is optimal from the aspect of ID attack.


Summary of Results.

• Midori128.

‐ There are 8-round IDs even if Sb1 is regarded as arbitrary S-box.

‐ The choice of S-box is optimal.

• Lilliput.

‐ There are 217 9-round IDs in specific S-box.

‐ There are 195 9-round IDs in arbitrary S-box.

‐ The choice of S-box is not optimal, but it is reasonable because the number of rounds is no change.


Conclusion.

• New ID search tool based on MILP. ‐ The impossibility of the propagation from specific

input to output differences is detected. ‐ The DDT of S-box is well exploited. ‐ We don’t need to care about the reason of

contradiction.

• Cryptanalysis aspects. ‐ New IDs on Midori, Lilliput, ARIA, Minalpher, MIBS.

• Design aspects. ‐ Provable security under the reasonable assumption. ‐ Detect the optimality of the S-box choice using

arbitrary S-box.

New Impossible Differential Search Tool from Design and ... · Title: New Impossible Differential...

Documents

Transcript of New Impossible Differential Search Tool from Design and ... · Title: New Impossible Differential...