Copyright©2017 NTT corp. All Rights Reserved.
New Impossible Differential Search Tool from Design and Cryptanalysis Aspects -- Revealing Structural Properties of Several Ciphers
Yu Sasaki and Yosuke Todo
Eurocrypt 2017
3 May 2017
Impossible Differential (ID)
Impossible Differential attack (proposed by Knudsen and Biham et al.)
[Figure: a plaintext difference ΔP, after guessing the subkeys of the first rounds, gives Δin; a ciphertext difference ΔC, after guessing the subkeys of the last rounds, gives Δout; the transition Δin → Δout is impossible.]
• When the input difference is Δin, it is impossible for the output difference to be Δout.
• Guess subkeys in the first and last several rounds.
• If the guessed subkeys lead to (Δin, Δout), the guessed subkeys are incorrect.
Contribution of our work
New MILP-based ID search tool.
From the cryptanalysis aspect (number of rounds covered by the ID):

  Target      Previous  Ours  Search mode      Remarks
  Midori128   6         7     specific S-box
  Lilliput    8         9     specific S-box
  Minalpher   6.5       7.5   arbitrary S-box
  ARIA        4         4     arbitrary S-box  improved key recovery
  MIBS        8         8     specific S-box   new ID

From the design aspect:
• "Provable security" for a specific pair of differences under the subkey-uniform assumption.
• Detect the optimality of the S-box choice.
New Method to Find ID
General Method to Find ID
• 𝒰-method by Kim et al.
• More extensions exist, e.g. the UID-method.
[Figure: Δi is propagated forward through rounds 1, 2, …, r, giving Δi1, Δi2, Δi3, …, Δir; Δo is propagated backward, giving Δo1, Δo2, Δo3, …, Δor.]
For all (Δi, Δo) and r:
1. Propagate Δi forwards, recording the bits that are active or inactive with probability 1.
2. Propagate Δo backwards, recording the bits that are active or inactive with probability 1.
3. Find a contradiction.
Mixed Integer Linear Programming (MILP)
• MILP is an optimization or feasibility program in which variables are restricted to integers.
• The model M consists of variables M.var, constraints M.con, and an objective M.obj.
Example:
M.var: x, y, z (binary)
M.con: x + 2y + 3z ≤ 4, x + y ≥ 1
M.obj: Maximize x + y + 2z
The solution of M is 3, attained at (x, y, z) = (1, 0, 1).
Cryptanalysis Applications
• MILP was first introduced to cryptanalysis by Mouha et al. to guarantee a lower bound on the number of active S-boxes.
• Several follow-up works:
‐ Tight differential (linear) characteristics.
‐ "Differential" and "linear hull".
‐ Integral attacks via the division property.
‐ Zero-correlation linear.
‐ Impossible differential (new, this work).
How to model block ciphers
[Figure: an R-round iterated cipher X0 →F→ X1 →F→ X2 → … →F→ XR. The states X0, …, XR are the variables M.var and the round functions F give the constraints M.con.]
How to model block ciphers
[Figure: simple example with a toy cipher. Three 3-bit S-boxes S take the input bits x1, …, x9 and output y1, …, y9; a layer of XORs then produces z1, …, z9.]
Every value is an M.var which takes 0 or 1: "0" means inactive and "1" means active.
How to model block ciphers: model the DDT of the S-box
Possible propagations of the 3-bit toy S-box (rows: input difference, columns: output difference; 0 = impossible propagation, * = possible propagation):

        000 001 010 011 100 101 110 111
  000    *   0   0   0   0   0   0   0
  001    0   0   *   *   0   0   *   *
  010    0   *   0   0   *   0   0   0
  011    0   0   *   *   0   0   *   *
  100    0   0   0   0   *   *   0   0
  101    0   0   *   *   0   0   *   *
  110    0   *   0   0   0   *   0   0
  111    0   0   *   *   0   0   *   *

Linear inequalities are added one at a time until every 0 entry is infeasible:
1. -x1+y2>=0: 16 propagations become infeasible by this one constraint.
2. x1-y2>=0: 16 propagations become infeasible by this one constraint; in total, 32 propagations are removed.
3. x1+x2+x3-y3>=0: 4 propagations become infeasible by this constraint alone; in total, 34 propagations are removed.
4. x1-x2+x3-y1-y3>=-2
5. x2-x3+y2+y3>=0
6. x2-y1+y2+y3>=0
7. -x2+y1+y2+y3>=0
8. -x2-x3+y1+y2>=-1
These remove all 41 impossible propagations: 8 constraints are enough.
How to model block ciphers: model XOR
[Figure: one 2-input XOR of the toy cipher's linear layer, z1 = y1 ⊕ y7.]
4 constraints are enough to remove all impossible propagations:

  y1 y7 z1  Impossible?  Constraint that removes it
  0  0  0
  0  0  1   ✓            y1+y7-z1>=0
  0  1  0   ✓            y1-y7+z1>=0
  0  1  1
  1  0  0   ✓            -y1+y7+z1>=0
  1  0  1
  1  1  0
  1  1  1   ✓            -y1-y7-z1>=-2
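The S-box and XOR constraints above, checked exhaustively. This is an added Python example written for this page, not the authors' tool or code: it transcribes the slide's possible-propagation table and the eight S-box inequalities, confirms that they keep exactly the 23 possible propagations and cut the 41 impossible ones (counting how many each added constraint removes, as the slides do step by step), and does the same for the four XOR inequalities. The bit order (x1 as the least significant bit of each 3-bit string, so the slide's "011" means x3=0, x2=1, x1=1) is inferred from the constraints and is an assumption.

```python
from itertools import product

# Possible propagations of the slide's 3-bit S-box, transcribed from its table:
# rows are input differences, columns output differences, "*" = possible.
# Bit order is an assumption inferred from the constraints: the rightmost
# character of each 3-bit string is x1 (or y1), the leftmost is x3 (or y3).
COLS = ["000", "001", "010", "011", "100", "101", "110", "111"]
TOY_SBOX_TABLE = {
    "000": "* 0 0 0 0 0 0 0",
    "001": "0 0 * * 0 0 * *",
    "010": "0 * 0 0 * 0 0 0",
    "011": "0 0 * * 0 0 * *",
    "100": "0 0 0 0 * * 0 0",
    "101": "0 0 * * 0 0 * *",
    "110": "0 * 0 0 0 * 0 0",
    "111": "0 0 * * 0 0 * *",
}

# The eight inequalities from the slide, each as (x coefficients, y coefficients,
# right-hand side), meaning sum(c * x_i) + sum(c * y_i) >= rhs.
SBOX_INEQS = [
    ({1: -1}, {2: 1}, 0),                       # -x1+y2>=0
    ({1: 1}, {2: -1}, 0),                       # x1-y2>=0
    ({1: 1, 2: 1, 3: 1}, {3: -1}, 0),           # x1+x2+x3-y3>=0
    ({1: 1, 2: -1, 3: 1}, {1: -1, 3: -1}, -2),  # x1-x2+x3-y1-y3>=-2
    ({2: 1, 3: -1}, {2: 1, 3: 1}, 0),           # x2-x3+y2+y3>=0
    ({2: 1}, {1: -1, 2: 1, 3: 1}, 0),           # x2-y1+y2+y3>=0
    ({2: -1}, {1: 1, 2: 1, 3: 1}, 0),           # -x2+y1+y2+y3>=0
    ({2: -1, 3: -1}, {1: 1, 2: 1}, -1),         # -x2-x3+y1+y2>=-1
]


def possible_propagations(table=TOY_SBOX_TABLE):
    """Set of (input, output) strings marked '*' in the table."""
    return {(row, col)
            for row, cells in table.items()
            for col, cell in zip(COLS, cells.split()) if cell == "*"}


def bits(s):
    """'b3b2b1' -> {1: b1, 2: b2, 3: b3}."""
    return {i + 1: int(ch) for i, ch in enumerate(reversed(s))}


def satisfies(ineq, x, y):
    cx, cy, rhs = ineq
    lhs = sum(c * x[i] for i, c in cx.items()) + sum(c * y[i] for i, c in cy.items())
    return lhs >= rhs


def feasible_under(ineqs):
    """All of the 64 (input, output) pairs that survive every inequality in ineqs."""
    return {(xs, ys) for xs in COLS for ys in COLS
            if all(satisfies(q, bits(xs), bits(ys)) for q in ineqs)}


def cut_by_each(ineqs=SBOX_INEQS):
    """How many of the 64 pairs each single inequality makes infeasible on its own."""
    return [64 - len(feasible_under([q])) for q in ineqs]


def removed_cumulative(ineqs=SBOX_INEQS):
    """Total pairs removed after adding the first k inequalities, for k = 1..8."""
    return [64 - len(feasible_under(ineqs[:k + 1])) for k in range(len(ineqs))]


def sbox_model_is_exact(ineqs=SBOX_INEQS):
    """True iff the inequalities keep exactly the table's possible propagations."""
    return feasible_under(ineqs) == possible_propagations()


# The four XOR inequalities from the slide for z1 = y1 XOR y7,
# as (a, b, c, rhs) meaning a*y1 + b*y7 + c*z1 >= rhs.
XOR_INEQS = [(1, 1, -1, 0), (1, -1, 1, 0), (-1, 1, 1, 0), (-1, -1, -1, -2)]


def xor_feasible(ineqs=XOR_INEQS):
    """The (y1, y7, z1) triples that survive all four XOR inequalities."""
    return {(y1, y7, z1) for y1, y7, z1 in product((0, 1), repeat=3)
            if all(a * y1 + b * y7 + c * z1 >= rhs for a, b, c, rhs in ineqs)}


if __name__ == "__main__":
    print("possible propagations:", len(possible_propagations()))
    print("cut by each constraint alone:", cut_by_each())
    print("removed after each constraint:", removed_cumulative())
    print("S-box model exact:", sbox_model_is_exact())
    print("XOR feasible triples:", sorted(xor_feasible()))
```

The cumulative list reproduces the slide's running totals (16, 32, 34) and then climbs to 41; the third constraint cuts 4 pairs on its own but only 2 that the first two had not already removed, which is why the slide's total jumps by 2, not 4. The XOR model keeps exactly the four triples with y1 ⊕ y7 = z1.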
How to model block ciphers
[Figure: the same toy cipher (three S-boxes on x1, …, x9 giving y1, …, y9, then XORs giving z1, …, z9), now with every S-box and every XOR modelled.]
The number of constraints for the toy cipher is (3 S-boxes × 8) + (9 XORs × 4) = 24 + 36 = 60.
How to Search ID?
• The technique is very simple.
‐ The input and output differences are fixed to specific values.
‐ MILP searches whether or not there is any propagation from the input difference to the output difference.
‐ If the MILP model is infeasible, the pair is impossible.
• Advantages of our tool.
‐ It can look inside the S-box (its DDT).
‐ No need to identify the reason for the contradiction.
‐ The MILP model can be shared with differential characteristic search.
[Figure: X0 →F→ X1 →F→ X2 → … →F→ XR, with X0 and XR fixed.]
New results from a cryptanalysis aspect: Application to Midori128
Midori128
• Proposed at Asiacrypt 2015 by Banik et al.
• The previous impossible differential covers 6 rounds.
• Our tool found 7-round IDs.
‐ They exploit the structure of SB well.
‐ We also manually verified the IDs.
[Figure: Midori128 round function: SB, an SR-like cell shuffle, MC.]
8-Bit S-box in Midori128
• The four 8-bit S-boxes SSb0, SSb1, SSb2, SSb3 are each constructed from two copies of the 4-bit S-box Sb1:
1. Apply the bit permutation p_i.
2. Apply the involutive 4-bit S-box Sb1 to both halves in parallel.
3. Apply the inverse bit permutation p_i^-1.
[Figure: SSb0, …, SSb3 on 8 input bits x0 (MSB) … x7 (LSB); each is p_i, two parallel Sb1, then p_i^-1.]
Preserved Active-Bit Positions
• Active-bit positions are preserved because of the involution structure of the 8-bit S-boxes.
[Figure: 4-bit patterns such as (*,*,0,0) keep the same active-bit positions (*,*) and (0,0) through Sb1.]
Illustration of New ID on Midori128
[Figure: 7-round ID on Midori128, each round drawn as SubCell, ShuffleCell, MixColumn, KeyAdd; legend: inactive, active, unknown (?). The forward and backward propagations meet at a SubCell with the bit patterns (*,*,0,0,0,0,*,*) and (0,0,*,*,*,*,0,0) on the same 8-bit cell. Since Sb1 preserves active-bit positions, these two patterns cannot be connected: contradiction.]
New results from a cryptanalysis aspect: Application to Lilliput
Extended GFN and LILLIPUT
• The Extended GFN (EGFN) by Berger et al. XORs some branches to others.
• LILLIPUT is an instantiation of the EGFN.
• The previous impossible differential covers 8 rounds.
• Our tool found 9-round IDs.
[Figure: one EGFN round: non-linear layer ℱ (the F functions), linear layer ℒ (branch XORs), permutation layer 𝒫 (block shuffle).]
LILLIPUT Specification
• 64-bit block, 30 rounds; the state consists of 16 nibble branches X15, X14, …, X1, X0.
[Figure: one round: ℱ (S-box S with round key RK), then ℒ, then 𝒫.]
π: 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7
New IDs on 9-round LILLIPUT
• Previous IDs are straightforward.
• Our IDs exploit the DDT.
The input difference (000000α0, 00000000) and the output difference (00000000, 00000α00) form a 9-round ID for α ∈ {2, 3, 8, 9, e, f}.
Illustration of 9-round ID
[Figure: illustration of the 9-round ID; not recoverable from the transcript.]
Analysis of Rounds 1 and 2
[Figure: rounds 1 and 2 with π: 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7; the input difference α passes through the S-box S and becomes β.]
Condition (1): α ⟶(S) β, i.e. the S-box maps the difference α to β.
Analysis of Rounds 4 and 5 (α = 9)
[Figure: nibble differences through rounds 4 and 5, marked α, β, α ⊕ β, 0 or unknown (?); the nibble with difference α ⊕ β enters S and must output β.]
Condition (2): α ⊕ β ≠ 0 and α ⊕ β ⟶(S) β.
When α = 9, there is no β satisfying both (1) and (2).
New results from a design aspect
Provable Security
• Assumptions:
‐ Round keys are always XORed before the S-box.
‐ Round keys are chosen uniformly at random.
• Observations:
‐ There is a subkey for which the propagation through the S-box is possible.
‐ The linear layer can be perfectly simulated by MILP.
• It implies that if our tool shows a propagation is possible, there exist subkeys such that the propagation actually occurs.
[Figure: round-key XOR followed by S.]
Summary of Results
[Table: for each target, the number of rounds (#Rounds) for which there is no impossible differential; the table values are not recoverable from the transcript.]
Arbitrary S-box
• The number of inequalities needed to represent an 8-bit S-box is too large.
‐ It is difficult to solve such a big MILP.
‐ Modelling an arbitrary S-box is a reasonable solution.
Propagation table of an arbitrary 3-bit S-box (0 = impossible, * = possible):

        000 001 010 011 100 101 110 111
  000    *   0   0   0   0   0   0   0
  001    0   *   *   *   *   *   *   *
  010    0   *   *   *   *   *   *   *
  011    0   *   *   *   *   *   *   *
  100    0   *   *   *   *   *   *   *
  101    0   *   *   *   *   *   *   *
  110    0   *   *   *   *   *   *   *
  111    0   *   *   *   *   *   *   *

Only 2n inequalities are enough to represent an n-bit arbitrary S-box. For n = 3:
-x1+x2+x3+y1+y2+y3>=0
x1-x2+x3+y1+y2+y3>=0
x1+x2-x3+y1+y2+y3>=0
x1+x2+x3-y1+y2+y3>=0
x1+x2+x3+y1-y2+y3>=0
x1+x2+x3+y1+y2-y3>=0
Detect the optimality of its S-box
• Situation:
‐ The linear layer of the block cipher has already been designed.
‐ But the design of the S-box is still ongoing.
• We can check the existence of IDs before the concrete design of the S-box.
‐ If we find an ID with an arbitrary S-box, such IDs can never be avoided, however the S-box is modified.
• If the IDs with the specific S-box are the same as those with an arbitrary S-box, we can conclude that the choice of the S-box is optimal from the viewpoint of ID attacks.
Summary of Results
• Midori128.
‐ There are 8-round IDs even if Sb1 is regarded as an arbitrary S-box.
‐ The choice of the S-box is optimal.
• Lilliput.
‐ There are 217 9-round IDs with the specific S-box.
‐ There are 195 9-round IDs with an arbitrary S-box.
‐ The choice of the S-box is not optimal, but it is reasonable because the number of rounds does not change.
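A solver-free version of the search described under "How to Search ID?" and of the specific-versus-arbitrary S-box comparison above, as an added Python example (not the authors' tool, which uses MILP). It fixes an input and an output difference and asks whether any propagation connects them through the toy cipher of the earlier slides; with bit-exact differences on a 9-bit state this can be answered by enumerating every reachable difference instead of calling a MILP solver, which gives the same yes/no verdict at toy size. Assumptions not on the slides: the S-box is the 3-bit one whose table appears above, applied to bit triples (1,2,3), (4,5,6), (7,8,9); the linear layer is nine 2-input XORs z_i = y_i ⊕ y_(i+6 mod 9), which reproduces the slide's z1 = y1 ⊕ y7 but fixes the other eight XORs by our choice; and the ID set that is compared is the 81 single-bit (input, output) pairs.

```python
# Bit i (1..9) of a 9-bit difference lives in bit i-1 of a Python int, and each
# 3-bit S-box chunk uses the slide's order (x1 as the least significant bit).
# SPECIFIC_SBOX lists, for each input difference, the output differences that
# the slide's table marks "*"; ARBITRARY_SBOX only enforces zero <-> zero.
SPECIFIC_SBOX = {0: (0,), 1: (2, 3, 6, 7), 2: (1, 4), 3: (2, 3, 6, 7),
                 4: (4, 5), 5: (2, 3, 6, 7), 6: (1, 5), 7: (2, 3, 6, 7)}
ARBITRARY_SBOX = {0: (0,), **{d: tuple(range(1, 8)) for d in range(1, 8)}}


def linear_layer(y):
    """Assumed toy linear layer: z_i = y_i XOR y_{i+6 mod 9} (z1 = y1 XOR y7 as on the slide)."""
    z = 0
    for i in range(9):
        bit = ((y >> i) & 1) ^ ((y >> ((i + 6) % 9)) & 1)
        z |= bit << i
    return z


def round_outputs(dx, sbox):
    """Every difference one round can produce from dx under the given S-box model."""
    chunks = [(dx >> (3 * k)) & 7 for k in range(3)]
    outs = set()
    for o0 in sbox[chunks[0]]:
        for o1 in sbox[chunks[1]]:
            for o2 in sbox[chunks[2]]:
                outs.add(linear_layer(o0 | (o1 << 3) | (o2 << 6)))
    return outs


def reachable(dx, rounds, sbox):
    """All differences reachable from dx after the given number of rounds."""
    cur = {dx}
    for _ in range(rounds):
        cur = {dz for d in cur for dz in round_outputs(d, sbox)}
    return cur


def is_impossible(dx, dz, rounds, sbox):
    """The slide's test: (dx -> dz) is an ID iff no propagation connects them."""
    return dz not in reachable(dx, rounds, sbox)


def single_bit_ids(rounds, sbox):
    """(input bit, output bit) pairs, 1-indexed, that form an ID over the given rounds."""
    ids = set()
    for i in range(9):
        reach = reachable(1 << i, rounds, sbox)
        ids |= {(i + 1, j + 1) for j in range(9) if (1 << j) not in reach}
    return ids


def sbox_choice_is_optimal(rounds):
    """Slide's criterion: the IDs found with the concrete S-box equal those found
    with an arbitrary S-box, so no other S-box choice could remove any of them."""
    return single_bit_ids(rounds, SPECIFIC_SBOX) == single_bit_ids(rounds, ARBITRARY_SBOX)


if __name__ == "__main__":
    for r in (1, 2, 3):
        spec = single_bit_ids(r, SPECIFIC_SBOX)
        arb = single_bit_ids(r, ARBITRARY_SBOX)
        print(f"{r} round(s): {len(spec)} IDs (specific S-box), "
              f"{len(arb)} IDs (arbitrary S-box), optimal={sbox_choice_is_optimal(r)}")
```

Because every transition the concrete S-box allows is also allowed by the arbitrary model, the IDs found with the arbitrary S-box are always a subset of those found with the concrete one; the two sets coincide exactly when the S-box choice is optimal in the slide's sense. Over one round every single-bit input reaches only differences of weight at least 2 here, so all 81 single-bit pairs are IDs under both models.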
Conclusion
• A new ID search tool based on MILP.
‐ The impossibility of the propagation from a specific input difference to a specific output difference is detected.
‐ The DDT of the S-box is well exploited.
‐ We do not need to care about the reason for the contradiction.
• Cryptanalysis aspects.
‐ New IDs on Midori, Lilliput, ARIA, Minalpher, MIBS.
• Design aspects.
‐ Provable security under reasonable assumptions.
‐ Detect the optimality of the S-box choice using an arbitrary S-box.