New Impossible Differential Search Tool from Design and Cryptanalysis Aspects -- Revealing Structural Properties of Several Ciphers

Transcription

1 New Impossible Differential earch Tool from Design and Cryptanalysis Aspects -- Revealing tructural Properties of everal Ciphers Yu asaki and Yosuke Todo Eurocrypt May 217

2 Impossible Differential (ID) Impossible Differential attack (proposed by Knudsen and Biham et al.) ΔP subkey guess Δ in Δ out subkey guess ΔC When the input difference is Δ in, it s impossible for the output difference to be Δ out. Guess subkeys in the first and last several rounds. If guessed subkeys lead to (Δ in, Δ out ), the guessed subkeys are incorrect. 2

3 Contribution of our works New MILP-based ID search tool From cryptanalysis aspect. Target Previous Ours earch Mode Remarks Midori specific -box Lilliput 8 9 specific -box Minalpher arbitrary -box ARIA 4 4 arbitrary -box improve key recovery MIB 8 8 specific -box new ID From design tool aspect. Probable security on specific pair of differences under the subkey uniform assumption. Detect the optimality of the -box choice. 3

4 New Method to Find ID

5 General Method to Find ID U-method by Kim et al. For all (Δ i, Δ o ) and r Δ i 1. Propagate Δ i in forwards to record active or inactive bits with Pr.=1 2. Propagate Δ o in backwards to record active or inactive bits with Pr.=1 3. Find contradiction 1 Δ i 2 Δ i 3 Δ i r Δ i round 1 round 2 round 3 round 4 round 5 Δ o Δ1 o Δ2 o 3 Δ o Δr o More extensions exist e.g. UID-method. 5

6 Mixed Integer Linear Programing (MILP) MILP is an optimization or feasibility program in which variables are restricted to integers. The model M consists of variables M. var, constraints M. con, and objective M. obj. M. var M. con M. obj x, y, z (binary) x + 2y + 3z 4 x + y 1 Maximize : x + y + 2z olution of M is 3. (x, y, z) = (1,,1) 6

7 Cryptanalysis Applications MILP was first introduced by Mouha et al. to guarantee the lower bound of the number of acitve -boxes. everal follow-up works. Tight differential (linear) characteristic. Differential and Linear hull. Integral attack via division property. Zero-correlation linear. Impossible differential ( New) 7

8 How to model block ciphers M. con X F X 1 F X 2 F X R M. var 8

9 How to model block ciphers imple example by toy ciphers x1 x2 x3 y1 y2 y3 z1 z2 z3 x4 x5 x6 y4 y5 y6 z4 z5 z6 x7 x8 x9 y7 y8 y9 z7 z8 z9 Every value is M. vars which takes or 1. means inactive, and 1 means active. 9

10 How to model block ciphers Model DDT of -box * 1 * * * * 1 * * 11 * * * * 1 * * 11 * * * * 11 * * 111 * * * * : impossible propagation * : possible propagation 1

11 How to model block ciphers Model DDT of -box * 1 * * * * 1 * * 11 * * * * 1 * * 11 * * * * 11 * * 111 * * * * -x1+y2>= 16 propagations become infeasible by 1 constraint. 11

12 How to model block ciphers Model DDT of -box * 1 * * * * 1 * * 11 * * * * 1 * * 11 * * * * 11 * * 111 * * * * -x1+y2>= x1-y2>= 16 propagations become infeasible by 1 constraint. In total, 32 propagations are removed. 12

13 How to model block ciphers Model DDT of -box * 1 * * * * 1 * * 11 * * * * 1 * * 11 * * * * 11 * * 111 * * * * -x1+y2>= x1-y2>= x1+x2+x3-y3>= 4 propagations become infeasible by 1 constraint. In total, 34 propagations are removed. 13

14 How to model block ciphers Model DDT of -box * 1 * * * * 1 * * 11 * * * * 1 * * 11 * * * * 11 * * 111 * * * * -x1+y2>= x1-y2>= x1+x2+x3-y3>= x1-x2+x3-y1-y3>=-2 x2-x3+y2+y3>= x2-y1+y2+y3>= -x2+y1+y2+y3>= -x2-x3+y1+y2>=-1 Remove 41 impossible propagations. 8 constraints are enough to remove all impossible propagations. 14

15 How to model block ciphers Model XOR y1 y7 z1 y1 y7 z1 Impossible 1 (y1+y7-z1>=) 1 (y1-y7+z1>=) (-y1+y7+z1>=) (-y1-y7-z1>=-2) 4 constraints are enough to remove all impossible propagations. 15

16 How to model block ciphers imple example by toy ciphers x1 x2 x3 y1 y2 y3 z1 z2 z3 x4 x5 x6 y4 y5 y6 z4 z5 z6 x7 x8 x9 y7 y8 y9 z7 z8 z9 The number of constraints is (3*8)+(9*4)=24+36=6. 16

17 How to earch ID fix fix X F X 1 F X 2 F X R Technique is very simple. Input and output differences are fixed to specific values. MILP search whether or not there are propagations from input to output differences. If MILP model is infeasible, the pair is impossible. Advantage of our tool. Can look the inside of -box (DDT). Don t need to care the reason of contradiction. Can share MILP model for differential characteristic search. 17

18 New results from a cryptanalysis aspect Application to Midori128

19 Midori128 Proposed at Asiacryp215 by Banik et ak. Previous impossible differential is 6 rounds. Our tool founds 7-round IDs. It well exploits the structure of B. We also manually verified the IDs. B R-like MC 19

20 8-Bit -box in Midori128 MB b MB b 1 MB b 2 MB b 3 x x x x b b b b b 1 b 1 b 1 b 1 LB x 7 LB x 7 LB x 7 LB x 7 Four 8-bit -boxes are constructed from two 4-bit -boxes. 1. Apply bit permutation p i. 2. Apply an involution 4-bit -box in parallel. 3. Apply bit permutation p i 1. 2

21 Preserved Active-Bit Positions Active-bit positions are preserved because of the involution structure of 8-bit -boxes. * * * b 1 b 1 * * * * * * b 1 b 1 * * * 21

22 Illustration of New ID on Midori128 ubcell hufflecell MixColumn KeyAdd ubcell hufflecell MixColumn KeyAdd ubcell hufflecell MixColumn KeyAdd inactive ubcell hufflecell MixColumn KeyAdd (*,*,,,,,*,*) (,,*,*,*,*,,) active unknown ubcell hufflecell MixColumn KeyAdd ubcell hufflecell MixColumn KeyAdd ubcell 22

23 Illustration of New ID on Midori128 ubcell hufflecell MixColumn KeyAdd contradiction ubcell hufflecell MixColumn KeyAdd b ubcell hufflecell MixColumn KeyAdd 1 ubcell hufflecell * ubcell hufflecell MixColumn KeyAdd inactive (*,*,,,,,*,*) (,,*,*,*,*,,) active * MixColumn KeyAdd unknown * * b 1 * * ubcell hufflecell MixColumn KeyAdd ubcell 23

24 New results from a cryptanalysis aspect Application to Lilliput

25 Extended GFN and LILLIPUT Extended GFN (EGFN) by Berger et al. XORs some branches to others. LILLIPUT is an instantiation of EGFN. Previous impossible differential is 8 rounds. Our tool found 9-round IDs. F F Non-linear layer: F Linear layer: L Block shuffle Permutation layer: P 25

26 LILLIPUT pecification 64-bit block, 3 rounds X 15 X 14 X 13 X 12 X 11 X 1 X 9 X 8 RK X 7 X 6 X 5 X 4 X 3 X 2 X 1 X F L P π: 13, 9, 14, 8, 1, 11, 12, 15, 4, 5, 3, 1, 2, 6,, 7 26

27 New IDs on 9-round LILLIPUT Previous IDs are straightforward. Our IDs exploit DDT. (α, ) 9 rounds α {2,3,8,9, e, f} (, α) 27

28 Illustration of 9-round ID 28

29 Analysis of Rounds 1 and 2 α Round 1 Round 2 α β π: 13, 9, 14, 8, 1, 11, 12, 15, 4, 5, 3, 1, 2, 6,, 7 α π: 13, 9, 14, 8, 1, 11, 12, 15, 4, 5, 3, 1, 2, 6,, 7 α α β α β (1) 29

30 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α α α α α 3

31 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α α α α α 31

32 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α α α α α 32

33 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α α α α α 33

34 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α α α α α 34

35 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α β α α α α 35

36 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α β α β, α β (2) β α α α α When α = 9, there is no β satisfying both of (1) and (2). 36

37 Analysis of Rounds 4 and 5 (α = 9) Round 4 Round 5 α β α β α α α α β α α α α β α β, α β (2) β α α α α When α = 9, there is no β satisfying both of (1) and (2). 37

38 New results from a design aspect

39 Provable ecurity. Assumption. Round keys are always XORed before -box. Round keys are chosen from uniform random. Observation There is a subkey that is possible. Linear layer can perfectly simulated from MILP. It implies that If our tool shows is possible, there is subkeys such that the propagation is possible. 39

40 ummary of Results. There is no impossible differential in #Rounds. 4

41 Arbitrary -box The number of inequalities to represent 8-bit -box is too large. It s difficult to solve such big MILP. Arbitrary -box is reasonable solutions * 1 * * * * * * * 1 * * * * * * * 11 * * * * * * * 1 * * * * * * * 11 * * * * * * * 11 * * * * * * * 111 * * * * * * * -x1+x2+x3+y1+y2+y3>= x1-x2+x3+y1+y2+y3>= x1+x2-x3+y1+y2+y3>= x1+x2+x3-y1+y2+y3>= x1+x2+x3+y1-y2+y3>= x1+x2+x3+y1+y2-y3>= Only 2n inequalities are enough to represent n-bit arbitrary -box. 41

42 Detect the optimality of its -box. ituation. Linear layer of the block cipher was already designed. But, the design of the -box is ongoing. We can check the existence of ID before concrete design of the -box. If we found an ID on arbitrary -box, such IDs are never avoidable even if the -box is modified. If IDs on specific -box are the same as the case on arbitrary -box, we can conclude the choice of the -box is optimal from the aspect of ID attack. 42

43 ummary of Results. Midori128. There are 8-round IDs even if b1 is regarded as arbitrary -box. The choice of -box is optimal. Lilliput. There are round IDs in specific -box. There are round IDs in arbitrary -box. The choice of -box is not optimal, but it is reasonable because the number of rounds is no change. 43

44 Conclusion. New ID search tool based on MILP. The impossibility of the propagation from specific input to output differences is detected. The DDT of -box is well exploited. We don t need to care about the reason of contradiction. Cryptanalysis aspects. New IDs on Midori, Lilliput, ARIA, Minalpher, MIB. Design aspects. Provable security under the reasonable assumption. Detect the optimality of the -box choice using arbitrary -box. 44