dd2448 foundations of cryptography lecture 3 · dd2448 foundations of cryptography february 3,...
TRANSCRIPT
![Page 1: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/1.jpg)
DD2448 Foundations of Cryptography
Lecture 3
Douglas WikstromKTH Royal Institute of Technology
February 3, 2016
DD2448 Foundations of Cryptography February 3, 2016
![Page 2: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/2.jpg)
Linear Cryptanalysis of the
SPN
DD2448 Foundations of Cryptography February 3, 2016
![Page 3: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/3.jpg)
Basic Idea – Linearize
Find an expression of the following form with a high probability ofoccurrence.
Pi1 ⊕ · · · ⊕ Pip ⊕ Cj1 ⊕ · · · ⊕ Cjc = Kℓ1,s1 ⊕ · · · ⊕ Kℓk ,sk
Each random plaintext/ciphertext pair gives an estimate of
Kℓ1,s1 ⊕ · · · ⊕ Kℓk ,sk
Collect many pairs and make a better estimate based on themajority vote.
DD2448 Foundations of Cryptography February 3, 2016
![Page 4: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/4.jpg)
How do we come up with the desired expression?
How do we compute the required number ofsamples?
DD2448 Foundations of Cryptography February 3, 2016
![Page 5: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/5.jpg)
Bias
Definition. The bias ǫ(X ) of a binary randomvariable X is defined by
ǫ(X ) = Pr [X = 0]−1
2.
DD2448 Foundations of Cryptography February 3, 2016
![Page 6: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/6.jpg)
Bias
Definition. The bias ǫ(X ) of a binary randomvariable X is defined by
ǫ(X ) = Pr [X = 0]−1
2.
≈ 1/ǫ2(X ) samples are required to estimate X
(Matsui)
DD2448 Foundations of Cryptography February 3, 2016
![Page 7: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/7.jpg)
Linear Approximation of S-Box (1/3)
Let X and Y be the input and output of an S-box, i.e.
Y = S(X ) .
We consider the bias of linear combinations of the form
a · X ⊕ b · Y =
(
⊕
i
aiXi
)
⊕
(
⊕
i
biYi
)
.
DD2448 Foundations of Cryptography February 3, 2016
![Page 8: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/8.jpg)
Linear Approximation of S-Box (1/3)
Let X and Y be the input and output of an S-box, i.e.
Y = S(X ) .
We consider the bias of linear combinations of the form
a · X ⊕ b · Y =
(
⊕
i
aiXi
)
⊕
(
⊕
i
biYi
)
.
Example: X2 ⊕ X3 = Y1 ⊕ Y3 ⊕ Y4
The expression holds in 12 out of the 16cases. Hence, it has a bias of(12 − 8)/16 = 4/16 = 1/4.
DD2448 Foundations of Cryptography February 3, 2016
![Page 9: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/9.jpg)
Linear Approximation of S-Box (2/3)
◮ Let NL(a, b) be the number of zero-outcomes of a · X ⊕ b · Y .
◮ The bias is then
ǫ(a · X ⊕ b · Y ) =NL(a, b)− 8
16,
since there are four bits in X , and Y is determined by X .
DD2448 Foundations of Cryptography February 3, 2016
![Page 10: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/10.jpg)
Linear Approximation Table (3/3)
NL(a, b)− 8
DD2448 Foundations of Cryptography February 3, 2016
![Page 11: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/11.jpg)
This gives linear approximation for one round.
How do we come up with linear approximation for more rounds?
DD2448 Foundations of Cryptography February 3, 2016
![Page 12: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/12.jpg)
Piling-Up Lemma
Lemma. Let X1, . . . ,Xt be independent binary random variablesand let ǫi = ǫ(Xi). Then
ǫ
(
⊕
i
Xi
)
= 2t−1∏
i
ǫi .
Proof. Case t = 2:
Pr [X1 ⊕ X2 = 0] = Pr [(X1 = 0 ∧ X1 = 0) ∨ (X1 = 1 ∧ X1 = 1)]
= (1
2+ ǫ1)(
1
2+ ǫ2) + (
1
2− ǫ1)(
1
2− ǫ2)
=1
2+ 2ǫ1ǫ2 .
By induction Pr [X1 ⊕ · · · ⊕ Xt = 0] = 12 + 2t−1
∏
i ǫi
DD2448 Foundations of Cryptography February 3, 2016
![Page 13: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/13.jpg)
Linear Trail
Four linear approximations with |ǫi | = 1/4
S12 : X1 ⊕ X3 ⊕ X4 = Y2
S22 : X2 = Y2 ⊕ Y4
S32 : X2 = Y2 ⊕ Y4
S34 : X2 = Y2 ⊕ Y4
Combine them to get:
U4,6⊕U4,8⊕U4,14⊕U4,16⊕P5⊕P7⊕P8 =⊕
Ki ,j
with bias |ǫ| = 24−1(14)4 = 2−5
DD2448 Foundations of Cryptography February 3, 2016
![Page 14: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/14.jpg)
Attack Idea
◮ Our expression (with bias 2−5) links plaintext bits to inputbits to the 4th round
◮ Partially undo the last round by guessing the last key. Only 2S-Boxes are involved, i.e., 28 = 256 guesses
◮ For a correct guess, the equation holds with bias 2−5. For awrong guess, it holds with bias zero (i.e., probability close to1/2).
DD2448 Foundations of Cryptography February 3, 2016
![Page 15: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/15.jpg)
Attack Idea
◮ Our expression (with bias 2−5) links plaintext bits to inputbits to the 4th round
◮ Partially undo the last round by guessing the last key. Only 2S-Boxes are involved, i.e., 28 = 256 guesses
◮ For a correct guess, the equation holds with bias 2−5. For awrong guess, it holds with bias zero (i.e., probability close to1/2).
Required pairs 210 ≈ 1000Attack complexity 218 ≪ 232 operations
DD2448 Foundations of Cryptography February 3, 2016
![Page 16: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/16.jpg)
Linear Cryptanalysis Summary
1. Find linear approximation of S-Boxes.
2. Compute bias of each approximation.
3. Find linear trails.
4. Compute bias of linear trails.
5. Compute data and time complexity.
6. Estimate key bits from many plaintext-ciphertexts pairs.
Linear cryptanalysis is a known plaintext attack.
DD2448 Foundations of Cryptography February 3, 2016
![Page 17: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/17.jpg)
Ideal Block Cipher
DD2448 Foundations of Cryptography February 3, 2016
![Page 18: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/18.jpg)
Negligible Functions
Definition. A function ǫ(n) is negligible if for every constantc > 0, there exists a constant n0, such that
ǫ(n) <1
nc
for all n ≥ n0.
Motivation. Events happening with negligible probability can notbe exploited by polynomial time algorithms! (they “never” happen)
DD2448 Foundations of Cryptography February 3, 2016
![Page 19: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/19.jpg)
Pseudo-Random Function
“Definition”. A function is pseudo-random if no efficientadversary can distinguish between the function and a randomfunction.
DD2448 Foundations of Cryptography February 3, 2016
![Page 20: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/20.jpg)
Pseudo-Random Function
“Definition”. A function is pseudo-random if no efficientadversary can distinguish between the function and a randomfunction.
Definition. A family of functions F : {0, 1}k × {0, 1}n → {0, 1}n
is pseudo-random if for all polynomial time oracle adversaries A
∣
∣
∣
∣
PrK
[
AFK (·) = 1
]
− PrR:{0,1}n→{0,1}n
[
AR(·) = 1
]
∣
∣
∣
∣
is negligible.
DD2448 Foundations of Cryptography February 3, 2016
![Page 21: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/21.jpg)
Pseudo-Random Permutation
“Definition”. A permutation and its inverse is pseudo-random ifno efficient adversary can distinguish between the permutation andits inverse, and a random permutation and its inverse.
DD2448 Foundations of Cryptography February 3, 2016
![Page 22: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/22.jpg)
Pseudo-Random Permutation
“Definition”. A permutation and its inverse is pseudo-random ifno efficient adversary can distinguish between the permutation andits inverse, and a random permutation and its inverse.
Definition. A family of permutationsP : {0, 1}k × {0, 1}n → {0, 1}n are pseudo-random if for allpolynomial time oracle adversaries A
∣
∣
∣
∣
PrK
[
APK (·),P
−1K
(·) = 1]
− PrΠ∈S2n
[
AΠ(·),Π−1(·) = 1
]
∣
∣
∣
∣
is negligible, where S2n is the set of permutations of {0, 1}n .
DD2448 Foundations of Cryptography February 3, 2016
![Page 23: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/23.jpg)
Idealized Four-Round Feistel Network
Definition. Feistel round (H for “Horst Feistel”).
HFK(L,R) = (R , L⊕ F (R ,K ))
DD2448 Foundations of Cryptography February 3, 2016
![Page 24: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/24.jpg)
Idealized Four-Round Feistel Network
Definition. Feistel round (H for “Horst Feistel”).
HFK(L,R) = (R , L⊕ F (R ,K ))
Theorem. (Luby and Rackoff) If F is a pseudo-random family offunctions, then
HFk1,Fk2
,Fk3,Fk4
(x) = HFk4(HFk3
(HFk2(HFk1
(x))))
(and its inverse) is a pseudo-random family of permutations.
DD2448 Foundations of Cryptography February 3, 2016
![Page 25: DD2448 Foundations of Cryptography Lecture 3 · DD2448 Foundations of Cryptography February 3, 2016. Linear Cryptanalysis Summary 1. Find linear approximation of S-Boxes. 2. Compute](https://reader033.vdocument.in/reader033/viewer/2022060602/6056e94c37c6160df73004c9/html5/thumbnails/25.jpg)
Idealized Four-Round Feistel Network
Definition. Feistel round (H for “Horst Feistel”).
HFK(L,R) = (R , L⊕ F (R ,K ))
Theorem. (Luby and Rackoff) If F is a pseudo-random family offunctions, then
HFk1,Fk2
,Fk3,Fk4
(x) = HFk4(HFk3
(HFk2(HFk1
(x))))
(and its inverse) is a pseudo-random family of permutations.
Why do we need four rounds?
DD2448 Foundations of Cryptography February 3, 2016