Source: users.ics.aalto.fi/blondeau/PDF/WCC09slide.pdf

On the Data Complexity of Statistical Attacks against Block Ciphers

Céline Blondeau and Benoît Gérard

INRIA project-team SECRET, France

WCC - May the 14th 2009

C. Blondeau and B. Gerard On the Data Complexity of Statistical Attacks against Block Ciphers 1 / 26


Outline

1 Introduction

2 Algorithm for computing the data complexity

3 Approximations of the binomial tail

4 A formula for approximating the data complexity

5 Asymptotic behavior for some statistical attacks


Statistical attacks against block ciphers

Some known statistical cryptanalyses:

linear cryptanalysis [Matsui 93];

differential cryptanalysis [Biham Shamir 91];

higher order differential cryptanalysis [Knudsen 94];

impossible differential cryptanalysis [Biham Biryukov Shamir 99];

...


Using a characteristic to distinguish from random

Let $\chi$ be some characteristic on a given cipher.

If the sub-key guess is correct: $\chi$ occurs with probability $p_*$.

If the sub-key guess is not correct: $\chi$ occurs with probability $p$.

$$X_i = \begin{cases} 1 & \text{if } \chi \text{ occurs in sample } i, \\ 0 & \text{otherwise.} \end{cases}$$

[Figure: a characteristic (differential, linear, differential-linear, truncated differential, impossible differential, ...) produces $N$ samples $(X_1, \dots, X_N)$, with $P(X_i = 1 \mid K_{good}) = p_*$ under $K_{good}$ and $P(X_i = 1 \mid K_{wrong}) = p$ under $K_{wrong}$.]


Distinguisher

Neyman-Pearson (optimal) test:

Accept a candidate $K$ if

$$\frac{P(X_1, X_2, \dots, X_N \mid K_{good})}{P(X_1, X_2, \dots, X_N \mid K_{wrong})} > t.$$

This (likelihood) ratio only depends on $S_N = \sum_{i=1}^{N} X_i$, $p_*$ and $p$, and is increasing in $S_N$. Thus, the acceptance condition becomes, for some threshold $0 < T < N$,

$$S_N > T$$

$S_{N,p_*} = \sum_{i=1}^{N} X_i$ follows a binomial law of parameters $(N, p_*)$.

$S_{N,p} = \sum_{i=1}^{N} X_i$ follows a binomial law of parameters $(N, p)$.


Error probabilities

Two kinds of errors can be made:

Non-detection error probability $P(S_{N,p_*} < T)$;

False alarm error probability $P(S_{N,p} \ge T)$.

The non-detection error probability is related to the success probability of the cryptanalysis.

The false alarm error probability is the expected ratio of kept candidates and thus influences the time complexity of the cryptanalysis.

Aim: Finding the minimal $N$ and the corresponding $T$ such that $P(S_{N,p_*} < T) \le \alpha$ and $P(S_{N,p} \ge T) \le \beta$ for given values of $\alpha$ and $\beta$.


Motivation

[Figure: diagram of the generalized Feistel network, with words labelled $X_1, \dots, X_8$, $Y_1, \dots, Y_8$ and $Z_1, \dots, Z_8$, S-boxes $S_1, \dots, S_4$ and keys $K_1, \dots, K_4$.]

Generalized Feistel Network [Nyberg 96] with:

10 rounds;

4 S-boxes.

Truncated differential path: $p_* = 1.18 \cdot 2^{-16}$ and $p = 2^{-16}$

Differential path: $p_* = 1.53 \cdot 2^{-27}$ and $p = 2^{-32}$

Question:

Which pair of parameters gives the best cryptanalysis?


An algorithm for finding N (1/2)

Some properties:

For a fixed $\tau = T/N$, error probabilities decrease when $N$ increases.

For a fixed $N$, non-detection error increases with $\tau$.

For a fixed $N$, false alarm error decreases when $\tau$ increases.

Idea

Dichotomic search for $\tau$.


An algorithm for finding N (2/2)

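Input: $(\alpha, \beta)$ and $(p_*, p)$.
Output: $N$ and $\tau$, the minimum number of samples and the corresponding relative threshold to reach error probabilities less than $(\alpha, \beta)$.

$\tau_{min} \leftarrow p$ and $\tau_{max} \leftarrow p_*$.
repeat
    $\tau \leftarrow \frac{\tau_{min} + \tau_{max}}{2}$.
    Compute $N_{nd}$ such that $\forall N > N_{nd}$, $P(S_{N,p_*} < N\tau) \le \alpha$.
    Compute $N_{fa}$ such that $\forall N > N_{fa}$, $P(S_{N,p} \ge N\tau) \le \beta$.
    if $N_{nd} > N_{fa}$ then $\tau_{max} = \tau$ else $\tau_{min} = \tau$
until $N_{nd} = N_{fa}$.
return $N$ and $\tau$.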


Number of required samples N for differential and truncated-differential cryptanalyses

Answer to the question:

In that case, truncated differential is better than differential.

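| $\alpha$ | $\beta$ | log(N) (differential) | log(N) (truncated differential) |
|---|---|---|---|
| 0.5 | 0.001 | 27.35 | 24.31 |
| 0.5 | $10^{-10}$ | 29.25 | 26.37 |
| 0.01 | 0.001 | 29.43 | 25.94 |
| 0.01 | $10^{-10}$ | 30.54 | 27.29 |

Differential: $p_* = 1.53 \cdot 2^{-27}$ and $p = 2^{-32}$

Truncated differential: $p_* = 1.18 \cdot 2^{-16}$ and $p = 2^{-16}$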


Gaussian approximation of the binomial tail

$$P[S_{N,p} \le N\tau] \simeq \int_{-\infty}^{\tau} \frac{1}{\sqrt{2\pi N p(1-p)}} \cdot e^{-\frac{N(x-p)^2}{2p(1-p)}} \, dx$$

Classically used in linear cryptanalysis:

[Matsui 93,94];

[Gilbert 97];

[Junod 01,03,05];

[Selcuk 08]

...

But not valid everywhere. For instance, when $N \cdot p$ is too small, as in differential cryptanalysis [Selcuk 08].


Poisson approximation of the binomial tail

$$P[S_{N,p} \le N\tau] \simeq \sum_{k=0}^{\lfloor N\tau \rfloor} \frac{e^{-Np} \cdot (Np)^k}{k!}$$

Implicitly used in differential cryptanalysis:

[Biham Shamir 91,93];

[Gilbert 97];

[Selcuk 08]

...

But not valid everywhere. For instance, when $N \cdot p$ is too big, as in linear cryptanalysis.


A good approximation of the binomial tail

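We recall the binomial tail:

$$P[S_{N,p} \le N\tau] = \sum_{k=0}^{\lfloor N\tau \rfloor} \binom{N}{k} p^k (1-p)^{N-k}$$

Approximation found, for instance, in [Arratia, Gordon 89]:

$$P(S_{N,p_*} \le N\tau) \underset{N \to \infty}{\sim} \frac{p_* \sqrt{1-\tau}}{(p_* - \tau)\sqrt{2\pi N \tau}} \cdot 2^{-N \cdot D(\tau \| p_*)}.$$

Where the Kullback-Leibler divergence is defined by:

$$D(p \| q) = p \log_2\left(\frac{p}{q}\right) + (1-p) \log_2\left(\frac{1-p}{1-q}\right).$$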
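The Gaussian, Poisson and Kullback-Leibler estimates of the lower binomial tail, compared with the exact value in two regimes; this is an added example, not code from the slides. The function names, the two regimes and their thresholds are constructed for illustration, and `gauss_lower` uses the standard normal CDF of the count $S_{N,p}$.

```python
import math

def kl_bits(a, b):
    """D(a||b) for Bernoulli laws, in bits (log base 2, as on the slide)."""
    return a * math.log2(a / b) + (1 - a) * math.log2((1 - a) / (1 - b))

def exact_lower(n, q, t):
    """Exact P(S_{n,q} <= t); every term is evaluated in the log domain."""
    lq, l1q = math.log(q), math.log1p(-q)
    return math.fsum(
        math.exp(math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                 + k * lq + (n - k) * l1q)
        for k in range(t + 1))

def gauss_lower(n, q, t):
    """Gaussian approximation: Phi((t - nq) / sqrt(nq(1 - q)))."""
    return 0.5 * math.erfc((n * q - t) / math.sqrt(2 * n * q * (1 - q)))

def poisson_lower(n, q, t):
    """Poisson approximation with mean nq, summed in the log domain."""
    mu = n * q
    return math.fsum(math.exp(k * math.log(mu) - mu - math.lgamma(k + 1))
                     for k in range(t + 1))

def kl_lower(n, q, t):
    """Kullback-Leibler based estimate from the slide, valid for 0 < t/n < q."""
    tau = t / n
    pref = q * math.sqrt(1 - tau) / ((q - tau) * math.sqrt(2 * math.pi * n * tau))
    return pref * 2.0 ** (-n * kl_bits(tau, q))

def ratios(n, q, t):
    """Each approximation divided by the exact tail (1.0 means perfect)."""
    exact = exact_lower(n, q, t)
    return {name: f(n, q, t) / exact for name, f in
            (("gauss", gauss_lower), ("poisson", poisson_lower), ("kl", kl_lower))}

# Constructed regimes: differential-like (n*q = 8) and linear-like (q near 1/2).
REGIMES = {"differential-like": (2**23, 2**-20, 1),
           "linear-like": (4096, 0.5 + 2**-5, 2080)}

if __name__ == "__main__":
    for name, args in REGIMES.items():
        print(name, {k: round(v, 3) for k, v in ratios(*args).items()})
```

In the differential-like regime the Poisson ratio is essentially 1 while the Gaussian estimate is about 2.2 times too large; in the linear-like regime the roles are reversed, and the Kullback-Leibler estimate stays close to the exact tail in both.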


Experimental results

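| | | Exact | Poisson | Gaussian | Ours |
|---|---|---|---|---|---|
| Lin Crypt: $p = 0.5$, $p_* = 0.5 + 2^{-10}$ | $\beta$ | $8.12 \cdot 10^{-5}$ | $3.84 \cdot 10^{-3}$ | $8.12 \cdot 10^{-5}$ | $8.62 \cdot 10^{-5}$ |
| | $\alpha$ | $2.97 \cdot 10^{-2}$ | $9.14 \cdot 10^{-2}$ | $2.97 \cdot 10^{-2}$ | $3.58 \cdot 10^{-2}$ |
| Diff Crypt: $p = 2^{-27}$, $p_* = 2^{-20}$ | $\beta$ | $2.03 \cdot 10^{-3}$ | $2.03 \cdot 10^{-3}$ | $8.84 \cdot 10^{-5}$ | $1.97 \cdot 10^{-3}$ |
| | $\alpha$ | $3.27 \cdot 10^{-3}$ | $3.27 \cdot 10^{-3}$ | $6.66 \cdot 10^{-3}$ | $3.33 \cdot 10^{-3}$ |
| Trunc Diff (1): $p = 2^{-4}$, $p_* = 1.01 \cdot 2^{-4}$ | $\beta$ | $9.29 \cdot 10^{-5}$ | $1.46 \cdot 10^{-4}$ | $9.23 \cdot 10^{-5}$ | $9.90 \cdot 10^{-5}$ |
| | $\alpha$ | $9.80 \cdot 10^{-5}$ | $1.55 \cdot 10^{-4}$ | $9.89 \cdot 10^{-5}$ | $1.04 \cdot 10^{-4}$ |
| Trunc Diff (2): $p = 2^{-15}$, $p_* = 1.5 \cdot 2^{-15}$ | $\beta$ | $5.05 \cdot 10^{-5}$ | $5.06 \cdot 10^{-5}$ | $3.17 \cdot 10^{-5}$ | $5.34 \cdot 10^{-5}$ |
| | $\alpha$ | $4.37 \cdot 10^{-4}$ | $4.38 \cdot 10^{-4}$ | $5.45 \cdot 10^{-4}$ | $4.67 \cdot 10^{-4}$ |

These values are given for $N = 2^{23}$ and $\tau = \frac{p_* + p}{2}$.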


Approximation of the data complexity (1)

Aim: Finding a simple formula to estimate the data complexity.

Fixing τ simplifies the problem.

So we take $T = N p_*$, which implies $\alpha \simeq 50\%$.


Approximation of the data complexity (2)

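$$N' = -\frac{1}{D(p_* \| p)} \left[ \log\left( \frac{\lambda\beta}{\sqrt{D(p_* \| p)}} \right) + 0.5 \log(-\log(\lambda\beta)) \right],$$

where $\lambda = \frac{(p_* - p)\sqrt{2\pi(1 - p_*)}}{(1 - p)\sqrt{p_*}}$.

$$N' \le N_\infty \le N' \left[ 1 + \frac{(\theta - 1)\log(\theta)}{\log(N')} \right],$$

with $\theta = \left[ 1 + \frac{1}{2\log(\lambda\beta)} \log\left( \frac{-\log(\lambda\beta)}{D(p_* \| p)} \right) \right]^{-1}$.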

This is a good approximation of N when β tends to 0.


Experimental results (1)

[Figure: two plots of $\log_2(N)$ against $-\log_2(\beta)$, with curves labelled Our, Gauss, Poisson and N. Panels: differential cryptanalysis of DES ($p_* = 1.87 \cdot 2^{-56}$, $p = 2^{-64}$) and linear cryptanalysis of DES ($p_* = 0.5 + 1.19 \cdot 2^{-21}$, $p = 0.5$).]


Experimental results (2)

[Figure: two plots of $\log_2(N)$ against $-\log_2(\beta)$, with curves labelled Our, Gauss, Poisson and N. Panels: truncated differential (1) ($p_* = 1.01 \cdot 2^{-4}$, $p = 2^{-4}$) and truncated differential (2) ($p_* = 1.5 \cdot 2^{-15}$, $p = 2^{-15}$).]


Simplified formula for the data complexity

Recall that:

$$N' = -\frac{1}{D(p_* \| p)} \left[ \log\left( \frac{\lambda\beta}{\sqrt{D(p_* \| p)}} \right) + 0.5 \log(-\log(\lambda\beta)) \right].$$

Using Taylor series, $\log\left( \frac{2\sqrt{\pi}}{\lambda} \right)$ is a good estimate of $\log\left( \frac{1}{\sqrt{D(p_* \| p)}} \right)$.

$$N'' = -\frac{\log(2\sqrt{\pi}\beta)}{D(p_* \| p)}.$$

So comparing the data complexity of two statistical cryptanalyses boils down to comparing the Kullback-Leibler divergences of those cryptanalyses.
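The question from the Motivation slide, worked through as an added example (not the authors' code). It finds the exact minimal $N$ by scanning integer thresholds $T$, a lattice-exact variant rather than the dichotomic search on $\tau$ from the slides, so its output need not coincide with the table of required samples, and compares it with $N''$. Assumptions: $\alpha = 0.5$ and $\beta = 0.001$, the same logarithm base in $N''$ and in $D$, and all function names.

```python
import math

def kl(a, b):
    """Kullback-Leibler divergence D(a||b) of Bernoulli laws, in bits."""
    return a * math.log2(a / b) + (1 - a) * math.log2((1 - a) / (1 - b))

def binom_cdf(n, q, k):
    """Exact P(S_{n,q} <= k), built term by term from P(S = 0)."""
    r = q / (1 - q)
    term = total = math.exp(n * math.log1p(-q))
    for j in range(k):
        term *= (n - j) / (j + 1) * r      # P(S = j+1) from P(S = j)
        total += term
    return min(total, 1.0)

def first_true(pred):
    """Smallest n >= 1 with pred(n) true, for a predicate monotone in n."""
    hi = 1
    while not pred(hi):
        hi *= 2
    lo = hi // 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if pred(mid) else (mid, hi)
    return hi

def min_samples(p_star, p, alpha, beta):
    """Smallest N (and its T) with P(S_{N,p*} < T) <= alpha, P(S_{N,p} >= T) <= beta."""
    T = 1
    while True:
        # For a fixed T, non-detection falls and false alarm rises as N grows.
        n_nd = first_true(lambda n: binom_cdf(n, p_star, T - 1) <= alpha)
        n_fa = first_true(lambda n: 1 - binom_cdf(n, p, T - 1) > beta) - 1
        if n_nd <= n_fa:                   # some N satisfies both bounds
            return n_nd, T
        T += 1

def simplified_n(p_star, p, beta):
    """N'' = -log(2*sqrt(pi)*beta) / D(p*||p), the alpha ~ 50% estimate."""
    return -math.log2(2 * math.sqrt(math.pi) * beta) / kl(p_star, p)

# Parameters (p*, p) of the two paths on the Motivation slide.
PATHS = {"differential": (1.53 * 2**-27, 2**-32),
         "truncated differential": (1.18 * 2**-16, 2**-16)}

if __name__ == "__main__":
    for name, (ps, p) in PATHS.items():
        n, T = min_samples(ps, p, 0.5, 1e-3)
        n2 = simplified_n(ps, p, 1e-3)
        print(f"{name}: log2 N = {math.log2(n):.2f}, T = {T}, log2 N'' = {math.log2(n2):.2f}")
```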


Behavior of the data complexity for some statistical attacks

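| Attack | Parameters | Classical results | $1 / D(p_* \parallel p)$ |
|---|---|---|---|
| Linear | $p = 0.5$, $p_* - p \ll p$ | $\frac{1}{(p_* - p)^2}$ | $\frac{1}{2(p_* - p)^2}$ |
| Differential | $p_* \ll 1$, $p_* \gg p$ | $\frac{1}{p_*}$ | $\frac{1}{p_* \log_2(p_*/p) - p_*}$ |
| Differential-linear | $p = 0.5$, $p_* - p \ll p$ | $\frac{1}{(p_* - p)^2}$ | $\frac{1}{2(p_* - p)^2}$ |
| Truncated differential | $p_* \ll 1$, $p_* - p \ll p$ | unknown | $\frac{2p}{(p_* - p)^2}$ |
| Impossible differential | $p_* = 0$, $p \ll 1$ | implicitly: $\frac{1}{p}$ | $\frac{1}{p}$ |
| $k$-th order differential | $p_* = 1$, $p \ll 1$ | $1$ | $-\frac{1}{\log_2 p}$ |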


Conclusions

For statistical attacks, this work provides:

an accurate algorithm to compute the data complexity;

an asymptotic formula to estimate the data complexity;

the asymptotic behavior for some known cryptanalyses.

Perspectives:

No assumptions on $\tau$.

Using an approximation that catches the lattice behavior of the considered random variables.

Generalizing this work to other distributions than Bernoulli.
