Differential Equation of Addition: Theory and Practice - PowerPoint PPT Presentation

1
Differential Equation of Addition: Theory and Practice
  • Speaker: Souradyuti Paul
  • (work jointly with Bart Preneel)
  • Computer Security and Industrial Cryptography (COSIC)
  • Department of Electrical Engineering
  • Katholieke Universiteit Leuven, Belgium
  • Email: Souradyuti.Paul_at_esat.kuleuven.be

2
Overview
  • Motivation What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with batch queries
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

3
Overview
  • Motivation What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with batch queries
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

4
Motivation: Mixing Diff. Group Operations (I)
  • Addition ($+$): integer addition over $\mathbb{Z}_{2^n}$, $a + b = c$; a, b, c are n-bit integers
  • XOR ($\oplus$): addition in characteristic 2 over $(\mathbb{Z}_2)^n$
  • $a = b \oplus c$; a, b, c are n-bit integers
  • Combination of Addition and XOR is one of the most used symmetric cipher components

5
Motivation: Why Addition and XOR (II)
  • Extremely fast on all modern machines
  • Generates nonlinear equations over GF(2)

6
Examples of Addition and XOR
  • HELIX
  • TWOFISH
  • IDEA
  • MARS
  • RC6

7
Overview
  • Motivation
  • What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with queries
  • Applications in Cryptography
  • Conclusions and Remarks

8
DEA: Differential Eqn. of Addition
  • Investigating Addition under Differential Cryptanalysis
  • Inputs: $(a, b)$, $(a', b')$; Outputs: $c$, $c'$
  • $a + b = c$
  • $a' + b' = c'$
  • Known differences as XORs: $m$, $n$, $p$
  • $m = a \oplus a'$
  • $n = b \oplus b'$
  • $p = c \oplus c'$
  • DEA: $p = (a + b) \oplus ((a \oplus m) + (b \oplus n))$

9
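DEA: What's the big deal?
  • DEA: $p = (a + b) \oplus ((a \oplus m) + (b \oplus n))$

$$
\begin{array}{cccccccccl}
a_{n-1} & a_{n-2} & a_{n-3} & \cdots & a_{i+1} & a_i & \cdots & a_1 & a_0 & \\
b_{n-1} & b_{n-2} & b_{n-3} & \cdots & b_{i+1} & b_i & \cdots & b_1 & b_0 & \\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_{i+1} & c_i & \cdots & c_1 & 0 & \text{(carry bits)} \\
m_{n-1} & m_{n-2} & m_{n-3} & \cdots & m_{i+1} & m_i & \cdots & m_1 & m_0 & \\
n_{n-1} & n_{n-2} & n_{n-3} & \cdots & n_{i+1} & n_i & \cdots & n_1 & n_0 & \\
\hline
p_{n-1} & p_{n-2} & p_{n-3} & \cdots & p_{i+1} & p_i & \cdots & p_1 & 0 &
\end{array}
$$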

10
Overview
  • Motivation
  • What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with queries
  • Applications in Cryptography
  • Conclusions and Remarks

11
The Problem: DEA-sat
  • Consider an arbitrary set of DEA
  • $p_i = (a + b) \oplus ((a \oplus m_i) + (b \oplus n_i))$, $i = 0, 1, 2, \ldots, k$
  • Secret: $(a, b)$
  • Known: $p_i$, $m_i$, $n_i$ for all $i = 0, 1, 2, \ldots, k$
  • $k = O(n^l)$, $l$ is a constant
  • DEA-Sat: contains all satisfiable sets of DEA
  • Question: verify membership in DEA-Sat

12
DEA-sat is in P
  • In 1992, Berson observed that it is hard to analyze addition, for large n, when differences are expressed as XORs [Berson, Eurocrypt 1992]
  • DEA-Sat by trivial exhaustive search requires time $O(n^l \cdot 2^{2n})$
  • We verified membership in DEA-Sat in $O(\mathrm{poly}(n))$-time

13
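DEA-sat is in P: How?
Whether there exists a solution $(a_i, b_i, c_i)$ for $(m_i, n_i, p_i, p_{i+1})$
  • Clue 1: Equivalence of two eqn.
  • $p = (a + b) \oplus ((a \oplus m) + (b \oplus n))$
  • $p = (a + b) \oplus ((a \oplus m) + (b \oplus n)) \oplus m \oplus n$
  • There are k such equations
  • Clue 2: Dependence among bits of a, b, m, n, p

$$
\begin{array}{cccccccccl}
a_{n-1} & a_{n-2} & a_{n-3} & \cdots & a_{i+1} & a_i & \cdots & a_1 & a_0 & \\
b_{n-1} & b_{n-2} & b_{n-3} & \cdots & b_{i+1} & b_i & \cdots & b_1 & b_0 & \\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_{i+1} & c_i & \cdots & c_1 & 0 & \text{(carry bits)} \\
m_{n-1} & m_{n-2} & m_{n-3} & \cdots & m_{i+1} & m_i & \cdots & m_1 & m_0 & \\
n_{n-1} & n_{n-2} & n_{n-3} & \cdots & n_{i+1} & n_i & \cdots & n_1 & n_0 & \\
\hline
p_{n-1} & p_{n-2} & p_{n-3} & \cdots & p_{i+1} & p_i & \cdots & p_1 & 0 &
\end{array}
$$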

14
Tabulating $p_{i+1}$
$m_i, n_i, p_i$
$(a_i, b_i, c_i)$
0, 0, 0
0, 0, 1
0, 1, 0
0, 1, 1
1, 0, 0
1, 0, 1
1, 1, 0
1, 1, 1
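
The bit-level dependence on slides 13 and 14 can be checked directly. The following Python code is an added example, not code from the presentation or the paper: it counts the solutions of a system of DEA by propagating the carry of a + b one bit at a time, and compares the result with exhaustive search. The function names and sample values are assumptions; `d` stands for the slides' difference n (renamed because n is the word size) and `q` for p XOR m XOR n.

```python
from itertools import product

def maj(x, y, z):
    """Carry-out of a one-bit full adder."""
    return (x & y) | (x & z) | (y & z)

def dea(a, b, m, d, n):
    """p = (a + b) XOR ((a XOR m) + (b XOR d)) mod 2^n; d is the slides' difference n."""
    return ((a + b) ^ ((a ^ m) + (b ^ d))) & ((1 << n) - 1)

def count_solutions(eqs, n):
    """Number of n-bit pairs (a, b) that satisfy every (m, d, p) in eqs."""
    # q = p ^ m ^ d is, bit for bit, the XOR of the two sums' carries.
    q = [p ^ m ^ d for m, d, p in eqs]
    if any(x & 1 for x in q):          # both carries into bit 0 are 0
        return 0
    ways = {0: 1}                      # carry c_i of a + b -> number of partial (a, b)
    for i in range(n):
        nxt = {}
        for c, w in ways.items():
            for ai, bi in product((0, 1), repeat=2):
                c1 = maj(ai, bi, c)    # c_{i+1} of a + b
                ok = True
                if i + 1 < n:          # carry out of the top bit is discarded
                    for (m, d, _), qj in zip(eqs, q):
                        c2 = c ^ ((qj >> i) & 1)   # carry of the second sum at bit i
                        c2n = maj(ai ^ ((m >> i) & 1), bi ^ ((d >> i) & 1), c2)
                        if (c1 ^ c2n) != ((qj >> (i + 1)) & 1):
                            ok = False
                            break
                if ok:
                    nxt[c1] = nxt.get(c1, 0) + w
        ways = nxt
    return sum(ways.values())

def brute_force(eqs, n):
    """Exhaustive reference over all 2^(2n) pairs (a, b)."""
    r = range(1 << n)
    return sum(all(dea(a, b, m, d, n) == p for m, d, p in eqs) for a in r for b in r)

# Constructed sample (not from the slides): secret (A, B), three queries (m, d), n = 6.
N, A, B = 6, 0b101101, 0b011010
QUERIES = [(0b000001, 0b000000), (0b000000, 0b000111), (0b110011, 0b010101)]
SYSTEM = [(m, d, dea(A, B, m, d, N)) for m, d in QUERIES]

if __name__ == "__main__":
    print(count_solutions(SYSTEM, N), brute_force(SYSTEM, N))
```

The carry-propagation count runs in time proportional to n times the number of equations, while the exhaustive check grows as 2^(2n). The count is always a multiple of 4 because the top bits of a and b never influence p.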
15
Overview
  • Motivation
  • What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

16
The Problem: DEA-comp
  • DEA-Comp: Compute all solutions to a given set of DEA
  • Our algorithm solves DEA-Comp with running time
    linear in the number of solutions
  • Our technique is combinatorial (different from
    traditional methods such as Gröbner Bases)

17
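DEA-comp: How
  • Consider the eqn.
  • $p = (a + b) \oplus ((a \oplus m) + (b \oplus n)) \oplus m \oplus n$
  • Individual Solution, $S_i$

$$
\begin{array}{cccccccccl}
a_{n-1} & a_{n-2} & a_{n-3} & \cdots & a_{i+1} & a_i & \cdots & a_1 & a_0 & \\
b_{n-1} & b_{n-2} & b_{n-3} & \cdots & b_{i+1} & b_i & \cdots & b_1 & b_0 & \\
c_{n-1} & c_{n-2} & c_{n-3} & \cdots & c_{i+1} & c_i & \cdots & c_1 & 0 & \text{(carry bits)} \\
m_{n-1} & m_{n-2} & m_{n-3} & \cdots & m_{i+1} & m_i & \cdots & m_1 & m_0 & \\
n_{n-1} & n_{n-2} & n_{n-3} & \cdots & n_{i+1} & n_i & \cdots & n_1 & n_0 & \\
\hline
p_{n-1} & p_{n-2} & p_{n-3} & \cdots & p_{i+1} & p_i & \cdots & p_1 & 0 &
\end{array}
$$

  • All Solutions, $S = 4 \cdot S_{n-2} \cdot S_{n-3} \cdots S_i \cdots S_1 \cdot S_0$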

18
Overview
  • Motivation What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with batch queries
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

19
What are Batch Queries (I)
  • Consider the following DEA
  • $p = (a + b) \oplus (a + (b \oplus n))$
  • Batch Query

[Figure: batch query. $n_1, n_2, \ldots$ → $(a, b)$ → $p_1, p_2, \ldots$]
20
Contrast with Adaptive Query
  • Adaptive Query

[Figure: adaptive query. $n_1$, $n_2$ sent one at a time to $(a, b)$, returning $p_1$, $p_2$]
21
DEA with Batch Queries (I)
  • Consider the following DEA
  • $p = (a + b) \oplus (a + (b \oplus n))$
  • Batch Query
  • Challenge: Obtain $(a, b)$ with a min. number of $n_i$'s

[Figure: batch query. $n_1, n_2, \ldots$ → $(a, b)$ → $p_1, p_2, \ldots$]
22
Facts to Remember
  • Trivial Method: Submit all $2^n$ Queries
  • Nontrivial Method: the # of queries is less than $2^n$
  • To ensure soln. set same as that for all $2^n$ Queries for all $(a, b)$
  • Fact: # of Solutions $= 2^{t+3} = 8$ if $a_0 = 1$
  • t is position of least significant 1 of a

23
Lower Bound on # of Queries
  • Condition: $(n-2)$-th bit of some output $p$ is 1
  • Condition violated: # of soln. $> 2^{t+3} = 8$ if $a_0 = 1$

24
Lower Bound: Encode Query and Output in a Binary Tree
A total of $\frac{3}{4} \cdot 2^{n-2}$ paths in the subtree
[Figure: binary tree from Depth 0 to Depth $n-2$ with 0/1 labels]
25
Is the Lower Bound Optimal?
  • Our algorithm requires $2^{n-2}$ queries (see the paper)
  • Our Lower bound is optimal up to a constant factor
  • Open Question: How to close the gap?

26
DEA with Batch Queries (I)
  • Consider the following DEA
  • $p = (a + b) \oplus ((a \oplus m) + (b \oplus n))$
  • Batch Query
  • Challenge: Obtain $(a, b)$ with a min. number of $(m, n)$'s

[Figure: $(m, n)$ → $(a, b)$ → $p$]
27
Lower Bound: A few facts
  • All possible queries: $2^{2n}$
  • A lower bound: 3 for all $n > 2$ (proved)
  • Large number of experiments suggests lower bound is 4 (conjecture)
  • Our algorithm solves it with 6 queries for all $n > 2$ (major weakness)

28
Overview
  • Motivation
  • What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

29
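DEA with Adapt. Queries (I)
  • Consider the following DEA
  • $p = (a + b) \oplus ((a \oplus m) + (b \oplus n))$
  • Adaptive Query
  • Challenge: Obtain $(a, b)$ with a min. number of $(m, n)$'s

[Figure: adaptive query. $(m_1, n_1)$, $(m_2, n_2)$ sent one at a time to $(a, b)$, returning $p_1$, $p_2$]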
30
DEA with Adapt. Queries (II)
  • Solving all $2^{2n}$ eqn. gives 4 solutions
  • Is it possible to obtain all 4 solutions with fewer queries?
  • Lower Bound: 3 for all $n \ge 3$
  • L.B. Condition: $S_i = 1$ for all $0 \le i \le n-2$
  • Lower bound optimal (see the paper)
  • Major weakness of addition under DC

31
DEA with Adapt. Queries (III)
  • Consider another DEA
  • $p = (a + b) \oplus (a + (b \oplus n))$
  • Adaptive Query
  • Challenge: Obtain $(a, b)$ with a min. number of $n$'s

[Figure: $n$ → $(a, b)$ → $p$]
32
DEA with Adapt. Queries (I)
  • Consider the following DEA
  • $p = (a + b) \oplus (a + (b \oplus n))$
  • Adaptive Query
  • Challenge: Obtain $(a, b)$ with a min. number of $n$'s

[Figure: adaptive query. $n_1$, $n_2$ sent one at a time to $(a, b)$, returning $p_1$, $p_2$]
33
DEA with Adapt. Queries (IV)
  • Total number of eqn.: $2^n$
  • The previous best known algorithm requires $3(n-1)$ adaptive queries [Muller, FSE 2004]
  • We showed that a lower bound is $(n-t-1)$, t is the least significant 1 of a (see paper)
  • L.B. Condition: $p_{n-2} = 1$ for all $0 \le t \le n-3$
  • Our lower bound is optimal, weakness

34
Overview
  • Motivation
  • What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

35
Cryptanalysis of Helix (I)
  • Differential attack on Helix [Muller, FSE 2004]
  • Muller's key recovery attack requires $2^{12}$ adaptive chosen plaintext blocks
  • We improve the data complexity by a factor of 3 in the worst case
  • We improve data complexity by a factor of 46.5 in the best case

36
Cryptanalysis of Helix (II)
  • No attack so far on Helix with chosen plaintexts
  • Chosen message attacks are more practical to implement (requires only one oracle)
  • We, for the first time, show a key recovery attack on Helix with $2^{35.64}$ chosen plaintexts

37
Overview
  • Motivation
  • What is DEA
  • Satisfiability of DEA
  • Solving DEA
  • Solving DEA with adaptive queries
  • Applications in Cryptography
  • Conclusions and Remarks

38
Conclusions and Remarks
  • Behavior of Modular Addition against differential
    cryptanalysis
  • Cryptanalysis of the cipher Helix
  • Open questions regarding lower bounds
  • What are the other applications?
  • Can this be extended to solve more complex
    equations?

39
Reference
  • S. Paul and Bart Preneel, Solving Systems of Differential Equations of Addition, ACISP 2005. Full Version: IACR ePrint Report 2004/294
  • S. Paul and Bart Preneel, Near Optimal Algorithms for Solving DEA with Batch Queries, Indocrypt 2005 (to appear)

40
  • Thanks.