Towards a unifying view of block cipher cryptanalysis

1
Towards a unifying view of block cipher
cryptanalysis

• David Wagner
• University of California, Berkeley

2
In this talk
How do we tell if a block cipher is secure? How
do we design good ones?

• Survey of cryptanalysis of block ciphers
• Steps towards a unifying view of this field
• Algebraic attacks

3
Whats a block cipher?
x
Ek X ? X bijective for all k
k
Ek(x)
4
When is a block cipher secure?
Answer when these two black boxes are
indistinguishable.
5
So many cryptanalytic attacks
prob. rational interpol.
higher-order d.c.
yo-yo
probabilistic interpol.
boomerang
rational interpol.
integrals
MITM interpolation
sliding
interpolation attacks
truncated d.c.
How do we unify them?
l.c. with multiple approximations
impossible d.c.
differential crypt.
linear crypt.
complementation props.
linear factors
6
How to attack a product cipher

• 1. Identify local properties of its round
  functions
• 2. Piece these together into global properties of
  the whole cipher

7
Motif 1 projection

• Identify local properties using commutative
  diagrams

8
Composing local properties

• Build global commutative diagrams out of local
  ones

9
Exploiting global properties

• Use global properties to build a known-text
  attack

• The distinguisher
• Let (x, y) be a plaintext/ciphertext pair
• If g(?(x)) ?(y), its probably from Ek
• Otherwise, its from ?

10
Example linearity in Madryga

• Madryga leaves parity unchanged
• Let ?(x) parity of x
• We see ?(Ek(x)) ?(x)
• This yields a distinguisher
• Pr?(?(x)) ?(x) ½
• Pr?(Ek(x)) ?(x) 1

11
Motif 2 statistics

• Suffices to find a property that holds with large
  enough probability
• A first attempt probabilistic commutative
  diagrams?
• Turns out to be too weak

Prob. p
where p Pr?(Ek(x)) g(?(x))
12
A more general formulationMarkov processes

• Stochastic commutative diagrams
• Ek , ?, ? induce a Markov process M, M(i,j)
  Pr?(Ek(x)) j ?(x) i
• ?, ?, ? induce M
• Pick a distance measure, e.g.,d(M, M) M
  M8
• Best distinguisher of Ek from ? has advantage
  0.5 M M8 Vaudenay
• Also, 1/(M M8)2 known texts suffice for
  a distinguishing attack

stochastic
stochastic
13
Example Linear cryptanalysis

• Matsuis linear cryptanalysis
• Set X GF(2)64, Y GF(2)
• Cryptanalyst chooses linear maps ?, ? cleverly
  to make M M8 as large as possible
• Note M is a 22 matrix of the form shown to the
  right, and 1/?2 known texts break the cipher

stochastic
½? ½?
½? ½?
and M M8 2?
14
Motif 3 higher-order attacks

• Use many encryptions to find better properties

X X

• Here weve definedÊk(x,x) (Ek(x), Ek(x))

Êk
stochastic
X X
15
Example Complementation

• Complementation properties are a simple example

• Take ?(x,x) x x
• Suppose M(?,?) 1 for some cleverly chosen ?
• Then we obtain a complementation property
• We can distinguish with just 2 chosen texts,
  sinceM M8 1

X X
Êk
stochastic
X X
16
Example Differential cryptanalysis

• Differential cryptanalysis

• Set X GF(2)n, and take ?(x,x) x x
• If p M(?,?) gtgt 2-n for some clever choice of
  ?,?, we can distinguish with 2/p chosen
  plaintexts

X X
Êk
stochastic
X X
17
Example Impossible differentials

• Impossible differential cryptanalysis

X X

• Set X GF(2)n, and take ?(x,x) x x
• If M(?,?) 0 for some clever choice of ?,?, we
  can distinguish with 2n chosen texts

Êk
stochastic
X X
18
Example Truncated diff. crypt.

• Truncated differential cryptanalysis

• Set X GF(2)n, Y GF(2)m, cleverly choose
  linear maps f1, f2 X ? Y, and take ?i(x,x)
  fi(x x)
• If M(?,?) gtgt 2-m for some clever choice of ?, ?,
  we can distinguish

X X
Êk
stochastic
X X
19
Generalized truncated d.c.

• Generalized truncated differential cryptanalysis

• Take X, Yi, ?i as before then M M8
  measures the distinguishing advantage of the
  attack
• Generalizes d.c., trunc d.c., l.c., diff-linear
  crypt., ...

X X
Êk
stochastic
X X
20
The attacks, compared
higher-order d.c.
yo-yo
boomerang
integrals
generalized truncated diff. crypt.
sliding
?
truncated d.c.
l.c. with multiple approximations
impossible d.c.
differential crypt.
linear crypt.
complementation props.
linear factors
21
Summary (1)

• A few leitmotifs generate many known attacks
• Many other attack methods can also be viewed this
  way (higher-order d.c., slide attacks, mod n
  attacks, d.c. over other groups, diff.-linear
  attacks, algebraic attacks, etc.)
• Are there other powerful attacks in this space?
• Can we prove security against all commutative
  diagram attacks?
• Were primarily exploiting linearities in ciphers
• E.g., the closure properties of GL(Y, Y) ?
  Perm(X)
• Are there other subgroups with useful closure
  properties?
• Are there interesting non-linear attacks?
• Can we prove security against all linear comm.
  diagram attacks?

22

Part 2 Algebraic attacks
23
Example Interpolation attacks

• Express cipher as a polynomial in the message
  key

• Write Ek(x) p(x), then interpolate from known
  texts
• Generalization MITM interpolation p(Ek(x))
  p(x)
• Generalization probabilistic interpolation
  attacks
• They use noisy polynomial reconstruction,
  decoding Reed-Solomon codes

24
Example Rational inter. attacks

• Express the cipher as a rational polynomial

• If Ek(x) p(x)/q(x), then
• Write Ek(x) q(x) p(x), and apply linear
  algebra
• Note rational polys are closed under
  composition
• Q Are probabilistic rational interpolation
  attacks feasible?

25
A generalization resultants

• A possible direction bivariate polynomials

• The small diagrams commute ifpi(x, fi(x)) 0
  for all x

26
Bivariate attacks generalize polynomial
rational interpolation
?
where q1(x, y) p(x) y
27
Algebraic attacks, compared
probabilistic bivariate attacks
prob. rational interpol.
bivariate attacks
probabilistic interpol.
rational interpol.
MITM interpolation
interpolation attacks
28
Summary (2)

• Many cryptanalytic methods can be understood, and
  compared, by expressing them as a combination of
  only a few basic ideas
• Commutative diagrams are a powerful way to think
  about cryptanalysis
• Questions?