DOI: 10.1007/978-3-031-30634-1_4

Efficient Detection of High Probability Statistical Properties of Cryptosystems via Surrogate Differentiation

Published: 23 April 2023

Abstract

A central problem in cryptanalysis is to find all the significant deviations from randomness in a given n-bit cryptographic primitive. When n is small (e.g., an 8-bit S-box), this is easy to do, but for large n, the only practical way to find such statistical properties was to exploit the internal structure of the primitive and to speed up the search with a variety of heuristic rules of thumb. However, such bottom-up techniques can miss many properties, especially in cryptosystems which are designed to have hidden trapdoors.

In this paper we consider the top-down version of the problem in which the cryptographic primitive is given as a structureless black box, and reduce the complexity of the best known techniques for finding all its significant differential and linear properties by a large factor of 2^{n/2}. Our main new tool is the idea of using surrogate differentiation. In the context of finding differential properties, it enables us to simultaneously find information about all the differentials of the form f(x) ⊕ f(x ⊕ α) in all possible directions α by differentiating f in a single randomly chosen direction γ (which is unrelated to the α's). In the context of finding linear properties, surrogate differentiation can be combined in a highly effective way with the Fast Fourier Transform. For 64-bit cryptographic primitives, this technique makes it possible to automatically find in about 2^64 time all their differentials with probability p ≥ 2^{-32} and all their linear approximations with bias |p| ≥ 2^{-16} (using 2^64 memory); previous algorithms for these problems required at least 2^96 time. Similar techniques can be used to significantly improve the best known time complexities of finding related key differentials, second-order differentials, and boomerangs. In addition, we show how to run variants of these algorithms which require no memory, and how to detect such statistical properties even in trapdoored cryptosystems whose designers specifically try to evade our techniques.
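The collision trick behind the abstract's "differentiate once in a random direction γ" claim, as an added toy illustration that is not code from the paper or its authors: a 16-bit function f with one planted differential is differentiated once into g(x) = f(x) ⊕ f(x ⊕ γ), collisions g(x) = g(y) vote for the direction x ⊕ y, and each candidate is then verified with a direct pass. The planted direction α, the planting probability, γ and the toy f are constructed assumptions, and the vote-and-verify steps are a reading of the abstract, not the paper's exact algorithm.

```python
import random
from collections import Counter, defaultdict

N = 16  # toy block width; the abstract's target is a 64-bit black box f

def planted_function(alpha, beta, p, seed=1):
    """Constructed toy f (not a real cipher): a random N-bit function into
    which the differential alpha -> beta is planted with probability ~p."""
    rng = random.Random(seed)
    f = [None] * (1 << N)
    for x in range(1 << N):
        if f[x] is None:
            f[x] = rng.getrandbits(N)
            if f[x ^ alpha] is None and rng.random() < p:
                f[x ^ alpha] = f[x] ^ beta  # pair (x, x^alpha) follows the differential
    return f

def surrogate_candidates(f, gamma, top=4):
    """Differentiate f once, in the single direction gamma, and rank the
    directions alpha whose pairs (x, x^alpha) collide in g more than chance."""
    g = [f[x] ^ f[x ^ gamma] for x in range(1 << N)]  # 2^N evaluations, once
    buckets = defaultdict(list)
    for x, v in enumerate(g):
        buckets[v].append(x)
    votes = Counter()
    for xs in buckets.values():  # every collision g(x) == g(y) ...
        for i, x in enumerate(xs):
            for y in xs[i + 1:]:
                votes[x ^ y] += 1  # ... is a vote for alpha = x ^ y
    # g(x) == g(x ^ gamma) for every x, so gamma itself always wins and is
    # discarded; for the same reason each real alpha appears together with
    # its twin alpha ^ gamma, and only direct verification tells them apart.
    del votes[gamma]
    return votes.most_common(top)

def differential_probability(f, alpha):
    """Verify one candidate alpha directly (a full 2^N pass per candidate):
    the most frequent output difference beta and its probability."""
    outs = Counter(f[x] ^ f[x ^ alpha] for x in range(1 << N))
    beta, cnt = outs.most_common(1)[0]
    return beta, cnt / (1 << N)

if __name__ == "__main__":
    ALPHA, BETA, GAMMA = 0x8421, 0x1357, 0x2B7D  # constructed sample values
    f = planted_function(ALPHA, BETA, p=1 / 8)
    for alpha, n_votes in surrogate_candidates(f, GAMMA):
        beta, prob = differential_probability(f, alpha)
        print(f"alpha={alpha:#06x} votes={n_votes:4d} -> beta={beta:#06x} p={prob:.4f}")
```

With the planted probability 1/8, the true α and its twin α ⊕ γ each collect on the order of 500 votes while every other direction gets only a handful, and the verification pass shows which of the two actually carries the differential.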


Published in

Advances in Cryptology – EUROCRYPT 2023: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part IV
Apr 2023, 671 pages
ISBN: 978-3-031-30633-4
DOI: 10.1007/978-3-031-30634-1
© International Association for Cryptologic Research 2023

Publisher: Springer-Verlag, Berlin, Heidelberg

Publication History: Published 23 April 2023

Qualifiers: Article