Title: Extending Higher-order Integral: An Efficient Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
- Wentao Zhang (1), Bozhan Su (2), Wenling Wu (1), Dengguo Feng (2), Chuankun Wu (1)
- (1) State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
- (2) Institute of Software, Chinese Academy of Sciences
Outline
- 1. Introduction: Integral Cryptanalysis
- 2. Basic Ideas
- 3. A Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
- 4. Experimental Results
- 5. Summary and Discussion
1. Introduction: Integral Cryptanalysis
- Integral cryptanalysis was originally proposed by L.R. Knudsen and D. Wagner as a dedicated attack against the Square block cipher, so it was first known as the Square attack.
- Afterwards, the original idea was extended and given different names, including saturation attack, collision attack, multiset attack and integral cryptanalysis.
- Integral cryptanalysis is of particular significance for its applicability to AES:
- 6-round AES is resistant to differential and linear attacks
- 6-round AES can be broken using integral cryptanalysis with only 6·2^32 chosen plaintexts and 2^44 time
- Basic principles of integral cryptanalysis
- Integral cryptanalysis is a chosen-plaintext attack; it considers the propagation of sums of many values after a certain number of encryption rounds.
- Assume a block cipher has n data subblocks. When mounting an integral attack:
- First, the attacker typically chooses one or several specific subblocks, which take on all possible values, while the other subblocks hold constant values.
- Then, the attacker tries to predict the properties of some subblock(s) after a certain number of encryption rounds. Customarily, the following 4 properties are considered:
- (i) Constant: every data item in this subblock has the same constant value.
- (ii) Active: the data can be divided into some disjoint subsets. For each subset, the data in this subblock are all different and have constant values in the other subblocks.
- (iii) Balanced: the sum (usually the XOR sum) of all values in this subblock is zero.
- (iv) Unknown: no information can be derived.
- First-order integral and higher-order integral (L.R. Knudsen and D. Wagner, FSE 2002)
- First-order integral: consider a set of 2^m elements which differ only in one particular subblock, such that each of the 2^m possible values occurs exactly once; the sum over the elements of this set is called a first-order integral.
- Higher-order integral: consider next a set of 2^{dm} elements which differ in d subblocks, such that each of the 2^{dm} possible values for the d-tuple of values from these subblocks occurs exactly once; the sum of this set is called a dth-order integral. A dth-order integral is called a higher-order integral when d > 1.
- Factors that affect the security of a block cipher against integral cryptanalysis
- Main factors:
- the length of integral distinguishers
- specific input/output forms
- the strength of one-round encryption/decryption
- key schedule
- Among them, the design of integral distinguishers is the most important.
- Despite a long history of studying integral cryptanalysis on block ciphers, integral distinguishers have often been designed with ad hoc approaches and the experience of cryptanalysts. So far there is no common method of designing integral distinguishers.
- Our contribution
- We give an extension of the concept of higher-order integral. This new extension takes linear relations among different subblocks into account.
- Based on the new extension, we present a unified algorithm for the design of higher-order integral distinguishers. Applying this algorithm, our experimental results show that better integral distinguishers can be derived for some block ciphers.
2. Basic Ideas
- (1) Expression of the state of data in a subblock
- (2) Matrix characterization of a block cipher (structure)
- (3) Inside-out approach
- (4) An extension of higher-order integral
- (1) Expression of the state of data in a subblock
- Traditionally, 4 kinds: Active, Constant, Balanced, Unknown
- Ours:
- Any constant state is denoted by a single letter C
- A balanced state is denoted as a sum of some active states
- Hence, the state in a subblock can be expressed either as C, or as a sum of some active states and some unknown states.
- (2) Matrix characterization of a block cipher (structure)
- Inspired by the work of J. Kim et al. [13, 14], but simpler
- Assume a block cipher has n data subblocks; it can be characterized by n x n characteristic matrices.
- Each entry of the characteristic matrices has only one of the three values 0, 1 or 2.
- [Figure] One-round Feistel and its characteristic matrix
- (3) Inside-out approach
- Traditionally, integral distinguishers are designed from top to bottom: an attacker only tries to predict the behavior of a set of carefully chosen plaintexts after a certain number of encryption rounds.
- By contrast, we adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen intermediate data, not only after a certain number of encryption rounds, but also after a certain number of decryption rounds.
- As a result, we make an extension of the concept of higher-order integral.
- (4) An extension of higher-order integral
- In the original definition, a dth-order integral is related to a set of 2^{dm} elements, which differ only in d subblocks.
- However, there can be some linear relations among different subblocks.
- Taking these linear relations into account, we give an extension of higher-order integral: a dth-order integral is still related to 2^{dm} elements, but they can differ in d' subblocks, where d' ≥ d.
- This new extension can lead to more effective integral distinguishers for some block ciphers (structures).
3. A Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
- Expression of data
- State in a subblock: C, or a sum of some active states and some unknown states.
- State in a block: n data subblocks, (a_0, a_1, ..., a_{n-1}), where a_i denotes the state in the i-th subblock, 0 ≤ i ≤ n-1.
- Expression of block ciphers (structures): characteristic matrices, each entry of which has one of the 3 values 0, 1 or 2.
- Rules for applying encryption/decryption characteristic matrices to the state in a block
- Rules for applying 0, 1, 2 to a state in a subblock
- Rules for applying characteristic matrices to a state in a block: like matrix multiplication
- A case of symbolic computation and constraint solving
- For a given set of intermediate data, we can calculate the state in the block after one-round encryption/decryption.
- Theoretically, such a process can be iterated for an arbitrary number of rounds, either along the encryption direction or along the decryption direction.
- However, we must impose some restrictions to terminate the process in order to derive useful integral distinguishers.
- Finishing conditions for the calculus
- Along the encryption direction: after some encryption rounds, considering each subblock and each possible linear combination of the subblocks, if every state includes some unknown information, then nothing can be derived from the corresponding data. The attacker should terminate the process.
- Finishing conditions for the calculus (continued)
- Along the decryption direction: after some decryption rounds, if the amount of the corresponding data equals (or exceeds) the maximum, i.e., 2^l, where l is the block length, the attacker should terminate the process.
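As an added illustration of the symbolic calculus described on the preceding slides (state expression, entry rules 0/1/2, matrix application, and the encryption-direction finishing condition), not code from the talk or its authors: the concrete entry rules, the 2x2 one-round Feistel matrix [[0,1],[1,2]] and the assumption that the round function F is a bijection are mine and are not given on the slides. The finishing check is written for general n, testing every XOR combination of subblocks.

```python
from itertools import count
_fresh = count()  # fresh symbols for outputs of the round function F

class State:  # subblock state: C (no terms), a XOR-sum of active symbols, or unknown
    def __init__(self, active=(), unknown=False):
        self.active, self.unknown = frozenset(active), unknown
    def __xor__(self, other):  # XOR-sum of two states: equal active symbols cancel
        return State(self.active ^ other.active, self.unknown or other.unknown)
    def is_constant(self):
        return not self.active and not self.unknown
    def is_balanced(self):  # C or a pure sum of active states: its XOR-sum is zero
        return not self.unknown

def xor_sum(states):
    acc = State()
    for s in states:
        acc ^= s
    return acc

def apply_entry(e, s):
    """Assumed rules for an entry: 0 = no dependency, 1 = linear copy, 2 = through bijective F."""
    if e == 0 or s.is_constant():
        return State()                        # nothing, or F(constant) = constant
    if e == 1:
        return s
    if len(s.active) == 1 and not s.unknown:  # F bijective: an active word stays active
        return State({f"a{next(_fresh)}"})
    return State(unknown=True)                # F(balanced) and F(unknown) are unknown

def apply_matrix(M, block):
    """Characteristic matrix times block state, with XOR as the addition."""
    return [xor_sum(apply_entry(e, s) for e, s in zip(row, block)) for row in M]

def has_usable_property(block):
    """Finishing check: does some subblock, or some XOR of subblocks, still lack unknown terms?"""
    return any(xor_sum(s for j, s in enumerate(block) if mask >> j & 1).is_balanced()
               for mask in range(1, 1 << len(block)))

# Assumed encryption matrix of one Feistel round: (L, R) -> (R, L xor F(R)).
FEISTEL_ENC = [[0, 1], [1, 2]]

def distinguisher_rounds(M, block, max_rounds=32):
    """Rounds the integral property survives before the finishing condition fires."""
    rounds = 0
    for _ in range(max_rounds):
        nxt = apply_matrix(M, block)
        if not has_usable_property(nxt):
            break
        block, rounds = nxt, rounds + 1
    return rounds, block
```

Starting from the intermediate state (C, active) this reproduces the classical 3-round Feistel first-order integral: the left half is balanced after round 3 and every subblock and XOR of subblocks is unknown after round 4.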
- A unified algorithm
- Based on the above, we propose a unified algorithm of constructing integral distinguishers for block ciphers.
- See Algorithm 1 for details.
4. Experimental Results
- Gen-SMS4
- Gen-Fourcell
- Present
- Gen-SMS4
- SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China; it uses a kind of generalized Feistel structure.
- Using Alg. 1, we derive 256 10-round integral distinguishers.
- Previous result: 8-round integral distinguisher, Liu, F., et al., ACISP 2007
- Gen-Fourcell
- Fourcell is a 128-bit block cipher proposed at ACISP 2009; it also uses a kind of generalized Feistel structure.
- Using Alg. 1, we derive 56 18-round integral distinguishers.
- Previous result: 18-round integral distinguisher, Li, R., et al., ACISP 2007
- Present
- Present is a 64-bit block cipher proposed at CHES 2007; it uses an SP network and is bit-oriented.
- Using Alg. 1, we derive many 5-round integral distinguishers.
- Previous result: 3-round integral distinguisher, M. Zaba et al., FSE 2008
5. Conclusions and Outlook
- Summary
- We give an extension of the concept of higher-order integral, which can lead to better higher-order integral distinguishers for some block ciphers (structures).
- We present a unified algorithm for searching for the best possible higher-order integral distinguishers for block ciphers, built on:
- inside-out method
- matrix method
- extended higher-order concept
- carefully-obtained finishing conditions in both the encryption and decryption directions
- We expect that the algorithm can be used as a support tool for efficiently evaluating the security of block ciphers against integral cryptanalysis.
- Discussion
- General and specific: Algorithm 1 is applicable to many block ciphers. For a specific cipher, one can possibly derive better results by taking its specific features into account.
- Find a block cipher for which the application of Algorithm 1 can lead to the best distinguisher among all types of distinguishers.