Extending Higher-order Integral: An Efficient Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers

1
Extending Higher-order Integral: An Efficient
Unified Algorithm of Constructing Integral
Distinguishers for Block Ciphers
  • Wentao Zhang (1), Bozhan Su (2), Wenling Wu (1),
    Dengguo Feng (2), Chuankun Wu (1)
  • (1) State Key Laboratory of Information Security,
    Institute of Information Engineering, Chinese
    Academy of Sciences
  • (2) Institute of Software, Chinese Academy of
    Sciences

2
Outline
  • 1. Introduction: Integral Cryptanalysis
  • 2. Basic Ideas
  • 3. A Unified Algorithm of Constructing Integral
    Distinguishers for Block Ciphers
  • 4. Experimental Results
  • 5. Summary and Discussion

3
1. Introduction: Integral Cryptanalysis
  • Integral cryptanalysis was originally proposed by
    L.R. Knudsen and D. Wagner as a dedicated attack
    against the Square block cipher, so it was first
    known as the Square attack.
  • Afterwards, the original idea was extended
    and given different names, including saturation
    attack, collision attack, multiset attack and
    integral cryptanalysis.

4
1. Introduction: Integral Cryptanalysis
  • Integral cryptanalysis is of particular
    significance for its applicability to AES:
  • 6-round AES is resistant to differential and
    linear attacks.
  • 6-round AES can be broken using integral
    cryptanalysis with only $6 \cdot 2^{32}$ chosen
    plaintexts and $2^{44}$ time.

5
1. Introduction: Integral Cryptanalysis
  • Basic principles of integral cryptanalysis
  • Integral cryptanalysis is a chosen-plaintext
    attack. It considers the propagation of sums of
    many values after a certain number of encryption
    rounds.
  • Assume a block cipher has n data subblocks. When
    mounting an integral attack:
  • First, the attacker typically chooses one or
    several specific subblocks, which take on all
    possible values in these subblocks, while the
    other subblocks have constant values.

6
1. Introduction: Integral Cryptanalysis
  • Then, the attacker tries to predict the
    properties of some subblock(s) after a certain
    number of encryption rounds. Customarily, the
    following 4 properties are considered:
  • (i) Constant: every data value in this subblock
    has the same constant value.
  • (ii) Active: the data can be divided into some
    disjoint subsets. For each subset, the data in
    this subblock are all different and have constant
    values in the other subblocks.
  • (iii) Balanced: the sum (usually XOR sum) of
    all values in this subblock is zero.
  • (iv) Unknown: no information can be derived.

7
1. Introduction: Integral Cryptanalysis
  • First-order integral and higher-order
    integral (L.R. Knudsen and D. Wagner, FSE 2002)
  • First-order integral: Consider a set of $2^m$
    elements, which differ only in one particular
    subblock, such that each of the $2^m$ possible
    values occurs exactly once. The sum over the
    elements of this set is called a first-order
    integral.
  • Higher-order integral: Consider next a set of
    $2^{dm}$ elements, which differ in d subblocks, such
    that each of the $2^{dm}$ possible values for the
    d-tuple of values from these subblocks occurs
    exactly once. The sum of this set is called a
    dth-order integral. A dth-order integral is
    called a higher-order integral when $d > 1$.
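
Added example (not part of the original presentation): the Python sketch below builds first-order and second-order integral sets as defined above and tracks the Constant/Active/Balanced/Unknown property of each subblock through a toy cipher. The cipher (a 4-subblock, SMS4-like generalized Feistel with m = 4), the round keys and the constant 0x7 are assumptions constructed for illustration; the S-box is PRESENT's, used only because it is a 4-bit bijection, and Active is checked as "every value occurs equally often".

```python
from collections import Counter
from functools import reduce
from itertools import product

M = 4                       # subblock size m in bits (toy value)
N = 4                       # number of subblocks n
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]        # PRESENT's 4-bit S-box
ROUND_KEYS = [0x3, 0xA, 0x5, 0xC, 0x9, 0x6, 0x1, 0xE]  # constructed sample keys

def encrypt(state, rounds):
    """Toy SMS4-like round: (a,b,c,d) -> (b,c,d, a ^ S[b^c^d^k])."""
    a, b, c, d = state
    for k in ROUND_KEYS[:rounds]:
        a, b, c, d = b, c, d, a ^ SBOX[b ^ c ^ d ^ k]
    return (a, b, c, d)

def integral_set(active, constant=0x7):
    """All 2^(d*m) states: subblocks in `active` take every value, the rest are fixed."""
    states = []
    for values in product(range(1 << M), repeat=len(active)):
        s = [constant] * N
        for idx, v in zip(active, values):
            s[idx] = v
        states.append(tuple(s))
    return states

def classify(column):
    """Strongest property of one subblock over the whole set: C, A, B or U."""
    counts = Counter(column)
    if len(counts) == 1:
        return "C"
    if len(counts) == 1 << M and len(set(counts.values())) == 1:
        return "A"          # every value occurs equally often
    if reduce(lambda x, y: x ^ y, column) == 0:
        return "B"          # XOR sum over the set is zero
    return "U"

def integral_pattern(active, rounds):
    """Property of each of the N subblocks after `rounds` rounds, as a string."""
    outputs = [encrypt(s, rounds) for s in integral_set(active)]
    return "".join(classify([o[i] for o in outputs]) for i in range(N))

if __name__ == "__main__":
    for active in ([0], [0, 1]):            # first-order, then second-order
        for r in range(7):
            print(f"order {len(active)}, {r} rounds: {integral_pattern(active, r)}")
```

Comparing the two runs shows the second-order set keeping a zero XOR sum in every subblock for more rounds than the first-order set, which is why higher-order integrals give longer distinguishers.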

8
1. Introduction: Integral Cryptanalysis
  • Factors that affect the security of a block
    cipher against integral cryptanalysis
  • Main factors:
  • the length of integral distinguishers
  • specific input/output forms
  • the strength of one-round encryption/decryption
  • key schedule
  • Among them, the design of integral distinguishers
    is the most important.

9
1. Introduction: Integral Cryptanalysis
  • Despite the long study of integral
    cryptanalysis on block ciphers, integral
    distinguishers have often been designed based on
    ad hoc approaches and the experience of
    cryptanalysts. There is no common method of
    designing integral distinguishers so far.

10
1. Introduction: Integral Cryptanalysis
  • Our contribution
  • We give an extension of the concept of
    higher-order integral. This new extension takes
    linear relations among different subblocks into
    account.
  • Based on the new extension, we present a unified
    algorithm for the design of higher-order integral
    distinguishers. Applying this algorithm, our
    experimental results show that better integral
    distinguishers can be derived for some block
    ciphers.

11
2. Basic Ideas
  • 1). Expression of the state of data in subblock
  • 2). Matrix Characterization of a block cipher
    (structure)
  • 3). Inside-out approach
  • 4). An extension of higher-order integral

12
2. Basic Ideas
  • (1) Expression of the state of data in a subblock
  • Traditionally, 4 kinds: Active, Constant,
    Balanced, Unknown
  • Ours:
  • Any constant state is denoted by the single
    letter C
  • A balanced state is denoted as a sum of some
    active states
  • Hence, the state in a subblock can be expressed
    either as C, or as a sum of some active states
    and some unknown states.

13
2. Basic Ideas
  • (2) Matrix characterization of a block cipher
    (structure)
  • Inspired by the work of J. Kim et al. [13, 14],
    but simpler
  • Assume a block cipher has n data subblocks; it
    can be characterized by n x n characteristic
    matrices.
  • Each entry of the characteristic matrices has
    only one of the three values 0, 1 or 2.

14
2. Basic Ideas
[Figure: one-round Feistel and its characteristic matrix]

15
2. Basic Ideas
  • (3) Inside-out approach
  • Traditionally, integral distinguishers are
    designed from top to bottom: an attacker only
    tries to predict the behavior of a set of
    carefully chosen plaintexts after a certain
    number of encryption rounds.
  • By contrast, we adopt the inside-out approach,
    trying to predict the behavior of a set of
    carefully chosen intermediate data, not only
    after a certain number of encryption rounds, but
    also after a certain number of decryption rounds.

16
2. Basic Ideas
  • As a result, we make an extension of the concept
    of higher-order integral.

17
2. Basic Ideas
  • (4) An extension of higher-order integral
  • In the original definition, a dth-order integral
    is related to a set of $2^{dm}$ elements, which
    differ only in d subblocks.
  • However, there can be some linear relations among
    different subblocks.
  • Taking these linear relations into account, we
    give an extension of higher-order integral: a
    dth-order integral is also related to $2^{dm}$
    elements, but they can differ in d subblocks,
    where d d.

18
2. Basic Ideas
  • This new extension can lead to more effective
    integral distinguishers for some block ciphers
    (structures).

19
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers
  • Expression of data
  • State in a subblock: C, or a sum of some active
    states and some unknown states.
  • State in a block (n data subblocks):
    $(a_0, a_1, \ldots, a_{n-1})$, where $a_i$ denotes
    the state in the i-th subblock, $0 \le i \le n-1$.
  • Expression of block cipher (structures)
  • Characteristic matrices: each entry has one of
    the 3 values 0, 1 or 2

20
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers
  • Rules for Applying Encryption/Decryption
    Characteristic Matrices to state in block
  • Rules for applying 0,1,2 to a state in subblock
  • Rules for applying characteristic matrices to a
    state in block
  • like matrix multiplication

21
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers
  • A case symbolic computation and constraint
    solving
  • For a given set of intermediate data, we can
    calculate the state in block after one-round
    encryption/decryption.
  • Theoretically, such a process can be iterated for
    an arbitrary number of rounds, either along the
    encryption direction or along the decryption
    direction.
  • However, we must impose some restrictions that
    terminate the process in order to derive useful
    integral distinguishers.

22
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers
  • Finishing Conditions for Calculus
  • Along the encryption direction: after some
    encryption rounds, considering each subblock and
    each possible linear combination of the subblocks,
    if every state includes some unknown information,
    then nothing can be derived from the
    corresponding data, and the attacker should
    terminate the process.

23
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers
  • Finishing Conditions for Calculus (continued)
  • Along the decryption direction: after some
    decryption rounds, if the amount of the
    corresponding data equals (or exceeds) the
    maximum, i.e., $2^l$, where l is the block length,
    the attacker should terminate the process.

24
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers
  • A unified algorithm
  • Based on the above, we propose a unified
    algorithm of constructing integral distinguishers
    for block ciphers.
  • See Algorithm 1 for details

25
3. A Unified Algorithm of Constructing
Integral Distinguishers for Block Ciphers

26
4. Experimental Results
  • Gen-SMS4
  • Gen-Fourcell
  • Present

27
4. Experimental Results
  • Gen-SMS4
  • SMS4 is a 128-bit block cipher used in the WAPI
    standard for wireless networks in China. It uses
    a kind of generalized Feistel structure.
  • Using Alg. 1, we derive 256 10-round integral
    distinguishers.
  • Previous result: 8-round integral distinguisher
    (Liu, F., et al., ACISP 2007)

28
4. Experimental Results
  • Gen-Fourcell
  • Fourcell is a 128-bit block cipher proposed at
    ACISP 2009. It also uses a kind of generalized
    Feistel structure.
  • Using Alg. 1, we derive 56 18-round integral
    distinguishers.
  • Previous result: 18-round integral distinguisher
    (Li, R., et al., ACISP 2007)

29
4. Experimental Results
  • Present
  • Present is a 64-bit block cipher proposed at
    CHES 2007. It uses an SP network and is
    bit-oriented.
  • Using Alg. 1, we derive many 5-round integral
    distinguishers.
  • Previous result: 3-round integral distinguisher
    (M. Zaba et al., FSE 2008)

30
5. Conclusions and outlook
  • Summary
  • We give an extension of the concept of
    higher-order integral, which can lead to better
    higher-order integral distinguishers for some
    block ciphers (structures).
  • We present a unified algorithm of searching for
    the best possible higher-order integral
    distinguishers for block ciphers:
  • inside-out method
  • matrix method
  • extended higher-order concept
  • carefully obtained finishing conditions in both
    the encryption and decryption directions

31
5. Conclusions and outlook
  • We expect that the algorithm can be used as a
    support tool for efficiently evaluating the
    security of block ciphers against integral
    cryptanalysis.

32
5. Conclusions and outlook
  • Discussion
  • General and specific: Algorithm 1 is
    applicable to many block ciphers. For a specific
    cipher, one can possibly derive better results by
    taking its specific features into account.
  • Find a block cipher for which the application of
    Algorithm 1 leads to a better distinguisher
    among all types of distinguishers.

33
  • Thank you!
  • Questions?