boomerang connectivity table revisited
TRANSCRIPT
Ling Song1,2, Xianrui Qin3, Lei Hu2
Boomerang Connectivity Table Revisited
1. Nanyang Technological University, Singapore
2. Institute of Information Engineering, CAS, China
3. Shandong University, China
FSE 2019 @ Paris
/24
Boomerang Attacks
Proposed by [Wag99] to combine two diff. trails:β’ πΈ0: Pr πΌ β π½ = π
β’ πΈ1: Pr πΎ β πΏ = π
Distinguishing probability:
π2π2πΈ1 πΈ1
πΈ1πΆ1
πΆ2
πΆ3
πΆ4
πΏ
πΏ
πΈ0 πΈ0
πΈ0
π1
π2
π3
π4πΌ
πΎ
πΎπ½
π½
πΌ
πΈ0
πΈ1
2
/24
Boomerang attacks: When you
send it properly, it always
comes back to you.
Boomerang Attacks
Proposed by [Wag99] to combine two diff. trails:β’ πΈ0: Pr πΌ β π½ = π
β’ πΈ1: Pr πΎ β πΏ = π
Distinguishing probability:
π2π2πΈ1 πΈ1
πΈ1πΆ1
πΆ2
πΆ3
πΆ4
πΏ
πΏ
πΈ0 πΈ0
πΈ0
π1
π2
π3
π4πΌ
πΎ
πΎπ½
π½
πΌ
πΈ0
πΈ1
https://www.australiathegift.com.au/shop/boomerang-with-stand/
2
/24
Boomerang attacks: When you
send it properly, it always
comes back to you.
Boomerang Attacks
Proposed by [Wag99] to combine two diff. trails:β’ πΈ0: Pr πΌ β π½ = π
β’ πΈ1: Pr πΎ β πΏ = π
Distinguishing probability:
π2π2πΈ1 πΈ1
πΈ1πΆ1
πΆ2
πΆ3
πΆ4
πΏ
πΏ
πΈ0 πΈ0
πΈ0
π1
π2
π3
π4πΌ
πΎ
πΎπ½
π½
πΌ
πΈ0
πΈ1
[Wag99]: Assumed two trails are independent.
NOT always correct
https://www.australiathegift.com.au/shop/boomerang-with-stand/
2
/24
β’ [BDD03]: Middle-round S-box trick
β’ [BK09]: Boomerang switch: Ladder switch / Feistel switch / S-box switch
Dependency can help attackers
β’ [Mer09]: Incompatible trails
Dependency can spoil attacks.
Two Trails in Boomerang Attacks
3
/24
Sandwich Attacks [DKS10]
Distinguishing probability:
π2 π2π
πΏ
πΏ
πΎ
πΎ
ΰ·¨πΈ0 ΰ·¨πΈ0
ΰ·¨πΈ0
πΌ
ΰ·¨πΈ0π½
πΌ
ΰ·¨πΈ1 ΰ·¨πΈ1
ΰ·¨πΈ1
π¦1
π¦2
π¦3
π¦4
ΰ·¨πΈ1
π₯1 π₯3
π₯4πΈπ
π½
πΆ1
πΆ2
πΆ3
πΆ4
π1
π2
π3
π4
π₯2
πΈπ
πΈπ
πΈπ
Decompose the cipher into three partsβ’ πΈπ handles the dependency.
β’ ΰ·¨πΈ0 β πΈ0 \πΈπ: Pr πΌ β π½ = π
β’ ΰ·¨πΈ1 β πΈ1 \πΈπ: Pr πΎ β πΏ = π
4
/24
Sandwich Attacks [DKS10]
Distinguishing probability:
π2 π2π
πΏ
πΏ
πΎ
πΎ
ΰ·¨πΈ0 ΰ·¨πΈ0
ΰ·¨πΈ0
πΌ
ΰ·¨πΈ0π½
πΌ
ΰ·¨πΈ1 ΰ·¨πΈ1
ΰ·¨πΈ1
π¦1
π¦2
π¦3
π¦4
ΰ·¨πΈ1
π₯1 π₯3
π₯4πΈπ
π·?
πΆ1
πΆ2
πΆ3
πΆ4
π1
π2
π3
π4
π₯2
πΈπ
πΈπ
πΈπ
π = Pr[π₯3 βπ₯4 = π½|(π₯1 βπ₯2 = π½)β(π¦1 βπ¦3 = πΎ)β(π¦2 βπ¦4 = πΎ)]
Decompose the cipher into three partsβ’ πΈπ handles the dependency.
β’ ΰ·¨πΈ0 β πΈ0 \πΈπ: Pr πΌ β π½ = π
β’ ΰ·¨πΈ1 β πΈ1 \πΈπ: Pr πΎ β πΏ = π
4
/24
BCT [CHP+18]
Boomerang Connectivity Table (BCT)β’ Calculate π theoretically when πΈπ is composed of a
single Sβbox layer.β’ Unify previous observations on the S-box (incompa-
tibilities and switches)
π
π
π
π
π₯1
π₯2
π₯3
π₯4
π¦1
π¦2
π¦3
π¦4
πΌ
π½
π½
πΌ
5
/24
Our Work
β’ The actual boundaries of πΈπ which contains dependency
β’ How to calculate π when πΈπ contains multiple rounds?
β’ Generalized framework of BCTβ Determine the boundaries of πΈπ
β Calculate π of πΈπ in the sandwich attack
Motivation
Contribution
6
/24
DDT: Difference Distribution Table
π·π·π πΌ, π½ = #{π₯ β {0,1}π|π π₯ β¨π π₯β¨πΌ = π½}
SKINNYβs 4-bit S-box
πΌ
π½
7
/24
BCT: Boomerang Connectivity Table
π΅πΆπ πΌ, π½ = #{π₯ β {0,1}π|πβ1(π π₯ β π½)β¨πβ1(π π₯β¨πΌ β π½) = πΌ}
π π
π
π₯1
π₯2
π₯3
π¦1
π¦2
π¦3
π¦4
πΌ
π½π
π½
π₯4
πΌ
SKINNYβs 4-bit S-box
πΌ
π½
8
/24
Relation between DDT and BCT
Let
9
/24
Relation between DDT and BCT
Let
9
/24
Relation between DDT and BCT
Let
Eq. 1 can be re-written as
9
/24
New Explanation of BCT
π for πΈπ with one S-box layer at the boundary of E0 and E1
10
/24
New Explanation of BCT
π for πΈπ with one S-box layer at the boundary of E0 and E1
Similarly,
10
/24
New Explanation of BCT
π for πΈπ with one S-box layer at the boundary of E0 and E1
Similarly,
In this case, πΌ and π½ are regarded as fixed.10
/24
Generalization: S-box in E0 or E1
Lower crossing difference
Upper crossing difference
S-box in E0 S-box in E1
11
/24
Generalization: S-box in E0 or E1
11
What if πΌ or π½ (crossing differences) are not fixed?
S-box in E0 S-box in E1
Upper crossing difference
Lower crossing difference
/24
Generalization: S-box in E0
12
/24
Generalization: S-box in E0
(1) π½ is independent of the upper trail
12
/24
Generalization: S-box in E0
(1) π½ is independent of the upper trail
which becomes identical to π2π2 in the classical boomerang attack.
(2) π½ is uniformly distributed
12
/24
Generalization: S-box in E1
(1) πΌ is independent of the lower trail
which becomes identical to π2π2 in the classical boomerang attack.
(2) πΌ is uniformly distributed
13
/24
Generalization: Interrelated S-boxes
S-boxes A and B are interrelated.
Lower crossing diff. (π½) of A comes from B.
Upper crossing diff. (πΌβ²) of B comes from A.
14
/24
Generalization: Interrelated S-boxes
S-boxes A and B are interrelated.
Lower crossing diff. (π½) of A comes from B.
Upper crossing diff. (πΌβ²) of B comes from A.
14
/24
Generalization: Interrelated S-boxes
S-boxes A and B are interrelated.
Lower crossing diff. (π½) of A comes from B.
Upper crossing diff. (πΌβ²) of B comes from A.
14
/24
Generalized Framework of BCT
Boundaries of πΈπ: where crossing differences are distributed (almost) uniformly.
1. Initialization: πΈπ β πΈ1ππππ π‘
||πΈ0πππ π‘ .
2. Extend both trails: πΌβπΈ0π½ ββ’, β β(πΎβ
πΈ1πΏ).
3. Prepend πΈπ with one more rounda) If the lower crossing differences are distributed uni
formly, peel off the first round and go to Step 4.b) Go to Step 3
4. Append πΈπ with one more rounda) If the upper crossing differences are distributed uni
formly, peel off the last round and go to Step 5.b) Go to Step 4.
5. Calculate r using formulas in the previous slides
πΈ1 πΈ0Pr = 1Pr = 1
15
/24
Re-evaluate prob of four BM dist. of SKINNY
β’ Prev: prob evaluated by ΖΈπ2 ΰ·π2
β’ New: prob evaluated by the generalized BCT
Construct related-subkey BM dist. Of AES-128
β’ Prev: related-subkey BM dist. Of AES-192/256
β’ New: 6-round related-subkey BM dist. Of AES-128 with 2β109.42
Applications
16
/24
SKINNY [BJK+16] is an SPN cipher, with a linear key schedule.
β’ SKINNY-n-t where n is block size and t tweakey size
Example πΈπ of SKINNY-64-128 in the related-tweakey setting
β’ Upper trail: 2 rounds, 2β8
β’ Lower trail: 4 rounds, 2β14
β’ π2π2 = 2β44
SKINNY
17
/24
π¬π with 6 Middle Rounds
Rd Diff before and after SB βK βK Pr.
R1 0,0,0,0, 0,0,0,0, 0,0,0,b, 0,0,0,00,0,0,0, 0,0,0,0, 0,0,0,1, 0,0,0,0
0,0,0,0, 0,0,0,0 b,0,0,0, 0,0,0,0 2β2
R2 0,1,0,0, 0,0,0,0, 0,1,0,0, 0,1,0,00,8,0,0, 0,0,0,0, 0,8,0,0, 0,8,0,0
0,0,0,0, 0,c,0,0 0,0,0,0, 5,0,0,0 2β2β3
R3 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,20,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,3
0,0,0,0, 0,0,0,0 0,0,3,0, 0,0,0,0 2β2
R4 0,0,0,0, 0,0,3,0, 0,0,0,0, 0,0,3,00,0,0,0, 0,0,d,0, 0,0,0,0, 0,0,c,0
0,0,0,3, 0,0,0,0 0,0,0,0, 0,0,9,0 2β3β2
R5 0,c,0,0, 0,0,0,0, 0,0,0,4, 0,0,0,00,2,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,0
0,0,0,0, 0,0,0,0 0,0,0,0, 2,0,0,0 2β2β2
R6 0,0,0,0, 0,2,0,0, 0,0,0,0, 0,0,0,00,0,0,0, 0,1,0,0, 0,0,0,0, 0,0,0,0
0,0,0,0, 0,0,0,d 0,0,0,0, 0,1,0,0 2β2
18
/24
Evaluation of π
Rounds ππππ ΰ·ππΰ·ππ π (new)
1+1 2β16 2β8.41 2β2
2+1 2β20 β¦ 2β2.79
2+2 2β32 β¦ 2β5.69
2+3 2β40 β¦ 2β10.56
2+4 2β44 2β29.91 2β12.96
Experiments confirm the results of π.
19
/24
Summary of the results on SKINNY
Ver. nπ¬π π¬ = ΰ·©π¬π β π¬π β ΰ·©π¬π
|π¬π| π |πΈ| π2 π2π ΖΈπ2 ΰ·π2[LGS17]
n-2n64 6(13) 2β12.96 17 2β29.78 2β48.72
128 5(12) 2β11.45 18 2β77.83 2β103.84
n-3n64 5(17) 2β10.50 22 2β42.98 2β54.94
128 5(17) 2β9.88 22 2β48.30 2β76.84
Prob. of BM dist. and comparison
β’ Take seconds to calculate π
20
/24
Summary of the results on SKINNY
Ver. nπ¬π π¬ = ΰ·©π¬π β π¬π β ΰ·©π¬π
|π¬π| π |πΈ| π2 π2π ΖΈπ2 ΰ·π2[LGS17]
n-2n64 6(13) 2β12.96 17 2β29.78 2β48.72
128 5(12) 2β11.45 18 2β77.83 2β103.84
n-3n64 5(17) 2β10.50 22 2β42.98 2β54.94
128 5(17) 2β9.88 22 2β48.30 2β76.84
Prob. of BM dist. and comparison
β’ Take seconds to calculate πβ’ Experiments confirm the results of π and the
17-round dist. of SKINNY-64-128 20
/24
6-round related-subkey BM dist. Of AES-128
3-round related-key differential trails:β’ 2 trails, 5 active S-boxes, 2β31
β’ 18 trails, 6 active S-boxes, 2β36, 2β37, 2β38
2β31
2β37
πΈπ, π = 2β33.42
π2 π2π= 2β109.42
21
/24
Discussion
Length of πΈπ:
β’ Mainly determined by the diffusion effect of the linear layer
β’ Density of active cells of the trails
r:Strongly affected by the DDT and BCT of the S-box
Limitation of the generalized BCT:
For a long πΈπ with large and strong S-boxes, calculating r might be a time-consuming task, e.g., T>235.
22
/24
Generalized BCT: for calculating π in the sandwich attack
1: identify the boundaries of dependency
2: calculate π
Problems to investigate:β Extension to non S-box based ciphers
β Improving previous boomerang attacks
Concluding Remarks
23
Slides credit to Yu Sasaki
Thank you for your attention!!