differential forgery attack against lac · 2020. 7. 16. · 2 getavalidciphertext(n,c1‖c2,𝜏) 3...
TRANSCRIPT
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack against LAC
Gaeumltan Leurent
Inria France
SAC 2015
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 1 14
Introduction Characteristics Differentials Forgery Attack
Authenticated encryption
Cryptography has two main objectivesConfidentiality keeping the message secret
Authenticity making sure the message is authentic
Authenticated encryption scheme provides both Combines a cipher and a MAC
CAESAR competition Ongoing competition to design new AE schemes 57 submissions in March 2014 29 selected for second-round in July 2015 Important cryptanalysis effort
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 2 14
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
CAESAR candidate designed at Chinese Academy of Science by Lei Zhang Wenling Wu Yanfeng Wang Shengbao Wu Jian Zhang
Follows the structure of ALE [Bogdanov amp al FSE rsquo13] G based on modified LBlock (LBlock-s) 80-bit key 64-bit state 48-bit leak
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
Security claims
Confidentiality 80 bits Integrity 64 bits ldquoany forgery attack with an unused tuple
has a success probability at most 2minus64rdquo
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Find a differential 120572 120573 in G with probability p p = Prkx 1114094Gk(x oplus 120572) = Gk(x) oplus 1205731114097
2 Get a valid ciphertext (N c1 c2 120591)3 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability p
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 4 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 5 14
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Authenticated encryption
Cryptography has two main objectivesConfidentiality keeping the message secret
Authenticity making sure the message is authentic
Authenticated encryption scheme provides both Combines a cipher and a MAC
CAESAR competition Ongoing competition to design new AE schemes 57 submissions in March 2014 29 selected for second-round in July 2015 Important cryptanalysis effort
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 2 14
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
CAESAR candidate designed at Chinese Academy of Science by Lei Zhang Wenling Wu Yanfeng Wang Shengbao Wu Jian Zhang
Follows the structure of ALE [Bogdanov amp al FSE rsquo13] G based on modified LBlock (LBlock-s) 80-bit key 64-bit state 48-bit leak
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
Security claims
Confidentiality 80 bits Integrity 64 bits ldquoany forgery attack with an unused tuple
has a success probability at most 2minus64rdquo
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Find a differential 120572 120573 in G with probability p p = Prkx 1114094Gk(x oplus 120572) = Gk(x) oplus 1205731114097
2 Get a valid ciphertext (N c1 c2 120591)3 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability p
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 4 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 5 14
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
CAESAR candidate designed at Chinese Academy of Science by Lei Zhang Wenling Wu Yanfeng Wang Shengbao Wu Jian Zhang
Follows the structure of ALE [Bogdanov amp al FSE rsquo13] G based on modified LBlock (LBlock-s) 80-bit key 64-bit state 48-bit leak
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
Security claims
Confidentiality 80 bits Integrity 64 bits ldquoany forgery attack with an unused tuple
has a success probability at most 2minus64rdquo
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Find a differential 120572 120573 in G with probability p p = Prkx 1114094Gk(x oplus 120572) = Gk(x) oplus 1205731114097
2 Get a valid ciphertext (N c1 c2 120591)3 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability p
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 4 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 5 14
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Description of LAC
N
KInit Final T
64
KS KS KS80
Gleak
Gleak
Gleak
64
m1
48
m2 m3
c1 c2 c3
48
Security claims
Confidentiality 80 bits Integrity 64 bits ldquoany forgery attack with an unused tuple
has a success probability at most 2minus64rdquo
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 3 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Find a differential 120572 120573 in G with probability p p = Prkx 1114094Gk(x oplus 120572) = Gk(x) oplus 1205731114097
2 Get a valid ciphertext (N c1 c2 120591)3 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability p
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 4 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 5 14
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Find a differential 120572 120573 in G with probability p p = Prkx 1114094Gk(x oplus 120572) = Gk(x) oplus 1205731114097
2 Get a valid ciphertext (N c1 c2 120591)3 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability p
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 4 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 5 14
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 5 14
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Inside LBlock-s
s s s s s s s s
k
2
Feistel structure Nibble-oriented(4-bit words)
16 rounds Key addition Nibble S-box Nibble permutation
Best characteristics 35 active S-boxes 120575(S) = 2minus2 Proba le 2minus70
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 6 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R12
R22
R32
R42
R52
R62
R72
R82
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Truncated differential characteristics
R92
R102
R112
R122
R132
R142
R152
R162
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 7 14
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Differentials and characteristics
Differential 120572 120573 p = Prkx[Gk(x oplus 120572) = Gk(x) oplus 120573]Characteristic 1205720 rarr 1205721 rarr⋯120572n = 120573 p = Prkx[xprimei = xi oplus 120572i|xprime0 = x0 oplus 120572]
The probability of a differential is hard to evaluate
Common assumptionA single characteristic dominates the differential
Modifying one step leads to a significantly different characteristic Security analysis bounds probability of characteristics
Not always true for byte-wise SPN Given a truncated characteristic there are many instantiationswith the same inputout differences
If S-Box differential table is flat many of them are good
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 8 14
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Estimating of the probability of differentials
For security proofs upper bounds on the probability of differentials Few results known Notable exception AES [Keliher amp Sui]
For cryptanalysis lower bound on the probability of differentials Sum characteristics with the same inputoutput differences Recent work using MILP to find characteristics [Sun amp al]
Our approach use a truncated characteristic Consider the set of all characteristics followingthe same truncated characteristic
Fix inputoutput differences vary internal differences Large number of characteristics many with good probability
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 9 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
120572
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Computing the aggregation Consider a fixed truncated characteristic D
Di is the first i rounds of D Pr 1114094D ∶ 120572 1205731114097 probability that 120572 120573 following D
Compute the probabilities of all 1-round transitions following D
Computing Pr 1114094D ∶ 120572 1205731114097
1 Compute Pr 1114094D1 ∶ 120572 x1114097 for all valid x
2 Compute Pr 1114094Di ∶ 120572 x1114097 for all valid x iterativelyPr 1114094Di ∶ 120572 x1114097 = sumxprime Pr 1114094Diminus1 ∶ 120572 xprime1114097 sdot Pr[xprime rarr x]
12057212057301205731120573212057331205734
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 10 14
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Application to LAC
R12
R22
R32
R42
At most 6 active nibbles Storage 224
At most 3 active S-Boxes At most 29 transitions Time 16 sdot 224 sdot 29 = 237
ResultsBest differential found p ge 2minus6152
Collection of 302116704characteristics
17512 differentials with p gt 2minus64
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 11 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
1 Get a valid ciphertext (N c1 c2 120591)2 (N c1 oplus 120572 c2 oplus 120573 120591) is a forge with probability ge 2minus6152
Corresponding plaintext m1 oplus 120572 m2 oplus 120573because the leak is not affected
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Differential Forgery Attack
N
KInit Final T
64
KS KS80
Gleak
Gleak
64
c1 oplus 12057248
c2 oplus 120573
m1 m2
48
Limitations
Probability slightly higher than security claims (2minus6152 vs 2minus64) Need new data to repeat (cannot increase success probability)
Or use several differentials Limit to 240 data per key
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 12 14
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Conclusion
Lower bound on the probability of some differential Collection of characteristics following a truncated characteristic Good estimate of the probability of a differential
Breaks the security claims of LAC Pr[characteristic] le 2minus70 Pr[best differential] ge 2minus6152
Designers should check if applicable
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 13 14
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-
Introduction Characteristics Differentials Forgery Attack
Thanks
Questions
G Leurent (Inria) Differential Forgery Attack against LAC SAC 2015 14 14
- Introduction
- Characteristics
- Differentials
- Forgery Attack
-