Improved Top-Down Techniques in Differential Cryptanalysis

Abstract

The fundamental problem of differential cryptanalysis is to find the highest entries in the Difference Distribution Table (DDT) of a given mapping F over n-bit values, and in particular to find the highest diagonal entries which correspond to the best iterative characteristics of F. The standard bottom-up approach to this problem is to consider all the internal components of the mapping along some differential characteristic, and to multiply their transition probabilities. However, this can provide seriously distorted estimates since the various events can be dependent, and there can be a huge number of low probability characteristics contributing to the same high probability entry. In this paper we use a top-down approach which considers the given mapping as a black box, and uses only its input/output relations in order to obtain direct experimental estimates for its DDT entries which are likely to be much more accurate. In particular, we describe three new techniques which reduce the time complexity of three crucial aspects of this problem: Finding the exact values of all the diagonal entries in the DDT for small values of n, approximating all the diagonal entries which correspond to low Hamming weight differences for large values of n, and finding an accurate approximation for any DDT entry whose large value is obtained from many small contributions. To demonstrate the potential contribution of our new techniques, we apply them to the SIMON family of block ciphers, show experimentally that most of the previously published bottom-up estimates of the probabilities of various differentials are off by a significant factor, and describe new differential properties which can cover more rounds with roughly the same probability for several of its members.

O. Dunkelman—The second author was supported in part by the Israel Science Foundation through grants No. 827/12 and No. 1910/12.

Appendices

A Calculating

\(P^{n}_{r,d}\) The Hamming ball algorithm of Sect. 5 relies on the value of \(P^n_{r,d}\). We compute this value by distinguishing between two cases: when \(d > 2r\), then \(P^n_{r,d} = 0\), as the largest Hamming distance between points in \(B_r(c)\) is 2r. Otherwise, \(d \le 2r\), and we consider the conditions on a point x such that both \(x \in B_r(c)\) and \(x \oplus \varDelta \in B_r(c)\). We partition the coordinates of \(x \oplus c\) which are set to 1 into two groups: the \(d_1 \le min(r,d)\) coordinates which are common to \(x \oplus c\) and \(\varDelta \oplus c\), and the remaining \(d_2 \le min(r,n-d)\) coordinates. Thus, we have \(dist(x,c) = d_1 + d_2\) and \(dist(x \oplus \varDelta ,c) = d + d_2 - d_1\), implying that \(d_1+d_2 \le r\) and \(d + d_2 - d_1 \le r\). In particular, the last equality implies that \(d_1 \ge max(d-r,0)\), and so \(max(d-r,0) \le d_1 \le min(r,d)\), while \(0 \le d_2 \le min(r-d_1,r+d_1-d, n-d)\). Therefore, we obtain

$$P^n_{r,d} = \sum _{d_1=m_1}^{m_2}\sum _{d_2=0}^{m_3}{d \atopwithdelims ()d_1}{n-d \atopwithdelims ()d_2}$$

where \(m_1 = max(d-r,0)\), \(m_2 = min(r,d)\) and \(m_3 = min(r-d_1,r+d_1-d, n-d)\).

B Improving the BITM Algorithm

We first note that there is no need to actually store \(L_2\). One can generate \(L_1\), and for each \(w \oplus w'\) value of Steps 3–4, to increment the counter if \(w \oplus w'\) happens to be in \(L_1\).

We now turn our attention to the generation of \(L_1\). It is easy to see that \(L_1\) can take at most O(N) memory cells. As N increases this may be a practical bottleneck. Hence, once the used memory reaches the machine’s limit (or the process’ limit), we suggest to “extract” all the high probability differences encountered so far into a shorter list \(L_1'\). Then, we sample more random pairs, but this time, we only deal with those pairs whose “output” difference is in the short list \(L_1'\). The main advantage is now that we use almost no memory (as \(L_1'\) tends to be small), we can actually increase the number of queries, thus obtaining a more accurate estimate.

The final improvement in this front is to perform the previous idea in steps. We first sample many pairs, and store the differences \(z \oplus z'\) in a hash table (with less than N bins). After finding the bins which were suggested more than others, we can dive into them by re-sampling more pairs.