Abstract
The fundamental problem of differential cryptanalysis is to find the highest entries in the Difference Distribution Table (DDT) of a given mapping F over n-bit values, and in particular to find the highest diagonal entries which correspond to the best iterative characteristics of F. The standard bottom-up approach to this problem is to consider all the internal components of the mapping along some differential characteristic, and to multiply their transition probabilities. However, this can provide seriously distorted estimates since the various events can be dependent, and there can be a huge number of low probability characteristics contributing to the same high probability entry. In this paper we use a top-down approach which considers the given mapping as a black box, and uses only its input/output relations in order to obtain direct experimental estimates for its DDT entries which are likely to be much more accurate. In particular, we describe three new techniques which reduce the time complexity of three crucial aspects of this problem: Finding the exact values of all the diagonal entries in the DDT for small values of n, approximating all the diagonal entries which correspond to low Hamming weight differences for large values of n, and finding an accurate approximation for any DDT entry whose large value is obtained from many small contributions. To demonstrate the potential contribution of our new techniques, we apply them to the SIMON family of block ciphers, show experimentally that most of the previously published bottom-up estimates of the probabilities of various differentials are off by a significant factor, and describe new differential properties which can cover more rounds with roughly the same probability for several of its members.
O. Dunkelman—The second author was supported in part by the Israel Science Foundation through grants No. 827/12 and No. 1910/12.
Notes
1. This claim can be easily supported by the fact that as more bits are changed, the probability that the new computed value is outside the ball increases.
2. The computation of \(P^n_{r,d}\) is discussed in Appendix A.
3. In such cases, the probability of the characteristic can be estimated independently of the round keys, assuming the input values are selected at random.
4. When using BITM to calculate the probability of a differential, one can choose the meeting round in a variety of ways. Usually setting \(r' \approx r/2\) gives the optimal results.
5. Of course, we still need to assume independence between the two parts of the cipher.
6. The value of N is discussed later.
7. We note that one can take more pairs, but as we later show, \(N=O(1/p_b)\), i.e., as long as \(p_b\) is above \(2^{-n/2}\) the algorithm is expected to work. Moreover, if both \(\varDelta _I \xrightarrow {r'} \varDelta _M\) and \(\varDelta _M \xrightarrow {r-r'} \varDelta _O\) have probability lower than \(p_b\), the overall contribution of the characteristic \(\varDelta _I \xrightarrow {r'} \varDelta _M\xrightarrow {r-r'} \varDelta _O\) to the probability we estimate is at most \(p_b^2\). Picking \(p_b<2^{-n/2}\) suggests that the contribution is less than \(2^{-n}\). Such a low probability is usually of little interest in cryptanalysis, and requires a very careful analysis.
8. For \(\alpha =4\) and \(t=32\) (expecting four pairs in 32 experiments), the total number of times \(\varDelta _M\) appears in all experiments follows a Poisson distribution with a mean of 128. Hence, with probability 95 %, counting over all experiments will suggest \(\varDelta _M\) somewhere between 105 and 151 times (in all 32 experiments). In other words, taking the number of times \(\varDelta _M\) appears (divided by 32N) as an estimate for the actual probability will be accurate within 18 % of the correct probability with probability 95 %.
9. All these differential characteristics could be theoretically extended to cover more rounds, but in order to break an n-bit block cipher, the probabilities generally need to be higher than \(2^{-n}\) (otherwise we do not expect to find more than a single accidental pair, even when we try the full code book).
10. The results for other differentials do not seem to differ significantly.
Appendices
A Calculating \(P^{n}_{r,d}\)
The Hamming ball algorithm of Sect. 5 relies on the value of \(P^n_{r,d}\). We compute this value by distinguishing between two cases: when \(d > 2r\), then \(P^n_{r,d} = 0\), as the largest Hamming distance between points in \(B_r(c)\) is 2r. Otherwise, \(d \le 2r\), and we consider the conditions on a point x such that both \(x \in B_r(c)\) and \(x \oplus \varDelta \in B_r(c)\). We partition the coordinates of \(x \oplus c\) which are set to 1 into two groups: the \(d_1 \le min(r,d)\) coordinates which are common to \(x \oplus c\) and \(\varDelta \oplus c\), and the remaining \(d_2 \le min(r,n-d)\) coordinates. Thus, we have \(dist(x,c) = d_1 + d_2\) and \(dist(x \oplus \varDelta ,c) = d + d_2 - d_1\), implying that \(d_1+d_2 \le r\) and \(d + d_2 - d_1 \le r\). In particular, the last inequality implies that \(d_1 \ge max(d-r,0)\), and so \(max(d-r,0) \le d_1 \le min(r,d)\), while \(0 \le d_2 \le min(r-d_1,r+d_1-d, n-d)\). Therefore, we obtain
where \(m_1 = max(d-r,0)\), \(m_2 = min(r,d)\) and \(m_3 = min(r-d_1,r+d_1-d, n-d)\).
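The counting argument of Appendix A, carried out as an added example (not the paper's own code): it evaluates the double sum over the stated ranges \(m_1 \le d_1 \le m_2\) and \(0 \le d_2 \le m_3\), using the summand \(\binom{d}{d_1}\binom{n-d}{d_2}\) implied by the partition into common and remaining coordinates (an assumption of this example, since the displayed formula itself is not reproduced on this page), and checks the result against brute-force enumeration for small n.

```python
from math import comb


def ball_overlap_count(n, r, d):
    """Number of n-bit points x with x in B_r(c) and x XOR Delta in B_r(c),
    where Delta has Hamming weight d.  The centre c is irrelevant, because
    y = x XOR c is a bijection that preserves both conditions.

    Case split and the ranges of d1, d2 are those of Appendix A.  The summand
    binom(d, d1) * binom(n - d, d2) counts the ways to choose the d1 one-bits
    shared with Delta and the d2 one-bits outside Delta's support (assumed
    summand; see the lead-in).  Normalisation to a probability is left to
    the reader, e.g. dividing by hamming_ball_size(n, r)."""
    if d > 2 * r:
        # Two points of B_r(c) are at distance at most 2r.
        return 0
    m1, m2 = max(d - r, 0), min(r, d)
    total = 0
    for d1 in range(m1, m2 + 1):
        # Both distance constraints plus the size of Delta's zero-support.
        m3 = min(r - d1, r + d1 - d, n - d)
        for d2 in range(0, m3 + 1):
            total += comb(d, d1) * comb(n - d, d2)
    return total


def hamming_ball_size(n, r):
    """|B_r(c)| for n-bit values: all points at distance at most r from c."""
    return sum(comb(n, i) for i in range(r + 1))


def ball_overlap_bruteforce(n, r, d):
    """Reference count by enumerating all 2^n points with c = 0 and
    Delta = the d lowest bits set (any weight-d Delta gives the same count)."""
    delta = (1 << d) - 1
    count = 0
    for x in range(1 << n):
        if bin(x).count("1") <= r and bin(x ^ delta).count("1") <= r:
            count += 1
    return count


if __name__ == "__main__":
    for n in range(1, 8):
        for r in range(n + 1):
            for d in range(n + 1):
                assert ball_overlap_count(n, r, d) == ball_overlap_bruteforce(n, r, d)
    print("closed-form count agrees with brute force for n <= 7")
```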
B Improving the BITM Algorithm
We first note that there is no need to actually store \(L_2\). One can generate \(L_1\), and for each \(w \oplus w'\) value of Steps 3–4 increment the counter if \(w \oplus w'\) happens to be in \(L_1\).
We now turn our attention to the generation of \(L_1\). It is easy to see that \(L_1\) can take at most O(N) memory cells. As N increases this may be a practical bottleneck. Hence, once the used memory reaches the machine's limit (or the process' limit), we suggest "extracting" all the high probability differences encountered so far into a shorter list \(L_1'\). Then, we sample more random pairs, but this time we only deal with those pairs whose "output" difference is in the short list \(L_1'\). The main advantage is that, since we now use almost no memory (as \(L_1'\) tends to be small), we can actually increase the number of queries, thus obtaining a more accurate estimate.
The final improvement on this front is to perform the previous idea in steps. We first sample many pairs, and store the differences \(z \oplus z'\) in a hash table (with fewer than N bins). After finding the bins which were suggested more often than the others, we can dive into them by re-sampling more pairs.
© 2015 Springer International Publishing Switzerland
Dinur, I., Dunkelman, O., Gutman, M., Shamir, A. (2015). Improved Top-Down Techniques in Differential Cryptanalysis. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science(), vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_8
DOI: https://doi.org/10.1007/978-3-319-22174-8_8
Print ISBN: 978-3-319-22173-1
Online ISBN: 978-3-319-22174-8