Bounds in Shallows and in Miseries
Proving bounds on the expected differential probability (EDP) of a characteristic over all keys has been a popular technique of arguing security for both block ciphers and hash functions. In fact, to a large extent, it was the clear formulation and elegant deployment of this very principle that helped Rijndael win the AES competition. Moreover, most SHA-3 finalists have come with explicit upper bounds on the EDP of a characteristic as a major part of their design rationale. However, despite the pervasiveness of this design approach, there is no understanding of what such bounds actually mean for the security of a primitive once a key is fixed — an essential security question in practice.
In this paper, we aim to bridge this fundamental gap. Our main result is a quantitative connection between a bound on the EDP of differential characteristics and the highest number of input pairs that actually satisfy a characteristic for a fixed key. This is particularly important for the design of permutation-based hash functions such as sponge functions, where the EDP value itself is not informative because there is no rekeying. We apply our theoretical result to revisit the security arguments of some prominent recent block ciphers and hash functions. For most of those, we have good news: a characteristic is followed by a small number of pairs only. For Keccak, though, many more rounds would currently be needed for our technique to guarantee any reasonable maximum number of pairs.
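The distinction the abstract draws, between the EDP of a characteristic (an average over all keys) and the number of pairs that follow it once a key is fixed, can be made concrete on a toy key-alternating SPN. The following is an added example, not code from the paper: it reuses the public 4-bit S-box of PRESENT, but the 8-bit block, the bit permutation, the round structure and the characteristic 0x01 -> 0x41 -> 0x63 are all constructed here. It computes the EDP from the S-box difference distribution table, counts the pairs that follow the trail for fixed keys, and checks that the exact average over the key space equals EDP times the number of inputs while individual keys deviate from it.

```python
"""EDP of a differential characteristic versus fixed-key pair counts on a toy
key-alternating SPN (8-bit block, two 4-bit S-boxes, a bit permutation)."""
from fractions import Fraction
import random

# 4-bit S-box of PRESENT (public). Block size, permutation and round count
# are constructed for this example.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK_BITS = 8
# Constructed bit permutation: bit i moves to position 2*i mod 7, bit 7 stays.
PERM = [(2 * i) % 7 for i in range(7)] + [7]
PERM_INV = [PERM.index(j) for j in range(BLOCK_BITS)]


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


DDT = ddt(SBOX)


def sbox_layer(state):
    """Apply the S-box to both nibbles of the 8-bit state."""
    return SBOX[state & 0xF] | (SBOX[state >> 4] << 4)


def permute(state, perm):
    """Move bit i of state to position perm[i]."""
    out = 0
    for i in range(BLOCK_BITS):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out


def round_differences(x, delta0, round_keys):
    """Differences at each round boundary for the pair (x, x ^ delta0). The last
    key is a final whitening key; it does not change the difference."""
    a, b = x, x ^ delta0
    diffs = [delta0]
    for k in round_keys[:-1]:
        a = permute(sbox_layer(a ^ k), PERM)
        b = permute(sbox_layer(b ^ k), PERM)
        diffs.append(a ^ b)
    return diffs


def edp(trail):
    """EDP over independent uniform round keys: the product of the S-box
    transition probabilities along the trail. The S-box output difference of a
    round is the inverse permutation of the next state difference."""
    p = Fraction(1)
    for d_in, d_out in zip(trail, trail[1:]):
        s_out = permute(d_out, PERM_INV)
        for nib in range(BLOCK_BITS // 4):
            a, b = (d_in >> (4 * nib)) & 0xF, (s_out >> (4 * nib)) & 0xF
            p *= Fraction(DDT[a][b], 16)
    return p


def count_pairs(trail, round_keys):
    """Ordered input pairs (x, x ^ trail[0]) following the whole characteristic
    under these fixed round keys."""
    trail = list(trail)
    return sum(round_differences(x, trail[0], round_keys) == trail
               for x in range(1 << BLOCK_BITS))


def exact_mean_two_rounds(trail):
    """For a 2-round trail only the middle key affects the differences (the
    first key relabels x, the last is added after the trail ends), so the mean
    over the whole key space is the mean over the 256 values of that key."""
    total = sum(count_pairs(trail, [0, k1, 0]) for k1 in range(1 << BLOCK_BITS))
    return Fraction(total, 1 << BLOCK_BITS)


def fixed_key_spread(trail, n_rounds, n_keys, seed=1):
    """(min, max) pair count over n_keys pseudo-random key sets (constructed)."""
    rng = random.Random(seed)
    counts = [count_pairs(trail, [rng.randrange(1 << BLOCK_BITS)
                                  for _ in range(n_rounds + 1)]) for _ in range(n_keys)]
    return min(counts), max(counts)


# Constructed 2-round characteristic 0x01 -> 0x41 -> 0x63: the nibble transitions
# 1 -> 9 and 4 -> 5 each have DDT entry 4, so EDP = (4/16)^3 = 1/64, i.e. 4 of
# the 256 ordered pairs are expected to follow it on average over the keys.
TRAIL = [0x01, 0x41, 0x63]

if __name__ == "__main__":
    print("EDP:", edp(TRAIL), "-> expected pairs:", edp(TRAIL) * (1 << BLOCK_BITS))
    print("exact mean over all keys:", exact_mean_two_rounds(TRAIL))
    print("min/max over 50 random keys:", fixed_key_spread(TRAIL, 2, 50))
    for k1 in (0x00, 0x3A, 0xC7):
        print(f"k1=0x{k1:02X}: {count_pairs(TRAIL, [0, k1, 0])} pairs")
```

The one-round case shows why the gap only opens with more rounds: with a key XORed before the S-box layer, the pair count for a one-round trail equals the DDT product for every key, whereas for two rounds the count depends on the middle round key and only its average over all keys matches the EDP. For more rounds the key space can no longer be enumerated and the spread over sampled keys is what a designer gets to observe, which is exactly the question the paper's bound addresses.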
Thus, our work — for the first time — sheds light on the fixed-key differential behaviour of block ciphers in general and substitution-permutation networks in particular, which has been a long-standing fundamental problem in symmetric-key cryptography.
Keywords: block cipher, hash function, differential cryptanalysis, differential characteristic, expected differential probability, Grøstl