On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis (PowerPoint presentation)


SLIDE 1

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

Anne Canteaut, Inria, France, Anne.Canteaut@inria.fr, http://www-rocq.inria.fr/secret/Anne.Canteaut/
Joint work with Joëlle Roué
ESC 2015, Clervaux, January 2015

SLIDE 2

Outline

  • Motivation: computing the MEDP and MELP for an SPN
  • New upper and lower bounds on the 2-round MEDP and MELP
  • Multiplicative invariance for Sboxes

SLIDE 3

Round function of SPN(m, t, S, M)

  • S: a permutation of $\mathbb{F}_2^m$
  • M: a linear permutation mixing the outputs of t copies of S

[Figure: one round maps $x^{(i)}$ through t parallel copies of S, then through M, then adds the round key $k_i$ to give $x^{(i+1)}$.]

The AES superbox corresponds to two rounds of SPN(8, 4, S, MixColumns).

SLIDE 4

Differential properties over r rounds

$$\mathrm{DP}[k](a,b) = \Pr_X\left[E_k(X) + E_k(X+a) = b\right]$$

Fixed-key results: probability of the 2-round characteristics [Daemen-Rijmen 07, 09].

Average over all keys:
$$\mathrm{EDP}_r(a,b) = 2^{-\kappa} \sum_{k \in \mathbb{F}_2^{\kappa}} \Pr_X\left[E_k(X) + E_k(X+a) = b\right].$$

Maximum expected differential probability for r rounds:
$$\mathrm{MEDP}_r = \max_{a \neq 0,\, b} \mathrm{EDP}_r(a,b)$$

SLIDE 5

Expected probability of 2-round characteristics

Difference table of S:
$$\delta(a,b) = \#\{x \in \mathbb{F}_2^m : S(x+a) + S(x) = b\}.$$

Differential uniformity of S: $\Delta(S) = \max_{a \neq 0,\, b} \delta(a,b)$.

Differential branch number of M over $\mathbb{F}_2^m$:
$$d = d_{\min}(\mathcal{C}_M) \quad\text{where}\quad \mathcal{C}_M = \{(x, M(x)),\ x \in (\mathbb{F}_2^m)^t\}.$$

Then, for a 2-round characteristic $(a, c, b)$ (input difference $a$, difference $c$ after the first Sbox layer, output difference $b$),
$$\mathrm{EDP}((a,c,b)) = \prod_{i=1}^{t} \frac{\delta(a_i, c_i)}{2^m} \prod_{j=1}^{t} \frac{\delta(M(c)_j, b_j)}{2^m} \le \left(2^{-m}\Delta(S)\right)^{d}.$$

SLIDE 6

From characteristics to differentials

$$\mathrm{EDP}_2(a,b) = \sum_{c \in \mathbb{F}_2^{mt}} \mathrm{EDP}((a,c,b))$$

Find an upper bound on $\mathrm{MEDP}_2$ [Hong et al. 00][Daemen-Rijmen 02]:
$$\mathrm{MEDP}_2 \le \left(2^{-m}\Delta(S)\right)^{d-1} \quad\Longrightarrow\quad \mathrm{MEDP}_2 \le 2^{-24} \text{ for the AES } (m = 8,\ \Delta(S) = 4,\ d = 5).$$

Compute the exact value of $\mathrm{MEDP}_2$ [Keliher-Sui 07]:
$$\mathrm{MEDP}_2 = 53 \times 2^{-34}$$

For 4 rounds of the AES:
$$\mathrm{MEDP}_4 \le 2^{-113} \text{ instead of } 2^{-96} \text{ with the general bound.}$$

SLIDE 7

FSE 2003 bound [Park et al. 03]

$$\mathrm{MEDP}_2 \le 2^{-md} \max\left\{ \max_{a \in (\mathbb{F}_2^m)^*} \sum_{\gamma \in (\mathbb{F}_2^m)^*} \delta(a,\gamma)^d,\ \max_{b \in (\mathbb{F}_2^m)^*} \sum_{\gamma \in (\mathbb{F}_2^m)^*} \delta(\gamma,b)^d \right\}$$

For the AES (each row of the difference table holds one entry 4 and 126 entries 2):
$$\mathrm{MEDP}_2 \le 2^{-40}\left(4^5 + 126 \times 2^5\right) = 79 \times 2^{-34}$$

SLIDE 8

Example with a 4-bit Sbox

[Difference table $\delta(a,b)$ of a 4-bit Sbox, rows $a$ and columns $b$ running over 1, …, f (hexadecimal), zero entries omitted: every row contains exactly one entry 4 and six entries 2.]

SLIDE 9

Invariance

$$\mathrm{MEDP}_2 \le 2^{-md} \max\left\{ \max_{a \in (\mathbb{F}_2^m)^*} \sum_{\gamma \in (\mathbb{F}_2^m)^*} \delta(a,\gamma)^d,\ \max_{b \in (\mathbb{F}_2^m)^*} \sum_{\gamma \in (\mathbb{F}_2^m)^*} \delta(\gamma,b)^d \right\}$$

This bound only depends on the affine equivalence class of S:
$$\{A_2 \circ S \circ A_1,\ A_1, A_2 \in \mathrm{GA}(\mathbb{F}_2^m)\}$$

This is not the case of the exact values of $\mathrm{MEDP}_2$:

  • AES Sbox $S(x) = A(x^{254})$: $\mathrm{MEDP}_2 = 53 \times 2^{-34}$ [Keliher-Sui 07]
  • Naive Sbox $S(x) = x^{254}$: $\mathrm{MEDP}_2 = 79 \times 2^{-34}$ (= FSE 2003 bound).

SLIDE 10

Motivations

Conjecture [Daemen et al. 09]. For any r, the $\mathrm{MEDP}_r$ of the AES is smaller than the $\mathrm{MEDP}_r$ of the AES variant with the naive Sbox.

Related issues:

  • How does the composition of S with affine permutations affect $\mathrm{MEDP}_2$?
  • Does this depend on the choice of the linear layer?

SLIDE 11

Linear properties over r rounds

Correlation of an r-round mask (u, v):
$$C[k](u,v) = 2^{-n} \sum_{x \in \mathbb{F}_2^n} (-1)^{u \cdot x + v \cdot E_k(x)}$$

For an SPN with independent round keys:
$$\sum_{k \in \mathbb{F}_2^\kappa} C[k](u,v) = 0 \quad \text{for any nonzero masks.}$$

Expected square correlation (linear potential):
$$\mathrm{ELP}_r(u,v) = 2^{-2n-\kappa} \sum_{k \in \mathbb{F}_2^\kappa} \left( \sum_{x \in \mathbb{F}_2^n} (-1)^{u \cdot x + v \cdot E_k(x)} \right)^2.$$

Maximum expected square correlation for r rounds:
$$\mathrm{MELP}_r = \max_{u,\, v \neq 0} \mathrm{ELP}_r(u,v)$$

SLIDE 12

Expected 2-round linear potential

Walsh transform of S:
$$\mathcal{W}(u,v) = \sum_{x \in \mathbb{F}_2^m} (-1)^{u \cdot x + v \cdot S(x)}.$$

Linearity of S: $\mathcal{L}(S) = \max_{u,\, v \neq 0} |\mathcal{W}(u,v)|$.

Linear branch number of M over $\mathbb{F}_2^m$:
$$d^\perp = d_{\min}(\mathcal{C}_M^\perp) \quad\text{where}\quad \mathcal{C}_M = \{(x, M(x)),\ x \in \mathbb{F}_2^{mt}\}.$$

General bound [Hong et al. 00][Daemen-Rijmen 02]:
$$\mathrm{MELP}_2 \le \left(2^{-m}\mathcal{L}(S)\right)^{2(d^\perp - 1)}$$

SLIDE 13

FSE 2003 bound [Park et al. 03]

$$\mathrm{MELP}_2 \le \max\left\{ \max_{u \in (\mathbb{F}_2^m)^*} \sum_{\gamma \in (\mathbb{F}_2^m)^*} \left(\frac{\mathcal{W}(u,\gamma)}{2^m}\right)^{2d^\perp},\ \max_{v \in (\mathbb{F}_2^m)^*} \sum_{\gamma \in (\mathbb{F}_2^m)^*} \left(\frac{\mathcal{W}(\gamma,v)}{2^m}\right)^{2d^\perp} \right\}$$

For the AES: $\mathrm{MELP}_2 \le 2.873 \times 2^{-28}$

Exact values:

  • AES Sbox: $\mathrm{MELP}_2 = 1.638 \times 2^{-28}$ [Keliher-Sui 07]
  • Naive Sbox: $\mathrm{MELP}_2 = 2.873 \times 2^{-28}$ (= FSE 2003 bound).
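Added example (not part of the talk): the Python below computes the quantities of slides 7, 9 and 13 for the AES Sbox $S(x) = A(x^{254})$ and for the naive Sbox $x^{254}$, with the AES superbox parameters $m = 8$ and $d = d^\perp = 5$. Both Sboxes are built from the AES field polynomial $X^8 + X^4 + X^3 + X + 1$ and the AES affine map (the standard definitions; none of this code comes from the talk), the difference table is computed by brute force and the Walsh transform by one fast Walsh-Hadamard transform per output mask. Running it gives the general bound $2^{-24}$, the FSE 2003 bound $79 \times 2^{-34}$ for both Sboxes, and identical linear bounds for both, which is the affine-invariance statement of slide 9 checked numerically. All function names are mine.

```python
# Added example, not from the slides: FSE 2003 two-round bounds for the AES
# Sbox A(x^254) and the naive Sbox x^254 (m = 8, d = d_perp = 5).  The two
# Sboxes are affine equivalent, so the bounds coincide although the exact
# MEDP_2 / MELP_2 values quoted on slides 9 and 13 differ.


def gf256_mul(a, b):
    """Multiply in F_{2^8} = F_2[X]/(X^8 + X^4 + X^3 + X + 1), the AES field."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return r


def gf256_pow(a, e):
    """Square-and-multiply; x^254 is the inverse on F_{2^8}* and maps 0 to 0."""
    r = 1
    while e:
        if e & 1:
            r = gf256_mul(r, a)
        a = gf256_mul(a, a)
        e >>= 1
    return r


def aes_affine(x):
    """The F_2-affine map A of the AES Sbox: x + (x<<<1) + (x<<<2) + (x<<<3) + (x<<<4) + 0x63."""
    def rot(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63


NAIVE = [gf256_pow(x, 254) for x in range(256)]   # naive Sbox S(x) = x^254
AES = [aes_affine(y) for y in NAIVE]               # AES Sbox S(x) = A(x^254)


def ddt(sbox):
    """delta(a, b) = #{x : S(x + a) + S(x) = b}, addition being XOR."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def walsh(sbox, m):
    """w[v][u] = W(u, v) = sum_x (-1)^(u.x + v.S(x)); one fast Walsh-Hadamard transform per v."""
    n = 1 << m
    table = []
    for v in range(n):
        f = [1 - 2 * (bin(v & sbox[x]).count("1") & 1) for x in range(n)]
        h = 1
        while h < n:                        # in-place butterflies over the input x
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
            h *= 2
        table.append(f)
    return table


def differential_uniformity(t):
    return max(t[a][b] for a in range(1, len(t)) for b in range(len(t)))


def linearity(w):
    return max(abs(w[v][u]) for v in range(1, len(w)) for u in range(len(w)))


def fse_diff_numerator(t, d):
    """MEDP_2 <= 2^(-m d) * max over nonzero rows/columns of sum_gamma delta^d."""
    n = len(t)
    rows = max(sum(t[a][g] ** d for g in range(1, n)) for a in range(1, n))
    cols = max(sum(t[g][b] ** d for g in range(1, n)) for b in range(1, n))
    return max(rows, cols)


def fse_lin_numerator(w, dperp):
    """MELP_2 <= 2^(-2 m dperp) * max over nonzero rows/columns of sum_gamma W^(2 dperp)."""
    n = len(w)
    by_u = max(sum(w[g][u] ** (2 * dperp) for g in range(1, n)) for u in range(1, n))
    by_v = max(sum(w[v][g] ** (2 * dperp) for g in range(1, n)) for v in range(1, n))
    return max(by_u, by_v)


def two_round_bounds(sbox, m=8, d=5):
    """General bound (Hong et al. / Daemen-Rijmen) and FSE 2003 bounds, as floats."""
    t, w = ddt(sbox), walsh(sbox, m)
    return {
        "general_medp": (differential_uniformity(t) / 2 ** m) ** (d - 1),
        "general_melp": (linearity(w) / 2 ** m) ** (2 * (d - 1)),
        "fse_medp": fse_diff_numerator(t, d) / 2 ** (m * d),
        "fse_melp": fse_lin_numerator(w, d) / 2 ** (2 * m * d),
    }


if __name__ == "__main__":
    for name, s in (("AES", AES), ("naive", NAIVE)):
        b = two_round_bounds(s)
        print("%-5s MEDP_2 <= %.1f x 2^-34, MELP_2 <= %.3f x 2^-28"
              % (name, b["fse_medp"] * 2 ** 34, b["fse_melp"] * 2 ** 28))
```

The script takes about a second: the Walsh table costs $2^m$ transforms of size $2^m$ instead of a $2^{3m}$ brute-force sum, which is what makes the 8-bit case comfortable in pure Python.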

SLIDE 14

GF-representation $\mathrm{SPN}_F(m, t, S, M)$

  • M: an $\mathbb{F}_{2^m}$-linear permutation of $(\mathbb{F}_{2^m})^t$
  • S: a permutation of $\mathbb{F}_{2^m}$

Link between both representations: for a given basis $(\alpha_0, \ldots, \alpha_{m-1})$ of $\mathbb{F}_{2^m}$,
$$\varphi : (x_0, \ldots, x_{m-1}) \in \mathbb{F}_2^m \longmapsto \sum_{i=0}^{m-1} x_i \alpha_i \in \mathbb{F}_{2^m}$$

Then, writing $S_F$ and $M_F$ for the Sbox and linear layer of the GF-representation,
$$S_F = \varphi \circ S \circ \varphi^{-1} \quad\text{and}\quad M_F = (\varphi, \ldots, \varphi) \circ M \circ (\varphi^{-1}, \ldots, \varphi^{-1})$$

SLIDE 15

GF-representation [Daemen-Rijmen 11]

$\mathrm{EDP}(a,b)$ and $\mathrm{ELP}(a,b)$ can be expressed by means of $S_F$ and $M_F$:
$$\delta_F(\alpha,\beta) \triangleq \#\{x \in \mathbb{F}_{2^m} : S_F(x+\alpha) + S_F(x) = \beta\} = \delta(\varphi^{-1}(\alpha), \varphi^{-1}(\beta))$$
$$\mathcal{W}_F(\alpha,\beta) \triangleq \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{Tr}(\alpha x + \beta S_F(x))} = \mathcal{W}(\psi^{-1}(\alpha), \psi^{-1}(\beta))$$
where $\psi : \mathbb{F}_2^m \to \mathbb{F}_{2^m}$ is defined by the dual basis $(\beta_0, \ldots, \beta_{m-1})$ with
$$\mathrm{Tr}(\alpha_i \beta_j) = \begin{cases} 1 & \text{if } i = j \\ 0 & \text{otherwise.} \end{cases}$$

FSE 2003 bound for $\mathrm{SPN}_F(m,t,S,M)$:
$$\mathrm{MEDP}_2 \le 2^{-md} \max\left\{ \max_{a \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(a,\gamma)^d,\ \max_{b \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\gamma,b)^d \right\}$$

SLIDE 16

The choice of the basis does not affect $\mathrm{MEDP}_r$ and $\mathrm{MELP}_r$

[Figure: a round of the SPN and of its GF-representation side by side, with $\varphi$ / $\varphi^{-1}$ layers inserted between the Sbox layer, the linear layer $M$ (resp. $M_F$) and the key addition $\mathrm{Add}(k)$ (resp. $\mathrm{Add}_F(k_F)$).]

SLIDE 17

New bounds on $\mathrm{MEDP}_2$ and $\mathrm{MELP}_2$

SLIDE 18

New upper bounds

Theorem. For $\mathrm{SPN}_F(m,t,S,M)$ where M is an $\mathbb{F}_{2^m}$-linear permutation, we define for $\mu \in \mathbb{F}_{2^m}$
$$B(\mu) = \max_{1 \le u < d}\ \max_{\alpha,\beta,\lambda \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\alpha,\gamma)^u\, \delta_F(\gamma\lambda + \mu, \beta)^{d-u}$$
$$B^\perp(\mu) = \max_{1 \le u < d^\perp}\ \max_{\alpha,\beta,\lambda \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \mathcal{W}_F(\alpha,\gamma)^{2u}\, \mathcal{W}_F(\gamma\lambda + \mu, \beta)^{2(d^\perp - u)}.$$
Then,
$$\mathrm{MEDP}_2 \le 2^{-md} \max_{\mu \in \mathbb{F}_{2^m}} B(\mu) \quad\text{and}\quad \mathrm{MELP}_2 \le 2^{-2md^\perp} \max_{\mu \in \mathbb{F}_{2^m}} B^\perp(\mu)$$

For the AES Sbox and $d = d^\perp = 5$:

  • $\mathrm{MEDP}_2 \le 55.5 \times 2^{-34}$, compared to the FSE 2003 bound $79 \times 2^{-34}$
  • $\mathrm{MELP}_2 \le 1.862 \times 2^{-28}$, compared to the FSE 2003 bound $2.873 \times 2^{-28}$

SLIDE 19

Example with a 4-bit Sbox

[The difference table of slide 8 again: rows $a$ and columns $b$ over 1, …, f, zero entries omitted, every row containing exactly one entry 4 and six entries 2.]

SLIDE 20

A lower bound

$$B(\mu) = \max_{1 \le u < d}\ \max_{\alpha,\beta,\lambda \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\alpha,\gamma)^u\, \delta_F(\gamma\lambda + \mu, \beta)^{d-u}$$
$$B^\perp(\mu) = \max_{1 \le u < d^\perp}\ \max_{\alpha,\beta,\lambda \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \mathcal{W}_F(\alpha,\gamma)^{2u}\, \mathcal{W}_F(\gamma\lambda + \mu, \beta)^{2(d^\perp - u)}.$$

Theorem. There exists an $\mathbb{F}_{2^m}$-linear permutation $M_1$ (resp. $M_2$) with maximal branch number $d = t+1$ (resp. $d^\perp = t+1$) such that the corresponding $\mathrm{SPN}_F(m,t,S,M_i)$ satisfy
$$\mathrm{MEDP}_2 \ge 2^{-md} B(0) \qquad\text{and}\qquad \mathrm{MELP}_2 \ge 2^{-2md^\perp} B^\perp(0).$$

SLIDE 21

Involutional Sboxes

If S is an involution over $\mathbb{F}_{2^m}$, both lower and upper bounds are equal to the FSE 2003 bound. There exists an $\mathbb{F}_{2^m}$-linear permutation M with maximal branch number such that
$$\mathrm{MEDP}_2 = 2^{-m(t+1)} \max_{a \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(a,\gamma)^{t+1}
\quad\text{and}\quad
\mathrm{MELP}_2 = 2^{-2m(t+1)} \max_{a \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \mathcal{W}_F(a,\gamma)^{2(t+1)}.$$

SLIDE 22

Example: SPN(4, 4, S, M)

  x     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  S(x)  0  1  2 13  4  7 15  6  8 14 11 10  9  3 12  5

  • For any $\mathbb{F}_2$-linear permutation M with $d = 5$: $\mathrm{MEDP}_2 \le 34 \times 2^{-14}$ (FSE 2003 bound).
  • For any $\mathbb{F}_{2^4}$-linear permutation M with $d = 5$ defined over $\mathbb{F}_{2^4}$, where $\mathbb{F}_{2^4}$ is identified with $\mathbb{F}_2^4$ by $\{1, \alpha, \alpha^2, \alpha^3\}$, $\alpha$ a root of $X^4 + X^3 + X^2 + X + 1$: $\mathrm{MEDP}_2 \le 33 \times 2^{-14}$ (our upper bound).
  • There exists an $\mathbb{F}_{2^4}$-linear permutation $M'$ with $d = 5$ defined over $\mathbb{F}_{2^4}$, where $\mathbb{F}_{2^4}$ is identified with $\mathbb{F}_2^4$ by $\{1, \beta, \beta^2, \beta^3\}$, $\beta$ a root of $X^4 + X + 1$, such that $\mathrm{MEDP}_2 = 34 \times 2^{-14}$ (our lower bound).

SLIDE 23

Influence of the basis

The basis has no influence if both M and S are defined over $\mathbb{F}_{2^m}$.

LED [Guo et al. 11]:

  • S is the PRESENT Sbox over $\mathbb{F}_2^4$
  • M is an $\mathbb{F}_{2^4}$-linear permutation with branch number 5
  • Basis $(1, \alpha, \alpha^2, \alpha^3)$ defined by $X^4 + X + 1$: $\mathrm{MEDP}_2 \le 2^{-8}$
  • Basis $(1, \beta, \beta^2, \beta^3)$ defined by $X^4 + X^3 + 1$: $\mathrm{MEDP}_2 \le 3 \times 2^{-10}$

SLIDE 24

Lower bounds for all $\mathbb{F}_{2^m}$-linear layers

SLIDE 25

Multiplicative invariance for Sboxes

  • S has multiplicative-invariant derivatives if, for any $x \in \mathbb{F}_{2^m}^*$, there exists a permutation $\pi_x$ of $\mathbb{F}_{2^m}^*$ such that
    $$\delta_F(\alpha, xy) = \delta_F(\pi_x(\alpha), y), \quad \forall y \in \mathbb{F}_{2^m}^*.$$
  • S has a multiplicative-invariant Walsh transform if, for any $x \in \mathbb{F}_{2^m}^*$, there exists a permutation $\psi_x$ of $\mathbb{F}_{2^m}^*$ such that
    $$\mathcal{W}_F(\alpha, xy)^2 = \mathcal{W}_F(\psi_x(\alpha), y)^2, \quad \forall y \in \mathbb{F}_{2^m}^*.$$

S is a monomial function $x^s$ (with $s^{-1}$ the inverse of $s$ modulo $2^m - 1$, which exists since S is a permutation):
$$\delta_F(\alpha, \lambda\beta) = \delta_F\!\left(\frac{\alpha}{\lambda^{s^{-1}}}, \beta\right) \quad\text{and}\quad \mathcal{W}_F(\alpha, \lambda\beta)^2 = \mathcal{W}_F\!\left(\frac{\alpha}{\lambda^{s^{-1}}}, \beta\right)^2, \quad \forall \beta \in \mathbb{F}_{2^m}.$$

S is an APN permutation of degree 2: S has multiplicative-invariant derivatives and $S^{-1}$ has a multiplicative-invariant Walsh transform.

SLIDE 26

Difference table of the inverse function

[Difference table $\delta_F(a,b)$ of the inverse function over $\mathbb{F}_{2^4}$, rows $a$ and columns $b$ indexed by $1, a, a^2, \ldots, a^{14}$, zero entries omitted: every row holds one entry 4 and six entries 2, the 4 of row 1 sitting in column 1 and the 4 of row $a$ in column $a^{14}$, so that each row is a multiplicative shift of the others, which is the multiplicative invariance of the derivatives.]
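Added example (not part of the talk): the Python below evaluates, for the 4-bit Sbox of slide 22, the FSE 2003 bound together with the new upper bound $\max_\mu B(\mu)$ of slide 18 and the lower bound $B(0)$ of slide 20 under the two field identifications named on slide 22, does the same for the PRESENT Sbox under the two LED bases of slide 23, and checks the monomial identity of slide 25, $\delta_F(\alpha, \lambda\beta) = \delta_F(\alpha/\lambda^{s^{-1}}, \beta)$, for power maps over $\mathbb{F}_{2^4}$, including the inverse function whose table slide 26 shows. Two assumptions are mine: the integer $x = \sum_i x_i 2^i$ stands for the field element $\sum_i x_i \alpha^i$ in the basis $(1, \alpha, \alpha^2, \alpha^3)$, and the PRESENT Sbox is the published one. All numerators are printed as multiples of $2^{-md} = 2^{-20}$, so $34 \times 2^{-14}$ reads 2176; the slides report $34$, $33$ and $34$ (in units of $2^{-14}$) for the three bounds on the slide-22 Sbox and $2^{-8}$, $3 \times 2^{-10}$ for LED, which the reader can compare against the output. Function names are mine; `pow(s, -1, n)` needs Python 3.8 or later.

```python
# Added example, not from the slides: new two-round bounds for 4-bit Sboxes
# under different identifications of F_{2^4} with F_2^4, plus the monomial
# multiplicative-invariance identity.  Assumption: the integer x = sum x_i 2^i
# represents the field element sum x_i alpha^i for the basis (1, alpha, ...).

S_SLIDE22 = [0, 1, 2, 13, 4, 7, 15, 6, 8, 14, 11, 10, 9, 3, 12, 5]   # slide 22
S_PRESENT = [12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2]   # PRESENT/LED Sbox
M, D = 4, 5                    # 4-bit Sbox, MDS layer with t = 4, so d = t + 1 = 5
POLY_A = 0b11111               # X^4 + X^3 + X^2 + X + 1   (slide 22, alpha)
POLY_B = 0b10011               # X^4 + X + 1               (slide 22, beta; LED alpha)
POLY_C = 0b11001               # X^4 + X^3 + 1             (LED beta, slide 23)


def gf_mul(x, y, poly, m):
    """Multiply in F_2[X]/(poly); bit i of an integer is the coefficient of X^i."""
    r = 0
    for _ in range(m):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> m & 1:
            x ^= poly
    return r


def gf_pow(x, e, poly, m):
    r = 1
    for _ in range(e):
        r = gf_mul(r, x, poly, m)
    return r


def ddt(sbox):
    """delta(a, b) = #{x : S(x + a) + S(x) = b}, with XOR as the field addition."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def fse_numerator(t, d):
    """FSE 2003: MEDP_2 <= 2^(-m d) * max over nonzero rows/columns of sum delta^d."""
    n = len(t)
    rows = max(sum(t[a][g] ** d for g in range(1, n)) for a in range(1, n))
    cols = max(sum(t[g][b] ** d for g in range(1, n)) for b in range(1, n))
    return max(rows, cols)


def big_b(t, mu, d, poly, m):
    """B(mu) of slide 18: max over u, alpha, beta, lambda of
    sum_{gamma != 0} delta(alpha, gamma)^u * delta(gamma*lambda + mu, beta)^(d - u)."""
    n = 1 << m
    mul = [[gf_mul(g, lam, poly, m) for lam in range(n)] for g in range(n)]
    best = 0
    for u in range(1, d):
        for alpha in range(1, n):
            row = [(g, t[alpha][g] ** u) for g in range(1, n) if t[alpha][g]]  # nonzero terms only
            for beta in range(1, n):
                col = [t[g][beta] ** (d - u) for g in range(n)]
                for lam in range(1, n):
                    best = max(best, sum(w * col[mul[g][lam] ^ mu] for g, w in row))
    return best


def bounds(sbox, polys, m=M, d=D):
    """Numerators N of the bounds N * 2^(-m d): FSE 2003, and per field max_mu B(mu) and B(0)."""
    t = ddt(sbox)
    out = {"fse": fse_numerator(t, d), "upper": {}, "lower": {}}
    for poly in polys:
        out["upper"][poly] = max(big_b(t, mu, d, poly, m) for mu in range(1 << m))
        out["lower"][poly] = big_b(t, 0, d, poly, m)
    return out


def monomial_invariance_holds(s, poly, m):
    """Slide 25 for S(x) = x^s: delta(alpha, lambda*beta) == delta(alpha / lambda^(1/s), beta)
    for all nonzero alpha, beta, lambda, where 1/s is the inverse of s modulo 2^m - 1."""
    n = 1 << m
    t = ddt([gf_pow(x, s, poly, m) for x in range(n)])
    s_inv = pow(s, -1, n - 1)                                # needs gcd(s, 2^m - 1) = 1
    for lam in range(1, n):
        c = gf_pow(lam, (n - 1 - s_inv) % (n - 1), poly, m)   # c = lambda^(-1/s)
        for alpha in range(1, n):
            for beta in range(1, n):
                if t[alpha][gf_mul(lam, beta, poly, m)] != t[gf_mul(alpha, c, poly, m)][beta]:
                    return False
    return True


if __name__ == "__main__":
    for name, sbox, polys in (("slide 22", S_SLIDE22, (POLY_A, POLY_B)),
                              ("LED/PRESENT", S_PRESENT, (POLY_B, POLY_C))):
        r = bounds(sbox, polys)
        print(name, "FSE 2003 numerator:", r["fse"], "(x 2^-20)")
        for poly in polys:
            print("  poly %s: max_mu B(mu) = %d, B(0) = %d  (x 2^-20)"
                  % (bin(poly), r["upper"][poly], r["lower"][poly]))
    print("x^14 (the inverse) over F_16 has multiplicative-invariant derivatives:",
          monomial_invariance_holds(14, POLY_B, M))
```

The enumeration in `big_b` runs over $u$, $\alpha$, $\beta$, $\lambda$ and, for the upper bound, $\mu$, so the script needs a few seconds for 4-bit Sboxes and the same brute force is out of reach for $m = 8$. By Hölder's inequality each sum in $B(\mu)$ is at most the larger of the row and column sums of the FSE 2003 bound, so the new upper bound can never exceed it; that relation is a cheap sanity check on any implementation of the formula.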

SLIDE 27

A universal lower bound for multiplicative invariance

If S or $S^{-1}$ has multiplicative-invariant derivatives,
$$B(\mu) = \max_{1 \le u < d}\ \max_{\alpha,\beta \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\alpha,\gamma)^u\, \delta_F(\gamma + \mu, \beta)^{d-u}$$

Theorem. For any $\mathbb{F}_{2^m}$-linear layer M with maximal branch number,

  • if both S and $S^{-1}$ have multiplicative-invariant derivatives, then $\mathrm{MEDP}_2 \ge 2^{-m(t+1)} B(0)$;
  • if S has multiplicative-invariant derivatives, then
    $$\mathrm{MEDP}_2 \ge 2^{-m(t+1)} \max_{\alpha,\beta \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\alpha,\gamma)^t\, \delta_F(\gamma, \beta);$$
  • if $S^{-1}$ has multiplicative-invariant derivatives, then
    $$\mathrm{MEDP}_2 \ge 2^{-m(t+1)} \max_{\alpha,\beta \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\alpha,\gamma)\, \delta_F(\gamma, \beta)^t.$$

SLIDE 28

$\mathrm{SPN}_F(8, 4, S, M)$ with $S(x) = A(x^{254})$ over $\mathbb{F}_{2^8}$

For any $\mathbb{F}_{2^8}$-linear M with branch number 5:

  • For the affine function A used in the AES:
    $$53 \times 2^{-34} \le \mathrm{MEDP}_2 \le 55.5 \times 2^{-34} \qquad 1.6384 \times 2^{-28} \le \mathrm{MELP}_2 \le 1.8616 \times 2^{-28}$$
    For M in the AES, the exact values correspond to the lower bounds. There exists some M with $\mathrm{MELP}_2 \ge 1.66 \times 2^{-28}$.
  • For the affine function A used in SHARK and Square:
    $$53 \times 2^{-34} \le \mathrm{MEDP}_2 \le 56 \times 2^{-34} \qquad 1.7169 \times 2^{-28} \le \mathrm{MELP}_2 \le 1.9847 \times 2^{-28}$$
  • We have found an affine function A such that
    $$\mathrm{MEDP}_2 = 56 \times 2^{-34} \quad\text{and}\quad 1.8354 \times 2^{-28} \le \mathrm{MELP}_2 \le 1.8684 \times 2^{-28}$$

SLIDE 29

Involutions with some multiplicative invariance

Let S be an involution of $\mathbb{F}_{2^m}$. If S has multiplicative-invariant derivatives, then for any $\mathbb{F}_{2^m}$-linear permutation M of $\mathbb{F}_{2^m}^t$ with maximal branch number,
$$\mathrm{MEDP}_2 = 2^{-m(t+1)} \max_{\alpha \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \delta_F(\alpha,\gamma)^{t+1}.$$

If S has a multiplicative-invariant Walsh transform, then for any $\mathbb{F}_{2^m}$-linear permutation M of $\mathbb{F}_{2^m}^t$ with maximal branch number,
$$\mathrm{MELP}_2 = 2^{-2m(t+1)} \max_{\alpha \in \mathbb{F}_{2^m}^*} \sum_{\gamma \in \mathbb{F}_{2^m}^*} \mathcal{W}_F(\alpha,\gamma)^{2(t+1)}.$$

For the naive Sbox: $\mathrm{MEDP}_2 = 79 \times 2^{-34}$ and $\mathrm{MELP}_2 = 2.873 \times 2^{-28}$ for any $\mathbb{F}_{2^m}$-linear M with branch number 5.

SLIDE 30

Conclusions

Some interactions between S and $S^{-1}$ influence $\mathrm{MEDP}_2$ and $\mathrm{MELP}_2$:

  • Involutions play a particular role
  • Involutional power permutations are the weakest Sboxes in their equivalence class, whatever MDS linear layer is chosen

Are involutional Sboxes weak in general?

  • Involutions which do not have any multiplicative-invariant property?
  • What happens for more rounds?