In this report, we suggest a new cryptanalytic framework of constructing distinguishers which can be eventually extended to full attacks in the related-key scenario. We name this new paradigm as ”Relational Cryptanalysis”. The main idea is to exhibit the non-randomness of a given encryption algorithm by observing the propagation of specific sets of plaintexts of the form (P,P′) such that these pairs satisfy some rotational and differential properties of the form R1(P) = P′ and P ⊕ P′ ∈ ∆P, for some rotational symmetry R1 and fixed set of differences ∆P . Except of rotational and differential properties, we can add any other relation which seems to hold for a reduced number of rounds of the cryptographic primitive we study. Intuitively, we expect that by adding more relations we increase the observed probability of the propagation and this result to stronger statistical distinguishers

Christofi, M.

Komninos, N.

Mourouzis, T.

City Research Online

Mourouzis, T., Komninos, N. & Christofi, M. (2014). Towards a combined Rotational-Differential Cryptanalytic Framework. Paper presented at the 2nd International Conference on Cryptography, Network Security and Applications in the Armed Forces, 1st - 2nd April 2014, Hellenic Military Academy, Athens, Greece. City Research OnlineOriginal citation: Mourouzis, T., Komninos, N. & Christofi, M. (2014). Towards a combined Rotational-Differential Cryptanalytic Framework. Paper presented at the 2nd International Conference on Cryptography, Network Security and Applications in the Armed Forces, 1st - 2nd April 2014, Hellenic Military Academy, Athens, Greece. Permanent City Research Online URL: http://openaccess.city.ac.uk/3244/ Copyright & reuseCity University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders.  All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of researchThe version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper.EnquiriesIf you have any enquiries about any aspect of City Research Online, or if you wish to make contact with the author(s) of this paper, please email the team at publications@city.ac.uk.Towards a Combined Rotational-Differential CryptanalyticFrameworkTheodosis MourouzisDepartment of CS, University College London, WC1E 6BTtmourouz@cs.ucl.ac.ukNikos KomninosDepartment of CS, City University London, EC1V 0HBnikos.komninos.1@city.ac.ukMichalis ChristofiDepartment of CS, King’s College, WC2R 2LSmichalis.christofi@kcl.ac.ukAbstractCryptanalysis is the science of studying given encryption algorithms or any other cryp-tographic related mechanism in order to identify potential flaws or vulnerabilities either inthe implementation and the environment or in the mathematics that underline the mathe-matical algorithms used. Such flaws can be used in order to dispute the level of securitythat the mechanism is claimed to offer and it is very important if we always enhance existingtechniques.One of the most important and powerful techniques in the area of symmetric cryptanalysisis the technique of Differential Cryptanalysis (DC). DC can be applied primarily to blockciphers but also to some extend to stream ciphers and cryptographic hash functions. Itsdiscovery was attributed to Eli Biham and Adi Shamir in the late 1980s [2, 3], but accordingto Don Coppersmith this technique was already known to IBM and NSA as early as 1974 [1].However, they decided to keep confidential the description of such powerful attack since itwould be possibly able of breaking many block ciphers or other cryptography standards usedin many applications.The main task in DC is to study the propagation of certain input differences throughdifferent number of rounds and identify some input-output pairs of differences which propagatewith comparatively good probability, compared to what expected in the case of a randompermutation. This non-random behavior of the cipher for reduced number of rounds cansometimes be extended to a key recovery attack. Several enhancements were proposed tonaive DC such as boomerang attack, impossible differentials and more importantly truncateddifferentials as proposed by Knudsen [6, 7]. In truncated differentials, an attacker studies thepropagation of sets of differences instead of single differences. The problem in attacks involvingtruncated differentials is the study of the exponentially large space of differentials. Some ad-hoc heuristics of the cipher can be used to speedup the process. For example, Courtois andMourouzis have suggested such heuristics in case of GOST block cipher which can be usedin order to construct reduced round distinguishers for up to 20 rounds [8, 9]. In addition, aframework for extending a distinguisher to a possibly efficiently good key recovery attack isdescribed in details in [10].In addition to DC, we have plenty of other cryptanalytic techniques such as Linear Crypt-analysis [4, 5], Algebraic Attacks [11] and more recently Rotational Cryptanalysis by Khovra-tovich [13]. In linear cryptanalysis, the attacker constructs linear equations involving plaintext,ciphertext and key bits for a certain number of rounds which can be used to extend to an at-tack against the full cipher. In algebraic attacks, an attacker tries to encode algebraicallyall cipher’s operations and then using limited data such as known plaintext-ciphertext pairstries to solve the underlying system of equations and derive some key bits. After deriving thealgebraic encoding of the given cryptographic primitive, then ready open-source software canbe used to derive the key in an automated way such as SAT solver.In the other framework, that of rotational cryptanalysis, the attacker observes the propa-gation of pairs of inputs or intermediate states, which have some rotational symmetry towardsdifferent number of rounds. What we end up is a distinguisher in the related-key setting, sincehere the assumption of stochastic equivalence is not guaranteed as in case of DC. Such attacksare applicable to the ARX ciphers which are ciphers widely used in lightweight cryptogra-phy since they have very cheap implementation cost and they involve only three operations;modular additions, rotations and XOR gates [13].All these attacks have been studied for many years and many advancements have beenmade. Many cryptographers combined such techniques in a cryptanalytic framework for con-structing more efficient techniques. For example, we have algebraic-linear attacks, where linearequations hold with sufficiently high probability and added to the algebraic description of thecipher, increasing in this way the probability of being able to solve the underlying system.Albrecht in his PhD thesis suggested a cryptanalytic framework of combining algebraic at-tacks with differential attacks [12] and recently Mourouzis in his PhD thesis suggested anenhancements of algebraic attacks using truncated differentials [10].In this report, we suggest a new cryptanalytic framework of constructing distinguisherswhich can be eventually extended to full attacks in the related-key scenario. We name thisnew paradigm as ”Relational Cryptanalysis”. The main idea is to exhibit the non-randomnessof a given encryption algorithm by observing the propagation of specific sets of plaintexts ofthe form (P, P ′) such that these pairs satisfy some rotational and differential properties ofthe form R1(P ) = P′ and P ⊕ P ′ ∈ ∆P , for some rotational symmetry R1 and fixed set ofdifferences ∆P . Except of rotational and differential properties, we can add any other relationwhich seems to hold for a reduced number of rounds of the cryptographic primitive we study.Intuitively, we expect that by adding more relations we increase the observed probability ofthe propagation and this result to stronger statistical distinguishers.The main idea behind our statistical distinguishers is to define two sets of relations A ={RI1, RI2, ..., RIn} and B = {RO1, RO2, ..., ROm}, for some relations RIi, ROj and someintegers n,m and then count the number of expected plaintext pairs (Pi, Pj) which are relatedby relations from the set A and lead to ciphertext pairs (Ci, Cj) which are related by relationsfrom set B after some rounds r. For example, one relation RIi may denote a specific differenceor a set of differences as in truncated differentials, or a rotational symmetry of the pair ofplaintexts by a fixed number of shifts or any other relation we can find based on the structureof the encryption algorithm.We count this number by simulations over random plaintexts and keys and by repeatingthis procedure and considering the average number of these pairs we expect that these eventsare described by some Gaussian distribution with the mean and standard deviation computedafter running many simulations until the limit of the probability is obtained. This is essentiallya simple application of the Central Limit Theorem. Thus, it is a non-trivial optimization stepsto find the best possible input-output relations which result in comparatively good probabilitiesof the propagation we study. For each encryption standard we need to derive some ad-hocheuristics derived from the specific structure in order to have a speed-up in this procedure.We formalize this new framework inspired from the work of Courtois and Mourouzis forconstructing statistical distinguishers based on truncated differentials for GOST block cipherand some of its variants [8, 9]. As a proof of concept, we apply this combined frameworkusing simple toy example ciphers and show that this combination leads to stronger statisticaldistinguishers. In addition, we discuss how this technique can be used in cryptanalysis ofhash functions since the attack has full control over the key and thus working in a related-keyscenario makes more sense.References[1] Don Coppersmith, The Data Encryption Standard (DES) and its strength against attacks ,IBM Journal of Research and Development 38 (3): 243. doi:10.1147/rd.383.0243, 1994.[2] Eli Biham and Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard,Springer-Verlag, ISBN: 0-387-97930-1, 3-540-97930-1, 1993.[3] Eli Biham and Adi Shamir, Differential cryptanalysis of the full 16-round DES , In Advancesin Cryptology, CRYPTO 92, E. F. Brickel, Ed.,vol. 740 of Lecture Notes in Computer Science,pp. 487 496, 1992.[4] Mitsuru Matsui, The first experimental cryptanalysis of the data encryption standard, Advancesin Cryptology, CRYPTO, 1994.[5] Mitsuru Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology, EURO-CRYPT, 1993.[6] Lars Knudsen, Truncated and higher order differentials , In Fast Software Encryption, pp.196-211, Springer Berlin Heidelberg, 2011.[7] Lars Knudsen and Matthew Robshaw, The Block Cipher Companion , Springer Berlin Heidel-berg, 1995.[8] Nicolas T. Courtois and Theodosis Mourouzis, Enhanced Truncated Differential Cryptanalysisof GOST, In SECRYPT, 2013.[9] Nicolas T. Courtois and Theodosis Mourouzis, Propagation of Truncated Differentials in GOST, In SECURWARE, 2013.[10] Theodosis Mourouzis, Optimizations in Algebraic and Differential Cryptanalysis , PhD Thesis,University College London , 2014.[11] Gregory Bard, Algorithms for Solving linear and polynomial systems of equations over finitefields to cryptanalysis, PhD Thesis, 2007.[12] Martin R. Albrecht, Algorithmic Algebraic Techniques and their Application to Block CipherCryptanalysis, PhD Thesis Dissertation, Royal Holloway, University of London, 2010.[13] Dmitry Khovratovich and Ivica Nikolic, Rotational Cryptanalysis of ARX, University of Lux-embourg, 2010.

Towards a combined Rotational-Differential Cryptanalytic Framework

Abstract

Similar works

Full text

Available Versions

City Research Online