Extending Higher-order Integral: An Efficient Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers

Wentao Zhang (1), Bozhan Su (2), Wenling Wu (1), Dengguo Feng (2), Chuankun Wu (1)
(1) State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
(2) Institute of Software, Chinese Academy of Sciences

Outline
1. Introduction – Integral Cryptanalysis
2. Basic Ideas
3. A Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
4. Experimental Results
5. Summary and Discussion

1. Introduction – Integral Cryptanalysis

Integral cryptanalysis was originally proposed by L.R. Knudsen and D. Wagner as a dedicated attack against the Square block cipher, so it was first known as the Square attack. Afterwards, the original idea was extended and given different names, including saturation attack, collision attack, multiset attack and integral cryptanalysis.

Integral cryptanalysis is of particular significance for its applicability to AES:
- 6-round AES is resistant to differential and linear attacks.
- 6-round AES can be broken using integral cryptanalysis, with only 6·2^32 chosen plaintexts and 2^44 time.

Basic principles of integral cryptanalysis
Integral cryptanalysis is a chosen-plaintext attack; it considers the propagation of sums of many values after a certain number of encryption rounds.
Assume a block cipher has n data subblocks. When mounting an integral attack:
- First, the attacker typically chooses one or several specific subblocks, which take on all possible values, and keeps constant values in the other subblocks.
- Then, the attacker tries to predict the properties of some subblock(s) after a certain number of encryption rounds.
Customarily, the following 4 properties are considered:
(i) Constant: every datum in this subblock has the same constant value.
(ii) Active: the data can be divided into some disjoint subsets. For each subset, the data in this subblock are all different and have constant values in the other subblocks.
(iii) Balanced: the sum (usually the XOR sum) of all values in this subblock is zero.
(iv) Unknown: no information can be derived.

First-order integral and higher-order integral (L.R. Knudsen and D. Wagner, FSE'2002)
- First-order integral: consider a set of 2^m elements which differ only in one particular subblock, such that each of the 2^m possible values occurs exactly once; the sum over the elements of this set is called a first-order integral.
- Higher-order integral: consider next a set of 2^{d×m} elements which differ in d subblocks, such that each of the 2^{d×m} possible values for the d-tuple of values from these subblocks occurs exactly once; the sum of this set is called a d-th-order integral. A d-th-order integral is called a higher-order integral when d > 1.

Factors that affect the security of a block cipher against integral cryptanalysis
Main factors:
- the length of integral distinguishers
- specific input/output forms
- the strength of one-round encryption/decryption
- the key schedule
Among them, the design of integral distinguishers is the most important.

In spite of a long period of study of integral cryptanalysis on block ciphers, integral distinguishers have often been designed based on ad hoc approaches and the experience of cryptanalysts. There is no common method of designing integral distinguishers so far.

Our contribution:
- We give an extension of the concept of higher-order integral. This new extension takes linear relations among different subblocks into account.
- Based on the new extension, we present a unified algorithm for the design of higher-order integral distinguishers.
- Applying this algorithm, our experimental results show that better integral distinguishers can be derived for some block ciphers.

2. Basic Ideas
1) Expression of the state of data in a subblock
2) Matrix characterization of a block cipher (structure)
3) Inside-out approach
4) An extension of higher-order integral

(1) Expression of the state of data in a subblock
Traditionally, 4 kinds: Active, Constant, Balanced, Unknown.
Ours:
- Any constant state is denoted by a single letter "C";
- A balanced state is denoted as a sum of some active states;
- Hence, the state in a subblock can be expressed either as "C", or as a sum of some active states and some unknown states.

(2) Matrix characterization of a block cipher (structure)
Inspired by the work of J. Kim et al. [13, 14], but simpler.
Assume a block cipher has n data subblocks; it can be characterized by n × n characteristic matrices. Each entry of the characteristic matrices takes only one of the three values 0, 1 or 2.

One-round Feistel: $Y_0 = F_k(X_0) \oplus X_1,\quad Y_1 = X_0$
Characteristic matrix:
$$\begin{pmatrix} Y_0 \\ Y_1 \end{pmatrix} = \begin{pmatrix} 2 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} X_0 \\ X_1 \end{pmatrix}$$

(3) Inside-out approach
Traditionally, integral distinguishers are designed from top to bottom: an attacker only tries to predict the behavior of a set of carefully chosen plaintexts after a certain number of encryption rounds.
By contrast, we adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen intermediate data, not only after a certain number of encryption rounds, but also after a certain number of decryption rounds.
As a result, we make an extension of the concept of higher-order integral.

(4) An extension of higher-order integral
In the original definition, a d-th-order integral is related to a set of 2^{d×m} elements which differ only in d subblocks. However, there can be some linear relations among different subblocks.
Taking these linear relations into account, we give an extension of higher-order integral: a d-th-order integral is also related to 2^{d×m} elements, but they can differ in d* subblocks, where d* ≥ d.
This new extension can lead to more effective integral distinguishers for some block ciphers (structures).

3. A Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers

Expression of the data state in a subblock: "C", or a sum of some active states and some unknown states.
State in a block: n data subblocks (α_0, α_1, ..., α_{n−1}), where α_i denotes the state in the i-th subblock, 0 ≤ i ≤ n−1.
Expression of block ciphers (structures): characteristic matrices; each entry has one of the 3 values 0, 1 or 2.

Rules for applying encryption/decryption characteristic matrices to a state in a block:
- rules for applying 0, 1, 2 to a state in a subblock;
- rules for applying characteristic matrices to a state in a block, like matrix multiplication.

A case of symbolic computation and constraint solving
For a given set of intermediate data, we can calculate the state in the block after one-round encryption/decryption. Theoretically, such a process can be iterated for an arbitrary number of rounds, either along the encryption direction or along the decryption direction. However, we must impose some restrictions to terminate the process in order to derive useful integral distinguishers.

Finishing conditions for the calculus
- Along the encryption direction: after some encryption rounds, considering each subblock and each possible linear combination of the subblocks, if every state includes some unknown information, then nothing can be derived from the corresponding data. The attacker should terminate the process.
- Along the decryption direction: after some decryption rounds, if the amount of the corresponding data equals (or exceeds) the maximum, i.e., 2^l, where l is the block length, the attacker should terminate the process.

A unified algorithm
Based on the above, we propose a unified algorithm of constructing integral distinguishers for block ciphers. See Algorithm 1 for details.

4. Experimental Results
Gen-SMS4, Gen-Fourcell, Present

Gen-SMS4
SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China; it uses a kind of generalized Feistel structure.
Using Alg. 1, we derive 256 10-round integral distinguishers.
Previous result: 8-round integral distinguisher (Liu, F., et al., ACISP'2007).

Gen-Fourcell
Fourcell is a 128-bit block cipher proposed at ACISP'2009; it also uses a kind of generalized Feistel structure.
Using Alg. 1, we derive 56 18-round integral distinguishers.
Previous result: 18-round integral distinguisher (Li, R. et al., ACISP'2007).

Present
Present is a 64-bit block cipher proposed at CHES'2007; it uses an SP network and is bit-oriented.
Using Alg. 1, we derive many 5-round integral distinguishers.
Previous result: 3-round integral distinguisher (M. Zaba et al., FSE'2008).

5. Conclusions and outlook

Summary
- We give an extension of the concept of higher-order integral, which can lead to better higher-order integral distinguishers for some block ciphers (structures).
- We present a unified algorithm of searching for the best possible higher-order integral distinguishers for block ciphers:
  - inside-out method
  - matrix method
  - extended higher-order concept
  - carefully obtained finishing conditions in both the encryption and decryption directions
- We expect that the algorithm can be used as a support tool for efficiently evaluating the security of block ciphers against integral cryptanalysis.

Discussion
- General and specific: Algorithm 1 is applicable to many block ciphers. For a specific cipher, one can possibly derive better results by taking its specific features into account.
- Find a block cipher for which the application of Algorithm 1 leads to a better distinguisher among all types of distinguishers.

Thank You! Questions?
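A worked example of the symbolic calculus of Sections 2 and 3, added here; it is not part of the slides and not the authors' Algorithm 1. It represents a subblock state as "C" or as a sum of active and unknown terms, computes one encryption round from a 0/1/2 characteristic matrix row by row (like matrix multiplication), and applies the encryption-direction finishing condition by checking every GF(2) linear combination of the subblocks for unknown terms. The one-round Feistel matrix [[2,1],[1,0]] is the one from the slides. Everything else is my assumption rather than the paper's rules: independent active labels A_i versus derived labels D_i (the output of a bijective F on a single active term), XORing all entry-2 subblocks of a row before applying F once, treating F of a balanced sum or of anything unknown as unknown, and the cancellation of identical active terms, which is where linear relations among subblocks enter. The decryption-direction condition (data count reaching 2^l) is not implemented.

```python
"""Symbolic integral-state propagation through characteristic matrices.

Added example with these assumed conventions (not the paper's Algorithm 1):
  * A subblock state is a frozenset of terms. The empty set is the constant
    state "C". Terms are independent active labels ("A0", "A1", ...), derived
    active labels ("D1", "D2", ...) produced by applying a bijective round
    function F to a single active term, and "U" for unknown. A set of two or
    more active terms without "U" is a balanced state (a sum of active states).
  * Matrix entry 0: no dependence; 1: XOR the subblock in unchanged;
    2: the subblock feeds F. All entry-2 subblocks of a row are XORed first and
    F is applied once, which matches a Feistel round Y0 = F(X0) ^ X1.
  * F(C) = C; F(single active term) = fresh derived active term; anything else
    (a balanced sum, or anything containing "U") becomes unknown.
"""
from itertools import combinations

CONST = frozenset()              # "C": the empty sum of active terms
UNKNOWN = frozenset({"U"})


def active(label):
    """State of a subblock that takes every value exactly once."""
    return frozenset({label})


def xor(s, t):
    """XOR of two subblock states. Identical active terms cancel, which is
    exactly how a linear relation between subblocks is exploited."""
    if "U" in s or "U" in t:
        return UNKNOWN
    return s ^ t


class Propagator:
    def __init__(self):
        self.fresh = 0           # counter for derived active labels D1, D2, ...

    def f(self, s):
        """Symbolic effect of the round function F on one subblock state."""
        if s == CONST:
            return CONST
        if len(s) == 1 and "U" not in s:
            self.fresh += 1
            return active(f"D{self.fresh}")
        return UNKNOWN

    def encrypt_round(self, matrix, state):
        """One encryption round: row i of the matrix yields output subblock i."""
        out = []
        for row in matrix:
            f_in, linear = CONST, CONST
            for entry, sub in zip(row, state):
                if entry == 2:
                    f_in = xor(f_in, sub)
                elif entry == 1:
                    linear = xor(linear, sub)
            out.append(xor(self.f(f_in), linear))
        return tuple(out)


def predictable_combinations(state):
    """All GF(2) linear combinations of subblocks whose state has no unknown
    term, tagged 'C' (constant) or 'B' (balanced: XOR sum over the set is 0)."""
    found = []
    for r in range(1, len(state) + 1):
        for idx in combinations(range(len(state)), r):
            s = CONST
            for i in idx:
                s = xor(s, state[i])
            if "U" not in s:
                found.append((idx, "C" if s == CONST else "B"))
    return found


def search(matrix, start, max_rounds=32):
    """Iterate encryption rounds from an intermediate state until the
    encryption-direction finishing condition holds (nothing predictable).
    Returns (rounds, combinations) for the last round that still predicts."""
    prop = Propagator()
    state = tuple(start)
    best = (0, predictable_combinations(state))
    for rounds in range(1, max_rounds + 1):
        state = prop.encrypt_round(matrix, state)
        good = predictable_combinations(state)
        if not good:
            break
        best = (rounds, good)
    return best


# One-round Feistel characteristic matrix from the slides: Y0 = F(X0) ^ X1, Y1 = X0
FEISTEL = [[2, 1],
           [1, 0]]

if __name__ == "__main__":
    # Constructed starting states: one active subblock, and two subblocks
    # carrying the same active variable (d = 1, d* = 2 in the extended sense).
    for start in [(CONST, active("A0")), (active("A0"), active("A0"))]:
        rounds, good = search(FEISTEL, start)
        print(f"start={[sorted(s) for s in start]} -> {rounds} rounds, predictable: {good}")
```

Run as a script, the start (C, A0) keeps the right subblock balanced for 4 rounds before every combination turns unknown, while the start (A0, A0), which differs in two subblocks but carries one active variable, yields only 2 rounds; after its first round the combination Y0 ⊕ Y1 is balanced only because the shared A0 term cancels, which is the kind of linear relation the extended higher-order integral is meant to capture.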