General Iterated Attack

In case of basic differential cryptanalysis, a simple2-limited non-adaptive plaintext attack was repeated several times. This approach can be generalized to any non-adaptive plaintext attack: An iterated attack iteratesn times an elementary d-limited plaintext-attack distinguisher D between a cipher C and a perfect cipher onM. It is defined by

1. the underlyingd-limited attack D;

2. the number of iterationsn (complexity) of the underlying attack (the number of iterations n of the attack is assumed to be large, the order of the underlying attackd small);

3. a plaintext distributionD on M^d, which describes the distribution on queries of the underlyingd-limited distinguisher (ifD is the uniform distribution, we will refer to known-plaintext iterated attack);

4. a test functionT : M^d×M^d→ {0, 1} that corresponds to the acceptance set of the underlying d-limited distinguisherD — it returns 1 for all pairs (X, Y ) for which D accepts; and

5. an acceptance setA ⊆ {0, 1}ⁿ, that contains all combinations of the test function outputs for which the iterated distinguisher accepts;

and works as follows:

DISTINGUISHER4.2 (IA):nd-limited iterated-attack distinguisher 1. Fork = 1 to n do

1.1 Choose a random vector of plaintext messagesXk= (xk1, . . . , xkd) with distribution D.

1.2 GetYk= (Ci(xk1), . . . , Ci(xkd)), where i ∈ {1, 2}, C1= C, and C2= C^∗. 1.3 Get the answer of the underlyingd-limited distinguisher: Tk= T (Xk, Yk).

2. If(T1, . . . Tn) ∈ A, output “accept”, otherwise output “reject”.

At the first glance, it is tempting to believe that a cipher resists this type of attack once it has a small d-wise decorrelation bias. The following example shows that this is not true.

Example 4.2.1 ([21]) LetC be a cipher with a perfect d-wise decorrelation. Assume that each instance (induced by a key) is totally defined by anyd distinct plaintext-ciphertext pairs. [For example, the cipher defined in Example 2.3.5 —C(x) = ax + b — has perfect 2-wise decorrelation, and each key (a, b) can be reconstructed from any two distinct plaintext-ciphertext pairs.] Thus, there are|M|^ddifferent instances, and they can be indexed by numbers from 1 to|M|^d: c1, . . . , c_|M|^d. For eachd-tuple of plaintexts X = (x1, . . . , xd) and ciphertexts Y = (y1, . . . , yd) we can define an index function I : M^d → {1, . . . , |M|^d}, so thatI(X, Y ) is the unique index k such that ck(xi) = yifor alli = 1, . . . , d. Let now D be an 2d-limited iterated-attack-distinguisher with the following properties:

1. D is uniform distribution;

2. T (X, Y ) =

 1 if I(X, Y ) ≡ 0 (mod µ) 0 otherwise

with a given modulusµ = ⁿ_a for a constanta < n;

3. A = {0, 1}ⁿ\ {(0, . . . , 0)}.

If the oracle implementsC then for each pair (X, Y ), there is exactly one value k such that I(X, Y ) = k, and

T (X, Y ) =

 1 if k ≡ 0 (mod µ) 0 otherwise

Therefore,

p = Pr[k ≡ 0 mod µ] = 1 µ

If the oracle implementsC^∗then the output is random, and thus any of k is equally possible. Therefore, Pr[Ti= 1] = 1

µ Pr[Ti= 0] = 1 − 1

µ

and

p^∗= Pr[∃i : Ti= 1] = 1 − Pr[∀i : Ti= 0]

= 1 −

n

Y

i=1

Pr[Ti= 0] = 1 −

 1 − 1

µ

n

Hence, ifn ≥ 2

AdvC^IA(nd)(C) = 1 −

 1 − 1

µ

n

− 1 µ ≥ 1 −

 1 − 1

µ

2

−1 µ

= 1 µ

 1 − 1

µ



which can be quite large althoughC is perfectly pairwise decorrelated. The idea behind this attack is that the testT provides the same expected result for C and C^∗, but a different standard deviation.

The previous example shows that decorrelation of orderd is not sufficient to prove the security of a cipher against iterated attacks of orderd. The following theorem proves that the decorrelation of order 2d is sufficient.

Theorem 4.2.2 LetC be a cipher on M such that AdvC^CPA(2d)(C) ≤ ε for some integer d <p|M|. Let n be an integer. Let D be a plaintext distribution, and δ the probability that for two independent random plaintext vectorsX = (x1, . . . , xd) and X⁰ = (x⁰₁, . . . , x⁰_d) with distribution D there is i and j such that xi= x⁰_j. Then for iterated attacks of orderd and complexity n with plaintext distribution D

AdvC^IA(nd)(C) ≤ 3



2δ + 2d²

|M|+ 3ε

 n²

¹3

+ nε.

Proof: [The proof is based on the technique introduced in [24].]

The proof is presented in several steps.

LetC1:= C, and C2:= C^∗.

1. LetZibe the probability (over the distribution ofX) such that the test T accepts (X, Cⁱ(X)), i.e.

Zi=X

X

Pr[X]T (X, Cⁱ(X)) = EX(T (X, Cⁱ(X))).

Note thatZidepends onCi.

2. Let ˜X denote a vector (X1, . . . , Xn), and ˜Y denote (Y1, . . . , Yn), where all Xk’s andYk’s are vectors fromM^d. The probability that the attack accepts when the oracle implementsCiis:

pi=X

X˜

Pr[ ˜X]X

Y˜

Pr[Ci( ˜X) = ˜Y ] X

T1,...,Tn

1(T1,...,Tn)∈APr[∀k : T (X^k, Yk) = Tk]

=X

X˜

Pr[ ˜X]X

Y˜

Pr[Ci( ˜X) = ˜Y ] X

T1,...,Tn

1(T1,...,Tn)∈A n

Y

k=1

Z_i^Tk(1 − Zi)^1−Tk

=X

X˜

Pr[ ˜X]X

Y˜

Pr[Ci( ˜X) = ˜Y ] X

T1,...,Tn

1(T1,...,Tn)∈AZ_i^T1+...+Tn(1 − Zⁱ)^{n−T1−...−Tn}

= ECi(f (Zi)) where

f (z) = X

T1,...,Tn

1(T1,...,Tn)∈Az^T1+...+Tn(1 − z)^{n−T1−...−Tn}=

n

X

k=0

akz^k(1 − z)^n−k

for some constantsak such thatak≤ ⁿk
.¹Sincef (z) is a polynomial of degree at most n, f⁰(z) =

n

X

k=0

kakz^k−1(1 − z)^n−k− akz^k(n − k)(1 − z)^n−k−1

=

n

X

k=1

kakz^k−1(1 − z)^n−k−

n−1

X

k=0

akz^k(n − k)(1 − z)^n−k−1.

1a(k) = ⁿ_k
if and only if A contains all vectors with exactly k ones.

For the first sum,

n

X

k=1

kakz^k−1(1 − z)^n−k≤

n

X

k=1

kn k



z^k−1(1 − z)^n−k= n

n

X

k=1

n − 1 k − 1



z^k−1(1 − z)^n−k

= n

n−1

X

k=0

n − 1 k



z^k(1 − z)^n−1−k = n(z + 1 − z)ⁿ⁻¹= n

and for the second sum

n−1

X

k=0

akz^k(n − k)(1 − z)^n−k−1 ≤

n−1

X

k=0

n k



z^k(n − k)(1 − z)^n−k−1

= n

n−1

X

k=0

n − 1 k



z^k(1 − z)^n−1−k= n(z + 1 − z)ⁿ⁻¹= n

holds. Consequently,

|f⁰(z)| ≤ max ( _n

X

k=1

kakz^k−1(1 − z)^n−k,

n−1

X

k=0

akz^k(n − k)(1 − z)^n−k−1 )

≤ n

Therefore,

|f(Z¹) − f(Z²)| ≤ n|Z¹− Z²|.

3. The probability that one round is accepted, i.e. thatT (X^k, Yk) = 1, is p^round_i ^k=X

X

Pr[X]X

Y

Pr[Ci(X) = Y ] · Pr[T (X, Y ) = 1]

=X

X

Pr[X]X

Y

Pr[Ci(X) = Y ] · Zi= ECi(Zi)

Since one round of the iterated attack is actually a chosen-plaintext attack,

|E^C1(Z1) − E^C2(Z2)| =  p

round_k

1 − p^round2 ^k

 

 ≤ AdvC

CPA(d)

(C) ≤ AdvC^CPA(2d)(C) ≤ ε 4. Since

Z_i²=

"

X

X

Pr[X]T (X, Ci(X))

#2

= X

X1,X2

Pr[X1]Pr[X2]T (X1, Ci(X1))T (X2, Ci(X2))

and sinceXk’s are chosen independently from each other, Z_i²= X

X⁰=(x1,...,x2d)

Pr[X⁰]T⁰(X⁰, Ci(X⁰))]

corresponds to another testT⁰with2d entries such that

T⁰((X1, X2), (Ci(X1), Ci(X2)) = T (X¹, Ci(X1)) · T (X², Ci(X2)), i.e.T⁰((X1, X2), (Ci(X1), Ci(X2)) accepts if and only if both T (X1, Ci(X1)) and T (X2, Ci(X2)) accept. Therefore from 3:

EC1(Z₁²) − EC2(Z₂²)

≤ AdvC^CPA(2d)(C) ≤ ε and

|VC1(Z1) − VC2(Z2)| =

EC1(Z₁²) − E²(Z1) − EC2(Z₂²) + E²(Z2) 

≤

EC1(Z₁²) − E^C2(Z₂²) 

+ |(EC1(Z1) − EC2(Z2)) · (EC1(Z1) + EC2(Z2))|

≤ ε + ε · 2 = 3ε Hence,VC1(Z1) ≤ VC2(Z2) + 3ε.

5. From the Chebyshev inequality, one finds:

Pr[|Zⁱ− E^Ci(Zi)| > λ] ≤ VCi(Zi) λ² Hence using 3,

Pr[|Z¹− Z²| > 2λ + ε] ≤ Pr[|Z¹− E^C1(Z1)| + |E^C1(Z1) − E^C2(Z2)|

+ |E^C2(Z2) − Z²| > 2λ + ε]

≤ Pr[|Z1− EC1(Z1)| > λ] + Pr[|Z2− EC2(Z2)| > λ]

+ Pr[|E^C1(Z1) − E^C2(Z2)| > ε]

≤ VC1(Z1)

λ² +VC2(Z2)

λ² ≤ 2VC2(Z2) + 3ε λ² 6. Using 2 and 5:

AdvC^IA(nd)(C) = |p1− p2|

=      

X

X˜

Pr[ ˜X]X

Y˜

Pr[C1( ˜X) = ˜Y ] · f(Z1) − Pr[C2( ˜X) = ˜Y ] · f(Z2)      

=      

X

X˜

Pr[ ˜X]X

Y˜

X

Y˜⁰

Pr[C1( ˜X) = ˜Y ] · Pr[C2( ˜X) = ˜Y⁰]f (Z1)

− Pr[C1( ˜X) = ˜Y ] · Pr[C2( ˜X) = ˜Y⁰]f (Z2)     

≤X

X˜

Pr[ ˜X]X

Y˜

X

Y˜⁰

Pr[C1( ˜X) = ˜Y ]Pr[C2( ˜X) = ˜Y⁰] |f(Z¹) − f(Z²)|

= E(|f(Z1) − f(Z2)|) ≤ E(n|Z1− Z2|)

≤ n (ε + 2λ) +2VC2(Z2) + 3ε λ² 7. Since

EC2(Z₂²) = X

X,X⁰

X

Y,Y⁰

Pr[X]Pr[X⁰]Pr[X ^C→ Y, X^{2 0 C}→ Y^{2 0}]T (X, Y )T (X⁰, Y⁰)

E_C²₂(Z2) = X

X,X⁰

X

Y,Y⁰

Pr[X]Pr[X⁰]Pr[X ^C→ Y ]Pr[X^{2 0 C}→ Y^{2 0}]T (X, Y )T (X⁰, Y⁰)

we have

VC2(Z2) = EC2(Z₂²) − EC²2(Z2)

= X

X,X⁰ Y,Y⁰

Pr[X]Pr[X⁰]T (X, Y )T (X⁰, Y⁰) Prh

X^C2→Y X^{0 C2}→Y⁰

i− Pr[X→ Y ]Pr[X^{C2 0 C}→ Y^{2 0}]

This sum is maximal whenT (X, Y ) and T (X⁰, Y⁰) are 1 for all terms with the same sign.

Since X

X,X⁰ Y,Y⁰

Pr[X]Pr[X⁰]

Pr[X→ Y, X^{C2 0 C}→ Y^{2 0}] − Pr[X^C→ Y ]Pr[X^{2 0 C}→ Y^{2 0}]

= 0

we get

max VC2(Z2) = 1 2

X

X,X⁰ Y,Y⁰

Pr[X]Pr[X⁰]  Prh

X^C2→Y X^{0 C2}→Y⁰

i− Pr[X^C→ Y ]Pr[X^{2 0 C}→ Y^{2 0}]  

a) Sum of all terms forX and X⁰with colliding entries (recall that there are collision only betweenX and X⁰, but no collisions insideX, and inside X⁰, because we may assume that the underlying distinguisher always chooses different queries):

1

b) Sum of all terms forX and X⁰without colliding entries, andY and Y⁰with colliding entries. SinceC2is a permutation, if a collision insideY occurs, then Pr[C(X) = Y ] = 0.

Similarly, if there is a collision inY⁰then Pr[C(X) = Y ] = 0, and if there is a collision in Y ∪ Y⁰then Pr[C(X) = Y, C(X⁰) = Y⁰] = 0. Furthermore, there are

d²|M|(|M| − 1)^d−12

possibilities to choose collisions betweenY and Y⁰. Thus, 1

c) Sum of all terms forX and X⁰without colliding entries, andY and Y⁰without colliding entries. There are|M|^2dpossibilities to choose non-collidingY and Y⁰. Thus,

1

Summing all three values gives

VC2(Z2) ≤ δ + d²

|M|.

8. Letλ =_2V

C2(Z2)+3ε n

¹₃ . Then

AdvC^IA(nd)(C)≤ n (ε + 2λ) +^6. 2VC2(Z2) + 3ε λ²

= nε + 2n 2V_C2(Z2) + 3ε n

¹₃

+ (2VC2(Z2) + 3ε)

 n

2VC2(Z2) + 3ε

²₃

= nε + 3n 2V_C2(Z2) + 3ε n

¹₃

≤ nε + 37.

 n²



2δ + 2d²

|M| + 3ε

¹3

Corollary 4.2.3 ([24]) LetC be a cipher on M such that AdvC^CPA(2d)(C) ≤ ε for some d <p|M|. Let n be an integer. Then for an iterated attacks of order d and complexity n with uniform plaintext distribution

AdvC^IA(nd)(C) ≤ 3 4d²

|M| + 3ε

 n²

¹3

+ nε holds.

Proof: Since the plaintext distribution is uniform, the probability that for two independent random X = (x1, . . . , xd) and X⁰= (x⁰₁, . . . , x⁰_d) there is i and j such that xi= x⁰_j is:

δ = P r[∃i, j : xⁱ= x⁰_j] ≤X

i,j

P r[xi = x⁰_j] =X

i,j

X

x

P r[xi= x ∧ x⁰j = x]

= d²|M|(|M| − 1)^d−12

h|M|^di2 = d²

|M|

The inequality follows now directly from Theorem 4.2.2.

The result of the corollary says that with a small advantageε against the 2d-limited chosen-plaintext-attack distinguishers, one needs

n = Ω minn

1/√

ε,p|M|o

in order to get a significant advantage, unless the distributionD has some special property. Further, note that the previous results are not tight because of the use of the Chebyshev inequality.

Note On The Basic Differential Cryptanalysis

From the definition of the basic differential cryptanalysis, it is easy to see, that it is an iterated attack of order 2 with the following parameters:

1. DistributionD is distribution of (x, x + a) with uniformly distributed X;

2. T ((x, x⁰), (y, y⁰)) = 1 if and only if y + b = y⁰. 3. A = {0, 1}ⁿ\ {(0, . . . , 0)}.

Corollary 4.2.4 LetC be a cipher on M such that AdvC^CPA4(C) = ¹₂DecC_|||·|||⁴

∞(C) ≤ ε, and n be an integer. Then,

AdvC^DCA(2n)(C) ≤ 3

 n²

 12

|M|+ 3ε

¹₃ + nε,

Proof: The probability thatX = (x, x + a) and X⁰= (x⁰, x⁰+ a) have a colliding entry is δ = Pr[x = x⁰∨ x + a = x⁰+ a ∨ x + a = x⁰∨ x = x⁰+ a]

≤ Pr[x = x⁰] + Pr[x + a = x⁰] + Pr[x = x⁰+ a] = 3

|M|. Now, we can use Theorem 4.2.2 to get the result.

Since Corollary 4.2.3 requires decorrelation of order 4, this result is weaker than the result of Theorem 4.1.1.

In document Provable secure scalable block ciphers (Page 53-59)