Output Prediction Attacks on Block Ciphers Using Deep Learning

Abstract

In this paper, we propose deep learning-based output prediction attacks in a blackbox setting. As preliminary experiments, we first focus on two toy SPN block ciphers (small PRESENT-[4] and small AES-[4]) and one toy Feistel block cipher (small TWINE-[4]). Due to its small internal structures with a block size of 16 bits, we can construct deep learning models by employing the maximum number of plaintext/ciphertext pairs, and we can precisely calculate the rounds in which full diffusion occurs. Next, based on the preliminary experiments, we explore whether the evaluation results obtained by our attacks against three toy block ciphers can be applied to block ciphers with large block sizes, e.g., 32 and 64 bits. As a result, we demonstrate the following results, specifically for the SPN block ciphers: (1) our attacks work against a similar number of rounds that the linear/differential attacks can be successful, (2) our attacks realize output predictions (precisely ciphertext prediction and plaintext recovery) that are much stronger than distinguishing attacks, and (3) swapping or replacing the internal components of the target block ciphers affects the average success probabilities of the proposed attacks. It is particularly worth noting that this is a deep learning specific characteristic because swapping/replacing does not affect the average success probabilities of the linear/differential attacks. We also confirm whether the proposed attacks work on the Feistel block cipher. We expect that our results will be an important stepping stone in the design of deep learning-resistant symmetric-key ciphers.

This work was done when the first author, Hayato Kimura, was a master student at the Tokai University, Japan, and was a research assistant at the National Institute of Information and Communications Technology (NICT), Japan.

Appendices

A A Our Target Ciphers

In this section, we introduce two SPN block ciphers (PRESENT [9] and AES-like cipher), one Feistel block cipher (TWINE-like cipher), and their toy ciphers (small PRESENT-[n] [27], small AES-[n], and small TWINE-[n]).

PRESENT and Small PRESENT-[ n ]: PRESENT [9] is a lightweight SPN block cipher with a 64-bit block size, 31 rounds, and a key size of either 80 or 128 bits. To analyze PRESENT, a toy model of PRESENT called small PRESENT-[n] [27] has been proposed. We show the round function of small PRESENT-[n] in Fig. 1. Since the block size is 4n, small PRESENT-[16] is equivalent to the original PRESENT. The variant n, which specifies the block size and round key length, allows us to control the round of full diffusion. The S-box has 4-bit input and output. We provide the correspondence table in Table 7 that maps \(\mathbb {F}_2^4 \rightarrow \mathbb {F}_2^4\). The pLayer is described as bit permutation P(i), which is defined as follows. Note that this is a generalization of that of PRESENT and is equivalent to that of PRESENT when \(n=16\). P(i) is used for encryption and \(P^{-1}(i)\) is used for decryption.

$$\begin{aligned} P(i)= {\left\{ \begin{array}{ll} n \times i \bmod (4n-1) &{} (0 \le i< 4n-1)\\ 4n-1 &{} (i=4n-1) \end{array}\right. }\\ P^{-1}(i)= {\left\{ \begin{array}{ll} 4 \times i \bmod (4n-1) &{} (0 \le i < 4n-1)\\ 4n-1 &{} (i=4n-1) \end{array}\right. } \end{aligned}$$

For key scheduling, the key scheduling algorithm of PRESENT-80, which is a variant of PRESENT with a key length of 80, is executed; furthermore, the 4n rightmost bits are used as round keys \(rk_{i}\).

AES-Like and Small AES-[ n ]: We design AES-like cipher with a 64-bit block size, called AES-like for short. To analyze AES-like, we design its toy model called small AES-[n]. The round function of small AES is shown in Fig. 1. As with the case of PRESENT, small AES-[16] is equivalent to AES-like since the block size is 4n. The S-box and key scheduling are the same as those of PRESENT. The maximum distance separable (MDS) matrix (over \(GF(2^4)\) defined by the irreducible polynomial \(x^4+x+1\)) is the same as that of Piccolo [32], which is expressed as follows.

$$\begin{aligned} M = \left( \begin{array}{cccc} 2 &{} 3 &{} 1 &{} 1 \\ 1 &{} 2 &{} 3 &{} 1 \\ 1 &{} 1 &{} 2 &{} 3 \\ 3 &{} 1 &{} 1 &{} 2 \\ \end{array} \right) \end{aligned}$$

When a 16-bit input \(X_{(16)}\) is given, the output is computed as \(^t\!(y_{0(4)}, y_{1(4)}, y_{2(4)},y_{3(4)}) \leftarrow M \cdot ^t\!(x_{0(4)}, x_{1(4)}, x_{2(4)}, x_{3(4)})\).

Fig. 1.

(a) Round Functions of small PRESENT-[n] and small AES-[n], (b) Last Round Function of small AES-[n].

Table 7. S-box (PRESENT and small PRESENT-[n])

Fig. 2.

Round Function of small TWINE-[n]

TWINE-Like and Small TWINE-[ n ]: We design TWINE-like cipher with a 64-bit block size, called TWINE-like for short. To analyze TWINE-like, we design its toy model called small TWINE-[n]. For our design, we adopt the type-II generalized Feistel structure with n branches and similar F function as TWINE, which comprises round key operation and 4-bit S-box, as shown in Fig. 2.

As with the case of PRESENT, small TWINE-[16] is equivalent to TWINE-like since the block size is 4n. The S-box and key scheduling are the same as those of PRESENT. The pLayer is described as round permutation RP, which is defined as follows:

$$\begin{aligned} RP: (y_0, y_1, \dots , y_{n-2}, y_{n-1}) \leftarrow (x_1, x_2, \dots , x_{n-1}, x_0). \end{aligned}$$

Two sub-round keys, \(rk^{s}_{i}\) for \(s \in \{0, 1, \dots , \frac{n}{2}-1\}\), are used in each round, which are generated from the round key \(rk_{i}\) as follows:

$$ \begin{aligned} rk^{s}_i = (rk_i \gg (4n - (4s +4)))~ \& ~\textsf{0xF}, \end{aligned}$$

where \(\gg \) and & are bitwise right shift operation and bitwise AND operation, respectively.

B B Related Works

Table 8. Comparison of deep learning-based cryptanalysis. OP:=Output Prediction, PR:=Plaintext Recovery, KR:=Key Recovery, DD:=Differential Distinguisher, LD:=Linear Distinguisher, and DLD:=Differential-Linear Distinguisher.

Regarding the whitebox analysis, Danziger et al. presented deep learning-based attacks that predict key bits of 2-round DES from a plaintext/ciphertext set, and analyze the relationship between these attacks and the differential probability [14]. They compared variants employing several types of S-boxes with different properties for differential attacks, and they concluded that there is a nontrivial relationship between the differential characteristics and success probability of their deep learning-based attacks. However, their results are extremely limited because they targeted a two-round Feistel construction, which is quite insecure even if the component is ideal function. It is unclear how much the property of internal components affects the security of the whole construction. In addition to improve Gohr’s deep learning-based attack [17], Benamira et al. [8] and Chen et al. [12] improved the success probability of traditional distinguishers using characteristics that are expected to be reacted by Gohr’s attack. Their work confirms whether characteristics explored by Gohr can be employed in the traditional distinguishing attacks and they did not identify any deep learning specific characteristic. However, we calculated the ability of traditional distinguisher and our deep learning-based attack and compared them to investigate a relationship between them. Then, we identified a deep learning specific characteristic of small-PRESENT. To summarize, to the best of our knowledge, our results are the first ones that perform the whitebox analysis.

Alani and Hu reported plaintext recovery attacks on DES, 3-DES, and AES [2, 24] that guess plaintexts from given ciphertexts. They claimed that attacks on DES, 3-DES, and AES are feasible with \(2^{11}\), \(2^{11}\) and 1741 (\(\simeq 2^{10.76}\)) plaintext/ciphertext pairs, respectively. However, Xiao et al. doubted the correctness of their results [2, 24] because they could not be reproduced. Baek et al. also pointed this out in the literature [4]. Therefore, we exclude these results in Table 8. Mishra et al. reported that they mounted output prediction attacks on full-round PRESENT; however, it did not work well [16]. In addition, certain results have yielded classical ciphers such as Caesar cipher, Vigenere, and Enigma ciphers [15, 18, 19, 30].

Other machine learning-based analyses have also been reported, e.g., [28, 29]. Tan et al. demonstrated that deep learning can be used to distinguish ciphertexts encrypted by AES, Blowfish, DES, 3-DES, and RC5, respectively [35], for detecting the encryption algorithm that the malware utilizes. Alshammari et al. attempted to classify encrypted Skype and SSH traffic [3].

C C Experimental Results Using the CNN

To confirm that the use of the LSTM induces better experimental results than that of the CNN, we conducted experiments using the CNN in the same procedure described in Sect. 3.1. In our experiments, we optimize activation functions in addition to the hyperparameters shown in Table 1. The following is the search range for activation functions: Tanh, Sigmoid, and ReLU. For developing CNN models by Keras, e.g., model.add(Conv1D(...)), we specify only filters, kernel_size, activation, and input_shape as its arguments⁵.

Table 9 shows experimental results using the CNN. Consequently, we clarify the following facts by comparing the experimental results using the LSTM and CNN based on Tables 3 and 9:

• For small PRESENT-[4], the maximum number of rounds that the proposed attacks using the LSTM and CNN can be successful is 4 and 3, respectively.

• For small AES-[4], the maximum number of rounds that the proposed attacks using the LSTM and CNN can be successful is 1 for each case. In addition, the average success probabilities of ciphertext prediction (plaintext recovery) by the proposed attacks against the 1-round small AES-[4] using the LSTM and CNN are 1 (1) and \(2^{-11.88}\) (\(2^{-11.83}\)), respectively.

• For small TWINE-[4], the maximum number of rounds that the proposed attacks using the LSTM and CNN can be successful is 3 and 1, respectively.

To summarize the foregoing facts, we conclude that the use of the LSTM induces better experimental results of all the target block ciphers compared to the use of the CNN.

Table 9. Average success probabilities of ciphertext prediction/plaintext recovery using the proposed attacks against three toy block ciphers with a block size of 16 bits. We employ the CNN and use \(2^{15}\) training data as well as remaining \(2^{15}\) testing data. CP:=Ciphertext Prediction and PR:=Plaintext Recovery.

D D Maximum Differential Probabilities of small PRESENT-[4], small AES-[4], and small TWINE-[4]

Table 10 shows the maximum differential probabilities of small PRESENT-[4], small AES-[4], and small TWINE-[4].

Table 10. Maximum differential probabilities of small PRESENT-[4], small AES-[4], and small TWINE-[4]

E E More Detailed Results in Sect. 3.1

Table 11. Minimum amount of training data required for successful ciphertext prediction/plaintext recovery using the proposed attacks against three toy block ciphers with a block size of 16 bits. We use the optimized hyperparameters obtained in Experiment 1 (see Table 3). CP:=Ciphertext Prediction and PR:=Plaintext Recovery.

Table 11 shows the minimum amount of training data required for successful ciphertext prediction/plaintext recovery against three toy block ciphers. In addition, Table 12 details the experimental results shown in Table 11. If the predicted probability is greater than \(2^{-15}\), we consider the proposed attacks to be successful⁶.

Table 12. Average success probabilities of ciphertext prediction/plaintext recovery using the proposed attacks against three toy block ciphers with a block size of 16 bits. We vary the amount of training data in the range of from \(2^{2}\) to \(2^{14}\) and use all remaining plaintexts or ciphertexts as testing data. Moreover, we use the optimized hyperparameters obtained in Experiment 1 (see Table 3). CP:=Ciphertext Prediction and PR:=Plaintext Recovery.

F F More Detailed Results in Sect. 3.2

Tables 13 and 14 show the minimum amount of training data required for successful ciphertext prediction/plaintext recovery against three block ciphers with block sizes of 32 and 64 bits, respectively. In addition, Tables 15 and 16 detail the experimental results shown in Tables 13 and 14, respectively.

We vary the amount of training data in the range of from \(2^{8}\) to \(2^{17}\) or from \(2^{10}\) to \(2^{19}\) and use \(2^{16}\) of the remaining plaintexts or ciphertexts as testing data against three toy block ciphers with block sizes of 32 or 64 bits, respectively; thus, if the predicted probability is greater than the threshold derived by equation \({(2^{4n} - 2^{x})}^{-1}\) shown in Sect. 2.3, we consider the proposed attacks to be successful for both cases. In this case, those thresholds are \((2^{32}-2^{8})^{-1}\) to \((2^{32}-2^{17})^{-1}\) or from \((2^{64}-2^{10})^{-1}\) to \((2^{64}-2^{19})^{-1}\).

Table 13. Minimum amount of training data required for successful ciphertext prediction/plaintext recovery using the proposed attacks against three block ciphers with a block size of 32 bits. We use the optimized hyperparameters obtained in Experiment 1 (see Table 3). CP:=Ciphertext Prediction and PR:=Plaintext Recovery.

Table 14. Minimum amount of training data required for successful ciphertext prediction/plaintext recovery using the proposed attacks against three block ciphers with a block size of 64 bits. We use the optimized hyperparameters obtained in Experiment 1 (see Table 3). CP:=Ciphertext Prediction and PR:=Plaintext Recovery.

Table 15. Average success probabilities of ciphertext prediction/plaintext recovery using the proposed attacks against three block ciphers with a block size of 32 bits. We vary the amount of training data in the range of from \(2^{8}\) to \(2^{17}\) and use \(2^{16}\) of the remaining plaintexts or ciphertexts as testing data. Moreover, we use the optimized hyperparameters obtained in Experiment 1 (see Table 3). CP:=Ciphertext Prediction and PR:=Plaintext Recovery.

Table 16. Average success probabilities of ciphertext prediction/plaintext recovery using the proposed attacks against three block ciphers with a block size of 64 bits. We vary the amount of training data in the range of from \(2^{10}\) to \(2^{19}\) and use \(2^{16}\) of the remaining plaintexts or ciphertexts as testing data. Moreover, we use the optimized hyperparameters obtained in Experiment 1 (see Table 3). CP:=Ciphertext Prediction and PR:=Plaintext Recovery.