Efficient Detection of High Probability Statistical Properties of Cryptosystems via Surrogate Differentiation

  • Conference paper
  • In: Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14007)

Abstract

A central problem in cryptanalysis is to find all the significant deviations from randomness in a given n-bit cryptographic primitive. When n is small (e.g., an 8-bit S-box), this is easy to do, but for large n, the only practical way to find such statistical properties was to exploit the internal structure of the primitive and to speed up the search with a variety of heuristic rules of thumb. However, such bottom-up techniques can miss many properties, especially in cryptosystems which are designed to have hidden trapdoors.

In this paper we consider the top-down version of the problem in which the cryptographic primitive is given as a structureless black box, and reduce the complexity of the best known techniques for finding all its significant differential and linear properties by a large factor of \(2^{n/2}\). Our main new tool is the idea of using surrogate differentiation. In the context of finding differential properties, it enables us to simultaneously find information about all the differentials of the form \(f(x) \oplus f(x \oplus \alpha )\) in all possible directions \(\alpha \) by differentiating f in a single randomly chosen direction \(\gamma \) (which is unrelated to the \(\alpha \)’s). In the context of finding linear properties, surrogate differentiation can be combined in a highly effective way with the Fast Fourier Transform. For 64-bit cryptographic primitives, this technique makes it possible to automatically find in about \(2^{64}\) time all their differentials with probability \(p \ge 2^{-32}\) and all their linear approximations with bias \(|p| \ge 2^{-16}\) (using \(2^{64}\) memory); previous algorithms for these problems required at least \(2^{96}\) time. Similar techniques can be used to significantly improve the best known time complexities of finding related key differentials, second-order differentials, and boomerangs. In addition, we show how to run variants of these algorithms which require no memory, and how to detect such statistical properties even in trapdoored cryptosystems whose designers specifically try to evade our techniques.
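The collision-finding idea behind surrogate differentiation, as an added illustration that is not the paper's own code: the function f, the planted differential (ALPHA, BETA) and the direction GAMMA are all constructed here for a 16-bit toy black box. One derivative g(x) = f(x) ⊕ f(x ⊕ γ) is tabulated; whenever g(x) = g(y), the identity f(x) ⊕ f(y) = f(x ⊕ γ) ⊕ f(y ⊕ γ) shows that both (x, y) and (x ⊕ γ, y ⊕ γ) are right pairs for the differential x ⊕ y → f(x) ⊕ f(y), so every collision casts a vote for one (α, β) without α ever being chosen in advance.

```python
# Added illustration of surrogate differentiation on a toy 16-bit black box.
# Not the paper's code: f, the planted differential and GAMMA are constructed.
import hashlib
from collections import defaultdict

N = 16  # block size of the toy primitive

def prf(tag: bytes, x: int) -> int:
    """Deterministic pseudo-random N-bit value, used as a structureless black box."""
    digest = hashlib.sha256(tag + x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

# Constructed "trapdoor": f(x) ^ f(x ^ ALPHA) == BETA on roughly 1/16 of the inputs.
ALPHA, BETA = 0x8421, 0x1337

def coset_rep(x: int) -> int:
    """Canonical member of the pair {x, x ^ ALPHA}: the one with the lowest ALPHA bit clear."""
    low = ALPHA & -ALPHA
    return x if (x & low) == 0 else x ^ ALPHA

def f(x: int) -> int:
    """Toy primitive: random-looking, except on selected cosets where the differential holds."""
    r = coset_rep(x)
    if (prf(b"select", r) & 0xF) == 0:  # about 1/16 of the cosets are selected
        return prf(b"value", r) ^ (BETA if x != r else 0)
    return prf(b"value", x)

def surrogate_differentiation(table, gamma):
    """Tabulate g(x) = f(x) ^ f(x ^ gamma) and let each collision vote for a differential.

    If g(x) == g(y) then f(x) ^ f(y) == f(x ^ gamma) ^ f(y ^ gamma), so both (x, y) and
    (x ^ gamma, y ^ gamma) are right pairs for the differential x ^ y -> f(x) ^ f(y).
    """
    buckets = defaultdict(list)
    for x in range(1 << N):
        buckets[table[x] ^ table[x ^ gamma]].append(x)
    votes = defaultdict(int)
    for xs in buckets.values():
        for i in range(len(xs)):
            for j in range(i + 1, len(xs)):
                x, y = xs[i], xs[j]
                if x ^ y == gamma:  # g(x) == g(x ^ gamma) holds for every x; not a differential
                    continue
                votes[(x ^ y, table[x] ^ table[y])] += 1
    return votes

def best_differential(table, gamma):
    """The (alpha, beta) with the most votes, together with its vote count."""
    votes = surrogate_differentiation(table, gamma)
    (alpha, beta), hits = max(votes.items(), key=lambda kv: kv[1])
    return alpha, beta, hits

def differential_probability(table, alpha, beta):
    """Exact probability of the differential alpha -> beta, by exhaustive evaluation."""
    good = sum(1 for x in range(1 << N) if table[x] ^ table[x ^ alpha] == beta)
    return good / (1 << N)

TABLE = [f(x) for x in range(1 << N)]  # the 2^n evaluations the algorithm needs
GAMMA = 0x5A3C                          # an arbitrary direction, unrelated to ALPHA

if __name__ == "__main__":
    alpha, beta, hits = best_differential(TABLE, GAMMA)
    p = differential_probability(TABLE, alpha, beta)
    print(f"top candidate {alpha:#06x} -> {beta:#06x}: {hits} collisions, true probability {p:.4f}")
```

A differential of probability p holds for x and for x ⊕ γ simultaneously on about 2^n p^2 inputs, so it collects roughly 2^n p^2 / 2 collision pairs (about 128 here), while a fixed (α, β) in a random function receives essentially no votes; this is why one pass of 2^n evaluations surfaces every differential with p ≥ 2^{-n/2}, matching the 2^{-32} bound quoted above for 64-bit primitives. The trivial collisions g(x) = g(x ⊕ γ) are skipped because they would vote for α = γ regardless of f.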


Notes

  1. According to Wikipedia, a surrogate marker in clinical trials is a known measure which may correlate with the unknown clinical markers we would like to follow, but does not necessarily have a guaranteed relationship.

  2. We remind the reader that a differential characteristic predicts all the intermediate differences, whereas a differential is concerned only with the input difference and the output difference.

  3. If there are more than two values colliding, then each pair of collisions suggests a value for \(\alpha '\) and \(\beta '\).

  4. In other words, one can easily define a statistical test based on the fundamental algorithm, and reject that function as a random function (or a random permutation) if the number of collisions exceeds \(\mathcal {O}(n/p^2)\).

  5. We alert the reader that as we discuss a memoryless algorithm, the algorithm cannot store previous values. Instead, we discuss “query” complexity to refer to the number of evaluations of the function \(f(\cdot )\), which may be higher than \(2^n\).

  6. We note that one can choose any constant as the “target”, as long as it is consistent with the constant used in the second part of the algorithm mentioned later.

Acknowledgements

We would like to thank the reviewers of this paper for their detailed and constructive comments. The first author was supported in part by the Israeli Science Foundation through grant No. 1903/20. The second author was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through grants No. 880/18 and 3380/19. The third author was supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. The fourth author is partially supported by Len Blavatnik and the Blavatnik Family foundation, the Blavatnik ICRC, and Robert Bosch Technologies Israel Ltd. He is a member of CPIIS.

Author information

Corresponding author: Eyal Ronen.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Dinur, I., Dunkelman, O., Keller, N., Ronen, E., Shamir, A. (2023). Efficient Detection of High Probability Statistical Properties of Cryptosystems via Surrogate Differentiation. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14007. Springer, Cham. https://doi.org/10.1007/978-3-031-30634-1_4

  • DOI: https://doi.org/10.1007/978-3-031-30634-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30633-4

  • Online ISBN: 978-3-031-30634-1

  • eBook Packages: Computer Science (R0)
