A tool for studying differential and linear propagation in Keccak-f
Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1)
(1) STMicroelectronics, (2) NXP Semiconductors
Ecrypt Summer school on tools, May 27 to June 1, 2012
Outline
1 Introduction
2 Trails in Keccak-f
3 Generating all trails up to some weight
4 KeccakTools
5 Illustrations
Introduction
Keccak
Sponge construction calling:
  permutation Keccak-f with width b = 2^ℓ · 25 and 0 ≤ ℓ ≤ 6
  padding rule: 10*1
All values c and r with c + r = b supported
Keccak-f: an iterative permutation
Operates on 3D state:
  [Figure: the state in x, y, z coordinates, highlighting in turn the state, a slice, a lane, a row and a column]
  (5 × 5)-bit slices
  2^ℓ-bit lanes
  parameter 0 ≤ ℓ < 7
Round function with 5 steps:
  θ: mixing layer
  ρ: inter-slice bit transposition
  π: intra-slice bit transposition
  χ: non-linear layer
  ι: round constants
# rounds: 12 + 2ℓ for width b = 2^ℓ · 25
  12 rounds in Keccak-f[25]
  24 rounds in Keccak-f[1600]
χ, the nonlinear mapping in Keccak-f
“Flip bit if neighbors exhibit 01 pattern”
Operates independently and in parallel on 5-bit rows
Differential trails in iterated mappings
Trail: sequence of differences
DP(Q): fraction of pairs that exhibit differences q_i
Differential trails and weight
w = −log_2(DP)
If independent rounds and w(Q) < b: #pairs(Q) ≈ 2^{b−w(Q)}
Different design approaches
ARX
  estimating #pairs(Q) from w(Q): hard
  no strong trail weight bounds
  revert to pre-DC/LC folklore such as avalanche effect
Rijndael-inspired: strong alignment
  #pairs(Q) from w(Q): easy modulo plateau trails
  easy demonstration of strong trail weight bounds
  still, truncated trails, rebound attack, …
Keccak-f: weak alignment
  #pairs(Q) from w(Q): easy
  cryptanalysis seems hard
  …but proving strong lower bounds also
Goal
Security of Keccak-f[b] relies not on presumed hardness of
  finding low-weight trails
  finding pairs given a trail Q
But on hardness to exploit trails with at most a few pairs
Keccak-f[b] design goal
  Absence of trails with w(Q) < b
Goal of this effort:
  exhaustively generate trails up to some weight
  to build assurance that there are no low-weight trails
Inspired by similar efforts for Noekeon and MD6
            width   weight bound per round
  Noekeon   128     12.0    [Nessie, 2000]
  MD6       4096    2.5     [Rivest et al., 2008] [Heilman, 2011]
Trails in Keccak-f
Conventions and concepts
Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ
a_i fully determines b_i = λ(a_i)
w(Q) = ∑_i w(b_{i−1} χ→ a_i)
Nonlinear step χ has algebraic degree 2
for input b_{i−1}, the outputs a_i form affine space A(b_{i−1})
dimension of A(b_{i−1}) is w(b_{i−1}, a_i) = w(b_{i−1})
Trail weight fully determined by b_i
We can ignore a_4: trail prefix
We can ignore a_0
w(Q) > b now has a simple meaning:
w(Q): # conditions on intermediate state bits
b: # input bits
Trail extension
Given a trail, we can extend it:
  forward: iterate a_{r+1} over A(b_r)
  backward: iterate b_{−1} over all differences χ^{−1}-compatible with a_0 = λ^{−1}(b_0)
Tree search:
  extension can be done recursively
  limited by total weight
Generating all trails up to some weight
First-order approach
Fact
  In an r-round trail prefix Q at least one of the b_i has weight ≤ w(Q)/r
Generating trails up to weight T (first order approach)
  Generate V_1 = {b | w(b) ≤ T/r}
  ∀ 0 ≤ i < r, iterate b_i over V_1
    extend forward up to b_{r−1}
    extend backward down to b_0
    prune as soon as weight will exceed T
Limits of first-order approach
V_1 grows quickly with maximum weight and Keccak-f width:
Trail core
Minimum reverse weight: lower bound of weight given difference after χ
  w_rev(a) ≜ min_{b : a ∈ A(b)} w(b)
Can be used to lower-bound the weight of a set of trails
Trail core: set of trails with b_1, b_2, … in common
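Added example, not from the slides or from KeccakTools: the two χ facts used so far (the outputs compatible with an input difference b form an affine space A(b) of dimension w(b), and the minimum reverse weight w_rev(a)), checked exhaustively on one 5-bit row. Function names are illustrative, and packing bit x of the row into bit x of an integer is an assumption of the example.

```python
# Added example (not KeccakTools code): differential propagation through chi
# on a single 5-bit row. Assumption: bit x of the integer is coordinate x.

def chi_row(r):
    """chi on one row: flip bit x when bits x+1, x+2 show the pattern 0, 1."""
    out = 0
    for x in range(5):
        b0 = (r >> x) & 1
        b1 = (r >> ((x + 1) % 5)) & 1
        b2 = (r >> ((x + 2) % 5)) & 1
        out |= (b0 ^ ((b1 ^ 1) & b2)) << x
    return out

def output_differences(b):
    """Map each output difference a reachable from input difference b to the
    number of inputs v (out of 32) with chi(v) ^ chi(v ^ b) == a."""
    counts = {}
    for v in range(32):
        a = chi_row(v) ^ chi_row(v ^ b)
        counts[a] = counts.get(a, 0) + 1
    return counts

def is_affine_space(elems):
    """A non-empty set is an affine space over GF(2) iff u ^ v ^ w stays in it."""
    s = set(elems)
    return all((u ^ v ^ w) in s for u in s for v in s for w in s)

def weight(b):
    """w(b): dimension of A(b), i.e. log2 of the number of compatible outputs."""
    return len(output_differences(b)).bit_length() - 1

def min_reverse_weight(a):
    """w_rev(a): smallest w(b) over all input differences b with a in A(b)."""
    return min(weight(b) for b in range(32) if a in output_differences(b))

def check_all_rows():
    """Check, for every input difference of a row, that A(b) is affine and that
    every compatible output has the same probability 2^-w(b)."""
    for b in range(32):
        counts = output_differences(b)
        assert is_affine_space(counts)
        assert set(counts.values()) == {32 >> weight(b)}
    return True

if __name__ == "__main__":
    check_all_rows()
    for b in (0b00001, 0b00011, 0b11111):
        print(f"b={b:05b}  w(b)={weight(b)}  A(b)={sorted(output_differences(b))}")
    for a in (0b00001, 0b00101, 0b11111):
        print(f"a={a:05b}  w_rev(a)={min_reverse_weight(a)}")
```

The weight of a full-state difference is the sum of these row weights over all active rows, since χ acts on rows independently.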
Second-order approach
Observation
  For most low-weight a, b = λ(a) has high weight and vice versa
Generating trails up to weight T (second order approach)
  Generate V_2 = {b | b = λ(a) and w_rev(a) + w(b) ≤ 2T/r}
  ∀ 0 ≤ i < r, iterate b_i over V_2
    extend forward up to b_{r−1}
    extend backward down to b_0
    prune as soon as weight exceeds T
But how does the size of V_2 behave with maximum weight?
Intermezzo: θ properties
θ, the mixing layer
[Figure: column parity + θ-effect = combined state]
Compute parity c_{x,z} of each column
Add to each cell the parities of two nearby columns
Single-bit parity flips 2 columns = 10 bits
Other linear mapping ρ and π just move bits around
Single-run parity flips 2 columns
Hamming weight branch number: 12
In general: 2 columns flipped per parity-run
Branch number per class of states with given parity
Column parity kernel: zero-parity and θ is identity
Low branch number
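Added example, not from the slides or from KeccakTools: θ applied to three constructed differences in Keccak-f[1600], showing the single-bit case (2 columns flipped), a state in the column parity kernel (θ is the identity), and two odd columns whose θ-effects cancel in one column. Storing a difference as a set of (x, y, z) coordinates and all names are assumptions of the example; the two-column case is built directly from θ's definition.

```python
# Added example (not KeccakTools code): theta acting on a difference stored as
# a set of active bit coordinates (x, y, z).

def column_parity(state):
    """Set of odd columns (x, z): columns holding an odd number of active bits."""
    odd = set()
    for (x, _, z) in state:
        odd ^= {(x, z)}
    return odd

def theta_effect(state, w):
    """Columns (x, z) whose 5 bits theta flips, for lane length w.
    theta adds to bit (x, y, z) the parities of columns (x-1, z) and (x+1, z-1),
    so an odd column (x, z) affects columns (x+1, z) and (x-1, z+1)."""
    affected = set()
    for (x, z) in column_parity(state):
        affected ^= {((x + 1) % 5, z), ((x - 1) % 5, (z + 1) % w)}
    return affected

def theta(state, w):
    """Apply theta to a difference; theta is linear, so this is exact."""
    out = set(state)
    for (x, z) in theta_effect(state, w):
        out ^= {(x, y, z) for y in range(5)}
    return out

def in_kernel(state):
    """Column parity kernel: every column has even parity."""
    return not column_parity(state)

# Constructed sample differences for Keccak-f[1600] (lane length w = 64).
W = 64
SINGLE_BIT = {(0, 0, 0)}
ORBITAL = {(2, 0, 5), (2, 3, 5)}   # two active bits in one column: in the kernel
RUN = {(0, 0, 0), (3, 0, 1)}       # odd columns (0,0) and (3,1) both affect column (4,1)

if __name__ == "__main__":
    for name, d in (("single bit", SINGLE_BIT), ("orbital", ORBITAL), ("run", RUN)):
        out = theta(d, W)
        print(f"{name}: bits in={len(d)} bits out={len(out)} "
              f"affected columns={sorted(theta_effect(d, W))} in kernel={in_kernel(d)}")
```

For the single-bit difference the input and output Hamming weights are 1 and 11, which add up to the branch number 12 quoted above; for the in-kernel difference they add up to only 4.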
Limits of second-order approach
V_2 contains states in kernel
#V_2 still grows quickly with weight and Keccak-f width:
Third-order approach: dealing with the kernel
Problem: too many states in V_2 due to kernel
Problematic case:
V_3: trail cores (b, d) with w_rev(a) + w(b) + w(d) ≤ 3T/r
  a = λ^{−1}(b) is in the kernel
  intersection of A(b) and kernel is not empty
  b is tame
Elements of V_3 can then be extended as usual
ρ and π
Third-order approach: tame states
Condition that a is in kernel
  One-to-one mapping of active bit positions between a and b
  translate conditions to b
Tameness of slices of b
  empty slice is tame
  single-bit slice cannot be tame
  two-bit slice is tame iff bits are in same column (orbital)
  more than 2 bits: knot
Chains: sequences of active bits p_i that:
  start and end in a knot
  p_{2i} and p_{2i+1} are in same column in a
  p_{2i+1} and p_{2i} are in same column in b
ρ, π and chains
Bit transpositions ρ and π
ρ: inter-slice
π: intra-slice
Example of a chain:
[Figure: a chain of active bits numbered 0 to 5 in the x, y, z state, before and after ρ, π]
Third-order approach
Representation of tame states:
  set of chains between knots
  plus some circular chains: vortices
Efficiently iterating over tame states:
  start from empty state
  recursively add chains and vortices until predicted weight exceeds 3T/r
  if all knots are tame, valid output
Full coverage guaranteed by
  monotonous weight prediction function
  well-defined order of chains
Summary of current results
Scanned all 3-round trails up to weight 36
None extended to 6-round trails with weight below 74
There are no trails in Keccak-f[1600] with weight below 296
Scanned in-kernel 3-round trails up to weight 54
Nr.   w̃(·)   profile     P(a_1)   P(a_2)    Structure
1     32     4 4 24      kernel   θ-gap 1
1     35     12 12 11    kernel   kernel    vortex, length 6
7     36     12 12 12    kernel   kernel    vortex, length 6
7     39     12 12 15    kernel   kernel    vortex, length 6
2     39     12 11 16    kernel   kernel    2 knots, 3 chains
41    40     12 12 16    kernel   kernel    vortex, length 6
4     40     12 12 16    kernel   kernel    2 knots, 3 chains
Potential of third-order: in-kernel 3-round trails
Inversion: # trails decreases with growing Keccak-f width
In absolute number and in slope
KeccakTools
What is KeccakTools?
  A set of documented C++ classes to help analyze Keccak-f
  Version 1.0 was released in April 2009
  Now version 3.3
  Freely available on http://keccak.noekeon.org
Documentation:
  Documentation in Doxygen format
  Various example routines in main.cpp
  Sample of differential and linear trails
KeccakTools in a nutshell
Sponge and duplex constructions on any permutation
Seven permutations, from Keccak-f[25] to Keccak-f[1600]
Two ways to represent the state:
  vector<LaneValue>, 25 lanes
  vector<SliceValue>, from 1 to 64 slices
Individual steps θ, ρ, π, χ and ι
  And all inverses including χ^{−1} and θ^{−1}
Differential and linear trail generation and display
  forward and backward trail extension
  affine space and parity handling
  2nd and 3rd order (DC-only) trail seed generation
Equations in GF(2) of rounds, steps and trails
Generation of optimized C code
  Lane complementing, bit interleaving, …
  Macros currently in our optimized implementations
Equation generation: variable naming convention
Lane naming convention
         x = 0   x = 1   x = 2   x = 3   x = 4
y = 0    ba      be      bi      bo      bu
y = 1    ga      ge      gi      go      gu
y = 2    ka      ke      ki      ko      ku
y = 3    ma      me      mi      mo      mu
y = 4    sa      se      si      so      su
z coordinate as a suffix
  E.g., bu21 is bit at x = 4, y = 0 and z = 21
Alphabetical order = bit ordering at sponge level
  Makes it easier to express concrete CICO problems (preimage, etc.)
Examples of generated equations
Equations for θ and θ^{−1} in Keccak-f[100]
Oba0 = Iba0 + Ibe3 + Ige3 + Ike3 + Ime3 + Ise3 + Ibu0 + Igu0 + Iku0 + Imu0 + Isu0
Iba0 = Oba0 + Obi0 + Ogi0 + Oki0 + Omi0 + Osi0 + Obo3 + Ogo3 + Oko3 + Omo3 + Oso3 + Obi3 + Ogi3 + Oki3 + Omi3 + Osi3 + Oba2 + Oga2 + Oka2 + Oma2 + Osa2 + Obo2 + Ogo2 + Oko2 + Omo2 + Oso2 + Obi2 + Ogi2 + Oki2 + Omi2 + Osi2 + Obe2 + Oge2 + Oke2 + Ome2 + Ose2 + Oba1 + Oga1 + Oka1 + Oma1 + Osa1 + Obo1 + Ogo1 + Oko1 + Omo1 + Oso1 + Obe1 + Oge1 + Oke1 + Ome1 + Ose1
Equations for χ and χ^{−1} in Keccak-f[100]
Obo2 = Ibo2 + (Ibu2 + 1)*Iba2
Ibo2 = Obo2 + (Oba2 + Obi2*(Obe2 + 1))*(Obu2 + 1)
Equations for full round in Keccak-f[100]
Bgo3 = Ame2 + Abi1 + Agi1 + Aki1 + Ami1 + Asi1 + Aba2 + Aga2 + Aka2 + Ama2 + Asa2 + (Asi2 + Abo1 + Ago1 + Ako1 + Amo1 + Aso1 + Abe2 + Age2 + Ake2 + Ame2 + Ase2 + 1)*(Abo3 + Abu2 + Agu2 + Aku2 + Amu2 + Asu2 + Abi3 + Agi3 + Aki3 + Ami3 + Asi3)
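Added example, not KeccakTools code: the naming convention above written out, together with a small generator that rebuilds the forward θ and χ equations shown for Keccak-f[100] (lane length 4) from the step definitions. Function names are illustrative; the I/O prefixes follow the equations on the slide.

```python
# Added example (not KeccakTools code): bit naming and forward equations for
# theta and chi, derived from the step definitions.
CONSONANTS = "bgkms"   # y = 0..4
VOWELS = "aeiou"       # x = 0..4

def bit_name(x, y, z, w, prefix=""):
    """Name of bit (x, y, z) for lane length w; coordinates wrap around."""
    return f"{prefix}{CONSONANTS[y % 5]}{VOWELS[x % 5]}{z % w}"

def parse_bit_name(name):
    """Inverse of bit_name without prefix, returning (x, y, z)."""
    return VOWELS.index(name[1]), CONSONANTS.index(name[0]), int(name[2:])

def sponge_bit_index(x, y, z, w):
    """Position of the bit in the b-bit string at sponge level: lane 5y + x, then z."""
    return w * (5 * y + x) + z

def lanes_in_sponge_order():
    """Lane names ordered by lane index 5y + x."""
    return [CONSONANTS[y] + VOWELS[x] for y in range(5) for x in range(5)]

def theta_equation(x, y, z, w):
    """theta: output bit = input bit + parity of column (x+1, z-1)
    + parity of column (x-1, z), all over GF(2)."""
    terms = [bit_name(x, y, z, w, "I")]
    terms += [bit_name(x + 1, yy, z - 1, w, "I") for yy in range(5)]
    terms += [bit_name(x - 1, yy, z, w, "I") for yy in range(5)]
    return f"{bit_name(x, y, z, w, 'O')} = " + " + ".join(terms)

def chi_equation(x, y, z, w):
    """chi: output bit x = bit x + (bit x+1 + 1) * bit x+2 within the same row."""
    i0, i1, i2 = (bit_name(x + k, y, z, w, "I") for k in range(3))
    return f"{bit_name(x, y, z, w, 'O')} = {i0} + ({i1} + 1)*{i2}"

if __name__ == "__main__":
    W = 4  # Keccak-f[100]: b = 25 * 4
    print(theta_equation(0, 0, 0, W))
    print(chi_equation(3, 0, 2, W))
    print(parse_bit_name("bu21"), sponge_bit_index(4, 0, 21, 64))
```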
Illustrations
Illustration: the best 3-round trail
[Figure: active slices at each step of the trail]
  z = 0 (weight: 4)
  χ: z = 0
  θ, ρ, π: z = 55, 56 (weight: 4)
  χ: z = 55, 56, 57
  θ: z = 55, 56, 57
  ρ, π: z = 0, 6, 14, 18, 21, 34, 48, 49, 52, 53, 57, 61 (weight: 24)
  [Inset: parity and θ-effect, axes z and x; legend: odd column, affected column]
Illustration: an in-kernel 3-round trail with a vortex
[Figure: active slices at each step of the trail]
  z = 9, 43, 56 (weight: 12)
  χ: z = 9, 43, 56
  θ, ρ, π: z = 0, 6, 7 (weight: 12)
  χ: z = 0, 6, 7
  θ, ρ, π: z = 25, 26, 28, 33, 43 (weight: 11)
Illustration: an in-kernel 3-round trail with two knots
[Figure: active slices at each step of the trail]
  z = 3, 21, 46 (weight: 12)
  χ: z = 3, 21, 46
  θ, ρ, π: z = 0, 18 (weight: 11)
  χ: z = 0, 18
  θ, ρ, π: z = 9, 20, 26, 38, 39, 43, 62 (weight: 16)
Illustration: an in-kernel 3-round trail with a single knot
[Figure: active slices at each step of the trail]
  z = 0, 21, 43, 54 (weight: 16)
  χ: z = 0, 21, 43, 54
  θ, ρ, π: z = 0, 18, 34 (weight: 13)
  χ: z = 0, 18, 34
  θ, ρ, π: z = 15, 35, 36, 38, 57, 62 (weight: 12)
Some Keccak references
Differential propagation in Keccak, FSE 2012
  full version at http://eprint.iacr.org/2012/163
The Keccak reference version 3.0
KeccakTools version 3.3
On alignment in Keccak, Ecrypt II Hash Workshop 2011
http://keccak.noekeon.org/
Questions?
Thanks for your attention!