Results on Linear Models in Cryptography

Aalto University, P.O. Box 11000, FI-00076 Aalto www.aalto.fi Author Risto M. Hakala Name of the doctoral dissertation Results on Linear Models in Cryptography Publisher School of Science Unit Department of Information and Computer Science Series Aalto University publication series DOCTORAL DISSERTATIONS 29/2013 Field of research Theoretical Computer Science Manuscript submitted 12 December 2012 Date of the defence 8 March 2013 Permission to publish granted (date) 29 January 2013 Language English Monograph Article dissertation (summary + original articles) Abstract Many cryptanalytic techniques are based on exploiting linearity properties of cryptosystems. One of such techniques is linear cryptanalysis, invented by Matsui in 1993. Originally developed for block ciphers FEAL and DES, it has become a standard method for analyzing all kinds of symmetric ciphers. Linear cryptanalysis of a block cipher is traditionally based on a biased linear combination of the input and output bits of the cipher. Mathematically speaking, such a combination can be seen as a linear mapping to a one-dimensional binary vector space. Several authors have considered the use of other types of linear mappings as well, such as multidimensional and nonbinary mappings. To find suitable mappings, one usually has to analyze linearity properties of the individual components used in the cipher. The more the components resemble linear functions, the less secure the cipher is against linear cryptanalysis. Linear cryptanalysis is a method for analyzing the formal description of a cryptographic primitive. Side-channel attacks form another class of cryptanalytic methods in which an implementation of the primitive is analyzed instead of the description. They are based on doing physical measurements which may reveal critical information about the internal state of the primitive. This dissertation presents several cryptanalytic results related to linearity of cryptographic primitives. The work contains results concerning both formal specifications and real-life implementations of primitives. Related to the former area of cryptography, we describe a framework for estimating resistance against general linear cryptanalysis in which linear mappings over arbitrary finite Abelian groups can be used. As applications, we present a linear distinguishing attack on the stream cipher Shannon and on the block cipher DEAN. In addition, we study individual cryptographic components and present results regarding their linearity properties in different domains. In particular, we give evidence that certain functions based on discrete logarithm are highly nonlinear. Related to the implementation side of cryptography, we present a technique for automated analysis of side-channel data and show that it works in practice by using it to attack the ECDSA implementation in OpenSSL. The technique is based on modeling the implementation as a linear dynamical system which allows efficient analysis of the situation.Many cryptanalytic techniques are based on exploiting linearity properties of cryptosystems. One of such techniques is linear cryptanalysis, invented by Matsui in 1993. Originally developed for block ciphers FEAL and DES, it has become a standard method for analyzing all kinds of symmetric ciphers. Linear cryptanalysis of a block cipher is traditionally based on a biased linear combination of the input and output bits of the cipher. Mathematically speaking, such a combination can be seen as a linear mapping to a one-dimensional binary vector space. Several authors have considered the use of other types of linear mappings as well, such as multidimensional and nonbinary mappings. To find suitable mappings, one usually has to analyze linearity properties of the individual components used in the cipher. The more the components resemble linear functions, the less secure the cipher is against linear cryptanalysis. Linear cryptanalysis is a method for analyzing the formal description of a cryptographic primitive. Side-channel attacks form another class of cryptanalytic methods in which an implementation of the primitive is analyzed instead of the description. They are based on doing physical measurements which may reveal critical information about the internal state of the primitive. This dissertation presents several cryptanalytic results related to linearity of cryptographic primitives. The work contains results concerning both formal specifications and real-life implementations of primitives. Related to the former area of cryptography, we describe a framework for estimating resistance against general linear cryptanalysis in which linear mappings over arbitrary finite Abelian groups can be used. As applications, we present a linear distinguishing attack on the stream cipher Shannon and on the block cipher DEAN. In addition, we study individual cryptographic components and present results regarding their linearity properties in different domains. In particular, we give evidence that certain functions based on discrete logarithm are highly nonlinear. Related to the implementation side of cryptography, we present a technique for automated analysis of side-channel data and show that it works in practice by using it to attack the ECDSA implementation in OpenSSL. The technique is based on modeling the implementation as a linear dynamical system which allows efficient analysis of the situation.

[1]  L. Baum,et al.  A Maximization Technique Occurring in the Statistical Analysis of Probabilistic Functions of Markov Chains , 1970 .

[2]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[3]  Jing Yang,et al.  Maximal values of generalized algebraic immunity , 2009, Des. Codes Cryptogr..

[4]  R. Lidl,et al.  Applied abstract algebra , 1984 .

[5]  Serge Vaudenay,et al.  How Far Can We Go Beyond Linear Cryptanalysis? , 2004, ASIACRYPT.

[6]  Shirley Dex,et al.  JR 旅客販売総合システム(マルス)における運用及び管理について , 1991 .

[7]  Xuejia Lai,et al.  A Proposal for a New Block Encryption Standard , 1991, EUROCRYPT.

[8]  V. V. Yashchenko,et al.  Bent functions on a finite Abelian group , 1997 .

[9]  O. S. Rothaus,et al.  On "Bent" Functions , 1976, J. Comb. Theory, Ser. A.

[10]  Jacques Stern,et al.  Linear Cryptanalysis of Non Binary Ciphers , 2007, Selected Areas in Cryptography.

[11]  Kaisa Nyberg,et al.  Linear Approximation of Block Ciphers , 1994, EUROCRYPT.

[12]  L. R. Rabiner,et al.  An introduction to the application of the theory of probabilistic functions of a Markov process to automatic speech recognition , 1983, The Bell System Technical Journal.

[13]  Gary McGuire,et al.  APN permutations on Zn and Costas arrays , 2009, Discret. Appl. Math..

[14]  Kaisa Nyberg,et al.  Multidimensional Linear Cryptanalysis of Reduced Round Serpent , 2008, ACISP.

[15]  James L. Massey,et al.  SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm , 1993, FSE.

[16]  Teuvo Kohonen,et al.  Self-Organizing Maps , 2010 .

[17]  R. Durrett Essentials of Stochastic Processes , 1999 .

[18]  P. Vijay Kumar,et al.  Generalized Bent Functions and Their Properties , 1985, J. Comb. Theory, Ser. A.

[19]  Philip Hawkes,et al.  Cache Timing Analysis of LFSR-Based Stream Ciphers , 2009, IMACC.

[20]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[21]  Lars R. Knudsen,et al.  Contemporary Block Ciphers , 1998, Lectures on Data Security.

[22]  Claude Carlet,et al.  An Infinite Class of Balanced Vectorial Boolean Functions with Optimum Algebraic Immunity and Good Nonlinearity , 2009, IWCC.

[23]  James L. Massey,et al.  SAFER K-64: One Year Later , 1994, FSE.

[24]  Mitsuru Matsui,et al.  A New Method for Known Plaintext Attack of FEAL Cipher , 1992, EUROCRYPT.

[25]  Verónica Requena,et al.  On the Nonlinearity of Exponential Welch Costas Functions , 2010, IEEE Transactions on Information Theory.

[26]  Philip Hawkes,et al.  Design and Primitive Specification for Shannon , 2007, Symmetric Cryptography.

[27]  Jr. G. Forney,et al.  The viterbi algorithm , 1973 .

[28]  S. P. Lloyd,et al.  Least squares quantization in PCM , 1982, IEEE Trans. Inf. Theory.

[29]  M. F.,et al.  Bibliography , 1985, Experimental Gerontology.

[30]  Kaisa Nyberg,et al.  Improved Linear Distinguishers for SNOW 2.0 , 2006, FSE.

[31]  Tanja Lange,et al.  On the Non-linearity and Sparsity of Boolean Functions Related to the Discrete Logarithm in Finite Fields of Characteristic Two , 2005, WCC.

[32]  N. L. Biggs APPLIED ABSTRACT ALGEBRA (Undergraduate Texts in Mathematics) , 1985 .

[33]  Van Nostrand,et al.  Error Bounds for Convolutional Codes and an Asymptotically Optimum Decoding Algorithm , 1967 .

[34]  Alexander Maximov,et al.  Attack the Dragon , 2005, INDOCRYPT.

[35]  Johan Wallén Linear Approximations of Addition Modulo 2n , 2003, FSE.

[36]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[37]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[38]  H. Wold,et al.  Some Theorems on Distribution Functions , 1936 .

[39]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[40]  Lawrence R. Rabiner,et al.  A tutorial on hidden Markov models and selected applications in speech recognition , 1989, Proc. IEEE.

[41]  Todd Cochrane On a trigonometric inequality of vinogradov , 1987 .

[42]  Joos Vandewalle,et al.  Correlation Matrices , 1994, FSE.

[43]  Alex Biryukov,et al.  On Multiple Linear Approximations , 2004, IACR Cryptol. ePrint Arch..

[44]  K. Conrad,et al.  Finite Fields , 2018, Series and Products in the Development of Mathematics.

[45]  Joo Yeon Cho,et al.  Linear Cryptanalysis of Reduced-Round PRESENT , 2010, CT-RSA.

[46]  Serge Vaudenay,et al.  An experiment on DES statistical cryptanalysis , 1996, CCS '96.

[47]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[48]  Matthew J. B. Robshaw,et al.  Linear Cryptanalysis Using Multiple Approximations , 1994, CRYPTO.