Attacks on the Design of Symmetric-key Ciphers The importance of proving security in symmetric-key cipher design โซ The newly released cipher should be resistant to all known attacks, e.g., โ differential, linear, impossible differential, zero-correlation linear, integral attacks, etc. A vast number of potential candidate ciphers โซ Analyzing the security of all candidate ciphers may be very time-consuming. Automated tools have made this time-consuming task relatively easy, but 1. it requires high-level expertise in analysis and modeling methods; 2. modeling methods differ depending on the attack vectors; 3. unknown vulnerabilities may be overlooked due to coding mistakes. There have been several cases where unknown vulnerabilities unexpected for the designers were discovered.
Attacks on the Design of Symmetric-key Ciphers The importance of proving security in symmetric-key cipher design โซ The newly released cipher should be resistant to all known attacks, e.g., โ differential, linear, impossible differential, zero-correlation linear, integral attacks, etc. A vast number of potential candidate ciphers โซ Analyzing the security of all candidate ciphers may be very time-consuming. Automated tools have made this time-consuming task relatively easy, but 1. it requires high-level expertise in analysis and modeling methods; 2. modeling methods differ depending on the attack vectors; 3. unknown vulnerabilities may be overlooked due to coding mistakes. There have been several cases where unknown vulnerabilities unexpected for the designers were discovered.
Attacks on the Design of Symmetric-key Ciphers The importance of proving security in symmetric-key cipher design โซ The newly released cipher should be resistant to all known attacks, e.g., โ differential, linear, impossible differential, zero-correlation linear, integral attacks, etc. A vast number of potential candidate ciphers โซ Analyzing the security of all candidate ciphers may be very time-consuming. Automated tools have made this time-consuming task relatively easy, but 1. it requires high-level expertise in analysis and modeling methods; 2. modeling methods differ depending on the attack vectors; 3. unknown vulnerabilities may be overlooked due to coding mistakes. There have been several cases where unknown vulnerabilities unexpected for the designers were discovered.
Attacks on the Design of Symmetric-key Ciphers Neural network-based output prediction (NN) attacks [KEI+22, KEI+23] 1. it does not require high-level expertise in analysis and modeling methods; 2. it has the potential to handle all attack vectors; 3. it is less prone to coding mistakes because it requires only input/output interfaces. [KEI+22] Kimura et al. Output Prediction Attacks on Block Ciphers Using Deep Learning. In AIoTS 2022. [KEI+23] Kimura et al. A Deeper Look into Deep Learning-based Output Prediction Attacks Using Weak SPN Block Ciphers. In Journal of Information Processing. Target (block size) NN Differential Linear Small PRESENT with original S-box (16 bits) 5 4 5 Small PRESENT with weak S-box1 (16 bits) 11 11 9 Small PRESENT with weak S-box2 (16 bits) 8 7 8 Maximum number of attackable rounds for NN, differential, and linear attacks. NN attacks have the potential to be a helpful tool for symmetric-key cipher design, especially S-box-based ciphers.
Attacks on the Design of Symmetric-key Ciphers Neural network-based output prediction (NN) attacks [KEI+22, KEI+23] 1. it does not require high-level expertise in analysis and modeling methods; 2. it has the potential to handle all attack vectors; 3. it is less prone to coding mistakes because it requires only input/output interfaces. [KEI+22] Kimura et al. Output Prediction Attacks on Block Ciphers Using Deep Learning. In AIoTS 2022. [KEI+23] Kimura et al. A Deeper Look into Deep Learning-based Output Prediction Attacks Using Weak SPN Block Ciphers. In Journal of Information Processing. Target (block size) NN Differential Linear Small PRESENT with original S-box (16 bits) 5 4 5 Small PRESENT with weak S-box1 (16 bits) 11 11 9 Small PRESENT with weak S-box2 (16 bits) 8 7 8 Maximum number of attackable rounds for NN, differential, and linear attacks. NN attacks have the potential to be a helpful tool for symmetric-key cipher design, especially S-box-based ciphers.
Prediction Attacks on the Design of Symmetric-key Ciphers [KLT15] Kolbl et al. Observations on the SIMON Block Cipher Family. In Crypto 2015. [KSTI18] Kondo et al. On the Design of SIMON Block Cipher: Integral Attacks and Impossible Differential Attacks against SIMON Variants. In IEICE Trans. 2018. The Kolbl-Leander-Tiessen work [KLT15] โซ Identified the optimal rotation parameter (๐, ๐, ๐) for Simon32 variants in terms of differential and linear attacks. โซ Found some optimal parameter sets for Simon32 variants. โซ Concluded that the default parameter (1,8,2) seems to be not always optimal. The Kondo-Sasaki-Todo-Iwata work [KSTI18] โซ Extended Kolbl et al.โs work to integral and impossible differential attacks. โซ Clalified which rotation parameter is optimal for Simon32. These works focused only on specific attacks and do not address all attack vectors โซ The โoptimalโ rotation parameters identified in these works may not truly be optimal.
Attacks on the Design of Symmetric-key Ciphers 1. Which structures in Simon-like ciphers are vulnerable to NN attacks? โ ๐ = ๐ or ๐ = ๐ โ ๐ โ ๐ = ๐ or ๐ โ ๐ = ๐ 2. What types of vulnerabilities are detected by NN attacks? โ NN attacks have the possibility of detecting vulnerabilities caused by integral attacks. 3. If a vulnerability is detected, can we figure out its root cause? โ The lowest diffusion property โ Highly biased linear approximations 4. How resistant are the vulnerable ciphers to key recovery attacks? โ Vulnerable to Matsuiโs algorithm 1
Attacks on the Design of Symmetric-key Ciphers 1. Which structures in Simon-like ciphers are vulnerable to NN attacks? โ ๐ = ๐ or ๐ = ๐ with 0 or ๐/2 โ ๐ โ ๐ = ๐ or ๐ โ ๐ = ๐ 2. What types of vulnerabilities are detected by NN attacks? โ NN attacks have the possibility of detecting vulnerabilities caused by integral attacks. 3. If a vulnerability is detected, can we figure out its root cause? โ The lowest diffusion property โ Highly biased linear approximations 4. How resistant are the vulnerable ciphers to key recovery attacks? โ Vulnerable to a linear key recovery attacks based on Matsuiโs algorithm 1
Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers Learning Training data ๏ผplaintext/ciphertext pair๏ผ Update model Create model For plaintext recovery KPA setting Black-box model Only an input/output interface is used
Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers Learning Prediction Training data ๏ผplaintext/ciphertext pair๏ผ Update model Create model For plaintext recovery KPA setting Black-box model Only an input/output interface is used For predicting plaintext No duplicates in training and test data Predict plaintext Metrics: average match rate Test data ๏ผciphertext๏ผ
Effects of Neural Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers [BJV04] Baigneres et al. How Far Can We Go Beyond Linear Cryptanalysis?. In Asiacrypt 2004. Theorem 1 ([BJV04, Theorem 6]) Let ๐1 , โฆ , ๐๐ be independent and identically distributed random variables over the set โค of distribution ๐, ๐0 and ๐1 be two distributions of same support which are close to each other, and ๐ be the number of samples of the best distinguisher between ๐ = ๐0 or ๐ = ๐1 . Let ๐ be a real number such that ๐ = ๐ ฯ๐งโโค ๐๐ง 2 ๐๐ง where ๐๐ง and ๐๐ง + ๐๐ง are probabilities of a random variables ๐ง following ๐0 and ๐1 . Then, the overall probability of error is ๐๐ โ ๐ท โ ๐/2 , where ๐ท โ is the distribution function of the standard normal distribution. The average match rate is derived by computing the predicted probabilities for each bit and then calculating the average value of all the predicted probabilities for 2๐ bits. โซ NN attacks are successful when the average match rate is 0.505 or higher. โซ The confidence level of this condition is about 0.7.
Prediction Attacks on the Design of Symmetric-key Ciphers An Experimental Result of the NN attack for a Simon32 vatiant with (4,1,12). The average match rate is derived by computing the predicted probabilities for each bit and then calculating the average value of all the predicted probabilities for 2๐ bits. โซ NN attacks are successful when the average match rate is 0.505 or higher. โซ The confidence level of this condition is about 0.7. Round Average Match Rate success ( ) or failure (-) 1 0.99047 2 0.57558 3 0.55783 4 0.54309 5 0.52027 6 0.51634 7 0.51215 8 0.50619 9 0.50413 -
Attacks on the Design of Symmetric-key Ciphers [KEI+22] Kimura et al. Output Prediction Attacks on Block Ciphers Using Deep Learning. In AIoTS 2022. We follow the hyperparameters used in Kimura et al.sโ work. [KEI+22] Number of training dataโ 215 Number of test dataโ 215 Method LSTM Number of nodes for input/output layerโก 32 Number of hidden nodes 300 Number of hidden layers 1 Loss function Mean squared error Optimizer Adam Initial value of learning rate 0.01 Batch size 250 Number of epochs 100 โ Number of plaintext/ciphertext pairs (no duplicates in training and test data) โก Block size
On the Effects of Neural Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers Diffusion property for the rotation parameter (1,0,1). Verify the diffusion property โซ (1,0,1), including โ๐ = ๐โ and โ0โ โซ (5,2,2), including โ๐ = ๐โ โซ (1,8,2), original parameter Based on the propagation rules โซ Initialize โซ Rotation/Swap โซ AND โซ XOR โซ Stop
Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers Summary of our simulation results for (1,0,1), (5,2,2), and (1,8,2). No. Rotation Parameter #roundsโ Note 1 (1,0,1) 24 including โa=cโ and โ0โ 2 (5,2,2) 13 including โb=cโ 3 (1,8,2) 7 original parameter โ Number of rounds for satisfying the full diffusion property
Attacks on the Design of Symmetric-key Ciphers 1. Which structures in Simon-like ciphers are vulnerable to NN attacks? โ ๐ = ๐ or ๐ = ๐ with 0 or ๐/2 โ ๐ โ ๐ = ๐ or ๐ โ ๐ = ๐ 2. What types of vulnerabilities are detected by NN attacks? โ NN attacks have the possibility of detecting vulnerabilities caused by integral attacks. 3. If a vulnerability is detected, can we figure out its root cause? โ the lowest diffusion property โ highly biased linear approximations 4. How resistant are the vulnerable ciphers to key recovery attacks? โ Vulnerable to a linear key recovery attacks based on Matsuiโs algorithm 1
of Neural Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers For example: Small PRESENT with original S-box โซ The maximum number of attackable rounds for the NN attack is 5 โซ The maximum number of attackable rounds for the differential attack is 4 โซ The maximum number of attackable rounds for the linear attack is 5 Target (block size) NN Differential Linear Small PRESENT with original S-box (16 bits) 5 4 5 Small PRESENT with weak S-box1 (16 bits) 11 11 9 Small PRESENT with weak S-box2 (16 bits) 8 7 8 Maximum number of attackable rounds for NN, differential, and linear attacks. The NN attack is comparable to the higher of the maximum number of attackable rounds for differential or linear attack. [KEI+22] Kimura et al. Output Prediction Attacks on Block Ciphers Using Deep Learning. In AIoTS 2022. [KEI+23] Kimura et al. A Deeper Look into Deep Learning-based Output Prediction Attacks Using Weak SPN Block Ciphers. In Journal of Information Processing.
Neural Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers Learning Prediction Training data ๏ผplaintext/ciphertext pair๏ผ Update model Create model For plaintext recovery Single-key setting Test data ๏ผciphertext๏ผ The same key used in the training data
Effects of Neural Network-based Output Prediction Attacks on the Design of Symmetric-key Ciphers [BJV04] Baigneres et al. How Far Can We Go Beyond Linear Cryptanalysis?. In Asiacrypt 2004. Theorem 1 ([BJV04, Theorem 6]) Let ๐1 , โฆ , ๐๐ be independent and identically distributed random variables over the set โค of distribution ๐, ๐0 and ๐1 be two distributions of same support which are close to each other, and ๐ be the number of samples of the best distinguisher between ๐ = ๐0 or ๐ = ๐1 . Let ๐ be a real number such that ๐ = ๐ ฯ๐งโโค ๐๐ง 2 ๐๐ง where ๐๐ง and ๐๐ง + ๐๐ง are probabilities of a random variables ๐ง following ๐0 and ๐1 . Then, the overall probability of error is ๐๐ โ ๐ท โ ๐/2 , where ๐ท โ is the distribution function of the standard normal distribution. โซ ๐๐ = 1 โ 0.7 = 0.3 โ ๐ท โ ๐/2 โ ๐ท 0.53 โด ๐ โ ๐. ๐๐ โซ ๐ = ๐๐๐, ๐๐ = ๐. ๐ ๐ = ๐ ๐0/๐0 โด ๐บ๐ = ๐. ๐๐๐๐๐ โฏ ๐ ๐ : error probability, 0.7: confidence level of the successful conditiontes, ๐: # test data, ๐0 : the average match rate for random guess, ๐0 + ๐0 : the average match rate for the NN attack
Output Prediction Attacks on the Design of Symmetric-key Ciphers Many automated tools are available as open-source to search for various types of distinguishing attacks. We customize and use the following tools: โซ The maximum number of rounds for differential and linear distinguishing attacks is evaluated by Sun et al.โs SAT-based tool1. โซ The maximum number of rounds for impossible differential and zero-correlation linear distinguishing attacks is evaluated by Hadipour et al.โs CP-based tool2. โซ The maximum number of rounds for integral distinguishing attack is evaluated by Hadipour et al.โs SAT-based tool3. 1 https://github.com/SunLing134340/Accelerating_Automatic_Search 2 https://github.com/hadipourh/zeroplus 3 https://github.com/hadipourh/mpt
itorym
shimosan
hisaokatsumi
matsui_528
mizuhoaoki
kurita
.png){kind=avatar}
satai
smartfukushilab1
ymd65536
ratatata
masakat0
upura
tam07pb915
eitanlees
smashingmag
aki_iinuma
trishagee
samlambert
speakerdeck
matthewcrist
addyosmani
jacobian
tanoku
chrislema
jonrohan
![Kimura et al.โs Work [KEI+22, KEI+23] 35 On the Effects](https://files.speakerdeck.com/presentations/5b0dc770e07a4b5aabc67c9deac6bf71/slide_35.jpg){kind=link}
