TY - GEN
T1 - Efficient Detection of High Probability Statistical Properties of Cryptosystems via Surrogate Differentiation
AU - Dinur, Itai
AU - Dunkelman, Orr
AU - Keller, Nathan
AU - Ronen, Eyal
AU - Shamir, Adi
N1 - Publisher Copyright:
© 2023, International Association for Cryptologic Research.
PY - 2023
Y1 - 2023
N2 - A central problem in cryptanalysis is to find all the significant deviations from randomness in a given n-bit cryptographic primitive. When n is small (e.g., an 8-bit S-box), this is easy to do, but for large n, the only practical way to find such statistical properties was to exploit the internal structure of the primitive and to speed up the search with a variety of heuristic rules of thumb. However, such bottom-up techniques can miss many properties, especially in cryptosystems which are designed to have hidden trapdoors. In this paper we consider the top-down version of the problem in which the cryptographic primitive is given as a structureless black box, and reduce the complexity of the best known techniques for finding all its significant differential and linear properties by a large factor of 2 n/2. Our main new tool is the idea of using surrogate differentiation. In the context of finding differential properties, it enables us to simultaneously find information about all the differentials of the form f(x) ⊕ f(x⊕ α) in all possible directions α by differentiating f in a single randomly chosen direction γ (which is unrelated to the α ’s). In the context of finding linear properties, surrogate differentiation can be combined in a highly effective way with the Fast Fourier Transform. For 64-bit cryptographic primitives, this technique makes it possible to automatically find in about 2 64 time all their differentials with probability p≥ 2 - 32 and all their linear approximations with bias | p| ≥ 2 - 16 (using 2 64 memory); previous algorithms for these problems required at least 2 96 time. Similar techniques can be used to significantly improve the best known time complexities of finding related key differentials, second-order differentials, and boomerangs. In addition, we show how to run variants of these algorithms which require no memory, and how to detect such statistical properties even in trapdoored cryptosystems whose designers specifically try to evade our techniques.
AB - A central problem in cryptanalysis is to find all the significant deviations from randomness in a given n-bit cryptographic primitive. When n is small (e.g., an 8-bit S-box), this is easy to do, but for large n, the only practical way to find such statistical properties was to exploit the internal structure of the primitive and to speed up the search with a variety of heuristic rules of thumb. However, such bottom-up techniques can miss many properties, especially in cryptosystems which are designed to have hidden trapdoors. In this paper we consider the top-down version of the problem in which the cryptographic primitive is given as a structureless black box, and reduce the complexity of the best known techniques for finding all its significant differential and linear properties by a large factor of 2 n/2. Our main new tool is the idea of using surrogate differentiation. In the context of finding differential properties, it enables us to simultaneously find information about all the differentials of the form f(x) ⊕ f(x⊕ α) in all possible directions α by differentiating f in a single randomly chosen direction γ (which is unrelated to the α ’s). In the context of finding linear properties, surrogate differentiation can be combined in a highly effective way with the Fast Fourier Transform. For 64-bit cryptographic primitives, this technique makes it possible to automatically find in about 2 64 time all their differentials with probability p≥ 2 - 32 and all their linear approximations with bias | p| ≥ 2 - 16 (using 2 64 memory); previous algorithms for these problems required at least 2 96 time. Similar techniques can be used to significantly improve the best known time complexities of finding related key differentials, second-order differentials, and boomerangs. In addition, we show how to run variants of these algorithms which require no memory, and how to detect such statistical properties even in trapdoored cryptosystems whose designers specifically try to evade our techniques.
UR - http://www.scopus.com/inward/record.url?scp=85161642706&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-30634-1_4
DO - 10.1007/978-3-031-30634-1_4
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:85161642706
SN - 9783031306334
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 98
EP - 127
BT - Advances in Cryptology – EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2023, Proceedings
A2 - Hazay, Carmit
A2 - Stam, Martijn
PB - Springer Science and Business Media Deutschland GmbH
T2 - 42nd Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT 2023
Y2 - 23 April 2023 through 27 April 2023
ER -