Higher-order differential cryptanalysis

Last updated October 30, 2022

In cryptography, higher-order differential cryptanalysis is a generalization of differential cryptanalysis, an attack used against block ciphers. While in standard differential cryptanalysis the difference between only two texts is used, higher-order differential cryptanalysis studies the propagation of a set of differences between a larger set of texts. Xuejia Lai, in 1994, laid the groundwork by showing that differentials are a special case of the more general case of higher order derivates.^[1] Lars Knudsen, in the same year, was able to show how the concept of higher order derivatives can be used to mount attacks on block ciphers.^[2] These attacks can be superior to standard differential cryptanalysis. Higher-order differential cryptanalysis has notably been used to break the KN-Cipher, a cipher which had previously been proved to be immune against standard differential cryptanalysis.^[3]

Higher-order derivatives

A block cipher which maps $n$ -bit strings to $n$ -bit strings can, for a fixed key, be thought of as a function $f:\mathbb {F} _{2}^{n}\to \mathbb {F} _{2}^{n}$ . In standard differential cryptanalysis, one is interested in finding a pair of an input difference $\alpha$ and an output difference $\beta$ such that two input texts with difference $\alpha$ are likely to result in output texts with a difference $\beta$ i.e., that $f(m\oplus \alpha )\oplus f(m)=\beta$ is true for many $m\in \mathbb {F} _{2}^{n}$ . Note that the difference used here is the XOR which is the usual case, though other definitions of difference are possible.

This motivates defining the derivative of a function $f:\mathbb {F} _{2}^{n}\to \mathbb {F} _{2}^{n}$ at a point $\alpha$ as^[1]

\Delta _{\alpha }f(x):=f(x\oplus \alpha )\oplus f(x)

.

Using this definition, the $i$ -th derivative at $(\alpha _{1},\alpha _{2},\dots ,\alpha _{i})$ can recursively be defined as^[1]

\Delta _{\alpha _{1},\alpha _{2},\dots ,\alpha _{i}}^{(i)}f(x):=\Delta _{\alpha _{i}}\left(\Delta _{\alpha _{1},\alpha _{2},\dots ,\alpha _{i-1}}^{i-1}f(x)\right)

.

Thus for example $\Delta _{\alpha _{1},\alpha _{2}}^{(2)}f(x)=f(x)\oplus f(x\oplus \alpha _{1})\oplus f(x\oplus \alpha _{2})\oplus f(x\oplus \alpha _{1}\oplus \alpha _{2})$ .

Higher order derivatives as defined here have many properties in common with ordinary derivative such as the sum rule and the product rule. Importantly also, taking the derivative reduces the algebraic degree of the function.

Higher-order differential attacks

To implement an attack using higher order derivatives, knowledge about the probability distribution of the derivative of the cipher is needed. Calculating or estimating this distribution is generally a hard problem but if the cipher in question is known to have a low algebraic degree, the fact that derivatives reduce this degree can be used. For example, if a cipher (or the S-box function under analysis) is known to only have an algebraic degree of 8, any 9th order derivative must be 0.

Therefore, it is important for any cipher or S-box function in specific to have a maximal (or close to maximal) degree to defy this attack.

Cube attacks have been considered a variant of higher-order differential attacks.^[4]

Resistance against Higher-order differential attacks

Limitations of Higher-order differential attacks

Works for small or low algebraic degree S-boxes or small S-boxes. In addition to AND and XOR operations.

Related Research Articles

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

In mathematics, the Dirac delta distribution, also known as the unit impulse, is a generalized function or distribution over the real numbers, whose value is zero everywhere except at zero, and whose integral over the entire real line is equal to one.

<span class="mw-page-title-main">De Rham cohomology</span> Cohomology with real coefficients computed using differential forms

In mathematics, de Rham cohomology is a tool belonging both to algebraic topology and to differential topology, capable of expressing basic topological information about smooth manifolds in a form particularly adapted to computation and the concrete representation of cohomology classes. It is a cohomology theory based on the existence of differential forms with prescribed properties.

In mathematics, the exterior algebra, or Grassmann algebra, named after Hermann Grassmann, is an algebra that uses the exterior product or wedge product as its multiplication. In mathematics, the exterior product or wedge product of vectors is an algebraic construction used in geometry to study areas, volumes, and their higher-dimensional analogues. The exterior product of two vectors $and denoted by is called a bivector and lives in a space called the exterior square, a vector space that is distinct from the original space of vectors. The magnitude of can be interpreted as the area of the parallelogram with sides and which in three dimensions can also be computed using the cross product of the two vectors. More generally, all parallel plane surfaces with the same orientation and area have the same bivector as a measure of their oriented area. Like the cross product, the exterior product is anticommutative, meaning that for all vectors and but, unlike the cross product, the exterior product is associative.$

In mathematics, a differential operator is an operator defined as a function of the differentiation operator. It is helpful, as a matter of notation first, to consider differentiation as an abstract operation that accepts a function and returns another function.

In mathematics, a Colombeau algebra is an algebra of a certain kind containing the space of Schwartz distributions. While in classical distribution theory a general multiplication of distributions is not possible, Colombeau algebras provide a rigorous framework for this.

In mathematics, particularly algebraic topology and homology theory, the Mayer–Vietoris sequence is an algebraic tool to help compute algebraic invariants of topological spaces, known as their homology and cohomology groups. The result is due to two Austrian mathematicians, Walther Mayer and Leopold Vietoris. The method consists of splitting a space into subspaces, for which the homology or cohomology groups may be easier to compute. The sequence relates the (co)homology groups of the space to the (co)homology groups of the subspaces. It is a natural long exact sequence, whose entries are the (co)homology groups of the whole space, the direct sum of the (co)homology groups of the subspaces, and the (co)homology groups of the intersection of the subspaces.

In mathematics, Hodge theory, named after W. V. D. Hodge, is a method for studying the cohomology groups of a smooth manifold M using partial differential equations. The key observation is that, given a Riemannian metric on M, every cohomology class has a canonical representative, a differential form that vanishes under the Laplacian operator of the metric. Such forms are called harmonic.

In mathematics, differential refers to several related notions derived from the early days of calculus, put on a rigorous footing, such as infinitesimal differences and the derivatives of functions.

In numerical analysis, the Crank–Nicolson method is a finite difference method used for numerically solving the heat equation and similar partial differential equations. It is a second-order method in time. It is implicit in time, can be written as an implicit Runge–Kutta method, and it is numerically stable. The method was developed by John Crank and Phyllis Nicolson in the mid 20th century.

In mathematics, a differentiable manifold is a type of manifold that is locally similar enough to a vector space to allow one to apply calculus. Any manifold can be described by a collection of charts (atlas). One may then apply ideas from calculus while working within the individual charts, since each chart lies within a vector space to which the usual rules of calculus apply. If the charts are suitably compatible, then computations done in one chart are valid in any other differentiable chart.

In cryptography, the boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher.

In mathematics, the derivative is a fundamental construction of differential calculus and admits many possible generalizations within the fields of mathematical analysis, combinatorics, algebra, geometry, etc.

In mathematics, in particular in algebraic geometry and differential geometry, Dolbeault cohomology is an analog of de Rham cohomology for complex manifolds. Let M be a complex manifold. Then the Dolbeault cohomology groups $depend on a pair of integers p and q and are realized as a subquotient of the space of complex differential forms of degree (p, q).$

In numerical analysis, finite-difference methods (FDM) are a class of numerical techniques for solving differential equations by approximating derivatives with finite differences. Both the spatial domain and time interval are discretized, or broken into a finite number of steps, and the value of the solution at these discrete points is approximated by solving algebraic equations containing finite differences and values from nearby points.

In applied mathematics, polyharmonic splines are used for function approximation and data interpolation. They are very useful for interpolating and fitting scattered data in many dimensions. Special cases include thin plate splines and natural cubic splines in one dimension.

In quantum geometry or noncommutative geometry a quantum differential calculus or noncommutative differential structure on an algebra $over a field means the specification of a space of differential forms over the algebra. The algebra here is regarded as a coordinate ring but it is important that it may be noncommutative and hence not an actual algebra of coordinate functions on any actual space, so this represents a point of view replacing the specification of a differentiable structure for an actual space. In ordinary differential geometry one can multiply differential 1-forms by functions from the left and from the right, and there exists an exterior derivative. Correspondingly, a first order quantum differential calculus means at least the following:$

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having broken both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.

In mathematics, the Weyl integration formula, introduced by Hermann Weyl, is an integration formula for a compact connected Lie group G in terms of a maximal torus T. Precisely, it says there exists a real-valued continuous function u on T such that for every class function f on G:

In complex geometry, the $lemma$ is a mathematical lemma about the de Rham cohomology class of a complex differential form. The $-lemma is a result of Hodge theory on a compact Kähler manifold. Sometimes it is also known as the -lemma, due to the use of a related operator, with the relation between the two operators being and so .$

References

1 2 3 Lai, Xuejia (1994). "Higher Order Derivatives and Differential Cryptanalysis". Communications and Cryptography. Vol. 276. Springer US. pp. 227–233. doi:10.1007/978-1-4615-2694-0_23. ISBN 978-1-4613-6159-6.{{cite book}}: Missing or empty |title= (help)
↑ Knudsen, Lars (1994). Truncated and Higher Order Differentials (PDF/PostScript). Fast Software Encryption (FSE 1994). Springer-Verlag. pp. 196–211. Retrieved 2007-02-14.
↑ Jakobsen, Thomas and Knudsen, Lars (1997). The interpolation attack on block ciphers. Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1267. Springer Berlin Heidelberg. pp. 28–40. doi:10.1007/BFb0052332. ISBN 978-3-540-63247-4.{{cite book}}: CS1 maint: multiple names: authors list (link)
↑ Daniel J. Bernstein (2009-01-14). "Why haven't cube attacks broken anything?" . Retrieved 2014-05-18.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[lai94-1] 1 2 3 Lai, Xuejia (1994). "Higher Order Derivatives and Differential Cryptanalysis". Communications and Cryptography. Vol. 276. Springer US. pp. 227–233. doi:10.1007/978-1-4615-2694-0_23. ISBN 978-1-4613-6159-6.{{cite book}}: Missing or empty |title= (help)

[knudsen94-2] Knudsen, Lars (1994). Truncated and Higher Order Differentials (PDF/PostScript). Fast Software Encryption (FSE 1994). Springer-Verlag. pp. 196–211. Retrieved 2007-02-14.

[3] Jakobsen, Thomas and Knudsen, Lars (1997). The interpolation attack on block ciphers. Fast Software Encryption. Lecture Notes in Computer Science. Vol. 1267. Springer Berlin Heidelberg. pp. 28–40. doi:10.1007/BFb0052332. ISBN 978-3-540-63247-4.{{cite book}}: CS1 maint: multiple names: authors list (link)

[djb-4] Daniel J. Bernstein (2009-01-14). "Why haven't cube attacks broken anything?" . Retrieved 2014-05-18.

[1]

[2]

[3]

[4]