Paper 2021/719

Conditional Differential-Neural Cryptanalysis

Zhenzhen Bao, Jian Guo, Meicheng Liu, Li Ma, and Yi Tu

Abstract

Although whether computers can learn to perform cryptanalytic tasks has been a long-standing question, positive answers from breakthrough machine-learning-based cryptanalysis are still rare. At CRYPTO 2019, a remarkable work by Gohr shed light on a positive answer. It shows that well-trained neural networks can perform cryptanalytic distinguishing tasks at a superior level to traditional differential-based distinguishers. Additionally, a non-traditional key-recovery procedure was devised, integrating Upper Confidence Bounds and Bayesian optimization. By combining the neural distinguishers with a classical differential and integrating the advanced key-recovery procedure, an 11-round key-recovery attack on Speck32/64, a small-sized modern cipher designed by researchers from NSA, was achieved, with performance competitive with the state-of-the-art result. However, it has turned out to be difficult for the community to achieve a comparable performance increase on longer reduced versions of the same cipher. This difficulty raises a question: how large is the advantage of machine-learning approaches over traditional ones, and does the advantage generally exist on modern ciphers? To answer these questions, we devised the first practical 13-round and improved 12-round neural-distinguisher-based key-recovery attacks on Speck32/64 and 16-round key-recovery attacks on Simon32/64. The results confirm the advantages of using machine-learning approaches in cryptanalysis. However, the main reason lies in the enhancement made to the classical components. The crucial technical element for the improved attacks is the concept of conditional (simultaneous) neutral bits/bit-sets, which is derived from the concept of neutral bits, a concept with a long history in cryptanalysis.
This fact indicates an outcome: a strengthened combination of classical cryptanalysis and machine-learning approaches is one way for machine-learning-based cryptanalysis to maximize its advantage. Apart from the best attacks, we exhibit substantial details of the key-recovery phase, which is missing a theoretical model to analyze its complexity and success probability. Some observations on important statistics could serve as a rule of thumb for tuning parameters and making trade-offs. To answer whether the advantage of machine-learning approaches shown in the cryptanalysis of Speck32/64 can also be obtained on other primitives, we produce various neural distinguishers and a traditional DDT-based distinguisher on Simon32/64. The answer is slightly negative. The same approaches used for Speck32/64 indeed apply to Simon32/64. However, the advantage over the pure differential-based approach seems to be limited.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Neural Distinguisher, Key Recovery Attack, Differential Cryptanalysis, Simon, Speck, Generalized Neutral Bits, Bayesian Search
Contact author(s)
zzbao @ ntu edu sg
guojian @ ntu edu sg
meicheng liu @ gmail com
skloismary @ gmail com
tuyi0002 @ e ntu edu sg
History
2021-10-03: revised
2021-05-31: received
Short URL
https://ia.cr/2021/719
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/719,
      author = {Zhenzhen Bao and Jian Guo and Meicheng Liu and Li Ma and Yi Tu},
      title = {Conditional Differential-Neural Cryptanalysis},
      howpublished = {Cryptology ePrint Archive, Paper 2021/719},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/719}},
      url = {https://eprint.iacr.org/2021/719}
}