Division Property: a New Attack Against Block Ciphers

Transcription

1 Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, / 50

2 Symmetric-key encryption Alice and Bob exchange the secret key through a secure channel. Encryption Decryption 2 / 50

3 Symmetric-key encryption Alice and Bob exchange the secret key through a secure channel. Encryption Decryption Key-exchange problem birth of the public-key cryptography. 2 / 50

4 Public-key encryption Encryption %gti2z* Decryption 3 / 50

5 Advantages and disadvantages of each system Advantages Disadvantages Secret-key Public-key Fast systems Relatively short-keys No key-exchange needed n users: 2n keys Need secure key-exchange n users: n 2 keys Slow systems Relatively long-keys 4 / 50

6 Hybrid encryption Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of every system. Encryption Decryption Encryption Decryption 5 / 50

7 Hybrid encryption Use a public-key cryptosystem to exchange a key (session key). Use the exchanged key to encrypt data by using a symmetric-key cryptosystem. Advantages: Slow public-cryptosystem is used to encrypt a short string only. Fast symmetric-key cryptosystem is used to encrypt the longer communication session. Used for example in the SSL protocol. 6 / 50

8 Block ciphers Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 7 / 50

9 Block ciphers Block ciphers Encrypt a block of message m into a block of ciphertext c under the action of the key k. ENC : {0,1} n {0,1} κ {0,1} n (m,k) ENC(m,k) = c k m ENC c Given k, it must be easy to compute c from m. Given m,c it must be hard to compute k such that ENC(m,k) = c. 8 / 50

10 Block ciphers Two important parameters: block size, n key size, κ A block cipher generates a family of permutations indexed by a key k. (2 n )! permutations subset 2 κ Ideal design: 2 κ permutations chosen uniformly at random from all 2 n! 2 (n 1)2n permutations. 9 / 50

11 Block ciphers Iterated block ciphers Idea: Iterate a round function f several times. The function f r is waited to be strong for large r. Advantages: Compact implementation. Easier analysis. master key k Key schedule k 1 k 2 k r m f f f c Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys. 10 / 50

12 Block ciphers How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 11 / 50

13 Block ciphers How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 11 / 50

14 Block ciphers Substitution Permutation Network (SPN) m k1 Substitution Permutation k2 Substitution Permutation k3 Substitution Permutation k4 Substitution Permutation k5 c 12 / 50

15 Block ciphers Substitution Permutation Network (SPN) m k1 S S S S k2 S S S S k3 S S S S k4 S S S S k5 c 12 / 50

16 Block ciphers Cryptanalysis of block ciphers Problem: Design block ciphers that are fast and secure at the same time. In symmetric key cryptography, security proofs are partial and insufficient. Only mean of proving that a design is secure: cryptanalysis. An algorithm is secure as long there is no attack against it. The more an algorithm is analysed without being broken, the more reliable it is. 13 / 50

17 Block ciphers What does "broken" mean? No attack faster than exhaustive search should exist. If a block cipher encrypts messages with a k-bit key, no attack with time complexity less than 2 k should be known. Otherwise, the cipher is considered as broken (even if the complexity of the attack is not practical). 14 / 50

18 Division property Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 15 / 50

19 Division property A new property for block ciphers In Eurocrypt 2015, Yosuke Todo introduces a new property, called the division property. Combination (in some sense) of higher-order differential and saturation attacks. Construction of more powerful generic distinguishers for both SPN and Feistel constructions. Use of this new property for breaking full MISTY-1 (best paper award at CRYPTO 2015). 16 / 50

20 Division property Notation If x,u F n 2, we denote x u = n i=1 x u i i Example: (n = 4) x = (x 1,x 2,x 3,x 4 ) = (1,1,0,1), u = (u 1,u 2,u 3,u 4 ) = (1,0,1,0) x u = x 1 u 1 x 2 u 2 x 3 u 3 x 4 u 4 = = / 50

21 Division property Division property Let X be a multiset of elements in F n 2. For 0 k n, we say that X has the division property Dk n if x u = 0, x X for all u F n 2 such that wt(u) < k. 18 / 50

22 Division property Division property - Example X = {0x0,0x3,0x3,0x3,0x5,0x6,0x8,0xB,0xD,0xE}. Compute x Xx u for all u F 4 2. x u = 1, x X for u = 1011, u = 1101 and u = So, x Xx u = 0 for all u with wt(u) < 3. X has the division property D / 50

23 Division property Using the division property in practice Prepare a set of plaintexts and evaluate its division property. Propagate the input texts and evaluate the division property of the output set after one round. Use rules to propagate the property through the different cipher components (Sboxes, XOR, etc..) Repeat the procedure and compute the division property of the set of texts after several rounds. If after several rounds some exploitable information is found, then we get a distinguisher. 20 / 50

24 Division property Distinguisher and key recovery attack Distinguisher: A property that permits to distinguish the target block cipher from an ideal permutation. Division property: E K (y) has the division property Dk n y Y for k 1. Key recovery: Exploit this property to recover the key by targeting first the subkey of the last round. 21 / 50

25 Propagation through an Sbox Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 22 / 50

26 Propagation through an Sbox What is an Sbox? Main component for providing non-linearity. Can be seen as a vectorial Boolean function S : F n 2 Fm 2 (usually m = n). Algebraic Normal Form (ANF) of an Sbox y 0 = x 0 x 2 +x 1 +x 2 +x 3 y 1 = x 0 x 1 x 2 +x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 0 x 3 +x 2 x 3 +x 0 +x 2 y 2 = x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 0 +x 1 +x 3 y 3 = x 0 x 1 x 2 +x 1 x 3 +x 0 +x 1 +x / 50

27 Propagation through an Sbox Algebraic degree of an Sbox (y 0,y 1,y 2,y 3 ) = S(x 0,x 1,x 2,x 3 ) y 0 = x 0 x 2 +x 1 +x 2 +x 3 y 1 = x 0 x 1 x 2 +x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 0 x 3 +x 2 x 3 +x 0 +x 2 y 2 = x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 0 +x 1 +x 3 y 3 = x 0 x 1 x 2 +x 1 x 3 +x 0 +x 1 +x The algebraic degree of S is / 50

28 Propagation through an Sbox Propagation of the division property through an Sbox Let S be a permutation of F n 2 of algebraic degree d. Let X be a multiset having the division property D n k. Question: What is the division property of Y = S(X)? If k = n, then Y has the division property D n n. Proposition (Todo): Y has the division property D n k d. 25 / 50

29 Propagation through an Sbox Example - MISTY S 7 MISTY s Sbox S 7 is a 7-bit Sbox of degree 3. The input set X has the property D 7 k. The output set Y has the property D 7 k, with k = k 3. k k / 50

30 Propagation through an Sbox Proof Sketch Let the input set X have the division property Dk n. Then, x u = 0, for all u F n 2 with wt(u) < k. x X Goal: Evaluate for which v F n 2, x XS(x) v vanishes. If deg(s v ) < k then x XS(x) v = 0. If deg(s v ) k, x XS(x) v is undetermined. Obviously, deg(s v ) wt(v) d, so the sum becomes unknown if wt(v) d k. 27 / 50

31 Propagation through an Sbox An improvement idea In the previous proof, the degree was bounded by deg(s v ) wt(v) d This bound is not tight! 28 / 50

32 Propagation through an Sbox The inverse permutation influences the degree Let S be a permutation on F n 2. Denote by δ k (S) the max. degree of the product of k coordinates of S. Theorem [B. Canteaut 2013]. For any k and l, δ l (S) < n k if and only if δ k (S 1 ) < n l. 29 / 50

33 Propagation through an Sbox Getting a tighter result Use the previous theorem to better estimate deg(s v ): deg(s v ) δ wt(v) (S). Then, δ wt(v) (S) < k iff δ n k (S 1 ) < n wt(v). By re-writing the second inequality we get δ wt(v) (S) < k iff wt(v) < n δ n k (S 1 ). The quantity x X (Sv )(x) becomes unknown when wt(v) n δ n k (S 1 ). So Y has the division property Dn δ n n k (S 1 ). 30 / 50

34 Propagation through an Sbox Example - Back to MISTY S 7 MISTY s inverse Sbox S 1 7 is a 7-bit Sbox of degree 3. k δ k (S 1 7 ) The input set X has the property Dk 7. The output set Y has the property Dk 7, with k = k 3 (Todo s estimation) k = 7 δ 7 k (S7 1 ) (our estimation) k k (Todo s) k (our) For k = 6: k = 7 δ 7 6 (S 1 7 ) = 7 3 = 4 31 / 50

35 Extending the division property Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 32 / 50

36 Extending the division property Reduced set of a multiset Let X be a multiset of elements in F n 2. The corresponding reduced set X is the set composed of all elements in X having an odd multiplicity. Example: If X = {0x0,0x3,0x3,0x3,0x5,0x7,0x7,0xB,0xC} then X = {0x0,0x3,0x5,0xB,0xC}. A multiset X fulfills D n k if and only if X fulfills D n k. 33 / 50

37 Extending the division property Parity set of a multiset Let X be a multiset of elements in F n 2. The set U(X) is the subset of Fn 2 defined by U(X) = {u F n 2 : x Xx u = 1}, is called the parity set of X. Obviously U(X) = U( X). The parity set provides a complete characterization of the reduced set of a multiset. 34 / 50

38 Extending the division property Incidence vector of U(X) Lemma. Let G be the 2 n 2 n binary matrix whose entries are indexed by n-bit vectors and defined by G u,a = a u, a,u F n 2. For any subset X of F n 2, the incidence vector of U(X) is equal to the product of G by the incidence vector of X. 35 / 50

39 Extending the division property An example (n = 3) G = / 50

40 Extending the division property An example (n = 3) G = / 50

41 Extending the division property An example (n = 3) X = {1,3,4} U(X) = = U(X) = {0,2,3,4}. 37 / 50

42 Extending the division property Reed-Muller codes F m 2 = {z 0,...,z 2 m 1}. Let f : F m 2 F 2. We define c f = (f(z 0 ),...,f(z 2 m 1)). The Reed-Muller code RM(d,m) of order d and length 2 m is defined as RM(d,m) := {c f : deg(f) d}. 38 / 50

43 Extending the division property Correspondance of X and U(X) Corollary. For any subset U of F n 2, there exists a unique setx Fn 2 such that U(X) = U. Proof. The matrix G is a generator matrix of the Reed-Muller code of length 2 n and order n. Dimension of the code : 2 n G is invertible. The mapping matching the incidence vector of a set X, v X to the incidence vector of U(X) is an isomorphism of the set of 2 n vectors. 39 / 50

44 Extending the division property Parity set and the division property Let E k be a keyed permutation. The division property is a distinguishing property of the multiset E k (X) for a given choice of the input multiset X. We can now reformulate the division property Dk n of E k(x) by a simple property of U(E k (X)). Indeed, Dk n characterizes a multiset X by a lower bound on the weight of all elements in U(X). 40 / 50

45 Extending the division property Proposition. Let X be a multiset of elements in F n 2 and k be an integer 0 k n. Then,the following assertions are equivalent: (i) X fulfills the division property D n k. (ii) U(X) {u F n 2 : wt(u) k}. (iii) The incidence vector of the corresponding reduced set X belongs to the Reed-Muller code of length 2 n and order (n k). 41 / 50

46 Understanding Dk n for some specific values of k Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 42 / 50

47 Understanding Dk n for some specific values of k Some specific values of k Question: What can be said about a multiset X that verifies a property Dk n, for some value of k? The cases D1 n, Dn 2, Dn n, have been characterized. [Todo 2015], [Sun et al. 2015] The cases Dk n, for k {1,2,n} had not been exploited before. We provide some insight on these cases here by using the above introduced new vision and some well known properties of Reed-Muller codes. 43 / 50

48 Understanding Dk n for some specific values of k The property D n 1 Let X be a multiset of elements in F n 2. X fulfills D n 1 if and only if its cardinality is even. Indeed, X has the property D1 n: For u = (0,...,0) : x X xu = 0 x x 0 n = = #X mod 2 = 0 x X x X1 The inverse can be easily deduced. 44 / 50

49 Understanding Dk n for some specific values of k The property D n 2 Let X be a multiset of elements in F n 2. X fulfills D n 2 if and only if its cardinality is even and it has the Balance property. Balance property: For any i, 1 i n x Xx i = 0. Indeed, if X has the property D n 2 : x X x0 1...x0 n = 0 X has even cardinality. For all u with wt(u) = 1: x X xu = x X x0 1...x0 i 1 x1 i...x0 n = x X x i = 0 X has the Balance property. The inverse is proven easily. 45 / 50

50 Understanding Dk n for some specific values of k The property D n n Let X be a multiset of elements in F n 2. X fulfills D n n if and only if its reduced set X is either empty or equal to F n 2. Let v be the incidence vector of X. Proof. X satisfies Dn n iff v R(0,n). Thus, either v is the all-zero vector, i.e., X is empty or v is the all-one vector i.e. X = F n / 50

51 Understanding Dk n for some specific values of k The property D n n 1 Let X be a multiset of elements in F n 2. Proposition. X satisfies D n n 1 if and only if X is an (affine) subspace of dimension (n 1). Proof. X satisfies Dn 1 n iff v R(1,n). R(1,n) consists of the incidence vectors of all (affine) hyperplanes of F 2. Then, this equivalently means that X is an (affine) hyperplane. 47 / 50

52 Understanding Dk n for some specific values of k Example [Todo, Eurocrypt 2015] For the multiset of elements of F 4 2 X = {0x0,0x3,0x3,0x3,0x5,0x6,0x8,0xB,0xD,0xE}, the corresponding reduced set X = {0x0,0x3,0x5,0x6,0x8,0xB,0xD,0xE} is a linear subspace of dimension 3 spanned by {0x3,0x5,0x8}. So, it can be directly deduced (without computation) that X has the property D / 50

53 Understanding Dk n for some specific values of k The property D n k Proposition. Let X be a multiset of elements in F n 2 satisfying Dn k such that X is not empty. Then X 2 k, and equality holds iff X is an affine subspace of dimension k. Proof. X satisfies D n k iff v X belongs to R(n k,n). The minimum distance of R(n k,n) is 2 k and that the minimum-weight codewords in this code are the incidence vectors of the affine subspaces of dimension k. 49 / 50

54 Understanding Dk n for some specific values of k Conclusion We have reformulated the division property to captivate more information. Complete characterisation of the property Dk n for different values of k. More powerful distinguishers for a high number of block ciphers. Work in progress / 50

55 Understanding Dk n for some specific values of k Conclusion We have reformulated the division property to captivate more information. Complete characterisation of the property Dk n for different values of k. More powerful distinguishers for a high number of block ciphers. Work in progress... Thanks for your attention! 50 / 50