Some integral properties of Rijndael, Grøstl-512 and LANE-256

Transcription

1 Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering, Loughborough U., UK 3 XLIM, University of Limoges, France CCA Seminar

2 Guideline Description of the AES and of its little brothers Integral properties of the AES Integral properties of the different Rijndael versions Deduced distinguishers With unknown keys With known keys Grøstl-512 and LANE-256 Conclusion CCA Seminar

3 The AES and its brothers CCA Seminar

4 AES and Rijndael (1/3) [DR 98] Rijndael, created by J. Daemen and V. Rijmen, AES new standard Iterative block ciphers with a parallel structure. blocks sizes: 128, 160, 192, 224 or 256 bits. Key sizes: 128, 192 or 256 bits. The number of rounds vary between 10 and 14 according to the blocks sizes and the key sizes. Plaintexts (128, ,224, 256 bits) Bytes matrix 4x, 5x, 6x, 7x, 8x4 K initial Key addition 0 K 1 K 9 Byte Sub Shift Row Mix Column Key Addition Byte Sub Shift Row Mix Column Key Addition CCA Seminar round 1 round 9, 11 ou 13 Byte Sub Last Shift Row Round K Key Addition 10 Ciphertexts (128, ,224, 256 bits) Bytes matrix 4x, 5x, 6x, 7x, 8x4

5 The AES (2/3): Round function (1/2) Byte Substitution Shift Row a 00 a 01 a 02 a 03 a 10 a 11 a 12 a 13 a 20 a 21 a 22 a 23 a 30 a 31 a 32 a 33 (8x8 S-box S) a 00 a 01 a 02 a 03 a 10 a 11 a 12 a 13 a 20 a 21 a 22 a 23 a 30 a 31 a 32 a S(a 00 ) S(a 01 ) S(a 01 ) S(a 00 ) S(a 13 ) S(a 12 ) S(a 11 ) S(a 10 ) S(a 23 ) S(a 22 ) S(a 21 ) S(a 20 ) S(a 33 ) S(a 32 ) S(a 31 ) S(a 30 ) a 00 a 01 a 02 a 03 a 11 a 12 a 13 a 10 a 22 a 23 a 20 a 21 a 32 a 30 a 33 a 31 CCA Seminar

6 The AES (3/3): Round function (2/2) Mix Column Key Addition a 00 a 01 a 02 a 03 a 10 a 11 a 12 a 13 a 00 a 01 a 02 a 03 a 20 a 21 a 22 a 23 a 10 a 11 a 12 a 13 a 30 a 31 a 32 a 33 a 20 a 21 a 22 a a 30 a 31 a 32 a 33 K i (128 bits) b 00 b 01 b 02 b 03 b 00 b 01 b 02 b 03 b 10 b 11 b 12 b 13 b 10 b 20 b 11 b 21 b 12 b 22 b 13 b 23 b 20 b 21 b 22 b 23 b 30 b 31 b 32 b 33 b 30 b 31 b 32 b 33 CCA Seminar

7 Rijndael: main differences Change: nb of rounds ShiftRows AES (4 col.) Rijndael-160 (5 col.) Rijndael-192 (6 col.) Rijndael-224 (7 col.) Rijndael-256 (8 col.) CCA Seminar

8 General principle of cryptanalysis X [n bits] Intermediate rounds Initial rounds f f f f.. K X x = Ψ(X,K X ) x [ n bits] R(x,y ) Distinguisher A: To find a relation R(x,y ) on intermediate states which has a probability p of happening as far as possible from the uniform probability p*: Final rounds K r. f y [ n bits] Y K Y y = Φ(Y,K Y ) Pr[A]=Adv(A)= p-p* Test over the keys sur (K X, K Y ) CCA Seminar

9 Integral properties CCA Seminar

10 Integral property of the AES (1/2) byte y = Y MixColumns AddRoundKey other bytes = constants Z SubBytes ShiftRows 255 y = 0 s(y) = 0 R S y SubBytes ShiftRows S(z 3 ) S(z 2 ) S(z 1 ) S(y) SubBytes ShiftRows z 0 z 1 z 2 z 3 S(z 0 ) MixColumns AddRoundKey MixColumns AddRoundKey s CCA Seminar

11 Integral property of the AES (2/2) On 6 rounds: 2 32 textes clairs 4 key bytes For each 9 bytes of keys: Test if: 255 y = 0 s(y) =? 0 3 rounds As before Y Trois rounds S( y ) Good keys pass the test. Take care of false alarms. Lasr round without MixColumn 2 32 textes chiffrés 4 key bytes CCA Seminar

12 Complexity of integral attacks Improvement by Ferguson: Sum over the 2 32 values => Complexity for 6 rounds Nb plaintexts = 6*2 32 Complexity = 2 46 using partial sum techniques For 7 rounds: Nb plaintexts = (with herd technique) Complexity = cipher operations CCA Seminar

13 For Rijndael The same kind of properties But, due to the slower diffusion, => more rounds and better extensions CCA Seminar

14 Rijndael-256: first remark y Note: SR: 1, 2, 4 z0 z1 Nb rounds: 14 (min) z2 z3 z0 z3 z2 z1 SubBytes ShiftRows z2 z1 a 0 b 0 a 1 b 1 a 2 b 2 a 3 b 3 MixColumns AddKey CCA Seminar

15 Rijndael 256 Integral property Distinguisher on 4 rounds: Saturation on 3 bytes => Complexity: 2 24 ciphers y n p z0 z1 z2 z3 First round Second round Third round Fourth round CCA Seminar

16 Rijndael 224 Integral property y z0 z1 z2 z3 p First round Second round Distinguisher on 4 rounds: Saturation on 2 bytes Third round => Complexity: 2 16 ciphers Fourth round CCA Seminar

17 Rijndael 192 Integral property (1) y z0 z1 z2 z3 p Distinguisher on 4 rounds: Saturation of 2 bytes => Complexity: 2 16 ciphers = 2 = 2 = 1 = 1 CCA Seminar

18 Rijndael 192 Integral property y p n (2) z0 z1 z2 z3 Distinguisher on 4 rounds: Saturation on 3 bytes => Complexity: 2 24 ciphers = = 1 = = CCA Seminar

19 Rijndael 160 Integral property y z0 z1 z2 z3 p n Distinguisher on 4 rounds: Saturation de 3 bytes => Complexity: 2 24 ciphers = 2 = = 1 = 1 CCA Seminar

20 Unknown keys Distinguishers CCA Seminar

21 Extension of 2 rounds at the end [Ferguson and al. -00]: partial sums s directly deduced from c i,j For each ciphertext c, we associate the partial sum: Use to sequentially determine k k => Share in 4 steps the key serach CCA Seminar

22 Extension at the beginning: 2 methods [Ferguson and al. - 00]: one initial round => attack on 5 rounds with 2 32 plaintexts CCA Seminar

23 The herd technique One more round at the beginning: Naively plaintexts (work, cf Nakhara and al.) Fix a particular byte x => a herd: set of ciphertexts of 2 88 structures Test on a single herd. X depends on (p 4,,p 7 ) and on 4 bytes of K 0 1. Using 2 64 counters m y counters n z 3. Filter information on the key guess CCA Seminar

24 Combine those extensions attack over 2+4+2=8 rounds (for Rijndael-256) 1. Increment the 64 bits (c 0,,c 3,p 4,, p 7 ) 2. Guess the 4 bytes of K 0, compute x, separate counters into herds. 3. Choose a single herd, n z en ajoutant (c 0,,c 3 ) pour chaque y correct 4. Guess the 5 bytes of K 7 and of K 6 of the two last rounds to decipher each z on one byte. Sum this value over the 2 32 values of z and look at the 0s. 5. Repeat this point for each value of thek 0 bytes. => The 4 bytes (p 4,, p 7 ) and the 4 bytes of K 0 give 4 bytes => 2 24 smaller herds => reduce the exhaustive search to plaintexts. CCA Seminar

25 Complexity and attacks on 9 rounds Total cost: plaintexts cipher operations => Add one round at the end using a complete exhaustive search on the subkey K 9 CCA Seminar

26 Summary of the attacks CCA Seminar

27 Known Keys Distinguishers CCA Seminar

28 [Knudsen Rijmen 07] Notion of Known Key Distinguisher Principle: create a distinguisher beginning at the middle of the cipher Then, determine a particular property linking plaintexts and ciphertexts Comparison withe the complexity required to find such a structure for a random permutation Interest: create distinguishers when block ciphers are used as hash functions CCA Seminar

29 Theoritical model [Africacrypt 09] Advantage of Distinguishers [Vaudenay 97]: Adv E (A) Two more cases: non-adaptative, adaptative CCA Seminar

30 Case of an adaptative SPRP Distinguisher CCA Seminar

31 Case of a non-adaptative Known Key Distinguisher CCA Seminar

32 Case of study: the AES [Knu-Rij 07] Forward sense Backward sense CCA Seminar

33 KK distinguisher for the AES KK distinguisher on 7 rounds 3 in backward, 4 in forward 3 4 rounds rounds Requires 2 56 middletexts and 2 56 cipher operations For a random permutation => k-sum problem, Complexity: 2 58 operations => KK distinguisher for the AES CCA Seminar

34 KK distinguisher for Rijndael Same kind of properties in the backward sense Summary of the KK distinguishers for Rijndael [Africacrypt 2009]: CCA Seminar

35 A last idea: some integral distinguishers for the SHA3 candidates: Grøstl-512 and LANE-256 ( CCA Seminar

36 Grøstl-512 CCA Seminar

37 Description of Grøstl-512 (Phase 3!) [Gauravaram, Knudsen, Matusiewicz, Mendel, Rechberger, Schläffer, Thomsen 2009] iterated hash function Compression function with 2 permutations P and Q. A t-block message M (after padding) is hashed using f(h i-1, M i ) and output g(h t ): H 0 = IV ; H i = f(h i-1, M i ) = H i-1 P(H i-1 M i ) Q(M i ) ; at the end, h = g(h t ) = trunc(h t P(H t )) CCA Seminar

38 P (and Q) permutations of Grøstl-512 P and Q: similar design as AES with a fixed key input and 14 rounds The state = 1024-bit seen as a 8x16 matrix of bytes The round transformations: AddRoundConstant (AC): adds one-byte constants to the state SubBytes (SB): apply the AES S-box to each byte of the state ShiftBytes (ShB): rotates the bytes of row j: MixBytes (MB): linear diffusion layer: each column is multiplied by a constant matrix B. CCA Seminar

39 Integral properties of Grøstl-512 (1/3) Direct sense: 4 rounds property with 2 40 texts Extension by 1 round at the beginning with texts: CCA Seminar

40 Integral properties of Grøstl-512 (2/3) Backward sense: 3 rounds property with 2 16 texts Extension by 2 round at the beginning with texts: CCA Seminar

41 Integral properties of Grøstl-512 (3/3) Combine both senses for P and Q on 10 rounds: For P: start from the middle with middletexts with 64 active bytes then, go backward on five rounds to obtain inputs that sum to 0 on 3 shifted columns go forward on 5 rounds to obtain outputs that sum to 0 on 4 columns. Do the same for Q. Using Q, get the M t messages. Using those messages and the inputs of P, compute the H t-1 values. Those values verify that their sums = 0 on 3 shifted columns => The sum taken over the outputs of the compression function is zero at 7 byte positions and the corresponding inputs H t-1 and M t have 0-sum on 3 shifted columns. => Structural property of the Grøstl-512 compression function to find 0-sums for 10 rounds of P and Q Computational cost = operations with few memory requirements CCA Seminar

42 LANE-256 CCA Seminar

43 Description of LANE-256 (Phase 1) [Indesteege 08] Chaining values: H i-1 (256 bits) Message blocks: M i (512 bits) A counter: C i Compression function: H i =f(h i-1,m i,c i ) H i-1 and M i produced the inputs of P 0,,P 5 via a message expansion CCA Seminar

44 Compression function of LANE-256 P 0,,P 5 = 6 rounds, Q 0,Q 1 = 3 rounds The state Input of the round function = a 256 bits word seen as a double AES state Round function: SubBytes (SB), ShiftRows (SR), MixColumns (MC) AddConstant (AC): add columns constants AddCounter (ACO): add a column counter SwapColumns (SC): swaps the two right columns of the left half-state with the two left columns of the right halfstate SwapColumns transform CCA Seminar

45 Integral properties of LANE-256 (1/4) Same principle (2 senses): Direct sense: 4 rounds property with 2 16 texts Extension by 2 rounds at the beginning with texts: CCA Seminar

46 Integral properties of LANE-256 (2/4) Backward sense: 3 backward rounds property with 2 16 texts Extension by 1 round at the beginning with 2 64 texts: CCA Seminar

47 Integral properties of LANE-256 (3/4) Combining both integral properties on 9 rounds: => Distinguisher on 9 rounds with middletexts CCA Seminar

48 Integral properties of LANE-256 (4/4) Extension to the LANE-256 compression function with P 0,P 1,P 2 limited to 3 rounds with values Using for the left part the previous property with middletexts Repeat the 6-round forward property for values of h 0 h 1 => intrinsic property of the compression function of LANE when using values Same kind of properties for LANE-512. CCA Seminar

49 Conclusion Integral properties of Rijndael were not well studied Unknown Keys Distinguishers Known Keys Distinguishers The last model is really useful to create distinguishers for the SHA-3 competition but less efficient than rebound! CCA Seminar

50 Thank you for your attention! [DR98] J. Daemen, V. Rijmen, AES proposal: Rijndael. In First AES conference, NIST, 1998 [Ferguson and al. -00] N. Ferguson, et al.: Improved Cryptanalysis of Rijndael. FSE 2000: [Knudsen-Rijmen 07] L. R. Knudsen, V. Rijmen: Known-Key Distinguishers for Some Block Ciphers. ASIACRYPT 2007: Grøstl: LANE: CCA Seminar