Introduction to symmetric cryptography

Transcription

1 Introduction to symmetric cryptography hristina Boura École de printemps en codage et cryptographie May 17, / 48

2 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions and cryptographic Sboxes ttacks against block ciphers exploiting a low algebraic degree lgebraic attacks Higher-order differential attacks Integral attacks Estimating the algebraic degree of iterated constructions 2 / 48

3 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions and cryptographic Sboxes ttacks against block ciphers exploiting a low algebraic degree lgebraic attacks Higher-order differential attacks Integral attacks Estimating the algebraic degree of iterated constructions 2 / 48

4 Bibliography The Block ipher ompanion, Lars Knudsen and Matt Robshaw Lecture Notes on ryptographic Boolean Functions, nne anteaut nalyse de Fonctions de Hachage ryptographiques, Thèse, hristina Boura 3 / 48

5 Introduction to symmetric-key cryptography Outline 1 Introduction to symmetric-key cryptography 4 / 48

6 Introduction to symmetric-key cryptography Symmetric-key encryption lice and Bob exchange the secret key through a secure channel. Encryption Decryption 5 / 48

7 Introduction to symmetric-key cryptography Symmetric-key encryption lice and Bob exchange the secret key through a secure channel. Encryption Decryption Key-exchange problem birth of the public-key cryptography. 5 / 48

8 Introduction to symmetric-key cryptography Public-key encryption Encryption %gti2z* Decryption 6 / 48

9 Introduction to symmetric-key cryptography dvantages and disadvantages of each system Secret-key Public-key dvantages Fast systems Relatively short-keys No key-exchange needed n users: 2n keys Disadvantages Need secure key-exchange n users: n(n 1) 2 Slow systems keys Relatively long-keys 7 / 48

10 Introduction to symmetric-key cryptography Hybrid encryption Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of every system. Encryption Decryption Encryption Decryption 8 / 48

11 Introduction to symmetric-key cryptography Hybrid encryption Use a public-key cryptosystem to exchange a key (session key). Use the exchanged key to encrypt data by using a symmetric-key cryptosystem. dvantages: Slow public-key cryptosystem is used to encrypt a short string only. Fast symmetric-key cryptosystem is used to encrypt the longer communication session. 9 / 48

12 Introduction to symmetric-key cryptography Symmetric-key authentication Message authentication code (M) Verify Y/N Sign 10 / 48

13 Introduction to symmetric-key cryptography Public-key authentication Digital signatures Verify Y/N Sign lice s public key lice s secret key 11 / 48

14 Introduction to symmetric-key cryptography Hash functions If the message to sign is long, the signing process becomes heavy... Idea: Use a cryptographic hash function. H : {0,1} {0,1} n good hash function should be preimage, second-preimage and collision resistant. In recent hash proposals: n = 256, 512 Hash functions are considered as symmetric-key functions because they use similar building blocks with block-ciphers. 12 / 48

15 Introduction to symmetric-key cryptography Hash and sign Sign Verify Y/N lice s secret key lice s public key 13 / 48

16 Introduction to symmetric-key cryptography The best of the two worlds Secrecy: Hybrid encryption uthentication: Digital signatures with hashing There is a need for both public and symmetric-key cryptosystems. 14 / 48

17 Introduction to symmetric-key cryptography Symmetric-key cryptosystems cryptosystem is a five-tuple (P,, K, E, D) P: set of possible plaintexts : set of possible ciphertexts K: set of possible keys For each k K, there is an encryption rule e k E and a decryption rule d k D. For each k K : d k (e k (m)) = m, for every m P. m e k c d k m 15 / 48

18 Introduction to symmetric-key cryptography Kerckhoffs s principle (1883) In 1883 ugust Kerckhoffs stated 6 design principles for military ciphers. The 2nd principle states: cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Reformulated by laude Shannon as The enemy knows the system. i.e., One ought design systems under the assumption that the enemy will immediately gain full familiarity with them. 16 / 48

19 Introduction to symmetric-key cryptography laude Shannon s theory ommunication Theory of Secrecy Systems, published in Many fundamental ideas of modern cryptography are introduced there: Provable security. onfusion and diffusion. Product ciphers. 17 / 48

20 Introduction to symmetric-key cryptography Shannon s idea of perfect secrecy No information about the plaintext can be obtained by observing the ciphertext. Shannon s definition: cryptosystem has perfect secrecy if n equivalent formulation: Pr(m c) = Pr(m) for all m P,c. Pr(c m) = Pr(c) for all m P,c. 18 / 48

21 Introduction to symmetric-key cryptography Shannon s theorem cryptosystem where P = = K provides perfect secrecy iff 1 Pr K (k) = 1/ K, k K 2 m P,c, exists unique k such that e k (m) = c. Fact: If P > K then no scheme is perfectly secure. 19 / 48

22 Introduction to symmetric-key cryptography The Vernam ipher or One-time Pad One-time Pad Let n 1 and P,,K = {0,1} n. If m = (m 1,...,m n ) P and k = (k 1,...,k n ) K then c = e k (m) = (m 1 k 1,...,m n k n ). Decryption: d k (c) = c k = m k k = m The One-time Pad provides perfect secrecy if used correctly: ll keys are equally likely. Each key is used only once. Two-time Pad c c = (m k) (m k) = m m. 20 / 48

23 Introduction to symmetric-key cryptography The One-time Pad is perfectly secure but... The secret key must be as long as the message. new key has to be generated for each communication. These long keys have to be exchanged in a secure way. Problem of generating truly random sequences for the key. 21 / 48

24 Introduction to symmetric-key cryptography onfusion and diffusion Diffusion: Each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext. onfusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst. Idea: Use permutations to attain diffusion and substitutions to attain confusion. Product iphers 22 / 48

25 Introduction to symmetric-key cryptography Security notions Perfectly secret system: the key has to be at least as long as the message. ll cryptosystems used in practice can theoretically be broken. Symmetric-key approach: Try to make the system secure against all known attacks. No attack should be faster than exhaustive search on the key. 23 / 48

26 Introduction to symmetric-key cryptography Exhaustive search Expected time to recover a κ-bit key: 2 κ 1 operations. κ Time complexity Security (bits) (operations) easy to break practical to break not currently feasible very strong exceptionally strong Table from [Knudsen, Robshaw, The Block ipher ompanion, 2011.] The universe is less than 2 80 microseconds old! The number of the protons in the universe is / 48

27 Introduction to symmetric-key cryptography ryptanalysis of an encryption scheme Different attack models: iphertext-only attack. Known-plaintext attack. hosen-plaintext/ciphertext attack. daptively chosen-plaintext/ciphertext attack. The performance of an attack is measured by its: time complexity. data complexity. memory complexity. 25 / 48

28 Introduction to symmetric-key cryptography Symmetric encryption schemes Stream ciphers ombine (XOR) plaintext bits with a keystream generated by a pseudo-number generator. Keystream should have good statistical properties. dvantages: Performance and low hardware complexity. Block ciphers Operate on blocks of data. Probably the best understood symmetric primitives. an be used to build hash functions, stream ciphers, Ms, authenticated encryption algorithms, PRNGs / 48

29 Introduction to symmetric-key cryptography Block ciphers Encrypt a block of message m into a block of ciphertext c under the action of the key k. E : {0,1} n {0,1} κ {0,1} n (m,k) E(m,k) = c k m E c Given k, it must be easy to compute c from m. Given m,c it must be hard to compute k such that E(m,k) = c. 27 / 48

30 Introduction to symmetric-key cryptography Two important parameters: block size, n key size, κ block cipher generates a family of permutations indexed by a key k. (2 n )! permutations subset 2 κ Ideal design: 2 κ permutations chosen uniformly at random from all 2 n! 2 (n 1)2n permutations. 28 / 48

31 Introduction to symmetric-key cryptography Iterated block ciphers Idea: Iterate a round function f several times. The function f r is waited to be strong for large r. dvantages: ompact implementation. Easier analysis. master key k Key schedule k 1 k 2 k r m f f f c Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys. 29 / 48

32 Introduction to symmetric-key cryptography How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 30 / 48

33 Introduction to symmetric-key cryptography Feistel Network Encryption L 0 R 0 k 1 Introduced by Horst Feistel in the early 70 s. F Split plaintext block: m = (L 0,R 0 ) For each round i = 0,...,r do: L i+1 = R i R i+1 = L i F(R i k i+1 ) iphertext block c = (R r+1,l r+1 ) k 2 F k r F R r+1 L r+1 31 / 48

34 Introduction to symmetric-key cryptography Feistel Network Introduced by Horst Feistel in the early 70 s. Split ciphertext block: c = (R r+1,l r+1 ) For each round i = r,...,0 do: R i = L i+1 L i = R i+1 F(L i+1 k i+1 ) Plaintext block m = (L 0,R 0 ) Decryption R r+1 L r+1 k r F k r 1 F Decryption with K = (k 1,...,k r ) equals encryption with K = (k r,...,k 1 ). F has not to be invertible. L 0 k 1 F R 0 31 / 48

35 Introduction to symmetric-key cryptography Data Encryption Standard (DES) The first and probably most famous Feistel cipher. Designed by IBM and published in Based on an earlier internal design called Lucifer. 1977: DES is published as a FIPS standard [FIPS 46]. 32 / 48

36 Introduction to symmetric-key cryptography DES Block size: 64 bits Key size: 56 bits 16 rounds 32 bits L 0 IP k 1 48 bits F R 0 32 bits Ri (32 bits) ki (48 bits) k 2 E 48 bits F S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 k 16 F P IP 1 R 16 L / 48

37 Introduction to symmetric-key cryptography Generalized Feistel Networks lassical Feistel Unbalanced Feistel lternating Feistel F F F G Type-1 Feistel Type-2 Feistel F F G 34 / 48

38 Introduction to symmetric-key cryptography Structrural properties of DES The omplementation Property DES k (m) = DES k (m) where x := bitwise complement of x Limited impact to the security in the classical model. Halves the cost of the exhaustive key search. Encrypt m and m: c = DES k (m) and c = DES k (m) For each candidate t, compute d = DES t (m). heck if d = c t candidate for k. heck if d = c (d = DES t (m)) t candidate for k. 35 / 48

39 Introduction to symmetric-key cryptography Structrural properties of DES Weak keys k weak: DES k (DES k (m)) = m. 4 weak keys were found for DES. Each weak key has 2 32 fixed points m : DES k (m) = m. 36 / 48

40 Introduction to symmetric-key cryptography Breaking DES 1992 : Differential cryptanalysis (theoretical attack, 2 47 chosen plaintexts) : Linear cryptanalysis (practical attack, a DES key is recovered). 1997: DESHLL Project (brute-force project over the net). message encrypted with DES is broken for the first time. 1999: Deep rack and distributed.net break a DES key in less than 23 hours. 2004: The standard is withdrawn. Key-length too short!!! DES still survives via its Triple-DES form. 37 / 48

41 Introduction to symmetric-key cryptography Substitution Permutation Network (SPN) m k1 Substitution Permutation k2 Substitution Permutation k3 Substitution Permutation k4 Substitution Permutation k5 c 38 / 48

42 Introduction to symmetric-key cryptography Substitution Permutation Network (SPN) m k1 S S S S k2 S S S S k3 S S S S k4 S S S S k5 c 38 / 48

43 Introduction to symmetric-key cryptography The dvanced Encryption Standard (ES) ompetition [ ] On January 2, 1997 the NIST announced that they wished a successor to DES (to be known as ES). Public competition, inputs from the cryptographic community. Requirements: Block size of 128 bits, key size of 128, 192, 256 bits, security of 2-key triple-des as minimum. 21 submissions (15 accepted for the 1st round) 5 finalists (Rijndael, Serpent, Twofish, R6, MRS) On October 2, 2000, Rijndael becomes the ES. 2001: Standardization [FIPS 197] 39 / 48

44 Introduction to symmetric-key cryptography ES Designed by Joan Daemen and Vincent Rijmen. Structure: Byte-oriented Substitution-Permutation Network. State: 128 bits, seen as a 4 4 matrix of bytes. 3 key-lengths: 128, 192, 256 bits Number of rounds: 10, 12, 14 rounds resp. 40 / 48

45 Introduction to symmetric-key cryptography ES Representation Each byte is viewed in two different ways: string of 8 bits (b 7,b 6,b 5,b 4,b 3,b 2,b 1,b 0 ) (8 th -dim vector over F 2 ) n element of the finite field with 2 8 elements F 2 8 b 7 X 7 +b 6 X 6 +b 5 X 5 +b 4 X 4 +b 3 X 3 +b 2 X 2 +b 1 X 1 +b 0 Irreducible polynomial R P R P = X 8 +X 4 +X 3 +X / 48

46 Introduction to symmetric-key cryptography n ES round Four byte-oriented transformations. SubBytes ShiftRows Mixolumns ddroundkey 42 / 48

47 Introduction to symmetric-key cryptography SubBytes S 43 / 48

48 Introduction to symmetric-key cryptography The ES Sbox S : F 2 8 F 2 8 x x 1 followed by an affine transformation on F 8 2 : y x 0 1 y x 1 1 y x 2 0 y 3 y 4 = x x y x 5 1 y x 6 1 y x 7 0 Good resistance against differential and linear cryptanalysis. 44 / 48

49 Introduction to symmetric-key cryptography ShiftRows 45 / 48

50 Introduction to symmetric-key cryptography Mixolumns M x 0 y x x 2 = y 1 y x 3 y 3 46 / 48

51 Introduction to symmetric-key cryptography Mixolumns M MDS matrix. Branch number = min x F 8 2 (HW(x)+HW(M(x)) = / 48

52 Introduction to symmetric-key cryptography ddroundkey K i Lightweight non-linear key-schedule (memory, performance) 47 / 48

53 Introduction to symmetric-key cryptography ryptanalysis of ES 2000 Integral attacks 2002 lgebraic attacks: ES is claimed to be broken. Proved to be not realistic Related-key attacks: ES-192 and ES-256 are broken under this model. Should we care? Meet-in-the-middle attacks 2011 Biclique attacks: First theoretical attacks on full ES. omplexity is quite marginal (see them as accelerated exhaustive search). 48 / 48

54 Boolean Functions lgebraic attacks hristina Boura École de printemps en codage et cryptographie May 18, / 42

55 Boolean functions and cryptographic Sboxes Outline 1 Boolean functions and cryptographic Sboxes 2 lgebraic attacks 2 / 42

56 Boolean functions and cryptographic Sboxes Boolean functions Inspired by nne anteaut s Lecture Notes Boolean function f of n variables is a function f : F n 2 F 2 x = (x 1,...,x n ) f(x) Value vector: Binary vector v f of length 2 n composed of all values f(x), for x F n 2. Example: f : F 3 2 F 2 v f = (f(1,1,1),f(1,1,0),f(1,0,1),f(1,0,0),f(0,1,1),f(0,1,0),f(0,0,1),f(0,0,0)) v f = (1,0,0,1,1,0,1,0) 3 / 42

57 Boolean functions and cryptographic Sboxes Truth table x x x f(x 1,x 2,x 3 ) / 42

58 Boolean functions and cryptographic Sboxes Question Question: How many different Boolean functions of n variables exist? 5 / 42

59 Boolean functions and cryptographic Sboxes Question Question: How many different Boolean functions of n variables exist? 2 2n 5 / 42

60 Boolean functions and cryptographic Sboxes Hamming weight of a Boolean function Let f : F n 2 F 2. The Hamming weight of f is defined as the number of 1 s in v f. wt(f) = wt(v f ) = #{x F n 2 : f(x) 0} For many cryptographic applications, we need Boolean functions that have a behaviour close to random functions. Use balanced functions. f is balanced wt(f) = 2 n 1 6 / 42

61 Boolean functions and cryptographic Sboxes Balancedness and bias Let f : F n 2 F 2. The bias of f is E(f) = x F n 2 ( 1) f(x) = #{x F n 2 : f(x) = 0} #{x F n 2 : f(x) = 1} = 2 n #{x F n 2 : f(x) = 1} #{x Fn 2 : f(x) = 1} = 2 n 2wt(f) f is balanced E(f) = 0 7 / 42

62 Boolean functions and cryptographic Sboxes lternative representation of a Boolean function Representation of a Boolean function, where the function is seen as a multivariate polynomial. In F 2 : +: XOR : ND x 2 i = x i (as 0 2 = 0 and 1 2 = 1) Monomial in F 2 [x 1,...,x n ]/(x 2 1 +x 1,...,x 2 n +x n ): product of distinct variables Examples: x 1, x 3 x 4, x 2 x 4 x 5, x 1 x 2...x n 8 / 42

63 Boolean functions and cryptographic Sboxes Monomials Notation : Monomial in F 2 [x 1,...,x n ]/(x 2 1 +x 1,...,x 2 n +x n ): where u = (u 1,...,u n ) F n 2. x u = n i=1 x u i i, Example: x F 4 2 : x1010 = x 1 1 x0 2 x1 3 x0 4 = x 1x 3 9 / 42

64 Boolean functions and cryptographic Sboxes lgebraic normal form (NF) Proposition: ny f : F n 2 F 2 can be uniquely written as a multivariate polynomial in F 2 [x 1,...,x n ]/(x 2 1 +x 1,...,x 2 n +x n): f(x 1,...,x n ) = a u x u, where a u F 2. u F n 2 This polynomial is called the lgebraic Normal Form (NF) of f. The coefficients a u can be computed as follows: a u = x uf(x), where x u x i u i, pour 1 i n 10 / 42

65 Boolean functions and cryptographic Sboxes Example (x 1,x 2,x 3 ) (1,1,1) (0,1,1) (1,0,1) (0,0,1) (1,1,0) (0,1,0) (1,0,0) (0,0,0) f(x 1,x 2,x 3 ) a 000 = f(0,0,0) = 0 a 100 = f(1,0,0)+f(0,0,0) = 1+0 = 1 a 010 = f(0,1,0)+f(0,0,0) = 0+0 = 0 a 110 = f(1,1,0)+f(0,1,0)+f(1,0,0)+f(0,0,0) = = 0 a 001 = f(0,0,1)+f(0,0,0) = 1+0 = 1 a 101 = f(1,0,1)+f(1,0,0)+f(0,0,1)+f(0,0,0) = = 0 a 011 = f(0,1,1)+f(0,1,0)+f(0,0,1)+f(0,0,0) = = 1 a 111 = x F 3 f(x) = wt(f) mod 2 = / 42

66 Boolean functions and cryptographic Sboxes Example (x 1,x 2,x 3 ) (1,1,1) (0,1,1) (1,0,1) (0,0,1) (1,1,0) (0,1,0) (1,0,0) (0,0,0) f(x 1,x 2,x 3 ) a 000 = f(0,0,0) = 0 a 100 = f(1,0,0)+f(0,0,0) = 1+0 = 1 a 010 = f(0,1,0)+f(0,0,0) = 0+0 = 0 a 110 = f(1,1,0)+f(0,1,0)+f(1,0,0)+f(0,0,0) = = 0 a 001 = f(0,0,1)+f(0,0,0) = 1+0 = 1 a 101 = f(1,0,1)+f(1,0,0)+f(0,0,1)+f(0,0,0) = = 0 a 011 = f(0,1,1)+f(0,1,0)+f(0,0,1)+f(0,0,0) = = 1 a 111 = x F 3 f(x) = wt(f) mod 2 = 0 2 f(x 1,x 2,x 3 ) = x 1 +x 3 +x 2 x 3 11 / 42

67 Boolean functions and cryptographic Sboxes Degree of a Boolean function The algebraic degree of a Boolean function f is defined as deg(f) = max{wt(u) : a u 0} u F n 2 Example: f(x 1,x 2,x 3 ) = x 1 x 2 x 3 +x 1 x 3 +x deg(f) = 3 12 / 42

68 Boolean functions and cryptographic Sboxes Functions of degree n Let f : F n 2 F 2. a = x F n 2 f(x) = wt(f) mod 2 deg(f) = n iff wt(f) is odd. Functions of maximum degree are not balanced. Maximal degree functions are not used in cryptographic applications. 13 / 42

69 Boolean functions and cryptographic Sboxes ffine functions Let f : F n 2 F 2 of degree 1. Then, wt(f) = 2 n 1. ffine functions are balanced. Let f = b x+ε, with b F n 2 \{0} and ε F 2. If ε = 1, f(x) = 1 iff b x = 0 iff x b (hyperplane) If ε = 0, f(x) = 1 iff b x = 1 iff x F n 2 \ b 14 / 42

70 Boolean functions and cryptographic Sboxes ryptographic Sboxes n Sbox S from F n 2 into Fm 2 variables. is a collection of m Boolean functions of n Example (PRESENT Sbox S : F 4 2 F4 2 ) x a b c d e f S(x) c 5 6 b 9 0 a d 3 e f S 1 (x) S 2 (x) S 3 (x) S 4 (x) / 42

71 Boolean functions and cryptographic Sboxes NF of the Sbox S 1 = x 1 +x 3 +x 4 +x 2 x 3 S 2 = x 2 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 S 3 = 1+x 3 +x 4 +x 1 x 2 +x 1 x 4 +x 2 x 4 +x 1 x 2 x 4 +x 1 x 3 x 4 S 4 = 1+x 1 +x 2 +x 4 +x 2 x 3 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 The functions S 1,...,S m are called the coordinates of the Sbox. 16 / 42

72 Boolean functions and cryptographic Sboxes omponents of the Sbox Let S : F n 2 Fm 2. The components of the Sbox are the n-variable Boolean functions S λ : x λ S(x) for all λ F m 2. Examples: S 3 = S 1 +S 2 S 15 = S 1 +S 2 +S 3 +S 4 The components of an Sbox offer a useful characterisation. 17 / 42

73 Boolean functions and cryptographic Sboxes When an Sbox is a permutation Let S : F n 2 Fn 2. S is a permutation iff all its non-trivial components are balanced. Proof. (S permutation S λ are balanced) Suppose S is a permutation and let λ 0. Then, E(S λ ) = ( 1) λ S(x) = ( 1) λ y = 0. x F n 2 y F n 2 18 / 42

74 Boolean functions and cryptographic Sboxes lgebraic degree of an Sbox Let S : F n 2 Fm 2. The degree of S is the maximal degree of the NF of its components. Example: S = (S 1,S 2,S 3,S 4 ) S 1 = x 1 +x 3 +x 4 +x 2 x 3 S 2 = x 2 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 S 3 = 1+x 3 +x 4 +x 1 x 2 +x 1 x 4 +x 2 x 4 +x 1 x 2 x 4 +x 1 x 3 x 4 S 4 = 1+x 1 +x 2 +x 4 +x 2 x 3 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 deg(s) = 3 19 / 42

75 Boolean functions and cryptographic Sboxes lgebraic degree of a permutation Boolean functions of maximal degree are not balanced. n Sbox is a permutation iff all its non-trivial components are balanced. The degree of an Sbox is the maximal degree of its components. Let S : F n 2 Fn 2. S is a permutation deg(s) n 1 20 / 42

76 Boolean functions and cryptographic Sboxes Univariate representation Identify the vector space F n 2 with the finite field F 2 n. S(X) = 2 n 1 i=0 b i X i, b i F 2 n. 21 / 42

77 Boolean functions and cryptographic Sboxes Degree in the univariate representation Let S be an n-bit Sbox and let F(x) = 2 n 1 i=0 be its univariate representation in F 2 n[x]. The degree of F is given by b i x i deg(f) = max{wt(i) : 0 i < 2 n and b i 0}. 22 / 42

78 lgebraic attacks Outline 1 Boolean functions and cryptographic Sboxes 2 lgebraic attacks 23 / 42

79 lgebraic attacks Basic algebraic attack Principle introduced by laude Shannon in Express the whole cipher as a large system of multivariate algebraic equations. Known-plaintext attack Known coefficients : plaintext and ciphertext bits Uknowns: key bits Solve the algebraic system and recover the secret key. 24 / 42

80 lgebraic attacks Linearization (I) The complexity of the attack depends on the degree of the system. (naive) method for solving such a system: linearization. Idea: Identify the system with a linear system of d i=1 ( ) n variables, i where n is the block size. Each product of i initial variables, 1 i d is seen as a new variable. 25 / 42

81 lgebraic attacks Linearization (II) Solve the linear system by linear algebra. omplexity: ( d i=1 ( ) ) ω n n ω, i where ω depends on the method used for the resolution (ω 2.37). Other methods for solving the system: Gröbner basis algorithms ad-hoc techniques: XL, XSL. 26 / 42

82 lgebraic attacks Example on a toy cipher nne anteaut s Lecture Notes Block size: n = 4 bits Key size: 8 bits k 1 k 2 m u S v c c = k 2 S(m k 1 ) c k 2 = S(m k 1 ) One plaintext-ciphertext pair gives 4 equations in 8 variables. 27 / 42

83 lgebraic attacks NF of the Sbox x a b c d e f S(x) f e b c 6 d a S 1 = 1+x 1 +x 3 +x 2 x 3 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 3 x 4 +x 2 x 3 x 4 S 2 = 1+x 1 x 2 +x 1 x 3 +x 1 x 2 x 3 +x 4 +x 1 x 4 +x 1 x 2 x 4 +x 1 x 3 x 4 S 3 = 1+x 2 +x 1 x 2 +x 2 x 3 +x 4 +x 2 x 4 +x 1 x 2 x 4 +x 3 x 4 +x 1 x 3 x 4 S 4 = 1+x 3 +x 1 x 3 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 3 x 4 +x 2 x 3 x 4 28 / 42

84 lgebraic attacks Write down the equations Express each ciphertext bit c i, 1 i 4, as a multivariate polynomial in the plaintext bits m 1,...,m 4 and in the key bits k 1,...,k 8. c 1 +k 5 = 1+(m 1 +k 1 )+(m 3 +k 3 )+(m 2 +k 2 )(m 3 +k 3 )+(m 4 +k 4 ) + (m 2 +k 2 )(m 4 +k 4 )+(m 3 +k 3 )(m 4 +k 4 )+(m 1 +k 1 )(m 3 +k 3 )(m 4 +k 4 ) + (m 2 +k 2 )(m 3 +k 3 )(m 4 +k 4 ) c 2 +k 6 = 1+(m 1 +k 1 )(m 2 +k 2 )+(m 1 +k 1 )(m 3 +k 3 )+(m 1 +k 1 )(m 2 +k 2 )(m 3 +k 3 ) + (m 4 +k 4 )+(m 1 +k 1 )(m 4 +k 4 )+(m 1 +k 1 )(m 2 +k 2 )(m 4 +k 4 ) + (m 1 +k 1 )(m 3 +k 3 )(m 4 +k 4 ) c 3 +k 7 = 1+(m 2 +k 2 )+(m 1 +k 1 )(m 2 +k 2 )+(m 2 +k 2 )(m 3 +k 3 )+(m 4 +k 4 ) + (m 2 +k 2 )(m 4 +k 4 )+(m 1 +k 1 )(m 2 +k 2 )(m 4 +k 4 )+(m 3 +k 3 )(m 4 +k 4 ) + (m 1 +k 1 )(m 3 +k 3 )(m 4 +k 4 ) c 4 +k 8 = 1+(m 3 +k 3 )+(m 1 +k 1 )(m 4 +k 3 )+(m 4 +k 4 )+(m 3 +k 2 )(m 4 +k 4 ) + (m 3 +k 3 )(m 4 +k 4 )+(m 2 +k 1 )(m 3 +k 3 )(m 4 +k 5 ) + (m 2 +k 2 )(m 3 +k 4 )(m 4 +k 4 ) 29 / 42

85 lgebraic attacks Re-write the equations c 1 +k 5 = S 1 (m)+(1+m 3 m 4 )k 1 +(m 3 +m 4 +m 3 m 4 )k 2 + (1+m 2 +m 4 +m 1 m 4 +m 2 m 4 )k 3 + (1+m 2 +m 3 +m 1 m 3 +m 2 m 3 )k 4 +m 4 k 1 k 3 +m 3 k 1 k 4 +(1 +m 4 )k 2 k 3 + (1+m 3 )k 2 k 4 +(1+m 1 +m 2 )k 3 k 4 +k 1 k 3 k 4 +k 2 k 3 k 4 c 2 +k 6 = S 2 (m)+(m 2 +m 3 +m 2 m 3 +m 4 +m 2 m 4 +m 3 m 4 )k 1 + (m 1 +m 1 m 3 +m 1 m 4 )k 2 +(m 1 +m 1 m 2 +m 1 m 4 )k 3 + (1+m 1 +m 1 m 2 +m 1 m 3 )k 4 +(1 +m 3 +m 4 )k 1 k 2 +(1+m 2 +m 4 )k 1 k 3 + (1+m 2 +m 3 )k 1 k 4 +m 1 k 2 k 3 +m 1 k 2 k 4 +m 1 k 3 k 4 +k 1 k 2 k 3 +k 1 k 2 k 4 +k 1 k 3 k 4 c 3 +k 7 = S 3 (m)+(m 2 +m 2 m 4 +m 3 m 4 )k 1 +(1+m 1 +m 3 +m 4 +m 1 m 4 )k 2 + (m 2 +m 4 +m 1 m 4 )k 3 +(1+m 2 +m 3 +m 1 m 2 +m 1 m 3 )k 4 +(1 +m 4 )k 1 k 2 + m 4 k 1 k 3 +(m 2 +m 3 )k 1 k 4 +k 2 k 3 +m 1 k 3 k 4 +(1 +m 1 )k 2 k 4 +k 3 k 4 +k 1 k 2 k 4 + k 1 k 3 k 4 c 4 +k 8 = S 4 (m)+(m 3 +m 3 m 4 )k 1 +(m 4 +m 3 m 4 )k 2 + (1+m 1 +m 4 +m 1 m 4 +m 2 m 4 )k 3 +(1 +m 2 +m 3 +m 1 m 3 +m 2 m 3 )k 4 + (1+m 4 )k 1 k 3 +(m 3 )k 1 k 4 +m 4 k 2 k 3 +(1+m 3 )k 2 k 4 +(1+m 1 +m 2 )k 3 k 4 + k 1 k 3 k 4 +k 2 k 3 k 4 30 / 42

86 lgebraic attacks Replace the known values From the plaintext-ciphertext couple (m, c) = (0x0, 0x4) we get c 1 +k 5 = 1+k 1 +k 3 +k 4 +k 2 k 3 +k 2 k 4 +k 3 k 4 +k 1 k 3 k 4 +k 2 k 3 k 4 c 2 +k 6 = 1+k 4 +k 1 k 2 +k 1 k 3 +k 1 k 4 +k 1 k 2 k 3 +k 1 k 2 k 4 +k 1 k 3 k 4 c 3 +k 7 = 1+k 2 +k 4 +k 1 k 2 +k 2 k 3 +k 2 k 4 +k 3 k 4 +k 1 k 2 k 4 +k 1 k 3 k 4 c 4 +k 8 = 1+k 3 +k 4 +k 1 k 3 +k 2 k 4 +k 3 k 4 +k 1 k 3 k 4 +k 2 k 3 k 4 Polynomial system of degree d = 3 with 8 unknowns. 31 / 42

87 lgebraic attacks Linearize the system Replace each monomial in the key bits of degree 2 or 3 with a new unknown: k 9 = k 1 k 2,k 10 = k 1 k 3,...,k 14 = k 3 k 4,k 15 = k 1 k 2 k 3,...,k 18 = k 2 k 3 k 4 c 1 +k 5 = 1+k 1 +k 3 +k 4 +k 12 +k 13 +k 14 +k 16 +k 18 c 2 +k 6 = 1+k 4 +k 9 +k 10 +k 11 +k 15 +k 17 +k 16 c 3 +k 7 = 1+k 2 +k 4 +k 9 +k 12 +k 13 +k 14 +k 17 +k 16 c 4 +k 8 = 1+k 3 +k 4 +k 10 +k 13 +k 14 +k 16 +k 18 Linear system with 8+ ( 4 2) + ( 4 3) = 18 unknowns. 32 / 42

88 lgebraic attacks Solve the system Here, 5 (m,c) couples are enough to solve the system (4 5 = 20 equations). In practice, block ciphers have a much larger block size and are composed of many rounds. The degree of the polynomial system increases with the number of rounds. Solving such systems: infeasible even for a few rounds. 33 / 42

89 lgebraic attacks lternative solution: use intermediate variables Use intermediate variables to control the degree of the system. k 1 k 2 w S x k 3 m u S v c onsider the 4 bits of v as additional unknowns. One known P- pair gives 8 equations of degree 3 with 16 unknowns (12 key bits + 4 bits of v). For any additional P- pair : +4 equations but +4 unknowns N P- pairs 8N equations and N unknowns. 34 / 42

90 lgebraic attacks dvanced algebraic attack Decrease the degree of the polynomial system even if the round function has a high degree. Idea introduced by ourtois and Pieprzyk in Example: Relations of degree 2 between inputs and outputs: x 2 x 4 +x 2 S 1 (x 1,...,x 4 )+x 2 S 2 (x 1,...,x 4 ) = 0 We get then the following quadratic equation: (m 4 +c 1 +c 2 )k 2 +m 2 k 4 +m 2 k 5 +m 2 k 6 +k 2 k 4 +k 2 k 5 +k 2 k 6 = m 2 m 4 +m 2 c 1 +m 2 c / 42

91 lgebraic attacks Relations of degree 2 21 linearly independent relations of degree 2 between the input and the output bits can be exhibited. System easier to solve than the original equations. Question: What is the least number of linearly independent relations of degree at most d? d i=0 ( ) 2n 2 n i 36 / 42

92 lgebraic attacks Example ny function from F 4 2 into F4 2 has at least 2 i=0 ( ) = = 21 i quadratic relations between its inputs and outputs. 37 / 42

93 lgebraic attacks The case of ES (I) The ES Sbox can be seen as the composition of the inversion over F 2 8 with an affine function. For the inverse operation, the input a and output b satisfy the relation over F 2 8. ab = 1 (a 7 X 7 +a 6 X 6 +a 5 X 5 +a 4 X 4 +a 3 X 3 +a 2 X 2 +a 1 X +a 0 ) (b 7 X 7 +b 6 X 6 +b 5 X 5 +b 4 X 4 +b 3 X 3 +b 2 X 2 +b 1 X +b 0 ) = 1 38 / 42

94 lgebraic attacks The case of ES (II) Derive 8 multivariate quadratic equations over F 2 (one for each coefficient of the previous equation). Example a 0 b 0 +a 7 b 1 +a 6 b 2 +a 5 b 3 +a 4 b 4 +a 3 b 5 +a 2 b 6 + a 1 b 7 +a 7 b 6 +a 6 b 7 +a 7 b 5 +a 6 b 6 +a 5 b 7 = 1. Derive other equations by exploiting for example relations of the form a 2 b = a and ab 2 = b over F / 42

95 lgebraic attacks Quadratic system for ES There are in total 39 quadratic relations for the ES Sbox (much more than for a randomly chosen mapping over F 8 2. Use these relations of degree 2 to form a quadratic system by introducing new variables for the outputs of successive rounds quadratic equations of 1600 variables. 40 / 42

96 lgebraic attacks Solving the system How to solve the resulting system? XSL (extended Sparse Linearisation): based on linearization, but attempting to exploit the sparsity and specific structure of the equation system. Gröbner Basis algorithms, ST-solvers, etc. ourtois and Pieprzyk claimed that by using XSL it was possible to mount an (at least theoretical) successful attack against ES-128. However, it was shown by id and Leurent (siacrypt 05) that the algorithm did not work as expected, so one could not claim that ES was broken. 41 / 42

97 lgebraic attacks The limitations of algebraic attacks No well-known block cipher has been broken using pure algebraic techniques faster than with other techniques. lgebraic cryptanalysis works better in the case of stream ciphers and resistance against such attacks is a design criteria goal. The applicability of an algebraic attack mainly depends on the algebraic degree of the block cipher. Other attacks depending on the algebraic degree: Higher-order differential attacks, their derivatives and extensions. 42 / 42

98 Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, / 59

99 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 2 / 59

100 Last-round attacks Statistical attacks Statistical attacks exploit relations that hold with a certain probability only. Rely on the existence of a distinguisher. distinguisher D for a block cipher (E k ) k is an algorithm taking N pairs (x i,y i ), 1 i N and returning 0 or 1. Goal: Decide if the N pairs are input-output pairs of the target block cipher or not: 1: If the (x i,y i ) are input-output pairs of E k for some key k. 0: If the (x i,y i ) are input-output pairs of a random permutation. 3 / 59

101 Last-round attacks dvantage of the distinguisher Let p be the probability that the algorithm returns 1 (the N pairs come from the target block cipher). Let p be the probability that the algorithm returns 0 (the N pairs come from a random permutation). The capacity to distinguish the target block cipher from a random permutation is measured as p p and is called advantage. 4 / 59

102 Last-round attacks onsequences of a distinguisher The existence of a distinguisher with a non-negligeable advantage is an undesirable property for a block cipher. However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered. But: For iterated ciphers a distinguisher for the reduced cipher E k = F kr F kr 1 F k1 can be a serious thread. G k = F kr 1 F k1 5 / 59

103 Last-round attacks ttack on the last round (I) If an attacker finds a distinguisher D for the reduced-round cipher G k, then he can run a last-round attack. Goal: Recover the last-round subkey k r. 6 / 59

104 Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F F z G k (x) ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). 7 / 59

105 Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). For all possible values k compute y i = F 1 k (z i ) 7 / 59

106 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k 8 / 59

107 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) 8 / 59

108 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) 8 / 59

109 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k r x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) : P(k ) = F 1 k E k = F 1 k F kr F kr 1 F kr 2 F k1 = F 1 k r F kr F kr 1 F kr 2 F k1 = F kr 1 F kr 2 F k1 = G k P(k ) belongs to the family of reduced-ciphers. 8 / 59

110 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is a wrong subkey, P(k ) is assumed to have the same behaviour as a randomly chosen permutation. This assumption is known as the wrong-key randomization hypothesis. 8 / 59

111 Last-round attacks lgorithm Data: N plaintext-ciphertext couples (x i,z i ), for 1 i N Result: set of candidate keys for the last-round subkey k r for all possible values k of k r do counter 0 ; for i = 0...N do compute y i = F 1 k (z i ); counter counter + D(x i,y i ); end if counter τ then return k ; end end The value τ is a threshold value fixed by the attacker. 9 / 59

112 Last-round attacks Remarks s we exhaust all values of the last round subkey, this attack only works in this basic form if the subkeys have a small size (eg. not for ES-128) In practice, we only try to recover a small part of the last round key (some bits). For the other bits of the subkey, we repeat the attack by modifying the parameters of the attack. Once the last subkey recovered, how do we proceed next? For some ciphers, once a subkey completely recovered, one can compute back through the key schedule to retrieve the master key. If the different subkeys are not related, one can Exhaustively search the remaining key bits Repeat the same attack on the ciphers obtained by successively removing the last round ombine both approaches 10 / 59

113 Higher-order differential attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 11 / 59

114 Higher-order differential attacks Higher-order derivatives Let F : F n 2 Fn 2. Derivative of F at a point a F n 2 : D a F(x) := F(x a) F(x), for every x F n 2 Xuejia Lai extended this notion in Definition[k-th order derivative of F] For any k-dimensional subspace V of F n 2, the k-th order derivative of F with respect to V is the function defined by D V F(x) = D a1 D a2...d ak F(x) = F(x+v), v V for every x F n 2, where (a 1,...,a k ) is a basis of V. 12 / 59

115 Higher-order differential attacks Example Let F : F n 2 Fn 2 and V = a 1,a 2 F n 2 of dimension 2. The 2 nd -order derivative of F with respect to V is D V F(x) = D a1 D a2 F(x) = D a1 (F(x)+F(x+a 2 )) = F(x)+F(x+a 1 )+F(x+a 2 )+F(x+a 1 +a 2 ). 13 / 59

116 Higher-order differential attacks Degree of a derivative Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Then, D a F d 1. Examples: F(x 1,...,x n ) = x 1. Then, D a F(x) = D a (x 1 ) = (x 1 a 1 ) x 1 = a 1 deg(d a F) = 0 F(x 1,...,x n ) = x 1 x 2. Then, D a F(x) = D a (x 1 x 2 ) = (x 1 a 1 )(x 2 a 2 ) x 1 x 2 = x 1 x 2 a 1 x 2 a 2 x 1 a 1 a 2 x 1 x 2 = a 1 x 2 a 2 x 1 a 1 a 2 deg(d a F) = 1 14 / 59

117 Higher-order differential attacks Important property Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Example: F(x 1,...,x n ) = x 1 x 2 x d. Then, D a (x 1 x 2 x d ) = (x 1 a 1 )(x 2 a 2 )...(x d a d ) x 1 x 2 x d = x 1 x d terms of deg d 1 x 1 x d deg(d a F) d 1 Proposition[Lai 94] For every subspace V with dim V > deg F, D V F(x) = v V F(x+v) = 0, for every x F n / 59

118 Higher-order differential attacks ttack on the last round ttack based on a low degree. F k 0 S k 1 S k r 1 S k r m S L S L S L c S S S z = F 1 k (c) deg < d 16 / 59

119 Higher-order differential attacks Use higher-order derivatives [Knudsen 94] For all values of k check whether m z = F 1 k (c) has degree < d. How? k r 1 S S L k r c heck whether all derivatives of order d are zero. S z = F 1 k (c) 17 / 59

120 Higher-order differential attacks The attack Let V be a vector space of dimension d. Input: hoose 2 d plaintexts of the form m v, v V (coset of V ) and get the corresponding ciphertexts. Example d = 3,m = 0, V = v 1,v 2,v 3. hosen plaintexts: 0,v 1,v 2,v 3,v 1 v 2,v 1 v 3,v 2 v 3,v 1 v 2 v 3. If for a key k, 2 d 1 i=0 we conclude that k is a wrong key. F 1 k (c i) 0, 18 / 59

121 Higher-order differential attacks Number of candidate keys What is the probability that for a wrong key, i F 1 k (c i) = 0? (false alarm probability) 2 d 1 P F 1 k (c i) = 0 = 2 n, where n is the block size. i=0 s there are 2 κ key candidates (κ is the size of a subkey), around 2 κ n among them will be proposed as candidates for the right key. 19 / 59

122 Higher-order differential attacks Find the right candidate How to find the right key among the left candidates? Do an exhaustive search among the remaining candidates or Repeat the attack by choosing a different vector space of dimension d. Data complexity: 2 d chosen plaintexts. Time complexity: 2 d 2 κ. Remark In practice, we recover smaller fragments of the key. 20 / 59

123 Higher-order differential attacks The KN cipher [Knudsen-Nyberg 95] 6-round Feistel cipher x i 1 y i 1 ki E : F 32 2 F33 2 linear T : F 33 2 F32 2 linear k i : 33-bit subkey T S E S : F 2 33 F 2 33 with x x 3 x i y i F 32 2 F32 2 F 32 2 F32 2 (x,y) (y,x T S(E(x) k i )) 21 / 59

124 Higher-order differential attacks The role of the function S Name initially given to the cipher: RDI (ipher Resistant gainst Differential ryptanalysis). The function S plays a crucial role. The function x x 3 on the field F 33 2 was chosen. This function is known to be resistant against linear and differential attacks. But, this function is of degree / 59

125 Higher-order differential attacks Higher-order differential attack against KN Presented by Jacobsen and Knudsen in Exploit the low algebraic degree of the round function. Input: Plaintexts of the form (x 0,y 0 ) F 32 2 F32 2, where y 0 = c, for some constant c. 23 / 59

126 Higher-order differential attacks 4 rounds of encryption x 0 = x y 0 = c F k1 y 0 (x) = c y 1 (x) = x F k1 (c) := x c y 2 (x) = F k2 (x c ) c y 3 (x) = F k3 (F k2 (x c ) c) x c y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) + F k2 (x c ) c F k2 F k3 F k4 F k5 d = 1 d = 2 d = 4 y 4 d = 8 F k6 x 6 y 6 24 / 59

127 Higher-order differential attacks Evaluate the degree of y 4 y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) F k2 (x c ) c Obviously, the degree of y 4 is bounded by the degree of G = F k4 F k3 F k2 s deg(f ki ) = deg(s) = 2, we get that deg(y 4 ) deg(g) deg(f k4 ) deg(f k3 ) deg(f k2 ) / 59

128 Higher-order differential attacks Write down the equations If V is a subspace of F 32 2 we have: with dim(v) = 9, D V y 4 (x) = v V y 4 (v x) = 0, for all x F We get now the following equation: y 4 F k5 d = 8 F k6 y 5 x 6 (x) = F k6 (y 5 (x)) y 4 (x), y 4 (x) = F k6 (y 5 (x)) x 6 (x) x 6 y 6 26 / 59

129 Higher-order differential attacks ttack equation F k6 (y 5 (v w)) x 6 (v w) = 0. v V v V Recover the key k 6. There will be in average = 2 candidate keys for k 6. Recover the remaining subkeys by mounting the same attack on the reduced-round cipher. 27 / 59

130 Integral attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 28 / 59

131 Integral attacks Integral attacks - History ttack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher. In 1997, the SQURE cipher was presented by Daemen, Knudsen and Rijmen. During the design, the authors discover a new chosen-plaintext attack against 6 rounds of the cipher. This new attack was named the square attack. In the beginning the attack was applied against SPN ciphers. Later, Lucks generalizes the attack to other type of ciphers and call it the saturation attack. In 2002, Knudsen and Wagner unify the different aspects of these attacks and give them the name integral attacks. 29 / 59

132 Integral attacks Multisets Multiset: Every element in the set can appear multiple times. n element of a multiset is a pair (value, multiplicity). Example. V = {1,2,2,2,3,3,4}, or V = {(1,1),(2,3),(3,2),(4,1)} The attacker studies the propagation of the multiset through the cipher. 30 / 59

133 Integral attacks Integral over a multiset pplication to word-oriented ciphers. Notation: w number of words in a plaintext. (e.g. ES: 16 words of 8-bits each). hoose plaintexts in a way that the multiset in each word verifies a specific property. Definition. We call integral over a multiset S the sum v v S 31 / 59

134 Integral attacks Properties n attacker tries to predict the values in the integrals after a certain number of rounds. Distinguish between 3 cases. (For the examples, the word-size is 3 bits.) 1 : ll w words in the multiset have the same constant value. The multiset S = {3,3,3,3,3,3,3,3} has the property. 2 : The w words in the multiset take all possible values. The multiset S = {0,1,2,3,4,5,6,7} has the property. 3 B: The integral over S is / 59

135 Integral attacks Example: ES 16 words of 8 bits. 2 8 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant. nalyze how this multiset propagates through the different operations of ES. 33 / 59

136 Integral attacks Through ddroundkey The same constant value is XORed to each byte. Example. (0x06,..., 0x06) (0x06 0x01,..., 0x06 0x01) = (0x07,..., 0x07) Property. If we XOR the same constant value to each different value of a set having we get again all possible values in the set. Example. S = {0x0,0x1,0x2,0x3}, k = 0x2, S k = {0x2,0x3,0x0,0x1} ddroundkey 34 / 59

137 Integral attacks Through SubBytes The Sbox S is a permutation. If all values of a multiset have the same constant value c, all values will have the same constant value c = S(x) after SubBytes. If the values of a multiset take all possible values, the Sbox will only permute these values. SubBytes 35 / 59

138 Integral attacks Through ShiftRows ShiftRows only permutes the bytes of the state. ShiftRows 36 / 59

139 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x x x x 0 3 y 0 1 = 02 x x x x y255 0 = 02 x x x x / 59

140 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x x x x 0 3 y 0 1 = 02 x x x x y255 0 = 02 x x x x / 59

141 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x 0 0 +c y 0 1 = 02 x 1 0 +c.... y = 02 x c 37 / 59

142 Integral attacks Through Mixolumns (II) Mixolumns 38 / 59

143 Integral attacks fter 3 rounds Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns???????????????? 39 / 59

144 Integral attacks fter Mixolumns x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 y255 0 = 02 x x x x x x x x x x x x = 02 x i 0 03 x i 1 01 x i 2 01 i=0 i=0 i=0 = = x i 3 i=0 40 / 59

145 Integral attacks fter 3 rounds of ES Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns B B B B B B B B B B B B B B B B 41 / 59

146 Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent of the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59

147 Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent on the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59

148 Integral attacks ttack over ES reduced to 4 rounds Goal: Recover the subkey k 4 of the 4 th round of ES. Remark No Mixolumns in the last round. Input: 256 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant and the corresponding ciphertexts c i, i = 0,...,255. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 43 / 59

149 Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 44 / 59

150 Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) 44 / 59

151 Integral attacks Divide and conquer k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) But, if k 13 4 is the right value v i = S 1 (c i k4 13 ) = 0 i=0 i=0 44 / 59

152 Integral attacks omplexity Data complexity: 2 8 chosen plaintext-ciphertext pairs (a little bit more to get rid off false alarms) Time complexity: = 2 20 XOR s. ssume that a full encryption is composed 2 6 similar simple operations. So, time complexity 2 14 encryptions. 45 / 59

153 Integral attacks Link with higher-order differential cryptanalysis differential of order d is the sum of 2 d vecteurs of a well-chosen vector space, so it can be seen as an integral. Recently, Yosuke Todo extended integral attacks to take in a clearer way the algebraic degree into account. This extension is called the division property. 46 / 59

154 Bounds on the degree of iterated constructions Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 47 / 59

155 Bounds on the degree of iterated constructions Iterated permutations Most of the symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times. Important to estimate the algebraic degree of such iterated permutations. Functions with a low degree are vulnerable to: lgebraic attacks Higher-order differential attacks and distinguishers 48 / 59

156 Bounds on the degree of iterated constructions trivial bound Proposition: Let F be a function from F n 2 into Fn 2 F n 2 into Fm 2. Then and G a function from deg(g F) deg(g)deg(f). Example: Round function R of ES is of degree 7. Then deg(r 2 ) = deg(r R) 7 2 = / 59

157 Bounds on the degree of iterated constructions Substitution Permutation Networks S S S S S S Linear Layer S S S S S S Linear Layer S S S S S S Linear Layer How to estimate the evolution of the degree of such constructions? 50 / 59

158 Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in X = {x 0,...,x 15 }. 51 / 59

159 Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in Y = {y 0,...,y 15 }. The coordinates y 0 y 3 are outputs of the same Sbox (equally for the others). What is the consequence on the degree of the product? 51 / 59

160 Bounds on the degree of iterated constructions The notion of δ k Definition : For a permutation S define δ k (S) as the maximum degree of the product of k coordinates of S. δ 1 (S) := algebraic degree of S Example: degs = 3 S k δ k S permutation of F n 2 : δ k (S) = n iff k = n. 52 / 59

161 Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 1 y 3 y 8 y 9 y 10. deg(π) δ 3 (S 1 )+δ 3 (S 3 ) = / 59

162 Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 5 y 8 y 10 y 13 y 15. deg(π) δ 1 (S 1 )+δ 1 (S 2 )+δ 2 (S 3 )+δ 2 (S 4 ) = 12. The degree of the product is relatively low if many coordinates coming from the same Sbox are involved! 53 / 59