Study of Algorithmic Assumptions and Attacks on Cryptographic Primitives (Étude d'hypothèses algorithmiques et attaques de primitives cryptographiques)


1 Study of Algorithmic Assumptions and Attacks on Cryptographic Primitives (Étude d'hypothèses algorithmiques et attaques de primitives cryptographiques). Charles Bouillaguet, École normale supérieure, Paris, France. Ph.D. Defense, September 26, 2011.

2-7 A (Very Brief) Introduction to Cryptography: Encryption. [Figure: a plaintext message is encrypted under the key K into the ciphertext 5c14ff5cc3225fb9e5ae e23b6, which is sent over the network and decrypted with the key K at the other end.]

8-9 Secret-Key and Public-Key Cryptography. Alice and Bob used symmetric encryption: they have the same secret key K. In the late 70s: invention of public-key cryptography.

10 Public-Key Cryptography. Bob has a key pair (PK_bob, SK_bob). The public key is sufficient to encrypt (it can be published on a web page, in a public directory,...). The secret key is necessary to decrypt (personal!).

11-15 Sharing Secrets in Public. [Figure: Bob keeps SK_bob and publishes PK_bob = 0x4a1...; the sender fetches PK_bob and encrypts with it; the ciphertext 5c14ff5cc3225fb9e5ae e23b6 can only be decrypted with SK_bob.]

16 Public-Key Cryptography (continued). The public key is sufficient to encrypt, the secret key is necessary to decrypt. It must be (computationally) impossible to extract the secret key from the public key: we need hard problems from mathematics.

17-19 Hash Functions. Hash functions compute fingerprints: H(M) = 0x1d66ca77ab361c6f in the figure. Various uses. Oblivious to most users. No keys!

20 An Ideal Hash Function: the Random Oracle. A public random function (a.k.a. the Random Oracle): it generates new answers (uniformly) at random and remembers its previous answers.

21 Security Goals: Preimage Attack. Given y, find M such that H(M) = y. Ideal security: 2^n trials.

22 Security Goals: Second-Preimage Attack. Given M_1, find M_2 ≠ M_1 such that H(M_1) = H(M_2). Ideal security: 2^n trials.

23 Security Goals: Collision Attack. Find M_1 ≠ M_2 such that H(M_1) = H(M_2). Ideal security: 2^(n/2) trials (birthday paradox).

24-25 Outline. 1 Introduction. 2 Modes of Operation for Hash Functions: the Merkle-Damgård mode of operation and its problems; previous generic attacks; attempts to fix it and their problems. 3 Computer-Assisted Cryptanalysis of the AES: algebraic structure; automated tools; results. 4 Multivariate Cryptanalysis: the MQ problem; polynomial equivalence problems.

26-39 Hash Functions are Iterated Constructions. [Figure: the message is cut into blocks M_0, M_1, ..., M_7, which are absorbed one after the other; the final result is the digest 0x8d90f5bc447d7bdd767a68b98e37e785.]

40 The Merkle-Damgård Mode of Operation. Iterate a small compression function f: cut the message into chunks M_0, ..., M_k and include the size of M in the last block; h_i = f(h_{i-1}, M_i) and H_f(M) = h_k. [Figure: IV and M_0 enter f, giving h_0; then M_1 gives h_1, M_2 gives h_2, M_3 gives h_3.] Provable security result: a collision in H_f implies a collision in f.

41-45 Merkle-Damgård: a Timeline. [Figure: from the Merkle-Damgård construction through MD4, MD5, SHA-0, SHA-1 and SHA-2, with the generic attacks as they appeared: multicollisions, 2nd preimages, herding, 2nd preimages, 2nd preimages, trojan message.]

46 The Multicollision Attack of Joux (2004). Main idea: k collisions give a 2^k-multicollision. Find two colliding blocks from the previous chaining value; this gives 2^k paths between IV and h_k. [Figure: IV → h_1 → h_2 → h_3 → ... → h_k, with two colliding blocks m_i, m_i' at each step.]

47 The Second Preimage Attack of Kelsey-Schneier (2005). Main idea: a multicollision with messages of all possible sizes (an expandable message). From h_i, find a collision between a single block and a (2^i + 1)-block message. [Figure: IV → h_1 → h_2 → h_3, where at each step one colliding message has 1 block and the other has |m_1| = 2, |m_2| = 3, |m_3| = 5 blocks.] All sizes between k and 2^k are reachable.

48-51 The Second Preimage Attack of Kelsey-Schneier (2005). [Figure: the expandable message M_ex (the prefix P) leads from IV to h. Then find a block m with f(h, m) = h_i, one of the chaining values in the computation of H(M). The second preimage is P expanded to the right length, then m, then the original blocks M_{i+1}, ..., M_l.]

52 The Herding Attack of Kelsey-Kohno (2006). Objective: commit to h, then receive P, and find S such that H(P ‖ S) = h. Main idea: build a collision tree (a.k.a. diamond structure), a binary tree of height l with 2^l leaves; nodes are chaining values, edges are message blocks. [Figure: leaves x_1, ..., x_6 collapse pairwise through blocks m to the root h.] Commit to h.

53-55 The Herding Attack of Kelsey-Kohno (2006): Online Phase. [Figure: hash the received prefix P from IV to h_P; find a block m with f(h_P, m) = x_j for one of the 2^l leaves x_j; the path from x_j to the root h completes S.]

56-60 A New, More Flexible, Generic Second Preimage Attack. Main idea: Kelsey and Schneier's attack with a collision tree. [Figure: a collision tree with 2^l leaves x_1, ..., x_6 and root h. First find a block m with f(h, m) = h_i, a chaining value in the computation of H(M). Then hash a prefix P to h_P and find a block m with f(h_P, m) = x_j, a leaf of the tree. The second preimage is P, this block, the path from x_j to h, the block m, then M_{i+1}, ..., M_l.]

61-64 How to Repair the Merkle-Damgård Mode of Operation? Problems, because the attacker can: 1 find internal collisions; 2 copy-and-paste message blocks; 3 control the internal state. [Figure: IV and M_0, ..., M_3 through f give h_0, ..., h_3.] Counter-measures: a larger internal state (2n-bit chaining values through each f, then Trunc_n at the end); position-dependent hashing (an additional input z_i to each call of f); several passes (the blocks M_0, ..., M_3 are processed a second time).
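As an added example (not code from the thesis), a toy Merkle-Damgård hash in Python with the strengthening padding of slide 40 and the wide-pipe variant of slide 62. The block size, the all-zero IV and the SHA-256-based compression function are constructed stand-ins. It shows the property the repair targets: with an n-bit state, an internal collision found with about 2^(n/2) work lets two messages stay colliding under any appended suffix (the copy-and-paste problem), whereas with a 2n-bit state a cheap collision on the truncated output does not collide the internal state and does not extend.

```python
import hashlib

# Constructed toy parameters: 8-byte blocks and 2-byte (16-bit) digests, so that
# collisions are cheap to find inside a test; the structure is the real one.
BLOCK = 8
IV_BYTE = 0x00  # constructed IV: all-zero chaining value


def compress(h, block, width):
    """Toy compression function f(h, m): truncated SHA-256 stands in for a real f.
    width = chaining-value size in bytes (n bits for plain MD, 2n bits for wide-pipe)."""
    return hashlib.sha256(h + block).digest()[:width]


def pad(msg):
    """Merkle-Damgard strengthening: 0x80, zeros, then the message length (4 bytes)
    in the last block, so messages of different lengths never share a final block."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK)
    return padded + len(msg).to_bytes(4, "big")


def md_hash(msg, out, width=None):
    """H_f(M): h_i = f(h_{i-1}, M_i) over the padded blocks. With width > out this is
    the wide-pipe variant: a 2n-bit state truncated (Trunc_n) to n bits at the end."""
    width = width or out
    h = bytes([IV_BYTE]) * width
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK], width)
    return h[:out]


def internal_state(msg, width):
    """Chaining value after absorbing a whole-block message (no padding yet)."""
    h = bytes([IV_BYTE]) * width
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK], width)
    return h


def birthday_collision(fn):
    """First pair of distinct one-block messages with fn(m1) == fn(m2)."""
    seen = {}
    counter = 0
    while True:
        m = counter.to_bytes(BLOCK, "big")
        d = fn(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        counter += 1


def collision_extends(m1, m2, out, width, suffix=b"any later blocks"):
    """Does H(m1 || suffix) == H(m2 || suffix)? This holds whenever the two
    messages collide on the full internal state: the copy-and-paste problem."""
    return md_hash(m1 + suffix, out, width) == md_hash(m2 + suffix, out, width)


def narrow_pipe_demo(out=2):
    """16-bit state: an internal collision costs ~2^8 calls to f and then extends."""
    m1, m2 = birthday_collision(lambda m: internal_state(m, out))
    return collision_extends(m1, m2, out, out)


def wide_pipe_demo(out=2, width=4):
    """Same 16-bit output but a 32-bit state: the ~2^8-cost collision on the truncated
    output does not collide the internal state, so appending blocks separates the two."""
    m1, m2 = birthday_collision(lambda m: md_hash(m, out, width))
    return (internal_state(m1, width) != internal_state(m2, width),
            collision_extends(m1, m2, out, width))
```

`narrow_pipe_demo()` returns True and `wide_pipe_demo()` returns (True, False): the same birthday budget that breaks the narrow pipe buys nothing usable against the wide pipe, which is the reason slide 76 lists the larger internal state as provably secure against all generic attacks.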

65-66 Position-Dependent Hashing. Additional input z? [Figure: h_i = f(h_{i-1}, M_i, z_i).] Rivest's proposal (2005): abelian square-free dithering. A 2-bit additional input over the alphabet (a, b, c, d): z = abcacdcbcdcadcdbdabaca... Kills the Kelsey-Schneier attack.

67-71 Extending the New 2nd-Preimage Attack to Dithered Hashing. [Figure: the collision tree is built for a fixed sequence of dithering symbols ω_1, ..., ω_l on its levels, and the connecting block m must satisfy f(h, ω_{l+1}, m) = h_i. The target h_i must be the same, and the dithering symbols ω_1, ..., ω_{l+1} consumed along the tree and the connecting block must be the same as the factor of z = abcacdcbcdcadcdbdabacabadbabcbdbcbacbcdcacba... at the position where the second preimage rejoins M.]

72 Rivest's Dithering Sequence in Detail. z = abcacdcbcdcadcdbdabacabadbabcbdbcbacbcdcacba... Does it have frequent factors? It is an infinite (abelian) square-free sequence over 4 letters, the fixed point of a (uniform) morphism over the free monoid. Theorem (Cobham, 1972): the number of different factors of size l in z is linear in l. So there is a very low number of different factors in z, and at least one of them occurs frequently (freq. 0.2%).

73-75 Extending the New 2nd-Preimage Attack to Several Passes. [Figure: the hash makes two passes over M_0, ..., M_3 (slide 73); an expandable message M_ex leading to h is placed in the first pass (slide 74); slide 75 shows the chain IV → M_ex → multicollision → h → H(M).]

76 Conclusion. 1 Rivest's dithering: broken by the new 2nd preimage attack. 2 Several passes: broken by the new 2nd preimage attack. 3 Round counter: provably secure against generic 2nd preimage attacks. 4 Larger internal state: provably secure against all generic attacks.

77 Outline (repeated from slide 24; part 3, Computer-Assisted Cryptanalysis of the AES, starts here).

78 Block-Cipher Cryptanalysis. The object: a block cipher E : {0,1}^k (key) × {0,1}^n (plaintext) → {0,1}^n (ciphertext). The subject: an attacker. Objective: recover the secret key. Resources: time, less than 2^k encryptions; data, less than 2^n plaintext/ciphertext pairs.

79-81 Block Cipher Cryptanalysis. [Figure: Plaintext → Round (k_0) → Round (k_1) → Round (k_2) → ... → Round (k_r) → Ciphertext, where the round keys k_0, ..., k_r are derived from K by the key schedule.] First weaken it (reduce the number of rounds, e.g. to k_0, ..., k_3), then break it.

82 Adversarial Model: Low Data Complexity Attacks. Must be faster than exhaustive search, with only very few plaintext/ciphertext pairs available. Why? Rather unexplored territory. What is harder in practice: performing 2^50 elementary operations, or acquiring 50 plaintext/ciphertext pairs?

83 Target Block Cipher: the Advanced Encryption Standard. Designed by Rijmen and Daemen; winner of the AES competition in 2001; one of the most widely used encryption primitives. AES basic structure: substitution-permutation network; block size 128 bits; key lengths 128, 192 or 256 bits; 10 rounds for the 128-bit version.

84-89 Description of the AES. [Figure: one AES round maps the state x_i to x_{i+1} under the round key k_i: the S-box layer S applied to every byte, a byte permutation, the matrix M applied to every column, then the addition (+) of k_i.]

90 The AES Has a Clean Description over F_256. y_i[l] = S(x_i[l]) and x_{i+1} = M · [ y_i[0] y_i[4] y_i[8] y_i[12] ; y_i[5] y_i[9] y_i[13] y_i[1] ; y_i[10] y_i[14] y_i[2] y_i[6] ; y_i[15] y_i[3] y_i[7] y_i[11] ] + k_i (rows of the 4×4 matrix separated by semicolons). Is it a problem? Concerns about the AES's algebraic simplicity have been expressed several times, but so far no attack directly exploited this property... until now.
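Added example, not code from the thesis or its tool: AES-128 written directly in the F_256 form of slide 90. The S-box is computed as inversion in F_256 followed by the FIPS-197 affine map, ShiftRows is the byte reindexing that produces the matrix above, MixColumns is M applied over F_256, and the result is checked against the FIPS-197 test vector. Only the standard AES constants are used; every other name is local to this example.

```python
# AES-128 in the F_256 form of slide 90. State x is a list of 16 bytes in column-major
# order (x[4*c + r] is row r of column c), so one round is y = S(x) bytewise, the byte
# reindexing of ShiftRows, the 4x4 matrix M over F_256 on every column, then + k_i.

def gf_mul(a, b):
    """Multiplication in F_256 = F_2[t] / (t^8 + t^4 + t^3 + t + 1), the AES field."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce by the AES polynomial
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in F_256 for a != 0 (a^255 = 1); the AES convention maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def _rotl8(b, k):
    return ((b << k) | (b >> (8 - k))) & 0xFF


# The S-box is inversion in F_256 followed by an affine map over F_2 (FIPS-197, 5.1.1).
SBOX = [gf_inv(x) for x in range(256)]
SBOX = [b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63 for b in SBOX]

M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # MixColumns matrix over F_256


def sub_bytes(x):
    return [SBOX[b] for b in x]


def shift_rows(y):
    """Row r is rotated left by r: output byte (r, c) is y[r + 4*((c + r) mod 4)],
    which is exactly the index pattern of the matrix on slide 90."""
    return [y[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(y):
    out = []
    for c in range(4):
        col = y[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(M[r][j], col[j])
            out.append(v)
    return out


def aes_round(x, k, last=False):
    """x_{i+1} = M . ShiftRows(S(x_i)) + k_i; the final round omits M."""
    y = shift_rows(sub_bytes(x))
    if not last:
        y = mix_columns(y)
    return [a ^ b for a, b in zip(y, k)]


def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt_block(plaintext, key):
    rk = expand_key(key)
    x = [p ^ k for p, k in zip(plaintext, rk[0])]  # initial key addition
    for i in range(1, 11):
        x = aes_round(x, rk[i], last=(i == 10))
    return bytes(x)
```

Every operation in `aes_round` is either the S-box or an F_256-linear map, which is the "clean description" the slide refers to: apart from S, a round is a linear map over F_256 followed by a constant addition, and that is what the equation systems of the following slides are built from.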

91-92 Working With the Equations. Algebraic cryptanalysis, the direct approach: Equations → Solver (SAT, Gröbner) → Key. Time complexity? No interesting result at this point.

93 Our Approach to Solve Systems of AES-like Equations. [Figure: Equations → Tools → Solver (with its expected complexity) → C++ → Compiler → Solver.] 1 The tools look at the equations; 2 they search for a (good) solver; 3 the C++ code of the solver is generated; 4 the solver finds the actual solution(s). The algebraic simplicity of the AES allows automatic search procedures (for some classes of attacks), and non-trivial results are found automatically.

94 Harnessing the Algebraic Simplicity: Guess-and-Determine Attacks. The equations are sparse: when all terms but one are known, the last one follows (knowledge propagation), e.g. x_i + S(z_j) + 03·z_k = 0. The equations are linear over F_256 in the x_i and the S(x_i), so Gaussian elimination allows more knowledge propagation, e.g. from x_i + S(z_j) + 03·z_k + 7f·u_l = 0, 3d·x_j + 56·z_k + S(v_r) + 9a·u_l = 0 and c2·y_s + 84·z_k + cf·S(v_r) = 0: all terms known except one in a linear combination.

95 Harnessing the Algebraic Simplicity: Guess-and-Determine Attacks. A tentative guess-and-determine attack search procedure: for all possible subsets X of the variables, assume X is known; while knowledge propagation gives a new variable y, do X ← X ∪ {y}; if X contains all the variables, then report a possible solver. When done (or on timeout), return the best solver found so far. Actual implementation: more sophisticated (backtracking, sparse linear algebra, ...); 5000 lines of OCaml.

96-97 Harnessing the Algebraic Simplicity: Meet-in-the-Middle Attacks. Idea: partition the set of variables in two, so that F(x, y, z, t, u, v) = 0 becomes G(x, y, z) = H(t, u, v). Meet-in-the-middle solver: for all x, y, z, store G(x, y, z) → (x, y, z) in a hash table; for all t, u, v, look up H(t, u, v) in the hash table. On average one value of (x, y, z) per value of (t, u, v).

98 Harnessing the Algebraic Simplicity: Recursive Meet-in-the-Middle. Objective: find a partition such that F(x, y, z, t, u, v) = 0 becomes G_1(x, y, z) = H_1(t, u, v) together with G_2(x, y, z) = 0 and H_2(t, u, v) = 0. Improved solving algorithm: for all (x, y, z) such that G_2(x, y, z) = 0, store G_1(x, y, z) → (x, y, z) in a hash table; for all (t, u, v) such that H_2(t, u, v) = 0, look up H_1(t, u, v) in the hash table. Enumerating each side is the same problem on a smaller instance, and each collision suggests a complete solution. A solver for the full problem can be constructed recursively from two solvers for smaller sub-problems.
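A worked version of the (recursive) meet-in-the-middle solver of slides 96-98, added here as an illustration and not the thesis's tool: the equations G_1, G_2, H_1, H_2 and the 3-bit S-box S are constructed for the example, not AES equations. Each half is first filtered by its own constraint, then the halves are matched on G_1 = H_1 through a hash table; the result is checked against exhaustive enumeration of all six variables.

```python
from itertools import product

# Constructed toy instance: every variable is a 3-bit value and S is a small
# constructed permutation standing in for a nonlinear S-box.
BITS = 3
DOMAIN = range(1 << BITS)
S = [6, 4, 0, 7, 1, 5, 3, 2]


def G1(x, y, z):
    return S[x ^ y] ^ z


def G2(x, y, z):
    return S[x] ^ S[y ^ z] ^ x


def H1(t, u, v):
    return S[t ^ u] ^ S[v] ^ u


def H2(t, u, v):
    return S[t] ^ v ^ S[u]


def F(x, y, z, t, u, v):
    """The full system, written so that the variables split into (x, y, z) and (t, u, v):
    one equation links the two halves, the other two each involve one half only."""
    return G1(x, y, z) == H1(t, u, v) and G2(x, y, z) == 0 and H2(t, u, v) == 0


def brute_force():
    """Exhaustive enumeration: |DOMAIN|^6 evaluations of F."""
    return sorted(sol for sol in product(DOMAIN, repeat=6) if F(*sol))


def mitm_solve(g1, g2, h1, h2):
    """Slide 98: reduce each half by its own constraint (g2 = 0, h2 = 0), store the
    left candidates under g1 in a hash table, then look up h1 for each right candidate.
    Every hit is a complete solution of the full system."""
    table = {}
    for left in product(DOMAIN, repeat=3):
        if g2(*left) == 0:
            table.setdefault(g1(*left), []).append(left)
    solutions = []
    for right in product(DOMAIN, repeat=3):
        if h2(*right) == 0:
            for left in table.get(h1(*right), []):
                solutions.append(left + right)
    return sorted(solutions)


def work_comparison():
    """Evaluations needed: exhaustive search vs. the two MITM enumerations."""
    d = len(DOMAIN)
    return d ** 6, 2 * d ** 3
```

With 3-bit variables the exhaustive search costs 8^6 = 262144 evaluations against 2 · 8^3 = 1024 for the two MITM sweeps, at the price of a hash table holding the surviving left candidates; the per-side filtering by G_2 and H_2 is what the slide generalises recursively, since each side is itself a smaller system of the same shape.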

99 Harnessing the Algebraic Simplicity: Recursive Meet-in-the-Middle. In practice: a bottom-up saturation procedure.
function BESTSOLVER(E, T_up)
    G ← { BaseSolver(x) : x ∈ X }
    P ← { (G_i, G_j) : 1 ≤ i < j ≤ |G| }
    while P ≠ ∅ do
        pick (A_1, A_2) ∈ P and remove it from P
        C ← the combination of A_1 and A_2
        if T(C) ≤ T_up then UPDATE-QUEUE(G, P, C)
    end while
    return G
end function
Design, implementation, improvements, tricks, ... by Patrick Derbez; ... lines of C.

100 Results (Reduced AES). Attacks on round-reduced versions of AES-128, tool-found versus human-found. [Table: #Rounds, Data (KP = known plaintexts, CP = chosen plaintexts), Time (tool-found), Time (human-found); the numeric entries did not survive extraction.] The attacks that are practical have been implemented and verified.

101-107 Results: Pelican-MAC. Pelican-MAC building block: 4 keyless AES rounds (SB+SR, MC, SB+SR, MC, SB+SR, MC, SB+SR). Attack plan: query the MAC and find an internal collision; recover the internal state by solving AES_4(x + Δ_i) = AES_4(x) + Δ_o, where Δ_i and Δ_o are the input and output differences of the collision. [Figure: the differences propagate through the four keyless rounds.] 4 hash tables to build (... ops.); isolate 2^32 possible internal states.

108 Conclusion. A new process to solve the equations describing the AES: it automatically finds the best known low-data-complexity attacks on round-reduced AES, Pelican-MAC and LEX, and can generate C++ code of the attacks. Tool publicly available at:

109 Outline (repeated from slide 24; part 4, Multivariate Cryptanalysis, starts here).

110 The Hard Problem Underlying Multivariate Cryptography. RSA encryption: y = x^e mod N, with x, y ∈ Z/NZ. Multivariate quadratic encryption: y_1, ..., y_4 are given by four quadratic polynomials in x_1, ..., x_4 (squares and products such as x_1x_3, x_2x_3, x_2x_4, x_3x_4), with x, y ∈ (F_q)^n. Rationale: solving MQ polynomial systems is NP-hard over any field.

111-113 Multivariate Quadratic Trapdoor One-Way Functions. A trapdoor must be embedded in the equations. A common construction, obfuscation: 1 a non-linear function ψ : (F_q)^n → (F_q)^n, easily invertible, which can be public (as in SFLASH); 2 express it as multivariate polynomials over (F_q)^n; 3 obfuscate ψ by composing it with secret matrices S and T; 4 PK = T ∘ ψ ∘ S (the obfuscated representation of ψ).

114-115 Multivariate Quadratic Trapdoor One-Way Functions: Is it Secure? 1 The public key must be one-way even though ψ is not: hardness of (a special case of) MQ. 2 Retrieving S and T must be (very) hard: hardness of polynomial linear equivalence. [Figure: plaintext → S → ψ → T → ciphertext.]

116 Solving Multivariate Quadratic Equations. Problem: find (x_1, ..., x_n) ∈ (F_q)^n such that the four quadratic polynomials of slide 110 take prescribed values (1, 0, ...). Exhaustive search costs O(q^n); Gröbner bases O(α^n). Conclusion: exhaustive search is (often) faster on very small fields (F_2).

117 Exhaustive Search for MQ over F_2. Let V = (F_2)^n and f : V → V be a quadratic map: f(x) = Σ_{i=1}^n Σ_{j=i}^n a_ij x_i x_j + Σ_{i=1}^n b_i x_i + c. Naive exhaustive search: for i from 1 to 2^n do: x ← V[i]; y ← f(x); if y = 0 then report x as a solution; end for. Evaluating f costs n(n+3)/2 XORs, so the full exhaustive search is O(n^2 2^n).

118 Exhaustive Search for MQ over F_2: Improvement #1. Idea: suppose I know y = f(x) (for the four polynomials of slide 110). To flip x_2, only n terms per polynomial have to be recomputed: the partial derivative ∂f/∂x_2 (y) = f(y) + f(y + x_2) is affine and evaluates in O(n) operations.

119 A (Folklore) More Efficient Exhaustive Search. [Table: i, GRAY(i), b_1(i) for the first few i.] Improved exhaustive search: x ← 0; y ← f(0); for i from 0 to 2^n − 1 do: k ← b_1(i + 1); z ← DOTPRODUCT(x, D_k); y ← y + z; if y = 0 then report x as a solution; x ← x + e_k; end for. DOTPRODUCT costs n XORs, so the full exhaustive search is O(n 2^n).

120-122 Exhaustive Search for MQ over F_2: Improvement #2. [Table: i, GRAY(i), b_1(i).] Theorem: if i and j are consecutive integers with b_1(i) = b_1(j) (consecutive among the indices sharing the same lowest set bit), then GRAY(i) and GRAY(j) differ in two bits. So the two dot products z ← DOTPRODUCT(x, D_k) and z ← DOTPRODUCT(x + 2 bits, D_k) differ only by the contribution of those two bits: keep z_k ← DOTPRODUCT(x, D_k) and update it as z_k ← z_k + DOTPRODUCT(2 bits, D_k).

123 A New, Even More Efficient Exhaustive Search. Even more improved exhaustive search: x ← 0; y ← f(0); initialize the z[i]; for i from 0 to 2^n − 1 do: k_1 ← b_1(i + 1); k_2 ← b_2(i + 1); z[k_1] ← z[k_1] + D_{k_1}[k_2]; y ← y + z[k_1]; if y = 0 then report GRAY(i) as a solution; end for. Each iteration costs 2 XORs, so the full exhaustive search is O(2^n).
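Added example (not the thesis's code nor the CHES 2010 implementation): the exhaustive-search variants of slides 117-123 in Python on a constructed random system over F_2. `naive_search` is the O(n^2 2^n) baseline, `partial_derivative` is the affine D_k f of Improvement #1, and `gray_code_search` walks the Gray code while keeping the cached derivatives z[k] current with the constant second derivative D_{k_1}[k_2] = a_{k_1 k_2}, the 2-XOR step of Improvement #2. Coefficient bitmasks pack the m polynomials into one integer so that one XOR updates all of them; the instance, seed and planted root are constructed for the example.

```python
import random

# A quadratic map f: (F_2)^n -> (F_2)^m stored as coefficient bitmasks: bit e of a mask
# belongs to polynomial number e, so one XOR updates all m polynomials at once.
# A[i][j] (i <= j) is the coefficient of x_i x_j, B[i] of x_i, C the constant term.
# Points x are n-bit integers, bit i holding x_i.


def random_system(n, m, seed):
    """Constructed random instance (seeded, so the result is reproducible)."""
    rng = random.Random(seed)
    A = [[rng.getrandbits(m) if j >= i else 0 for j in range(n)] for i in range(n)]
    B = [rng.getrandbits(m) for _ in range(n)]
    return (n, A, B, rng.getrandbits(m))


def evaluate(system, x):
    """Naive evaluation of f(x): about n(n+3)/2 XORs per point (slide 117)."""
    n, A, B, C = system
    y = C
    for i in range(n):
        if (x >> i) & 1:
            y ^= B[i]
            for j in range(i, n):  # x_i * x_i = x_i over F_2, so A[i][i] counts once
                if (x >> j) & 1:
                    y ^= A[i][j]
    return y


def plant_solution(system, x0):
    """Adjust the constant term so that x0 is a root (for a test instance)."""
    n, A, B, C = system
    return (n, A, B, C ^ evaluate(system, x0))


def naive_search(system):
    return sorted(x for x in range(1 << system[0]) if evaluate(system, x) == 0)


def partial_derivative(system, k, x):
    """D_k f(x) = f(x + e_k) + f(x): affine in x and independent of x_k (slide 118)."""
    n, A, B, C = system
    d = A[k][k] ^ B[k]
    for j in range(n):
        if j != k and (x >> j) & 1:
            d ^= A[min(k, j)][max(k, j)]
    return d


def gray_code_search(system):
    """Slide 123: walk x = GRAY(i); y tracks f(x) through cached derivatives z[k]."""
    n, A, B, C = system
    x, y = 0, C  # GRAY(0) = 0 and y = f(0)
    # z[k] is first used at index i = 2^k, where GRAY(i - 1) is e_{k-1} (or 0 for k = 0);
    # initialise it to D_k f at that point.
    z = [partial_derivative(system, k, (1 << (k - 1)) if k else 0) for k in range(n)]
    solutions = [0] if y == 0 else []
    for i in range(1, 1 << n):
        k1 = (i & -i).bit_length() - 1       # b_1(i): lowest set bit
        rest = i & (i - 1)                    # i with that bit cleared
        if rest:
            k2 = (rest & -rest).bit_length() - 1  # b_2(i): second lowest set bit
            # Since z[k1] was last used, the point moved in bits k1 and k2 only; bit k1
            # does not affect D_{k1} f, and the second derivative D_{k1}[k2] is the
            # constant A[k1][k2]. This is the 2-XOR step of Improvement #2.
            z[k1] ^= A[min(k1, k2)][max(k1, k2)]
        y ^= z[k1]        # f(GRAY(i)) = f(GRAY(i-1)) + D_{k1} f(GRAY(i-1))
        x ^= 1 << k1      # x = GRAY(i)
        if y == 0:
            solutions.append(x)
    return sorted(solutions)
```

The invariant worth checking is the one the theorem of slide 120 guarantees: between two uses of z[k_1] the enumeration point changes in exactly bits k_1 and k_2, so a single constant XOR keeps the cached derivative exact, and the inner loop touches no coefficient beyond A[k_1][k_2].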

124 Efficient Implementation(s). [Table: # cores, GHz, cycles/iteration and running time for n = 48; the surviving entries are the times 1h35, 2h22 and 21 min.]

125 What About 80-bit Security? Not so long ago, 80-bit security was considered a decent level: 80 quadratic equations in 80 F_2-variables offer 80 bits of security. The world's 3rd fastest computer (Nat. Center for Comp. Sciences, ... GHz) solves the problem in 18 years. Better results are possible with more ad hoc hardware.

126-127 Polynomial Equivalence Problems. [Figure: two vectors of n multivariate quadratic polynomials in n variables related by secret invertible matrices, PK = T ∘ ψ ∘ S, equivalently T^{-1} ∘ PK = ψ ∘ S.] The problem: given the two polynomial vectors, find S and T.

128 Complexity-Theoretic Status of PLE. Could PLE be solvable in deterministic polynomial time? Courtois-Goubin-Patarin, 1998: Graph Isomorphism ≤ PLE (transform instances of GI into PLE), so ...% sure that PLE ∉ P. Is it NP-hard? Courtois-Goubin-Patarin, Faugère-Perret, 2006: no!

129 Easy and Hard Cases. Inhomogeneous case: f(x) = Σ_{i=1}^n Σ_{j=i}^n a_ij x_i x_j + Σ_{i=1}^n b_i x_i + c; algorithms: Gröbner-based O(n^9), differential O(n^6), inversion-free To-n-Fro O(n^3). Homogeneous case: f(x) = Σ_{i=1}^n Σ_{j=i}^n a_ij x_i x_j (the hard case).

130 Dehomogenization. From T ∘ ζ = ψ ∘ S, define ζ'(z) = ζ(z + x) and ψ'(z) = ψ(z + S·x); then T ∘ ζ' = ψ' ∘ S.

131-132 Finding the Image of S on One Point. Efficient algorithms are available once the image of S is known on one point. Exhaustive search: q^n trials... Natural approach: the birthday paradox. Try pairs (x, y): assume y = S·x, dehomogenize, solution found?

133-135 Machinery: A Key Tool for Multivariate Cryptanalysis. Given a quadratic map φ : (F_q)^n → (F_q)^n, its differential is Dφ : (F_q)^n × (F_q)^n → (F_q)^n, (x, y) ↦ φ(x + y) − φ(x) − φ(y) + φ(0). Dφ is a symmetric bilinear map. From any quadratic map φ we define an undirected graph G_φ: vertices (F_q)^n \ {0}; edges { x ~ y | Dφ(x, y) = 0 }. If T ∘ ζ = ψ ∘ S, then S is a graph isomorphism that sends G_ζ to G_ψ.

136-137 Topological Hashing. S is a graph isomorphism that sends G_ζ to G_ψ, so x and S·x have neighbourhoods of the same shape: TOPOLOGY(x) in G_ζ equals TOPOLOGY(S·x) in G_ψ. Topological meet-in-the-middle algorithm: sample random points x in G_ζ and store TOPOLOGY(x) → x; sample random points y in G_ψ and store TOPOLOGY(y) → y; for all colliding pairs, assume y = S·x, dehomogenize, etc.

138 Topological Hashing: Extracting Little Information. Problem: deterministically extract topological information? Simple solution: TOPOLOGY(x) = number of adjacent vertices. Sample q^{n/3} points in both G_ζ and G_ψ: running time O(q^{2n/3}), success probability close to 1.
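An added Python example (not the thesis's code) for the differential Dφ of slides 133-135 and the degree-based TOPOLOGY of slide 138, over F_2 with small constructed parameters. It checks that Dφ is symmetric and bilinear, computes graph degrees, and verifies that for ψ = T ∘ ζ ∘ S (with S and T random invertible matrices, constructed as products of unitriangular matrices) the linear map x ↦ S·x preserves degrees between G_ψ and G_ζ, which is the isomorphism the topological meet-in-the-middle relies on. All names, seeds and sizes here are local to the example.

```python
import random

N = 5  # constructed: number of variables (and polynomials) over F_2


def random_homogeneous_map(n, seed):
    """Homogeneous quadratic map (F_2)^n -> (F_2)^n: polynomial e is x^T Q[e] x with
    Q[e] a random upper-triangular 0/1 matrix (constructed, seeded instance)."""
    rng = random.Random(seed)
    return [[[rng.getrandbits(1) if j >= i else 0 for j in range(n)] for i in range(n)]
            for _ in range(n)]


def apply_map(Q, x):
    """Evaluate the map at a bit-vector x (list of n bits)."""
    n = len(x)
    return [sum(Qe[i][j] & x[i] & x[j] for i in range(n) for j in range(i, n)) & 1
            for Qe in Q]


def matvec(M, x):
    return [sum(M[i][j] & x[j] for j in range(len(x))) & 1 for i in range(len(M))]


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(n)) & 1 for j in range(n)]
            for i in range(n)]


def random_invertible(n, seed):
    """Lower times upper unitriangular matrix over F_2: invertible by construction."""
    rng = random.Random(seed)
    L = [[1 if i == j else (rng.getrandbits(1) if j < i else 0) for j in range(n)]
         for i in range(n)]
    U = [[1 if i == j else (rng.getrandbits(1) if j > i else 0) for j in range(n)]
         for i in range(n)]
    return matmul(L, U)


def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]


def bits(v, n):
    return [(v >> i) & 1 for i in range(n)]


def differential(phi, x, y):
    """D phi(x, y) = phi(x + y) - phi(x) - phi(y) + phi(0); over F_2 every sign is XOR."""
    zero = [0] * len(x)
    return xor(xor(phi(xor(x, y)), phi(x)), xor(phi(y), phi(zero)))


def is_symmetric_bilinear(phi, n, samples=200, seed=1):
    """Check D phi(x, y) = D phi(y, x) and D phi(x + x', y) = D phi(x, y) + D phi(x', y)."""
    rng = random.Random(seed)
    for _ in range(samples):
        x, x2, y = (bits(rng.getrandbits(n), n) for _ in range(3))
        if differential(phi, x, y) != differential(phi, y, x):
            return False
        if differential(phi, xor(x, x2), y) != xor(differential(phi, x, y),
                                                   differential(phi, x2, y)):
            return False
    return True


def degree(phi, n, x):
    """TOPOLOGY(x) of slide 138: number of neighbours of x in G_phi, i.e. vertices
    y != 0, y != x with D phi(x, y) = 0 (y = x is excluded: D phi(x, x) = 0 trivially)."""
    xi = sum(b << i for i, b in enumerate(x))
    return sum(1 for v in range(1, 1 << n)
               if v != xi and not any(differential(phi, x, bits(v, n))))


def isomorphism_preserves_degrees(n=N, seed=7):
    """psi(x) = T(zeta(S x)) with S, T invertible. Then D psi(x, y) = T(D zeta(Sx, Sy)),
    so x -> S x is a graph isomorphism from G_psi onto G_zeta (the slide's S is its
    inverse) and every vertex keeps its degree."""
    Q = random_homogeneous_map(n, seed)
    S = random_invertible(n, seed + 1)
    T = random_invertible(n, seed + 2)
    zeta = lambda x: apply_map(Q, x)
    psi = lambda x: matvec(T, zeta(matvec(S, x)))
    return all(degree(psi, n, bits(v, n)) == degree(zeta, n, matvec(S, bits(v, n)))
               for v in range(1, 1 << n))
```

The degree is the weakest usable invariant: it is preserved by the isomorphism, but many vertices share a degree, which is why slide 138 needs q^{n/3} samples per side and slide 140 moves to a tree encoding of the neighbourhood to make accidental matches negligible.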

139-140 Topological Hashing: Extracting Much More Information. The graphs are very sparse and tree-like (besides small triangles): kill the triangles to get an actual tree (BFS, no backward edges), and the topology of trees is easy to encode. Complicated solution: TOPOLOGY(x) = tree encoding (depth n log n). Sample q^{n/2} points with deep neighbourhoods. Theorem: if the trees are random and independent, then O(1) collisions (the probability of an accidental collision is negligible, even with exponentially many trees). Running time O(q^{n/2}), success probability close to 1.

141 Conclusion. 1 The MQ problem: faster exhaustive search over F_2, O(n^2 2^n) → O(n 2^n) → O(2^n); the 80-bit challenge is not strictly out of reach. 2 The PLE problem: faster polynomial algorithms for the inhomogeneous case, O(n^9) → O(n^6) → O(n^3); first working birthday algorithm for the homogeneous case, O(q^{3n}) → O(q^n) → O(q^{2n/3}) → O(q^{n/2}), currently known to work over F_2, extension seems easy. The obfuscation technique is probably a bad idea.

142 My contributions: Hash Functions.
Modes of Operation, New Generic 2nd-Preimage Attack and Applications:
Second Preimage Attacks on Dithered Hash Functions. Andreeva, B., Fouque, Hoch, Kelsey, Shamir, Zimmer [Eurocrypt 08]
Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård. Andreeva, Bouillaguet, Dunkelman, Kelsey [SAC 09]
Provable Security Against 2nd-Preimage Attacks:
Practical Hash Functions Constructions Resistant to Generic Second Preimage Attacks Beyond the Birthday Bound. Bouillaguet, Fouque [submitted to IPL]
Provable Second Preimage Resistance: an Impossibility Result. Bouillaguet [submitted to CT-RSA 12]
Indifferentiability in the Presence of Distinguishers:
Security Analysis of SIMD. Bouillaguet, Fouque, Leurent [SAC 10]

143 My contributions: Symmetric Cryptanalysis.
Low-Data Complexity Attacks on the AES:
Low Data Complexity Attacks on AES. Bouillaguet, Derbez, Dunkelman, Fouque, Keller, Rijmen [submitted to IEEE IT]
Automatic Search of Attacks on Round-Reduced AES and Applications. Bouillaguet, Derbez, Fouque [Crypto 11]
Other Results:
Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques. Bouillaguet, Fouque [SAC 08]
Another Look at the Complementation Property. Bouillaguet, Dunkelman, Fouque, Leurent [FSE 10]
Attacks on Hash Functions based on Generalized Feistel: Application to Reduced-Round Lesamnta and SHAvite-3_512. Bouillaguet, Dunkelman, Fouque, Leurent [SAC 10]
New Insights on Impossible Differential Cryptanalysis. Bouillaguet, Dunkelman, Fouque, Leurent [SAC 11]

144 My contributions: Multivariate Cryptanalysis.
Attacks Against Multivariate Schemes:
A Family of Weak Keys in HFE and the Corresponding Practical Key-Recovery. Bouillaguet, Fouque, Joux, Treger [J. Math. Crypto]
Practical Key-Recovery For All Possible Parameters of SFLASH. Bouillaguet, Fouque, Macario-Rat [Asiacrypt 11]
Algorithms for Multivariate Hard Problems:
Fast Exhaustive Search for Polynomial Systems in F_2. B., Chen, Cheng, Chou, Niederhagen, Shamir, Yang [CHES 10]
Practical Cryptanalysis of the Identification Scheme Based on the Isomorphism of Polynomial With One Secret Problem. Bouillaguet, Faugère, Fouque, Perret [PKC 11]

145 And... Thank You

146 And Now The Part We Were All Waiting For.


Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Algebraic Aspects of Symmetric-key Cryptography

Algebraic Aspects of Symmetric-key Cryptography Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques

More information

How Fast can be Algebraic Attacks on Block Ciphers?

How Fast can be Algebraic Attacks on Block Ciphers? How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org

More information

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

An introduction to Hash functions

An introduction to Hash functions An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Division Property: a New Attack Against Block Ciphers

Division Property: a New Attack Against Block Ciphers Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption

More information

Provable Seconde Preimage Resistance Revisited

Provable Seconde Preimage Resistance Revisited Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions

More information

Quantum Differential and Linear Cryptanalysis

Quantum Differential and Linear Cryptanalysis Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria

More information

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Cryptanalysis of Tweaked Versions of SMASH and Reparation Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr

More information

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

Differential-Linear Cryptanalysis of Serpent

Differential-Linear Cryptanalysis of Serpent Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

Hidden Field Equations

Hidden Field Equations Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Security Analysis of the Compression Function of Lesamnta and its Impact

Security Analysis of the Compression Function of Lesamnta and its Impact Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp

More information

Cryptanalysis of the TTM Cryptosystem

Cryptanalysis of the TTM Cryptosystem Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract

More information

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1, Jérémy Jean 1, Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

Provable Chosen-Target-Forced-Midx Preimage Resistance

Provable Chosen-Target-Forced-Midx Preimage Resistance Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October

More information

Subspace Trail Cryptanalysis and its Applications to AES

Subspace Trail Cryptanalysis and its Applications to AES Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic

More information

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

Gröbner Bases in Public-Key Cryptography

Gröbner Bases in Public-Key Cryptography Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis

More information

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Hashes and Message Digests Alex X. Liu & Haipeng Dai Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot

More information

Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysis results Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Poly Dragon: An efficient Multivariate Public Key Cryptosystem Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010

More information

Table Of Contents. ! 1. Introduction to AES

Table Of Contents. ! 1. Introduction to AES 1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover

More information

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf

More information

Analysis of cryptographic hash functions

Analysis of cryptographic hash functions Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps

More information

Linear Analysis of Reduced-Round CubeHash

Linear Analysis of Reduced-Round CubeHash Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Asymmetric Encryption

Asymmetric Encryption -3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function

More information

Cryptanalysis of EnRUPT

Cryptanalysis of EnRUPT Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Improved Cryptanalysis of HFEv- via Projection

Improved Cryptanalysis of HFEv- via Projection Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection

More information

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Breaking Symmetric Cryptosystems Using Quantum Algorithms Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking

More information

Key Recovery on Hidden Monomial Multivariate Schemes

Key Recovery on Hidden Monomial Multivariate Schemes Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,

More information

Mathematics of Cryptography

Mathematics of Cryptography UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms

More information

Lecture 4: DES and block ciphers

Lecture 4: DES and block ciphers Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

ENEE 459-C Computer Security. Message authentication (continue from previous lecture) ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic

More information

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and

More information

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Multivariate Quadratic Public-Key Cryptography Part 1: Basics Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Second Preimage Attacks on Dithered Hash Functions

Second Preimage Attacks on Dithered Hash Functions Second Preimage Attacks on Dithered Hash Functions Charles Bouillaguet 1, Pierre-Alain Fouque 1, Adi Shamir 1,2, and Sebastien Zimmer 1 1 École normale supérieure Département d Informatique 45, rue d Ulm

More information

Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners

Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological

More information

Cryptographic Hash Functions

Cryptographic Hash Functions Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions

More information

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1,Jérémy Jean 1(B),Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical

More information

Public key cryptography using Permutation P-Polynomials over Finite Fields

Public key cryptography using Permutation P-Polynomials over Finite Fields Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,

More information

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of Reduced-Round PRESENT Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable

More information

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

Provable Security in Symmetric Key Cryptography

Provable Security in Symmetric Key Cryptography Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X

More information

Linear Analysis of Reduced-Round CubeHash

Linear Analysis of Reduced-Round CubeHash Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer

More information

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical

More information

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver. Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by

More information

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under

More information

Structural Cryptanalysis of SASAS

Structural Cryptanalysis of SASAS J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,

More information

2: Iterated Cryptographic Hash Functions

2: Iterated Cryptographic Hash Functions 2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

The Shortest Signatures Ever

The Shortest Signatures Ever The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Algorithmic Number Theory and Public-key Cryptography

Algorithmic Number Theory and Public-key Cryptography Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented

More information

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Charles Bouillaguet 1, Orr Dunkelman 2, Gaëtan Leurent 1, and Pierre-Alain Fouque 1 1 Département

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Differential Cryptanalysis for Multivariate Schemes

Differential Cryptanalysis for Multivariate Schemes Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem

More information

Public-Seed Pseudorandom Permutations

Public-Seed Pseudorandom Permutations Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study

More information