Revisiting AES Related-Key Differential Attacks with Constraint Programming

Size: px

Start display at page:

Download "Revisiting AES Related-Key Differential Attacks with Constraint Programming"

Myron Lamb
5 years ago
Views:

1 Revisiting AES Related-Key Differential Attacs with Constraint Programming D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) () - LIMOS, Université Clermont-Ferrand (2) - LORIA, Université de Lorraine (3) - LIRIS, INSA de Lyon Journées Méthodes Formelles - 3 May 27 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) / 4

2 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4

3 AES (Advanced Encryption Standard) Bloc cipher standard since 2 Input: A plaintext X = 28 bits = 4x4 bytes A ey K = 28, 92, or 256 bits = 4x4, 4x6, or 4x8 bytes Output: a ciphertext E K (X ) such that X = E K (E K (X )) Iterative process of r rounds: r = (2, 4) when K = 28 (92, 256) Operations applied at each round i [, r ] for AES-28: Key K = K (4 4 bytes) Subey K i+ SR MC Plaintext X (4 4 bytes) X i Xr Ciphertext E K (X ) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4

4 Cryptanalysis of the AES Bloc Cipher (/2) Differential Cryptanalysis [Biham and Shamir 99]: Trac XOR differences through the ciphering process to recover the ey: Let δx = X X be an input plaintext difference Let δy = E K (X ) E K (X ) be the output difference The cipher is wea if δx and δy such that Pr[δY δx ] >> 2 K Key recovery in O(/Pr[δY δx ]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4

5 Cryptanalysis of the AES Bloc Cipher (2/2) Related-Key Attac [Biham 993]: Inject differences in texts and eys Let δx = X X be an input plaintext difference Let δk = K K be an input ey difference Let δy = E K (X ) E K (X ) be the output difference The cipher is wea if δx, δk, and δy such that Pr[δY δx, δk] >> 2 K Key recovery in O(/Pr[δY δx, δk]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 5 / 4

6 Related-Key Differential of AES δk = K K δk i+ = K i+ K i+ δx i = X i X i SR MC δx = X X δxr = Xr X r δy = Y Y Goal: Find δx, δk, and δy that maximizes Pr[δY δx, δk ]:, SR, and MC are linear: op(b i ) op(b j ) = op(b i B j ) Probabilities are equal to (or ) for these operators is not linear: Let Pr[δ o δ i ] = #{(B,B2) [,256]2 δ i =B B 2 and δ o=s(b ) S(B 2)} 256 Probability to have output difference δ o given input difference δ i Perfect cipher: δ i, δ o, Pr[δ o δ i ] = 256 but this is impossible! 2 of AES: if δ o =δ i = then Pr[δ o δ i ]= else Pr[δ o δ i ] {, 256, 4 D Gerault (), P combines Lafourcade () linear, M Minier operators (2), C Solnon with (3) non linear on some bytes 6 / }

7 Two step solving process [Biryuov et al 2, Fouque et al 23] Step : Asbtract differential bytes δb = B B to booleans B For each differential byte δb: B = if δb = ; B = if δb [, 255] K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 7 / 4

8 Two step solving process [Biryuov et al 2, Fouque et al 23] Step : Asbtract differential bytes δb = B B to booleans B For each differential byte δb: B = if δb = ; B = if δb [, 255] Minimize the nb of boolean variables X i [j][] and K i [j][3] set to : If δx i [j][] = δsx i [j][] = then Pr[δSX i [j][] δx i [j][]] = 2 Otherwise Pr[δSX i [j][] δx i [j][]] {, 256, } K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 7 / 4

9 Two step solving process [Biryuov et al 2, Fouque et al 23] Step 2: Concretize booleans to differential bytes If B = then set δb to ; otherwise search for δb [, 255] If not possible: Solution byte-inconsistent If possible: Solution byte-consistent Maximize the probability Pr[δSX r δx, δk ] K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 8 / 4

10 Existing approaches Biryuov et al 2: Branch & Bound for Step K = 28: Several days of CPU time K = 92: Several wees of CPU time Fouque et al 23: Graph traversal for Step K = 28: 3mn of CPU time (on 2 cores) but 6 GB of memory Not extended to K = 92 or 256 In both cases: Difficult and time-consuming programming wor Checing the correctness of the program is not straightforward D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 9 / 4

11 What about Constraint Programming (CP)? Solving a problem with CP: Define the problem with a declarative language: Variables (unnowns) and their domains Constraints (relations between variables) Optionally: Objective function to optimize Use generic engines to search for solutions Using CP to compute related-ey differentials: Step : Less than 35 hours for the hardest instance Step 2: Less than 6 minutes for the hardest instance Prove inconsistency of a solution proposed by Biryuov et al 2 New related-ey differentials: K = 28: p = 2 79 (instead of 2 8 ) for 4 rounds K = 92: p = 2 76 for rounds K = 256: p = 2 46 (instead of 2 54 ) for 4 rounds D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) / 4

12 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) / 4

13 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r For each round i, for each row j and each column : X [j][], X i [j][], SX i [j][], R i [j][], M i [j][], K i [j][], SK i [j][3] Boolean variables Domains = {, } D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4

14 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r performs XOR operations: j, [, 3] : XOR( X [j][], K [j][], X [j][]) i [, r ], j, [, 3] : XOR( M i [j][], K i+ [j][], X i+ [j][]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4

15 CP Basic : First CP model for Step XOR at the byte level: δb δb 2 δb 3 = (δb, δb 2, δb 3 ) {(,, )} {(, x, x) x [, 255]} {(x,, x) x [, 255]} {(x, x, ) x [, 255]} {(x, y, z) x, y, z [, 255], x y z} XOR at the boolean level: ( B, B 2, B 3 ) { (,, ), (,, ), (,, ), (,, ), (,, )} Definition of the XOR( B, B 2, B 3 ) constraint: B + B 2 + B 3 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4

i ) S(B j ) = ) i [, r], j, [, 3]: X i [j][] = SX i [j][] i [, r], j [, 3]: K i

16 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r SubBytes does not introduce nor remove differences (because B i B j = S(B i ) S(B j ) = ) i [, r], j, [, 3]: X i [j][] = SX i [j][] i [, r], j [, 3]: K i [j][3] = SK i [j][3] D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 5 / 4

17 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r SR shifts bytes: i [, r ], j, [, 3]: R i [j][] = SX i [j][ + j%4] D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 6 / 4

Ensures the MDS property: i [, r ], [, 3] 3 R i [j][] + M i [j][] {,

18 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r MC multiplies each column by a fixed matrix Ensures the MDS property: i [, r ], [, 3] 3 R i [j][] + M i [j][] {, 5, 6, 7, 8} j= D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 7 / 4

19 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r RotWord SubWord Rcon RotWord SubWord Rcon,, 2, 3,,, 2, 3,,, 2, 3,,, 2, 3,,2,2 2,2 3,2,2,2 2,2 3,2,3,3 2,3 3,3,3,3 2,3 3,3 performs XOR, byte shifts, and operations For AES-28: i [, r ], j [, 3] : Column : XOR( K i [j][], SK i [(j + )%4][3], K i [j][]) Columns [, 3]: XOR( K i [j][], K i [j][ ], K i [j][]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 8 / 4

20 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r Goal: Minimize the number of differences that pass through SubBytes: r 3 3 obj Step = ( K i [j][3] + X i [j][]) Ordering heuristics: i= j= = First choose variables that occur in the objective function D Gerault First (), P Lafourcade assign them (), M Minier to (2), C Solnon (3) 9 / 4

21 CP Basic : First CP model for Step r obj Step BCS S Gecode Choco 4 Chuffed Time CP Time CP Time CP 3 2 9e 4e 5e 3 3 5e 2 2e 3 4 2e 3 7e e 3 3 2e 4 8 e 4 2 5e e 4 6 6e 4 5 5e 4 9 2e e 4 6 e 4 3 8e e 4 7 e e 4 4 4e 4 4 6e e e 6 4 9e e r = Nb rounds obj Step = Nb of differences that pass through (active S-boxes) BCS = Number of byte-consistent solutions Boolean solutions that can be concretized to byte solutions S = Number of solutions Most NOT byte-consistent CP = number of choice points in the search tree Chuffed explores less choice points and is faster D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4

22 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4

23 CP EQ : Second CP model for Step What s wrong with CP Basic? XOR constraints do not propagate equality relationships at the byte level For example, if δa δb δc = and δa δb δd = then δc = δd However, at the boolean level, we only propagate: A + B + C and A + B + D New variables and constraints to model byte equalities: For each couple of differential bytes (δa, δb): EQ δa,δb = if δa = δb EQ δa,δb = if δa δb Symmetry: EQ δa,δb = EQ δb,δa Transitivity: EQ δa,δb = EQ δb,δc = EQ δa,δc = Relation with variables: EQ δa,δb = A = B EQ δa,δb = A + B D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 22 / 4

24 CP EQ : Second CP model for Step Definition of XOR in CP Basic : B + B 2 + B 3 Can we strengthen it by exploiting byte equalities? Yes, because: B = δb 2 = δb 3 B 2 = δb = δb 3 B 3 = δb = δb 2 New definition of XOR: XOR( B, B 2, B 3 ) (( B + B 2 + B 3 ) (EQ δb,δb 2 = B 3 ) (EQ δb,δb 3 = B 2 ) (EQ δb2,δb 3 = B )) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 23 / 4

25 CP EQ : Second CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r MDS also holds when XORing different columns of δr and δm: i, i 2 [, r ],, 2 [, 3], the number of bytes equal to in δr i [j][ ] δr i2 [j][ 2 ] and δm i [j][ ] δm i2 [j][ 2 ] {,, 2, 3, 8} New constraints to ensure MDS: i, i 2 [, r ],, 2 [, 3] 3 j= EQ δr i [j][],δr i2 [j][2] + EQ δmi [j][],δm i2 [j][2] {,, 2, 3, 8} D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 24 / 4

26 ,, 2, 3,,, 2, 3,,, 2, 3,,, 2, 3,,2,2 2,2 3,2,2,2 2,2 3,2,3,3 2,3 3,3,3,3 2,3 3,3 Diff Crypt Step () Step (2) Step (3) Step 2 Results Conclusion CP EQ : Second CP model for Step (mainly) performs XOR operations: Column : K i [j][] = K i [j][] SK i [(j + )%4][3] Columns [, 3]: K i [j][] = K i [j][ ] K i [j][] Each byte of K i is eq to a XOR of bytes of K and SK i Ex: K 2 [][] = K 2 [][] K [][] = K [][] SK [2][3] K [][] K [][] = SK [2][3] K [][] New constraints: Pre-compute sets V i,j, such that δk i [j][] = δb V i,j, δb Introduce set variables S i,j, and post the following constraints: S i,j, = {δb V i,j, B = } If S i,j, = then K i [j][] = If S i,j, = {δb} then EQ δki [j][],δb = If S i,j, = {δb, δb 2 } then XOR( B, B 2, K i [j][]) If i, j, st S i,j, = S i,j, then EQ δk i [j][],δk i [j ][ ] = RotWord SubWord Rcon RotWord SubWord Rcon D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 25 / 4

27 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 26 / 4

28 CP Class : Third CP model for Step Alternative way to model equivalence classes: For each boolean variable B, define an integer variable Class δb D(Class δb ) = [, 255] Constraints: ( B = ) (Class δb = ) Global precede constraint to brea symmetries Update all constraints: replace EQ δb,δb 2 = by Class δb = Class δb2 replace EQ δb,δb 2 = by Class δb Class δb2 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 27 / 4

29 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 28 / 4

30 CP model for Step 2 Initialize Obj Step to 2 Step : Search for all boolean solutions 3 For each boolean solution of Step : Step 2: Search for byte values that maximize Pr[δSX r δx, δk ] (or detect inconsistency and set Pr to ) Let Pr max be the largest probability wrt all boolean solutions of Step 4 If Pr max < 2 6(Obj Step+) then increment Obj Step and go to (2) Otherwise, return Pr max K SK i [j][3] K i+ SR MC X X i SX i R i M i Xr SXr D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 29 / 4

31 CP model for Step 2 For each boolean variable B: Integer variable δb If B = in the Step solution then: D(δB) = {} Otherwise: D(δB) = [, 255] For each byte A on which is applied: Integer variable P A Base 2 logarithm of Pr(δSA δa) If A = SA = then: D(P A ) = {} because Pr( ) = Otherwise: D(P A ) = { 7, 6} because Pr(δSA δa) { 2 256, } Objective function: Maximize obj Step2 = A on which is applied P A K SK i [j][3] K i+ SR MC X X i SX i R i M i Xr SXr D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4

32 Table constraint related to : For each byte A on which is applied: CP model for Step 2 (δa, δsa, P A ) {(X, Y, P) (B, B 2 ) [, 255] [, 255], X = B B 2, Y = S(B ) S(B 2 ), P = log 2 (Pr(Y X ))} Constraints related to,, SR, and MC: Straightforward definition with table constraints K SK i [j][3] K i+ SR MC X X i SX i R i M i Xr SXr D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4

33 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 32 / 4

34 Experimental setup Languages and Solvers: CP models for Step are defined in MiniZinc Benchmar for the 26 MiniZinc Challenge Best results are obtained with Chuffed and Picat The CP model for Step 2 is defined in Choco 4 (Java CP library) CPU time limit for Step : 24 hours on a 35 GHz i7-47mq processor with 8 gigabytes of memory If not solved in 24 hours: Decompose into independent subproblems D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 33 / 4

35 Scale-up properties: AES-28 Step Step 2 r obj Step time # boolean # byte-cons time Pr CP EQ CP Class solutions solutions ?? 542 2? 2 3 Useless to go on with r > 6 because 2 3 < 2 28 Recall of the results of CP Basic for Step : r = 3, obj Step = 5 : 2e 4 boolean solutions r = 4, obj Step = : 9e 7 boolean solutions Most byte-inconsistent sol are removed by new constraints at byte level D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 34 / 4

36 Extension to AES-92 and AES-256 Key K Subey K i+ SR MC Plaintext X (4 4 bytes) X i X r Ciphertext E K (X ) Update constraints related to KeySchedule: Step : XOR constraints combined with byte shifts Step 2: XOR constraints combined with byte shifts + SubBytes on some columns D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 35 / 4

37 Extension to AES-92 and AES-256 Key K Subey K i+ SR MC Plaintext X (4 4 bytes) X i X r Ciphertext E K (X ) Update constraints related to KeySchedule: Step : XOR constraints combined with byte shifts Step 2: XOR constraints combined with byte shifts + SubBytes on some columns D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 35 / 4

38 Scale-up properties: AES-92 Step Step 2 r obj Step time # boolean # byte time Pr CP EQ CP Class Useless to go on with r > or obj Step > 3 because 6 32 = 92 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 36 / 4

39 Scale-up properties: AES-256 Step Step 2 r obj Step time # boolean # byte-cons time Pr CP EQ CP Class solutions solutions D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 37 / 4

40 Decomposition of hard instances into independent subproblems For each round i: Integer variables SumX i and SumK i Number of differences in δx i : SumX i = j, [,3] X i[j][] Number of differences in δk i : SumK i = j [,3] K i[j][3] One subproblem for each possible value of SumX i and SumK i All subproblems are independent and may be solved in parallel Combine Picat and Chuffed to solve the subproblems Use Picat to enumerate SumX i and SumK i with solutions (if any) Use Chuffed to enumerate all solutions, given SumX i and SumK i given by Picat Time to solve the hardest instance AES-92 with r = and obj Step = 29 Less than 24 hours for each subproblem and 35 hours for the complete sum D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 38 / 4

41 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 39 / 4

42 Conclusion Better related-ey differential Characteristic For AES-28, For 4 rounds, our solution (proved optimal): obj Step = 2 and Pr = 2 79 (before obj Step = 3 and Pr = 2 8 ) For AES-92, For rounds (not ) best related-ey differential trail: obj Step = 29 and Pr = 2 76 For AES-256, For 4 rounds, our solution (proved optimal): obj Step = 24 and Pr = 2 46 (before Pr = 2 54 ) Declarative framewor for Cryptanalysis? CP models describe problems, not how to solve them: Easier to define and chec than a full program Better solutions than [Biryuov et al 29] and [Fouque et al 23] Models are defined with the MiniZinc language: We can use different CP solvers to solve them D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4

43 Thans for Your Attention! Questions? D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4

Revisiting AES Related-Key Differential Attacks with Constraint Programming

Revisiting AES Related-Key Differential Attacks with Constraint Programming David Gérault, Pascal Lafourcade, Marine Minier, Christine Solnon To cite this version: David Gérault, Pascal Lafourcade, Marine