Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Transcription

1 Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27

2 Cube attacks 2 / 27

3 Timeline Aug 08: Shamir presents cube attacks at CRYPTO Sep 08: Dinur/Shamir paper on eprint, attack on 771-round Trivium Oct 08: cube attacks reported on 14-round MD6 Oct 08: cube testers reported on 18-round MD6 Dec 08: Dinur/Shamir paper accepted to EUROCRYPT Jan 09: cube testers reported on Shabal 3 / 27

4 Cube attacks in a nutshell Can attack any primitive with secret and public variables keyed hash functions stream ciphers block ciphers MACs Target algorithms with low-degree components stream ciphers based on low-degree NFSR hash functions with only XORs and a few ANDs 4 / 27

5 Cube attacks in a nutshell Requirements of the attacker: only black-box access to the function negligible memory Cube attacks work in 2 phases precomputation: chosen keys and chosen IVs online: fixed unknown key and chosen IVs 5 / 27

6 Key observation 1 Any function f : {0, 1} m {0, 1} n admits an algebraic normal form (ANF) Example: f : {0, 1} 10 {0, 1} 4 f 1 (x) = x 1 x 2 + x 2 x 8 x 9 + x 3 x 4 x 5 x 6 x 7 f 2 (x) = x 2 x 4 + x 6 x 8 x 9 + x 5 x 6 x 7 x 8 x 9 x 10 f 3 (x) = 1 f 4 (x) = 1 + x 1 + x 3 + x 5 6 / 27

7 Key observation 2 Computation of the largest monomial s coefficient f (x 1, x 2, x 3, x 4 ) = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x x 1 x 2 x 3 x 4 Sum over all values of (x 1, x 2, x 3, x 4 ): f (0, 0, 0, 0)+f (0, 0, 0, 1)+f (0, 0, 1, 0)+ +f (1, 1, 1, 1) = 0 7 / 27

8 Key observation 3 Evaluation of factor polynomials f (x 1, x 2, x 3, x 4 ) = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 = x 1 + x 3 + x 1 x 2 (x 3 + x 4 ) Fix x 3 and x 4, sum over all values of (x 1, x 2 ): (x 1,x 2 ) {0,1} 2 f (x 1, x 2, x 3, x 4 ) = 4 x x (x 3 + x 4 ) = x 3 + x 4 8 / 27

9 Key observation 3 Evaluation of factor polynomials f (x 1, x 2, x 3, x 4 ) = + x 1 x 2 (x 3 + x 4 ) Fix x 3 and x 4, sum over all values of (x 1, x 2 ): (x 1,x 2 ) {0,1} 2 f (x 1, x 2, x 3, x 4 ) = x 3 + x 4 9 / 27

10 Terminology f (x 1, x 2, x 3, x 4 ) = x 1 + x 3 + x 1 x 2 (x 3 + x 4 ) (x 3 + x 4 ) is called the superpoly of the cube x 1 x 2 10 / 27

11 Evaluation of a superpoly x 3 and x 4 fixed and unknown f (,, x 3, x 4 ) queried as a black box ANF unknown, except: x 1 x 2 s superpoly is (x 3 + x 4 ) f (x 1, x 2, x 3, x 4 ) = + x 1 x 2 (x 3 + x 4 ) + Query f to evaluate the superpoly: (x 1,x 2 ) {0,1} 2 f (x 1, x 2, x 3, x 4 ) = x 3 + x 4 11 / 27

12 Key-recovery attack On a stream cipher with key k and IV v f : (k, v) first keystream bit Offline: find cubes with linear superpolys f (k, v) = + v 1 v 3 v 5 v 7 (k 2 + k 3 + k 5 ) + f (k, v) = + v 1 v 2 v 6 v 8 v 12 (k 1 + k 2 ) + = f (k, v) = + v 3 v 4 v 5 v 6 (k 3 + k 4 + k 5 ) + (reconstruct the superpolys with linearity tests) Online: evaluate the superpolys, solve the system 12 / 27

13 Cube testers 13 / 27

14 Cube testers in a nutshell Like cube attacks: need only black-box access target primitives with secret and public variables and built on low-degree components Unlike cube attacks: give distinguishers rather than key-recovery don t require low-degree functions need no precomputation 14 / 27

15 Basic idea Detect structure (nonrandomness) in the superpoly, using algebraic property testers A tester for property P on the function f : makes (adaptive) queries to f accepts when f satisfies P rejects with bounded probability otherwise 15 / 27

16 Examples of efficiently testable properties balance linearity low-degree constantness presence of linear variables presence of neutral variables General characterization by Kaufman/Sudan, STOC / 27

17 Superpolys attackable by testing low-degree (6) + x 1 x 2 x 3 (x 5 x 6 + x 7 x 21 + x 6 x 9 x 20 x 30 x 40 x 50 ) +... neutral variables (x 6 ) + x 1 x 2 x 3 x 4 x 5 g(x 7, x 8,..., x 80 ) +... linear variables (x 6 ) + x 1 x 2 x 3 x 4 x 5 (x 6 + g(x 7, x 8,..., x 80 )) + 17 / 27

18 Results 18 / 27

19 MD6 Presented by Rivest at CRYPTO 2008 Submitted to the SHA-3 competition quadtree structure construction RO-indifferentiable low-degree compression function at least 80 rounds best attack by the designers: 12 rounds 19 / 27

20 MD6 s compression function {0, 1} {0, 1} Input: 64-bit words A 0.A 1,..., A 88 Compute the A i s with the recursion x S i A i 17 A i 89 (A i 18 A i 21 ) (A i 31 A i 67 ) x x (x r i ) A i x (x l i ) round-dependent constant S i quadratic step, at least 1280 steps 20 / 27

21 Results on MD6 Cube attack (key recovery) on the 14-round compression function recover any 128-bit key in time 2 22 Cube testers (testing balance) detect nonrandomness on 18 rounds detect nonrandomness on 66 rounds when S i = 0 in time 2 17, 2 24, resp. 21 / 27

22 Trivium Stream cipher by De Cannière and Preneel, 2005 estream HW portfolio 80-bit key and IV 3 quadratic NFSRs 1152 initialization rounds best attack on 771 rounds (cube attack) 22 / 27

23 Cube testers on Trivium Test the presence of neutral variables Distinguishers (only choose IVs) 2 24 : 772 rounds 2 30 : 790 rounds Nonrandomness (assumes some control of the key) 2 24 : 842 rounds 2 27 : 885 rounds Full version: 1152 rounds 23 / 27

24 Conclusions 24 / 27

25 Cube testers + more general than classical cube attacks no precomputation polymorphic only gives distinguishers only finds feasible attacks relevant for a minority of functions (like cube attacks) 25 / 27

26 Open issues How to predict the existence of unexpected properties? How to find the best cubes? Attack on (reduced versions of) other algorithms: Grain, ESSENCE, Keccak, Luffa, Shabal, / 27

27 Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 27 / 27