Center for Applied Cryptographic Research. fa2youssef,

Size: px

Start display at page:

Download "Center for Applied Cryptographic Research. fa2youssef,"

Meredith McDaniel
5 years ago
Views:

1 On the Interpolation Attacks on Block Ciphers A.M. Youssef and G. Gong Center for Applied Cryptographic Research Department of Combinatorics and Optimization University of Waterloo, Waterloo, ON NL 3G fayoussef, Abstract. The complexity of interpolation attacks on block ciphers depends on the degree of the polynomial approximation andèor on the number of terms in the polynomial approximation expression. In some situations, the round function or the S-boxes of the block cipher are expressed explicitly in terms of algebraic function, yet in many other occasions the S-boxes are expressed in terms of their Boolean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-boxes or the round function using the Lagrange interpolation formula. A natural question is what is the eèect of the choice of the irreducible polynomial used to construct the ènite èeld on the degree of the resulting polynomial. Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-boxes èor the round functionè such that the resulting polynomial has a less degree or smaller number of non-zero coeècients. In this paper we give an answer to these questions. We also present an explicit relation between the Lagrange interpolation formula and the Galois Field Fourier Transform. Keywords: Block cipher, cryptanalysis, interpolation attack, ènite èelds, Galois Field Fourier Transform Introduction Gong and Golomb è7è introduced a new criterion for the S-box design. Because many block ciphers can be viewed as a Non Linear Feedback Shift Register ènlfsrè with input then the S-boxes should not be approximated by a monomial. The reason is that the trace functions Trèè j d è and Trèèè have the same linear span. From the view point of m-sequences èè, both of the sequences ftrèèè id èg iè and ftrèèè i èg iè are m-sequences of period n,. The former can be obtained from the later by decimation d. Gong and Golomb showed that the distance of DES S-boxes approximated by monomial functions has the same distribution as for the S-boxes approximated by linear functions. In è3è Jakobsen and Knudsen introduced a new attack on block ciphers. This attack is useful for attacking ciphers using simple algebraic functions as S-boxes. The attack is based on the well known Lagrange interpolation formula. Let R be B. Schneier (Ed.): FSE, LNCS 978, pp. 9,. Springer-Verlag Berlin Heidelberg

2 A.M. Youssef and G. Gong a èeld. Given n elements x;:::;x n ;y;:::;y n R; where the x i s are distinct. Deène n Y x, x j fèxè = y i : x i= i, x j èjèn;j6=i Then fèxè is the only polynomial over R of degree at most n, such that fèx i è=y i for i =;:::;n. The main result in è3è is that for an iterated block cipher with block size m, if the cipher-text is expressed as a polynomial with n è m coeècients of the plain-text, then there exists an interpolation attack of time complexity n requiring n known plain-texts encrypted with a secret key K, which ènds an algorithm equivalent to encryption èor decryptionè with K. This attack can also be extended to a key recovery attack. In è4è Jakobsen extended this cryptanalysis method to attack block ciphers with probabilistic nonlinear relation of low degree. Using recent results from coding theory èsudan's algorithm for decoding Reed-Solomon codes beyond the error correction parameterè6èè, Jakobsen showed how to break ciphers where the cipher-text is expressible as evaluations of unknown univariate polynomial of low degree m with a typically low probability è. The known plain-text attack requires n =m=è plain-textècipher-text pairs. In the same paper, Jakobsen also presented a second attack that needs access to n =èm=èè plain-textècipher-text pairs and its running time is polynomial in n. It is clear that the complexity of such cryptanalytic attacks depends on the degree of the polynomial approximation or on the number of terms in the polynomial approximation expression. In some situations, the round function or the S-boxes of the block cipher are expressed explicitly in terms of algebraic function èfor example see è8è è,yet in many other occasions the S-boxes are expressed in terms of their Boolean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-boxes or the round function using the Lagrange interpolation formula. A natural question is what is the eèect of the choice of the irreducible polynomial used to construct the ènite èeld on the degree of the resulting polynomial. Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-boxes èor the round functionè such that the resulting polynomial has a less degree or smaller number of coeècients. In this paper we give explicit answer to these questions. To illustrate the idea, consider the binary mapping from GF èè 4 to GF èè 4 given in the Table. If the Lagrange interpolation formula is applied to GF è 4 è where GF è 4 è is deèned by the irreducible polynomial then we have F èè = ; GF è 4 è. However, if we use the irreducible polynomial to deène GF è 4 è then we have F èè = 3 ; GF è 4 è which isobviously a simpler description. An interesting observation follows when applying the Lagrange interpolation formula to the DES S-boxes. In this case we consider the DES S-boxes output èè

3 On the Interpolation Attacks on Block Ciphers x f èxè Table. coordinates as a mapping from GF è 6 ètogf èè. Let f be the Boolean function resulting from ORing all the output coordinates of the DES S-box number four. When we deène GF è 6 è using the irreducible polynomial , the polynomial resulting from applying the Lagrange interpolation formula to f has only 39 nonzero coeècient. The Hamming weight of all the exponents corresponding to the nonzero coeècients was è 3. It should be noted that the expected value of the number of nonzero coeècients for a randomly selected function over GF è 6 è is 63. While this observation doesn't have a cryptanalytic signiècance, it shows the eèect of changing the irreducible polynomial when trying to search for a polynomial representation for cipher functions. Mathematical background and deènitions For a background about the general theory of ènite èelds, the reader is referred to èè and for a background about ènite èelds of charachteristic, the reader is referred to èè. Most of the results in this paper can be extended in a straightforward way from GF è n ètogf èq n è. Throughout this paper, we use integer P labels to present ènite èeld elements. I.e., for any element GF è 4 è, = x i+è i ;x i GF èè where P è is a root of the irreducible polynomial which deènes GF è n è, we represent by x i+ i as an integer in the range è; n,è. The associated addition and multiplication operations of these labels are deèned by the ènite èeld structure and have no resemblance to modular integer arithmetic. Deènition. A polynomial having the special form Lèè = t è i i with coeècients è i from GF è n è is called a linearized polynomial over GF è n è. Deènition. A cyclotomic coset mod N that contains an integer s is the set èè C s = fs;sq;:::;sq m, g èmod Nè è3è where m is the smallest positive integer such that sq m è s èmod Nè.

4 A.M. Youssef and G. Gong Lemma 3. Let A be a linear mapping over GF è n è, then Aèè; GF è n è can be expressed in terms of a linearized polynomial over GF è n è. I.e., we can express Aèè as Aèè = è i i Lemma 4. Let è;è;:::;è t be elements in GF è n è. Then è4è èè + è + :::+ è t è k = è k + è k + :::+ è k t è5è Lemma 5. The number of ways of choosing a basis of GF è n è over GF èè is Y è n, i è 3 Lagrange coeècients, Galois Field Fourier Transform and Boolean functions 3. Relation between the Galois Field Fourier Transform and the Lagrange coeècients In this section we give an explicit formula for the relation between the Lagrange Interpolation of F and the Galois Field Fourier Transform of its corresponding sequence. Besides its theoretical interest, the cryptographic signiècance of this relation stems from the view point of Gong and Golomb è7è where they model many block ciphers as a Non Linear Feedback Shift Register ènlfsrè with input. Let v = èv;v;:::;v l,è beavector over GF èqè whose length l divides q m, for some integer positive m. Let è be an element of order l in GF èq m è. The Galois èeld Fourier transform ègfftè èè of v is the vector Fèvè = V =èv;v;:::;v l,è where fv j g are computed as follows. l, V j = è,ij v i ;j =; ;:::;l, : The inverse transform is given by v i = l, è ij V j ;; ;:::;l, : l j= In the literature, è and è, are swapped in the equations above. Since è and è, have the same order, we may use the form presented here. We use this form in order to make it easy to compare with the polynomial representation. For the purpose of our discussion, we will consider the case with q = n, m = and l = n,. For a detailed discussion of the general case relation between the Lagrange Interpolation formula and the GFFT, the reader is referred to è3è. è6è è7è è8è

5 On the Interpolation Attacks on Block Ciphers 3 Theorem 6. Let F èè = P n, b i i be a function in GF è n è with the corresponding sequence v =èv;v;:::;v n,è where v i = F èè i è;i =; ;:::; n, and è GF è n è has order n,. IfF èè = then we have b i = 8è : if i = V i if èiè n, ; V if i = n, ; Proof: For functions in GF è n è, the Lagrange interpolation formula can be rewritten as n, F èè = b i i = F èèèè + è + èè n, è; èè where ègfè n è b i =è F èè if i =; PèGFè n è F èèèè,i if è i è n, è9è èè Equation è7è can be written as V i n, = è,ij v j n, = è,ij F èè j è= è,i F èèè; èè j= j= ègf è where GF è = GF è n è,fg. With the convention t = for any integer t, if F èè =, then è,i F èèè = è,i F èèè: è3è ègf è ègfè n è From Equation èè and èè we get b i = V i ; èiè n, : The result for i = n, follows by noting that and b n, = ègfè n è V = ègf è F èèè; F èèèè,èn,è = ègfè n è F èèè =V è4è è5è è6è which completes the proof. If F èè 6=, then we can compute its polynomial representation by èrst computing the polynomial representation of the function G, where Gèè = for = and Gèè =F èè otherwise. If we assume that F èè = P n, d i i and Gèè = P n, b i i and by noting that we can express F èè as then we have F èè =Gèè+F èèè + n, è; 8è : F d i = èè if i =; b i if èiè n, ; b n, + F èè if i = n, ; è7è è8è

6 4 A.M. Youssef and G. Gong 3. Relation between Boolean functions and its Galois èled polynomial representation Let F = GF èè and F ènè = fx;:::;x n jx i Fg. Let fèx;:::;x n è be a function from F n ènè to F. Then fèx;:::;x n è can be written as fèx;:::;x n è = èy;:::;y n è, where y j is a Boolean function in n variables, i.e., y j = y j èx;:::;x n è. Since F ènè is isomorphic to GF è n è, then fèx;:::;x n è can be regarded as a function F from GF è n ètogf è n è. It is well known that applying a linear transformation to a function f doesn't change its nonlinear degree. It is also known that the nonlinear degree of the function fèè = d is wtèdè. The following theorem illustrates the eèect of applying a linear transformation to the output coordinates of f on the coeècients of its corresponding polynomial. Theorem 7. Let F èè = d be a function of GF è n è which corresponds to the Boolean mapping fèx;:::;x n è = èfèxè;:::;f n èxèè over F ènè. Then the function Gèè P corresponding to the Boolean mapping obtained by applying a linear transformation to the output coordinates of fèx;:::;x n è can be expressed as Gèè = n, b i i, where b i =8i 6 C d and C d is the cyclotomic coset èmod n, è. Proof: Using Lemma 3, Gèè can be expressed as Gèè = èa i F èèè i = èa i d è i = a i i di : è9è The Theorem follows directly by noting that di = èdi èmodè n,è for GF è n è. Similarly, one can show that if F èè = P ii a i i, then Gèè = P jj b j j where J is the set of cyclotomic cosets modulo n, corresponding to the set I. Example. Consider the Boolean mapping fèxè in the Table. Assuming GF è 4 è x f èxè gèxè Table. is constructed using the irreducible polynomial , we have F èè =. Let gèxè be the function obtained from fèxè by swapping the least signiècant bits of the output. I.e., gèx;x;x3;x4è = èfèxè;fèxè;f4èxè;f3èxèè, then we have Gèè =

7 On the Interpolation Attacks on Block Ciphers 5 The following theorem illustrates the eèect of applying a linear transformation to the input coordinates of a given Boolean function on the coeècients of its corresponding polynomial. Theorem 8. Let F èè = d be a function of GF è n è which corresponds to the Boolean mapping fèx ;:::;x n è=èf èxè;:::;f n èxèè over F ènè.let Gèxè be the function which corresponds to the Boolean mapping obtained by applying a linear transformation to the input coordinates of x ;:::;x n while èxing fèx ;:::;x n è. Then Gèè can be expressed asgèè = P n, b i i, b i =for wtèiè èwtèdè, where wtèdè denotes the Hamming weight of d. Proof: Using Lemma 3, Gèè can be expressed as Gèè =è c i i è d èè Let d = P j= d j j and let J denote the set fj ;:::;j s g;s = wtèdè, for which d j =. Then we have =è i= = Gèè = c i i +j èè i= Y jj è c i i+j è c i i +j è :::è i= c is i +js è c i c i :::c is i +j + i +j +:::+ is+js èè èè è3è i;i;:::;is The Theorem follows by noting that wtè i+j + :::+ is+js è=s è wtèdè. Let W = max ii wtèiè. Then one can show that if F èè = P ii a i i, then Gèè = P jj b j j where J is the set of elements with Hamming weight è W. The following theorem illustrates the eèect of changing the irreducible polynomial used to construct the ènite èeld on the coeècients resulting polynomial. Theorem 9. Let F èè be a function of GF è n è which corresponds to the Boolean mapping fèx ;:::;x n è=èf èxè;:::;f n èxèè over F ènè using irreducible R. Then the function Gèxè which corresponds to the boolean mapping fèx ;:::;x n è and constructed using a dièerent irreducible polynomial R 6= R can be expressed as Gèè =LèF èl, èèèè; è4è where L is an invertible linear transformation over GF è n è.

8 6 A.M. Youssef and G. Gong Proof: Consider the ènite èeld generated P by an irreducible polynomial Rèè. In this case, GF è n è=fèè=èrèèè = f c i i jc i Fg where the multiplication is performed by modulus Rèè. Then every element in the èeld can be expressed as P a iè i where a i GF èè and è isarootofrèè. Similarly, if the èeld was generated using an irreducible polynomial Rèè. In this case, P GF è n è=fèè=èrèèè = f c i i jc i Fg where the multiplication is performed by P modulus Rèè. In this case, every element in the èeld can be expressed as express è i as b iè i ;b i GF èè where è is a root of Rèxè. However, we can è i = a j è j ;a j GF èè; è ièn: j= è5è This means that we can write Gèè =LèF èl, èèè where Lè:è is the linear transformation used to convert between the è and the è basis. From the theorem above changing the irreducible polynomial is equivalent to applying a linear transformation to both the input and the output coordinates, and hence we have the following corollary P Corollary. Let F èè = a ii i i be a function of GF è n è which corresponds to the Boolean mapping fèx;:::;x n è = èfèxè;:::;f n èxèè over F ènè using irreducible R. Let the W = max ii wtèiè. Then the function Gèxè corresponds to the boolean mapping fèx;:::;x n è and constructed using a dièerent irreducible polynomial R 6= R can be expressed as Gèè = jj b j j ; where J is the set of elements with Hamming weight è W. Example. Consider the Boolean function described in Table 3. è6è x f èxè Table 3. Using the irreducible polynomial with root è, wehave F èè = Now, consider the irreducible polynomial with root è. One can prove that è = è 3.Thus we have the following linear è è A = 4 3 è è A è7è

9 On the Interpolation Attacks on Block Ciphers 7 Applying this linear transformation to both the input and the output of the truth table we get L, èxèandlèfèxèè in Table 4. Interpolating the relation between L, èxè and Lèfèxèè, we get LèF èèè=èl, èèè 3. x L, èxè f èxè Lèf èxèè Table 4. To summarize the results in this section, a linear transformation on the output coordinates aèects only the coeècients of the exponents that belong to the same cyclotomic cosets of the exponent in the original function representation. A linear transformation on the input coordinates or changing the irreducible polynomial aèect only the coeècients of the exponents with Hamming weight less than or equal to the maximum Hamming weight of the exponents in original function representation. 4 Checking algebraic expressions for trap doors In è5è the authors presented a method to construct trap door block ciphers which contains some hidden structures known only to the cipher designers. The sample trapdoor cipher in è5è was broken èè and designing practical trape door S-boxes is still an intersting topic. In this section we discuss how tocheck if the S-boxes or the round function has a simple algebraic structure. In particular, we consider the case where we can represent the round function or the S-boxes by a monomial. The number of invertible linear transformations grows exponentially with n. Using exhaustive search to check if applying an invertible linear transformation to the output andèor the input coordinates of the Boolean function fèx ;:::;xnè =èf èxè;:::;fnèxèè leads to a simpler polynomial representation becomes computationally infeasible even for small values of n. In this section we show how to check for the existence of such simple description. Note that we only consider the case of polynomials over GF è n è. S-boxes with a complex algebraic expression over GF è n èmayhave a simpler description over other èelds. 4. Undoing the eèect of a linear transformation on the output coordinates First, we will consider the case of a function Gèè obtained by applying a linear transformation of the output coordinates of a monomial function d. The

10 8 A.M. Youssef and G. Gong algebraic description of such a function will have nonzero coeècients only for exponents C d èmod n, è. Thus Gèè is expressed as n, Gèè = b i id ; è8è b i =ifi= C d. A linear transformation of the output coordinates of Gèè can be expressed as n, LèGèèè = a j è b i i d è j è9è j= n, = a j b j i èi+j èd è3è j= By equating the coeècients of i to zero except for i = d, the above equation forms a system of n è n linear equations èwith unknowns a s GF i èn è è which can be checked for the existence of a solution using simple linear algebra. Example 3. Let Gèè = ; GF è 4 è constructed using the irreducible polynomial , Suppose we want tocheck if there exists a linear transformation on the output coordinates of Gèè;LèGèèè such that the resulting polynomial has only one term with degree. Using the theorem above, form the set of 4 è 4 linear equations over GF è 4 èwe get: 6 4 b b 3 b4 b8 b b b4 3 b8 b b b4 b8 3 b3 b b4 b a a C a A = a3 C A ; è3è For Gèè above wehave b =;b =;b =6;b3 =. Thus a a C aa = a3 C A è3è Solving for a i 's we get a ac aa = a3 and LèGèèè = Gèè+6Gèè +Gèè 4 +Gèè 8 = 6 C A è33è

11 On the Interpolation Attacks on Block Ciphers 9 4. Undoing the eèect of a linear transformation on the input coordinates Consider a function Gèè obtained by applying a linear transformation to the input coordinates of a monomial function d. The algebraic description of such a function will have zero coeècients for all exponents with Hamming weight èd. Thus Gèè is expressed as n, Gèè = b i i ; è34è b i =ifwtèiè èd A linear transformation of the input coordinates of Gèè can be expressed as n, LèGèèè = b i èa j j è i è35è j= If one tries to evaluate the above expression and equate the coeècients to the coeècients of a monomial, then one has to solve a set of non linear equations with unknowns a j ;j =; ;:::;n,. To overcome this problem, we will reduce the problem of undoing the eèect of a linear transformation on the input coordinates to undoing the eèect of a linear transformation on the output coordinates. Consider Gèè obtained by a linear transformation on the input coordinates of F èè. Then Gèè =F èlèèè. Thus we have G, èè =L, èf, èèè. If F èè is a monomial, then F, èè is also a monomial and our problem is reduced to ènding the linear transformation L, on the output coordinates of F, èè which is equivalent to solving a system of linear equations in n variables. Example 4. Consider the function Gèè = GF è 4 è where GF è 4 è is constructed using the irreducible polynomial In this case, we have Gèè, = In this case, we have 6 linear transformations on the output coordinates of G, èè that will map it to a monomial of exponent with weight 3. Out of these 6 transformations, we have 5 linear transformations such that LèG, èèè = a 3 ;a GF è 4 è. In particular, the linear mapping Lèè = on the output bits of G, èè reduces G, èè to 3, i.e., LèG, èèè = 3 and hence Gèè =èlèèè 7. Undoing the eèect of changing the irreducible polynomial corresponds to undoing the eèect of a linear transformation on both the input and the output coordinates which seems to be a hard problem. The number of irreducible polynomials of degree n over a ènite èeld with q elements is given by I n = n djn èèdèq n=d ; è36è

12 A.M. Youssef and G. Gong where èèdè is deèned by èèdè = 8 è : if d =; è,è k if d is the product of k distinct primes; if d is divisible by the square of a prime: è37è Since the dominant term in In occurs for d =,we get the estimate In è qn n è38è Thus for typical S-box sizes, exhaustive search through all the set of è n =nè irreducible polynomials seems to be a feasible task. References. R. Lidl and H. Niederreiter, Finite Fields èencyclopedia of Mathematics and its Applicationsè, Addison Wesley. Reading, MA R. J. McEliece, Finite Fields For Computer Scientists and Engineers, Kluwer Academic Publishers. Dordrecht T. Jakobsen and L. Knudsen, The Interpolation Attack on Block Ciphers, LNCS 67, Fast Software Encryption. pp T. Jakobsen, Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree, Proceedings of Crypto'99. LNCS 46. pp V. Rijmen and B. Preneel, A family of trapdoor ciphers, Proceedings of Fast Software Encryption. LNCS 67. pp M. Sudan, Decoding Reed Solomon Codes beyond the error-correction bound, Journal of Complexity. Vol. 3. no. pp8-93. March, G. Gong and S. W. Golomb, Transform Domain Analysis of DES, IEEE transactions on Information Theory. Vol. 45. no. 6. pp September, K. Nyberg and L. Knudsen, Provable Security Against a Dièerential Attack, Journal of Cryptology. Vol. 8. no K. Aoki, Eècient Evaluation of Security against Generalized Interpolation Attack, Sixth Annual Workshop on Selected Areas in cryptography SAC'99. Workshop record. pp S.W. Golomb,Shift Register Sequences, Aegean Park Press. Laguna Hills, California R.E. Blahut, Theory and Practice of Error Control Codes, Addison-Wesley. Reading, MA H. Wu, F. Bao, R. Deng and Q. Ye Cryptanalysis of Rijmen-Preneel Trapdoor Ciphers, LNCS 54, Asiacrypt'98. pp G. Gong and A.M. Youssef, Lagrange Interpolation Formula and Discrete Fourier Transform, Technical Report. Center for Applied Cryptographic Research. University ofwaterloo. 999.

Affine equivalence in the AES round function

Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,