Invariant Hopping Attacks on Block Ciphers

Transcription

1 Invariant Hopping Attacks on Block Ciphers attack 3 attack 4 strong Bool + high degree invariant + high success proba attack 1 2x linear attack 2 1x linear Nicolas T. Courtois University College London, UK

2 Roadmap Part 1: Cold War / History Block Ciphers Part 2: New Attacks: Constructive Cryptanalysis with Polynomial Invariants + Annihilators + inside Boolean ring B n 2

3 Algebraic Attacks on Block Ciphers Nicolas T. Courtois Question 1: Why 0% of symmetric encryption used in practice are provably secure? 3

4 A New Frontier in Symmetric Cryptanalysis MQ Problem Dense MQ is VERY hard. Best attacks n top of the top hard problem. for both standard and PQ crypto mqchallenge.org FXL/Joux 2017/372 => Allows to build a provably secure stream cipher based on MQ directly! C. Berbain, H. Gilbert, and J. Patarin: QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005 => provably secure encryption exists! 4

5 Algebraic Attacks on Block Ciphers Nicolas T. Courtois Question 2: Why researchers have found so few attacks on block ciphers? mystified by complexity 5

6 Algebraic Attacks on Block Ciphers Nicolas T. Courtois Claim: Finding new attacks on block ciphers is EASY and FUN 6

7 Dr. Nicolas T. Courtois blog.bettercrypto.com 1. cryptanalysis 7

8 Dr. Nicolas T. Courtois blog.bettercrypto.com 1. cryptanalysis 2. industrial crypto 8

9 Code Breakers - LinkedIn 9

10 Code Breakers 3. Crypto History 10 Nicolas T. Courtois

11 Roadmap Towards Modern Crypto 11

12 s NATO Cipher competition UK US France Germany Requirements: tapeless and rotorless => semi-conductor electronic, high EM/SCA security!

13 Backdoors French Submission [2004] large period, non-linearity / removing the correlations (p.108) certainement la meilleure machine cryptographique de son époque "?????????????????????????????????????????????????????????? 13 Nicolas T. Courtois

14 Code Breakers Compromise of Old Crypto USS Pueblo / North Korea Jan

15 Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists [Source: Cryptologia, interviews by David Kahn with gen. Andreev=first head of FAPSI=Russian NSA] Example: In 1967 GRU (Soviet Intelligence) was intercepting cryptograms from 115 countries, using 152 cryptosystems, and among these they broke 11 codes and obtained 7 other codes. 15

16 US/NATO crypto broken Russia broke the NATO KW-7 cipher machine: Walker spy ring, rotors+keys, paid more than 1M USD (source: NSA) greatest exploit in KGB history allowed Soviets to read millions of US messages [1989, Washington Post] 16

17 1970s Modern block ciphers are born. In which country?? 17

18 1970s Modern block ciphers are born. In which country?? Who knows Eastern Bloc also worked on these questions and for a long time. 18

19 1927 The inventor of the ANF = Algebraic Normal Form en.wikipedia.org/wiki/zhegalkin_polynomial Russian mathematician and logician Ива н Ива нович Жега лкин [Moscow State University] best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2 B n, +,* 19

20 Backdoors Our Sources T-310 spec 20 Nicolas T. Courtois

21 Backdoors Our Sources ZCO = Zentrales Chiffrierorgan der DDR BStU = Stasi Records Agency 21 Nicolas T. Courtois

22 T-310 East German T-310 Block Cipher 240 bits quasi-absolute security [ ] has a physical RNG=>IV 22 Nicolas T. Courtois long-term secret 90 bits only!

23 References Nicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi, Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf, 132 pages, 2017 Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310, in Cryptologia, vol 42, iss. 4, pp , May Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh: Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018, Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, In Cryptologia, vol. 42, Iss. 6, 2018, pp

24 Cipher Class Alpha 1970s Who invented Alpha? [full document not avail.] 24

25 T-310 [ ] 4 branches 25

26 IBM USA 1970s IBM have agreed with the NSA that the design criteria of DES should not be made public. NSA have generated DES S-boxes. source: Coppersmith, invited summer

27 Security of DES (overview) Official History of Cryptanalysis DC was in 1970s Davies-Murphy attack [1982=classified, published in 1995] = early LC Shamir Paper [1985] early LC Differential Cryptanalysis : Biham-Shamir [1991] Linear Cryptanalysis: Gilbert and Matsui [ ] 27

28 One form of DC was known in 1973! 28

29 LC at ZCO ! 29

30 Discrete Differentials and HO DC 1976! Higher Order: 30

31 Computing HO Differentials for All Orders... fast points! 31

32 Backdoors Contracting Feistel [1970s Eastern Germany!] 1 round of T-310 φ 32 Nicolas T. Courtois

33 Roadmap Backdoors 33

34 Roadmap Backdoors vs. Normal Cryptanalysis All our attacks work with relatively large probability. so if you are not lucky a cipher which was NOT backdoored will also be broken! 34

35 Better Card-only Attacks on Mifare Classic Any Backdoors? Claim: Non-bijective φ ALL broken! See: 1. Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310 [Cryptologia v.42 iss ] 35 Nicolas T. Courtois,

36 Backdoors How to Backdoor T-310 [yes we can] omit just 1 out of 40 conditions: ciphertext-only bad long-term key 36

37 Backdoors LC Method to Backdoor T-310 [2017] 1,3,5 => 1,3,5 P=1 bad long-term key 703 P=7,14,33,23,18,36,5,2,9, 16,30,12,32,26,21,1,13,25, 20,8,24,15,22,29,10,28,6 D=0,4,24,12,16,32,28,36,20 37

38 Generalised Linear Cryptanalysis = GLC = [Harpes, Kramer and Massey, Eurocrypt 95] 38

39 Generalised Linear Cryptanalysis = GLC = [Harpes, Kramer and Massey, Eurocrypt 95] Concept of non-linear I/O sums. F(inputs) = G(outputs) with some probability 39

40 Connecting Non-Linear Approxs. Black-Box Approach Non-linear functions F G H I. F(x 1, ) G(x 1, ) H(y 1, ) I(z 1, ) 40

41 GLC and Feistel Ciphers? [Knudsen and Robshaw, EuroCrypt 96 one-round approximations that are non-linear [ ] cannot be joined together At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes! 41

42 BLC better than LC for DES Better than the best existing linear attack of Matsui for 3, 7, 11, 15, rounds. Ex: LC 11 rounds: BLC 11 rounds: 42

43 Wrong Approach [!!!!] Black-Box Combination Approach constructive BUT limited possibilities F(x 1, ) G(x 1, ) H(y 1, ) I(z 1, ) 43

44 White Box Approach New! [Courtois 2018] Study of non-linear I/O sums. P(inputs) = P(outputs) 44

45 New White Box Approach Study of non-linear I/O sums.. P(inputs) = P(outputs) with probability 1. Formal equality of 2 polynomials. BIG PROBLEM: 2 2^n possible attacks 45

46 Variable Boolean Function We denote by Z our Boolean function We consider a space of ciphers where Z is variable. Question: given a fixed polynomial P what is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds). 46

47 Invariant Hopping attack 3 attack 4 strong Bool + high degree invariant + high success proba attack 1 2x linear 47 attack 2 1x linear

48 Group Theory Is DES A Group? Study of group generated by φ K for any key K. Typically AGL not GL. Any smaller sub-groups? 48 Nicolas T. Courtois, January 2009

49 Group Theory Is DES A Group? Study of group generated by φ K for any key K. Typically AGL not GL. Any smaller sub-groups? This question was also Bloc 49 Nicolas T. Courtois, January 2009

50 Group Theory Is DES A Group? Study of group generated by φ K for any key K. Typically AGL not GL. Any smaller sub-groups? This question was also Bloc 50 Nicolas T. Courtois, January 2009

51 Hopping in Group Lattices attack 1 three invariants linear Boolean function 51 AGL

52 Hopping in Group Lattices attack 1 three invariants linear Boolean function attack 2 two invariants bad Boolean function 52 AGL

53 Hopping in Group Lattices attack 1 three invariants linear Boolean function attack 2 two invariants bad Boolean function attack 36 one high degree invariant strong Boolean function 53 AGL

54 Hopping in Group Lattices attack 1 three invariants linear Boolean function attack 2 two invariants bad Boolean function attack 36 one complex high degree invariant strong Boolean function 54 Nicolas T. Courtois, January 2009 AGL

55 Hopping Discovery Method Making the impossible possible. How? Learn from examples. old => new attack transform a linear attack on a weak cipher with a linear Boolean function into non-linear attack on a cipher with a strong Boolean function. 55

56 Hopping Discovery We navigate inside a product lattice =def= set of pairs (set of invariants, cipher spec) = -all possible invariant attacks -all possible ciphers [we modify the spec of the cipher] Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher. 56

57 Linear Attack Example 57

58 Exact Thm. [eprint/2017/440] 58

59 Hopping Step 1 First we look at an attack where the Boolean function is linear and we have trivial LINEAR invariants (same as Matsui s LC) Example: 59

60 Backdoors A Vulnerable Setup 1 round of T-310 φ 60 Nicolas T. Courtois

61 Hopping Step2 Now could you please tell us if is an invariant? 61

62 Hopping Step2 Now could you please tell us if is an invariant? The answer is remarkably simple. 62

63 Hopping Step2 Theorem: is an invariant IF AND ONLY IF a certain polynomial = FE = 63 is zero (as a polynomial, multiple cancellations)

64 Hopping Step2 Theorem: is an invariant IF AND ONLY IF 64 is zero (as a polynomial, multiple cancellations)

65 Hopping Step2 Theorem: is an invariant IF AND ONLY IF subs by ANF simplifies to: 65 is zero (as a polynomial, multiple cancellations)

66 Hopping Step2 Theorem: is an invariant IF AND ONLY IF 66 is zero (as a polynomial, multiple cancellations)

67 What is Special About P 2-factoring decomposition = AC+BD. is invariant IF AND ONLY IF some solutions are: 67

68 Invariant P of Degree 4? = ABCD. is a 1-round invariant IF AND ONLY IF 68

69 Invariant P of Degree 4? = ABCD. is a 1-round invariant IF AND ONLY IF 69 a multiple of the previous polynomial!

70 Corollary: Easy Thm. [not included in the paper]. For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2) then also ABCD is an invariant (degree 4). Note: there is no invariant of degree 3 etc 70

71 Selective Removal Q : Can we now have ABCD to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3???? 71

72 Selective Removal Q : Can we now have ABCD to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3???? Answer: easy: a root of second polynomial and NOT a root of the first [almost always]. mc=yc mbcd=ybcd 72

73 Summary 1. We start with a trivial attack on a weak cipher. Benefit: a certain polynomial has a solution. 2. Then some non-linear invariants also exist = additional roots. 3. Then we modify the cipher [manipulation of roots of our FE] and the invariant so that simple invariants are removed. 4. What you get is a bit like a backdoor! Potentially hard to detect. 73

74 Conclusion We modify the cipher and the invariant so that simple invariants disappear. Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242] 74

75 Remark: Irreducible Polynomials For a long time we searched for invariant attacks where P is an irreducible polynomial. We were wrong! 75

76 Product Question Trivial NL invariants based on cycles in LC. A B C D A Then ABCD is a round invariant of degree 4. Stupid?? 76

77 Product Question Trivial NL invariants based on cycles in LC. A B C D A Then ABCD is a round invariant of degree 4. Stupid?? Not at all! Some of the strongest attacks ever found are like this. 77

78 Product Question 78 Trivial NL invariants based on cycles in LC. A B C D E A Then ABCDE is a round invariant of degree 5. Stupid?? Not at all! Some of the strongest attacks ever found are like this. Trivial invariants can be REMOVED!!!!

79 Hopping in Group Lattices attack 1 three invariants linear Boolean function attack 2 two invariants bad Boolean function attack 36 one complex high degree invariant strong Boolean function 79 Nicolas T. Courtois, January 2009 AGL

80 Phase Transition When P is of degree 4, the Boolean function is still inevitably degenerated [this paper]. Q: Can we backdoor or break a cipher with a random Boolean function? 80

81 Phase Transition When P is of degree 4, the Boolean function is still inevitably degenerated [this paper]. Q: Can we backdoor or break a cipher with a random Boolean function? YES, see [eprint/2018/1242] Degree 8 attack, P =ABCDEFGH. extremely strong: 15% success rate over the choice of a random Boolean function. 81

82 Other Ciphers? DES 82

83 Bonus: New No-Trivial Attacks an irregular sporadic attack with P of degree 7 83

84 New White Box Method 84 [Courtois 2018] Same concept of a non-linear I/O sums. Focus on perfect invariants mostly. P(inputs) = P(outputs) with probability 1. Formal equality of 2 polynomials. Exploits the structure of the ring B n. annihilation events absorption events would be unthinkable if we had unique factorisation ABCD=A B C D

85 *Lack Of Unique Factorization sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8) sage: mu=(b+c)*(g+h)*(b+h)*(b+f)*(c+d) sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1)) sage: 0 sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1)) sage: 0 sage: 85

86 *Lack Of Unique Factorization sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8) sage: mu=(b+c)*(g+h)*(b+h)*(b+f)*(c+d) sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1)) sage: 0 sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1)) sage: 0 sage: 86