Division Property: a New Attack Against Block Ciphers

Similar documents
Another view of the division property

Some attacks against block ciphers

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Analysis of cryptographic hash functions

Structural Evaluation by Generalized Integral Property

Block Cipher Cryptanalysis: An Overview

Introduction to symmetric cryptography

Optimized Interpolation Attacks on LowMC

Block Ciphers and Feistel cipher

Towards Provable Security of Substitution-Permutation Encryption Networks

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Classical Cryptography

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Revisit and Cryptanalysis of a CAST Cipher

Lecture Notes on Cryptographic Boolean Functions

Cube Attacks on Stream Ciphers Based on Division Property

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Notes on Alekhnovich s cryptosystems

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

CIS 551 / TCOM 401 Computer and Network Security

Lecture Notes, Week 6

Lecture 12: Block ciphers

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Notes 10: Public-key cryptography

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

An Improved Affine Equivalence Algorithm for Random Permutations

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Cook-Levin Theorem. SAT is NP-complete

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Algebraic properties of SHA-3 and notable cryptanalysis results

MATH3302 Cryptography Problem Set 2

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Module 2 Advanced Symmetric Ciphers

Structural Cryptanalysis of SASAS

Public Key Encryption

Higher-order differential properties of Keccak and Luffa

Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations

Solution to Midterm Examination

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

Zero-Sum Partitions of PHOTON Permutations

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Differential-Linear Cryptanalysis of Serpent

CPSC 467b: Cryptography and Computer Security

Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

CPSC 467b: Cryptography and Computer Security

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Akelarre. Akelarre 1

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Extended Criterion for Absence of Fixed Points

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Introduction to Cybersecurity Cryptography (Part 4)

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Higher-order differential properties of Keccak and Luffa

Linear Cryptanalysis of Reduced-Round PRESENT

hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Provable Security Against Differential and Linear Cryptanalysis

Introduction to Cybersecurity Cryptography (Part 4)

Related-Key Statistical Cryptanalysis

A Weak Cipher that Generates the Symmetric Group

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Higher-order differential properties of Keccak and Luffa

BLOCK CIPHERS KEY-RECOVERY SECURITY

Differential properties of power functions

AES side channel attacks protection using random isomorphisms

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Public Key Cryptography

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Ing. Amilcare Francesco Santamaria, Ph.D. DIMES Dpt. University of Calabria

Public Key Cryptography

Lecture 1: Introduction to Public key cryptography

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Decomposing Bent Functions

FFT-Based Key Recovery for the Integral Attack

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Cryptography and Security Midterm Exam

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

ECS 189A Final Cryptography Spring 2011

Statistical and Algebraic Properties of DES

Number theory (Chapter 4)

Transcription:

Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50

Symmetric-key encryption Alice and Bob exchange the secret key through a secure channel. Encryption Decryption 2 / 50

Symmetric-key encryption Alice and Bob exchange the secret key through a secure channel. Encryption Decryption Key-exchange problem birth of the public-key cryptography. 2 / 50

Public-key encryption Encryption %gti2z* Decryption 3 / 50

Advantages and disadvantages of each system Advantages Disadvantages Secret-key Public-key Fast systems Relatively short-keys No key-exchange needed n users: 2n keys Need secure key-exchange n users: n 2 keys Slow systems Relatively long-keys 4 / 50

Hybrid encryption Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of every system. Encryption Decryption Encryption Decryption 5 / 50

Hybrid encryption Use a public-key cryptosystem to exchange a key (session key). Use the exchanged key to encrypt data by using a symmetric-key cryptosystem. Advantages: Slow public-cryptosystem is used to encrypt a short string only. Fast symmetric-key cryptosystem is used to encrypt the longer communication session. Used for example in the SSL protocol. 6 / 50

Block ciphers Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 7 / 50

Block ciphers Block ciphers Encrypt a block of message m into a block of ciphertext c under the action of the key k. ENC : {0,1} n {0,1} κ {0,1} n (m,k) ENC(m,k) = c k m ENC c Given k, it must be easy to compute c from m. Given m,c it must be hard to compute k such that ENC(m,k) = c. 8 / 50

Block ciphers Two important parameters: block size, n key size, κ A block cipher generates a family of permutations indexed by a key k. (2 n )! permutations subset 2 κ Ideal design: 2 κ permutations chosen uniformly at random from all 2 n! 2 (n 1)2n permutations. 9 / 50

Block ciphers Iterated block ciphers Idea: Iterate a round function f several times. The function f r is waited to be strong for large r. Advantages: Compact implementation. Easier analysis. master key k Key schedule k 1 k 2 k r m f f f c Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys. 10 / 50

Block ciphers How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 11 / 50

Block ciphers How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 11 / 50

Block ciphers Substitution Permutation Network (SPN) m k1 Substitution Permutation k2 Substitution Permutation k3 Substitution Permutation k4 Substitution Permutation k5 c 12 / 50

Block ciphers Substitution Permutation Network (SPN) m k1 S S S S k2 S S S S k3 S S S S k4 S S S S k5 c 12 / 50

Block ciphers Cryptanalysis of block ciphers Problem: Design block ciphers that are fast and secure at the same time. In symmetric key cryptography, security proofs are partial and insufficient. Only mean of proving that a design is secure: cryptanalysis. An algorithm is secure as long there is no attack against it. The more an algorithm is analysed without being broken, the more reliable it is. 13 / 50

Block ciphers What does "broken" mean? No attack faster than exhaustive search should exist. If a block cipher encrypts messages with a k-bit key, no attack with time complexity less than 2 k should be known. Otherwise, the cipher is considered as broken (even if the complexity of the attack is not practical). 14 / 50

Division property Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 15 / 50

Division property A new property for block ciphers In Eurocrypt 2015, Yosuke Todo introduces a new property, called the division property. Combination (in some sense) of higher-order differential and saturation attacks. Construction of more powerful generic distinguishers for both SPN and Feistel constructions. Use of this new property for breaking full MISTY-1 (best paper award at CRYPTO 2015). 16 / 50

Division property Notation If x,u F n 2, we denote x u = n i=1 x u i i Example: (n = 4) x = (x 1,x 2,x 3,x 4 ) = (1,1,0,1), u = (u 1,u 2,u 3,u 4 ) = (1,0,1,0) x u = x 1 u 1 x 2 u 2 x 3 u 3 x 4 u 4 = 1 1 1 0 0 1 1 0 = 0. 17 / 50

Division property Division property Let X be a multiset of elements in F n 2. For 0 k n, we say that X has the division property Dk n if x u = 0, x X for all u F n 2 such that wt(u) < k. 18 / 50

Division property Division property - Example X = {0x0,0x3,0x3,0x3,0x5,0x6,0x8,0xB,0xD,0xE}. Compute x Xx u for all u F 4 2. x u = 1, x X for u = 1011, u = 1101 and u = 1110. So, x Xx u = 0 for all u with wt(u) < 3. X has the division property D 4 3. 19 / 50

Division property Using the division property in practice Prepare a set of plaintexts and evaluate its division property. Propagate the input texts and evaluate the division property of the output set after one round. Use rules to propagate the property through the different cipher components (Sboxes, XOR, etc..) Repeat the procedure and compute the division property of the set of texts after several rounds. If after several rounds some exploitable information is found, then we get a distinguisher. 20 / 50

Division property Distinguisher and key recovery attack Distinguisher: A property that permits to distinguish the target block cipher from an ideal permutation. Division property: E K (y) has the division property Dk n y Y for k 1. Key recovery: Exploit this property to recover the key by targeting first the subkey of the last round. 21 / 50

Propagation through an Sbox Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 22 / 50

Propagation through an Sbox What is an Sbox? Main component for providing non-linearity. Can be seen as a vectorial Boolean function S : F n 2 Fm 2 (usually m = n). Algebraic Normal Form (ANF) of an Sbox y 0 = x 0 x 2 +x 1 +x 2 +x 3 y 1 = x 0 x 1 x 2 +x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 0 x 3 +x 2 x 3 +x 0 +x 2 y 2 = x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 0 +x 1 +x 3 y 3 = x 0 x 1 x 2 +x 1 x 3 +x 0 +x 1 +x 2 +1. 23 / 50

Propagation through an Sbox Algebraic degree of an Sbox (y 0,y 1,y 2,y 3 ) = S(x 0,x 1,x 2,x 3 ) y 0 = x 0 x 2 +x 1 +x 2 +x 3 y 1 = x 0 x 1 x 2 +x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 0 x 3 +x 2 x 3 +x 0 +x 2 y 2 = x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 0 +x 1 +x 3 y 3 = x 0 x 1 x 2 +x 1 x 3 +x 0 +x 1 +x 2 +1. The algebraic degree of S is 3. 24 / 50

Propagation through an Sbox Propagation of the division property through an Sbox Let S be a permutation of F n 2 of algebraic degree d. Let X be a multiset having the division property D n k. Question: What is the division property of Y = S(X)? If k = n, then Y has the division property D n n. Proposition (Todo): Y has the division property D n k d. 25 / 50

Propagation through an Sbox Example - MISTY S 7 MISTY s Sbox S 7 is a 7-bit Sbox of degree 3. The input set X has the property D 7 k. The output set Y has the property D 7 k, with k = k 3. k 0 1 2 3 4 5 6 7 k 0 1 1 1 2 2 2 7 26 / 50

Propagation through an Sbox Proof Sketch Let the input set X have the division property Dk n. Then, x u = 0, for all u F n 2 with wt(u) < k. x X Goal: Evaluate for which v F n 2, x XS(x) v vanishes. If deg(s v ) < k then x XS(x) v = 0. If deg(s v ) k, x XS(x) v is undetermined. Obviously, deg(s v ) wt(v) d, so the sum becomes unknown if wt(v) d k. 27 / 50

Propagation through an Sbox An improvement idea In the previous proof, the degree was bounded by deg(s v ) wt(v) d This bound is not tight! 28 / 50

Propagation through an Sbox The inverse permutation influences the degree Let S be a permutation on F n 2. Denote by δ k (S) the max. degree of the product of k coordinates of S. Theorem [B. Canteaut 2013]. For any k and l, δ l (S) < n k if and only if δ k (S 1 ) < n l. 29 / 50

Propagation through an Sbox Getting a tighter result Use the previous theorem to better estimate deg(s v ): deg(s v ) δ wt(v) (S). Then, δ wt(v) (S) < k iff δ n k (S 1 ) < n wt(v). By re-writing the second inequality we get δ wt(v) (S) < k iff wt(v) < n δ n k (S 1 ). The quantity x X (Sv )(x) becomes unknown when wt(v) n δ n k (S 1 ). So Y has the division property Dn δ n n k (S 1 ). 30 / 50

Propagation through an Sbox Example - Back to MISTY S 7 MISTY s inverse Sbox S 1 7 is a 7-bit Sbox of degree 3. k 1 2 3 4 5 6 7 δ k (S 1 7 ) 3 5 5 6 6 6 7 The input set X has the property Dk 7. The output set Y has the property Dk 7, with k = k 3 (Todo s estimation) k = 7 δ 7 k (S7 1 ) (our estimation) k 0 1 2 3 4 5 6 7 k (Todo s) 0 1 1 1 2 2 2 7 k (our) 0 1 1 1 2 2 4 7 For k = 6: k = 7 δ 7 6 (S 1 7 ) = 7 3 = 4 31 / 50

Extending the division property Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 32 / 50

Extending the division property Reduced set of a multiset Let X be a multiset of elements in F n 2. The corresponding reduced set X is the set composed of all elements in X having an odd multiplicity. Example: If X = {0x0,0x3,0x3,0x3,0x5,0x7,0x7,0xB,0xC} then X = {0x0,0x3,0x5,0xB,0xC}. A multiset X fulfills D n k if and only if X fulfills D n k. 33 / 50

Extending the division property Parity set of a multiset Let X be a multiset of elements in F n 2. The set U(X) is the subset of Fn 2 defined by U(X) = {u F n 2 : x Xx u = 1}, is called the parity set of X. Obviously U(X) = U( X). The parity set provides a complete characterization of the reduced set of a multiset. 34 / 50

Extending the division property Incidence vector of U(X) Lemma. Let G be the 2 n 2 n binary matrix whose entries are indexed by n-bit vectors and defined by G u,a = a u, a,u F n 2. For any subset X of F n 2, the incidence vector of U(X) is equal to the product of G by the incidence vector of X. 35 / 50

Extending the division property An example (n = 3) G = 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 0 3 1 3 2 3 3 3 4 3 5 3 6 3 7 3 0 4 1 4 2 4 3 4 4 4 5 4 6 4 7 4 0 5 1 5 2 5 3 5 4 5 5 5 6 5 7 5 0 6 1 6 2 6 3 6 4 6 5 6 6 6 7 6 0 7 1 7 2 7 3 7 4 7 5 7 6 7 7 7 36 / 50

Extending the division property An example (n = 3) G = 1 1 1 1 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 1 0 0 1 1 0 0 0 1 0 0 0 1 0 0 0 0 1 1 1 1 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 1 36 / 50

Extending the division property An example (n = 3) X = {1,3,4} U(X) = 1 1 1 1 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 1 0 0 1 1 0 0 0 1 0 0 0 1 0 0 0 0 1 1 1 1 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 1 0 1 0 1 1 0 0 0 = 1 0 1 1 1 0 0 0 U(X) = {0,2,3,4}. 37 / 50

Extending the division property Reed-Muller codes F m 2 = {z 0,...,z 2 m 1}. Let f : F m 2 F 2. We define c f = (f(z 0 ),...,f(z 2 m 1)). The Reed-Muller code RM(d,m) of order d and length 2 m is defined as RM(d,m) := {c f : deg(f) d}. 38 / 50

Extending the division property Correspondance of X and U(X) Corollary. For any subset U of F n 2, there exists a unique setx Fn 2 such that U(X) = U. Proof. The matrix G is a generator matrix of the Reed-Muller code of length 2 n and order n. Dimension of the code : 2 n G is invertible. The mapping matching the incidence vector of a set X, v X to the incidence vector of U(X) is an isomorphism of the set of 2 n vectors. 39 / 50

Extending the division property Parity set and the division property Let E k be a keyed permutation. The division property is a distinguishing property of the multiset E k (X) for a given choice of the input multiset X. We can now reformulate the division property Dk n of E k(x) by a simple property of U(E k (X)). Indeed, Dk n characterizes a multiset X by a lower bound on the weight of all elements in U(X). 40 / 50

Extending the division property Proposition. Let X be a multiset of elements in F n 2 and k be an integer 0 k n. Then,the following assertions are equivalent: (i) X fulfills the division property D n k. (ii) U(X) {u F n 2 : wt(u) k}. (iii) The incidence vector of the corresponding reduced set X belongs to the Reed-Muller code of length 2 n and order (n k). 41 / 50

Understanding Dk n for some specific values of k Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 42 / 50

Understanding Dk n for some specific values of k Some specific values of k Question: What can be said about a multiset X that verifies a property Dk n, for some value of k? The cases D1 n, Dn 2, Dn n, have been characterized. [Todo 2015], [Sun et al. 2015] The cases Dk n, for k {1,2,n} had not been exploited before. We provide some insight on these cases here by using the above introduced new vision and some well known properties of Reed-Muller codes. 43 / 50

Understanding Dk n for some specific values of k The property D n 1 Let X be a multiset of elements in F n 2. X fulfills D n 1 if and only if its cardinality is even. Indeed, X has the property D1 n: For u = (0,...,0) : x X xu = 0 x 0 1...x 0 n = = #X mod 2 = 0 x X x X1 The inverse can be easily deduced. 44 / 50

Understanding Dk n for some specific values of k The property D n 2 Let X be a multiset of elements in F n 2. X fulfills D n 2 if and only if its cardinality is even and it has the Balance property. Balance property: For any i, 1 i n x Xx i = 0. Indeed, if X has the property D n 2 : x X x0 1...x0 n = 0 X has even cardinality. For all u with wt(u) = 1: x X xu = x X x0 1...x0 i 1 x1 i...x0 n = x X x i = 0 X has the Balance property. The inverse is proven easily. 45 / 50

Understanding Dk n for some specific values of k The property D n n Let X be a multiset of elements in F n 2. X fulfills D n n if and only if its reduced set X is either empty or equal to F n 2. Let v be the incidence vector of X. Proof. X satisfies Dn n iff v R(0,n). Thus, either v is the all-zero vector, i.e., X is empty or v is the all-one vector i.e. X = F n 2. 46 / 50

Understanding Dk n for some specific values of k The property D n n 1 Let X be a multiset of elements in F n 2. Proposition. X satisfies D n n 1 if and only if X is an (affine) subspace of dimension (n 1). Proof. X satisfies Dn 1 n iff v R(1,n). R(1,n) consists of the incidence vectors of all (affine) hyperplanes of F 2. Then, this equivalently means that X is an (affine) hyperplane. 47 / 50

Understanding Dk n for some specific values of k Example [Todo, Eurocrypt 2015] For the multiset of elements of F 4 2 X = {0x0,0x3,0x3,0x3,0x5,0x6,0x8,0xB,0xD,0xE}, the corresponding reduced set X = {0x0,0x3,0x5,0x6,0x8,0xB,0xD,0xE} is a linear subspace of dimension 3 spanned by {0x3,0x5,0x8}. So, it can be directly deduced (without computation) that X has the property D3 4. 48 / 50

Understanding Dk n for some specific values of k The property D n k Proposition. Let X be a multiset of elements in F n 2 satisfying Dn k such that X is not empty. Then X 2 k, and equality holds iff X is an affine subspace of dimension k. Proof. X satisfies D n k iff v X belongs to R(n k,n). The minimum distance of R(n k,n) is 2 k and that the minimum-weight codewords in this code are the incidence vectors of the affine subspaces of dimension k. 49 / 50

Understanding Dk n for some specific values of k Conclusion We have reformulated the division property to captivate more information. Complete characterisation of the property Dk n for different values of k. More powerful distinguishers for a high number of block ciphers. Work in progress... 50 / 50

Understanding Dk n for some specific values of k Conclusion We have reformulated the division property to captivate more information. Complete characterisation of the property Dk n for different values of k. More powerful distinguishers for a high number of block ciphers. Work in progress... Thanks for your attention! 50 / 50

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback