Cube Attacks on Stream Ciphers Based on Division Property

Similar documents
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Optimized Interpolation Attacks on LowMC

Deterministic Cube Attacks:

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Numerical Solvers in Cryptanalysis

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Some Randomness Experiments on TRIVIUM

On the Security of NOEKEON against Side Channel Cube Attacks

Revisit and Cryptanalysis of a CAST Cipher

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

Cube attack in finite fields of higher order

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Key Recovery with Probabilistic Neutral Bits

Lecture 12: Block ciphers

Some Randomness Experiments on TRIVIUM

Division Property: a New Attack Against Block Ciphers

On the Design of Trivium

Algebraic properties of SHA-3 and notable cryptanalysis results

ACORN: A Lightweight Authenticated Cipher (v3)

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

A New Distinguisher on Grain v1 for 106 rounds

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Differential Fault Analysis of Trivium

Cryptanalysis of the Stream Cipher DECIM

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Cube Analysis of KATAN Family of Block Ciphers

Comparison of cube attacks over different vector spaces

Fault Analysis of the KATAN Family of Block Ciphers

Analysis of cryptographic hash functions

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)

New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers

Security Evaluation of Stream Cipher Enocoro-128v2

Linear Cryptanalysis of Reduced-Round Speck

Algebraic Attack Against Trivium

Linear Approximations for 2-round Trivium

Algebraic analysis of Trivium-like ciphers (Poster)

Higher-order differential properties of Keccak and Luffa

Algebraic Techniques in Differential Cryptanalysis

Complementing Feistel Ciphers

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

Stream Ciphers: Cryptanalytic Techniques

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Cryptanalysis of SP Networks with Partial Non-Linear Layers

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Subspace Trail Cryptanalysis and its Applications to AES

Higher-order differential properties of Keccak and Luffa

Lightweight Cryptography for RFID Systems

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Zero-Sum Partitions of PHOTON Permutations

Dynamic Cube Attack on 105 round Grain v1

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

Some attacks against block ciphers

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Lecture 4: DES and block ciphers

Another view of the division property

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Some thoughts on Trivium

Algebraic Immunity of S-boxes and Augmented Functions

Algebraic Aspects of Symmetric-key Cryptography

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Block Cipher Cryptanalysis: An Overview

Attack on Broadcast RC4

FFT-Based Key Recovery for the Integral Attack

Solution of Exercise Sheet 7

On Stream Ciphers with Small State

Automatic Search for A Variant of Division Property Using Three Subsets (Full Version)

On the Influence of Message Length in PMAC s Security Bounds

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2

Cryptanalysis of block EnRUPT

Structural Evaluation by Generalized Integral Property

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

STREAM CIPHER. Chapter - 3

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

Some New Weaknesses in the RC4 Stream Cipher

Block Cipher Invariants as Eigenvectors of Correlation Matrices

Two Generic Methods of Analyzing Stream Ciphers

Extended Criterion for Absence of Fixed Points

A Five-Round Algebraic Property of the Advanced Encryption Standard

Higher-order differential properties of Keccak and Luffa

Correlated Keystreams in Moustique

A Weak Cipher that Generates the Symmetric Group

Cryptanalysis of the Stream Cipher ABC v2

Cryptography Lecture 4 Block ciphers, DES, breaking DES

DD2448 Foundations of Cryptography Lecture 3

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Transcription:

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23

Plan 1 Cube Attack: An Introduction 2 Cube Attacks with Division Property 3 Our Results 4 Conclusion and Future work Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 2 / 23

Motivation Symmetric key ciphers for FHE, MPC,... Trivium [Cannière-Preneel 07] LowMC [Albrecht et al. 15] Kreyvium [Canteaut et al. 16] Low Multiplicative Complexity (MC) is crucial Minimize the number of ANDs and multiplicative depth Our goal Cube attacks on low MC ciphers Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 3 / 23

Low MC stream ciphers Trivium [Cannière-Preneel 07] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 4 / 23

Low MC stream ciphers Kreyvium [Canteaut et al. 16] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 5 / 23

Cube attacks [Dinur-Shamir 09] Extension of Higher Order Differential Attack and Algebraic Attacks Chosen plaintext key recovery attack - Keyed hash functions - Stream ciphers - Block ciphers - MAC algorithms Powerful for primitives with low-degree component - Stream ciphers based on low-degree NFSR - Permutations with only a few XORs and ANDs Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 6 / 23

Cube attack in a nutshell Preprocessing: Sum over outputs of subspaces over chosen public variables Store equations between sums and secret variables Online: Evaluate sums over outputs of chosen plaintexts Recover key bits by solving equations Dinur-Shamir attack only needs blackbox access to the cipher Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 7 / 23

Main observation Cube sum of Boolean functions f (x 1, x 2, x 3, x 4 ) = x 1 + x 1 x 2 + x 3 x 4 + x 1 x 2 x 3 + x 1 x 3 x 4 = x 1 + x 1 x 2 + x 3 x 4 (1 + x 1 ) + x 1 x 2 x 3 Fix x 1, x 2, sum over all values of (x 3, x 4 ) (x 3,x 4 ) F 2 2 f (x 1, x 2, x 3, x 4 ) = 4x 1 + 4x 1 x 2 + 1 + x 1 + 2x 1 x 2 = 1 + x 1 The set {(c 1, c 2, x 3, x 4 ) F 4 2 } is a cube with dim 2 The resulting sum is the superpoly of the cube Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 8 / 23

The attack Write a cipher by f (x, v) Output Public variables v controlled by the attacker, e.g., a message or nonce Secret variables x Output: Ciphertext, keystream, or a hash bit Preprocessing Online Find cubes with simple (eg. linear) superpoly p(x) Reconstruct p(x) Collect a system of linear equations p(x) = b Recover key bits by solving the equations and exhaustive search for remaining key bits if necessary Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 9 / 23

Preprocessing phase Given cube I of size C Find cubes with simple (eg. linear) superpoly p(x) Property test of superpoly Complexity O(N 1 2 C ), N 1 is number of queries Reconstruct superpoly p(x) f (v, x) = p(x) v I Superpoly p(x) can be recovered by Moebius Transformation Complexity O(N 2 2 C ), N 2 is number of queries More information on p, smaller N 2 Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 10 / 23

Problems and Progress How to find the most efficient cube? Random walk heuristic algorithm [Dinur-Shamir 09] Cube variables with conditions [Dinur et al. 15] Conditional cube attack [Huang et al. 17] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 11 / 23

Problems and Progress Attack in blackbox model - Cannot leverage the specific structural properties Size cube exploitable is limited ( 40) - Due to large complexity of testing superpoly - Cannot predict what will happen if bigger cube chosen Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 12 / 23

Problems and Progress Attack in blackbox model - Cannot leverage the specific structural properties Size cube exploitable is limited ( 40) - Due to large complexity of testing superpoly - Cannot predict what will happen if bigger cube chosen Kill two birds with one stone: Division property Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 12 / 23

Division property [Todo 15] A method to construct higher order differential/integral distinguisher Successfully used to analyze block ciphers and hash functions Efficient evaluation by MILP [Xiang et al. 16] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 13 / 23

Cube attacks with division property Ideas of the new attack [Todo et al. 17] Analyze involved variables in the ANF of superpoly by division property + Non-Blackbox attack + Applied to nonlinear superpoly Model and solve the division propagation by MILP + Much more efficient than cube sum + Allow to search large cubes since no need to do cube sum to test the property of superpoly Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 14 / 23

What s new Apply division property to analyze stream ciphers Exploit large cubes Improve key recovery attacks on stream ciphers, e.g. Trivium Round Complexity Cube size Ref 767 2 36 30 [Dinur-Shamir 09] 799 2 62 40 [Fouque-Vannet 13] 832 2 79 72 [Todo et al. 17] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 15 / 23

Our idea Investigate higher-degree monomials in the ANF of superpoly by division property Improve the MILP model by removing redundant division trails Highlights of improved method Detect more information on superpoly Reduce complexity of superpoly recovery Attack more rounds Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 16 / 23

Trivium [Cannière-Preneel 07] 80 bit key and 80 bit IV, 288 bit state 1152 rounds in initialization phase (s 1, s 2,..., s 93 ) (K 1, K 2,..., K 80, 0,..., 0) (s 94, s 95,..., s 177 ) (IV 1, IV 2,..., IV 80, 0,..., 0) (s 178, s 279,..., s 288 ) (0,..., 0, 1, 1, 1) t 1 s 66 s 93 t 2 s 162 s 177 t 3 s 243 s 288 z t 1 t 2 t 3 t 1 t 1 s 91 s 92 s 171 t 2 t 2 s 175 s 176 s 264 t 3 t 3 s 286 s 287 s 69 (s 1, s 2,..., s 93 ) (t 3, s 1,..., s 92 ) (s 94, s 95,..., s 177 ) (t 1, s 94,..., s 176 ) (s 178, s 279,..., s 288 ) (t 2, s 178,..., s 287 ) Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 17 / 23

Results on reduced-round Trivium Improved key recovery attack on Trivium Round Complexity Cube size Ref 799 2 62 40 [Fouque-Vannet 13] 832 2 79 72 [Todo et al. 17] 833 2 75 74 new Possible to further improve attack rounds! Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 18 / 23

Kreyvium [Canteaut et al. 16] 128-bit variant of Trivium, K = IV = 128 1152 rounds initialization (K 127, K 126,..., K 0 ) (K 1, K 2,..., K 128 ) (IV 127, IV 126,..., IV 0 ) (IV 1, IV 2,..., IV 128 ) (s 1, s 2,..., s 93 ) (K 1, K 2,..., K 93 ) (s 94, s 95,..., s 177 ) (IV 1, IV 2,..., IV 84 ) (s 178, s 279,..., s 288 ) (IV 85, IV 86,..., IV 128, 1,..., 1, 0) t 1 s 66 s 93 t 2 s 162 s 177 t 3 s 243 s 288 K 0 z t 1 t 2 t 3 t 1 t 1 s 91 s 92 s 171 IV 0 t 2 t 2 s 175 s 176 s 264 t 3 t 3 s 286 s 287 s 69 (s 1, s 2,..., s 93 ) (t 3, s 1,..., s 92 ) (s 94, s 95,..., s 177 ) (t 1, s 94,..., s 176 ) (s 178, s 279,..., s 288 ) (t 2, s 178,..., s 287 ) (K 127, K 126,..., K 0 ) (K 0, K 127, K 126,..., K 1 ) (IV 127, IV 126,..., IV 0 ) (IV 0, IV 127, IV 126,..., IV 1 ) Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 19 / 23

Results on reduced-round Kreyvium Improved key recovery attack on Kreyvium Round Complexity Cube size Ref 872 2 124 85 [Todo et al. 17] 884 2 124 95 new Still no clue on the security margin Lower security margin than Trivium - see also Conditional Differential Cryptanalysis [Watanabe et al. 17] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 20 / 23

Conclusion Apply division property to analyze stream cipher Capable to search large cubes Reduce complexity of superpoly recovery Improve key recovery attack on stream ciphers Trivium and Kreyvium Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 21 / 23

Future work Find the most efficient cube for stream ciphers Optimize the complexity of key recovery phase Apply to other designs - Cube attack + structural properties Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 22 / 23

Thank you! Questions? Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 23 / 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback