Numerical Solvers in Cryptanalysis

Similar documents
Algebraic Attack Against Trivium

Some thoughts on Trivium

Cube Attacks on Stream Ciphers Based on Division Property

Linear Approximations for 2-round Trivium

Key Recovery with Probabilistic Neutral Bits

Differential Fault Analysis of Trivium

On the Design of Trivium

A New Distinguisher on Grain v1 for 106 rounds

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Stream Ciphers: Cryptanalytic Techniques

Algebraic analysis of Trivium-like ciphers (Poster)

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Cryptanalysis of Achterbahn

Algebraic Immunity of S-boxes and Augmented Functions

Analysis of Modern Stream Ciphers

Lecture 12: Block ciphers

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack

Weaknesses in the HAS-V Compression Function

Algebraic Aspects of Symmetric-key Cryptography

Some Randomness Experiments on TRIVIUM

Analysis of Trivium Using Compressed Right Hand Side Equations

Some Randomness Experiments on TRIVIUM

Deterministic Cube Attacks:

Security Evaluation of Stream Cipher Enocoro-128v2

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Lecture 10-11: General attacks on LFSR based stream ciphers

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

Trivium A Stream Cipher Construction Inspired by Block Cipher Design Principles

Algebraic Attacks and Stream Ciphers

Trivium A Stream Cipher Construction Inspired by Block Cipher Design Principles

On the Security of NOEKEON against Side Channel Cube Attacks

4.3 General attacks on LFSR based stream ciphers

Distinguishing Attack on Common Scrambling Algorithm

On The Nonlinearity of Maximum-length NFSR Feedbacks

Algebraic attack on stream ciphers Master s Thesis

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Optimized Interpolation Attacks on LowMC

Collision Attack on Boole

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Dynamic Cube Attack on 105 round Grain v1

Fault Analysis of the KATAN Family of Block Ciphers

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Correlated Keystreams in Moustique

Attacking AES via SAT

Cube Analysis of KATAN Family of Block Ciphers

ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2

Cryptanalysis of Bivium using a Boolean all solution solver

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION

Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Truncated differential cryptanalysis of five rounds of Salsa20

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

ACORN: A Lightweight Authenticated Cipher (v3)

Functions on Finite Fields, Boolean Functions, and S-Boxes

On Stream Ciphers with Small State

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

Algebraic Analysis of the Simon Block Cipher Family

Algebraic Attacks on Stream Ciphers with Linear Feedback

An Improved Estimate of the Correlation of Distinguisher for Dragon

Lightweight Cryptography for RFID Systems

Comparison of cube attacks over different vector spaces

Algebraic properties of SHA-3 and notable cryptanalysis results

A (Second) Preimage Attack on the GOST Hash Function

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)

New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers

Analysis of Some Quasigroup Transformations as Boolean Functions

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

Improved Linear Cryptanalysis of SOSEMANUK

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

A new simple technique to attack filter generators and related ciphers

Sequences, DFT and Resistance against Fast Algebraic Attacks

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany

Classical Cryptography

Attack on Broadcast RC4

Block Cipher Cryptanalysis: An Overview

Differential Attack on Five Rounds of the SC2000 Block Cipher

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Fast correlation attacks on certain stream ciphers

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Algebraic Techniques in Differential Cryptanalysis

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

27 Wyner Math 2 Spring 2019

A Five-Round Algebraic Property of the Advanced Encryption Standard

Math Lecture 18 Notes

L9: Galois Fields. Reading material

Breaking the F-FCSR-H Stream Cipher in Real Time

A survey of algebraic attacks against stream ciphers

Open problems related to algebraic attacks on stream ciphers

Cryptanalysis of the Bluetooth Stream Cipher

Rebound Attack on Reduced-Round Versions of JH

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

How Fast can be Algebraic Attacks on Block Ciphers?

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

New Results in the Linear Cryptanalysis of DES

Transcription:

Numerical Solvers in Cryptanalysis M. Lamberger, T. Nad, V. Rijmen Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria Tomislav.Nad@iaik.tugraz.at 1

1 Motivation 2 Trivium (Bivium A) 3 Conversion Methods 4 Numerical Methods 2

Motivation Linear and differential cryptanalysis Successful techniques to break many existing ciphers New ciphers try to resist New techniques needed Numerical solvers Well researched Fast and efficient Working on real numbers 3

Basic Approach GF(2) equations solution GF(2) 4

Basic Approach GF(2) equations linear/ differential cryptanalysis solution GF(2) 4

Basic Approach GF(2) equations conversion R equations solution GF(2) 4

Basic Approach GF(2) equations conversion R equations numerical methods solution GF(2) solution R 4

Basic Approach GF(2) equations conversion R equations numerical methods solution GF(2) inverse conversion solution R 4

1 Motivation 2 Trivium (Bivium A) 3 Conversion Methods 4 Numerical Methods 5

Trivium and Bivium A Designed by Christophe De Cannière [1] Synchronous stream cipher estream finalist 6

Trivium and Bivium A Designed by Christophe De Cannière [1] Synchronous stream cipher estream finalist 288 bit internal state 6

Trivium and Bivium A Designed by Christophe De Cannière [1] Synchronous stream cipher estream finalist 288 bit internal state Reduced variant by Raddum [4] Bivium A 6

Trivium and Bivium A Designed by Christophe De Cannière [1] Synchronous stream cipher estream finalist 288 bit internal state Reduced variant by Raddum [4] Bivium A Attack Known plaintext attack Goal: state recovery 6

Keystream generation 7

Keystream generation: Bivium A 7

Keystream generation: Bivium A S 69 T 2 7

Keystream generation: Bivium A For i=1 to N do T 1 S 66 + S 93 T 2 S 162 + S 177 Z i T 2 T 1 T 1 + S 91 S 92 + S 171 T 2 T 2 + S 175 S 176 + S 69 (S 1, S 2,, S 93 ) (T 2, S 1, S 2,, S 92 ) (S 94, S 95,, S 177 ) (T 1, S 94, S 95,, S 176 ) end for 8

Keystream generation: Bivium A For i=1 to N do T 1 S 66 + S 93 T 2 S 162 + S 177 Z i T 2 T 1 T 1 + S 91 S 92 + S 171 T 2 T 2 + S 175 S 176 + S 69 (S 1, S 2,, S 93 ) (T 2, S 1, S 2,, S 92 ) (S 94, S 95,, S 177 ) (T 1, S 94, S 95,, S 176 ) end for 8

Keystream generation: Bivium A For i=1 to N do T 1 S 66 + S 93 T 2 S 162 + S 177 S 178 S 179 Z i T 2 T 1 T 1 + S 91 S 92 + S 171 T 2 T 2 + S 175 S 176 + S 69 (S 1, S 2,, S 93 ) (T 2, S 1, S 2,, S 92 ) (S 94, S 95,, S 177 ) (T 1, S 94, S 95,, S 176 ) end for 8

System of Equations First round S 162 + S 177 + Z 1 = 0 S 162 + S 177 + S 175 S 176 + S 69 + S 178 = 0 S 66 + S 93 + S 91 S 92 + S 171 + S 179 = 0 177 keystream bits Z i needed for a fully determined system 327 equations and variables 177 linear equations 150 nonlinear equations 9

1 Motivation 2 Trivium (Bivium A) 3 Conversion Methods 4 Numerical Methods 10

Conversion: Requirements Convert from a normal form Algebraic Normal Form A solution for the Boolean system should be a solution for the real system A solution for the real system should be a solution for the Boolean system Low degrees Simple as possible 11

Conversion Methods Standard Conversion GF(2) = {0, 1} {0, 1} R X 1 X 2 = x 1 x 2 X 1 + X 2 = x 1 + x 2 2 x 1 x 2 Multiplication in GF(2) becomes mult. in R Increasing amount of monomials Increasing degree Multilinearity 12

Conversion Methods (cont d) Fourier Conversion GF(2) = {0, 1} {1, 1} R X 1 X 2 = 1 2 (1 + x 1 + x 2 x 1 x 2 ) X 1 + X 2 = x 1 x 2 Addition in GF(2) becomes mult. in R Variables can cancel out (x 2 = 1) Increasing amount of monomials Increasing degree 13

Adapted Standard Conversion (ASC) S 162 + S 177 + Z 1 = 0 Type I S 162 + S 177 + S 175 S 176 + S 69 + S 178 = 0 Type II S 66 + S 93 + S 91 S 92 + S 171 + S 179 = 0 Type II Convert each type of equation separately Do not change the structure of the equations Keep the degree low Evaluate over GF(2) and over the reals Introduce new variables for each possible real value 14

ASC (cont d) 15

ASC (cont d) 15

ASC (cont d) 777 equations and variables Fewer monomials More equations and variables Maximum degree is 3 New type of equations are linear 15

Other Conversion Tricks Convert each side separately S 66 + S 93 + S 171 + S 179 = S 91 S 92 16

Other Conversion Tricks Convert each side separately S 66 + S 93 + S 171 + S 179 = S 91 S 92 Split equations and Standard Conversion S 91 S 92 = R 1 S 66 + S 93 = R 1 + R 2 S 171 + S 179 = R 2 16

Other Conversion Tricks Convert each side separately S 66 + S 93 + S 171 + S 179 = S 91 S 92 Split equations and Standard Conversion S 91 S 92 = R 1 S 66 + S 93 = R 1 + R 2 S 171 + S 179 = R 2 s 91 s 92 r 1 = 0 s 66 + s 93 s 66 s 93 r 1 r 2 + 2r 1 r 2 = 0 s 171 + s 179 2s 171 s 179 r 2 = 0 16

Conversion Methods: Comparison S 66 + S 93 + S 171 + S 179 + S 91 S 92 = 0 Standard Conversion 17

Conversion Methods: Comparison S 66 + S 93 + S 171 + S 179 + S 91 S 92 = 0 Fourier Conversion 17

Conversion Methods: Comparison S 66 + S 93 + S 171 + S 179 + S 91 S 92 = 0 Adapted Standard Conversion 17

Conversion Methods: Comparison S 66 + S 93 + S 171 + S 179 + S 91 S 92 = 0 Splitting 17

Summary for Bivium A Standard Conversion 327 equations and variables Degree is 6 High amount of monomials with high degree Fourier Conversion 327 equations and variables Degree is 6 Less monomials No variables cancel out Adaptive Standard Conversion 777 equations and variables Degree is 3 Low amount of monomials Splitting 627 variables and equations Degree is 2 Low amount of monomials 18

1 Motivation 2 Trivium (Bivium A) 3 Conversion Methods 4 Numerical Methods 19

Converted System: Facts Large systems of polynomials Highly nonlinear, degrees between 2 and 6 Multilinear Coefficients are 1 Sparse Fully determined Possible over-determined 20

Converted System: Facts Large systems of polynomials Highly nonlinear, degrees between 2 and 6 Multilinear Coefficients are 1 Sparse Fully determined Possible over-determined Solution exists Solution is {0, 1} n or { 1, 1} n respectively Precomputed solution available Continuously differentiable Regular Jacobian in the solution Ill-conditioned Jacobian A lot of singular points 20

Optimization Problem min F (s) 2 2 21

Optimization Problem min F (s) 2 2 l i s i u i (i = 1,, n) Box-bounded optimization problem s, l, u R n F : R n R n Iterative algorithms Starting point needed Global and local convergence Global and local optimum 21

Interior Reflective Newton Method [2] [2] Box constrained problem Iterates are between upper and lower bounds Good global convergence Scales well with the system size 22

DIRECT Algorithm [3] Box constrained problem Global optimization, global search Good results on random systems Good results on systems with more than one global optimum [3] 23

Experiments Bivium A Standard Fourier ASC Splitting Starting point Random walk on the cube Random in (0, 1) or ( 1, 1) respectively Guessing bits (variables) 24

Results System Starting point Result Bivium A (F) a,b local optimum c (250) solution found Bivium A (S) a,b local optimum c (250) solution found Bivium A (ASC) a,b real-valued solution c (580) solution found Bivium A (Splitting) a,b local optimum c (470) solution found a Random in {0, 1} n or { 1, 1} n respectivley b Random in (0, 1) n or ( 1, 1) n respectivley c Guessing bits (variables) 25

Conclusions Hard problem Converted systems are difficult Large and highly nonlinear High influence on the system over the reals Many possibilities to model the problem over the reals Mixed Integer Linear Problem Mixed Integer Nonlinear Problem Adding constraints to the problem High amount of different solvers/algorithms/strategies Does a real-valued solution contain useful information? Does a local optimum contain useful information? 26

Thank you for your attention! 27

References [1] Christophe De Cannière. Trivium: A stream cipher construction inspired by block cipher design principles. In ISC, pages 171 186, 2006. [2] Thomas F. Coleman and Yuying Li. On the convergence of interior-reflective newton methods for nonlinear minimization subject to bounds. Math. Program., 67(2-17):189 224, 1994. [3] D. R. Jones, C. D. Perttunen, and B. E. Stuckman. Lipschitzian optimization without the lipschitz constant. J. Optim. Theory Appl., 79(1):157 181, 1993. [4] Havard Raddum. Cryptanalytic Result on Trivium. estream project. 2006. 28

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback