Multiplicative Complexity Reductions in Cryptography and Cryptanalysis


Multiplicative Complexity Reductions in Cryptography and Cryptanalysis. Theodosis Mourouzis. Security of Symmetric Ciphers in Network Protocols, ICMS, Edinburgh, 25-29 May 2015.

Presentation Overview
- Linearity and four measures of nonlinearity: linearity, nonlinearity, algebraic degree, annihilator immunity, multiplicative complexity (MC)
- Multiplicative complexity: MC reductions, matrix multiplication (MM), automated MC reduction, optimization of circuits with respect to other metrics
- Reductions of MC in cryptanalysis: MC and algebraic attacks, MC and the one-wayness property
- References

Notation. Let x ∈ F_2^n and f: F_2^n → F_2 a Boolean function.
- B_n = {f | f: F_2^n → F_2}: the set of Boolean functions on n variables
- HW(x): Hamming weight of x
- |S|: cardinality of a set S
- d(f, g) = |{x ∈ F_2^n : f(x) ≠ g(x)}|: distance between two functions f, g ∈ B_n

Notation. The Algebraic Normal Form (ANF) of f is f(x_1, ..., x_n) = Σ_{S ⊆ {1, ..., n}} a_S Π_{i ∈ S} x_i, where a_S ∈ {0, 1} for all S and the empty product Π_{i ∈ ∅} x_i is defined to be 1.
- If a_S = 0 for all |S| > 1 we say that f is affine
- If the above holds and a_∅ = 0 we say that f is linear
- If a_S = a_{S'} whenever |S| = |S'| we say that f is symmetric
- Σ_n^k: the k-th elementary symmetric Boolean function on n variables, the sum of all monomials with |S| = k

Linearity and Four Measures of Nonlinearity. Cryptographic applications are designed with the following properties in mind:
- Efficient circuit (hardware) implementation
- Efficient software implementation
- Resistance against known forms of attack such as linear and differential cryptanalysis
[Informally] Cryptographic functions are required to be hard to invert, i.e. linear algebra must not be applicable to the problem of saying something about x given f(x); the function has to be sufficiently far from linear [BP2013]. Several measures of how nonlinear (or how linear) a Boolean function is have been proposed by the community [BP2013]. Linearity is a concrete concept, but nonlinearity is much harder to describe.

Linearity and Four Measures of Nonlinearity. Linearity: L(f) is defined as max_{a ∈ F_2^n} |f_W(a)|, where f_W(a) is the Walsh coefficient at a, given by f_W(a) = Σ_{x ∈ F_2^n} (−1)^{f(x) + a·x}. The maximum value is 2^n and is obtained iff f is an affine (or linear) function. Examples:
- MAJ(x_1, x_2, x_3) = x_1x_2 + x_1x_3 + x_2x_3 has linearity 4
- Σ_2^1(x_1, x_2) = x_1 + x_2 has linearity 4
- f(x_1, x_2) = x_1x_2 + x_2 has linearity 2

Linearity and Four Measures of Nonlinearity. Boyar and Peralta discuss in [3] four measures of nonlinearity for a Boolean function:
1. Nonlinearity (NL)
2. Algebraic Degree (AD)
3. Annihilator Immunity (AI)
4. Multiplicative Complexity (MC)
All these measures intuitively capture the notion of nonlinearity. They are shown to be incomparable, so they need to be studied separately: for each pair of measures μ_1, μ_2 there exist functions f_1, f_2 with μ_1(f_1) > μ_1(f_2) but μ_2(f_1) < μ_2(f_2).

Linearity and Four Measures of Nonlinearity. Nonlinearity: the Hamming distance to the closest affine function, 0 ≤ NL(f) ≤ 2^{n−1} − 2^{n/2−1}. Affine functions have nonlinearity 0. Functions with maximum nonlinearity exist if and only if n is even (bent functions).

Linearity and Four Measures of Nonlinearity. Algebraic Degree (deg f): the number of variables in the highest-order term with non-zero coefficient in the ANF. The optimal value is n. Examples:
- MAJ(x_1, x_2, x_3) = x_1x_2 + x_1x_3 + x_2x_3 has algebraic degree 2
- f(x_1, x_2, x_3, x_4) = x_1x_3x_4 + x_1 + x_2 + 1 has algebraic degree 3

Linearity and Four Measures of Nonlinearity. Annihilator Immunity: let f be a Boolean function on n inputs. The annihilator immunity (AI) is AI(f) = min_g deg(g) over non-zero g such that fg = 0 or (f + 1)g = 0; such a g is called an annihilator. It is closely related to the algebraic degree: 0 ≤ AI(f) ≤ ⌈n/2⌉ [Courtois-Meier 2003], and functions achieving these bounds are known [Courtois-Meier 2003].
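The measures defined on the preceding slides (linearity and nonlinearity via the Walsh spectrum, algebraic degree via the ANF, annihilator immunity via a rank test) computed from a truth table. This is an added example, not code from the slides or from the Boyar-Peralta paper; the function names and the bit ordering x = Σ x_i·2^i are my own conventions, and the sample functions are the ones quoted on the slides.

```python
# Added example: the four-measures toolkit on small truth tables (pure Python, no dependencies).

def truth_table(f, n):
    """Truth table of f as a list indexed by x = sum(x_i << i): entry x is f(x_0, ..., x_{n-1})."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform: W(a) = sum_x (-1)^(f(x) + a.x) for every a."""
    w = [1 - 2 * v for v in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def linearity(tt):
    return max(abs(c) for c in walsh_spectrum(tt))

def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - L(f)/2."""
    return (len(tt) - linearity(tt)) // 2

def anf(tt):
    """Moebius transform: ANF coefficient a_S, indexed by the monomial's variable mask S."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a

def algebraic_degree(tt):
    return max((bin(s).count("1") for s, c in enumerate(anf(tt)) if c), default=0)

def gf2_rank(rows):
    """Rank over GF(2) of rows given as int bitmasks (echelon form keyed by highest set bit)."""
    pivots = {}
    for v in rows:
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = v
                break
            v ^= pivots[hb]
    return len(pivots)

def annihilator_immunity(tt):
    """Smallest deg(g), g != 0, with f*g = 0 or (f+1)*g = 0.  A nonzero g of degree <= d
    van ishing on supp(f) exists iff the matrix 'monomials of degree <= d evaluated on
    supp(f)' has a nontrivial kernel, i.e. its rank is below the number of monomials."""
    n = len(tt).bit_length() - 1
    for d in range(n + 1):
        monos = [s for s in range(1 << n) if bin(s).count("1") <= d]
        for target in (1, 0):                       # annihilate f, then f + 1
            pts = [x for x in range(1 << n) if tt[x] == target]
            # row of x: bit k set iff monomial monos[k] is 1 at x (its variable set lies within x)
            rows = [sum(1 << k for k, s in enumerate(monos) if s & x == s) for x in pts]
            if gf2_rank(rows) < len(monos):
                return d
    raise AssertionError("unreachable: every function has an annihilator of degree <= n")

# Constructed sample functions (the ones quoted on the slides, 0-indexed variables).
MAJ3 = truth_table(lambda x0, x1, x2: (x0 & x1) ^ (x0 & x2) ^ (x1 & x2), 3)
SUM2 = truth_table(lambda x0, x1: x0 ^ x1, 2)
QUAD2 = truth_table(lambda x0, x1: (x0 & x1) ^ x1, 2)
DEG3 = truth_table(lambda x0, x1, x2, x3: (x0 & x2 & x3) ^ x0 ^ x1 ^ 1, 4)
AND3 = truth_table(lambda x0, x1, x2: x0 & x1 & x2, 3)
```

With these, MAJ3 has linearity 4, nonlinearity 2, degree 2 and AI 2, while the AND of three variables (Σ_3^3) has nonlinearity 1 and AI 1, matching the incomparability table that follows.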

Linearity and Four Measures of Nonlinearity. Definition of MC [Informal]: every function can be represented as a sum of non-linear functions (which require a certain number of multiplications) and linear functions over a finite field or ring. We call Multiplicative Complexity (MC) the number of multiplications required to compute the function. Computing MC is one of the most important problems in Computer Science, with an immediate positive effect on other areas (discussed later).

Linearity and Four Measures of Nonlinearity. We discuss MC computation applied to:
- Trilinear problems (matrix multiplication)
- Vectorial Boolean functions (known in cryptography as S-boxes)

Linearity and Four Measures of Nonlinearity. Multiplicative Complexity: the smallest number of AND gates necessary and sufficient to compute the function by a circuit over the basis (XOR, AND, 1), i.e. using arithmetic over F_2. MC is at least zero, with equality iff the function is affine. Upper bounds for f ∈ B_n:
- n even: MC(f) ≤ 2^{n/2+1} − n/2 − 2 [Lupanov]
- n odd: MC(f) ≤ (3/2)·2^{(n+1)/2} − (n+3)/2 [Boyar-Peralta-Pochuev]

Linearity and Four Measures of Nonlinearity. These notions are incomparable [BP2013]:

Function       | Nonlinearity            | Algebraic Degree | Annihilator Immunity | Multiplicative Complexity
Σ_n^2 (n odd)  | 2^{n−1} − 2^{(n−1)/2}   | 2                | 2                    | ⌊n/2⌋
Σ_n^n          | 1                       | n                | 1                    | n − 1

Multiplicative Complexity. Relation between MC and nonlinearity [3] [BP2013]: low MC forces low nonlinearity (equivalently, high nonlinearity forces high MC). If f ∈ B_n with MC(f) ≤ n/2, then NL(f) ≤ 2^{n−1} − 2^{n−MC(f)−1}. The bound is tight: for MC = k ≤ n/2 the simple function x_1x_2 + x_3x_4 + ... + x_{2k−1}x_{2k} has exactly this nonlinearity [3].

Multiplicative Complexity. In the rest of this talk we focus on three major problems:
- Matrix multiplication
- MC computation
- Optimization of vectorial Boolean functions (S-boxes)
All these problems are still intractable in general. Most existing algorithms are based on well-chosen ad-hoc heuristics, and it is not formally proven that the existing techniques yield optimal solutions. Improvements in these problems might lead to direct improvements in other fields.

Multiplicative Complexity. Areas that benefit from faster matrix multiplication and smaller circuits:
- Commercial software such as MATLAB
- Forecasting techniques
- Statistical analysis of large data sets
- Gaussian elimination for solving systems of equations
- Computer graphics
- Reduction of the silicon required to implement digital circuits

Multiplicative Complexity. Cryptographic applications:
- Cryptanalysis based on SAT solvers benefits immediately from MC reductions, as the time a SAT solver takes to find a solution depends on the compactness of the circuit
- Developing bitslice parallel-SIMD software implementations of block ciphers
- Optimization with respect to MC is a countermeasure against side-channel attacks (SCA) on smart cards such as Differential Power Analysis: XOR gates are easier to protect against such attacks than AND gates
- Block ciphers with lower MC are less resistant against algebraic attacks (heuristically demonstrated in [4,5])
- A lot of energy and silicon in smart cards, and in hardware devices handling SSL traffic in web servers, can be saved with cryptography that uses fewer multiplications (RSA, ECC, Diffie-Hellman key exchange)

Multiplicative Complexity. The Boyar-Peralta heuristic [BP2013] for obtaining more efficient implementations of arbitrary digital circuits with respect to Boolean complexity is based on the notion of MC (two steps):
1. Optimize with respect to AND gates
2. Optimize with respect to XOR gates separately; this is equivalent to the gate-optimization problem for circuits computing linear functions, which is NP-hard [BMP2013]
There is no formal argument (and it is unlikely to be true in general) that optimizing with respect to AND gates yields circuits of optimal Boolean complexity. However, the technique gives sufficiently good results: applied to the AES S-box it gave the smallest circuit known (32 AND, 83 XOR/XNOR gates).

Multiplicative Complexity. Boyar and Peralta results [BP2013]: inversion in F_{2^4} with 5 AND and 11 XOR gates (the nonlinear core of their AES S-box circuit; inversion in F_{2^8} itself needs the full 32 AND gates), and the AES S-box with 32 AND gates (115 gates in total) [BP2013].

Multiplicative Complexity. Automated tool based on SAT solvers which can compute optimal values for MM and MC computational problems [4,5,8]. It consists of three major steps:
1. Write the problem as a set of algebraic equations based on the target value of MC
2. Convert it to Conjunctive Normal Form (CNF)
3. Attempt to solve it using SAT solvers
The tricky part is the derivation of the algebraic representation (encoding step). Conversion from ANF to CNF can be done by existing software (e.g. the Courtois-Bard-Jefferson converter). We have applied this methodology to three areas:
1. Matrix multiplication [4,6,7,8]
2. MC computation of circuits [4,6,7]
3. Optimization of digital circuits with respect to more complex metrics [7]
[Important] We can achieve optimal results for sufficiently small problems, e.g. 4-bit to 4-bit S-boxes and multiplication of matrices up to dimension 4.

Matrix Multiplication. One of the most important (and well-studied) problems in Computer Science: multiplication of n×n matrices with entries over arbitrary rings.
- Naive algorithm: O(n^3)
- Coppersmith-Winograd (1987): O(n^2.3755)
- Andrew Stothers (2010): O(n^2.3737)
- Virginia Vassilevska Williams (2011): O(n^2.3727)
[However,] solving smaller instances of the same problem (e.g. 3×3 matrices) might yield improvements in the general case (divide-and-conquer paradigm). Strassen's algorithm multiplies 2×2 matrices with 7 multiplications instead of 8; applied recursively it gives O(n^2.807).

Matrix Multiplication. Brent equations are the form of encoding used for discovering trilinear algorithms with a specified number of multiplications [6,7,8]. We solved them first over F_2 and then heuristically lifted the solution to more general rings. Applied to multiplication of 3×3 matrices, the result is another trilinear algorithm with 23 multiplications, proved to be non-isomorphic to Laderman's solution. Doing it with 22 is a big challenge (if feasible at all).
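The Brent equations that the slides encode for the SAT solver, written out and checked on Strassen's 2×2 algorithm. This is an added example, not code from the slides or from [6,7,8]: a bilinear algorithm with r products is stored as three coefficient families (alpha_r for A, beta_r for B, gamma_r for C), the Brent equations say that Σ_r alpha_r[i,j]·beta_r[k,l]·gamma_r[m,n] equals 1 exactly when (i, j, k, l, m, n) describes a term A[m][k]·B[k][n] of the true product, and reducing them modulo 2 gives the GF(2) system the slides solve first. Function names are my own.

```python
# Added example: Brent equations as a validity check for bilinear matrix-multiplication algorithms.
from itertools import product

# Strassen's seven products (0-based (row, col) indices, integer coefficients).
ALPHA = [  # A-side linear forms
    {(0, 0): 1, (1, 1): 1}, {(1, 0): 1, (1, 1): 1}, {(0, 0): 1}, {(1, 1): 1},
    {(0, 0): 1, (0, 1): 1}, {(1, 0): 1, (0, 0): -1}, {(0, 1): 1, (1, 1): -1},
]
BETA = [   # B-side linear forms
    {(0, 0): 1, (1, 1): 1}, {(0, 0): 1}, {(0, 1): 1, (1, 1): -1}, {(1, 0): 1, (0, 0): -1},
    {(1, 1): 1}, {(0, 0): 1, (0, 1): 1}, {(1, 0): 1, (1, 1): 1},
]
GAMMA = [  # contribution of each product to the entries of C
    {(0, 0): 1, (1, 1): 1}, {(1, 0): 1, (1, 1): -1}, {(0, 1): 1, (1, 1): 1}, {(0, 0): 1, (1, 0): 1},
    {(0, 0): -1, (0, 1): 1}, {(1, 1): 1}, {(0, 0): 1},
]

def naive_algorithm(size):
    """The schoolbook algorithm in the same shape: size^3 products A[i][k]*B[k][j] -> C[i][j]."""
    alpha, beta, gamma = [], [], []
    for i, k, j in product(range(size), repeat=3):
        alpha.append({(i, k): 1})
        beta.append({(k, j): 1})
        gamma.append({(i, j): 1})
    return alpha, beta, gamma

def brent_residual(alpha, beta, gamma, size, modulus=None):
    """Number of violated Brent equations (0 means a valid algorithm).
    Equation (i,j,k,l,m,n):  sum_r alpha_r[i,j] * beta_r[k,l] * gamma_r[m,n] == [i == m, j == k, l == n],
    because C[m][n] = sum_j A[m][j] B[j][n] must come out with coefficient 1 on exactly those terms.
    With modulus=2 the same equations are read over GF(2), the form the slides feed to a SAT solver."""
    bad = 0
    for i, j, k, l, m, n in product(range(size), repeat=6):
        s = sum(a.get((i, j), 0) * b.get((k, l), 0) * g.get((m, n), 0)
                for a, b, g in zip(alpha, beta, gamma))
        target = int(i == m and j == k and l == n)
        if modulus:
            s, target = s % modulus, target % modulus
        if s != target:
            bad += 1
    return bad

def multiply(alpha, beta, gamma, A, B, size):
    """Run a bilinear algorithm on concrete matrices (lists of lists of ints)."""
    prods = [sum(c * A[i][j] for (i, j), c in a.items()) * sum(c * B[k][l] for (k, l), c in b.items())
             for a, b in zip(alpha, beta)]
    C = [[0] * size for _ in range(size)]
    for g, p in zip(gamma, prods):
        for (m, n), c in g.items():
            C[m][n] += c * p
    return C

def unknown_count(size, r):
    """Size of the search space the SAT encoding works in: three coefficient tensors of r x size^2 bits,
    constrained by size^6 Brent equations."""
    return 3 * r * size * size, size ** 6
```

For 2×2 matrices with r = 7 the GF(2) instance has 84 unknown bits and 64 cubic equations; for 3×3 with r = 23 it grows to 621 unknowns and 729 equations, which is the size regime the slides describe as solvable only with care.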


Automated MC Reduction. Computing MC for arbitrary digital circuits is more complex! The encoding step is the tricky part. [Important] There is no general method to show that no better can be done; we present one which works, but only for sufficiently small dimensions (based on SAT solvers).


Automated MC Reduction. Input: truth table, target MC. Output: a circuit representation of the desired MC [7,8]. Steps:
1. Encode the circuit as a straight-line program
2. Start with the input variables x_1, x_2, ..., x_n of the circuit and let S = {x_1, x_2, ..., x_n}
3. Allow a new variable z to be the product of two elements of the form a_1x_1 + a_2x_2 + ... + a_nx_n, where x_1, x_2, ..., x_n ∈ S
4. Insert z into S and repeat, generating MC such variables
5. Write affine equations that make each output of the circuit an affine combination of elements of S
6. Substitute all input/output pairs from the truth table of the circuit to generate more equations

Automated MC Reduction. Optimality: SAT obtained for K = k; keep decreasing K until UNSAT. MC is the minimum k that is SAT while every K < k is UNSAT. Constraints: works sufficiently well for small problems; the running time of the SAT solver is unpredictable.
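The straight-line-program encoding of the preceding steps, with the SAT solver replaced by exhaustive search over the same unknowns (which affine combinations of S feed each of the k products, and which affine combination of S equals the target), so that the "SAT at k, UNSAT at k − 1" optimality argument can be run end to end on tiny functions. This is an added example and not the tool from [7,8]: it is only feasible for n ≤ 4 and k ≤ 2 or so, exactly the regime where the slides say SAT solvers are needed to go further. Names and the bit ordering x = Σ x_i·2^i are my own.

```python
# Added example: MC by exhaustive search over the slides' straight-line-program encoding.

def tt_mask(f, n):
    """Truth table as an int: bit x holds f(x_0, ..., x_{n-1}) with x = sum(x_i << i)."""
    return sum((f(*[(x >> i) & 1 for i in range(n)]) & 1) << x for x in range(1 << n))

def var_mask(j, n):
    """Truth table of the projection x -> x_j."""
    return sum(1 << x for x in range(1 << n) if (x >> j) & 1)

def affine(mask, gens):
    """XOR of the generators selected by mask (bit 0 = constant 1, then x's, then z's)."""
    v = 0
    for i, g in enumerate(gens):
        if (mask >> i) & 1:
            v ^= g
    return v

def reduce_gf2(v, pivots):
    """Fully reduce v against an echelon basis {highest bit: vector}; 0 iff v is in the span."""
    for hb in sorted(pivots, reverse=True):
        if (v >> hb) & 1:
            v ^= pivots[hb]
    return v

def add_to_basis(v, pivots):
    v = reduce_gf2(v, pivots)
    if v:
        pivots[v.bit_length() - 1] = v

def initial_gens(n):
    return [(1 << (1 << n)) - 1] + [var_mask(j, n) for j in range(n)]   # S = {1, x_0, ..., x_{n-1}}

def mc_witness(f_mask, n, k):
    """A program with at most k products of affine forms computing f, or None (the UNSAT case).
    Each new z is a product of two affine combinations of the current generators, as on the slide;
    f must end up in the affine span of the generators.  Returns [(mask_a, mask_b), ...]."""
    def search(gens, pivots, budget, program):
        if reduce_gf2(f_mask, pivots) == 0:
            return program
        if budget == 0:
            return None
        combos = [affine(m, gens) for m in range(1 << len(gens))]
        seen = set()
        for ma in range(1, len(combos)):
            for mb in range(ma, len(combos)):
                z = combos[ma] & combos[mb]
                canon = reduce_gf2(z, pivots)       # z and z + (affine) extend the span identically
                if canon == 0 or canon in seen:
                    continue
                seen.add(canon)
                new_pivots = dict(pivots)
                add_to_basis(z, new_pivots)
                found = search(gens + [z], new_pivots, budget - 1, program + [(ma, mb)])
                if found is not None:
                    return found
        return None

    pivots = {}
    gens = initial_gens(n)
    for g in gens:
        add_to_basis(g, pivots)
    return search(gens, pivots, k, [])

def multiplicative_complexity(f_mask, n, max_k=4):
    """Smallest k with a witness (SAT at k, UNSAT for every smaller k), together with the witness."""
    for k in range(max_k + 1):
        w = mc_witness(f_mask, n, k)
        if w is not None:
            return k, w
    raise ValueError(f"no circuit with at most {max_k} AND gates found")

def check_witness(program, n, f_mask):
    """Independent verification: rebuild the generators and look for f in their affine span."""
    gens = initial_gens(n)
    for ma, mb in program:
        gens.append(affine(ma, gens) & affine(mb, gens))
    return any(affine(m, gens) == f_mask for m in range(1 << len(gens)))

def describe(program, n, f_mask):
    """Human-readable straight-line program plus the affine combination that yields f."""
    names = ["1"] + [f"x{j}" for j in range(n)]
    gens = initial_gens(n)
    lines = []
    for i, (ma, mb) in enumerate(program):
        term = lambda m: " + ".join(names[t] for t in range(len(names)) if (m >> t) & 1)
        lines.append(f"z{i} = ({term(ma)}) * ({term(mb)})")
        gens.append(affine(ma, gens) & affine(mb, gens))
        names.append(f"z{i}")
    out = next(m for m in range(1 << len(gens)) if affine(m, gens) == f_mask)
    lines.append("f = " + (" + ".join(names[t] for t in range(len(names)) if (out >> t) & 1) or "0"))
    return lines
```

On the majority of three bits the search returns a single product, e.g. MAJ = (x0 + x1)(x0 + x2) + x0, and reports UNSAT at k = 0, so MC(MAJ3) = 1 = ⌊3/2⌋ as the incomparability table states for Σ_3^2; the AND of three variables needs two products.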


Automated MC Reduction. Applied to the PRESENT S-box: naive implementation 39 gates; MC = 4 (proved); further optimizations give the best-known bitslice implementation with 14 gates. Applied to 4-bit to 4-bit S-boxes, namely the 8 principal GOST S-boxes (GOST is a block cipher with a 256-bit key that operates on 64-bit inputs in 32 rounds): the maximum MC is 5.

Automated MC Reduction. Applied to the majority function on 3, 5 and 7 inputs [7,8]. Time taken with MiniSat (Intel i7 1.73GHz / 4GB RAM):

Number of inputs | Time (s)
3                | 5.0
5                | 8.1
7                | 16.0

Optimization of Circuits wrt other metrics. Three more complex metrics:
- Bitslice Gate Complexity: the minimum number of 2-input gates of type XOR, OR, AND, NOT needed to compute a given circuit (bitslice implementation of block ciphers on standard CPUs)
- Gate Complexity: the minimum number of 2-input gates of type XOR, AND, OR, NAND, NOR, NXOR needed to compute a given circuit (bitslice parallel-SIMD implementations of block ciphers)
- NAND complexity: the minimum number of 2-input NAND gates required to compute a circuit
The encoding part becomes trickier. Consider six sorts of variables for this problem [7,8]:
- x: inputs of the truth table
- y: outputs of the truth table
- q, q': inputs of internal gates
- t: outputs of gates
- b: variables which define the function of a gate, of the form b_1·uv + b_2·(u + v) + b_3 on inputs u, v (AND is b_1 alone, XOR is b_2 alone, OR is b_1 + b_2, and b_3 = 1 gives the negated variants NAND, NXOR, NOR)
- a: variables which encode the unknown connections between different gates

Optimization of Circuits wrt other metrics. Each element of the set S (as previously defined) can be a combination of other variables corresponding to an allowed gate representation, which is encoded through the b coefficients. The a variables are used to ensure that the combination of two elements yields only one gate, avoiding extra (uncounted) XOR gates.


Optimization of Circuits wrt other metrics. Applied to the CTC S-box (3-bit to 3-bit): Bitslice Gate Complexity is 8, Gate Complexity is 6, NAND complexity is 12.

MC Reductions in Cryptanalysis (GOST). Official encryption standard of the Russian Federation, declassified in 1994 and submitted to ISO 18033-3 to become an international encryption standard. 32-round Feistel network with a 256-bit key and 64-bit blocks, and a very simple key schedule. Round function:
- Linear: XOR and rotation by 11 bits to the left
- Non-linear: eight 4-bit to 4-bit S-boxes and addition modulo 2^32

MC Reductions in Cryptanalysis. We applied an algebraic attack to an MC-optimized version of the GOST cipher using SAT solvers [4,5]:
1. Write all the equations in ANF: for the S-boxes use the MC-optimized versions, without further optimization with respect to XOR gates (keeping more linearity); for modular addition use the encoding of [4,5,8] (shown on the slide), which is optimal and has MC = 31
2. For each input of each AND gate add one new variable; all other gates give linear equations over F_2
3. Convert to CNF using existing software
4. Solve using a SAT solver
Successful in all random cases we tried.
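The pipeline of the four steps above on the modular-addition component, as an added example that is not the slides' own code or the encoding drawn on the slide: a carry-chain adder built so that every carry costs one AND gate (n − 1 AND gates, i.e. 31 for the 32-bit addition in GOST, which matches the MC quoted; whether it is gate-for-gate the encoding of [4,5,8] cannot be checked from this page), a Tseitin-style conversion of that straight-line program to CNF (in a gate-level program every AND input is already a named wire, which is what step 2 achieves), and a minimal DPLL procedure standing in for MiniSat. The instance solved is "given y and s = (x + y) mod 2^n, recover x", the shape of equation a key-recovery attack feeds the solver. All names are my own.

```python
# Added example: n-1 AND adder -> CNF -> toy SAT solve of the addition equations.

def adder_circuit(n):
    """Straight-line program for (x + y) mod 2^n over XOR/AND gates.
    Wires: x_i -> i, y_i -> n+i, then one fresh wire per gate.  Carry recurrence
    c_{i+1} = (x_i + c_i)(y_i + c_i) + c_i  (= MAJ(x_i, y_i, c_i)), one AND per carry; the final
    carry is never needed, so the circuit has exactly n-1 AND gates.  Returns (gates, outputs, wires)."""
    gates, count = [], 2 * n

    def gate(op, a, b):
        nonlocal count
        gates.append((op, count, a, b))
        count += 1
        return count - 1

    outs, carry = [], None
    for i in range(n):
        x, y = i, n + i
        if i == 0:                                   # half adder for the lowest bit
            outs.append(gate("XOR", x, y))
            carry = gate("AND", x, y) if n > 1 else None
        else:                                        # full adder with a single AND
            outs.append(gate("XOR", gate("XOR", x, y), carry))
            if i < n - 1:
                carry = gate("XOR", gate("AND", gate("XOR", x, carry), gate("XOR", y, carry)), carry)
    return gates, outs, count

def count_ands(circuit):
    return sum(op == "AND" for op, *_ in circuit[0])

def run(circuit, x, y):
    """Evaluate the program; returns (sum, list of all wire values)."""
    gates, outs, count = circuit
    n = len(outs)
    w = [0] * count
    for i in range(n):
        w[i], w[n + i] = (x >> i) & 1, (y >> i) & 1
    for op, o, a, b in gates:
        w[o] = w[a] ^ w[b] if op == "XOR" else w[a] & w[b]
    return sum(w[o] << i for i, o in enumerate(outs)), w

def to_cnf(circuit):
    """Tseitin clauses; DIMACS variable of wire w is w+1.  XOR costs 4 clauses, AND costs 3,
    and no variables beyond the wires are needed because every AND input is already a wire."""
    clauses = []
    for op, o, a, b in circuit[0]:
        A, B, O = a + 1, b + 1, o + 1
        if op == "XOR":
            clauses += [[-A, -B, -O], [A, B, -O], [A, -B, O], [-A, B, O]]
        else:
            clauses += [[-O, A], [-O, B], [O, -A, -B]]
    return clauses

def dpll(clauses, assign=None):
    """Minimal DPLL (unit propagation + branching), standing in for MiniSat.
    Returns a dict {var: bool} satisfying every clause, or None."""
    assign = dict(assign or {})
    while True:
        unit = None
        for cl in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in cl):
                continue                              # clause already satisfied
            free = [l for l in cl if abs(l) not in assign]
            if not free:
                return None                           # conflict
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
    free_vars = {abs(l) for cl in clauses for l in cl} - assign.keys()
    if not free_vars:
        return assign
    v = min(free_vars)
    for val in (True, False):
        res = dpll(clauses, {**assign, v: val})
        if res is not None:
            return res
    return None

def recover_x(circuit, y, s):
    """SAT instance: fix the y wires and the output wires to constants, ask the solver for x."""
    gates, outs, count = circuit
    n = len(outs)
    clauses = to_cnf(circuit)
    clauses += [[n + i + 1 if (y >> i) & 1 else -(n + i + 1)] for i in range(n)]
    clauses += [[o + 1 if (s >> i) & 1 else -(o + 1)] for i, o in enumerate(outs)]
    model = dpll(clauses)
    if model is None:
        return None
    return sum(int(model.get(i + 1, False)) << i for i in range(n))
```

Because x is uniquely determined by y and s, the solver must return s − y mod 2^n; the point of the exercise is the clause count, which is driven by the 3 clauses per AND plus 4 per XOR, so the MC reduction of the adder translates directly into a smaller instance.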

MC Reductions in Cryptanalysis. MC reductions might yield better results in algebraic attacks (heuristically demonstrated): MC reduction as a pre-processing step in algebraic attacks. Algebraic attack on the SIMON cipher [eprint 2013/404], a cipher of very low MC (MC = 32 per round) [Courtois et al., SECRYPT 2013]:
- 10 of 44 rounds broken faster than brute force using SAT solvers (using truncated differentials of low Hamming distance)
- No key guessing is required

MC Reductions in Cryptanalysis. Elliptic curves over GF(2^n): in characteristic 2, and for the most common NIST curves, the relation P_1 + P_2 = P_3 (P_3 fixed) corresponds to Semaev's summation polynomial S_3 (equation shown on the slide). In a model where linearized polynomials (powers of 2) are free, and with x_3 fixed: Lemma: this equation can be written with MC = 1 over GF(2^n) by a suitable change of variables. Consequence: all known very compact representations of this equation over GF(2) can be derived from this fact.

MC Reductions in Cryptanalysis. Open problem: the relation between MC and algebraic attacks. Does MC reduction speed up algebraic attacks?

MC Reductions in Cryptanalysis: Multiplicative Reductions and One-Wayness

MC Reductions in Cryptanalysis. MC and one-wayness [BP2013]:
- If a function f has multiplicative complexity MC, then it can be inverted in at most 2^MC evaluations of f [3]
- If MC(f) ≤ n/2, then NL(f) ≤ 2^{n−1} − 2^{n−MC(f)−1} [3]
- Theorem [Boyar and Peralta 2013]: collision resistance of a function f: F_2^n → F_2^m requires that MC(f) ≥ n − m

MC Reductions in Cryptanalysis. If a function f has multiplicative complexity MC, then it can be inverted in at most 2^MC evaluations of f [3]. [Sketch of proof]
- Consider a circuit C for f with MC AND gates and suppose y has a non-empty pre-image under f
- Guessing the Boolean value of one input of each AND gate turns C into a linear system of equations L
- Solve L to obtain a candidate input x and test whether f(x) = y
- This finds a pre-image of y after at most 2^MC iterations

MC Reductions in Cryptanalysis. Theorem [Boyar and Peralta 2013]: collision resistance of a function f: F_2^n → F_2^m requires that MC(f) ≥ n − m. [Sketch of proof]
- Let C be a circuit for f and w.l.o.g. assume C has no negations (negations can be pushed to the outputs of the circuit without changing the number of AND gates)
- Search for two inputs that map to 0; since there are no negations, one such point is 0
- To obtain a second pre-image of 0: pick a topologically minimal AND gate and set one of its inputs to 0 (this generates one homogeneous linear equation on the inputs of f and allows us to remove the AND gate from C)
- Repeat until no AND gates are left in C. This yields a homogeneous system S with at most MC equations plus a circuit C' which computes a homogeneous linear system with m equations; the combined system has at least 2^{n−m−MC} distinct solutions
- If m + MC < n, standard linear algebra yields non-zero solutions; these are second pre-images of 0

End of presentation. Thanks!

References
[1] Boyar, J., Matthews, P., & Peralta, R. (2013). Logic minimization techniques with applications to cryptology. Journal of Cryptology, 26(2), 280-312.
[2] Boyar, J., & Peralta, R. (2010). A new combinational logic minimization technique with applications to cryptology. In Experimental Algorithms (pp. 178-189). Springer Berlin Heidelberg.
[3] Boyar, J., & Peralta, R. (2013). Four Measures of Nonlinearity. In Algorithms and Complexity (pp. 61-72). Springer Berlin Heidelberg.
[4] Courtois, N., Hulme, D., & Mourouzis, T. (2011). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. IACR Cryptology ePrint Archive, 2011/475.
[5] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. SHARCS Workshop, 2012.
[6] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Multiplicative Complexity and Solving Generalized Brent Equations With SAT Solvers. In COMPUTATION TOOLS 2012, The Third International Conference on Computational Logics, Algebras, Programming, Tools, and Benchmarking (pp. 22-27).
[7] Courtois, N., Mourouzis, T., & Hulme, D. (2013). Exact Logic Minimization and Multiplicative Complexity of Concrete Algebraic and Cryptographic Circuits. International Journal On Advances in Intelligent Systems, 6(3 and 4), 165-176.
[8] Mourouzis, T. (2015). Optimizations in Algebraic and Differential Cryptanalysis. Doctoral dissertation, UCL (University College London).
[9] Courtois, N. Extended Slides on the topic of Multiplicative Complexity. http://www.nicolascourtois.com/papers/multcomp.pdf