Multiplicative Complexity Reductions in Cryptography and Cryptanalysis
Theodosis Mourouzis
SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH 25-29 MAY/2015
Presentation Overview
- Linearity and Four Measures of Nonlinearity: Linearity, Nonlinearity, Algebraic Degree, Annihilator Immunity, Multiplicative Complexity (MC)
- Multiplicative Complexity (MC): MC Reductions, Matrix Multiplication (MM), Automated MC Reduction, Optimization of Circuits wrt other metrics
- Reductions of MC in Cryptanalysis: MC and Algebraic Attacks, MC and the One-Wayness property
- References
Notation
Let $x \in \mathbb{F}_2^n$ and let $f: \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function.
$B_n = \{ f \mid f: \mathbb{F}_2^n \to \mathbb{F}_2 \}$: the set of Boolean functions on n variables
$HW(x)$: Hamming weight of x
$|S|$: cardinality of a set S
$d(f, g) = |\{ x \in \mathbb{F}_2^n \mid f(x) \neq g(x) \}|$: distance between two functions $f, g \in B_n$
The Algebraic Normal Form (ANF) of f is defined by
$f(x_1, x_2, \ldots, x_n) = \sum_{S \subseteq \{1, 2, \ldots, n\}} a_S \prod_{i \in S} x_i$, where $a_S \in \{0, 1\}$ for all S and we define $\prod_{i \in \emptyset} x_i = 1$
- If $a_S = 0$ for all $|S| > 1$ we say that f is affine
- If the above holds and $a_\emptyset = 0$ we say that f is linear
- If $a_S = a_{S'}$ whenever $|S| = |S'|$ we say that f is symmetric
$\Sigma_k^n$: the k-th elementary symmetric Boolean function, i.e. the sum of all terms with $|S| = k$
Linearity and Four Measures of Nonlinearity
Cryptographic applications are designed with the following properties in mind:
- Efficient circuit (hardware) implementation
- Efficient software implementation
- Resistance against known forms of attack such as linear/differential cryptanalysis
[Informally] Cryptographic functions are required to be hard to invert, i.e. linear algebra should not be applicable to the problem of saying something about x given f(x) (the function must be sufficiently distant from linear) [BP2013]
Several measures of how linear or non-linear a Boolean function is have been proposed by the community [BP2013]
Linearity is the more concrete concept; nonlinearity is much more complex to describe
Linearity and Four Measures of Nonlinearity
Linearity: $L(f)$ is defined by $\max_{a \in \mathbb{F}_2^n} |f^W(a)|$, where $f^W(a)$ is the Walsh coefficient at a, given by $f^W(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x}$
The maximum value is $2^n$ and is obtained iff f is an affine/linear function
Example:
- $MAJ(x_1, x_2, x_3) = x_1 x_2 + x_1 x_3 + x_2 x_3$ has linearity 4
- $S_1(x_1, x_2) = x_1 + x_2$ has linearity 4
- $S_1(x_1, x_2) = x_1 x_2 + x_2$ has linearity 2
Linearity and Four Measures of Nonlinearity
Boyar and Peralta discuss in [3] [BP2013] four measures of nonlinearity for a Boolean function:
1. Nonlinearity (NL)
2. Algebraic Degree (AD)
3. Annihilator Immunity (AI)
4. Multiplicative Complexity (MC)
All these measures intuitively capture the notion of nonlinearity
These measures are shown to be incomparable => they need to be studied separately
For each pair of measures $\mu_1, \mu_2$ there exist functions $f_1, f_2$ with $\mu_1(f_1) > \mu_1(f_2)$ but $\mu_2(f_1) < \mu_2(f_2)$
Linearity and Four Measures of Nonlinearity
Nonlinearity: the Hamming distance to the closest affine function
$0 \le NL(f) \le 2^{n-1} - 2^{n/2 - 1}$
Affine functions have nonlinearity 0
Functions with maximum nonlinearity exist if and only if n is even (bent functions)
Linearity and Four Measures of Nonlinearity
Algebraic Degree ($\deg f$): the number of variables in the highest-order term with non-zero coefficient in the ANF
The optimal value is n
Example:
- $MAJ(x_1, x_2, x_3) = x_1 x_2 + x_1 x_3 + x_2 x_3$ has algebraic degree 2
- $S_1(x_1, x_2, x_3, x_4) = x_1 x_3 x_4 + x_1 + x_2 + 1$ has algebraic degree 3
Linearity and Four Measures of Nonlinearity
Annihilator Immunity: let f be a Boolean function on n inputs. Then the annihilator immunity (AI) is given by $AI(f) = \min_g \deg(g)$ over all non-zero g such that $fg = 0$ or $(f + 1) g = 0$. The function g is called an annihilator
Closely related to algebraic degree
$0 \le AI(f) \le \lceil n/2 \rceil$ [Courtois-Meier 2003]
Functions are known to achieve these bounds [Courtois-Meier 2003]
Linearity and Four Measures of Nonlinearity
Definition of MC [Informal]: every function can be represented as a sum of non-linear functions (a certain number of multiplications is required) and linear functions over a finite field/ring
We call the number of multiplications required to compute the function its Multiplicative Complexity (MC)
MC computation is one of the most important problems in Computer Science (with an immediate positive effect in other areas, discussed later)
Linearity and Four Measures of Nonlinearity
We discuss MC computation applied to:
- Tri-linear problems (Matrix Multiplication)
- Vectorial Boolean functions (known in cryptography as S-boxes)
Linearity and Four Measures of Nonlinearity
Multiplicative Complexity: the smallest number of AND gates necessary and sufficient to compute the function by a circuit over the basis (XOR, AND, 1), i.e. using arithmetic over $\mathbb{F}_2$
MC is at least zero, with equality iff the function is affine
Bounds for f:
- n even: $MC(f) \le 2^{n/2 + 1} - \frac{n}{2} - 2$ [Lupanov]
- n odd: $MC(f) \le \frac{3}{2} \cdot 2^{(n+1)/2} - \frac{n+3}{2}$ [Boyar-Peralta-Pochuev]
Linearity and Four Measures of Nonlinearity
These notions are incomparable [BP2013]:

| Function | Nonlinearity | Algebraic Degree | Annihilator Immunity | Multiplicative Complexity |
|---|---|---|---|---|
| $\Sigma_2^n$ (n odd) | $2^{n-1} - 2^{(n-1)/2}$ | 2 | 2 | $\lfloor n/2 \rfloor$ |
| $\Sigma_n^n$ | 1 | n | 1 | n - 1 |
Multiplicative Complexity
Relation between MC and nonlinearity [3] [BP2013]
If a function has low nonlinearity, this gives a bound on the MC
If $f \in B_n$ with $MC(f) \le n$, then it has nonlinearity at most $2^{n-1} - 2^{n - MC(f) - 1}$
For f with $MC = n/2$ there exists a simple function with this nonlinearity [3]
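As an added worked example (my own code, not from the slides or from [BP2013]), the following Python computes the four measures for the example functions of the previous slides: the Walsh spectrum and linearity, the nonlinearity $2^{n-1} - L(f)/2$, the algebraic degree via the Möbius transform of the truth table, and the annihilator immunity via a rank test (a non-zero annihilator of degree at most d exists iff the monomials of degree at most d are linearly dependent on the support of f, respectively of f + 1). It also rearranges the inequality of this slide, $NL(f) \le 2^{n-1} - 2^{n-MC-1}$, into the lower bound $MC \ge n - 1 - \log_2(2^{n-1} - NL(f))$; that rearrangement and all function names are mine.

```python
def popcount(v):
    return bin(v).count("1")

def truth_table(f, n):
    """Truth table of f as a list: entry x holds f(x_1..x_n) with x_i = bit i-1 of x."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def walsh_spectrum(tt, n):
    """f^W(a) = sum_x (-1)^(f(x) + a.x) for every a in F_2^n."""
    return [sum((-1) ** (tt[x] ^ (popcount(a & x) & 1)) for x in range(1 << n))
            for a in range(1 << n)]

def linearity(tt, n):
    return max(abs(w) for w in walsh_spectrum(tt, n))

def nonlinearity(tt, n):
    """Hamming distance to the nearest affine function: 2^(n-1) - L(f)/2."""
    return (2 ** n - linearity(tt, n)) // 2

def anf(tt, n):
    """Moebius transform: a[S] is the ANF coefficient of prod_{i in S} x_i (S as a bitmask)."""
    a = list(tt)
    for i in range(n):
        for x in range(1 << n):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return a

def algebraic_degree(tt, n):
    coeffs = anf(tt, n)
    return max((popcount(S) for S in range(1 << n) if coeffs[S]), default=0)

def rank_f2(rows):
    """Rank over F2 of row vectors packed as ints (basis keyed by leading bit)."""
    basis, rank = {}, 0
    for v in rows:
        while v:
            lead = v.bit_length() - 1
            if lead in basis:
                v ^= basis[lead]
            else:
                basis[lead] = v
                rank += 1
                break
    return rank

def annihilator_immunity(tt, n):
    """Smallest degree d of a non-zero g with f*g = 0 or (f+1)*g = 0.
    g = sum_S c_S * monomial_S vanishes on supp(h) iff M c = 0, where row x of M
    marks the monomials that are 1 at x; a non-trivial c exists iff rank(M) < #monomials."""
    for d in range(n + 1):
        monomials = [S for S in range(1 << n) if popcount(S) <= d]
        for h in (tt, [1 - v for v in tt]):
            support = [x for x in range(1 << n) if h[x]]
            rows = [sum(1 << j for j, S in enumerate(monomials) if S & x == S)
                    for x in support]
            if rank_f2(rows) < len(monomials):
                return d
    return n

def mc_lower_bound(tt, n):
    """MC >= n - 1 - log2(2^(n-1) - NL(f)), rounded up: my rearrangement of the slide's
    inequality NL(f) <= 2^(n-1) - 2^(n-MC-1).  The gap 2^(n-1) - NL is >= 1 for every f."""
    gap = 2 ** (n - 1) - nonlinearity(tt, n)
    return n - gap.bit_length()

def four_measures(f, n):
    tt = truth_table(f, n)
    return {"linearity": linearity(tt, n), "NL": nonlinearity(tt, n),
            "degree": algebraic_degree(tt, n), "AI": annihilator_immunity(tt, n),
            "MC_lower_bound": mc_lower_bound(tt, n)}

if __name__ == "__main__":
    maj = lambda x1, x2, x3: (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)
    print("MAJ(x1,x2,x3):", four_measures(maj, 3))
    print("x1 + x2:      ", four_measures(lambda x1, x2: x1 ^ x2, 2))
    print("x1x2 + x2:    ", four_measures(lambda x1, x2: (x1 & x2) ^ x2, 2))
```

For MAJ the output reproduces the slides' values (linearity 4, NL 2, degree 2, AI 2) and the derived bound says MC ≥ 1, which matches the table entry $\lfloor 3/2 \rfloor = 1$ for $\Sigma_2^3$; the rank-based AI test scales to any n for which the $2^n$-entry truth table fits in memory, unlike enumerating all candidate annihilators.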
Multiplicative Complexity
In the rest of this talk we focus on three major problems:
- Matrix Multiplication
- MC Computation
- Optimization of vectorial Boolean functions (S-boxes)
Multiplicative Complexity
- All these problems are still intractable
- Most of the existing algorithms are based on well-chosen ad-hoc heuristics
- It is not formally proven that the existing techniques can yield optimal solutions
- Improvements in such problems might lead to direct improvements in other fields
Multiplicative Complexity
Other fields that benefit from such improvements:
- Commercial software such as MATLAB
- Forecasting techniques
- Statistical analysis of large data sets
- Gaussian elimination for solving a system of equations
- Computer graphics
- Reduction in the silicon required to implement digital circuits
Multiplicative Complexity
- Cryptanalysis based on SAT solvers benefits immediately from MC reductions, as the time taken by a SAT solver to find a solution depends on the compactness of the circuit
- Development of bitslice parallel-SIMD software implementations of block ciphers
- Optimization wrt MC is a countermeasure against Side Channel Attacks (SCA) on smart cards, such as Differential Power Analysis: XOR gates are easier to protect against such attacks
- Block ciphers with lower MC are less resistant against algebraic attacks (heuristically demonstrated in [4,5])
- A lot of energy and silicon in smart cards, and in hardware devices that handle SSL traffic in web servers, can be saved with cryptography that uses fewer multiplications (RSA, ECC, Diffie-Hellman key exchange)
Multiplicative Complexity
The Boyar and Peralta heuristic [BP2013] for obtaining more efficient implementations of arbitrary digital circuits with respect to Boolean complexity is based on the notion of MC (2 steps):
1. Optimize wrt AND gates
2. Optimize wrt XOR gates separately; this is equivalent to the gate-optimization problem for circuits of linear functions (NP-hard [BMP2013])
There is no formal proof (and it is unlikely to be true in general) that optimization wrt AND gates yields circuits of optimal Boolean complexity
However, this technique gives sufficiently good results. Applied to the AES S-box it gave the smallest circuit known (32 AND, 83 XOR/XNOR gates)
Multiplicative Complexity
Boyar and Peralta results [BP2013]: inversion in $\mathbb{F}_{2^8}$: 5 AND, 11 XOR
Multiplicative Complexity
AES S-box: 32 AND (115 gates in total) [BP2013]
Multiplicative Complexity
An automated tool based on SAT solvers can compute optimal values for the MM and MC computational problems [4,5,8]. It consists of 3 major steps:
1. Write the problem as a set of algebraic equations based on the target value of MC
2. Convert it to Conjunctive Normal Form (CNF)
3. Attempt to solve this using SAT solvers
Multiplicative Complexity
The tricky part is the derivation of the algebraic representation (the encoding step)
Conversion from ANF to CNF can be done by ready-made software (e.g. Courtois-Bard-Jefferson)
We have applied this methodology to three areas:
1. Matrix Multiplication [4,6,7,8]
2. MC computation of circuits [4,6,7]
3. Optimization of digital circuits with respect to more complex metrics [7]
[Important] We can achieve optimal results for sufficiently small problems, e.g. 4-bit to 4-bit S-boxes and multiplication of matrices up to dimension 4
Matrix Multiplication
One of the most important (and well-studied) problems in Computer Science
Multiplication of $n \times n$ matrices with entries over arbitrary rings
- Naive algorithm: $O(n^3)$
- Coppersmith-Winograd (1987): $O(n^{2.3755})$
- Andrew Stothers (2010): $O(n^{2.3737})$
- Virginia Vassilevska (2011): $O(n^{2.3727})$
Matrix Multiplication
[However,] solving smaller instances of the same problem (e.g. 3x3 matrices) might yield improvements in the general case (divide-and-conquer paradigm)
Strassen's algorithm multiplies 2x2 matrices in 7 multiplications instead of 8
Applying this algorithm recursively: $O(n^{2.807})$
Matrix Multiplication
Brent equations as a form of encoding for discovering tri-linear algorithms with a specified number of multiplications [6,7,8]
We solved them first over $\mathbb{F}_2$ and then heuristically lifted the solution to more general rings
Matrix Multiplication
Applied to multiplication of 3x3 matrices
Result: another tri-linear algorithm with 23 multiplications
Proved to be non-isomorphic to Laderman's solution
Doing it with 22 is a big challenge (if feasible at all)
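Added example for the two previous slides (my own code, not the authors' SAT-based tool and not from [6,7,8]): Strassen's 2x2 algorithm written as the three coefficient tensors that the Brent equations constrain, a check that those tensors satisfy the Brent equations both over the integers and reduced mod 2 (the $\mathbb{F}_2$ setting the slides solve first), and the recursive divide-and-conquer application with a multiplication counter showing $7^k$ scalar products for a $2^k \times 2^k$ matrix instead of $8^k$. Names such as `brent_violations` and `multiply_and_count` are mine; the sample matrices are constructed from a fixed seed.

```python
import random

# Entry index convention for 2x2 matrices: 0=(1,1), 1=(1,2), 2=(2,1), 3=(2,2).
IDX = {(1, 1): 0, (1, 2): 1, (2, 1): 2, (2, 2): 3}

# Strassen's 7 products as coefficient vectors: product r is
# (sum_ij ALPHA[r][ij] a_ij) * (sum_kl BETA[r][kl] b_kl), and c_mn = sum_r GAMMA[r][mn] M_r.
ALPHA = [[1, 0, 0, 1], [0, 0, 1, 1], [1, 0, 0, 0], [0, 0, 0, 1], [1, 1, 0, 0], [-1, 0, 1, 0], [0, 1, 0, -1]]
BETA  = [[1, 0, 0, 1], [1, 0, 0, 0], [0, 1, 0, -1], [-1, 0, 1, 0], [0, 0, 0, 1], [1, 1, 0, 0], [0, 0, 1, 1]]
GAMMA = [[1, 0, 0, 1], [0, 0, 1, -1], [0, 1, 0, 1], [1, 0, 1, 0], [-1, 1, 0, 0], [0, 0, 0, 1], [1, 0, 0, 0]]

def brent_violations(alpha, beta, gamma, modulus=None):
    """Count violated Brent equations
        sum_r alpha_r[ij] * beta_r[kl] * gamma_r[mn] = [j == k][i == m][l == n].
    Zero violations means (alpha, beta, gamma) is a correct bilinear 2x2 algorithm
    (over Z, or over Z/modulus when a modulus is given)."""
    bad = 0
    for (i, j), ij in IDX.items():
        for (k, l), kl in IDX.items():
            for (m, n), mn in IDX.items():
                total = sum(a[ij] * b[kl] * g[mn] for a, b, g in zip(alpha, beta, gamma))
                want = int(j == k and i == m and l == n)
                if modulus:
                    total, want = total % modulus, want % modulus
                bad += total != want
    return bad

def _add(X, Y, s):
    return [[x + s * y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def _combine(coeffs, blocks):
    """Integer linear combination of equally sized square blocks."""
    size = len(blocks[0])
    acc = [[0] * size for _ in range(size)]
    for c, M in zip(coeffs, blocks):
        if c:
            acc = _add(acc, M, c)
    return acc

def strassen(A, B, counter):
    """Multiply square matrices of power-of-two size with Strassen's algorithm applied
    recursively; counter[0] accumulates the number of scalar multiplications."""
    n = len(A)
    if n == 1:
        counter[0] += 1
        return [[A[0][0] * B[0][0]]]
    h = n // 2
    block = lambda M, r, c: [row[c:c + h] for row in M[r:r + h]]
    Ab = [block(A, 0, 0), block(A, 0, h), block(A, h, 0), block(A, h, h)]
    Bb = [block(B, 0, 0), block(B, 0, h), block(B, h, 0), block(B, h, h)]
    # 7 recursive block products instead of 8
    P = [strassen(_combine(al, Ab), _combine(be, Bb), counter) for al, be in zip(ALPHA, BETA)]
    Cb = [_combine([g[t] for g in GAMMA], P) for t in range(4)]
    top = [Cb[0][r] + Cb[1][r] for r in range(h)]
    bottom = [Cb[2][r] + Cb[3][r] for r in range(h)]
    return top + bottom

def naive(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def multiply_and_count(A, B):
    counter = [0]
    return strassen(A, B, counter), counter[0]

def random_matrix(n, seed):
    """Constructed sample input with small integer entries."""
    rng = random.Random(seed)
    return [[rng.randint(-5, 5) for _ in range(n)] for _ in range(n)]

if __name__ == "__main__":
    print("Brent violations over Z :", brent_violations(ALPHA, BETA, GAMMA))
    print("Brent violations over F2:", brent_violations(ALPHA, BETA, GAMMA, 2))
    A, B = random_matrix(4, 1), random_matrix(4, 2)
    C, mults = multiply_and_count(A, B)
    print("4x4 correct:", C == naive(A, B), "| scalar multiplications:", mults, "(naive: 64)")
```

Flipping any single coefficient in `GAMMA` makes `brent_violations` non-zero, which is exactly the kind of constraint system the slides hand to a SAT solver: a candidate algorithm with r products is a {0,1} assignment to the three tensors satisfying all 64 Brent equations over $\mathbb{F}_2$.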
Automated MC Reduction
Computing the MC of arbitrary digital circuits is more complex!
Encoding step (the tricky part)
[Important] A general method to show that no better can be done does not exist
- We present one which works, BUT only for sufficiently small dimensions (based on SAT solvers)
Automated MC Reduction
Input: Truth Table, MC
Output: A circuit representation of the desired MC [7,8]
STEPS: Encode the circuit as a straight-line program
1. Start with the input variables $x_1, x_2, \ldots, x_n$ of the circuit and let $S = \{x_1, x_2, \ldots, x_n\}$
2. Allow a new variable z to be the product of two elements of the form $a_1 x_1 + a_2 x_2 + \cdots + a_n x_n$ where $x_1, x_2, \ldots, x_n \in S$
3. Insert z in S and repeat, generating MC such variables
4. Write affine equations that make each output of the circuit an affine combination of elements of S
5. Substitute all input/output pairs from the truth table of the circuit to generate more equations
Automated MC Reduction
Optimality:
- SAT obtained for K = k
- Keep decreasing K until UNSAT
- MC: the minimum k for which the instance is SAT but UNSAT for all K < k
Constraints:
- Works sufficiently well for small problems
- SAT solver performance is unpredictable
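Added example (my own code, not the tool of [4,5,8]) of the encoding and optimality argument of the two previous slides: the circuit is the same straight-line program (a growing set S of truth tables, each new element the AND of two linear forms over S, the output an affine combination of S), but the SAT solver is replaced by exhaustive enumeration over pairs of linear forms, which is only feasible for n ≤ 4 and k ≤ 2. Trying k = 0, 1, 2, ... and stopping at the first k for which a program exists mirrors the SAT-then-UNSAT argument. Restricting AND-gate inputs to constant-free linear forms is a simplification I apply: since (a + 1)b = ab + b and b is affine in S, the extra terms are absorbed by the output combination. Names such as `find_program` and `multiplicative_complexity` are mine.

```python
from itertools import combinations

def truth_table(f, n):
    """Truth table packed into an int: bit x holds f(x_1..x_n) with x_i = bit i-1 of x."""
    tt = 0
    for x in range(1 << n):
        if f(*[(x >> i) & 1 for i in range(n)]) & 1:
            tt |= 1 << x
    return tt

def input_tables(n):
    """Truth tables of the input variables x_1..x_n: the initial set S."""
    return [truth_table(lambda *bits, i=i: bits[i], n) for i in range(n)]

def _reduce(v, basis):
    """Reduce v against an F2 basis stored as {leading_bit: vector}."""
    while v:
        lead = v.bit_length() - 1
        if lead not in basis:
            return v
        v ^= basis[lead]
    return 0

def in_affine_span(target, tables, n):
    """Is target an affine combination (XORs of tables plus an optional constant 1)?
    This is the 'output is an affine combination of S' step, decided by linear algebra."""
    all_ones = (1 << (1 << n)) - 1
    basis = {}
    for v in list(tables) + [all_ones]:
        r = _reduce(v, basis)
        if r:
            basis[r.bit_length() - 1] = r
    return _reduce(target, basis) == 0

def linear_forms(tables):
    """All non-zero F2-linear combinations of the tables: the candidate AND-gate inputs."""
    span = {0}
    for t in tables:
        span |= {s ^ t for s in span}
    return sorted(span - {0})

def find_program(target, S, k, n):
    """Search for a straight-line program with at most k AND gates computing target.
    Returns the list of (factor_a, factor_b) truth-table pairs, or None if none exists."""
    if in_affine_span(target, S, n):
        return []
    if k == 0:
        return None
    # a & a == a is linear, so unordered pairs of distinct forms suffice
    for a, b in combinations(linear_forms(S), 2):
        rest = find_program(target, S + [a & b], k - 1, n)
        if rest is not None:
            return [(a, b)] + rest
    return None

def multiplicative_complexity(f, n, max_k=2):
    """Exact MC by increasing k: the first k with a program is the minimum (a program with
    at most k-1 gates would have been found one round earlier, the 'UNSAT for K < k' half).
    Returns (k, program), or (None, None) if the MC exceeds max_k."""
    target, S = truth_table(f, n), input_tables(n)
    for k in range(max_k + 1):
        prog = find_program(target, S, k, n)
        if prog is not None:
            return k, prog
    return None, None

if __name__ == "__main__":
    maj3 = lambda x1, x2, x3: (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)
    and3 = lambda x1, x2, x3: x1 & x2 & x3
    sigma2_4 = lambda x1, x2, x3, x4: ((x1 & x2) ^ (x1 & x3) ^ (x1 & x4)
                                       ^ (x2 & x3) ^ (x2 & x4) ^ (x3 & x4))
    for name, f, n in [("MAJ3 = Sigma_2^3", maj3, 3), ("x1x2x3", and3, 3), ("Sigma_2^4", sigma2_4, 4)]:
        k, prog = multiplicative_complexity(f, n)
        print(name, "MC =", k, "using", len(prog), "AND gate(s)")
```

The enumeration grows as roughly $(2^{|S|})^2$ per gate, which is why the slides need a SAT solver beyond a handful of inputs; the Σ₂ⁿ results reproduce the table entry $\lfloor n/2 \rfloor$ for n = 3 and n = 4.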
Automated MC Reduction
Applied to the PRESENT S-box
- Naive implementation: 39 gates
- MC = 4 (proved)
- Further optimizations: best-known bitslice implementation with 14 gates
Automated MC Reduction
4-bit to 4-bit S-boxes: applied to the 8 principal GOST S-boxes
GOST is a block cipher with a 256-bit key that operates on 64-bit inputs (32 rounds)
The maximum MC is 5
Automated MC Reduction
Applied to the Majority Function [7,8]: 3 inputs, 5 inputs, 7 inputs
Automated MC Reduction
Time taken with MiniSat (Intel i7 1.73GHz / 4GB RAM):

| Number of Inputs | Time (s) |
|---|---|
| 3 | 5.0 |
| 5 | 8.1 |
| 7 | 16.0 |
Optimization of Circuits wrt other metrics
Three more complex metrics:
- Bitslice Gate Complexity: the minimum number of 2-input gates of type XOR, OR, AND, NOT needed to compute a given circuit (bitslice implementation of block ciphers on standard CPUs)
- Gate Complexity: the minimum number of 2-input gates of type XOR, AND, OR, NAND, NOR, NXOR needed to compute a given circuit (bitslice parallel-SIMD implementations of block ciphers)
Optimization of Circuits wrt other metrics
- NAND Complexity: the minimum number of 2-input NAND gates required to compute a circuit
The encoding part becomes trickier. Consider six sorts of variables for this problem [7,8]:
- x: inputs of the truth table
- y: outputs of the truth table
- q, q': inputs of internal gates
- t: outputs of gates
- b: variables which define the function of a gate (of the form $b_1 uv + b_2 (u + v) + b_3$)
- a: variables which will be the unknown connections between different gates
Optimization of Circuits wrt other metrics
Each element of the set S (as previously defined) can be a combination of other variables which corresponds to an allowed gate representation, encoded through the b coefficients
The variables a are used to ensure that the combination of two elements yields only one gate (avoiding extra XOR gates)
Optimization of Circuits wrt other metrics
Applied to the CTC S-box (3-bit to 3-bit):
- Bitslice Gate Complexity is 8
- Gate Complexity is 6
- NAND Complexity is 12
MC Reductions in Cryptanalysis (GOST)
- Official encryption standard of the Russian Federation
- Declassified in 1994
- Submitted to ISO 18033-3 to become an international encryption standard
- 32-round Feistel network
- 256-bit key and 64-bit blocks
- Very simple key schedule
- Round function:
  - Linear: XOR and rotation by 11 bits to the left
  - Non-linear: 8 4-bit to 4-bit S-boxes, addition modulo $2^{32}$
MC Reductions in Cryptanalysis
We applied an algebraic attack to an optimized version (wrt MC) of the GOST cipher using SAT solvers [4,5]:
1. Write all the equations in their ANF:
- For the S-boxes use the optimized versions (wrt MC)
- Do not further optimize with respect to XOR gates (more linearity)
- For modular addition use the following encoding, which is optimal and has MC = 31 [4,5,8]
MC Reductions in Cryptanalysis
2. For each input of each AND gate add one new variable. All the other gates give linear equations over $\mathbb{F}_2$
3. Convert to CNF using ready-made software
4. Solve using a SAT solver
Successful in all random cases we tried.
MC Reductions in Cryptanalysis
MC reductions might yield better results in algebraic attacks (heuristically demonstrated)
MC reduction as pre-processing in algebraic attacks
Algebraic attack on the SIMON cipher [eprint 2013/404] (MC = 32 per round), a cipher of very low MC [Courtois et al, SECRYPT 2013]:
- 10 of 44 rounds broken faster than brute force using SAT solvers (using truncated differentials of low Hamming distance)
- No key guessing is required
MC Reductions in Cryptanalysis
Elliptic curves over $GF(2^n)$
In characteristic 2 and for the most common NIST curves, the relation $P_1 + P_2 = P_3$ ($P_3$ fixed) corresponds to the Semaev $S_3$ equation as follows:
In a model where linearized polynomials (with powers of 2) are for free ($x_3$ fixed):
Lemma: this equation can be written with MC = 1 over $GF(2^n)$ by a suitable variable change
Consequence: all known very compact representations of this equation over GF(2) can be derived from this fact.
MC Reductions in Cryptanalysis
Open Problem: relation between MC and algebraic attacks
MC reduction might speed up algebraic attacks (?)
MC Reductions in Cryptanalysis
Multiplicative Reductions and One-Wayness
MC Reductions in Cryptanalysis
MC and One-Wayness [BP2013]
- If a function f has multiplicative complexity MC, then it can be inverted in at most $2^{MC}$ evaluations of f [3]
- If $MC(f) \le n$, then $NL(f) \le 2^{n-1} - 2^{n - MC - 1}$ [3]
- Theorem [Boyar and Peralta 2013]: collision resistance of a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ requires that $MC(f) \ge n - m$
MC Reductions in Cryptanalysis
If a function f has multiplicative complexity MC, then it can be inverted in at most $2^{MC}$ evaluations of f [3]
[Sketch of Proof]:
- Consider a circuit C for f with MC AND gates and suppose y has a non-empty pre-image under f
- Guessing the Boolean value of one input of each AND gate results in a linear system of equations L
- Solve L to obtain a candidate input x and test whether f(x) = y
- This finds a pre-image of y after at most $2^{MC}$ iterations
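Added illustration of the proof sketch above (my own code, not from [3] or the slides): a straight-line program is stored as AND gates whose two inputs are affine forms over the circuit inputs and earlier gate outputs; for each guess of the first input of every gate the whole circuit becomes affine in x, one linear system over $\mathbb{F}_2$ is solved, and the candidate is checked with a single evaluation of f. The two toy circuits, $MAJ(x_1,x_2,x_3) = (x_1 + x_2)(x_2 + x_3) + x_2$ with MC = 1 and $x_1 x_2 x_3$ with MC = 2, are constructed here, as are the names `invert` and `solve_f2`. The point for a designer is the one the slide makes: a function with few AND gates is inverted in $2^{MC}$ evaluations regardless of its input size, so MC is a lower bound on one-wayness.

```python
from itertools import product

def parity(v):
    return bin(v).count("1") & 1

# An affine form over F2 is (mask, const): XOR of the variables whose bit is set in mask,
# plus const.  Variable numbering: bit i-1 is x_i, bit n+j is the output of AND gate j.
def eval_affine(form, values):
    mask, const = form
    return parity(mask & values) ^ const

def evaluate(program, x):
    """Run the straight-line program (n, gates, output) on the input bits x."""
    n, gates, output = program
    values = x
    for j, (fa, fb) in enumerate(gates):
        values |= (eval_affine(fa, values) & eval_affine(fb, values)) << (n + j)
    return eval_affine(output, values)

def substitute(form, forms):
    """Rewrite an affine form over inputs and gate outputs as an affine form over inputs only,
    given the affine expression `forms[i]` currently known for every variable i."""
    mask, const = form
    out_mask, out_const = 0, const
    for i in range(mask.bit_length()):
        if mask >> i & 1:
            out_mask ^= forms[i][0]
            out_const ^= forms[i][1]
    return out_mask, out_const

def solve_f2(rows, n):
    """One solution x of the linear system {mask . x = rhs} over F2, or None if inconsistent."""
    basis = {}
    for mask, rhs in rows:
        v = (mask << 1) | rhs               # pack the right-hand side into bit 0
        while v >> 1:
            lead = (v >> 1).bit_length() - 1
            if lead in basis:
                v ^= basis[lead]
            else:
                basis[lead] = v
                break
        else:
            if v & 1:                       # the row reduced to 0 = 1
                return None
    x = 0
    for lead in sorted(basis):              # back-substitute from the lowest pivot up
        mask, rhs = basis[lead] >> 1, basis[lead] & 1
        x |= (rhs ^ parity(mask & ~(1 << lead) & x)) << lead
    return x

def invert(program, y):
    """Find x with f(x) = y in at most 2^MC evaluations of f (the Boyar-Peralta argument):
    guess the first input g of every AND gate; the gate output becomes g * (second input),
    which is affine, so the output constraint f(x) = y is one linear system per guess.
    Returns (x, number_of_evaluations), or (None, evaluations) if y has no pre-image."""
    n, gates, output = program
    evaluations = 0
    for guess in product((0, 1), repeat=len(gates)):
        forms = [(1 << i, 0) for i in range(n)]         # x_i as an affine form
        rows = []
        for g, (fa, fb) in zip(guess, gates):
            a_mask, a_const = substitute(fa, forms)
            rows.append((a_mask, a_const ^ g))          # constraint: first input == g
            forms.append(substitute(fb, forms) if g else (0, 0))
        out_mask, out_const = substitute(output, forms)
        rows.append((out_mask, out_const ^ y))          # constraint: f(x) == y
        x = solve_f2(rows, n)
        if x is None:
            continue                                    # this guess is contradictory
        evaluations += 1
        if evaluate(program, x) == y:
            return x, evaluations
    return None, evaluations

# Constructed toy circuits.  Variable bits: x1=1, x2=2, x3=4, z1=8, z2=16.
MAJ3 = (3, [((0b011, 0), (0b110, 0))], (0b1010, 0))           # (x1+x2)(x2+x3) + x2, MC = 1
AND3 = (3, [((0b001, 0), (0b010, 0)), ((0b1000, 0), (0b0100, 0))], (0b10000, 0))  # (x1 x2) x3, MC = 2

if __name__ == "__main__":
    for name, prog in (("MAJ3", MAJ3), ("x1x2x3", AND3)):
        for y in (0, 1):
            x, evals = invert(prog, y)
            print(f"{name}: y={y} -> x={x:03b} after {evals} evaluation(s), bound 2^MC = {2 ** len(prog[1])}")
```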
MC Reductions in Cryptanalysis
Theorem [Boyar and Peralta 2013]: collision resistance of a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ requires that $MC(f) \ge n - m$
[Sketch of Proof]: Let C be a circuit for f and wlog assume C has no negations (negations can be pushed to the outputs of the circuit without changing the number of AND gates)
- Search for two inputs that map to 0
- Since there are no negations, one such point is 0
MC Reductions in Cryptanalysis
We next show how to obtain a second pre-image of 0:
- Pick a topologically minimal AND gate and set one of its inputs to 0 (this generates one homogeneous linear equation on the inputs of f and allows us to remove the AND gate from C)
MC Reductions in Cryptanalysis
- Repeat until no AND gates are left in C -> a homogeneous system S with at most MC equations, plus a circuit C' which computes a homogeneous linear system with m equations
- The system has $2^{n - m - MC}$ distinct solutions
- If $m + MC < n$ then standard linear algebra yields non-zero solutions
- These are second pre-images of 0.
End of Presentation
THANKS!
References
[1] Boyar, J., Matthews, P., & Peralta, R. (2013). Logic minimization techniques with applications to cryptology. Journal of Cryptology, 26(2), 280-312.
[2] Boyar, J., & Peralta, R. (2010). A new combinational logic minimization technique with applications to cryptology. In Experimental Algorithms (pp. 178-189). Springer Berlin Heidelberg.
[3] Boyar, J., & Peralta, R. (2013). Four Measures of Nonlinearity. In Algorithms and Complexity (pp. 61-72). Springer Berlin Heidelberg.
[4] Courtois, N., Hulme, D., & Mourouzis, T. (2011). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. IACR Cryptology ePrint Archive, 2011, 475.
[5] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. SHARCS Workshop, 2012.
[6] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Multiplicative Complexity and Solving Generalized Brent Equations With SAT Solvers. In COMPUTATION TOOLS 2012, The Third International Conference on Computational Logics, Algebras, Programming, Tools, and Benchmarking (pp. 22-27).
[7] Courtois, N., Mourouzis, T., & Hulme, D. (2013). Exact Logic Minimization and Multiplicative Complexity of Concrete Algebraic and Cryptographic Circuits. International Journal On Advances in Intelligent Systems, 6(3 and 4), 165-176.
[8] Mourouzis, T. (2015). Optimizations in Algebraic and Differential Cryptanalysis (Doctoral dissertation, UCL (University College London)).
[9] Courtois, N. Extended Slides on the topic of Multiplicative Complexity. http://www.nicolascourtois.com/papers/multcomp.pdf