Some attacks against block ciphers

Similar documents
Introduction to symmetric cryptography

Analysis of cryptographic hash functions

Division Property: a New Attack Against Block Ciphers

Structural Evaluation by Generalized Integral Property

Algebraic properties of SHA-3 and notable cryptanalysis results

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Another view of the division property

Higher-order differential properties of Keccak and Luffa

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Extended Criterion for Absence of Fixed Points

Higher-order differential properties of Keccak and Luffa

Higher-order differential properties of Keccak and Luffa

FFT-Based Key Recovery for the Integral Attack

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Towards Provable Security of Substitution-Permutation Encryption Networks

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Complementing Feistel Ciphers

Lecture 12: Block ciphers

Some integral properties of Rijndael, Grøstl-512 and LANE-256

Block Cipher Cryptanalysis: An Overview

Differential Attack on Five Rounds of the SC2000 Block Cipher

Revisit and Cryptanalysis of a CAST Cipher

Algebraic Techniques in Differential Cryptanalysis

Subspace Trail Cryptanalysis and its Applications to AES

Akelarre. Akelarre 1

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Block Ciphers and Feistel cipher

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Differential Fault Analysis on DES Middle Rounds

Lecture Notes on Cryptographic Boolean Functions

Public-key Cryptography: Theory and Practice

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

Data Complexity and Success Probability for Various Cryptanalyses

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Key Difference Invariant Bias in Block Ciphers

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Structural Cryptanalysis of SASAS

Cryptanalysis of SP Networks with Partial Non-Linear Layers

A Five-Round Algebraic Property of the Advanced Encryption Standard

Chapter 2 - Differential cryptanalysis.

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Type 1.x Generalized Feistel Structures

Nonlinear Invariant Attack

Security of the AES with a Secret S-box

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Cube Attacks on Stream Ciphers Based on Division Property

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

S-box (Substitution box) is a basic component of symmetric

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Optimized Interpolation Attacks on LowMC

Linear Cryptanalysis of Reduced-Round PRESENT

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Zero-Sum Partitions of PHOTON Permutations

Subspace Trail Cryptanalysis and its Applications to AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

A Stochastic Model for Differential Side Channel Cryptanalysis

The Hash Function JH 1

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

A Weak Cipher that Generates the Symmetric Group

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Differential-Linear Cryptanalysis of Serpent

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Integral and Multidimensional Linear Distinguishers with Correlation Zero

Data complexity and success probability of statisticals cryptanalysis

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

and Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27

MasterMath Cryptology /2 - Cryptanalysis

Similarities between encryption and decryption: how far can we go?

How Fast can be Algebraic Attacks on Block Ciphers?

Improbable Differential Cryptanalysis and Undisturbed Bits

DD2448 Foundations of Cryptography Lecture 3

Structural Cryptanalysis of SASAS

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Table Of Contents. ! 1. Introduction to AES

Linear Cryptanalysis of Reduced-Round Speck

Bit-Pattern Based Integral Attack

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Chapter 1 - Linear cryptanalysis.

Impossible Differential Cryptanalysis of Mini-AES

Symmetric Crypto Systems

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

Transcription:

Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59

Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 2 / 59

Last-round attacks Statistical attacks Statistical attacks exploit relations that hold with a certain probability only. Rely on the existence of a distinguisher. distinguisher D for a block cipher (E k ) k is an algorithm taking N pairs (x i,y i ), 1 i N and returning 0 or 1. Goal: Decide if the N pairs are input-output pairs of the target block cipher or not: 1: If the (x i,y i ) are input-output pairs of E k for some key k. 0: If the (x i,y i ) are input-output pairs of a random permutation. 3 / 59

Last-round attacks dvantage of the distinguisher Let p be the probability that the algorithm returns 1 (the N pairs come from the target block cipher). Let p be the probability that the algorithm returns 0 (the N pairs come from a random permutation). The capacity to distinguish the target block cipher from a random permutation is measured as p p and is called advantage. 4 / 59

Last-round attacks onsequences of a distinguisher The existence of a distinguisher with a non-negligeable advantage is an undesirable property for a block cipher. However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered. But: For iterated ciphers a distinguisher for the reduced cipher E k = F kr F kr 1 F k1 can be a serious thread. G k = F kr 1 F k1 5 / 59

Last-round attacks ttack on the last round (I) If an attacker finds a distinguisher D for the reduced-round cipher G k, then he can run a last-round attack. Goal: Recover the last-round subkey k r. 6 / 59

Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F F z G k (x) ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). 7 / 59

Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). For all possible values k compute y i = F 1 k (z i ) 7 / 59

Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k 8 / 59

Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) 8 / 59

Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) 8 / 59

Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k r x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) : P(k ) = F 1 k E k = F 1 k F kr F kr 1 F kr 2 F k1 = F 1 k r F kr F kr 1 F kr 2 F k1 = F kr 1 F kr 2 F k1 = G k P(k ) belongs to the family of reduced-ciphers. 8 / 59

Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is a wrong subkey, P(k ) is assumed to have the same behaviour as a randomly chosen permutation. This assumption is known as the wrong-key randomization hypothesis. 8 / 59

Last-round attacks lgorithm Data: N plaintext-ciphertext couples (x i,z i ), for 1 i N Result: set of candidate keys for the last-round subkey k r for all possible values k of k r do counter 0 ; for i = 0...N do compute y i = F 1 k (z i ); counter counter + D(x i,y i ); end if counter τ then return k ; end end The value τ is a threshold value fixed by the attacker. 9 / 59

Last-round attacks Remarks s we exhaust all values of the last round subkey, this attack only works in this basic form if the subkeys have a small size (eg. not for ES-128) In practice, we only try to recover a small part of the last round key (some bits). For the other bits of the subkey, we repeat the attack by modifying the parameters of the attack. Once the last subkey recovered, how do we proceed next? For some ciphers, once a subkey completely recovered, one can compute back through the key schedule to retrieve the master key. If the different subkeys are not related, one can Exhaustively search the remaining key bits Repeat the same attack on the ciphers obtained by successively removing the last round ombine both approaches 10 / 59

Higher-order differential attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 11 / 59

Higher-order differential attacks Higher-order derivatives Let F : F n 2 Fn 2. Derivative of F at a point a F n 2 : D a F(x) := F(x a) F(x), for every x F n 2 Xuejia Lai extended this notion in 1994. Definition[k-th order derivative of F] For any k-dimensional subspace V of F n 2, the k-th order derivative of F with respect to V is the function defined by D V F(x) = D a1 D a2...d ak F(x) = F(x+v), v V for every x F n 2, where (a 1,...,a k ) is a basis of V. 12 / 59

Higher-order differential attacks Example Let F : F n 2 Fn 2 and V = a 1,a 2 F n 2 of dimension 2. The 2 nd -order derivative of F with respect to V is D V F(x) = D a1 D a2 F(x) = D a1 (F(x)+F(x+a 2 )) = F(x)+F(x+a 1 )+F(x+a 2 )+F(x+a 1 +a 2 ). 13 / 59

Higher-order differential attacks Degree of a derivative Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Then, D a F d 1. Examples: F(x 1,...,x n ) = x 1. Then, D a F(x) = D a (x 1 ) = (x 1 a 1 ) x 1 = a 1 deg(d a F) = 0 F(x 1,...,x n ) = x 1 x 2. Then, D a F(x) = D a (x 1 x 2 ) = (x 1 a 1 )(x 2 a 2 ) x 1 x 2 = x 1 x 2 a 1 x 2 a 2 x 1 a 1 a 2 x 1 x 2 = a 1 x 2 a 2 x 1 a 1 a 2 deg(d a F) = 1 14 / 59

Higher-order differential attacks Important property Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Example: F(x 1,...,x n ) = x 1 x 2 x d. Then, D a (x 1 x 2 x d ) = (x 1 a 1 )(x 2 a 2 )...(x d a d ) x 1 x 2 x d = x 1 x d terms of deg d 1 x 1 x d deg(d a F) d 1 Proposition[Lai 94] For every subspace V with dim V > deg F, D V F(x) = v V F(x+v) = 0, for every x F n 2. 15 / 59

Higher-order differential attacks ttack on the last round ttack based on a low degree. F k 0 S k 1 S k r 1 S k r m S L S L S L c S S S z = F 1 k (c) deg < d 16 / 59

Higher-order differential attacks Use higher-order derivatives [Knudsen 94] For all values of k check whether m z = F 1 k (c) has degree < d. How? k r 1 S S L k r c heck whether all derivatives of order d are zero. S z = F 1 k (c) 17 / 59

Higher-order differential attacks The attack Let V be a vector space of dimension d. Input: hoose 2 d plaintexts of the form m v, v V (coset of V ) and get the corresponding ciphertexts. Example d = 3,m = 0, V = v 1,v 2,v 3. hosen plaintexts: 0,v 1,v 2,v 3,v 1 v 2,v 1 v 3,v 2 v 3,v 1 v 2 v 3. If for a key k, 2 d 1 i=0 we conclude that k is a wrong key. F 1 k (c i) 0, 18 / 59

Higher-order differential attacks Number of candidate keys What is the probability that for a wrong key, i F 1 k (c i) = 0? (false alarm probability) 2 d 1 P F 1 k (c i) = 0 = 2 n, where n is the block size. i=0 s there are 2 κ key candidates (κ is the size of a subkey), around 2 κ n among them will be proposed as candidates for the right key. 19 / 59

Higher-order differential attacks Find the right candidate How to find the right key among the left candidates? Do an exhaustive search among the remaining candidates or Repeat the attack by choosing a different vector space of dimension d. Data complexity: 2 d chosen plaintexts. Time complexity: 2 d 2 κ. Remark In practice, we recover smaller fragments of the key. 20 / 59

Higher-order differential attacks The KN cipher [Knudsen-Nyberg 95] 6-round Feistel cipher x i 1 y i 1 ki E : F 32 2 F33 2 linear T : F 33 2 F32 2 linear k i : 33-bit subkey T S E S : F 2 33 F 2 33 with x x 3 x i y i F 32 2 F32 2 F 32 2 F32 2 (x,y) (y,x T S(E(x) k i )) 21 / 59

Higher-order differential attacks The role of the function S Name initially given to the cipher: RDI (ipher Resistant gainst Differential ryptanalysis). The function S plays a crucial role. The function x x 3 on the field F 33 2 was chosen. This function is known to be resistant against linear and differential attacks. But, this function is of degree 2. 22 / 59

Higher-order differential attacks Higher-order differential attack against KN Presented by Jacobsen and Knudsen in 1997. Exploit the low algebraic degree of the round function. Input: Plaintexts of the form (x 0,y 0 ) F 32 2 F32 2, where y 0 = c, for some constant c. 23 / 59

Higher-order differential attacks 4 rounds of encryption x 0 = x y 0 = c F k1 y 0 (x) = c y 1 (x) = x F k1 (c) := x c y 2 (x) = F k2 (x c ) c y 3 (x) = F k3 (F k2 (x c ) c) x c y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) + F k2 (x c ) c F k2 F k3 F k4 F k5 d = 1 d = 2 d = 4 y 4 d = 8 F k6 x 6 y 6 24 / 59

Higher-order differential attacks Evaluate the degree of y 4 y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) F k2 (x c ) c Obviously, the degree of y 4 is bounded by the degree of G = F k4 F k3 F k2 s deg(f ki ) = deg(s) = 2, we get that deg(y 4 ) deg(g) deg(f k4 ) deg(f k3 ) deg(f k2 ) 2 3 25 / 59

Higher-order differential attacks Write down the equations If V is a subspace of F 32 2 we have: with dim(v) = 9, D V y 4 (x) = v V y 4 (v x) = 0, for all x F 32 2. We get now the following equation: y 4 F k5 d = 8 F k6 y 5 x 6 (x) = F k6 (y 5 (x)) y 4 (x), y 4 (x) = F k6 (y 5 (x)) x 6 (x) x 6 y 6 26 / 59

Higher-order differential attacks ttack equation F k6 (y 5 (v w)) x 6 (v w) = 0. v V v V Recover the key k 6. There will be in average 2 33 32 = 2 candidate keys for k 6. Recover the remaining subkeys by mounting the same attack on the reduced-round cipher. 27 / 59

Integral attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 28 / 59

Integral attacks Integral attacks - History ttack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher. In 1997, the SQURE cipher was presented by Daemen, Knudsen and Rijmen. During the design, the authors discover a new chosen-plaintext attack against 6 rounds of the cipher. This new attack was named the square attack. In the beginning the attack was applied against SPN ciphers. Later, Lucks generalizes the attack to other type of ciphers and call it the saturation attack. In 2002, Knudsen and Wagner unify the different aspects of these attacks and give them the name integral attacks. 29 / 59

Integral attacks Multisets Multiset: Every element in the set can appear multiple times. n element of a multiset is a pair (value, multiplicity). Example. V = {1,2,2,2,3,3,4}, or V = {(1,1),(2,3),(3,2),(4,1)} The attacker studies the propagation of the multiset through the cipher. 30 / 59

Integral attacks Integral over a multiset pplication to word-oriented ciphers. Notation: w number of words in a plaintext. (e.g. ES: 16 words of 8-bits each). hoose plaintexts in a way that the multiset in each word verifies a specific property. Definition. We call integral over a multiset S the sum v v S 31 / 59

Integral attacks Properties n attacker tries to predict the values in the integrals after a certain number of rounds. Distinguish between 3 cases. (For the examples, the word-size is 3 bits.) 1 : ll w words in the multiset have the same constant value. The multiset S = {3,3,3,3,3,3,3,3} has the property. 2 : The w words in the multiset take all possible values. The multiset S = {0,1,2,3,4,5,6,7} has the property. 3 B: The integral over S is 0. 32 / 59

Integral attacks Example: ES 16 words of 8 bits. 2 8 chosen plaintexts m i of the form (m i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where m i = i, for i = 0,...,255 and c some constant. nalyze how this multiset propagates through the different operations of ES. 33 / 59

Integral attacks Through ddroundkey The same constant value is XORed to each byte. Example. (0x06,..., 0x06) (0x06 0x01,..., 0x06 0x01) = (0x07,..., 0x07) Property. If we XOR the same constant value to each different value of a set having we get again all possible values in the set. Example. S = {0x0,0x1,0x2,0x3}, k = 0x2, S k = {0x2,0x3,0x0,0x1} ddroundkey 34 / 59

Integral attacks Through SubBytes The Sbox S is a permutation. If all values of a multiset have the same constant value c, all values will have the same constant value c = S(x) after SubBytes. If the values of a multiset take all possible values, the Sbox will only permute these values. SubBytes 35 / 59

Integral attacks Through ShiftRows ShiftRows only permutes the bytes of the state. ShiftRows 36 / 59

Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i 255 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 = 02 x 0 0 +03 x 0 1 +01 x 0 2 +01 x 0 3 y 1 0 = 02 x 1 0 +03 x1 1 +01 x1 2 +01 x1 3.... y0 255 = 02 x 255 0 +03 x 255 1 +01 x 255 2 +01 x 255 3 37 / 59

Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i 255 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 = 02 x 0 0 +03 x 0 1 +01 x 0 2 +01 x 0 3 y 1 0 = 02 x 1 0 +03 x1 1 +01 x1 2 +01 x1 3.... y0 255 = 02 x 255 0 +03 x 255 1 +01 x 255 2 +01 x 255 3 37 / 59

Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i 255 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 = 02 x 0 0 +c y 1 0 = 02 x 1 0 +c.... y 255 0 = 02 x 255 0 +c 37 / 59

Integral attacks Through Mixolumns (II) Mixolumns 38 / 59

Integral attacks fter 3 rounds Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns???????????????? 39 / 59

Integral attacks fter Mixolumns 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 y255 0 = 02 x 0 0 03 x0 1 01 x0 2 01 x0 3 02 x 1 0 03 x1 1 01 x1 2 01 x1 3. 02 x 255 0 03 x 255 1 01 x 255 2 01 x 255 3 255 255 255 = 02 x i 0 03 x i 1 01 x i 2 01 i=0 i=0 i=0 = 02 00 03 00 01 00 01 00 = 00. 255 x i 3 i=0 40 / 59

Integral attacks fter 3 rounds of ES Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns B B B B B B B B B B B B B B B B 41 / 59

Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent of the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59

Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent on the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59

Integral attacks ttack over ES reduced to 4 rounds Goal: Recover the subkey k 4 of the 4 th round of ES. Remark No Mixolumns in the last round. Input: 256 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant and the corresponding ciphertexts c i, i = 0,...,255. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 43 / 59

Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 44 / 59

Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) 44 / 59

Integral attacks Divide and conquer k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) But, if k 13 4 is the right value 255 255 v i = S 1 (c i k4 13 ) = 0 i=0 i=0 44 / 59

Integral attacks omplexity Data complexity: 2 8 chosen plaintext-ciphertext pairs (a little bit more to get rid off false alarms) Time complexity: 16 2 8 2 8 = 2 20 XOR s. ssume that a full encryption is composed of 2 6 similar simple operations. So, time complexity 2 14 encryptions. 45 / 59

Integral attacks Link with higher-order differential cryptanalysis differential of order d is the sum of 2 d vecteurs of a well-chosen vector space, so it can be seen as an integral. Recently, Yosuke Todo extended integral attacks to take in a clearer way the algebraic degree into account. This extension is called the division property. 46 / 59

Bounds on the degree of iterated constructions Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 47 / 59

Bounds on the degree of iterated constructions Iterated permutations Most of the symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times. Important to estimate the algebraic degree of such iterated permutations. Functions with a low degree are vulnerable to: lgebraic attacks Higher-order differential attacks and distinguishers 48 / 59

Bounds on the degree of iterated constructions trivial bound Proposition: Let F be a function from F n 2 into Fn 2 F n 2 into Fm 2. Then and G a function from deg(g F) deg(g)deg(f). Example: Round function R of ES is of degree 7. Then deg(r 2 ) = deg(r R) 7 2 = 49. 49 / 59

Bounds on the degree of iterated constructions Substitution Permutation Networks S S S S S S Linear Layer S S S S S S Linear Layer S S S S S S Linear Layer How to estimate the evolution of the degree of such constructions? 50 / 59

Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in X = {x 0,...,x 15 }. 51 / 59

Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in Y = {y 0,...,y 15 }. The coordinates y 0 y 3 are outputs of the same Sbox (equally for the others). What is the consequence on the degree of the product? 51 / 59

Bounds on the degree of iterated constructions The notion of δ k Definition : For a permutation S define δ k (S) as the maximum degree of the product of k coordinates of S. δ 1 (S) := algebraic degree of S Example: degs = 3 S k δ k 1 3 2 3 3 3 4 4 S permutation of F n 2 : δ k (S) = n iff k = n. 52 / 59

Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 1 y 3 y 8 y 9 y 10. deg(π) δ 3 (S 1 )+δ 3 (S 3 ) = 6. 53 / 59

Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 5 y 8 y 10 y 13 y 15. deg(π) δ 1 (S 1 )+δ 1 (S 2 )+δ 2 (S 3 )+δ 2 (S 4 ) = 12. The degree of the product is relatively low if many coordinates coming from the same Sbox are involved! 53 / 59

Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. 54 / 59

Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 1, x 3 = 3: deg(π) δ 3 x 3 +δ 4 x 4 = 3 3+4 1 = 13. 54 / 59

Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 2, x 3 = 1, x 2 = 1: deg(π) δ 2 x 2 +δ 3 x 3 +δ 4 x 4 = 3 1+3 1+4 2 = 14. 54 / 59

Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 3, x 1 = 1: deg(π) δ 1 x 1 +δ 4 x 4 = 3 1+4 3 = 15. 54 / 59

Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. deg(π) with x 1 +2x 2 +3x 3 +4x 4 = d. max (δ 1x 1 +δ 2 x 2 +δ 3 x 3 +δ 4 x 4 ) (x 1,x 2,x 3,x 4 ) 54 / 59

Bounds on the degree of iterated constructions d x 4 x 3 x 2 x 1 deg(π) 16 4 - - - 16 15 3 1 - - 15 14 3-1 - 15 13 3 - - 1 15 12 2 1-1 14 11 2-1 1 14 10 2 - - 2 14 9 1 1-2 13...... 16 deg(π) 16 d 3 55 / 59

Bounds on the degree of iterated constructions d x 4 x 3 x 2 x 1 deg(π) 16 4 - - - 16 15 3 1 - - 15 14 3-1 - 15 13 3 - - 1 15 12 2 1-1 14 11 2-1 1 14 10 2 - - 2 14 9 1 1-2 13...... deg(π) 16 16 d 3 55 / 59

Bounds on the degree of iterated constructions bound on the degree of SPN constructions [Boura anteaut De annière - 11] Theorem. Let F be a function from F n 2 into Fn 2 corresponding to the parallel application of an Sbox, S, defined over F n 0 2. Then, for any G from F n 2 into Fl 2, we have deg(g F) n n degg, γ(s) where n 0 i γ(s) = max. 1 i n 0 1 n 0 δ i 56 / 59

Bounds on the degree of iterated constructions pplication to ES One round: M SR SB K. K: ddroundkey SB: SubBytes (Sboxes of degree 7) SR: ShiftRows M: Mixolumns 57 / 59

Bounds on the degree of iterated constructions The Super Sbox technique Two rounds: R 2 = M SR SB K M SR SB K. Equivalently: R 2 = M SR SB K M SB SR K. Denote: SuperSbox = SB K M SB. Then: R 2 = M SR SuperSbox SR K. 58 / 59

Bounds on the degree of iterated constructions Bound on up to 4 rounds SuperSbox: F 32 2 F32 2 : Two non-linear layers composed of Sboxes of degree 7, separated by a linear layer. deg(supersbox) 32 32 7 7 28. (Trivial Bound: deg(r 2 ) 7 2 = 49!!!) Bound for r rounds: deg(r r ) = deg(r r 1 R) 128 128 deg(rr 1 ). 7 r = 3: deg(r 3 ) 113 r = 4: deg(r 4 ) 125 59 / 59

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback