Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59
Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 2 / 59
Last-round attacks Statistical attacks Statistical attacks exploit relations that hold with a certain probability only. Rely on the existence of a distinguisher. distinguisher D for a block cipher (E k ) k is an algorithm taking N pairs (x i,y i ), 1 i N and returning 0 or 1. Goal: Decide if the N pairs are input-output pairs of the target block cipher or not: 1: If the (x i,y i ) are input-output pairs of E k for some key k. 0: If the (x i,y i ) are input-output pairs of a random permutation. 3 / 59
Last-round attacks dvantage of the distinguisher Let p be the probability that the algorithm returns 1 (the N pairs come from the target block cipher). Let p be the probability that the algorithm returns 0 (the N pairs come from a random permutation). The capacity to distinguish the target block cipher from a random permutation is measured as p p and is called advantage. 4 / 59
Last-round attacks onsequences of a distinguisher The existence of a distinguisher with a non-negligeable advantage is an undesirable property for a block cipher. However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered. But: For iterated ciphers a distinguisher for the reduced cipher E k = F kr F kr 1 F k1 can be a serious thread. G k = F kr 1 F k1 5 / 59
Last-round attacks ttack on the last round (I) If an attacker finds a distinguisher D for the reduced-round cipher G k, then he can run a last-round attack. Goal: Recover the last-round subkey k r. 6 / 59
Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F F z G k (x) ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). 7 / 59
Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). For all possible values k compute y i = F 1 k (z i ) 7 / 59
Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k 8 / 59
Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) 8 / 59
Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) 8 / 59
Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k r x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) : P(k ) = F 1 k E k = F 1 k F kr F kr 1 F kr 2 F k1 = F 1 k r F kr F kr 1 F kr 2 F k1 = F kr 1 F kr 2 F k1 = G k P(k ) belongs to the family of reduced-ciphers. 8 / 59
Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is a wrong subkey, P(k ) is assumed to have the same behaviour as a randomly chosen permutation. This assumption is known as the wrong-key randomization hypothesis. 8 / 59
Last-round attacks lgorithm Data: N plaintext-ciphertext couples (x i,z i ), for 1 i N Result: set of candidate keys for the last-round subkey k r for all possible values k of k r do counter 0 ; for i = 0...N do compute y i = F 1 k (z i ); counter counter + D(x i,y i ); end if counter τ then return k ; end end The value τ is a threshold value fixed by the attacker. 9 / 59
Last-round attacks Remarks s we exhaust all values of the last round subkey, this attack only works in this basic form if the subkeys have a small size (eg. not for ES-128) In practice, we only try to recover a small part of the last round key (some bits). For the other bits of the subkey, we repeat the attack by modifying the parameters of the attack. Once the last subkey recovered, how do we proceed next? For some ciphers, once a subkey completely recovered, one can compute back through the key schedule to retrieve the master key. If the different subkeys are not related, one can Exhaustively search the remaining key bits Repeat the same attack on the ciphers obtained by successively removing the last round ombine both approaches 10 / 59
Higher-order differential attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 11 / 59
Higher-order differential attacks Higher-order derivatives Let F : F n 2 Fn 2. Derivative of F at a point a F n 2 : D a F(x) := F(x a) F(x), for every x F n 2 Xuejia Lai extended this notion in 1994. Definition[k-th order derivative of F] For any k-dimensional subspace V of F n 2, the k-th order derivative of F with respect to V is the function defined by D V F(x) = D a1 D a2...d ak F(x) = F(x+v), v V for every x F n 2, where (a 1,...,a k ) is a basis of V. 12 / 59
Higher-order differential attacks Example Let F : F n 2 Fn 2 and V = a 1,a 2 F n 2 of dimension 2. The 2 nd -order derivative of F with respect to V is D V F(x) = D a1 D a2 F(x) = D a1 (F(x)+F(x+a 2 )) = F(x)+F(x+a 1 )+F(x+a 2 )+F(x+a 1 +a 2 ). 13 / 59
Higher-order differential attacks Degree of a derivative Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Then, D a F d 1. Examples: F(x 1,...,x n ) = x 1. Then, D a F(x) = D a (x 1 ) = (x 1 a 1 ) x 1 = a 1 deg(d a F) = 0 F(x 1,...,x n ) = x 1 x 2. Then, D a F(x) = D a (x 1 x 2 ) = (x 1 a 1 )(x 2 a 2 ) x 1 x 2 = x 1 x 2 a 1 x 2 a 2 x 1 a 1 a 2 x 1 x 2 = a 1 x 2 a 2 x 1 a 1 a 2 deg(d a F) = 1 14 / 59
Higher-order differential attacks Important property Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Example: F(x 1,...,x n ) = x 1 x 2 x d. Then, D a (x 1 x 2 x d ) = (x 1 a 1 )(x 2 a 2 )...(x d a d ) x 1 x 2 x d = x 1 x d terms of deg d 1 x 1 x d deg(d a F) d 1 Proposition[Lai 94] For every subspace V with dim V > deg F, D V F(x) = v V F(x+v) = 0, for every x F n 2. 15 / 59
Higher-order differential attacks ttack on the last round ttack based on a low degree. F k 0 S k 1 S k r 1 S k r m S L S L S L c S S S z = F 1 k (c) deg < d 16 / 59
Higher-order differential attacks Use higher-order derivatives [Knudsen 94] For all values of k check whether m z = F 1 k (c) has degree < d. How? k r 1 S S L k r c heck whether all derivatives of order d are zero. S z = F 1 k (c) 17 / 59
Higher-order differential attacks The attack Let V be a vector space of dimension d. Input: hoose 2 d plaintexts of the form m v, v V (coset of V ) and get the corresponding ciphertexts. Example d = 3,m = 0, V = v 1,v 2,v 3. hosen plaintexts: 0,v 1,v 2,v 3,v 1 v 2,v 1 v 3,v 2 v 3,v 1 v 2 v 3. If for a key k, 2 d 1 i=0 we conclude that k is a wrong key. F 1 k (c i) 0, 18 / 59
Higher-order differential attacks Number of candidate keys What is the probability that for a wrong key, i F 1 k (c i) = 0? (false alarm probability) 2 d 1 P F 1 k (c i) = 0 = 2 n, where n is the block size. i=0 s there are 2 κ key candidates (κ is the size of a subkey), around 2 κ n among them will be proposed as candidates for the right key. 19 / 59
Higher-order differential attacks Find the right candidate How to find the right key among the left candidates? Do an exhaustive search among the remaining candidates or Repeat the attack by choosing a different vector space of dimension d. Data complexity: 2 d chosen plaintexts. Time complexity: 2 d 2 κ. Remark In practice, we recover smaller fragments of the key. 20 / 59
Higher-order differential attacks The KN cipher [Knudsen-Nyberg 95] 6-round Feistel cipher x i 1 y i 1 ki E : F 32 2 F33 2 linear T : F 33 2 F32 2 linear k i : 33-bit subkey T S E S : F 2 33 F 2 33 with x x 3 x i y i F 32 2 F32 2 F 32 2 F32 2 (x,y) (y,x T S(E(x) k i )) 21 / 59
Higher-order differential attacks The role of the function S Name initially given to the cipher: RDI (ipher Resistant gainst Differential ryptanalysis). The function S plays a crucial role. The function x x 3 on the field F 33 2 was chosen. This function is known to be resistant against linear and differential attacks. But, this function is of degree 2. 22 / 59
Higher-order differential attacks Higher-order differential attack against KN Presented by Jacobsen and Knudsen in 1997. Exploit the low algebraic degree of the round function. Input: Plaintexts of the form (x 0,y 0 ) F 32 2 F32 2, where y 0 = c, for some constant c. 23 / 59
Higher-order differential attacks 4 rounds of encryption x 0 = x y 0 = c F k1 y 0 (x) = c y 1 (x) = x F k1 (c) := x c y 2 (x) = F k2 (x c ) c y 3 (x) = F k3 (F k2 (x c ) c) x c y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) + F k2 (x c ) c F k2 F k3 F k4 F k5 d = 1 d = 2 d = 4 y 4 d = 8 F k6 x 6 y 6 24 / 59
Higher-order differential attacks Evaluate the degree of y 4 y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) F k2 (x c ) c Obviously, the degree of y 4 is bounded by the degree of G = F k4 F k3 F k2 s deg(f ki ) = deg(s) = 2, we get that deg(y 4 ) deg(g) deg(f k4 ) deg(f k3 ) deg(f k2 ) 2 3 25 / 59
Higher-order differential attacks Write down the equations If V is a subspace of F 32 2 we have: with dim(v) = 9, D V y 4 (x) = v V y 4 (v x) = 0, for all x F 32 2. We get now the following equation: y 4 F k5 d = 8 F k6 y 5 x 6 (x) = F k6 (y 5 (x)) y 4 (x), y 4 (x) = F k6 (y 5 (x)) x 6 (x) x 6 y 6 26 / 59
Higher-order differential attacks ttack equation F k6 (y 5 (v w)) x 6 (v w) = 0. v V v V Recover the key k 6. There will be in average 2 33 32 = 2 candidate keys for k 6. Recover the remaining subkeys by mounting the same attack on the reduced-round cipher. 27 / 59
Integral attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 28 / 59
Integral attacks Integral attacks - History ttack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher. In 1997, the SQURE cipher was presented by Daemen, Knudsen and Rijmen. During the design, the authors discover a new chosen-plaintext attack against 6 rounds of the cipher. This new attack was named the square attack. In the beginning the attack was applied against SPN ciphers. Later, Lucks generalizes the attack to other type of ciphers and call it the saturation attack. In 2002, Knudsen and Wagner unify the different aspects of these attacks and give them the name integral attacks. 29 / 59
Integral attacks Multisets Multiset: Every element in the set can appear multiple times. n element of a multiset is a pair (value, multiplicity). Example. V = {1,2,2,2,3,3,4}, or V = {(1,1),(2,3),(3,2),(4,1)} The attacker studies the propagation of the multiset through the cipher. 30 / 59
Integral attacks Integral over a multiset pplication to word-oriented ciphers. Notation: w number of words in a plaintext. (e.g. ES: 16 words of 8-bits each). hoose plaintexts in a way that the multiset in each word verifies a specific property. Definition. We call integral over a multiset S the sum v v S 31 / 59
Integral attacks Properties n attacker tries to predict the values in the integrals after a certain number of rounds. Distinguish between 3 cases. (For the examples, the word-size is 3 bits.) 1 : ll w words in the multiset have the same constant value. The multiset S = {3,3,3,3,3,3,3,3} has the property. 2 : The w words in the multiset take all possible values. The multiset S = {0,1,2,3,4,5,6,7} has the property. 3 B: The integral over S is 0. 32 / 59
Integral attacks Example: ES 16 words of 8 bits. 2 8 chosen plaintexts m i of the form (m i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where m i = i, for i = 0,...,255 and c some constant. nalyze how this multiset propagates through the different operations of ES. 33 / 59
Integral attacks Through ddroundkey The same constant value is XORed to each byte. Example. (0x06,..., 0x06) (0x06 0x01,..., 0x06 0x01) = (0x07,..., 0x07) Property. If we XOR the same constant value to each different value of a set having we get again all possible values in the set. Example. S = {0x0,0x1,0x2,0x3}, k = 0x2, S k = {0x2,0x3,0x0,0x1} ddroundkey 34 / 59
Integral attacks Through SubBytes The Sbox S is a permutation. If all values of a multiset have the same constant value c, all values will have the same constant value c = S(x) after SubBytes. If the values of a multiset take all possible values, the Sbox will only permute these values. SubBytes 35 / 59
Integral attacks Through ShiftRows ShiftRows only permutes the bytes of the state. ShiftRows 36 / 59
Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i 255 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 = 02 x 0 0 +03 x 0 1 +01 x 0 2 +01 x 0 3 y 1 0 = 02 x 1 0 +03 x1 1 +01 x1 2 +01 x1 3.... y0 255 = 02 x 255 0 +03 x 255 1 +01 x 255 2 +01 x 255 3 37 / 59
Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i 255 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 = 02 x 0 0 +03 x 0 1 +01 x 0 2 +01 x 0 3 y 1 0 = 02 x 1 0 +03 x1 1 +01 x1 2 +01 x1 3.... y0 255 = 02 x 255 0 +03 x 255 1 +01 x 255 2 +01 x 255 3 37 / 59
Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i 255 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 = 02 x 0 0 +c y 1 0 = 02 x 1 0 +c.... y 255 0 = 02 x 255 0 +c 37 / 59
Integral attacks Through Mixolumns (II) Mixolumns 38 / 59
Integral attacks fter 3 rounds Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns???????????????? 39 / 59
Integral attacks fter Mixolumns 02 03 01 01 x i 0 y i 01 02 03 01 x i 0 1 01 01 02 03 x i = y i 1 2 y i 03 01 01 02 x i 2 3 y3 i y 0 0 y255 0 = 02 x 0 0 03 x0 1 01 x0 2 01 x0 3 02 x 1 0 03 x1 1 01 x1 2 01 x1 3. 02 x 255 0 03 x 255 1 01 x 255 2 01 x 255 3 255 255 255 = 02 x i 0 03 x i 1 01 x i 2 01 i=0 i=0 i=0 = 02 00 03 00 01 00 01 00 = 00. 255 x i 3 i=0 40 / 59
Integral attacks fter 3 rounds of ES Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns B B B B B B B B B B B B B B B B 41 / 59
Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent of the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59
Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent on the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59
Integral attacks ttack over ES reduced to 4 rounds Goal: Recover the subkey k 4 of the 4 th round of ES. Remark No Mixolumns in the last round. Input: 256 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant and the corresponding ciphertexts c i, i = 0,...,255. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 43 / 59
Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 44 / 59
Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) 44 / 59
Integral attacks Divide and conquer k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) But, if k 13 4 is the right value 255 255 v i = S 1 (c i k4 13 ) = 0 i=0 i=0 44 / 59
Integral attacks omplexity Data complexity: 2 8 chosen plaintext-ciphertext pairs (a little bit more to get rid off false alarms) Time complexity: 16 2 8 2 8 = 2 20 XOR s. ssume that a full encryption is composed of 2 6 similar simple operations. So, time complexity 2 14 encryptions. 45 / 59
Integral attacks Link with higher-order differential cryptanalysis differential of order d is the sum of 2 d vecteurs of a well-chosen vector space, so it can be seen as an integral. Recently, Yosuke Todo extended integral attacks to take in a clearer way the algebraic degree into account. This extension is called the division property. 46 / 59
Bounds on the degree of iterated constructions Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 47 / 59
Bounds on the degree of iterated constructions Iterated permutations Most of the symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times. Important to estimate the algebraic degree of such iterated permutations. Functions with a low degree are vulnerable to: lgebraic attacks Higher-order differential attacks and distinguishers 48 / 59
Bounds on the degree of iterated constructions trivial bound Proposition: Let F be a function from F n 2 into Fn 2 F n 2 into Fm 2. Then and G a function from deg(g F) deg(g)deg(f). Example: Round function R of ES is of degree 7. Then deg(r 2 ) = deg(r R) 7 2 = 49. 49 / 59
Bounds on the degree of iterated constructions Substitution Permutation Networks S S S S S S Linear Layer S S S S S S Linear Layer S S S S S S Linear Layer How to estimate the evolution of the degree of such constructions? 50 / 59
Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in X = {x 0,...,x 15 }. 51 / 59
Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in Y = {y 0,...,y 15 }. The coordinates y 0 y 3 are outputs of the same Sbox (equally for the others). What is the consequence on the degree of the product? 51 / 59
Bounds on the degree of iterated constructions The notion of δ k Definition : For a permutation S define δ k (S) as the maximum degree of the product of k coordinates of S. δ 1 (S) := algebraic degree of S Example: degs = 3 S k δ k 1 3 2 3 3 3 4 4 S permutation of F n 2 : δ k (S) = n iff k = n. 52 / 59
Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 1 y 3 y 8 y 9 y 10. deg(π) δ 3 (S 1 )+δ 3 (S 3 ) = 6. 53 / 59
Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 5 y 8 y 10 y 13 y 15. deg(π) δ 1 (S 1 )+δ 1 (S 2 )+δ 2 (S 3 )+δ 2 (S 4 ) = 12. The degree of the product is relatively low if many coordinates coming from the same Sbox are involved! 53 / 59
Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. 54 / 59
Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 1, x 3 = 3: deg(π) δ 3 x 3 +δ 4 x 4 = 3 3+4 1 = 13. 54 / 59
Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 2, x 3 = 1, x 2 = 1: deg(π) δ 2 x 2 +δ 3 x 3 +δ 4 x 4 = 3 1+3 1+4 2 = 14. 54 / 59
Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 3, x 1 = 1: deg(π) δ 1 x 1 +δ 4 x 4 = 3 1+4 3 = 15. 54 / 59
Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. deg(π) with x 1 +2x 2 +3x 3 +4x 4 = d. max (δ 1x 1 +δ 2 x 2 +δ 3 x 3 +δ 4 x 4 ) (x 1,x 2,x 3,x 4 ) 54 / 59
Bounds on the degree of iterated constructions d x 4 x 3 x 2 x 1 deg(π) 16 4 - - - 16 15 3 1 - - 15 14 3-1 - 15 13 3 - - 1 15 12 2 1-1 14 11 2-1 1 14 10 2 - - 2 14 9 1 1-2 13...... 16 deg(π) 16 d 3 55 / 59
Bounds on the degree of iterated constructions d x 4 x 3 x 2 x 1 deg(π) 16 4 - - - 16 15 3 1 - - 15 14 3-1 - 15 13 3 - - 1 15 12 2 1-1 14 11 2-1 1 14 10 2 - - 2 14 9 1 1-2 13...... deg(π) 16 16 d 3 55 / 59
Bounds on the degree of iterated constructions bound on the degree of SPN constructions [Boura anteaut De annière - 11] Theorem. Let F be a function from F n 2 into Fn 2 corresponding to the parallel application of an Sbox, S, defined over F n 0 2. Then, for any G from F n 2 into Fl 2, we have deg(g F) n n degg, γ(s) where n 0 i γ(s) = max. 1 i n 0 1 n 0 δ i 56 / 59
Bounds on the degree of iterated constructions pplication to ES One round: M SR SB K. K: ddroundkey SB: SubBytes (Sboxes of degree 7) SR: ShiftRows M: Mixolumns 57 / 59
Bounds on the degree of iterated constructions The Super Sbox technique Two rounds: R 2 = M SR SB K M SR SB K. Equivalently: R 2 = M SR SB K M SB SR K. Denote: SuperSbox = SB K M SB. Then: R 2 = M SR SuperSbox SR K. 58 / 59
Bounds on the degree of iterated constructions Bound on up to 4 rounds SuperSbox: F 32 2 F32 2 : Two non-linear layers composed of Sboxes of degree 7, separated by a linear layer. deg(supersbox) 32 32 7 7 28. (Trivial Bound: deg(r 2 ) 7 2 = 49!!!) Bound for r rounds: deg(r r ) = deg(r r 1 R) 128 128 deg(rr 1 ). 7 r = 3: deg(r 3 ) 113 r = 4: deg(r 4 ) 125 59 / 59