
Introduction to symmetric cryptography

Christina Boura

École de printemps en codage et cryptographie, May 17, 2016

Overview

Introduction to symmetric-key cryptography

Block ciphers

Boolean functions and cryptographic Sboxes

Attacks against block ciphers exploiting a low algebraic degree

Algebraic attacks

Higher-order differential attacks

Integral attacks

Estimating the algebraic degree of iterated constructions


Bibliography

The Block Cipher Companion, Lars Knudsen and Matt Robshaw

Lecture Notes on Cryptographic Boolean Functions, Anne Canteaut

Analyse de Fonctions de Hachage Cryptographiques, Thèse, Christina Boura

Introduction to symmetric-key cryptography

Outline

1 Introduction to symmetric-key cryptography


Symmetric-key encryption

Alice and Bob exchange the secret key through a secure channel.

[Figure: Encryption / Decryption with the shared secret key]

Key-exchange problem ⇒ birth of public-key cryptography.

Public-key encryption

[Figure: Encryption / Decryption]

Advantages and disadvantages of each system

             Advantages                Disadvantages
Secret-key   Fast systems              Need secure key-exchange
             Relatively short keys     n users: n(n−1)/2 keys
Public-key   No key-exchange needed    Slow systems
             n users: 2n keys          Relatively long keys

Hybrid encryption

Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of every system.

[Figure: Encryption / Decryption, two stages]

Hybrid encryption

Use a public-key cryptosystem to exchange a key (session key).

Use the exchanged key to encrypt data by using a symmetric-key cryptosystem.

Advantages:

Slow public-key cryptosystem is used to encrypt a short string only.

Fast symmetric-key cryptosystem is used to encrypt the longer communication session.

Symmetric-key authentication

Message authentication code (MAC)

[Figure: Sign, Verify → Y/N]

Public-key authentication

Digital signatures

[Figure: Sign with Alice’s secret key, Verify with Alice’s public key → Y/N]

Hash functions

If the message to sign is long, the signing process becomes heavy...

Idea: Use a cryptographic hash function.

H : {0, 1}* → {0, 1}^n

A good hash function should be preimage, second-preimage and collision resistant.

In recent hash proposals: n = 256, 512

Hash functions are considered symmetric-key functions because they use building blocks similar to those of block ciphers.

Hash and sign

[Figure: hash the message, Sign with Alice’s secret key, Verify with Alice’s public key → Y/N]

The best of the two worlds

Secrecy: Hybrid encryption

Authentication: Digital signatures with hashing

There is a need for both public and symmetric-key cryptosystems.

Symmetric-key cryptosystems

A cryptosystem is a five-tuple (P, C, K, E, D)

P: set of possible plaintexts

C: set of possible ciphertexts

K: set of possible keys

For each k ∈ K, there is an encryption rule e_k ∈ E and a decryption rule d_k ∈ D.

For each k ∈ K: d_k(e_k(m)) = m, for every m ∈ P.

[Figure: m → e_k → c → d_k → m]

Kerckhoffs’s principle (1883)

In 1883 Auguste Kerckhoffs stated 6 design principles for military ciphers. The 2nd principle states:

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Reformulated by Claude Shannon as

“The enemy knows the system.”

i.e., “One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.”

Claude Shannon’s theory

“Communication Theory of Secrecy Systems”, published in 1949.

Many fundamental ideas of modern cryptography are introduced there:

Provable security.

Confusion and diffusion.

Product ciphers.

Shannon’s idea of perfect secrecy

“No information about the plaintext can be obtained by observing the ciphertext”.

Shannon’s definition:

A cryptosystem has perfect secrecy if

Pr(m|c) = Pr(m) for all m ∈ P, c ∈ C.

An equivalent formulation:

Pr(c|m) = Pr(c) for all m ∈ P, c ∈ C.

Shannon’s theorem

A cryptosystem where |P| = |C| = |K| provides perfect secrecy iff

1. $\Pr_K(k) = 1/|K|$ for all $k \in K$

2. For all $m \in P$, $c \in C$ there exists a unique $k$ such that $e_k(m) = c$.

Fact:

If |P| > |K| then no scheme is perfectly secure.

The Vernam Cipher or One-time Pad

One-time Pad

Let n ≥ 1 and P, C, K = {0, 1}^n. If m = (m_1, ..., m_n) ∈ P and k = (k_1, ..., k_n) ∈ K then

c = e_k(m) = (m_1 ⊕ k_1, ..., m_n ⊕ k_n).

Decryption: d_k(c) = c ⊕ k = m ⊕ k ⊕ k = m

The One-time Pad provides perfect secrecy if used correctly:

All keys are equally likely.

Each key is used only once.

Two-time Pad

c ⊕ c′ = (m ⊕ k) ⊕ (m′ ⊕ k) = m ⊕ m′.
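As an added illustration (not code from the slides), the following Python checks Shannon's second condition and the Pr(c|m) = Pr(c) definition by brute force on 3-bit ciphers, and shows the two-time pad leak m ⊕ m′; the half_key scheme, the pad and the messages are constructed for the example.

```python
# Added example (not code from the slides): brute-force checks of Shannon's
# perfect-secrecy conditions on tiny ciphers, plus the two-time pad leak.
from itertools import product


def shannon_conditions(enc, n):
    """Check Shannon's theorem for a cipher with P = C = K = {0,1}^n.

    enc(k, m) -> c is the encryption rule e_k(m) on n-bit integers; keys
    are taken uniform (condition 1), so only condition 2 is tested:
    for every (m, c) there must be exactly one k with e_k(m) = c.
    """
    space = range(1 << n)
    for m, c in product(space, repeat=2):
        if sum(1 for k in space if enc(k, m) == c) != 1:
            return False
    return True


def is_perfectly_secret(enc, n):
    """Shannon's definition, Pr(c|m) = Pr(c) for every message distribution.

    With uniform keys, Pr(c|m) = #{k : e_k(m) = c} / |K|, so the cipher is
    perfectly secret iff that count depends on c only, not on m.
    """
    space = range(1 << n)
    for c in space:
        counts = {sum(1 for k in space if enc(k, m) == c) for m in space}
        if len(counts) != 1:
            return False
    return True


def otp_int(k, m):
    """One-time pad on n-bit integers: c = m xor k."""
    return k ^ m


def half_key(k, m):
    """Constructed weak scheme: only the two low key bits are used, so for
    n = 3 the effective key space is smaller than the message space."""
    return m ^ (k & 0b11)


def otp_bytes(key: bytes, msg: bytes) -> bytes:
    """Vernam cipher on byte strings; decryption is the same operation."""
    if len(key) != len(msg):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(msg, key))


def two_time_pad_leak(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Two ciphertexts under the same pad satisfy c1 xor c2 = m1 xor m2, so
    anyone who knows (or guesses) m1 recovers m2 without the key."""
    return otp_bytes(otp_bytes(c1, c2), known_m1)


if __name__ == "__main__":
    print("OTP, n=3:", shannon_conditions(otp_int, 3), is_perfectly_secret(otp_int, 3))
    print("half_key, n=3:", shannon_conditions(half_key, 3), is_perfectly_secret(half_key, 3))
    pad = bytes(range(14))            # constructed pad; use os.urandom in practice
    c1 = otp_bytes(pad, b"attack at dawn")
    c2 = otp_bytes(pad, b"retreat at six")
    print(two_time_pad_leak(c1, c2, b"attack at dawn"))
```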

The One-time Pad is perfectly secure but...

The secret key must be as long as the message.

A new key has to be generated for each communication.

These long keys have to be exchanged in a secure way.

Problem of generating truly random sequences for the key.

Confusion and diffusion

Diffusion: Each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext.

Confusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst.

Idea: Use permutations to attain diffusion and substitutions to attain confusion.

→ Product Ciphers

Security notions

Perfectly secret system: the key has to be at least as long as the message.

All cryptosystems used in practice can theoretically be broken.

Symmetric-key approach:

Try to make the system secure against all known attacks.

No attack should be faster than exhaustive search on the key.

Exhaustive search

Expected time to recover a κ-bit key: 2^(κ−1) operations.

κ (bits)   Time complexity (operations)   Security
40         2^40                           easy to break
64         2^64                           practical to break
80         2^80                           not currently feasible
128        2^128                          very strong
256        2^256                          exceptionally strong

Table from [Knudsen, Robshaw, “The Block Cipher Companion”, 2011.]

The universe is less than 2^80 microseconds old!

The number of protons in the universe is ≈ 2^265.

Cryptanalysis of an encryption scheme

Different attack models:

Ciphertext-only attack.

Known-plaintext attack.

Chosen-plaintext/ciphertext attack.

Adaptively chosen-plaintext/ciphertext attack.

The performance of an attack is measured by its:

time complexity.

data complexity.

memory complexity.

Symmetric encryption schemes

Stream ciphers

Combine (XOR) plaintext bits with a keystream generated by a pseudo-random number generator.

Keystream should have good statistical properties.

Advantages: Performance and low hardware complexity.

Block ciphers

Operate on blocks of data.

Probably the best understood symmetric primitives.

Can be used to build hash functions, stream ciphers, MACs, authenticated encryption algorithms, PRNGs...

Block ciphers

Encrypt a block of message m into a block of ciphertext c under the action of the key k.

E : {0, 1}^n × {0, 1}^κ → {0, 1}^n

(m, k) ↦ E(m, k) = c

[Figure: m → E → c, with key input k]

Given k, it must be easy to compute c from m.

Given m, c it must be hard to compute k such that E(m, k) = c.

Two important parameters:

block size, n

key size, κ

A block cipher generates a family of permutations indexed by a key k.

[Figure: the 2^κ keyed permutations form a subset of all (2^n)! permutations]

Ideal design: 2^κ permutations chosen uniformly at random from all (2^n)! ≈ 2^((n−1)2^n) permutations.

Iterated block ciphers

Idea: Iterate a round function f several times. The function f^r is expected to be strong for large r.

Advantages: Compact implementation. Easier analysis.

[Figure: m → f (k_1) → f (k_2) → ... → f (k_r) → c; the subkeys k_1, ..., k_r come from the key schedule applied to the master key k]

Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys.

How to build the round function?

Two major approaches:

Feistel network.

Substitution-Permutation Network (SPN).

Feistel Network

Introduced by Horst Feistel in the early 70’s.

Split plaintext block: m = (L_0, R_0)

For each round i = 0, ..., r do:

L_{i+1} = R_i

R_{i+1} = L_i ⊕ F(R_i ⊕ k_{i+1})

Ciphertext block c = (R_{r+1}, L_{r+1})

[Figure: Feistel encryption, (L_0, R_0) through the rounds with subkeys k_1, ..., k_r to (R_{r+1}, L_{r+1})]

Feistel Network

Split ciphertext block: c = (R_{r+1}, L_{r+1})

For each round i = r, ..., 0 do:

R_i = L_{i+1}

L_i = R_{i+1} ⊕ F(L_{i+1} ⊕ k_{i+1})

Plaintext block m = (L_0, R_0)

Decryption with K = (k_1, ..., k_r) equals encryption with K′ = (k_r, ..., k_1).

→ F does not need to be invertible.

[Figure: Feistel decryption, the same network with the subkeys in reverse order]
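The Feistel rounds and the reversed-key decryption of the two slides above, as an added Python example (not code from the slides); the 64-bit block size, the subkeys and the SHA-256-based round function F are my own choices for the illustration.

```python
# Added example (not code from the slides): a generic Feistel network on 64-bit
# blocks with the slide's round equations, showing that decryption is
# encryption with the subkeys reversed even though F is not invertible.
import hashlib

MASK32 = 0xFFFFFFFF


def F(x: int) -> int:
    """Round function: the first 32 bits of SHA-256 of the 32-bit input.
    A truncated hash is used on purpose: it is not a permutation, yet the
    Feistel rounds built from it are (assumed F, not from the slides)."""
    digest = hashlib.sha256((x & MASK32).to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block: int, subkeys) -> int:
    """One pass: L_{i+1} = R_i, R_{i+1} = L_i xor F(R_i xor k_{i+1}) for each
    subkey, then the final swap, so the output is (R, L) as on the slide."""
    L, R = block >> 32, block & MASK32
    for k in subkeys:
        L, R = R, L ^ F(R ^ k)
    return (R << 32) | L


def encrypt(block: int, subkeys) -> int:
    return feistel(block, list(subkeys))


def decrypt(block: int, subkeys) -> int:
    # Same network, subkeys in reverse order: K' = (k_r, ..., k_1).
    return feistel(block, list(reversed(subkeys)))


def is_injective_on(f, inputs) -> bool:
    """True if f maps the given inputs to distinct outputs; the Feistel map
    is a permutation, so this holds for any choice of F and inputs."""
    seen = set()
    for x in inputs:
        y = f(x)
        if y in seen:
            return False
        seen.add(y)
    return True


if __name__ == "__main__":
    subkeys = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xCAFEBABE]  # constructed
    m = 0x0123456789ABCDEF
    c = encrypt(m, subkeys)
    print(hex(c), hex(decrypt(c, subkeys)))
    print(is_injective_on(lambda x: encrypt(x, subkeys), range(1000)))
```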

Data Encryption Standard (DES)

The first and probably most famous Feistel cipher.

Designed by IBM and published in 1975.

Based on an earlier internal design called Lucifer.

1977: DES is published as a FIPS standard [FIPS 46].

DES

Block size: 64 bits

Key size: 56 bits

16 rounds

[Figure: DES round function F: the 32-bit half R_i is expanded by E to 48 bits, XORed with the 48-bit subkey k_i, passed through the Sboxes S1, ..., S8 and the permutation P; the 16 Feistel rounds with subkeys k_1, ..., k_16 sit between the initial permutation IP and its inverse IP^{−1}]

Generalized Feistel Networks

[Figure: Classical Feistel, Unbalanced Feistel, Alternating Feistel, Type-1 Feistel, Type-2 Feistel, with round functions F and G]

Structural properties of DES

The Complementation Property

$\mathrm{DES}_{\bar k}(\bar m) = \overline{\mathrm{DES}_k(m)}$

where $\bar x$ := bitwise complement of $x$

Limited impact on security in the classical model.

Halves the cost of the exhaustive key search.

Encrypt $m$ and $\bar m$: $c = \mathrm{DES}_k(m)$ and $c' = \mathrm{DES}_k(\bar m)$

For each candidate $t$, compute $d = \mathrm{DES}_t(m)$.

Check if $d = c$ → $t$ candidate for $k$.

Check if $\bar d = c'$ (since $\bar d = \mathrm{DES}_{\bar t}(\bar m)$) → $\bar t$ candidate for $k$.

Structural properties of DES

Weak keys

k weak: DES_k(DES_k(m)) = m.

4 weak keys were found for DES.

Each weak key has 2^32 fixed points m : DES_k(m) = m.

Breaking DES

1992: Differential cryptanalysis (theoretical attack, 2^47 chosen plaintexts).

1994: Linear cryptanalysis (practical attack, a DES key is recovered).

1997: DESCHALL Project (brute-force project over the net). A message encrypted with DES is broken for the first time.

1999: Deep Crack and distributed.net break a DES key in less than 23 hours.

2004: The standard is withdrawn.

Key-length too short!!!

DES still survives via its Triple-DES form.

Substitution Permutation Network (SPN)

[Figure: SPN with plaintext m, subkeys k_1, ..., k_5, four rounds each made of a layer of parallel Sboxes S (substitution) followed by a bit permutation, and ciphertext c]

The Advanced Encryption Standard (AES) Competition

[1997-2000]

On January 2, 1997 the NIST announced that they wished a successor to DES (to be known as AES).

Public competition, inputs from the cryptographic community.

Requirements: Block size of 128 bits, key size of 128, 192, 256 bits, security of 2-key triple-DES as minimum.

21 submissions (15 accepted for the 1st round)

5 finalists (Rijndael, Serpent, Twofish, RC6, MARS)

On October 2, 2000, Rijndael becomes the AES.

2001: Standardization [FIPS 197]

AES

Designed by Joan Daemen and Vincent Rijmen.

Structure: Byte-oriented Substitution-Permutation Network.

State: 128 bits, seen as a 4 × 4 matrix of bytes.

3 key-lengths: 128, 192, 256 bits

Number of rounds: 10, 12, 14 rounds resp.

AES Representation

Each byte is viewed in two different ways:

string of 8 bits $(b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0)$ (8-dimensional vector over $\mathbb{F}_2$)

An element of the finite field with $2^8$ elements $\mathbb{F}_{2^8}$:

$b_7X^7 + b_6X^6 + b_5X^5 + b_4X^4 + b_3X^3 + b_2X^2 + b_1X + b_0$

Irreducible polynomial RP

$RP = X^8 + X^4 + X^3 + X + 1$

An AES round

Four byte-oriented transformations.

SubBytes

ShiftRows

MixColumns

AddRoundKey

SubBytes

[Figure: the Sbox S applied to each byte of the state]

The AES Sbox

$S : \mathbb{F}_{2^8} \to \mathbb{F}_{2^8}$

$x \mapsto x^{-1}$

followed by an affine transformation on $\mathbb{F}_2^8$:

$$
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

Good resistance against differential and linear cryptanalysis.

ShiftRows

MixColumns

Each column of the state is multiplied by the matrix M over $\mathbb{F}_{2^8}$:

$$
\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \end{pmatrix}
=
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \end{pmatrix}
$$

MDS matrix.

Branch number $= \min_{x \neq 0} \big(\mathrm{HW}(x) + \mathrm{HW}(M(x))\big) = 5$, the minimum taken over the non-zero columns $x \in \mathbb{F}_{2^8}^4$.
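An added Python example (not the slides' code) that builds the AES Sbox from the two steps on the slides, inversion in $\mathbb{F}_{2^8}$ followed by the affine map with the matrix and constant shown, and applies MixColumns to one column; the test values in the main block (S(53) = ED, the column d4 bf 5d 30) are the worked examples of FIPS 197 and are used only to check the result.

```python
# Added example (not code from the slides): the AES Sbox built from the two
# steps on the slide (inversion in F_{2^8}, then the affine map with the matrix
# and constant shown), and MixColumns as multiplication by M over F_{2^8}.
RP = 0x11B  # X^8 + X^4 + X^3 + X + 1, the reduction polynomial of the slide


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of F_{2^8} = F_2[X]/(RP)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= RP
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^{-1} = a^254 in F_{2^8} (square-and-multiply); 0 is mapped to 0,
    which is the convention the AES Sbox uses."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


# Affine layer y = A x + c over F_2^8, rows and bits as on the slide (bit 0 first).
A = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]
C = [1, 1, 0, 0, 0, 1, 1, 0]  # the vector 11000110 on the slide, i.e. 0x63


def affine(x: int) -> int:
    bits = [(x >> j) & 1 for j in range(8)]
    y = 0
    for i in range(8):
        yi = C[i]
        for j in range(8):
            yi ^= A[i][j] & bits[j]
        y |= yi << i
    return y


def sbox(x: int) -> int:
    """AES SubBytes on one byte: affine(x^{-1})."""
    return affine(gf_inv(x))


M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_column(col):
    """MixColumns on one 4-byte column: y = M x over F_{2^8}."""
    return [gf_mul(M[i][0], col[0]) ^ gf_mul(M[i][1], col[1])
            ^ gf_mul(M[i][2], col[2]) ^ gf_mul(M[i][3], col[3])
            for i in range(4)]


def branch_weight(col) -> int:
    """HW(x) + HW(M(x)) with HW counting non-zero bytes; the branch number is
    the minimum of this over all non-zero columns, 5 for an MDS matrix."""
    hw = lambda v: sum(1 for b in v if b)
    return hw(col) + hw(mix_column(col))


def min_branch_weight_single_byte() -> int:
    """Minimum of branch_weight over the 4 * 255 columns with one non-zero
    byte (a full proof of branch number 5 needs all 2^32 - 1 columns)."""
    best = 8
    for pos in range(4):
        for v in range(1, 256):
            col = [0, 0, 0, 0]
            col[pos] = v
            best = min(best, branch_weight(col))
    return best


if __name__ == "__main__":
    print(hex(sbox(0x00)), hex(sbox(0x53)))                 # 0x63, 0xed
    print([hex(b) for b in mix_column([0xD4, 0xBF, 0x5D, 0x30])])
    print(min_branch_weight_single_byte())
```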

AddRoundKey

⊕ K_i

Lightweight non-linear key-schedule (memory, performance)

Cryptanalysis of AES

2000 Integral attacks

2002 Algebraic attacks: AES is claimed to be broken. Proved to be not realistic.

2009 Related-key attacks: AES-192 and AES-256 are broken under this model. Should we care?

2010-2013 Meet-in-the-middle attacks

2011 Biclique attacks: First theoretical attacks on full AES. Complexity is quite marginal (see them as accelerated exhaustive search).

Boolean Functions

Algebraic attacks

Christina Boura

École de printemps en codage et cryptographie, May 18, 2016

Boolean functions and cryptographic Sboxes

Outline

1 Boolean functions and cryptographic Sboxes

2 Algebraic attacks


Boolean functions

Inspired by Anne Canteaut’s Lecture Notes

A Boolean function f of n variables is a function

$f : \mathbb{F}_2^n \to \mathbb{F}_2$

$x = (x_1, \ldots, x_n) \mapsto f(x)$

Value vector: Binary vector $v_f$ of length $2^n$ composed of all values $f(x)$, for $x \in \mathbb{F}_2^n$.

Example: $f : \mathbb{F}_2^3 \to \mathbb{F}_2$

$v_f = (f(1,1,1), f(1,1,0), f(1,0,1), f(1,0,0), f(0,1,1), f(0,1,0), f(0,0,1), f(0,0,0))$

$v_f = (1, 0, 0, 1, 1, 0, 1, 0)$

Truth table

x_1              1 0 1 0 1 0 1 0
x_2              1 1 0 0 1 1 0 0
x_3              1 1 1 1 0 0 0 0
f(x_1, x_2, x_3)  1 0 0 1 1 0 1 0

Question

Question: How many different Boolean functions of n variables exist?

$2^{2^n}$

Hamming weight of a Boolean function

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$.

The Hamming weight of $f$ is defined as the number of 1’s in $v_f$.

$\mathrm{wt}(f) = \mathrm{wt}(v_f) = \#\{x \in \mathbb{F}_2^n : f(x) \neq 0\}$

For many cryptographic applications, we need Boolean functions that have a behaviour close to random functions. ⇒ Use balanced functions.

$f$ is balanced $\Leftrightarrow \mathrm{wt}(f) = 2^{n-1}$

Balancedness and bias

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$. The bias of $f$ is

$$
\begin{aligned}
\mathcal{E}(f) &= \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} \\
&= \#\{x \in \mathbb{F}_2^n : f(x) = 0\} - \#\{x \in \mathbb{F}_2^n : f(x) = 1\} \\
&= 2^n - \#\{x \in \mathbb{F}_2^n : f(x) = 1\} - \#\{x \in \mathbb{F}_2^n : f(x) = 1\} \\
&= 2^n - 2\,\mathrm{wt}(f)
\end{aligned}
$$

$f$ is balanced $\Leftrightarrow \mathcal{E}(f) = 0$

Alternative representation of a Boolean function

Representation of a Boolean function, where the function is seen as a multivariate polynomial.

In $\mathbb{F}_2$:

+: XOR

×: AND

$x_i^2 = x_i$ (as $0^2 = 0$ and $1^2 = 1$)

Monomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 + x_1, \ldots, x_n^2 + x_n)$: product of distinct variables

Examples: $x_1$, $x_3x_4$, $x_2x_4x_5$, $x_1x_2 \cdots x_n$

Monomials

Notation: Monomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 + x_1, \ldots, x_n^2 + x_n)$:

$$x^u = \prod_{i=1}^{n} x_i^{u_i},$$

where $u = (u_1, \ldots, u_n) \in \mathbb{F}_2^n$.

Example: $x \in \mathbb{F}_2^4$: $x^{1010} = x_1^1 x_2^0 x_3^1 x_4^0 = x_1 x_3$

Algebraic normal form (ANF)

Proposition: Any $f : \mathbb{F}_2^n \to \mathbb{F}_2$ can be uniquely written as a multivariate polynomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 + x_1, \ldots, x_n^2 + x_n)$:

$$f(x_1, \ldots, x_n) = \sum_{u \in \mathbb{F}_2^n} a_u x^u, \quad \text{where } a_u \in \mathbb{F}_2.$$

This polynomial is called the Algebraic Normal Form (ANF) of $f$.

The coefficients $a_u$ can be computed as follows:

$$a_u = \sum_{x \preceq u} f(x),$$

where $x \preceq u \Leftrightarrow x_i \le u_i$, for $1 \le i \le n$

Example

(x_1, x_2, x_3)    (1,1,1) (0,1,1) (1,0,1) (0,0,1) (1,1,0) (0,1,0) (1,0,0) (0,0,0)
f(x_1, x_2, x_3)      1       0       0       1       1       0       1       0

a_000 = f(0,0,0) = 0

a_100 = f(1,0,0) + f(0,0,0) = 1 + 0 = 1

a_010 = f(0,1,0) + f(0,0,0) = 0 + 0 = 0

a_110 = f(1,1,0) + f(0,1,0) + f(1,0,0) + f(0,0,0) = 1 + 0 + 1 + 0 = 0

a_001 = f(0,0,1) + f(0,0,0) = 1 + 0 = 1

a_101 = f(1,0,1) + f(1,0,0) + f(0,0,1) + f(0,0,0) = 0 + 1 + 1 + 0 = 0

a_011 = f(0,1,1) + f(0,1,0) + f(0,0,1) + f(0,0,0) = 0 + 0 + 1 + 0 = 1

$a_{111} = \sum_{x \in \mathbb{F}_2^3} f(x) = \mathrm{wt}(f) \bmod 2 = 0$

f(x_1, x_2, x_3) = x_1 + x_3 + x_2x_3

Degree of a Boolean function

The algebraic degree of a Boolean function $f$ is defined as

$$\deg(f) = \max_{u \in \mathbb{F}_2^n} \{\mathrm{wt}(u) : a_u \neq 0\}$$

Example: $f(x_1, x_2, x_3) = x_1x_2x_3 + x_1x_3 + x_1 + 1$.

$\deg(f) = 3$

Functions of degree n

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$.

$$a_{1 \ldots 1} = \bigoplus_{x \in \mathbb{F}_2^n} f(x) = \mathrm{wt}(f) \bmod 2$$

$\deg(f) = n$ iff $\mathrm{wt}(f)$ is odd.

Functions of maximum degree are not balanced.

Maximal degree functions are not used in cryptographic applications.

Affine functions

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ of degree 1. Then,

$\mathrm{wt}(f) = 2^{n-1}$.

Affine functions are balanced.

Let $f = b \cdot x + \varepsilon$, with $b \in \mathbb{F}_2^n \setminus \{0\}$ and $\varepsilon \in \mathbb{F}_2$.

If $\varepsilon = 1$, $f(x) = 1$ iff $b \cdot x = 0$ iff $x \in \langle b \rangle^\perp$ (hyperplane)

If $\varepsilon = 0$, $f(x) = 1$ iff $b \cdot x = 1$ iff $x \in \mathbb{F}_2^n \setminus \langle b \rangle^\perp$

Cryptographic Sboxes

An Sbox $S$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$ is a collection of $m$ Boolean functions of $n$ variables.

Example (PRESENT Sbox $S : \mathbb{F}_2^4 \to \mathbb{F}_2^4$)

x       0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)    c 5 6 b 9 0 a d 3 e f 8 4 7 1 2
S_1(x)  0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0
S_2(x)  0 0 1 1 0 0 1 0 1 1 1 0 0 1 0 1
S_3(x)  1 1 1 0 0 0 0 1 0 1 1 0 1 1 0 0
S_4(x)  1 0 0 1 1 0 1 1 0 1 1 1 0 0 0 0

ANF of the Sbox

S1 = x1 + x3 + x4 + x2x3

S2 = x2 + x4 + x2x4 + x3x4 + x1x2x3 + x1x2x4 + x1x3x4

S3 = 1 + x3 + x4 + x1x2 + x1x4 + x2x4 + x1x2x4 + x1x3x4

S4 = 1 + x1 + x2 + x4 + x2x3 + x1x2x3 + x1x2x4 + x1x3x4

The functions S1, ..., Sm are called the coordinates of the Sbox.

Components of the Sbox

Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^m$.

The components of the Sbox are the $n$-variable Boolean functions

$S_\lambda : x \mapsto \lambda \cdot S(x)$

for all $\lambda \in \mathbb{F}_2^m$.

Examples:

$S_3 = S_1 + S_2$

$S_{15} = S_1 + S_2 + S_3 + S_4$

The components of an Sbox offer a useful characterisation.

When an Sbox is a permutation

Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^n$.

$S$ is a permutation iff all its non-trivial components are balanced.

Proof. ($S$ permutation $\Rightarrow$ $S_\lambda$ are balanced)

Suppose $S$ is a permutation and let $\lambda \neq 0$. Then,

$$\mathcal{E}(S_\lambda) = \sum_{x \in \mathbb{F}_2^n} (-1)^{\lambda \cdot S(x)} = \sum_{y \in \mathbb{F}_2^n} (-1)^{\lambda \cdot y} = 0.$$

Algebraic degree of an Sbox

Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^m$.

The degree of $S$ is the maximal degree of the ANF of its components.

Example: S = (S1, S2, S3, S4)

S1 = x1 + x3 + x4 + x2x3

S2 = x2 + x4 + x2x4 + x3x4 + x1x2x3 + x1x2x4 + x1x3x4

S3 = 1 + x3 + x4 + x1x2 + x1x4 + x2x4 + x1x2x4 + x1x3x4

S4 = 1 + x1 + x2 + x4 + x2x3 + x1x2x3 + x1x2x4 + x1x3x4

deg(S) = 3

Algebraic degree of a permutation

Boolean functions of maximal degree are not balanced.

An Sbox is a permutation iff all its non-trivial components are balanced.

The degree of an Sbox is the maximal degree of its components.

Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^n$.

$S$ is a permutation $\Leftrightarrow \deg(S) \le n - 1$
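An added Python example (not from the lecture notes) that computes the ANF, degree and bias of a Boolean function from its truth table by the Möbius transform $a_u = \sum_{x \preceq u} f(x)$ of the slides, and applies it to the coordinates and components of the PRESENT Sbox shown above; the bit-ordering convention in the comments is my reading of the slide's tables.

```python
# Added example (not code from the lecture notes): truth table -> ANF by
# a_u = sum_{x <= u} f(x) (Moebius transform), algebraic degree, weight and
# bias, and the coordinates/components of the PRESENT Sbox from the slides.
# Convention, matching the slide's tables: x = (x_1, ..., x_n) with x_i the
# bit (i-1) of the integer x, and S_i(x) the bit (i-1) of S(x).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(truth, n):
    """Return the set of u (monomial masks, u = 0 is the constant 1) with
    a_u = 1, for the function whose truth table is truth[x], x in 0..2^n-1."""
    a = list(truth)
    for i in range(n):            # in-place Moebius transform, one variable at a time
        bit = 1 << i
        for u in range(1 << n):
            if u & bit:
                a[u] ^= a[u ^ bit]
    return {u for u in range(1 << n) if a[u]}


def monomial(u, n=4):
    return "1" if u == 0 else "".join(f"x{i + 1}" for i in range(n) if (u >> i) & 1)


def anf_str(truth, n):
    ordered = sorted(anf(truth, n), key=lambda u: (bin(u).count("1"), u))
    return " + ".join(monomial(u, n) for u in ordered)


def degree(truth, n):
    return max((bin(u).count("1") for u in anf(truth, n)), default=0)


def weight(truth):
    return sum(truth)


def bias(truth, n):
    """E(f) = sum (-1)^f(x) = 2^n - 2 wt(f); zero iff f is balanced."""
    return (1 << n) - 2 * weight(truth)


def coordinate(sbox, i):
    """Truth table of the coordinate S_i (bit i-1 of the output)."""
    return [(s >> (i - 1)) & 1 for s in sbox]


def component(sbox, lam):
    """Truth table of S_lambda : x -> lambda . S(x) (parity of lam & S(x))."""
    return [bin(lam & s).count("1") & 1 for s in sbox]


def sbox_degree(sbox, n, m):
    return max(degree(component(sbox, lam), n) for lam in range(1, 1 << m))


def all_components_balanced(sbox, n, m):
    """The slide's criterion: S is a permutation iff every non-trivial
    component is balanced."""
    return all(bias(component(sbox, lam), n) == 0 for lam in range(1, 1 << m))


# The 3-variable example of the slides, read off its truth table.
F3 = [0, 1, 0, 1, 1, 0, 0, 1]   # index x = x1 + 2 x2 + 4 x3

if __name__ == "__main__":
    print("f =", anf_str(F3, 3), "deg", degree(F3, 3), "bias", bias(F3, 3))
    for i in range(1, 5):
        print(f"S{i} =", anf_str(coordinate(PRESENT_SBOX, i), 4))
    print("deg(S) =", sbox_degree(PRESENT_SBOX, 4, 4))
    print("permutation:", all_components_balanced(PRESENT_SBOX, 4, 4))
```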

Univariate representation

Identify the vector space $\mathbb{F}_2^n$ with the finite field $\mathbb{F}_{2^n}$.

$$S(X) = \sum_{i=0}^{2^n - 1} b_i X^i, \quad b_i \in \mathbb{F}_{2^n}.$$

Degree in the univariate representation

Let $S$ be an $n$-bit Sbox and let

$$F(x) = \sum_{i=0}^{2^n - 1} b_i x^i$$

be its univariate representation in $\mathbb{F}_{2^n}[x]$.

The degree of $F$ is given by

$$\deg(F) = \max\{\mathrm{wt}(i) : 0 \le i < 2^n \text{ and } b_i \neq 0\}.$$

Algebraic attacks

Outline

1 Boolean functions and cryptographic Sboxes

2 Algebraic attacks


Basic algebraic attack

Principle introduced by Claude Shannon in 1949.

Express the whole cipher as a large system of multivariate algebraic equations.

Known-plaintext attack

Known coefficients: plaintext and ciphertext bits

Unknowns: key bits

Solve the algebraic system and recover the secret key.

Linearization (I)

The complexity of the attack depends on the degree of the system.

A (naive) method for solving such a system: linearization.

Idea: Identify the system with a linear system of

$$\sum_{i=1}^{d} \binom{n}{i}$$

variables, where $n$ is the block size. Each product of $i$ initial variables, $1 \le i \le d$, is seen as a new variable.

Linearization (II)

Solve the linear system by linear algebra.

Complexity:

$$\Big(\sum_{i=1}^{d} \binom{n}{i}\Big)^{\omega} \approx n^{\omega},$$

where $\omega$ depends on the method used for the resolution ($\omega \approx 2.37$).

Other methods for solving the system:

Gröbner basis algorithms

ad-hoc techniques: XL, XSL.

Example on a toy cipher

Anne Canteaut’s Lecture Notes

Block size: n = 4 bits

Key size: 8 bits

[Figure: m → ⊕ k_1 → u → S → v → ⊕ k_2 → c]

c = k_2 ⊕ S(m ⊕ k_1)

c ⊕ k_2 = S(m ⊕ k_1)

One plaintext-ciphertext pair gives 4 equations in 8 variables.

ANF of the Sbox

x     0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)  f e b c 6 d 7 8 0 3 9 a 4 2 1 5

S1 = 1 + x1 + x3 + x2x3 + x4 + x2x4 + x3x4 + x1x3x4 + x2x3x4

S2 = 1 + x1x2 + x1x3 + x1x2x3 + x4 + x1x4 + x1x2x4 + x1x3x4

S3 = 1 + x2 + x1x2 + x2x3 + x4 + x2x4 + x1x2x4 + x3x4 + x1x3x4

S4 = 1 + x3 + x1x3 + x4 + x2x4 + x3x4 + x1x3x4 + x2x3x4

Write down the equations

Express each ciphertext bit ci, 1 ≤ i ≤ 4, as a multivariate polynomial in the plaintext bits m1, ..., m4 and in the key bits k1, ..., k8.

c1 + k5 = 1 + (m1 + k1) + (m3 + k3) + (m2 + k2)(m3 + k3) + (m4 + k4) + (m2 + k2)(m4 + k4) + (m3 + k3)(m4 + k4) + (m1 + k1)(m3 + k3)(m4 + k4) + (m2 + k2)(m3 + k3)(m4 + k4)

c2 + k6 = 1 + (m1 + k1)(m2 + k2) + (m1 + k1)(m3 + k3) + (m1 + k1)(m2 + k2)(m3 + k3) + (m4 + k4) + (m1 + k1)(m4 + k4) + (m1 + k1)(m2 + k2)(m4 + k4) + (m1 + k1)(m3 + k3)(m4 + k4)

c3 + k7 = 1 + (m2 + k2) + (m1 + k1)(m2 + k2) + (m2 + k2)(m3 + k3) + (m4 + k4) + (m2 + k2)(m4 + k4) + (m1 + k1)(m2 + k2)(m4 + k4) + (m3 + k3)(m4 + k4) + (m1 + k1)(m3 + k3)(m4 + k4)

c4 + k8 = 1 + (m3 + k3) + (m1 + k1)(m3 + k3) + (m4 + k4) + (m2 + k2)(m4 + k4) + (m3 + k3)(m4 + k4) + (m1 + k1)(m3 + k3)(m4 + k4) + (m2 + k2)(m3 + k3)(m4 + k4)

Re-write the equations

c1 + k5 = S1(m) + (1 + m3m4)k1 + (m3 + m4 + m3m4)k2 + (1 + m2 + m4 + m1m4 + m2m4)k3 + (1 + m2 + m3 + m1m3 + m2m3)k4 + m4k1k3 + m3k1k4 + (1 + m4)k2k3 + (1 + m3)k2k4 + (1 + m1 + m2)k3k4 + k1k3k4 + k2k3k4

c2 + k6 = S2(m) + (m2 + m3 + m2m3 + m4 + m2m4 + m3m4)k1 + (m1 + m1m3 + m1m4)k2 + (m1 + m1m2 + m1m4)k3 + (1 + m1 + m1m2 + m1m3)k4 + (1 + m3 + m4)k1k2 + (1 + m2 + m4)k1k3 + (1 + m2 + m3)k1k4 + m1k2k3 + m1k2k4 + m1k3k4 + k1k2k3 + k1k2k4 + k1k3k4

c3 + k7 = S3(m) + (m2 + m2m4 + m3m4)k1 + (1 + m1 + m3 + m4 + m1m4)k2 + (m2 + m4 + m1m4)k3 + (1 + m2 + m3 + m1m2 + m1m3)k4 + (1 + m4)k1k2 + m4k1k3 + (m2 + m3)k1k4 + k2k3 + m1k3k4 + (1 + m1)k2k4 + k3k4 + k1k2k4 + k1k3k4

c4 + k8 = S4(m) + (m3 + m3m4)k1 + (m4 + m3m4)k2 + (1 + m1 + m4 + m1m4 + m2m4)k3 + (1 + m2 + m3 + m1m3 + m2m3)k4 + (1 + m4)k1k3 + m3k1k4 + m4k2k3 + (1 + m3)k2k4 + (1 + m1 + m2)k3k4 + k1k3k4 + k2k3k4

Replace the known values

From the plaintext-ciphertext pair (m, c) = (0x0, 0x4) we get

c1 + k5 = 1 + k1 + k3 + k4 + k2k3 + k2k4 + k3k4 + k1k3k4 + k2k3k4

c2 + k6 = 1 + k4 + k1k2 + k1k3 + k1k4 + k1k2k3 + k1k2k4 + k1k3k4

c3 + k7 = 1 + k2 + k4 + k1k2 + k2k3 + k2k4 + k3k4 + k1k2k4 + k1k3k4

c4 + k8 = 1 + k3 + k4 + k1k3 + k2k4 + k3k4 + k1k3k4 + k2k3k4

Polynomial system of degree d = 3 with 8 unknowns.

Linearize the system

Replace each monomial in the key bits of degree 2 or 3 with a new unknown:

k9 = k1k2, k10 = k1k3, ..., k14 = k3k4, k15 = k1k2k3, ..., k18 = k2k3k4

c1 + k5 = 1 + k1 + k3 + k4 + k12 + k13 + k14 + k16 + k18

c2 + k6 = 1 + k4 + k9 + k10 + k11 + k15 + k17 + k16

c3 + k7 = 1 + k2 + k4 + k9 + k12 + k13 + k14 + k17 + k16

c4 + k8 = 1 + k3 + k4 + k10 + k13 + k14 + k16 + k18

Linear system with $8 + \binom{4}{2} + \binom{4}{3} = 18$ unknowns.

Solve the system

Here, 5 (m, c) pairs are enough to solve the system (4 × 5 = 20 equations).

In practice, block ciphers have a much larger block size and are composed of many rounds.

The degree of the polynomial system increases with the number of rounds.

Solving such systems: infeasible even for a few rounds.
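The attack of the preceding slides carried out end to end on the toy cipher, as an added Python example (not code from the lecture notes); the key, the plaintexts and the column order of the linearized unknowns are my choices. Because the linearized unknowns are treated as independent, the linear system can keep a few free variables; the example resolves them by checking the product constraints and re-encrypting the pairs.

```python
# Added example (not code from the lecture notes): the linearization attack of
# the slides on the toy cipher c = k2 xor S(m xor k1) with the slide's Sbox.
# For each known (m, c) the ANF of k -> S_i(m xor k) is computed by a Moebius
# transform, monomials of degree 2 and 3 in k_1..k_4 become fresh unknowns
# (the slide's k_9..k_18), and the linear system is solved over F_2.
# Convention: k_i is bit (i-1) of k1 for i <= 4 and bit (i-5) of k2 for
# i >= 5; x_i and S_i are bit (i-1) of the Sbox input and output.
from itertools import combinations, product

TOY_SBOX = [0xF, 0xE, 0xB, 0xC, 0x6, 0xD, 0x7, 0x8,
            0x0, 0x3, 0x9, 0xA, 0x4, 0x2, 0x1, 0x5]
N = 4


def encrypt(m, key):
    k1, k2 = key
    return k2 ^ TOY_SBOX[m ^ k1]


def anf(truth, n):
    """Coefficients a_u of the ANF (Moebius transform of the truth table)."""
    a = list(truth)
    for i in range(n):
        bit = 1 << i
        for u in range(1 << n):
            if u & bit:
                a[u] ^= a[u ^ bit]
    return a


# Column layout of the linearized system: 0..3 -> k_1..k_4, 4..7 -> k_5..k_8,
# then one column per monomial of degree 2 and 3 in k_1..k_4.
MONOMIALS = [sum(1 << i for i in c) for d in (2, 3) for c in combinations(range(N), d)]
COLUMN = {1 << i: i for i in range(N)}
COLUMN.update({u: 8 + j for j, u in enumerate(MONOMIALS)})
NVARS = 8 + len(MONOMIALS)          # 8 + C(4,2) + C(4,3) = 18 unknowns


def equations(m, c):
    """Rows (mask, rhs) over F_2 for one pair: c_i + k_{4+i} = S_i(m xor k)."""
    rows = []
    for i in range(N):
        a = anf([(TOY_SBOX[m ^ k] >> i) & 1 for k in range(1 << N)], N)
        mask, rhs = 1 << (4 + i), ((c >> i) & 1) ^ a[0]
        for u in range(1, 1 << N):
            if a[u]:
                assert u in COLUMN, "the Sbox has degree 3, so no k1k2k3k4 term"
                mask |= 1 << COLUMN[u]
        rows.append((mask, rhs))
    return rows


def solve_gf2(rows, nvars):
    """Gauss-Jordan elimination on bitmask rows; returns (pivots, rows) in
    reduced row echelon form, or None if the system is inconsistent."""
    rows = [list(r) for r in rows]
    pivots, r = {}, 0
    for col in range(nvars):
        bit = 1 << col
        piv = next((i for i in range(r, len(rows)) if rows[i][0] & bit), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0] & bit:
                rows[i][0] ^= rows[r][0]
                rows[i][1] ^= rows[r][1]
        pivots[col] = r
        r += 1
    if any(mask == 0 and rhs for mask, rhs in rows[r:]):
        return None
    return pivots, rows[:r]


def recover_key(pairs):
    """Linearize, solve, then fix any remaining freedom: a solution of the
    linear system is kept only if the product unknowns really equal the
    products of the key bits and the key re-encrypts every pair."""
    solution = solve_gf2([row for m, c in pairs for row in equations(m, c)], NVARS)
    if solution is None:
        return []
    pivots, rows = solution
    free = [col for col in range(NVARS) if col not in pivots]
    keys = set()
    for bits in product((0, 1), repeat=len(free)):
        x = sum(b << col for b, col in zip(bits, free))
        for col, i in pivots.items():   # pivot rows hold only free columns besides col
            mask, rhs = rows[i]
            x |= (rhs ^ (bin(mask & x).count("1") & 1)) << col
        k1, k2 = x & 0xF, (x >> 4) & 0xF
        consistent = all(((x >> COLUMN[u]) & 1) == int((k1 & u) == u) for u in MONOMIALS)
        if consistent and all(encrypt(m, (k1, k2)) == c for m, c in pairs):
            keys.add((k1, k2))
    return sorted(keys)


if __name__ == "__main__":
    key = (0b1011, 0b0110)                     # constructed secret key
    pairs = [(m, encrypt(m, key)) for m in (0x0, 0x1, 0x2, 0x4, 0x8)]
    print("5 pairs ->", recover_key(pairs))
```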

Alternative solution: use intermediate variables

Use intermediate variables to control the degree of the system.

[Figure: two-round toy cipher, m → ⊕ k_1 → u → S → v → ⊕ k_2 → w → S → x → ⊕ k_3 → c]

Consider the 4 bits of v as additional unknowns.

One known P-C pair gives 8 equations of degree 3 with 16 unknowns (12 key bits + 4 bits of v).

For any additional P-C pair: +4 equations but +4 unknowns

N P-C pairs → 8N equations and 12 + 4N unknowns.

Advanced algebraic attack

Decrease the degree of the polynomial system even if the round function has a high degree.

Idea introduced by Courtois and Pieprzyk in 2002.

Example: Relations of degree 2 between inputs and outputs:

x2x4 + x2S1(x1, ..., x4) + x2S2(x1, ..., x4) = 0

We then get the following quadratic equation:

(m4 + c1 + c2)k2 + m2k4 + m2k5 + m2k6 + k2k4 + k2k5 + k2k6 = m2m4 + m2c1 + m2c2.

Relations of degree 2

21 linearly independent relations of degree 2 between the input and the output bits can be exhibited.

System easier to solve than the original equations.

Question: What is the least number of linearly independent relations of degree at most d?

$$\sum_{i=0}^{d} \binom{2n}{i} - 2^n$$

Example

Any function from $\mathbb{F}_2^4$ into $\mathbb{F}_2^4$ has at least

$$\sum_{i=0}^{2} \binom{8}{i} - 2^4 = 37 - 16 = 21$$

quadratic relations between its inputs and outputs.

The case of AES (I)

The AES Sbox can be seen as the composition of the inversion over $\mathbb{F}_{2^8}$ with an affine function.

For the inverse operation, the input $a$ and output $b$ satisfy the relation

$ab = 1$

over $\mathbb{F}_{2^8}$.

$$(a_7X^7 + a_6X^6 + a_5X^5 + a_4X^4 + a_3X^3 + a_2X^2 + a_1X + a_0) \times (b_7X^7 + b_6X^6 + b_5X^5 + b_4X^4 + b_3X^3 + b_2X^2 + b_1X + b_0) = 1$$

The case of AES (II)

Derive 8 multivariate quadratic equations over $\mathbb{F}_2$ (one for each coefficient of the previous equation).

Example

$$a_0b_0 + a_7b_1 + a_6b_2 + a_5b_3 + a_4b_4 + a_3b_5 + a_2b_6 + a_1b_7 + a_7b_6 + a_6b_7 + a_7b_5 + a_6b_6 + a_5b_7 = 1.$$

Derive other equations by exploiting for example relations of the form $a^2 b = a$ and $a b^2 = b$ over $\mathbb{F}_{2^8}$.

Quadratic system for AES

There are in total 39 quadratic relations for the AES Sbox (much more than for a randomly chosen mapping over $\mathbb{F}_2^8$).

Use these relations of degree 2 to form a quadratic system by introducing new variables for the outputs of successive rounds.

8000 quadratic equations in 1600 variables.

Solving the system

How to solve the resulting system?

XSL (eXtended Sparse Linearisation): based on linearization, but attempting to exploit the sparsity and specific structure of the equation system.

Gröbner Basis algorithms, SAT-solvers, etc.

Courtois and Pieprzyk claimed that by using XSL it was possible to mount an (at least theoretical) successful attack against AES-128.

However, it was shown by Cid and Leurent (Asiacrypt 05) that the algorithm did not work as expected, so one could not claim that AES was broken.

The limitations of algebraic attacks

No well-known block cipher has been broken using pure algebraic techniques faster than with other techniques.

Algebraic cryptanalysis works better in the case of stream ciphers, and resistance against such attacks is a design criterion.

The applicability of an algebraic attack mainly depends on the algebraic degree of the block cipher.

Other attacks depending on the algebraic degree:

Higher-order differential attacks, their derivatives and extensions.

Some attacks against block ciphers

Christina Boura

École de printemps en codage et cryptographie, May 19, 2016

Last-round attacks

Outline

1 Last-round attacks

2 Higher-order differential attacks

3 Integral attacks

4 Bounds on the degree of iterated constructions


Statistical attacks

Statistical attacks exploit relations that hold with a certain probability only.

Rely on the existence of a distinguisher.

A distinguisher D for a block cipher (E_k)_k is an algorithm taking N pairs (x_i, y_i), 1 ≤ i ≤ N and returning 0 or 1.

Goal: Decide if the N pairs are input-output pairs of the target block cipher or not:

1: If the (x_i, y_i) are input-output pairs of E_k for some key k.

0: If the (x_i, y_i) are input-output pairs of a random permutation.

Last-round attacks

Advantage of the distinguisher

Let $p$ be the probability that the algorithm returns 1 (the $N$ pairs come from the target block cipher).

Let $p'$ be the probability that the algorithm returns 0 (the $N$ pairs come from a random permutation).

The capacity to distinguish the target block cipher from a randompermutation is measured as

|p− p′|

and is called advantage.

4 / 59

Last-round attacks

Consequences of a distinguisher

The existence of a distinguisher with a non-negligible advantage is an undesirable property for a block cipher.

However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered.

But: For iterated ciphers

$$E_k = F_{k_r} \circ F_{k_{r-1}} \circ \cdots \circ F_{k_1}$$

a distinguisher for the reduced cipher

$$G_k = F_{k_{r-1}} \circ \cdots \circ F_{k_1}$$

can be a serious threat.

5 / 59

Last-round attacks

Attack on the last round (I)

If an attacker finds a distinguisher $D$ for the reduced-round cipher $G_k$, then he can run a last-round attack.

Goal: Recover the last-round subkey $k_r$.

6 / 59

Last-round attacks

Attack on the last round (II)

[Figure: $x \xrightarrow{F_{k_1}} \cdot \xrightarrow{F_{k_2}} \cdots \xrightarrow{F_{k_{r-1}}} G_k(x) \xrightarrow{F_{k_r}} E_k(x) = z$; the attacker applies $F_{k'}^{-1}$ to $z$ with a guessed last-round subkey $k'$ and obtains $y$]

Collect enough plaintext-ciphertext pairs $(x_i, z_i)$, where $z_i = E_k(x_i)$.

For all possible values $k'$ compute $y_i = F_{k'}^{-1}(z_i)$.

7 / 59

Last-round attacks

Attack on the last round (III)

[Figure: same chain as on the previous slide; $z = E_k(x)$ is decrypted through the last round with the guessed subkey $k'$, giving $y = F_{k'}^{-1}(z)$, which is compared with $G_k(x)$]

If $k'$ is the right subkey ($k' = k_r$):

$$\begin{aligned}
P(k') = F_{k'}^{-1} \circ E_k &= F_{k'}^{-1} \circ F_{k_r} \circ F_{k_{r-1}} \circ F_{k_{r-2}} \circ \cdots \circ F_{k_1} \\
&= F_{k_r}^{-1} \circ F_{k_r} \circ F_{k_{r-1}} \circ F_{k_{r-2}} \circ \cdots \circ F_{k_1} \\
&= F_{k_{r-1}} \circ F_{k_{r-2}} \circ \cdots \circ F_{k_1} \\
&= G_k
\end{aligned}$$

$P(k')$ belongs to the family of reduced ciphers.

If $k'$ is a wrong subkey, $P(k')$ is assumed to have the same behaviour as a randomly chosen permutation.

This assumption is known as the wrong-key randomization hypothesis.

8 / 59

Last-round attacks

Algorithm

Data: N plaintext-ciphertext couples (x_i, z_i), for 1 ≤ i ≤ N
Result: A set of candidate keys for the last-round subkey k_r

for all possible values k′ of k_r do
    counter ← 0;
    for i = 1 … N do
        compute y_i = F_{k′}^{-1}(z_i);
        counter ← counter + D(x_i, y_i);
    end
    if counter ≥ τ then
        return k′;
    end
end

The value τ is a threshold value fixed by the attacker.

9 / 59

Last-round attacks

Remarks

As we exhaust all values of the last-round subkey, this attack only works in this basic form if the subkeys have a small size (e.g. not for AES-128).

In practice, we only try to recover a small part of the last-round key (some bits).

For the other bits of the subkey, we repeat the attack by modifying the parameters of the attack.

Once the last subkey is recovered, how do we proceed next?

For some ciphers, once a subkey is completely recovered, one can compute back through the key schedule to retrieve the master key.

If the different subkeys are not related, one can:

Exhaustively search the remaining key bits

Repeat the same attack on the ciphers obtained by successively removing the last round

Combine both approaches

10 / 59

Higher-order differential attacks

Outline

1 Last-round attacks

2 Higher-order differential attacks

3 Integral attacks

4 Bounds on the degree of iterated constructions

11 / 59

Higher-order differential attacks

Higher-order derivatives

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$.

Derivative of $F$ at a point $a \in \mathbb{F}_2^n$:

$$D_a F(x) := F(x \oplus a) \oplus F(x), \quad \text{for every } x \in \mathbb{F}_2^n$$

Xuejia Lai extended this notion in 1994.

Definition [k-th order derivative of F]. For any k-dimensional subspace $V$ of $\mathbb{F}_2^n$, the k-th order derivative of $F$ with respect to $V$ is the function defined by

$$D_V F(x) = D_{a_1} D_{a_2} \cdots D_{a_k} F(x) = \bigoplus_{v \in V} F(x + v),$$

for every $x \in \mathbb{F}_2^n$, where $(a_1, \ldots, a_k)$ is a basis of $V$.

12 / 59

Higher-order differential attacks

Example

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ and $V = \langle a_1, a_2 \rangle \subset \mathbb{F}_2^n$ of dimension 2.

The 2nd-order derivative of $F$ with respect to $V$ is

$$\begin{aligned}
D_V F(x) &= D_{a_1} D_{a_2} F(x) \\
&= D_{a_1}\big(F(x) + F(x + a_2)\big) \\
&= F(x) + F(x + a_1) + F(x + a_2) + F(x + a_1 + a_2).
\end{aligned}$$

13 / 59

Higher-order differential attacks

Degree of a derivative

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ of degree $d$ and $a = (a_1, \ldots, a_n)$. Then,

$$\deg(D_a F) \le d - 1.$$

Examples:

$F(x_1, \ldots, x_n) = x_1$. Then,

$$D_a F(x) = D_a(x_1) = (x_1 \oplus a_1) \oplus x_1 = a_1 \ \Rightarrow\ \deg(D_a F) = 0$$

$F(x_1, \ldots, x_n) = x_1 x_2$. Then,

$$\begin{aligned}
D_a F(x) = D_a(x_1 x_2) &= (x_1 \oplus a_1)(x_2 \oplus a_2) \oplus x_1 x_2 \\
&= x_1 x_2 \oplus a_1 x_2 \oplus a_2 x_1 \oplus a_1 a_2 \oplus x_1 x_2 \\
&= a_1 x_2 \oplus a_2 x_1 \oplus a_1 a_2 \ \Rightarrow\ \deg(D_a F) = 1
\end{aligned}$$

14 / 59

Higher-order differential attacks

Important property

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ of degree $d$ and $a = (a_1, \ldots, a_n)$.

Example:

$F(x_1, \ldots, x_n) = x_1 x_2 \cdots x_d$. Then,

$$\begin{aligned}
D_a(x_1 x_2 \cdots x_d) &= (x_1 \oplus a_1)(x_2 \oplus a_2) \cdots (x_d \oplus a_d) \oplus x_1 x_2 \cdots x_d \\
&= x_1 \cdots x_d \oplus (\text{terms of degree} \le d - 1) \oplus x_1 \cdots x_d \\
&\Rightarrow\ \deg(D_a F) \le d - 1
\end{aligned}$$

Proposition [Lai 94]. For every subspace $V$ with $\dim V > \deg F$,

$$D_V F(x) = \bigoplus_{v \in V} F(x + v) = 0, \quad \text{for every } x \in \mathbb{F}_2^n.$$

15 / 59
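The derivative and degree computations of slides 12 to 15, worked through in code as an added example that is not part of the slides. A function on $\mathbb{F}_2^n$ is a Python callable on n-bit integers, the algebraic degree is read off the ANF obtained by the Möbius transform, and the checks reproduce $\deg(D_a x_1) = 0$, $\deg(D_a(x_1 x_2)) = 1$ and Lai's proposition $D_V F = 0$ for $\dim V > \deg F$ on the monomial $x_1 x_2 x_3 x_4$. The function names and the choice of n = 6 variables are assumptions of this example.

```python
"""Derivatives and algebraic degree of Boolean functions (added example, not
code from the slides). A function F: F_2^n -> F_2^m is a callable on n-bit
integers returning an m-bit integer; bit i-1 of the input is the variable x_i
and bit j of the output is coordinate j."""
import itertools


def anf_coefficients(f, n):
    """Moebius transform: truth table of a Boolean function f on F_2^n -> ANF.
    Entry u is the coefficient of the monomial prod_{i in u} x_i."""
    coeff = [f(x) & 1 for x in range(1 << n)]
    for i in range(n):
        bit = 1 << i
        for u in range(1 << n):
            if u & bit:
                coeff[u] ^= coeff[u ^ bit]
    return coeff


def degree(F, n, m=1):
    """Algebraic degree of F = max degree over its m coordinate functions
    (the zero function gets -1, non-zero constants get 0)."""
    best = -1
    for j in range(m):
        coeff = anf_coefficients(lambda x: (F(x) >> j) & 1, n)
        best = max([best] + [bin(u).count("1") for u in range(1 << n) if coeff[u]])
    return best


def derivative(F, a):
    """First-order derivative D_a F(x) = F(x + a) + F(x)."""
    return lambda x: F(x ^ a) ^ F(x)


def span(basis):
    """All 2^k vectors of the subspace V spanned by (a_1, ..., a_k)."""
    vectors = []
    for choice in itertools.product((0, 1), repeat=len(basis)):
        v = 0
        for c, a in zip(choice, basis):
            if c:
                v ^= a
        vectors.append(v)
    return vectors


def higher_order_derivative(F, basis):
    """Lai's k-th order derivative D_V F(x) = XOR_{v in V} F(x + v), V = span(basis)."""
    V = span(basis)

    def dv(x):
        acc = 0
        for v in V:
            acc ^= F(x ^ v)
        return acc
    return dv


def monomial(n, d):
    """The Boolean monomial x_1 x_2 ... x_d in n variables."""
    mask = (1 << d) - 1
    return lambda x: 1 if (x & mask) == mask else 0


def is_zero(F, n):
    """True when F vanishes on the whole of F_2^n."""
    return all(F(x) == 0 for x in range(1 << n))


if __name__ == "__main__":
    n = 6
    f = monomial(n, 2)                               # x_1 x_2, degree 2
    print(degree(f, n), degree(derivative(f, 0b11), n))            # 2 1
    f4 = monomial(n, 4)                              # x_1 x_2 x_3 x_4, degree 4
    e = [1 << i for i in range(n)]                   # unit vectors e_1, ..., e_6
    print(degree(higher_order_derivative(f4, e[:2]), n))           # 2: x_3 x_4
    print(is_zero(higher_order_derivative(f4, e[:4]), n),          # False: constant 1
          is_zero(higher_order_derivative(f4, e[:5]), n))          # True: dim V = 5 > 4
```

Each derivative with respect to one basis vector lowers the degree by at least one, so the derivative of order $d$ of a degree-$d$ monomial is a constant (here the constant 1), and any derivative of order $d + 1$ is identically zero.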

Higher-order differential attacks

Attack on the last round

Attack based on a low degree.

[Figure: SPN with plaintext $m$, subkeys $k_0, k_1, \ldots, k_r$, Sbox layers $S$ and linear layers $L$, ciphertext $c$; the first $r - 1$ rounds form a map $F$ of degree $< d$, and $z = F_k^{-1}(c)$ denotes the state obtained by inverting the last round with subkey $k$]

16 / 59

Higher-order differential attacks

Use higher-order derivatives [Knudsen 94]

For all values of $k$ check whether $m \mapsto z = F_k^{-1}(c)$ has degree $< d$.

How?

Check whether all derivatives of order $d$ are zero.

[Figure: last round of the SPN, subkey $k_{r-1}$, Sbox layer, linear layer, subkey $k_r$, ciphertext $c$, and $z = F_k^{-1}(c)$]

17 / 59

Higher-order differential attacks

The attack

Let $V$ be a vector space of dimension $d$.

Input: Choose $2^d$ plaintexts of the form $m \oplus v$, $v \in V$ (coset of $V$) and get the corresponding ciphertexts.

Example $d = 3$, $m = 0$, $V = \langle v_1, v_2, v_3 \rangle$.

Chosen plaintexts: $0, v_1, v_2, v_3, v_1 \oplus v_2, v_1 \oplus v_3, v_2 \oplus v_3, v_1 \oplus v_2 \oplus v_3$.

If for a key $k$,

$$\bigoplus_{i=0}^{2^d - 1} F_k^{-1}(c_i) \ne 0,$$

we conclude that $k$ is a wrong key.

18 / 59

Higher-order differential attacks

Number of candidate keys

What is the probability that for a wrong key, $\bigoplus_i F_k^{-1}(c_i) = 0$?

(false alarm probability)

$$P\left[\bigoplus_{i=0}^{2^d - 1} F_k^{-1}(c_i) = 0\right] = 2^{-n},$$

where $n$ is the block size.

As there are $2^\kappa$ key candidates ($\kappa$ is the size of a subkey), around $2^{\kappa - n}$ among them will be proposed as candidates for the right key.

19 / 59

Higher-order differential attacks

Find the right candidate

How to find the right key among the remaining candidates?

Do an exhaustive search among the remaining candidates or

Repeat the attack by choosing a different vector space of dimension $d$.

Data complexity: $2^d$ chosen plaintexts.

Time complexity: $2^d \times 2^\kappa$.

Remark: In practice, we recover smaller fragments of the key.

20 / 59

Higher-order differential attacks

The KN cipher [Knudsen-Nyberg 95]

6-round Feistel cipher

$E : \mathbb{F}_2^{32} \to \mathbb{F}_2^{33}$ linear

$T : \mathbb{F}_2^{33} \to \mathbb{F}_2^{32}$ linear

$k_i$: 33-bit subkey

$S : \mathbb{F}_{2^{33}} \to \mathbb{F}_{2^{33}}$ with $x \mapsto x^3$

[Figure: one Feistel round with inputs $(x_{i-1}, y_{i-1})$, outputs $(x_i, y_i)$ and round function $T \circ S(E(\cdot) \oplus k_i)$]

$$\mathbb{F}_2^{32} \times \mathbb{F}_2^{32} \to \mathbb{F}_2^{32} \times \mathbb{F}_2^{32}, \quad (x, y) \mapsto (y,\ x \oplus T \circ S(E(x) \oplus k_i))$$

21 / 59

Higher-order differential attacks

The role of the function S

Name initially given to the cipher: CRADIC (Cipher Resistant Against Differential Cryptanalysis).

The function $S$ plays a crucial role.

The function $x \mapsto x^3$ on the field $\mathbb{F}_{2^{33}}$ was chosen.

This function is known to be resistant against linear and differential attacks.

But, this function is of degree 2.

22 / 59

Higher-order differential attacks

Higher-order differential attack against KN

Presented by Jacobsen and Knudsen in 1997.

Exploit the low algebraic degree of the round function.

Input: Plaintexts of the form $(x_0, y_0) \in \mathbb{F}_2^{32} \times \mathbb{F}_2^{32}$, where $y_0 = c$, for some constant $c$.

23 / 59

Higher-order differential attacks

4 rounds of encryption

$$\begin{aligned}
y_0(x) &= c \\
y_1(x) &= x \oplus F_{k_1}(c) := x \oplus c' \\
y_2(x) &= F_{k_2}(x \oplus c') \oplus c \\
y_3(x) &= F_{k_3}(F_{k_2}(x \oplus c') \oplus c) \oplus x \oplus c' \\
y_4(x) &= F_{k_4}(F_{k_3}(F_{k_2}(x \oplus c') \oplus c) \oplus x \oplus c') \oplus F_{k_2}(x \oplus c') \oplus c
\end{aligned}$$

[Figure: the six Feistel rounds $F_{k_1}, \ldots, F_{k_6}$ with input $(x_0, y_0) = (x, c)$ and output $(x_6, y_6)$; the degree of $y_1, y_2, y_3, y_4$ in $x$ is bounded by $d = 1, 2, 4, 8$]

24 / 59

Higher-order differential attacks

Evaluate the degree of y4

$$y_4(x) = F_{k_4}(F_{k_3}(F_{k_2}(x \oplus c') \oplus c) \oplus x \oplus c') \oplus F_{k_2}(x \oplus c') \oplus c$$

Obviously, the degree of $y_4$ is bounded by the degree of

$$G = F_{k_4} \circ F_{k_3} \circ F_{k_2}$$

As $\deg(F_{k_i}) = \deg(S) = 2$, we get that

$$\deg(y_4) \le \deg(G) \le \deg(F_{k_4}) \times \deg(F_{k_3}) \times \deg(F_{k_2}) \le 2^3$$

25 / 59

Higher-order differential attacks

Write down the equations

If $V$ is a subspace of $\mathbb{F}_2^{32}$ with $\dim(V) = 9$, we have:

$$D_V y_4(x) = \bigoplus_{v \in V} y_4(v \oplus x) = 0,$$

for all $x \in \mathbb{F}_2^{32}$. We get now the following equation:

$$x_6(x) = F_{k_6}(y_5(x)) \oplus y_4(x), \qquad y_4(x) = F_{k_6}(y_5(x)) \oplus x_6(x)$$

[Figure: the last two rounds $F_{k_5}$, $F_{k_6}$, with $y_4$ of degree $d = 8$, intermediate value $y_5$ and output $(x_6, y_6)$]

26 / 59

Higher-order differential attacks

Attack equation

$$\bigoplus_{v \in V} F_{k_6}(y_5(v \oplus w)) \oplus \bigoplus_{v \in V} x_6(v \oplus w) = 0.$$

Recover the key $k_6$.

There will be on average $2^{33 - 32} = 2$ candidate keys for $k_6$.

Recover the remaining subkeys by mounting the same attack on the reduced-round cipher.

27 / 59

Integral attacks

Outline

1 Last-round attacks

2 Higher-order differential attacks

3 Integral attacks

4 Bounds on the degree of iterated constructions

28 / 59

Integral attacks

Integral attacks - History

Attack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher.

In 1997, the SQUARE cipher was presented by Daemen, Knudsen and Rijmen.

During the design, the authors discovered a new chosen-plaintext attack against 6 rounds of the cipher.

This new attack was named the square attack.

In the beginning the attack was applied against SPN ciphers.

Later, Lucks generalized the attack to other types of ciphers and called it the saturation attack.

In 2002, Knudsen and Wagner unified the different aspects of these attacks and gave them the name integral attacks.

29 / 59

Integral attacks

Multisets

Multiset: Every element in the set can appear multiple times.

An element of a multiset is a pair (value, multiplicity).

Example. V = {1, 2, 2, 2, 3, 3, 4}, or V = {(1, 1), (2, 3), (3, 2), (4, 1)}

The attacker studies the propagation of the multiset through the cipher.

30 / 59

Integral attacks

Integral over a multiset

Application to word-oriented ciphers.

Notation: $w$ is the number of words in a plaintext (e.g. AES: 16 words of 8 bits each).

Choose plaintexts in a way that the multiset in each word verifies a specific property.

Definition. We call integral over a multiset $S$ the sum

$$\bigoplus_{v \in S} v$$

31 / 59

Integral attacks

Properties

An attacker tries to predict the values in the integrals after a certain number of rounds.

Distinguish between 3 cases.

(For the examples, the word-size is 3 bits.)

1. C: All $w$ words in the multiset have the same constant value. The multiset $S = \{3, 3, 3, 3, 3, 3, 3, 3\}$ has the property C.

2. A: The $w$ words in the multiset take all possible values. The multiset $S = \{0, 1, 2, 3, 4, 5, 6, 7\}$ has the property A.

3. B: The integral over $S$ is 0.

32 / 59

Integral attacks

Example: AES

16 words of 8 bits.

$2^8$ chosen plaintexts $m_i$ of the form

$$(x_i, c, c, c, c, c, c, c, c, c, c, c, c, c, c, c),$$

where $x_i = i$, for $i = 0, \ldots, 255$ and $c$ some constant.

[Figure: 4 × 4 AES state with property A in the first byte and C in the 15 other bytes]

Analyze how this multiset propagates through the different operations of AES.

33 / 59

Integral attacks

Through AddRoundKey

The same constant value is XORed to each byte.

Example.

$(0x06, \ldots, 0x06) \to (0x06 \oplus 0x01, \ldots, 0x06 \oplus 0x01) = (0x07, \ldots, 0x07)$

C → C

Property. If we XOR the same constant value to each different value of a set having A we get again all possible values in the set.

Example. $S = \{0x0, 0x1, 0x2, 0x3\}$, $k = 0x2$, $S \oplus k = \{0x2, 0x3, 0x0, 0x1\}$

A → A

[Figure: the state (A, C, …, C) is unchanged by AddRoundKey]

34 / 59

Integral attacks

Through SubBytes

The Sbox $S$ is a permutation.

If all values of a multiset have the same constant value $c$, all values will have the same constant value $c' = S(c)$ after SubBytes. C → C

If the values of a multiset take all possible values, the Sbox will only permute these values. A → A

[Figure: the state (A, C, …, C) is unchanged by SubBytes]

35 / 59

Integral attacks

Through ShiftRows

ShiftRows only permutes the bytes of the state.

[Figure: the state (A, C, …, C) is unchanged by ShiftRows; the A byte sits in the first row, which is not shifted]

36 / 59

Integral attacks

Through MixColumns (I)

Inputs of the 1st column: $(x_0^i, x_1^i, x_2^i, x_3^i)$, $0 \le i \le 255$

Outputs of the 1st column: $(y_0^i, y_1^i, y_2^i, y_3^i)$, $0 \le i \le 255$

$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} x_0^i \\ x_1^i \\ x_2^i \\ x_3^i \end{pmatrix} = \begin{pmatrix} y_0^i \\ y_1^i \\ y_2^i \\ y_3^i \end{pmatrix}$$

$$\begin{aligned}
y_0^0 &= 02 \cdot x_0^0 + 03 \cdot x_1^0 + 01 \cdot x_2^0 + 01 \cdot x_3^0 \\
y_0^1 &= 02 \cdot x_0^1 + 03 \cdot x_1^1 + 01 \cdot x_2^1 + 01 \cdot x_3^1 \\
&\ \ \vdots \\
y_0^{255} &= 02 \cdot x_0^{255} + 03 \cdot x_1^{255} + 01 \cdot x_2^{255} + 01 \cdot x_3^{255}
\end{aligned}$$

Since $x_1^i, x_2^i, x_3^i$ are the same constants for every $i$, this reduces to

$$y_0^0 = 02 \cdot x_0^0 + c, \quad y_0^1 = 02 \cdot x_0^1 + c, \quad \ldots, \quad y_0^{255} = 02 \cdot x_0^{255} + c$$

37 / 59

Integral attacks

Through MixColumns (II)

[Figure: MixColumns maps the state (A, C, …, C) to a state whose first column is (A, A, A, A) and whose other 12 bytes are C]

38 / 59

Integral attacks

After 3 rounds

[Figure: propagation of the multiset through three AES rounds. Round 1: AddRoundKey, SubBytes and ShiftRows keep (A, C, …, C); MixColumns turns the first column into (A, A, A, A). Round 2: AddRoundKey and SubBytes keep the four A bytes; ShiftRows moves them into four different columns; MixColumns makes all 16 bytes A. Round 3: AddRoundKey, SubBytes and ShiftRows keep all 16 bytes A; the output of MixColumns is marked "?" and is determined on the next slide]

39 / 59

Integral attacks

After MixColumns

$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} x_0^i \\ x_1^i \\ x_2^i \\ x_3^i \end{pmatrix} = \begin{pmatrix} y_0^i \\ y_1^i \\ y_2^i \\ y_3^i \end{pmatrix}$$

$$\begin{aligned}
y_0^0 \oplus \cdots \oplus y_0^{255} &= 02 \cdot x_0^0 \oplus 03 \cdot x_1^0 \oplus 01 \cdot x_2^0 \oplus 01 \cdot x_3^0 \\
&\quad \oplus 02 \cdot x_0^1 \oplus 03 \cdot x_1^1 \oplus 01 \cdot x_2^1 \oplus 01 \cdot x_3^1 \\
&\quad \vdots \\
&\quad \oplus 02 \cdot x_0^{255} \oplus 03 \cdot x_1^{255} \oplus 01 \cdot x_2^{255} \oplus 01 \cdot x_3^{255} \\
&= 02 \cdot \bigoplus_{i=0}^{255} x_0^i \oplus 03 \cdot \bigoplus_{i=0}^{255} x_1^i \oplus 01 \cdot \bigoplus_{i=0}^{255} x_2^i \oplus 01 \cdot \bigoplus_{i=0}^{255} x_3^i \\
&= 02 \cdot 00 \oplus 03 \cdot 00 \oplus 01 \cdot 00 \oplus 01 \cdot 00 \\
&= 00.
\end{aligned}$$

40 / 59

Integral attacks

After 3 rounds of AES

[Figure: same propagation as on the previous slide, (A, C, …, C) → first column (A, A, A, A) → all 16 bytes A; after the third MixColumns every byte has property B]

41 / 59

Integral attacks

Distinguishing property for 3 rounds of AES

After the 3rd MixColumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0).

Property that holds with probability 1.

Property independent of the key.

[Figure: (A, C, …, C) → R → first column (A, A, A, A), other bytes C → R → all 16 bytes A → R → all 16 bytes B, where R denotes one AES round]

The byte taking all 256 values (saturated) can be any of the 16 bytes.

42 / 59

Integral attacks

Attack over AES reduced to 4 rounds

Goal: Recover the subkey $k_4$ of the 4th round of AES.

Remark: No MixColumns in the last round.

Input: 256 chosen plaintexts $m_i$ of the form

$$(x_i, c, c, c, c, c, c, c, c, c, c, c, c, c, c, c),$$

where $x_i = i$, for $i = 0, \ldots, 255$ and $c$ some constant, and the corresponding ciphertexts $c_i$, $i = 0, \ldots, 255$.

[Figure: state after the 3rd round (all 16 bytes B) → SubBytes → ShiftRows → ⊕ $k_4$ → ciphertext]

43 / 59

Integral attacks

Divide and conquer

Subkey $k_4$ is 128 bits long (exhaustive search not possible!).

Use a divide and conquer strategy and recover the last subkey byte by byte.

[Figure: state after the 3rd round (all bytes B) → SubBytes → ShiftRows → ⊕ $k_4$ → ciphertext; one byte $v_i$ of the state before SubBytes is mapped to the ciphertext byte $c_i$ through the Sbox and the subkey byte $k_4^{13}$]

$$c_i = S(v_i) \oplus k_4^{13}, \qquad v_i = S^{-1}(c_i \oplus k_4^{13})$$

But, if $k_4^{13}$ is the right value

$$\bigoplus_{i=0}^{255} v_i = \bigoplus_{i=0}^{255} S^{-1}(c_i \oplus k_4^{13}) = 0$$

44 / 59

Integral attacks

Complexity

Data complexity: $2^8$ chosen plaintext-ciphertext pairs (a little bit more to get rid of false alarms)

Time complexity: $\approx 16 \times 2^8 \times 2^8 = 2^{20}$ XORs.

Assume that a full encryption is composed of $2^6$ similar simple operations. So, time complexity $\approx 2^{14}$ encryptions.

45 / 59
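The 4-round square attack of slides 43 to 45 run end to end, as an added example that is not code from the slides. The block is a plain AES-128 implementation with the number of rounds set to 4 and no MixColumns in the last round, a constructed test key, and the byte-by-byte recovery of the last round key from a few sets of 256 chosen plaintexts $(i, c, \ldots, c)$; the function names and the constants chosen for the 15 inactive bytes are assumptions of this example.

```python
"""Integral (square) attack on AES-128 reduced to 4 rounds (added example,
not code from the slides). Plain AES-128 with ROUNDS = 4 and no MixColumns
in the last round; the key is a constructed test value. State and round
keys are stored column-major (index 4*col + row)."""

ROUNDS = 4


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox():
    """AES Sbox: multiplicative inverse followed by the FIPS-197 affine map."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = gf_mul(inv, x)          # x^254 = x^-1 in GF(2^8); 0 stays 0
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x


def expand_key(key):
    """AES-128 key schedule, truncated to ROUNDS + 1 round keys of 16 bytes."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 4 * (ROUNDS + 1)):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]     # RotWord, SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(ROUNDS + 1)]


def shift_rows(s):
    """Row r of the 4x4 state is rotated left by r positions."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def encrypt(block, round_keys):
    """Initial key addition, ROUNDS - 1 full rounds, last round without MC."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, ROUNDS + 1):
        s = shift_rows([SBOX[b] for b in s])
        if r < ROUNDS:
            s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, round_keys[r])]
    return s


def square_attack(oracle, constants=(0x00, 0x5A, 0xC7, 0x1B)):
    """Recover the last round key byte by byte (divide and conquer).

    For each constant c the 256 plaintexts (i, c, ..., c) form the multiset of
    slide 33: after three rounds every byte position is balanced, so for the
    right key byte k the XOR of S^-1(ciphertext byte XOR k) over the set is 0.
    A wrong byte passes one set with probability about 2^-8, so the survivors
    of several sets are intersected to remove false alarms."""
    candidates = [set(range(256)) for _ in range(16)]
    for c in constants:
        cts = [oracle([i] + [c] * 15) for i in range(256)]
        for pos in range(16):
            keep = set()
            for k in candidates[pos]:
                acc = 0
                for ct in cts:
                    acc ^= INV_SBOX[ct[pos] ^ k]
                if acc == 0:
                    keep.add(k)
            candidates[pos] = keep
    return candidates


def recover_last_round_key(oracle):
    """The 16 recovered bytes, provided every position has a single survivor."""
    cands = square_attack(oracle)
    if any(len(c) != 1 for c in cands):
        raise ValueError("ambiguous position: use more chosen-plaintext sets")
    return [next(iter(c)) for c in cands]


if __name__ == "__main__":
    rks = expand_key(bytes(range(16)))                # constructed key
    print(recover_last_round_key(lambda pt: encrypt(pt, rks)) == rks[ROUNDS])   # True
```

The work is dominated by the first set: 16 byte positions times 256 guesses times 256 inverse-Sbox lookups, the $16 \times 2^8 \times 2^8 = 2^{20}$ of slide 45; the later sets only have to re-check the handful of survivors.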

Integral attacks

Link with higher-order differential cryptanalysis

A differential of order $d$ is the sum of $2^d$ vectors of a well-chosen vector space, so it can be seen as an integral.

Recently, Yosuke Todo extended integral attacks to take the algebraic degree into account in a clearer way. This extension is called the division property.

46 / 59

Bounds on the degree of iterated constructions

Outline

1 Last-round attacks

2 Higher-order differential attacks

3 Integral attacks

4 Bounds on the degree of iterated constructions

47 / 59

Bounds on the degree of iterated constructions

Iterated permutations

Most of the symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times.

Important to estimate the algebraic degree of such iterated permutations.

Functions with a low degree are vulnerable to:

Algebraic attacks

Higher-order differential attacks and distinguishers

48 / 59

Bounds on the degree of iterated constructions

A trivial bound

Proposition: Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ and $G$ a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then

$$\deg(G \circ F) \le \deg(G) \deg(F).$$

Example: Round function $R$ of AES is of degree 7. Then

$$\deg(R^2) = \deg(R \circ R) \le 7^2 = 49.$$

49 / 59

Bounds on the degree of iterated constructions

Substitution Permutation Networks

[Figure: three rounds of an SPN, each a layer of parallel Sboxes S followed by a linear layer]

How to estimate the evolution of the degree of such constructions?

50 / 59

Bounds on the degree of iterated constructions

[Figure: one Sbox layer on 16 bits; inputs $x_0, \ldots, x_{15}$ go through four 4-bit Sboxes $S_1, S_2, S_3, S_4$ to outputs $y_0, \ldots, y_{15}$]

After several rounds, all coordinates can be expressed as a sum of monomials.

Each monomial is a product of variables in $X = \{x_0, \ldots, x_{15}\}$. Seen from the output of the Sbox layer, each monomial is a product of variables in $Y = \{y_0, \ldots, y_{15}\}$.

The coordinates $y_0$ to $y_3$ are outputs of the same Sbox (equally for the others).

What is the consequence on the degree of the product?

51 / 59

Bounds on the degree of iterated constructions

The notion of δk

Definition: For a permutation $S$ define $\delta_k(S)$ as the maximum degree of the product of $k$ coordinates of $S$.

→ $\delta_1(S)$ := algebraic degree of $S$

Example: $\deg S = 3$

k   | 1 | 2 | 3 | 4
δ_k | 3 | 3 | 3 | 4

$S$ permutation of $\mathbb{F}_2^n$:

$\delta_k(S) = n$ iff $k = n$.

52 / 59

Bounds on the degree of iterated constructions

Example: Product of 6 coordinates.

[Figure: outputs $y_0, \ldots, y_{15}$ of the four Sboxes $S_1, \ldots, S_4$, where $S_j$ outputs $y_{4j-4}, \ldots, y_{4j-1}$]

$\pi = y_0 y_1 y_3 y_8 y_9 y_{10}$.

$\deg(\pi) \le \delta_3(S_1) + \delta_3(S_3) = 6$.

$\pi = y_0 y_5 y_8 y_{10} y_{13} y_{15}$.

$\deg(\pi) \le \delta_1(S_1) + \delta_1(S_2) + \delta_2(S_3) + \delta_2(S_4) = 12$.

The degree of the product is relatively low if many coordinates coming from the same Sbox are involved!

53 / 59

Bounds on the degree of iterated constructions

Towards the bound

[Figure: a layer of four Sboxes S]

Find the maximal degree of the product $\pi$ of $d$ outputs.

$x_i$ = # Sboxes for which exactly $i$ coordinates are involved in $\pi$.

Example ($d = 13$)

$x_4 = 1$, $x_3 = 3$: $\deg(\pi) \le \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 3 + 4 \cdot 1 = 13$.

$x_4 = 2$, $x_3 = 1$, $x_2 = 1$: $\deg(\pi) \le \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 1 + 3 \cdot 1 + 4 \cdot 2 = 14$.

$x_4 = 3$, $x_1 = 1$: $\deg(\pi) \le \delta_1 x_1 + \delta_4 x_4 = 3 \cdot 1 + 4 \cdot 3 = 15$.

In general:

$$\deg(\pi) \le \max_{(x_1, x_2, x_3, x_4)} (\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4) \quad \text{with } x_1 + 2x_2 + 3x_3 + 4x_4 = d.$$

54 / 59

Bounds on the degree of iterated constructions

d  | x_4 | x_3 | x_2 | x_1 | deg(π)
16 | 4   | -   | -   | -   | 16
15 | 3   | 1   | -   | -   | 15
14 | 3   | -   | 1   | -   | 15
13 | 3   | -   | -   | 1   | 15
12 | 2   | 1   | -   | 1   | 14
11 | 2   | -   | 1   | 1   | 14
10 | 2   | -   | -   | 2   | 14
9  | 1   | 1   | -   | 2   | 13
…  | …   | …   | …   | …   | …

$$16 - \deg(\pi) \ge \frac{16 - d}{3}, \quad \text{i.e.} \quad \deg(\pi) \le 16 - \frac{16 - d}{3}$$

55 / 59

Bounds on the degree of iterated constructions

A bound on the degree of SPN constructions

[Boura – Canteaut – De Cannière - 11]

Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the parallel application of an Sbox, $S$, defined over $\mathbb{F}_2^{n_0}$. Then, for any $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^\ell$, we have

$$\deg(G \circ F) \le n - \frac{n - \deg G}{\gamma(S)},$$

where

$$\gamma(S) = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i}.$$

56 / 59

Bounds on the degree of iterated constructions

Application to AES

One round: MC ◦ SR ◦ SB ◦ AK.

AK: AddRoundKey

SB: SubBytes (Sboxes of degree 7)

SR: ShiftRows

MC: MixColumns

57 / 59

Bounds on the degree of iterated constructions

The Super Sbox technique

Two rounds:

R2 = MC ◦ SR ◦ SB ◦ AK ◦ MC ◦ SR ◦ SB ◦ AK.

Equivalently:

R2 = MC ◦ SR ◦ SB ◦ AK ◦ MC ◦ SB ◦ SR ◦ AK.

Denote:

SuperSbox = SB ◦ AK ◦ MC ◦ SB.

Then:

R2 = MC ◦ SR ◦ SuperSbox ◦ SR ◦ AK.

58 / 59

Bounds on the degree of iterated constructions

Bound on up to 4 rounds

SuperSbox: $\mathbb{F}_2^{32} \to \mathbb{F}_2^{32}$: Two non-linear layers composed of Sboxes of degree 7, separated by a linear layer.

$$\deg(\text{SuperSbox}) \le 32 - \frac{32 - 7}{7} \le 28.$$

(Trivial bound: $\deg(R^2) \le 7^2 = 49$!!!)

Bound for $r$ rounds:

$$\deg(R^r) = \deg(R^{r-1} \circ R) \le 128 - \frac{128 - \deg(R^{r-1})}{7}.$$

$r = 3$: $\deg(R^3) \le 113$

$r = 4$: $\deg(R^4) \le 125$

59 / 59
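The degree bound of slides 52 to 59 computed explicitly, as an added example that is not from the slides: the maximisation over $(x_1, \ldots, x_4)$ behind the table on slide 55, $\gamma(S)$ for the toy Sbox with $(\delta_1, \ldots, \delta_4) = (3, 3, 3, 4)$, the bound $\deg(G \circ F) \le n - (n - \deg G)/\gamma(S)$ of the theorem on slide 56, and its iteration on AES, which reproduces the values 28, 113 and 125 of slide 59. For AES the code takes $\gamma(S) = 7$ as given on the slides ($\delta_1 = 7$ gives $(8 - 1)/(8 - 7) = 7$, and the other terms are at most $8 - i$ since $\delta_i \le 7$ for $i < 8$ for a permutation). Function names are assumptions of this example.

```python
"""Degree bounds for SPN constructions (added example, not from the slides).

delta[i - 1] holds delta_i(S), the maximal degree of a product of i output
coordinates of the Sbox S; n0 = len(delta) is the Sbox size in bits."""
import itertools
import math
from fractions import Fraction


def max_product_degree(delta, n_boxes, d):
    """Largest degree of a product pi of d Sbox outputs (slide 54): maximise
    sum_i delta_i x_i over the numbers x_i of Sboxes contributing exactly i
    coordinates, subject to sum_i i x_i = d and sum_i x_i <= n_boxes."""
    n0 = len(delta)
    best = 0
    for xs in itertools.product(*(range(d // i + 1) for i in range(1, n0 + 1))):
        if sum(i * x for i, x in enumerate(xs, 1)) == d and sum(xs) <= n_boxes:
            best = max(best, sum(dl * x for dl, x in zip(delta, xs)))
    return best


def gamma(delta):
    """gamma(S) = max over 1 <= i <= n0 - 1 of (n0 - i) / (n0 - delta_i)."""
    n0 = len(delta)
    return max(Fraction(n0 - i, n0 - delta[i - 1]) for i in range(1, n0))


def composed_degree_bound(n, deg_g, gamma_s):
    """Integer form of deg(G o F) <= n - (n - deg G) / gamma(S)."""
    return n - math.ceil(Fraction(n - deg_g) / Fraction(gamma_s))


def iterated_bounds(n, gamma_s, deg_r, start_round, start_bound, rounds):
    """Iterate deg(R^r) = deg(R^{r-1} o R) <= n - (n - deg R^{r-1}) / gamma(S)
    from a known bound deg(R^start_round) <= start_bound, alongside the
    trivial bound deg(R)^r (capped at n - 1, the maximum for a permutation)."""
    bounds = {start_round: start_bound}
    for r in range(start_round + 1, rounds + 1):
        bounds[r] = composed_degree_bound(n, bounds[r - 1], gamma_s)
    trivial = {r: min(deg_r ** r, n - 1) for r in range(start_round, rounds + 1)}
    return bounds, trivial


TOY_DELTA = (3, 3, 3, 4)      # the 4-bit Sbox of degree 3 from slide 52
AES_GAMMA = 7                 # gamma of the AES Sbox as used on slide 59


if __name__ == "__main__":
    # Table of slide 55: exact product degree versus the bound 16 - (16 - d)/3.
    for d in range(16, 8, -1):
        exact = max_product_degree(TOY_DELTA, 4, d)
        print(d, exact, composed_degree_bound(16, d, gamma(TOY_DELTA)))
    # AES: the super-Sbox gives deg(R^2) <= 28, then 113 and 125 for 3 and 4 rounds.
    print(composed_degree_bound(32, 7, AES_GAMMA))
    print(iterated_bounds(128, AES_GAMMA, 7, 2, 28, 4))
```

The exhaustive maximisation is only practical for a handful of Sboxes, which is why the closed-form bound with $\gamma(S)$ matters: it needs nothing but the $\delta_i$ of one Sbox and the degree already established for the previous rounds.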

