Invariant Hopping Attacks on Block Ciphers
• attack 1: 2x linear
• attack 2: 1x linear
• attack 3
• attack 4: strong Bool + high degree invariant + high success proba
Nicolas T. Courtois, University College London, UK
Block Cipher Invariants
Roadmap
Part 1: Cold War / History Block Ciphers
Part 2: New Attacks:
Constructive Cryptanalysis with Polynomial Invariants + Annihilators, inside the Boolean ring Bn
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
Question 1: Why is 0% of the symmetric encryption used in practice provably secure?
A New Frontier in Symmetric Cryptanalysis
MQ Problem
Dense MQ is VERY hard. Best attacks ≈ 2^(0.8765 n)
• top of the top hard problem.
• for both standard and PQ crypto
=> Allows to build a provably secure stream cipher based on MQ directly! C. Berbain, H. Gilbert, and J. Patarin: QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005
=> provably secure encryption exists!
mqchallenge.org; FXL/Joux 2017/372
Question 2: Why have researchers found so few attacks on block ciphers?
“mystified by complexity”
Claim: Finding new attacks on block ciphers is EASY and FUN
Dr. Nicolas T. Courtois, blog.bettercrypto.com
1. cryptanalysis
2. industrial crypto
3. Crypto History
Code Breakers - LinkedIn
Roadmap
Towards Modern Crypto
1960s: NATO Cipher competition
• UK
• US
• France
• Germany
Requirements:
• “tapeless and rotorless” => semi-conductor electronic,
• high EM/SCA security!
Backdoors
French Submission
• large period, non-linearity / removing the correlations (p.108). “…certainement la meilleure machine cryptographique de son époque…” (“…certainly the best cryptographic machine of its era…”)
[2004]
Compromise of Old Crypto
• USS Pueblo / North Korea Jan 1968
Cold War
Cold War: the Soviet Union was breaking codes and employed at least 100 cryptologists…
[Source: Cryptologia, interviews by David Kahn with Gen. Andreev, first head of FAPSI (the Russian NSA)]
Example: In 1967 GRU (Soviet Intelligence) was intercepting cryptograms from 115 countries, using 152 cryptosystems, and among these they broke 11 codes and “obtained” 7 other codes.
US/NATO crypto broken
Russia broke the NATO KW-7 cipher machine: Walker spy ring, rotors + keys,
• paid more than 1M USD (source: NSA)
• “greatest exploit in KGB history”
• allowed the Soviets to “read millions” of US messages [1989, Washington Post]
1970s: Modern block ciphers are born.
In which country??
Who knows…
Eastern Bloc also worked on these questions… and for a long time.
1927: The inventor of the ANF = Algebraic Normal Form
en.wikipedia.org/wiki/Zhegalkin_polynomial
Russian mathematician and logician
Ива́н Ива́нович Жега́лкин [Moscow State University]
“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”
(Bn, +, *)
Our Sources
T-310 spec
BStU = Stasi Records Agency
ZCO = Zentrales Chiffrierorgan der DDR
East German T-310 Block Cipher
• 240 bits
• long-term secret 90 bits only!
• “quasi-absolute security” [1973-1990]
• has a physical RNG => IV
References
Nicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi: Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf, 132 pages, 2017.
Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310, Cryptologia, vol. 42, iss. 4, pp. 316-336, May 2018.
Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh: Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018, https://www.tandfonline.com/doi/abs/10.1080/01611194.2018.1483981
Nicolas T. Courtois, Klaus Schmeh: Feistel Ciphers in East Germany in the Communist Era, Cryptologia, vol. 42, iss. 6, 2018, pp. 427-444.
Cipher Class Alpha –1970s
Who invented Alpha? [full document not available]
T-310 [1973-1990] – 4 branches
IBM USA 1970s
IBM agreed with the NSA that the design criteria of DES should not be made public.
The NSA generated the DES S-boxes. Source: Coppersmith, invited talk at Crypto, summer 2000.
Security of DES (overview)
“Official” History of Cryptanalysis
• DC was known @IBM in 1970s
• Davies-Murphy attack [1982 = classified, published in 1995] = early LC
• Shamir paper [1985] = early LC
• Differential Cryptanalysis: Biham-Shamir [1991]
• Linear Cryptanalysis: Gilbert and Matsui [1992-93]
One form of DC was known in 1973!
LC at ZCO - 1976!
Discrete Differentials and HO DC – 1976 !
Higher Order:
Computing HO Differentials for All Orders (figure): fast points!
Contracting Feistel [1970s Eastern Germany!]
1 round of T-310
φ
Roadmap
Backdoors
Backdoors vs.
“Normal” Cryptanalysis
All our attacks work with relatively large probability,
– so if you are not lucky, a cipher which was NOT backdoored will also be broken!
Any Backdoors?
Claim: Non-bijective φ – ALL broken! See:
1. Nicolas T. Courtois, Maria-Bristena Oprisanu: “Ciphertext-Only Attacks and Weak Long-Term Keys in T-310” [Cryptologia v.42 iss. 4 2018]
How to Backdoor T-310 [yes we can]
bad long-term key
omit just 1 out of 40 conditions: ciphertext-only
LC Method to Backdoor T-310 [2017]
bad long-term key: 1,3,5 => 1,3,5 with P=1
703: P=7,14,33,23,18,36,5,2,9,16,30,12,32,26,21,1,13,25,20,8,24,15,22,29,10,28,6; D=0,4,24,12,16,32,28,36,20
Generalised Linear Cryptanalysis = GLC
[Harpes, Kramer and Massey, Eurocrypt’95]
Concept of non-linear I/O sums.
F(inputs) = G(outputs) with some probability…
Connecting Non-Linear Approximations: Black-Box Approach
Non-linear functions F, G, H, I: F(x1,…), G(x1,…), H(y1,…), I(z1,…)
GLC and Feistel Ciphers?
[Knudsen and Robshaw, EuroCrypt’96]: “one-round approximations that are non-linear […] cannot be joined together”…
At Crypto 2004 Courtois showed that GLC is in fact possible for Feistel schemes!
BLC better than LC for DES
Better than the best existing linear attack of Matsui
for 3, 7, 11, 15, … rounds.
Ex: LC 11 rounds:
BLC 11 rounds:
Wrong Approach [!!!!]: Black-Box Combination Approach
constructive BUT limited possibilities…
F(x1,…), G(x1,…), H(y1,…), I(z1,…)
White Box Approach
New! [Courtois 2018]
Study of non-linear I/O sums.
P(inputs) = P(outputs) with probability 1.
Formal equality of 2 polynomials.
BIG PROBLEM: 2^(2^n) possible attacks
Variable Boolean Function
We denote by Z our Boolean function.
We consider a space of ciphers where Z is variable.
Question: given a fixed polynomial P, what is the probability over a random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds)?
Invariant Hopping
• attack 1: 2x linear
• attack 2: 1x linear
• attack 3
• attack 4: strong Bool + high degree invariant + high success proba
Group Theory – Is DES A Group?
Study of the group generated by φK for any key K.
Typically AGL, not GL. Any smaller sub-groups?
This question was also studied in the Eastern Bloc.
Hopping in Group Lattices
• attack 1: three invariants, linear Boolean function
• attack 2: two invariants, bad Boolean function
• attack 3: one complex high degree invariant, strong Boolean function
AGL
“Hopping” Discovery Method
Making the impossible possible. How?
Learn from examples: old => new attack
• transform a linear attack on a weak cipher with a linear Boolean function
• into a non-linear attack on a cipher with a “strong” Boolean function.
“Hopping” Discovery
• We navigate inside a “product lattice” =def= set of pairs (set of invariants, cipher spec) =
– all possible invariant attacks
– all possible ciphers [we modify the spec of the cipher]
• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.
Linear Attack – Example
Exact Thm. [eprint/2017/440]
Hopping Step 1
First we look at an attack where the Boolean function is linear and we have trivial LINEAR invariants (same as Matsui’s LC).
Example:
A Vulnerable Setup
1 round of T-310
φ
Hopping Step 2
Now could you please tell us if … is an invariant?
The answer is remarkably simple.
Theorem: … is an invariant IF AND ONLY IF a certain polynomial, FE = …, is zero (as a polynomial, with multiple cancellations).
Substituting by the ANF, this simplifies to: …
What is Special About P: 2-factoring decomposition
P = AC+BD.
P is invariant IF AND ONLY IF …
Some solutions are: …
Invariant P of Degree 4?
P = ABCD.
P is a 1-round invariant IF AND ONLY IF …
a multiple of the previous polynomial!
Corollary: Easy Thm. [not included in the paper].
For every cipher in our cipher space = (LZS551 + any Boolean function): if AC+BD is an invariant (degree 2) then also ABCD is an invariant (degree 4).
Note: there is no invariant of degree 3 etc…
Selective Removal
Q: Can we now have ABCD as an invariant of degree 4 WITHOUT any invariants of degrees 1, 2, 3?
Answer: easy: take a root of the second polynomial which is NOT a root of the first [almost always].
mC = YC
mBCD = YBCD
Summary
1. We start with a trivial attack on a weak cipher. Benefit: a certain polynomial has a solution.
2. Then some non-linear invariants also exist = additional roots.
3. Then we modify the cipher [manipulation of the roots of our FE] and the invariant so that simple invariants are removed.
4. What you get is a bit like a backdoor!
– Potentially hard to detect.
Conclusion
We modify the cipher and the invariant so that simple invariants disappear.
Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]
Irreducible Polynomials
Remark: For a long time we searched for invariant attacks where P is an irreducible polynomial.
We were wrong!
Product Question
Trivial NL invariants based on cycles in LC.
A → B → C → D → A
Then ABCD is a round invariant of degree 4.
A → B → C → D → E → A
Then ABCDE is a round invariant of degree 5.
Stupid?? Not at all! Some of the strongest attacks ever found are like this.
Trivial invariants can be REMOVED!!!!
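The selective-removal idea (an ABCD cycle gives a degree-4 product invariant; replacing the linear Boolean function by one that only agrees with it where BCD = 1, as in mBCD = YBCD, kills the linear invariant but keeps the product) on a constructed toy round, as an added Python example that is not part of the original slides and is not T-310: the 6-bit state, the round functions and the choice Z = a + e(1+b) are assumptions made for illustration.

```python
from itertools import product

# Constructed toy round on a 6-bit state (a, b, c, d, e, f); not T-310 itself.
# Bits a, b, c, d are shifted along the cycle A -> B -> C -> D -> Z, where Z is
# the round's "Boolean function"; e and f are mixed so the map stays bijective.
N = 6

def round_weak(a, b, c, d, e, f):
    """Weak cipher: Z is LINEAR (Z = a), closing the cycle A->B->C->D->A."""
    z = a
    return (b, c, d, z, f, e ^ c)

def round_strong(a, b, c, d, e, f):
    """Same round with Z = a + e*(1+b): non-linear, but Z*bcd == a*bcd
    (the analogue of mBCD = YBCD), so the degree-4 product ABCD survives
    while the linear invariant is removed."""
    z = a ^ (e & (b ^ 1))
    return (b, c, d, z, f, e ^ c)

def all_states():
    return product((0, 1), repeat=N)

def is_bijection(rnd):
    return len({rnd(*x) for x in all_states()}) == 2 ** N

def is_invariant(P, rnd):
    """P(inputs) == P(outputs) for every input: a probability-1 invariant."""
    return all(P(*x) == P(*rnd(*x)) for x in all_states())

def linear_form(mask):
    """Linear Boolean function selected by a bitmask over (a, b, c, d, e, f)."""
    return lambda *x: sum(x[i] for i in range(N) if mask >> i & 1) % 2

def linear_invariants(rnd):
    """Exhaustive search: every non-zero linear form that is a round invariant."""
    return [m for m in range(1, 2 ** N) if is_invariant(linear_form(m), rnd)]

def abcd(a, b, c, d, e, f):
    """The degree-4 product invariant P = ABCD."""
    return a & b & c & d

if __name__ == "__main__":
    for name, rnd in (("weak", round_weak), ("strong", round_strong)):
        print(name, "bijective:", is_bijection(rnd),
              "ABCD invariant:", is_invariant(abcd, rnd),
              "linear invariants:", [bin(m) for m in linear_invariants(rnd)])
```

For the weak round the only linear invariant found is a+b+c+d (mask 0b1111); for the strong round the search returns none, yet ABCD is still invariant with probability 1.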
Phase Transition
When P is of degree 4, the Boolean function is still “inevitably” degenerated [this paper].
Q: Can we backdoor or break a cipher with a random Boolean function?
YES, see [eprint/2018/1242]
Degree 8 attack, P = ABCDEFGH. Extremely strong: 15% success rate over the choice of a random Boolean function.
Other Ciphers? DES
Bonus: New Non-Trivial Attacks: an irregular sporadic attack with P of degree 7
New White Box Method
[Courtois 2018]
Same concept of non-linear I/O sums. Focus on perfect invariants mostly.
P(inputs) = P(outputs) with probability 1.
Formal equality of 2 polynomials. Exploits the structure of the ring Bn.
• annihilation events, absorption events
• would be unthinkable if we had unique factorisation: ABCD = A’B’C’D’
*Lack Of Unique Factorization
sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)
sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)
sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
0
sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
0
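The same two identities checked in plain Python instead of Sage, as an added example that is not from the slides: in Bn every variable satisfies x^2 = x, so equality of two polynomials is tested by exhaustive evaluation over {0,1}^8, and an annihilation event (B+C)(B+C+1) = 0 is added to show the zero divisors that rule out unique factorization. The function names are constructed for this example.

```python
from itertools import product

# Variable order mirrors the Sage ring (A, B, C, D, E, F, G, H); A and E are
# unused by these polynomials but kept so the points range over {0,1}^8.
NVARS = 8

def mu(A, B, C, D, E, F, G, H):
    # (B+C)(G+H)(B+H)(B+F)(C+D)
    return (B ^ C) & (G ^ H) & (B ^ H) & (B ^ F) & (C ^ D)

def fact1(A, B, C, D, E, F, G, H):
    # (C+H+1)(C+F+1)(BDG + H(B+D+1)(B+G+1))
    return (C ^ H ^ 1) & (C ^ F ^ 1) & ((B & D & G) ^ (H & (B ^ D ^ 1) & (B ^ G ^ 1)))

def fact2(A, B, C, D, E, F, G, H):
    # (B+D+1)(B+G+1)(CFH + G(C+H+1)(C+F+1))
    return (B ^ D ^ 1) & (B ^ G ^ 1) & ((C & F & H) ^ (G & (C ^ H ^ 1) & (C ^ F ^ 1)))

def points():
    return product((0, 1), repeat=NVARS)

def is_zero(p):
    """p == 0 in B_n: the polynomial vanishes at every point of {0,1}^n."""
    return all(p(*x) == 0 for x in points())

def equal_in_bn(p, q):
    """p + q == 0 in B_n, i.e. p and q are the same Boolean polynomial."""
    return all(p(*x) == q(*x) for x in points())

def annihilates(p, q):
    """p * q == 0 in B_n although neither factor is zero: an annihilation event."""
    return (not is_zero(p)) and (not is_zero(q)) and is_zero(lambda *x: p(*x) & q(*x))

# Two non-zero polynomials whose product vanishes: (B+C) and (B+C+1).
def b_plus_c(A, B, C, D, E, F, G, H):
    return B ^ C

def b_plus_c_plus_1(A, B, C, D, E, F, G, H):
    return B ^ C ^ 1

if __name__ == "__main__":
    print("mu == fact1:", equal_in_bn(mu, fact1))          # two factorizations of mu
    print("mu == fact2:", equal_in_bn(mu, fact2))
    print("(B+C)*(B+C+1) == 0:", annihilates(b_plus_c, b_plus_c_plus_1))
```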