Computer Algebra and Cryptography
Ludovic Perret (joint work with Jean-Charles Faugère)
SALSA, LIP6, Université Paris 6 & INRIA Paris-Rocquencourt
Workshop on block ciphers and their security
Outline
1 Algebraic Cryptanalysis
    How to Solve it: Gröbner basics
2 Cryptanalysis of Multivariate Schemes
    Multivariate Public Key Cryptography
    Algebraic Cryptanalysis of UOV
    MinRank: A Fresh Look at Kipnis-Shamir's Attack; Experimental Results; Theoretical Analysis
3 Algebraic Aspects of Block Ciphers
    Basic Idea
    Flurry: a Family of Toy Ciphers
    Toward an Efficient Cryptanalysis of Flurry
4 Conclusion
General Context
C.E. Shannon
Communication Theory of Secrecy Systems (1949)
"Breaking a good cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type."
Algebraic Cryptanalysis
Principle
Model a cryptosystem as a set of algebraic equations
Try to solve this system (or estimate the difficulty of solving)
Pioneers
J. Patarin, A. Shamir, N. Courtois, W. Meier, J.-C. Faugère, . . .
Approach
Model a cryptosystem as a set of algebraic equations
Solving

Difficulties
"universal" approach (PoSSo is NP-Hard) ⇒ several models are possible!!!
⇒ Minimize the number of variables/degree
⇒ Maximize the number of equations

Specificity
Solving algebraic systems: use the cryptographic context
Gröbner bases
W. Gröbner
System Solving
Problem
$f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n) \in K[x_1,\dots,x_n]$
Compute $V_K(f_1,\dots,f_m) = \{ z = (z_1,\dots,z_n) \in K^n : f_1(z) = 0,\dots,f_m(z) = 0 \}$
Lemma
Let $I = \langle f_1,\dots,f_m,\ x_1^p - x_1,\dots,x_n^p - x_n \rangle$, with $p = \mathrm{Char}(K)$.
A LEX Gröbner basis of a zero-dimensional system is always as follows:
$\{ g_1(x_1),\ g_2(x_1,x_2),\dots,g_{k_2}(x_1,x_2),\ g_{k_2+1}(x_1,x_2,x_3),\dots \}$
Change of ordering
Computing a LEX Gröbner basis is much slower than computing a DRL Gröbner basis.
J.-C. Faugère, P. Gianni, D. Lazard, T. Mora. Efficient Computation of Zero-dimensional Gröbner Bases by Change of Ordering. J. Symb. Comp., 1993.
Fact
$D$: the number of zeroes (with multiplicities) of $I \subset K[x_1,\dots,x_n]$. FGLM computes a LEX Gröbner basis of $I$ from a known DRL Gröbner basis in:
$O(nD^3)$.
Zero-dim solving : a two steps process
Compute a DRL Gröbner basis:
    Buchberger's algorithm (1965)
    F4 (J.-C. Faugère, 1999)
    F5 (J.-C. Faugère, 2002)
⇒ For a zero-dim system ($n$ variables): $O\left(n^{3 \cdot d_{reg}}\right)$, $d_{reg}$ being the max. degree reached during the computation.
If #eq. = #var.: $d_{reg}$ is generically equal to $n + 1$.
#Sol $\le \prod_{i=1}^n \deg_i$ (Bézout's bound)
Complexity of F5
For a semi-regular system of $m$ ($> n$) quadratic equations over $K[x_1,\dots,x_n]$ the degree of regularity is given by the series:
$\sum_{i \ge 0} a_i z^i = \frac{(1 - z^2)^m}{(1 - z)^n}$,
$d_{reg}$ being the index of the first non-positive coefficient $a_i$.
M. Bardet, J.-C. Faugère, B. Salvy and B.-Y. Yang. Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. MEGA 2005.
If $m = n + 1$: $d_{reg} \sim_{n \to \infty} \left\lceil \frac{n + 1}{2} \right\rceil$.
A. Szanto. Multivariate Subresultants using Jouanolou's Resultant Matrices. Journal of Pure and Applied Algebra.
Motivation
A. Bogdanov, T. Eisenbarth, A. Rupp and C. Wolf. Time-Area Optimized Public-Key Engines: MQ-Cryptosystems as Replacement for Elliptic Curves? CHES 2008.
Multivariate Public Key Cryptography (MPKC)
General Idea (Matsumoto–Imai, 88/83)
Let $f = (f_1,\dots,f_m) \in K[x_1,\dots,x_n]^m$ be such that for all $c = (c_1,\dots,c_m) \in K^m$:
$V_K(f_1 - c_1,\dots,f_m - c_m) = \{ z \in K^n : f_1(z) - c_1 = 0,\dots,f_m(z) - c_m = 0 \}$
can be computed efficiently.
Secret key
$(S, U) \in GL_n(K) \times GL_m(K)$ and $f = (f_1,\dots,f_m) \in K[x_1,\dots,x_n]^m$.
Public key
$p(x) = (p_1(x),\dots,p_m(x)) = (f_1(x \cdot S),\dots,f_m(x \cdot S)) \cdot U = f(x \cdot S) \cdot U$,
with $x = (x_1,\dots,x_n)$.
Encryption
To encrypt $m \in K^n$, compute:
$c = p(m) = (p_1(m),\dots,p_m(m))$.
To decrypt, compute $m' \in K^n$ such that:
$f(m') = c \cdot U^{-1}$.
We then have $m = m' \cdot S^{-1}$, if $\#V_K(\langle f - c \cdot U^{-1} \rangle) = 1$.
Proof.
$p(m' \cdot S^{-1}) = f(m' \cdot S^{-1} \cdot S) \cdot U = c \cdot U^{-1} \cdot U = c$.
Signature
To verify the signature $s \in K^n$ of a digest $H \in K^m$:
$p(s) = H$.
To generate $s \in K^n$ from a digest $H \in K^m$, we apply the decryption process to $H$, i.e. we compute $s' \in K^n$ such that:
$f(s') = H \cdot U^{-1}$.
The signature is then $s = s' \cdot S^{-1}$.
Proof.
$p(s) = f(s' \cdot S^{-1} \cdot S) \cdot U = H \cdot U^{-1} \cdot U = H$.
Unbalanced Oil and Vinegar Scheme
Principle
The set $f = (f_1,\dots,f_m) \in K[x_1,\dots,x_n]^m$ is constructed by splitting the variables $x_1,\dots,x_n$ into:
$\{x_i\}_{i \in V}$, with $V = \{1,\dots,n-m\}$ the set of vinegar indices
$\{x_i\}_{i \in O}$, with $O = \{n-m+1,\dots,n\}$ the set of oil indices
For all $k$, $1 \le k \le m$, the polynomials $f_k$ are:
$\sum_{\{(i,j) \in V \times V : i \le j\}} \alpha_{i,j} \cdot x_i \cdot x_j + \sum_{(i,j) \in V \times O} \beta_{i,j} \cdot x_i \cdot x_j$.
A. Kipnis, J. Patarin, and L. Goubin. Unbalanced Oil and Vinegar Signature Schemes. EUROCRYPT 1999.
Property of the Secret key
Fact
Let $c_1,\dots,c_{n-m} \in K$. For all $k$, $1 \le k \le m$:
$f_k(c_1,\dots,c_{n-m},x_{n-m+1},\dots,x_n)$
is linear in the oil variables:
$f_k(c_1,\dots,c_{n-m},x_{n-m+1},\dots,x_n) = \sum_{\{(i,j) \in V \times V : i \le j\}} \alpha_{i,j} \cdot c_i \cdot c_j + \sum_{(i,j) \in V \times O} \beta_{i,j} \cdot c_i \cdot x_j$.
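As an added worked example (not code from the talk), the MPKC construction instantiated with UOV: key generation with secret $(f, S, U)$ and public key $p(x) = f(x \cdot S) \cdot U$, signing by fixing the vinegar variables so that each $f_k$ becomes linear in the oil variables (the Fact above), and verification of $p(s) = H$. It assumes a prime field $K = \mathbb{F}_{31}$ instead of $\mathbb{F}_{2^4}$ and toy sizes $n = 6$, $m = 3$; each $f_k$ is stored as a coefficient matrix $A_k$ with $f_k(x) = x A_k x^T$, and all function names are mine.

```python
import random
P = 31  # prime field F_31: an assumption for simple arithmetic (the talk uses F_{2^4})
def vec_mat(x, M):                       # row vector times matrix, mod P
    return [sum(xi * M[i][j] for i, xi in enumerate(x)) % P for j in range(len(M[0]))]
def quad_form(x, A):                     # f(x) = x A x^T mod P, A the coefficient matrix of f
    return sum(x[i] * A[i][j] * x[j] for i in range(len(x)) for j in range(len(x))) % P

def solve(A, b):
    """Gauss-Jordan over F_P: x with A x = b, or None if A is singular."""
    n, M = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % P), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col:
                M[r] = [(a - M[r][col] * b) % P for a, b in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]
def invert(M):                           # inverse over F_P (column by column), or None if singular
    n = len(M)
    cols = [solve(M, [int(i == j) for i in range(n)]) for j in range(n)]
    return None if None in cols else [[cols[j][i] for j in range(n)] for i in range(n)]
def random_invertible(n, rng):
    M = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
    return M if invert(M) is not None else random_invertible(n, rng)

def keygen(n, m, seed):                  # secret (f, S, U), public p(x) = f(x S) U (MPKC slides)
    rng, v = random.Random(seed), n - m   # x_1..x_v vinegar, x_{v+1}..x_n oil
    # f_k has vinegar*vinegar (i <= j) and vinegar*oil monomials only: rows i >= v of A_k are zero
    F = [[[rng.randrange(P) if i < v and i <= j else 0 for j in range(n)] for i in range(n)]
         for _ in range(m)]
    S, U = random_invertible(n, rng), random_invertible(m, rng)
    St = [list(col) for col in zip(*S)]
    FS = [[vec_mat(row, St) for row in [vec_mat(s, A) for s in S]] for A in F]   # S A_k S^T
    Pk = [[[sum(U[k][i] * FS[k][a][b] for k in range(m)) % P for b in range(n)]
           for a in range(n)] for i in range(m)]                                # p_i = sum_k U[k][i] f_k(x S)
    return (F, S, U), Pk

def sign(sk, H, seed):                   # fix random vinegar values: each f_k is then linear in the oil variables
    (F, S, U), rng = sk, random.Random(seed)
    n, m = len(S), len(U)
    v, target = n - m, vec_mat(H, invert(U))                          # H . U^{-1}
    while True:
        c = [rng.randrange(P) for _ in range(v)]
        const = [sum(c[i] * A[i][j] * c[j] for i in range(v) for j in range(v)) % P for A in F]
        lin = [[sum(c[i] * A[i][v + j] for i in range(v)) % P for j in range(m)] for A in F]
        o = solve(lin, [(t - k) % P for t, k in zip(target, const)])    # m x m linear system in the oil variables
        if o is not None:
            return vec_mat(c + o, invert(S))                            # s = s' . S^{-1}
def verify(pk, s, H):                    # p(s) = H ?
    return [quad_form(s, Pi) for Pi in pk] == H
```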
Previous Security Result
Recommended Values for UOV
UOV is not secure when m = n.
A. Kipnis and A. Shamir. Cryptanalysis of the Oil and Vinegar Signature Scheme. CRYPTO 1999.
We must have $n \ge 2m$. In particular, $K = \mathbb{F}_{2^4}$, $m = 16$, $n = 32$ (or 48).
Signature Forgery Attack
Specific Context
Given $H \in K^m$, find $z \in K^n$ such that:
$p_1(z) - H_1 = 0,\dots,p_m(z) - H_m = 0$.
The number of polynomials ($m$) is smaller than the number of variables ($n$).
$K = \mathbb{F}_{2^4}$ ⇒ we have not included the field equations $(x_i^{2^4} - x_i)$.
DRL-GB difficult to compute; complexity of FGLM very high.
DRL-GB + LEX-GB with FGLM: automatic in almost all computer algebra systems. For instance: Variety in Magma.
Specifying Variables – (I)
One can randomly fix n −m variables.
A. Braeken, C. Wolf, B. Preneel. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 2005.
Working Hypothesis
The new system behaves like a (semi-)regular system.
$d_{reg} = m + 1$ (17)
$\#V_K(\cdot) \approx 2^m$ (Bézout's bound)
Specifying Variables – (II)
You can randomly fix n −m − r variables (r > 0).
decrease the degree of regularity ($r = 1$, $d_{reg} = \lceil m/2 \rceil$)
decrease the size of the variety
increase the number of Gröbner bases to compute: $(\#K)^r$
Experimental Results
| m | m − r | r | dreg (theoretical) | dreg (observed) |
| 16 | 15 | 1 | 8 | 9 |
| 16 | 14 | 2 | 7 | 7 |
| 16 | 13 | 3 | 6 | 6 |

| m | m − r | r | T_F5 | Mem | Nop_F5 | N |
| 16 | 15 | 1 | ≈ 1 h. | 3532 Mb. | 2^36.9 | 2^40.9 |
| 16 | 14 | 2 | 126 s. | 270 Mb. | 2^32.3 | 2^40.5 |
| 16 | 13 | 3 | 9.41 s. | 38 Mb. | 2^28.7 | 2^40.7 |
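The degree of regularity from the Hilbert series of the "Complexity of F5" slides, as an added example (not code from the talk): it expands $(1 - z^2)^m / (1 - z)^n$ and takes the index of the first non-positive coefficient, then applies this to $m = 16$ quadratic equations left in $m - r$ variables, which reproduces the observed $d_{reg}$ column of the table above (9, 7, 6) and the value 17 for $r = 0$. The `over_f2` option evaluates the $(1+z)^n / (1+z^2)^m$ series used on the later block-cipher slide; all function names are mine.

```python
def mul_binomial(c, a, d):
    """Multiply the truncated power series c (list of coefficients) by (1 + a z^d)."""
    return [c[i] + (a * c[i - d] if i >= d else 0) for i in range(len(c))]

def div_binomial(c, a, d):
    """Divide the truncated series c by (1 + a z^d): out[i] = c[i] - a * out[i - d]."""
    out = []
    for i in range(len(c)):
        out.append(c[i] - (a * out[i - d] if i >= d else 0))
    return out

def hilbert_series(n, m, over_f2=False, max_deg=None):
    """Coefficients a_0 .. a_max_deg of (1 - z^2)^m / (1 - z)^n (m semi-regular quadratic
    equations in n variables) or, with over_f2, of (1 + z)^n / (1 + z^2)^m (over F_2 with
    the field equations, the series of the block-cipher slide)."""
    c = [1] + [0] * (n + 2 if max_deg is None else max_deg)
    if over_f2:
        for _ in range(n):
            c = mul_binomial(c, 1, 1)       # numerator (1 + z)^n
        for _ in range(m):
            c = div_binomial(c, 1, 2)       # denominator (1 + z^2)^m
    else:
        for _ in range(m):
            c = mul_binomial(c, -1, 2)      # numerator (1 - z^2)^m
        for _ in range(n):
            c = div_binomial(c, -1, 1)      # denominator (1 - z)^n
    return c

def degree_of_regularity(n, m, over_f2=False):
    """d_reg of a semi-regular system: index of the first non-positive coefficient of the
    series. None when every coefficient up to degree n + 2 is positive, which happens for
    an underdetermined system (m < n): this is why the attack fixes variables first."""
    return next((d for d, a in enumerate(hilbert_series(n, m, over_f2)) if a <= 0), None)

def hybrid_table(m, rs):
    """d_reg for m quadratic equations left in m - r variables after fixing the others
    (the m, m - r, r columns of the table above); returns [(r, d_reg), ...]."""
    return [(r, degree_of_regularity(m - r, m)) for r in rs]
```

For $r = 1$ the exact series gives 9, the value observed in the table, while the asymptotic formula $\lceil m/2 \rceil$ gives the theoretical 8.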
Remark
L. Bettale, J.-C. Faugère, and L. Perret. Hybrid approach for solving multivariate systems over finite fields. Journal of Mathematical Cryptology, 2009 (to appear).
Evaluation of the complexity of the attack for different values of the parameters
Positive result for the security of UOV
A systematic method (quasi automatic) for evaluating the security of multivariate systems
A. Braeken, C. Wolf, B. Preneel. A Study of the Security of Unbalanced Oil and Vinegar Signature Schemes. CT-RSA 2005.
The MinRank problem
MR
Input: $n, k \in \mathbb{N}^*$; $M_1,\dots,M_k \in \mathcal{M}_{n \times n}(K)$, $r \in \mathbb{N}^*$.
Question: decide if there exists $\lambda = (\lambda_1,\dots,\lambda_k) \in K^k$ such that:
$\mathrm{Rk}\left(\sum_{j=1}^k \lambda_j M_j\right) = r$.
Theorem (Courtois, ASIACRYPT 2001)
MR is NP-Complete.
Applications of MinRank
Zero-Knowledge authentication protocol based on MR
N. Courtois. Efficient Zero-knowledge Authentication Based on a Linear Algebra Problem MinRank. ASIACRYPT 2001.
Security of Multivariate Public Key Cryptosystems
A. Kipnis and A. Shamir. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. CRYPTO 99.
N. Courtois and L. Goubin. Cryptanalysis of the TTM Cryptosystem. ASIACRYPT 2000.
O. Billet and H. Gilbert. Cryptanalysis of Rainbow. SCN 2006.
Kipnis-Shamir’s approach – (I)
A. Kipnis and A. Shamir. Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. CRYPTO 99.
Given $n, k \in \mathbb{N}^*$; $M_1,\dots,M_k \in \mathcal{M}_{n \times n}(K)$, $r \in \mathbb{N}^*$; the goal is to find $\lambda = (\lambda_1,\dots,\lambda_k) \in K^k$ such that:
$\mathrm{Rk}\left(\sum_{j=1}^k \lambda_j M_j\right) = r$.
Set $E_\lambda = \sum_{j=1}^k \lambda_j M_j$. Thus:
$\mathrm{Rk}(E_\lambda) = r \Leftrightarrow \exists\,(n-r)$ linearly independent vectors $X^{(i)} \in \mathrm{Ker}(E_\lambda)$.
We then have:
$\left(\sum_{j=1}^k \lambda_j M_j\right) X^{(i)} = 0_n, \quad \forall\, 1 \le i \le n-r$.
Kipnis-Shamir's approach – (II)
Let $X^{(i)} = (x_1^{(i)},\dots,x_n^{(i)})$, where the $x_j^{(i)}$ are variables. Then:
$$\left(\sum_{j=1}^k y_j M_j\right) \begin{pmatrix} x_1^{(1)} & \cdots & x_1^{(n-r)} \\ x_2^{(1)} & \cdots & x_2^{(n-r)} \\ \vdots & & \vdots \\ x_n^{(1)} & \cdots & x_n^{(n-r)} \end{pmatrix} = \begin{pmatrix} 0 & \cdots & 0 \\ 0 & \cdots & 0 \\ \vdots & & \vdots \\ 0 & \cdots & 0 \end{pmatrix}$$
Kipnis-Shamir's approach – (III)
Write $X^{(i)} = (e_i, x_1^{(i)},\dots,x_r^{(i)})$, where $e_i \in K^{n-r}$ and the $x_j^{(i)}$ are variables:
$$\left(\sum_{j=1}^k y_j M_j\right) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \\ x_1^{(1)} & \cdots & \cdots & x_1^{(n-r)} \\ \vdots & & & \vdots \\ x_r^{(1)} & \cdots & \cdots & x_r^{(n-r)} \end{pmatrix} = \begin{pmatrix} 0 & \cdots & 0 \\ 0 & \cdots & 0 \\ \vdots & & \vdots \\ 0 & \cdots & 0 \end{pmatrix}$$
is a quadratic system of $(n-r)n$ equations in $r(n-r) + k$ unknowns.
$I_{KS}$: the ideal generated by these equations.
Properties of KS equations
Theorem
Let $(n, k, M_1,\dots,M_k, r)$ be an instance of MR and $I_{KS}$ be the ideal generated by the KS equations. There is (generically) a one-to-one correspondence between $\mathrm{Sol}(n, k, M_1,\dots,M_k, r)$, the set of solutions of MinRank, and:
$V_K(I_{KS}) = \{ z \in K^{r \cdot (n-r) + k} : f(z) = 0 \text{ for all } f \in I_{KS} \}$.
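The Kipnis-Shamir modelling as an added example (not the talk's code): it writes out the $(n-r)n$ quadratic KS equations in the $r(n-r) + k$ unknowns $y_j$ and $x_c^{(i)}$ as dictionaries of monomials, and checks on a planted instance (random $M_1,\dots,M_{k-1}$, $\lambda$ and $X'$, with $M_k$ completed so that $E_\lambda \cdot [I_{n-r}; X'] = 0$) that $\mathrm{Rk}(E_\lambda) = r$ and that every equation vanishes at $(\lambda, X')$, i.e. the correspondence of the Theorem. It assumes $K = \mathbb{F}_{65521}$ as in Courtois' challenges; the planted construction and all names are mine.

```python
import random
def rank_mod_p(M, p):
    """Rank of M over F_p by Gauss-Jordan elimination on a copy."""
    M, rank = [row[:] for row in M], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(rank, len(M)) if M[i][c] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, p)
        M[rank] = [v * inv % p for v in M[rank]]
        for i in range(len(M)):
            if i != rank:
                M[i] = [(a - M[i][c] * b) % p for a, b in zip(M[i], M[rank])]
        rank += 1
    return rank

def ks_system(mats, r):
    """Entries of (sum_j y_j M_j) [I_{n-r}; X'] as polynomials (dict monomial -> coefficient).
    Monomial ('y', j) is y_j (identity block); ('y', j, i, c) is y_j * x_c^{(i)} (unknown block)."""
    n, k = len(mats[0]), len(mats)
    eqs = []
    for a in range(n):                                   # row a of the product
        for i in range(n - r):                           # column i = kernel vector X^{(i)}
            poly = {('y', j): mats[j][a][i] for j in range(k) if mats[j][a][i]}
            for j in range(k):
                for c in range(r):
                    if mats[j][a][n - r + c]:
                        poly[('y', j, i, c)] = mats[j][a][n - r + c]
            eqs.append(poly)
    return eqs

def evaluate(poly, lam, Xp, p):
    """Evaluate a KS polynomial at y = lam and x_c^{(i)} = Xp[c][i]."""
    return sum(coef * lam[m[1]] * (Xp[m[3]][m[2]] if len(m) == 4 else 1)
               for m, coef in poly.items()) % p

def planted_instance(n, k, r, p, rng):
    """Random M_1..M_{k-1}, lambda and X'; M_k = [C | 0] is completed so that E_lambda [I; X'] = 0."""
    lam = [rng.randrange(1, p) for _ in range(k)]
    Xp = [[rng.randrange(p) for _ in range(n - r)] for _ in range(r)]           # r x (n-r)
    X = [[int(a == b) for b in range(n - r)] for a in range(n - r)] + Xp         # [I; X'], n x (n-r)
    mats = [[[rng.randrange(p) for _ in range(n)] for _ in range(n)] for _ in range(k - 1)]
    E = [[sum(lam[j] * mats[j][a][b] for j in range(k - 1)) % p for b in range(n)] for a in range(n)]
    inv = pow(lam[-1], -1, p)
    C = [[-inv * sum(E[a][b] * X[b][i] for b in range(n)) % p for i in range(n - r)] for a in range(n)]
    mats.append([C[a] + [0] * r for a in range(n)])
    return mats, lam, Xp

def check(n, k, r, p, seed=0):   # (#equations, #unknowns, Rk(E_lambda), all KS equations vanish?)
    rng = random.Random(seed)
    mats, lam, Xp = planted_instance(n, k, r, p, rng)
    E = [[sum(lam[j] * mats[j][a][b] for j in range(k)) % p for b in range(n)] for a in range(n)]
    eqs = ks_system(mats, r)
    return len(eqs), r * (n - r) + k, rank_mod_p(E, p), all(evaluate(q, lam, Xp, p) == 0 for q in eqs)
```

With the challenge parameters $(n, k, r) = (6, 9, 3)$ this gives 18 equations in 18 unknowns, the counts of the Courtois challenge A after normalisation.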
Courtois' Authentication Scheme – Challenges
$K = \mathbb{F}_{65521}$
A: $n = 6$, $k = 10$, $r = 3$ (18 eq., 19 var.) ⇒ $n = 6$, $k = 9$, $r = 3$ (18 eq., 18 var.)
B: $n = 7$, $k = 10$, $r = 4$ (21 eq., 22 var.) ⇒ $n = 7$, $k = 9$, $r = 4$ (21 eq., 21 var.)
C: $n = 11$, $k = 10$, $r = 8$ (33 eq., 35 var.) ⇒ $n = 11$, $k = 9$, $r = 8$ (34 eq., 34 var.)
Experimental results with FGb
$K = \mathbb{F}_{65521}$

| | n | k | r | T_FGb | Mem | N_FGb | [Cou] |
| A | 6 | 9 | 3 | 1 min. | 400 Mb. | 2^30.5 | 2^106 |
| B | 7 | 9 | 4 | 1h45min. | 3 Gb. | 2^37.1 | 2^122 |
| | 8 | 9 | 5 | 91 h. | 58.5 Gb. | 2^43.4 | |
| C | 11 | 9 | 8 | | | 2^64.4 | 2^136 |

("not rigorous")

| | n | k | r | dreg (theor.) | dreg (observed) | Bézout | #Sol |
| A | 6 | 9 | 3 | 19 | 5 | 2^18 | 2^10 |
| B | 7 | 9 | 4 | 22 | 6 | 2^21 | 2^12 |
| | 8 | 9 | 5 | 28 | 8 | 2^27 | 2^13 |
| C | 11 | 9 | 8 | 33 | ? | 2^34 | ? |

Efficient attack but no theoretical explanation!!
Theoretical Complexity – (I)
Definition
Let $S = \{f_1(x_1,\dots,x_n) = 0,\dots,f_m(x_1,\dots,x_n) = 0\}$ be an algebraic system of equations, and $T = \{X^{(1)},\dots,X^{(k)}\}$ be a partition of $X = \{x_1,\dots,x_n\}$ s.t.:
$X^{(j)} = \{x_{j_1},\dots,x_{j_{k_j}}\}$.
$S$ is multi-homogeneous if the polynomials $f_i$ are homogeneous w.r.t. the $X^{(j)}$'s.
Property
The ideal $I_{KS}$ is multi-homogeneous.
new bounds for the degree of regularity
multi-homogeneous Bézout bound
work in progress
Multi-Homogeneous Structure
$$\left(\sum_{j=1}^k y_j M_j\right) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \\ x_1^{(1)} & \cdots & \cdots & x_1^{(n-r)} \\ \vdots & & & \vdots \\ x_r^{(1)} & \cdots & \cdots & x_r^{(n-r)} \end{pmatrix} = \begin{pmatrix} 0 & \cdots & 0 \\ 0 & \cdots & 0 \\ \vdots & & \vdots \\ 0 & \cdots & 0 \end{pmatrix}$$
Theoretical Complexity – (II)
Theorem
Let $r' = n - r$ be a constant. We consider instances of MR with parameters $(n, k = r'^2, r = n - r')$. For those particular instances, we can compute the variety of $I_{KS}$ using Gröbner bases in:
$O\left(\ln(\#K) \cdot n^{3 r'^2}\right)$.
The complexity of our attack is polynomial for instances of MinRank with $(n, k = r'^2, r = n - r')$.

| (n, k, r) | A = (6, 9, 3) | B = (7, 9, 4) | C = (11, 9, 8) |
| #Sol (MH Bézout bound) | 2^13 | 2^15 | 2^22 |
| Experimental #Sol | 2^10 | 2^12 | |
| Complexity bound | 2^38.9 | 2^46.2 | 2^66.3 |
| Experimental bound | 2^30.5 | 2^37.1 | 2^64.3 |
Remark
Efficient attack supported by theoretical results.
Most interesting parameters of the MinRank authentication scheme have been broken, but a second set of parameters (over $K = \mathbb{F}_2$) proposed by Courtois remains secure:
$(n, k, r) \in \{(19, 81, 10),\ (21, 121, 10),\ (29, 190, 15)\}$
Algebraic Attacks against Block Ciphers – Theory
General principle
$x_0 \leftarrow m \in K^t$
For $i$ from $0$ to $r - 1$ do
    $x_{i+1} \leftarrow T(K_i, x_i)$   # $K_i \in K^t$ subkey at round $i$
EndFor
$c \leftarrow x_r$
Courtois, Pieprzyk, ASIACRYPT 2002
Fix a pair $(m, c) \in K^t \times K^t$.
variables: intermediate states $\{x_i\}_{1 \le i \le r-1}$; components of the master key $K$
coefficient ring: $K$
Cipher Crisis!!!
Algebraic Attacks against Block Ciphers – Practice
[Bardet, Ph.D. Thesis 2004]

| Cryptosystem | #unk. | #Eq. quad. | dreg | #Matrix |
| Khazad | 4800 | 6000 | 379 | 2^2076 |
| Misty1 | 1848 | 1845 | 179 | 2^1040 |
| Kasumi | 2000 | 2000 | 193 | 2^1129 |
| Camellia-128 | 1664 | 4304 | 78 | 2^538 |
| AES-128 | 1600 | 4600 | 69 | 2^479 |
| Serpent-128 | 8320 | 9360 | 703 | 2^4196 |

The degree of regularity $d_{reg}$ is obtained from:
$\frac{(1 + z)^n}{(1 + z^2)^m}$.
Flurry : a Family of Feistel ciphers
[Buchmann, Pyshkin, Weinmann, CT-RSA’06]
The parameters of Flurry$(n, t, r, f, D)$:
$\#K = k = 2^n$, $n \in \{8, 16, 32, 64\}$
$t \in \mathbb{N}^*$ is the size of a message block
$r \in \mathbb{N}^*$ is the number of rounds
$f$ is a non-linear function describing the S-box. Here: the power function $f(x) = f_p(x) = x^p$, with $p \in \{3, 5, 7, k - 2\}$
$D \in \mathcal{M}_{m \times m}(K)$ is a matrix describing the linear diffusion layer
A Gröbner Basis without Computation !
Property [Buchmann, Pyshkin, and Weinmann, CT-RSA'06]
Let $P_{Flurry}$ be the system describing Flurry$(n, t, r, f, D)$.
variables: intermediate states; components of the key
coefficient ring: $K$ a degree $n$ extension of $\mathbb{F}_2$
There exists a (degree) order $\prec^*$ for which $P_{Flurry}$ is already a Gröbner basis. Moreover, it holds that $\#V_K(P_{Flurry}) = \deg(f)^{\frac{t}{2} \cdot r}$.
Complexity of FGLM
$O\left(\deg(f)^{3 \cdot \frac{t}{2} \cdot r}\right)$.
Remark
The same result holds for AES-128.
Toward an Efficient Cryptanalysis of Flurry
[Faugère, P. – 2008]
$P^N_{Flurry} \leftarrow \emptyset$
For $j$ from $1$ to $N$ do
    "Randomly" select a pair $(m_j, c_j) \in K^t \times K^t$
    $P^N_{Flurry} \leftarrow P^N_{Flurry} \cup P_{Flurry}(m_j, c_j)$
EndFor
Try to solve $P^N_{Flurry}$
variables: intermediate states; components of the key
coefficient ring: $K$ a degree $n$ extension of $\mathbb{F}_2$
Toward an Efficient Cryptanalysis of Flurry
[Faugère, P. – 2008]
$P^N_{Flurry} \leftarrow \emptyset$
For $j$ from $1$ to $N$ do
    Select a "correlated" pair $(m_j, c_j) \in K^t \times K^t$
    $P^N_{Flurry} \leftarrow P^N_{Flurry} \cup P_{Flurry}(m_j, c_j)$
EndFor
Try to solve $P^N_{Flurry}$
variables: intermediate states; components of the key
coefficient ring: $K$ a degree $n$ extension of $\mathbb{F}_2$
How to Select the Sequence – Intuition
Let $N > 1$ be an integer. We fix: $m_0 = (0,\dots,0)$, and $r_1 = (1,\dots,0)$. We define $r_i$, for all $i$, $2 \le i \le N$, s.t. $r_{i+1} = \theta \cdot r_i$.
We then solve:
$P^N_{Flurry} = \bigcup_{r \in L[r_1,\dots,r_N]} P_{Flurry}(m_0 + r, c_r)$.
Rationale
$\Delta^{(i)}_{r_1,\dots,r_i} T_K = \sum_{\delta \in L[r_1,\dots,r_i]} T_K(x + \delta)$.
Experimental Results
| Flurry(n, t, r, f, D) | N | Dmax | T | Nbop | Mem |
| Flurry(16, 2, 6, f^{-1}, I_1) | 3 | 3 | 0.6 s. | 2^25 | 1.8 Gb. |
| Flurry(16, 2, 7, f^{-1}, I_1) | 3 | 4 | 0.4 s. | 2^24 | 1 Gb. |
| Flurry(16, 2, 8, f^{-1}, I_1) | 4 | 4 | 37.6 s. | 2^31 | 1.4 Gb. |
| Flurry(16, 2, 9, f^{-1}, I_1) | 10 | 4 | 37296 s. | 2^41 | 6.4 Gb. |
| Flurry(16, 4, 5, f^{-1}, D_2) | 2 | 4 | 0.5 s. | 2^24.2 | 1.7 Gb. |
| Flurry(16, 4, 6, f^{-1}, D_2) | 4 | 4 | 810.3 s. | 2^36.0 | 4.6 Gb. |
| Flurry(16, 8, 5, f^{-1}, D_4) | 3 | 4 | 3755.2 s. | 2^37.5 | 5.4 Gb. |
| Flurry(16, 4, 6, f_3, D_2) | 14 | 3 | 3.4 s. | 2^27.4 | 1.3 Gb. |
| Flurry(16, 4, 8, f_3, D_2) | 90 | 3 | 1952 s. | 2^36.1 | 117 Gb. |
| Flurry(16, 4, 8, f_3, D_2) | 100 | 3 | 2058 s. | 2^36.2 | 130 Gb. |
| Flurry(16, 8, 6, f_3, D_4) | 20 | 3 | 35.8 s. | 2^26.1 | 47 Gb. |
Conclusion
Cryptanalysis of multivariate schemes
Algebraic cryptanalysis of block ciphers
Algebraic cryptanalysis of stream ciphers
    Algebraic immunity
    eSTREAM candidates (Trivium, ...)
Algebraic cryptanalysis of hash functions (new trend)
Factorization with known bits
Design
    Stream cipher
    Hash function
    Lattice Polly Cracker
Gröbner Basis in Cryptography : Overview
Guest Editors: D. Augot, J.-C. Faugère, L. Perret. Gröbner bases in Coding Theory and Cryptography. Special Issue, Journal of Symbolic Computation; in press.
Editors: M. Sala, T. Mora, L. Perret, S. Sakata, and C. Traverso. Gröbner Bases, Coding, and Cryptography. Springer, RISC Book Series; in press.