
Copyright©2017 NTT corp. All Rights Reserved.

Cube Attacks on Non-Blackbox Polynomials based on Division Property

Yosuke Todo (NTT Secure Platform Laboratories and Kobe Univ.)

Joint work with Takanori Isobe (Kobe Univ.), Yonglin Hao (Tsinghua Univ.) and Willi Meier (FHNW)

ESC2017

Overview

• Cube attacks are a kind of higher-order differential cryptanalysis.

‐ They are especially powerful against stream ciphers.

• Experimental approach.

‐ The classical cube attack analyzes a symmetric-key cryptosystem by regarding it as a blackbox polynomial.

• This talk: new generic tools for cube attacks that exploit the internal structure of stream ciphers.

• They improve the best known attacks.

[figure: Cube attacks on blackbox polynomials → Cube attacks on non-blackbox polynomials]

Our approach

Division property in the world of cube attacks

• What is the division property? ‐ A tool to find integral distinguishers for block ciphers.

• First application to stream ciphers. ‐ Zero-sum distinguishers are trivial.

‐ But it is nontrivial to recover the secret key.

• New insight. ‐ What the division property can do.

‐ A new way to use the division property. • It is used to analyze ANF coefficients.

‐ Which key bits are (not) involved in the "superpoly" is evaluated.

Outline

1. Preliminaries.
   1. Cube attacks (on blackbox polynomials).
   2. Division property.
   3. Mixed-integer linear programming.
2. Zero-sum integral distinguishers.
3. Our approach.
   1. Analyze the ANF of the "superpoly".
   2. What the division property can do.
   3. How keys are recovered.
4. Applications.

Model of stream ciphers

• Secret variables (key): $\boldsymbol{x} = (x_1, \ldots, x_n)$. Public variables (iv): $\boldsymbol{v} = (v_1, \ldots, v_m)$.

• Key initialization: the cipher is clocked for a fixed number of rounds before the first key-stream bit is output.

• Let $f(\boldsymbol{x}, \boldsymbol{v})$ be regarded as the first bit of the key stream.

Cube attacks on blackbox polynomials

• Let $I = \{i_1, \ldots, i_{|I|}\} \subseteq \{1, 2, \ldots, m\}$ be the indices of the active bits, and let $C_I$ be the set of $2^{|I|}$ values where $(v_{i_1}, \ldots, v_{i_{|I|}})$ takes all combinations of values (the other public bits are fixed).

• Let $t_I$ be the monomial $t_I = v_{i_1} \cdots v_{i_{|I|}}$. Then $f$ can be written as

$$f(\boldsymbol{x}, \boldsymbol{v}) = t_I \cdot p_I(\boldsymbol{x}, \boldsymbol{v}) \oplus q(\boldsymbol{x}, \boldsymbol{v}).$$

– $p_I(\boldsymbol{x}, \boldsymbol{v})$ is called the superpoly of $C_I$; it contains no variable of $t_I$.

– $q(\boldsymbol{x}, \boldsymbol{v})$ misses at least one variable from $t_I$, so every monomial of $q$ sums to 0 over $C_I$ and

$$\bigoplus_{\boldsymbol{v} \in C_I} f(\boldsymbol{x}, \boldsymbol{v}) = p_I(\boldsymbol{x}, \boldsymbol{v}).$$

– Attackers recover $\boldsymbol{x}$ by analyzing $p_I(\boldsymbol{x}, \boldsymbol{v})$.

How is $\boldsymbol{x}$ recovered from the superpoly?

• $f(\boldsymbol{x}, \boldsymbol{v})$ of a real stream cipher is too complicated to analyze symbolically.

• Heuristic evaluation

‐ $\boldsymbol{x}$ is chosen randomly.

‐ $f$ is regarded as a blackbox.

‐ With a linearity test we can notice, with high probability, whether or not the superpoly is linear in $\boldsymbol{x}$.

• Significant drawbacks of this approach.

‐ The size of the cube is limited to the experimental range: every test requires $2^{|I|}$ evaluations of $f$.

‐ The size is at most about 40.

Division property

• Proposed at Eurocrypt 2015.

• Tool to find integral distinguishers.

• Definition

Let $\mathbb{X}$ be a multiset whose elements take a value of $\mathbb{F}_2^n$.

Let $\mathbb{K}$ be a set whose elements take a value on $\mathbb{F}_2^n$.

When the multiset $\mathbb{X}$ has the division property $\mathcal{D}^{1^n}_{\mathbb{K}}$, it fulfills the following conditions:

$$\bigoplus_{\boldsymbol{x} \in \mathbb{X}} \boldsymbol{x}^{\boldsymbol{u}} = \begin{cases} \text{unknown} & \text{if there is } \boldsymbol{k} \in \mathbb{K} \text{ s.t. } \boldsymbol{u} \succeq \boldsymbol{k}, \\ 0 & \text{otherwise,} \end{cases}$$

where $\boldsymbol{x}^{\boldsymbol{u}} = \prod_{i} x_i^{u_i}$ and $\boldsymbol{u} \succeq \boldsymbol{k}$ means $u_i \ge k_i$ for all $i$.

Division property

• Since three propagation rules (copy, xor, and) are defined, we can evaluate an arbitrary circuit. (Bit-based division property, Todo et al., FSE 2016.)

• The three propagations are modeled as MILP constraints. (Propagation search using MILP, Xiang et al., ASIACRYPT 2016.)

• An MILP solver can efficiently evaluate the propagation of the division property.

Division trail

$$\mathbb{K}_0 \xrightarrow{F_1} \mathbb{K}_1 \xrightarrow{F_2} \mathbb{K}_2 \xrightarrow{F_3} \cdots \xrightarrow{F_r} \mathbb{K}_r$$

There is a division trail $(\boldsymbol{k}_0, \boldsymbol{k}_1, \ldots, \boldsymbol{k}_r) \in \mathbb{K}_0 \times \mathbb{K}_1 \times \cdots \times \mathbb{K}_r$ satisfying the propagation characteristic, written $\boldsymbol{k}_0 \to \boldsymbol{k}_1 \to \cdots \to \boldsymbol{k}_r$.

If there is NO division trail $\boldsymbol{k}_0 \to \boldsymbol{e}_j$ (where $\boldsymbol{e}_j$ is the unit vector whose $j$th bit is 1), the $j$th bit of the ciphertext is balanced.

Application to stream ciphers

• The trivial application is a zero-sum distinguisher.

‐ Create an MILP model $\mathcal{M}$ that represents the propagation of the division property for $f(\boldsymbol{x}, \boldsymbol{v})$.

‐ Let $I = \{i_1, \ldots, i_{|I|}\} \subseteq \{1, 2, \ldots, m\}$ be the indices of the active bits and evaluate $\bigoplus_{\boldsymbol{v} \in C_I} f(\boldsymbol{x}, \boldsymbol{v})$.

‐ Let $\boldsymbol{k}$ be the $m$-bit vector s.t. $\boldsymbol{v}^{\boldsymbol{k}} = t_I$.

‐ If there is NO division trail $\boldsymbol{k} \to 1$ (the secret variables are treated as constants), the first bit of the key stream is balanced, i.e. the cube sum is 0 for every key.

• But we can't recover the secret variables this way.

Our approach for key recovery

• Key recovery is possible if we can evaluate enough of the ANF coefficients of the superpoly.

• A new application of the division property.

‐ We never use the division property to find a zero-sum distinguisher.

‐ The division property is used to analyze the ANF coefficients of $f(\boldsymbol{x}, \boldsymbol{v})$.

‐ The secret variables involved in the superpoly of a given cube $C_I$ are evaluated.

Basic knowledge

• Algebraic Normal Form

Let $a^f_{\boldsymbol{u}} \in \mathbb{F}_2$ be the ANF coefficients of $f$:

$$f(\boldsymbol{x}, \boldsymbol{v}) = \bigoplus_{\boldsymbol{u} \in \mathbb{F}_2^{n+m}} a^f_{\boldsymbol{u}} \, (\boldsymbol{x} \| \boldsymbol{v})^{\boldsymbol{u}}.$$

• It's practically infeasible to analyze all $a^f_{\boldsymbol{u}}$ of a real stream cipher.

ANF of the superpoly

• Decompose $f$ according to the $m$-bit vector $\boldsymbol{k}$ s.t. $\boldsymbol{v}^{\boldsymbol{k}} = t_I$: the monomials divisible by $t_I$ are exactly those with $\boldsymbol{u} \succeq (\boldsymbol{0} \| \boldsymbol{k})$, so

$$p_I(\boldsymbol{x}, \boldsymbol{v}) = \bigoplus_{\boldsymbol{u} \succeq (\boldsymbol{0} \| \boldsymbol{k})} a^f_{\boldsymbol{u}} \, (\boldsymbol{x} \| \boldsymbol{v})^{\boldsymbol{u} \oplus (\boldsymbol{0} \| \boldsymbol{k})},$$

and the remaining monomials form $q(\boldsymbol{x}, \boldsymbol{v})$.

What the division property can do

• Assume there is NO division trail $\boldsymbol{k} \to 1$ for $f$. Then the sum of $f$ over any multiset with division property $\mathcal{D}^{1^n}_{\{\boldsymbol{k}\}}$ (e.g. the cube where the bits indexed by $\boldsymbol{k}$ take all values and the remaining bits are fixed to any constant) is always zero.

• In other words,

‐ $a^f_{\boldsymbol{u}}$ is always 0 for any $\boldsymbol{u} \succeq \boldsymbol{k}$.

• We can use the division property as a tool to evaluate features of the ANF coefficients.

Extension to key recovery

• Assume there is NO division trail $(\boldsymbol{e}_j \| \boldsymbol{k}) \to 1$, where $\boldsymbol{e}_j$ is the $n$-bit unit vector for the key bit $x_j$ and $\boldsymbol{k}$ is the $m$-bit vector with $\boldsymbol{v}^{\boldsymbol{k}} = t_I$. Then

‐ $a^f_{\boldsymbol{u}}$ is always 0 for any $\boldsymbol{u} \succeq (\boldsymbol{e}_j \| \boldsymbol{k})$.

• Then every monomial of $p_I$ containing $x_j$ has coefficient 0:

$$\bigoplus_{\boldsymbol{u} \succeq (\boldsymbol{e}_j \| \boldsymbol{k})} a^f_{\boldsymbol{u}} \, (\boldsymbol{x} \| \boldsymbol{v})^{\boldsymbol{u} \oplus (\boldsymbol{0} \| \boldsymbol{k})} = 0.$$

• The superpoly is independent of $x_j$.

Attack strategy

1. Evaluation phase.

‐ The involved secret variables are evaluated in this phase.

‐ This phase is feasible by using MILP.

2. Off-line phase.

‐ Compute the sum over the given cube for every guess of the involved secret variables.

‐ This phase is not practical for large cubes, but its time complexity is bounded.

3. On-line phase.

‐ Query the encryption oracle.

‐ Recover the secret variables.

1st phase -- evaluation phase.

1. Decide the positions of the active bits $I = \{i_1, \ldots, i_{|I|}\} \subseteq \{1, 2, \ldots, m\}$.
2. Prepare the set $J = \emptyset$.
3. Evaluate (with the MILP model) whether or not there is a division trail $(\boldsymbol{e}_j \| \boldsymbol{k}) \to 1$.
   • Let $\boldsymbol{e}_j$ be the $n$-bit unit vector whose $j$th bit is 1.
   • Let $\boldsymbol{k}$ be the $m$-bit vector s.t. $\boldsymbol{v}^{\boldsymbol{k}} = t_I$.
4. If there is such a trail, $J = J \cup \{j\}$.
5. Repeat for all $j \in \{1, 2, \ldots, n\}$.

Finally, $J$ contains the bits that may be involved in the superpoly. (The absence of a trail proves that $x_j$ is not involved; the presence of a trail does not prove that it is, so $J$ is a superset of the truly involved bits.)

[figure: secret variables (key) $\boldsymbol{x}$, public variables (iv) $\boldsymbol{v}$]

2nd phase -- off-line phase.

1. Decide the initial iv $\boldsymbol{v}$ (the values of the non-active bits).
2. Prepare the set of chosen ivs by flipping the bits in $I$, i.e. the cube $C_I$.
3. Guess the $|J|$-bit secret variables $(x_{j_1}, x_{j_2}, \ldots, x_{j_{|J|}})$. For each guess, compute and store $\bigoplus_{\boldsymbol{v} \in C_I} f(\boldsymbol{x}, \boldsymbol{v})$; the other secret variables can be fixed to any value because the sum does not depend on them.

The time complexity of this phase is $2^{|I|+|J|}$.

[figure: secret variables (key) $\boldsymbol{x}$, public variables (iv) $\boldsymbol{v}$]

3rd phase -- on-line phase.

1. Access the encryption oracle under the chosen-iv setting.
   • Query the cube $C_I$ used in the off-line phase (with the same initial iv).
   • Compute the sum $\bigoplus_{\boldsymbol{v} \in C_I} f(\boldsymbol{x}, \boldsymbol{v})$ from the first key-stream bits.
2. Compare the sum from the on-line phase with the stored sum of each guess $(x_{j_1}, x_{j_2}, \ldots, x_{j_{|J|}})$ from the off-line phase.
   • If the sums differ, the guessed secret variables are incorrect.
   • Each cube sum is one bit, so one cube discards about half of the $2^{|J|}$ guesses; the rest are filtered with further cubes or by exhaustive search.

The data complexity of this phase is $2^{|I|}$.

[figure: secret variables (key) $\boldsymbol{x}$, public variables (iv) $\boldsymbol{v}$]
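The three phases above, run end to end on a toy cipher, as an added example (this is not code from the paper or the slides). The 8-bit Trivium-style NLFSR, its tap positions, the cube $I$ and the key are constructed here for illustration; the division property is propagated exhaustively as sets of bit vectors with the copy/AND/XOR rules instead of an MILP solver, which is only feasible because the state has 8 bits. The brute-force check in `involved_key_bits` exercises the lemma of the two preceding slides: $J$ from the evaluation phase always contains every key bit that really appears in the superpoly, and may be larger.

```python
"""Three-phase cube attack on a toy 8-bit Trivium-style NLFSR.

Added worked example (not code from the paper or the slides).  The cipher, its
taps, the cube and the key are constructed for illustration only.
"""
import itertools

N_KEY, N_IV = 4, 4                     # state = key || iv
N = N_KEY + N_IV
TAPS_XOR, TAPS_AND = (7, 5), (2, 6)    # feedback t = s7 ^ s5 ^ (s2 & s6); s7 shifts out

def keystream_bit(key, iv, rounds):
    """f(x, v): load key || iv, clock `rounds` times, output the newest state bit."""
    s = list(key) + list(iv)
    for _ in range(rounds):
        t = s[TAPS_XOR[0]] ^ s[TAPS_XOR[1]] ^ (s[TAPS_AND[0]] & s[TAPS_AND[1]])
        s = [t] + s[:-1]
    return s[0]

def next_vectors(k):
    """One round of bit-based division property propagation (copy, AND, XOR rules)."""
    taps = sorted(set(TAPS_XOR) | set(TAPS_AND))
    splits = []                        # per tap: (weight kept in register, weight sent to feedback)
    for p in taps:
        if k[p] == 0:
            splits.append([(0, 0)])
        elif p == N - 1:
            splits.append([(0, 1)])    # s7 is consumed by the feedback, not copied
        else:
            splits.append([(1, 0), (0, 1)])   # copy rule: the weight goes one way or the other
    out = set()
    for choice in itertools.product(*splits):
        keep, use = list(k), dict.fromkeys(taps, 0)
        for p, (kp, up) in zip(taps, choice):
            keep[p], use[p] = kp, up
        a = (use[TAPS_AND[0]] + use[TAPS_AND[1]] + 1) // 2   # AND rule: ceil((k1 + k2) / 2)
        t = use[TAPS_XOR[0]] + use[TAPS_XOR[1]] + a           # XOR rule: weights add up ...
        if t <= 1:                                            # ... but a weight of 2 is no trail
            out.add(tuple([t] + keep[:-1]))
    return out

def has_trail(k0, rounds, target):
    """Is there a division trail k0 -> target through `rounds` rounds?"""
    front = {tuple(k0)}
    for _ in range(rounds):
        front = set().union(*(next_vectors(k) for k in front))
    return tuple(target) in front

def cube_sum(key, cube, rounds, iv_base):
    """Sum of f over C_I: the iv bits in `cube` take all values, the others stay as in iv_base."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        iv = list(iv_base)
        for i, b in zip(cube, bits):
            iv[i] = b
        total ^= keystream_bit(key, iv, rounds)
    return total

def evaluation_phase(cube, rounds):
    """Phase 1: J = key bits j with a trail (e_j || k_I) -> e_0 (the output is state bit 0)."""
    k_iv = [int(i in cube) for i in range(N_IV)]
    e_out = [1] + [0] * (N - 1)
    return {j for j in range(N_KEY)
            if has_trail([int(i == j) for i in range(N_KEY)] + k_iv, rounds, e_out)}

def offline_phase(J, cube, rounds, iv_base):
    """Phase 2: cube sum for every guess of the bits in J (cost 2^(|I|+|J|) evaluations)."""
    table = {}
    for guess in itertools.product((0, 1), repeat=len(J)):
        key = [0] * N_KEY                  # bits outside J provably do not affect the sum
        for j, g in zip(sorted(J), guess):
            key[j] = g
        table[guess] = cube_sum(key, cube, rounds, iv_base)
    return table

def online_phase(table, observed):
    """Phase 3: keep the guesses whose stored sum equals the sum seen from the oracle."""
    return {g for g, s in table.items() if s == observed}

def involved_key_bits(cube, rounds):
    """Ground truth by brute force: key bits whose flip changes some cube sum."""
    involved = set()
    for key in itertools.product((0, 1), repeat=N_KEY):
        for iv_base in itertools.product((0, 1), repeat=N_IV):
            ref = cube_sum(key, cube, rounds, iv_base)
            for j in range(N_KEY):
                flipped = list(key)
                flipped[j] ^= 1
                if cube_sum(flipped, cube, rounds, iv_base) != ref:
                    involved.add(j)
    return involved

def demo(cube=(1, 2), rounds=8, iv_base=(0, 1, 0, 1), true_key=(1, 0, 1, 1)):
    """Run all three phases; returns J and the surviving guesses for the bits in J."""
    J = evaluation_phase(cube, rounds)
    assert involved_key_bits(cube, rounds) <= J   # no trail => not involved; J may still be larger
    table = offline_phase(J, cube, rounds, iv_base)
    observed = cube_sum(true_key, cube, rounds, iv_base)   # stands in for the chosen-iv oracle
    return J, online_phase(table, observed)

if __name__ == "__main__":
    J, survivors = demo()
    print("J =", sorted(J), "| guesses consistent with one cube sum:", sorted(survivors))
```

With the default parameters (cube $I = \{1, 2\}$, 8 rounds) the superpoly of this toy is $x_2 \oplus x_1 x_2$, so the brute-force ground truth is $\{1, 2\}$ and the evaluation phase must return a superset of it. Expanding 8 rounds by hand is still possible here; the point of the division property is that `has_trail` (or its MILP equivalent) never needs that expansion, which is what lets the paper reach cubes of size 66 to 72.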

Application to Trivium

[figure: Trivium key-stream generator, output bit $z_i$]

• 80-bit secret key, 80-bit initialization vector.

• State size = 288 bits, initialization = 1152 rounds.

Verify our idea experimentally

Active IVs (5): 0, 2, 4, 6, 8 | Involved keys (4): 18, 19, 20, 62 | Rounds: 557 | Complexity: $2^9$

• Experimental results

‐ initial IV: 51 5B 66 28 BB 31 60 85 15 15

‐ We test 100 random keys.

• If $(x_{18} \| x_{19} \| x_{20} \| x_{62}) \in \{0, 3, 4, 7, 8, B, D, E\}$ (hexadecimal, $x_{18}$ the most significant bit), the sum is 1.

• If $(x_{18} \| x_{19} \| x_{20} \| x_{62}) \in \{1, 2, 5, 6, 9, A, C, F\}$, the sum is 0.
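The table above fixes the superpoly of this cube completely: 16 entries for the 4 involved key bits. The following added example (not code from the paper) interpolates its ANF with a Möbius transform, runs the blackbox linearity test of the classical cube attack on it, and performs the on-line comparison. The table entries are the slide's; the observed sum handed to `surviving_guesses()` is a constructed stand-in for the oracle query. The interpolation yields $p = 1 \oplus x_{20} \oplus x_{62} \oplus x_{18} x_{19}$, a result computed here rather than stated on the slide.

```python
"""Interpolating the Trivium superpoly from the experimental table on the slide.

Added example, not code from the paper.  The 16 table entries are the slide's
(x18 is the most significant bit of the 4-bit value).
"""
import itertools

VARS = ("x18", "x19", "x20", "x62")
ONES = {0x0, 0x3, 0x4, 0x7, 0x8, 0xB, 0xD, 0xE}     # values with cube sum 1 (from the slide)
TRUTH_TABLE = tuple(int(v in ONES) for v in range(16))

def moebius(tt):
    """ANF coefficients a_u (index u = monomial mask) via the fast Moebius transform."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for j in range(len(a)):
            if j & bit:
                a[j] ^= a[j ^ bit]
    return a

def monomials(anf, names=VARS):
    """Render an ANF as its list of monomials (names[0] is the most significant index bit)."""
    n = len(names)
    terms = []
    for u, coef in enumerate(anf):
        if coef:
            terms.append("*".join(names[i] for i in range(n) if (u >> (n - 1 - i)) & 1) or "1")
    return terms

def degree(anf):
    """Algebraic degree: largest Hamming weight of a monomial mask with coefficient 1."""
    return max((bin(u).count("1") for u, c in enumerate(anf) if c), default=0)

def evaluate(anf, point):
    """Evaluate an ANF at a point given as a bit mask in the same order as the table index."""
    return sum(c for u, c in enumerate(anf) if (point & u) == u) & 1

def blr_linearity_test(p, n):
    """Blackbox linearity test of the classical cube attack: p is affine iff
    p(a) ^ p(b) ^ p(a ^ b) ^ p(0) == 0 for all a, b.  Exhaustive here because n is
    tiny; on a real cipher the attacker samples random a, b instead."""
    return all(p(a) ^ p(b) ^ p(a ^ b) ^ p(0) == 0
               for a, b in itertools.product(range(1 << n), repeat=2))

def surviving_guesses(observed):
    """On-line phase for this cube: guesses of (x18,x19,x20,x62) consistent with one observed sum."""
    return {v for v in range(16) if TRUTH_TABLE[v] == observed}

if __name__ == "__main__":
    anf = moebius(TRUTH_TABLE)
    print("superpoly =", " + ".join(monomials(anf)), "| degree", degree(anf))
    print("linear?", blr_linearity_test(lambda v: TRUTH_TABLE[v], 4))
    print("guesses left after one cube sum of 1:", sorted(surviving_guesses(1)))
```

Because the superpoly has degree 2, the linearity test rejects it: the classical blackbox cube attack would have discarded this cube, whereas the off-line table of the new attack needs no linearity at all. One observed sum leaves 8 of the 16 guesses, i.e. one bit of key information per cube; the remaining candidates are separated with further cubes or by brute force.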

Theoretical cube attacks

Active IVs                                        | Involved keys                            | Rounds | Complexity
66: 0, 1, 2, ..., 52, 54, 56, 58, ..., 78          | 10: 22, 24, 25, 26, 35, 41, 55, 66, 67, 68 | 829    | $2^{76}$
69: 0, 1, 2, ..., 58, 60, 62, 64, ..., 78          | 7: 0, 36, 41, 55, 66, 67, 68             | 830    | $2^{76}$
71: 0, 1, 2, ..., 62, 64, 66, 68, 70, 72, 74, 76, 78 | 4: 48, 73, 74, 75                        | 831    | $2^{75}$
72: 0, 1, 2, ..., 64, 66, 68, 70, 72, 74, 76, 78     | 5: 33, 57, 58, 59, 60                    | 832    | $2^{77}$

We only execute the 1st phase (evaluation phase); the complexity column is the off-line cost $2^{|I|+|J|}$, which stays below the $2^{80}$ of exhaustive key search.

Other applications

• Grain128a

‐ The previous best attack reaches 177 rounds, and it's only a distinguisher.

‐ Our attack reaches 183 rounds and it's possible to recover the secret key.

• ACORN (one of the 3rd-round CAESAR candidates)

‐ The previous attack reaches 477 rounds.

‐ Our attack reaches at least 604 rounds.

Conclusion

• Cube attacks on non-blackbox polynomials.

‐ A new way to use the division property was proposed.

• It is used to analyze ANF coefficients.

‐ The only task for cryptographers is creating the MILP model of the division property propagation.

• The cost is very small.

• It's very easy to apply to various stream ciphers.

‐ We can evaluate cube attacks even when the size of the cube is beyond the experimental range.