Introduction to symmetric cryptography
Christina Boura
École de printemps en codage et cryptographie, May 17, 2016
Overview
Introduction to symmetric-key cryptography
Block ciphers
Boolean functions and cryptographic Sboxes
Attacks against block ciphers exploiting a low algebraic degree
Algebraic attacks
Higher-order differential attacks
Integral attacks
Estimating the algebraic degree of iterated constructions
Bibliography
The Block Cipher Companion, Lars Knudsen and Matt Robshaw
Lecture Notes on Cryptographic Boolean Functions, Anne Canteaut
Analyse de Fonctions de Hachage Cryptographiques, PhD thesis, Christina Boura
Outline
1 Introduction to symmetric-key cryptography
Symmetric-key encryption
Alice and Bob exchange the secret key through a secure channel.
[Figure: encryption and decryption under the shared secret key]
Key-exchange problem ⇒ birth of public-key cryptography.
Public-key encryption
[Figure: encryption under the public key, decryption under the secret key; the ciphertext is drawn as an unreadable string]
Advantages and disadvantages of each system
Secret-key cryptography
  Advantages: fast systems; relatively short keys.
  Disadvantages: needs a secure key exchange; with $n$ users, $n(n-1)/2$ keys.
Public-key cryptography
  Advantages: no key exchange needed; with $n$ users, $2n$ keys.
  Disadvantages: slow systems; relatively long keys.
Hybrid encryption
Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of each system.
[Figure: two encryption/decryption diagrams, one per system]
Hybrid encryption
Use a public-key cryptosystem to exchange a key (session key).
Use the exchanged key to encrypt data with a symmetric-key cryptosystem.
Advantages:
The slow public-key cryptosystem is used to encrypt a short string only.
The fast symmetric-key cryptosystem is used to encrypt the longer communication session.
Symmetric-key authentication
Message authentication code (MAC)
[Figure: Sign with the shared key, Verify with the shared key, output Y/N]
Public-key authentication
Digital signatures
[Figure: Sign with Alice’s secret key, Verify with Alice’s public key, output Y/N]
Hash functions
If the message to sign is long, the signing process becomes heavy...
Idea: Use a cryptographic hash function.
$$H : \{0,1\}^* \to \{0,1\}^n$$
A good hash function should be preimage, second-preimage and collision resistant.
In recent hash proposals: $n = 256, 512$.
Hash functions are considered symmetric-key primitives because they use building blocks similar to those of block ciphers.
Hash and sign
[Figure: hash the message, Sign the digest with Alice’s secret key, Verify with Alice’s public key, output Y/N]
Introduction to symmetric-key cryptography
The best of the two worlds
Secrecy: Hybrid encryption
Authentication: Digital signatures with hashing
There is a need for both public and symmetric-key cryptosystems.
14 / 48
Symmetric-key cryptosystems
A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$:
$\mathcal{P}$: set of possible plaintexts
$\mathcal{C}$: set of possible ciphertexts
$\mathcal{K}$: set of possible keys
For each $k \in \mathcal{K}$, there is an encryption rule $e_k \in \mathcal{E}$ and a decryption rule $d_k \in \mathcal{D}$.
For each $k \in \mathcal{K}$: $d_k(e_k(m)) = m$, for every $m \in \mathcal{P}$.
[Figure: $m \xrightarrow{e_k} c \xrightarrow{d_k} m$]
Kerckhoffs’s principle (1883)
In 1883 Auguste Kerckhoffs stated 6 design principles for military ciphers. The 2nd principle states:
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Reformulated by Claude Shannon as
“The enemy knows the system.”
i.e., “One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.”
Introduction to symmetric-key cryptography
Claude Shannon’s theory
“Communication Theory of Secrecy Systems”, published in 1949.
Many fundamental ideas of modern cryptography are introduced there:
Provable security.
Confusion and diffusion.
Product ciphers.
17 / 48
Shannon’s idea of perfect secrecy
“No information about the plaintext can be obtained by observing the ciphertext”.
Shannon’s definition: A cryptosystem has perfect secrecy if
$$\Pr(m \mid c) = \Pr(m) \quad \text{for all } m \in \mathcal{P},\ c \in \mathcal{C}.$$
An equivalent formulation:
$$\Pr(c \mid m) = \Pr(c) \quad \text{for all } m \in \mathcal{P},\ c \in \mathcal{C}.$$
Shannon’s theorem
A cryptosystem where $|\mathcal{P}| = |\mathcal{C}| = |\mathcal{K}|$ provides perfect secrecy iff
(1) $\Pr_K(k) = 1/|\mathcal{K}|$ for all $k \in \mathcal{K}$;
(2) for all $m \in \mathcal{P}$, $c \in \mathcal{C}$, there exists a unique $k$ such that $e_k(m) = c$.
Fact: If $|\mathcal{P}| > |\mathcal{K}|$ then no scheme is perfectly secure.
The Vernam Cipher or One-time Pad
One-time Pad
Let $n \geq 1$ and $\mathcal{P} = \mathcal{C} = \mathcal{K} = \{0,1\}^n$. If $m = (m_1, \ldots, m_n) \in \mathcal{P}$ and $k = (k_1, \ldots, k_n) \in \mathcal{K}$ then
$$c = e_k(m) = (m_1 \oplus k_1, \ldots, m_n \oplus k_n).$$
Decryption: $d_k(c) = c \oplus k = m \oplus k \oplus k = m$.
The One-time Pad provides perfect secrecy if used correctly:
All keys are equally likely.
Each key is used only once.
Two-time Pad (the same key $k$ used for two messages $m$ and $m'$):
$$c \oplus c' = (m \oplus k) \oplus (m' \oplus k) = m \oplus m'.$$
Introduction to symmetric-key cryptography
The One-time Pad is perfectly secure but...
The secret key must be as long as the message.
A new key has to be generated for each communication.
These long keys have to be exchanged in a secure way.
Problem of generating truly random sequences for the key.
21 / 48
Confusion and diffusion
Diffusion: Each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext.
Confusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst.
Idea: Use permutations to attain diffusion and substitutions to attain confusion.
→ Product ciphers
Security notions
Perfectly secret system: the key has to be at least as long as the message.
All cryptosystems used in practice can theoretically be broken.
Symmetric-key approach:
Try to make the system secure against all known attacks.
No attack should be faster than exhaustive search on the key.
Exhaustive search
Expected time to recover a $\kappa$-bit key: $2^{\kappa-1}$ operations.
κ (bits)   Time complexity (operations)   Security
40         $2^{40}$                       easy to break
64         $2^{64}$                       practical to break
80         $2^{80}$                       not currently feasible
128        $2^{128}$                      very strong
256        $2^{256}$                      exceptionally strong
Table from [Knudsen, Robshaw, “The Block Cipher Companion”, 2011.]
The universe is less than $2^{80}$ microseconds old!
The number of protons in the universe is $\approx 2^{265}$.
Introduction to symmetric-key cryptography
Cryptanalysis of an encryption scheme
Different attack models:
Ciphertext-only attack.
Known-plaintext attack.
Chosen-plaintext/ciphertext attack.
Adaptively chosen-plaintext/ciphertext attack.
The performance of an attack is measured by its:
time complexity.
data complexity.
memory complexity.
25 / 48
Symmetric encryption schemes
Stream ciphers
Combine (XOR) plaintext bits with a keystream generated by a pseudo-random number generator.
The keystream should have good statistical properties.
Advantages: performance and low hardware complexity.
Block ciphers
Operate on blocks of data.
Probably the best understood symmetric primitives.
Can be used to build hash functions, stream ciphers, MACs, authenticated encryption algorithms, PRNGs...
Block ciphers
Encrypt a block of message $m$ into a block of ciphertext $c$ under the action of the key $k$.
$$E : \{0,1\}^n \times \{0,1\}^\kappa \to \{0,1\}^n, \qquad (m, k) \mapsto E(m, k) = c$$
[Figure: $m \to E \to c$, with $k$ as the key input of $E$]
Given $k$, it must be easy to compute $c$ from $m$.
Given $m, c$ it must be hard to compute $k$ such that $E(m, k) = c$.
Two important parameters:
block size, $n$
key size, $\kappa$
A block cipher generates a family of permutations indexed by a key $k$.
[Figure: the $2^\kappa$ permutations selected by the key form a subset of all $(2^n)!$ permutations]
Ideal design: $2^\kappa$ permutations chosen uniformly at random from all $(2^n)! \approx 2^{(n-1)2^n}$ permutations.
Iterated block ciphers
Idea: Iterate a round function $f$ several times. The function $f^r$ is expected to be strong for large $r$.
Advantages: compact implementation; easier analysis.
[Figure: $m \to f \to f \to \cdots \to f \to c$ with subkeys $k_1, k_2, \ldots, k_r$ derived from the master key $k$ by the key schedule]
Key schedule: use a key schedule to extend the user-supplied (or master) key to a sequence of $r$ subkeys.
Introduction to symmetric-key cryptography
How to build the round function?
Two major approaches:
Feistel network.
Substitution-Permutation Network (SPN).
30 / 48
Feistel Network
Introduced by Horst Feistel in the early 70’s.
Encryption
Split the plaintext block: $m = (L_0, R_0)$.
For each round $i = 0, \ldots, r$ do:
$L_{i+1} = R_i$
$R_{i+1} = L_i \oplus F(R_i \oplus k_{i+1})$
Ciphertext block $c = (R_{r+1}, L_{r+1})$.
[Figure: the rounds with subkeys $k_1, \ldots, k_r$ applied through $F$, from $(L_0, R_0)$ to $(R_{r+1}, L_{r+1})$]
Decryption
Split the ciphertext block: $c = (R_{r+1}, L_{r+1})$.
For each round $i = r, \ldots, 0$ do:
$R_i = L_{i+1}$
$L_i = R_{i+1} \oplus F(L_{i+1} \oplus k_{i+1})$
Plaintext block $m = (L_0, R_0)$.
Decryption with $K = (k_1, \ldots, k_r)$ equals encryption with $K' = (k_r, \ldots, k_1)$.
→ $F$ need not be invertible.
[Figure: the same structure run with subkeys $k_r, \ldots, k_1$]
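As an added illustration (not code from the slides), here is a toy Feistel network in Python that follows the round equations above, including the final swap, and shows that decryption is encryption with the subkeys in reverse order even though the round function is not a bijection. The block width (32 bits), the round function `F` and the subkeys are constructed for the example; the slides do not fix them.

```python
# Added example, not from the slides: a toy Feistel network with a deliberately
# non-invertible round function F. Block = 32 bits, halves = 16 bits, r rounds
# with subkeys k_1..k_r (constructed values).
from typing import List

MASK16 = 0xFFFF


def F(x: int) -> int:
    """Constructed round function on 16-bit halves. Squaring modulo 2^16 is not a
    bijection (x and 2^16 - x collide), so F has no inverse; the rotation only
    spreads the bits around. Any function works here: Feistel never inverts F."""
    t = (x * x + 0x9E37) & MASK16
    return ((t << 5) | (t >> 11)) & MASK16


def feistel(block: int, subkeys: List[int]) -> int:
    """L_{i+1} = R_i, R_{i+1} = L_i xor F(R_i xor k_{i+1}), output (R, L) as on the slide."""
    left, right = (block >> 16) & MASK16, block & MASK16
    for k in subkeys:
        left, right = right, left ^ F(right ^ k)
    return (right << 16) | left          # the swap makes the structure an involution


def encrypt(m: int, subkeys: List[int]) -> int:
    return feistel(m, subkeys)


def decrypt(c: int, subkeys: List[int]) -> int:
    # Decryption with (k_1, ..., k_r) is encryption with (k_r, ..., k_1).
    return feistel(c, list(reversed(subkeys)))


def f_is_injective() -> bool:
    """Exhaustively check whether F is one-to-one on 16-bit inputs (it is not)."""
    return len({F(x) for x in range(1 << 16)}) == (1 << 16)


if __name__ == "__main__":
    keys = [0x1234, 0xBEEF, 0x0F0F, 0xC0DE]      # constructed subkeys
    m = 0xDEADBEEF
    c = encrypt(m, keys)
    print(f"m={m:08x} c={c:08x} decrypt(c)={decrypt(c, keys):08x} F injective: {f_is_injective()}")
```

The identity `decrypt(encrypt(m)) == m` holds for every subkey list because each round only XORs `F(...)` into one half and the other half is passed through untouched, so the same value can be XORed back out when the rounds are replayed backwards.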
Introduction to symmetric-key cryptography
Data Encryption Standard (DES)
The first and probably most famous Feistel cipher.
Designed by IBM and published in 1975.
Based on an earlier internal design called Lucifer.
1977: DES is published as a FIPS standard [FIPS 46].
32 / 48
DES
Block size: 64 bits
Key size: 56 bits
16 rounds
[Figure: 16-round Feistel structure with subkeys $k_1, \ldots, k_{16}$ (48 bits each) between the initial permutation IP and the final permutation IP$^{-1}$; the round function expands the 32-bit $R_i$ with E to 48 bits, XORs the 48-bit subkey, applies the eight Sboxes S1, …, S8 and the permutation P]
Generalized Feistel Networks
[Figure: classical Feistel, unbalanced Feistel, alternating Feistel, Type-1 Feistel and Type-2 Feistel, with round functions F and G]
Structural properties of DES
The Complementation Property
$$\mathrm{DES}_{\bar{k}}(\bar{m}) = \overline{\mathrm{DES}_k(m)},$$
where $\bar{x}$ := bitwise complement of $x$.
Limited impact on the security in the classical model.
Halves the cost of the exhaustive key search:
Encrypt $m$ and $\bar{m}$: $c = \mathrm{DES}_k(m)$ and $c' = \mathrm{DES}_k(\bar{m})$.
For each candidate $t$, compute $d = \mathrm{DES}_t(m)$.
Check if $d = c$ → $t$ is a candidate for $k$.
Check if $\bar{d} = c'$ (since $\bar{d} = \mathrm{DES}_{\bar{t}}(\bar{m})$) → $\bar{t}$ is a candidate for $k$.
Structural properties of DES
Weak keys
$k$ weak: $\mathrm{DES}_k(\mathrm{DES}_k(m)) = m$.
4 weak keys were found for DES.
Each weak key has $2^{32}$ fixed points $m$: $\mathrm{DES}_k(m) = m$.
Breaking DES
1992: Differential cryptanalysis (theoretical attack, $2^{47}$ chosen plaintexts).
1994: Linear cryptanalysis (practical attack, a DES key is recovered).
1997: DESCHALL Project (brute-force project over the net). A message encrypted with DES is broken for the first time.
1999: Deep Crack and distributed.net break a DES key in less than 23 hours.
2004: The standard is withdrawn.
Key length too short!!!
DES still survives in its Triple-DES form.
Substitution Permutation Network (SPN)
[Figure: $m$ → key addition $k_1$ → Substitution → Permutation → $k_2$ → … → Substitution → Permutation → $k_5$ → $c$; each substitution layer is made of parallel Sboxes S applied to the state]
The Advanced Encryption Standard (AES) Competition [1997-2000]
On January 2, 1997 the NIST announced that they wished a successor to DES (to be known as AES).
Public competition, inputs from the cryptographic community.
Requirements: Block size of 128 bits, key size of 128, 192, 256 bits, security of 2-key triple-DES as minimum.
21 submissions (15 accepted for the 1st round)
5 finalists (Rijndael, Serpent, Twofish, RC6, MARS)
On October 2, 2000, Rijndael becomes the AES.
2001: Standardization [FIPS 197]
Introduction to symmetric-key cryptography
AES
Designed by Joan Daemen and Vincent Rijmen.
Structure: Byte-oriented Substitution-Permutation Network.
State: 128 bits, seen as a 4× 4 matrix of bytes.
3 key-lengths: 128, 192, 256 bits
Number of rounds: 10, 12, 14 rounds resp.
40 / 48
AES Representation
Each byte is viewed in two different ways:
a string of 8 bits $(b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0)$ (a vector of dimension 8 over $\mathbb{F}_2$);
an element of the finite field with $2^8$ elements, $\mathbb{F}_{2^8}$:
$$b_7X^7 + b_6X^6 + b_5X^5 + b_4X^4 + b_3X^3 + b_2X^2 + b_1X + b_0$$
Irreducible polynomial RP:
$$RP = X^8 + X^4 + X^3 + X + 1$$
Introduction to symmetric-key cryptography
An AES round
Four byte-oriented transformations.
SubBytes
ShiftRows
MixColumns
AddRoundKey
42 / 48
The AES Sbox
$$S : \mathbb{F}_{2^8} \to \mathbb{F}_{2^8}, \qquad x \mapsto x^{-1}$$
followed by an affine transformation on $\mathbb{F}_2^8$:
$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} =
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} +
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$
Good resistance against differential and linear cryptanalysis.
MixColumns
Each column of the state is multiplied by the matrix $M$:
$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \end{pmatrix} = \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \end{pmatrix}$$
$M$ is an MDS matrix.
Branch number $= \min_{x \in (\mathbb{F}_{2^8})^4,\ x \neq 0} \big(HW(x) + HW(M(x))\big) = 5$.
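An added example, not from the slides: the byte arithmetic of $\mathbb{F}_{2^8}$ with the reduction polynomial RP, the Sbox built as inversion followed by the affine map above, and MixColumns with the matrix $M$, all in Python. The values checked against are the ones published in FIPS 197; the function names are my own. The branch-number check only covers inputs with a single non-zero byte (the full minimum over all $2^{32}$ column values is out of reach in plain Python), which is enough to see the MDS property at work on those inputs.

```python
# Added example (not from the slides): AES byte arithmetic in F_{2^8}, the Sbox
# (inversion followed by the affine map) and MixColumns, checked against FIPS-197 values.

RP = 0x11B  # reduction polynomial X^8 + X^4 + X^3 + X + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of F_{2^8} = F_2[X]/(RP) (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= RP
        b >>= 1
    return r & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse by exhaustive search over the 255 candidates; 0 -> 0 as in AES."""
    if a == 0:
        return 0
    for b in range(1, 256):
        if gf_mul(a, b) == 1:
            return b
    raise ValueError("no inverse: RP would not be irreducible")


# Affine part of the Sbox: y_i = sum_j A[i][j] * x_j + C[i], rows exactly as on the slide.
A = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]
C = [1, 1, 0, 0, 0, 1, 1, 0]  # the constant vector, bit 0 first (= 0x63)


def sbox(x: int) -> int:
    """S(x) = affine(x^-1), bit i of the result being y_i."""
    v = gf_inv(x)
    y = 0
    for i in range(8):
        bit = C[i]
        for j in range(8):
            bit ^= A[i][j] & (v >> j) & 1
        y |= bit << i
    return y


SBOX = [sbox(x) for x in range(256)]

# MixColumns matrix M (entries are bytes of F_{2^8}).
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_column(col):
    """y = M * x for one 4-byte column, with products in F_{2^8} and sums as XOR."""
    return [gf_mul(M[i][0], col[0]) ^ gf_mul(M[i][1], col[1])
            ^ gf_mul(M[i][2], col[2]) ^ gf_mul(M[i][3], col[3]) for i in range(4)]


def byte_weight(col) -> int:
    """HW: number of non-zero bytes in a column."""
    return sum(1 for b in col if b)


def min_branch_over_single_byte_inputs() -> int:
    """min HW(x) + HW(M x) over the 4*255 columns with exactly one non-zero byte.
    Every entry of M is non-zero, so such an x always gives 4 non-zero output bytes."""
    best = 8
    for pos in range(4):
        for b in range(1, 256):
            col = [0, 0, 0, 0]
            col[pos] = b
            best = min(best, byte_weight(col) + byte_weight(mix_column(col)))
    return best


if __name__ == "__main__":
    print("S(0x53) =", hex(SBOX[0x53]))                       # FIPS-197 example
    print("MixColumns(db 13 53 45) =", [hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("branch number on single-byte inputs:", min_branch_over_single_byte_inputs())
```

Building the whole Sbox from the formula rather than pasting the 256-entry table is a useful sanity check when auditing an implementation: a table that disagrees with `SBOX` at any index has been tampered with or mistyped.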
AddRoundKey
[Figure: state $\oplus K_i$]
Lightweight non-linear key schedule (memory, performance).
Cryptanalysis of AES
2000: Integral attacks.
2002: Algebraic attacks: AES is claimed to be broken. Proved to be not realistic.
2009: Related-key attacks: AES-192 and AES-256 are broken under this model. Should we care?
2010-2013: Meet-in-the-middle attacks.
2011: Biclique attacks: first theoretical attacks on full AES. Complexity is quite marginal (see them as accelerated exhaustive search).
Boolean Functions
Algebraic attacks
Christina Boura
École de printemps en codage et cryptographie, May 18, 2016
Outline
1 Boolean functions and cryptographic Sboxes
2 Algebraic attacks
Boolean functions
Inspired by Anne Canteaut’s Lecture Notes
A Boolean function $f$ of $n$ variables is a function
$$f : \mathbb{F}_2^n \to \mathbb{F}_2, \qquad x = (x_1, \ldots, x_n) \mapsto f(x)$$
Value vector: binary vector $v_f$ of length $2^n$ composed of all values $f(x)$, for $x \in \mathbb{F}_2^n$.
Example: $f : \mathbb{F}_2^3 \to \mathbb{F}_2$
$v_f = (f(1,1,1), f(1,1,0), f(1,0,1), f(1,0,0), f(0,1,1), f(0,1,0), f(0,0,1), f(0,0,0))$
$v_f = (1, 0, 0, 1, 1, 0, 1, 0)$
Truth table
x1            1 0 1 0 1 0 1 0
x2            1 1 0 0 1 1 0 0
x3            1 1 1 1 0 0 0 0
f(x1, x2, x3) 1 0 0 1 1 0 1 0
Question
Question: How many different Boolean functions of $n$ variables exist?
Answer: $2^{2^n}$.
Hamming weight of a Boolean function
Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$.
The Hamming weight of $f$ is defined as the number of 1’s in $v_f$:
$$wt(f) = wt(v_f) = \#\{x \in \mathbb{F}_2^n : f(x) \neq 0\}$$
For many cryptographic applications, we need Boolean functions that have a behaviour close to random functions. ⇒ Use balanced functions.
$f$ is balanced ⇔ $wt(f) = 2^{n-1}$
Balancedness and bias
Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$. The bias of $f$ is
$$\mathcal{E}(f) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)}
= \#\{x \in \mathbb{F}_2^n : f(x) = 0\} - \#\{x \in \mathbb{F}_2^n : f(x) = 1\}
= 2^n - \#\{x \in \mathbb{F}_2^n : f(x) = 1\} - \#\{x \in \mathbb{F}_2^n : f(x) = 1\}
= 2^n - 2\,wt(f)$$
$f$ is balanced ⇔ $\mathcal{E}(f) = 0$
Alternative representation of a Boolean function
Representation of a Boolean function, where the function is seen as a multivariate polynomial.
In $\mathbb{F}_2$:
+: XOR
×: AND
$x_i^2 = x_i$ (as $0^2 = 0$ and $1^2 = 1$)
Monomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 + x_1, \ldots, x_n^2 + x_n)$: product of distinct variables.
Examples: $x_1$, $x_3x_4$, $x_2x_4x_5$, $x_1x_2 \cdots x_n$
Monomials
Notation: Monomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 + x_1, \ldots, x_n^2 + x_n)$:
$$x^u = \prod_{i=1}^{n} x_i^{u_i},$$
where $u = (u_1, \ldots, u_n) \in \mathbb{F}_2^n$.
Example: $x \in \mathbb{F}_2^4$: $x^{1010} = x_1^1 x_2^0 x_3^1 x_4^0 = x_1 x_3$
Algebraic normal form (ANF)
Proposition: Any $f : \mathbb{F}_2^n \to \mathbb{F}_2$ can be uniquely written as a multivariate polynomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 + x_1, \ldots, x_n^2 + x_n)$:
$$f(x_1, \ldots, x_n) = \sum_{u \in \mathbb{F}_2^n} a_u x^u, \quad \text{where } a_u \in \mathbb{F}_2.$$
This polynomial is called the Algebraic Normal Form (ANF) of $f$.
The coefficients $a_u$ can be computed as follows:
$$a_u = \sum_{x \preceq u} f(x),$$
where $x \preceq u \Leftrightarrow x_i \leq u_i$ for $1 \leq i \leq n$.
Example
(x1, x2, x3)   (1,1,1) (0,1,1) (1,0,1) (0,0,1) (1,1,0) (0,1,0) (1,0,0) (0,0,0)
f(x1, x2, x3)     1       0       0       1       1       0       1       0
$a_{000} = f(0,0,0) = 0$
$a_{100} = f(1,0,0) + f(0,0,0) = 1 + 0 = 1$
$a_{010} = f(0,1,0) + f(0,0,0) = 0 + 0 = 0$
$a_{110} = f(1,1,0) + f(0,1,0) + f(1,0,0) + f(0,0,0) = 1 + 0 + 1 + 0 = 0$
$a_{001} = f(0,0,1) + f(0,0,0) = 1 + 0 = 1$
$a_{101} = f(1,0,1) + f(1,0,0) + f(0,0,1) + f(0,0,0) = 0 + 1 + 1 + 0 = 0$
$a_{011} = f(0,1,1) + f(0,1,0) + f(0,0,1) + f(0,0,0) = 0 + 0 + 1 + 0 = 1$
$a_{111} = \sum_{x \in \mathbb{F}_2^3} f(x) = wt(f) \bmod 2 = 0$
$$f(x_1, x_2, x_3) = x_1 + x_3 + x_2 x_3$$
Degree of a Boolean function
The algebraic degree of a Boolean function $f$ is defined as
$$\deg(f) = \max_{u \in \mathbb{F}_2^n} \{ wt(u) : a_u \neq 0 \}$$
Example: $f(x_1, x_2, x_3) = x_1x_2x_3 + x_1x_3 + x_1 + 1$. Then $\deg(f) = 3$.
Functions of degree n
Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$.
$$a_{1\ldots1} = \bigoplus_{x \in \mathbb{F}_2^n} f(x) = wt(f) \bmod 2$$
$\deg(f) = n$ iff $wt(f)$ is odd.
Functions of maximum degree are not balanced.
Maximal degree functions are not used in cryptographic applications.
Affine functions
Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ of degree 1. Then $wt(f) = 2^{n-1}$.
Affine functions are balanced.
Let $f = b \cdot x + \varepsilon$, with $b \in \mathbb{F}_2^n \setminus \{0\}$ and $\varepsilon \in \mathbb{F}_2$.
If $\varepsilon = 1$, $f(x) = 1$ iff $b \cdot x = 0$ iff $x \in \langle b \rangle^\perp$ (hyperplane).
If $\varepsilon = 0$, $f(x) = 1$ iff $b \cdot x = 1$ iff $x \in \mathbb{F}_2^n \setminus \langle b \rangle^\perp$.
Cryptographic Sboxes
An Sbox $S$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$ is a collection of $m$ Boolean functions of $n$ variables.
Example (PRESENT Sbox $S : \mathbb{F}_2^4 \to \mathbb{F}_2^4$)
x     0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)  c 5 6 b 9 0 a d 3 e f 8 4 7 1 2
S1(x) 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0
S2(x) 0 0 1 1 0 0 1 0 1 1 1 0 0 1 0 1
S3(x) 1 1 1 0 0 0 0 1 0 1 1 0 1 1 0 0
S4(x) 1 0 0 1 1 0 1 1 0 1 1 1 0 0 0 0
Boolean functions and cryptographic Sboxes
ANF of the Sbox
S1 = x1 + x3 + x4 + x2x3
S2 = x2 + x4 + x2x4 + x3x4 + x1x2x3 + x1x2x4 + x1x3x4
S3 = 1 + x3 + x4 + x1x2 + x1x4 + x2x4 + x1x2x4 + x1x3x4
S4 = 1 + x1 + x2 + x4 + x2x3 + x1x2x3 + x1x2x4 + x1x3x4
The functions S1, . . . , Sm are called the coordinates of the Sbox.
16 / 42
Components of the Sbox
Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^m$.
The components of the Sbox are the $n$-variable Boolean functions
$$S_\lambda : x \mapsto \lambda \cdot S(x)$$
for all $\lambda \in \mathbb{F}_2^m$.
Examples:
$S_3 = S_1 + S_2$
$S_{15} = S_1 + S_2 + S_3 + S_4$
The components of an Sbox offer a useful characterisation.
When an Sbox is a permutation
Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^n$.
$S$ is a permutation iff all its non-trivial components are balanced.
Proof. ($S$ permutation ⇒ the $S_\lambda$ are balanced)
Suppose $S$ is a permutation and let $\lambda \neq 0$. Then,
$$\mathcal{E}(S_\lambda) = \sum_{x \in \mathbb{F}_2^n} (-1)^{\lambda \cdot S(x)} = \sum_{y \in \mathbb{F}_2^n} (-1)^{\lambda \cdot y} = 0.$$
Algebraic degree of an Sbox
Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^m$.
The degree of S is the maximal degree of the ANF of its components.
Example: S = (S1, S2, S3, S4)
S1 = x1 + x3 + x4 + x2x3
S2 = x2 + x4 + x2x4 + x3x4 + x1x2x3 + x1x2x4 + x1x3x4
S3 = 1 + x3 + x4 + x1x2 + x1x4 + x2x4 + x1x2x4 + x1x3x4
S4 = 1 + x1 + x2 + x4 + x2x3 + x1x2x3 + x1x2x4 + x1x3x4
deg(S) = 3
19 / 42
Algebraic degree of a permutation
Boolean functions of maximal degree are not balanced.
An Sbox is a permutation iff all its non-trivial components are balanced.
The degree of an Sbox is the maximal degree of its components.
Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^n$.
$S$ is a permutation ⇔ $\deg(S) \leq n - 1$
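The definitions of this section, as an added Python example (not the slides' code): the Möbius transform that computes $a_u = \sum_{x \preceq u} f(x)$, the algebraic degree, balancedness, and the coordinates and components of an Sbox, applied to the 3-variable function of the earlier example and to the PRESENT Sbox. The encoding of $x$ as the integer whose bit $i-1$ is $x_i$ (and of $S_i$ as bit $i-1$ of $S(x)$) is my assumption; it reproduces the slides' tables and ANFs.

```python
# Added example, not from the slides: value vector -> ANF (Moebius transform),
# algebraic degree, balancedness, coordinates/components of an Sbox, and the
# "all non-trivial components balanced" permutation test.
# Encoding assumed throughout: input x is the integer whose bit (i-1) is x_i,
# coordinate S_i(x) is bit (i-1) of S(x). This matches the PRESENT table on the slide.


def anf(truth, n):
    """Coefficients a_u = XOR of f(x) over all x <= u (bitwise); butterfly form of the slide's formula.
    truth[x] = f(x) for x in 0 .. 2^n - 1."""
    a = list(truth)
    for i in range(n):
        for u in range(1 << n):
            if u & (1 << i):
                a[u] ^= a[u ^ (1 << i)]
    return a


def monomials(truth, n):
    """Set of u with a_u = 1, as bit masks (bit i-1 <-> variable x_i); mask 0 is the constant 1."""
    a = anf(truth, n)
    return {u for u in range(1 << n) if a[u]}


def monomial_str(u):
    return "1" if u == 0 else "".join(f"x{i + 1}" for i in range(u.bit_length()) if u >> i & 1)


def degree(truth, n):
    """deg(f) = max wt(u) over the monomials present; 0 for a constant function."""
    return max((bin(u).count("1") for u in monomials(truth, n)), default=0)


def is_balanced(truth):
    """wt(f) = 2^(n-1), i.e. half of the value vector is 1."""
    return 2 * sum(truth) == len(truth)


def coordinate(sbox, i):
    """Truth table of S_{i+1}: bit i of every output."""
    return [(y >> i) & 1 for y in sbox]


def component(sbox, lam):
    """Truth table of S_lambda : x -> lambda . S(x) (parity of lambda AND S(x))."""
    return [bin(lam & y).count("1") & 1 for y in sbox]


def sbox_degree(sbox, n, m):
    """Maximal degree over all non-trivial components."""
    return max(degree(component(sbox, lam), n) for lam in range(1, 1 << m))


def is_permutation_by_components(sbox, n):
    """The slide's criterion: S is a permutation iff every S_lambda, lambda != 0, is balanced."""
    return all(is_balanced(component(sbox, lam)) for lam in range(1, 1 << n))


# f from the slide, f(x1, x2, x3) = x1 + x3 + x2x3, stored at index x1 + 2*x2 + 4*x3
F_TRUTH = [0, 1, 0, 1, 1, 0, 0, 1]
# PRESENT Sbox from the slide
PRESENT = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

if __name__ == "__main__":
    print("f =", " + ".join(monomial_str(u) for u in sorted(monomials(F_TRUTH, 3))))
    for i in range(4):
        ms = sorted(monomials(coordinate(PRESENT, i), 4))
        print(f"S{i + 1} =", " + ".join(monomial_str(u) for u in ms))
    print("deg(S) =", sbox_degree(PRESENT, 4, 4),
          "| permutation:", is_permutation_by_components(PRESENT, 4))
```

Running it prints `f = x1 + x3 + x2x3` and the four PRESENT coordinates exactly as listed on the "ANF of the Sbox" slide; the same functions apply unchanged to any $n$-bit table, which is how one checks a candidate Sbox for degree and bijectivity before using it in a design.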
Univariate representation
Identify the vector space $\mathbb{F}_2^n$ with the finite field $\mathbb{F}_{2^n}$.
$$S(X) = \sum_{i=0}^{2^n - 1} b_i X^i, \qquad b_i \in \mathbb{F}_{2^n}.$$
Degree in the univariate representation
Let $S$ be an $n$-bit Sbox and let
$$F(x) = \sum_{i=0}^{2^n - 1} b_i x^i$$
be its univariate representation in $\mathbb{F}_{2^n}[x]$.
The degree of $F$ is given by
$$\deg(F) = \max\{ wt(i) : 0 \leq i < 2^n \text{ and } b_i \neq 0 \}.$$
Algebraic attacks
Basic algebraic attack
Principle introduced by Claude Shannon in 1949.
Express the whole cipher as a large system of multivariate algebraic equations (known-plaintext attack):
Known coefficients: plaintext and ciphertext bits
Unknowns: key bits
Solve the algebraic system and recover the secret key.
Linearization (I)
The complexity of the attack depends on the degree of the system.
A (naive) method for solving such a system: linearization.
Idea: Identify the system with a linear system of
$$\sum_{i=1}^{d} \binom{n}{i}$$
variables, where $n$ is the block size. Each product of $i$ initial variables, $1 \leq i \leq d$, is seen as a new variable.
Linearization (II)
Solve the linear system by linear algebra.
Complexity:
$$\Big( \sum_{i=1}^{d} \binom{n}{i} \Big)^{\omega} \approx n^{d\omega},$$
where $\omega$ depends on the method used for the resolution ($\omega \approx 2.37$).
Other methods for solving the system:
Gröbner basis algorithms
ad-hoc techniques: XL, XSL.
Example on a toy cipher
Anne Canteaut’s Lecture Notes
Block size: $n = 4$ bits
Key size: 8 bits
[Figure: $m \to \oplus k_1 \to u \to S \to v \to \oplus k_2 \to c$]
$$c = k_2 \oplus S(m \oplus k_1)$$
$$c \oplus k_2 = S(m \oplus k_1)$$
One plaintext-ciphertext pair gives 4 equations in 8 variables.
Algebraic attacks
ANF of the Sbox
x 0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) f e b c 6 d 7 8 0 3 9 a 4 2 1 5
S1 = 1 + x1 + x3 + x2x3 + x4 + x2x4 + x3x4 + x1x3x4 + x2x3x4
S2 = 1 + x1x2 + x1x3 + x1x2x3 + x4 + x1x4 + x1x2x4 + x1x3x4
S3 = 1 + x2 + x1x2 + x2x3 + x4 + x2x4 + x1x2x4 + x3x4 + x1x3x4
S4 = 1 + x3 + x1x3 + x4 + x2x4 + x3x4 + x1x3x4 + x2x3x4
28 / 42
Algebraic attacks
Write down the equations
Express each ciphertext bit ci, 1 ≤ i ≤ 4, as a multivariate polynomial inthe plaintext bits m1, . . . ,m4 and in the key bits k1, . . . , k8.
c1 + k5 = 1 + (m1 + k1) + (m3 + k3) + (m2 + k2)(m3 + k3) + (m4 + k4)
+ (m2 + k2)(m4 + k4) + (m3 + k3)(m4 + k4) + (m1 + k1)(m3 + k3)(m4 + k4)
+ (m2 + k2)(m3 + k3)(m4 + k4)
c2 + k6 = 1 + (m1 + k1)(m2 + k2) + (m1 + k1)(m3 + k3) + (m1 + k1)(m2 + k2)(m3 + k3)
+ (m4 + k4) + (m1 + k1)(m4 + k4) + (m1 + k1)(m2 + k2)(m4 + k4)
+ (m1 + k1)(m3 + k3)(m4 + k4)
c3 + k7 = 1 + (m2 + k2) + (m1 + k1)(m2 + k2) + (m2 + k2)(m3 + k3) + (m4 + k4)
+ (m2 + k2)(m4 + k4) + (m1 + k1)(m2 + k2)(m4 + k4) + (m3 + k3)(m4 + k4)
+ (m1 + k1)(m3 + k3)(m4 + k4)
c4 + k8 = 1 + (m3 + k3) + (m1 + k1)(m3 + k3) + (m4 + k4) + (m2 + k2)(m4 + k4)
+ (m3 + k3)(m4 + k4) + (m1 + k1)(m3 + k3)(m4 + k4)
+ (m2 + k2)(m3 + k3)(m4 + k4)
29 / 42
Algebraic attacks
Re-write the equations
c1 + k5 = S1(m) + (1 +m3m4)k1 + (m3 +m4 +m3m4)k2
+ (1 +m2 +m4 +m1m4 +m2m4)k3
+ (1 +m2 +m3 +m1m3 +m2m3)k4 +m4k1k3 +m3k1k4 + (1 +m4)k2k3
+ (1 +m3)k2k4 + (1 +m1 +m2)k3k4 + k1k3k4 + k2k3k4
c2 + k6 = S2(m) + (m2 +m3 +m2m3 +m4 +m2m4 +m3m4)k1
+ (m1 +m1m3 +m1m4)k2 + (m1 +m1m2 +m1m4)k3
+ (1 +m1 +m1m2 +m1m3)k4 + (1 +m3 +m4)k1k2 + (1 +m2 +m4)k1k3
+ (1 +m2 +m3)k1k4 +m1k2k3 +m1k2k4 +m1k3k4 + k1k2k3 + k1k2k4 + k1k3k4
c3 + k7 = S3(m) + (m2 +m2m4 +m3m4)k1 + (1 +m1 +m3 +m4 +m1m4)k2
+ (m2 +m4 +m1m4)k3 + (1 +m2 +m3 +m1m2 +m1m3)k4 + (1 +m4)k1k2
+ m4k1k3 + (m2 +m3)k1k4 + k2k3 +m1k3k4 + (1 +m1)k2k4 + k3k4 + k1k2k4
+ k1k3k4
c4 + k8 = S4(m) + (m3 +m3m4)k1 + (m4 +m3m4)k2
+ (1 +m1 +m4 +m1m4 +m2m4)k3 + (1 +m2 +m3 +m1m3 +m2m3)k4
+ (1 +m4)k1k3 + (m3)k1k4 +m4k2k3 + (1 +m3)k2k4 + (1 +m1 +m2)k3k4
+ k1k3k4 + k2k3k4
30 / 42
Algebraic attacks
Replace the known values
From the plaintext-ciphertext couple (m, c) = (0x0, 0x4) we get
c1 + k5 = 1 + k1 + k3 + k4 + k2k3 + k2k4 + k3k4 + k1k3k4 + k2k3k4
c2 + k6 = 1 + k4 + k1k2 + k1k3 + k1k4 + k1k2k3 + k1k2k4 + k1k3k4
c3 + k7 = 1 + k2 + k4 + k1k2 + k2k3 + k2k4 + k3k4 + k1k2k4 + k1k3k4
c4 + k8 = 1 + k3 + k4 + k1k3 + k2k4 + k3k4 + k1k3k4 + k2k3k4
Polynomial system of degree d = 3 with 8 unknowns.
31 / 42
Algebraic attacks
Linearize the system
Replace each monomial in the key bits of degree 2 or 3 with a new
unknown:
k9 = k1k2, k10 = k1k3, . . . , k14 = k3k4, k15 = k1k2k3, . . . , k18 = k2k3k4
c1 + k5 = 1 + k1 + k3 + k4 + k12 + k13 + k14 + k16 + k18
c2 + k6 = 1 + k4 + k9 + k10 + k11 + k15 + k17 + k16
c3 + k7 = 1 + k2 + k4 + k9 + k12 + k13 + k14 + k17 + k16
c4 + k8 = 1 + k3 + k4 + k10 + k13 + k14 + k16 + k18
Linear system with $8 + \binom{4}{2} + \binom{4}{3} = 18$ unknowns.
Algebraic attacks
Solve the system
Here, 5 $(m, c)$ couples are enough to solve the system ($4 \times 5 = 20$ equations).
In practice, block ciphers have a much larger block size and are composed of many rounds.
The degree of the polynomial system increases with the number of rounds.
Solving such systems: infeasible even for a few rounds.
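The procedure of the last four slides (write the equations for a known $(m, c)$, substitute the known bits, linearise the key monomials, solve by linear algebra over $\mathbb{F}_2$), carried out in Python on the toy cipher as an added example that is not from the lecture notes. The Sbox is the one of the toy cipher; the key and the plaintexts queried are constructed. One caveat becomes visible in the output: after linearisation each degree-3 key monomial has exactly the same column as a combination of the output-key bits $k_5, \ldots, k_8$ (for instance $k_1k_2k_3$ occurs only in the $c_2$ equation, always next to $k_6$), so linear algebra alone cannot separate them. The code therefore solves for the four bits of the first subkey and obtains the second subkey from one pair as $c \oplus S(m \oplus k_1)$.

```python
# Added example, not from the slides: algebraic attack on the one-round toy cipher
# c = k2 xor S(m xor k1), carried out end to end: equations for known (m, c),
# linearisation of the key monomials, Gauss-Jordan over F_2. Bit i-1 of a nibble
# is x_i / k_i, as in the slides' tables; the key used below is constructed.

SBOX = [0xF, 0xE, 0xB, 0xC, 0x6, 0xD, 0x7, 0x8, 0x0, 0x3, 0x9, 0xA, 0x4, 0x2, 0x1, 0x5]


def toy_encrypt(m, k1, k2):
    return SBOX[m ^ k1] ^ k2


def coordinate_anf(i):
    """Monomials u (bit masks over x1..x4) of the ANF of S_i: a_u = XOR of S_i(x) over x <= u."""
    return {u for u in range(16) if sum((SBOX[x] >> i) & 1 for x in range(16) if x & u == x) & 1}


def submasks(u):
    t = u
    while True:
        yield t
        if t == 0:
            return
        t = (t - 1) & u


def equation(anf_i, i, m, c, columns):
    """Row of the linearised system for c_i + k_{i+5} = S_i(m xor k), with m and c known.
    x^u = prod_{j in u}(m_j + k_j) = sum over T <= u of m^{u\\T} k^T, and m^{u\\T} = 1 iff u\\T <= m.
    Every key monomial k^T that survives becomes one linear unknown (a column)."""
    terms = set()                      # masks over the 8 key bits, XOR semantics
    for u in anf_i:
        for t in submasks(u):
            if (u & ~t) & ~m == 0:
                terms ^= {t}
    terms ^= {1 << (i + 4)}            # the output key bit k_{i+5}
    const = (c >> i) & 1
    if 0 in terms:                     # constant term moves to the right-hand side
        terms.remove(0)
        const ^= 1
    mask = 0
    for t in terms:
        mask |= 1 << columns.setdefault(t, len(columns))
    return mask, const


def solve_f2(rows):
    """Gauss-Jordan over F_2 on (coefficient mask, constant) rows, kept in reduced echelon form.
    Returns {column: value} for the unknowns the system determines uniquely."""
    pivots = {}
    for mask, const in rows:
        for col, (pm, pc) in pivots.items():
            if mask >> col & 1:
                mask, const = mask ^ pm, const ^ pc
        if mask == 0:
            continue
        col = (mask & -mask).bit_length() - 1
        for c2 in list(pivots):
            if pivots[c2][0] >> col & 1:
                pivots[c2] = (pivots[c2][0] ^ mask, pivots[c2][1] ^ const)
        pivots[col] = (mask, const)
    return {col: const for col, (mask, const) in pivots.items() if mask == 1 << col}


def recover_key(oracle):
    """Query (m, c) pairs until k_1..k_4 are determined; the second subkey follows from one pair."""
    anfs = [coordinate_anf(i) for i in range(4)]
    columns, rows = {}, []
    for m in range(16):
        c = oracle(m)
        rows += [equation(anfs[i], i, m, c, columns) for i in range(4)]
        sol = solve_f2(rows)
        if all(columns.get(1 << j) in sol for j in range(4)):
            k1 = sum(sol[columns[1 << j]] << j for j in range(4))
            k2 = c ^ SBOX[m ^ k1]
            undetermined = [t for t, col in columns.items() if col not in sol]
            return {"k1": k1, "k2": k2, "pairs": m + 1,
                    "unknowns": len(columns), "undetermined": undetermined}
    return None


if __name__ == "__main__":
    secret = (0b1011, 0b0110)          # constructed key (first subkey, second subkey)
    res = recover_key(lambda m: toy_encrypt(m, *secret))
    print(res, "correct:", (res["k1"], res["k2"]) == secret)
```

`unknowns` is the 18 of the slide (8 key bits plus the 10 products of $k_1, \ldots, k_4$), and `undetermined` lists the linearised unknowns the linear algebra could not fix individually, which is the information the linearisation throws away.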
Algebraic attacks
Alternative solution: use intermediate variables
Use intermediate variables to control the degree of the system.
[Figure: two-round toy cipher $m \to \oplus k_1 \to u \to S \to v \to \oplus k_2 \to w \to S \to x \to \oplus k_3 \to c$]
Consider the 4 bits of $v$ as additional unknowns.
One known P-C pair gives 8 equations of degree 3 with 16 unknowns (12 key bits + 4 bits of $v$).
For any additional P-C pair: +4 equations but +4 unknowns.
$N$ P-C pairs → $8N$ equations and $12 + 4N$ unknowns.
Algebraic attacks
Advanced algebraic attack
Decrease the degree of the polynomial system even if the round functionhas a high degree.
Idea introduced by Courtois and Pieprzyk in 2002.
Example: Relations of degree 2 between inputs and outputs:
x2x4 + x2S1(x1, . . . , x4) + x2S2(x1, ..., x4) = 0
We get then the following quadratic equation:
(m4+c1+c2)k2+m2k4+m2k5+m2k6+k2k4+k2k5+k2k6 = m2m4+m2c1+m2c2.
35 / 42
Relations of degree 2
21 linearly independent relations of degree 2 between the input and the output bits can be exhibited.
System easier to solve than the original equations.
Question: What is the least number of linearly independent relations of degree at most $d$?
$$\sum_{i=0}^{d} \binom{2n}{i} - 2^n$$
Example
Any function from $\mathbb{F}_2^4$ into $\mathbb{F}_2^4$ has at least
$$\sum_{i=0}^{2} \binom{8}{i} - 2^4 = 37 - 16 = 21$$
quadratic relations between its inputs and outputs.
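An added Python example (not from the slides) that computes the number of linearly independent relations of degree at most $d$ between the input and output bits of a 4-bit Sbox as the nullity of the evaluation matrix (one row per input $x$, one column per monomial of degree $\leq d$ in the $2n$ variables $x_1, \ldots, x_n, y_1, \ldots, y_n$), and compares it with the bound $\sum_{i \leq d} \binom{2n}{i} - 2^n$. It uses the toy Sbox of the algebraic-attack example; the function names are my own.

```python
# Added example, not from the slides: count the independent relations of degree <= d
# between inputs and outputs of an Sbox as the nullity of the evaluation matrix over F_2.
from itertools import combinations
from math import comb

# Toy Sbox from the algebraic-attack example (slide table)
TOY = [0xF, 0xE, 0xB, 0xC, 0x6, 0xD, 0x7, 0x8, 0x0, 0x3, 0x9, 0xA, 0x4, 0x2, 0x1, 0x5]


def rank_f2(rows):
    """Rank over F_2 of rows given as bit masks (XOR basis keyed by the highest set bit)."""
    basis = {}
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb not in basis:
                basis[hb] = r
                break
            r ^= basis[hb]
    return len(basis)


def monomials_up_to(nvars, d):
    """All products of <= d distinct variables among 0..nvars-1, as bit masks (mask 0 = constant 1)."""
    return [sum(1 << i for i in s) for k in range(d + 1) for s in combinations(range(nvars), k)]


def count_relations(sbox, n, d):
    """(number of monomials, number of independent degree-<=d polynomials in (x, y)
    that vanish on every point (x, S(x))) = (#columns, #columns - rank)."""
    monos = monomials_up_to(2 * n, d)
    rows = []
    for x in range(1 << n):
        point = x | (sbox[x] << n)          # 2n-bit vector (x_1..x_n, y_1..y_n)
        row = 0
        for j, u in enumerate(monos):
            if point & u == u:              # the monomial evaluates to 1 at this point
                row |= 1 << j
        rows.append(row)
    return len(monos), len(monos) - rank_f2(rows)


def lower_bound(n, d):
    """The slide's bound: sum_{i<=d} C(2n, i) - 2^n."""
    return sum(comb(2 * n, i) for i in range(d + 1)) - (1 << n)


if __name__ == "__main__":
    ncols, nrel = count_relations(TOY, 4, 2)
    print(f"{ncols} quadratic monomials, {nrel} independent quadratic relations "
          f"(bound: {lower_bound(4, 2)})")
```

The bound is just the rank argument in code: the matrix has $2^n$ rows, so its rank is at most $2^n$ and the kernel has dimension at least (number of monomials) $- 2^n$. Raising `d` to 3 shows how quickly the count of relations grows for small Sboxes.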
The case of AES (I)
The AES Sbox can be seen as the composition of the inversion over $\mathbb{F}_{2^8}$ with an affine function.
For the inverse operation, the input $a$ and output $b$ satisfy the relation $ab = 1$ over $\mathbb{F}_{2^8}$:
$$(a_7X^7 + a_6X^6 + a_5X^5 + a_4X^4 + a_3X^3 + a_2X^2 + a_1X + a_0) \times (b_7X^7 + b_6X^6 + b_5X^5 + b_4X^4 + b_3X^3 + b_2X^2 + b_1X + b_0) = 1$$
The case of AES (II)
Derive 8 multivariate quadratic equations over $\mathbb{F}_2$ (one for each coefficient of the previous equation).
Example
$$a_0b_0 + a_7b_1 + a_6b_2 + a_5b_3 + a_4b_4 + a_3b_5 + a_2b_6 + a_1b_7 + a_7b_6 + a_6b_7 + a_7b_5 + a_6b_6 + a_5b_7 = 1.$$
Derive other equations by exploiting for example relations of the form $a^2 b = a$ and $a b^2 = b$ over $\mathbb{F}_{2^8}$.
Quadratic system for AES
There are in total 39 quadratic relations for the AES Sbox (much more than for a randomly chosen mapping over $\mathbb{F}_2^8$).
Use these relations of degree 2 to form a quadratic system by introducing new variables for the outputs of successive rounds.
8000 quadratic equations in 1600 variables.
Solving the system
How to solve the resulting system?
XSL (eXtended Sparse Linearisation): based on linearization, but attempting to exploit the sparsity and specific structure of the equation system.
Gröbner basis algorithms, SAT solvers, etc.
Courtois and Pieprzyk claimed that by using XSL it was possible to mount an (at least theoretical) successful attack against AES-128.
However, it was shown by Cid and Leurent (Asiacrypt 05) that the algorithm did not work as expected, so one could not claim that AES was broken.
The limitations of algebraic attacks
No well-known block cipher has been broken using pure algebraic techniques faster than with other techniques.
Algebraic cryptanalysis works better in the case of stream ciphers, and resistance against such attacks is a design criterion.
The applicability of an algebraic attack mainly depends on the algebraic degree of the block cipher.
Other attacks depending on the algebraic degree:
Higher-order differential attacks, their derivatives and extensions.
Some attacks against block ciphers
Christina Boura
École de printemps en codage et cryptographie, May 19, 2016
Last-round attacks
Outline
1 Last-round attacks
2 Higher-order differential attacks
3 Integral attacks
4 Bounds on the degree of iterated constructions
2 / 59
Statistical attacks
Statistical attacks exploit relations that hold with a certain probability only.
Rely on the existence of a distinguisher.
A distinguisher $\mathcal{D}$ for a block cipher $(E_k)_k$ is an algorithm taking $N$ pairs $(x_i, y_i)$, $1 \leq i \leq N$, and returning 0 or 1.
Goal: Decide if the $N$ pairs are input-output pairs of the target block cipher or not:
1: if the $(x_i, y_i)$ are input-output pairs of $E_k$ for some key $k$.
0: if the $(x_i, y_i)$ are input-output pairs of a random permutation.
Last-round attacks
Advantage of the distinguisher
Let p be the probability that the algorithm returns 1 (the N pairscome from the target block cipher).
Let p′ be the probability that the algorithm returns 0 (the N pairscome from a random permutation).
The capacity to distinguish the target block cipher from a randompermutation is measured as
|p− p′|
and is called advantage.
4 / 59
Consequences of a distinguisher
The existence of a distinguisher with a non-negligible advantage is an undesirable property for a block cipher.
However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered.
But: For iterated ciphers
$$E_k = F_{k_r} \circ F_{k_{r-1}} \circ \cdots \circ F_{k_1}$$
a distinguisher for the reduced cipher
$$G_k = F_{k_{r-1}} \circ \cdots \circ F_{k_1}$$
can be a serious threat.
Last-round attacks
Attack on the last round (I)
If an attacker finds a distinguisher D for the reduced-round cipher Gk, thenhe can run a last-round attack.
Goal: Recover the last-round subkey kr.
6 / 59
Attack on the last round (II)
[Figure: $x \to F_{k_1} \to F_{k_2} \to \cdots \to F_{k_{r-1}} \to F_{k_r} \to z = E_k(x)$; the value after the first $r-1$ rounds is $G_k(x)$, and $y$ is obtained from $z$ by inverting the last round under a guess $k'$]
Collect enough plaintext-ciphertext pairs $(x_i, z_i)$, where $z_i = E_k(x_i)$.
For all possible values $k'$ compute $y_i = F^{-1}_{k'}(z_i)$.
Attack on the last round (III)
[Figure: $x \to F_{k_1} \to F_{k_2} \to \cdots \to F_{k_{r-1}} \to F_{k_r} \to z = E_k(x) \to F^{-1}_{k'} \to y$; the value after $r-1$ rounds is $G_k(x)$]
If $k'$ is the right subkey ($k' = k_r$):
$$P(k') = F^{-1}_{k'} \circ E_k = F^{-1}_{k'} \circ F_{k_r} \circ F_{k_{r-1}} \circ F_{k_{r-2}} \circ \cdots \circ F_{k_1} = F^{-1}_{k_r} \circ F_{k_r} \circ F_{k_{r-1}} \circ F_{k_{r-2}} \circ \cdots \circ F_{k_1} = F_{k_{r-1}} \circ F_{k_{r-2}} \circ \cdots \circ F_{k_1} = G_k$$
$P(k')$ belongs to the family of reduced ciphers.
If $k'$ is a wrong subkey, $P(k')$ is assumed to have the same behaviour as a randomly chosen permutation.
This assumption is known as the wrong-key randomization hypothesis.
Algorithm

Data: $N$ plaintext-ciphertext couples $(x_i, z_i)$, for $1 \le i \le N$
Result: A set of candidate keys for the last-round subkey $k_r$

for all possible values $k'$ of $k_r$ do
    counter ← 0
    for $i = 1 \ldots N$ do
        compute $y_i = F_{k'}^{-1}(z_i)$
        counter ← counter + $D(x_i, y_i)$
    end
    if counter ≥ τ then
        add $k'$ to the set of candidates
    end
end

The value τ is a threshold fixed by the attacker.
Remarks

As we exhaust all values of the last-round subkey, this attack only works in this basic form if the subkeys are small (e.g. not for AES-128). In practice, we only try to recover a small part of the last-round key (some bits). For the other bits of the subkey, we repeat the attack with modified parameters.

Once the last subkey is recovered, how do we proceed next?

For some ciphers, once a subkey is completely recovered, one can compute back through the key schedule to retrieve the master key. If the different subkeys are not related, one can
exhaustively search the remaining key bits,
repeat the same attack on the cipher obtained by successively removing the last round,
or combine both approaches.
Higher-order differential attacks
Outline
1 Last-round attacks
2 Higher-order differential attacks
3 Integral attacks
4 Bounds on the degree of iterated constructions
Higher-order derivatives
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$.
Derivative of $F$ at a point $a \in \mathbb{F}_2^n$:
$D_a F(x) := F(x \oplus a) \oplus F(x)$, for every $x \in \mathbb{F}_2^n$.
Xuejia Lai extended this notion in 1994.
Definition [k-th order derivative of F]. For any $k$-dimensional subspace $V$ of $\mathbb{F}_2^n$, the $k$-th order derivative of $F$ with respect to $V$ is the function defined by
$$D_V F(x) = D_{a_1} D_{a_2} \cdots D_{a_k} F(x) = \bigoplus_{v \in V} F(x \oplus v),$$
for every $x \in \mathbb{F}_2^n$, where $(a_1, \ldots, a_k)$ is a basis of $V$.
Example
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ and $V = \langle a_1, a_2 \rangle \subset \mathbb{F}_2^n$ of dimension 2.
The 2nd-order derivative of $F$ with respect to $V$ is
$$D_V F(x) = D_{a_1} D_{a_2} F(x) = D_{a_1}\big(F(x) \oplus F(x \oplus a_2)\big) = F(x) \oplus F(x \oplus a_1) \oplus F(x \oplus a_2) \oplus F(x \oplus a_1 \oplus a_2).$$
Degree of a derivative
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ of degree $d$ and $a = (a_1, \ldots, a_n)$. Then
$$\deg(D_a F) \le d - 1.$$
Examples:
$F(x_1, \ldots, x_n) = x_1$. Then
$D_a F(x) = D_a(x_1) = (x_1 \oplus a_1) \oplus x_1 = a_1 \Rightarrow \deg(D_a F) = 0$.
$F(x_1, \ldots, x_n) = x_1 x_2$. Then
$D_a F(x) = D_a(x_1 x_2) = (x_1 \oplus a_1)(x_2 \oplus a_2) \oplus x_1 x_2 = x_1 x_2 \oplus a_1 x_2 \oplus a_2 x_1 \oplus a_1 a_2 \oplus x_1 x_2 = a_1 x_2 \oplus a_2 x_1 \oplus a_1 a_2 \Rightarrow \deg(D_a F) = 1$.
Important property
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ of degree $d$ and $a = (a_1, \ldots, a_n)$.
Example: $F(x_1, \ldots, x_n) = x_1 x_2 \cdots x_d$. Then
$$D_a(x_1 x_2 \cdots x_d) = (x_1 \oplus a_1)(x_2 \oplus a_2) \cdots (x_d \oplus a_d) \oplus x_1 x_2 \cdots x_d = x_1 \cdots x_d \oplus (\text{terms of degree} \le d - 1) \oplus x_1 \cdots x_d \Rightarrow \deg(D_a F) \le d - 1.$$
Proposition [Lai 94]. For every subspace $V$ with $\dim V > \deg F$,
$$D_V F(x) = \bigoplus_{v \in V} F(x \oplus v) = 0, \quad \text{for every } x \in \mathbb{F}_2^n.$$
Attack on the last round
Attack based on a low degree.

[Figure: an $r$-round SPN from the plaintext $m$ to the ciphertext $c$, alternating subkey additions $k_0, k_1, \ldots, k_{r-1}, k_r$ with Sbox layers S and linear layers L. The map $F$ from $m$ to the state before the last round has degree $< d$; inverting the last round under a subkey guess $k$ gives $z = F_k^{-1}(c)$.]

Use higher-order derivatives [Knudsen 94]

For all values of $k$ check whether $m \mapsto z = F_k^{-1}(c)$ has degree $< d$.
How?
Check whether all derivatives of order $d$ are zero.
The attack
Let $V$ be a vector space of dimension $d$.
Input: Choose $2^d$ plaintexts of the form $m \oplus v$, $v \in V$ (a coset of $V$), and get the corresponding ciphertexts.
Example: $d = 3$, $m = 0$, $V = \langle v_1, v_2, v_3 \rangle$.
Chosen plaintexts: $0, v_1, v_2, v_3, v_1 \oplus v_2, v_1 \oplus v_3, v_2 \oplus v_3, v_1 \oplus v_2 \oplus v_3$.
If for a key $k$,
$$\bigoplus_{i=0}^{2^d - 1} F_k^{-1}(c_i) \ne 0,$$
we conclude that $k$ is a wrong key.
Number of candidate keys
What is the probability that for a wrong key $\bigoplus_i F_k^{-1}(c_i) = 0$? (false-alarm probability)
$$P\Big[\bigoplus_{i=0}^{2^d - 1} F_k^{-1}(c_i) = 0\Big] = 2^{-n},$$
where $n$ is the block size.
As there are $2^\kappa$ key candidates ($\kappa$ is the size of a subkey), around $2^{\kappa - n}$ wrong keys will be proposed as candidates for the right key, in addition to the right one.
Find the right candidate
How to find the right key among the remaining candidates?
Do an exhaustive search among the remaining candidates, or
repeat the attack by choosing a different vector space of dimension $d$.
Data complexity: $2^d$ chosen plaintexts.
Time complexity: $2^d \times 2^\kappa$ (one partial decryption per chosen plaintext and key guess).
Remark: In practice, we recover smaller fragments of the key.
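The last-round attack of the Algorithm slide combined with the higher-order differential test above, as an added worked example that is not part of the original lecture: a constructed 9-bit toy SPN (three parallel 3-bit Sboxes $x \mapsto x^3$ over $\mathbb{F}_{2^3}$, the same degree-2 power map as in the KN cipher below, a bit transposition as linear layer, and independent round keys) is attacked with $d = 5$, since its 2-round reduced cipher has degree at most 4. The equivalent last-round key $P(k_3)$ is recovered 3 bits at a time (divide and conquer), and the attack is repeated on cosets of several 5-dimensional subspaces to remove the wrong guesses that survive by chance. The cipher, the key values and the subspace choices are all constructed for this example and assume nothing beyond the slides.

```python
import random

# Added worked example (not code from the lecture). Constructed 9-bit toy SPN: three parallel
# 3-bit Sboxes x -> x^3 over GF(2^3) (modulus x^3 + x + 1, the same degree-2 power map as in
# the KN cipher), a bit transposition as linear layer, and independent round keys.
SBOX3 = [0, 1, 3, 4, 5, 6, 7, 2]                  # x -> x^3: a permutation of degree 2
SBOX3_INV = [SBOX3.index(y) for y in range(8)]
N_BITS, N_SBOX = 9, 3
ROUND_KEYS = [0o517, 0o123, 0o745, 0o262]         # constructed sample subkeys k_0, ..., k_3


def sbox_layer(x):
    return sum(SBOX3[(x >> (3 * j)) & 7] << (3 * j) for j in range(N_SBOX))


def perm_bits(x):
    """Linear layer P: transpose the 3x3 grid of bits (bit 3i+j -> bit 3j+i). P is an involution."""
    return sum(((x >> (3 * i + j)) & 1) << (3 * j + i) for i in range(3) for j in range(3))


def round_function(state, k):
    """F_k(x) = P(S(x)) xor k: the subkey enters after the non-linear layer, so that a wrong
    guess of k cannot be cancelled by the XOR over an even number of texts."""
    return perm_bits(sbox_layer(state)) ^ k


def encrypt(x, keys):
    """E_k = F_{k_3} o F_{k_2} o F_{k_1} applied to x xor k_0. The reduced cipher (two rounds)
    has degree at most 2 * 2 = 4, so by Lai's proposition its derivatives of order 5 vanish."""
    state = x ^ keys[0]
    for k in keys[1:]:
        state = round_function(state, k)
    return state


def span(basis):
    """All vectors of the subspace spanned by `basis`."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return sorted(vecs)


def random_subspace_basis(rng, dim, nbits=N_BITS):
    """A basis of a random dim-dimensional subspace of F_2^nbits (rejection sampling)."""
    while True:
        basis = [rng.randrange(1, 1 << nbits) for _ in range(dim)]
        if len(span(basis)) == 1 << dim:
            return basis


def last_round_candidates(encrypt_oracle, basis, m):
    """One run on the coset m xor V. For each Sbox position j, keep the 3-bit guesses g of the
    equivalent last-round key P(k_3) for which the 5th-order derivative of the partially
    decrypted state is 0. The right value always survives; a wrong one survives with
    probability about 2^-3, the false-alarm rate 2^(kappa - n) with kappa = n = 3."""
    ciphertexts = [encrypt_oracle(m ^ v) for v in span(basis)]
    survivors = []
    for j in range(N_SBOX):
        keep = set()
        for g in range(8):
            acc = 0
            for z in ciphertexts:
                # z = P(S(w)) xor k_3, hence S(w) = P(z) xor P(k_3) and w_j = S^-1(P(z)_j xor g)
                acc ^= SBOX3_INV[((perm_bits(z) >> (3 * j)) & 7) ^ g]
            if acc == 0:
                keep.add(g)
        survivors.append(keep)
    return survivors


def recover_last_round_key(encrypt_oracle, n_cosets=8, seed=7):
    """Repeat the attack on cosets of different 5-dimensional subspaces and intersect the
    candidate sets. Returns (candidate sets per Sbox, k_3 if every set is a singleton else None)."""
    rng = random.Random(seed)
    cands = [set(range(8)) for _ in range(N_SBOX)]
    for _ in range(n_cosets):
        basis = random_subspace_basis(rng, dim=5)
        m = rng.randrange(1 << N_BITS)
        for j, keep in enumerate(last_round_candidates(encrypt_oracle, basis, m)):
            cands[j] &= keep
    if all(len(c) == 1 for c in cands):
        k_tilde = sum(next(iter(c)) << (3 * j) for j, c in enumerate(cands))
        return cands, perm_bits(k_tilde)         # k_3 = P(P(k_3)) since P is an involution
    return cands, None


if __name__ == "__main__":
    oracle = lambda x: encrypt(x, ROUND_KEYS)
    cands, k3 = recover_last_round_key(oracle)
    print("candidates per Sbox:", cands)
    print("recovered k_3:", None if k3 is None else oct(k3), "expected:", oct(ROUND_KEYS[3]))
```

With a single coset each 3-bit fragment keeps the right value plus, on average, about one wrong value ($2^{\kappa - n}$ with $\kappa = n = 3$), in line with the false-alarm estimate above; eight cosets of different subspaces reduce every fragment to a single candidate, and $k_3$ follows by applying the transposition once more. The test for the right key holds with probability 1 by Lai's proposition, so changing the round keys or the seed changes nothing in the argument.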
The KN cipher [Knudsen-Nyberg 95]

6-round Feistel cipher.
$E : \mathbb{F}_2^{32} \to \mathbb{F}_2^{33}$ linear
$T : \mathbb{F}_2^{33} \to \mathbb{F}_2^{32}$ linear
$k_i$: 33-bit subkey
$S : \mathbb{F}_{2^{33}} \to \mathbb{F}_{2^{33}}$ with $x \mapsto x^3$

[Figure: one round, $(x_{i-1}, y_{i-1}) \mapsto (x_i, y_i)$, with the round function $T \circ S(E(\cdot) \oplus k_i)$ applied to the right half and XORed into the left half before the swap.]

Round map: $\mathbb{F}_2^{32} \times \mathbb{F}_2^{32} \to \mathbb{F}_2^{32} \times \mathbb{F}_2^{32}$,
$(x, y) \mapsto (y,\; x \oplus T \circ S(E(y) \oplus k_i))$,
with $F_{k_i} := T \circ S(E(\cdot) \oplus k_i)$; this is the form used in the equations for $y_1, \ldots, y_4$ below.
The role of the function S
Name initially given to the cipher: CRADIC (Cipher Resistant Against Differential Cryptanalysis).
The function S plays a crucial role.
The function $x \mapsto x^3$ on the field $\mathbb{F}_{2^{33}}$ was chosen.
This function is known to be resistant against linear and differential attacks.
But this function is of algebraic degree 2.
Higher-order differential attack against KN
Presented by Jacobsen and Knudsen in 1997.
Exploits the low algebraic degree of the round function.
Input: Plaintexts of the form $(x_0, y_0) \in \mathbb{F}_2^{32} \times \mathbb{F}_2^{32}$, where $y_0 = c$, for some constant $c$.
4 rounds of encryption
$y_0(x) = c$
$y_1(x) = x \oplus F_{k_1}(c) := x \oplus c'$
$y_2(x) = F_{k_2}(x \oplus c') \oplus c$
$y_3(x) = F_{k_3}(F_{k_2}(x \oplus c') \oplus c) \oplus x \oplus c'$
$y_4(x) = F_{k_4}(F_{k_3}(F_{k_2}(x \oplus c') \oplus c) \oplus x \oplus c') \oplus F_{k_2}(x \oplus c') \oplus c$

[Figure: the six rounds $F_{k_1}, \ldots, F_{k_6}$ from $(x_0, y_0) = (x, c)$ to $(x_6, y_6)$; the degree of the right half as a function of $x$ is $d = 1, 2, 4, 8$ for $y_1, y_2, y_3, y_4$.]
Evaluate the degree of y4
$y_4(x) = F_{k_4}(F_{k_3}(F_{k_2}(x \oplus c') \oplus c) \oplus x \oplus c') \oplus F_{k_2}(x \oplus c') \oplus c$
Obviously, the degree of $y_4$ is bounded by the degree of
$G = F_{k_4} \circ F_{k_3} \circ F_{k_2}$.
As $\deg(F_{k_i}) = \deg(S) = 2$, we get that
$$\deg(y_4) \le \deg(G) \le \deg(F_{k_4}) \times \deg(F_{k_3}) \times \deg(F_{k_2}) \le 2^3 = 8.$$
Write down the equations
If $V$ is a subspace of $\mathbb{F}_2^{32}$ with $\dim(V) = 9 > 8 \ge \deg(y_4)$, we have
$$D_V y_4(x) = \bigoplus_{v \in V} y_4(v \oplus x) = 0,$$
for all $x \in \mathbb{F}_2^{32}$. Looking at the last round, where both $x_6$ and $y_5$ are read off the ciphertext, we get the equation
$$x_6(x) = F_{k_6}(y_5(x)) \oplus y_4(x), \quad \text{i.e.} \quad y_4(x) = F_{k_6}(y_5(x)) \oplus x_6(x).$$

[Figure: the last two rounds $F_{k_5}$ and $F_{k_6}$, with $y_4$ (degree 8), $y_5$ and the output $(x_6, y_6)$.]
Attack equation
$$\bigoplus_{v \in V} F_{k_6}(y_5(v \oplus w)) \oplus \bigoplus_{v \in V} x_6(v \oplus w) = 0.$$
Recover the key $k_6$: every candidate for the 33-bit $k_6$ that violates this equation on the $2^9$ chosen plaintexts of a coset $w \oplus V$ is discarded.
There will be on average $2^{33 - 32} = 2$ candidate keys for $k_6$.
Recover the remaining subkeys by mounting the same attack on the reduced-round cipher.
Integral attacks
Integral attacks - History
Attack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher.
In 1997, the SQUARE cipher was presented by Daemen, Knudsen and Rijmen.
During the design, the authors discovered a new chosen-plaintext attack against 6 rounds of the cipher.
This new attack was named the Square attack.
In the beginning the attack was applied against SPN ciphers.
Later, Lucks generalized the attack to other types of ciphers and called it the saturation attack.
In 2002, Knudsen and Wagner unified the different aspects of these attacks and gave them the name integral attacks.
Multisets
Multiset: Every element in the set can appear multiple times.
An element of a multiset is a pair (value, multiplicity).
Example. V = {1, 2, 2, 2, 3, 3, 4}, or V = {(1, 1), (2, 3), (3, 2), (4, 1)}
The attacker studies the propagation of the multiset through the cipher.
Integral over a multiset
Application to word-oriented ciphers.
Notation: $w$ = number of words in a plaintext (e.g. AES: 16 words of 8 bits each).
Choose plaintexts in such a way that the multiset in each word satisfies a specific property.
Definition. We call integral over a multiset $S$ the sum
$$\sum_{v \in S} v$$
(for AES, the XOR of all the values).
Properties
An attacker tries to predict the values in the integrals after a certain number of rounds.
Distinguish between 3 cases (for the examples, the word size is 3 bits).
1 C (constant): the word takes the same constant value in every element of the multiset. The multiset $S = \{3, 3, 3, 3, 3, 3, 3, 3\}$ has the property C.
2 A (all values, also called saturated): the word takes every possible value exactly once over the multiset. The multiset $S = \{0, 1, 2, 3, 4, 5, 6, 7\}$ has the property A.
3 B (balanced): the integral over $S$ is 0.
Example: AES
16 words of 8 bits.
$2^8$ chosen plaintexts $m_i$ of the form
$(x_i, c, c, c, c, c, c, c, c, c, c, c, c, c, c, c)$,
where $x_i = i$, for $i = 0, \ldots, 255$, and $c$ some constant.

State written as the AES 4x4 byte array (column-major, byte 0 at the top left):
A C C C
C C C C
C C C C
C C C C

Analyze how this multiset propagates through the different operations of AES.
Through AddRoundKey
The same constant value is XORed to each byte.
Example. $(0x06, \ldots, 0x06) \to (0x06 \oplus 0x01, \ldots, 0x06 \oplus 0x01) = (0x07, \ldots, 0x07)$: C → C.
Property. If we XOR the same constant value to each value of a set having property A, we get again all possible values in the set.
Example. $S = \{0x0, 0x1, 0x2, 0x3\}$, $k = 0x2$, $S \oplus k = \{0x2, 0x3, 0x0, 0x1\}$: A → A.
AddRoundKey therefore leaves the pattern (A in byte 0, C in the 15 other bytes) unchanged.
Through SubBytes
The Sbox S is a permutation.
If all values of a multiset have the same constant value $c$, all values will have the same constant value $c' = S(c)$ after SubBytes: C → C.
If the values of a multiset take all possible values, the Sbox only permutes these values: A → A.
SubBytes therefore leaves the pattern (A in byte 0, C in the 15 other bytes) unchanged.
Through ShiftRows
ShiftRows only permutes the bytes of the state; it maps C to C and A to A, possibly at another position.
Byte 0 lies in the first row, which ShiftRows does not move, so the pattern (A in byte 0, C in the 15 other bytes) is unchanged.
Through MixColumns (I)
Inputs of the 1st column: $(x_0^i, x_1^i, x_2^i, x_3^i)$, $0 \le i \le 255$.
Outputs of the 1st column: $(y_0^i, y_1^i, y_2^i, y_3^i)$, $0 \le i \le 255$.
$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} x_0^i \\ x_1^i \\ x_2^i \\ x_3^i \end{pmatrix} = \begin{pmatrix} y_0^i \\ y_1^i \\ y_2^i \\ y_3^i \end{pmatrix}$$
For the first output byte, plaintext by plaintext:
$y_0^0 = 02 \cdot x_0^0 \oplus 03 \cdot x_1^0 \oplus 01 \cdot x_2^0 \oplus 01 \cdot x_3^0$
$y_0^1 = 02 \cdot x_0^1 \oplus 03 \cdot x_1^1 \oplus 01 \cdot x_2^1 \oplus 01 \cdot x_3^1$
...
$y_0^{255} = 02 \cdot x_0^{255} \oplus 03 \cdot x_1^{255} \oplus 01 \cdot x_2^{255} \oplus 01 \cdot x_3^{255}$
Since $x_1, x_2, x_3$ are constant (C), this collapses to
$y_0^i = 02 \cdot x_0^i \oplus c$, $i = 0, \ldots, 255$,
for a constant $c$. As $x_0^i$ runs through all 256 values and multiplication by 02 is a bijection of $\mathbb{F}_{2^8}$, so does $y_0^i$: property A. The same argument applies to $y_1^i, y_2^i, y_3^i$ (coefficients 01, 01, 03 on $x_0^i$).

Through MixColumns (II)

MixColumns maps the state
A C C C
C C C C
C C C C
C C C C
to
A C C C
A C C C
A C C C
A C C C
After 3 rounds
Round 1: AddRoundKey, SubBytes and ShiftRows keep the plaintext pattern (A in byte 0, C elsewhere); MixColumns turns the first column into four A bytes:
A C C C
A C C C
A C C C
A C C C
Round 2: AddRoundKey and SubBytes keep this pattern; ShiftRows (row $r$ rotated by $r$ positions) moves the four A bytes into four different columns:
A C C C
C C C A
C C A C
C A C C
and MixColumns then makes every byte A:
A A A A
A A A A
A A A A
A A A A
Round 3: AddRoundKey, SubBytes and ShiftRows keep all 16 bytes A; what the third MixColumns does to them is marked ? for now:
? ? ? ?
? ? ? ?
? ? ? ?
? ? ? ?
After MixColumns
$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} x_0^i \\ x_1^i \\ x_2^i \\ x_3^i \end{pmatrix} = \begin{pmatrix} y_0^i \\ y_1^i \\ y_2^i \\ y_3^i \end{pmatrix}$$
$$\begin{aligned}
y_0^0 \oplus \cdots \oplus y_0^{255} &= 02 \cdot x_0^0 \oplus 03 \cdot x_1^0 \oplus 01 \cdot x_2^0 \oplus 01 \cdot x_3^0 \\
&\oplus\; 02 \cdot x_0^1 \oplus 03 \cdot x_1^1 \oplus 01 \cdot x_2^1 \oplus 01 \cdot x_3^1 \\
&\;\vdots \\
&\oplus\; 02 \cdot x_0^{255} \oplus 03 \cdot x_1^{255} \oplus 01 \cdot x_2^{255} \oplus 01 \cdot x_3^{255} \\
&= 02 \cdot \bigoplus_{i=0}^{255} x_0^i \oplus 03 \cdot \bigoplus_{i=0}^{255} x_1^i \oplus 01 \cdot \bigoplus_{i=0}^{255} x_2^i \oplus 01 \cdot \bigoplus_{i=0}^{255} x_3^i \\
&= 02 \cdot 00 \oplus 03 \cdot 00 \oplus 01 \cdot 00 \oplus 01 \cdot 00 = 00,
\end{aligned}$$
since every input byte of the column has property A and the XOR of all 256 byte values is 00. The same holds for $y_1, y_2, y_3$ and for the other three columns.
After 3 rounds of AES
After the third MixColumns, and after the AddRoundKey that follows it (XORing the same subkey byte 256 times cancels out), every byte position is balanced:
B B B B
B B B B
B B B B
B B B B
Distinguishing property for 3 rounds of AES
After the 3rd MixColumns every byte position is balanced (the XOR of all 256 values in a single byte position is 0).
Property that holds with probability 1.
Property independent of the key.

A C C C        A C C C        A A A A        B B B B
C C C C   R    A C C C   R    A A A A   R    B B B B
C C C C  --->  A C C C  --->  A A A A  --->  B B B B
C C C C        A C C C        A A A A        B B B B

The byte taking all 256 values (saturated) can be any of the 16 bytes.
Attack over AES reduced to 4 rounds
Goal: Recover the subkey $k_4$ of the 4th round of AES.
Remark: No MixColumns in the last round.
Input: 256 chosen plaintexts $m_i$ of the form
$(x_i, c, c, c, c, c, c, c, c, c, c, c, c, c, c, c)$,
where $x_i = i$, for $i = 0, \ldots, 255$, and $c$ some constant, and the corresponding ciphertexts $c_i$, $i = 0, \ldots, 255$.

[Figure: state after the 3rd round (all 16 bytes B) → SubBytes → ShiftRows → ⊕ $k_4$ → ciphertext.]
Divide and conquer
Subkey $k_4$ is 128 bits long (exhaustive search not possible!).
Use a divide-and-conquer strategy and recover the last subkey byte by byte.
Fix one byte of the ciphertext. Let $v_i$ be the byte of the state after the 3rd round that SubBytes and ShiftRows send to this position (it has property B), and $k_4^{13}$ the byte of $k_4$ added there (byte 13 in the figure). Then
$$c_i = S(v_i) \oplus k_4^{13}, \qquad v_i = S^{-1}(c_i \oplus k_4^{13}).$$
But, if $k_4^{13}$ is the right value,
$$\bigoplus_{i=0}^{255} v_i = \bigoplus_{i=0}^{255} S^{-1}(c_i \oplus k_4^{13}) = 0.$$
Every guess of $k_4^{13}$ that does not satisfy this equation is discarded.
Complexity
Data complexity: $2^8$ chosen plaintext-ciphertext pairs (a little more to get rid of false alarms).
Time complexity: $\approx 16 \times 2^8 \times 2^8 = 2^{20}$ simple operations (one Sbox inversion and one XOR per byte position, key guess and ciphertext).
Assume that a full encryption is composed of about $2^6$ such simple operations. So the time complexity is $\approx 2^{14}$ encryptions.
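The propagation of the A/C/B properties and the 4-round attack above, as an added worked example that is not code from the lecture: it builds the AES Sbox, ShiftRows and MixColumns from their definitions, checks the 3-round balanced property on a structure of 256 plaintexts, and recovers the last subkey $k_4$ byte by byte by testing, for each guess, whether the 256 partially decrypted bytes XOR to zero. The five round keys are drawn independently at random as a constructed stand-in for the AES key schedule (which the attack never uses); the state layout and the round operations are those of AES.

```python
import random

# Added worked example (not code from the slides): 3-round integral distinguisher and 4-round
# key recovery on AES with real AES components. The round keys below are constructed: drawn
# independently at random instead of coming from the key schedule, which the attack never uses.


def gmul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
    return r


def _sbox_entry(x):
    inv = 1
    for _ in range(254):                 # x^254 = x^-1 in GF(2^8); 0 maps to 0 as in AES
        inv = gmul(inv, x)
    s = inv
    for i in range(1, 5):                # affine part: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
SBOX_INV = [0] * 256
for _x, _s in enumerate(SBOX):
    SBOX_INV[_s] = _x


# State: 16 bytes in column-major order (byte r + 4c sits in row r, column c).
def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(2, a0) ^ gmul(3, a1) ^ a2 ^ a3,
                a0 ^ gmul(2, a1) ^ gmul(3, a2) ^ a3,
                a0 ^ a1 ^ gmul(2, a2) ^ gmul(3, a3),
                gmul(3, a0) ^ a1 ^ a2 ^ gmul(2, a3)]
    return out


def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def encrypt_rounds(pt, round_keys, rounds, last_mix_columns=False):
    """AES reduced to `rounds` rounds. As in the full cipher the last round has no MixColumns,
    unless last_mix_columns is set (used to look at the state right after the 3rd MixColumns)."""
    s = add_round_key(pt, round_keys[0])
    for i in range(1, rounds + 1):
        s = shift_rows(sub_bytes(s))
        if i < rounds or last_mix_columns:
            s = mix_columns(s)
        s = add_round_key(s, round_keys[i])
    return s


_rng = random.Random(2016)
ROUND_KEYS = [[_rng.randrange(256) for _ in range(16)] for _ in range(5)]   # constructed k_0..k_4


def structure(const_byte, active=0):
    """256 plaintexts: byte `active` takes all values (A), the other 15 bytes are a constant (C)."""
    return [[i if p == active else const_byte for p in range(16)] for i in range(256)]


def three_round_integral(round_keys, const_byte=0x5A):
    """XOR of the 256 states after three full rounds, byte by byte: all zero (B everywhere)."""
    acc = [0] * 16
    for pt in structure(const_byte):
        acc = [a ^ b for a, b in zip(acc, encrypt_rounds(pt, round_keys, 3, last_mix_columns=True))]
    return acc


def square_attack(encrypt_oracle, max_structures=8):
    """Recover k_4 byte by byte. For every ciphertext byte position and every guess g, invert the
    last SubBytes and keep g only if the 256 partial decryptions XOR to zero. Further structures
    (another constant c) weed out the ~1 wrong guess per byte that survives by chance."""
    cands = [set(range(256)) for _ in range(16)]
    for t in range(max_structures):
        cts = [encrypt_oracle(pt) for pt in structure(const_byte=t)]
        for p in range(16):
            keep = set()
            for g in cands[p]:
                acc = 0
                for c in cts:
                    acc ^= SBOX_INV[c[p] ^ g]
                if acc == 0:
                    keep.add(g)
            cands[p] = keep
        if all(len(c) == 1 for c in cands):
            return [next(iter(c)) for c in cands]
    return None                                   # not enough data to make every byte unique


if __name__ == "__main__":
    print("3-round integral:", three_round_integral(ROUND_KEYS))
    print("recovered k_4:", square_attack(lambda pt: encrypt_rounds(pt, ROUND_KEYS, 4)))
    print("actual k_4:   ", ROUND_KEYS[4])
```

The first structure leaves the right byte plus about one false candidate per position (false-alarm probability $2^{-8}$ over 256 guesses), so the attack feeds further structures with another constant $c$ until every position is unique; this is the "a little more" data of the complexity slide. Because ShiftRows sits between the last SubBytes and the key addition, the recovered byte is the one added at the ciphertext position, and the state byte it came from is irrelevant since all 16 are balanced.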
Link with higher-order differential cryptanalysis
A differential of order $d$ is the sum of $2^d$ vectors of a well-chosen vector space (a coset of it), so it can be seen as an integral.
Recently, Yosuke Todo extended integral attacks so as to take the algebraic degree into account in a clearer way. This extension is called the division property.

Bounds on the degree of iterated constructions
Iterated permutations
Most symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times.
It is important to estimate the algebraic degree of such iterated permutations.
Functions with a low degree are vulnerable to:
Algebraic attacks
Higher-order differential attacks and distinguishers
A trivial bound
Proposition: Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ and $G$ a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then
$$\deg(G \circ F) \le \deg(G) \deg(F).$$
Example: The round function $R$ of AES is of degree 7. Then
$$\deg(R^2) = \deg(R \circ R) \le 7^2 = 49.$$
Substitution Permutation Networks
[Figure: three rounds of an SPN, each a layer of parallel Sboxes S followed by a linear layer.]

How to estimate the evolution of the degree of such constructions?
[Figure: one Sbox layer of a 16-bit SPN: inputs $x_0, \ldots, x_{15}$ enter four 4-bit Sboxes $S_1, S_2, S_3, S_4$ and leave as $y_0, \ldots, y_{15}$.]

After several rounds, all coordinates can be expressed as a sum of monomials.
Each monomial is a product of variables in $X = \{x_0, \ldots, x_{15}\}$; written at the output of this Sbox layer, it is a product of variables in $Y = \{y_0, \ldots, y_{15}\}$.
The coordinates $y_0$ to $y_3$ are outputs of the same Sbox (likewise $y_4$ to $y_7$, and so on).
What is the consequence on the degree of the product?
The notion of δk
Definition: For a permutation $S$ define $\delta_k(S)$ as the maximum degree of the product of $k$ coordinates of $S$.
→ $\delta_1(S)$ := algebraic degree of $S$.
Example: a 4-bit Sbox $S$ with $\deg S = 3$:
k   δ_k(S)
1   3
2   3
3   3
4   4
$S$ permutation of $\mathbb{F}_2^n$: $\delta_k(S) = n$ iff $k = n$.
Example: Product of 6 coordinates.
[Figure: the 16 outputs $y_0, \ldots, y_{15}$ of the Sboxes $S_1, \ldots, S_4$ (four outputs each).]

$\pi = y_0 y_1 y_3 y_8 y_9 y_{10}$: three coordinates from $S_1$ and three from $S_3$, so
$$\deg(\pi) \le \delta_3(S_1) + \delta_3(S_3) = 6.$$
$\pi = y_0 y_5 y_8 y_{10} y_{13} y_{15}$: one coordinate from $S_1$, one from $S_2$, two from $S_3$ and two from $S_4$, so
$$\deg(\pi) \le \delta_1(S_1) + \delta_1(S_2) + \delta_2(S_3) + \delta_2(S_4) = 12.$$
The degree of the product is relatively low if many coordinates coming from the same Sbox are involved!
Towards the bound
[Figure: four Sboxes S in parallel.]

Find the maximal degree of the product $\pi$ of $d$ outputs.
$x_i$ = number of Sboxes for which exactly $i$ coordinates are involved in $\pi$.
Example ($d = 13$):
$x_4 = 1, x_3 = 3$: $\deg(\pi) \le \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 3 + 4 \cdot 1 = 13$.
$x_4 = 2, x_3 = 1, x_2 = 1$: $\deg(\pi) \le \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4 = 3 \cdot 1 + 3 \cdot 1 + 4 \cdot 2 = 14$.
$x_4 = 3, x_1 = 1$: $\deg(\pi) \le \delta_1 x_1 + \delta_4 x_4 = 3 \cdot 1 + 4 \cdot 3 = 15$.
In general,
$$\deg(\pi) \le \max_{(x_1, x_2, x_3, x_4)} (\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4)$$
with $x_1 + 2x_2 + 3x_3 + 4x_4 = d$ (and $x_1 + x_2 + x_3 + x_4 \le 4$, the number of Sboxes).
 d   x4  x3  x2  x1   deg(π)
16    4   -   -   -     16
15    3   1   -   -     15
14    3   -   1   -     15
13    3   -   -   1     15
12    2   1   -   1     14
11    2   -   1   1     14
10    2   -   -   2     14
 9    1   1   -   2     13
 ...
Reading off the table, $16 - \deg(\pi) \ge \frac{16 - d}{3}$, that is
$$\deg(\pi) \le 16 - \frac{16 - d}{3}.$$
A bound on the degree of SPN constructions
[Boura – Canteaut – De Cannière 11]
Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the parallel application of an Sbox $S$ defined over $\mathbb{F}_2^{n_0}$. Then, for any $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^\ell$, we have
$$\deg(G \circ F) \le n - \frac{n - \deg G}{\gamma(S)},$$
where
$$\gamma(S) = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i(S)}.$$
Application to AES
One round: $R = MC \circ SR \circ SB \circ AK$.
AK: AddRoundKey
SB: SubBytes (Sboxes of degree 7)
SR: ShiftRows
MC: MixColumns
The Super Sbox technique
Two rounds:
$$R^2 = MC \circ SR \circ SB \circ AK \circ MC \circ SR \circ SB \circ AK.$$
Equivalently (SubBytes acts byte-wise, so it commutes with the byte permutation ShiftRows):
$$R^2 = MC \circ SR \circ SB \circ AK \circ MC \circ SB \circ SR \circ AK.$$
Denote:
$$\text{SuperSbox} = SB \circ AK \circ MC \circ SB.$$
Then:
$$R^2 = MC \circ SR \circ \text{SuperSbox} \circ SR \circ AK.$$
Bound on up to 4 rounds
SuperSbox: $\mathbb{F}_2^{32} \to \mathbb{F}_2^{32}$: two non-linear layers composed of Sboxes of degree 7, separated by a linear layer.
$$\deg(\text{SuperSbox}) \le 32 - \frac{32 - 7}{7} \le 28.$$
(Trivial bound: $\deg(R^2) \le 7^2 = 49$!)
Bound for $r$ rounds (starting from $\deg(R^2) \le 28$):
$$\deg(R^r) = \deg(R^{r-1} \circ R) \le 128 - \frac{128 - \deg(R^{r-1})}{7}.$$
$r = 3$: $\deg(R^3) \le 113$
$r = 4$: $\deg(R^4) \le 125$
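The quantities of this section computed on concrete Sboxes, as an added worked example that is not code from the lecture (it also serves the Degree of a derivative slide and Lai's proposition in the higher-order differential section): it obtains the algebraic normal form by a Möbius transform, checks that a derivative lowers the degree, computes $\delta_k(S)$ and $\gamma(S)$ for the 3-bit cube Sbox $x \mapsto x^3$ over $\mathbb{F}_{2^3}$, reproduces the degree table of the 16-bit SPN example by exhausting the $(x_1, x_2, x_3, x_4)$ decompositions, and evaluates the bound of the theorem on the AES figures (degree 7, $\gamma = 7$ as used above). The 4-bit $\delta_k$ values (3, 3, 3, 4) are those of the example slide; the 3-bit Sbox and all helper names are this example's own.

```python
from itertools import combinations
from math import ceil

# Added worked example (not code from the slides): ANF and degree of a function given as a
# look-up table, degree of its derivatives, delta_k(S) and gamma(S), and the
# Boura-Canteaut-De Canniere bound compared with the trivial bound on the slides' examples.


def anf(truth_table):
    """Moebius transform: ANF coefficients of a Boolean function on n = log2(len) variables.
    truth_table[x] is f(x); entry u of the result is the coefficient of prod_{i in u} x_i."""
    coeffs = list(truth_table)
    n = len(coeffs).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for x in range(len(coeffs)):
            if x & bit:
                coeffs[x] ^= coeffs[x ^ bit]
    return coeffs


def degree(truth_table):
    """Algebraic degree of a Boolean function (-1 for the zero function)."""
    return max((bin(u).count("1") for u, c in enumerate(anf(truth_table)) if c), default=-1)


def coordinate(table, i):
    return [(y >> i) & 1 for y in table]


def vector_degree(table):
    """Degree of F: F_2^n -> F_2^m given as a table of m-bit outputs (max over coordinates)."""
    m = max(table).bit_length()
    return max(degree(coordinate(table, i)) for i in range(m))


def derivative(table, a):
    """D_a F(x) = F(x xor a) xor F(x), again as a table."""
    return [table[x ^ a] ^ table[x] for x in range(len(table))]


def delta(table, k):
    """delta_k(S): maximum degree of a product of k coordinates of S."""
    m = max(table).bit_length()
    best = 0
    for subset in combinations(range(m), k):
        product = [1] * len(table)
        for i in subset:
            product = [p & b for p, b in zip(product, coordinate(table, i))]
        best = max(best, degree(product))
    return best


def gamma(table):
    """gamma(S) = max_{1 <= i <= n0-1} (n0 - i) / (n0 - delta_i(S)) for an n0-bit permutation."""
    n0 = len(table).bit_length() - 1
    return max((n0 - i) / (n0 - delta(table, i)) for i in range(1, n0))


def spn_bound(n, deg_g, gam):
    """Theorem: deg(G o F) <= n - (n - deg G) / gamma(S), as the integer it implies."""
    return n - ceil((n - deg_g) / gam)


def max_product_degree(deltas, n_sboxes, d):
    """Exact max of sum_i delta_i x_i over x_i >= 0 with sum_i i*x_i = d and sum_i x_i <= n_sboxes:
    the largest degree a product of d Sbox outputs can have (the table of the slides).
    deltas[i-1] = delta_i; a dynamic programme over (coordinates used, Sboxes used)."""
    n0 = len(deltas)
    best = {(0, 0): 0}
    for _ in range(n_sboxes):
        nxt = dict(best)
        for (used, boxes), val in best.items():
            for i in range(1, n0 + 1):
                key = (used + i, boxes + 1)
                if key[0] <= d and key[1] <= n_sboxes:
                    nxt[key] = max(nxt.get(key, 0), val + deltas[i - 1])
        best = nxt
    return max((v for (used, _boxes), v in best.items() if used == d), default=0)


# 3-bit Sbox x -> x^3 over GF(2^3) with modulus x^3 + x + 1 (a permutation of degree 2).
CUBE3 = [0, 1, 3, 4, 5, 6, 7, 2]


def aes_degree_chain():
    """Bounds of the slides: deg(R) = 7, deg(SuperSbox) on 32 bits from deg G = 7, then 3 and
    4 rounds on 128 bits, with gamma(AES Sbox) = 7 as stated on the page."""
    bounds = [7, spn_bound(32, 7, 7)]
    for _ in range(2):
        bounds.append(spn_bound(128, bounds[-1], 7))
    return bounds


if __name__ == "__main__":
    print("deg(x^3) =", vector_degree(CUBE3), " delta_k:", [delta(CUBE3, k) for k in (1, 2, 3)],
          " gamma =", gamma(CUBE3))
    print("degrees of D_a(x^3), a != 0:", [vector_degree(derivative(CUBE3, a)) for a in range(1, 8)])
    print("16-bit SPN table, d = 16..9:", [max_product_degree([3, 3, 3, 4], 4, d) for d in range(16, 8, -1)])
    print("AES chain (R, R^2, R^3, R^4):", aes_degree_chain(), " trivial bound for R^2:", 7 * 7)
```

For the cube Sbox every derivative $D_a S$ with $a \ne 0$ is affine (degree 1), one below $\deg S = 2$; $\delta_2(S) = 2$ because the product of two coordinates of a 3-bit permutation is the indicator of a 2-point affine line, so $\gamma(S) = \max(2/1, 1/1) = 2$. The 16-bit table comes out as 16, 15, 15, 15, 14, 14, 14, 13 for $d = 16, \ldots, 9$, never above $16 - \lceil (16 - d)/3 \rceil$, and the AES chain gives 28 for two rounds against 49 from the trivial bound, then 113 and 125.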