Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and Secret Spns

Home , Kuznyechik

Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

Alex Biryukov1,2, Dmitry Khovratovich2, Léo Perrin2

1CSC, University of Luxembourg 2SnT, University of Luxembourg https://www.cryptolux.org

March 6, 2017 Fast Soware Encryption 2017 How many layers can we aack?

Introduction

S S0 S1 ... Sn/m−1

A L

n bits

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 1 / 17 Introduction

S S0 S1 ... Sn/m−1

A L

n bits

How many layers can we aack?

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 1 / 17 For aacking actual block ciphers For aacking White-box schemes ASASA AES white-box implementations SPNbox

For decomposing S-Boxes

Introduction Generic Aacks Against SPNs

... but why?

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 2 / 17 For aacking White-box schemes ASASA AES white-box implementations SPNbox

For decomposing S-Boxes

Introduction Generic Aacks Against SPNs

... but why?

For aacking actual block ciphers

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 2 / 17 For decomposing S-Boxes

Introduction Generic Aacks Against SPNs

... but why?

For aacking actual block ciphers For aacking White-box schemes ASASA AES white-box implementations SPNbox

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 2 / 17 Introduction Generic Aacks Against SPNs

... but why?

For aacking actual block ciphers For aacking White-box schemes ASASA AES white-box implementations SPNbox

For decomposing S-Boxes

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 2 / 17 Talk Outline Outline

1 Introduction

2 Aacks Against 5 rounds

3 More Rounds!

4 Division Property

5 Conclusion

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 3 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Plan

1 Introduction

2 Aacks Against 5 rounds Aack SASAS Aack ASASA

3 More Rounds!

4 Division Property

5 Conclusion

Lemma If F : {0, 1}n → {0, 1}m has degree d, then M F (x) = 0 x ∈C for all cube C = {a + v, ∀v ∈ V}, where V is a vector space of size ≥ 2d+1.

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 4 / 17 L0

A A

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Distinguisher for S-layer

S S0 S1 ... Sn/m−1

For all cube C of size ≥ 2m: M S (x) = 0. x ∈C

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 5 / 17 L0

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Distinguisher for S-layer

S S0 S1 ... Sn/m−1

For all cube C of size ≥ 2m: M SA(x) = 0. x ∈C

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 5 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Distinguisher for S-layer

S S0 S1 ... Sn/m−1

For all cube C of size ≥ 2m: M ASA(x) = 0. x ∈C

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 5 / 17 S0,0

S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

m For the cubes Ci of size ≥ 2 corresponding to the inputs of Si, M SASA(x) = 0.

x ∈Ci

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Free S-Layer Trick

Observation If V consists in the input bits of some S-Boxes, then S(V) = V. Cubes based on V simply change their osets.

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 6 / 17 S0,0

m For the cubes Ci of size ≥ 2 corresponding to the inputs of Si, M SASA(x) = 0.

x ∈Ci

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Free S-Layer Trick

Observation If V consists in the input bits of some S-Boxes, then S(V) = V. Cubes based on V simply change their osets.

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 6 / 17 S0,0

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Free S-Layer Trick

Observation If V consists in the input bits of some S-Boxes, then S(V) = V. Cubes based on V simply change their osets.

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

m For the cubes Ci of size ≥ 2 corresponding to the inputs of Si, M SASA(x) = 0.

x ∈Ci Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 6 / 17 Zero sums

L2m−1 j j=0 S2,i (yi ) = 0, for all i. Repeat for dierent constant then solve system [Biryukov, Shamir, 2001]

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion S-Box Recovery Against SASAS

j 0 0

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

S2,0 S2,1 ... S2,n/m−1

j j j y0 y1 yn/m−1

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 7 / 17 L2m−1 j j=0 S2,i (yi ) = 0, for all i. Repeat for dierent constant then solve system [Biryukov, Shamir, 2001]

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion S-Box Recovery Against SASAS

j 0 0

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

L1 Zero sums

S2,0 S2,1 ... S2,n/m−1

j j j y0 y1 yn/m−1

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 7 / 17 Repeat for dierent constant then solve system [Biryukov, Shamir, 2001]

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion S-Box Recovery Against SASAS

j 0 0

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

L1 Zero sums

S2,0 S2,1 ... S2,n/m−1

j j j y0 y1 yn/m−1

L2m−1 j j=0 S2,i (yi ) = 0, for all i.

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 7 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion S-Box Recovery Against SASAS

j 0 0

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

L1 Zero sums

S2,0 S2,1 ... S2,n/m−1

j j j y0 y1 yn/m−1

L2m−1 j j=0 S2,i (yi ) = 0, for all i. Repeat for dierent constant then solve system [Biryukov, Shamir, 2001] Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 7 / 17 For SASAS and ASASA, algebraic degree bound is crucial!

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Aack Against ASASA

Observation [Minaud et. al, 2015]

Consider S with two parallel S-Boxes S0, S1. The scalar product of...

... two outputs of S0 has degree at most m − 1;

... one output of S0 and one of S1 has degree at most 2(m − 1)

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 8 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Aack Against ASASA

Observation [Minaud et. al, 2015]

Consider S with two parallel S-Boxes S0, S1. The scalar product of...

... two outputs of S0 has degree at most m − 1;

... one output of S0 and one of S1 has degree at most 2(m − 1)

For SASAS and ASASA, algebraic degree bound is crucial!

1 Introduction

2 Aacks Against 5 rounds

3 More Rounds! Iterated Degree Bound How Many Rounds? Applications to Actual Block Ciphers

4 Division Property

5 Conclusion

Theorem ([Boura et al 2011]) n n Let P be an arbitrary function on F2. Let S be an S-Box layer of F2 corresponding to the parallel application ofm-bit bijective S-Boxes of degreem − 1. Then

n − deg(P) deg(P ◦ S) ≤ n − . & m − 1 '

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 9 / 17 2

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Example

120

100

60 SPN Degree 40

0 0 2 4 6 8 Number of rounds n = 128 ; m = 4

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 10 / 17 Theorem (greatly simplified)

Basic Aack: ifr ≤ 2` andn /(m − 1)` > 1 then

deg ((AS)r ) ≤ (n − 2)

Free-S-layer Aack: ifr ≤ 2` andn /(m − 1)` > 2 then

deg ((AS)r ) ≤ (n − m − 1)

Other similar results depend on the base-(m − 1) expansion ofn

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion How Many Rounds Can We Aack?

` = logm−1(n).

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 11 / 17 Free-S-layer Aack: ifr ≤ 2` andn /(m − 1)` > 2 then

deg ((AS)r ) ≤ (n − m − 1)

Other similar results depend on the base-(m − 1) expansion ofn

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion How Many Rounds Can We Aack?

` = logm−1(n).

Theorem (greatly simplified)

Basic Aack: ifr ≤ 2` andn /(m − 1)` > 1 then

deg ((AS)r ) ≤ (n − 2)

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 11 / 17 Other similar results depend on the base-(m − 1) expansion ofn

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion How Many Rounds Can We Aack?

` = logm−1(n).

Theorem (greatly simplified)

Basic Aack: ifr ≤ 2` andn /(m − 1)` > 1 then

deg ((AS)r ) ≤ (n − 2)

Free-S-layer Aack: ifr ≤ 2` andn /(m − 1)` > 2 then

deg ((AS)r ) ≤ (n − m − 1)

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 11 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion How Many Rounds Can We Aack?

` = logm−1(n).

Theorem (greatly simplified)

Basic Aack: ifr ≤ 2` andn /(m − 1)` > 1 then

deg ((AS)r ) ≤ (n − 2)

Free-S-layer Aack: ifr ≤ 2` andn /(m − 1)` > 2 then

deg ((AS)r ) ≤ (n − m − 1)

Other similar results depend on the base-(m − 1) expansion ofn

m n “Key” size ASASAS SASASAS ASASASAS SASASASAS 12 270 211 - - - 4 16 420 211 215 215 - 24 1060 211 215 215 224 12 728 212 - - - 18 1200 217 - - - 6 24 1744 221 - - - 36 3048 228 236 236 - 120 214 228 236 2106 2114 128 215 252 264 2118 2128 8 256 217 252 264 2230 2240

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 12 / 17 MDS linear layer operating on 16 bytes

7-round Aack We use that deg(4-r Kuzn.) ≤ 126. Add 1-round at the top, 2 at the boom.

Time = 2154.5, Memory = 2140, Data = 2128.

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Kuznyechik

Standardized in 2015 (GOST) 128-bit block ; 8-bit S-Box (remember π?) 9 rounds, 256-bit key

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 13 / 17 7-round Aack We use that deg(4-r Kuzn.) ≤ 126. Add 1-round at the top, 2 at the boom.

Time = 2154.5, Memory = 2140, Data = 2128.

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Kuznyechik

Standardized in 2015 (GOST) 128-bit block ; 8-bit S-Box (remember π?) 9 rounds, 256-bit key MDS linear layer operating on 16 bytes

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 13 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Kuznyechik

Standardized in 2015 (GOST) 128-bit block ; 8-bit S-Box (remember π?) 9 rounds, 256-bit key MDS linear layer operating on 16 bytes

7-round Aack We use that deg(4-r Kuzn.) ≤ 126. Add 1-round at the top, 2 at the boom.

Time = 2154.5, Memory = 2140, Data = 2128.

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 13 / 17 6-round Aack We use that deg(3-r Khaz.) ≤ 62. Add 1-round at the top, 2 at the boom.

Time = 290, Memory = 272, Data = 264.

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Khazad

Published in 2000 (NESSIE candidate) 64-bit block ; 8-bit S-Box 8 rounds, 128-bit key

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 14 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Khazad

Published in 2000 (NESSIE candidate) 64-bit block ; 8-bit S-Box 8 rounds, 128-bit key

6-round Aack We use that deg(3-r Khaz.) ≤ 62. Add 1-round at the top, 2 at the boom.

Time = 290, Memory = 272, Data = 264.

1 Introduction

2 Aacks Against 5 rounds

3 More Rounds!

4 Division Property

5 Conclusion

Definition (Division Property (simplified)) X n Dn A multiset on F2 has division property k if M xu = 0 x ∈X

n u Qn−1 ui for all u in F2 such that hw(u) < k; where x = i=0 xi .

Example

k Dn A cube of size 2 has division property k Dn Dn If a multiset with k is mapped to one with 2 , it sums to 0.

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 15 / 17 Division Property and Algebraic Degree The increase in the division property is the increase in the algebraic degree of the indicator function!

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Algebraic View

IX (x) = 1 if and only if x ∈ X

Theorem X Dn A multiset has division property k if and only if

deg(IX ) ≤ n − k .

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 16 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Algebraic View

IX (x) = 1 if and only if x ∈ X

Theorem X Dn A multiset has division property k if and only if

deg(IX ) ≤ n − k .

Division Property and Algebraic Degree The increase in the division property is the increase in the algebraic degree of the indicator function!

1 Introduction

2 Aacks Against 5 rounds

3 More Rounds!

4 Division Property

5 Conclusion

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 16 / 17 Thank you!

Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Conclusion

Secure ASASA-like cryptosystems:

Block Layers Structure S-layer BB mem. WB mem. Security 12 bits 7 SASASAS 2×(6 bits) 512 B 8 KB 64 bits 16 bits 7 SASASAS 2×(8 bits) 2 KB 132 KB 64 bits 24 bits 7 SASASAS 3×(8 bits) 3 KB 50 MB 128 bits 32 bits 7 SASASAS 4×(8 bits) 4 KB 18 GB 128 bits 64 bits 7 SASASAS 8×(8 bits) 8 KB – 128 bits 128 bits 11 S(AS)5 16×(8 bits) 24 KB – 128 bits

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 17 / 17 Introduction Aacks Against 5 rounds More Rounds! Division Property Conclusion Conclusion

Secure ASASA-like cryptosystems:

Thank you!

Biryukov, Khovratovich, Perrin Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs 17 / 17