
“Algebraic” Attacks vs. Design of Block and Stream

Nicolas T. Courtois, University College London
A New Frontier in Symmetric Cryptanalysis

Modern Symmetric Cryptanalysis: number of ciphers “broken w.r.t. claims”: O(effort).

number of ciphers “broken in practice”: o(effort).

DES, AES, etc.: never really broken.

Slide 2 (Courtois, Indocrypt 2008): Small Remarks

Winston Churchill used to say: “the truth is so precious that she should always be attended by a bodyguard of lies”

Cryptanalysis is not very popular: the number of cryptanalysis papers at major crypto conferences has decreased each year, for some reason, over the last 15 years.

Slide 3: Alternative Title: A New Frontier in Symmetric Cryptanalysis? (e.g. low-data complexity attacks)

Algebraic Attacks on Block, Stream Ciphers

0. Intro…

Slide 5 (2001-2015, Algebraic Attacks on Block, Stream Ciphers): Instead of a Summary

• How to design secure ciphers? Nobody knows; a complex question.
  Remark: there exist provably secure stream ciphers (QUAD); NO good candidates for secure block ciphers…

• What components to choose? (bottom-up)
• Most of the current design paradigms can be expressed in terms of “good” Boolean functions / “good” vectorial functions (S-boxes).
• What else? Good diffusion: WTS (later slides), avalanche.

Slide 6: Boolean Functions, ANF

Any function GF(2)^n → GF(2).

Slide 7: The Tale of “Good” Boolean Functions
• “Good” Boolean functions,
• “Good” S-boxes,
=> high non-linearity…
=> provably prevents correlation/differential/linear/GLC attacks….
A “good” Boolean function… a magical object that makes ciphers secure?

Slide 8: Avoiding Simple Boolean Functions… Not enough!

Main claim / result: one should rather think about avoiding Boolean / algebraic relations!
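As an added worked example (my code, not code from the slides), the following Python computes the ANF of a Boolean function from its truth table with the Möbius transform, its algebraic degree, and its nonlinearity from the Walsh spectrum. It is run on two constructed functions: the bent function x0x1 + x2x3, which has the best possible nonlinearity for 4 variables (6) yet algebraic degree only 2, and the 3-bit majority function. This is the point of slides 7 and 8 above: the classical “good” Boolean-function criterion (high nonlinearity) says nothing about low-degree algebraic structure.

```python
def truth_table(f, n):
    """Truth table of f: GF(2)^n -> GF(2), indexed by the integer x whose bit i is x_i."""
    return [f(x) & 1 for x in range(1 << n)]

def bit(x, i):
    return (x >> i) & 1

def anf(table):
    """Moebius transform: truth table -> set of ANF monomials (bitmask of the
    variables in each monomial whose coefficient is 1).  The transform is an
    involution, so the same loop maps ANF coefficients back to a truth table."""
    a = list(table)
    n = len(a).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for x in range(len(a)):
            if x & step:
                a[x] ^= a[x ^ step]
    return {m for m, c in enumerate(a) if c}

def algebraic_degree(table):
    return max((bin(m).count("1") for m in anf(table)), default=0)

def nonlinearity(table):
    """Distance to the nearest affine function, from the Walsh spectrum
    W(a) = sum_x (-1)^(f(x) + a.x):  NL = 2^(n-1) - max_a |W(a)| / 2."""
    n = len(table).bit_length() - 1
    worst = 0
    for a in range(1 << n):
        w = 0
        for x, fx in enumerate(table):
            w += -1 if fx ^ (bin(a & x).count("1") & 1) else 1
        worst = max(worst, abs(w))
    return (1 << (n - 1)) - worst // 2

# Constructed inputs for the demonstration (not from the slides).
# Bent function x0*x1 + x2*x3: optimal nonlinearity for n=4, but degree only 2.
BENT = truth_table(lambda x: (bit(x, 0) & bit(x, 1)) ^ (bit(x, 2) & bit(x, 3)), 4)
# Majority of three bits: ANF x0x1 + x0x2 + x1x2.
MAJ3 = truth_table(lambda x: (bit(x, 0) + bit(x, 1) + bit(x, 2)) >> 1, 3)

def report(table):
    return {"monomials": sorted(anf(table)),
            "degree": algebraic_degree(table),
            "nonlinearity": nonlinearity(table)}

if __name__ == "__main__":
    print("bent x0x1+x2x3:", report(BENT))
    print("majority-3:    ", report(MAJ3))
```

The bent function reports nonlinearity 6 (the maximum 2^(n-1) - 2^(n/2-1) for n = 4) with only two degree-2 monomials, i.e. it is “good” by the nonlinearity criterion and very bad by the low-degree criterion of slide 8.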

Slide 9: Central Criterion for Designing Cryptographic Components [Courtois 1999, PhD Thesis]: non-existence of low-degree / small-size multivariate relations between the input bits and the output bits.

Slide 10: Special Case: I/O Degree

A “good” cipher should use at least some components with high I/O degree.

Slide 11: Claim / Proposal

This criterion is proposed (can be necessary) for the security of:
• S-boxes in block ciphers
• Combiners in stream ciphers
• Trapdoor functions (PK crypto, HFE).

Slide 12: Why?
• no proof
• some devastating attacks on some ciphers
• many ciphers not broken in the slightest
• overall, just another super-paranoid security criterion which is probably not always necessary (frequent in crypto research)

Slide 13: Another Interpretation of I/O
I = Inside your block/stream cipher
O = Outside your block/stream cipher

Slide 14: Multivariate: using polynomials with several variables over a finite field…

Multivariate Cryptanalysis or Algebraic Cryptanalysis: cryptographic attacks using polynomials with several variables over a finite field…

Slide 15 (A New Frontier in Symmetric Cryptanalysis): Roadmap: Multivariate/Algebraic Cryptanalysis (diagram; the node labels that survive extraction):
• Guess Then Determine: MITM; SAT/UNSAT strategy; or mixed, with many steps
• Software / SAT Solvers
• ElimLin: amazingly powerful
• XL, Gröbner Basis, F4, F5: dense systems of equations; inappropriate tools in most other cases
• Cube Attacks [Vielhaber, Dinur, Shamir ’08]; other combination tools
• Attacks: Truncated Differentials (DC), Higher Order Differentials (“every cipher of low degree poly can be broken”), multiple-points DC

Slide 16 (Courtois, Indocrypt 2008): Higher Order DC
GOST, Self-Similarity and Cryptanalysis of Block Ciphers - My Favourite Groups

Slide 17 (© Nicolas T. Courtois, 2006-2013): Different Types of Cryptanalysis
• The “approximation” approach:
  – Linear, differential, high-order differential, impossible differential, Jakobsen-Knudsen approximation attacks, etc. All are based on probabilistic characteristics, true with some probability.
  – Consequently, the security grows exponentially with the number of rounds, and so does the number of plaintexts required in the attacks (the main limitation in practice).
• The “exact algebraic” approach:
  – Write equations to solve, true with probability 1.
  – Very small number of known plaintexts required.

Slide 18: Exact/Algebraic/Multivariate Cryptanalysis

Breaking a “good” cipher should require:

“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949]

Common belief: large systems of equations become intractable very easily.

Slide 19: However…
However, what makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials:
– The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [F5/2 by Jean-Charles Faugère], [old papers by Lazard]…
– The XSL variant: [Courtois, Pieprzyk, Asiacrypt 2002]
Consequence: systems that are overdefined, sparse, or both, turn out to be much easier to solve than expected.

Slide 20: Problem 1: Overdefined Systems
Most cryptographic security relies on the hardness of largely overdefined problems: much more information than necessary: a great many plaintexts, message and signature pairs, etc.
• Public-key cryptography: the solution is provable security: each utilization of the cryptographic scheme does not leak useful information.
• Secret-key cryptography: yet little provable security. And yet it is here that the problems become the most overdefined: huge amounts of data encrypted with one key, fast hardware, etc.

Slide 21: Problem 2: Algebraic Sparsity

Many cryptographic schemes (for practical reasons) have a simple algebraic description. This usually leads to a sparse system of equations.
• In software, large tables might be used…
• In hardware, the number of gates should be small, which gives a simple description with simple Boolean polynomials.

Slide 22: Problem 3: Linear Components
Linearity is commonly used for diffusion, sequence generation (LFSR), etc. Still believed OK.

• Problem: it preserves the degree of algebraic equations!!

Slide 23: The Role of Finite Fields, e.g. GF(2)
They allow any cryptographic problem to be encoded as a problem of solving Boolean equations.

Slide 24: Multiplicative Complexity (MC)
Definition:
• Every function can be represented as a number of multiplications + linear functions over a finite field/ring.
• We call MC (Multiplicative Complexity) the minimum number of multiplications needed.

Home reading: set of slides multcomp.pdf (Moodle).

Slide 25 (©Nicolas T. Courtois 2012): The Role of NP-hard Problems
Guarantee “hardness” in the worst case.

Many are not that hard in practice…
• Many concrete problems can be solved.
• Multiple reductions allow algorithms that solve one problem to be used to solve another.

Slide 26: Algebraization
Theorem: every function over a finite field is a polynomial function. [Can be proven as a corollary of Lagrange’s interpolation formula.]

False over rings! E.g. false for T-functions.
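An added example (mine, not from the slides) of the algebraization theorem and of its failure over rings: Lagrange interpolation of an arbitrary table GF(p) → GF(p) into a polynomial of degree < p, and a necessary condition that every polynomial function over Z/mZ must satisfy (x ≡ y mod d implies f(x) ≡ f(y) mod d for every divisor d of m), which the constructed indicator function of 0 on Z/4Z violates. The GF(7) table and the Z/4Z function are constructed inputs; the block shows the ring failure on this simple function rather than on a T-function.

```python
def poly_mul(a, b, p):
    """Product of two polynomials over Z/pZ (coefficient lists, lowest degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def poly_eval(coeffs, x, p):
    """Horner evaluation of a polynomial over Z/pZ."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def lagrange_interpolate(table, p):
    """Coefficients of the unique polynomial of degree < p over GF(p), p prime, with
    f(x) = table[x] for all x in GF(p):  f = sum_i table[i] * prod_{j != i} (x - j)/(i - j)."""
    coeffs = [0] * p
    for i in range(p):
        if table[i] % p == 0:
            continue
        basis, denom = [1], 1
        for j in range(p):
            if j != i:
                basis = poly_mul(basis, [(-j) % p, 1], p)   # multiply by (x - j)
                denom = denom * (i - j) % p
        scale = table[i] * pow(denom, p - 2, p) % p         # inverse of denom by Fermat
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % p
    while len(coeffs) > 1 and coeffs[-1] == 0:
        coeffs.pop()
    return coeffs

def could_be_polynomial_mod(table, m):
    """Necessary condition for f: Z/mZ -> Z/mZ to be a polynomial function: for every
    proper divisor d of m, x == y (mod d) must imply f(x) == f(y) (mod d), since any
    polynomial with coefficients in Z/mZ respects congruences modulo d.  When m is
    prime there is no such d, which is why interpolation always succeeds over a field."""
    for d in range(2, m):
        if m % d:
            continue
        for x in range(m):
            for y in range(x + 1, m):
                if (x - y) % d == 0 and (table[x] - table[y]) % d != 0:
                    return False
    return True

# Constructed inputs (not from the slides).
TABLE_GF7 = [3, 1, 4, 1, 5, 2, 6]      # an arbitrary function GF(7) -> GF(7)
INDICATOR_OF_ZERO_MOD4 = [1, 0, 0, 0]  # f(0)=1 but f(2)=0, although 0 == 2 (mod 2)

if __name__ == "__main__":
    c = lagrange_interpolate(TABLE_GF7, 7)
    print("GF(7) interpolant coefficients (low degree first):", c)
    print("matches table:", [poly_eval(c, x, 7) for x in range(7)] == TABLE_GF7)
    print("Z/4Z indicator of 0 can be a polynomial:",
          could_be_polynomial_mod(INDICATOR_OF_ZERO_MOD4, 4))
```

Over GF(2) the same interpolation is what the ANF of a Boolean function is; over GF(2^8) it is why the AES S-box has a polynomial description at all.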

Slide 27: Problem 4: Low Degree/Low Complexity

Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.”

Cf. Xuejia Lai, “Higher order derivatives and differential cryptanalysis” [1992].

Slide 28: Problem 4: Low Degree/Low Complexity

Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.”

Remark for LFSR-based stream ciphers: later we will see how to substantially LOWER the degree… I/O relations, algebraic immunity, annihilators, Courtois-Meier attack, etc.

Slide 29: Lai’s Essential Result

=> So we can decrease the non-linear degree by summing different polynomials.
=> “Every cipher which can be expressed by low degree polynomials is broken.”

Slide 30: Cube Attacks [Vielhaber, Dinur, Shamir ’08]

Slide 31: “Trivial – ε Attacks”
Cube attacks are highly sophisticated, highly technical attacks, BUT they achieve NOTHING more than breaking XX – ε rounds of a cipher, where XX – ε rounds are already broken by an attack which the crypto community considers excessively trivial.

Slide 32: Step By Step
Cube attack is about summing COMPLEX multivariate polynomials.
– Most polynomials are never written down.
• Online phase (CPA) => several concrete values added: 0+1+…
• Their sum polynomial depends on the key in a very simple way.
=> Gives simple equations on the key.
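An added toy example (constructed, not from the slides and not any real cipher) of the mechanism of slides 29 and 32: summing a polynomial over a d-dimensional cube of public IV bits is a d-th order derivative, so the sum (the superpoly) has its degree lowered by at least d, and for well-chosen cubes it is linear in the key. The output polynomial F, the variable layout (key bits k0..k3, IV bits v0..v3) and the secret key are all assumptions made for the example. The offline phase derives each superpoly symbolically; the online phase only queries a black box on the cube vertices and XORs the results, which is all a chosen-IV attacker can do.

```python
from itertools import combinations

NK, NV = 4, 4                            # 4 secret key bits k0..k3, 4 public IV bits v0..v3
K = [1 << i for i in range(NK)]          # variable masks: key bits occupy bits 0..3
V = [1 << (NK + i) for i in range(NV)]   # IV bits occupy bits 4..7
IV_MASK = sum(V)

def mono(*vars_):
    m = 0
    for v in vars_:
        m |= v
    return m

# Constructed toy output polynomial f(k, v), as an ANF (set of monomial masks).
# Shaped only so that several cubes have linear superpolys and one does not.
F = {
    mono(V[0], V[1], K[0]),
    mono(V[0], V[1], V[2], K[1], K[2]),
    mono(V[2], V[3], K[1]),
    mono(V[2], V[3], K[3]),
    mono(V[0], K[0], K[1], K[2], K[3]),
    mono(V[3], K[0], K[2]),
    mono(K[0], K[1]),
    mono(V[1]),
    mono(V[1], V[2], V[3], K[2]),
    mono(V[1], V[2], V[3]),
    mono(V[0], V[2], V[3], K[3]),
}

def evaluate(poly, point):
    """Evaluate an ANF (set of monomial masks) at a point given as a bitmask."""
    return sum(1 for m in poly if m & point == m) & 1

def superpoly(poly, cube):
    """Offline phase (symbolic): summing over `cube` with the other IV bits fixed to 0
    keeps exactly the monomials containing every cube variable and no other IV
    variable (every other monomial is summed an even number of times), with the
    cube variables divided out.  This is Lai's d-th order derivative along the cube."""
    out = set()
    for m in poly:
        if m & cube == cube and m & IV_MASK & ~cube == 0:
            out ^= {m & ~cube}
    return out

def is_linear(poly):
    return all(bin(m).count("1") <= 1 for m in poly)

def cube_sum(oracle, cube):
    """Online phase: query the black box on every vertex of the cube and XOR the outputs."""
    vars_ = [v for v in V if v & cube]
    acc = 0
    for r in range(len(vars_) + 1):
        for subset in combinations(vars_, r):
            acc ^= oracle(mono(*subset))
    return acc

def recover_key(oracle, cubes):
    """Keep only the key candidates consistent with every linear superpoly equation."""
    eqs = [(superpoly(F, c), cube_sum(oracle, c))
           for c in cubes if is_linear(superpoly(F, c))]
    return [k for k in range(1 << NK) if all(evaluate(sp, k) == val for sp, val in eqs)]

LINEAR_CUBES = [mono(V[0], V[1]), mono(V[2], V[3]),
                mono(V[1], V[2], V[3]), mono(V[0], V[2], V[3])]

if __name__ == "__main__":
    secret = 0b1011                                   # constructed secret key
    oracle = lambda iv: evaluate(F, secret | iv)      # black box: f(secret, iv)
    for c in LINEAR_CUBES + [mono(V[3])]:
        sp = superpoly(F, c)
        print(f"cube {c:#010b}: superpoly monomials {sorted(sp)}, linear={is_linear(sp)}")
    print("key candidates:", recover_key(oracle, LINEAR_CUBES))
```

F has degree 5, yet the 2-dimensional cube {v0, v1} leaves the superpoly k0 and the 3-dimensional cubes leave k2 + 1 and k3; the 1-dimensional cube {v3} leaves k0·k2, which fails the linearity test and is therefore discarded by `recover_key`. Four linear equations on four key bits leave a single candidate.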

Slide 33: Cube Attacks Controversies [1]
Dan Bernstein: http://cr.yp.to/cubeattacks.html
• “Why haven't cube attacks broken anything?” (actually it broke a VERY large number of rounds of Trivium)
• Cube attacks work well for random polynomials of small degree.
  – Real-world ciphers, when viewed as polynomials, don't have small degree.
  – Lai 1992 explains how to break every small-degree cipher;
  – It seems to me that "cube attacks" are simply a reinvention of Lai's HO DC attack; if Dinur and Shamir had cited Lai's paper […] then they would have been forced to drop essentially all of their advertising.

Slide 34: *Cube Controversy [2]
Plagiarism:
– Dinur and Shamir DO/DID NOT credit Michael Vielhaber's "Algebraic IV Differential Attack" (AIDA) as a precursor of the cube attack.
– Dinur stated at Eurocrypt 2009 that Cube generalises and improves upon AIDA.
– However, Vielhaber contends that the cube attack is no more than his attack under another name.

Slide 35: 1. Finite Fields, Block Ciphers and AES (2 separate files)

Slide 36: 1.1. Block Ciphers and Algebraic Relations

Slide 37: How do We Attack AES? – Very ambitious…

• AES pushes the classical design principles (= high non-linearity) to their limits, optimality.
• Explore these limits. Look for pitfalls!

Slide 38: What About Block Ciphers?
Q: Do these polynomial relations MATTER AT ALL for block ciphers (e.g. AES)?

Remark: they break a lot of stream ciphers very badly.

Slide 39: YES!
Q: Do these polynomial relations MATTER AT ALL for block ciphers?

YES (at least for some of them…)

Slide 40: This Cipher is Broken for 1 M rounds!

F: inverse in GF(2^n).

[Jakobsen-Knudsen FSE ’97, Courtois AES’4]

Slide 41: ***Bi- [Courtois Crypto ’04]

Slide 42: ***2. Weak Cipher Number 2:

Round function:

Very secure against all known attacks on block ciphers…, but broken for 1 M rounds!

Slide 43: ***3. Another Insecure Cipher
64-bit, 32-bit round function:

Looks very secure… etc. Broken for up to 2^16 rounds! [Courtois AES’4]

Slide 44: ****4. Insecure Unbalanced Feistel Networks (e.g. SHA-x)
This one again looks very secure:

Again, broken for up to 2^16 rounds!

Slide 45 (AES Structure and Design, Nicolas T. Courtois): Wide Trail Strategy (WTS)
Assures very good diffusion; proposed by the designers of AES.

• The “approximation” attacks:
  – Deadly. Forces one to approximate a great many S-boxes at the same time. AES is very secure against LC/DC.
  – WTS probably kills all these insecure ciphers that are very special…
• The “exact algebraic” approach:
  – Combine relations true with probability 1.
  – The wide trail strategy still plays a huge role in practice/theory.

Slide 46 (October 2006): *AES Under Attack

Slide 47: Controversial Paper [Asiacrypt ’02 / eprint]
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
Nicolas T. Courtois, Advanced Crypto Research, Axalto Smart Cards, France
Josef Pieprzyk, Center for Advanced Computing - Algorithms and Cryptography, ICS, Macquarie University, Australia

Slide 48: Echoes in the Press
Cryptogram [the world’s No. 1 crypto/security newsletter]: “AES News. AES may have been broken […], there's no need to panic. Yet. But there might be soon […] These are amazing results. […] Many cryptographers who previously felt good about AES are having second thoughts […]”

Slide 49: *Echoes in the Press
(the world’s largest-circulation scientific magazine), 27 Sept. 2002:

Slide 50: *Cover Page of New Scientist:

Slide 53: XSL Ciphers (diagram: round key K_i, then the layers X, S, L)

Slide 54: The so-called “XSL Attack” and AES
Not a very efficient attack, a sort of scientific research programme…

“XSL is not an attack, it is a dream”, AES designer

Slide 55 (Courtois, Indocrypt 2008): XSL Attacks - Summary
Algebraic attacks on block ciphers work in 3 stages:
1. Write good equations – overdefined, sparse or both.
2. Expand – to obtain a very overdefined system.
3. Final "in place" elimination method – completely solve.

Two versions of the Courtois-Pieprzyk paper:
• The original paper is on eprint.iacr.org/2002/044 (archive, not updated anymore): “First XSL attack”, “Second XSL attack” → the most powerful versions.
• Asiacrypt ’02: “Compact Version of the First XSL Attack” → the most general, least powerful, simpler and easier to study.

Slide 56: **Reinvent it in 2015: Algebraic attacks on block ciphers today:
1. Write good equations – overdefined, sparse or both.
   • LESS TRIVIAL than expected [new tricks: higher degree, add variables, etc.].
2. Expand – avoid / minimise impact of…
3. Final "in place" deduction / inference / elimination method.
   • ElimLin alone and the T’ method. Amazingly powerful.
   • New tools [SAT solvers]. Amazingly powerful.

Slide 57: Part 1. Find good equations such that:

equations / monomials = 1/4 or so.

Slide 58: Part 2. Expand to a very overdefined system, close to saturation:

free eqs. / monomials = close to 1

Slide 59: Part 3. Final step – achieve complete saturation giving the key bits:

free eqs. / monomials = exactly 1

Slide 60: AES

• Won the 2000 NIST vote.
• was second.

Slide 61: Unbelievable Security
Most people think: it is easy to achieve 2^256; just mix sufficiently many strange functions…. Security grows exponentially in the number of rounds.

Our claim: it is hard to achieve the security level of 2^256.

Slide 62: Moore’s Law
The computing power of 2^256 will not be available before the year 2200. Until then, so much higher mathematics and so much better methods of cryptanalysis will be found…

Guess: all cryptosystems that claim today the security level of 2^256 will be broken by then.

Slide 63: Part 1. Find good equations such that:

equations / monomials = 1/4 or so.

Slide 64: MQ Problem

Find a solution to a system of m quadratic equations in n variables over a field/ring.

Slide 65: MQ Problem
Find a solution (at least one), i.e. find (x_0, …, x_{n-1}) such that:

Slide 66: Known applications of MQ
Multivariate schemes such as UOV, HFE, Quartz and Sflash are based on MQ.
• In usual applications, nobody is using these new schemes. But:
• About the only solutions known for specific applications: very short signatures with Quartz, fastest signatures in the world with Sflash [cf. PKC 2003].

Who cares about MQ?

Slide 67: Surprising applications of MQ
Claim: 90% of all applied cryptography is based on MQ.

1. RSA is based on MQ with m=1 and n=2: factoring N ⇔ solving x^2 = y^2 mod N.

2. Rijndael is based on MQ?

Slide 68: Rijndael S-boxes

(y_1, …, y_8) = S(x_1, …, x_8).

Theorem: for each S-box there are r = 39 quadratic equations with 16 variables x_i and y_i that are true with probability 1.

Overdefined MQ system, 39 >> 8.

Slide 69: Origin of the equations
(cf. cryptanalysis of Matsumoto-Imai by J. Patarin, Crypto ’95)

  identity (y = x^-1)     equations   type
  x ≠ 0:  1 = x y             7       bi-linear
  x = x^2 y                   8       bi-linear
  y = y^2 x                   8       bi-linear    (23 bi-linear)
  x^3 = x^4 y                 8       quadratic
  y^3 = y^4 x                 8       quadratic    (39 in total)

Slide 70: Optimal S-boxes?
[Anne Canteaut, Marion Videau, Eurocrypt 2002]: optimal for linear, differential and high-order differential attacks.

We do not know any worse S-box in terms of r:

  Power (S-box x^e)       -1    3    5    7
  r = equations / S-box   39   39   34   24
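An added example (my code, not the slides' or the paper's) that checks the r = 39 count of slides 68 and 69, and the bi-affine sub-count of 23, by linear algebra: evaluate every monomial of degree ≤ 2 in the 16 input/output bits at all 256 points (x, S(x)) and take the kernel dimension of the resulting 256 × 137 matrix over GF(2). This is the “I/O relations” criterion of slides 9 to 11 made computable. The AES S-box (inversion in GF(2^8) modulo 0x11B followed by the standard affine map) is implemented here from the specification; the affine map is an invertible change of the output variables, so it leaves the number of relations unchanged. The same routine can be pointed at the power S-boxes x^3, x^5, x^7 of the Canteaut-Videau table above.

```python
from itertools import combinations

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_pow(a, e):
    r, base = 1, a
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def gf_inv(a):
    return 0 if a == 0 else gf_pow(a, 254)    # a^(2^8 - 2) = a^-1; 0 -> 0 as in AES

def aes_sbox(x):
    """Inversion followed by the AES affine map: XOR of four byte rotations and 0x63."""
    b = gf_inv(x)
    s = b
    for r in range(1, 5):
        s ^= ((b << r) | (b >> (8 - r))) & 0xFF
    return s ^ 0x63

def rank_gf2(rows):
    """Rank of a set of GF(2) row vectors stored as Python ints."""
    pivots = {}
    for r in rows:
        while r:
            p = r.bit_length() - 1
            if p not in pivots:
                pivots[p] = r
                break
            r ^= pivots[p]
    return len(pivots)

def count_quadratic_relations(sbox, bi_affine_only=False):
    """Number r of linearly independent equations of degree <= 2 in the 16 variables
    x_0..x_7, y_0..y_7 that hold for every pair (x, y = sbox(x)).  With
    bi_affine_only the x_i*x_j and y_i*y_j monomials are dropped, keeping x_i*y_j.
    r = (#monomials) - rank of the 256 x (#monomials) evaluation matrix."""
    mons = [0] + [1 << i for i in range(16)]
    for i, j in combinations(range(16), 2):
        if bi_affine_only and (i < 8) == (j < 8):
            continue
        mons.append((1 << i) | (1 << j))
    rows = []
    for x in range(256):
        point = x | (sbox(x) << 8)          # bits 0..7 = x_i, bits 8..15 = y_i
        row = 0
        for c, m in enumerate(mons):
            if m & point == m:              # the monomial evaluates to 1 here
                row |= 1 << c
        rows.append(row)
    return len(mons) - rank_gf2(rows)

if __name__ == "__main__":
    print("AES S-box: quadratic r =", count_quadratic_relations(aes_sbox),
          " bi-affine r =", count_quadratic_relations(aes_sbox, bi_affine_only=True))
    for e in (3, 5, 7):
        print(f"x^{e} in GF(2^8): quadratic r =",
              count_quadratic_relations(lambda x, e=e: gf_pow(x, e)))
```

For a random 8-bit S-box the same routine returns 0 with overwhelming probability (137 monomials against 256 points), which is what makes r = 39 remarkable and is the measurable form of the design criterion on slide 9.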

Slide 71: Reduction Rijndael → MQ
Rijndael 128-bit: recovering the secret key can be rewritten as MQ:

8000 quadratic equations, 1600 variables in GF(2).

But how to solve it?

Slide 72: Part 2. Expand to a very overdefined system, close to saturation:

free eqs. / monomials = close to 1

Slide 73: Simple Explanation of How the XL Algorithm Works

Slide 74: Part 2. Expand to a very overdefined system, close to saturation:

free eqs. / monomials = close to 1

Slide 75: How to expand? The XL idea: multiplying the equations by one or several variables.

Slide 76: XL means…
• eXtended Linearisation
• Multiply (X) and Linearise
• eXpansion in the ideaL spanned by the equations…
• doing things like x_1 * l_3
• etc…

Slide 77: XL Algorithm, F4, F5, etc…
• [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000]
• [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [J.M. Chen and Bo-Yin Yang papers]
• [Old papers by Lazard], [Buchberger algorithm and Gröbner bases], [F4, F5, F5/2 by Faugère] etc… [Magali Bardet and Gwenolé Ars work], etc…
• Asiacrypt 2004: [Claus Diem], [Gwenolé Ars, Jean-Charles Faugère, Makoto Sugita, Mitsuru Kawazoe, Hideki Imai].
XL is about the best general attack we know for MQ. Designed for systems that are overdefined. For 128-bit Rijndael: 2^330.

Slide 78: The principle of XL: multiply the initial equations by low-degree monomials:

becomes:

(degree 3 now).

Slide 79: The idea of XL: multiply equations by low-degree monomials.
• Count new equations: R
• Count new monomials: T
One term can be obtained in many different ways, ⇒ T grows slower than R.

Slide 80: How XL works:

Initial system: m equations and n^2/2 terms. Multiply each equation by a product of any D-2 variables:
• Equations: R
• Terms: T
Idea: one term can be obtained in many different ways, so T grows more slowly than R. Necessary condition: R/T > 1 gives … and thus D …. If sufficient, the complexity of XL would be about …. Sub-exponential? Not true!

Slide 81: XL will always work
Theorem: over any small finite field, when D > q and the q field equations x_i^q = x_i can be included, XL always does work, for ANY SYSTEM OF EQUATIONS (worst case). See: Nicolas Courtois and Jacques Patarin: About the XL algorithm over GF(2), CT-RSA 2003, April 2003, San Francisco.
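An added implementation (mine, not from the slides) of XL over GF(2) on a constructed toy system: m random quadratic equations in n variables with a planted solution. For D = 2, 3, … each equation is multiplied by every monomial of degree ≤ D-2, x_i^2 is reduced to x_i (the field equations the theorem above refers to), each product is linearised over the T monomials of degree ≤ D, and Gaussian elimination is run with the high-degree monomials as leading columns so that, once the system saturates, rows of the form x_i + c = 0 appear and give the unknowns directly. D is allowed to go up to n+2, at which point the multipliers cover every monomial and the span is the whole ideal, so a unique solution is always found. The parameters n = 6, m = 24 and the seed are assumptions for the example; the brute-force check only confirms that the planted solution is unique.

```python
import random
from itertools import combinations

def monomials_up_to(n, d):
    """All multilinear monomials in n variables of degree <= d, as variable bitmasks."""
    out = []
    for k in range(d + 1):
        for vs in combinations(range(n), k):
            out.append(sum(1 << v for v in vs))
    return out

def evaluate(poly, point):
    """Evaluate an ANF (set of monomial masks) at a point (bitmask) over GF(2)."""
    return sum(1 for m in poly if m & point == m) & 1

def multiply(poly, mono):
    """Multiply a polynomial by a monomial, reducing x_i^2 = x_i (field equations);
    terms that coincide after reduction cancel over GF(2)."""
    out = set()
    for t in poly:
        out ^= {t | mono}
    return out

def rref_gf2(rows):
    """Reduced row echelon form; rows are ints, the highest set bit is the pivot."""
    pivots = {}
    for r in rows:
        while r:
            p = r.bit_length() - 1
            if p not in pivots:
                pivots[p] = r
                break
            r ^= pivots[p]
    for p in sorted(pivots):
        for q in pivots:
            if q != p and (pivots[q] >> p) & 1:
                pivots[q] ^= pivots[p]
    return pivots

def xl_solve(system, n):
    """XL: for increasing D, multiply every equation by all monomials of degree
    <= D-2, linearise over the monomials of degree <= D (columns ordered so that
    high degree = leading bit, the constant = bit 0), eliminate, and read off rows
    of the form x_i + c = 0.  Returns (solution, D, R, T)."""
    for D in range(2, n + 3):
        cols = sorted(monomials_up_to(n, min(D, n)), key=lambda m: (bin(m).count("1"), m))
        col = {m: i for i, m in enumerate(cols)}
        rows = []
        for eq in system:
            for mono in monomials_up_to(n, D - 2):
                r = 0
                for t in multiply(eq, mono):
                    r |= 1 << col[t]
                if r:
                    rows.append(r)
        pivots = rref_gf2(rows)
        sol, complete = 0, True
        for i in range(n):
            row = pivots.get(col[1 << i])
            if row is None or row & ~((1 << col[1 << i]) | 1):
                complete = False          # x_i is not yet isolated at this degree
                break
            sol |= (row & 1) << i         # row encodes x_i + c = 0, i.e. x_i = c
        if complete:
            return sol, D, len(rows), len(cols)
    return None, None, None, None

def random_planted_system(n, m, seed):
    """Constructed test input: m random quadratic equations with a planted solution."""
    rng = random.Random(seed)
    sol = rng.getrandbits(n)
    mons = monomials_up_to(n, 2)
    system = []
    for _ in range(m):
        poly = {t for t in mons if rng.random() < 0.5}
        if evaluate(poly, sol):
            poly ^= {0}                   # flip the constant so that poly(sol) = 0
        system.append(frozenset(poly))
    return system, sol

def brute_force(system, n):
    return [p for p in range(1 << n) if all(evaluate(eq, p) == 0 for eq in system)]

if __name__ == "__main__":
    system, planted = random_planted_system(6, 24, seed=2002)
    sol, D, R, T = xl_solve(system, 6)
    print(f"planted {planted:06b}, XL found {sol:06b} at D={D}: R={R} products over T={T} monomials")
    print("brute force:", brute_force(system, 6))
```

The R and T returned for the successful degree are the two counts of slide 79; on an overdefined system R overtakes T at a low D, which is the whole reason XL works there and fails on systems with m close to n.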

Slide 82: XL works quite well

Slide 83: The behaviour of XL
It is possible to predict the exact number of linearly independent equations in XL.

Slide 84: Applying XL to Rijndael
1. Makes little sense, XL is a tool for dense systems of equations…

Except if there are “degree falls”: some combinations of unusually low degree, cf. HFE attacks…

Slide 85: Known attacks on AES
1. Combinatorial attacks: attack [Rijmen-Daemen], multiset attacks [Shamir, Biryukov] – only for a few rounds...
2. Approximation attacks: differential/linear, etc… The security grows exponentially with the number of rounds Nr! (and so does the required number of plaintexts).

Slide 86: From XL to “XSL”

“XSL is not an attack, it is a dream”, Vincent Rijmen, AES designer

Slide 87 (Courtois, Indocrypt 2008): Pure theory?

XL: astronomical complexity

Remark: our system of 8000 quadratic equations with 1600 variables is not a general MQ system. It is sparse, ⇒ there must be a better method!!!

Slide 88: The XL idea: multiplying the equations by one or several variables.

Slide 89: The XSL variant: multiplying the equations by one or several monomials (out of the monomials present).

Slide 90: XSL Algorithm
Main idea: in a sparse system, R/T at the beginning is already much bigger than in a random system.

Step 1: Optimise sparsity: one variable for each input and each output bit of each S-box.

Step 2: Multiply by selected monomials: if we multiply by products of existing terms, each resulting term will be obtained several times, thus R/T will be the biggest possible.

Slide 91: Naive XSL Attack (on block ciphers)

Each S-box: r equations, t terms. Multiply by P-1 terms from other S-boxes. S = number of S-boxes in the cipher.
• Equations: mainly …
• Terms: …

Result: R/T ≈ P · r/t; R/T ≥ 1 ⇒ P ≈ t/r.

Slide 92: The Complexity of the Naive XSL Attack

Γ^ω · (Block size)^{O(t/r)} · (Nb. of rounds)^{O(t/r)}
Polynomial with a huge constant Γ = (t/s)^{t/r} depending only on the S-box parameters.

• For a random S-box, Γ is double-exponential in s.
• For the Rijndael S-box, Γ is simply exponential in s.

Slide 93: Less Naive XSL Attack
Over-counting problem: it can be shown that an important part of the equations in R are not linearly independent. Only at most R = t^P – (t-r)^P of these equations are linearly independent. Probably a bit less, but not much less.

Saturation problem: simulations show that the number Free of linearly independent equations is never very close to T, and for P=2, as the number of rounds Nr grows, we have Free ≈ 96.59% T.

How to solve the system when T – Free is big?

Slide 94: Part 3. Final step – achieve complete saturation giving the key bits:

free eqs. / monomials = exactly 1

Slide 95: The T’ Method [Courtois 2002]
Let x1 be a variable. Let T’ = the number of terms that can be multiplied by x1 and still belong to the set of terms in T.
Claim: if Free > T – T’ then the system can be solved in about T^ω:
• Each term in T is expressed as a linear combination of terms only in T’.
• We obtain one or more equations containing only the terms of T’.
• We do the same with respect to x2 (2 variables are probably enough).
• Multiply the exceeding equations of the first system by x1.
• We obtain new linearly independent equations; the rank grows!
• Early simulations show that this heuristic works very well.
• Transfer the new equations to the other system(s), i.e. eliminate all terms that can be multiplied by x2.
• After at most T’ steps we expect to achieve Free = T – 1 or so…
• It seems that the complexity of the whole is essentially T^ω.

Slide 96: An Example of the T’ Method
Let n=5 variables; therefore T=16 and T'=10. We start with a random system that has exactly one solution, with Free > T-T' and with 2 “exceeding” equations, i.e. Free = T-T'+2.

Here is a system in which T' is defined with respect to x1:

Slide 97: T’ Method contd.
Here is the same system in which T' is defined for x2:

The two systems allow us to “transfer” an “exceeding” equation from one representation to the other in T’^2 operations. A kind of iterative decoding…

Slide 98: T’ Method contd.

Back to the first system in which T' is defined for x1:

We have rank=8.

Multiply the 2 “exceeding” equations of the first version by x1.

Miracle: we have rank=10. New linearly independent equations!

Slide 99: T’ Method contd.
Now we have 4 “exceeding” equations (two old and two new). Transfer them to the second system.

Then multiply them by x2:

We are not lucky: the second equation is invariant. Still we get 3 new linearly independent equations and rank=13.

Slide 100: T’ Method contd.

We rewrite the 3 new equations with terms that can be multiplied by x1.

Still rank=13. We multiply them by x1:

We have rank=14, one more linearly independent equation.

We rewrite the first equation with terms that can be multiplied by x2.

Slide 101: T’ Method contd.
We still have rank=14. Then we multiply the new equation by x2.

We get another new linearly independent equation. We have rank=15. The rank is the maximum that can be achieved: there are 15 non-zero monomials here, and rank=16 can only be achieved for a system that is contradictory.

We expect that the number of additional equations in the T' method grows quickly.

Slide 102: Remarks on the T’ Method
Theorem [Coppersmith 2002, never published]:

The T’ method cannot work with only a few “special variables”.

⇒ Use all of them!

Slide 103: Remarks on the T’ Method
Even in this case, the complexity is multiplied only by n, a small factor compared to T^ω. For example n=2^11 and T^ω=2^87. A moderate increase; AES would still be broken.

My simulations show that the T’ method works very well… which is in fact very surprising…!

Slide 104: Application of the T’ trick
If Free > T – T’ then the system can be solved in about T^ω.

For AES-256, we obtain for P=5: R/(T–T’) = 1.0005. Then T = 2^96 and T’ = 2^90. Consequence: if Free > 99.4% T, then AES-256 is broken in about 2^203.

Current simulations on a toy cipher give rather Free ≈ 96.59% T, apparently a size-independent constant! A different constant for Rijndael? To be seen. For example, when P=7 we have R/(T–T’) = 1.004, but then XSL gives 2^278, more than exhaustive search.

Slide 105: CTC = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes.
• Diffusion: permuting wires (as the DES P-box!).
• 1, 2, 4, 8, … S-boxes per round.
• 1, 2, 3, …, 10, …, 30, … rounds.
• == Block size.
• Simple: bit permutation (as in DES!)

Slide 106: Equations – From a Real Example

1. Quadratic (for each S-box):

S-box 0 (inputs X[0][1..3], outputs Z[0][1..3]):
X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1
X[0][1]*X[0][3]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][1]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][2]+Z[0][2]+Z[0][1]+X[0][3]
X[0][2]*X[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][1]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]
X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1
X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]
X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]
X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]
Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]

S-box 1 (inputs X[1][1..3], outputs Z[1][1..3]):
X[1][1]*X[1][2]+Z[1][1]+X[1][3]+X[1][2]+X[1][1]+1
X[1][1]*X[1][3]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][1]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][2]+Z[1][2]+Z[1][1]+X[1][3]
X[1][2]*X[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][1]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][2]+X[1][1]*Z[1][3]+X[1][1]
X[1][2]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][1]+X[1][3]+X[1][2]
X[1][3]*Z[1][1]+X[1][1]*Z[1][3]+Z[1][3]+Z[1][1]
X[1][3]*Z[1][2]+Z[1][3]+Z[1][1]+X[1][3]+X[1][1]
X[1][3]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][2]+X[1][2]+X[1][1]
Z[1][1]*Z[1][2]+Z[1][3]+X[1][1]
Z[1][1]*Z[1][3]+Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1
Z[1][2]*Z[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][3]+X[1][1]

2. Linear (connecting boxes via key variables):
1+X[0][1]=k_0
1+X[0][2]=k_1
1+X[0][3]=k_2
1+X[1][1]=k_3
1+X[1][2]=k_4
1+X[1][3]=k_5
Z[0][3]+X[2][1]=k_1
Z[1][1]+X[2][2]=k_2
Z[1][2]+X[2][3]=k_3
Z[1][3]+X[3][1]=k_4
Z[0][1]+X[3][2]=k_5
Z[0][2]+X[3][3]=k_0
Z[2][1]+0=k_0
Z[2][2]+1=k_1
Z[2][3]+1=k_2
Z[3][1]+1=k_3
Z[3][2]+1=k_4
Z[3][3]+1=k_5

Slide 107: More Equations: XSL expansion

If L1 denotes 1+X[0][1]=k_0 and L57 denotes X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1, we have:

(each S-box equation × some existing monomial; slide labels Part 3, R):
L57*1, L57*X[0][1], L57*X[0][2], L57*X[0][3], L57*Z[0][1], L57*Z[0][2], L57*Z[0][3], L57*X[0][1]*Z[0][1], L57*X[0][1]*Z[0][2], L57*X[0][1]*Z[0][3], …
L1*1, L1*X[1][1], L1*X[1][2], L1*X[1][3], L1*Z[1][1], L1*Z[1][2], L1*Z[1][3], L1*X[1][1]*Z[1][1], L1*X[1][1]*Z[1][2], L1*X[1][1]*Z[1][3], L1*X[1][2]*Z[1][1], L1*X[1][2]*Z[1][2], L1*X[1][2]*Z[1][3], …

(linear equations × key variables; slide labels Part 4, R’):
L56*k_0, L56*k_1, L56*k_2, L56*k_3, L56*k_4, L56*k_5, L57*k_1, L57*k_2, L57*k_3, L57*k_4, L57*k_5

Slide 108: How to finish?
• Initial proposal: T’ method.
  – Works very well in practice, but requires to be run many times (each time the rank increases).
• Alternatives:
  – use Gröbner bases.
  – better alternatives:
    • SAT solvers,
    • ElimLin.

Slide 109: 5. New Equations: The T’ method

Example of how the rank grows (4 S-boxes):
7329 + 28 → 7329 + 52 → 7329 + 56 → 7329 + 96 → 7329 + 147 → 7329 + 165 → 7329 + 172 → 7329 + 173 → 7329 + 174

A unique solution found. 249.7 seconds.

Slide 110: ***Will the T’ method suffice?

Maybe…

Free/(T-T’) – XSL expected to work for up to 16 rounds.

Slide 111: ****Less Naive XSL Attack
• Over-counting problem: now assume R = t^P – (t-r)^P
• Saturation problem: use the T’ method.

112 Complexity of the Less Naive XSL

Very surprisingly, the more realistic formulas give results very similar to the naïve version: w * (Block size)^O(t/r) * (Nb. of rounds)^O(t/r)

Is XSL polynomial with a huge constant? Not sure at all. Simulations show that P will rather increase (slowly) with Nr.

113 Summary: XSL takes advantage of the fact that the equations are overdefined and sparse. Expected (at least) to work better than XL.

For 128-bit Rijndael the claimed XSL complexity was at least 2^230.

114 Is AES 256 bits broken? For AES-256, XSL seems to give 2^203 (the version on eprint, with cubic equations). Not proven, based on heuristic assumptions.

115 Remark 1

People naively believe that XSL does not work well… The truth: nobody knows!

116 Remark 2

We know MUCH BETTER algebraic attacks on block ciphers today.

117 Murphy and Robshaw Variant

[Murphy, Robshaw, Crypto 2002, see Section 6, added after they read our paper].

They write an equivalent system of MQ equations, but over GF(2^8). Much sparser than over GF(2). For AES 128 bits, it seems that XSL could solve such a system in as little as 2^100…

118 AES-128 broken in 2^88? Gwenolé Ars PhD thesis [June 2005]: the author presents an attack in 2^88 that might “maybe” work… (?????)

119 Papers on XSL and AES
• The original paper (archive, not updated anymore) is available on eprint.iacr.org/2002/044: “First XSL attack”, “Second XSL attack” → the most powerful version.
• Asiacrypt 2002: the so-called “Compact Version of the First XSL Attack” → the most general version of the XSL attack, least powerful, simpler and easier to study.

Some software and tools: do check www..net/aes/

120 Algebraic Attacks on Block Ciphers

Fast Algebraic Attacks On Block Ciphers

121 © Nicolas T. Courtois, 2006-2011 Algebraic Attacks on Block Ciphers

Fast Algebraic Attacks on Block Ciphers
Definition [informal on purpose]: methods to lower the degree of equations that appear throughout the computations… [e.g. the max degree in F4] (more generally, the need to substantially lower the memory requirements of algebraic attacks compared to their running time). A very rich galaxy of attacks to be studied in the next 20 years…

How to lower the degree?
• by having several P/C pairs (bigger yet much easier!)
• by CPA, CPCA, etc…
• by fixing internal variables (Guess-then-Algebraic).
• by finding [approximate] equations on bigger blocks
  – by interpolation [cf. W. Meier’s talk]
  – by guessing equations that have a strong bias: Linear-Algebraic or Bi-Linear-Algebraic Cryptanalysis, Differential-Algebraic.
• by clever choice of representation
• by introducing new variables (oh yes!)
• by having a larger key
• new tricks to be invented?
All of these have a cumulative effect!!!

122 How to Evaluate the Quality of Alg. Attacks
Compare ONLY to other similar attacks:
• Straightforward algebraic approach. Write + solve.
• Other attacks that work given a VERY SMALL quantity of plaintexts.

• NEVER compare to DC/LC etc. Doesn’t make sense. Two independent areas of research that have no intersection.
  – Both allow us to write 100s of papers but do not expect to break 3DES or AES tomorrow morning.

123 Solving Methods, Solver Software

124 Fact

In 2005-2006 huge progress has been made.
• Up to 510 S-boxes broken on a laptop: Fast Algebraic attacks on block ciphers <= cumulative effect of improvements in many directions.

125 What’s New
The biggest discoveries in Science are the simplest.

126 3.3. ElimLin – The Most Surprising

Complete description:
• Find linear equations in the linear span.
• Substitute, and repeat.

Amazingly powerful, (surprisingly) VERY HARD TO IMPLEMENT:
• Heuristics to preserve sparsity. Local optimization.
• Data representation and memory management vs. speed.

127 3.3. ElimLin – Remark: in a way it is an ultra-light and super-simplified version of F4 operating at ”degree 1.05” or ”2.01” (makes sense: relatively small number of higher-degree monomials, and certain types of monomials much more likely to ever appear).

128 3.4. ANF-to-CNF - The Outsider
Before we did try, we actually never believed it could work…

Convert MQ to a SAT problem (both are NP-hard problems).

129 3.4. ANF-to-CNF - The Outsider
Principle 1: each monomial = one dummy variable.

d+1 clauses for each degree-d monomial.

130 Also Principle 2: Handling XORs – not obvious. Long XORs are known to be hard problems for SAT solvers.

• Split longer XORs into several shorter ones with more dummy variables.
• About 4h clauses for a XOR of size h.

131 ANF-to-CNF
This description is enough to produce a working version.

Space for non-trivial optimisations. See: Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson: “Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers”.
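The two principles above, as an added worked example. This is my own code, not the converter from the cryptosystem.net tools nor the one of the Bard, Courtois and Jefferson paper: a minimal ANF-to-CNF encoder plus a toy DPLL solver to run its output. The polynomial representation, the variable names, the sample system and the `cut` parameter (how many terms a XOR chunk may hold before a dummy variable is introduced) are all my choices; the slide's "about 4h clauses" refers to its own cutting strategy, not to this one.

```python
# Added example, not from the slides or the cryptosystem.net tools: a minimal ANF-to-CNF
# converter following Principle 1 (monomial -> dummy variable, d+1 clauses) and Principle 2
# (cut long XORs with dummy variables), plus a tiny DPLL solver to run the result.
# The polynomial system at the bottom is constructed sample input.
from itertools import product

def anf_to_cnf(system, variables, cut=3):
    """Encode {p = 0 : p in system} as CNF. Polynomials are sets of monomials (frozensets of
    variable names); frozenset() is the constant 1. Returns (clauses, number_of_cnf_vars)."""
    var_id = {v: i + 1 for i, v in enumerate(variables)}
    clauses, mono_id = [], {}
    nxt = len(variables) + 1

    def fresh():
        nonlocal nxt
        nxt += 1
        return nxt - 1

    def term(m):
        """Principle 1: a degree-d monomial becomes one dummy variable t and d+1 clauses."""
        if len(m) == 1:
            return var_id[next(iter(m))]
        if m not in mono_id:
            t, xs = fresh(), [var_id[v] for v in m]
            clauses.extend([-t, x] for x in xs)         # t -> x_i            (d clauses)
            clauses.append([t] + [-x for x in xs])      # x_1 & .. & x_d -> t  (1 clause)
            mono_id[m] = t
        return mono_id[m]

    def xor_clauses(lits, rhs):
        """Forbid every assignment of lits whose parity differs from rhs (2^(k-1) clauses)."""
        for bits in product((0, 1), repeat=len(lits)):
            if sum(bits) % 2 != rhs:
                clauses.append([l if b == 0 else -l for l, b in zip(lits, bits)])

    for p in system:
        lits = [term(m) for m in p if m]
        rhs = 1 if frozenset() in p else 0               # XOR of the terms = constant
        while len(lits) > cut:                           # Principle 2: cut long XORs
            u = fresh()
            xor_clauses(lits[:cut - 1] + [u], 0)         # u = XOR of the first cut-1 terms
            lits = [u] + lits[cut - 1:]
        xor_clauses(lits, rhs)
    return clauses, nxt - 1

def dpll(clauses, assign=None):
    """Tiny DPLL (unit propagation + branching). Returns a satisfying dict or None."""
    assign = dict(assign or {})
    while True:
        unit, live = None, []
        for cl in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in cl):
                continue                                 # clause already satisfied
            free = [l for l in cl if abs(l) not in assign]
            if not free:
                return None                              # clause falsified: conflict
            if len(free) == 1:
                unit = free[0]
            live.append(cl)
        clauses = live
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
    if not clauses:
        return assign
    v = next(abs(l) for l in clauses[0] if abs(l) not in assign)
    for val in (True, False):
        res = dpll(clauses, {**assign, v: val})
        if res is not None:
            return res
    return None

def solve_anf(system, variables):
    """Convert, solve, and map the model back to the original variables (None if unsat)."""
    clauses, _ = anf_to_cnf(system, variables)
    model = dpll(clauses)
    if model is None:
        return None
    return {v: int(model.get(i + 1, False)) for i, v in enumerate(variables)}

def brute_force(system, variables):
    """Reference check: every assignment of the original variables zeroing all polynomials."""
    sols = []
    for bits in product((0, 1), repeat=len(variables)):
        val = dict(zip(variables, bits))
        if all(sum(all(val[v] for v in m) for m in p) % 2 == 0 for p in system):
            sols.append(val)
    return sols

fs = frozenset
VARS = ["a", "b", "c", "d"]
SYSTEM = [                                               # constructed sample system
    {fs("ab"), fs("c"), fs()},                           # a*b + c + 1 = 0
    {fs("b"), fs("d"), fs()},                            # b + d + 1 = 0
    {fs("acd"), fs("a"), fs("b")},                       # a*c*d + a + b = 0
    {fs("a"), fs("b"), fs("c"), fs("d"), fs()},          # a + b + c + d + 1 = 0
]

if __name__ == "__main__":
    print(solve_anf(SYSTEM, VARS), brute_force(SYSTEM, VARS))
```

`anf_to_cnf` returns DIMACS-style clauses (signed integers), so the output can be written to a file and handed to a real solver instead of the toy `dpll`; `brute_force` only exists to cross-check the encoding on systems small enough to enumerate.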

132 Ready Software
Several ready programs to perform this conversion are made available on this web page:

www.cryptosystem.net/aes/tools.html

133 Solving SAT
What are SAT solvers? Heuristic algorithms for solving SAT problems.
• Guess some variables.
• Examine consequences.
• If a contradiction is found, add a new clause saying “in this set of constraints one is false”.

A very advanced area of research. Introduction for “dummies”: Gregory Bard’s PhD thesis.

134 MiniSat 2.0. Winner of the SAT-Race 2006 competition.

An open-source SAT solver package, by Niklas Eén, Niklas Sörensson.

Later improved A LOT by Mate Soos => CryptoMiniSat 2.9.X

135 Ready Software for Windows
Several ready programs to solve SAT problems are also available on the same web page:

www.cryptosystem.net/aes/tools.html

136 ANF-to-CNF + MiniSat 2.0.
Gives amazing results in algebraic cryptanalysis of just any (not too complex / not too many rounds) cipher, cf. (VSH). Also for random sparse MQ.
• Certain VERY large systems are solved in seconds on a PC (thousands of variables!).
• A few take a couple of hours/days…
• Then infeasible, sharp increase.

Jump from 0 to ∞.

137 What Are the Limitations of Algebraic Attacks?
• When the number of rounds grows: complexity jumps from 0 to ∞.

• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.

=> jumps from ∞ to nearly 0!

138 **What Can Be Done with SAT Solvers?
• Clearly it is not the size of the system but the nature of it.
• Sometimes more powerful than GB, sometimes less.

Paradoxes:
• If you guess some variables, it can become much slower.
• Great variability in results (hard to compute an average running time, better to look at the 20 % fastest timings).
• Memory:
  – For many cases tiny: 9 Mbytes while Magma hangs at > 2 Gbytes for the same system.
  – For some working cases: 1.5 Gbytes and substantial time. Then terminates with the solution as well.

139 ***Toy Ciphers…

140 CTC/CT2 = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes.
• Diffusion D: permuting wires (as the DES P-box!).
• 1, 2, 4, 8, … S-boxes per round.
• 1, 2, 3, …, 10, …, 30, … rounds.
• Key size == Block size.
• Simple key schedule: bit permutation (as in DES!)

141 *CTC2 – more recent variant

• Virtually no difference
  – Different D-box but the difference is only at 1 bit position (!).
  – Changes everything w.r.t. linear cryptanalysis.
  – Changes nothing w.r.t. algebraic cryptanalysis.
• In both cases 6 rounds are broken, 7 rounds maybe this year…

142 **CTC vs. CTC2

CTC2: just remove one “weak” bit:

No other difference. Same for “99 % of positions”.

143 CTC2 S-box: random on 3 bits, without linear equations. Theorem [Courtois]: 14 MQ equations.

144 ToyRijndael and ToySerpent: basically a 4-bit version of CTC…

145 ToyRijndael S-box [4 bits]: Inv+Affine as in AES, borrowed from Carlos Cid. Theorem [Courtois]: 21 MQ equations.

ToySerpent S-box [4 bits]: S-box number 2 [chosen at random] stolen from Serpent [without permission from the authors]. Theorem [Courtois]: 21 MQ equations.

146 ToySerpent vs. ToyRijndael: both cases: 21 MQ equations. Same degree, same number, yet TOTALLY DIFFERENT results (and we can explain why!).

Bad news for the idea (IOH) that the I/O degree implies the existence of algebraic attacks.
• For some equations – good attacks [for 5 rounds].
• For some equations – little hope.

The Rijndael S-box shows unexpected resistance w.r.t. our fast algebraic attack on block ciphers [ElimLin].

147 Weakness in Serpent S-box 2: 4 / 21 equations are of the types
• 2 are “Linear+X2” (linear terms plus quadratic monomials in the input bits only).
• 2 are “Linear+Y2” (linear terms plus quadratic monomials in the output bits only).

0 / 21 such equations for the 4-bit Rijndael S-box!

148 Combined Effect of These: they allow to “avoid” / “lower the relative rank of” the set of higher-degree monomials in the x_i in algebraic equations that can be written for several rounds. In other words, some quadratic monomials / some linear combinations of monomials can be systematically eliminated.

Claim: this will greatly help to compute Gröbner bases at a lower degree! Now we will test the most optimistic version of this claim: replace F4 by ElimLin, how many linear equations can we generate?
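An added worked example (my code, not the author's software) that ties slides 126, 143-147 and 148 together: it computes, for a 3-bit and a 4-bit S-box, the number of quadratic (MQ) input/output relations, how many of them are of the "Linear+X2" and "Linear+Y2" types, and then runs a bare ElimLin, exactly the "find linear equations in the linear span, substitute, repeat" description, on one S-box whose output is known. Both S-boxes are constructed inputs: the 3-bit one is an arbitrary bijection, the 4-bit one is GF(16) inversion with a constant added, built in the code, not the Cid/ToyRijndael table from the slides.

```python
# Added example, not from the slides: count the quadratic (MQ) input/output relations of a small
# S-box by linear algebra over GF(2), classify the "Linear+X2" / "Linear+Y2" ones, and run a
# minimal ElimLin (find linear polynomials in the span, substitute, repeat) on the system.
# Both S-boxes are constructed sample inputs: the 4-bit one is inversion in GF(16) followed by
# an affine constant, built here, and is not claimed to be the exact ToyRijndael table.
from itertools import combinations

def gf16_inv(a, poly=0b10011):                       # GF(2)[x]/(x^4+x+1), a constructed choice
    """Multiplicative inverse in GF(16) by search; inv(0) := 0 as in AES."""
    def mul(p, q):
        r = 0
        while q:
            if q & 1:
                r ^= p
            q, p = q >> 1, p << 1
            if p & 0x10:
                p ^= poly
        return r
    return 0 if a == 0 else next(b for b in range(1, 16) if mul(a, b) == 1)

SBOX3 = [7, 6, 0, 4, 2, 5, 1, 3]                     # constructed 3-bit bijection
SBOX4 = [gf16_inv(a) ^ 0x6 for a in range(16)]       # constructed inverse-plus-affine 4-bit S-box

def rref_gf2(rows):
    """Reduced row echelon form over GF(2); rows are int bitmasks. Returns {pivot column: row}."""
    pivots = {}
    for r in rows:
        for c, pr in pivots.items():
            if (r >> c) & 1:
                r ^= pr
        if r:
            c = r.bit_length() - 1
            for pc in pivots:
                if (pivots[pc] >> c) & 1:
                    pivots[pc] ^= r
            pivots[c] = r
    return pivots

def monomials(nbits, kind):
    """Allowed monomials: constant, x_i, y_i, plus the quadratic ones selected by `kind`."""
    xs, ys = [f"x{i}" for i in range(nbits)], [f"y{i}" for i in range(nbits)]
    quad = {"full": combinations(xs + ys, 2), "X2": combinations(xs, 2),
            "Y2": combinations(ys, 2), "linear": []}[kind]
    return [frozenset()] + [frozenset([v]) for v in xs + ys] + [frozenset(p) for p in quad]

def sbox_relations(sbox, nbits, allowed):
    """Basis (as polynomials) of all relations in span(allowed) that hold for every (x, S(x))."""
    rows = []                                        # one row per input x: value of each monomial
    for x in range(1 << nbits):
        val = {f"x{i}": (x >> i) & 1 for i in range(nbits)}
        val.update({f"y{i}": (sbox[x] >> i) & 1 for i in range(nbits)})
        rows.append(sum(all(val[v] for v in m) << j for j, m in enumerate(allowed)))
    piv = rref_gf2(rows)                             # kernel: one basis vector per free column
    basis = []
    for f in (c for c in range(len(allowed)) if c not in piv):
        vec = 1 << f
        for c, pr in piv.items():
            if (pr >> f) & 1:
                vec |= 1 << c
        basis.append({allowed[j] for j in range(len(allowed)) if (vec >> j) & 1})
    return basis

def relation_counts(sbox, nbits):
    """(all MQ relations, Linear+X2 ones, Linear+Y2 ones, purely linear ones)."""
    return tuple(len(sbox_relations(sbox, nbits, monomials(nbits, k)))
                 for k in ("full", "X2", "Y2", "linear"))

def substitute(poly, var, expr):
    """Replace var by the polynomial expr inside poly (monomial union handles v^2 = v)."""
    out = set()
    for m in poly:
        if var in m:
            for e in expr:
                out ^= {(m - {var}) | e}
        else:
            out ^= {m}
    return out

def elimlin(system):
    """ElimLin: repeat {find a linear polynomial in the GF(2) span, solve a variable, substitute}."""
    system, solved = [set(p) for p in system if p], {}
    while True:
        mons = sorted({m for p in system for m in p}, key=lambda m: (len(m), sorted(m)))
        idx = {m: j for j, m in enumerate(mons)}     # higher degree = higher bit = eliminated first
        piv = rref_gf2([sum(1 << idx[m] for m in p) for p in system])
        lin = [(c, r) for c, r in piv.items() if len(mons[c]) == 1]   # leading term is a variable
        if not lin:
            return solved, system
        c, r = lin[0]
        (var,), expr = mons[c], {mons[j] for j in range(c) if (r >> j) & 1}
        solved = {v: substitute(e, var, expr) for v, e in solved.items()}
        solved[var] = expr
        system = [q for q in (substitute(p, var, expr) for p in system) if q]

def solve_sbox_input(sbox, nbits, y):
    """Recover x from the MQ relations plus the known output bits, by ElimLin alone."""
    system = sbox_relations(sbox, nbits, monomials(nbits, "full"))
    for i in range(nbits):                           # y_i + (known bit) = 0
        system.append({frozenset([f"y{i}"])} ^ ({frozenset()} if (y >> i) & 1 else set()))
    solved, rest = elimlin(system)
    if rest:
        return None                                  # ElimLin alone did not finish
    return sum((frozenset() in solved[f"x{i}"]) << i for i in range(nbits))
```

The counts are a dimension argument: a 3-bit S-box has 22 monomials of degree at most 2 in its 6 I/O bits evaluated on 8 points, so at least 22 - 8 = 14 relations exist; a 4-bit S-box has 37 monomials on 16 points, hence at least 21. What differs between S-boxes is the type of the relations, which is the point of slide 146: the relation count alone says nothing about whether ElimLin will make progress over several rounds.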

149 Interesting and WEIRD Question
KPA. How many linear equations are true with Pr=1?
[diagram: P1, P2, P3 each pass through 0-few rounds, then more rounds, to C1, C2, C3]

150 Very Surprising and Powerful Answer 1: they don’t exist (cf. LC).

Answer 2: they DO exist when the Pi are fixed!
• Can they be recovered by interpolation? I did program this. Some toy examples take ages… The most relevant cases => infeasible! Too large matrices.
• Fact: I have found a method to compute these equations VERY EFFICIENTLY given the set of plaintexts Pi. Arbitrary = a KPA.
Remark: a whole (big) part of the algebraic attack is done for a truncated cipher, i.e. without knowing the …; pre-computation is possible given the spec. of the cipher (Pb. to use: only easy with CPA).

151 When the Pi are fixed, how many equations?
Nb. of linear equations found, 5 rounds x 3 S-boxes, KPA truncated (unknown ciphertext), ToySerpent & ToyRijndael.

Equations with rounds 0-5. Some totally avoid the first 2 rounds (rounds 3-5). More powerful with the full cipher (the Ci are known => WORKS FROM both directions!!!!). ElimLin even easier!

152 Combinatorial Explosion
Nb. of new linear equations grows FASTER than LINEAR!!! Nb. of variables grows linearly in K.
[plot against K]

Unstoppable force of an asymptotic…

See our lab: http://www.nicolascourtois.com/papers/ga18/AC_Lab1_ElimLin_Simon_CTC2.pdf

153 What About… Real Life Ciphers?

154 DES
At first glance, DES seems to be a very poor target:

there is (apparently) no strong algebraic structure of any kind in DES.

155 What’s Left?
Idea 1: (IOH) Algebraic I/O relations. Theorem [Courtois-Pieprzyk]: every S-box has a low I/O degree. => 3 for DES.

Idea 2: (VSH) DES has been designed to be implemented in hardware. => Very sparse quadratic equations at the price of adding some 40 new variables per S-box.

156 Results?
Both Idea 1 (IOH) and Idea 2 (VSH) (and some 20 others I have tried…) can be exploited in working key recovery attacks.

157 S-boxes S1-S4 [Matthew Kwan] (figure)

158 S-boxes S5-S8 [Matthew Kwan] (figure)

159 I/O Degree

A “good” cipher should use at least some components with high I/O degree.

160 Theorem

161 Corollary: Cubic Equations and DES

Exactly 112 for all DES S-boxes.

162 5. Selected Results: Some Successful Attacks

163 Results on CTC
Nicolas T. Courtois: “How Fast can be Algebraic Attacks on Block Ciphers?”. eprint.iacr.org/2006/168/

6 rounds broken: 255-bit key, 510 S-boxes. ElimLin: 80 hours after 210 of the 255 key bits are guessed. 64 CP. About 10 times (slightly) faster than exhaustive search…

164 Results on CTC2
Much more resistant to LC [cf. Orr Dunkelman and Nathan Keller: Linear Cryptanalysis of CTC, eprint.iacr.org/2006/250/].

ElimLin still breaks 6 rounds in the same way (no visible difference).

10 rounds broken if block=96, key=256.

165 Results on ToySerpent
ToySerpent, 5 rounds, 32 S-boxes * 4 bits. The first 84 key bits guessed, 44 remain unknown. 4 CP => broken in 32 hours by ElimLin.

6 rounds should be feasible for the 256-bit version. Work in progress.

166 Results on ToyRijndael
Unexpectedly strong; the only difference is the S-box: 0/21 “Linear+X2” equations...

167 Results on DES
Nicolas T. Courtois and Gregory V. Bard: Algebraic Cryptanalysis of the D.E.S. In IMA conference 2007, pp. 152-169, LNCS 4887, Springer.

See also: eprint.iacr.org/2006/402/

168 What Can Be Done?
Idea 1 (Cubic IOH) + ElimLin: we recover the key of 5-round DES with 3 KP faster than brute force.
• When 23 variables are fixed, takes 173 s.
• Magma crashes at > 2 Gb of RAM.
Idea 2 (VSH40) + ANF-to-CNF + MiniSat 2.0: key recovery for 6-round DES. Only 1 KP (!).
• Fixing 20 variables takes 68 s.
• Magma crashes with > 2 Gb.

169 What Else Can We Do?
Claim: Algebraic Cryptanalysis is an excellent tool TO STUDY block and stream ciphers. For all properties that hold:
• With probability 1 or close.
• For 3, 4, 5, 6 rounds.. (already a lot, very complex to analyse by hand).

Proposed Application [probably feasible for many ciphers]:
• Find a 4-round differential that holds with probability 1.
• Show that there isn’t any (unsatisfiable/contradictory system of equations).

170 Example: Looking for another special property of DES.
An attack with a known key (glass-box). Motivation: educational, to study differential cryptanalysis.

I present this one because it works on a laptop PC for 12 full rounds of DES (which is the best result I have for now).

171 DC example (figure)

172 What We Can Do: given a key, find a … with difference (`00196000',`00000000') that carries over 12 rounds.

Naïve method (exhaustive search): requires 2^48 trials ≈ 3 CPU years.

Idea 2 (VSH40) + MiniSat 2.0: only 6 hours.

173 This Was Easy! Why? Reason: there are many solutions (about 2^16).

Conclusion: algebraic attacks with SAT are easier when there are many solutions. => Algebraic cryptanalysis should be a very good tool for breaking hash functions [as shown by Mironov-Zhang, Crypto 2006 Rump Session].

174 Conclusion: keys and special properties of block ciphers CAN be computed in practice with algebraic attacks, and this with little [human] effort.

175 Back to the Bigger Picture

176 Unified view of Algebraic Attacks
Algebraic Security Criterion [Courtois 1999]: non-existence of low-degree/small-size multivariate relations between the input bits and the output bits.

177 Avoid Algebraic Relations… …between inputs/outputs.
• Applies to multivariate public key cryptosystems: Sflash, Quartz.
• Applies to the non-linear part of a stream cipher, even if stateful.
• Applies to the S-boxes of a block cipher.

178 Claim: this criterion is necessary for the security of all these ciphers.

No proof. A precaution. Many ciphers still secure.

179 2. Algebraic Attacks on HFE and Other PKCs Based on Multivariate Polynomials

180 Security of HFE
Special case: Matsumoto-Imai cryptosystem [Eurocrypt'88]

A power function (as in the Rijndael S-box): x -> x^3

181 Attack on Matsumoto-Imai
x -> x^3. The inverse function gives Boolean functions of very high degree.

Attack: there are many multivariate bilinear relations that allow to break the cipher in no time.

[Jacques Patarin, Crypto’95]

182 Attack on HFE
x -> Polynomial of degree d. Again multivariate relations, attack in n^(3/2 log d). [Nicolas Courtois PhD thesis 1998, published in CT-RSA 2001]
New paper about this: [Faugère, Joux, Crypto 2003]. Same attack, but explains the origin of these equations! Forgot to acknowledge 4 previously published papers [Patarin, Courtois, Shamir-Kipnis, Courtois-Daum-Felke].

183 3. Algebraic Attacks on Stream Ciphers with Linear Feedback (e.g. LFSR-based)

184 Main Problem: Linear Feedback
A great many stream ciphers have a linear feedback (e.g. LFSRs):

state = multivariate linear function (prev. state)

So what?

185 Linear Feedback is Dangerous

It preserves the degree of the equations.

My claim: if one can relate state bits and output bits by only one multivariate equation of low degree without extra variables then:
• the cipher is broken in polynomial time,
• hard to find the right equations, a mix of insight and experimental results, but…
• such attacks may be surprisingly fast, e.g. 2^31.

186 One I/O Equation => Broken ∈ P
[diagram: linear component feeding a combiner with memory; I = input, O = output]

187 Common Opinions on Stream Ciphers
“Most real life designs centre around LFSRs combined by a non-linear Boolean function.”
“State of the art in generic stream ciphers cryptanalysis can be summarized as follows: correlation and fast correlation attacks.“
[Eric Filliol, Decimation Attack of Stream Ciphers, eprint.iacr.org, 2000]

188 Common belief: ciphers with linear feedback (LFSR, etc…) can be made secure using highly non-linear Boolean functions.

189 The Tale of “Good” Boolean Functions..

• “Good” Boolean functions
• “Good” S-boxes etc…

→ Prevent correlation and other classical attacks.

A “Good” Boolean function… There are other attacks!

190 Some Remarks! (no comments)
“We can strongly affirm that a very consequent theory of stream exists…”
“Block ciphers are not secure, one should use stream ciphers instead…”
“It is impossible to hide a trapdoor in a stream cipher…“

[Eric Filliol, Plaintext-Dependent Repetition Codes … the AES case, eprint.iacr.org, 2003]

191 The Tale of “Good” Boolean Functions..
Naïve belief that ciphers built out of such components would be secure. In fact this approach fails, sometimes quite miserably, to produce secure ciphers:
• Algebraic attacks on AES and Serpent [Courtois-Pieprzyk, AsiaCrypt 2002].
• Stream ciphers: much worse. [For some ciphers, there are no “good” Boolean functions!]

192 Popular stream ciphers: linear sequence generator (linear feedback) + a stateless combiner (non-linear filter).

Example: one/several LFSRs + a Boolean function.

193 Notations
• Initial key k ∈ GF(2)^n: n bits k0, k1, k2, …, kn-1
• The state s ∈ GF(2)^n: first s = k, then s = L(s), etc.. (linear feedback)
• Output bits: apply f to the state: b_i = f(L^i(k))
Given: some of the b_i. Find: the secret key k.

194 Direct Algebraic Attack
Approach: solve this system of equations. Extremely overdefined even for a moderate quantity of keystream, e.g. 20 Kbytes.

195 Example: Toyocrypt, n=128, d=63.

What if the degree d is too big?

1) Find a low-degree approximation – not today, see Nicolas Courtois: Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt, ICISC 2002 or eprint.iacr.org
2) Better attacks – today.

196 Problem: the degree is usually high… (even AFTER taking a lower-degree approximation)

As for HFE and the Rijndael S-box, consider multivariate relations instead of equations…

197 Solution (the same as usual): relations instead of equations… I/O equations = implicit equations.

Their degree turns out to be much lower!

198 Toyocrypt
One of the only two stream ciphers accepted to the second phase of CRYPTREC (for the Japanese government).

199 The design of Toyocrypt
• A bent function
• add s_127 to make it balanced.

200 Fact: Toyocrypt
There is a multivariate relation of degree 3 in the 128 key bits involving 1 consecutive output bit.

Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

201 LILI-128

One of the NESSIE candidates, claimed very secure, rejected

(all the other stream ciphers were rejected too!)

202 Fact: LILI-128
There is a multivariate relation of degree 4 in the 89 key bits involving 1 consecutive output bit.

Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

203 E0

The stream cipher used in the Bluetooth wireless interface.

204 Fact: E0
There is a multivariate relation of degree 4 in the 128 key bits involving 4 consecutive output bits.

Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.

205 So what?

One equation is enough to break all these!

Due to the
• recursive structure of the cipher,
• linear feedback (e.g. in LFSRs), which preserves the degree,
we may generate as many equations as we want.

206 So what?

One equation is enough to break all these!
• Given keystream bits -
• Using bits of memory -
• The secret key can be recovered in .
• Verified experimentally.
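The mechanism of slides 185 and 205, as an added worked example (my code, on a constructed toy generator; it is not Toyocrypt, LILI-128 or E0). A 10-bit LFSR is filtered by the degree-3 function f = s_A*s_B*s_C + s_D, the same shape as the Toyocrypt design on slide 199 (a non-linear part plus one linear tap for balance). Multiplying f by (s_A + 1) kills the cubic term, so one relation of degree 2 between state bits and the output bit exists; because the feedback is linear, every state bit is a linear form in the key bits, the relation keeps degree 2 after any number of clock steps, and one equation per keystream bit is obtained, linearised and solved by Gaussian elimination. The feedback polynomial, the taps and the key are assumptions of the demo.

```python
# Added example, not from the slides: the "one low-degree I/O relation is enough" attack on a
# toy filter generator. The LFSR, its feedback polynomial, the filter taps and the key are all
# constructed for the demo; nothing here is Toyocrypt, LILI-128 or E0.
from itertools import combinations

N = 10                            # LFSR length = key length (toy size, constructed)
A, B, C, D = 1, 4, 7, 9           # filter taps into the current N-bit state window
# recurrence s[j+10] = s[j] + s[j+3], i.e. feedback polynomial x^10 + x^3 + 1 (assumed primitive)

def keystream(key, nbits):
    """Filter generator: output f(state) = s_A*s_B*s_C + s_D, a balanced degree-3 filter."""
    s = list(key)
    out = []
    for i in range(nbits):
        w = s[i:i + N]
        out.append((w[A] & w[B] & w[C]) ^ w[D])
        s.append(s[i] ^ s[i + 3])
    return out

def state_forms(nbits):
    """s[j] as a linear form in the key bits (bitmask over k_0..k_{N-1}). Linear feedback keeps
    every state bit linear in the key: this is exactly what the attack exploits."""
    forms = [1 << j for j in range(N)]
    for j in range(N, nbits + N):
        forms.append(forms[j - N] ^ forms[j - N + 3])
    return forms

# Linearisation: column j (j < N) is the monomial k_j, the next C(N,2) columns are k_j*k_l,
# and the top bit carries the constant 1.
PAIR_COL = {p: N + t for t, p in enumerate(combinations(range(N), 2))}
NVARS = N + len(PAIR_COL)
CONST = 1 << NVARS

def product_row(fa, fb):
    """Linearised row of (linear form fa) * (linear form fb), using k_j^2 = k_j."""
    row = 0
    for j in range(N):
        if (fa >> j) & 1:
            for l in range(N):
                if (fb >> l) & 1:
                    row ^= (1 << j) if j == l else (1 << PAIR_COL[(min(j, l), max(j, l))])
    return row

def rref_gf2(rows):
    """Gaussian elimination over GF(2) on int bitmask rows; returns {pivot column: reduced row}."""
    pivots = {}
    for r in rows:
        for c, pr in pivots.items():
            if (r >> c) & 1:
                r ^= pr
        if r & (CONST - 1):
            c = (r & (CONST - 1)).bit_length() - 1
            for pc in pivots:
                if (pivots[pc] >> c) & 1:
                    pivots[pc] ^= r
            pivots[c] = r
        elif r:
            raise ValueError("inconsistent system (1 = 0)")
    return pivots

def algebraic_attack(bits):
    """(s_A + 1)*f = (s_A + 1)*s_D, so every keystream bit b_i gives the degree-2 equation
    (s_A + 1)*(s_D + b_i) = 0 in the key bits. Linearise, eliminate, read off the key."""
    forms = state_forms(len(bits))
    rows = []
    for i, b in enumerate(bits):
        fa, fd = forms[i + A], forms[i + D]
        row = product_row(fa, fd) ^ fd            # l_A*l_D + l_D
        if b:
            row ^= fa ^ CONST                     # + b_i*l_A + b_i
        rows.append(row)
    piv = rref_gf2(rows)
    if len(piv) < NVARS:                          # not enough independent equations yet
        return None, len(piv)
    key = [(piv[j] >> NVARS) & 1 for j in range(N)]   # pivot row j reads k_j + c = 0
    return key, len(piv)

KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]              # constructed secret key

if __name__ == "__main__":
    print(algebraic_attack(keystream(KEY, 150)))
```

With n = 10 the linearised system has 10 + 45 = 55 unknowns, so a few dozen more keystream bits than that already make it overdefined, which is the small-scale version of the "20 Kbytes" remark on slide 194; the direct approach on the same generator would instead have to linearise all monomials up to degree 3.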

207 Results

• Toyocrypt – Cryptrec submission → 2^49. Verified, works perfectly well in practice.
• LILI-128 – Nessie submission → 2^57 [Courtois, Meier, Eurocrypt 2003]

• E0 – Bluetooth keystream generator → 2^70 [Armknecht, Krause, Crypto 2003]

208 Can We Do Better?
If the keystream bits are consecutive: yes, much better!

Nicolas Courtois: “Fast Algebraic Attacks on Stream Ciphers with Linear Feedback”. Crypto 2003. Studied in more detail by Armknecht, and [Hawkes-Rose Crypto’04].

209 Improved Results

Gives the best attack known so far for 3 well-known stream ciphers:
• Toyocrypt – Cryptrec submission → 2^25
• LILI-128 – Nessie submission → 2^31
• E0 – Bluetooth keystream generator → 2^49

210 Broken at First Glance…
In 2005 Braeken, Lano, Mentens, Preneel and Verbauwhede invented a new stream cipher:
• SFINKS – ECRYPT submission → 2^71
Nicolas Courtois: Cryptanalysis of Sfinks. eprint.iacr.org/2005/243

Simply broken once you take the time to examine the (already known) algebraic attack – BUT one needs to run many computer simulations to determine if suitable equations exist; there is no theoretical method to predict the result...

211 Scary Algebraic Equations..
Goal: design an LFSR-based stream cipher with security 2^128.

Problem: how to make sure that there is no algebraic relation of size 2^100 that relates key bits and output bits?

Example: the linear complexity may be 2^100. I cannot check if relations exist...

212 Scary Algebraic Equations..
Problem: how to make sure that there is no algebraic relation of size 2^100?

The Crypto’03 paper clearly demonstrates that in MANY interesting cases you cannot be sure unless you can do about 2^100 computations.

Also works for linear complexity (many ciphers will be broken in a time being about the linear complexity). Murphy course: should be 2^40. Not enough!!! Many other relations may exist…

213 Conclusion – Stream Ciphers
Good Boolean functions are by far not enough to get secure ciphers. LFSR-based stream ciphers cannot claim security UNLESS they are PROVABLY secure against algebraic attacks. How? OPEN PROBLEM.

214 More on Stream Ciphers: linear sequence generator (linear feedback) + a combiner with memory, which may be key-dependent.

215 All Stream Ciphers Broken?
It depends what we mean by “BROKEN”…
• Fixed-size filter/combiner and a LFSR with n bits.
• Polynomial in n vs. non-polynomial in n.
• In this sense many of them are broken.

216 All Stream Ciphers Broken?
1. A LFSR + Boolean function (fixed number of inputs). → POLYNOMIAL.
Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

217 Stream Ciphers Broken in Poly…
2. A LFSR + Any Combiner with Memory → POLYNOMIAL.
• Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.
• Nicolas Courtois: Algebraic Attacks on Combiners with Memory and Several Outputs. ICISC’04, available on eprint.iacr.org/2003/125. Different proof of the same Theorem, greatly improving the result for combiners with several outputs.

218 More Ciphers Broken in Poly…
3. A LFSR + Secret or Key-Dependent Boolean Function. → POLYNOMIAL.
• - - work in progress - -
• Nicolas Courtois, Philip Hawkes: Fast Algebraic Attacks on Stream Ciphers and the Discrete Fourier Transform; Greg Rose, Philip Hawkes: Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers. In Crypto 2004.

219 More Ciphers Broken in P time…
4. A LFSR + Any Secret or Key-Dependent Combiner with Memory. Conjecture [Meier-Courtois 2003] → POLYNOMIAL.
• Nicolas Courtois, Philip Hawkes, Willi Meier: Algebraic Attacks on Stream Ciphers with Unknown or Key-Dependent Components. Work in progress… Not sure about the result…
