September 28, 2016 @ASK2016
Nonlinear Invariant Attack
NTT Secure Platform Laboratories and Kobe University Yosuke Todo
Copyright©2016 NTT corp. All Rights Reserved. Overview.
• Joint work with Gregor Leander and Yu Sasaki. • New type of cryptanalyses. ‐ This attack works on the weak-key setting. • Surprising practical extensions. ‐ Ciphertext-only message recovery attack!! • Good applications. ‐ Scream, iScream, and Midori64.
Copyright©2016 NTT corp. All Rights Reserved. 2 Summary of results.
Distinguishing attack under known-plaintext setting. Target # of weak keys Data complexity. Distinguishing probability. SCREAM 296 iSCREAM 296 푘 1 − 21−푘 Midori64 264 The distinguishing attack incidentally recovers 1 bit of secret key. Message-recovery attack under ciphertext-only setting. Target # of weak keys Maximum # of Data Time recovered bits. complexity. complexity. SCREAM 296 32 bits 33 ciphertexts 323 = 215 iSCREAM 296 32 bits 33 ciphertexts 323 = 215 Midori64-CTR 264 32h bits 33h ciphertexts 323ℎ = 215ℎ ℎ is the number of blocks in the mode of operations.
Copyright©2016 NTT corp. All Rights Reserved. 3 Outline
1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM.
Copyright©2016 NTT corp. All Rights Reserved. 4 Two streams join in new attacks.
Linear attack [Matsui 1993]
Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011]
Nonlinear invariant attack [Todo, Gregor, Yu 2016]
Copyright©2016 NTT corp. All Rights Reserved. 5 Stream from linear attacks.
Linear attack [Matsui 1993]
Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011]
Nonlinear invariant attack [Todo, Gregor, Yu 2016]
Copyright©2016 NTT corp. All Rights Reserved. 6 Linear attack [Matsui 93].
Key-alternating structure.
푘푖
푥푖 F 푥푖+1
푓푖 푥푖 ⊕ 푓푖+1 푥푖+1 ≈ const 푓푖 푥푖 holds with high probability. 푓푖+1 푥푖+1
next-round
푓푖 and 푓푖+1 are linearly Boolean functions.
Copyright©2016 NTT corp. All Rights Reserved. 7 Nonlinear attack [Harpes et al.95].
Key-alternating structure.
푘푖
푥푖 F 푥푖+1
푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 ≈ const 푔푖 푥푖 holds with high probability. 푔푖+1 푥푖+1
next-round
푔푖 and 푔푖+1 are nonlinearly Boolean functions.
Copyright©2016 NTT corp. All Rights Reserved. 8 Insurmountable problem.
Key-alternating structure.
푘푖
푥푖 F 푥푖+1
• The actual propagation of nonlinear mask depends on the specific value of the state. • Therefore, we cannot join nonlinear masks for two rounds.
Copyright©2016 NTT corp. All Rights Reserved. 9 Nonlinear invariant attack.
Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖
푥푖 F 푥푖+1
푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1
next-round
푔푖 and 푔푖+1 are nonlinearly Boolean functions.
Copyright©2016 NTT corp. All Rights Reserved. 10 Stream from invariant subspace attacks.
Linear attack [Matsui 1993]
Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011]
Nonlinear invariant attack [Todo, Gregor, Yu 2016]
Copyright©2016 NTT corp. All Rights Reserved. 11 Invariant subspace attacks
Key-alternating structure. weak keys. 푘푖
푥푖 F 푥푖+1
key-add F
U+a U+a
U+b
next-round Copyright©2016 NTT corp. All Rights Reserved. 12 Nonlinear invarinat attack.
Key-alternating structure. weak keys. 푘푖
푥푖 F 푥푖+1
key-add F
푔0 푔0 푔0
푔1 푔1 푔1
next-round Copyright©2016 NTT corp. All Rights Reserved. 13 Nonlinear invarinat attack.
Key-alternating structure. weak keys. 푘푖
푥푖 F 푥푖+1
key-add F
푔0 푔0 푔0
푔1 푔1 푔1
next-round Copyright©2016 NTT corp. All Rights Reserved. 14 Distinguishing attack.
• If the block cipher has the nonlinear invariant, we can easily distinguish from ideal ciphers.
1. Collect 푘 known plaintexts (푝푖, 푐푖).
2. Compute 푔푝 푝푖 ⊕ 푔푐(푐푖) for 푘 pair. Then 푘 XORs are always the same. The probability that ideal ciphers have this property is 2−푘+1. • At most one bit of information leaks from 푔푝 푝푖 ⊕ 푔푐(푐푖).
Copyright©2016 NTT corp. All Rights Reserved. 15 Outline
1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM.
Copyright©2016 NTT corp. All Rights Reserved. 16 Practical attacks. strong Chosen-plaintext attacks (CPA) is natural assumption for cryptographers.
is debatable in practical case. Assumption. Known-plaintext attacks (KPA) is very weak assumption for cryptographers.
sometimes holds in practical case.
Ciphertext-only attacks (COA) is unlikely to happen for cryptographers. is information-theoretically impossible w/o assumptions. causes non-negligible risks in practical use if possible. weak
Copyright©2016 NTT corp. All Rights Reserved. 17 Our attack assumptions.
• Attackers can collect multiple ciphertext blocks whose original message is the same but the IV is different. • Then, we can recover the part of message.
퐸 푘,퐼푉1 Ciphertext block
퐸푘,퐼푉2
Plaintext 퐸푘,퐼푉3 Ciphertext block block
Ciphertext block
Copyright©2016 NTT corp. All Rights Reserved. 18 Is this assumption practical?
• It’s very difficult questions because it depends on applications. • We believe it’s more practical than KPA. • Example of vulnerable application. ‐ Application sometimes sends the ciphertext of a password for the authentication. And, attackers know the behavior of the application.
Copyright©2016 NTT corp. All Rights Reserved. 19 CBC mode.
P1 P2 P3 Ph
IV (C0)
EK EK EK EK
C1 C2 C3 Ch
If Ek has nonlinear invariants, 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 = const
Copyright©2016 NTT corp. All Rights Reserved. 20 Message-recovery attacks.
• Attackers know IV and ciphertexts, and 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 is always constant. • We collect multiple (퐶푖−1, 퐶푖) whose corresponding 푃푖 is the same. • By guessing 푃푖, we can recover it only from ciphertexts. ‐ Bits of 푃푖 that involve the nonlinear term of the function 푔 can be recovered. ‐ Practically, the time complexity to recover 푡 bits 3 of 푃푖 is at most 푡 .
Copyright©2016 NTT corp. All Rights Reserved. 21 Outline
1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM.
Copyright©2016 NTT corp. All Rights Reserved. 22 Nonlinear invariant attack.
Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖
푥푖 F 푥푖+1
푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1
next-round We have to search for nonlinear invariants that hold in arbitrary number of rounds.
Copyright©2016 NTT corp. All Rights Reserved. 23 Nonlinear invariant attack.
Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖
푥푖 F 푥푖+1
푔 푥푖 ⊕ 푔 푥푖+1 = const 푔 푥푖 with probability one. 푔 푥푖+1
next-round
The property tribially holds if 푔푖 = 푔푖+1.
Copyright©2016 NTT corp. All Rights Reserved. 24 Searching for nonlinear invariants.
• Assume that KSP-type round function.
S
S L S
S
Copyright©2016 NTT corp. All Rights Reserved. 25 Nonlinear invariants for S-box.
푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S
푥4 S
• Because the bit size of S-boxes is generally small, it’s not difficult to find nonlinear invariant for S-boxes.
Copyright©2016 NTT corp. All Rights Reserved. 26 Example.
• Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 8 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 ⊕ 1.
• Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 4 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 .
Copyright©2016 NTT corp. All Rights Reserved. 27 Nonlinear invariant for S-box layer.
푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S
• If the function 푔푖 is nonlinear invariant for the 𝑖th S-box, the function 푖∈Λ 푔푖(푥푖) becomes nonlinear invariant for the S-box layer for any set Λ.
Copyright©2016 NTT corp. All Rights Reserved. 28 Nonlinear invariants for key XORing.
푥1 S 푔 푥 ⊕ 푔 푥 ⊕ 푘 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S
• If “1s” in 푘 are involved in only linear term of the function 푔, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘). • 푔 푥 ⊕ 푔 푥 ⊕ 푘 = 푔 푘 = cons.
Copyright©2016 NTT corp. All Rights Reserved. 29 Example.
• Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 If 푘1 = 푘2 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘)
• Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 If 푘2 = 푘3 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘)
Copyright©2016 NTT corp. All Rights Reserved. 30
Nonlinear invariant for linear layer.
푥1 S 푔 푥 ⊕ 푔 퐿 푥 = cons
푥2 S 푛 L 푥3 S 푔 푥 = 푔푖(푥푖) 푖=1 푥4 S
• If the linear function is binary orthogonal and there is a quadratic invariant for the S-box, 푛 푔푖=1(푥푖) is nonlinear invariant for the linear layer.
Copyright©2016 NTT corp. All Rights Reserved. 31 Why binary orthogonal is weak?
• Let 푥 푖 be the bit-string by concatenating 𝑖th input of all S-boxes. Then, the quadratic invariant is represented as 푛 푚 푚 ⊕푖=1 푔푖 푥푖 =⊕푖=1⊕푗=1 훾푖,푗〈푥 푖, 푥 푗〉
Linear 푥 푖
S
-
box
푥푖 Copyright©2016 NTT corp. All Rights Reserved. 32 Why binary orthogonal is weak?
• Let 푥 푖 be the bit-string by concatenating 𝑖th input of all S-boxes. Then, the quadratic invariant is represented as 푛 푔 푥 =⊕푖=1 푔푖 푥푖 푚 푚 =⊕푖=1⊕푗=1 훾푖,푗〈푥 푖, 푥 푗〉 • Let 푀 be the binary orthogonal matrix, and 푚 푚 푔 퐿(푥) =⊕푖=1⊕푗=1 훾푖,푗 푀푥 푖, 푀푥 푗 푚 푚 =⊕푖=1⊕푗=1 훾푖,푗〈푥 푖, 푥 푗〉 푛 =⊕푖=1 푔푖 푥푖
Copyright©2016 NTT corp. All Rights Reserved. 33 Outline
1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM.
Copyright©2016 NTT corp. All Rights Reserved. 34 SCREAM.
• AE proposed for CAESAR. • LS-design with an orthogonal matrix. • The secret key is directly used as round keys.
• The round constant is XORed with only 푥 0.
Linear 푥 0
S
-
box
푥0 Copyright©2016 NTT corp. All Rights Reserved. 35 Nonlinear invariant of SCREAM.
• Nonlinear invariant for Scream. 푔 푥 = 〈푥 1, 푥 2〉 ⊕ |푥 0| ⊕ |푥 2| ⊕ |푥 5| • Since 푥 0 is linearly affected by the function 푔, the distributive law holds for addConst. ‐ 푔 푥 ⊕ 푟푐 = 푔 푥 ⊕ 푔(푟푐) .
• If 푘 1 and 푘 2 of the secret key are zero (weak keys), the distributive law holds for addRK. ‐ 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘) .
Copyright©2016 NTT corp. All Rights Reserved. 36
Application to SCREAM AE.
• SCREAM authenticated encryption.
P0 P1 Pm -2 Pm -1
T0 E K T1 E K Tm -2 E K Tm -1 E K
C0 C1 Cm -2 Pm -1
Cm -1
Copyright©2016 NTT corp. All Rights Reserved. 37 Application to SCREAM AE.
• SCREAM authenticated encryption.
P0 P1 Pm -2 Pm -1
T0 E K T1 E K Tm -2 E K Tm -1 E K
C0 C1 Cm -2 Pm -1
Cm -1
푔 |푃푚−1| ⊕ 푔 푃푚−1 ⊕ 퐶푚−1 = const known guess known
Copyright©2016 NTT corp. All Rights Reserved. 38 Summary of results.
Distinguishing attack under known-plaintext setting. Target # of weak keys Data complexity. Distinguishing probability. SCREAM 296 iSCREAM 296 푘 1 − 21−푘 Midori64 264 Message-recover attack under ciphertext-only setting. Target # of weak keys Maximum # of Data Time recovered bits. complexity. complexity. SCREAM 296 32 bits 33 ciphertexts 323 = 215 iSCREAM 296 32 bits 33 ciphertexts 323 = 215 Midori64-CTR 264 32h bits 33h ciphertexts 323ℎ = 215ℎ ℎ is the number of blocks in the mode of operations.
Copyright©2016 NTT corp. All Rights Reserved. 39 Conclusion.
• Proposal of nonlinear invariant attack. • Method to find nonlinear invariants. • Nonlinear invariant attack on Scream, iScream, and Midori64. ‐ We can recover the 32bits of message in the last block on SCREAM (iSCREAM) AEs. ‐ We can recover the 32bits of message in every block on CBC, CTR, CFB, OFB modes.
Copyright©2016 NTT corp. All Rights Reserved. 40