Nonlinear Invariant Attack

September 28, 2016 @ASK2016

NTT Secure Platform Laboratories and Kobe University Yosuke Todo

• Joint work with Gregor Leander and Yu Sasaki. • New type of cryptanalyses. ‐ This attack works on the weak-key setting. • Surprising practical extensions. ‐ Ciphertext-only message recovery attack!! • Good applications. ‐ Scream, iScream, and Midori64.

Distinguishing attack under known-plaintext setting. Target # of weak keys Data complexity. Distinguishing probability. SCREAM 296 iSCREAM 296 푘 1 − 21−푘 Midori64 264 The distinguishing attack incidentally recovers 1 bit of secret key. Message-recovery attack under ciphertext-only setting. Target # of weak keys Maximum # of Data Time recovered bits. complexity. complexity. SCREAM 296 32 bits 33 ciphertexts 323 = 215 iSCREAM 296 32 bits 33 ciphertexts 323 = 215 Midori64-CTR 264 32h bits 33h ciphertexts 323ℎ = 215ℎ ℎ is the number of blocks in the mode of operations.

1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM.

Linear attack [Matsui 1993]

Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011]

Nonlinear invariant attack [Todo, Gregor, Yu 2016]

Linear attack [Matsui 1993]

Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011]

Nonlinear invariant attack [Todo, Gregor, Yu 2016]

Key-alternating structure.

푘푖

푥푖 F 푥푖+1

푓푖 푥푖 ⊕ 푓푖+1 푥푖+1 ≈ const 푓푖 푥푖 holds with high probability. 푓푖+1 푥푖+1

next-round

푓푖 and 푓푖+1 are linearly Boolean functions.

Key-alternating structure.

푘푖

푥푖 F 푥푖+1

푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 ≈ const 푔푖 푥푖 holds with high probability. 푔푖+1 푥푖+1

next-round

푔푖 and 푔푖+1 are nonlinearly Boolean functions.

Key-alternating structure.

푘푖

푥푖 F 푥푖+1

• The actual propagation of nonlinear mask depends on the specific value of the state. • Therefore, we cannot join nonlinear masks for two rounds.

Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖

푥푖 F 푥푖+1

푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1

next-round

푔푖 and 푔푖+1 are nonlinearly Boolean functions.

Linear attack [Matsui 1993]

Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011]

Nonlinear invariant attack [Todo, Gregor, Yu 2016]

Key-alternating structure. weak keys. 푘푖

푥푖 F 푥푖+1

key-add F

U+a U+a

U+b

Key-alternating structure. weak keys. 푘푖

푥푖 F 푥푖+1

key-add F

푔0 푔0 푔0

푔1 푔1 푔1

Key-alternating structure. weak keys. 푘푖

푥푖 F 푥푖+1

key-add F

푔0 푔0 푔0

푔1 푔1 푔1

• If the block cipher has the nonlinear invariant, we can easily distinguish from ideal ciphers.

1. Collect 푘 known plaintexts (푝푖, 푐푖).

2. Compute 푔푝 푝푖 ⊕ 푔푐(푐푖) for 푘 pair. Then 푘 XORs are always the same. The probability that ideal ciphers have this property is 2−푘+1. • At most one bit of information leaks from 푔푝 푝푖 ⊕ 푔푐(푐푖).

 is debatable in practical case. Assumption. Known-plaintext attacks (KPA)  is very weak assumption for cryptographers.

 sometimes holds in practical case.

Ciphertext-only attacks (COA)  is unlikely to happen for cryptographers.  is information-theoretically impossible w/o assumptions.  causes non-negligible risks in practical use if possible. weak

• Attackers can collect multiple ciphertext blocks whose original message is the same but the IV is different. • Then, we can recover the part of message.

퐸 푘,퐼푉1 Ciphertext block

퐸푘,퐼푉2

Plaintext 퐸푘,퐼푉3 Ciphertext block block

Ciphertext block

• It’s very difficult questions because it depends on applications. • We believe it’s more practical than KPA. • Example of vulnerable application. ‐ Application sometimes sends the ciphertext of a password for the authentication. And, attackers know the behavior of the application.

P1 P2 P3 Ph

IV (C0)

EK EK EK EK

C1 C2 C3 Ch

If Ek has nonlinear invariants, 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 = const

• Attackers know IV and ciphertexts, and 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 is always constant. • We collect multiple (퐶푖−1, 퐶푖) whose corresponding 푃푖 is the same. • By guessing 푃푖, we can recover it only from ciphertexts. ‐ Bits of 푃푖 that involve the nonlinear term of the function 푔 can be recovered. ‐ Practically, the time complexity to recover 푡 bits 3 of 푃푖 is at most 푡 .

Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖

푥푖 F 푥푖+1

푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1

next-round We have to search for nonlinear invariants that hold in arbitrary number of rounds.

Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖

푥푖 F 푥푖+1

푔 푥푖 ⊕ 푔 푥푖+1 = const 푔 푥푖 with probability one. 푔 푥푖+1

next-round

The property tribially holds if 푔푖 = 푔푖+1.

• Assume that KSP-type round function.

S L S

푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S

푥4 S

• Because the bit size of S-boxes is generally small, it’s not difficult to find nonlinear invariant for S-boxes.

• Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 8 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 ⊕ 1.

• Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 4 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 .

푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S

• If the function 푔푖 is nonlinear invariant for the 𝑖th S-box, the function 푖∈Λ 푔푖(푥푖) becomes nonlinear invariant for the S-box layer for any set Λ.

푥1 S 푔 푥 ⊕ 푔 푥 ⊕ 푘 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S

• If “1s” in 푘 are involved in only linear term of the function 푔, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘). • 푔 푥 ⊕ 푔 푥 ⊕ 푘 = 푔 푘 = cons.

• Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 If 푘1 = 푘2 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘)

• Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 If 푘2 = 푘3 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘)

Nonlinear invariant for linear layer.

푥1 S 푔 푥 ⊕ 푔 퐿 푥 = cons

푥2 S 푛 L 푥3 S 푔 푥 = 푔푖(푥푖) 푖=1 푥4 S

• If the linear function is binary orthogonal and there is a quadratic invariant for the S-box, 푛 푔푖=1(푥푖) is nonlinear invariant for the linear layer.

• Let 푥 푖 be the bit-string by concatenating 𝑖th input of all S-boxes. Then, the quadratic invariant is represented as 푛 푚 푚 ⊕푖=1 푔푖 푥푖 =⊕푖=1⊕푗=1 훾푖,푗〈푥 푖, 푥 푗〉

Linear 푥 푖

box

• Let 푥 푖 be the bit-string by concatenating 𝑖th input of all S-boxes. Then, the quadratic invariant is represented as 푛 푔 푥 =⊕푖=1 푔푖 푥푖 푚 푚 =⊕푖=1⊕푗=1 훾푖,푗〈푥 푖, 푥 푗〉 • Let 푀 be the binary orthogonal matrix, and 푚 푚 푔 퐿(푥) =⊕푖=1⊕푗=1 훾푖,푗 푀푥 푖, 푀푥 푗 푚 푚 =⊕푖=1⊕푗=1 훾푖,푗〈푥 푖, 푥 푗〉 푛 =⊕푖=1 푔푖 푥푖

• AE proposed for CAESAR. • LS-design with an orthogonal matrix. • The secret key is directly used as round keys.

• The round constant is XORed with only 푥 0.

Linear 푥 0

box

• Nonlinear invariant for Scream. 푔 푥 = 〈푥 1, 푥 2〉 ⊕ |푥 0| ⊕ |푥 2| ⊕ |푥 5| • Since 푥 0 is linearly affected by the function 푔, the distributive law holds for addConst. ‐ 푔 푥 ⊕ 푟푐 = 푔 푥 ⊕ 푔(푟푐) .

• If 푘 1 and 푘 2 of the secret key are zero (weak keys), the distributive law holds for addRK. ‐ 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘) .

Application to SCREAM AE.

• SCREAM authenticated encryption.

P0 P1 Pm -2 Pm -1

T0 E K T1 E K Tm -2 E K Tm -1 E K

C0 C1 Cm -2 Pm -1

Cm -1

• SCREAM authenticated encryption.

P0 P1 Pm -2 Pm -1

T0 E K T1 E K Tm -2 E K Tm -1 E K

C0 C1 Cm -2 Pm -1

Cm -1

푔 |푃푚−1| ⊕ 푔 푃푚−1 ⊕ 퐶푚−1 = const known guess known

Distinguishing attack under known-plaintext setting. Target # of weak keys Data complexity. Distinguishing probability. SCREAM 296 iSCREAM 296 푘 1 − 21−푘 Midori64 264 Message-recover attack under ciphertext-only setting. Target # of weak keys Maximum # of Data Time recovered bits. complexity. complexity. SCREAM 296 32 bits 33 ciphertexts 323 = 215 iSCREAM 296 32 bits 33 ciphertexts 323 = 215 Midori64-CTR 264 32h bits 33h ciphertexts 323ℎ = 215ℎ ℎ is the number of blocks in the mode of operations.

• Proposal of nonlinear invariant attack. • Method to find nonlinear invariants. • Nonlinear invariant attack on Scream, iScream, and Midori64. ‐ We can recover the 32bits of message in the last block on SCREAM (iSCREAM) AEs. ‐ We can recover the 32bits of message in every block on CBC, CTR, CFB, OFB modes.