On the Interpolation Attacks on Block Ciphers 111


On the Interpolation Attacks on Block Ciphers

A.M. Youssef and G. Gong
Center for Applied Cryptographic Research
Department of Combinatorics and Optimization
University of Waterloo, Waterloo, ON N2L 3G1
{a2youssef, [email protected]}

B. Schneier (Ed.): FSE 2000, LNCS 1978, pp. 109-120, 2001. Springer-Verlag Berlin Heidelberg 2001

Abstract. The complexity of interpolation attacks on block ciphers depends on the degree of the polynomial approximation and/or on the number of terms in the polynomial approximation expression. In some situations, the round function or the S-boxes of the block cipher are expressed explicitly in terms of an algebraic function, yet on many other occasions the S-boxes are expressed in terms of their Boolean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-boxes or the round function using the Lagrange interpolation formula. A natural question is what effect the choice of the irreducible polynomial used to construct the finite field has on the degree of the resulting polynomial. Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-boxes (or the round function) such that the resulting polynomial has a lower degree or a smaller number of non-zero coefficients. In this paper we give an answer to these questions. We also present an explicit relation between the Lagrange interpolation formula and the Galois Field Fourier Transform.

Keywords: Block cipher, cryptanalysis, interpolation attack, finite fields, Galois Field Fourier Transform

1 Introduction

Gong and Golomb [7] introduced a new criterion for S-box design. Because many block ciphers can be viewed as a Non Linear Feedback Shift Register (NLFSR) with input, the S-boxes should not be approximated by a monomial. The reason is that the trace functions $Tr(X^d)$ and $Tr(X)$ have the same linear span. From the viewpoint of m-sequences [10], both of the sequences $\{Tr(\alpha^{id})\}_{i \ge 0}$ and $\{Tr(\alpha^{i})\}_{i \ge 0}$ are m-sequences of period $2^n - 1$. The former can be obtained from the latter by decimation $d$. Gong and Golomb showed that the distance of the DES S-boxes approximated by monomial functions has the same distribution as for the S-boxes approximated by linear functions.

In [3] Jakobsen and Knudsen introduced a new attack on block ciphers. This attack is useful for attacking ciphers using simple algebraic functions as S-boxes. The attack is based on the well-known Lagrange interpolation formula. Let $R$ be a field. Given $2n$ elements $x_1, \ldots, x_n, y_1, \ldots, y_n \in R$, where the $x_i$'s are distinct, define

$$f(x) = \sum_{i=1}^{n} y_i \prod_{1 \le j \le n,\ j \ne i} \frac{x - x_j}{x_i - x_j}. \qquad (1)$$

Then $f(x)$ is the only polynomial over $R$ of degree at most $n - 1$ such that $f(x_i) = y_i$ for $i = 1, \ldots, n$. The main result in [3] is that for an iterated block cipher with block size $m$, if the cipher-text is expressed as a polynomial with $n \le 2^m$ coefficients of the plain-text, then there exists an interpolation attack of time complexity $n$ requiring $n$ known plain-texts encrypted with a secret key $K$, which finds an algorithm equivalent to encryption (or decryption) with $K$. This attack can also be extended to a key recovery attack. In [4] Jakobsen extended this cryptanalysis method to attack block ciphers with a probabilistic nonlinear relation of low degree. Using recent results from coding theory (Sudan's algorithm for decoding Reed-Solomon codes beyond the error correction parameter [6]), Jakobsen showed how to break ciphers where the cipher-text is expressible as evaluations of an unknown univariate polynomial of low degree $m$ with a typically low probability $\nu$. The known plain-text attack requires $n = 2m/\nu^2$ plain-text/cipher-text pairs. In the same paper, Jakobsen also presented a second attack that needs access to $n = (2m/\nu)^2$ plain-text/cipher-text pairs, and its running time is polynomial in $n$.
It is clear that the complexity of such cryptanalytic attacks depends on the degree of the polynomial approximation or on the number of terms in the polynomial approximation expression. In some situations, the round function or the S-boxes of the block cipher are expressed explicitly in terms of an algebraic function (for example see [8]), yet on many other occasions the S-boxes are expressed in terms of their Boolean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-boxes or the round function using the Lagrange interpolation formula. A natural question is what effect the choice of the irreducible polynomial used to construct the finite field has on the degree of the resulting polynomial. Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-boxes (or the round function) such that the resulting polynomial has a lower degree or a smaller number of coefficients. In this paper we give an explicit answer to these questions.

To illustrate the idea, consider the binary mapping from $GF(2)^4$ to $GF(2)^4$ given in Table 1. If the Lagrange interpolation formula is applied over $GF(2^4)$, where $GF(2^4)$ is defined by the irreducible polynomial $X^4 + X^3 + 1$, then we have

$$F(X) = X + X^2 + 7X^3 + 15X^4 + 5X^5 + 14X^6 + 14X^8 + 2X^9 + 7X^{10} + 9X^{12}, \quad X \in GF(2^4).$$

However, if we use the irreducible polynomial $X^4 + X + 1$ to define $GF(2^4)$, then we have $F(X) = X^3$, $X \in GF(2^4)$, which is obviously a simpler description.

Table 1.

  x    | 0 | 1 | 2 |  3 |  4 |  5 | 6 | 7 |  8 |  9 | 10 | 11 | 12 | 13 | 14 | 15
  f(x) | 0 | 1 | 8 | 15 | 12 | 10 | 1 | 1 | 10 | 15 | 15 | 12 |  8 | 10 |  8 | 12

An interesting observation follows when applying the Lagrange interpolation formula to the DES S-boxes. In this case we consider the DES S-box output coordinates as a mapping from $GF(2^6)$ to $GF(2)$.
Let $f$ be the Boolean function resulting from XORing all the output coordinates of DES S-box number four. When we define $GF(2^6)$ using the irreducible polynomial $X^6 + X^5 + 1$, the polynomial resulting from applying the Lagrange interpolation formula to $f$ has only 39 nonzero coefficients. The Hamming weight of all the exponents corresponding to the nonzero coefficients was at most 3. It should be noted that the expected value of the number of nonzero coefficients for a randomly selected function over $GF(2^6)$ is 63. While this observation doesn't have a cryptanalytic significance, it shows the effect of changing the irreducible polynomial when trying to search for a polynomial representation of cipher functions.

2 Mathematical background and definitions

For a background about the general theory of finite fields, the reader is referred to [1], and for a background about finite fields of characteristic 2, the reader is referred to [2]. Most of the results in this paper can be extended in a straightforward way from $GF(2^n)$ to $GF(q^n)$. Throughout this paper, we use integer labels to represent finite field elements. I.e., for any element $X \in GF(2^n)$, $X = \sum_{i=0}^{n-1} x_{i+1} \alpha^i$, $x_i \in GF(2)$, where $\alpha$ is a root of the irreducible polynomial which defines $GF(2^n)$, we represent $X$ by $\sum_{i=0}^{n-1} x_{i+1} 2^i$ as an integer in the range $[0, 2^n - 1]$. The associated addition and multiplication operations of these labels are defined by the finite field structure and have no resemblance to modular integer arithmetic.

Definition 1. A polynomial having the special form

$$L(X) = \sum_{i=0}^{t} a_i X^{2^i} \qquad (2)$$

with coefficients $a_i$ from $GF(2^n)$ is called a linearized polynomial over $GF(2^n)$.

Definition 2. A cyclotomic coset mod $N$ that contains an integer $s$ is the set

$$C_s = \{s, sq, \ldots, sq^{m-1}\} \pmod N \qquad (3)$$

where $m$ is the smallest positive integer such that $sq^m \equiv s \pmod N$.

Lemma 3. Let $A$ be a linear mapping over $GF(2^n)$. Then $A(X)$, $X \in GF(2^n)$, can be expressed in terms of a linearized polynomial over $GF(2^n)$. I.e., we can express $A(X)$ as

$$A(X) = \sum_{i=0}^{n-1} a_i X^{2^i} \qquad (4)$$

Lemma 4. Let $\beta_1, \beta_2, \ldots, \beta_t$ be elements in $GF(2^n)$. Then

$$(\beta_1 + \beta_2 + \cdots + \beta_t)^{2^k} = \beta_1^{2^k} + \beta_2^{2^k} + \cdots + \beta_t^{2^k} \qquad (5)$$

Lemma 5.
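The two descriptions of the Table 1 mapping from the introduction can be reproduced by implementing formula (1) over $GF(2^4)$ with the integer labelling of Section 2. The following Python code is an added example, not code from the paper; the names gf_mul, gf_inv, lagrange_interpolate, nonzero_terms and evaluate are this example's own, and the irreducible polynomials are passed as bit masks (0b10011 for $X^4 + X + 1$, 0b11001 for $X^4 + X^3 + 1$).

```python
N = 4
ORDER = 1 << N          # GF(2^4): 16 elements, integer labels as in Section 2
TABLE1 = [0, 1, 8, 15, 12, 10, 1, 1, 10, 15, 15, 12, 8, 10, 8, 12]  # Table 1: f(x), x = 0..15
POLY_X4_X_1 = 0b10011   # X^4 + X + 1
POLY_X4_X3_1 = 0b11001  # X^4 + X^3 + 1

def gf_mul(a, b, modulus):
    """Multiply two integer-labelled field elements modulo the irreducible polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:   # degree reached N: reduce by the modulus
            a ^= modulus
    return r

def gf_inv(a, modulus):
    # Inverse of a non-zero element by exhaustive search (only 15 candidates in GF(2^4)).
    return next(z for z in range(1, ORDER) if gf_mul(a, z, modulus) == 1)

def lagrange_interpolate(table, modulus):
    """Coefficients c with F(X) = sum_k c[k] X^k and F(x) = table[x] for all x (formula (1))."""
    coeffs = [0] * ORDER
    for i, y in enumerate(table):
        num, denom = [1], 1   # prod_{j!=i}(X + x_j) and prod_{j!=i}(x_i + x_j), with x_j = j
        for j in (j for j in range(ORDER) if j != i):
            new = [0] * (len(num) + 1)   # num *= (X + j); subtraction is XOR in char 2
            for k, c in enumerate(num):
                new[k + 1] ^= c
                new[k] ^= gf_mul(c, j, modulus)
            num, denom = new, gf_mul(denom, i ^ j, modulus)
        scale = gf_mul(y, gf_inv(denom, modulus), modulus)   # y_i / prod_{j!=i}(x_i + x_j)
        for k, c in enumerate(num):
            coeffs[k] ^= gf_mul(c, scale, modulus)
    return coeffs

def nonzero_terms(coeffs):
    """{exponent: coefficient} for the non-zero terms; {3: 1} means F(X) = X^3."""
    return {k: c for k, c in enumerate(coeffs) if c}

def evaluate(coeffs, x, modulus):
    """Horner evaluation of F(x), used to confirm the interpolation round-trips."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x, modulus) ^ c
    return r
```

Calling nonzero_terms(lagrange_interpolate(TABLE1, POLY_X4_X_1)) gives {3: 1}, i.e. $F(X) = X^3$, while the same call with POLY_X4_X3_1 gives the ten-term polynomial quoted in the introduction.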
