Facolta` di Scienze Matematiche Fisiche e Naturali Graduation Thesis in Mathematics Synthesis Fast Algebraic Cryptanalysis in Finite Fields of Higher Order with the Cube Attack Candidate: Supervisor: Marco Vargiu Prof. Marco Pedicini 406875 Academic year: 2011/2012 MSC AMS: 94A60; 12Y05; 13P10; 68W30; 68P30. KEYWORDS: Communication technology, Computational security, Efficient exhaustive search, Differential cryptanalysis. Synthesis On the last decades, fast evolving communication technologies have impacted the daily life of practically every person on Earth. The communication infras- tructure is a fundamental part to the global economy and will play an even more vital role for most aspects of global progress in the decades to come. The rapid development of computers, electronic transmission of information, online finance transaction, and the increasing military and diplomatic com- munications have heavily contributed to the development of cryptography by cipher-design community. Cryptography is the science of keeping secrets secret. Assume a sender, referred to as Alice, wants to send a message m to a receiver, referred to as Bob. She uses an inse- cure channel. It could be a telephone line or a computer network, for ex- ample. The message could be inter- Fig. 0.1. Alice, Bob and Eve scheme. cepted and read by an eavesdropper, see Figure 0.1. Or, even worse, the adversary, referred to as Eve, might be able to modify the message during transmission in such a way that the legitimate recipient Bob does not detect the manipulation. The message to be transmitted is called the plaintext, it can be some text, numerical data or other kind of information and its structure 4 is completely arbitrary. After encrypting the plaintext m, Alice obtains the resulting ciphertext c which is then transmitted to Bob over the channel. Bob can turn the ciphertext back into the plaintext by decryption. These ideas are described formally using the following mathematical no- tation presented in Chapter 1. For a more detailed description we refer to [DK07, Sti06, Jou09]. Definition 1 A cryptosystem is a five-tuple (P; C; K; E; D), where the follow- ing condition are satisfied: i) P is a finite set of possible plaintext; ii) C is a finite set of possible ciphertext; iii) K is a finite set of possible keys; iv) For each K 2 K, there is an encryption rule eK 2 E and a corresponding decryption rule dK 2 D. Each eK : P −! C and dK : C −! P are functions such that dK (eK (x)) = x for every plaintext element x 2 P. Typically, one has to transmit a message which consists of a finite string of symbols which are elements of some finite alphabet. In almost any crypto- graphic algorithm, this leads to the use of arithmetic in finite mathematical structures, such as finite multiplicative groups, rings, and finite fields. For instance let us consider the following widely used cryptosystems: − RC4 has no mathematical structure, it is based on permutations of order 256; − RSA is based on integer arithmetics; − AES is based on arithmetics on finite fields. Finite fields can be considered as a superset of operations of rings and multiplicative groups: multiplicative groups have only one defined operation, rings do not have multiplicative inverses defined for any element, whereas fi- nite fields feature addition-subtraction, multiplication-division and both mul- tiplicative and additive inversion operations. The basic arithmetic operations k in finite fields, Fq, where q = p , and p is a prime integer, are often used in many cryptographic algorithms as Diffie-Hellman key exchange algorithm 5 based on discrete logarithm, elliptic curve cryptography and so on. More inter- estingly, the elements of an extension field can be represented as polynomials of degree of at most k − 1 where the coefficients of the polynomial are in the base field Fq. Note that the arithmetic extension field Fq is usually performed as a regular polynomial arithmetic. The most important operation is polyno- mial multiplication and reduction by the irreducible of degree k used to define the extension field. Using sparse irreducible polynomials is a preferred method to increase the efficiency of the reduction phase of the multiplication in Fq. Chapter 2 deeply describe these notions together with those of probability and computational theory which are very useful throughout this thesis. The aforementioned analogies between cryptography and algebraic tools made the study of efficient algorithms for general extension field arithmetic a popular research area. The practical advantage of polynomials over finite fields comes to be very useful in cryptography. In fact, almost any cryptographic primitive can be described by polynomials over a finite field of characteristic q, Fq, which are, at some extent, tweakable polynomials (i.e., that can be manipulated by the attacker) containing secret and public variables (e.g., key bits in the first case, plaintext or IV bits in the second one). What Eve wants to do is to find out the plaintext or part of it from the ciphertext without knowing the secret key as well as substitute parts of the original message, forge digital signatures or find the secret key. So we can say that cryptanalysis is the science of studying attacks against cryptographic schemes. There are several attacks depending on the resources of the adversary. For example Eve might be the operator of a bank computer and she can see incoming ciphertext and the corresponding plaintext and vice versa. So the attacks can be so classified: i) Ciphertext-only attack. Eve can only obtain ciphertexts. ii) Known-plaintext attack. Eve can obtain plaintext-ciphertext pairs. iii) Chosen-plaintext attack. Eve can obtain ciphertexts for plaintexts of her choosing. 6 iv) Chosen-ciphertext attack. Eve can obtain plaintexts for ciphertexts of her choosing. v) Brute force attack. Eve can try all possible values for the key to recover until the correct one is found. vi) Algebraic attack. Algebraic cryptanalysis consists of two steps. First, Eve must convert the cipher into a system of polynomial equations. Second one, she must solve the system of equations and obtain from the solution the secret key of the cipher or part of the plaintext. Among the great set of algebraic attacks, in September 2008 Itai Dinur and Adi Shamir, in their paper \Cube attacks on tweakable black box polynomials", [DS09], introduced the Cube Attacks which is object of great study over this thesis (Chapter 3). Cube Attack has similarities with a technique called \Algebraic IV Dif- ferential Attack" (AIDA), published in 2007 by Michael Vielhaber. Con- trarily to AIDA technique directed only to the analysis of Trivium cipher, Cube Attacks can be applied to any kind of cryptosystem which can be de- scribed by random looking polynomial of degree d and with n + m variables: p(v1; : : : ; vm; x1; : : : ; xn), where • v1; : : : ; vm are the public variables (i.e., plaintext or IV bits) • x1; : : : ; xn are the secret variables which contain the key bits. Since we deal with dense polynomial of relatively high degree, their explicit representations are extremely complex, and thus we assume that they are provided only implicitly as \black boxes" which can be queried. Therefore, Cube Attacks recover a secret key through queries to a black box polynomial (see Fig 0.2) with tweakable public variables, followed Fig. 0.2. A Blackbox, or Enciphering by solving a linear system of equa- function. tions in the secret key variables. Moreover, no knowledge of the cryp- tosystem is necessary to the Cube Attack to be successful. 7 The solution consists of two phases. During the preprocessing phase, the attacker is allowed to set the values of all the variables (v1; : : : ; vm; x1; : : : ; xn) and use the blackbox in order to evaluate the corresponding output bit of p: This corresponds to the usual cryptanalytic setting in which the attacker can study the cryptosystem by running it with various keys and plaintexts. In this phase we want to find enough monomials tI (made of only public variables) such that p = tI · pS(I) + qI , where pS(I) is called the superpoly of tI in p. The goal of the preprocessing phase is to choose those public variables in which pS(I) is a linear non-constant polynomial. When enough of such linear polynomials are found we have recovered the resulting linear system. During the online phase, the n secret variables are set to unknown val- ues, and the attacker is allowed to set the values of the m public variables (v1; : : : ; vm) to any desired values and to evaluate p on the combined output. In the middle of the chapter we describe the generalization of the attack k over the field Fq, where q = p for some p. This is a very useful notion because in this way we could apply Cube Attacks to those cryptosystem based on polynomials over finite field of higher order too. Finally, in Section 3:6, we have presented a new variant of the Cube Attack called Dynamic Cube Attack, [DS10], published at the end of 2010. Dynamic Cube Attacks allow us to directly derive information on the secret key without solving any algebraic equations. The drawback of Dynamic Cube Attack, compared to standard Cube At- tack, is that it requires a more complex analysis of the internal structure of the cipher. Cube Attack was tested to the analysis of Trivium stream cipher. How- ever, the best result on Trivium is a Cube Attack on a reduced version of 767 initialization rounds instead of 1152. For what concerns Dynamic Cube Attack, it was tested on the analysis of Grain-128. In this case the attack managed to recover the full 128-bit key (but only when it belongs to a large set subset of 210 possible keys) on the full version of Grain with a complexity which is faster than exhaustive search.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-