“Algebraic” Attacks vs. Design of Block and Stream Ciphers Nicolas T. Courtois - University College London A New Frontier in Symmetric Cryptanalysis Modern Symmetric Cryptanalysis: number of ciphers “broken w.r.t. claims”: O(effort). number of ciphers “broken in practice”: o(effort). DES, AES etc: never really broken etc.. 2 Courtois, Indocrypt 2008 A New Frontier in Symmetric Cryptanalysis 2 Small Remarks Winston Churchill used to say: “the truth is so precious that she should always be attended by a bodyguard of lies” Cryptanalysis is not very popular, nb. of papers at major crypto conferences decreased each year… for some reason… in the last 15 years. 3 Courtois, Indocrypt 2008 Alternative Title: A New Frontier in Symmetric Cryptanalysis? (e.g. low-data complexity attacks) Algebraic Attacks on Block, Stream Ciphers 0. Intro… 5 2001-2015 Algebraic Attacks on Block, Stream Ciphers Instead of a Summary • How to design secure ciphers ? Nobody knows, a complex question. Remark: There exist provably secure stream ciphers:QUAD, NO good candidates for secure block ciphers… • What components to choose? (bottom-up). • Most of the current cipher design paradigms can be expressed in terms of “good” Boolean functions / “good” vectorial functions (S-boxes). • What else? Good diffusion: WTS(later slides), avalanche. 6 2001-2015 Algebraic Attacks on Block, Stream Ciphers Boolean Functions, ANF Any function GF(2)n → GF(2). 7 2001-2015 Algebraic Attacks on Block, Stream Ciphers The Tale of “Good” Boolean Functions.. •“Good” Boolean functions, •“Good” S-boxes, => High non-linearity… Provable prevents correlation/differential/linear/ GLC attacks…. A “Good” Boolean function… Magical objects that make ciphers secure ? 8 2001-2015 Algebraic Attacks on Block, Stream Ciphers Avoiding Simple Boolean Functions… Not enough ! Main claim / result: One should rather think about avoiding Boolean /Algebraic Relations ! 9 2001-2015 Algebraic Attacks on Block, Stream Ciphers Central Criterion for Designing Cryptographic Components [Courtois 1999; PhD Thesis]: Non-existence of low- degree/small size multivariate relations between the input bits and the output bits. 10 2001-2015 Algebraic Attacks on Block, Stream Ciphers Special Case: I / O Degree: A “good” cipher should use at least some components with high I/O degree. 11 2001-2015 Algebraic Attacks on Block, Stream Ciphers Claim / Proposal This criterion is proposed (can be necessary) for the security of: • S-boxes in Block Ciphers • Combiners in Stream Ciphers • Trapdoor Functions (PK crypto, HFE). 12 2001-2015 Algebraic Attacks on Block, Stream Ciphers Why ? • no proof • some devastating attacks on some ciphers • many ciphers not broken in the slightest • overall, just another super-paranoid security criterion which is probably not always necessary, – frequent in crypto research 13 2001-2015 Algebraic Attacks on Block, Stream Ciphers Another Interpretation of I/O I = Inside block/stream cipher O = Outside of your block/steam cipher 14 2001-2015 Algebraic Attacks on Block, Stream Ciphers Multivariate Cryptography: Cryptosystems using polynomials with several variables over a finite field… Multivariate Cryptanalysis or Algebraic Cryptanalysis: Cryptographic attacks using polynomials with several variables over a finite field… 15 2001-2015 A New Frontier in Symmetric Cryptanalysis Roadmap: Multivariate/Algebraic Cryptanalysis Guess Then Determine: MITM SAT/UNSAT strategy or mixed with many steps Software / SAT Solvers ElimLin: amazingly powerful XL, Grobner Basis, F4, F5 dense systems of eqs, inappropriate tools in most other cases Cube Attacks [Vielhaber, Dinur,Shamir’08] other combination tools attacks Truncated Differentials (DC) Higher Order Differentials ”every cipher of low degree poly can be broken” multiple points DC 16 Courtois, Indocrypt 2008 Higher Order DC GOST, Self-Similarity and Cryptanalysis of Block Ciphers - My Favourite Groups 17 © Nicolas T. Courtois, 2006-2013 Algebraic Attacks on Block, Stream Ciphers Different Types of Cryptanalysis • The “approximation” approach: – Linear, differential, high-order differential, impossible differential, Jakobsen-Knudsen approximation attacks, etc.. All are based on probabilistic characteristics true with some probability. – Consequently, the security will grow exponentially with the number of rounds, and so does the number of required plaintexts in the attacks (main limitation in practice). • The “exact algebraic” approach: – Write equations to solve, true with probability 1. – Very small number of known plaintexts required. 18 2001-2015 Algebraic Attacks on Block, Stream Ciphers Exact/Algebraic/Multivariate Cryptanalysis: Breaking a « good » cipher should require: “as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949] Common belief: large systems of equations become intractable very easily. 19 2001-2015 Algebraic Attacks on Block, Stream Ciphers **However… However, what makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials: – The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt’2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT- RSA 2003], [F5/2 by Jean-Charles Faugère], [Old papers by Lazard]… – The XSL variant: [Courtois, Pieprzyk, Asiacrypt’02] Consequence: systems that are overdefined, sparse, or both, turn out to be much easier to solve than expected. 20 2001-2015 Algebraic Attacks on Block, Stream Ciphers Problem 1: Overdefined Systems Most cryptographic security relies on the hardness of largely overdefined problems: Much more information than necessary: great many plaintexts, message and signature pairs, etc.. • Public key cryptography: the solution is: Provable security: each utilization of the cryptographic scheme does not leak useful information. • Secret key cryptography: Yet little provable security. And yet it is here that the problems become the most overdefined: huge amounts of data encrypted with one key, fast hardware, etc. 21 2001-2015 Algebraic Attacks on Block, Stream Ciphers Problem 2: Algebraic Sparsity Many cryptographic schemes (for practical reasons) have a simple algebraic description. Usually leads to a sparse system of equations. • In software, large tables might be used… • In hardware, the number of gates should be small, which gives a simple description with simple Boolean polynomials. 22 2001-2015 Algebraic Attacks on Block, Stream Ciphers Problem 3: Linear Components Linearity is commonly used for diffusion, sequence generation (LFSR) etc. Still believed OK. • Problem: preserves the degree of algebraic equations !! 23 2001-2015 A New Frontier in Symmetric Cryptanalysis The Role of Finite Fields, e.g. GF(2) They allow to encode any cryptographic problem as problem of solving Boolean equations. 24 Courtois, Indocrypt 2008 Multiplicative Complexity MC = Definition • Every function can be represented as a number of multiplications + linear functions over a finite field/ring. • We call MC (Multiplicative Complexity) the minimum number of multiplications needed. Home reading: set of slides multcomp.pdf Moodle. 25 ©Nicolas T. Courtois 2012 A New Frontier in Symmetric Cryptanalysis **The Role of NP-hard Problems Guarantee “hardness” in the worst case. Many are not that hard in practice… • Many concrete problems can be solved. • Multiple reductions allow to use algorithms that solve one problem to solve another. 26 Courtois, Indocrypt 2008 A New Frontier in Symmetric Cryptanalysis Algebraization: Theorem: Every function over finite fields is a polynomial function. [can be proven as a corollary of Lagrange’s interpolation formula] False over rings! E.g. false for T-functions. 27 Courtois, Indocrypt 2008 Algebraic Attacks on Block, Stream Ciphers Problem 4: Low Degree/Low Complexity Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.” Cf. Xuejia Lai paper. • "Higher order derivatives and differential cryptanalysis" [1992] 28 2001-2015 Algebraic Attacks on Block, Stream Ciphers Problem 4: Low Degree/Low Complexity Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.” Remark for LFSR-based stream ciphers: later we will see how to substantially LOWER the degree… I/O Relations, Algebraic Immunity, Annihilators, Courtois-Meier attack, etc… 29 2001-2015 Algebraic Attacks on Block, Stream Ciphers Lai Essential Result =>so we can decrease the non-linear degree by summing different polynomials => “every cipher which can be expressed by low degree polynomials is broken.” 30 2001-2015 Algebraic Attacks on Block, Stream Ciphers Cube Attacks [Vielhaber, Dinur,Shamir’08] 31 2001-2015 Algebraic Attacks on Block, Stream Ciphers ” Trivial – ε Attacks ” Cube attack are highly sophisticated highly technical attack BUT they achieve NOTHING more than breaking XX – ε rounds of a cipher where XX – ε rounds is already broken by an attack which crypto community considers as excessively trivial. 32 2001-2015 Algebraic Attacks on Block, Stream Ciphers Step By Step Cube attack is about summing COMPLEX multivariate polynomials. – most polynomials never written. • Online phase CPA => several concrete values added 0+1+… • Their sum polynomial depends on the key in a very simple way. =>Gives simple equations on the key. 33 2001-2015 Algebraic Attacks on Block, Stream Ciphers Cube Attacks Controversies [1] Dan Bernstein: http://cr.yp.to/cubeattacks.html • “Why haven't cube attacks broken anything?
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages220 Page
-
File Size-