September 28, 2016 @ASK2016 Nonlinear Invariant Attack NTT Secure Platform Laboratories and Kobe University Yosuke Todo Copyright©2016 NTT corp. All Rights Reserved. Overview. • Joint work with Gregor Leander and Yu Sasaki. • New type of cryptanalyses. ‐ This attack works on the weak-key setting. • Surprising practical extensions. ‐ Ciphertext-only message recovery attack!! • Good applications. ‐ Scream, iScream, and Midori64. Copyright©2016 NTT corp. All Rights Reserved. 2 Summary of results. Distinguishing attack under known-plaintext setting. Target # of weak keys Data complexity. Distinguishing probability. SCREAM 296 iSCREAM 296 1−푘 푘 1 − 2 Midori64 264 The distinguishing attack incidentally recovers 1 bit of secret key. Message-recovery attack under ciphertext-only setting. Target # of weak keys Maximum # of Data Time recovered bits. complexity. complexity. 96 3 15 SCREAM 2 32 bits 33 ciphertexts 32 = 2 96 3 15 iSCREAM 2 32 bits 33 ciphertexts 32 = 2 64 3 15 Midori64-CTR 2 32h bits 33h ciphertexts 32 ℎ = 2 ℎ ℎ is the number of blocks in the mode of operations. Copyright©2016 NTT corp. All Rights Reserved. 3 Outline 1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM. Copyright©2016 NTT corp. All Rights Reserved. 4 Two streams join in new attacks. Linear attack [Matsui 1993] Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011] Nonlinear invariant attack [Todo, Gregor, Yu 2016] Copyright©2016 NTT corp. All Rights Reserved. 5 Stream from linear attacks. Linear attack [Matsui 1993] Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011] Nonlinear invariant attack [Todo, Gregor, Yu 2016] Copyright©2016 NTT corp. All Rights Reserved. 6 Linear attack [Matsui 93]. Key-alternating structure. 푘푖 푥푖 F 푥푖+1 푓푖 푥푖 ⊕ 푓푖+1 푥푖+1 ≈ const 푓푖 푥푖 holds with high probability. 푓푖+1 푥푖+1 next-round 푓푖 and 푓푖+1 are linearly Boolean functions. Copyright©2016 NTT corp. All Rights Reserved. 7 Nonlinear attack [Harpes et al.95]. Key-alternating structure. 푘푖 푥푖 F 푥푖+1 푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 ≈ const 푔푖 푥푖 holds with high probability. 푔푖+1 푥푖+1 next-round 푔푖 and 푔푖+1 are nonlinearly Boolean functions. Copyright©2016 NTT corp. All Rights Reserved. 8 Insurmountable problem. Key-alternating structure. 푘푖 푥푖 F 푥푖+1 • The actual propagation of nonlinear mask depends on the specific value of the state. • Therefore, we cannot join nonlinear masks for two rounds. Copyright©2016 NTT corp. All Rights Reserved. 9 Nonlinear invariant attack. Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖 푥푖 F 푥푖+1 푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1 next-round 푔푖 and 푔푖+1 are nonlinearly Boolean functions. Copyright©2016 NTT corp. All Rights Reserved. 10 Stream from invariant subspace attacks. Linear attack [Matsui 1993] Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011] Nonlinear invariant attack [Todo, Gregor, Yu 2016] Copyright©2016 NTT corp. All Rights Reserved. 11 Invariant subspace attacks Key-alternating structure. weak keys. 푘푖 푥푖 F 푥푖+1 key-add F U+a U+a U+b next-round Copyright©2016 NTT corp. All Rights Reserved. 12 Nonlinear invarinat attack. Key-alternating structure. weak keys. 푘푖 푥푖 F 푥푖+1 key-add F 푔0 푔0 푔0 푔1 푔1 푔1 next-round Copyright©2016 NTT corp. All Rights Reserved. 13 Nonlinear invarinat attack. Key-alternating structure. weak keys. 푘푖 푥푖 F 푥푖+1 key-add F 푔0 푔0 푔0 푔1 푔1 푔1 next-round Copyright©2016 NTT corp. All Rights Reserved. 14 Distinguishing attack. • If the block cipher has the nonlinear invariant, we can easily distinguish from ideal ciphers. 1. Collect 푘 known plaintexts (푝푖, 푐푖). 2. Compute 푔푝 푝푖 ⊕ 푔푐(푐푖) for 푘 pair. Then 푘 XORs are always the same. The probability that ideal ciphers have this property is 2−푘+1. • At most one bit of information leaks from 푔푝 푝푖 ⊕ 푔푐(푐푖). Copyright©2016 NTT corp. All Rights Reserved. 15 Outline 1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM. Copyright©2016 NTT corp. All Rights Reserved. 16 Practical attacks. strong Chosen-plaintext attacks (CPA) is natural assumption for cryptographers. is debatable in practical case. Assumption. Known-plaintext attacks (KPA) is very weak assumption for cryptographers. sometimes holds in practical case. Ciphertext-only attacks (COA) is unlikely to happen for cryptographers. is information-theoretically impossible w/o assumptions. causes non-negligible risks in practical use if possible. weak Copyright©2016 NTT corp. All Rights Reserved. 17 Our attack assumptions. • Attackers can collect multiple ciphertext blocks whose original message is the same but the IV is different. • Then, we can recover the part of message. 퐸 푘,퐼푉1 Ciphertext block 퐸푘,퐼푉2 Plaintext 퐸푘,퐼푉3 Ciphertext block block Ciphertext block Copyright©2016 NTT corp. All Rights Reserved. 18 Is this assumption practical? • It’s very difficult questions because it depends on applications. • We believe it’s more practical than KPA. • Example of vulnerable application. ‐ Application sometimes sends the ciphertext of a password for the authentication. And, attackers know the behavior of the application. Copyright©2016 NTT corp. All Rights Reserved. 19 CBC mode. P1 P2 P3 Ph IV (C0) EK EK EK EK C1 C2 C3 Ch If Ek has nonlinear invariants, 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 = const Copyright©2016 NTT corp. All Rights Reserved. 20 Message-recovery attacks. • Attackers know IV and ciphertexts, and 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 is always constant. • We collect multiple (퐶푖−1, 퐶푖) whose corresponding 푃푖 is the same. • By guessing 푃푖, we can recover it only from ciphertexts. ‐ Bits of 푃푖 that involve the nonlinear term of the function 푔 can be recovered. ‐ Practically, the time complexity to recover 푡 bits 3 of 푃푖 is at most 푡 . Copyright©2016 NTT corp. All Rights Reserved. 21 Outline 1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM. Copyright©2016 NTT corp. All Rights Reserved. 22 Nonlinear invariant attack. Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖 푥푖 F 푥푖+1 푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1 next-round We have to search for nonlinear invariants that hold in arbitrary number of rounds. Copyright©2016 NTT corp. All Rights Reserved. 23 Nonlinear invariant attack. Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖 푥푖 F 푥푖+1 푔 푥푖 ⊕ 푔 푥푖+1 = const 푔 푥푖 with probability one. 푔 푥푖+1 next-round The property tribially holds if 푔푖 = 푔푖+1. Copyright©2016 NTT corp. All Rights Reserved. 24 Searching for nonlinear invariants. • Assume that KSP-type round function. S S L S S Copyright©2016 NTT corp. All Rights Reserved. 25 Nonlinear invariants for S-box. 푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S 푥4 S • Because the bit size of S-boxes is generally small, it’s not difficult to find nonlinear invariant for S-boxes. Copyright©2016 NTT corp. All Rights Reserved. 26 Example. • Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 8 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 ⊕ 1. • Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 4 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 . Copyright©2016 NTT corp. All Rights Reserved. 27 Nonlinear invariant for S-box layer. 푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S • If the function 푔푖 is nonlinear invariant for the th S-box, the function 푖∈Λ 푔푖(푥푖) becomes nonlinear invariant for the S-box layer for any set Λ. Copyright©2016 NTT corp. All Rights Reserved. 28 Nonlinear invariants for key XORing. 푥 1 S 푔 푥 ⊕ 푔 푥 ⊕ 푘 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S • If “1s” in 푘 are involved in only linear term of the function 푔, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘). • 푔 푥 ⊕ 푔 푥 ⊕ 푘 = 푔 푘 = cons. Copyright©2016 NTT corp. All Rights Reserved. 29 Example. • Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 If 푘1 = 푘2 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘) • Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 If 푘2 = 푘3 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘) Copyright©2016 NTT corp. All Rights Reserved. 30 Nonlinear invariant for linear layer. 푥 1 S 푔 푥 ⊕ 푔 퐿 푥 = cons 푥2 S 푛 L 푥3 S 푔 푥 = 푔푖(푥푖) 푖=1 푥4 S • If the linear function is binary orthogonal and there is a quadratic invariant for the S-box, 푛 푔푖=1(푥푖) is nonlinear invariant for the linear layer.