Hacking of the AES with Boolean Functions Michel Dubois and Eric´ Filiol Operational Cryptology and Virology Laboratory, 38 rue des Docteurs Calmette et Gurin, 53000 Laval, France Keywords: Block Cipher, Boolean Function, Cryptanalysis, AES. Abstract: One of the major issues of cryptography is the cryptanalysis of cipher algorithms. Some mechanisms for breaking codes include differential cryptanalysis, advanced statistics and brute-force. Recent works also at- tempt to use algebraic tools to reduce the cryptanalysis of a block cipher algorithm to the resolution of a system of quadratic equations describing the ciphering structure. In our study, we will also use algebraic tools but in a new way: by using Boolean functions and their properties. A Boolean function is a function from Fn F with n > 1. The arguments of Boolean functions are binary words of length n. Any Boolean function 2 → 2 can be represented, uniquely, by its algebraic normal form which is an equation which only contains additions modulo 2—the XOR function—and multiplications modulo 2—the AND function. Our aim is to describe the AES algorithm as a set of Boolean functions then calculate their algebraic normal forms by using the Moe- bius transforms. After, we use a specific representation for these equations to facilitate their analysis and particularly to try a combinatorial analysis. Through this approach we obtain a new kind of equations system. 1 INTRODUCTION nately, these approaches are infeasible because of the difficulty of solving large systems of equations. The block cipher algorithms are a family of cipher al- We will also use algebraic tools but in a new way gorithms which use symmetric key and work on fixed by using Boolean functions and their properties. Our length blocks of data. aim is to describe a block cipher algorithm as a set of Since Novembre 26, 2001, the block cipher algo- Boolean functions then calculate their algebraic nor- rithm “Rijndael”, became the successor of DES under mal forms by using the Moebius transforms. the name of “Advanced Encryption Standard” (AES). In our study, we will test our approach on the Its designers, Joan Daemen and Vincent Rijmen used AES algorithm. Our goal is to describe it under the algebraic tools to give to their algorithm an unequaled form of systems of Boolean functions and to calcu- level of assurance against the standard statistical tech- late their algebraic normal forms by using the Moe- niques of cryptanalysis. The AES can process data bius transforms. The system of equations obtained blocks of 128 bits, using cipher keys with lengths of is more easily implementable and could open new 128, 192, and 256 bits (NIST, 2001). ways to cryptanalysis of the AES. We have devel- One of the major issues of cryptography is the oped a proof of concept of our approach in python cryptanalysis of cipher algorithms. Cryptanalysis is language. The resulting programs are open source the study of methods for obtaining the meaning of and available on github at the following address: encrypted information, without access to the secret https://github.com/archoad/BooleanAES. information that is normally required. Some mech- anisms for breaking codes include differential crypt- analysis, advanced statistics and brute-force. Recent works like (Murphy and Robshaw, 2002), 2 BOOLEAN FUNCTIONS attempt to use algebraic tools to reduce the cryptanal- ysis of a block cipher algorithm to the resolution of a 2.1 Definition system of quadratic equations describing the cipher- ing structure. As an example, Nicolas Courtois and Let be the set B = 0,1 and B2 = B, , , a { n} { ∧ ∨ ¬} Josef Pieprzyk have described the AES-128 algorithm Boolean algebra, then B2 = (x1,x2, ,xn) such that as a system of 8000 quadratic equations with 1600 x B and 1 i n, is a subset of ···B containing all i ∈ 2 5 5 2 variables (Courtois and Pieprzyk, 2002). Unfortu- n-tuples of 0 and 1. The variable xi is called Boolean 599 Dubois, M. and Filiol, E. Hacking of the AES with Boolean Functions. DOI: 10.5220/0006091305990609 In Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), pages 599-609 ISBN: 978-989-758-209-7 Copyright c 2017 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved ForSE 2017 - 1st International Workshop on FORmal methods for Security Engineering variable if she only accepts values from B, that is Table 1: The 16 Boolean functions of degree 2. to say, if and only if x = 0 or x = 1 regardless of i i f0 0 1 i n. 5 5 f1 x1 x2 A Boolean function of degree n with n > 1 is a ∧ n f2 x1 x2 function f defined from B B2, that is to say built ∧ ¬ 2 → f3 x1 from Boolean variables and agreeing to return values f x x only in the set B = 0,1 . 4 ¬ 1 ∧ 2 f x For example, the{ function} f (x ,x ) = x x de- 5 2 1 2 1 2 f x x fined from B2 B is a Boolean function∧¬ of degree 6 1 Y 2 2 2 f x x two with: → 7 1 2 f (x ∨ x ) 8 ¬ 1 ∨ 2 f (x x ) f (0,0) = 0 9 ¬ 1 Y 2 f x f (0,1) = 0 10 ¬ 2 f11 x1 x2 f (1,0) = 1 ∨ ¬ f12 x1 f (1,1) = 0 f x¬ x 13 ¬ 1 ∨ 2 f (x x ) 14 ¬ 1 ∧ 2 Let n and m be two positive integers. A vec- f15 1 tor Boolean function is a Boolean function f defined n m from B2 B2 . Finally,→ we can define a random Boolean function 2.2 Representations as a Boolean function f whose values are independent and identically distributed random variables, that is to There are multiple representations of Boolean func- say: tions. We’ll look at the most common—the truth table—and that we will use later—a representation in n (x1,x2, ,xn) B GF(2). ∀ ··· ∈ 2 1 P[ f (x ,x , ,x ) = 0] = 1 2 ··· n 2 2.2.1 The Truth Table The number of Boolean functions is limited and n The different values taken by a Boolean function may depends on n. Thus, there is 22 Boolean functions. be presented in the form of a table called truth table. Similarly, the number of vector Boolean functions is The truth table characterizes a Boolean function. limited and depends on n and m. Thus, there exists n (2m)2 vector Boolean functions. 2.2.2 Representation in GF(2) If we take, for example, n = 2 then there exists 2 22 = 16 Boolean functions of degree two. These A Boolean function can also be presented in the form 16 Boolean functions are presented in the table 1. of a series of conjunctions including disjunctions, Among the Boolean functions of degree 2, the best negations and/or variables. This is called the con- junctive normal form. Thus, the sequence f = (a known are the functions OR, AND and XOR. ∨ ( ) b) ( a b) is the conjunctive normal form of the f The support supp f of a Boolean function is the ∧ ¬ ∨ set of elements x such that f (x) = 0, the Hamming function. Conversely, a Boolean function can be pre- weight wt( f ) of a Boolean function6 is the cardinal sented in the form of a series of disjunctions includ- from its support and we have: ing conjunctions, negations and/or variables. This is called the disjunctive normal form. Thus, the se- n quence g = (a b) ( a b) is the disjunctive normal wt( f ) = x B f (x) = 1 ∧ ∨ ¬ ∧ |{ ∈ 2 | }| form of the function g. A Boolean function is called balanced if wt( f ) = Now let the representation of Boolean functions in n 1 n m GF( ) 2 − . Similarly, a Boolean vector function B2 B2 2 . is said to be balanced if wt( f ) = 2n m (Carlet, 2010b).→ The set B = 0,1 associated with , and − { } ∧ ∨ ¬ For example, the support of the function operations is the Boolean algebra B2 = B, , , { ∧ ∨ ¬} f (x1,x2) = x1 x2, corresponding to logical OR is with the truth tables of the operations described in supp( f ) = (0∨,1),(1,0),(1,1) and its weight is figure (see fig. 1). If we introduce the two binary op- wt(f) = 3. { } erations and defined by the truth tables in fig- ⊕ • ure (see fig. 2), then B2 and the Galois field GF(2) are similar. More specifically, the Boolean algebra 600 Hacking of the AES with Boolean Functions of ANF( f ) with non-zero coefficients. Finally, the al- 0 1 0 1 ∧ ∨ a 0 1 gebraic normal form of a Boolean function exists and 0 0 0 0 0 1 is unique. a 1 0 In summary, any Boolean function can be repre- 1 0 1 1 1 1 ¬ sented uniquely by its algebraic normal form as the equation: Figure 1: Rules for Boolean algebra with two elements. f (x , ,x ) = a + 1 ··· n 0 0 1 0 1 a x + a x + + a x + • ⊕ 1 1 2 2 ··· n n a1,2x1x2 + + an 1,nxn 1xn+ 0 0 0 0 0 1 ··· − − + 1 0 1 1 1 0 ··· a1,2,...,nx1x2 ...xn Figure 2: Truth tables of and . • ⊕ Consider an example. Let the function f described by the truth table of the table 2 (B, , , ) and the field (GF(2), , ) are related by the∧ following∨ ¬ transformation formulas:• ⊕ Table 2: Truth table of the function f . a b = a b x x x f (x) ∧ • 1 2 3 a b = a b 0 0 0 0 • ∧ a b = a b (a b) 0 0 1 1 ∨ ⊕ ⊕ • 0 1 0 0 a b = (a b) ( a b) ⊕ ∧ ¬ ∨ ¬ ∧ 0 1 1 0 a = a 1 1 0 0 0 ¬ ⊕ 1 0 1 1 We can now define a Boolean function as a func- 1 1 0 0 tion f : n with n the set of binary vectors of F2 F2 F2 1 1 1 1 length n > →1.