invarianthoppingattacks on block ciphers · invarianthoppingattacks on block ciphers attack 1 2x...

Invariant Hopping Attackson Block Ciphers

attack 12x linear

attack 21x linear

attack 3

attack 4strong Bool + high degree invariant +

high success proba

Nicolas T. CourtoisUniversity College London, UK

Block Cipher Invariants

2

Roadmap

Part 1: Cold War / History Block Ciphers

Part 2: New Attacks:

Constructive Cryptanalysiswith Polynomial Invariants + Annihilators+ inside Boolean ring Bn

Algebraic Attacks on Block Ciphers Nicolas T. Courtois

3

Question 1:Why 0% of symmetric encryption

used in practice areprovably secure?

A New Frontier in Symmetric Cryptanalysis

4

MQ Problem

Dense MQ is VERY hard. Best attacks ≈ 20.8765n

• top of the top hard problem.• for both standard and PQ crypto

=> Allows to build a provably secure stream cipher based on MQ directly!C. Berbain, H. Gilbert, and J. Patarin:

QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005

=> provably secure encryption exists!

mqchallenge.org FXL/Joux 2017/372

Algebraic Attacks on Block Ciphers Nicolas T. Courtois

5

Question 2:Why researchers have found

so few attacks on block ciphers?

“mystified by complexity”

Algebraic Attacks on Block Ciphers Nicolas T. Courtois

6

Claim:Finding new attacks

on block ciphers isEASY and FUN

Block Cipher Invariants

7

Dr. Nicolas T. Courtois blog.bettercrypto.com

1. cryptanalysis

Block Cipher Invariants

8

Dr. Nicolas T. Courtois blog.bettercrypto.com

1. cryptanalysis

2. industrial crypto

Block Cipher Invariants

9

Code Breakers - LinkedIn

Code Breakers

Nicolas T. Courtois10

3. Crypto History

Roadmap

11

Towards Modern Crypto

Block Cipher Invariants

12

1960sNATO Cipher competition

• UK

• US

• France

• Germany

Requirements:

• “tapeless and rotorless” => semi-conductor electronic,

• high EM/SCA security!

Backdoors

Nicolas T. Courtois13

French Submission

• large period, non-linearity / removing the correlations (p.108)“…certainement la meilleure machine cryptographique de son époque…" ??????????????????????????????????????????????????????????

[2004]

Code Breakers

14

Compromise of Old Crypto

• USS Pueblo / North Korea Jan 1968

Block Cipher Invariants

15

Cold War

Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…

[Source: Cryptologia, interviews by David Kahn with gen. Andreev=first head of FAPSI=Russian NSA]

Example: In 1967 GRU (Soviet Intelligence) was intercepting cryptograms from 115 countries, using 152 cryptosystems, and among these they broke 11 codes and “obtained” 7 other codes.

Block Cipher Invariants

16

US/NATO crypto broken

Russia broke the NATO KW-7 cipher machine: Walker spy ring, rotors+keys,

• paid more than 1M USD (source: NSA)

• “greatest exploit in KGB history”

• allowed Soviets to “read millions”of US messages [1989, Washington Post]

Block Cipher Invariants

17

1970sModern block ciphers are born.

In which country??

Block Cipher Invariants

18

1970sModern block ciphers are born.

In which country??

Who knows…

Eastern Bloc also worked on these questions… and for a long time.

Block Cipher Invariants

19

1927The inventor of the

ANF = Algebraic Normal Form

en.wikipedia.org/wiki/Zhegalkin_polynomial

Russian mathematician and logician

Ива́н Ива́нович Жега́лкин [Moscow State University]

“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”

Bn,+,*

Backdoors

Nicolas T. Courtois20

Our Sources

T-310spec

Backdoors

Nicolas T. Courtois21

Our Sources

BStU = Stasi Records Agency

ZCO = Zentrales Chiffrierorgan

der DDR

T-310

Nicolas T. Courtois22

East German T-310 Block Cipher

240 bits

long-term secret 90 bits only!

“quasi-absolute security” [1973-1990]

has a physical

RNG=>IV

Block Cipher Invariants

ReferencesNicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi, Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf , 132 pages, 2017

Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310, in Cryptologia, vol 42, iss. 4, pp. 316-336, May 2018.

Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh:

Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018,

https://www.tandfonline.com/doi/abs/10.1080/01611194.2018.1483981

Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.

Block Cipher Invariants

24

Cipher Class Alpha –1970s

Who invented Alpha? [full document not avail.]

Block Cipher Invariants

25

T-310 [1973-1990] – 4 branches

Block Cipher Invariants

26

IBM USA 1970s

IBM have agreed with the NSA that the design criteria of DES should not be made public.

NSA have generated DES S-boxes. source: Coppersmith, invited talk@Crypto, summer 2000.

Security of DES (overview)

27

“Official” History of Cryptanalysis

• DC was known @IBM in 1970s

• Davies-Murphy attack [1982=classified, published in 1995] = early LC

• Shamir Paper [1985]……… early LC

• Differential Cryptanalysis :Biham-Shamir [1991]

• Linear Cryptanalysis: Gilbert and Matsui [1992-93]

Block Cipher Invariants

28

One form of DC was known in 1973!

Block Cipher Invariants

29

LC at ZCO - 1976!

Block Cipher Invariants

30

Discrete Differentials and HO DC – 1976 !

Higher Order:

Block Cipher Invariants

31

Computing HO Differentials for All Orders

.

.

. fast points!

Backdoors

Nicolas T. Courtois32

Contracting Feistel [1970s Eastern Germany!]

1 round of T-310

φ

Roadmap

33

Backdoors

Roadmap

34

Backdoors vs.

“Normal” Cryptanalysis

All our attacks work with relatively large probability.

– so if you are not lucky a cipher which was NOT backdoored will also be broken!

Better Card-only Attacks on Mifare Classic

Nicolas T. Courtois, 2009-1735

Any Backdoors?

Claim: Non-bijective φ – ALL broken! See:

1. Nicolas T. Courtois, Maria-Bristena Oprisanu: “Ciphertext-Only Attacks and Weak Long-Term Keys in T-310”

[Cryptologia v.42 iss. 4 2018]

Backdoors

36

How to Backdoor T-310 [yes we can]

bad long-term key

omit just 1 out of 40 conditions: ciphertext-only

Backdoors

37

LC Method to Backdoor T-310 [2017]

bad long-term key1,3,5 => 1,3,5 P=1

703P=7,14,33,23,18,36,5,2,9,16,30,12,32,26,21,1,13,25,20,8,24,15,22,29,10,28,6D=0,4,24,12,16,32,28,36,20

Block Cipher Invariants

38

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]

Block Cipher Invariants

39

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]

Concept of non-linear I/O sums.

F(inputs) = G(outputs) with some probability…

Block Cipher Invariants

40

Connecting Non-Linear Approxs.Black-Box Approach

Non-linear functions F G H I.

F(x1,…)

G(x1,…) H(y1,…)

I(z1,…)

Block Cipher Invariants

41

GLC and Feistel Ciphers ?

[Knudsen and Robshaw, EuroCrypt’96

“one-round approximations that are non-linear […] cannot be joined together”…

At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!

Block Cipher Invariants

42

BLC better than LC for DES

Better than the best existing linear attack of Matsui

for 3, 7, 11, 15, … rounds.

Ex: LC 11 rounds:

BLC 11 rounds:

Block Cipher Invariants

43

Wrong Approach [!!!!]Black-Box Combination Approach

constructive BUT limited possibilities…

F(x1,…)

G(x1,…) H(y1,…)

I(z1,…)

Block Cipher Invariants

44

White Box Approach

New! [Courtois 2018]

Study of non-linear I/O sums.

P(inputs) = P(outputs)

Block Cipher Invariants

45

New White Box Approach

Study of non-linear I/O sums.

.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.

BIG PROBLEM: 22^n possible attacks

Block Cipher Invariants

46

Variable Boolean Function

We denote by Z our Boolean function

We consider a space of ciphers where Z is variable.

Question: given a fixed polynomial Pwhat is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds).

Block Cipher Invariants

47

Invariant Hopping

attack 12x linear

attack 21x linear

attack 3

attack 4strong Bool + high degree invariant +

high success proba

Block Cipher Invariants

Nicolas T. Courtois, January 200948

Group Theory – Is DES A Group?

Study of group generated by φK for any key K.

Typically AGL not GL. Any smaller sub-groups?

Block Cipher Invariants

Nicolas T. Courtois, January 200949

Group Theory – Is DES A Group?

Study of group generated by φK for any key K.

Typically AGL not GL. Any smaller sub-groups?

This question was also studied @Eastern Bloc

Block Cipher Invariants

Nicolas T. Courtois, January 200950

Group Theory – Is DES A Group?

Study of group generated by φK for any key K.

Typically AGL not GL. Any smaller sub-groups?

This question was also studied @Eastern Bloc

Block Cipher Invariants

51

Hopping in Group Lattices

attack 1

three invariantslinear Boolean function

AGL

Block Cipher Invariants

52

Hopping in Group Lattices

attack 1three invariants

linear Boolean function

attack 2two invariants

bad Boolean function

AGL

Block Cipher Invariants

53

Hopping in Group Lattices

attack 1three invariants

linear Boolean function

attack 2two invariants

bad Boolean function

attack 36one high degree invariantstrong Boolean function

AGL

Block Cipher Invariants

Nicolas T. Courtois, January 200954

Hopping in Group Lattices

attack 1

three invariantslinear Boolean function

attack 2two invariants

bad Boolean function

attack 36one complex high degree invariant

strong Boolean function

AGL

Block Cipher Invariants

55

“Hopping” Discovery Method

Making the impossible possible. How?

Learn from examples. old => new attack

• transform a linear attack on a weak cipher with a linear Boolean function

• into non-linear attack on a cipher with a “strong” Boolean function.

Block Cipher Invariants

56

“Hopping” Discovery

• We navigate inside a “product lattice” =def= set of pairs (set of invariants, cipher spec) =

-all possible invariant attacks

-all possible ciphers [we modify the spec of the cipher]

• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.

Block Cipher Invariants

57

Linear Attack – Example

Block Cipher Invariants

58

Exact Thm. [eprint/2017/440]

Block Cipher Invariants

59

Hopping Step 1 First we look at an attack where the Boolean

function is linear and we have trivial LINEAR invariants (same as Matsui’s LC)

Example:

Backdoors

Nicolas T. Courtois60

A Vulnerable Setup

1 round of T-310

φ

Block Cipher Invariants

61

Hopping Step2Now could you please tell us if

is an invariant?

Block Cipher Invariants

62

Hopping Step2Now could you please tell us if

is an invariant?

The answer is remarkably simple.

Block Cipher Invariants

63

Hopping Step2Theorem:

is an invariant IF AND ONLY IF

a certain polynomial = FE =

is zero (as a polynomial, multiple cancellations)

Block Cipher Invariants

64

Hopping Step2Theorem:

is an invariant IF AND ONLY IF

is zero (as a polynomial, multiple cancellations)

Block Cipher Invariants

65

Hopping Step2Theorem:

is an invariant IF AND ONLY IF

is zero (as a polynomial, multiple cancellations)

subs by ANF

simplifies to:

Block Cipher Invariants

66

Hopping Step2 Theorem:

is an invariant IF AND ONLY IF

is zero (as a polynomial, multiple cancellations)

Block Cipher Invariants

67

What is Special About P 2-factoring decomposition

= AC+BD.

is invariant IF AND ONLY IF

some solutions are:

Block Cipher Invariants

68

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

Block Cipher Invariants

69

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

a multiple of the previous polynomial!

Block Cipher Invariants

70

Corollary:Easy Thm. [not included in the paper].

For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2)then also ABCD is an invariant (degree 4).

Note: there is no invariant of degree 3 etc…

Block Cipher Invariants

71

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????

Block Cipher Invariants

72

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????

Answer: easy: a root of second polynomial and NOT a root of the first [almost always].

mC=YCmBCD=YBCD

Block Cipher Invariants

73

Summary1. We start with a trivial attack on a weak cipher.

Benefit: a certain polynomial has a solution.

2. Then some non-linear invariants also exist = additional roots.

3. Then we modify the cipher [manipulation of roots of our FE] and the invariant so that simple invariants are removed.

4. What you get is a bit like a backdoor!

– Potentially hard to detect.

Block Cipher Invariants

74

ConclusionWe modify the cipher and the invariant

so that simple invariants disappear.

Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]

Block Cipher Invariants

75

Irreducible PolynomialsRemark:

For a long time we searched for invariant attacks where P

is an irreducible polynomial.

We were wrong!

Block Cipher Invariants

76

Product Question

Trivial NL invariants based on cycles in LC.

A ® B ® C ® D ® A

Then ABCD is a round invariant of degree 4.

Stupid??

Block Cipher Invariants

77

Product Question

Trivial NL invariants based on cycles in LC.

A ® B ® C ® D ® A

Then ABCD is a round invariant of degree 4.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.

Block Cipher Invariants

78

Product Question

Trivial NL invariants based on cycles in LC.

A ® B ® C ® D ® E® A

Then ABCDE is a round invariant of degree 5.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.

Trivial invariants can be REMOVED!!!!

Block Cipher Invariants

Nicolas T. Courtois, January 200979

Hopping in Group Lattices

attack 1three invariants

linear Boolean function

attack 2two invariants

bad Boolean function

attack 36one complex high degree invariant

strong Boolean function

AGL

Block Cipher Invariants

80

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a random Boolean function?

Block Cipher Invariants

81

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a random Boolean function?

YES, see [eprint/2018/1242]

Degree 8 attack, P =ABCDEFGH. extremely strong: 15% success rate over the choice of a random Boolean function.

Block Cipher Invariants

82

Other Ciphers? DES

Block Cipher Invariants

83

Bonus: New No-Trivial Attacksan irregular sporadic attack with P of degree 7

Block Cipher Invariants

84

New White Box Method

[Courtois 2018]

Same concept of a non-linear I/O sums.Focus on perfect invariants mostly.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.Exploits the structure of the ring Bn.

• annihilation events absorption events

• would be unthinkable if we had unique factorisation

ABCD=A’B’C’D’

Block Cipher Invariants

85

*Lack Of Unique Factorization

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))

sage: 0

sage:

Block Cipher Invariants

86

*Lack Of Unique Factorization

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))

sage: 0

sage: