“Algebraic” Attacks vs. Design of Block and Stream Ciphers
Nicolas T. Courtois- University College London
A New Frontier in Symmetric Cryptanalysis
Courtois, Indocrypt 2008
Modern Symmetric Cryptanalysis:
number of ciphers “broken w.r.t. claims”: O(effort).
number of ciphers “broken in practice”: o(effort).
DES, AES etc: never really broken etc..
2 Small Remarks
Winston Churchill used to say:
“the truth is so precious that she should always be attended by a bodyguard of lies”
Cryptanalysis is not very popular: the number of papers at major crypto conferences has decreased each year… for some reason… over the last 15 years.
Alternative Title:
A New Frontier in Symmetric Cryptanalysis?
(e.g. low-data complexity attacks)
Algebraic Attacks on Block, Stream Ciphers
2001-2015
0. Intro…
Instead of a Summary
• How to design secure ciphers? Nobody knows, a complex question.
• What components to choose? (bottom-up)
• Most of the current cipher design paradigms can be expressed in terms of “good” Boolean functions / “good” vectorial functions (S-boxes).
• What else? Good diffusion: WTS (later slides), avalanche.
Remark: There exist provably secure stream ciphers: QUAD (secure if MQ is hard). NO good candidates for provably secure block ciphers…
Boolean Functions, ANF
Any function GF(2)^n → GF(2) has a unique algebraic normal form (ANF): a multivariate polynomial over GF(2) of degree at most 1 in each variable.
The Tale of “Good” Boolean Functions…
Provably prevents correlation / differential / linear / GLC attacks…
Magical objects that make ciphers secure?
• “Good” Boolean functions,
• “Good” S-boxes,
=> High non-linearity…
[figure: a “good” Boolean function]
Avoiding Simple Boolean Functions…
Not enough !
Main claim / result: One should rather think about avoiding Boolean / Algebraic Relations!
Central Criterion for Designing Cryptographic Components
[Courtois 1999; PhD Thesis]: Non-existence of low-degree / small-size multivariate relations between the input bits and the output bits.
Special Case: I / O Degree:
A “good” cipher should use at least some components with high I/O degree.
Claim / Proposal
This criterion is proposed (can be necessary) for the security of:
• S-boxes in Block Ciphers
• Combiners in Stream Ciphers
• Trapdoor Functions (PK crypto, HFE).
Why?
• no proof
• some devastating attacks on some ciphers
• many ciphers not broken in the slightest
• overall, just another super-paranoid security criterion which is probably not always necessary – frequent in crypto research
Another Interpretation of I/O
I = Inside the block/stream cipher
O = Outside of your block/stream cipher
Multivariate Cryptography: cryptosystems using polynomials with several variables over a finite field…
Multivariate Cryptanalysis or Algebraic Cryptanalysis: cryptographic attacks using polynomials with several variables over a finite field…
Roadmap: Multivariate/Algebraic Cryptanalysis
• Software / SAT solvers; XL, Gröbner bases, F4, F5: for dense systems of equations, inappropriate tools in most other cases.
• Truncated differentials (DC), multiple-point DC, higher-order DC, combination attacks, other tools.
• Guess Then Determine: SAT/UNSAT strategy, or mixed with many steps.
• MITM.
• ElimLin: amazingly powerful.
• Cube Attacks [Vielhaber, Dinur, Shamir ’08].
• Higher Order Differentials: ”every cipher of low degree poly can be broken”.
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
© Nicolas T. Courtois, 2006-2013
- My Favourite Groups
Different Types of Cryptanalysis
• The “approximation” approach:
– Linear, differential, higher-order differential, impossible differential, Jakobsen-Knudsen approximation attacks, etc. All are based on probabilistic characteristics, true with some probability.
– Consequently, the security grows exponentially with the number of rounds, and so does the number of required plaintexts in the attacks (the main limitation in practice).
• The “exact algebraic” approach:
– Write equations to solve, true with probability 1.
– Very small number of known plaintexts required.
Exact/Algebraic/Multivariate Cryptanalysis:
Breaking a « good » cipher should require:
“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949]
Common belief: large systems of equations become intractable very easily.
However, what makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials:
– The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [F5/2 by Jean-Charles Faugère], [old papers by Lazard]…
– The XSL variant: [Courtois, Pieprzyk, Asiacrypt ’02]
Consequence: systems that are overdefined, sparse, or both, turn out to be much easier to solve than expected.
Problem 1: Overdefined Systems
Most cryptographic security relies on the hardness of largely overdefined problems: much more information than necessary (a great many plaintexts, message/signature pairs, etc.).
• Public key cryptography: the solution is provable security: each use of the cryptographic scheme does not leak useful information.
• Secret key cryptography: yet little provable security. And it is here that the problems become the most overdefined: huge amounts of data encrypted with one key, fast hardware, etc.
Problem 2: Algebraic Sparsity
Many cryptographic schemes (for practical reasons) have a simple algebraic description.
Usually leads to a sparse system of equations.
• In software, large tables might be used…
• In hardware, the number of gates should be small, which gives a simple description with simple Boolean polynomials.
Problem 3: Linear Components
Linearity is commonly used for diffusion, sequence generation (LFSR) etc.
Still believed OK.
• Problem: preserves the degree of algebraic equations !!
The Role of Finite Fields, e.g. GF(2)
They allow any cryptographic problem to be encoded as a problem of solving Boolean equations.
Multiplicative Complexity
© Nicolas T. Courtois 2012
MC = Definition
• Every function can be represented as a number of multiplications + linear functions over a finite field/ring.
• We call MC (Multiplicative Complexity) the minimum number of multiplications needed.
Home reading: set of slides multcomp.pdf on Moodle.
The Role of NP-hard Problems
Guarantee “hardness” in the worst case.
Many are not that hard in practice…
• Many concrete problems can be solved.
• Multiple reductions allow to use algorithms that solve one problem to solve another.
Algebraization:
Theorem:
Every function over finite fields is a polynomial function.
[can be proven as a corollary of Lagrange’s interpolation formula]
False over rings!
E.g. false for T-functions.
Problem 4: Low Degree/Low Complexity
Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.”
Cf. Xuejia Lai, “Higher order derivatives and differential cryptanalysis” [1992].
Problem 4: Low Degree/Low Complexity
Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.”
Remark for LFSR-based stream ciphers: later we will see how to substantially LOWER the degree… I/O Relations, Algebraic Immunity, Annihilators, Courtois-Meier attack, etc…
Lai Essential Result
=> “every cipher which can be expressed by low degree polynomials is broken.”
=>so we can decrease the non-linear degree by summing different polynomials
Cube Attacks[Vielhaber, Dinur,Shamir’08]
“Trivial – ε Attacks”
Cube attacks are highly sophisticated, highly technical attacks BUT they achieve NOTHING more than breaking XX – ε rounds of a cipher, where XX – ε rounds is already broken by an attack which the crypto community considers excessively trivial.
Step By Step
Cube attack is about summing COMPLEX multivariate polynomials.
– most polynomials are never written down.
• Online phase, CPA => several concrete values added: 0+1+…
• Their sum polynomial depends on the key in a very simple way.
=> Gives simple equations on the key.
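The mechanism of the two slides above (Lai's “sum the polynomial over a cube and the degree drops”, then “the sum depends on the key in a very simple way”), as an added worked example written for this page and not taken from the slides or from any published cube-attack code. The “cipher” is a constructed toy: a random Boolean polynomial of degree 3 in 4 key bits and 4 IV bits, seen by the attacker only as an oracle. Summing it over a 2-dimensional IV cube leaves an affine superpoly in the key, which the offline phase reads off with 5 cube sums; the online phase then collects one linear equation per cube under the unknown key. A cube as large as the degree sums the key out entirely, which is Lai's observation in its purest form.

```python
import random
from itertools import combinations

# Constructed toy instance (not from the slides): the "cipher" output bit is a
# random Boolean polynomial of degree 3 in 4 secret key bits and 4 public IV bits.
N_KEY, N_IV, DEGREE = 4, 4, 3
# Monomials are bitmasks: bits 0..3 stand for key variables k_0..k_3, bits 4..7
# for IV variables v_0..v_3 (x^2 = x over GF(2), so square-free masks suffice).

def random_poly(degree, n_vars, rng):
    """Random Boolean polynomial of degree <= `degree` as a set of monomial masks."""
    return {m for m in range(1 << n_vars)
            if bin(m).count("1") <= degree and rng.randrange(2)}

def evaluate(poly, point):
    """Value at `point` (bitmask of the variables equal to 1): parity of the monomials that are 1."""
    return sum(1 for m in poly if m & point == m) & 1

def black_box(poly, key, iv):
    """All the attacker sees: one output bit per (key, IV) query."""
    return evaluate(poly, key | (iv << N_KEY))

def cube_sum(poly, key, cube):
    """Sum the oracle over the 2^|cube| values of the IV bits in `cube` (other IV bits 0).
    Summing over a cube is a higher-order derivative (Lai): every monomial missing a
    cube variable sums to 0, and what survives is the superpoly of the cube's product
    term, of degree at most DEGREE - |cube|."""
    total = 0
    for a in range(1 << len(cube)):
        iv = 0
        for k, b in enumerate(cube):
            if a >> k & 1:
                iv |= 1 << b
        total ^= black_box(poly, key, iv)
    return total

def recover_superpoly(poly, cube):
    """Offline phase (attacker picks the key): if the superpoly is affine, c + sum_i a_i k_i,
    then N_KEY + 1 cube sums (key 0, then each unit vector) give c and the a_i."""
    c = cube_sum(poly, 0, cube)
    coeffs = [cube_sum(poly, 1 << i, cube) ^ c for i in range(N_KEY)]
    return c, coeffs

def affine_value(c, coeffs, key):
    return c ^ (sum(a for i, a in enumerate(coeffs) if key >> i & 1) & 1)

def is_affine(poly, cube, c, coeffs):
    """Linearity check the attacker would run offline on random keys; exhaustive here."""
    return all(cube_sum(poly, key, cube) == affine_value(c, coeffs, key)
               for key in range(1 << N_KEY))

def online_attack(poly, secret_key, cubes):
    """Online phase (chosen IVs under the unknown key): each cube yields one linear
    equation sum_i a_i k_i = (cube sum) + c on the key bits."""
    equations = []
    for cube in cubes:
        c, coeffs = recover_superpoly(poly, cube)          # precomputed offline
        rhs = cube_sum(poly, secret_key, cube) ^ c         # 2^|cube| chosen-IV queries
        equations.append((coeffs, rhs))
    candidates = [k for k in range(1 << N_KEY)
                  if all(affine_value(0, coeffs, k) == rhs for coeffs, rhs in equations)]
    return equations, candidates

def demo(seed=7, secret_key=0b1011):
    rng = random.Random(seed)
    poly = random_poly(DEGREE, N_KEY + N_IV, rng)
    # cubes of dimension DEGREE-1 leave superpolys of degree <= 1: the "simple equations"
    cubes = list(combinations(range(N_IV), DEGREE - 1))
    equations, candidates = online_attack(poly, secret_key, cubes)
    # a cube as large as the degree sums the key out completely: constant superpoly
    _, full_coeffs = recover_superpoly(poly, tuple(range(DEGREE)))
    return {
        "monomials": len(poly),
        "all_affine": all(is_affine(poly, cube, *recover_superpoly(poly, cube)) for cube in cubes),
        "equations": equations,
        "candidates": candidates,
        "degree_cube_coeffs": full_coeffs,
    }

if __name__ == "__main__":
    print(demo())
```

With 6 cubes and 4 key bits the equations usually pin the key down to a handful of candidates; on a real cipher the same loop runs with cubes of tens of IV bits, and the linearity test on random keys is what decides whether a cube is usable at all.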
Cube Attacks Controversies [1]
Dan Bernstein: http://cr.yp.to/cubeattacks.html
• “Why haven't cube attacks broken anything?
• Cube attacks work well for random polynomials of small degree.
– Real-world ciphers, when viewed as polynomials, don't have small degree.
– Lai 1992 explains how to break every small-degree cipher;
– It seems to me that "cube attacks" are simply a reinvention of Lai's HO DC attack; if Dinur and Shamir had cited Lai's paper […] then they would have been forced to drop essentially all of their advertising.”
Actually it broke a VERY large number of rounds of Trivium.
*Cube Controversy [2]
Plagiarism:
– Dinur and Shamir DO/DID NOT credit Michael Vielhaber's "Algebraic IV Differential Attack" (AIDA) as a precursor of the Cube attack.
– Dinur stated at Eurocrypt 2009 that Cube generalises and improves upon AIDA.
– However, Vielhaber contends that the cube attack is no more than his attack under another name.
1. Finite Fields, Block Ciphers and AES
(2 separate files)
1.1. Block Ciphers and Algebraic Relations
How do We Attack AES ?
– Very ambitious…
• AES pushes the classical design principles (=high non-linearity) to their limits, optimality.
• Explore these limits. Look for pitfalls !
What About Block Ciphers ?
Q: Do these polynomial relations MATTER AT ALL
for Block Ciphers
(e.g. AES)?
Remark: they break a lot of stream ciphers very badly
YES !
Q: Do these polynomial relations MATTER AT ALL for Block Ciphers ?
YES, (at least for some of them…)
This Cipher is Broken for 1 M rounds!
F: Inverse in GF(2^n).
[Jakobsen-Knudsen FSE’97, Courtois AES’4]
***Bi-linear Cryptanalysis [Courtois Crypto’04]
***2. Weak Cipher Number 2:
Round function:
Very secure against all known attacks on block ciphers…, but broken for 1 M rounds !
***3. Another Insecure Cipher
64-bit Feistel cipher, 32-bit round function:
Looks very secure… Etc.
Broken for up to 2^16 rounds! [Courtois AES’4]
****4. Insecure Unbalanced Feistel Networks (e.g. SHA-x)
This one again looks very secure:
Again, broken for up to 2^16 rounds!
AES Structure and Design, Nicolas T. Courtois
October 2006
Wide Trail Strategy (WTS)
Assures very good diffusion; proposed by the designers of AES.
• The “approximation” attacks:
– Deadly. Forces one to approximate a great many S-boxes at the same time. AES is very secure against LC/DC.
– WTS probably kills all these insecure ciphers that are very special…
• The “exact algebraic” approach:
– Combine relations true with probability 1.
– The wide trail strategy still plays a huge role in practice/theory.
*AES Under Attack
Controversial Paper [Asiacrypt ’02 / eprint]
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
Nicolas T. Courtois, Advanced Crypto Research, Axalto Smart Cards, France
Josef Pieprzyk, Center for Advanced Computing - Algorithms and Cryptography, ICS, Macquarie University, Australia
Echoes in the Press
Bruce Schneier, Crypto-Gram [the world’s No. 1 crypto/security newsletter]:
“AES News
AES may have been broken […], there's no need to panic. Yet. But there might be soon […]
[…] These are amazing results. […]
Many cryptographers who previously felt good about AES are having second thoughts […]”
*Echoes in the Press
New Scientist (the world’s largest-circulation science magazine), 27 Sept. 2002:
*Cover Page of New Scientist [image not reproduced]
XSL Ciphers
[figure: rounds made of an S-box layer S, a key XOR X with round key K_i, and a linear layer L]
The so-called “XSL Attack” and AES
“XSL is not an attack, it is a dream“
Vincent Rijmen, AES designer
not a very efficient attack, a sort of scientific research programme…
XSL Attacks - Summary
Algebraic attacks on block ciphers work in 3 stages:
1. Write good equations – overdefined, sparse or both.
2. Expand – to obtain a very overdefined system.
3. Final "in place" elimination method – completely solve.
Two versions of the Courtois-Pieprzyk paper:
• The original paper is on eprint.iacr.org/2002/044 (archive, not updated anymore): “First XSL attack”, “Second XSL attack”. The most powerful versions.
• Asiacrypt ’02: “Compact Version of the First XSL Attack”. The most general, least powerful, simpler and easier to study.
**Reinvent it in 2015
Algebraic attacks on block ciphers today:
1. Write good equations – overdefined, sparse or both.
• LESS TRIVIAL than expected [new tricks: higher degree, add variables, etc.].
2. Expand – avoid / minimise impact of…
3. Final "in place" deduction / inference / elimination method.
• ElimLin alone and the T’ method. Amazingly powerful.
• New tools [SAT solvers]. Amazingly powerful.
Part 1.
1. Find good equations, such that:
equations / monomials ≈ 1/4 or so…
Part 2.
2. Expand to a very overdefined system, close to saturation:
free equations / monomials ≈ close to 1
Part 3.
3. Final step – achieve complete saturation, giving the key bits:
free equations / monomials = exactly 1
AES
• Won 2000 NIST vote.
• Serpent was second.
Unbelievable Security
Most people think: it is easy to achieve 2^256, just mix sufficiently many strange functions… Security grows exponentially in the number of rounds…
Our claim: it is hard to achieve the security level of 2^256.
Moore’s Law
The computing power of 2^256 will not be available before year 2200.
Until then, so much higher mathematics and so much better methods of cryptanalysis will be found…
Guess: all cryptosystems that claim today the security level of 2^256 will be broken by then.
Part 1.
1. Find good equations, such that:
equations / monomials ≈ 1/4 or so…
MQ Problem
Find a solution to a system of m quadratic equations with n variables over a field/ring.
MQ Problem
Find a solution (at least one), i.e. find (x_0, …, x_{n-1}) such that:
Who cares about MQ?
Known applications of MQ
Multivariate schemes such as UOV, HFE, Quartz and Sflash are based on MQ.
• In usual applications, nobody is using these new schemes. But:
• About the only solutions known for specific applications: very short signatures with Quartz, fastest signatures in the world with Sflash [cf. PKC 2003].
Surprising applications of MQ
Claim: 90 % of all applied cryptography is based on MQ.
1. RSA is based on MQ with m=1 and n=2: factoring N reduces to solving x^2 = y^2 mod N (with x ≠ ±y).
2. Rijndael is based on MQ?
Rijndael S-boxes
(y_1, …, y_8) = S(x_1, …, x_8).
Theorem: For each S-box there are r = 39 quadratic equations with 16 variables x_i and y_i that are true with probability 1.
Overdefined MQ system, 39 >> 8.
Origin of the equations
(cf. cryptanalysis of Matsumoto-Imai by J. Patarin, Crypto ’95)
With y = x^{-1} in GF(2^8) (and 0 ↦ 0), and since squaring is GF(2)-linear, each relation below gives equations of degree 2 in the bits of x and y:
$x \neq 0 \Rightarrow x\,y = 1$ : 7 equations (7 of the 8 bit-equations hold with probability 1, the case x = 0 included)
$x^2 y = x$ : 8 equations
$x\,y^2 = y$ : 8 equations
$x^4 y = x^3$ : 8 equations
$x\,y^4 = y^3$ : 8 equations
Total: 39 quadratic equations, of which 23 (the first three groups) are bi-linear.
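The theorem and the table of relations above can be checked by machine. The following is an added example written for this page, not the authors' software: it rebuilds the Rijndael S-box from the GF(2^8) inverse and the affine map, verifies the five relations of the slide on all 256 inputs, and counts r directly as the dimension of the space of polynomials of degree ≤ 2 in the 16 input/output bits that vanish on the whole S-box graph, i.e. 137 monomials (1, 16 linear, 120 quadratic) minus the GF(2) rank of the 256×137 evaluation matrix. Restricting the monomials to 1, x_i, y_j and x_i·y_j gives the bi-affine count.

```python
from itertools import combinations

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 is sent to 0, as in Rijndael."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def rijndael_sbox(x):
    """Inversion followed by Rijndael's GF(2)-affine map with constant 0x63."""
    y = gf_inv(x)
    out = 0
    for i in range(8):
        bit = ((y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8))
               ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8)) ^ (0x63 >> i))
        out |= (bit & 1) << i
    return out

def patarin_relations_hold():
    """The slide's relations for y = x^-1, checked on all 256 inputs (x*y = 1 only for x != 0)."""
    for x in range(256):
        y = gf_inv(x)
        x2, y2 = gf_mul(x, x), gf_mul(y, y)
        x3, y3 = gf_mul(x2, x), gf_mul(y2, y)
        x4, y4 = gf_mul(x2, x2), gf_mul(y2, y2)
        if x and gf_mul(x, y) != 1:
            return False
        if gf_mul(x2, y) != x or gf_mul(x, y2) != y:
            return False
        if gf_mul(x4, y) != x3 or gf_mul(x, y4) != y3:
            return False
    return True

def rank_gf2(rows):
    """Rank over GF(2) of a matrix given as int rows (bit k of a row = column k)."""
    pivots = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]
    return len(pivots)

def count_relations(sbox, n=8, biaffine_only=False):
    """r = number of linearly independent equations of degree <= 2 in the input bits
    x_0..x_{n-1} (variables 0..n-1) and output bits y_0..y_{n-1} (variables n..2n-1)
    that hold for every input: the right kernel of the evaluation matrix (one row per
    input, one column per monomial) has dimension #monomials - rank."""
    var = list(range(2 * n))
    monos = [()] + [(i,) for i in var] + list(combinations(var, 2))
    if biaffine_only:                        # keep 1, x_i, y_j and x_i*y_j only
        monos = [m for m in monos if len(m) < 2 or (m[0] < n <= m[1])]
    rows = []
    for x in range(1 << n):
        y = sbox(x)
        bits = [(x >> i) & 1 for i in range(n)] + [(y >> i) & 1 for i in range(n)]
        rows.append(sum(1 << k for k, m in enumerate(monos) if all(bits[v] for v in m)))
    return len(monos) - rank_gf2(rows)

def demo():
    return {
        "inverse_quadratic": count_relations(gf_inv),
        "inverse_biaffine": count_relations(gf_inv, biaffine_only=True),
        "rijndael_quadratic": count_relations(rijndael_sbox),
        "rijndael_biaffine": count_relations(rijndael_sbox, biaffine_only=True),
    }

if __name__ == "__main__":
    print(patarin_relations_hold(), demo())
```

The affine layer does not change either count, since an affine change of the y variables maps quadratic (and bi-affine) relations to relations of the same kind; passing any other 8-bit S-box as `sbox` gives its r for comparison with the table on the next slide.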
Optimal S-boxes? [Anne Canteaut, Marion Videau, Eurocrypt 2002]:
Optimal for linear, differential and high-order differential attacks.
We do not know any worse S-box in terms of r.
Power x^k, k =             | -1 | 3  | 7  | 5
Equations / S-box, r =     | 39 | 39 | 24 | 34
Reduction Rijndael → MQ
Rijndael 128 bit: recovering the secret key can be rewritten as MQ: 8000 quadratic equations with 1600 variables over GF(2).
But how to solve it?
Part 2.
2. Expand to a very overdefined system, close to saturation:
free equations / monomials ≈ close to 1
Simple Explanation of How
XL Algorithm Works
How to expand ? The XL idea:
Multiplying the equations
by one or several variables.
XL means…
• eXtended Linearisation
• Multiply (X) and Linearise
• eXpansion in the ideaL spanned by the equations…
• doing things like x_1 · l_3
• etc…
XL Algorithm, F4, F5, etc…
• [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000]
• [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [J.M. Chen and Bo-Yin Yang papers]
• [Old papers by Lazard], [Buchberger algorithm and Gröbner bases], [F4, F5, F5/2 by Faugère] etc… [Magali Bardet and Gwenolé Ars work], etc…
• Asiacrypt 2004: [Claus Diem], [Gwenolé Ars, Jean-Charles Faugère, Makoto Sugita, Mitsuru Kawazoe, Hideki Imai].
XL is about the best general attack we know for MQ. Designed for systems that are overdefined.
For 128-bit Rijndael: 2^330.
The principle of XL:
Multiply the initial equations by low-degree monomials: a quadratic equation multiplied by one variable becomes an equation of degree 3.
The idea of XL:
Multiply equations by low-degree monomials.
• Count new equations: R
• Count new monomials present: T
One term can be obtained in many different ways, T grows slower than R.
How XL works:
Initial system: m equations and about n^2/2 terms.
Multiply each equation by a product of any D-2 variables:
• Equations: R
• Terms: T
Idea: one term can be obtained in many different ways, T grows more slowly than R.
Necessary condition: R/T > 1, which gives D.
If sufficient, the complexity of XL would be about T^ω (one linear algebra step on T columns).
Sub-exponential? Not true!
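The counting behind this slide, written out (an added derivation, not on the slide; it uses the slide's $m$, $n$, $D$, $R$, $T$ and follows the estimate of the Eurocrypt 2000 XL paper cited earlier):

Multipliers are the products of $D-2$ distinct variables, $\binom{n}{D-2} \approx \frac{n^{D-2}}{(D-2)!}$ of them, and the linearized unknowns are the monomials of degree $\le D$, dominated by degree exactly $D$:
$$R \approx m\binom{n}{D-2} \approx m\,\frac{n^{D-2}}{(D-2)!}, \qquad T \approx \binom{n}{D} \approx \frac{n^{D}}{D!}.$$
Linearization needs at least as many independent equations as terms, $R/T \ge 1$:
$$m\,\frac{n^{D-2}}{(D-2)!} \;\ge\; \frac{n^{D}}{D!} \iff D(D-1) \;\ge\; \frac{n^{2}}{m} \iff D \approx \frac{n}{\sqrt{m}}.$$
If the $R$ products were linearly independent, the cost would be one elimination on $T$ columns,
$$T^{\omega} \approx \left(\frac{n^{D}}{D!}\right)^{\omega} \quad\text{with}\quad D \approx \frac{n}{\sqrt{m}},$$
which for $m = n$ gives $D \approx \sqrt{n}$ and looks sub-exponential in $n$. The catch (“Not true!”) is the independence assumption: for $D \ge 4$ products such as $f_i \cdot f_j$ and $f_j \cdot f_i$, and other trivial syzygies, make many of the $R$ rows dependent, so the degree actually needed is larger and XL stays exponential on generic systems (cf. the Diem and Ars–Faugère–Imai–Kawazoe–Sugita analyses cited above).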
XL will always work
Theorem: Over any small finite field GF(q), when D > q and the field equations x_i^q = x_i can be included, XL always does work, for ANY SYSTEM OF EQUATIONS (worst case).
See: Jacques Patarin and Nicolas Courtois: About the XL algorithm over GF(2), CT-RSA 2003, April 2003, San Francisco.
XL works quite well
The behaviour of XL
It is possible to predict the exact number of linearly independent equations in XL.
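To make R, T and the rank (the slides' Free) concrete, an added toy implementation of XL over GF(2), written for this page and not the authors' code. A random overdefined quadratic system with a planted root is constructed, every equation is multiplied by every monomial of degree ≤ D−2, the products are linearized and row-reduced, and D is raised until the echelon basis contains x_i + constant for every variable. The field equations x_i² = x_i are built into the monomial representation (bitmasks), and the loop is allowed to reach D = n+2 so that the multipliers cover all monomials, where the span is the whole ideal and a unique root is always read off.

```python
import random
from math import comb

# Boolean polynomials over GF(2) with x_i^2 = x_i built in: a monomial is the
# bitmask of its variables, a polynomial is a frozenset of monomials (XOR-sum).

def evaluate(poly, point):
    return sum(1 for m in poly if m & point == m) & 1

def multiply(poly, mono):
    """Polynomial times monomial: bitwise OR per term (x_i^2 = x_i); terms that
    collapse onto the same monomial cancel in characteristic 2."""
    out = set()
    for m in poly:
        out ^= {m | mono}
    return frozenset(out)

def monomials(n, d):
    """All square-free monomials in n variables of degree <= d (for d >= n: all 2^n)."""
    return [m for m in range(1 << n) if bin(m).count("1") <= d]

def brute_force(polys, n):
    return [p for p in range(1 << n) if all(evaluate(f, p) == 0 for f in polys)]

def random_mq_system(n, m, rng):
    """Constructed instance: m random quadratic equations in n variables with a
    planted root, regenerated until that root is the only one."""
    while True:
        root = rng.randrange(1 << n)
        polys = []
        for _ in range(m):
            f = {mono for mono in monomials(n, 2) if mono and rng.randrange(2)}
            if evaluate(f, root):
                f ^= {0}              # fix the constant term so that root is a zero
            polys.append(frozenset(f))
        if brute_force(polys, n) == [root]:
            return polys, root

def xl_counts(n, m, D):
    """The slides' R (products) and T (monomials) for XL at degree D."""
    R = m * sum(comb(n, k) for k in range(D - 1))      # multipliers of degree <= D-2
    T = sum(comb(n, k) for k in range(D + 1))          # monomials of degree <= D
    return R, T

def xl_expand(polys, n, D):
    """XL step: multiply every equation by every monomial of degree <= D-2 and
    linearize. Columns are ordered so that 1 is bit 0 and x_i is bit i+1."""
    cols = sorted(monomials(n, D), key=lambda t: (bin(t).count("1"), t))
    col = {t: k for k, t in enumerate(cols)}
    rows = [sum(1 << col[t] for t in multiply(f, mult))
            for f in polys for mult in monomials(n, D - 2)]
    return cols, rows

def echelon(rows):
    """Gaussian elimination over GF(2); pivot = highest set bit, so high-degree
    monomials are eliminated first. len(result) is the rank (the slides' Free)."""
    pivots = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]
    return pivots

def read_root(pivots, n):
    """If the basis contains x_i + (lower terms) for every i, back-substitute."""
    if 0 in pivots:
        raise ValueError("inconsistent system: 1 is in the span")
    root = 0
    for i in range(n):
        row = pivots.get(i + 1)
        if row is None:
            return None               # x_i not yet determined at this degree
        val = row & 1                 # constant term
        for j in range(i):            # lower variables, already solved
            if row >> (j + 1) & 1:
                val ^= root >> j & 1
        root |= val << i
    return root

def xl_solve(polys, n):
    """Raise D until linearization determines every variable; returns
    (D, R, T, rank, root). At D = n+2 every monomial is a multiplier, the span
    is the whole ideal, and a unique root is certainly found by then."""
    for D in range(2, n + 3):
        cols, rows = xl_expand(polys, n, D)
        pivots = echelon(rows)
        root = read_root(pivots, n)
        if root is not None:
            return D, len(rows), len(cols), len(pivots), root
    raise AssertionError("unreachable for a system with exactly one root")

def demo(n=8, m=20, seed=1):
    polys, planted = random_mq_system(n, m, random.Random(seed))
    D, R, T, rank, root = xl_solve(polys, n)
    return {"D": D, "R": R, "T": T, "rank": rank, "root": root, "planted": planted,
            "counts_match": (R, T) == xl_counts(n, m, D),
            "all_zero": all(evaluate(f, root) == 0 for f in polys)}

if __name__ == "__main__":
    print(demo())
```

Because a root exists, every row vanishes there and the rank can never exceed T−1; how far below T−1 it lands at a given D is exactly the linear-dependency question of the next slides.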
Applying XL to Rijndael
1. Makes little sense: XL is a tool for dense systems of equations…
Except if there are “degree falls”: some combinations of unusually low degree, cf. HFE attacks…
Known attacks on AES
1. Combinatorial attacks: Square attack [Rijmen-Daemen], multiset attacks [Shamir, Biryukov] – only for a few rounds…
2. Approximation attacks: differential/linear, interpolation attack, etc… The security grows exponentially with the number of rounds Nr! (and so does the required number of plaintexts).
From XL to “XSL”
“XSL is not an attack, it is a dream“
Vincent Rijmen, AES designer
Pure theory ?
XL: astronomical complexity
Remark: Our system of 8000 quadratic equations with 1600 variables
is not a general MQ system.It is sparse,
there must be a better method !!!
The XL idea:
Multiplying the equations
by one or several variables.
The XSL variant:
Multiplying the equations
by one or several monomials (out of monomials present).
XSL Algorithm
Main idea: in a sparse system R/T at the beginning is already much bigger than in a random system.
Step 1: Optimise sparsity: one variable for each input and each output bit of each S-box.
Step 2: Multiply by selected monomials: if we multiply by products of existing terms, each resulting term will be obtained several times, thus R/T will be the biggest possible.
Naive XSL Attack (on block ciphers)
Each S-box: r equations, t terms. Multiply each equation by products of P-1 terms from other S-boxes.
S = number of S-boxes in the cipher.
• Equations: R (mainly these products)
• Terms: T
Result: R/T ≈ P · r/t, so R/T ≥ 1 requires P ≥ t/r.
The Complexity of the Naive XSL Attack
≈ ( (Block size)^{O(t/r)} · (Nb. of rounds)^{O(t/r)} )^ω
Polynomial with a huge constant (t/s)^{t/r}, depending only on the S-box parameters (s = S-box width in bits, t = terms, r = equations).
• For a random S-box, this constant is double-exponential in s.
• For the Rijndael S-box, it is simply exponential in s.
Less Naive XSL Attack
Over-counting problem: it can be shown that an important part of the equations in R are not linearly independent. Only at most R = t^P − (t−r)^P of these equations are linearly independent. Probably a bit less, but not much less.
Saturation problem: simulations show that the number Free of linearly independent equations is never very close to T, and for P=2, as the number of rounds Nr grows, we have Free ≈ 96.59 % T.
How to solve the system when T − Free is big?
Part 3.
3. Final step – achieve complete saturation, giving the key bits:
free equations / monomials = exactly 1
The T’ Method [Courtois 2002]
Let x_1 be a variable. Let T’ = number of terms that can be multiplied by x_1 and still belong to the set of terms in T.
Claim: If Free > T−T’ then the system can be solved in about T^ω:
• Each term in T is expressed as a linear combination of terms only in T’.
• We obtain one or more equations containing only the terms of T’.
• We do the same with respect to x_2 (2 variables are probably enough).
• Multiply the exceeding equations of the first system by x_1.
• We obtain new linearly independent equations, the rank grows!
• Early simulations show that this heuristic works very well.
• Transfer the new equations to the other system(s), i.e. eliminate all terms that cannot be multiplied by x_2, so that only terms of T’ for x_2 remain.
• After at most T’ steps we expect to achieve Free = T−1 or so…
• It seems that the complexity of the whole is essentially T^ω.
An Example of the T’ Method
Let n = 5 variables; therefore T = 16 and T' = 10.
We start with a random system that has exactly one solution, with Free > T−T' and with 2 “exceeding” equations, i.e. Free = T−T'+2.
Here is a system in which T' is defined with respect to x_1:
T’ Method contd.
Here is the same system in which T' is defined for x_2:
The two systems allow us to “transfer” an “exceeding” equation from one representation to another in T’^2 operations.
A kind of iterative decoding…
T’ Method contd.
Back to the first system in which T' is defined for x_1:
We have rank = 8.
Multiply the 2 “exceeding” equations of the first version by x_1.
Miracle: we have rank = 10. New linearly independent equations!
T’ Method contd.
Now we have 4 “exceeding” equations (two old and two new).
Transfer them to the second system.
Then multiply them by x_2:
We are not lucky, the second equation is invariant. Still we get 3 new linearly independent equations and rank = 13.
T’ Method contd.
We rewrite the 3 new equations with terms that can be multiplied by x_1.
Still rank = 13. We multiply them by x_1:
We have rank = 14, one more linearly independent equation.
We rewrite the first equation with terms that can be multiplied by x_2.
T’ Method contd.
We still have rank = 14.
Then we multiply the new equation by x_2.
We get another new linearly independent equation. We have rank = 15. The rank is the maximum that can be achieved: there are 15 non-zero monomials here, and rank = 16 can only be achieved for a system that is contradictory.
We expect that the number of additional equations in the T' method grows quickly.
Remarks on the T’ Method
Theorem [Coppersmith 2002, never published]: the T’ method cannot work with only a few “special variables”. Use all of them!
Remarks on the T’ Method
Even in this case, the complexity is multiplied only by n, a small factor compared to T^ω.
For example n = 2^11 and T^ω = 2^87. Moderate increase, AES would still be broken.
My simulations show that the T’ method works very well… which is in fact very surprising…!
Application of the T’ trick
If Free > T−T’ then the system can be solved in about T^ω.
For AES-256, we obtain for P=5: R/(T−T’) = 1.0005. Then T = 2^96 and T’ = 2^90.
Consequence: if Free > 99.4 % T, then AES-256 is broken in about 2^203.
Current simulations on a toy cipher give rather Free ≈ 96.59 % T, apparently a size-independent constant! Different constant for Rijndael? To be seen.
For example when P=7, we have R/(T−T’) = 1.004, but then XSL gives 2^278, more than exhaustive search.
CTC = “Courtois Toy Cipher” [eprint]
• 3-bit S-boxes.
• Diffusion: permuting wires (as DES P-box !).
• 1,2,4,8,… S-boxes per round.
• 1,2,3,…,10,…,30,… rounds.
• Key size == Block size.
• Simple key schedule: bit permutation (as in DES !)
Equations – From a Real Example
X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1
X[0][1]*X[0][3]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][1]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][2]+Z[0][2]+Z[0][1]+X[0][3]
X[0][2]*X[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][1]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]
X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1
X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]
X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]
X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]
Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]
X[1][1]*X[1][2]+Z[1][1]+X[1][3]+X[1][2]+X[1][1]+1
X[1][1]*X[1][3]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][1]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][2]+Z[1][2]+Z[1][1]+X[1][3]
X[1][2]*X[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][1]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][2]+X[1][1]*Z[1][3]+X[1][1]
X[1][2]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][1]+X[1][3]+X[1][2]
X[1][3]*Z[1][1]+X[1][1]*Z[1][3]+Z[1][3]+Z[1][1]
X[1][3]*Z[1][2]+Z[1][3]+Z[1][1]+X[1][3]+X[1][1]
X[1][3]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][2]+X[1][2]+X[1][1]
Z[1][1]*Z[1][2]+Z[1][3]+X[1][1]
Z[1][1]*Z[1][3]+Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1
Z[1][2]*Z[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][3]+X[1][1]
…
1+X[0][1]=k_0
1+X[0][2]=k_1
1+X[0][3]=k_2
1+X[1][1]=k_3
1+X[1][2]=k_4
1+X[1][3]=k_5
Z[0][3]+X[2][1]=k_1
Z[1][1]+X[2][2]=k_2
Z[1][2]+X[2][3]=k_3
Z[1][3]+X[3][1]=k_4
Z[0][1]+X[3][2]=k_5
Z[0][2]+X[3][3]=k_0
Z[2][3]+1=k_2
Z[3][1]+1=k_3
Z[3][2]+1=k_4
Z[3][3]+1=k_5
Z[2][1]+0=k_0
Z[2][2]+1=k_1
1. Quadratic (for each S-box)
2. Linear (connecting S-boxes via key vars)
More Equations: XSL expansion
If L1 denotes X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1, we have:
L1*1
L1*X[1][1]
L1*X[1][2]
L1*X[1][3]
L1*Z[1][1]
L1*Z[1][2]
L1*Z[1][3]
L1*X[1][1]*Z[1][1]
L1*X[1][1]*Z[1][2]
L1*X[1][1]*Z[1][3]
L1*X[1][2]*Z[1][1]
L1*X[1][2]*Z[1][2]
L1*X[1][2]*Z[1][3]
…
L56*k_0
L56*k_1
L56*k_2
L56*k_3
L56*k_4
L56*k_5
If L57 denotes 1+X[0][1]=k_0
we have:
L57*1
L57*X[0][1]
L57*X[0][2]
L57*X[0][3]
L57*Z[0][1]
L57*Z[0][2]
L57*Z[0][3]
L57*X[0][1]*Z[0][1]
L57*X[0][1]*Z[0][2]
L57*X[0][1]*Z[0][3]
…
L57*k_1
L57*k_2
L57*k_3
L57*k_4
L57*k_5
3. Part R (each S-box equation × some existing monomial)
4. Part R’ (linear equation × some existing monomial)
How to finish?
• Initial proposal: T’ method.
– Works very well in practice, but needs to be run many times (each time the rank increases).
• Alternatives:
– use Gröbner bases.
– better alternatives:
• SAT solvers,
• ElimLin.
5. New Equations: The T’ method
Example of how the rank grows (4 S-boxes):
7329 + 28, 7329 + 52, 7329 + 56, 7329 + 96, 7329 + 147, 7329 + 165, 7329 + 172, 7329 + 173, 7329 + 174.
A unique solution found in 249.7 seconds.
***Will the T’ method suffice?
Free/(T−T’) – XSL expected to work for up to 16 rounds.
Maybe…
****Less Naive XSL Attack
• Over-counting problem: now assume R = t^P − (t−r)^P.
• Saturation problem: use the T’ method.
Complexity of the Less Naive XSL
Very surprisingly, more realistic formulas give results very similar to the naive version: ( (Block size)^{O(t/r)} · (Nb. of rounds)^{O(t/r)} )^ω
Is XSL polynomial with a huge constant? Not sure at all. Simulations show that P will rather increase (slowly) with Nr.
Algebraic Attacks on Block, Stream Ciphers
2001-2015114
Summary:
XSL takes advantage of the fact that the equations are overdefined and sparse. Expected (at least) to work better than XL.
For 128-bit Rijndael the XSL claimed complexity was at least 2^230.
Is AES 256 bits broken ?
For AES-256, XSL seems to give 2^203
(the version on eprint, with cubic equations).
Not proven, based on heuristic assumptions:
Remark 1
People naively believe that XSL does not work well…
The truth: nobody knows !
Remark 2:
We know MUCH BETTER algebraic attacks on block ciphers today.
Murphy and Robshaw Variant
[Murphy, Robshaw, Crypto 2002, see Section 6, added after they read our paper].
They write an equivalent system of MQ equations, but over GF(2^8).
Much more sparse than over GF(2).
For AES 128 bits, it seems that XSL could solve such a system in as little as 2^100…
AES-128 broken in 2^88 ?
Gwenolé Ars PhD thesis [June 2005]: The author presents an attack in 2^88 that might “maybe” work… (?????)
Papers on XSL and AES
• The original paper (archive, not updated anymore) is available on eprint.iacr.org/2002/044 : “First XSL attack”, “Second XSL attack”. The most powerful version.
• Asiacrypt 2002: the so called “Compact Version of the First XSL Attack”. The most general version of the XSL attack, least powerful, simpler and easier to study.
Some software and tools: Do check: www.cryptosystem.net/aes/
Algebraic Attacks on Block Ciphers
© Nicolas T. Courtois, 2006-2011
Fast Algebraic Attacks On Block Ciphers
Fast Algebraic Attacks on Block Ciphers
Definition [informal on purpose] Methods to lower the degree of equations that appear throughout the computations… [e.g. max deg in F4] (more generally need to substantially lower the memory requirements of algebraic attacks compared to their running time).
Very rich galaxy of attacks to be studied in the next 20 years…
How to lower the degree ?
• by having several P/C pairs (bigger yet much easier !)
• by CPA, CPCA, etc…
• by fixing internal variables (Guess-then-Algebraic).
• by finding [approximate] equations on bigger blocks
– by interpolation [cf. W. Meier’s talk]
– by guessing equations that have strong bias
• Linear-Algebraic or Bi-Linear-Algebraic Cryptanalysis
• Differential-Algebraic.
• by clever choice of representation
• by introducing new variables (oh yes !)
• by having a larger key
• new tricks to be invented ?
cumulative effect !!!
How to Evaluate the Quality of Alg. Attacks
Compare ONLY to other similar attacks:
• Straightforward algebraic approach. Write + solve.
• Other attacks that work given VERY SMALL quantity of plaintexts.
• NEVER compare to DC/LC etc. Doesn’t make sense. Two independent areas of research that have no intersection.
– Both allow us to write 100s of papers but do not expect to break 3DES or AES tomorrow morning.
Solving Methods
Solver Software
Fact
In 2005-2006 huge progress has been made.
• Up to 510 S-boxes broken on a laptop: fast algebraic attacks on block ciphers <= cumulative effect of improvements in many directions.
What’s New
The biggest discoveries in Science are the simplest.
3.3. ElimLin – The Most Surprising
Complete description:
• Find linear equations in the linear span.
• Substitute, and repeat.
Amazingly powerful, (Surprisingly) VERY HARD TO IMPLEMENT:
• Heuristics to preserve sparsity. Local optimization.
• Data Representation and Memory Management vs. Speed.
3.3. ElimLin – Remark:
In a way it is:
An ultra-light and super-simplified
version of F4 operating at “degree 1.05” or “2.01”
(makes sense: relatively small number of higher-degree monomials, and certain types of monomials much more likely to ever appear).
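The XSL expansion (multiply each equation by existing monomials), the rank growth of the T’ method and the ElimLin loop (find linear equations in the linear span, substitute, repeat) can all be watched on a toy system. The Python below is an added example written for this page, not code from the slides or from Courtois’s tools: it builds a small overdefined system of sparse random quadratic equations over GF(2) with a known secret (constructed data standing in for the S-box equations of a toy cipher), applies the degree-3 XL step (every equation multiplied by 1 and by every variable, the T part of XSL without the S-box-wise restriction on multipliers), and then runs ElimLin on the result, so plain ElimLin can be compared with ElimLin after expansion. The numbers of variables and equations, the sparsity and the random seed are arbitrary choices.

```python
"""XL-style expansion followed by ElimLin on a toy overdefined quadratic system over GF(2).

A polynomial is a Python set of monomials; a monomial is an int bitmask of the variables
it contains (bit i set <=> x_i divides it; mask 0 is the constant 1). Coefficients are
in GF(2), so adding two polynomials is set symmetric difference. Added example, not code
from the slides or from Courtois's tools; sizes, sparsity and seed are arbitrary choices.
"""
import random
from itertools import combinations


def mul(p, q):
    """Product of two polynomials; x_i^2 = x_i, so a product monomial is a bitwise OR."""
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}
    return r


def evaluate(p, point):
    """Value of p at `point`, a bitmask of the variables that equal 1."""
    return sum(1 for m in p if m & point == m) & 1


def degree(m):
    return bin(m).count("1")


def random_system(n, m, secret, terms=6, seed=1):
    """m sparse random quadratic equations in n variables vanishing at `secret`
    (constructed data standing in for the S-box equations of a toy cipher)."""
    rng = random.Random(seed)
    monos = [1 << i for i in range(n)]
    monos += [(1 << i) | (1 << j) for i, j in combinations(range(n), 2)]
    system = []
    for _ in range(m):
        p = set(rng.sample(monos, terms))
        if evaluate(p, secret):
            p ^= {0}                      # fix the constant so that p(secret) = 0
        system.append(p)
    return system


def xl_expand(system, n):
    """XL at degree 3: keep each equation and add its product with every variable
    (the T part of XSL, without restricting the multipliers to other S-boxes)."""
    return list(system) + [mul(p, {1 << i}) for p in system for i in range(n)]


def linear_equations(system):
    """Gaussian elimination with monomials ordered by degree, highest degree first.
    Basis rows whose leading monomial has degree <= 1 are linear polynomials lying in
    the linear span of the system, and they span all such polynomials."""
    monos = sorted({m for p in system for m in p}, key=lambda m: (degree(m), m))
    col = {m: k for k, m in enumerate(monos)}   # higher degree -> higher bit
    basis = {}
    for p in system:
        r = sum(1 << col[m] for m in p)
        while r:
            lead = r.bit_length() - 1
            if lead in basis:
                r ^= basis[lead]
            else:
                basis[lead] = r
                break
    return [{monos[b] for b in range(r.bit_length()) if r >> b & 1}
            for lead, r in basis.items() if degree(monos[lead]) <= 1]


def substitute(p, j, linform):
    """Replace x_j by the linear polynomial `linform` everywhere in p."""
    bit = 1 << j
    r = set()
    for m in p:
        r ^= mul({m & ~bit}, linform) if m & bit else {m}
    return r


def elimlin(system, n):
    """ElimLin: find linear equations in the span, substitute them, repeat until none
    appear. Returns ({variable: value} for every variable determined, #iterations)."""
    system = [set(p) for p in system]
    eliminated = []                    # (variable, linear form it equals), in order
    iterations = 0
    while True:
        lin = linear_equations(system)
        if not lin:
            break
        iterations += 1
        for idx, e in enumerate(lin):
            if not e:
                continue
            if e == {0}:
                raise ValueError("inconsistent system: 1 = 0")
            piv = max(m for m in e if m)           # eliminate the highest variable
            j, form = piv.bit_length() - 1, e ^ {piv}
            system = [q for q in (substitute(p, j, form) for p in system) if q]
            for k in range(idx + 1, len(lin)):
                lin[k] = substitute(lin[k], j, form)
            eliminated.append((j, form))
    values = {}                        # back-substitute in reverse order of discovery
    for j, form in reversed(eliminated):
        needed = {b for m in form for b in range(n) if m >> b & 1}
        if needed <= set(values):
            values[j] = evaluate(form, sum(1 << v for v, bit in values.items() if bit))
    return values, iterations


def demo(n=8, m=16, seed=1):
    """Plain ElimLin on the quadratic system versus ElimLin after the XL expansion."""
    secret = random.Random(seed).getrandbits(n)
    system = random_system(n, m, secret, seed=seed)
    plain_values, _ = elimlin(system, n)
    xl_values, iterations = elimlin(xl_expand(system, n), n)
    recovered = sum(1 << j for j, b in xl_values.items() if b)
    return secret, recovered, len(xl_values), len(plain_values), iterations


if __name__ == "__main__":
    secret, recovered, solved, plain_solved, its = demo()
    print(f"secret={secret:08b} recovered={recovered:08b}: {solved}/8 variables after XL+ElimLin "
          f"({its} iterations); plain ElimLin determined {plain_solved}")
```

The degree ordering inside `linear_equations` is what makes the intersection of the linear span with the degree-1 polynomials fall out of a single elimination; each ElimLin iteration removes one variable per linear equation found, which is the rank growth the T’ slide illustrates on a real instance.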
3.4. ANF-to-CNF - The Outsider
Before we tried, we never believed it could work…
Convert MQ to a SAT problem.
(both are NP-hard problems)
3.4. ANF-to-CNF - The Outsider
Principle 1: each monomial = one dummy variable.
d+1 clauses for each degree d monomial
Also
Principle 2: Handling XORs – Not obvious. Long XORs known to be hard problems for SAT solvers.
• Split longer XORs in several shorter with more dummy variables.
• About 4h clauses for an XOR of size h.
ANF-to-CNF
This description is enough to produce a working version.
Space for non-trivial optimisations. See: Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson:
“Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers”.
Ready Software
Several ready programs to perform this conversion are made available on this web page:
www.cryptosystem.net/aes/tools.html
Solving SAT
What are SAT solvers?
Heuristic algorithms for solving SAT problems.
• Guess some variables.
• Examine consequences.
• If a contradiction is found, add a new clause saying “in this set of constraints one is false”.
Very advanced area of research.
Introduction for “dummies”: Gregory Bard PhD thesis.
MiniSat 2.0.
Winner of SAT-Race 2006 competition.
An open-source SAT solver package, by Niklas Eén, Niklas Sörensson,
Later improved A LOT by Mate Soos
=> CryptoMiniSat 2.9.X
Ready Software for Windows
Several ready programs to solve SAT problems are also available on the same web page:
www.cryptosystem.net/aes/tools.html
ANF-to-CNF + MiniSat 2.0.
Gives amazing results in algebraic cryptanalysis of just any (not too complex/not too many rounds) cipher, cf. (VSH). Also for random sparse MQ.
• Certain VERY large systems solved in seconds on PC (thousands of variables !).
• Few take a couple hours/days…
• Then infeasible, sharp increase.
Jump from 0 to infinity.
What Are the Limitations of Algebraic Attacks ?
• When the number of rounds grows: complexity jumps from 0 to infinity.
• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.
=> jumps from infinity to nearly 0 !
**What Can Be Done with SAT Solvers ?
• Clearly it is not the size of the system but the nature of it.
• Sometimes more powerful than GB, sometimes less.
Paradoxes:
• If you guess some variables, it can become much slower.
• Great variability in results (hard to compute an average running time, better to look at the 20 % faster timings).
• Memory:
– For many cases tiny: 9 Mbytes while Magma hangs at > 2 Gbytes for the same system.
– For some working cases: 1.5 Gbytes and substantial time. Then terminates with the solution as well.
***Toy Ciphers…
CTC/CTC2 = “Courtois Toy Cipher” [eprint]
• 3-bit S-boxes.
• Diffusion D: permuting wires (as DES P-box !).
• 1,2,4,8,… S-boxes per round.
• 1,2,3,…,10,…,30,… rounds.
• Key size == Block size.
• Simple key schedule: bit permutation (as in DES !)
*CTC2 – more recent variant
• Virtually no difference
– Different D-box but difference only at 1 bit position (!).
– Changes everything w.r.t. linear cryptanalysis.
– Changes nothing w.r.t. algebraic cryptanalysis.
• In both cases 6 rounds are broken, 7 rounds maybe this year…
**CTC vs. CTC2
CTC2: Just remove one “weak” bit:
No other difference. Same for “99 % of positions”.
CTC2 S-box:
Random on 3 bits without linear equations.
Theorem [Courtois]: 14 MQ Equations:
ToyRijndael and ToySerpent:
Basically a 4-bit version of CTC…
ToyRijndael S-box [4 bits]
Inverse + affine, as in AES, borrowed from Carlos Cid.
Theorem [Courtois]: 21 MQ equations.
ToySerpent S-box [4 bits]
Sbox number 2 [chosen at random] stolen from Serpent [without permission from the authors].
Theorem [Courtois]: 21 MQ equations.
ToySerpent vs. ToyRijndael:
Both cases: 21 MQ equations.
Same degree, same number, yet TOTALLY DIFFERENT results (and we can explain why!).
Bad news for the idea (IOH) that I/O degree implies the existence of algebraic attacks.
• For some equations – good attacks [for 5 rounds].
• For some equations – little hope.
Rijndael S-box shows unexpected resistance w.r.t. our fast algebraic attack on block ciphers. [ElimLin].
Weakness in Serpent S-box 2:
4 / 21 equations of types:
• 2 are “Linear + X²”.
• 2 are “Linear + Y²”.
0 / 21 such equations for the 4-bit Rijndael S-box !
Combined Effect of These:
They allow to “avoid” / “lower the relative rank of” the set of higher degree monomials in the xi in algebraic equations that can be written for several rounds.
In other words, some quadratic monomials / some linear combinations of monomials can be systematically eliminated:
Claim: Will greatly help to compute Gröbner bases at a lower degree !
Now we will test the most optimistic version of this claim:
Replace F4 by ElimLin, how many linear equations can we generate ?
Interesting and WEIRD Question
KPA. How many linear equations are true with Pr=1 ?
[Figure: three known plaintexts P1, P2, P3 each pass through “0-few rounds” and then “more rounds” to give C1, C2, C3.]
Very Surprising and Powerful
Answer 1: They don’t exist (cf. LC).
Answer 2: They DO exist when the Pi are fixed !
• Can be recovered by interpolation ? I did program this. Some toy examples take ages… Most relevant cases => infeasible ! Too large matrices.
• Fact: I have found a method to compute these equations VERY EFFICIENTLY given the set of plaintexts Pi. Arbitrary Pi = a KPA.
Remark: A whole (big) part of the algebraic attack is done on a truncated cipher, i.e. without knowing the ciphertext: pre-computation is possible given the specification of the cipher (problem: only easy to use with CPA).
When the Pi are fixed, how many equations ?
Nb. of linear equations found, 5 rounds x 3 S-boxes, KPA, truncated (unknown ciphertext) ToySerpent & ToyRijndael.
Equations with rounds 0-5.
Some totally avoid the first 2 rounds. Rounds 3-5.
More powerful with the full cipher (the ciphertexts are known => WORKS FROM both directions !!!! ElimLin even easier !)
Combinatorial Explosion
Nb. of new linear equations grows FASTER than LINEAR!!!
Nb. of variables grows linearly in K.
Unstoppable force of an asymptotic…
See our lab: http://www.nicolascourtois.com/papers/ga18/AC_Lab1_ElimLin_Simon_CTC2.pdf
[Plot: number of new linear equations as a function of K]
What About…
Real Life Ciphers?
DES
At a first glance, DES seems to be a very poor target: there is (apparently) no strong algebraic structure of any kind in DES.
What’s Left ?
Idea 1: (IOH)
Algebraic I/O relations. Theorem [Courtois-Pieprzyk]:
Every S-box has a low I/O degree.
=> 3 for DES.
Idea 2: (VSH)
DES has been designed to be implemented in hardware.
=> Very sparse quadratic equations at the price of adding some 40 new variables per S-box.
Results ?
Both Idea 1 (IOH) and Idea 2 (VSH) (and some 20 others I have tried…) can be exploited in working key recovery attacks.
S-boxes S1-S4 [Matthew Kwan]
S-boxes S5-S8 [Matthew Kwan]
I / O Degree
A “good” cipher should use at least some components with high I/O degree.
Theorem
Corollary
Cubic Equations and DES
Exactly 112 for all DES S-boxes.
5. Selected Results: Some Successful Attacks
Results on CTC
Nicolas T. Courtois:
“How Fast can be Algebraic Attacks on Block Ciphers ?”. eprint.iacr.org/2006/168/
6 rounds broken: 255-bit key, 510 S-boxes.
ElimLin: 80 hours after 210/255 bits are guessed. 64 CP. About 10 times (slightly) faster than exhaustive search…
Results on CTC2
Much more resistant to LC [cf. Orr Dunkelman and Nathan Keller : Linear Cryptanalysis of CTC, eprint.iacr.org/2006/250/].
ElimLin still breaks 6 rounds in the same way (no visible difference).
10 rounds broken if block=96, key=256.
Results on ToySerpent
ToySerpent, 5 rounds, 32 S-boxes * 4 bits.
84 first key bits guessed, 44 remain unknown.
4 CP => broken in 32 hours by ElimLin.
6 rounds should be feasible for 256-bit version. Work in progress.
Results on ToyRijndael
Unexpectedly strong, the only difference is the S-box:
0/21 “Linear + X²” equations...
Results on DES
Nicolas T. Courtois and Gregory V. Bard:
Algebraic Cryptanalysis of the D.E.S.
In IMA conference 2007, pp. 152-169, LNCS 4887, Springer.
See also:
eprint.iacr.org/2006/402/
What Can Be Done ?
Idea 1 (Cubic IOH) + ElimLin:
We recover the key of 5-round DES with 3 KP faster than brute force.
• When 23 variables fixed, takes 173 s.
• Magma crashes > 2 Gb of RAM.
Idea 2 (VSH40) + ANF-to-CNF + MiniSat 2.0.:
Key recovery for 6-round DES. Only 1 KP (!).
• Fixing 20 variables, takes 68 s.
• Magma crashes with > 2 Gb.
What Else Can We Do ?
Claim: Algebraic Cryptanalysis is an excellent tool TO STUDY block and stream ciphers. For all properties that hold:
• With probability 1 or close.
• For 3,4,5,6 rounds.. (already a lot, very complex to analyse by hand).
Proposed Application [probably feasible for many ciphers]:
• Find a 4-round differential that holds with probability 1.
• Show that there isn’t any (unsatisfiable/contradictory system of equations).
Example:
Looking for another special property of DES.
An attack with a known key (glass-box).
Motivation:
educational, study differential cryptanalysis.
I present this one because it works on a laptop PC for 12 full rounds of DES (which is the best result I have for now).
DC example
What We Can Do:
Given a key, find a plaintext with difference
(`00196000',`00000000') that carries over 12 rounds.
Naïve method (exhaustive search): requires 2^48 trial encryptions, about 3 CPU years.
Idea 2 (VSH40) + MiniSat 2.0:
Only 6 hours.
This Was Easy !
Why ?
Reason:
There are many solutions (about 2^16).
Conclusion:
Algebraic attacks with SAT are easier when there are many solutions.
=> Algebraic cryptanalysis should be a very good tool for breaking hash functions [as shown by Mironov-Zhang, Crypto 2006 Rump Session].
Conclusion:
Keys and special properties of block ciphers CAN be computed in practice with algebraic attacks, and this with little [human] effort.
Back to Bigger Picture
Unified view of Algebraic Attacks
Algebraic Security Criterion [Courtois 1999]:
Non-existence of low-degree/small size multivariate relations between the input bits and the output bits.
Avoid Algebraic Relations…
…between inputs/outputs.
• Applies to multivariate public key cryptosystems: Sflash, Quartz
• Applies to the non-linear part of a stream cipher, even if stateful.
• Applies to the S-boxes of a block cipher.
Claim
This criterion is necessary for the security of all these ciphers.
No proof.
A precaution. Many ciphers still secure.
2. Algebraic Attacks on HFE and Other PKCs Based on Multivariate Polynomials
Security of HFE
Special case: Matsumoto-Imai cryptosystem [Eurocrypt'88]
A power function (as in the Rijndael S-box):
x -> x^3
Attack on Matsumoto-Imai
x -> x^3
Inverse function gives Boolean functions of very high degree.
Attack: there are many multivariate bilinear relations that allow to break the cipher in no time.
[Jacques Patarin, Crypto’95]
Attack on HFE
x -> Polynomial of degree d
Again multivariate relations, attack in n^(3/2 log d).
[Nicolas Courtois PhD thesis 1998, published in CT-RSA 2001]
New paper about this: [Faugère, Joux, Crypto 2003]. Same attack, but explains the origin of these equations !
Forgot to acknowledge 4 previously published papers.
[Patarin, Courtois, Shamir-Kipnis, Courtois-Daum-Felke].
3. Algebraic Attacks on Stream Ciphers with Linear Feedback (e.g. LFSR-based)
Main Problem: Linear Feedback
Great many stream ciphers have a linear feedback (e.g. LFSRs):
state = multivariate linear function (prev. state)
So what ?
Linear Feedback is Dangerous
It preserves the degree of the equations.
My claim: If one can relate state bits and output bits by only one multivariate equation of low degree without extra variables then:
• the cipher is broken in polynomial time,
• hard to find the right equations, mix of insight and experimental results, but…
• such attacks may be surprisingly fast, e.g. 2^31.
One I/O Equation => Broken (∈ P)
[Figure: a linear component feeding a combiner with memory; inputs I, outputs O]
Common Opinions on Stream Ciphers
“Most real life designs centre around LFSRs combined by a non-linear Boolean function.”
“State of the art in generic stream ciphers cryptanalysis can be summarized as follows: correlation and fast correlation attacks.“
[Eric Filiol, Decimation Attack of Stream Ciphers, eprint.iacr.org, 2000]
Common belief:
Ciphers with linear feedback (LFSR, etc…)
can be made secure using
highly non-linear Boolean functions.
The Tale of “Good”Boolean Functions..
Prevent correlation and other classical attacks.
There are other attacks!
•“Good” Boolean functions
•“Good” S-boxes etc…
A “Good” Boolean function…
Some Remarks ! (no comments)
“We can strongly affirm that a very consequent theory of stream encryption exists…”
“Block ciphers are not secure, one should use stream ciphers instead…”
“It is impossible to hide a trapdoor in a stream cipher …“
[Eric Filiol, Plaintext-Dependent Repetition Codes …the AES case, eprint.iacr.org, 2003]
The Tale of “Good”Boolean Functions..
Naïve belief that ciphers built out of such components would be secure.
In fact this approach fails, sometimes quite miserably, to produce secure ciphers:
• Algebraic attacks on AES and Serpent [Courtois-Pieprzyk, AsiaCrypt 2002].
• Stream ciphers: much worse. [For some ciphers, there are no “good” Boolean functions !]
Popular stream ciphers:
Linear sequence generator + a stateless combiner.
Example: one/several LFSRs + a Boolean function.
[Figure: linear feedback -> state -> non-linear filter]
Notations
• Initial key k ∈ GF(2)^n: n bits k_0, k_1, k_2,…,k_{n-1}
• The state s ∈ GF(2)^n. First s = k, then s = L(s) etc..
• Output bits: apply f to the state: b_i = f(L^i(k))
Given: some of the b_i
Find: the secret key k
[Figure: linear feedback acting on the state s_0, s_1, …, s_{n-1}]
Direct Algebraic Attack Approach:
Solve this system of equations.
Extremely overdefined even for moderate quantity of keystream, e.g. 20 Kbytes.
Example:
Toyocrypt, n=128, d=63.
What if the degree d is too big ?
1) Find a low degree approximation – not today, see Nicolas Courtois: Higher Order Correlation Attacks, XL algorithm and
Cryptanalysis of Toyocrypt, ICISC 2002 or eprint.iacr.org
2) Better attacks – today.
Problem:
The degree is usually high…(even AFTER taking a lower degree approximation)
As for HFE and Rijndael S-box,
consider multivariate relations
instead of equations…
Solution (the same as usual):
Relations instead of equations…
I/O equations = implicit eqs.
Their degree turns out to be much lower !
Toyocrypt
One of the only two stream ciphers accepted to the
second phase of CRYPTREC
(for the Japanese government).
The design of Toyocrypt
• A bent function
• add s_127 to make it balanced.
Fact: Toyocrypt
There is a multivariate relation of degree 3 in the 128 key bits and involving 1 consecutive output bit.
Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.
LILI-128
One of the NESSIE candidates,
claimed very secure,
rejected
(all the other stream ciphers were rejected too !)
Fact: LILI-128
There is a multivariate relation of degree 4 in the 89 key bits and involving 1 consecutive output bit.
Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.
E0
stream cipher used in the wireless interface
Bluetooth
Fact: E0
There is a multivariate relation of degree 4 in the 128 key bits and involving 4 consecutive output bits.
Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.
So what ?
One equation is enough to break all these !
Due to the
• Recursive structure of the cipher
• Linear feedback (e.g. in LFSRs) preserves the degree,
We may generate as many equations as we want.
So what ?
One equation is enough to break all these !
• Given keystream bits -
• Using bits of memory -
• The secret key can be recovered in .
• Verified experimentally.
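A worked version of the attack sketched in the last slides (an LFSR, a filter f, one low-degree relation, and one equation per keystream bit), as an added example rather than code from the slides: a toy 11-bit LFSR is filtered by a degree-5 function f, a multiplier g = 1 + s_0 kills the degree-5 monomial so that g·f has degree 3, and every keystream bit b_t yields the equation g(s_t)·(f(s_t) + b_t) = 0, which holds with probability 1 because the feedback is linear and preserves the degree. The equations are linearised (every monomial in the key bits becomes one unknown) and solved by Gaussian elimination. The LFSR, its feedback polynomial, f, g and the key are all constructed for illustration.

```python
"""Algebraic attack on a toy filter generator (LFSR + Boolean function) by linearisation.

Added example, not code from the slides. The LFSR length (11), its feedback polynomial
(x^11 + x^2 + 1), the filter f, the multiplier g and the key are constructed for the
example. Polynomials over GF(2) are sets of monomials; a monomial is an int bitmask of
variables (mask 0 is the constant 1); addition is symmetric difference.
"""
from itertools import combinations

N = 11                                              # LFSR length = key size (toy)


def clock(state):
    """One LFSR step for the recurrence s[t+11] = s[t] + s[t+2] (x^11 + x^2 + 1).
    Works on concrete bits (ints 0/1) and on symbolic linear forms (bitmasks of key bits)."""
    return state[1:] + [state[0] ^ state[2]]


def mul(p, q):
    r = set()
    for a in p:
        for b in q:
            r ^= {a | b}                            # x_i^2 = x_i
    return r


def evaluate(p, point):
    return sum(1 for m in p if m & point == m) & 1


def degree(m):
    return bin(m).count("1")


def keystream(key, f, length):
    """Output bits b_t = f(L^t(key)) of the filter generator."""
    state = [key >> i & 1 for i in range(N)]
    out = []
    for _ in range(length):
        out.append(evaluate(f, sum(b << i for i, b in enumerate(state))))
        state = clock(state)
    return out


def expand(p, state):
    """Rewrite a polynomial in the state bits as a polynomial in the key bits, given the
    current state as a list of linear forms (bit j of state[i] set <=> k_j occurs in s_i)."""
    out = set()
    for m in p:
        term = {0}
        for i, form in enumerate(state):
            if m >> i & 1:
                term = mul(term, {1 << j for j in range(N) if form >> j & 1})
        out ^= term
    return out


def solve_linearised(rows, n_unknowns):
    """Gauss-Jordan over GF(2). A row is an int: bit 0 is the constant 1, bit j >= 1 is
    unknown j (a monomial treated as an independent variable). Returns {unknown: value}
    when the solution is unique, None if the system is inconsistent or under-determined."""
    basis = {}
    for r in rows:
        while r > 1:
            p = r.bit_length() - 1
            if p in basis:
                r ^= basis[p]
            else:
                basis[p] = r
                break
        else:
            if r == 1:
                return None                          # reduced to 1 = 0
    if len(basis) != n_unknowns:
        return None                                  # too little keystream / bad relation
    values = {}
    for p in sorted(basis):
        r = basis[p]
        for q in sorted(basis):
            if q < p and r >> q & 1:
                r ^= basis[q]                        # basis[q] is already fully reduced
        basis[p] = r
        values[p] = r & 1
    return values


def attack(bits, f, g):
    """Recover the key from keystream bits using the relation g*f of low degree:
    for every t, g(s_t) * (f(s_t) + b_t) = 0 holds, and g*f has lower degree than f."""
    h = mul(g, f)
    e = max(degree(m) for m in h | g)
    monos = [sum(1 << i for i in c) for d in range(1, e + 1) for c in combinations(range(N), d)]
    col = {m: k + 1 for k, m in enumerate(monos)}    # unknown index of each monomial
    state = [1 << i for i in range(N)]               # symbolic initial state: s_i = k_i
    rows = []
    for b in bits:
        eq = expand(h, state) ^ (expand(g, state) if b else set())
        rows.append(sum(1 << (col[m] if m else 0) for m in eq))
        state = clock(state)
    values = solve_linearised(rows, len(monos))
    if values is None:
        return None
    return sum(values[col[1 << i]] << i for i in range(N))


# Constructed filter of degree 5 and multiplier g = 1 + s_0, which kills the degree-5 term:
F = {0b00000011111, 0b00001100000, 0b01010000000, 0b00100000000}   # s0s1s2s3s4 + s5s6 + s7s9 + s8
G = {0, 0b1}                                                          # 1 + s0


def demo(key=0b10110011101, length=400):
    bits = keystream(key, F, length)
    return key, attack(bits, F, G)


if __name__ == "__main__":
    key, found = demo()
    print(f"degree of f = {max(degree(m) for m in F)}, degree of g*f = {max(degree(m) for m in mul(G, F))}")
    print(f"key = {key:011b}, recovered = {found if found is None else format(found, '011b')}")
```

With degree 3 there are 11 + 55 + 165 = 231 unknown monomials, so a few hundred consecutive keystream bits give an overdefined linear system; the solver returns None when the linearised system is not of full rank, which is what one sees with too little keystream or a relation whose products do not span all monomials. Replacing g by 1 shows the cost of attacking f directly: the linearised degree jumps to 5 and the number of unknowns with it.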
Results
• Toyocrypt – Cryptrec submission: 2^49
Verified, works perfectly well in practice.
• LILI-128 – Nessie submission: 2^57
[Courtois, Meier, Eurocrypt 2003]
• E0 – Bluetooth keystream generator: 2^70
[Armknecht, Krause, Crypto 2003]
Can We Do Better ?
If the keystream bits are consecutive: yes, much better !
Nicolas Courtois: “Fast Algebraic Attacks on Stream Ciphers with Linear Feedback”. Crypto 2003.
Studied in more detail by Armknecht, and [Hawkes-Rose Crypto’04].
Improved Results
Gives the best attack known so far for 3 well known stream ciphers:
• Toyocrypt – Cryptrec submission: 2^25
• LILI-128 – Nessie submission: 2^31
• E0 – Bluetooth keystream generator: 2^49
Broken at the First Glance…
In 2005 Braeken, Lano, Mentens, Preneel and Verbauwhede invented a new stream cipher:
• SFINKS – ECRYPT submission: 2^71
Nicolas Courtois: Cryptanalysis of Sfinks. eprint.iacr.org/2005/243
Simply broken once you take the time to examine the (already known) algebraic attack – BUT one needs to run many computer simulations to determine whether suitable equations exist; there is no theoretical method to predict the result...
Scary Algebraic Equations..
Goal: design an LFSR-based stream cipher with security 2^128.
Problem: How to make sure that there is no algebraic relation of size 2^100 that relates key bits and output bits?
Example: Linear complexity may be 2^100. I cannot check if relations exist...
Scary Algebraic Equations..
Problem: How to make sure that there is no algebraic relation of size 2^100 ?
Crypto’03 paper clearly demonstrates that in MANY interesting cases you cannot be sure unless you can do about 2^100 computations.
Also works for linear complexity (many ciphers will be broken in a time being about the linear complexity).
Murphy course: should be 2^40. Not enough !!!
Many other relations may exist…
Conclusion – Stream Ciphers
Good Boolean functions are by far not enough to get secure ciphers.
LFSR-based stream ciphers cannot claim security UNLESS they are PROVABLY secure against algebraic attacks.
How ? OPEN PROBLEM.
More on Stream Ciphers:
Linear sequence generator + a combiner with memory, may be key-dependent.
[Figure: linear feedback -> state -> combiner with memory]
All Stream Ciphers Broken ?
It depends what we mean by “BROKEN”…
• Fixed size filter/combiner and a LFSR with n bits.
• Polynomial in n vs. non-polynomial in n.
• In this sense many of them are broken.
All Stream Ciphers Broken ?
1. An LFSR + Boolean function (fixed number of inputs). POLYNOMIAL.
Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.
Stream Ciphers Broken in Poly…
2. An LFSR + Any Combiner with Memory. POLYNOMIAL.
• Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.
• Nicolas Courtois: Algebraic Attacks on Combiners with Memory and Several Outputs. ICISC’04, available on eprint.iacr.org/2003/125. Different proof of the same Theorem, greatly improving the result for combiners with several outputs.
More Ciphers Broken in Poly…
3. An LFSR + Secret or Key-Dependent Boolean Function. POLYNOMIAL.
• - - work in progress - -
• Nicolas Courtois, Philip Hawkes: Fast Algebraic Attacks on Stream Ciphers and the Discrete Fourier Transform; Greg Rose, Philip Hawkes: Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers. In Crypto 2004.
More Ciphers Broken in P time…
4. An LFSR + Any Secret or Key-Dependent Combiner with Memory.
Conjecture [Meier-Courtois 2003] POLYNOMIAL.
• Nicolas Courtois, Philip Hawkes, Willi Meier: Algebraic Attacks on Stream Ciphers with Unknown or Key-Dependent Components, Work in progress…Not sure about the result…