“Algebraic” Attacks vs. Design of Block and Stream Ciphers Nicolas T. Courtois - University College London


Page 1 (source: nicolascourtois.com/papers/algatt_all_teach_2015.pdf)

“Algebraic” Attacks vs. Design of Block and Stream Ciphers

Nicolas T. Courtois, University College London

Page 2

A New Frontier in Symmetric Cryptanalysis

Courtois, Indocrypt 2008

Modern Symmetric Cryptanalysis:

number of ciphers “broken w.r.t. claims”: O(effort).

number of ciphers “broken in practice”: o(effort).

DES, AES etc.: never really broken.

Page 3

2 Small Remarks

Winston Churchill used to say:

“the truth is so precious that she should always be attended by a bodyguard of lies”

Cryptanalysis is not very popular: the number of papers at major crypto conferences has decreased each year… for some reason… over the last 15 years.

Page 4

Alternative Title:

A New Frontier in Symmetric Cryptanalysis?

(e.g. low-data complexity attacks)

Page 5

Algebraic Attacks on Block, Stream Ciphers, 2001-2015

0. Intro…

Page 6

Instead of a Summary

• How to design secure ciphers? Nobody knows; a complex question.

• What components to choose? (bottom-up). Most of the current cipher design paradigms can be expressed in terms of “good” Boolean functions / “good” vectorial functions (S-boxes).

• What else? Good diffusion: WTS (Wide Trail Strategy, later slides), avalanche.

Remark: there exist provably secure stream ciphers (QUAD); NO good candidates for secure block ciphers…

Page 7

Boolean Functions, ANF (Algebraic Normal Form)

Any function GF(2)^n → GF(2).

Page 8

The Tale of “Good” Boolean Functions…

Magical objects that make ciphers secure?

• “Good” Boolean functions,

• “Good” S-boxes,

=> High non-linearity…

A “good” Boolean function… provably prevents correlation/differential/linear/GLC attacks….

Page 9

Avoiding Simple Boolean Functions…

Not enough!

Main claim / result: one should rather think about avoiding Boolean / Algebraic Relations!

Page 10

Central Criterion for Designing Cryptographic Components

[Courtois 1999; PhD Thesis]: non-existence of low-degree / small-size multivariate relations between the input bits and the output bits.

Page 11

Special Case: I / O Degree:

A “good” cipher should use at least some components with high I/O degree.

Page 12

Claim / Proposal

This criterion is proposed (can be necessary) for the security of:

• S-boxes in Block Ciphers

• Combiners in Stream Ciphers

• Trapdoor Functions (PK crypto, HFE).

Page 13

Why?

• no proof

• some devastating attacks on some ciphers

• many ciphers not broken in the slightest

• overall, just another super-paranoid security criterion which is probably not always necessary (frequent in crypto research)

Page 14

Another Interpretation of I/O

I = Inside block/stream cipher

O = Outside of your block/stream cipher

Page 15

Multivariate Cryptography: cryptosystems using polynomials with several variables over a finite field…

Multivariate Cryptanalysis or Algebraic Cryptanalysis: cryptographic attacks using polynomials with several variables over a finite field…

Page 16

Roadmap: Multivariate/Algebraic Cryptanalysis

• Software / SAT solvers; XL, Gröbner bases, F4, F5: for dense systems of equations; inappropriate tools in most other cases.

• Truncated Differentials (DC), combination attacks, multiple-point DC, Higher-Order DC.

• Other tools: Guess-Then-Determine (SAT/UNSAT strategy, or mixed with many steps), MITM.

• ElimLin: amazingly powerful.

• Cube Attacks [Vielhaber, Dinur, Shamir ’08].

• Higher Order Differentials: ”every cipher of low degree poly can be broken”.

Page 17

GOST, Self-Similarity and Cryptanalysis of Block Ciphers, © Nicolas T. Courtois, 2006-2013

- My Favourite Groups

Page 18

Different Types of Cryptanalysis

• The “approximation” approach:

– Linear, differential, high-order differential, impossible differential, Jakobsen-Knudsen approximation attacks, etc. All are based on probabilistic characteristics, true with some probability.

– Consequently, the security grows exponentially with the number of rounds, and so does the number of required plaintexts in the attacks (the main limitation in practice).

• The “exact algebraic” approach:

– Write equations to solve, true with probability 1.

– Very small number of known plaintexts required.

Page 19

Exact/Algebraic/Multivariate Cryptanalysis:

Breaking a « good » cipher should require:

“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949]

Common belief: large systems of equations become intractable very easily.

Page 20

**However…

However, what makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials:

– The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt’2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [F5/2 by Jean-Charles Faugère], [Old papers by Lazard]…

– The XSL variant: [Courtois, Pieprzyk, Asiacrypt’02]

Consequence: systems that are overdefined, sparse, or both, turn out to be much easier to solve than expected.

Page 21

Problem 1: Overdefined Systems

Most cryptographic security relies on the hardness of largely overdefined problems: much more information than necessary (a great many plaintexts, message/signature pairs, etc.).

• Public key cryptography: the solution is provable security: each use of the cryptographic scheme does not leak useful information.

• Secret key cryptography: yet little provable security. And yet it is here that the problems become the most overdefined: huge amounts of data encrypted with one key, fast hardware, etc.

Page 22

Problem 2: Algebraic Sparsity

Many cryptographic schemes (for practical reasons) have a simple algebraic description.

This usually leads to a sparse system of equations.

• In software, large tables might be used…

• In hardware, the number of gates should be small, which gives a simple description with simple Boolean polynomials.

Page 23

Problem 3: Linear Components

Linearity is commonly used for diffusion, sequence generation (LFSR) etc.

Still believed OK.

• Problem: preserves the degree of algebraic equations !!

Page 24

The Role of Finite Fields, e.g. GF(2)

They allow one to encode any cryptographic problem as the problem of solving Boolean equations.

Page 25

Multiplicative Complexity, © Nicolas T. Courtois 2012

MC = Definition

• Every function can be represented as a number of multiplications + linear functions over a finite field/ring.

• We call MC (Multiplicative Complexity) the minimum number of multiplications needed.

Home reading: set of slides multcomp.pdf on Moodle.

Page 26

**The Role of NP-hard Problems

Guarantee “hardness” in the worst case.

Many are not that hard in practice…

• Many concrete problems can be solved.

• Multiple reductions allow the use of algorithms that solve one problem to solve another.

Page 27

Algebraization:

Theorem:

Every function over finite fields is a polynomial function.

[can be proven as a corollary of Lagrange’s interpolation formula]

False over rings!

E.g. false for T-functions.

Page 28

Problem 4: Low Degree/Low Complexity

Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.”

Cf. Xuejia Lai's paper: "Higher order derivatives and differential cryptanalysis" [1992]

Page 29

Problem 4: Low Degree/Low Complexity

Bottom line: “Every cipher which can be expressed by low degree polynomials is broken.”

Remark for LFSR-based stream ciphers: later we will see how to substantially LOWER the degree… I/O Relations, Algebraic Immunity, Annihilators, Courtois-Meier attack, etc…

Page 30

Lai Essential Result

=> “every cipher which can be expressed by low degree polynomials is broken.”

=> so we can decrease the non-linear degree by summing different polynomials

Page 31

Cube Attacks [Vielhaber, Dinur, Shamir ’08]

Page 32

”Trivial – ε Attacks”

Cube attacks are highly sophisticated, highly technical attacks BUT they achieve NOTHING more than breaking XX – ε rounds of a cipher, where XX – ε rounds is already broken by an attack which the crypto community considers excessively trivial.

Page 33

Step By Step

Cube attack is about summing COMPLEX multivariate polynomials.

– most polynomials are never written down.

• Online phase, CPA => several concrete values added: 0+1+…

• Their sum polynomial depends on the key in a very simple way.

=> Gives simple equations on the key.
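What “summing complex polynomials” does is Lai's higher-order derivative, and it can be shown on a toy polynomial. The Python below is an added example (mine, not from the slides or the cited papers): polynomials are sets of monomials over GF(2) with x_i^2 = x_i, `F` is a constructed degree-3 polynomial in three “public” variables x0, x1, x2 (bits 0-2) and two “key” variables k0, k1 (bits 3, 4), and `derivative` computes the sum of a polynomial over a cube of variables symbolically: only monomials containing every cube variable survive, and they lose those variables. Summing over a cube of size d-1 leaves a polynomial of degree at most 1 (here k0 + x2, the “simple equation on the key”), a cube of size d gives a constant, and any larger cube gives 0, which is the content of the Lai result on slides 28-30; `cube_sum` evaluates the same sums numerically as a cross-check. All names are mine.

```python
"""Higher-order derivatives / cube sums of a low-degree Boolean polynomial.

Added example, not from the slides. A polynomial is a set of monomials; each
monomial is a bit mask of the variables it contains (x_i^2 = x_i, so masks
suffice, and a set with XOR semantics keeps coefficients mod 2).
"""
from itertools import product

# Constructed toy polynomial of degree 3:
#   F = x0*x1*k0 + x0*x1*x2 + x1*k1 + k0*k1 + x2 + 1
# variables: x0,x1,x2 = bits 0..2 ("public"), k0,k1 = bits 3,4 ("key").
F = {0b01011, 0b00111, 0b10010, 0b11000, 0b00100, 0b00000}


def evaluate(poly: set, point: int) -> int:
    """poly(point) over GF(2): a monomial is 1 iff all its variables are 1."""
    return sum(1 for m in poly if m & point == m) & 1


def degree(poly: set) -> int:
    return max((bin(m).count("1") for m in poly), default=-1)


def derivative(poly: set, cube: int) -> set:
    """Sum of poly over all 2^k assignments of the variables in `cube`, done
    symbolically (Lai's k-th order derivative along coordinate directions):
    a monomial survives iff it contains every cube variable, minus those."""
    out = set()
    for m in poly:
        if m & cube == cube:
            out ^= {m & ~cube}          # XOR-set: equal terms cancel mod 2
    return out


def cube_sum(poly: set, cube: int, rest: int) -> int:
    """Numerical version: sum poly over the cube with the other variables
    fixed to the bits of `rest` (bits of `rest` inside the cube are ignored)."""
    cube_vars = [i for i in range(cube.bit_length()) if cube >> i & 1]
    total = 0
    for bits in product((0, 1), repeat=len(cube_vars)):
        point = rest & ~cube
        for i, b in zip(cube_vars, bits):
            point |= b << i
        total ^= evaluate(poly, point)
    return total


if __name__ == "__main__":
    print("degree(F) =", degree(F))
    for cube in (0b00011, 0b00111, 0b01111):
        print(f"sum over cube {cube:05b}: {derivative(F, cube)}")
    # fixing x2 = 0 and summing over x0, x1 recovers the key bit k0 directly
    for k0 in (0, 1):
        print("k0 =", k0, "-> cube sum =", cube_sum(F, 0b00011, k0 << 3))
```

The symbolic and numerical routes agree on every assignment of the remaining variables; the size-2 cube over x0, x1 yields k0 + x2, the size-3 cube over x0, x1, x2 yields the constant 1, and the size-4 cube yields 0.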

Page 34

Cube Attacks Controversies [1]

Dan Bernstein: http://cr.yp.to/cubeattacks.html

• “Why haven't cube attacks broken anything?

• Cube attacks work well for random polynomials of small degree.

– Real-world ciphers, when viewed as polynomials, don't have small degree.

– Lai 1992 explains how to break every small-degree cipher;

– It seems to me that "cube attacks" are simply a reinvention of Lai's HO DC attack; if Dinur and Shamir had cited Lai's paper […] then they would have been forced to drop essentially all of their advertising.”

Actually it broke a VERY large number of rounds of Trivium.

Page 35

*Cube Controversy [2]

Plagiarism:

– Dinur and Shamir DO/DID NOT credit Michael Vielhaber's "Algebraic IV Differential Attack" (AIDA) as a precursor of the Cube attack.

– Dinur has stated at Eurocrypt 2009 that Cube generalises and improves upon AIDA.

– However, Vielhaber contends that the cube attack is no more than his attack under another name.

Page 36

1. Finite Fields, Block Ciphers and AES

(2 separate files)

Page 37

1.1. Block Ciphers and Algebraic Relations

Page 38

How do We Attack AES ?

– Very ambitious…

• AES pushes the classical design principles (=high non-linearity) to their limits, optimality.

• Explore these limits. Look for pitfalls !

Page 39

What About Block Ciphers?

Q: Do these polynomial relations MATTER AT ALL for Block Ciphers (e.g. AES)?

Remark: they break a lot of stream ciphers very badly.

Page 40

YES !

Q: Do these polynomial relations MATTER AT ALL for Block Ciphers ?

YES, (at least for some of them…)

Page 41

This Cipher is Broken for 1 M rounds!

F: Inverse in GF(2^n).

[Jakobsen-Knudsen FSE’97, Courtois AES’4]

Page 42

***Bi-linear Cryptanalysis [Courtois Crypto’04]

Page 43

***2. Weak Cipher Number 2:

Round function:

Very secure against all known attacks on block ciphers…, but broken for 1 M rounds !

Page 44

***3. Another Insecure Cipher

64-bit Feistel cipher, 32-bit round function:

Looks very secure… Etc.

Broken for up to 2^16 rounds! [Courtois AES’4]

Page 45

****4. Insecure Unbalanced Feistel Networks (e.g. SHA-x)

This one again looks very secure:

Again, broken for up to 2^16 rounds!

Page 46

AES Structure and Design, Nicolas T. Courtois, October 2006

Wide Trail Strategy (WTS): assures very good diffusion, proposed by the designers of AES.

• The “approximation” attacks:

– Deadly. Forces one to approximate a great many S-boxes at the same time. AES is very secure against LC/DC.

– WTS probably kills all these insecure ciphers that are very special…

• The “exact algebraic” approach:

– Combine relations true with probability 1.

– The wide trail strategy still plays a huge role in practice/theory.

Page 47

*AES Under Attack

Page 48

Controversial Paper [Asiacrypt’02 / eprint]

Cryptanalysis of Block Ciphers with Overdefined Systems of Equations

Nicolas T. Courtois, Advanced Crypto Research, Axalto Smart Cards, France

Josef Pieprzyk, Center for Advanced Computing - Algorithms and Cryptography, ICS, Macquarie University, Australia

Page 49

Echoes in the Press

Bruce Schneier, Crypto-Gram [the world’s No. 1 crypto/security newsletter]:

“AES News

AES may have been broken […], there's no need to panic. Yet. But there might be soon […]

[…] These are amazing results. […]

Many cryptographers who previously felt good about AES are having second thoughts […]”

Page 50

*Echoes in the Press

(the world’s largest-circulation scientific magazine), 27 Sept. 2002:

Page 51

*Cover Page of New Scientist:

Page 52

Page 53

Page 54

XSL Ciphers

[diagram: round keys K_i; layers S, X, L]

Page 55

The so-called “XSL Attack” and AES

“XSL is not an attack, it is a dream”

Vincent Rijmen, AES designer

Not a very efficient attack; a sort of scientific research programme…

Page 56

XSL Attacks - Summary

Algebraic attacks on block ciphers work in 3 stages:

1. Write good equations – overdefined, sparse or both.

2. Expand - to obtain a very overdefined system.

3. Final "in place" elimination method – completely solve.

Two Versions of the Courtois-Pieprzyk paper:

• The original paper is on eprint.iacr.org/2002/044 (archive, not updated anymore): “First XSL attack”, “Second XSL attack”. The most powerful versions.

• Asiacrypt’02: “Compact Version of the First XSL Attack”. The most general, least powerful, simpler and easier to study.

Page 57

**Reinvent it in 2015:

Algebraic attacks on block ciphers today:

1. Write good equations – overdefined, sparse or both.

• LESS TRIVIAL than expected [new tricks: higher degree, add variables, etc.].

2. Expand - avoid / minimise the impact of…

3. Final "in place" deduction / inference / elimination method.

• ElimLin alone and the T’ method. Amazingly powerful.

• New tools [SAT solvers]. Amazingly powerful.

Page 58

Part 1.

1. Find good equations, such that:

equations / monomials = 1/4 or so..

Page 59

Part 2.

2. Expand to a very overdefined system, close to saturation:

free eqs. / monomials = close to 1

Page 60

Part 3.

3. Final step – achieve complete saturation, giving the key bits:

free eqs. / monomials = exactly 1

Page 61

AES

• Won 2000 NIST vote.

• Serpent was second.

Page 62

Unbelievable Security

Most people think: it is easy to achieve 2^256, just mix sufficiently many strange functions….

Security grows exponentially in the number of rounds..

Our claim: it is hard to achieve the security level of 2^256.

Page 63

Moore’s Law

The computing power of 2^256 will not be available before the year 2200.

Until then, so much higher mathematics and so much better methods of cryptanalysis will be found…

Guess: all cryptosystems that today claim the security level of 2^256 will be broken by then.

Page 64

Part 1.

1. Find good equations, such that:

equations / monomials = 1/4 or so..

Page 65

MQ Problem

Find a solution to a system of m quadratic equations with n variables over a field/ring.

Page 66

MQ Problem

Find a solution (at least one),

i.e. find (x0, ...,xn-1) such that:
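The system that the slide's “such that:” refers to, written out here as an added equation (it is not in the transcript; the coefficients a, b, c are the instance data, all in the chosen field or ring K):

$$
\sum_{0 \le i \le j < n} a^{(k)}_{ij}\, x_i x_j \;+\; \sum_{i=0}^{n-1} b^{(k)}_{i}\, x_i \;+\; c^{(k)} \;=\; 0, \qquad k = 1, \dots, m,
$$

i.e. m equations of degree 2 in the n unknowns x_0, …, x_{n-1}; over GF(2) the terms x_i x_i collapse to x_i, so the quadratic part has only the C(n, 2) cross terms x_i x_j with i < j.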

Page 67

Known applications of MQ

Multivariate schemes such as UOV, HFE, Quartz and Sflash are based on MQ.

• In usual applications, nobody is using these new schemes. But:

• About the only solutions known for specific applications: very short signatures with Quartz, fastest signatures in the world with Sflash [Cf. PKC 2003].

Who cares about MQ?

Page 68

Surprising applications of MQ

Claim: 90 % of all applied cryptography is based on MQ.

1. RSA is based on MQ with m=1 and n=2: factoring N is equivalent to solving x^2 = y^2 mod N.

2. Rijndael is based on MQ?

Page 69

Rijndael S-boxes

(y_1, …, y_8) = S(x_1, …, x_8).

Theorem: for each S-box there are r = 39 quadratic equations with 16 variables x_i and y_i that are true with probability 1.

Overdefined MQ system, 39 >> 8.

Page 70

Origin of the equations

(cf. cryptanalysis of Matsumoto-Imai by J. Patarin, Crypto’95)

For y = x^{-1} in GF(2^8), the following relations between x and y are quadratic in the bits:

x y = 1 (x ≠ 0) : 7 equations

x^2 y = x : 8 equations

x y^2 = y : 8 equations

x^4 y = x^3 : 8 equations

x y^4 = y^3 : 8 equations

39 quadratic, of which 23 bi-linear.
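The relation count on this slide can be checked mechanically, and the same machinery is the check behind slides 7 and 10-11 (ANF, and the “no low-degree I/O relations” criterion). The following Python is an added example (mine, not the author's code and not from any cited paper): it builds the Rijndael S-box from the GF(2^8) inverse and the AES affine map, computes the ANF and algebraic degree of each output bit, and counts the linearly independent relations of degree at most 2 between the 8 input and 8 output bits as (number of monomials) minus the GF(2) rank of the evaluation matrix over all 256 inputs. It returns r = 39, with 23 bilinear, matching the slide. Function names and the `bilinear_only` switch are mine.

```python
"""Checking the 'no low-degree I/O relations' criterion on the AES S-box.

Added example, not from the slides. Builds the Rijndael S-box, computes ANF /
algebraic degree of its coordinate functions and counts the independent
quadratic input/output relations r (slides quote r = 39, 23 of them bilinear).
"""
from itertools import combinations


def gf256_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf256_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 is mapped to 0 as in AES."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254          # a^-1 = a^254 in a field of 256 elements
    while e:
        if e & 1:
            result = gf256_mul(result, base)
        base = gf256_mul(base, base)
        e >>= 1
    return result


def aes_sbox() -> list:
    """S(x) = A(x^-1) xor 0x63 with the fixed AES affine map A (FIPS-197 5.1.1)."""
    table = []
    for x in range(256):
        a = gf256_inv(x)
        y = 0
        for i in range(8):
            bit = ((a >> i) ^ (a >> ((i + 4) % 8)) ^ (a >> ((i + 5) % 8))
                   ^ (a >> ((i + 6) % 8)) ^ (a >> ((i + 7) % 8)) ^ (0x63 >> i))
            y |= (bit & 1) << i
        table.append(y)
    return table


def anf(truth_table: list) -> list:
    """Moebius transform: truth table of f: GF(2)^n -> GF(2) to ANF coefficients.
    Index m, read as a bit mask, stands for the monomial prod_{i in m} x_i."""
    c = list(truth_table)
    n = len(c).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for j in range(len(c)):
            if j & step:
                c[j] ^= c[j ^ step]
    return c


def algebraic_degree(truth_table: list) -> int:
    return max((bin(m).count("1") for m, a in enumerate(anf(truth_table)) if a), default=0)


def coordinate(sbox: list, j: int) -> list:
    """Truth table of output bit j as a Boolean function of the input value."""
    return [(y >> j) & 1 for y in sbox]


def gf2_rank(rows) -> int:
    """Rank over GF(2) of row vectors given as Python ints (bit k = column k)."""
    pivots = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]
    return len(pivots)


def count_io_relations(sbox: list, n_in: int, n_out: int, bilinear_only: bool = False) -> int:
    """Number of linearly independent relations of degree <= 2 in the input bits
    x_i and output bits y_j that hold for every input (probability 1):
    r = #monomials - rank(evaluation matrix), one row per input value.
    bilinear_only keeps only the monomials 1, x_i, y_j and x_i*y_j."""
    names = [("x", i) for i in range(n_in)] + [("y", j) for j in range(n_out)]
    monomials = [()] + [(v,) for v in names] + list(combinations(names, 2))
    if bilinear_only:   # drop x_i*x_k and y_j*y_l products
        monomials = [m for m in monomials if len({v[0] for v in m}) == len(m)]
    rows = []
    for x in range(1 << n_in):
        val = {("x", i): (x >> i) & 1 for i in range(n_in)}
        val.update({("y", j): (sbox[x] >> j) & 1 for j in range(n_out)})
        row = 0
        for k, m in enumerate(monomials):
            if all(val[v] for v in m):      # the empty product (constant 1) is 1
                row |= 1 << k
        rows.append(row)
    return len(monomials) - gf2_rank(rows)


if __name__ == "__main__":
    S = aes_sbox()
    print("degree of each output bit:", [algebraic_degree(coordinate(S, j)) for j in range(8)])
    print("quadratic I/O relations r =", count_io_relations(S, 8, 8))
    print("of which bilinear:", count_io_relations(S, 8, 8, bilinear_only=True))
```

The count is an exact linear-algebra fact about the S-box, not a search: with 137 monomials of degree at most 2 in 16 variables and rank 98 over the 256 rows, the kernel has dimension 39. Any 8-bit S-box table can be passed to `count_io_relations` to compare candidate components against the criterion of slides 10-11; an affine change of the output bits (such as the AES affine map) never changes r, since it maps the degree-2 monomial space to itself.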

Page 71

Optimal S-boxes? [Anne Canteaut, Marion Videau, Eurocrypt 2002]:

Optimal for linear, differential and high-order differential attacks.

We do not know any worse S-box in terms of r.

Power:                 -1    3    5    7

Equations / S-box, r=  39   39   34   24

Page 72

Reduction Rijndael → MQ

Rijndael 128-bit: recovering the secret key can be rewritten as MQ:

8000 quadratic equations, 1600 variables in GF(2).

But how to solve it?

Page 73:

Part 2.

2. Expand to a very overdefined system, close to saturation:

(free eqs.) / (monomials) = close to 1

Page 74:

Simple Explanation of How

XL Algorithm Works

Page 75:

Part 2.

2. Expand to a very overdefined system, close to saturation:

(free eqs.) / (monomials) = close to 1

Page 76:

How to expand ? The XL idea:

Multiplying the equations

by one or several variables.

Page 77:

X L means…

• eXtended Linearisation

• Multiply (X) and Linearise

• eXpansion in the ideaL spanned by the equations…

• doing things like x_1 * l_3

• etc…

Page 78:

XL Algorithm, F4, F5, etc…

• [Shamir, Patarin, Courtois, Klimov, Eurocrypt’2000]

• [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [J.M. Chen and Bo-Yin Yang papers]

• [Old papers by Lazard], [Buchberger algorithm and Gröbner bases], [F4, F5, F5/2 by Faugère] etc… [Magali Bardet and Gwenolé Ars work], etc…

• Asiacrypt 2004: [Claus Diem], [Gwenolé Ars, Jean-Charles Faugère, Makoto Sugita, Mitsuru Kawazoe, Hideki Imai].

XL is about the best general attack we know for MQ. Designed for systems that are overdefined.

For 128-bit Rijndael: 2^330

Page 79:

The principle of XL:

Multiply the initial equations by low-degree monomials:

becomes:

(degree 3 now).

Page 80:

The idea of XL:

Multiply equations by low-degree monomials.

• Count new equations: R

• Count new monomials present: T

One term can be obtained in many different ways, T grows slower than R.

Page 81:

How XL works:

Initial system: m equations and n²/2 terms.

Multiply each equation by a product of any D-2 variables:

• Equations

• Terms

Idea: One term can be obtained in many different ways, T grows more slowly than R.

Necessary condition: R/T > 1 gives … and thus D …

If sufficient, the complexity of XL would be about …

Sub-exponential? Not true!
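To make R, T and Free concrete, here is an added Python example (not from the slides) that runs the XL procedure on a small constructed MQ system over GF(2): every equation is multiplied by every monomial of degree ≤ D-2, the result is linearised, and R (products), T (terms present) and Free (rank) are counted for increasing D until Free = T-1, at which point each xᵢ is read off a reduced row. The instance is generated with a planted solution and made unique by construction; all function names are the example's own.

```python
import random
from itertools import combinations, product

# Added example, not from the slides: the XL procedure over GF(2) on a small constructed MQ system.
# A polynomial is a frozenset of monomials; a monomial is a frozenset of variable indices, with
# frozenset() standing for the constant 1.  Because x_i^2 = x_i, a product of monomials is a union.

def monomials_up_to(n, d):
    """All multilinear monomials in x_1..x_n of degree <= d."""
    return [frozenset(c) for k in range(d + 1) for c in combinations(range(1, n + 1), k)]

def evaluate(poly, point):
    """Value of poly at a 0/1 point, point[i-1] being x_i."""
    return sum(all(point[v - 1] for v in mono) for mono in poly) % 2

def multiply(poly, mult):
    """poly * mult for a monomial mult; products that coincide cancel out (coefficients are mod 2)."""
    prod = set()
    for mono in poly:
        prod ^= {mono | mult}
    return frozenset(prod)

def gf2_reduce(rows):
    """Reduced row echelon form of bit-packed GF(2) rows -> {pivot_bit: row}; len() is the rank."""
    piv = {}
    for r in rows:
        while r and (r.bit_length() - 1) in piv:
            r ^= piv[r.bit_length() - 1]
        if r:
            piv[r.bit_length() - 1] = r
    for p in sorted(piv):                      # back-substitution pass
        for q in piv:
            if q > p and (piv[q] >> p) & 1:
                piv[q] ^= piv[p]
    return piv

def brute_force(n, eqs):
    """Reference: all common zeros of eqs, by exhaustive search (fine for toy n)."""
    return {pt for pt in product((0, 1), repeat=n) if all(evaluate(e, pt) == 0 for e in eqs)}

def random_mq_system(n, m, solution, rng):
    """Constructed instance: at least m random quadratic equations that vanish at `solution`,
    extended until `solution` is the unique common zero so the run below has a definite answer."""
    eqs = []
    while len(eqs) < m or len(brute_force(n, eqs)) > 1:
        poly = {mono for mono in monomials_up_to(n, 2) if mono and rng.random() < 0.5}
        if evaluate(poly, solution):
            poly ^= {frozenset()}              # flip the constant so the planted point satisfies it
        eqs.append(frozenset(poly))
    return eqs

def xl_step(eqs, n, D):
    """One XL expansion at degree D: multiply every equation by every monomial of degree <= D-2,
    then linearise.  Returns (R, T, Free, piv, index): R products, T distinct terms (the constant
    is always counted), Free = rank of the linearised system."""
    extended = [multiply(e, mult) for e in eqs for mult in monomials_up_to(n, D - 2)]
    terms = sorted({frozenset()} | {mono for p in extended for mono in p},
                   key=lambda s: (len(s), sorted(s)))
    index = {mono: i for i, mono in enumerate(terms)}    # the constant 1 is bit 0
    rows = [sum(1 << index[mono] for mono in p) for p in extended]
    piv = gf2_reduce(rows)
    return len(extended), len(terms), len(piv), piv, index

def xl_solve(eqs, n):
    """Raise D until Free = T - 1: then every term, in particular every x_i, is fixed by a reduced
    row of the form x_i + c = 0.  Returns (solution or None, trace of (D, R, T, Free))."""
    trace = []
    for D in range(2, n + 3):      # at D = n+2 every multiplier is allowed, so the span is the full ideal
        R, T, Free, piv, index = xl_step(eqs, n, D)
        trace.append((D, R, T, Free))
        if Free == T - 1:
            sol = []
            for i in range(1, n + 1):
                row = piv.get(index.get(frozenset({i}), -1))
                if row is None:
                    return None, trace
                sol.append(row & 1)
            return tuple(sol), trace
    return None, trace

def demo(n=6, m=12, seed=2015):
    """Plant a random solution, build the system, run XL; returns (planted, recovered, trace)."""
    rng = random.Random(seed)
    planted = tuple(rng.randrange(2) for _ in range(n))
    eqs = random_mq_system(n, m, planted, rng)
    recovered, trace = xl_solve(eqs, n)
    return planted, recovered, trace

if __name__ == "__main__":
    planted, recovered, trace = demo()
    for D, R, T, Free in trace:
        print(f"D={D}: R={R:4d}  T={T:3d}  Free={Free:3d}  R/T={R / T:.2f}")
    print("planted:", planted, " recovered by XL:", recovered)
```

The printed trace shows the point of slides 80-81 directly: R grows faster than T with D, while Free stays below both until saturation.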

Page 82:

XL will always work

Theorem: Over any small finite field, when D > q and the field equations xᵢ^q = xᵢ can be included, XL always does work, for ANY SYSTEM OF EQUATIONS (worst case).

See: Jacques Patarin and Nicolas Courtois: About the XL algorithm over GF(2), In CT-RSA 2003, April 2003, San Francisco.

Page 83:

XL works quite well

Page 84:

The behaviour of XL

It is possible to predict the exact number of linearly independent equations in XL.

Page 85:

Applying XL to Rijndael

1. Makes little sense: XL is a tool for dense systems of equations…

Except if there are “degree falls”: some combinations of unusually low degree, cf. HFE attacks…

Page 86:

Known attacks on AES

1. Combinatorial attacks: Square attack [Rijmen-Daemen], Multiset attacks [Shamir, Biryukov] - only for a few rounds...

2. Approximation attacks: Differential/linear, interpolation attack, etc… The security grows exponentially with the number of rounds Nr ! (and so does the required number of plaintexts).

Page 87:

From XL to “XSL”

“XSL is not an attack, it is a dream”

Vincent Rijmen, AES designer

Page 88:

Pure theory ?

XL: astronomical complexity

Remark: Our system of 8000 quadratic equations with 1600 variables is not a general MQ system. It is sparse,

there must be a better method !!!

Page 89:

The XL idea:

Multiplying the equations

by one or several variables.

Page 90:

The XSL variant:

Multiplying the equations

by one or several monomials (out of monomials present).

Page 91:

XSL Algorithm

Main idea: In a sparse system R/T at the beginning is already much bigger than in a random system.

Step 1: Optimise sparsity: One variable for each input and each output bit for each S-box.

Step 2: Multiply by selected monomials: If we multiply by products of existing terms, each resulting term will be obtained several times, thus R/T will be the biggest possible.

Page 92:

Naive XSL Attack (on block ciphers)

Each S-box: r equations, t terms. Multiply by P-1 terms for other S-boxes.

S = number of S-boxes in the cipher

• Equations: mainly

• Terms:

Result: R/T ≈ P · r/t

R/T ≥ 1 ⇒ P ≈ t/r

Page 93:

The Complexity of the Naive XSL Attack

ω · (Block size)^O(t/r) · (Nb. of rounds)^O(t/r)

Polynomial with a huge constant = (t/s)^(t/r)

depending only on the S-box parameters.

• For a random S-box, this constant is double-exponential in s.

• For the Rijndael S-box, it is simply exponential in s.

Page 94:

Less Naive XSL Attack

Over-counting Problem:

It can be shown that an important part of the equations in R are not linearly independent.

Only at most R = t^P – (t–r)^P of these equations are linearly independent. Probably a bit less, but not much less.

Saturation Problem:

Simulations show that the number Free of linearly independent equations is never very close to T, and for P=2, when the number of rounds Nr → ∞, we have Free ≈ 96.59 % T.

How to solve the system when T - Free is big ?

Page 95:

Part 3.

3. Final step – achieve complete saturation giving the key bits.

(free eqs.) / (monomials) = exactly 1

Page 96:

The T’ Method [Courtois 2002]:

Let x₁ be a variable.

Let T’ = number of terms that can be multiplied by x₁ and still belong to the set of terms in T.

Claim: If Free > T-T’ then the system can be solved in about T^ω:

• Each term in T is expressed as a linear combination of terms only in T’.

• We obtain one or more equations containing only the terms of T’.

• We do the same with respect to x₂ (2 variables are probably enough).

• Multiply the exceeding equations of the first system by x₁.

• We obtain new linearly independent equations, the rank grows !

• Early simulations show that this heuristic works very well.

• Transfer the new equations to the other system(s), i.e. eliminate all terms that can be multiplied by x₂.

• After at most T’ steps we expect to achieve Free = T-1 or so…

• It seems that the complexity of the whole is essentially T^ω.

Page 97:

An Example of the T’ Method:

Let n=5 variables; therefore T=16 and T'=10.

We start with a random system that has exactly one solution, with Free > T-T' and with 2 “exceeding” equations, i.e. Free = T-T'+2.

Here is a system in which T' is defined with respect to x₁:

Page 98:

T’ Method contd.

Here is the same system in which T' is defined for x₂:

The two systems allow us to “transfer” an “exceeding” equation from one representation to another in T’² operations.

Kind of iterative decoding…

Page 99:

T’ Method contd.

Back to the first system in which T' is defined for x₁:

We have rank=8.

Multiply the 2 “exceeding” equations of the first version by x₁.

Miracle: we have rank=10. New linearly independent equations !

Page 100:

T’ Method contd.

Now we have 4 “exceeding” equations (two old and two new).

Transfer them to the second system.

Then multiply them by x₂:

We are not lucky, the second equation is invariant. Still we get 3 new linearly independent equations and rank=13.

Page 101:

T’ Method contd.

We rewrite the 3 new equations with terms that can be multipl by x₁.

Still rank=13. We multiply them by x₁:

We have rank=14, one more linearly independent equation.

We rewrite the first equation with terms that can be multiplied by x₂.

Page 102:

T’ Method contd.

We still have rank=14.

Then we multiply the new equation by x₂.

We get another new linearly independent equation. We have rank=15. The rank is the maximum that can be achieved: there are 15 non-zero monomials here, and rank=16 can only be achieved for a system that is contradictory.

We expect that the number of additional equations in the T' method grows quickly.

Page 103:

Remarks on the T’ Method

Theorem [Coppersmith 2002, never published]:

The T’ method cannot work with only a few “special variables”.

Use all of them !


Page 104:

Remarks on the T’ Method

Even in this case, the complexity is multiplied only by n, a small factor compared to T^ω.

For example n = 2^11 and T^ω = 2^87. Moderate increase, AES would still be broken.

My simulations show that the T’ method works very well…

Which is in fact very surprising … !

Page 105:

Application of the T’ trick:

If Free > T-T’ then the system can be solved in about T^ω.

For AES-256 bits, we obtain for P=5: R/(T-T’) = 1.0005

Then T = 2^96 and T’ = 2^90. Consequence: If Free > 99.4 % T then AES-256 bits is broken in about 2^203.

Current simulations on a toy cipher give rather Free ≈ 96.59 % T, apparently a size-independent constant ! Different constant for Rijndael ? To be seen.

For example when P=7, we have R/(T-T’) = 1.004, but then XSL gives 2^278, more than the exhaustive search.

Page 106:

CTC = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes.

• Diffusion: permuting wires (as DES P-box !).

• 1,2,4,8,… S-boxes per round.

• 1,2,3,…,10,…,30,… rounds.

• Key size == Block size.

• Simple key schedule: bit permutation (as in DES !)

Page 107:

Equations – From a Real Example

X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1

X[0][1]*X[0][3]+Z[0][2]+X[0][2]+1

X[0][1]*Z[0][1]+Z[0][2]+X[0][2]+1

X[0][1]*Z[0][2]+Z[0][2]+Z[0][1]+X[0][3]

X[0][2]*X[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1

X[0][2]*Z[0][1]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1

X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]

X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1

X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]

X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]

X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1

Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]

Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1

Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]

X[1][1]*X[1][2]+Z[1][1]+X[1][3]+X[1][2]+X[1][1]+1

X[1][1]*X[1][3]+Z[1][2]+X[1][2]+1

X[1][1]*Z[1][1]+Z[1][2]+X[1][2]+1

X[1][1]*Z[1][2]+Z[1][2]+Z[1][1]+X[1][3]

X[1][2]*X[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]

X[1][2]*Z[1][1]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]

X[1][2]*Z[1][2]+X[1][1]*Z[1][3]+X[1][1]

X[1][2]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][1]+X[1][3]+X[1][2]

X[1][3]*Z[1][1]+X[1][1]*Z[1][3]+Z[1][3]+Z[1][1]

X[1][3]*Z[1][2]+Z[1][3]+Z[1][1]+X[1][3]+X[1][1]

X[1][3]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][2]+X[1][2]+X[1][1]

Z[1][1]*Z[1][2]+Z[1][3]+X[1][1]

Z[1][1]*Z[1][3]+Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1

Z[1][2]*Z[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][3]+X[1][1]

1+X[0][1]=k_0

1+X[0][2]=k_1

1+X[0][3]=k_2

1+X[1][1]=k_3

1+X[1][2]=k_4

1+X[1][3]=k_5

Z[0][3]+X[2][1]=k_1

Z[1][1]+X[2][2]=k_2

Z[1][2]+X[2][3]=k_3

Z[1][3]+X[3][1]=k_4

Z[0][1]+X[3][2]=k_5

Z[0][2]+X[3][3]=k_0

Z[2][3]+1=k_2

Z[3][1]+1=k_3

Z[3][2]+1=k_4

Z[3][3]+1=k_5

Z[2][1]+0=k_0

Z[2][2]+1=k_1

1. Quadratic (for each S-box)

2. Linear (connecting S-boxes via key vars)

Page 108:

More Equations: XSL expansion

If L1 denotes

X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1

we have:

L1*1

L1*X[1][1]

L1*X[1][2]

L1*X[1][3]

L1*Z[1][1]

L1*Z[1][2]

L1*Z[1][3]

L1*X[1][1]*Z[1][1]

L1*X[1][1]*Z[1][2]

L1*X[1][1]*Z[1][3]

L1*X[1][2]*Z[1][1]

L1*X[1][2]*Z[1][2]

L1*X[1][2]*Z[1][3]

L56*k_0

L56*k_1

L56*k_2

L56*k_3

L56*k_4

L56*k_5

If L57 denotes 1+X[0][1]=k_0

we have:

L57*1

L57*X[0][1]

L57*X[0][2]

L57*X[0][3]

L57*Z[0][1]

L57*Z[0][2]

L57*Z[0][3]

L57*X[0][1]*Z[0][1]

L57*X[0][1]*Z[0][2]

L57*X[0][1]*Z[0][3]

L57*k_1

L57*k_2

L57*k_3

L57*k_4

L57*k_5

3. Part R (each S-box * some existing monomial)

4. Part R’ (linear * some existing monomial)

Page 109:

How to finish ?

• Initial proposal: T’ method.

– Works very well in practice, but requires being run many times (each time the rank increases).

• Alternatives:

– use Gröbner bases.

– better alternatives:

• SAT solvers,

• ElimLin.

Page 110:

5. New Equations: The T’ method

Example of how the rank grows:

(4 S-boxes).

7329 + 28

7329 + 52

7329 + 56

7329 + 96

7329 + 147

7329 + 165

7329 + 172

7329 + 173

7329 + 174

A unique solution found.

249.7 seconds

Page 111:

Will the T’ method suffice ?

Free/(T-T’) - XSL expected to work for up to 16 rounds.

Maybe…

Page 112:

Less Naive XSL Attack

• Over-counting Problem:

Now assume: R = t^P – (t–r)^P

• Saturation Problem:

Use the T’ method.

Page 113:

Complexity of the Less Naive XSL

Very surprisingly, more realistic formulas give very similar results to the naïve version: ω · (Block size)^O(t/r) · (Nb. of rounds)^O(t/r)

Is XSL polynomial with a huge constant? Not sure at all. Simulations show that P will rather increase (slowly) with Nr.

Page 114:

Summary:

XSL takes advantage of the fact that the equations are overdefined and sparse. Expected (at least) to work better than XL.

For 128-bit Rijndael the claimed XSL complexity was at least 2^230.

Page 115:

Is AES 256 bits broken ?

For AES-256, XSL seems to give 2^203 (the version on eprint, with cubic equations).

Not proven, based on heuristic assumptions:

Page 116:

Remark 1

People naively believe that XSL does not work well…

The truth: nobody knows !

Page 117:

Remark 2:

We know MUCH BETTER algebraic attacks on block ciphers today.

Page 118:

Murphy and Robshaw Variant

[Murphy, Robshaw, Crypto 2002, see Section 6, added after they read our paper].

They write an equivalent system of MQ equations, but over GF(2⁸).

Much more sparse than over GF(2). For AES 128 bits, it seems that XSL could solve such a system in as little as 2^100…

Page 119:

AES-128 broken in 2^88 ?

Gwenolé Ars PhD thesis [June 2005]: The author presents an attack in 2^88 that might “maybe” work… (?????)

Page 120:

Papers on XSL and AES

• The original paper (archive, not updated anymore) is available on eprint.iacr.org/2002/044: “First XSL attack”, “Second XSL attack” (the most powerful version).

• Asiacrypt 2002: the so-called “Compact Version of the First XSL Attack”. The most general version of the XSL attack, least powerful, simpler and easier to study.

Some software and tools: Do check: www.cryptosystem.net/aes/

Page 121:

Algebraic Attacks on Block Ciphers

© Nicolas T. Courtois, 2006-2011

Fast Algebraic Attacks On Block Ciphers

Page 122:

Fast Algebraic Attacks on Block Ciphers

Definition [informal on purpose] Methods to lower the degree of equations that appear throughout the computations… [e.g. max deg in F4] (more generally need to substantially lower the memory requirements of algebraic attacks compared to their running time).

Very rich galaxy of attacks to be studied in the next 20 years…

How to lower the degree ?

• by having several P/C pairs (bigger yet much easier !)

• by CPA, CPCA, etc…

• by fixing internal variables (Guess-then-Algebraic).

• by finding [approximate] equations on bigger blocks

– by interpolation [cf. W. Meier’s talk]

– by guessing equations that have strong bias

• Linear-Algebraic or Bi-Linear-Algebraic Cryptanalysis

• Differential-Algebraic.

• by clever choice of representation

• by introducing new variables (oh yes !)

• by having a larger key

• new tricks to be invented ?

cumulative effect !!!

Page 123:

How to Evaluate the Quality of Alg. Attacks

Compare ONLY to other similar attacks:

• Straightforward algebraic approach. Write + solve.

• Other attacks that work given VERY SMALL quantity of plaintexts.

• NEVER compare to DC/LC etc. Doesn’t make sense. Two independent areas of research that have no intersection.

– Both allow us to write 100s of papers but do not expect to break 3DES or AES tomorrow morning.

Page 124:

Solving Methods

Solver Software

Page 125:

Fact

In 2005-2006 huge progress has been made.

• Up to 510 S-boxes broken on a laptop: Fast Algebraic attacks on block ciphers <= Cumulative effect of improvements in many directions.

Page 126:

What’s New

The biggest discoveries in Science are the simplest.

Page 127:

3.3. ElimLin – The Most Surprising

Complete description:

• Find linear equations in the linear span.

• Substitute, and repeat.

Amazingly powerful, (Surprisingly) VERY HARD TO IMPLEMENT:

• Heuristics to preserve sparsity. Local optimization.

• Data Representation and Memory Management vs. Speed.

Page 128:

3.3. ElimLin – Remark:

In a way it is:

An ultra-light and super-simplified

version of F4 operating at “degree 1.05” or “2.01”

(makes sense: relatively small number of higher-degree monomials, and certain types of monomials much more likely to ever appear).

Page 129:

3.4. ANF-to-CNF - The Outsider

Before we tried, we actually never believed it could work…

Convert MQ to a SAT problem.

(both are NP-hard problems)

Page 130:

3.4. ANF-to-CNF - The Outsider

Principle 1: each monomial = one dummy variable.

d+1 clauses for each degree d monomial

Page 131:

Also

Principle 2: Handling XORs – Not obvious. Long XORs known to be hard problems for SAT solvers.

• Split longer XORs in several shorter with more dummy variables.

• About 4h clauses for an XOR of size h.
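As an added example (not the authors' tools from cryptosystem.net), here is Principle 1 and Principle 2 in Python: one dummy variable per monomial with d+1 clauses, long XORs split into a chain of 3-variable XORs with fresh dummy variables (4 clauses each, so about 4h for h terms), and a brute-force check that the CNF's solutions, projected onto the original variables, are exactly the ANF system's solutions. The toy system and the choice of cutting XORs down to length 3 are this example's own.

```python
from itertools import product

# Added example, not the tools from cryptosystem.net: ANF-to-CNF conversion (Principles 1 and 2)
# for a small constructed system, checked against brute force.  DIMACS-style conventions:
# variables are positive ints, a negative literal is a negation, a clause is a list of literals.

class AnfToCnf:
    def __init__(self, n_vars):
        self.n = n_vars                 # original variables are 1..n_vars
        self.next_var = n_vars + 1      # dummy variables are allocated above them
        self.clauses = []
        self.mono_var = {}              # monomial -> its dummy variable (shared between equations)

    def _new_var(self):
        self.next_var += 1
        return self.next_var - 1

    def monomial(self, mono):
        """Principle 1: a degree-d monomial x_1*...*x_d becomes a dummy t with t <-> (x_1 AND ... AND x_d),
        costing d+1 clauses; a degree-1 monomial is just the variable itself."""
        mono = frozenset(mono)
        if len(mono) == 1:
            return next(iter(mono))
        if mono not in self.mono_var:
            t = self._new_var()
            for x in mono:
                self.clauses.append([-t, x])                  # t -> x_i      (d clauses)
            self.clauses.append([t] + [-x for x in mono])     # all x_i -> t  (1 clause)
            self.mono_var[mono] = t
        return self.mono_var[mono]

    def add_equation(self, monomials, rhs):
        """Principle 2: sum(monomials) = rhs over GF(2).  The XOR is split into a chain of 3-variable
        XORs d_i = d_{i-1} xor l_i with 4 clauses each, i.e. about 4h clauses for h terms."""
        lits = [self.monomial(m) for m in monomials]
        if not lits:
            if rhs:
                self.clauses.append([])                       # 0 = 1: empty clause, unsatisfiable
            return
        acc = lits[0]
        for lit in lits[1:-1]:
            d = self._new_var()
            self.clauses += [[-acc, -lit, -d], [acc, lit, -d], [acc, -lit, d], [-acc, lit, d]]
            acc = d
        if len(lits) == 1:
            self.clauses.append([acc] if rhs else [-acc])
        elif rhs:
            self.clauses += [[acc, lits[-1]], [-acc, -lits[-1]]]    # acc != last
        else:
            self.clauses += [[-acc, lits[-1]], [acc, -lits[-1]]]    # acc == last

def anf_solutions(n, equations):
    """Reference: brute-force solutions of the ANF system over the n original variables."""
    return {pt for pt in product((0, 1), repeat=n)
            if all(sum(all(pt[v - 1] for v in m) for m in monos) % 2 == rhs for monos, rhs in equations)}

def cnf_solutions(conv):
    """Brute-force SAT over all variables (toy sizes only), projected onto the original variables."""
    sols = set()
    for bits in product((0, 1), repeat=conv.next_var - 1):
        if all(any(bits[abs(l) - 1] ^ (l < 0) for l in c) for c in conv.clauses):
            sols.add(bits[:conv.n])
    return sols

# Constructed toy system in x1..x4; its only solution is (x1, x2, x3, x4) = (0, 0, 1, 0).
TOY_SYSTEM = [
    ([{1, 2}, {3}], 1),                  # x1*x2 + x3 = 1
    ([{1}, {2}, {4}], 0),                # x1 + x2 + x4 = 0
    ([{2, 3}, {1, 4}, {2}], 0),          # x2*x3 + x1*x4 + x2 = 0
    ([{3, 4}, {1}, {2}, {3}, {4}], 1),   # x3*x4 + x1 + x2 + x3 + x4 = 1
]

def convert(n, equations):
    conv = AnfToCnf(n)
    for monos, rhs in equations:
        conv.add_equation(monos, rhs)
    return conv

if __name__ == "__main__":
    conv = convert(4, TOY_SYSTEM)
    print(len(conv.clauses), "clauses over", conv.next_var - 1, "variables")
    print("ANF solutions:", anf_solutions(4, TOY_SYSTEM))
    print("CNF solutions:", cnf_solutions(conv))
```

For the toy system the four degree-2 monomials cost 3 clauses each and the four XORs 2, 6, 6 and 14 clauses, 40 in total over 13 variables.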

Page 132:

ANF-to-CNF

This description is enough to produce a working version.

Space for non-trivial optimisations. See: Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson:

“Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers”.

Page 133:

Ready Software

Several ready programs to perform this conversion are made available on this web page:

www.cryptosystem.net/aes/tools.html

Page 134:

Solving SAT

What are SAT solvers?

Heuristic algorithms for solving SAT problems.

• Guess some variables.

• Examine consequences.

• If a contradiction is found, I can add a new clause saying “In this set of constraints one is false”.

Very advanced area of research.

Introduction for “dummies”: Gregory Bard PhD thesis.

Page 135:

MiniSat 2.0.

Winner of SAT-Race 2006 competition.

An open-source SAT solver package, by Niklas Eén and Niklas Sörensson.

Later improved A LOT by Mate Soos

=> CryptoMiniSat 2.9.X

Page 136:

Ready Software for Windows

Several ready programs to solve SAT problems are also available on the same web page:

www.cryptosystem.net/aes/tools.html

Page 137

ANF-to-CNF + MiniSat 2.0.

Gives amazing results in the algebraic cryptanalysis of just about any (not too complex / not too many rounds) cipher, cf. (VSH). Also for random sparse MQ systems.

• Certain VERY large systems solved in seconds on PC (thousands of variables !).

• Few take a couple hours/days…

• Then infeasible, sharp increase.

Jump from 0 to .

Page 138

What Are the Limitations of Algebraic Attacks ?

• When the number of rounds grows: complexity jumps from 0 to .

• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.

=> jumps from to nearly 0 !

Page 139

**What Can Be Done with SAT Solvers ?

• Clearly it is not the size of the system but the nature of it.

• Sometimes more powerful than GB, sometimes less.

Paradoxes:

• If you guess some variables, it can become much slower.

• Great variability in results (hard to compute an average running time, better to look at 20 % faster timings).

• Memory:

– For many cases tiny: 9 Mbytes while Magma hangs at > 2 Gbytes for the same system.

– For some working cases: 1.5 Gbytes and substantial time. Then terminates with the solution as well.

Page 140

***Toy Ciphers…

Page 141

CTC/CT2 = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes.

• Diffusion D: permuting wires (as DES P-box !).

• 1,2,4,8,… S-boxes per round.

• 1,2,3,…,10,…,30,… rounds.

• Key size == Block size.

• Simple key schedule: bit permutation (as in DES !)

Page 142

*CTC2 – more recent variant

• Virtually no difference

– Different D-box but difference only at 1 bit position (!).

– Changes everything w.r.t. linear cryptanalysis.

– Changes nothing w.r.t. algebraic cryptanalysis.

• In both cases 6 rounds are broken, 7 rounds maybe this year…

Page 143

**CTC vs. CTC2

CTC2: Just remove one “weak” bit:

No other difference. Same for “99 % of positions”.

Page 144

CTC2 S-box:

Random on 3 bits without linear equations.

Theorem [Courtois]: 14 MQ Equations:

Page 145

ToyRijndael and ToySerpent:

Basically a 4-bit version of CTC…

Page 146

ToyRijndael S-box [4 bits]

Inv+Affine as in AES, borrowed from Carlos Cid.

Theorem [Courtois]: 21 MQ equations.

ToySerpent S-box [4 bits]

Sbox number 2 [chosen at random] stolen from Serpent [without permission from the authors].

Theorem [Courtois]: 21 MQ equations.

Page 147

ToySerpent vs. ToyRijndael:

Both cases: 21 MQ equations.

Same degree, same number, yet TOTALLY DIFFERENT results (and we can explain why!).

Bad news for the idea (IOH) that I/O degree implies the existence of algebraic attacks.

• For some equations – good attacks [for 5 rounds].

• For some equations – little hope.

Rijndael S-box shows unexpected resistance w.r.t. our fast algebraic attack on block ciphers. [ElimLin].

Page 148

Weakness in Serpent S-box 2:

4 / 21 equations are of the types:

• 2 are “Linear + X2”.

• 2 are “Linear + Y2”.

0 / 21 such equations for 4-bit Rijndael S-box !

Page 149

Combined Effect of These:

They make it possible to “avoid” / “lower the relative rank of” the set of higher-degree monomials in the x_i in the algebraic equations that can be written for several rounds.

In other words, some quadratic monomials / some linear combinations of monomials can be systematically eliminated:

Claim: Will greatly help to compute Gröbner bases at a lower degree !

Now we will test the most optimistic version of this claim:

Replace F4 by ElimLin: how many linear equations can we generate ?

Page 150

Interesting and WEIRD Question

KPA. How many linear equations true with Pr=1:

[Figure: plaintexts P1, P2, P3 each pass through “0-few rounds” and then “more rounds” to reach the ciphertexts C1, C2, C3]

Page 151

Very Surprising and Powerful

Answer 1: They don’t exist (cf. LC).

Answer 2: They DO exist when the Pi are fixed !

• Can be recovered by interpolation ? I did program this. Some toy examples take ages… Most relevant cases => infeasible ! Too large matrices.

• Fact: I have found a method to compute these equations VERY EFFICIENTLY given the set of plaintexts Pi. Arbitrary = a KPA.

Remark: A whole (big) part of the algebraic attack is done for a truncated cipher, i.e. without knowing the ciphertext, so pre-computation is possible given the spec. of the cipher (problem in using it: only easy with CPA).

Page 152

When the Pi are fixed, how many equations ?

Nb. of linear equations found, 5 rounds x 3 S-boxes, KPA, truncated (unknown ciphertext) ToySerpent & ToyRijndael.

Equations with rounds 0-5.

Some totally avoid the first 2 rounds. Rounds 3-5.

More powerful with the full cipher (the ciphertexts are known => WORKS FROM both directions !!!!). ElimLin even easier !

Page 153

Combinatorial Explosion

Nb. of new linear equations grows FASTER than LINEAR!!!

Nb. of variables grows linearly in K.

Unstoppable force of an asymptotic…

See our lab: http://www.nicolascourtois.com/papers/ga18/AC_Lab1_ElimLin_Simon_CTC2.pdf


Page 154

What About…

Real Life Ciphers?

Page 155

DES

At first glance, DES seems to be a very poor target: there is (apparently) no strong algebraic structure of any kind in DES.

Page 156

What’s Left ?

Idea 1: (IOH)

Algebraic I/O relations. Theorem [Courtois-Pieprzyk]:

Every S-box has a low I/O degree.

=> 3 for DES.

Idea 2: (VSH)

DES has been designed to be implemented in hardware.

=> Very-sparse quadratic equations at the price of adding some 40 new variables per S-box.

Page 157

Results ?

Both Idea 1 (IOH) and Idea 2 (VSH) (and some 20 others I have tried…) can be exploited in working key recovery attacks.

Page 158

S-boxes S1-S4 [Matthew Kwan]

Page 159

S-boxes S5-S8 [Matthew Kwan]

Page 160

I / O Degree

A “good” cipher should use at least some components with high I/O degree.

Page 161

Theorem

Page 162

Corollary

Cubic Equations and DES

Exactly 112 for all DES S-boxes.
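The counts quoted on this and the earlier toy S-box slides (14 MQ equations for a 3-bit S-box, 21 for a 4-bit one, and the bound 176 − 64 = 112 for a 6-to-4-bit S-box at degree 3) all come from one computation: evaluate every monomial of degree ≤ d on the pairs (x, S(x)) and take the null space. The Python below is an added example, not code from the slides or from the author; the two S-box tables are constructed sample values (not the CTC2, Serpent or Rijndael boxes), and the “Linear + X2” / “Linear + Y2” types mentioned for the Serpent S-box are counted by restricting the monomial set.

```python
from itertools import combinations

# Constructed sample S-boxes (lookup tables, input x -> output S[x]). The values are
# chosen here as examples; they are not the CTC2, Serpent or Rijndael S-boxes.
SBOX3 = [7, 6, 0, 4, 2, 5, 1, 3]                                # 3-bit bijection
SBOX4 = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]  # 4-bit bijection


def monomials(n_in, n_out, degree):
    """All monomials of degree <= degree in x_0..x_{n_in-1} and y_0..y_{n_out-1}.
    A monomial is a tuple of variable indices (x_i -> i, y_j -> n_in + j); () is 1."""
    nvars = n_in + n_out
    return [m for d in range(degree + 1) for m in combinations(range(nvars), d)]


def linear_plus(n_in, n_out, side):
    """Monomial set of a 'Linear + X2' (side='x') or 'Linear + Y2' (side='y')
    equation: the constant, all linear terms, and quadratic terms of one side only."""
    quad_vars = range(n_in) if side == "x" else range(n_in, n_in + n_out)
    return monomials(n_in, n_out, 1) + list(combinations(quad_vars, 2))


def eval_monomial(mon, x, y, n_in):
    """Value of the monomial at the point (x, y), both given as integers."""
    for v in mon:
        bit = (x >> v) & 1 if v < n_in else (y >> (v - n_in)) & 1
        if not bit:
            return 0
    return 1


def gf2_rank(rows, ncols):
    """Rank over GF(2) of a 0/1 matrix whose rows are given as integer bitmasks."""
    rows, rank = list(rows), 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> col) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> col) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def count_io_equations(sbox, n_in, n_out, degree=2, mons=None):
    """Number of linearly independent I/O equations sum_m c_m * m(x, y) = 0 that hold
    for every pair (x, S(x)), with m ranging over `mons` (default: all monomials of
    degree <= `degree`). The coefficient vectors c form the null space of the
    evaluation matrix (rows: inputs x, columns: monomials), so the count is
    #monomials - rank. The matrix has only 2^n_in rows, hence the lower bound
    #monomials - 2^n_in: 22 - 8 = 14 (3-bit), 37 - 16 = 21 (4-bit), 176 - 64 = 112
    (6-bit in, 4-bit out, cubic), attained whenever the matrix has full row rank."""
    if mons is None:
        mons = monomials(n_in, n_out, degree)
    rows = []
    for x in range(1 << n_in):
        row = 0
        for col, mon in enumerate(mons):
            row |= eval_monomial(mon, x, sbox[x], n_in) << col
        rows.append(row)
    return len(mons) - gf2_rank(rows, len(mons))


if __name__ == "__main__":
    for name, box, n in (("3-bit", SBOX3, 3), ("4-bit", SBOX4, 4)):
        print(name, "linear equations:", count_io_equations(box, n, n, 1))
        print(name, "MQ equations:", count_io_equations(box, n, n, 2),
              "(lower bound", len(monomials(n, n, 2)) - (1 << n), ")")
        for side in "xy":
            print(name, "'Linear + %s2' equations:" % side.upper(),
                  count_io_equations(box, n, n, mons=linear_plus(n, n, side)))
    print("degree-3 monomials for a 6-in/4-out S-box:", len(monomials(6, 4, 3)))
```

For a 3-bit bijection every output bit is balanced and hence of degree at most 2 in the inputs, so three “Linear + X2” equations always exist; for 4-bit S-boxes this is no longer automatic, which is what separates the two toy ciphers.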

Page 163

5. Selected Results: Some Successful Attacks

Page 164

Results on CTC

Nicolas T. Courtois:

“How Fast can be Algebraic Attacks on Block Ciphers ?”. eprint.iacr.org/2006/168/

6 rounds broken: 255-bit key, 510 S-boxes.

ElimLin: 80 hours after 210/255 bits are guessed. 64 CP. About 10 times (slightly) faster than exhaustive search…

Page 165

Results on CTC2

Much more resistant to LC [cf. Orr Dunkelman and Nathan Keller : Linear Cryptanalysis of CTC, eprint.iacr.org/2006/250/].

ElimLin still breaks 6 rounds in the same way (no visible difference).

10 rounds broken if block=96, key=256.

Page 166

Results on ToySerpent

ToySerpent, 5 rounds, 32 S-boxes * 4 bits.

84 first key bits guessed, 44 remain unknown.

4 CP => broken in 32 hours by ElimLin.

6 rounds should be feasible for 256-bit version. Work in progress.

Page 167

Results on ToyRijndael

Unexpectedly strong, the only difference is the S-box:

0/21 “Linear+X2” equations...

Page 168

Results on DES

Nicolas T. Courtois and Gregory V. Bard:

Algebraic Cryptanalysis of the D.E.S.

In IMA conference 2007, pp. 152-169, LNCS 4887, Springer.

See also:

eprint.iacr.org/2006/402/

Page 169

What Can Be Done ?

Idea 1 (Cubic IOH) + ElimLin:

We recover the key of 5-round DES with 3 KP faster than brute force.

• When 23 variables are fixed, takes 173 s.

• Magma crashes at > 2 GB of RAM.

Idea 2 (VSH40) + ANF-to-CNF + MiniSat 2.0:

Key recovery for 6-round DES. Only 1 KP (!).

• Fixing 20 variables: takes 68 s.

• Magma crashes with > 2 GB.

Page 170

What Else Can We Do ?

Claim: Algebraic Cryptanalysis is an excellent tool TO STUDY block and stream ciphers. For all properties that hold:

• With probability 1 or close.

• For 3,4,5,6 rounds.. (already a lot, very complex to analyse by hand).

Proposed Application [probably feasible for many ciphers]:

• Find a 4-round differential that holds with probability 1.

• Show that there isn’t any (unsatisfiable/contradictory system of equations).

Page 171

Example:

Looking for another special property of DES.

An attack with a known key (glass-box).

Motivation:

educational, study differential cryptanalysis.

I present this one because it works on a laptop PC for 12 full rounds of DES (which is the best result I have for now).

Page 172

DC example

Page 173

What We Can Do:

Given a key, find a plaintext with difference ('00196000', '00000000') that carries over 12 rounds.

Naïve method (exhaustive search): requires 2^48 trial encryptions ≈ 3 CPU years.

Idea 2 (VSH40) + MiniSat 2.0:

Only 6 hours.

Page 174

This Was Easy !

Why ?

Reason:

There are many solutions (about 2^16).

Conclusion:

Algebraic attacks with SAT are easier when there are many solutions.

=> Algebraic cryptanalysis should be a very good tool for breaking hash functions [as shown by Mironov-Zhang, Crypto 2006 Rump Session].

Page 175

Conclusion:

Keys and special properties of block ciphers CAN be computed in practice with algebraic attacks, and this with little [human] effort.

Page 176

Algebraic Attacks on Block, Stream Ciphers

2001-2015

Back to Bigger Picture

Page 177

Unified view of Algebraic Attacks

Algebraic Security Criterion [Courtois 1999]:

Non-existence of low-degree/small size multivariate relations between the input bits and the output bits.

Page 178

Avoid Algebraic Relations…

…between inputs/outputs.

• Applies to multivariate public key cryptosystems: Sflash, Quartz

• Applies to the non-linear part of a stream cipher, even if stateful.

• Applies to the S-boxes of a block cipher.

Page 179

Claim

This criterion is necessary for the security of all these ciphers.

No proof.

A precaution. Many ciphers still secure.

Page 180

2. Algebraic Attacks on HFE and Other PKCs Based on Multivariate Polynomials

Page 181

Security of HFE

Special case: Matsumoto-Imai cryptosystem [Eurocrypt'88]

A power function (as in the Rijndael S-box): x -> x^3

Page 182

Attack on Matsumoto-Imai

x -> x^3

The inverse function gives Boolean functions of very high degree.

Attack: there are many multivariate bilinear relations that allow one to break the cipher in no time.

[Jacques Patarin, Crypto’95]

Page 183

Attack on HFE

x -> polynomial of degree d

Again multivariate relations, attack in n^(3/2 log d).

[Nicolas Courtois PhD thesis 1998, published in CT-RSA 2001]

New paper about this: [Faugère, Joux, Crypto 2003]. Same attack, but explains the origin of these equations !

Forgot to acknowledge 4 previously published papers.

[Patarin, Courtois, Shamir-Kipnis, Courtois-Daum-Felke].

Page 184

3. Algebraic Attacks on Stream Ciphers with Linear Feedback (e.g. LFSR-based)

Page 185

Main Problem: Linear Feedback

A great many stream ciphers have a linear feedback (e.g. LFSRs):

state = multivariate linear function (prev. state)

So what ?

Page 186

Linear Feedback is Dangerous

It preserves the degree of the equations.

My claim: If one can relate state bits and output bits by only one multivariate equation of low degree without extra variables then:

• the cipher is broken in polynomial time,

• it is hard to find the right equations, a mix of insight and experimental results, but…

• such attacks may be surprisingly fast, e.g. 2^31.

Page 187

One I/O Equation => Broken ∈ P

[Figure: a linear component drives a combiner with memory; I and O mark the combiner's input and output]

Page 188

Common Opinions on Stream Ciphers

“Most real life designs centre around LFSRs combined by a non-linear Boolean function.”

“State of the art in generic stream ciphers cryptanalysis can be summarized as follows: correlation and fast correlation attacks.”

[Eric Filiol, Decimation Attack of Stream Ciphers, eprint.iacr.org, 2000]

Page 189

Common belief:

Ciphers with linear feedback (LFSR, etc…) can be made secure using highly non-linear Boolean functions.

Page 190

The Tale of “Good” Boolean Functions..

Prevent correlation and other classical attacks.

There are other attacks!

• “Good” Boolean functions

• “Good” S-boxes etc…

A “Good” Boolean function…

Page 191

Some Remarks ! (no comments)

“We can strongly affirm that a very consequent theory of stream encryption exists…”

“Block ciphers are not secure, one should use stream ciphers instead…”

“It is impossible to hide a trapdoor in a stream cipher …”

[Eric Filiol, Plaintext-Dependent Repetition Codes …the AES case, eprint.iacr.org, 2003]

Page 192

The Tale of “Good” Boolean Functions..

Naïve belief that ciphers built out of such components would be secure.

In fact this approach fails, sometimes quite miserably, to produce secure ciphers:

• Algebraic attacks on AES and Serpent [Courtois-Pieprzyk, AsiaCrypt 2002].

• Stream ciphers: much worse. [For some ciphers, there are no “good” Boolean functions !]

Page 193

Popular stream ciphers:

Linear sequence generator + a stateless combiner.

Example: One/several LFSRs + a Boolean function.

[Figure: linear feedback → state → non-linear filter]

Page 194

Notations

• Initial key k ∈ GF(2)^n: n bits k_0, k_1, k_2, …, k_{n-1}

• The state s ∈ GF(2)^n. First s = k,

• Then s = L(s) etc..

• Output bits: apply f(s): b_i = f(L^i(k))

Given: some of the b_i

Find: the secret key k

[Figure: linear feedback over the state cells s_0, s_1, …, s_{n-1}]

Page 195

Direct Algebraic Attack Approach:

Solve this system of equations.

Extremely overdefined even for moderate quantity of keystream, e.g. 20 Kbytes.

Page 196

Example:

Toyocrypt, n=128, d=63.

What if the degree d is too big ?

1) Find a low degree approximation – not today, see Nicolas Courtois: Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt, ICISC 2002 or eprint.iacr.org

2) Better attacks – today.

Page 197

Problem:

The degree is usually high… (even AFTER taking a lower degree approximation)

As for HFE and the Rijndael S-box, consider multivariate relations instead of equations…

Page 198

Solution (the same as usual):

Relations instead of equations…

I/O equations = implicit eqs.

Their degree turns out to be much lower !

Page 199

Toyocrypt

One of the only two stream ciphers accepted to the second phase of CRYPTREC (for the Japanese government).

Page 200

The design of Toyocrypt

• A bent function

• add s_127 to make it balanced.

Page 201

Fact: Toyocrypt

There is a multivariate relation of degree 3 in the 128 key bits and involving 1 consecutive output bit.

Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

Page 202

LILI-128

One of the NESSIE candidates, claimed very secure, rejected (all the other stream ciphers were rejected too !)

Page 203

Fact: LILI-128

There is a multivariate relation of degree 4 in the 89 key bits and involving 1 consecutive output bit.

Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

Page 204

E0

Stream cipher used in the Bluetooth wireless interface.

Page 205

Fact: E0

There is a multivariate relation of degree 4 in the 128 key bits and involving 4 consecutive output bits.

Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.

Page 206

So what ?

One equation is enough to break all these !

Due to the

• Recursive structure of the cipher,

• Linear feedback (e.g. in LFSRs), which preserves the degree,

we may generate as many equations as we want.
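The notations slide (b_i = f(L^i(k))), the “relations instead of equations” slides and the point just made (linear feedback preserves the degree, so one relation gives an equation for every keystream bit) can be checked on a small constructed generator. The Python below is an added example, not code from the slides or the cited papers; the 16-bit LFSR and its taps, the filter f = s0 s1 s2 s3 + s4 and the sample key are all constructed here, and the filter only imitates the Toyocrypt shape of a high-degree part plus a linear term.

```python
from math import comb

# ANF polynomials over GF(2): a polynomial is a set of monomials and a monomial is a
# frozenset of variable indices (frozenset() is the constant 1); x_i * x_i = x_i.
ONE = {frozenset()}


def p_add(a, b):
    return a ^ b                    # XOR of monomial sets: equal monomials cancel


def p_mul(a, b):
    out = set()
    for ma in a:
        for mb in b:
            out ^= {ma | mb}        # product of monomials = union of their variables
    return out


def p_degree(p):
    return max((len(m) for m in p), default=-1)


def p_eval(p, bits):
    return sum(all(bits[v] for v in m) for m in p) & 1


# Constructed toy generator (not Toyocrypt itself): a 16-bit LFSR whose new bit is
# s0 + s2 + s3 + s5, filtered by f(s) = s0*s1*s2*s3 + s4: one degree-4 term plus a
# linear term, the shape that lets a low-degree multivariate relation exist.
N = 16
TAPS = (0, 2, 3, 5)


def lfsr_state_forms(t):
    """The N state bits after t clocks, each as a linear form in k_0..k_{N-1}: L^t(k).
    The sequence a_j starts with a_j = k_j and then follows the feedback recurrence."""
    seq = [{frozenset([i])} for i in range(N)]
    for j in range(N, N + t):
        fb = set()
        for tap in TAPS:
            fb = p_add(fb, seq[j - N + tap])
        seq.append(fb)
    return seq[t:t + N]


def filter_f(s):
    """f(s) = s0*s1*s2*s3 + s4 on symbolic (ANF) state bits."""
    return p_add(p_mul(p_mul(s[0], s[1]), p_mul(s[2], s[3])), s[4])


def output_equation(t):
    """Keystream bit b_t = f(L^t(k)) as an ANF in k. Because L is linear, substituting
    L^t(k) into f never raises the degree: every b_t equation has degree 4."""
    return filter_f(lfsr_state_forms(t))


def relation_equation(t, b_t):
    """A multivariate relation instead of the equation itself: g(s) * (f(s) + b_t) = 0
    with g = s0 + 1. Since (s0 + 1) * s0 * s1 * s2 * s3 = 0, only (s0 + 1) * (s4 + b_t)
    survives, so this holds with degree 2 in k although f has degree 4."""
    s = lfsr_state_forms(t)
    g = p_add(s[0], ONE)
    return p_mul(g, p_add(filter_f(s), ONE if b_t else set()))


def keystream(key, nbits):
    """The concrete generator, used to cross-check the symbolic equations."""
    s = list(key)
    out = []
    for _ in range(nbits):
        out.append((s[0] & s[1] & s[2] & s[3]) ^ s[4])
        fb = 0
        for tap in TAPS:
            fb ^= s[tap]
        s = s[1:] + [fb]
    return out


def linearization_unknowns(degree):
    """Number of monomials of degree 1..degree in the N key bits, i.e. the unknowns
    left after linearization; lowering the degree from 4 to 2 shrinks it drastically."""
    return sum(comb(N, d) for d in range(1, degree + 1))


if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed sample key
    ks = keystream(key, 24)
    for t in (0, 5, 23):
        eq, rel = output_equation(t), relation_equation(t, ks[t])
        print("t=%d: b_t equation degree %d (%d monomials), relation degree %d "
              "(%d monomials), consistent with the key: %s" % (
                  t, p_degree(eq), len(eq), p_degree(rel), len(rel),
                  p_eval(eq, key) == ks[t] and p_eval(rel, key) == 0))
    print("unknowns after linearization: degree 4 ->", linearization_unknowns(4),
          "| degree 2 ->", linearization_unknowns(2))
```

The same check applied to a candidate filter (try each low-degree multiplier g and see whether g·f or g·(f+1) drops in degree) is the design-side test that the algebraic security criterion of the earlier slides asks for.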

Page 207

So what?

One equation is enough to break all these!

• Given keystream bits -

• Using bits of memory -

• The secret key can be recovered in .

• Verified experimentally.
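As an added example (not code from the slides or their author), here is the linearization attack on a constructed toy filter generator: a 17-bit LFSR with a degree-2 filter f(a, b, c) = ab + c. Every constant below (LFSR length, feedback taps, filter tap positions, the sample key) is an assumption chosen for the toy; the code shows that the linear feedback keeps every keystream equation at degree 2 in the initial state bits, so treating each product k_i k_j as a fresh unknown and collecting a few hundred keystream bits lets plain Gaussian elimination over GF(2) recover the key.

```python
# Added toy example (not from the slides): the linearization attack on an LFSR with
# a degree-2 filter. Since feedback is linear, each state bit at time t is a known
# linear form in the initial bits k_0..k_{N-1}, so every keystream bit yields one
# degree-2 equation in those bits; monomials k_i*k_j are then solved as unknowns.
N = 17                    # LFSR length, a constructed toy (prime: full-rank system)
TAPS = (17, 14)           # s[t+17] = s[t] + s[t+3], i.e. x^17 + x^3 + 1 (primitive)
FILT = (0, 5, 11)         # state positions a, b, c feeding f(a, b, c) = a*b + c
M = N + N * (N - 1) // 2  # unknowns after linearization: k_i and k_i*k_j, i < j

def state_forms(nclocks):
    """Yield the state at each clock as linear forms: bit i set <=> contains k_i."""
    st = [1 << i for i in range(N)]                   # at time 0, state bit i is k_i
    for _ in range(nclocks):
        yield st
        st = st[1:] + [st[N - TAPS[0]] ^ st[N - TAPS[1]]]  # XOR of forms stays linear

def keystream(key, nbits):
    """The real generator: evaluate the same forms on a concrete secret key."""
    ev = lambda s, p: bin(s[p] & key).count("1") & 1
    return [(ev(s, FILT[0]) & ev(s, FILT[1])) ^ ev(s, FILT[2]) for s in state_forms(nbits)]

def col(i, j):
    """Column of monomial k_i*k_j (i < j), placed after the N linear columns."""
    return N + i * N - i * (i + 1) // 2 + (j - i - 1)

def linearize(s, z):
    """Expand z = a*b + c into one GF(2) row over the M monomials; RHS in bit M."""
    a, b, c = (s[p] for p in FILT)
    row = c                                           # linear part: columns 0..N-1
    for i in range(N):
        for j in range(N):
            if a >> i & 1 and b >> j & 1:             # k_i*k_i = k_i over GF(2)
                row ^= 1 << (i if i == j else col(min(i, j), max(i, j)))
    return row | z << M

def recover_key(stream):
    """Gaussian elimination over GF(2), one row per known keystream bit."""
    piv = {}                                          # pivot column -> row
    for s, z in zip(state_forms(len(stream)), stream):
        r = linearize(s, z)
        for c in range(M):
            if r >> c & 1:
                if c not in piv:
                    piv[c] = r
                    break
                r ^= piv[c]
    for c in sorted(piv, reverse=True):               # back-substitute to reduced form
        for c2 in piv:
            if c2 < c and piv[c2] >> c & 1:
                piv[c2] ^= piv[c]
    if any((piv.get(i, 0) & ((1 << M) - 1)) != 1 << i for i in range(N)):
        raise ValueError("rank deficient: need more keystream bits")
    return sum((piv[i] >> M & 1) << i for i in range(N))
```

With 2·M = 306 keystream bits the system has full rank 153 and `recover_key` returns the 17-bit initial state, far below the 2^17 guesses of brute force; the slides' real targets have the same shape with 89 to 128 state bits and degree-4 relations.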

Page 208:

Results

• Toyocrypt – Cryptrec submission: 2^49

Verified, works perfectly well in practice.

• LILI-128 – Nessie submission: 2^57

[Courtois, Meier, Eurocrypt 2003]

• E0 – Bluetooth keystream generator: 2^70

[Armknecht, Krause, Crypto 2003]

Page 209:

Can We Do Better? If the keystream bits are consecutive:

Yes, much better!

Nicolas Courtois: “Fast Algebraic Attacks on Stream Ciphers with Linear Feedback”, Crypto 2003.

Studied in more detail by Armknecht, and by [Hawkes-Rose, Crypto’04].

Page 210:

Improved Results

Gives the best attack known so far for 3 well known stream ciphers:

• Toyocrypt – Cryptrec submission: 2^25

• LILI-128 – Nessie submission: 2^31

• E0 – Bluetooth keystream generator: 2^49

Page 211:

Broken at the First Glance…

In 2005 Braeken, Lano, Mentens, Preneel and Verbauwhede invented a new stream cipher:

• SFINKS – ECRYPT submission: 2^71

Nicolas Courtois: Cryptanalysis of Sfinks. eprint.iacr.org/2005/243

Simply broken once you take the time to examine the (already known) algebraic attack. BUT: one needs to run many computer simulations to determine whether suitable equations exist; there is no theoretical method to predict the result...

Page 212:

Scary Algebraic Equations..

Goal: design an LFSR-based stream cipher with security 2^128.

Problem: How to make sure that there is no algebraic relation of size 2^100 that relates key bits and output bits?

Example: the linear complexity may be 2^100. I cannot check whether such relations exist...

Page 213:

Scary Algebraic Equations.. Problem: How to make sure that there is no algebraic relation of size 2^100?

The Crypto’03 paper clearly demonstrates that in MANY interesting cases you cannot be sure unless you can do about 2^100 computations.

The same holds for linear complexity (many ciphers will be broken in a time close to their linear complexity).

Murphy course: should be 2^40. Not enough!!!

Many other relations may exist…

Page 214:

Conclusion – Stream Ciphers

Good Boolean functions are by far not enough to get secure ciphers.

LFSR-based stream ciphers cannot claim security UNLESS they are PROVABLY secure against algebraic attacks.

How ? OPEN PROBLEM.

Page 215:

More on Stream Ciphers:

Linear sequence generator (linear feedback, state) + a combiner with memory, which may be key-dependent.

Page 216:

All Stream Ciphers Broken ?

It depends what we mean by “BROKEN”…

• Fixed-size filter/combiner and an LFSR with n bits.

• Polynomial in n vs. non-polynomial in n.

• In this sense many of them are broken.

Page 217:

All Stream Ciphers Broken ?

1. An LFSR + Boolean function (fixed number of inputs): POLYNOMIAL.

Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

Page 218:

Stream Ciphers Broken in Poly…

2. An LFSR + Any Combiner with Memory: POLYNOMIAL.

• Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.

• Nicolas Courtois: Algebraic Attacks on Combiners with Memory and Several Outputs. ICISC’04, available at eprint.iacr.org/2003/125. A different proof of the same theorem, greatly improving the result for combiners with several outputs.

Page 219:

More Ciphers Broken in Poly…

3. An LFSR + Secret or Key-Dependent Boolean Function: POLYNOMIAL.

• - - work in progress - -

• Nicolas Courtois, Philip Hawkes: Fast Algebraic Attacks on Stream Ciphers and the Discrete Fourier Transform; Greg Rose, Philip Hawkes: Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers. Both in Crypto 2004.

Page 220:

More Ciphers Broken in P time…

4. An LFSR + Any Secret or Key-Dependent Combiner with Memory.

Conjecture [Meier-Courtois 2003]: POLYNOMIAL.

• Nicolas Courtois, Philip Hawkes, Willi Meier: Algebraic Attacks on Stream Ciphers with Unknown or Key-Dependent Components. Work in progress… Not sure about the result…