invarianthoppingattacks on block ciphers · invarianthoppingattacks on block ciphers attack 1 2x...

Invariant Hopping Attackson Block Ciphers

attack 12x linear

attack 21x linear

attack 3

attack 4strong Bool + high degree invariant +

high success proba

Nicolas T. CourtoisUniversity College London, UK

Block Cipher Invariants

2

Roadmap

Part 1: Cold War / History Block Ciphers

Part 2: New Attacks:

Constructive Cryptanalysiswith Polynomial Invariants + Annihilators+ inside Boolean ring Bn

Algebraic Attacks on Block Ciphers Nicolas T. Courtois

3

Question 1:Why 0% of symmetric encryption

used in practice areprovably secure?

A New Frontier in Symmetric Cryptanalysis

4

MQ Problem

Dense MQ is VERY hard. Best attacks ≈ 20.8765n

• top of the top hard problem.• for both standard and PQ crypto

=> Allows to build a provably secure stream cipher based on MQ directly!C. Berbain, H. Gilbert, and J. Patarin:

QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005

=> provably secure encryption exists!

mqchallenge.org FXL/Joux 2017/372


5

Question 2:Why researchers have found

so few attacks on block ciphers?

“mystified by complexity”


6

Claim:Finding new attacks

on block ciphers isEASY and FUN


7

Dr. Nicolas T. Courtois blog.bettercrypto.com

1. cryptanalysis


8

Dr. Nicolas T. Courtois blog.bettercrypto.com

1. cryptanalysis

2. industrial crypto


9

Code Breakers - LinkedIn

Code Breakers

Nicolas T. Courtois10

3. Crypto History

Roadmap

11

Towards Modern Crypto


12

1960sNATO Cipher competition

• UK

• US

• France

• Germany

Requirements:

• “tapeless and rotorless” => semi-conductor electronic,

• high EM/SCA security!

Backdoors


French Submission

• large period, non-linearity / removing the correlations (p.108)“…certainement la meilleure machine cryptographique de son époque…" ??????????????????????????????????????????????????????????

[2004]

Code Breakers

14

Compromise of Old Crypto

• USS Pueblo / North Korea Jan 1968


15

Cold War

Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…

[Source: Cryptologia, interviews by David Kahn with gen. Andreev=first head of FAPSI=Russian NSA]

Example: In 1967 GRU (Soviet Intelligence) was intercepting cryptograms from 115 countries, using 152 cryptosystems, and among these they broke 11 codes and “obtained” 7 other codes.


16

US/NATO crypto broken

Russia broke the NATO KW-7 cipher machine: Walker spy ring, rotors+keys,

• paid more than 1M USD (source: NSA)

• “greatest exploit in KGB history”

• allowed Soviets to “read millions”of US messages [1989, Washington Post]


17

1970sModern block ciphers are born.

In which country??


18

1970sModern block ciphers are born.

In which country??

Who knows…

Eastern Bloc also worked on these questions… and for a long time.


19

1927The inventor of the

ANF = Algebraic Normal Form

en.wikipedia.org/wiki/Zhegalkin_polynomial

Russian mathematician and logician

Ива́н Ива́нович Жега́лкин [Moscow State University]

“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”

Bn,+,*

Backdoors


Our Sources

T-310spec

Backdoors


Our Sources

BStU = Stasi Records Agency

ZCO = Zentrales Chiffrierorgan

der DDR

T-310


East German T-310 Block Cipher

240 bits

long-term secret 90 bits only!

“quasi-absolute security” [1973-1990]

has a physical

RNG=>IV


ReferencesNicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi, Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf , 132 pages, 2017

Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310, in Cryptologia, vol 42, iss. 4, pp. 316-336, May 2018.

Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh:

Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018,

https://www.tandfonline.com/doi/abs/10.1080/01611194.2018.1483981

Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.


24

Cipher Class Alpha –1970s

Who invented Alpha? [full document not avail.]


25

T-310 [1973-1990] – 4 branches


26

IBM USA 1970s

IBM have agreed with the NSA that the design criteria of DES should not be made public.

NSA have generated DES S-boxes. source: Coppersmith, invited talk@Crypto, summer 2000.

Security of DES (overview)

27

“Official” History of Cryptanalysis

• DC was known @IBM in 1970s

• Davies-Murphy attack [1982=classified, published in 1995] = early LC

• Shamir Paper [1985]……… early LC

• Differential Cryptanalysis :Biham-Shamir [1991]

• Linear Cryptanalysis: Gilbert and Matsui [1992-93]


28

One form of DC was known in 1973!


29

LC at ZCO - 1976!


30

Discrete Differentials and HO DC – 1976 !

Higher Order:


31

Computing HO Differentials for All Orders

.

.

. fast points!

Backdoors


Contracting Feistel [1970s Eastern Germany!]

1 round of T-310

φ

Roadmap

33

Backdoors

Roadmap

34

Backdoors vs.

“Normal” Cryptanalysis

All our attacks work with relatively large probability.

– so if you are not lucky a cipher which was NOT backdoored will also be broken!

Better Card-only Attacks on Mifare Classic

Nicolas T. Courtois, 2009-1735

Any Backdoors?

Claim: Non-bijective φ – ALL broken! See:

1. Nicolas T. Courtois, Maria-Bristena Oprisanu: “Ciphertext-Only Attacks and Weak Long-Term Keys in T-310”

[Cryptologia v.42 iss. 4 2018]

Backdoors

36

How to Backdoor T-310 [yes we can]

bad long-term key

omit just 1 out of 40 conditions: ciphertext-only

Backdoors

37

LC Method to Backdoor T-310 [2017]

bad long-term key1,3,5 => 1,3,5 P=1

703P=7,14,33,23,18,36,5,2,9,16,30,12,32,26,21,1,13,25,20,8,24,15,22,29,10,28,6D=0,4,24,12,16,32,28,36,20


38

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]


39

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]

Concept of non-linear I/O sums.

F(inputs) = G(outputs) with some probability…


40

Connecting Non-Linear Approxs.Black-Box Approach

Non-linear functions F G H I.

F(x1,…)

G(x1,…) H(y1,…)

I(z1,…)


41

GLC and Feistel Ciphers ?

[Knudsen and Robshaw, EuroCrypt’96

“one-round approximations that are non-linear […] cannot be joined together”…

At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!


42

BLC better than LC for DES

Better than the best existing linear attack of Matsui

for 3, 7, 11, 15, … rounds.

Ex: LC 11 rounds:

BLC 11 rounds:


43

Wrong Approach [!!!!]Black-Box Combination Approach

constructive BUT limited possibilities…

F(x1,…)

G(x1,…) H(y1,…)

I(z1,…)


44

White Box Approach

New! [Courtois 2018]

Study of non-linear I/O sums.

P(inputs) = P(outputs)


45

New White Box Approach

Study of non-linear I/O sums.

.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.

BIG PROBLEM: 22^n possible attacks


46

Variable Boolean Function

We denote by Z our Boolean function

We consider a space of ciphers where Z is variable.

Question: given a fixed polynomial Pwhat is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds).


47

Invariant Hopping

attack 12x linear

attack 21x linear

attack 3

attack 4strong Bool + high degree invariant +

high success proba


Nicolas T. Courtois, January 200948

Group Theory – Is DES A Group?

Study of group generated by φK for any key K.

Typically AGL not GL. Any smaller sub-groups?






This question was also studied @Eastern Bloc


51

Hopping in Group Lattices

attack 1

three invariantslinear Boolean function

AGL


52


attack 1three invariants

linear Boolean function

attack 2two invariants

bad Boolean function

AGL


53






attack 36one high degree invariantstrong Boolean function

AGL




attack 1

three invariantslinear Boolean function



attack 36one complex high degree invariant

strong Boolean function

AGL


55

“Hopping” Discovery Method

Making the impossible possible. How?

Learn from examples. old => new attack

• transform a linear attack on a weak cipher with a linear Boolean function

• into non-linear attack on a cipher with a “strong” Boolean function.


56

“Hopping” Discovery

• We navigate inside a “product lattice” =def= set of pairs (set of invariants, cipher spec) =

-all possible invariant attacks

-all possible ciphers [we modify the spec of the cipher]

• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.


57

Linear Attack – Example


58

Exact Thm. [eprint/2017/440]


59

Hopping Step 1 First we look at an attack where the Boolean

function is linear and we have trivial LINEAR invariants (same as Matsui’s LC)

Example:

Backdoors


A Vulnerable Setup

1 round of T-310

φ


61

Hopping Step2Now could you please tell us if

is an invariant?


62

Hopping Step2Now could you please tell us if

is an invariant?

The answer is remarkably simple.


63

Hopping Step2Theorem:

is an invariant IF AND ONLY IF

a certain polynomial = FE =

is zero (as a polynomial, multiple cancellations)


64





65




subs by ANF

simplifies to:


66

Hopping Step2 Theorem:




67

What is Special About P 2-factoring decomposition

= AC+BD.

is invariant IF AND ONLY IF

some solutions are:


68

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF


69

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

a multiple of the previous polynomial!


70

Corollary:Easy Thm. [not included in the paper].

For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2)then also ABCD is an invariant (degree 4).

Note: there is no invariant of degree 3 etc…


71

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????


72

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????

Answer: easy: a root of second polynomial and NOT a root of the first [almost always].

mC=YCmBCD=YBCD


73

Summary1. We start with a trivial attack on a weak cipher.

Benefit: a certain polynomial has a solution.

2. Then some non-linear invariants also exist = additional roots.

3. Then we modify the cipher [manipulation of roots of our FE] and the invariant so that simple invariants are removed.

4. What you get is a bit like a backdoor!

– Potentially hard to detect.


74

ConclusionWe modify the cipher and the invariant

so that simple invariants disappear.

Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]


75

Irreducible PolynomialsRemark:

For a long time we searched for invariant attacks where P

is an irreducible polynomial.

We were wrong!


76

Product Question

Trivial NL invariants based on cycles in LC.

A ® B ® C ® D ® A

Then ABCD is a round invariant of degree 4.

Stupid??


77

Product Question


A ® B ® C ® D ® A

Then ABCD is a round invariant of degree 4.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.


78

Product Question


A ® B ® C ® D ® E® A

Then ABCDE is a round invariant of degree 5.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.

Trivial invariants can be REMOVED!!!!








attack 36one complex high degree invariant

strong Boolean function

AGL


80

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a random Boolean function?


81

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a random Boolean function?

YES, see [eprint/2018/1242]

Degree 8 attack, P =ABCDEFGH. extremely strong: 15% success rate over the choice of a random Boolean function.


82

Other Ciphers? DES


83

Bonus: New No-Trivial Attacksan irregular sporadic attack with P of degree 7


84

New White Box Method

[Courtois 2018]

Same concept of a non-linear I/O sums.Focus on perfect invariants mostly.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.Exploits the structure of the ring Bn.

• annihilation events absorption events

• would be unthinkable if we had unique factorisation

ABCD=A’B’C’D’


85

*Lack Of Unique Factorization

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))

sage: 0

sage:


86

*Lack Of Unique Factorization

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))

sage: 0

sage:

invarianthoppingattacks on block ciphers · invarianthoppingattacks on block ciphers attack 1 2x...

Documents