Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Introduction to Design and Cryptanalysis of BlockCiphers
Lars R. Knudsen
Oktober 2015
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
What is cryptography?
Cryptography is communication in the presence of an adversaryRon Rivest.
Coding theory
Detection and correction of random errors
Cryptography
Detection and protection of hostile “errors”
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
What is cryptography about?
Secrecy (confidentiality)
Keeping things secret (data, communication, entity, etc.)
Authentication
Assurance about authenticity (of data, origin, entity, etc.)
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Symmetric encryption
Message MessageEncryption Decryption
%AC&@9^(
Secure channel
Classical encryption
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Public-key encryption
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Public-key versus symmetric cryptosystems
Advantages Disadvantages
Symmetric fast systems
secure key-exchange
Public-key slow systems
built-in key-exchange
Hybrid encryption
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Introduction to symmetric cryptosystems
Cryptosystem (P, C,K, E ,D)
P : set of plaintexts
C : set of ciphertexts
K : set of keys
E : for k ∈ K : ek(x) encryption rule
D : for k ∈ K : dk(x) decryption rule
For every k ∈ K : it holds for all m that dk(ek(m)) = m
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Symmetric encryption
Kerckhoffs’ principle
Everything is known to an attacker except for the value of thesecret key.
Attack scenarios
Ciphertext only
Known plaintext
Chosen plaintext/ciphertext
Adaptive chosen plaintext/ciphertext (black-box)
Typical goal
High security even under black-box attack
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Claude E. Shannon, 1916-2001
Communication Theory of Secrecy Systems, published in 1949.
Theory
First person to establish a theory for provable security.
Principles
His ideas for building (symmetric) ciphers still used today.
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Shannon’s Theory
Definition
Perfect secrecy ⇐⇒ PrP(x |y) = PrP(x), ∀x ∈ P, y ∈ C
Fact
A cryptosystem where |K| = |P| = |C| provides perfect secrecy ifand only if
1 PrK(K ) = 1|K| , ∀K ∈ K
2 ∀x ∈ P, y ∈ C, ∃ unique K such that eK (x) = y
Example
One-time pad: eK (x1, . . . , xn) = (x1 ⊕ k1, . . . , xn ⊕ kn)
All keys equally likely
Each key used only once
Key as long as plaintext and ciphertext
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Unicity distance
Definition (Redundancy)
RL: which percentage of a language L is redundant
Example
th weathr is nice 2d.RL for English is 75%.
Definition (Unicity distance)
minimum number of ciphertext blocks attacker needs in order tobe able to uniquely identify secret key
t0 'log2(|K|)
RLlog2(|P|)
t0 = mint : s.t. essentially only one value of the key could haveencrypted c1, . . . , ct
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Unicity distance in known/chosen plaintext attack
Question
What is the unicity distance under a known plaintext attack ??
Assume that we are given t encryptions, that is, the plaintext blocksand the corresponding ciphertext blocks.
Question - again
How big does t have to be, before it is likely that only one value ofthe key could have encrypted the texts?
t1 =log2(|K|)log2(|P|)
t1 = mint : s.t. essentially only one value of the key could haveencrypted m1 to c1, m2 to c2, . . . , mt to ct
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Shannon’s Principles
Definition (Confusion)
The ciphertext statistics should depend on the plaintext statisticsin a manner too complicated to be exploited by the cryptanalyst
Definition (Diffusion)
Each digit of the plaintext and each digit of the secret key shouldinfluence many digits of the ciphertext
Substitutions (confusion)
Permutations (diffusion)
Product = Substitution × Permutation
Most popular symmetric ciphers are product ciphers
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Shannon’s Thoughts
Question
How can we be sure an attacker will require a large amount of workto break a non-perfect system with every method???
Hard to achieve! But we can at least
Thoughts/ideas
1 make it secure against all known attacks, and/or
2 make it reducible to some known difficult problem
1 is what is done today in symmetric cryptography
2 is what is done today in public-key cryptography
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
From classical crypto to modern crypto
looking back..
(almost) all ciphers before 1920s very weak
1920s, rotor machines, mechanical crypto
Enigma, Germany
Sigaba, USA
Typex, UK
1949, Shannon’s work
1970s, computers take over from rotor machines
ciphers operate on long sequence of bits (bytes)
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Symmetric encryption today - two types
Block cipher
Operate on from 8 to 16 bytes typically
No or small internal state
Stream cipher
Operate on from 1 bit to 4 bytes typically
Internal state, can be big?
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Block ciphers
Input block m, output block c , key k
e c
k
m - -
?
e : {0, 1}n × {0, 1}κ → {0, 1}n
given k easy to encrypt and decrypt
given m, c hard to compute k , such that ek(m) = c
one-way function: f (k) = ek(m0) for fixed m0
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Block ciphers
Applications
block encryption (symmetric)
stream ciphers
message authentication codes
building block in hash functions
one-way functions
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Block ciphers
Block cipher, n-bit blocks, κ-bit key
Family of 2κ n-bit bijections
How many n-bit bijections are there?
2n! ' (2n−1)2n
Design dream/aim
2κ bijections chosen uniformly at random from all 2n! bijections
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Famous block ciphers
block size, n key size, κ year
DES 64 56 1977Kasumi 64 128 1999AES 128 128, 192, 256 2000Present 64 80, 128 2007
Ciphers pick only a tiny fraction of all possible n-bit bijections
Unicity distance, known-plaintext attack?
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Iterated block ciphers (DES, AES, . . . )
m −→k1↓g −→
k2↓g −→
k3↓g −→ · · · · · · −→
kr↓g −→ c
plaintext m, ciphertext c , key k
key-schedule: user-selected key k → k0, . . . , kr
round function, g , weak by itself
idea: g r , strong for “large” r
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
DES
Data Encryption Standard
blocks: 64 bits, keys: 56 bits
iterated cipher, 16 rounds
developed in early 70’s by IBM using 17 man years
evaluation by National Security Agency (US)
1977: publication of FIPS 46 (DES)
1991: differential cryptanalysis, 247 chosen plaintexts
1993: linear cryptanalysis, 245 known plaintexts
1999: world-wide effort to find one DES-key: 22 hours
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
AES
Advanced Encryption Standard
blocks: 128 bits
keys: choice of 128-bit, 192-bit, and 256-bit keys
iterated cipher, 10, 12 or 14 iterations depending on key
FIPS (US governmental) encryption standard
open (world) competition announced January 97
October 2000: AES=Rijndael
Attacks on reduced-round versions of AES, up to 7 rounds(128 bits), (8 rounds (192 and 256 bits)
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Cryptanalysis
Assumption
Assume cryptanalyst has access to black-box implementing thecipher with secret key k
Aims of cryptanalyst
find key k, or
find (m, c) such that ek(m) = c for unknown k , or
show non-random behaviour of the cipher
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Generic attacks. Block size n, key size κ
Exhaustive key search
try all keys, one by one
dκ/ne texts, time 2κ, storage small
Table attack
store ek(m0) for all k
storage 2κ, time (of attack) small
Trade-offs
Hellman tradeoff, 22κ/3 time, 22κ/3 memory
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Generic attacks (continued)
Dictionary and birthday attacks on block ciphers
known plaintexts: Collect pairs (m, c)
ciphertext-only: Collect ciphertexts, look for matches ci = cj .
Example (CBC mode)
1 Collect 2n/2 ciphertext blocks
2 With 2 equal ciphertext blocksci = cj ⇒ ek(mi ⊕ ci−1) = ek(mj ⊕ cj−1)⇒ mi ⊕mj = ci−1 ⊕ cj−1
(similar attacks for ECB and CFB)
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Short-cut attacks
Success dependent on intrinsic properties of e(·)
Differential cryptanalysis
Linear cryptanalysis
Higher-order differentials. Truncated differentials. Boomerangattack. Rectangle attack
Integral attack. Related key attack. Interpolation attack
Multiple linear cryptanalysis. Zero-correlation attack
Side-channel cryptanalysis
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
The Block Cipher Companion
By Lars R. Knudsen and Matt Robshaw.
Available online for free via Springer,hard copies also available from Springer, Amazon etc.
L.R. Knudsen Introduction to Design and Cryptanalysis of Block Ciphers
Advanced Encryption Standard
Lars R. Knudsen
October 2015
L.R. Knudsen Advanced Encryption Standard
AES - Advanced Encryption Standard
US governmental encryption standard
Open (world) competition announced January 97
Blocks: 128 bits
Keys: choice of 128-bit, 192-bit, and 256-bit keys
October 2000: AES=Rijndael
Standard: FIPS 197, November 2001
L.R. Knudsen Advanced Encryption Standard
AES=Rijndael
Designed by Joan Daemen and Vincent Rijmen
Simple design, byte-oriented
Operations: XOR and table lookup
S-box, substitutes a byte by a byte
Rounds 10 12 14
Key size 128 192 256
Focus on 128-bit key version with 10 iterations
L.R. Knudsen Advanced Encryption Standard
Multiplication in GF(256) - AES
In AES the finite field GF (28) is determined by irreduciblepolynomial
m(x) = x8 + x4 + x3 + x + 1
Elements of GF (28) are all polynomials of degree less thaneight and with coefficients in GF (2)
1-to-1 correspondence between 8-bit vectors and elements inGF (28):
finite field element p(x) =∑7
i=0 bixi .
8-bit vector v = (b7, b6, b5, b4, b3, b2, b1, b0)
L.R. Knudsen Advanced Encryption Standard
Multiplication in GF(256) (cont.)
Compute p(x) times q(x), where p(x) =∑7
i=0 bixi ,
q(x) =∑7
i=0 cixi :
Do straightforward multiplication of polynomials p(x) · q(x);
Reduce result modulo m(x).
Example
Compute x6 + x4 + x2 + x + 1 times x7 + x + 1(x6 + x4 + x2 + x + 1)(x7 + x + 1) =x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1
x13+x11+x9+x8+x6+x5+x4+x3+1 mod x8+x4+x3+x+1 =x7 + x6 + 1
Alternative representation: 57x × 83x = c1x (hex notation)
L.R. Knudsen Advanced Encryption Standard
Multiplication by x in GF(256)
Find the product r(x) of p(x) =∑7
i=0 bixi and x in GF (28):
Compute p(x) · x =∑7
i=0 bixi+1
If b7 = 0, r(x) = p(x) · xIf b7 = 1, r(x) = p(x) · x mod m(x) = p(x) · x + m(x)
Example
(x7 + x6 + x5 + x4 + x2) × x = x8 + x7 + x6 + x5 + x3
reduce modulo m(x) = x8 + x4 + x3 + x + 1
result is x7 + x6 + x5 + x4 + x + 1
Hex notation: f 4x × 02x = f 3x
L.R. Knudsen Advanced Encryption Standard
Multiplication by x+1 in GF(256)
Find the product r(x) of p(x) =∑7
i=0 bixi and x + 1 in GF (28):
Compute (p(x) · x) + p(x) =∑7
i=0 bi (xi + x i+1)
If b7 = 0, r(x) = p(x) · x + p(x)If b7 = 1,r(x) = (p(x) · x) + p(x) mod m(x) = p(x) · x + p(x) + m(x)
Example
(x7 + x6 + x5 + x4 + x2) × (x + 1) = x8 + x4 + x3 + x2
reduce modulo m(x) = x8 + x4 + x3 + x + 1
result is x2 + x + 1
Hex notation: f 4x × 03x = 07x
L.R. Knudsen Advanced Encryption Standard
AES - iterated cipher, key schedule
Input: user selected key of 128 bits
Output: 11 round keys k0, k1, k2, . . . , k10
p = c0 plaintext
ci = F (ki , ci−1)
c10 ciphertext
Details of key-schedule are self-study
L.R. Knudsen Advanced Encryption Standard
AES round tranformation
Arrange the 16 input bytes in a 4× 4 matrix
Subfunctions1 SubBytes (byte substitution via S-box)
2 ShiftRows
3 MixColumns
4 AddRoundKey
L.R. Knudsen Advanced Encryption Standard
SubBytes
a0,0
a1,0
a2,0
a3,0
a0,1
a1,1
a2,1
a3,1
a0,2
a1,2
a2,2
a3,2
a0,3
a1,3
a2,3
a3,3
b0,0
b1,0
b2,0
b3,0
b0,1
b1,1
b2,1
b3,1
b0,2
b1,2
b2,2
b3,2
b0,3
b1,3
b2,3
b3,3
S-
S-boxS is the S-box (invertible)One S-box for the whole cipher (simplicity)
L.R. Knudsen Advanced Encryption Standard
ShiftRows
a
e
i
m
b
f
j
n
c
g
k
o
d
h
l
p
a
f
k
p
b
g
l
m
c
h
i
n
d
e
j
o
-
-
-
Rows shifted over different offsets: 0,1,2, and 3
L.R. Knudsen Advanced Encryption Standard
MixColumns
a0,0
a1,0
a2,0
a3,0
a0,1
a1,1
a2,1
a3,1
a0,2
a1,2
a2,2
a3,2
a0,3
a1,3
a2,3
a3,3
b0,0
b1,0
b2,0
b3,0
b0,1
b1,1
b2,1
b3,1
b0,2
b1,2
b2,2
b3,2
b0,3
b1,3
b2,3
b3,3
mix four bytes-
Each of four bi ,j in a column depends on all four ai ,j from samecolumn
L.R. Knudsen Advanced Encryption Standard
AddRoundKey (bit-wise XOR)
a0,0
a1,0
a2,0
a3,0
a0,1
a1,1
a2,1
a3,1
a0,2
a1,2
a2,2
a3,2
a0,3
a1,3
a2,3
a3,3
⊕
k0,0
k1,0
k2,0
k3,0
k0,1
k1,1
k2,1
k3,1
k0,2
k1,2
k2,2
k3,2
k0,3
k1,3
k2,3
k3,3
=
b0,0
b1,0
b2,0
b3,0
b0,1
b1,1
b2,1
b3,1
b0,2
b1,2
b2,2
b3,2
b0,3
b1,3
b2,3
b3,3
bi ,j = ai ,j ⊕ ki ,j
L.R. Knudsen Advanced Encryption Standard
AES - 10-round version
Arrange the 16 input bytes in a 4× 4 matrix
AddRoundKey
Do nine timesSubBytes (byte substitution via S-box)
ShiftRows
MixColumns
AddRoundKey
SubBytes
ShiftRows
AddRoundKey
L.R. Knudsen Advanced Encryption Standard
SubBytes
Input a, output b, both bytes
Let f (x) = x−1 in GF (28)/{0} and f (0) = 0
Then b = A(f (a)), where A is affine mapping over GF (2).With t = f (a) = (t7, t6, . . . , t1, t0) output is:
1 0 0 0 1 1 1 11 1 0 0 0 1 1 11 1 1 0 0 0 1 11 1 1 1 0 0 0 11 1 1 1 1 0 0 00 1 1 1 1 1 0 00 0 1 1 1 1 1 00 0 0 1 1 1 1 1
t0t1t2t3t4t5t6t7
⊕
11000110
L.R. Knudsen Advanced Encryption Standard
MixColumns
a0,0
a1,0
a2,0
a3,0
a0,1
a1,1
a2,1
a3,1
a0,2
a1,2
a2,2
a3,2
a0,3
a1,3
a2,3
a3,3
b0,0
b1,0
b2,0
b3,0
b0,1
b1,1
b2,1
b3,1
b0,2
b1,2
b2,2
b3,2
b0,3
b1,3
b2,3
b3,3
2 3 1 11 2 3 11 1 2 33 1 1 2
×-
Bytes in columns are combined linearly
b0,2 = {2} × a0,2 + {3} × a1,2 + {1} × a2,2 + {1} × a3,2
Multiplication is over GF(28)
L.R. Knudsen Advanced Encryption Standard
Diffusion in AES
♠ ♠♠♠♠♠
ShiftRows-
MixCol.-
♠
♠♠♠
♠♠♠♠
♠♠♠♠
♠♠♠♠
♠♠♠♠
ShiftRows-
MixCol.-
L.R. Knudsen Advanced Encryption Standard
Differential characteristics and active S-boxes
Consider SP-networks like AES, where a round consists ofkey additionS-box layerlinear layer (linear mapping)
DefinitionIn a differential characteristic an S-box is active if the inputs to theS-box are assumed to be different.
Fact (or assumption)
The transition of differencesis deterministic through the key additions and linear layers.
is non-deterministic through the S-box layers.
L.R. Knudsen Advanced Encryption Standard
Differential characteristics and active S-boxes (2)
Max probabilityLet pmax be the maximum probability for a non-trivial characteristicfor the S-boxes.
Active S-boxesLet d be the minimum number of active S-boxes in an r -roundcharacteristic.
Bound
Then pdmax is an upper bound of any r -round characteristic.
L.R. Knudsen Advanced Encryption Standard
AES and Wide-Trail
The AES design uses the wide-trail strategy:
TheoremAny differential/linear characteristic over 4 rounds of AES has atleast 25 active Sboxes.
AES has 10 (or more) roundsTogether with the good Sbox: More than enough.
L.R. Knudsen Advanced Encryption Standard
2 Rounds
S
S
S
S
S
S
S
S
Linear Layer L
AimGive a bound on the number of active Sboxes in a differentialcharacteristic.
We assume S and L are bijective.L linear, so L(x ⊕ y) = L(x)⊕ L(y).No further assumptions on S
L.R. Knudsen Advanced Encryption Standard
2 Rounds
S
S
S
S
S
S
S
S
Linear Layer L
AimGive an lower bound on the number of active Sboxes in adifferential characteristic.
Trivial bounds:Lower Bound for the lower bound: 2Upper Bound for the lower bound: #sboxes + 1 (here 5).
L.R. Knudsen Advanced Encryption Standard
2 Rounds
Picture with differences:
S
S
α0
β0
γ0
S
S
α1
β1
γ1
S
S
α2
β2
γ2
S
S
α3
β3
γ3
Linear Layer L
∆ = α
∆ = β
∆ = γ
γ = L(β)
# active Sboxes is
|{i | αi 6= 0}|+ |{j | γj 6= 0}| = |{i | βi 6= 0}|+ |{j | γj 6= 0}|
L.R. Knudsen Advanced Encryption Standard
Trivial lower bound on 2 rounds
S
S
α0
β0
γ0
S
S
α1
β1
γ1
S
S
α2
β2
γ2
S
S
α3
β3
γ3
Linear Layer L
∆ = α
∆ = β
∆ = γ
Lower bound: 2α 6= 0 (at least one αi 6= 0).⇒ β 6= 0 (at least one βi 6= 0). (Sbox bijective)⇒ γ 6= 0 (at least one γi 6= 0). (L is bijective)⇒ |{i | αi 6= 0}|+ |{j | γj 6= 0}| ≥ 1 + 1 = 2
L.R. Knudsen Advanced Encryption Standard
Trivial upper bound on 2 rounds
S
S
α0
β0
γ0
S
S
α1
β1
γ1
S
S
α2
β2
γ2
S
S
α3
β3
γ3
Linear Layer L
∆ = α
∆ = β
∆ = γ
Upper bound on the lower bound: #sboxes + 1 (here 5).
|{i | αi 6= 0}|+ |{j | γj 6= 0}| ≤ 1 + 4 = 5
DefinitionThe branch number of a linear transformation L is the minimumnumber of active words (Sboxes) in the inputs and outputs of L.
L.R. Knudsen Advanced Encryption Standard
AES MixColumns - branch number
MixColumns: multiplication of a (4× 1) GF(28)-column vector bya (4× 4) GF(28)-matrix M given by
M =
02 03 01 0101 02 03 0101 01 02 0303 01 01 02
.
M derived from MDS code over GF (28) with parameters [8, 4, 5].
FactThe branch number of MixColumns is five.
L.R. Knudsen Advanced Encryption Standard
4 rounds of AES - the super box
S S S S
L1-layer
S S S S
S S S S
L1-layer
S S S S
S S S S
L1-layer
S S S S
S S S S
L1-layer
S S S S
L2-Layer
S S S S
L1-layer
S S S S
S S S S
L1-layer
S S S S
S S S S
L1-layer
S S S S
S S S S
L1-layer
S S S S
L.R. Knudsen Advanced Encryption Standard
4 rounds of AES
Choose L1 to ensure b1 sboxes in each Super-BoxChoose L2 to ensure b2 active Super-Boxes
Concatenation of CodesEach characteristic over 4 rounds has at least b1 · b2 active Sboxes.
For AES: b1 = b2 = 5 thus 25 active Sboxes over 4 rounds.
L.R. Knudsen Advanced Encryption Standard
Bounds of probabilities of characteristics of the AES
25 active Sboxes over 4 rounds.S-box is differentially 4-uniform, so maximum probability ofcharacteristic is
4/28 = 2−6.
maximum probability for characteristic over 4 rounds is 2−150.maximum probability for characteristic over 8 rounds is 2−300.
L.R. Knudsen Advanced Encryption Standard
Integral cryptanalysis or the Square attack
Lars R. Knudsen
October 2015
L.R. Knudsen Integral cryptanalysis or the Square attack
Integral cryptanalysis
(G ,+) finite abelian group, order k
S a set of vectors in G × G × · · · × G
An integral over S : ∑v∈S
v
where summation is defined by ’+’
Typically, a vector element is a plaintext/ciphertext word anda vector represents a plaintext or ciphertext
L.R. Knudsen Integral cryptanalysis or the Square attack
Integrals, cont.
Let v(i) = (v0(i), v1(i), . . . , vn−1(i)) ∈ Gn
Let S a set of vectors {v(i)}
Three distinct cases where cj and s are some known values
Case Notation
vj(i) = cj for all v(i) ∈ S C “constant”
{vj(i) | v(i) ∈ S} = G A “all”∑v(i)∈S vj(i) = s S sum is known
In most (all?) cases the integral over S can be determined
L.R. Knudsen Integral cryptanalysis or the Square attack
Useful facts
Theorem
(G ,+) finite abelian additive group, let H = {g ∈ G | g + g = 0}.Then s(G ) =
∑g∈G g =
∑h∈H h .
Example
G = Z/mZ , even m: s(G ) = m/2, odd m: s(G ) = 0.G = GF (2s): s(G ) = 0.
Theorem
(G , ∗) finite abelian multiplicative group, letH = {g ∈ G | g ∗ g = 1}. Then p(G ) =
∏g∈G g =
∏h∈H h .
Example
For G = Z/pZ for p prime: p(G ) = p − 1.
L.R. Knudsen Integral cryptanalysis or the Square attack
AES - (first-order) 3-round integral, 256 texts
A C C C
C C C C
C C C C
C C C C
−→
A C C C
A C C C
A C C C
A C C C
−→
A A A A
A A A A
A A A A
A A A A
−→
S S S S
S S S S
S S S S
S S S S
Here S = 0
L.R. Knudsen Integral cryptanalysis or the Square attack
Attack on AES reduced to four rounds
Use three-round integrals with 28 texts
Compute backwards from ciphertexts “to S” guessing onebyte of last-round key
Repeat for all sixteen bytes in last-round key
Running time is approximately that of c × 16× 28 encryptionsfor small c > 1
L.R. Knudsen Integral cryptanalysis or the Square attack
Attack on AES reduced to five rounds
One byte after i rounds of encryption, affects only 4 bytesafter i + 1 rounds of encryption
Use three-round fourth-order integral with 28 texts
Compute backwards from ciphertexts “to S” guessing fourbytes in last-round key and one byte of second-to-last roundkey
Repeat for all sets of four bytes in last-round key
Running time is approximately that of c2 × 4× 240
encryptions for c2 small
L.R. Knudsen Integral cryptanalysis or the Square attack
Higher Order Integrals
Sets of vectors S̃ = S1 ∪ · · · ∪ Ss where each Si forms an integral
If integral over each Si is known, the integral over S̃ known
Suppose a word can take m values
a first-order integral:a set of m vectors different in only in one word
a dth-order integral:a set of md vectors different in d components, s.t. each of md
possible values for the d-tuple occurs exactly once
Notation: Ad
L.R. Knudsen Integral cryptanalysis or the Square attack
AES: four-round fourth-order integral
A4 C C C
C A4 C C
C C A4 C
C C C A4
−→
A4 C C C
A4 C C C
A4 C C C
A4 C C C
−→
A4 A4 A4 A4
A4 A4 A4 A4
A4 A4 A4 A4
A4 A4 A4 A4
−→A4 A4 A4 A4
A4 A4 A4 A4
A4 A4 A4 A4
A4 A4 A4 A4
−→
S S S S
S S S S
S S S S
S S S S
L.R. Knudsen Integral cryptanalysis or the Square attack
Attack on AES reduced to six rounds
Use four-round fourth-order integral with 232 texts
Compute backwards from ciphertexts guessing 5 bytes ofsecret key
Running time is approximately that of 242 encryptions
L.R. Knudsen Integral cryptanalysis or the Square attack
Higher order differentials
Higher Order Differentials
Lars R. Knudsen
October 2015
Lars R. Knudsen Higher Order Differentials
Higher order differentials
Outline
1 Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Higher order differentials (Lai)
1st-order differentialthe conventional differential where
f (x)⊕ f (x ⊕ α)
where α 6= 0 is well-chosen value.
2nd-order differentialinvolves tuple of 4 texts and difference
f (x)⊕ f (x ⊕ α)⊕ f (x ⊕ β)⊕ f (x ⊕ α⊕ β)
where α, β are distinct, non-zero values.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Higher order differentials
Consider difference α 6= 0 through f .
DefinitionThe (first-order) derivative of f at point α:
∆αf (x) = f (x ⊕ α)⊕ f (x).
Definitiond th order derivative of f at point α1, . . . , αd is defined
∆α1,...,αd f (x) = ∆αd (∆α1,...,αd−1 f (x)).
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Higher order differentials
Consider functions over GF (2).
A d th order derivative involves 2d function values of f .
The points (α1, . . . , αd ) must be linearly independent whenviewed as bit-vectors.
The arguments to f form a d th dimensional subspace.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Algebraic degree
Let f : {0,1}3 → {0,1} be a Boolean function, s.t.,
f (x) = f (x2, x1, x0) = x2x1x0 + x0 + 1.
The algebraic degree of f is three.
Let g : {0,1}3 → {0,1} be a Boolean function, s.t.,
g(x2, x1, x0) = x2x1 + x0x2 + x2 + x1 + 1.
The algebraic degree of g is two.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Algebraic degree and higher order differentials
Let f : {0,1}3 → {0,1} be function, s.t.,
f (x2, x1, x0) = x2x1x0 + x0 + 1.
Algebraic degree of f is three.
Consider the first order derivative at the point 1 = (0,0,1)
∆1f (x) = x2x1 + 1.
The algebraic degree of ∆1f (x) is two.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Algebraic degree and higher order differentials
Consider the second order derivative of f
∆1,2f (x) = x2.
The algebraic degree of ∆1,2f (x) is one.
Consider the third order derivative of f
∆1,2,4f (x) = 1.
The algebraic degree of ∆1,2,4f (x) is zero.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Algebraic degree and higher order differentials
FactLet f be a Boolean function of algebraic degree d.The algebraic degree of a dth order derivative of f is zero.
ExtensionLet h : {0,1}n → {0,1}m be function. h can be described asconcatenation of m Boolean functions hi : {0,1}n → {0,1}. Thehis are called coordinate functions of h.
DefinitionLet h : {0,1}n → {0,1}m be function. The algebraic degree of his maximum algebraic degree of the coordination functions hi .
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Algebraic degree and higher order differentials
DefinitionLet h : {0,1}n → {0,1}m be function. The algebraic degree of his maximum algebraic degree of the coordination functions hi .
FactLet h be a function of algebraic degree d.The algebraic degree of a dth order derivative of h is zero.
FactLet h be a function of algebraic degree d.The value of a (d + 1)st order derivative of h is zero.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Higher order differential attack
Consider the iterated cipher
m −→
k0↓g −→
k1↓g −→
k2↓g −→
k3↓g −→ x −→
k4↓g −→ c
Assume algebraic degree of g is two.Algebraic degree of x (as a function of m) is a most 16.Specify 17th order differential.Guess k4, compute backwards, check if value is zero.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - 2nd order differential (Wagner)
assume encryption process ENCk (m) can be written
m −→
k1↓
E1 −→ x −→
kA↓
Ak −→ y −→
k2↓
E2 −→ c
where Ak is key-dependent affine transformation
suppose there exist differentials of probs p1 and p2
αENC1−−−−→ β and β
DEC1−−−−→ α
suppose there is differential of prob q: γDEC2−−−−→ φ
combine to boomerang of probability p1p2q2
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Boomerang attack - a 2nd order differential
m −→ E1 −→ x1 −→ Ak −→ y1 −→ E2 −→ c
m3 ←− E1 ←− x3 ←− Ak ←− y3 ←− E2 ←− c ⊕ γ
m ⊕ α −→ E1 −→ x2 −→ Ak −→ y2 −→ E2 −→ c2
m4 ←− E1 ←− x4 ←− Ak ←− y4 ←− E2 ←− c2 ⊕ γ
if∑
yi = 0 then∑
xi = 0
if boomerang holds then m3 ⊕m4 = α
four half-cipher differentials, boomerang probability p1p2q2
note that we pass through Ak “for free”.
Lars R. Knudsen Higher Order Differentials
Higher order differentialsAlgebraic degreeAlgebraic degree and higher order differentialsBoomerang attack
Concluding remarks
modern block ciphers introduced with DES and later AES
differential and linear cryptanalysis started new era
many advanced attacks on block ciphers today
many interesting designs, many unbroken proposals
good understanding of block cipher security
latest trend: lightweight block ciphers
Lars R. Knudsen Higher Order Differentials