Some integral properties of Rijndael. Marine Minier, CITI Laboratory, INSA de Lyon. Guideline: description of the AES and of its little brothers; integral properties of the AES; integral properties of the different Rijndael versions; deduced distinguishers with unknown keys and with known keys.
Workshop MITACS - June 2009 1
Some integral properties of Rijndael
Marine Minier, CITI Laboratory, INSA de Lyon

Guideline
• Description of the AES and of its little brothers
• Integral properties of the AES
• Integral properties of the different Rijndael versions
• Deduced distinguishers
  • With unknown keys
  • With known keys
• LANE
• Conclusion

The AES and its brothers

AES and Rijndael (1/3)
• Rijndael, created by J. Daemen and V. Rijmen: AES, the new standard.
• Iterative block ciphers with a parallel structure.
• Block sizes: 128, 160, 192, 224 or 256 bits.
• Key sizes: 128, 192 or 256 bits.
• The number of rounds varies between 10 and 14 according to the block size and the key size.
[Figure: cipher structure. Plaintexts (128, 160, 192, 224 or 256 bits; byte matrix 4x4, 5x4, 6x4, 7x4 or 8x4) -> initial Key Addition (K0) -> round 1: Byte Sub, Shift Row, Mix Column, Key Addition (K1) -> ... -> round 9, 11 or 13: Byte Sub, Shift Row, Mix Column, Key Addition (K9) -> last round: Byte Sub, Shift Row, Key Addition (K10) -> ciphertexts (128, 160, 192, 224 or 256 bits; byte matrix 4x4, 5x4, 6x4, 7x4 or 8x4).]

The AES (2/3): Round function (1/2)

Byte Substitution (8x8 S-box S): each byte aij of the state is replaced by S(aij).

Shift Row (rows 1, 2 and 3 are rotated by 1, 2 and 3 positions):

a00 a01 a02 a03      a00 a01 a02 a03
a10 a11 a12 a13  ->  a13 a10 a11 a12
a20 a21 a22 a23      a22 a23 a20 a21
a30 a31 a32 a33      a31 a32 a33 a30

The AES (3/3): Round function (2/2)

Mix Column: each column (a0j, a1j, a2j, a3j) of the state is multiplied by the matrix

02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02

to give the column (b0j, b1j, b2j, b3j).

Key Addition: the round key Ki (128 bits) is added to the state (aij) to give (bij).

Rijndael: main differences
• Changes: number of rounds, ShiftRows
• AES (4 col.), Rijndael-160 (5 col.), Rijndael-192 (6 col.), Rijndael-224 (7 col.), Rijndael-256 (8 col.)

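General principle of cryptanalysis
[Figure: an iterated cipher with round function f and round keys up to Kr, split into initial rounds, intermediate rounds and final rounds. The input X [n bits] and the key part KX give the intermediate state x' [n bits]; the output Y and the key part KY give the intermediate state y' [n bits]; a relation R(x', y') links them, with x' = (X, KX) and y' = (Y, KY).]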
Distinguisher A: find a relation R(x', y') on intermediate states that holds with a probability p as far as possible from the uniform probability p*:
Pr[A] = Adv(A) = |p - p*|
Test over the keys (KX, KY)

Integral properties

Integral property of the AES (1/2)
• Byte y = 0…255
• Other bytes = constants
[Figure: three rounds, each made of SubBytes, ShiftRows, MixColumns and AddRoundKey, applied to the states labelled y, z (bytes z0, z1, z2, z3) and s, with S(y) and S(z0), S(z1), S(z2), S(z3) the S-box outputs.]
Property after the third round: $\bigoplus_{y=0}^{255} s(y) = 0$
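
The three-round property above can be checked directly. The following Python sketch is an added example, not part of the original slides: it generates the AES S-box, applies full rounds (SubBytes, ShiftRows, MixColumns, AddRoundKey) in the standard AES byte ordering and XORs the 256 resulting states. The function names, the random constants and the independent random round keys are assumptions made for the example; the property does not depend on the key schedule.

```python
import random

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def build_sbox():
    """Generate the AES S-box: field inverse followed by the affine map."""
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p, q = gmul(p, 3), gmul(q, 0xF6)      # q stays the inverse of p (0xF6 = 1/3)
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = build_sbox()

def aes_round(state, key):
    """One full round on a column-major 16-byte state (index = 4*col + row)."""
    s = [SBOX[x] for x in state]                                          # SubBytes
    s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]    # ShiftRows
    m = []
    for c in range(4):                                                    # MixColumns
        col = s[4 * c:4 * c + 4]
        m += [gmul(col[r], 2) ^ gmul(col[(r + 1) % 4], 3)
              ^ col[(r + 2) % 4] ^ col[(r + 3) % 4] for r in range(4)]
    return [x ^ k for x, k in zip(m, key)]                                # AddRoundKey

def integral_sum(rounds, seed=2009):
    """XOR of the 16 state bytes over the 256 texts where byte 0 is y = 0..255."""
    rng = random.Random(seed)                 # constructed sample constants and keys
    const = [rng.randrange(256) for _ in range(16)]
    keys = [[rng.randrange(256) for _ in range(16)] for _ in range(rounds + 1)]
    total = [0] * 16
    for y in range(256):
        state = [x ^ k for x, k in zip([y] + const[1:], keys[0])]  # initial key addition
        for key in keys[1:]:
            state = aes_round(state, key)
        total = [t ^ x for t, x in zip(total, state)]
    return total

if __name__ == "__main__":
    print({n: integral_sum(n) for n in (3, 4)})  # all zero after 3 rounds, not after 4
```

With only 256 texts the sums stop being zero after a fourth round, which is why the longer distinguishers on the following slides saturate more bytes or guess key bytes.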

Integral property of the AES (2/2)
[Figure: 2^32 plaintexts; 4 key bytes; three rounds as before; 4 key bytes; last round without MixColumn; 2^32 ciphertexts.]
• On 6 rounds:
• For each 9 bytes of keys:
• Test if: $\bigoplus_{y=0}^{255} s(y) \stackrel{?}{=} 0$
  Good keys pass the test.
• Take care of false alarms.

Complexity of integral attacks
• Improvement by Ferguson: sum over the 2^32 values
• => Complexity for 6 rounds:
  Number of plaintexts = 6 * 2^32
  Complexity = 2^46 using partial sum techniques
• For 7 rounds:
  Number of plaintexts = 2^128 - 2^119 (with the herd technique)
  Complexity = 2^120 cipher operations

For Rijndael
• The same kind of properties
• But, due to the slower diffusion => more rounds and better extensions

Rijndael-256: first remark
[Figure: one round (SubBytes, ShiftRows, MixColumns, AddKey) of Rijndael-256 applied to a state with bytes y and z0, z1, z2, z3; further labels a0, a1, a2, a3 and b0, b1, b2, b3.]
Note: SR: 1, 2, 4
Nb rounds: 14 (min)

Rijndael 256: integral property
Distinguisher on 4 rounds:
• Saturation on 3 bytes
• => Complexity: 2^24 ciphers
[Figure: states after the first, second, third and fourth rounds, with bytes y, n, p and z0, z1, z2, z3, and columns marked 0.]

Rijndael 224: integral property
Distinguisher on 4 rounds:
• Saturation on 2 bytes
• => Complexity: 2^16 ciphers
[Figure: states after the first, second, third and fourth rounds, with bytes y, p and z0, z1, z2, z3, and a column marked 0.]

Rijndael 192: integral property (1)
Distinguisher on 4 rounds:
• Saturation of 2 bytes
• => Complexity: 2^16 ciphers
[Figure: state with bytes y, p and z0, z1, z2, z3, and positions marked =1, =1, =2, =2.]

Rijndael 192: integral property
Distinguisher on 4 rounds:
• Saturation on 3 bytes
• => Complexity: 2^24 ciphers
[Figure: state with bytes y, n, p and z0, z1, z2, z3, positions marked =1, =1, =2, =2, and columns marked 0.]

Rijndael 160: integral property
Distinguisher on 4 rounds:
• Saturation on 3 bytes
• => Complexity: 2^24 ciphers
[Figure: state with bytes y, n, p and z0, z1, z2, z3, positions marked =1, =1, =2, =2, and a column marked 0.]

Unknown keys Distinguishers

Extension of 2 rounds at the end
[Ferguson et al. 00]: partial sums s directly deduced from c_{i,j}
For each ciphertext c, we associate the partial sum:
Useto sequentially determine kk
=> Split the key search into 4 steps

Extension at the beginning: 2 methods
[Ferguson et al. 00]: one initial round
=> attack on 5 rounds with 2^32 plaintexts

The herd technique
One more round at the beginning:
• Naively, 2^128 plaintexts (work, cf. Nakahara et al.)
• Fix a particular byte x => a herd: set of 2^120 ciphertexts of 2^88 structures
• Test on a single herd.
• x depends on (p4,…,p7) and on 4 bytes of K0
1. Using 2^64 counters m_y
2. 2^32 counters n_z
3. Filter information on the key guess

Combine those extensions: attack over 2+4+2 = 8 rounds (for Rijndael-256)
1. Increment the 64 bits (c0,…,c3,p4,…,p7).
2. Guess the 4 bytes of K0, compute x, separate counters into herds.
3. Choose a single herd, update n_z by adding (c0,…,c3) for each correct y.
4. Guess the 5 bytes of K7 and of K6 of the two last rounds to decipher each z on one byte. Sum this value over the 2^32 values of z and look at the 0s.
5. Repeat this point for each value of the K0 bytes.
=> The 4 bytes (p4,…,p7) and the 4 bytes of K0 give 4 bytes => 2^24 smaller herds => reduce the exhaustive search to 2^128 - 2^119 plaintexts.

Complexity and attacks on 9 rounds
Total cost:
• 2^128 - 2^119 plaintexts
• 2^120 cipher operations
=> Add one round at the end using a complete exhaustive search on the subkey K9

Summary of the attacks
Known Keys Distinguishers
[Knudsen – Rijmen 07]: notion of known-key distinguisher
• Principle: create a distinguisher beginning at the middle of the cipher
• Then, determine a particular property linking plaintexts and ciphertexts
• Comparison with the complexity required to find such a structure for a random permutation
• Interest: create distinguishers when block ciphers are used as hash functions

Theoretical model [Africacrypt 09]
• Advantage of distinguishers [Vaudenay 97]: Adv_E(A)
• Two more cases: non-adaptive, adaptive

Case of an adaptive SPRP distinguisher

Case of a non-adaptive known-key distinguisher

Case study: the AES [Knu-Rij 07]
[Figure: integral property of the AES in the forward sense and in the backward sense; every byte of both resulting states is marked "=0".]

KK distinguisher for the AES
[Figure: 3 rounds in the backward sense and 4 rounds in the forward sense; every byte of both end states is marked "=0".]
• KK distinguisher on 7 rounds: 3 in backward, 4 in forward
• Requires 2^56 middletexts and 2^56 cipher operations
• For a random permutation => k-sum problem, complexity: 2^58 operations
=> KK distinguisher for the AES

KK distinguisher for Rijndael
• Same kind of properties in the backward sense
• Summary of the KK distinguishers for Rijndael [Africacrypt 2009]:

A last idea…
LANE: SHA-3 hash function
• Hi = h0 || h1 = 256 bits
• Mi = m0 || m1 || m2 || m3 = 512 bits
• Pi = 6 modified AES rounds
• Qi = 3 modified AES rounds

the Pi inputs
Pis and Qis (LANE 256)
• The same operations as those of the AES: SubBytes, ShiftRows, MixColumns, KeyAdd (with constants)
• Two more: AddConstants and SwapColumns

Integral properties of LANE-256
4 rounds + extension at the beginning:
[Figure: LANE-256 states with bytes y and p and the remaining positions marked 0.]

Integral property of LANE-256, backward sense
Integral property on 3 rounds + extension at the beginning:
[Figure: LANE-256 states with bytes y and p and the remaining positions marked 0.]

Combine the two properties
Distinguisher in 2^112 on the right part of LANE-256
[Figure: 3 rounds and 5 rounds, with state positions marked 0.]
• 5 rounds: seen as 2^48 sets of 2^64 as we want
• 4 rounds: seen as 2^16 sets of 2^96 values as we want

Why only one half?
If h0 = h1 = m2 = m3 = constant:
• W0 = m0 + m1 || m0
• W1 = m0 || m1
• W2 = m0 + m1 || m0
• W3 = 0 || 0
• W4 = m0 || m1
• W5 = 0 || 0
Then: over 2^112 messages, a certain number of sums is equal to 0.
[Figure: LANE structure with the corresponding outputs marked "sum = 0".]

Conclusion
• Integral properties of Rijndael were not well studied
  • Unknown Keys Distinguishers
  • Known Keys Distinguishers
• The last model is really useful to create distinguishers for the SHA-3 competition (cf. LANE)