Application of cube attack to block and stream ciphers

Application of cube attack to block and stream ciphers Janusz Szmidt joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute Poland 23 czerwca 2009

1. Papers ItaiDinurandAdiShamir,CubeAttackson Tweakable Black Box Polynomials, Eurocrypt, 2009. S.S.BediandR.Pillai,CubeattacksonTrivium, IACR Cryptology eprint Archive, 2009/15. J-P. Aumasson, W. Meier, I. Dinur, A. Shamir, Cube testers and key recovery attacks on reduced round MD6 and Trivium, Fast Software Encryption, 2009. I. Dinur, A. Shamir, Side channel cube attacks on block ciphers, IACR Cryptology eprint Archive, 2009/127. J. Lathrop, Cube Attacks on Cryptographic Hash Functions, Master s Thesis, Rochester Institte of Technology, 2009.

Paper Miachael Vielhaber, Breaking One.Fivium by AIDA an Algebraic IV Differential Attack, IACR Cryptology eprint Archive, 2007.

2. The structure of attack Let us consider cryptosystem described by the polynomial: p(v 1,...,v m,x 1,...,x n ) dependingonmpublicvariablesv 1,...,v m (theinitial valueorplaintext)andonnsecretvariablesx 1,...,x n (thekey). The value of the polynomial represents the ciphertext bit. In general, the polynomial p is not explicitelly known; it canbeablackbox. We will consider the known plaintext attack, where at the preprocessing stage the attacker has also an access to secret variables(initial values or keys).

3. The structure of attack, cont. 1 The preprocessing stage. The attacker can change the valuesofpublicandsecretvariables.thetaskistoobtain a system of linear equations on secret variables. 2 Thestageonlineoftheattack.Thekeyissecret now. The attacker can change the values of public variables. He adds the output bits, where the inputs run over some multi-dimennsional cubes. The task is to obtain the right hand sides of linear equations. The system of linearequationcanbesolvedgivingsomebitsofthekey.

4. Mathematical background Foramomentweshallnotdistinguishthesecretand public variables. Letpbeapolynomialofnvariablesx 1,...,x n overthe fieldgf(2). ForasubsetofindexesI ={i 1,...,i k } {1,...,n}let ustakeamonomial t I =x i1...x ik Then we have a decomposition p(x 1,...,x n ) =t I p S(I) +q(x 1,...,x n ) wherethepolynomialp S(I) doesnotdependonthe variablesx i1,...,x ik.

5.Example1 Letusconsiderapolynomialpofdegree3dependingon 5 variables: p(x 1,x 2,x 3,x 4,x 5 ) =x 1 x 2 x 3 +x 1 x 2 x 4 +x 2 x 4 x 5 + x 1 x 2 +x 3 x 5 +x 2 +x 5 =1 LetI ={1.2}beachosensubsetofindexes. Then the polynomial p can be decomposed as: p(x 1,x 2,x 3,x 4,x 5 ) =x 1 x 2 (x 3 +x 4 +1)+ (x 2 x 4 x 5 +x 3 x 5 +x 2 +x 5 +1)

6. Example 1, cont. Using the introduced above notation: t I =x 1 x 2, p S(I) =x 3 +x 4 +1, q(x 1,x 2,x 3,x 4,x 5 ) =x 2 x 4 x 5 +x 3 x 5 +x 2 +x 5 +1

7. Definition 1 Themaxtermofthepolynomialpwecallthemonomialt I, such that deg(p S(I) ) =1, itmeansthatthepolynomialp S(I) correspondingtothesubset ofindexesiisalinearone,whichisnotaconstant.

8. Summation over cubes LetI ={i 1,...,i k } {1,...,n}beafixedsubsetofk indexes. ThesetIdefinesthek-dimensionalbooleancubeC I, whereontheplaceofeachoftheindexesweput0or1. Agivenvectorv C I definesthederivedpolynomoalp v dependingonn kvariables,whereinthebasic polynomoal p we put the values corresponding to the vectorv. SummingoverallvectorsinthecubeC I weobtainthe polynomial: p I = v C I p v

9.Theorem1 LetpbeapolynomialoverthefieldGF(2)andI {1,...,n} theindexsubset.thenwehave: p I =p S(I) mod2

10. Example 2 Let us consider a polynomial: p(v 1,v 2,v 3,x 1,x 2,x 3 ) =v 1 v 2 v 3 +v 1 v 2 x 1 +v 1 v 3 x 1 +v 2 v 3 x 1 + v 1 v 2 x 3 +v 1 v 3 x 2 +v 2 v 3 x 2 +v 1 v 3 x 3 +v 1 x 1 x 3 +v 3 x 2 x 3 +x 1 x 2 x 3 + v 1 v 2 +v 1 x 3 +v 3 x 1 +x 1 x 2 +x 2 x 3 +x 2 +v 1 +v 3 +1 ofdegreed=3dependingonpublicvariablesv 1,v 2,v 3 andsecretvariablesx 1,x 2,x 3. Substituting on public variables the values 0/1 we get the eight derived polynomials.

11. Example 2, cont. p(0,0,0,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 2 x 3 +x 2 +1 p(0,0,1,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 1 +x 2 p(0,1,0,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 2 x 3 +x 2 +1 p(0,1,1,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 p(1,0,0,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 2 +x 3 p(1,0,1,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 1 x 3 +1 p(1,1,0,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 1 +x 2 +1 p(1,1,1,x 1,x 2,x 3 ) =x 1 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 +x 3 +1

12. Example 2, cont. Summingthefourderivedpolynomialswithv 1 =0weget x 1 +x 2, Summingthefourderivedpolynomialswithv 2 =0weget x 1 +x 2 +x 3, Summingthefourderivedpolynomialswithv 3 =0weget x 1 +x 3 +1. The obtained expressions lead to a system of linear equationsusedinthestageonlineoftheattack.

13. The preprocessing stage 1 Thefirsttaskistofixdimensionofthecubeandthe public variables over which we will sum; they are called the tweakable variables, and the other public variables are puttozero.inthecaseweknowthedegreedofthe basicpolynomial,weputthecubedimensiontod 1. 2 Wedothesummationoverafixedcubeforseveralvalues of secret variables and collect the obtained values. 3 Wedothelineartestsfortheobtainedfunctionofsecret variablesandstoreitwhenitislinear: f (x x ) =f (x) f(x ) f(0), wherex= (x 1,...,x n )aresecretvariables(thekey).

14. The preprocessing stage, cont. Thenexttaskistocalculatetheexactform(the coefficients) of the obtained linear function of secret variables. Thefreetermofthelinearfunctionweobtanputtingits all argument equal zero. Thecoefficientofthevariablex i isequal1ifandonlyif thechangeofthisvariableimpliesthechangeofvaluesof the function. Thecoefficientofthevariablex i isequal0ifandonlyif thechangeofthisvariabledoesnotimplythechangeof values of the function.

15. The preprocessing stage, cont. Thetaskofthisstageofattackistocollectpossible many independent linear terms- they constitute the system of linear equations on secret variables. Thissystemoflinearequationswillbeusedintheonline stage of attack. The preprocessing stage is done only once in cryptanalysis of the algorithm.

16.Thestageonlineofattack Now an attacker has the access only to public variables (thr plaintext for block ciphers, the initial values for stream ciphers), which he can change and calculates the corresponding bits of the ciphertext under the unknown value of secret variables. Thetaskofthisstageofattackistofindsomebitsof secret key with complexity, which would be lower than the exhuastive search in the brute force attack. The attacker uses the derived system of linear equations for secret variables(the unknown bits of the key), where therighthandsidesoftheseequationsarethevaluesof bits of ciphertext obtained after summation over the same cubesasinthepreprocessingstage,butnowthekeyis not known.

17.Thestageonlineofattack,cont. The cube attach is applicable to symmetric ciphers for which the polynomials descibing the system have relatively low degree. Thenonecaneventuallyfindsomebitsofunknownkey. Theremainingbitsofthekeymaybefoundbybrute force search. After successful preprocwssing stage, the stage on line of attack can be done many times for different unknown keys The cube attack is applicable, in general, to cryptosystems without knowing their inner structure. The attacker must have the possibility to realize the preprocessingstageandintheonlinestageanaccessto the implementation of the algorithm(to perform the summation over cubes under unknown key).

18.CTC-CourtoisToyCipher Specification CTC was designed by Nicolais Courtois to apply and test the methods of algebraic analysis. ItisaSPNnetworkwhichisscalableinthenumberof rounds, the block and key size. Each round performs the same operation on the input data,exceptthatadifferentroundkeyisaddedeach time.thenumberofroundsisdenotedbyn r.the outputofroundi 1istheinputtoroundi. Each round consists of parallel applications of B S-boxes (S), the application of the linear diffusion layer (D), and afinalkeyadditionoftheroundkey.theroundkeyk 0 is added to the plaitext block before the first round.

19.CTCovervievforB=10

20.CTC-CourtoisToyCipher Specyfication, cont. Theplaintextbitsp 0...p Bs 1 areidentifiedwith Z 0,0...Z 0,Bs 1 andtheciphertextbitsc 0...c Bs 1 are identifiedwithx Nr+1,0...X Nr+1,Bs 1tohaveanuniform notation. The S-box was chosen as the permutation [7,6,0,4,2,5,1,3] Ithas2 3 =8inputsand8outputs.Theoutputbitsare quadratic boolean functions of the input bits. The explicit formofthesefunctionsisnotusedincubeattack.

21.CTC-CourtoisToyCipher Specyfication, cont. The diffusion layer (D) is defined as foralli =1...N r, Z i,257modbs =Y i,0 Z i,(1987j+257)modbs =Y i,j +Y i,(j+137)modbs forj 0andalli,whereY i,j representsinputbotsand Z i,j representsoutputbits.

22.CTC-CourtoisToyCipher Specyfication, cont. The key schedule is a simple permutation of bits: K i,j =K 0,(i+j)modBs foralliandj,wherek 0 isthemainkey. Key addition is performed bit-wise: X i+1,j =Z i,j +K i,j foralli =1...N r andj =1...Bs 1,whereZ i,j represents output bits of the previous diffusion layer, X i+1,j theinputbitsofthenextround,andk i,j thebitsof the current round key.

23.CubeattackonCTC WehaveappliedthecubeattacktotheversionofCTC withfourroundsandb=40ofs-boxes,i.e.theblock andthekeysizesbeing120bits. In the preprocessing stage we have done the summation over 50000 randomly chosen four dimensional cubes taken fromtheplaintext(otherbitsoftheplaintextareputto zero). Then 757 boxes lead to linear expresions (maxterms)forbitsofthekey.forderivationofeach linear expresion we used 5000 linear tests. We have chosen 120 linearly independent maxterms. They give the solvable system of linear equation for bits of the key.

24. The linear equations The equation Cube indexes 1+x66+x68 = c66 {4,5,22,52} x27+x28 = c105 {1,60,62,90} 1+x58 = c18 {16,17,60,110} 1+x14 = c80 {29,38,61,106} 1+x54+x56 = c36 {41,55,64,115} 1+x115+x116 = c66 {5,10,22,89} 1+x43 = c11 {73,74,75,118} x69+x70 = c28 {48,68,77,110} 1+x25 = c70 {73,76,93,104} x78+x79 = c114 {10,39,70,118} There are together 120 linearly independent such equations for thebitsx 0,...,x 119 ofthekey;c 0,...,c 119 areoutputbits.

25.CubeattackonCTC,cont. Intheonlinestageoftheattackweneedtosumover 120chosencubes(thekeyisunknown)tofindtheright hand sides of the linear equations. Thecomplexityoftheattackhereisabout2 7 2 4 =2 11 encryptionsofthefourroundctctorecoverthefull 120-bit key. Infact,thisreducedroundcipherisdescribedbyasystem of linear equations. Probably, for biger number of rounds, it is impossible to find such a description.

26.The stream cipher Trivium The specification of algorithm Algorithm Trivium(the authors: C. de Canniere and B. Preneel)isoneofthefinalistsofeSTREAM competitions. Thebasicparametersarethe80-bitkeyandthe80-bit initial value. TheinnerstateofTriviumare288bitsloadedtothree nonlinear registers of different lengths. Ineachroundofthealgorithmtheregistersareshiftedon one bit. Thefeedbackineachregisterisgivenbyanonlinear function.

27. The specification of Trivium (s 1,s 2,...,s 93 ) (k 1,k 2,...,k 80,0,...,0) (s 94,s 95,...,s 177 ) (IV 1,IV 2,...,IV 80,0,...,0) (s 178,s 179,...,s 288 ) (0,0,...,0,1,1,1) fori=1to1152 t 1 s 66 +s 93 t 2 s 162 +s 177 t 3 s 243 +s 288 t 1 t 1 +s 91 s 92 +s 171 t 2 t 2 +s 175 s 176 +s 264 t 3 t 3 +s 286 s 287 +s 69

28. The specification of Trivium, cont. (s 1,s 2,...,s 93 ) (t 3,s 1,...,s 92 ) (s 94,s 95,...,s 177 ) (t 1,s 94,...,s 176 ) (s 178,s 179,...,s 288 ) (t 2,s 178,...,s 287 ) end for

29. The specification of Trivium, cont. Thegenerationoftheouputbtstring (z i )ofthemaximal lengthupto N =2 64 bits,canberepresentedas: fori=1ton t 1 s 66 +s 93 t 2 s 162 +s 177 t 3 s 243 +s 288 z i t 1 +t 2 +t 3 t 1 t 1 +s 91 s 92 +s 171 t 2 t 2 +s 175 s 176 +s 264 t 3 t 3 +s 286 s 287 +s 69

30. The specification of Trivium, cont. (s 1,s 2,...,s 93 ) (t 3,s 1,...,s 92 ) (s 94,s 95,...,s 177 ) (t 1,s 94,...,s 176 ) (s 178,s 179,...,s 288 ) (t 2,s 178,...,s 287 ) end for

31.ThecubeattackonTrivium Dinur and Shamir investigated the reduced version of Trivium which contains 672(instead of 1152) initialization rounds. During the preprocessing stage they obtained 63 linearly independent maxterms corresponding to 12-dimensional cubesandoutputbitsoftheindicesfrom672to685.

32. The cube attack on Trivium, cont. Intheonlinestagetheattackermustfindthevaluesof the maxterms summing over 63 12-dimensional cubes. After solving the system of linear equations the attacker obtains63bitsofthekeyandtheremaining17bitsof thekeyarefoundbybruteforcesearch. Thecomplexityoftheattack(intheonlinestage)isca. 2 19 evaluatioinsoftheinvestigated,reducedalgorithm.it issmallerthanthecomplexity2 55 inthepreviousattacks on this version of Trivium.

Cube attack Thank you