Algebraic--Differential Cryptanalysis of DES Algebraic cryptanalysis of DES using Minisat Algebraic...
Introduction | Algebraic cryptanalysis of DES using Minisat | Algebraic-differential cryptanalysis of DES
Algebraic-Differential Cryptanalysis of DES
Jean-Charles Faugère, Ludovic Perret, Pierre-Jean Spaenlehauer
UPMC - LIP6
CNRS
INRIA Paris - Rocquencourt
SALSA team
Journées C2
1/33 PJ Spaenlehauer
Plan
1 Introduction
2 Algebraic cryptanalysis of DES using Minisat
  Data Encryption Standard
  Modeling
  Experimental results
3 Algebraic-differential cryptanalysis of DES
  Algebraic-differential cryptanalysis
  Results on six, seven and eight rounds
Algebraic Cryptanalysis
Algebraic representation of a cryptographic primitive.
Tools for efficient polynomial system solving.
1 Gröbner Bases algorithms (Buchberger, Faugère F4 and F5).
2 SAT Solvers.
Remark
There is a very strong link between the modeling and the tools used for the resolution.
Challenge
Can algebraic cryptanalysis be efficient against block ciphers ?
Our work
SAT-solver attacks against DES using different modelings of the DES S-boxes.
Incorporation of elements from differential cryptanalysis
new attacks against 6, 7 and 8 rounds of DES using dedicated characteristics.
Tradeoff between time and data complexity.
Polynomial System Solving
SAT Solvers ?
Very efficient and flexible dedicated software.
SAT-competition. Active research field.
Easy to use. Low memory consumption.
Courtois N.T., Bard G.V. and Jefferson C.
Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers.
http://eprint.iacr.org/2007/024.pdf
Replace each monomial by a new variable.
Cut linear equations into smaller equations (by adding new variables).
+ optimizations.
MiniSat2
Een, N. and Sorensson, N.
MiniSat: A SAT solver with conflict-clause minimization
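The two conversion steps listed above (one new variable per monomial, long linear equations cut into short ones), as an added Python sketch that is not code from the cited paper or from the talk. The function names, the input encoding, the cut length of 4 and the sample system are assumptions chosen for illustration.

```python
from itertools import product

def anf_to_cnf(equations, nvars, cut=4):
    """Convert a GF(2) polynomial system to CNF (DIMACS-style signed literals).
    equations: list of (monomials, rhs) meaning XOR(monomials) = rhs; a monomial
    is a tuple of 1-based variable indices. Returns (clauses, total_vars).
    Assumes no monomial occurs twice in the same equation.
    """
    clauses, mono_var, top = [], {}, nvars

    def fresh():
        nonlocal top
        top += 1
        return top

    def var_for(mono):
        # Step 1: one new variable t per monomial of degree >= 2, t <-> AND(mono).
        if len(mono) == 1:
            return mono[0]
        if mono not in mono_var:
            t = mono_var[mono] = fresh()
            clauses.extend([-t, v] for v in mono)
            clauses.append([t] + [-v for v in mono])
        return mono_var[mono]

    def add_xor(vs, rhs):
        # Forbid every assignment of vs whose parity differs from rhs.
        for bits in product((0, 1), repeat=len(vs)):
            if sum(bits) % 2 != rhs:
                clauses.append([-v if b else v for v, b in zip(vs, bits)])

    for monos, rhs in equations:
        vs = [var_for(tuple(sorted(m))) for m in monos]
        # Step 2: cut a long XOR into short ones, one new variable per cut.
        while len(vs) > cut:
            s = fresh()
            add_xor(vs[:cut - 1] + [s], 0)   # s = XOR of the first cut-1 terms
            vs = [s] + vs[cut - 1:]
        add_xor(vs, rhs)
    return clauses, top

def count_models(clauses, n):
    """Brute-force model count, usable only on small constructed systems."""
    return sum(all(any((lit > 0) == bool(a[abs(lit) - 1]) for lit in c)
                   for c in clauses) for a in product((0, 1), repeat=n))

# Constructed sample system over x1..x5 (not derived from DES).
SAMPLE = [([(1, 2), (3,), (4,), (2, 5), (5,), (1,)], 1),
          ([(1, 2), (3, 4), (5,)], 0)]
```

Every auxiliary variable is determined by the original ones, so the CNF has exactly as many models as the polynomial system has solutions.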
Sparse quadratic systems
Data Encryption Standard
Iterative Block Cipher
Block size: 64 bits
Effective size of the key: 56 bits
Encryption standard between 1976 and 2002
Why did we choose to study the DES ?
Main attacks against DES
Wiener, M.J.
Efficient DES key search. Technical Report
Biham, E. and Shamir, A.
Differential cryptanalysis of the full 16-round DES. Crypto'1992
Knudsen, L.R.
Partial and higher order differentials and applications to the DES. BRICS report
Matsui, M.
Linear cryptanalysis method for DES cipher. EUROCRYPT'1993
DES Structure
Feistel network
S-boxes : non-linear part of the system
Algebraic cryptanalysis of DES using Minisat
Starting point
N.T. Courtois, G.V. Bard
Algebraic Cryptanalysis of the Data Encryption Standard
IMA Int. Conf. 2007
General principle
1 known plaintext.
Model the cryptosystem by a set of clauses.
Use Minisat to extract the key.
Remark
We can combine this approach with an exhaustive search over some bits of the key.
S-boxes modeling (I)
We have considered several modelings of the DES S-boxes.
The choice of the modeling is very important.
Our modeling
We search (exhaustively) for the set of polynomials which verify :
$$P(x_1,\dots,x_6,y_1,\dots,y_4) = \prod (x_i + \alpha_i) \prod (y_i + \beta_i), \qquad \alpha_i, \beta_i \in \{0,1\}$$
such that
$$S(x_1,\dots,x_6) = (y_1,\dots,y_4) \Rightarrow P(x_1,\dots,x_6,y_1,\dots,y_4) = 0$$
Complexity: $3^{10}$
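An added Python sketch of this exhaustive search for S1, not the authors' code: it enumerates the 3^10 candidate products, keeps those that vanish on the graph of the S-box, and reads each one as a clause. The function names and the (mask, pattern) encoding are assumptions, and redundant products are not filtered out, so the number of clauses it produces is not meant to match the counts reported in the talk.

```python
# DES S-box S1 (public standard table); row = outer input bits, column = inner bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """6-bit input x1..x6 (x1 = MSB): row = x1 x6, column = x2 x3 x4 x5."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

# Graph of S1 as 10-bit points: bits 9..4 hold x1..x6, bits 3..0 hold y1..y4.
GRAPH = {(x << 4) | sbox(x) for x in range(64)}

def submasks(mask):
    """Yield every subset of the bits of mask, including 0 and mask itself."""
    sub = mask
    while True:
        yield sub
        if sub == 0:
            return
        sub = (sub - 1) & mask

def vanishing_products():
    """Exhaustive search over the 3^10 products P; returns (tested, found).

    A product is stored as (mask, pattern): mask selects its variables and the
    factor (v + alpha) equals 1 exactly when v = 1 + alpha, so P = 1 iff
    point & mask == pattern. P vanishes on the graph iff no valid point matches.
    """
    tested, found = 0, []
    for mask in range(1 << 10):
        seen = {p & mask for p in GRAPH}
        for pattern in submasks(mask):
            tested += 1
            if pattern not in seen:
                found.append((mask, pattern))
    return tested, found

def to_clause(mask, pattern):
    """P = 0 as a clause over variables 1..10 (x1..x6, y1..y4): at least one
    selected variable must differ from its pattern bit."""
    return [-(i + 1) if (pattern >> (9 - i)) & 1 else i + 1
            for i in range(10) if (mask >> (9 - i)) & 1]

def accepts(point, products):
    """True iff the 10-bit point violates none of the clauses."""
    return all(point & mask != pattern for mask, pattern in products)
```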
S-box modeling (II)
S-box   Nb of clauses
S1      1624
S2      1844
S3      1767
S4      1881
S5      1812
S6      1705
S7      1673
S8      2047
For 6 rounds: 792 variables and 90086 clauses.
+ partial exhaustive search on 28 bits of the key.
Experimental results
Our approach
Limit
Algebraic cryptanalysis usually considers only one known plaintext.
We combine algebraic cryptanalysis and statistical techniques to exploit efficiently the knowledge of several plaintexts.
Tradeoff time/plaintexts.
In particular, we consider differential cryptanalysis.
Differential cryptanalysis (I)
The principle was known by the DES designers.
Based on a statistical bias of the S-boxes.
Key recovery attack.
We try to predict how the difference of a pair of plaintexts will diffuse through the cipher.
Differential cryptanalysis of the 3 round-reduced DES
[Figure: three-round Feistel diagram with round functions F1, F2, F3; input difference (A0L, 00 00 00 00x), output difference (A3L, A3R).]
∆in = B = A3L
∆out = A0L ⊕ A3R
Differential cryptanalysis (II)
more than 3 rounds
Statistical method.
Differential characteristics.
A lot of plaintexts needed.
Motivations
Compromise between algebraic cryptanalysis and differential cryptanalysis.
We can use the strong correlation between the subkeys.
The notion of difference is easy to represent with clauses.
We only need one pair following the characteristic to retrieve the key.
General algorithm
Repeat until the key is found :
Choose a differential characteristic.
Choose two plaintexts with difference fixed by the characteristic.
Construct the system of clauses for DES, and add the clauses corresponding to the characteristic.
Solve with MiniSat. If the result is UNSATISFIABLE, restart (it means that the pair didn't follow the characteristic). If the result is SATISFIABLE, then MiniSat returns the key.
Six rounds
Approach
Classical differential characteristics.
Combination of different characteristics to reduce the data complexity.
How to combine
We can run MiniSat 6 times with 7 plaintexts.
Six 3-round characteristics ∆1, ..., ∆6.
7 plaintexts m0, ..., m6 such that mi = m0 ⊕ δi.
Experimental results
Cryptanalysis                                              Plaintexts   Time
Differential (Biham, Shamir)                               240          0.3 seconds
Differential (Knudsen)                                     46           a few seconds
Algebraic with SAT Solver (Courtois, Bard)                 1            225 seconds
Algebraic-differential                                     32           3000 seconds
Algebraic-differential (combination of characteristics)    22           <10 hours
Seven rounds
For seven rounds and more, the classical differential characteristics do not seem to be well suited.
We have used a dedicated differential characteristic.
Truncated characteristic with probability 1/1000.
S-box   δin   δout   Proba
S1      4x    6x     10/64
S1      8x    3x     12/64
S2      4x    10x    10/64
S2      4x    12x    10/64
S2      8x    9x     10/64
S2      8x    10x    16/64
S2      12x   5x     14/64
S3      4x    9x     12/64
S3      8x    3x     10/64
S3      12x   5x     12/64
S3      12x   6x     12/64
S4      4x    6x     12/64
S4      4x    9x     12/64
S5      4x    6x     10/64
S5      8x    6x     10/64
S5      8x    10x    10/64
S5      12x   3x     10/64
S5      12x   6x     10/64
S5      12x   10x    10/64
S6      8x    6x     16/64
S6      12x   3x     12/64
S6      12x   5x     10/64
S7      8x    10x    12/64
S7      12x   12x    14/64
S8      4x    12x    10/64
S8      12x   5x     10/64
S8      12x   6x     10/64
∆0L = 00 20 20 00    ∆0R = 00 00 06 00
  F_k1: 00 00 06 00 → 00 20 20 00, with probability 12/64
∆1L = 00 00 06 00    ∆1R = 00 00 00 00
  F_k2: 00 00 00 00 → 00 00 00 00, with probability 1
∆2L = 00 00 00 00    ∆2R = 00 00 06 00
  F_k3: 00 00 06 00 → 00 20 20 00, with probability 12/64
∆3L = 00 00 06 00    ∆3R = 00 20 20 00
  F_k4: 00 20 20 00 → 04 04 01 80, with probability 100/64^2
∆4L = 00 20 20 00    ∆4R = 04 04 07 80
  F_k5: 04 04 07 80, with probability 1
∆5L = 04 04 07 80    ∆5R = %%0%00%00%%%%0000%%%0%000%0%%00%
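An added Python check, not from the slides, of the first round of this characteristic against the standard DES tables: with ∆R = 00 00 06 00 only S6 is active, with input difference 12, and the S-box table's entry 12x → 3x (12/64) maps through P to 00 20 20 00. The function names are assumptions; S6 and P are the public DES tables, and S-boxes are treated as independent.

```python
from fractions import Fraction

# DES S-box S6 and bit permutation P (public standard tables; P is 1-indexed).
S6 = [
    [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
    [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
    [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
    [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13],
]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]

def sbox(table, x):
    """6-bit input (MSB first): row = outer two bits, column = inner four."""
    return table[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def ddt_count(table, din, dout):
    """Number of the 64 inputs x with S(x) ^ S(x ^ din) == dout."""
    return sum(sbox(table, x) ^ sbox(table, x ^ din) == dout for x in range(64))

def expand_diff(delta):
    """Apply the expansion E to a 32-bit difference (E is linear, so it acts on
    differences); returns the eight 6-bit S-box input differences."""
    def bit(i):                            # bit 0 = most significant bit
        return (delta >> (31 - i % 32)) & 1
    return [sum(bit(4 * j + t - 1) << (5 - t) for t in range(6)) for j in range(8)]

def unpermute_diff(delta):
    """Undo P on a 32-bit F-output difference; returns eight 4-bit differences."""
    pre = 0
    for pos, src in enumerate(P):          # output bit pos+1 is S-box bit src
        if (delta >> (31 - pos)) & 1:
            pre |= 1 << (32 - src)
    return [(pre >> (28 - 4 * j)) & 0xF for j in range(8)]

def transition_probability(din, dout, tables):
    """Probability that F maps difference din to dout, treating S-boxes as
    independent. tables maps S-box number (1..8) to its table; only the active
    S-boxes (non-zero input difference) need to be supplied."""
    prob = Fraction(1)
    pairs = zip(expand_diff(din), unpermute_diff(dout))
    for number, (a, b) in enumerate(pairs, start=1):
        if a == 0:
            if b != 0:
                return Fraction(0)         # inactive S-box cannot change output
            continue
        prob *= Fraction(ddt_count(tables[number], a, b), 64)
    return prob
```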
Experimental results
7 rounds cryptanalysis
2000 chosen plaintexts
3 hours
Not many results on 7 rounds in the literature.
Eight rounds
We have found a 5-round truncated differential characteristic with probability 1/5800.
+ partial exhaustive search over 8 bits of the key.
8 rounds cryptanalysis
11600 chosen plaintexts and 225 seconds.
Summary
Rounds   Cryptanalysis                  Nb of plaintexts   Time
6        diff (Biham, Shamir)           240 (chosen)       0.3 s
6        diff (Knudsen)                 46 (chosen)        <10 s
6        alg (Courtois, Bard)           1 (known)          225 s
6        diff + alg                     32 (chosen)        3000 s
6        diff + alg                     22 (chosen)        <10 h
7        diff + alg                     2000 (chosen)      10000 s
8        diff (Biham, Shamir)           50000 (chosen)     100 s
8        lin (Matsui)                   220 (known)        40 s
8        diff + alg                     11500 (chosen)     225 s
8        diff+lin (Hellman, Langford)   512 (chosen)       few seconds
Conclusion
Use of statistical methods in algebraic cryptanalysis.
→ New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics.
Tradeoff plaintexts/time.
Related work (Cryptanalysis of Present)
M. Albrecht and C. Cid
Algebraic Techniques in Differential Cryptanalysis
FSE 2009
Future work
Extension of this attack for more rounds ?
Algebraic-differential cryptanalysis of DES with Gröbner Bases ?
Other cryptosystems ?
Other statistical tools (differential-linear cryptanalysis, ...) ?