Christina Boura Anne Canteaut Christophe De Cannièrefse2011.mat.dtu.dk/slides/Higher-order...

Higher-order Di�erential Properties for Ke ak and Lu�aChristina Boura1,2 Anne Canteaut1 Christophe De Cannière31SECRET Proje t-Team, INRIA, Fran e

2Gemalto, Fran e3Katholieke Universiteit Leuven,BelgiumFebruary 15, 2011

1 / 28

Outline1 Introdu tion2 New bound on the degree of iterated permutations3 Appli ation to two SHA-3 andidatesKe akLu�a4 Con lusions 2 / 28

Introdu tionOutline1 Introdu tion2 New bound on the degree of iterated permutations3 Appli ation to two SHA-3 andidatesKe akLu�a4 Con lusions 3 / 28

Introdu tionObje tive of this paperStudy the algebrai degree of some hash fun tion proposals and oftheir inner primitives.Use these results to onstru t higher-order di�erential distinguishersand zero-sum stru tures.Previous work (related with the SHA-3 ompetition)Zero-sum Distinguishers for Ke ak, Lu�a and Hamsi.[Aumasson-Meier 09, Aumasson et al. 09, Boura-Canteaut 10℄Higher-order di�erential atta k on Lu�a v1. [Watanabe et al. 10℄4 / 28

Introdu tionBound on the degree of iterated permutationsQuestionHow to estimate the algebrai degree of an iterated permutationafter r rounds?

5 / 28

Introdu tionBound on the degree of iterated permutationsQuestionHow to estimate the algebrai degree of an iterated permutationafter r rounds?Trivial Bounddeg(G ◦ F ) ≤ degGdegF

5 / 28

Introdu tionBound on the degree of iterated permutationsQuestionHow to estimate the algebrai degree of an iterated permutationafter r rounds?Trivial Bounddeg(G ◦ F ) ≤ degGdegF[Canteaut-Videau 02℄: Improvement when the Walsh spe trum of

F is divisible by a high power of 2. 5 / 28

New bound on the degree of iterated permutationsOutline1 Introdu tion2 New bound on the degree of iterated permutations3 Appli ation to two SHA-3 andidatesKe akLu�a4 Con lusions 6 / 28

New bound on the degree of iterated permutationsTowards a new bound on the degree (degF = 3)

02004006008001000120014001600

0 2 4 6 8 10 12 14 16deg(F)

Rounds Trivial Bound7 / 28

New bound on the degree of iterated permutationsS-Box

x0 x2x1 x3

y1 y2 y3y0

QuestionIf S is balan ed, what is the degreeof the produ t of k oordinates of S?

8 / 28


x0 x2x1 x3

y1 y2 y3y0

QuestionIf S is balan ed, what is the degreeof the produ t of k oordinates of S?De�nitionδk : maximum degree of the produ tof k oordinates of S

8 / 28


x0 x2x1 x3

y1 y2 y3y0


k δk1 38 / 28


x0 x2x1 x3

y1 y2 y3y0


k δk1 32 33 38 / 28


x0 x2x1 x3

y1 y2 y3y0


k δk1 32 33 34 4F permutation of Fn

2 :δk = n i� k = n. 8 / 28

New bound on the degree of iterated permutationsThe new boundTheorem. Let F be a fun tion from Fn2 into F

n2 orresponding to the on atenation of m smaller Sboxes, S1, . . . , Sm, de�ned over Fn0

2. Then,for any fun tion G from F

n2 into F

ℓ2, we have

deg(G ◦ F ) ≤ n −n − deg(G)

γ,where

γ = max1≤i≤n0−1

n0 − i

n0 − δi.Most notably, if all Sboxes are balan ed, we have

deg(G ◦ F ) ≤ n −n − deg(G)

n0 − 1. 9 / 28

New bound on the degree of iterated permutationsS1 S3 S4S2ProblemMultiply d output bits from S1, S2, S3, S4 in su h a way that thedegree of their produ t π, deg(π) is maximized.

10 / 28

New bound on the degree of iterated permutationsS1 S3 S4S2ProblemMultiply d output bits from S1, S2, S3, S4 in su h a way that thedegree of their produ t π, deg(π) is maximized.De�nition

xi = # Sboxes for whi h exa tly i oordinates are involved in π.10 / 28

New bound on the degree of iterated permutationsS1 S3 S4S2ProblemMultiply d output bits from S1, S2, S3, S4 in su h a way that thedegree of their produ t π, deg(π) is maximized.De�nition

xi = # Sboxes for whi h exa tly i oordinates are involved in π.deg(π) ≤ max

(x1,x2,x3,x4)(δ1x1 + δ2x2 + δ3x3 + δ4x4)with x1 + 2x2 + 3x3 + 4x4 = d. 10 / 28

New bound on the degree of iterated permutationsS1 S3 S4S2

d x4 x3 x2 x1 deg(π)

16 4 - - - 161514131211109... ... ... ... ... ...

11 / 28



16 4 - - - 1615 3 1 - - 1514131211109... ... ... ... ... ...

11 / 28



16 4 - - - 1615 3 1 - - 1514 3 - 1 - 15131211109... ... ... ... ... ...

11 / 28



16 4 - - - 1615 3 1 - - 1514 3 - 1 - 1513 3 - - 1 1512 2 1 - 1 1411 2 - 1 1 1410 2 - - 2 149 1 1 - 2 13... ... ... ... ... ...

11 / 28



16 4 - - - 1615 3 1 - - 1514 3 - 1 - 1513 3 - - 1 1512 2 1 - 1 1411 2 - 1 1 1410 2 - - 2 149 1 1 - 2 13... ... ... ... ... ...

16 − deg(π) ≥16 − d

3 11 / 28



16 4 - - - 1615 3 1 - - 1514 3 - 1 - 1513 3 - - 1 1512 2 1 - 1 1411 2 - 1 1 1410 2 - - 2 149 1 1 - 2 13... ... ... ... ... ...

deg(π) ≤ 16 −16 − d

3 11 / 28

Appli ation to two SHA-3 andidatesOutline1 Introdu tion2 New bound on the degree of iterated permutations3 Appli ation to two SHA-3 andidatesKe akLu�a4 Con lusions 12 / 28

Appli ation to two SHA-3 andidates Ke akKe ak [Bertoni-Daemen-Peeters-Van Ass he 08℄3rd round SHA-3 andidateSponge onstru tionKe ak-f Permutation1600-bit state, seen as a 3-dimensional5× 5× 64 matrix24 rounds RNonlinear layer: 320 parallel appli ationsof a 5× 5 S-box χ

degχ = 2, degχ−1 = 3 13 / 28

Appli ation to two SHA-3 andidates Ke akZero-Sums and Zero-sum PartitionsFor blo k iphers (known-key atta k) [Knudsen - Rijmen 07℄For hash fun tions [Aumasson - Meier 09, Boura - Canteaut 10℄De�nition[Zero-Sum℄Let F : Fn2 → F

n2 .A zero-sum for F of size K is a subset {x1, . . . , xK} ⊂ F

n2 su h that

K∑

i=1

xi =

K∑

i=1

F (xi) = 0.

14 / 28

Appli ation to two SHA-3 andidates Ke akZero-Sums and Zero-sum PartitionsFor blo k iphers (known-key atta k) [Knudsen - Rijmen 07℄For hash fun tions [Aumasson - Meier 09, Boura - Canteaut 10℄De�nition[Zero-Sum℄Let F : Fn2 → F

n2 .A zero-sum for F of size K is a subset {x1, . . . , xK} ⊂ F

n2 su h that

K∑

i=1

xi =

K∑

i=1

F (xi) = 0.De�nition[Zero-sum Partition℄Let P be a permutation from Fn2 into F

n2 . A zero-sum partition for

P of size K = 2k is a olle tion of 2n−k disjoint zero-sums. 14 / 28

Appli ation to two SHA-3 andidates Ke akThe new bound applied on Ke ak-fLet R be the round fun tion of Ke ak-f and R−1 its inverse.For any F ,deg(F ◦R) ≤ 1600 −

1600 − deg(F )

3

deg(F ◦R−1) ≤ 1600 −1600 − deg(F )

3Observation [Duan-Lai 11℄ For χ−1 : δ2 = 3Then,deg(F ◦R−1) ≤ 1600 −

1600 − deg(F )

2 15 / 28

Appli ation to two SHA-3 andidates Ke akr deg(Rr) deg(R−r)1 2 32 4 93 8 274 16 815 32 2436 64 7297 128 11648 256 13829 512 149110 1024 154511 1408 157212 1536 158613 1578 159314 1592 159615 1597 159816 1599 1599 16 / 28

Appli ation to two SHA-3 andidates Ke akZero-Sum Partitions for the full Ke ak-f (24 rounds)Starting with any olle tion of 315 rows after the linear layer in the 12-thround, we get zero-sum partitions of size 21575for the full Ke ak-f permutation.

17 / 28

Appli ation to two SHA-3 andidates Lu�aLu�a [De Cannière, Sato and Watanabe 08℄�Sponge-like� onstru tion;Linear message inje tionfun tion MI;Permutation P , splittedinto w parallel 256-bitpermutationsQ0, . . . , Qw−1;Qj : 8-round permutation.Every round alled Step; 18 / 28

Appli ation to two SHA-3 andidates Lu�aThe Step fun tion:SubCrumb: 64 parallel 4× 4 Sboxes of degree 3;MixWord: Linear layer mixing the 32-bit words two by two.

Figure: The Step fun tion 19 / 28

Appli ation to two SHA-3 andidates Lu�aThe Step fun tion:SubCrumb: 64 parallel 4× 4 Sboxes of degree 3;MixWord: Linear layer mixing the 32-bit words two by two.

Figure: The Step fun tionDi�erent Sbox for Lu�a v1 and Lu�a v2! 19 / 28

Appli ation to two SHA-3 andidates Lu�aBound on the degree of Qj for Lu�a v1For r ≤ 5, bound by Watanabe et al.r deg xr1 32 83 204 515 130

20 / 28

Appli ation to two SHA-3 andidates Lu�aBound on the degree of Qj for Lu�a v1For r ≤ 5, bound by Watanabe et al.r deg xr1 32 83 204 515 1306 2147 2428 251For r ≥ 6, we apply,

deg(Stepr+1) ≤512 + deg(Stepr)

3 20 / 28

Appli ation to two SHA-3 andidates Lu�aHigher-order di�erentials for the Lu�a v1 hash fun tionDegree of Lu�a v1 hash fun tion, applied to 256-bit messages is atmost 251.Distinguisher for full Lu�a v1 with 2240 1-blo k messages.Improvement of the previous atta k applied to Lu�a v1 redu ed to7 steps out of 8. [Watanabe et al. 10℄

21 / 28

Appli ation to two SHA-3 andidates Lu�aAn observation on the Sbox of Lu�a v2y0 = 1 + x0 + x1 + x1x2 + x0x3 + x1x3 + x0x1x3 + x0x2x3

y1 = x0 + x3 + x0x1 + x1x2 + x0x3 + x1x3 + x0x1x3 + x0x2x3

y2 = 1 + x1 + x3 + x0x2 + x1x2 + x1x3 + x2x3 + x0x1x2 + x0x1x3

y3 = 1 + x1 + x2 + x0x3 + x0x2 + x1x2 + x1x3 + x2x3 + x0x1x2

+ x0x1x3

22 / 28





+ x0x1x3

d = y0+y1+y2+y3 = 1+x1+x2+x0x1+x0x3

22 / 28





+ x0x1x3

d = y0+y1+y2+y3 = 1+x1+x2+x0x1+x0x3The sum of the four oordinates is of degree 2! 22 / 28

Appli ation to two SHA-3 andidates Lu�aAlgebrai degree of the Qj permutationSum of 2 distin t monomials of degree 3 in 4 variables, xi, xj , xk, xℓ, whered = xi + xj + xk + xl:

xixjxk + xixjxℓ = xixjxk + xixj(xi + xj + xk + d)

23 / 28



= xixjxk + xixj + xixj + xixjxk + xixjd

23 / 28



= xixjd

23 / 28



= xixjd

xr0, xr1, x

r2, x

r3 output words of r rounds of Step.

dr = xr0 + xr1 + xr2 + xr3.23 / 28



= xixjd

xr0, xr1, x

r2, x


dr = xr0 + xr1 + xr2 + xr3.Then,deg xr+1

i ≤ 2maxj

deg xrj + deg dr 23 / 28



= xixjd

xr0, xr1, x

r2, x


dr = xr0 + xr1 + xr2 + xr3.Then,deg xr+1

i ≤ 2maxj

deg xrj + deg dr

deg dr+1 ≤ 2maxj

deg xrj 23 / 28

Appli ation to two SHA-3 andidates Lu�aUpper bounds on the algebrai degree of Qj in Lu�a v2r deg xr deg dr1 3 22 8 63 22 164 60 445 164 120

24 / 28

Appli ation to two SHA-3 andidates Lu�aUpper bounds on the algebrai degree of Qj in Lu�a v2r deg xr deg dr1 3 22 8 63 22 164 60 445 164 1206 225 2107 245 2408 252 250For r ≥ 6, we apply,

deg(Stepr+1) ≤512 + deg(Stepr)

3 24 / 28

Appli ation to two SHA-3 andidates Lu�aHigher-order di�erential distinguishers for Lu�a v2ResultsDegree of the ompression fun tion at most 252.All-zero higher-order di�erentials for the full ompression fun tion.Not extendable to the hash fun tion, be ause of the addition of ablank round for all the messages.

25 / 28

Con lusionsOutline1 Introdu tion2 New bound on the degree of iterated permutations3 Appli ation to two SHA-3 andidatesKe akLu�a4 Con lusions 26 / 28

Con lusionsAppli ation to Grøstl-256Permutation P

512-bit state, seen as an8× 8 matrix.10 rounds of AES-liketransformations.AES Sbox of degree 7.

27 / 28



Round deg(Rr)1 72 493 3434 4875 5086 51127 / 28



Round deg(Rr)1 72 493 3434 4875 5086 511Zero-sum partitions of size 2509.27 / 28

Con lusionsCon lusionsNew bound on the degree of iterated permutations.Zero-sum distinguishers for the full Ke ak-f permutation.(Contradi tion of the so- alled hermeti sponge strategy)All-zero higher-order di�erentials for the Lu�a hash family.Appli ation to AES-based andidates.28 / 28

Con lusionsCon lusionsNew bound on the degree of iterated permutations.Zero-sum distinguishers for the full Ke ak-f permutation.(Contradi tion of the so- alled hermeti sponge strategy)All-zero higher-order di�erentials for the Lu�a hash family.Appli ation to AES-based andidates.Thank you for your attention! 28 / 28

Christina Boura Anne Canteaut Christophe De Cannièrefse2011.mat.dtu.dk/slides/Higher-order...

Documents

Transcript of Christina Boura Anne Canteaut Christophe De Cannièrefse2011.mat.dtu.dk/slides/Higher-order...