Key-Recovery Attacks on ASASA
Brice Minaud1, Patrick Derbez2, Pierre-Alain Fouque3, Pierre Karpman4
1 Université Rennes 1, 2 Université du Luxembourg
3 Université Rennes 1 and Institut Universitaire de France, 4 Inria and Nanyang Technological University, Singapore
ASIACRYPT 2015
ASASA Structure

F = A◦S◦A◦S◦A, where A denotes an affine layer and S a nonlinear layer (e.g. S-boxes).

At Asiacrypt 2014, Biryukov, Bouillaguet and Khovratovich considered various applications of the ASASA structure.
ASASA

Three use cases were proposed in [BBK14]:
• 1 “black-box” scheme ≈ block cipher ✘ this paper & [DDKL15]
• 2 “strong white-box” schemes ≈ public-key encryption scheme
  - “Expanding S-box” scheme ✘ Crypto’15 [GPT15]
  - “𝝌-based” scheme ✘ this paper
• 1 “weak white-box” scheme ✘ this paper

same attack!
Plan

1. Public-key 𝝌-based ASASA scheme.
2. Cryptanalysis.
3. Secret-key ASASA scheme.
4. Cryptanalysis (same).
Public-key ASASA
Multivariate Cryptography

Hard problem: solving a system of random, say, quadratic, equations over some finite field.
→ How to get an encryption scheme:
Public key: encryption function $F : \mathbb{F}_q^n \to \mathbb{F}_q^n$, given as a sequence of $n$ quadratic polynomials in $n$ variables.
Private key: hidden structure (decomposition) of $F$ that makes it easy to invert.
+: small message space, fast with the private key.
−: slow public-key operations, large key, no security reduction.
ASA

$F = A \circ S \circ A : \mathbb{F}_q^n \to \mathbb{F}_q^n$ (affine layer, nonlinear layer, affine layer).
Many proposed schemes follow an ASA structure: Matsumoto-Imai, Hidden Field Equations, Oil and Vinegar…
Almost all have been broken.
ASASA

$F = A \circ S \circ A \circ S \circ A : \mathbb{F}_q^n \to \mathbb{F}_q^n$
History of ASASA

Idea already proposed by Goubin and Patarin: “2R” scheme (ICICS’97).
Broken by decomposition attacks:
• Introduced by Ding-Feng, Lam Kwok-Yan, and Dai Zong-Duo.
• Developed in a general setting by Faugère et al.
Structure ASASA + P [BBK14]

Input in $\mathbb{F}_2^n$; layers A, S (quadratic layer), A, S (quadratic layer), A; output in $\mathbb{F}_2^{n-p}$.
P (perturbation): $p$ random polynomials of degree 4, giving the remaining $\mathbb{F}_2^{p}$ of the output.
Note: this is slightly different from BBK14.
Instances of ASASA + P

Two instances were proposed in BBK14:
• “Expanding S-boxes”: decomposition attack by Gilbert, Plût and Treger, Crypto’15.
• 𝝌-based scheme: using the 𝝌 function of Keccak.
𝝌 function of Keccak

$b = \chi(a)$ for $a \in \mathbb{F}_2^n$, with $b_i = a_i \oplus \overline{a_{i+1}} \cdot a_{i+2}$ (indices taken mod $n$).
Introduced by Daemen in 1995, known for its use in Keccak.
Invertible for an odd number of bits.
𝝌-based instance

Input $\mathbb{F}_2^{127}$; layers A, 𝝌, A, 𝝌, A with random invertible affine layers A; output $\mathbb{F}_2^{103}$.
P: random degree-4 polynomials, output $\mathbb{F}_2^{24}$.
Attack!
Cubes

A cube is an affine subspace [DS08].
Property: let $f$ be a degree-$d$ polynomial over binary variables. If $C$ is a cube of dimension $d+1$, then (summing over $\mathbb{F}_2$):
$$\sum_{c \in C} f(c) = 0$$
Degree deficiency

$b = \chi(a)$, $a \in \mathbb{F}_2^n$, $b_i = a_i \oplus \overline{a_{i+1}} \cdot a_{i+2}$.
Let $c = b_i \cdot b_{i+1} = (a_i \oplus \overline{a_{i+1}} \cdot a_{i+2}) \cdot (a_{i+1} \oplus \overline{a_{i+2}} \cdot a_{i+3})$.
➞ $c$ has degree 3 (not the generic 4 for a product of two quadratics). It sums up to 0 over any cube of dimension 4.
ASASA Cryptanalysis

Through the layers A, 𝝌, A, 𝝌 (input a, output b; the final A is left out here):
▸ Let b = product of 2 non-adjacent bits at the output of 𝝌. Then b has degree 8.
▸ Let a = product of 2 adjacent bits at the output of 𝝌. Then a has degree 6.
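As an added illustration (not part of the slides or the authors' code), the following Python script implements Keccak's 𝝌 on $n$ bits and measures the degree deficiency directly from truth tables: it checks that 𝝌 is a bijection only for odd $n$, computes the algebraic degree of a single output bit and of products of adjacent and non-adjacent output bits via the Möbius transform, and confirms the cube property by summing over dimension-4 cubes. The width $n = 11$, the bit positions and the cube choices are the example's own; the degrees it reports are the ones the slides state for one 𝝌 layer (3 for adjacent bits, 4 otherwise).

```python
# Added example: Keccak's chi and the "degree deficiency" of adjacent output bits,
# measured on truth tables (n = 11 bits is this example's choice, not the slides').
from itertools import combinations


def chi(a, n):
    """Keccak's chi on an n-bit integer a (bit i of a is a_i):
    b_i = a_i XOR (NOT a_{i+1}) AND a_{i+2}, indices taken mod n."""
    bit = lambda i: (a >> (i % n)) & 1
    return sum((bit(i) ^ ((bit(i + 1) ^ 1) & bit(i + 2))) << i for i in range(n))


def is_bijection(f, n):
    """True iff f permutes the n-bit values (chi does so exactly when n is odd)."""
    return len({f(x) for x in range(1 << n)}) == 1 << n


def algebraic_degree(truth_table):
    """Algebraic degree of a Boolean function given by its truth table
    (length 2^n, index = input), via the Moebius transform to the ANF."""
    anf = list(truth_table)
    step = 1
    while step < len(anf):
        for x in range(len(anf)):
            if x & step:
                anf[x] ^= anf[x ^ step]
        step <<= 1
    return max((bin(x).count("1") for x, coef in enumerate(anf) if coef), default=-1)


def product_degree(f, n, i, j):
    """Degree of x -> f(x)_i * f(x)_j  (i == j gives the degree of a single output bit)."""
    return algebraic_degree([(f(x) >> i) & (f(x) >> j) & 1 for x in range(1 << n)])


def cube_sum(f, n, cube_vars, base=0):
    """XOR of f over the affine subspace ("cube") where the bits listed in
    cube_vars range over all values and the remaining bits are those of base."""
    acc = 0
    for m in range(1 << len(cube_vars)):
        x = base
        for k, v in enumerate(cube_vars):
            x = x | (1 << v) if m >> k & 1 else x & ~(1 << v)
        acc ^= f(x)
    return acc


def chi_degree_profile(n=11):
    """Degrees after one chi layer: a single bit is quadratic, a product of two
    adjacent bits stays at degree 3, a product of non-adjacent bits reaches 4."""
    f = lambda a: chi(a, n)
    return {
        "single bit b0": product_degree(f, n, 0, 0),
        "adjacent b0*b1": product_degree(f, n, 0, 1),
        "non-adjacent b0*b2": product_degree(f, n, 0, 2),
    }


def cube_check(n=11):
    """Every dimension-4 cube (base point 0) sums the adjacent product to 0,
    while the cube on a_1..a_4 picks out the degree-4 monomial a_1 a_2 a_3 a_4
    of the non-adjacent product and therefore sums to 1."""
    adjacent = lambda a: (chi(a, n) >> 0) & (chi(a, n) >> 1) & 1
    non_adjacent = lambda a: (chi(a, n) >> 0) & (chi(a, n) >> 2) & 1
    all_zero = all(cube_sum(adjacent, n, list(cv)) == 0 for cv in combinations(range(n), 4))
    return all_zero, cube_sum(non_adjacent, n, [1, 2, 3, 4])


if __name__ == "__main__":
    print({n: is_bijection(lambda a: chi(a, n), n) for n in (3, 4, 5, 7)})
    print(chi_degree_profile())
    print(cube_check())
```

The same `product_degree` check, applied to the composition 𝝌∘A∘𝝌 for a random invertible affine A, is how one would confirm the 6-versus-8 figures of the slide above; the Möbius transform is exact, so it also catches a nonlinear layer whose products of output bits drop even further below the generic degree.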
ASASA Cryptanalysis

Here $F$ denotes the full function (A, 𝝌, A, 𝝌, A) and $G$ the part before the last affine layer (𝝌, A, 𝝌, A).
Let $\lambda_F$ be an output mask, i.e. we look at $\langle F | \lambda_F \rangle = x \mapsto \langle F(x) | \lambda_F \rangle$.
Then there exists a mask $\lambda_G$ s.t. $\langle F | \lambda_F \rangle = \langle G | \lambda_G \rangle$.
ASASA Cryptanalysis

Let $\lambda_F$, $\lambda'_F$ be two output masks, and $\lambda_G$, $\lambda'_G$ the associated masks.
▸ If $\lambda_G$ and $\lambda'_G$ activate single adjacent bits, $\langle F | \lambda_F \rangle \cdot \langle F | \lambda'_F \rangle$ has degree 6.
▸ Otherwise $\langle F | \lambda_F \rangle \cdot \langle F | \lambda'_F \rangle$ has degree 8.
ASASA Cryptanalysis

Goal: find $\lambda_F$, $\lambda'_F$ such that $\deg(\langle F | \lambda_F \rangle \cdot \langle F | \lambda'_F \rangle) = 6$.
Let $C$ be a dimension-7 cube. Then:
$$\sum_{c \in C} \langle F(c) | \lambda_F \rangle \cdot \langle F(c) | \lambda'_F \rangle = 0$$
➞ we get an equation on $\lambda_F$, $\lambda'_F$.
ASASA Cryptanalysis

View $\lambda_F$, $\lambda'_F$ as two vectors of $n$ binary unknowns: $(\lambda_0, \ldots, \lambda_{n-1})$ and $(\lambda'_0, \ldots, \lambda'_{n-1})$. Then:
$$\sum_{c \in C} \langle F(c) | \lambda \rangle \langle F(c) | \lambda' \rangle
= \sum_{c \in C} \Big(\sum_{i<n} \lambda_i F_i(c)\Big) \Big(\sum_{j<n} \lambda'_j F_j(c)\Big)
= \sum_{i,j<n} \Big(\sum_{c \in C} F_i(c) F_j(c)\Big) \lambda_i \lambda'_j = 0$$
⇒ We get a quadratic equation on the $\lambda_i$, $\lambda'_i$'s.
ASASA Cryptanalysis

Each cube yields 1 quadratic equation on the $\lambda_i$, $\lambda'_i$'s.
Using relinearization (one unknown per product $\lambda_i \lambda'_j$), there are $127^2 \approx 2^{14}$ terms ➞ we need $2^{14}$ cubes of dimension 7.
Solving the system yields solution masks. The last A layer is peeled off. The rest (ASAS) can be broken in negligible time.
Conclusion: the scheme is broken using $2^{21}$ CP, and time complexity $\approx 2^{39}$ (for inverting a binary matrix of size $2^{13}$).
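The derivation above, run on a toy instance as an added example (this is not code from the paper or from [BBK14]): the script builds an 11-bit 𝝌-based ASASA with random invertible affine layers and no perturbation (the slides' instance is 127 bits with 24 perturbation polynomials; the width, seed and cube choices here are the example's own), computes for each dimension-7 cube $C$ the matrix $M_C[i][j] = \sum_{c \in C} F_i(c) F_j(c)$ that carries the coefficients of the relinearized equation, and checks two things: that $\lambda_F^{T} M_C \lambda'_F$ equals the direct cube sum of $\langle F|\lambda_F\rangle \cdot \langle F|\lambda'_F\rangle$ for arbitrary masks, and that the masks corresponding to two adjacent single bits before the last affine layer satisfy every such equation, as the degree-6 bound predicts. It only sets up the equations; solving the relinearized system is not done here.

```python
# Added example: the relinearized cube equation on a toy 11-bit chi-ASASA
# (toy width, seed and cubes are this example's choices, not the slides').
import random

N = 11        # odd, so chi is invertible; the slides' instance uses 127 bits
CUBE_DIM = 7  # a product of two adjacent masks through two chi layers has degree <= 6


def chi(a, n=N):
    """Keccak's chi: b_i = a_i XOR (NOT a_{i+1}) AND a_{i+2}, indices mod n."""
    bit = lambda i: (a >> (i % n)) & 1
    return sum((bit(i) ^ ((bit(i + 1) ^ 1) & bit(i + 2))) << i for i in range(n))


def parity(x):
    return bin(x).count("1") & 1


def affine(rows, const, x):
    """Affine layer over GF(2): output bit i is <rows[i] | x> XOR bit i of const."""
    return sum(parity(r & x) << i for i, r in enumerate(rows)) ^ const


def random_affine_layer(rng, n=N):
    """Random affine layer; invertibility of the linear part is checked exhaustively."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        if len({affine(rows, 0, x) for x in range(1 << n)}) == 1 << n:
            return rows, rng.getrandbits(n)


def toy_asasa(seed=2015):
    """F = A3 o chi o A2 o chi o A1 on N bits (no perturbation); returns F and A3."""
    rng = random.Random(seed)
    A1, A2, A3 = (random_affine_layer(rng) for _ in range(3))

    def F(x):
        y = chi(affine(*A1, x))
        y = chi(affine(*A2, y))
        return affine(*A3, y)

    return F, A3


def cube_points(cube_vars, base=0):
    """All points of the cube: bits in cube_vars free, the others fixed to base."""
    for m in range(1 << len(cube_vars)):
        x = base
        for k, v in enumerate(cube_vars):
            x = x | (1 << v) if m >> k & 1 else x & ~(1 << v)
        yield x


def cube_matrix(F, cube_vars, base=0, n=N):
    """M[i][j] = XOR over the cube of F_i(c) F_j(c): coefficient of lambda_i lambda'_j."""
    M = [[0] * n for _ in range(n)]
    for c in cube_points(cube_vars, base):
        y = F(c)
        for i in range(n):
            if y >> i & 1:
                for j in range(n):
                    M[i][j] ^= (y >> j) & 1
    return M


def bilinear(M, lam, lam2, n=N):
    """lambda^T M lambda' over GF(2): the cube sum of <F|lambda> * <F|lambda'>."""
    return sum(M[i][j] for i in range(n) for j in range(n)
               if lam >> i & 1 and lam2 >> j & 1) & 1


def mask_through_last_layer(A3, lam_G, n=N):
    """The lambda_F with <A3(y) | lambda_F> = <y | lambda_G> (+ a constant) for all y,
    i.e. the subset of rows of A3 whose XOR is lambda_G (unique since A3 is invertible)."""
    rows, _ = A3
    for lam_F in range(1 << n):
        acc = 0
        for i in range(n):
            if lam_F >> i & 1:
                acc ^= rows[i]
        if acc == lam_G:
            return lam_F


def check_equations(seed=2015, n_cubes=20):
    """Returns (number of cubes whose equation the adjacent-bit masks satisfy,
    whether the matrix form agrees with the direct cube sum for random masks)."""
    F, A3 = toy_asasa(seed)
    rng = random.Random(seed + 1)
    lam = mask_through_last_layer(A3, 1 << 3)   # lambda_G  = e_3
    lam2 = mask_through_last_layer(A3, 1 << 4)  # lambda'_G = e_4, adjacent to e_3
    satisfied, consistent = 0, True
    for _ in range(n_cubes):
        cube_vars = rng.sample(range(N), CUBE_DIM)
        base = rng.getrandbits(N)
        M = cube_matrix(F, cube_vars, base)
        satisfied += bilinear(M, lam, lam2) == 0
        r1, r2 = rng.getrandbits(N), rng.getrandbits(N)
        direct = 0
        for c in cube_points(cube_vars, base):
            direct ^= parity(F(c) & r1) & parity(F(c) & r2)
        consistent &= direct == bilinear(M, r1, r2)
    return satisfied, consistent
```

Each `cube_matrix` call costs one cube of chosen plaintexts (here $2^7$), and the slides' $2^{14}$-cube count is exactly the number of such matrices needed to make the relinearized system (one unknown per $\lambda_i\lambda'_j$) determined for $n = 127$; for a pair of masks that is not adjacent-single-bit the cube sum is generically nonzero, which is what separates solutions from non-solutions once enough cubes are collected.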
“Black-box” ASASA
SASAS structure

S, A, S, A, S on $\mathbb{F}_2^n \to \mathbb{F}_2^n$: random independent S-boxes over $k$ bits each; random affine layer over $n$ bits.
Analyzed by Biryukov and Shamir at Eurocrypt 2001.
→ Goal: recover all internal components (affine layers A and S-boxes) with only “black-box” access (KP/CP/CC).
Black-box ASASA [BBK14]

A, S, A, S, A on $\mathbb{F}_2^{128} \to \mathbb{F}_2^{128}$: each S layer is 16 random independent S-boxes over 8 bits; each A is a random affine layer over 128 bits.
Goal: recover all internal components.
Note: degree ≤ 49 ⇒ distinguisher with $2^{50}$ CP.
ASASA cryptanalysis

Through the layers A, S, A, S (products taken at the output of the second S layer); degree of an S-box = 7.
▸ Let a = product of 2 output bits of a single common S-box. Then a has degree 7×7 = 49.
▸ Let b = product of 2 output bits of two distinct S-boxes. Then b has max degree (127).
ASASA cryptanalysis

Goal: find $\lambda_F$, $\lambda'_F$ (with associated masks $\lambda_G$, $\lambda'_G$ before the last A layer) such that $\deg(\langle F | \lambda_F \rangle \cdot \langle F | \lambda'_F \rangle) = 49$.
Let $C$ be a dimension-50 cube. Then:
$$\sum_{c \in C} \langle F(c) | \lambda_F \rangle \cdot \langle F(c) | \lambda'_F \rangle = 0$$
➞ we get an equation on $\lambda_F$, $\lambda'_F$.
Conclusion: all internal components are recovered in time and data complexity $2^{63}$. In general: $n^2 \, 2^{(m-1)^2}$ ($n$ = block size, $m$ = S-box size in bits). For comparison: the distinguisher is in $2^{50}$. In general $2^{(m-1)^2+1}$.
Cryptanalysis of SASASASAS

Recent work by Biryukov and Khovratovich: the same attack extends to ASASASA and even SASASASAS (ePrint, June 2015).
Indeed the main obstacle is that the overall function must not have full degree (➞ use results by Boura, Canteaut and De Cannière on the degree of composite Boolean functions).
Conclusion

• A new attack on ASASA-type structures.
• Not presented: LPN-based attack on the 𝝌-based scheme, heuristic attack on the white-box scheme.
• Regarding multivariate ASASA proposals, [GPT15] and our result are somewhat complementary.
• Open problems:
  - Other applications of this type of attack.
  - Secure white-box scheme.
Thank you for your attention!
Questions?