New Frontiers in Symmetric Cryptanalysis · 2 Algebraic Attacks: A New Frontier in Symmetric...
New Frontiers in Symmetric Cryptanalysis
Algebraic Attacks: A New Frontier in Symmetric Cryptanalysis
N. Courtois, Rump session at Eurocrypt 2007
Motivation
Linear and differential cryptanalysis usually require huge quantities of known/chosen plaintexts.
Q: What kind of cryptanalysis is possible when the attacker has only one known plaintext (or very few)?
Claim: This question did not receive sufficient attention. Excessive focus on LC and DC.
Algebraic Attacks vs. DC/LC/etc.
• Algebraic attack: 2 KP + 2^70 operations => the only one feasible in real life!
• LC in 2^43 operations – infeasible.
– Hard to get 2^43 KP!
Algebraic Attacks vs. DC/LC/etc.
CLAIM: The two worlds CANNOT be compared.
• They are going in very different directions: what these two CAN ACHIEVE in practice are two very rich sets of cryptanalytic results that are rather disjoint.
So we are really discovering a new frontier for the whole of symmetric cryptanalysis.
Algebraic Cryptanalysis [Shannon]
Breaking a « good » cipher should require:
“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type”
[Shannon, 1949]
Algebraic Attacks on Block Ciphers
Fast Algebraic Attacks on Block Ciphers
cumulative effect
!!!
One Example
The biggest discoveries in Science are the simplest.
ElimLin
Complete description:
• Find linear equations in the linear span.
• Substitute, and repeat.
Amazingly powerful, huge systems collapse with no effort.
E.g. breaks 5 rounds of DES given 3 KP. See eprint.iacr.org/2006/402/
ElimLin – Something Wrong ?
Q1. Why do we have linear equations in the first place?
• Stupid in mathematics …
• IMPOSSIBLE TO AVOID in cryptanalysis.
ElimLin – Still A Bit Weird Feeling
Q2. Why don’t we eliminate them?
• First answer: if we do, we lose sparsity and the capacity to compute anything at all.
• Second answer: we do, but then NEW LINEAR EQUATIONS appear. “Avalanche effect”.
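ElimLin as these slides describe it (find linear equations in the linear span, substitute, repeat), as an added example that is not Courtois's code: a minimal Python version over GF(2), run on a constructed four-variable system in which no equation starts out linear and each substitution exposes a new linear equation. The helper names and the toy system are assumptions made for the illustration.

```python
from itertools import product
ONE = frozenset()                # the constant monomial 1
mono = lambda *v: frozenset(v)   # monomial x_i*x_j*... as a set of indices

def mul(p, q):
    """Product of GF(2) polynomials (sets of monomials), using x*x = x."""
    out = set()
    for a, b in product(p, q):
        out ^= {a | b}
    return out

def substitute(p, var, expr):
    """Replace variable `var` by polynomial `expr` inside polynomial p."""
    out = set()
    for m in p:
        term = {m - {var}}
        out ^= mul(term, expr) if var in m else term
    return out

def linear_in_span(polys):
    """Row-reduce, top-degree monomials first; a row led by a degree<=1 monomial is linear."""
    rows, found = [set(p) for p in polys if p], []
    while rows:
        r = rows.pop()
        lead = max(r, key=lambda m: (len(m), sorted(m)))
        if len(lead) <= 1:
            found.append((lead, r))
        rows = [x for x in (y ^ r if lead in y else y for y in rows) if x]
    return found

def elimlin(polys):
    """Find a linear equation, substitute, repeat. Returns (subs, leftover)."""
    subs = {}
    while True:
        linear = linear_in_span(polys)
        if not linear:
            return subs, [p for p in polys if p]
        lead, r = linear[0]
        if lead == ONE:
            raise ValueError("inconsistent system: 1 = 0")
        (var,) = lead
        expr = r - {lead}        # var equals the sum of the remaining terms
        polys = [substitute(p, var, expr) for p in polys]
        subs = {**{v: substitute(e, var, expr) for v, e in subs.items()}, var: expr}

# Constructed toy system (an assumption, not from the talk); every equation is quadratic.
SYSTEM = [{mono(0, 1), mono(2), mono(3)},   # x0*x1 + x2 + x3 = 0
          {mono(0, 1), mono(2), ONE},       # x0*x1 + x2 + 1  = 0
          {mono(2, 3), mono(0)},            # x2*x3 + x0      = 0
          {mono(0, 2), mono(1), ONE}]       # x0*x2 + x1 + 1  = 0
```

Calling `elimlin(SYSTEM)` eliminates x3, x2, x1, x0 in that order: only x3 + 1 is in the initial linear span, and every substitution turns one more quadratic equation into a linear one until the whole system collapses.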
**CTC = “Courtois Toy Cipher” [eprint]
**CTC2
• Virtually no difference
CTC2 Cipher
Equations generating program now available
www.cryptosystem.net/aes/toyciphers.html
Attacks on CTC2
• key size > block size: I can break up to 6 rounds.
• Current frontier: nobody can break CTC2(255,255,7). Can anybody? Please try!
• If key size > block size => more rounds.
• CTC2(96,256,10) can be broken.
Gröbner Bases Soon to be Forgotten ?
NOT AT ALL, but attention must be shifted from high degree [all work on F5] to handling MUCH BIGGER systems but at a VERY LOW DEGREE (in a sense less than 2).
Gröbner Bases Soon to be Forgotten ?
Powerful competitor: SAT Solvers + conversion.
Before we did try, we actually never believed it could work…
3.4. ANF-to-CNF - The Outsider
Convert MQ to a SAT problem.
(both are NP-hard problems)
Fact:
Sparse random MQ can be broken in practice, some in seconds.
Works for any system of equations – if sparse enough and/or over-defined enough …
This has never been shown before.
Algebraic Attacks on DES
At a first glance, seems pointless:
there is no strong algebraic structure of any kind in DES
DES – One Problem
Develop a “good” representation of DES.
Our equations can be downloaded from www.cryptosystem.net/aes/toyciphers.html
Please try to solve them by your favourite method!
Results on DES
Nicolas T. Courtois and Gregory V. Bard: “Algebraic Cryptanalysis of the D.E.S.”.
eprint.iacr.org/2006/402/
What Can Be Done ?
Attack 1: Cubic Representation + ElimLin: We recover the key of 5-round DES with 3 KP faster than brute force.
• When 23 variables fixed, takes 173 s.
• Magma crashes > 2 Gb of RAM.
Attack 2: Optimised Gate-level representation + our ANF-to-CNF conversion + MiniSat 2.0: Key recovery for 6-round DES. Only 1 KP (!).
• Fix 20 variables takes 68 s.
• Magma crashes with > 2 Gb.
DES – New Frontier:
Break 8 rounds given 1 KP and in less than 2^55.
We encourage researchers to try.
We cannot do it so far.
What Are the Limitations of Algebraic Attacks ?
• When the number of rounds grows: complexity jumps from 0 to ∞.
• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.
=> jumps from ∞ to nearly 0 !
Finally
What About AES?
Laws of Prediction [Arthur C. Clarke]:
When a distinguished elder scientist tells you something is not possible => he is wrong…
Limitations
Some limitations of algebraic cryptanalysis are very hard, we “hit the wall” (e.g. when the number of rounds increases).
Some are spectacularly naïve (e.g. maximum degree in Gröbner basis computation) and are easily circumvented.
Exploring the New Frontier
We need yet to discover what is hard and what is not.
=> I propose a new tool to help researchers making honest and responsible statements:
=> Bets on the future attacks.
New Tool - Bets
For the first time in history, it is possible to bet on cryptographic algorithms with real money. This has never been possible before.
See www.cryptobet.com.
Purpose: have fun and show the advancement of cryptographic research. It is a game.
Current Bets:
I encourage people to propose new bets related to their own research.