A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro
Gregor Leander (1), Brice Minaud (2), Sondre Rønjom (3)
(1) Ruhr-Universität Bochum, Germany; (2) ANSSI and Université Rennes 1, France; (3) Nasjonal Sikkerhetsmyndighet, Norway
EUROCRYPT 2015
Plan
1. Introduction: invariant subspace attacks.
2. Finding invariant subspaces: a generic algorithm.
3. Results on Robin, iSCREAM and Zorro.
4. Commuting linear maps in Robin and Zorro.
5. Conclusion.
Invariant Subspace Attacks
Invariant subspace attacks were introduced at CRYPTO 2011, where they were used to break PRINTcipher in practical time [LAKZ11]. They take advantage of weak key schedules.
Invariant Subspace Attacks
Assume the round function $F$ sends some affine space $a + V$ to a coset $b + V$ of the same linear space $V$.
Invariant Subspace Attacks
Now assume the round key satisfies $K \in b - a + V$. Adding $K$ brings the state from $b + V$ back into $a + V$, so this process repeats itself round after round: plaintexts in $a + V$ are mapped to ciphertexts in $b + V$.
Invariant Subspace Attacks
Confidentiality is broken. Density of weak keys: $2^{-\operatorname{codim} V}$.
Finding invariant subspace attacks: a generic algorithm
A Generic Algorithm
Bootstrap: assume we know $s, t \in a + V$. Then $F(s), F(t) \in b + V$, so $F(s) - F(t) \in V$. Now we know one more vector of $V$.
A Generic Algorithm
"Closure" algorithm
Input: $s$ and $W$ such that $s + W \subseteq a + V$.
Output: $a + V$.
1. Pick $w \leftarrow_\$ W$ (uniformly at random).
2. Add $F(s + w) - F(s)$ to $W$.
3. Iterate steps 1 and 2 until $W$ remains stable for $N$ iterations.
4. Return $s + W$.
A Generic Algorithm
A few remarks:
• The algorithm only outputs the smallest invariant subspace containing the input.
• ... we still need to bootstrap.
Bootstrapping the Algorithm
(Figure: the same round diagram, now showing the round constants $C_i$, $C_{i+1}$ and the key $K$ being added between rounds.)
We cheated a little.
Bootstrapping the Algorithm
We really want $\forall i,\ C_i \in V$.
This gives us a "nucleon" $W = \operatorname{span}\{C_i\} \subseteq V$.
If $a \neq 0$, it remains to find an offset $s \in a + V$. We simply try many random offsets.
Complexity
Generic Invariant Subspace Algorithm
1. $W \leftarrow \operatorname{span}\{C_i\}$
2. Guess an offset $s$
3. Compute Closure($s + W$)
4. Repeat until $\dim(\text{Closure}) < n$
If $a + V$ is actually a linear space: instant result.
Otherwise, each random offset lands in $a + V$ with probability $2^{-\operatorname{codim} V}$, which sets the average number of tries.
Properties of the algorithm
• Generic: black-box use of round functions.
• Does not disprove the existence of "small" spaces.
• Public implementation: http://invariant-space.gforge.inria.fr
Results on Robin, iSCREAM and Zorro
Robin, iSCREAM and Zorro
Robin and Fantomas: lightweight ciphers created to illustrate LS-designs, FSE 2014 [GLSV14].
SCREAM and iSCREAM: authenticated variants of Fantomas and Robin, CAESAR competition entries.
Zorro: lightweight cipher with a partial nonlinear layer [GGNS13]. Broken by differential and linear attacks. Best attack: $2^{40}$ data/complexity [BDDLKT14].
Results on various ciphers
Cipher                           Running time   Result
Robin                            22h            Subspace found! codimension 32
iSCREAM                          22h            Subspace found! codimension 32
Zorro                            <1h            Subspace found! codimension 32
Fantomas, NOEKEON, LED, Keccak   -              With probability 99.9%: no invariant subspace of codimension < 32
➡ Weak key set of density $2^{-32}$, leading to an immediate break of confidentiality for Robin, iSCREAM and Zorro.
Commuting linear maps in Robin
Robin
Robin and Fantomas [GLSV14], FSE 2014. Lightweight block ciphers with efficient masking.
Block = 128 bits; security = 128 bits.
Robin = involutive version.
Simple and elegant design: "LS-design".
Robin: L layer
(Figure: state of 16 x 8 bits.) The same linear map L is applied to each row.
Robin: LS layers
L layer: the same linear map on each row.
S layer: the same S-box on each column.
Robin round function
One round =
• L layer
• S layer
• Constant addition
• Key addition
Encryption: 16 rounds.
Invariant permutations
(Figure: State A and State B = P(State A).) State B = permutation of the columns of State A.
Invariant permutations
Assume $PL = LP$. Then State B remains a permutation of State A through the L layer.
Invariant permutations
The S layer comes for free: the same S-box is applied to every column, so permuting the columns before or after the S layer gives the same result.
Invariant permutations
State B remains a permutation of State A through...
• L layer: OK if $LP = PL$.
• S layer: OK.
• Constant addition: OK if $P(C_i) = C_i$.
• Key addition: OK if $P(K_A) = K_B$.
➡ P commutes with the round function!
Invariant permutation attack
If $\forall i,\ C_i \in \ker(P + \mathrm{Id})$ and $LP = PL$, then for related keys $K_2 = P(K_1)$, related plaintexts $P_2 = P(P_1)$ remain related through encryption and yield related ciphertexts $C_2 = P(C_1)$.
Invariant permutation attack
If $\forall i,\ C_i \in \ker(P + \mathrm{Id})$ and $LP = PL$, then for a self-related key $K = P(K)$, self-related plaintexts $M = P(M)$ yield self-related ciphertexts $C = P(C)$.
This is an invariant subspace attack! The invariant subspace is $\ker(P + \mathrm{Id})$.
Attack on Robin and iSCREAM
Robin and iSCREAM: one suitable permutation $P$.
• Weak key attack. Density $2^{-\operatorname{codim} \ker(P + \mathrm{Id})} = 2^{-32}$.
• Related key attack.
• Attacks require 2 chosen plaintexts, practically no time or memory.
In addition, for weak keys:
• Fixed points of $P$ form a subcipher.
• Key recovery in time $2^{64}$.
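Added example, written for this page and not taken from the paper or its public implementation: a constructed 8-bit toy LS-design (two 4-bit columns, the same S-box on each column, a linear layer chosen so that it commutes with the column swap $P$, round constants fixed by $P$). The Closure and Generic Invariant Subspace algorithms from the earlier slides are run as black boxes over its round function, the weak-key coset is checked, and the invariant permutation property $\mathrm{Enc}_{P(K)}(P(M)) = P(\mathrm{Enc}_K(M))$ of the last slides is verified exhaustively. The S-box, the key/constant/round structure and every function name are this example's own assumptions.

```python
"""Constructed 8-bit toy LS-design: two 4-bit columns x, y packed as x << 4 | y.
Not the paper's code; all names and parameters are this example's own choices."""
import random

N_BITS = 8
# Any 4-bit S-box would do; PRESENT's is used only because it is well known.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
CONSTANTS = [0x11, 0x22, 0x44]   # both columns equal in every constant, so P(C_i) = C_i

def split(s): return s >> 4, s & 0xF
def join(x, y): return (x << 4) | y
def shift(v): return (v << 1) & 0xF          # N: nilpotent shift inside one column

def perm_p(s):
    """P: swap the two columns (toy analogue of the column permutation on Robin)."""
    x, y = split(s)
    return join(y, x)

def l_layer(s):
    """L = [[I, N], [N, I]]: the (A, B / B, A) block pattern is exactly LP = PL,
    and L is invertible because I + N is."""
    x, y = split(s)
    return join(x ^ shift(y), shift(x) ^ y)

def s_layer(s):
    """Same S-box on every column, so the S layer commutes with P for free."""
    x, y = split(s)
    return join(SBOX[x], SBOX[y])

def round_fn(s, i=0):
    """Key-less round function F_i: L layer, S layer, constant addition."""
    return s_layer(l_layer(s)) ^ CONSTANTS[i % len(CONSTANTS)]

def encrypt(key, m, rounds=6):
    """Toy cipher: key whitening, then `rounds` rounds each followed by key addition."""
    s = m ^ key
    for i in range(rounds):
        s = round_fn(s, i) ^ key
    return s

# GF(2) xor-basis helpers; basis vectors are kept with distinct leading bits.
def reduce_vec(basis, v):
    for b in sorted(basis, reverse=True):   # descending value = descending leading bit
        v = min(v, v ^ b)                   # xors exactly when v has b's leading bit set
    return v

def span_insert(basis, v):
    """Insert v if independent of the basis; return True iff the dimension grew."""
    v = reduce_vec(basis, v)
    if v:
        basis.append(v)
    return bool(v)

def span_elements(basis):
    elems = {0}
    for b in basis:
        elems |= {e ^ b for e in elems}
    return elems

def random_element(basis):
    v = 0
    for b in basis:
        v ^= b * random.getrandbits(1)
    return v

def closure(F, s, basis, stable_iters=200):
    """Closure algorithm from the slides: add F(s + w) - F(s) for random w in W
    until W has not changed for `stable_iters` draws.  Returns (s, basis of W)."""
    W, stable = list(basis), 0
    while stable < stable_iters:
        stable = 0 if span_insert(W, F(s ^ random_element(W)) ^ F(s)) else stable + 1
    return s, W

def find_invariant_subspace(F, constants, n=N_BITS, max_tries=2000):
    """Generic algorithm from the slides: nucleon W = span{C_i}, guess an offset s,
    close s + W, repeat until dim < n.  Offset 0 is tried first (a + V linear)."""
    nucleon = []
    for c in constants:
        span_insert(nucleon, c)
    for s in [0] + [random.getrandbits(n) for _ in range(max_tries)]:
        s, W = closure(F, s, nucleon)
        if len(W) < n:
            return s, W
    return None

def coset_is_invariant(s, W, key, rounds=6):
    """Weak-key check: with the key in V, every plaintext of s + V encrypts into
    s + V (here a = b = 0, so both cosets are V itself)."""
    return all(reduce_vec(W, encrypt(key, s ^ w, rounds) ^ s) == 0 for w in span_elements(W))

def commutes_with_p(key, m, rounds=6):
    """Invariant permutation property: Enc_{P(K)}(P(M)) == P(Enc_K(M))."""
    return encrypt(perm_p(key), perm_p(m), rounds) == perm_p(encrypt(key, m, rounds))

if __name__ == "__main__":
    s, W = find_invariant_subspace(round_fn, CONSTANTS)
    print(f"offset {s:#04x}, dim {len(W)}, weak-key density 2^-{N_BITS - len(W)}")
    print("weak key 0x55 keeps V invariant:", coset_is_invariant(s, W, 0x55))
    print("P commutes with encryption for all K, M:",
          all(commutes_with_p(k, m) for k in range(256) for m in range(256)))
```

The nucleon spanned by the three constants has dimension 3 inside the 4-dimensional space $\ker(P + \mathrm{Id})$ (both columns equal), so the closure has to discover one more vector itself; with random draws the stability counter is the only stopping rule, which is why `stable_iters` is set high. Offset 0 succeeds immediately because the invariant space here is linear, matching the "instant result" case on the Complexity slide; the weak-key density printed is $2^{-\operatorname{codim} V} = 2^{-4}$ for this toy.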
Robin vs Zorro
Zorro is a variant of AES with some key differences:
• No key schedule.
• S-boxes affect a single row.
Yet: there still exists a linear $M$ that commutes with the round function! (Figure: $M$ drawn as blocks labelled Swap, Id, Id.)
➡ All the same weaknesses as Robin. In particular, weak key set of density $2^{-32}$.
Attack comparison
Cipher           Type                        Data          Time         Reference
Robin, iSCREAM   Weak key, density 2^-32     2 CP          negligible   this paper
Zorro            Weak key, density 2^-32     2 CP          negligible   this paper
Zorro            Differential                2^41.5 CP     2^45         [BDDLKT14]
Zorro            Linear                      2^45 KP       2^45         [BDDLKT14]
(CP = chosen plaintexts, KP = known plaintexts.)
Conclusion
• A generic algorithm to find invariant subspaces. Automatically finds attacks on Robin, iSCREAM and Zorro.
• Practical break of Robin, iSCREAM and Zorro. Weak key set of density $2^{-32}$ in all cases. Based on a new self-similarity property. Uncovers more properties: commuting linear map, subcipher, faster key recovery...
Conclusion
Thank you for your attention! Questions?