A New Structural-Differential Property of 5-Round AES
Lorenzo Grassi, Christian Rechberger and Sondre Rønjom
May, 2017
www.iaik.tugraz.at

Introduction

AES is probably the most widely studied and used block cipher. So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. We propose a new structural property for up to 5 rounds of AES which is independent of the secret key.

1 / 30
Table of Contents

1 Secret-Key Distinguisher up to 5 Rounds of AES
2 A Formal Description
3 Sketch of the Proof
4 Open Problems
Part I
Secret-Key Distinguisher up to 5 Rounds of AES
AES

High-level description of AES:
block cipher based on a design principle known as substitution-permutation network;
block size of 128 bits = 16 bytes, organized in a 4 × 4 matrix;
key size of 128/192/256 bits;
10/12/14 rounds: R_i(x) = k_i ⊕ MC ∘ SR ∘ S-Box(x).
Secret-Key Distinguisher

Secret-Key Distinguisher: one of the weakest cryptographic attacks.

Setting: two oracles: one simulates the block cipher for which the cryptographic key has been chosen at random; the other simulates a truly random permutation.

Goal: distinguish the two oracles, i.e. decide which oracle is the cipher.

Secret-key distinguishers are usually the starting point for key-recovery attacks.
Secret-Key Distinguisher up to 4-round AES

Up to 4-round AES, secret-key distinguishers exploit one of the following properties:
truncated differential;
integral/zero-sum;
impossible differential.

They are all independent of the secret key.
Secret-Key Distinguisher on 4-round AES - Details

Secret-key distinguishers on 4-round AES:
Integral Property [DKR97];
Impossible Differential Property [BK00].

Consider a set of 2^32 plaintexts with one active diagonal:

A C C C
C A C C
C C A C
C C C A
Impossible Differential Distinguisher [BK00]
(slide consists of a figure)
Balance/Zero-Sum Property [DKR97]

A C C C              B B B B
C A C C   R^4(·)     B B B B   R(·)
C C A C   ───────→   B B B B   ──────→   ?
C C C A              B B B B

Given the same initial set of plaintexts, is there any property which is independent of the secret key after 5-round AES?
Related Work on 5 rounds of AES

A key-recovery attack can be used as a secret-key distinguisher: the knowledge of the entire key is (usually) necessary to distinguish the block cipher from the random permutation.

At CRYPTO 2016, Sun, Liu, Guo, Qu and Rijmen [SMG+16] proposed a zero-sum distinguisher for 5-round AES that:
depends on one byte (not all) of the secret key to distinguish 5-round AES from the random permutation;
is independent of the S-Box but not of the MixColumns matrix;
requires the full codebook.
Structural Property for 5 Rounds of AES

Assume 5-round AES without the final MixColumns operation.

Theorem. Consider a set of 2^32 chosen plaintexts with one active diagonal. Let n be the number of different pairs of ciphertexts which are equal in one (fixed) anti-diagonal. The number n is a multiple of 8 with probability 1, i.e. ∃ n′ ∈ ℕ s.t. n = 8 · n′, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5).

A similar result holds also in the decryption direction (i.e. using chosen ciphertexts instead of plaintexts).
Distinguisher on 5-round AES (1/2)

Goal: distinguish 5-round AES from a random permutation.

Consider 2^32 plaintexts with one active diagonal.
Count the number n of pairs of ciphertexts (after 5 rounds) which are equal in one (fixed) anti-diagonal.
If n mod 8 ≠ 0, then the permutation is a random one.
Distinguisher on 5-round AES (2/2)

To distinguish 5-round AES from a random permutation with probability of success higher than 99.5%:
data cost: 2^32 chosen plaintexts/ciphertexts;
computational cost: 2^35.6 table look-ups on a table of size 2^36 bytes.

Practically verified: https://github.com/Krypto-iaik/AES_5round_SKdistinguisher
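The counting step of the distinguisher on the two slides above, as an added example that is not the authors' code and not taken from the linked repository. It assumes the FIPS-197 byte layout (byte b of a 16-byte block sits at row b mod 4, column b div 4), so "anti-diagonal j" means the positions (r, (j − r) mod 4) for r = 0..3. Bucketing by the 32-bit anti-diagonal value is one way to realise the table look-ups the slide counts: a bucket of m ciphertexts contributes m·(m−1)/2 equal pairs. The eight ciphertexts are a constructed sample with known bucket sizes, standing in for the 2^32 real ones.

```python
# Added example (not the authors' code): pair counting for the 5-round distinguisher.
from collections import defaultdict
import os

# Assumed layout: byte b of a block is at row b % 4, column b // 4 (FIPS-197).
def antidiagonal_bytes(block: bytes, j: int) -> bytes:
    """The 4 bytes on anti-diagonal j, i.e. positions (r, (j - r) mod 4)."""
    return bytes(block[4 * ((j - r) % 4) + r] for r in range(4))

def count_equal_pairs(ciphertexts, j: int) -> int:
    """Number of unordered pairs of ciphertexts that are equal on anti-diagonal j.

    One table look-up per ciphertext replaces the quadratic pair scan: texts
    sharing the same 32-bit anti-diagonal value land in the same bucket, and a
    bucket of size m holds m*(m-1)/2 equal pairs.
    """
    buckets = defaultdict(int)
    for c in ciphertexts:
        buckets[antidiagonal_bytes(c, j)] += 1
    return sum(m * (m - 1) // 2 for m in buckets.values())

def verdict(n: int) -> str:
    """The slides' decision rule: n mod 8 != 0 never happens for 5-round AES,
    so it identifies the random permutation; n mod 8 == 0 fits both oracles."""
    return "random permutation" if n % 8 else "consistent with 5-round AES"

def sample_ciphertexts():
    """Constructed sample: 5 blocks agree on anti-diagonal 0, 3 other blocks
    agree on a different anti-diagonal-0 value, all remaining bytes random.
    Equal pairs on anti-diagonal 0: C(5,2) + C(3,2) = 10 + 3 = 13."""
    def with_antidiagonal0(value: bytes) -> bytes:
        blk = bytearray(os.urandom(16))
        for r in range(4):
            blk[4 * ((0 - r) % 4) + r] = value[r]
        return bytes(blk)
    return ([with_antidiagonal0(b"\x01\x02\x03\x04") for _ in range(5)]
            + [with_antidiagonal0(b"\xaa\xbb\xcc\xdd") for _ in range(3)])

if __name__ == "__main__":
    n = count_equal_pairs(sample_ciphertexts(), 0)
    print(n, "->", verdict(n))
```

The same function applied to the 2^32 ciphertexts of a real coset keeps one counter per distinct anti-diagonal value, which is the memory the slide quotes; the sample here only exercises the bucketing and the mod-8 rule.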
Part II
A Formal Description
Subspace Trails for AES [GRR16] (FSE 2017)

We define the following subspaces:
column space C_I;
diagonal space D_I;
inverse-diagonal space ID_I;
mixed space M_I.
The Diagonal Space

Definition. The diagonal spaces D_i for i ∈ {0, 1, 2, 3} are defined as
D_i = ⟨e_{0,i}, e_{1,(i+1)}, e_{2,(i+2)}, e_{3,(i+3)}⟩.

E.g. D_0 corresponds to the symbolic matrix

        x1  0   0   0
D_0 ≡   0   x2  0   0
        0   0   x3  0
        0   0   0   x4

for all x1, x2, x3, x4 ∈ F_{2^8}.
Meaning of "p1 ⊕ p2 ∈ D_i"

Texts p1 and p2 belong to D_i ⊕ a (i.e. a coset of D_i),
p1, p2 ∈ D_i ⊕ a ≡ {x ⊕ a | ∀ x ∈ D_i},
if and only if p1 ⊕ p2 ∈ D_i, that is, p1 and p2 are equal in all bytes except for the ones in the i-th diagonal.

E.g. p1, p2 ∈ D_0 ⊕ a iff p1 ⊕ p2 ∈ D_0 iff

            ?  0  0  0
p1 ⊕ p2 ≡   0  ?  0  0
            0  0  ?  0
            0  0  0  ?
The Inverse-Diagonal Space

Definition. The inverse-diagonal spaces ID_i for i ∈ {0, 1, 2, 3} are defined as
ID_i = ⟨e_{0,i}, e_{1,(i−1)}, e_{2,(i−2)}, e_{3,(i−3)}⟩.

E.g. ID_0 corresponds to the symbolic matrix

         x1  0   0   0
ID_0 ≡   0   0   0   x2
         0   0   x3  0
         0   x4  0   0

for all x1, x2, x3, x4 ∈ F_{2^8}.
The Mixed Space

Definition. The i-th mixed spaces M_i for i ∈ {0, 1, 2, 3} are defined as M_i = MC(ID_i).

E.g. M_0 corresponds to the symbolic matrix

        0x02·x1   x4        x3        0x03·x2
M_0 ≡   x1        x4        0x03·x3   0x02·x2
        x1        0x03·x4   0x02·x3   x2
        0x03·x1   0x02·x4   x3        x2

for all x1, x2, x3, x4 ∈ F_{2^8}.
Subspace Trail for AES

For I ⊆ {0, 1, 2, 3}, let D_I, ID_I and M_I be defined as:
D_I = ⊕_{i ∈ I} D_i,   ID_I = ⊕_{i ∈ I} ID_i,   M_I = ⊕_{i ∈ I} M_i.

Theorem. For each a ∈ D_I, there exists a (unique) b ∈ M_I s.t. R^2(D_I ⊕ a) = M_I ⊕ b.
Equivalently, for each x, y: Prob(R^2(x) ⊕ R^2(y) ∈ M_I | x ⊕ y ∈ D_I) = 1.
Structural Property for 5 Rounds of AES

Given D_I ⊕ a (i.e. a coset of D_I), consider all the 2^{32·|I|} plaintexts and the corresponding ciphertexts after 5 rounds, i.e. (p_i, c_i ≡ R^5(p_i)) for i = 0, ..., 2^{32·|I|} − 1, where p_i ∈ D_I ⊕ a.

Theorem. For a fixed J ⊆ {0, 1, 2, 3}, let n be the number of different pairs of ciphertexts (c_i, c_j) for i ≠ j such that c_i ⊕ c_j ∈ M_J:
n := |{ ((p_i, c_i), (p_j, c_j)) | ∀ p_i, p_j ∈ D_I ⊕ a, p_i < p_j and c_i ⊕ c_j ∈ M_J }|.
The number n is a multiple of 8, i.e. ∃ n′ ∈ ℕ s.t. n = 8 · n′, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5).
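The subspaces D_I, ID_I and M_I of Part II, together with a sampled check of the 2-round subspace trail D_I ⊕ a → M_I ⊕ b that the 5-round theorem builds on, as an added example that is not the authors' code and not the AES_5round_SKdistinguisher repository. It builds a single AES round R(x) = k ⊕ MC ∘ SR ∘ S-Box(x) from scratch, with the real S-Box and MixColumns matrix. Assumptions: a state is a flat list of 16 bytes indexed 4·row + col; the round keys are drawn at random, since the trail is key-independent; the diagonal/anti-diagonal column indices are taken mod 4. It goes slightly beyond the slides by also running a third round, where the trail no longer holds, so that the check is seen to fail when it should.

```python
# Added example (not the authors' code): AES round, subspaces D/ID/M and the
# 2-round subspace trail D_I -> M_I, checked on random keys and random cosets.
import random

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # reduce when bit 7 overflows
        b >>= 1
    return p

def make_sbox():
    """AES S-Box: GF(2^8) inverse followed by the affine map with constant 0x63."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return [inv[x] ^ rotl(inv[x], 1) ^ rotl(inv[x], 2) ^ rotl(inv[x], 3)
            ^ rotl(inv[x], 4) ^ 0x63 for x in range(256)]

SBOX = make_sbox()
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MC = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # Row r is rotated left by r positions; state index is 4*row + col.
    return [s[4 * r + (c + r) % 4] for r in range(4) for c in range(4)]

def mix_columns(s, m=MC):
    """Multiply every column of the state by the matrix m (MC or INV_MC)."""
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(m[r][k], s[4 * k + c])
            out[4 * r + c] = v
    return out

def aes_round(s, k):
    """R(x) = k ⊕ MC ∘ SR ∘ S-Box(x), the round function of the slides."""
    return xor(mix_columns(shift_rows(sub_bytes(s))), k)

# Byte positions spanned by D_I (diagonals) and ID_I (anti-diagonals); indices mod 4.
def d_positions(I):
    return {4 * r + (i + r) % 4 for i in I for r in range(4)}

def id_positions(I):
    return {4 * r + (i - r) % 4 for i in I for r in range(4)}

def in_span(v, positions):
    """v lies in the span of the unit vectors e_{r,c} at `positions` iff all other bytes are 0."""
    return all(v[p] == 0 for p in range(16) if p not in positions)

def in_D(v, I):
    return in_span(v, d_positions(I))

def in_ID(v, I):
    return in_span(v, id_positions(I))

def in_M(v, I):
    # M_I = MC(ID_I), so v ∈ M_I iff MC^{-1}(v) ∈ ID_I.
    return in_ID(mix_columns(v, INV_MC), I)

def random_state():
    return [random.randrange(256) for _ in range(16)]

def random_in_coset(a, positions):
    """A uniformly random element of (span of `positions`) ⊕ a."""
    v = list(a)
    for p in positions:
        v[p] = random.randrange(256)
    return v

def trail_holds(I, rounds=2, trials=200):
    """Sampled check of Prob(R^rounds(x) ⊕ R^rounds(y) ∈ M_I | x ⊕ y ∈ D_I) = 1
    with fresh random round keys per trial. True for rounds == 2 (the subspace
    trail); False for rounds == 3, where the difference spreads over the state."""
    pos = d_positions(I)
    for _ in range(trials):
        keys = [random_state() for _ in range(rounds)]
        a = random_state()
        x, y = random_in_coset(a, pos), random_in_coset(a, pos)
        for k in keys:
            x, y = aes_round(x, k), aes_round(y, k)
        if not in_M(xor(x, y), I):
            return False
    return True

if __name__ == "__main__":
    print("D_0 -> M_0 after 2 rounds:", trail_holds({0}, 2))
    print("D_{0,1} -> M_{0,1} after 2 rounds:", trail_holds({0, 1}, 2))
    print("D_0 -> M_0 after 3 rounds:", trail_holds({0}, 3))
```

Tracing one pair by hand matches the code: a difference on the main diagonal survives S-Box, is moved by ShiftRows into column 0, and is spread by MixColumns over that column; in the second round ShiftRows moves the column onto the anti-diagonal ID_0 and MixColumns maps it into M_0. The key addition cancels in every XOR of two texts, which is why random round keys are enough.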
Part III
Sketch of the Proof
Reduction to a Single Round (1/2)

Remember: R^2(D_I ⊕ a) = M_I ⊕ b and, for each x, y:
Prob(R^2(x) ⊕ R^2(y) ∈ M_I | x ⊕ y ∈ D_I) = 1.

Since

D_I ⊕ a  ──R^2(·), prob. 1──→  M_I ⊕ b  ──R(·)──→  D_J ⊕ a′  ──R^2(·), prob. 1──→  M_J ⊕ b′,

we can focus only on the middle round!