Algebraic Analysis of AES
Carlos Cid
Information Security Group, Royal Holloway, University of London
ECRYPT II AES Day, 18 Oct 2012
Algebraic Analysis of AES
AES is an algorithm with a simple and very elegant design.
- It has been designed to offer strong resistance against known attacks, in particular differential and linear cryptanalysis, while enabling efficient implementation on different platforms.
- Given its careful design criteria, it has always seemed unlikely that its security can be affected by conventional methods of cryptanalysis.
Algebraic Analysis of AES
The AES also has a highly algebraic structure.
- Fundamental component: the byte as an element of K = GF(2^8).
- SubBytes: inversion in K, followed by a linearised polynomial in K[x], followed by addition of a constant in K.
- ShiftRows + MixColumns: a linear operation on K^16.
- AddRoundKey: addition in K.
The selection of AES led to a growing interest in the study of algebraic properties of block ciphers, and applications in cryptanalysis.
Algebraic Techniques in Cryptanalysis
Algebra is the default tool in the analysis of asymmetric cryptosystems (RSA, ECC, lattice-based, MPKC, etc).
For symmetric cryptography (block and stream ciphers), the most commonly used techniques are statistical in nature:
- Block ciphers: in linear and differential cryptanalysis (and variants), the attacker attempts to construct statistical patterns through many interactions of the cipher.
- Stream ciphers: linear/differential, correlation attacks, distinguishing attacks, etc.
The selection of AES (and the proposal of algebraic attacks against stream ciphers) led to an increasing interest in the use of algebraic techniques in the analysis of symmetric cryptosystems in the past 10 years.
Algebraic Structure of AES
The algebraic properties of Rijndael were not really explored in detail during the AES selection process.
- The focus was mostly on the proposal of dedicated attacks, e.g. the Square and bottleneck attacks.
There were however some early observations, e.g.:
- Moving the F_2-affine S-box operation into an augmented linear layer (and key schedule). (Murphy and Robshaw)
- A description of AES encryption using a form of continued fractions (the fully expanded expression for the full 10-round AES encryption would have around 2^50 terms). (Ferguson et al.)
Big Encryption System - BES
Due to Murphy and Robshaw (2002), BES operates on 128-byte blocks with 128-byte keys, with a very simple algebraic structure:
- S-box layer: inversion in GF(2^8);
- Linear diffusion layer: GF(2^8)-linear transformation;
- Subkey layer: addition of the round subkey.
The AES can be embedded into the BES via the vector conjugate mapping
φ(a) = (a, a^2, a^4, ..., a^128)
BES restricted to a subspace provides an alternative description of AES.
Polynomial Representation
In principle, one can always attempt to represent a cipher as a system of polynomial equations (over F_2), and study its security based on the properties of this system.
- We can therefore consider polynomial system solving as a cryptanalytic technique.
- This has recently become an increasingly common technique to try to analyse symmetric-key encryption algorithms.
Polynomial System Solving in Symmetric-Key Cryptanalysis
In the context of (symmetric-key) cryptanalysis, solving systems of polynomial equations is typically associated with the technique called Algebraic Attacks.
- Algebraic Attacks: set up and solve a system of equations arising from a stream cipher or block cipher, to recover the encryption key (or other secret information, e.g. a stream cipher's secret state).
- More generally, Algebraic Cryptanalysis: study algebraic systems to obtain some non-trivial insight into the algorithm.
A form of analysis with several attractive features.
Algebraic Cryptanalysis
Two well-defined tasks/challenges for the cryptanalyst:
1. How to construct the system of equations.
2. How to solve the resulting system (or obtain some insight into the cipher).
Both areas have attracted much attention from researchers.
Block Ciphers
For m-bit blocks and n-bit keys, we can describe a block cipher as a map
E : F^m × F^n → F^m, (P, K) ↦ C
Block cipher encryption gives rise to a natural polynomial system:
- For a known pair (P, C), the encryption C = E(P, K) provides, at the bit level, m equations in n variables (the key bits).
- Furthermore, we can add more equations to our system by using other plaintext-ciphertext pairs.
- As the encryption operation is by design a complex function, we expect these polynomials to be very dense and of very high degree.
This form of attack is obviously impractical, and was never really considered a threat.
Block Cipher Structure
However, block ciphers are in practice designed with a very particular structure:
- Most block ciphers present an iterated structure.
- They are built in blocks, using low-cost simple operations, which are repeated for several rounds.
- This allows more efficient implementation and better study of the security of the cipher.
Algebraic Attack against Block Ciphers: second attempt
We can consider a different way to generate a system of equations for a block cipher.
- Rather than one very complex equation for each ciphertext bit, we obtain simpler polynomials (low degree and sparse) for the round/layer functions.
This approach gives rise to very large systems.
- We need to add new variables for the intermediate unknown values.
- Encrypting more data does not seem to help (more equations, but also more variables).
Algebraic Attack against AES
This approach was proposed in 2003 against the AES (Courtois and Pieprzyk), and attracted a lot of attention from the cryptographic community.
The system for the AES was presented, together with a dedicated method for solving the system.
- The AES S-box (the only provider of non-linearity) gives rise to several quadratic equations.
- Instead of y = x^254, use xy = 1, x^2 y = x and x y^2 = y.
- It was claimed that this was a particularly bad feature, and that the proposed methods could exploit this fact.
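The three slide points above (SubBytes as inversion plus a linearised polynomial, the BES conjugate mapping φ, and the quadratic S-box relations) can all be checked exhaustively in a few lines. The following is an added example written for this page, not code from the slides or from any of the cited papers. It assumes the Rijndael field polynomial x^8 + x^4 + x^3 + x + 1 and the affine constant 0x63 from FIPS-197, and the linearised-polynomial coefficients of the S-box affine layer as given in Daemen and Rijmen's polynomial description; everything else is derived by the code itself and verified against known S-box values. One practitioner's caveat it makes visible: the relation xy = 1 holds only for x ≠ 0, while x^2 y = x and x y^2 = y hold for all 256 inputs.

```python
# Added example (not from the slides): SubBytes from inversion in K = GF(2^8)
# plus the F2-affine map, the same affine map as a linearised polynomial over K,
# the BES conjugate embedding phi, and an exhaustive count of how often the
# Courtois-Pieprzyk quadratic relations xy = 1, x^2 y = x, x y^2 = y hold.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial (FIPS-197)
SBOX_CONST = 0x63  # constant term of the SubBytes affine map (FIPS-197)

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a: int) -> int:
    """The 'patched' inverse x -> x^254 used by AES: the inverse for x != 0, and 0 -> 0."""
    return gf_pow(a, 254)

def affine_bitwise(x: int) -> int:
    """F2-affine part of SubBytes at bit level:
    b'_i = b_i + b_{i+4} + b_{i+5} + b_{i+6} + b_{i+7} + c_i (indices mod 8, c = 0x63)."""
    y = 0
    for i in range(8):
        bit = (SBOX_CONST >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (x >> ((i + k) % 8)) & 1
        y |= bit << i
    return y

# Coefficients lambda_k of the linearised polynomial L(z) = sum_k lambda_k z^(2^k)
# that equals the linear part of the affine map (Daemen-Rijmen polynomial form of the S-box).
LAMBDA = (0x05, 0x09, 0xF9, 0x25, 0xF4, 0x01, 0xB5, 0x8F)

def phi(a: int) -> tuple:
    """BES vector conjugate mapping phi(a) = (a, a^2, a^4, ..., a^128)."""
    out = []
    for _ in range(8):
        out.append(a)
        a = gf_mul(a, a)   # Frobenius: next conjugate is the square
    return tuple(out)

def affine_linearised(z: int) -> int:
    """The affine map as a linearised polynomial: K-linear in the conjugates phi(z), plus 0x63.
    This is exactly why the S-box's affine layer becomes a GF(2^8)-linear map inside BES."""
    acc = SBOX_CONST
    for lam, conj in zip(LAMBDA, phi(z)):
        acc ^= gf_mul(lam, conj)
    return acc

def sbox(x: int) -> int:
    """SubBytes = affine(inverse(x)), using the bit-level affine map."""
    return affine_bitwise(gf_inv(x))

def sbox_linearised(x: int) -> int:
    """The same S-box using the polynomial form of the affine layer."""
    return affine_linearised(gf_inv(x))

def representations_agree() -> bool:
    """Bit-level affine map and linearised polynomial give the same S-box on all 256 inputs."""
    return all(sbox(x) == sbox_linearised(x) for x in range(256))

def bes_inverse_is_componentwise() -> bool:
    """phi(x^-1) equals the componentwise inverse of phi(x): the BES S-box layer is plain inversion."""
    return all(phi(gf_inv(a)) == tuple(gf_inv(c) for c in phi(a)) for a in range(256))

def count_quadratic_relations() -> dict:
    """For y = x^254, count the inputs x in GF(2^8) satisfying each quadratic relation."""
    counts = {"xy=1": 0, "x2y=x": 0, "xy2=y": 0}
    for x in range(256):
        y = gf_inv(x)
        if gf_mul(x, y) == 1:
            counts["xy=1"] += 1          # fails only at x = 0
        if gf_mul(gf_mul(x, x), y) == x:
            counts["x2y=x"] += 1         # x^256 = x holds for every x, including 0
        if gf_mul(x, gf_mul(y, y)) == y:
            counts["xy2=y"] += 1         # x^509 = x^254 = y holds for every x, including 0
    return counts

if __name__ == "__main__":
    print(hex(sbox(0x00)), hex(sbox(0x01)), hex(sbox(0x53)))   # FIPS-197 values 0x63 0x7c 0xed
    print(representations_agree(), bes_inverse_is_componentwise())
    print(count_quadratic_relations())
```

The count of 255 for xy = 1 is the reason the biaffine equations x^2 y = x and x y^2 = y are the ones that hold unconditionally; the system builder has to either exclude xy = 1 or accept that it is wrong with probability 1/256 per S-box.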
Algebraic Analysis of AES
Two tasks:
1. How to construct the system of equations.
   - Over GF(2): 8000 equations and 1600 variables.
   - Over GF(2^8): 8576 equations, 4288 variables (derived from BES).
2. How to solve the resulting system (or obtain some insight into the cipher).
   - XSL (eXtended Sparse Linearisation): based on linearisation, but attempting to exploit the sparsity and specific structure of the equation system.
   - Gröbner basis algorithms, SAT-solvers, etc.
XSL against AES
The claim was that with XSL one could:
- mount an (at least theoretical) successful attack against the AES with 256-bit keys (using the system over GF(2));
- mount an (at least theoretical) successful attack against the AES with 128-bit keys (using the system over GF(2^8)).
This initial work spurred frantic activity (and much speculation) in the area of algebraic cryptanalysis of block ciphers (and AES in particular).
AES news (Crypto-Gram Newsletter - Sep 15, 2002)
AES may have been broken. Serpent, too. Or maybe not. In either case, there’s no need to panic. Yet. But there might be soon. Maybe.
...
Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and then using an innovative technique to treat the terms of those polynomials as individual variables.
...
There are a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier. (This is a gross oversimplification of the paper; read it for more detail.)
...
These are amazing results.
...
There was some buzz about the paper in the academic community, but it quickly died down. I believe the problem was that the paper was dense and hard to understand. The attack technique, something called XSL, was brand new.
...
In any case, there’s no cause for alarm yet. These attacks can be no more implemented in the field than they can be tested in a lab. ... There’s so much security margin in these ciphers that the attacks are irrelevant. But there is call for worry. If the attack really works, it can only get better. My fear is that we could see optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things start to get dicey about ten years from now... The work is fascinating...
...
We’re starting to see the new attack tools that work against some of the AES finalists. It’s an open question as to how long the tools will remain theoretical. But many cryptographers who previously felt good about AES are having second thoughts.