Block cipher invariants as eigenvectors of correlation matrices. Tim Beyne, COSIC / ESAT, KU Leuven. December 3, 2018.
Joan Daemen
Invariant subspaces and nonlinear invariants. Invariant subspaces [Leander et al., 2011]: $E_K$ maps $x \in \mathbb{F}_2^n$ to $y \in \mathbb{F}_2^n$; when $K$ is a weak key, the affine subspace $a + V$ is mapped to itself, $E_K(a + V) = a + V$.
Nonlinear invariants [Todo et al., 2016]: a set $S \subseteq \mathbb{F}_2^n$ such that $E_{K_1}(S) = S$, or such that $E_{K_2}(S)$ is the complement of $S$.
Three problems:
1. Improve understanding (theory).
2. Invariants which are not invariant under the round function.
3. Attacks based on invariants that work for all round constants, cf. [Beierle et al., 2017].
Representing the state. A state $x \in \mathbb{F}_2^2$ is represented by a vector $p(x)$ indexed by the $2^2 = 4$ values of $x$. For example, the set $\{(0,1)^\top, (1,0)^\top\}$ corresponds to $p(x) = (0, 1/2, 1/2, 0)^\top$, or equivalently (after subtracting the uniform part $1/4$ from every entry) to $(-1/4, 1/4, 1/4, -1/4)^\top$.
Operations on the state. Key addition $y = x + c$ with $c = (1,0)^\top$ acts on $p(x)$ by a permutation matrix:
$$q(y) = \begin{pmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{pmatrix} \begin{pmatrix} 0 \\ 1/2 \\ 1/2 \\ 0 \end{pmatrix} = \begin{pmatrix} 1/2 \\ 0 \\ 0 \\ 1/2 \end{pmatrix}.$$
After the transform $\mathcal{F}$ ($p \mapsto \hat p$, $q \mapsto \hat q$), the same operation acts on $\hat p(u)$ by a diagonal matrix:
$$\hat q(v) = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & -1 & 0 \\ 0 & 0 & 0 & -1 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \\ 0 \\ -1 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \\ 1 \end{pmatrix}.$$
Correlation matrix. For $y = F(x)$, let $T^F$ be the transition matrix with $q(y) = T^F p(x)$. The correlation matrix of $F$ is $C^F = \mathcal{F}\, T^F \mathcal{F}^{-1}$, so that $\hat q(v) = C^F \hat p(u)$. For a composition $y = F(G(x))$ the correlation matrices multiply: $C^{F \circ G} = C^F C^G$.
Eigenvectors of correlation matrices. An invariant of $E_K$ is a $\hat p(u)$ with $C^{E_K} \hat p(u) = \lambda\, \hat p(u)$. The invariants of a block cipher $E_K$ are the eigenvectors of $C^{E_K}$.
Rank-one states in Midori-64. The Midori-64 state is a $4 \times 4$ array of 4-bit cells $x_1, \ldots, x_{16}$, stored column by column ($x_1, x_2, x_3, x_4$ form the first column, $x_{13}, \ldots, x_{16}$ the last). The state vector lives in $\mathbb{R}^{2^{64}} \cong (\mathbb{R}^{2^4})^{\otimes 16}$. Independence: $p(x_1, x_2, \ldots, x_{16}) = \prod_{i=1}^{16} p_i(x_i)$; equivalently $p = \bigotimes_{i=1}^{16} p_i$ and $\hat p = \bigotimes_{i=1}^{16} \hat p_i$.
Overview of Midori-64 (figure): whitening with $K_0 + K_1$; rounds $R_1, R_2, \ldots, R_{15}$, each consisting of the S-box layer S, the cell permutation P, the MixColumn M and the addition of a round key ($K_0$ and $K_1$ alternating) plus a round constant $\gamma_i$; a final S layer; and a final whitening with $K_0 + K_1$.
Key addition. The correlation matrix for addition of $K = (k_1, k_2, \ldots, k_n) \in \mathbb{F}_2^n$ is diagonal:
$$\begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & (-1)^{k_1} & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & (-1)^{\sum_{i=1}^{n} k_i} \end{pmatrix},$$
i.e. the entry indexed by $u$ is $(-1)^{u \cdot K}$.
Boxed mappings (layers acting cell by cell). The S-box layer $\mathbf{S}$ has $C^{\mathbf{S}} = (C^S)^{\otimes 16}$, so on a rank-one state it acts cell-wise: $\hat q_1 = C^S \hat p_1$, and so on for $\hat p_i$, $i = 1, \ldots, 16$. The MixColumn layer $\mathbf{M}$ has $C^{\mathbf{M}} = (C^M)^{\otimes 4}$, acting on one column of four cells at a time, e.g. $\bigotimes_{i=13}^{16} \hat q_i = C^M \bigotimes_{i=13}^{16} \hat p_i$.
Three problems:
1. Improve understanding (theory): eigenvectors of correlation matrices.
2. Invariants which are not invariant under the round function.
3. Attacks based on invariants that work for all round constants.
Invariants in the intersection of eigenspaces.
- We want to solve $C^{E_K} v = \lambda v$.
- To simplify things, let's assume $v = w^{\otimes 16}$.
- Require invariance under S, M and key addition: $(C^S)^{\otimes 16} w^{\otimes 16} = \lambda_1 w^{\otimes 16}$, $(C^M)^{\otimes 4} w^{\otimes 16} = \lambda_2 w^{\otimes 16}$, $C^{K_i + \gamma_i} w^{\otimes 16} = \lambda_3 w^{\otimes 16}$.
- This recovers the invariants from [Guo et al., 2016, Todo et al., 2016].
Somewhat more general invariants. Most important solution (a perfect linear approximation): the state alternates $u^{\otimes 16} \mapsto v^{\otimes 16} \mapsto u^{\otimes 16} \mapsto \cdots$ through successive rounds $M \circ P \circ S$, with the key additions $K_1 \oplus \gamma_{i-1}$, $K_0 \oplus \gamma_i$, $K_1 \oplus \gamma_{i+1}$ in between. Conditions: $C^S u = v$, $C^M u^{\otimes 4} = u^{\otimes 4}$, $C^M v^{\otimes 4} = v^{\otimes 4}$, with
$u = (0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0)^\top$ and
$v = (0,0,0,0,0,0,0,0,0,0,-1,-1,0,0,1,-1)^\top / 2$.
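The following is an added example, not code from the talk or from Tim Beyne. It implements the definitions from the "Operations on the state", "Correlation matrix", "Key addition" and "Boxed mappings" slides for small maps (transition matrix, Walsh-Hadamard transform, $C^F = \mathcal{F} T^F \mathcal{F}^{-1}$) and numerically checks the 2-bit key-addition example, the composition rule $C^{F \circ G} = C^F C^G$, the tensor structure $C^{\mathbf{S}} = (C^S)^{\otimes 2}$ for two parallel cells, and the perfect linear approximation $C^S u = v$ from this slide. The Midori-64 S-box table Sb0 is an assumption (taken from the published specification; the slides do not list it), and all function names are the example's own.

```python
import numpy as np

# Added example, not code from the talk or its author.  Masks and cell values
# are integers; u.x is the parity of u & x; a vector indexed by x in F_2^n is
# a numpy array of length 2^n.
# Assumption: the Midori-64 S-box Sb0 below is the published one.
SB0 = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
       0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

# u and v from the "somewhat more general invariants" slide (0-based indices)
U = np.zeros(16); U[5] = 1.0
V = np.zeros(16); V[10] = V[11] = -0.5; V[14] = 0.5; V[15] = -0.5


def parity(x):
    return bin(x).count("1") & 1


def walsh_hadamard(n):
    """F[u][x] = (-1)^(u.x); F is symmetric and F^{-1} = F / 2^n."""
    N = 1 << n
    return np.array([[(-1.0) ** parity(u & x) for x in range(N)]
                     for u in range(N)])


def transition_matrix(f, n):
    """T^F[y][x] = 1 iff y = f(x), so q = T^F p maps p(x) to q(y)."""
    N = 1 << n
    T = np.zeros((N, N))
    for x in range(N):
        T[f(x), x] = 1.0
    return T


def correlation_matrix(f, n):
    """C^F = F T^F F^{-1}; entry [v][u] is the correlation of u.x and v.f(x)."""
    F = walsh_hadamard(n)
    return F @ transition_matrix(f, n) @ (F / (1 << n))


def key_addition_example():
    """The 2-bit slide example: y = x + c with c = (1,0)^T, i.e. integer 2."""
    p = np.array([0.0, 0.5, 0.5, 0.0])       # uniform on {(0,1)^T, (1,0)^T}
    F = walsh_hadamard(2)
    T = transition_matrix(lambda x: x ^ 2, 2)
    C = correlation_matrix(lambda x: x ^ 2, 2)
    p_hat = F @ p
    return {"q": (T @ p).tolist(), "p_hat": p_hat.tolist(),
            "q_hat": (C @ p_hat).tolist(), "diag": np.diag(C).tolist(),
            "is_diagonal": bool(np.allclose(C, np.diag(np.diag(C))))}


def key_addition_is_diagonal(k, n=4):
    """C^{x + K} = diag((-1)^(u.K)), as on the key-addition slide."""
    C = correlation_matrix(lambda x: x ^ k, n)
    expected = np.diag([(-1.0) ** parity(u & k) for u in range(1 << n)])
    return bool(np.allclose(C, expected))


def composition_rule_holds(k=0b1011):
    """C^{S o (x + k)} == C^S C^{x + k} for one 4-bit cell."""
    C_S = correlation_matrix(lambda x: SB0[x], 4)
    C_K = correlation_matrix(lambda x: x ^ k, 4)
    C_SK = correlation_matrix(lambda x: SB0[x ^ k], 4)
    return bool(np.allclose(C_SK, C_S @ C_K))


def rank_one_layer_holds():
    """Two parallel S-boxes: C^{S||S} == C^S (x) C^S, and it maps u(x)u to v(x)v."""
    C_S = correlation_matrix(lambda x: SB0[x], 4)
    C_SS = correlation_matrix(lambda x: (SB0[x >> 4] << 4) | SB0[x & 0xF], 8)
    kron = np.kron(C_S, C_S)
    return (bool(np.allclose(C_SS, kron))
            and bool(np.allclose(kron @ np.kron(U, U), np.kron(V, V))))


def sbox_maps_u_to_v():
    """C^S u = v (and C^S v = u, since Sb0 is an involution)."""
    C_S = correlation_matrix(lambda x: SB0[x], 4)
    return bool(np.allclose(C_S @ U, V)) and bool(np.allclose(C_S @ V, U))


def cell_keys_keeping_v():
    """Cell keys k whose key-addition matrix maps v to +v or -v, i.e. keeps v
    an eigenvector: exactly the keys with bits 0 and 2 clear (k & 5 == 0)."""
    keys = []
    for k in range(16):
        C_K = correlation_matrix(lambda x: x ^ k, 4)
        if np.allclose(C_K @ V, V) or np.allclose(C_K @ V, -V):
            keys.append(k)
    return keys


if __name__ == "__main__":
    print(key_addition_example())
    print(composition_rule_holds(), key_addition_is_diagonal(0b1011),
          rank_one_layer_holds(), sbox_maps_u_to_v(), cell_keys_keeping_v())
```

Running it reproduces the slide's numbers for the 2-bit example ($q = (1/2, 0, 0, 1/2)$, $\hat p = (1, 0, 0, -1)$, $\hat q = (1, 0, 0, 1)$, diagonal $(1, 1, -1, -1)$), confirms that the 8-bit two-cell S-box layer equals the Kronecker product of the cell matrices, and confirms $C^S u = v$ with the $u$ and $v$ above. The last function shows that $v$ stays an eigenvector of the cell key-addition matrix for only 4 of the 16 cell keys, a two-bit condition per cell.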
Midori-64 round constants (as listed on the slides).
Midori-64: 0001 0101 1011 0011 0111 1000 1100 0000 1010 0100 0011 0101 0110 0010 0001 0011 0001 0000 0100 1111 1101 0001 0111 0000 0000 0010 0110 0110 0000 1011 1100 1100 1001 0100 1000 0001 0100 0000 1011 1000 ... → $2^{64}$ weak keys.
Midori-64 (second slide): 0800 0000 8088 8000 8008 0800 8000 0008 0000 8088 8800 8800 0000 0080 0880 0880 8808 0008 0888 0000 0008 0000 0800 8888 0880 0080 0008 0088 8080 0800 0088 0808 0888 8000 8800 0000 0008 0808 8088 0088 ...
Midori-64 (third slide): 0a64 c6cf ee81 14a4 0aa0 a088 0088 2a22 410d 5161 db17 8b17 8028 a888 0aa2 a202 6182 5031 b4ed 0c0d 0a80 822a 80a2 0a82 a374 8d6a dd67 62eb 0280 880a a22a 8a2a 01cc 510f 2b77 349a 082a 2888 028a 0a80 ...
"Almost" Midori-64: 0100 0000 1011 1000 1001 0100 1000 0001 0000 1011 1100 1100 0000 0010 0110 0110 1101 0001 0111 0000 0001 0000 0100 1111 0110 0010 0001 0011 1010 0100 0011 0101 0111 1000 1100 0000 0001 0101 1011 0011 ... → $2^{96.02}$ weak keys (second slide), $2^{96}$ weak keys (third slide).
Three problems:
1. Improve understanding (theory): eigenvectors of correlation matrices.
2. Invariants which are not invariant under the round function: real-world example, modified Midori-64.
3. Attacks based on invariants that work for all round constants.
Attacks on Midori-64 and MANTIS.
- Independent of the round constants.
- 10 rounds of Midori-64: $2^{96}$ (out of $2^{128}$) weak keys, $\sim 1.25 \cdot 2^{21}$ chosen plaintexts.
- MANTIS-4: $2^{32}$ (out of $2^{64}$) weak tweaks, $\sim 640$ chosen plaintexts.
- Both attacks: $2^{56}$ block cipher calls, but $40 + 32$ bits of the key come almost for free; guess the remaining 56 bits (no optimizations).
Attack on 10 rounds of Midori-64 (integral property). Figure: whitening $K_0 + K_1$, then S, $R_1, R_2, \ldots, R_9$, with $K_0 \simeq \gamma_7$ and a final $K_0 + K_1$; the pattern of active (A) and constant (C) cells shown is A C C C C A A A A A A C A A A A A A A A A C C C, with input sets $\mathcal{I}_1$, $\mathcal{I}_2$ and cells labelled $A_1, \ldots, A_4$. Let $f(x) = \sum_{i=1}^{16} f_i(x_{4i-3}, x_{4i-2}, x_{4i-1}, x_{4i})$ with each $f_i$ balanced, and $g(x) = \sum_{i=1}^{16} g_i(x_{4i-3}, \ldots, x_{4i})$. Then
$$\sum_{x \in \mathcal{I}_2} f(x) = 0 \;\Rightarrow\; \sum_{x \in E_K(\mathcal{I}_1)} g(x + K_0 + K_1) = 0.$$