Cryptanalysis of the Advanced Encryption Standard Vincent Rijmen Albena 2013
Content
• AES
• Bounding the EDP of differentials over 2, 4 rounds of AES
• AES and the hypothesis of stochastic equivalence
The Advanced Encryption Standard
[Figure: block diagram of the cipher as a sequence of rounds, each a layer of S-boxes (S) followed by a mixing transformation, alongside the Key Schedule]
AES round transformation
• 10/12/14 iterations
• Composed of 4 steps, each with its own purpose:
– SubBytes: non-linearity
– ShiftRows: inter-column diffusion
– MixColumns: inter-byte diffusion within columns
– AddRoundKey
Message input representation
[Figure: array of bytes $a_{i,j}$, rows $i = 0,\dots,3$, columns $j = 0,\dots,7$]
• Rectangular array of bytes:
– 4 rows
– AES: 4 columns
– Rijndael: 4, 6, or 8 columns (128-, 192-, 256-bit plaintext block)
Key input representation
[Figure: array of bytes $k_{i,j}$, rows $i = 0,\dots,3$, columns $j = 0,\dots,7$]
• Rectangular array of bytes:
– 4 rows
– 4, 6, or 8 columns (128-, 192-, 256-bit key)
Round step 1: SubBytes
[Figure: each state byte $a_{i,j}$ is mapped through the S-box to $b_{i,j}$]
• Bytes are transformed by invertible S-box.
• One S-box (lookup table) for complete cipher (simplicity)
The Rijndael S-box
$S[x] = P(x^{-1})$
• $x^{-1}$: good cryptographic properties
– Optimally resistant against linear and differential cryptanalysis
– Output functions with maximal nonlinear degree (7)
• $P(x)$: affine transformation to remove regularity
Round step 3: MixColumns
[Figure: each state column $(a_{0,j}, a_{1,j}, a_{2,j}, a_{3,j})$ is mapped to the column $(b_{0,j}, b_{1,j}, b_{2,j}, b_{3,j})$]
• Columns transformed by matrix over GF($2^8$)
• High intra-column diffusion:
– based on theory of error-correcting (MDS) codes
Round step 2: ShiftRows
[Figure: the four rows of the state before and after ShiftRows]
• Rows are shifted over 4 different offsets
• High diffusion over multiple rounds:
– Interaction with MixColumns
– Bits flip in minimum 25 active S-boxes per 4 rounds
Key schedule
[Figure: round key table (virtual) of bytes $k_{i,j}$, holding 1 + 10/12/14 round keys]
Key schedule for 128-bit keys
[Figure: columns 0-3 of the key array $k_{i,j}$ produce columns 4-7. The last column, taken in the order $(k_{1,3}, k_{2,3}, k_{3,3}, k_{0,3})$, goes through Substitution with the round constant RC added; additions (+) then form the new columns.]
Key schedule for 192-bit keys
[Figure: columns 0-5 of the key array $k_{i,j}$ produce columns 6-11. The last column, taken in the order $(k_{1,5}, k_{2,5}, k_{3,5}, k_{0,5})$, goes through Substitution with the round constant RC added; additions (+) then form the new columns.]
Key schedule for 256-bit keys
[Figure: columns 0-7 of the key array $k_{i,j}$ produce columns 8-15. The last column, taken in the order $(k_{1,7}, k_{2,7}, k_{3,7}, k_{0,7})$, goes through Substitution with the round constant RC added; additions (+) then form the new columns, with a second Substitution partway along the chain.]
Alternative representations
[Figure: two rounds drawn as a layer of 16 S-boxes (S), four MixColumns blocks (MC) and 16 key additions (+), repeated]
Super Box differentials
[Figure: $a$ → S S S S → $b$ → MixColumns ($c = MC \times b$) → + + + + ($d = c$) → S S S S → $e$]
• Differentials $(a, e)$
– with EDP$(a, e)$
• Characteristics $Q = (a, b, c, d, e)$
– with EDP$(Q)$
• EDP$(a, e) = \sum_Q$ EDP$(Q)$
• given $a$ and $e$, only $b$ free
• EDP of $Q$ is product of DP of S-boxes:
– EDP$(a, b, d, e) = \prod_i DP_S(a_i, b_i) \prod_j DP_S(d_j, e_j)$
Branch number
• $DP_S(0,0) = 1$
• Avoid existence of trails with many zeroes
[Figure: X → Mixing transformation L → Y]
• Branch number $B$:
Branch number and codes
[Figure: X → Mixing transformation L → Y]
• Code C: $X \mapsto X \,\|\, L(X)$
• Branch number of L = minimum distance of C
Bound on EDP [Park+ '03]
When all S-boxes are the same:
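Example
[Figure: two layers of five S-boxes (S) around a mixing transformation L and a key addition (+); one active S-box before L, and three active S-boxes after it with input differences $d_0, d_1, d_4$ and output differences $e_0, e_1, e_4$]
• Sum runs over all entries in a row or column
• Sum is largest if you combine largest with the largest, …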
[Hong+ ’00] Hence:
The AES S-box
[Figure: the S-box $S$ drawn as $x^{-1}$ and the affine mapping, with differences labelled $a$, $c$, $b$]
• Composed of:
– $x^{-1}$ in GF($2^8$)
– $L$: affine mapping
  • matrix in GF(2)
  • linearised polynomial
• Differential properties:
– those of $x^{-1}$
– $L$: deterministic
  • $c = L^{-1} b$; $b = L c$
Differential properties of $x^{-1}$
$x^{-1} + (x + a)^{-1} = b$
• If $x \neq a$, $x \neq 0$:
  $(x + a) + x = b\,(x + a)\,x$
  $(x/a)^2 + x/a + 1/(ab) = 0$
• 2 solutions iff Trace$(1/(ab)) = 0$
• $x = a$ is solution of $x^{254} + (x + a)^{254} = b$
– only if $b = a^{-1}$
– Solutions are: $0$, $a$, $va$, $v^2 a$ with $v^2 + v + 1 = 0$
DP over AES S-box
• DP$(a, b)$:
– $2^{-6}$ if $ab = 1$,
– $2^{-7}$ if Tr$(a^{-1} b^{-1}) = 0$
– $0$ if Tr$(a^{-1} b^{-1}) = 1$
• For fixed $a$:
– 1 $b$ with DP$(a, b) = 2^{-6}$
– 126 $b$'s with DP$(a, b) = 2^{-7}$
• Same for fixed $b$
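The trace rule on the two preceding slides can be checked exhaustively against a brute-force difference table of $x \mapsto x^{-1}$. The Python below is an added example, not part of the original slides; all function names are this example's own.

```python
def gmul(a, b):                      # product in GF(2^8) modulo 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def ginv(x):                         # x^254: x^-1 for x != 0, and 0 -> 0
    r = 1
    for _ in range(7):               # 254 = 2 + 4 + ... + 128
        x = gmul(x, x)
        r = gmul(r, x)
    return r

def trace(x):                        # Tr(x) = x + x^2 + ... + x^128, 0 or 1
    t = 0
    for _ in range(8):
        t ^= x
        x = gmul(x, x)
    return t

INV = [ginv(x) for x in range(256)]
TR = [trace(x) for x in range(256)]

def ddt_row(a):
    """row[b] = number of x with x^-1 + (x + a)^-1 = b, so DP(a, b) = row[b] / 256."""
    row = [0] * 256
    for x in range(256):
        row[INV[x] ^ INV[x ^ a]] += 1
    return row

def rule(a, b):
    """Right-pair count the slide predicts for nonzero a, b."""
    ab = gmul(a, b)
    return 4 if ab == 1 else (2 if TR[INV[ab]] == 0 else 0)

def verify():
    """Compare all 255 * 255 entries; return the set of (#4, #2, #0) row profiles."""
    profiles = set()
    for a in range(1, 256):
        row = ddt_row(a)
        if any(row[b] != rule(a, b) for b in range(1, 256)):
            return None
        profiles.add((row.count(4), row.count(2), row.count(0)))
    return profiles
```

`verify()` returns a single profile for every nonzero $a$: one entry of 4 (DP $2^{-6}$), 126 entries of 2 (DP $2^{-7}$), and zero elsewhere.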
AES Super box EDP bounds
• MixColumns has branch number 5
• Hong et al. bound:
• Park et al. bound:
• Keliher-Sui '07: the best differentials have $13.25 \times 2^{-32}$
Differential properties of $x^{-1}$
• Trace function Tr$(x)$
– Maps extension field GF($2^8$) to ground field GF(2)
– Linear mapping:
  • Tr$(x + y)$ = Tr$(x)$ + Tr$(y)$
  • Tr$(ax) = 0$: the solutions $x$ for given $a$ define a vector space over GF(2)
• Given $a$, values of $b^{-1}$ for which DP$(a, b) > 0$ form a vector space of dimension 7
Example differential
[Figure: $(a_0, 0, 0, 0)$ → S S S S → $(b_0, 0, 0, 0)$ → MixColumns → $(d_0, d_1, d_2, d_3)$ → + + + + → S S S S → $(e_0, e_1, e_2, e_3)$]
• Characteristics $(a, b, d, e)$
• Properties:
– 255 possible values for $b_0$
– $d = (2b_0, b_0, b_0, 3b_0)$
– $d_i = u_{d_i} b_0$: fixed ratio
• Conditions for $b_0$ and $d_i$ to define a characteristic with DP > 0:
– Tr$(a_0^{-1} L(b_0)^{-1}) = 0$
– Tr$(d_i^{-1} L(e_i)^{-1}) = 0$
Example differential
[Figure: $(a_0, 0, 0, 0)$ → S S S S → $(b_0, 0, 0, 0)$ → MixColumns → $(d_0, d_1, d_2, d_3)$ → + + + + → S S S S → $(e_0, e_1, e_2, e_3)$]
• Conditions on $d_i$ define a vector space on $b_0^{-1}$
– dimension is 8 minus dimension of vector space generated by $\{u_{d_i} L(e_i)^{-1}\}_i$
– minimum 4, maximum 7
– straight conditions
• Condition on $b_0$ doesn't
– due to presence of $L$
– blurred condition
– can be approached statistically:
  • number of trails has hypergeometric distribution
Differentials with 5 active S-boxes
• Given characteristic, nonzero $b_i$ and $d_j$ values have fixed ratios
• 255 characteristics
• Differential characterized by two parameters:
– $\alpha$: dimension of $\{u_{d_i} L(e_i)^{-1}\}_i$
– $\beta$: number of different nonzero elements in $(a_0, u_{b_0})$, $(a_1, u_{b_1})$, $(a_2, u_{b_2})$, $(a_3, u_{b_3})$
• Number of trails has hypergeometric distribution with mean and variance determined by $\alpha$ and $\beta$
AES Superboxes
• Highest EDP values occur for differentials with 5 active S-boxes
– ... with small values for $\alpha$ and $\beta$
• Presence of $L$ in S-box has important impact on the distributions of Super box EDP values:
– if absent: all conditions become straight
– Max EDP would increase from $13.25 \times 2^{-32}$ (12 differentials) to $19.75 \times 2^{-32}$ (3825 differentials)
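An added example (not from the slides) of the "L absent" case: with a pure-inversion S-box each S-box condition becomes Tr$(g \cdot b_0^{-1}) = 0$, linear in $b_0^{-1}$, so the number of characteristics follows from a GF(2) rank. The generators used here are derived from the trace conditions with $L$ dropped and $d_i = u_i b_0$; the value `W`, the differential built from it and all function names are constructed for this example.

```python
# Added example, constructed inputs; S-box = pure inversion (the "L absent" case).
from math import prod

EXP, LOG, x = [0] * 255, [0] * 256, 1
for i in range(255):                       # 0x03 generates GF(2^8)* modulo 0x11B
    EXP[i], LOG[x] = x, i
    x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)      # x <- 3 * x

def mul(a, b):
    return EXP[(LOG[a] + LOG[b]) % 255] if a and b else 0

def inv(a):                                # a must be nonzero
    return EXP[-LOG[a] % 255]

INV = [0] + [inv(v) for v in range(1, 256)]
DDT = [[0] * 256 for _ in range(256)]      # DDT[a][b] = 256 * DP_S(a, b)
for a in range(256):
    for v in range(256):
        DDT[a][INV[v] ^ INV[v ^ a]] += 1

U = (2, 1, 1, 3)                           # d = MC x (b0,0,0,0) = (2 b0, b0, b0, 3 b0)

def trails(a0, e):
    """(b0, weight) for every characteristic with DP > 0; weight = 2^40 * EDP(Q)."""
    out = []
    for b0 in range(1, 256):
        w = DDT[a0][b0] * prod(DDT[mul(u, b0)][ei] for u, ei in zip(U, e))
        if w:
            out.append((b0, w))
    return out

def edp(a0, e):
    return sum(w for _, w in trails(a0, e)) / 2 ** 40

def rank_gf2(vals):                        # dimension of the GF(2) span of bytes
    basis = []
    for v in vals:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def predicted_trails(a0, e):
    """Count nonzero b0^-1 orthogonal (under Tr) to all five generators."""
    gens = [inv(a0)] + [inv(mul(u, ei)) for u, ei in zip(U, e)]
    return 2 ** (8 - rank_gf2(gens)) - 1

W = 0x53                                   # constructed value
E_LOW = tuple(inv(mul(u, W)) for u in U)   # all four output generators equal W
```

For the input difference `inv(W)` and output difference `E_LOW` all five generators coincide, 127 characteristics survive, and `edp` evaluates to exactly 19.75 × 2^-32, the figure quoted above for the S-box without $L$.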
AES megabox
[Figure: a layer of four Super boxes, four MixColumns blocks (MC) and 16 key additions (+), followed by a second layer of four Super boxes]
Megabox bounds
• Hong et al.:
• Park et al.: ???
– We would need all the EDP-values over the Super boxes
– Computation has been finished for differentials where all trails have exactly 25 active S-boxes and where the S-box is pure inversion:
Plateau characteristics
• Illustration of the difference between EDP and DP[k]
• DP is a stochastic variable, with EDP as expected value
• Expected value doesn't fully characterize the distribution
• Structure in the sets of right pairs
• Case study for characteristics in AES (2 rounds)
Often assumed distribution of DP(Q)
$\Pr(DP(Q) = i) \approx z(i - EDP(Q))$
• Narrow around EDP(Q)
[Figure: fraction of keys plotted against DP(Q), with EDP(Q) marked on the axis]
Hypothesis of stochastic equivalence
2-round mapping
[Figure: $a$ → $R$ → $b$ → + (key $k$) → $S$ → $c$; the whole mapping is $B[k]$]
• $B[k](x) = S(k + R(x))$
• Characteristic over $B[k]$: $Q = (a, b, c)$
– Differential $(a, b)$ over $R$, followed by
– Differential $(b, c)$ over $S$