

  1. Cube Attacks on Stream Ciphers Based on Division Property
     Chaoyun Li, ESAT-COSIC, KU Leuven
     12-10-2017, Crete
     Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23

  2. Plan
     1 Cube Attack: An Introduction
     2 Cube Attacks with Division Property
     3 Our Results
     4 Conclusion and Future work

  3. Motivation
     Symmetric key ciphers for FHE, MPC, ...
     - Trivium [Cannière-Preneel ’07]
     - LowMC [Albrecht et al. ’15]
     - Kreyvium [Canteaut et al. ’16]
     Low Multiplicative Complexity (MC) is crucial
     - Minimize the number of ANDs and the multiplicative depth
     Our goal: cube attacks on low MC ciphers

  4. Low MC stream ciphers: Trivium [Cannière-Preneel ’07]

  5. Low MC stream ciphers: Kreyvium [Canteaut et al. ’16]

  6. Cube attacks [Dinur-Shamir ’09]
     Extension of Higher Order Differential Attacks and Algebraic Attacks
     Chosen plaintext key recovery attack
     - Keyed hash functions
     - Stream ciphers
     - Block ciphers
     - MAC algorithms
     Powerful for primitives with low-degree components
     - Stream ciphers based on low-degree NFSRs
     - Permutations with only a few XORs and ANDs

  7. Cube attack in a nutshell
     Preprocessing:
     - Sum over outputs of subspaces of chosen public variables
     - Store equations between sums and secret variables
     Online:
     - Evaluate sums over outputs of chosen plaintexts
     - Recover key bits by solving the equations
     The Dinur-Shamir attack only needs blackbox access to the cipher

  8. Main observation
     Cube sum of Boolean functions
     $f(x_1, x_2, x_3, x_4) = x_1 + x_1 x_2 + x_3 x_4 + x_1 x_2 x_3 + x_1 x_3 x_4 = x_1 + x_1 x_2 + x_3 x_4 (1 + x_1) + x_1 x_2 x_3$
     Fix $x_1, x_2$ and sum over all values of $(x_3, x_4)$ (the integer count of each term, reduced over $\mathbb{F}_2$):
     $\sum_{(x_3, x_4) \in \mathbb{F}_2^2} f(x_1, x_2, x_3, x_4) = 4 x_1 + 4 x_1 x_2 + 1 + x_1 + 2 x_1 x_2 = 1 + x_1$
     The set $\{(c_1, c_2, x_3, x_4) \in \mathbb{F}_2^4\}$ is a cube of dimension 2
     The resulting sum is the superpoly of the cube

  9. The attack
     Write a cipher as $f(x, v) \mapsto$ Output
     - Public variables $v$ controlled by the attacker, e.g., a message or nonce
     - Secret variables $x$
     - Output: ciphertext, keystream, or a hash bit
     Preprocessing
     - Find cubes with a simple (e.g. linear) superpoly $p(x)$
     - Reconstruct $p(x)$
     Online
     - Collect a system of linear equations $p(x) = b$
     - Recover key bits by solving the equations, with exhaustive search for the remaining key bits if necessary

  10. Preprocessing phase
     Given a cube $I$ of size $C$
     Find cubes with a simple (e.g. linear) superpoly $p(x)$
     - Property test of the superpoly
     - Complexity $O(N_1 2^C)$, where $N_1$ is the number of queries
     Reconstruct the superpoly $p(x)$
     $\sum_{v \in I} f(v, x) = p(x)$
     - The superpoly $p(x)$ can be recovered by the Moebius Transformation
     - Complexity $O(N_2 2^C)$, where $N_2$ is the number of queries
     - More information on $p$ means a smaller $N_2$
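The cube sum of slide 8 and the Moebius-transform recovery of slide 10, carried out on the slide's own four-variable function. This is an added example, not code from the talk; variable $x_i$ is index $i-1$, a cube is a list of variable indices, and the superpoly is recovered from its full truth table over the non-cube variables, which is the $2^{n}$-query worst case the slide's $N_2$ bounds.

```python
"""Cube sum and superpoly recovery for the Boolean function on slide 8.
Added example (not from the talk). Variables x1..x4 are indices 0..3."""
from itertools import product


def f(x1, x2, x3, x4):
    # f = x1 + x1x2 + x3x4 + x1x2x3 + x1x3x4 over GF(2), as on slide 8
    return x1 ^ (x1 & x2) ^ (x3 & x4) ^ (x1 & x2 & x3) ^ (x1 & x3 & x4)


def cube_sum(func, n_vars, cube, fixed):
    """XOR of func over all 2^|cube| assignments to the cube variables,
    with the remaining variables held at the values given in `fixed`.
    This is the superpoly of `cube` evaluated at the point `fixed`."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        x = dict(fixed)
        x.update(zip(cube, bits))
        total ^= func(*[x[i] for i in range(n_vars)])
    return total


def moebius_transform(truth):
    """Truth table -> ANF coefficients. truth[m] is the value at the point
    whose bit j is variable j; a[m] is 1 iff the monomial with variable
    set m appears in the ANF. Cost O(n 2^n) XORs, no further queries."""
    a = list(truth)
    n = len(a).bit_length() - 1
    for j in range(n):
        bit = 1 << j
        for i in range(len(a)):
            if i & bit:
                a[i] ^= a[i ^ bit]
    return a


def superpoly_anf(func, n_vars, cube):
    """Recover the superpoly of `cube` as a sorted list of monomials, each a
    tuple of variable indices (() is the constant 1). Queries every point of
    the non-cube variables, i.e. 2^n_vars evaluations of func in total."""
    rest = [i for i in range(n_vars) if i not in cube]
    truth = []
    for m in range(1 << len(rest)):
        fixed = {rest[j]: (m >> j) & 1 for j in range(len(rest))}
        truth.append(cube_sum(func, n_vars, cube, fixed))
    coeffs = moebius_transform(truth)
    return [tuple(rest[j] for j in range(len(rest)) if m & (1 << j))
            for m in range(len(coeffs)) if coeffs[m]]


def anf_to_str(monomials):
    """Pretty-print a monomial list as on the slide, e.g. '1 + x1'."""
    terms = ["".join(f"x{i + 1}" for i in mono) or "1" for mono in monomials]
    return " + ".join(terms) or "0"


if __name__ == "__main__":
    # Slide 8: cube over (x3, x4) has superpoly 1 + x1
    print(anf_to_str(superpoly_anf(f, 4, [2, 3])))
    # A dimension-1 cube over x4 leaves x3 + x1x3 (degree 2, not linear)
    print(anf_to_str(superpoly_anf(f, 4, [3])))
```

The dimension-2 cube reproduces the slide's result $1 + x_1$; the dimension-1 cube over $x_4$ alone gives the nonlinear superpoly $x_3 + x_1 x_3$, which is the case a linearity test in the preprocessing phase would reject.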

  11. Problems and Progress
     How to find the most efficient cube?
     - Random walk heuristic algorithm [Dinur-Shamir ’09]
     - Cube variables with conditions [Dinur et al. ’15]
     - Conditional cube attack [Huang et al. ’17]

  12. Problems and Progress
     Attack in the blackbox model
     - Cannot leverage the specific structural properties
     Exploitable cube size is limited ($\leq 40$)
     - Due to the large complexity of testing the superpoly
     - Cannot predict what will happen if a bigger cube is chosen
     Kill two birds with one stone: division property

  13. Division property [Todo ’15]
     A method to construct higher order differential/integral distinguishers
     Successfully used to analyze block ciphers and hash functions
     Efficient evaluation by MILP [Xiang et al. ’16]

  14. Cube attacks with division property
     Ideas of the new attack [Todo et al. ’17]
     Analyze the involved variables in the ANF of the superpoly by division property
     + Non-blackbox attack
     + Applies to nonlinear superpolys
     Model and solve the division propagation by MILP
     + Much more efficient than cube summation
     + Allows searching large cubes, since no cube sum is needed to test the property of the superpoly

  15. What’s new
     Apply division property to analyze stream ciphers
     Exploit large cubes
     Improve key recovery attacks on stream ciphers, e.g. Trivium

     Round | Complexity | Cube size | Ref
     767   | $2^{36}$   | 30        | [Dinur-Shamir ’09]
     799   | $2^{62}$   | 40        | [Fouque-Vannet ’13]
     832   | $2^{79}$   | 72        | [Todo et al. ’17]

  16. Our idea
     Investigate higher-degree monomials in the ANF of the superpoly by division property
     Improve the MILP model by removing redundant division trails
     Highlights of the improved method
     - Detect more information on the superpoly
     - Reduce the complexity of superpoly recovery
     - Attack more rounds

  17. Trivium [Cannière-Preneel ’07]
     80-bit key and 80-bit IV, 288-bit state
     1152 rounds in the initialization phase
     Loading:
     $(s_1, s_2, \ldots, s_{93}) \leftarrow (K_1, K_2, \ldots, K_{80}, 0, \ldots, 0)$
     $(s_{94}, s_{95}, \ldots, s_{177}) \leftarrow (IV_1, IV_2, \ldots, IV_{80}, 0, \ldots, 0)$
     $(s_{178}, s_{179}, \ldots, s_{288}) \leftarrow (0, \ldots, 0, 1, 1, 1)$
     One round:
     $t_1 \leftarrow s_{66} \oplus s_{93}$
     $t_2 \leftarrow s_{162} \oplus s_{177}$
     $t_3 \leftarrow s_{243} \oplus s_{288}$
     $z \leftarrow t_1 \oplus t_2 \oplus t_3$
     $t_1 \leftarrow t_1 \oplus s_{91} \cdot s_{92} \oplus s_{171}$
     $t_2 \leftarrow t_2 \oplus s_{175} \cdot s_{176} \oplus s_{264}$
     $t_3 \leftarrow t_3 \oplus s_{286} \cdot s_{287} \oplus s_{69}$
     $(s_1, s_2, \ldots, s_{93}) \leftarrow (t_3, s_1, \ldots, s_{92})$
     $(s_{94}, s_{95}, \ldots, s_{177}) \leftarrow (t_1, s_{94}, \ldots, s_{176})$
     $(s_{178}, s_{179}, \ldots, s_{288}) \leftarrow (t_2, s_{178}, \ldots, s_{287})$
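A bit-level model of the Trivium loading and round function just given, wired to the cube summation of slide 9 and the randomised superpoly property test of slide 10, so the reduced-round variants in the results tables can be reproduced at small scale. This is an added example and not the speaker's code: the number of initialization clocks is a parameter (1152 is the full cipher), cube variables are IV positions as numbered on the slide, all other IV bits are fixed to 0, and the property test is a standard affinity check $p(a) \oplus p(b) \oplus p(a \oplus b) \oplus p(0) = 0$ on random keys (an assumption about how the test is run; the slide only names it).

```python
"""Reduced-round Trivium per the slide, with cube summation over IV bits and an
affinity test of the superpoly. Added example, not code from the talk."""
import random

KEY_BITS = 80
IV_BITS = 80
FULL_INIT_ROUNDS = 1152


def trivium_load(key, iv):
    """Load an 80-bit key and IV into the 288-bit state. Indices follow the
    slide: s[1..288]; s[0] is unused so the formulas read like the spec."""
    assert len(key) == KEY_BITS and len(iv) == IV_BITS
    s = [0] * 289
    s[1:81] = key                   # (s1..s93)    <- (K1..K80, 0..0)
    s[94:174] = iv                  # (s94..s177)  <- (IV1..IV80, 0..0)
    s[286] = s[287] = s[288] = 1    # (s178..s288) <- (0..0, 1, 1, 1)
    return s


def trivium_round(s):
    """One clock: return the keystream bit z of the current state, then
    update the three shift registers in place."""
    t1 = s[66] ^ s[93]
    t2 = s[162] ^ s[177]
    t3 = s[243] ^ s[288]
    z = t1 ^ t2 ^ t3
    t1 ^= (s[91] & s[92]) ^ s[171]
    t2 ^= (s[175] & s[176]) ^ s[264]
    t3 ^= (s[286] & s[287]) ^ s[69]
    s[1:94] = [t3] + s[1:93]
    s[94:178] = [t1] + s[94:177]
    s[178:289] = [t2] + s[178:288]
    return z


def first_keystream_bit(key, iv, rounds):
    """Clock `rounds` times discarding the output, then emit the first
    keystream bit. rounds=1152 is full Trivium; smaller values are the
    reduced-round targets in the results tables."""
    s = trivium_load(key, iv)
    for _ in range(rounds):
        trivium_round(s)
    return trivium_round(s)


def cube_sum(key, cube, rounds):
    """Superpoly value p(key) of the cube spanned by the IV positions in
    `cube` (1-based, as IV_i on the slide); costs 2^|cube| cipher queries."""
    total = 0
    for mask in range(1 << len(cube)):
        iv = [0] * IV_BITS
        for j, pos in enumerate(cube):
            iv[pos - 1] = (mask >> j) & 1
        total ^= first_keystream_bit(key, iv, rounds)
    return total


def superpoly_is_affine(cube, rounds, trials=16, seed=1):
    """Randomised property test: an affine superpoly satisfies
    p(a) + p(b) + p(a+b) + p(0) = 0 for all keys a, b. A False answer is a
    proof of nonlinearity; True after `trials` random pairs is evidence only.
    Each trial costs 3 * 2^|cube| queries on top of the one-off p(0)."""
    rng = random.Random(seed)
    p0 = cube_sum([0] * KEY_BITS, cube, rounds)
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(KEY_BITS)]
        b = [rng.randint(0, 1) for _ in range(KEY_BITS)]
        ab = [x ^ y for x, y in zip(a, b)]
        if (cube_sum(a, cube, rounds) ^ cube_sum(b, cube, rounds)
                ^ cube_sum(ab, cube, rounds) ^ p0):
            return False
    return True


if __name__ == "__main__":
    # 0 clocks: z = K66 + IV69 + 1, so the cube {IV69} has constant superpoly 1
    # and any cube not containing IV69 sums to 0.
    print(cube_sum([0] * KEY_BITS, [69], 0), cube_sum([0] * KEY_BITS, [1], 0))
    # A small cube against a modest number of clocks; output is only evidence.
    print(superpoly_is_affine([1, 2, 3], 300, trials=8))
```

With zero initialization clocks the output is $K_{66} \oplus IV_{69} \oplus 1$ by inspection of the loading, so the cube $\{IV_{69}\}$ has the constant superpoly 1 and the tests below check exactly that; realistic round counts need the large cubes the talk obtains from the division-property search rather than this brute-force summation.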

  18. Results on reduced-round Trivium
     Improved key recovery attack on Trivium

     Round | Complexity | Cube size | Ref
     799   | $2^{62}$   | 40        | [Fouque-Vannet ’13]
     832   | $2^{79}$   | 72        | [Todo et al. ’17]
     833   | $2^{75}$   | 74        | new

     Possible to further improve the attacked rounds!

  19. Kreyvium [Canteaut et al. ’16]
     128-bit variant of Trivium, $|K| = |IV| = 128$
     1152 rounds initialization
     Loading:
     $(K^*_{127}, K^*_{126}, \ldots, K^*_0) \leftarrow (K_1, K_2, \ldots, K_{128})$
     $(IV^*_{127}, IV^*_{126}, \ldots, IV^*_0) \leftarrow (IV_1, IV_2, \ldots, IV_{128})$
     $(s_1, s_2, \ldots, s_{93}) \leftarrow (K_1, K_2, \ldots, K_{93})$
     $(s_{94}, s_{95}, \ldots, s_{177}) \leftarrow (IV_1, IV_2, \ldots, IV_{84})$
     $(s_{178}, s_{179}, \ldots, s_{288}) \leftarrow (IV_{85}, IV_{86}, \ldots, IV_{128}, 1, \ldots, 1, 0)$
     One round:
     $t_1 \leftarrow s_{66} \oplus s_{93}$
     $t_2 \leftarrow s_{162} \oplus s_{177}$
     $t_3 \leftarrow s_{243} \oplus s_{288} \oplus K^*_0$
     $z \leftarrow t_1 \oplus t_2 \oplus t_3$
     $t_1 \leftarrow t_1 \oplus s_{91} \cdot s_{92} \oplus s_{171} \oplus IV^*_0$
     $t_2 \leftarrow t_2 \oplus s_{175} \cdot s_{176} \oplus s_{264}$
     $t_3 \leftarrow t_3 \oplus s_{286} \cdot s_{287} \oplus s_{69}$
     $(s_1, s_2, \ldots, s_{93}) \leftarrow (t_3, s_1, \ldots, s_{92})$
     $(s_{94}, s_{95}, \ldots, s_{177}) \leftarrow (t_1, s_{94}, \ldots, s_{176})$
     $(s_{178}, s_{179}, \ldots, s_{288}) \leftarrow (t_2, s_{178}, \ldots, s_{287})$
     $(K^*_{127}, K^*_{126}, \ldots, K^*_0) \leftarrow (K^*_0, K^*_{127}, K^*_{126}, \ldots, K^*_1)$
     $(IV^*_{127}, IV^*_{126}, \ldots, IV^*_0) \leftarrow (IV^*_0, IV^*_{127}, IV^*_{126}, \ldots, IV^*_1)$

  20. Results on reduced-round Kreyvium
     Improved key recovery attack on Kreyvium

     Round | Complexity | Cube size | Ref
     872   | $2^{124}$  | 85        | [Todo et al. ’17]
     884   | $2^{124}$  | 95        | new

     Still no clue on the security margin
     Lower security margin than Trivium
     - see also Conditional Differential Cryptanalysis [Watanabe et al. ’17]

  21. Conclusion
     Apply division property to analyze stream ciphers
     Capable of searching large cubes
     Reduce the complexity of superpoly recovery
     Improve key recovery attacks on the stream ciphers Trivium and Kreyvium

  22. Future work
     Find the most efficient cube for stream ciphers
     Optimize the complexity of the key recovery phase
     Apply to other designs
     - Cube attack + structural properties

  23. Thank you! Questions?
