Gröbner Bases. Applications in Cryptology
Jean-Charles Faugère, INRIA, Université Paris 6, CNRS (with partial support of Celar/DGA)
FSE 2007, Luxembourg

Outline: Gröbner bases: properties. Description of the cipher families (Feistel cipher: FLURRY; Feistel cipher modelling). Algorithms (Buchberger and Macaulay; efficient algorithms: the F5 algorithm; zero-dimensional solving). Other strategies (substitution of one variable; several plaintexts). Conclusion.
Plan

Goal: how can Gröbner bases be used to break (block) ciphers?

1. Basic properties of Gröbner bases.
2. Use the same benchmark during the talk: the non-trivial iterated block ciphers from "Block Ciphers Sensitive to Gröbner Basis Attacks", J. Buchmann, A. Pyshkin and R.-P. Weinmann, CT-RSA 2006.
3. Efficient algorithms for computing Gröbner bases.
4. Test different algorithms and strategies: direct computation, substitution of some variables, several plaintexts/ciphertexts.
Properties of Gröbner bases I

$K$ a field, $K[x_1, \ldots, x_n]$ the polynomials in $n$ variables. Gröbner bases play for polynomial systems the role that triangular bases play for linear ones:

Linear systems | Polynomial equations
$l_1(x_1,\ldots,x_n) = 0,\ \ldots,\ l_m(x_1,\ldots,x_n) = 0$ | $f_1(x_1,\ldots,x_n) = 0,\ \ldots,\ f_m(x_1,\ldots,x_n) = 0$
vector space $V = \mathrm{Vect}_K(l_1,\ldots,l_m)$ | ideal generated by the $f_i$: $I = \mathrm{Id}(f_1,\ldots,f_m)$
triangular/diagonal basis of $V$ | Gröbner basis of $I$

Definition (Buchberger). Let $<$ be an admissible ordering (lexicographical, total degree, DRL). $G \subset K[x_1,\ldots,x_n]$ is a Gröbner basis of an ideal $I$ if for all $f \in I$ there exists $g \in G$ such that $\mathrm{LT}_<(g) \mid \mathrm{LT}_<(f)$.
Properties of Gröbner bases II

Solving algebraic systems means computing the algebraic variety. Let $K \subset L$ (for instance $L = \bar{K}$, the algebraic closure):
$$V_L = \{(z_1,\ldots,z_n) \in L^n \mid f_i(z_1,\ldots,z_n) = 0,\ i = 1,\ldots,m\}.$$

Solutions in finite fields: we compute the Gröbner basis $G_{\mathbb{F}_2}$ of
$$[f_1,\ldots,f_m,\ x_1^2 - x_1,\ \ldots,\ x_n^2 - x_n] \quad \text{in } \mathbb{F}_2[x_1,\ldots,x_n].$$
It is a description of all the solutions of $V_{\mathbb{F}_2}$: adding the field equations $x_i^2 - x_i$ discards the solutions that only exist in an extension of $\mathbb{F}_2$.
Properties of Gröbner bases III

Theorem.
- $V_{\mathbb{F}_2} = \emptyset$ (no solution) iff $G_{\mathbb{F}_2} = [1]$.
- $V_{\mathbb{F}_2}$ has exactly one solution iff $G_{\mathbb{F}_2} = [x_1 - a_1, \ldots, x_n - a_n]$ where $(a_1,\ldots,a_n) \in \mathbb{F}_2^n$.

Shape position: if $m \ge n$ and the number of solutions is finite ($\#V_{\bar K} < \infty$), then in general a lexicographical Gröbner basis for $x_1 > \cdots > x_n$ has the shape
$$h_n(x_n) = 0,\quad x_{n-1} - h_{n-1}(x_n) = 0,\quad \ldots,\quad x_1 - h_1(x_n) = 0$$
("shape position"): the solutions are read off by solving the univariate $h_n$ and back-substituting.
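As an added, worked illustration of $G_{\mathbb{F}_2}$ and of the theorem above (this is not code from the talk): a small Buchberger algorithm working directly in the Boolean ring $\mathbb{F}_2[x_0,\ldots,x_{n-1}]/\langle x_i^2 + x_i\rangle$, where the field equations are handled by one extra S-polynomial per variable of each leading term, followed by inter-reduction so the result is the unique reduced basis. The two input systems are constructed toy examples (with $n = 3$ and the variables written $x_0 > x_1 > x_2$), one with a single $\mathbb{F}_2$-solution and one with none; a brute-force search over $\mathbb{F}_2^3$ is included as a cross-check.

```python
"""Reduced lex Gröbner basis of <f_1..f_m, x_i^2 + x_i> over F_2 (added example)."""
from itertools import product

# A monomial is a frozenset of variable indices (x_i^2 = x_i, so monomials are
# squarefree); a polynomial is a frozenset of monomials (coefficients are in F_2,
# so p + q is the symmetric difference).  The empty monomial is the constant 1.

def poly(*monos):
    """Build a polynomial from variable-index tuples: poly((0, 1), (1,)) = x0*x1 + x1."""
    return frozenset(frozenset(m) for m in monos)

def lex_key(mono, n):
    """Lexicographic order with x_0 > x_1 > ... > x_{n-1} (bigger key = bigger monomial)."""
    return tuple(1 if i in mono else 0 for i in range(n))

def lt(p, n):
    return max(p, key=lambda m: lex_key(m, n))

def mul(p, q):
    """Product in the Boolean ring: monomials multiply by union, coefficients mod 2."""
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}
    return frozenset(out)

def normal_form(p, G, n):
    """Fully reduce p modulo G: no monomial of the result is divisible by any LT(g)."""
    r = set()
    while p:
        m = lt(p, n)
        for g in G:
            if lt(g, n) <= m:                       # LT(g) divides m
                p = p ^ mul(poly(m - lt(g, n)), g)  # cancel m with (m / LT(g)) * g
                break
        else:                                       # m is irreducible: it is part of the remainder
            r.add(m)
            p = p ^ {m}
    return frozenset(r)

def s_poly(f, g, n):
    lf, lg = lt(f, n), lt(g, n)
    lcm = lf | lg
    return mul(poly(lcm - lf), f) ^ mul(poly(lcm - lg), g)

def groebner(F, n):
    """Buchberger's algorithm in the Boolean ring; returns the reduced lex basis."""
    G, work = [], list(F)
    while work:
        r = normal_form(work.pop(), G, n)
        if not r:
            continue
        # queue the S-polynomials of the new element with every earlier one and with
        # the field equation x^2 + x for each x dividing LT(r) (that S-polynomial is x * r)
        work += [s_poly(r, g, n) for g in G]
        work += [mul(poly((x,)), r) for x in lt(r, n)]
        G.append(r)
    H = []                                          # minimal basis: drop g if some LT(h) | LT(g)
    for g in sorted(set(G), key=lambda p: lex_key(lt(p, n), n)):
        if not any(lt(h, n) <= lt(g, n) for h in H):
            H.append(g)
    # reduce every tail modulo the others: this is the unique reduced Gröbner basis
    return sorted((poly(lt(g, n)) ^ normal_form(g ^ {lt(g, n)}, H, n) for g in H),
                  key=lambda p: lex_key(lt(p, n), n), reverse=True)

def read_off_solution(G, n):
    """The theorem: G == [1] means no solution, G == [x_i + a_i] gives the unique one."""
    if G == [poly(())]:
        return "no solution"
    if len(G) != n:
        return "more than one solution"
    assignment = {}
    for g in G:
        m = lt(g, n)
        if len(m) != 1 or not g <= {m, frozenset()}:
            return "more than one solution"
        assignment[next(iter(m))] = 1 if frozenset() in g else 0   # x_i + 1 = 0  <=>  x_i = 1
    return tuple(assignment[i] for i in range(n))

def evaluate(p, point):
    return sum(all(point[i] for i in m) for m in p) % 2

def brute_force(F, n):
    """Cross-check: V_{F_2} by exhaustive search (only feasible for tiny n)."""
    return [pt for pt in product((0, 1), repeat=n) if all(evaluate(f, pt) == 0 for f in F)]

# Constructed toy systems in x0, x1, x2 (not from the talk).
SYSTEM_UNIQUE = [poly((0, 1), (1,)),         # x0*x1 + x1      = x1*(x0 + 1)
                 poly((1, 2), (2,), ()),     # x1*x2 + x2 + 1  = x2*(x1 + 1) + 1  forces x2 = 1, x1 = 0
                 poly((0, 2), (2,))]         # x0*x2 + x2      = x2*(x0 + 1)      then forces x0 = 1
SYSTEM_EMPTY = SYSTEM_UNIQUE + [poly((0,), (1,), (2,), ())]   # adds x0 + x1 + x2 + 1, contradicting (1,0,1)

if __name__ == "__main__":
    for name, F in (("unique", SYSTEM_UNIQUE), ("empty", SYSTEM_EMPTY)):
        G = groebner(F, 3)
        print(name, "G_F2 =", [sorted(map(sorted, g)) for g in G],
              "->", read_off_solution(G, 3), "| brute force:", brute_force(F, 3))
```

The first system returns the basis $[x_0 + 1,\ x_1,\ x_2 + 1]$, i.e. the solution $(1, 0, 1)$ is read off directly, and the second returns $[1]$. The same reduction routine is what a direct attack does at scale: the cipher equations plus the field equations go in, and the key variables come out as $k_i + a_i$ if the known plaintext/ciphertext pairs pin the key down uniquely.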
Feistel cipher: FLURRY I

Flurry$(k, t, r, f, D)$; the parameters used are:
- $k$: the size of the finite field $K$.
- $t$: the size of the message/secret key, and $m = t/2$ the half size.
- $r$: the number of rounds.
- $f$: a non-linear mapping giving the S-box of the round function. In practice $f(x) = f_p(x) = x^p$ or $f(x) = f_{inv}(x) = x^{k-2}$ (the inverse on $K^*$, extended by $0 \mapsto 0$).
- $D$: an $m \times m$ matrix describing the linear diffusion mapping of the round function (coefficients in $K$).
Feistel cipher: FLURRY II

We set $L = [l_1,\ldots,l_m] \in K^m$ and $R = [r_1,\ldots,r_m]$, the left/right sides of the current state, and $K = [k_1,\ldots,k_m]$ the round key. We define the round function $\rho: K^m \times K^m \times K^m \to K^m \times K^m$ as
$$\rho(L, R, K) = \bigl(R,\ D \cdot {}^T[f(r_1 + k_1), \ldots, f(r_m + k_m)] + L\bigr).$$
(The addition of $L$ is the Feistel structure: it makes $\rho$ invertible for every choice of $f$ and $D$, since $L$ is recovered as the new right half minus $D \cdot {}^T f(R + K)$.)

The key schedule: from an initial secret key $[K_0, K_1]$ (size $t = 2m$) we compute the subsequent round keys for $2 \le i \le r+1$ as
$$K_i = D \cdot {}^T K_{i-1} + K_{i-2} + v_i, \qquad i = 2, 3, \ldots, r+1,$$
where the $v_i$ are round constants.
Feistel cipher: FLURRY III

A plaintext $[L_0, R_0]$ (size $t$) is encrypted into a ciphertext $(L_r, R_r)$ by iterating the round function $\rho$ over $r$ rounds:
$$(L_i, R_i) = \rho(L_{i-1}, R_{i-1}, K_{i-1}) \quad \text{for } i = 1, 2, \ldots, r-1,$$
$$(L_r, R_r) = \rho(L_{r-1}, R_{r-1}, K_{r-1}) + (0, K_{r+1}),$$
and $L_i = R_{i-1}$.
Feistel cipher: algebraic attack I

Algebraic attack: the encryption process can be described by very simple polynomial equations. Introduce variables for each round, $L_j = [x_{1,j},\ldots,x_{m,j}]$, $R_j = [x_{m+1,j},\ldots,x_{t,j}]$ and $K_j = [k_{1,j},\ldots,k_{m,j}]$; the round equations and the key schedule then give an algebraic set of equations $F$, with
- plaintext: $\vec p = L_0 \cup R_0$;
- ciphertext: $\vec c = L_{r+1} \cup R_{r+1}$, of size $t$;
- secret key: $\vec k = K_0 \cup K_1$.

$S_{\vec k}(\vec p, \vec c)$ is the corresponding algebraic system. In the following, if $\vec p$ is explicitly known then we write $\vec p^*$; for a known plaintext/ciphertext pair we thus obtain $S_{\vec k}(\vec p^*, \vec c^*)$, whose unknowns are the round states and the round keys.
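The cipher of the three FLURRY slides and the variables of the model above, as an added example (not code from the talk or from Buchmann, Pyshkin and Weinmann). What the slides leave open is assumed here and marked in the code: $K = \mathrm{GF}(2^4)$ ($k = 16$) with modulus $x^4 + x + 1$, $m = 2$, $D = [[1, 2],[2, 1]]$ with elements written as 4-bit integers, round constants $v_i = [i, 2i] \bmod 16$, and the round-key indexing exactly as written on the slides (round $i$ uses $K_{i-1}$, the last round adds $(0, K_{r+1})$). Both S-boxes $f_p$ (with $p = 3$) and $f_{inv}$ are implemented, `round_states` returns the values the model variables $x_{i,j}$ take at the true key, i.e. the solution of $S_{\vec k}(\vec p^*, \vec c^*)$, and `decrypt` checks that the Feistel round is invertible without inverting $f$ or $D$.

```python
"""FLURRY(k, t, r, f, D) over GF(2^4) with the slides' round function and key schedule."""
K_SIZE = 16            # k: number of field elements (assumed)
MODULUS = 0b10011      # x^4 + x + 1, assumed irreducible polynomial defining GF(2^4)

def gf_mul(a, b):
    """Multiply two elements of GF(2^4): carry-less product reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def f_p(x, p=3):
    """Power S-box f_p(x) = x^p (p = 3 assumed)."""
    return gf_pow(x, p)

def f_inv(x):
    """Inverse S-box f_inv(x) = x^(k-2): the inverse on K^*, with 0 -> 0."""
    return gf_pow(x, K_SIZE - 2)

def mat_vec(D, v):
    """D . ^T v over K (addition in characteristic 2 is XOR)."""
    out = []
    for row in D:
        acc = 0
        for d, x in zip(row, v):
            acc ^= gf_mul(d, x)
        out.append(acc)
    return out

def vec_add(u, v):
    return [a ^ b for a, b in zip(u, v)]

def rho(L, R, K, f, D):
    """Round function: (L, R, K) -> (R, D . ^T[f(r_1+k_1), ..., f(r_m+k_m)] + L)."""
    return R, vec_add(mat_vec(D, [f(r ^ k) for r, k in zip(R, K)]), L)

def rho_inverse(L1, R1, K, f, D):
    """Undo one round: R = L1 and L = R1 - D . ^T f(R + K); needs no inverse of f or D."""
    return vec_add(R1, mat_vec(D, [f(r ^ k) for r, k in zip(L1, K)])), L1

def key_schedule(K0, K1, r, D):
    """K_i = D . ^T K_{i-1} + K_{i-2} + v_i for i = 2, ..., r+1 (v_i = [i, 2i, ...] assumed)."""
    keys = [list(K0), list(K1)]
    for i in range(2, r + 2):
        v_i = [((j + 1) * i) % K_SIZE for j in range(len(K0))]
        keys.append(vec_add(vec_add(mat_vec(D, keys[i - 1]), keys[i - 2]), v_i))
    return keys

def round_states(L0, R0, keys, r, f, D):
    """All (L_j, R_j), j = 0..r: the values the model variables x_{i,j} take at the true key."""
    states = [(list(L0), list(R0))]
    for i in range(1, r + 1):                     # round i uses K_{i-1}, as on the slides
        L, R = states[-1]
        states.append(rho(L, R, keys[i - 1], f, D))
    return states

def encrypt(L0, R0, keys, r, f, D):
    Lr, Rr = round_states(L0, R0, keys, r, f, D)[-1]
    return Lr, vec_add(Rr, keys[r + 1])           # final key addition (0, K_{r+1})

def decrypt(Lr, Rr, keys, r, f, D):
    L, R = Lr, vec_add(Rr, keys[r + 1])
    for i in range(r, 0, -1):
        L, R = rho_inverse(L, R, keys[i - 1], f, D)
    return L, R

if __name__ == "__main__":
    D = [[1, 2], [2, 1]]                          # assumed diffusion matrix
    keys = key_schedule([0x3, 0xA], [0x7, 0xC], 4, D)   # constructed key [K_0, K_1], r = 4
    for f in (f_p, f_inv):
        c = encrypt([0x1, 0x2], [0xE, 0xF], keys, 4, f, D)
        print(f.__name__, "ciphertext:", c, "decrypts to:", decrypt(*c, keys, 4, f, D))
```

Counting the model for these parameters: each round introduces $t = 4$ state variables tied to the previous state by $m = 2$ linear equations ($L_i = R_{i-1}$) and $m = 2$ equations of degree $p$ through $f_p$, and the key schedule adds $m$ linear equations per round key; with $\vec p^*$ and $\vec c^*$ substituted, the only free unknowns are the round states and the $2m$ key cells of $K_0 \cup K_1$.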
Feistel cipher: algebraic attack II

Theorem [Buchmann, Pyshkin, Weinmann]. If $f(x) = x^p$, then for an appropriate order on the variables $x_{i,j}, k_{i,j}$ the system $S_{\vec k}(\vec p^*, \vec c^*)$ is already a Gröbner basis for a total degree ordering.

Main problem: a Gröbner basis for a total degree ordering describes $V_{\bar K}$, and we are computing $V_{\bar K}$ and not $V_K$! And there are many solutions: $p^{mr}$ over the algebraic closure (one degree-$p$ S-box equation for each of the $m$ cells in each of the $r$ rounds), whereas only the solutions in $K$ correspond to keys.