Key-Recovery Attacks on Keccak-Based Constructions
Ling Song
Joint work with Jian Guo, Danping Shi and San Ling
10 October, 2018 @ Milano, Italy

Outline
1 Introduction
2 Cube Attacks
3 MILP Model for Searching Cubes
4 Main Results

1 Introduction
    Keyed Keccak Constructions
    Our Work

Introduction: Keyed Keccak Constructions
Keccak
    Permutation-based hash function
    Designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
    Selected as SHA-3 standard
    Underlying permutation: Keccak-p[1600, 24]
Keccak under keyed modes: KMAC, Keccak-MAC
Its relatives
    Authenticated encryption: Keyak, Ketje
    Pseudorandom function: Kravatte
    Permutation: Xoodoo

Introduction: Keyed Keccak Constructions
Permutation Keccak-p[$b$, $n_r$]
    $b$ bits: seen as a 5 × 5 array of $\frac{b}{25}$-bit lanes, $A[x, y]$
    $n_r$ rounds; each round $R$ consists of five steps: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$
    $\chi$: S-box on each row
    $\pi, \rho$: change the position of state bits
[Figure: the Keccak state with a row, a lane, a column and a slice marked. Source: http://www.iacr.org/authors/tikz/]

Introduction: Keyed Keccak Constructions
Keccak-p Round Function: θ
θ step: adding two columns to the current bit
    $C[x] = A[x, 0] \oplus A[x, 1] \oplus A[x, 2] \oplus A[x, 3] \oplus A[x, 4]$
    $D[x] = C[x - 1] \oplus (C[x + 1] \ll 1)$
    $A[x, y] = A[x, y] \oplus D[x]$
The Column Parity kernel
    If $C[x] = 0$, $0 \le x < 5$, then the state $A$ is in the CP kernel.
[Figure: the θ step. Source: http://keccak.noekeon.org/]

Introduction: Keyed Keccak Constructions
Keccak-p Round Function: ρ, π
ρ step: lane level rotations, $A[x, y] = A[x, y] \ll r[x, y]$
π step: permutation on lanes, $A[y, 2x + 3y] = A[x, y]$
[Figure: lane positions (x, y) of the 5 × 5 state before and after π. Source: http://keccak.noekeon.org/]

Introduction: Keyed Keccak Constructions
Keccak-p Round Function: χ
χ step: 5-bit S-boxes, nonlinear operation on rows
    $y_0 = x_0 + (x_1 + 1) \cdot x_2$,
    $y_1 = x_1 + (x_2 + 1) \cdot x_3$,
    $y_2 = x_2 + (x_3 + 1) \cdot x_4$,
    $y_3 = x_3 + (x_4 + 1) \cdot x_0$,
    $y_4 = x_4 + (x_0 + 1) \cdot x_1$.
Nonlinear term: product of two adjacent bits in a row.
The algebraic degree of $n$ rounds is $2^n$.
[Figure: the χ S-box mapping inputs $x_0, \ldots, x_4$ to outputs $y_0, \ldots, y_4$]

Introduction: Keyed Keccak Constructions
Sponge construction [BDPV11]
    $b$-bit permutation $f$
    Two parameters: bitrate $r$, capacity $c$, and $b = r + c$.
Keccak: Keccak-p[1600, 24] + Sponge
Keccak-MAC
    Take $K || M$ as input

Introduction: Keyed Keccak Constructions
[Figures: block diagrams of the keyed Keccak constructions KMAC, Keyak and Ketje, showing padded inputs absorbed through calls to the permutation f and output squeezed afterwards (absorbing and squeezing phases).]

Introduction: Our Work
Key Recovery Attacks
    Intuition: $\deg(\chi) = 2$. Consider algebraic cryptanalysis, in particular, cube attacks.
Contributions
    Mixed Integer Linear Programming models for searching two types of cube attacks
    Best key recovery attacks on round-reduced KMAC, Keyak, Ketje and Keccak-MAC so far
    Solve the open problem of "Full State Keyed Duplex (Sponge)":
    "Whether these attacks can still be extended to more rounds by exploiting full-state absorbing remains an open question". (the Keyak designers)

Introduction: Our Work (publications)
    Ling Song, Jian Guo: Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP. IACR Transactions on Symmetric Cryptology, 2018(3), 182-214.
    Ling Song, Jian Guo, Danping Shi, San Ling: New MILP Modeling: Improved Conditional Cube Attacks on Keccak-based Constructions. To appear in ASIACRYPT 2018.

2 Cube Attacks
    auxCube
    conCube

Cube Attacks
Cube Attacks [DS09] (Higher Order Differential Cryptanalysis)
Given a Boolean polynomial $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$ and a monomial $t_I = v_{i_1} \cdots v_{i_d}$, $I = \{v_{i_1}, \ldots, v_{i_d}\}$, $f$ can be written as
    $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1}) = t_I \cdot p_{S_I} + q$
    $q$ contains terms that are not divisible by $t_I$
    $p_{S_I}$ is called the superpoly of $I$ in $f$
    $v_{i_1}, \ldots, v_{i_d}$ are called cube variables. $d$ is the dimension.
The cube sum is exactly
    $\sum_{(v_{i_1}, \ldots, v_{i_d}) \in C_I} f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1}) = p_{S_I}$
Cube attacks: $p_{S_I}$ is a linear polynomial in key bits.
Cube testers: distinguish $p_{S_I}$ from a random function.
If $\deg(f) < d$, $p_{S_I} = 0$.

Cube Attacks: auxCube
Cube-Attack-Like Cryptanalysis [DMP+15] (renamed auxCube)
Idea: do not recover the exact linear $p_{S_I}$ but try to limit the number ($n_i$) of key bits involved in $p_{S_I}$ using $n_a$ auxiliary variables.
Preprocessing phase
    Build a lookup table. The complexity is $2^{n_i + d}$.

    n_i key bits    Cube sum
    00...00         01011...
    00...01         11010...
    ...             ...
    11...11         10110...

Online phase
    Guess the value of $n_a$ auxiliary variables and then query the cipher to obtain the cube sum; look up the table to recover the $n_i$ key bits. The complexity is $2^{n_a + d}$.

Cube Attacks: auxCube
auxCube on Keccak
The algebraic degree of $n$ rounds is $2^n$. Linearize the first round by avoiding adjacent cube variables.
[Figure: state diagram with labels $k_0$, $k_1$, $v_a$, $v_i$ and the steps θ and ρ, π]
    $d = 64$, $n_a = 64$, $n_i = 64$
Task of the MILP Model
    1. Find $2^{n-1}$-dimensional cubes where $n$ is as large as possible (attack more rounds).
    2. Find balanced attacks where $n_i$ and $n_a$ are close and as small as possible (low complexity).

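Added example (not from the slides): a toy cube attack on χ iterated over a single 5-bit row, illustrating the cube sum, the rule that deg(f) < d gives a zero superpoly, and why non-adjacent cube variables keep the first round linear. The toy function (no θ, ρ, π, ι), the layout of key bits at x1, x3 and cube variables at x0, x2, and all function names are assumptions made for illustration.

```python
from itertools import product

def chi(row):
    """Keccak chi on one 5-bit row: y_i = x_i + (x_{i+1} + 1) * x_{i+2} over GF(2)."""
    return [row[i] ^ ((row[(i + 1) % 5] ^ 1) & row[(i + 2) % 5]) for i in range(5)]

def toy_rounds(row, rounds):
    """Toy function (assumption): chi iterated on a single row, without theta, rho, pi, iota."""
    for _ in range(rounds):
        row = chi(row)
    return row

def cube_sum(key_pos, key, cube_pos, rounds):
    """XOR the 5 output bits over all 2^d assignments of the cube variables.
    Row positions holding neither a key bit nor a cube variable are fixed to 0."""
    acc = [0] * 5
    for values in product((0, 1), repeat=len(cube_pos)):
        row = [0] * 5
        for pos, bit in zip(key_pos, key):
            row[pos] = bit
        for pos, bit in zip(cube_pos, values):
            row[pos] = bit
        acc = [a ^ b for a, b in zip(acc, toy_rounds(row, rounds))]
    return acc

def recover_k1(oracle):
    """After 2 toy rounds the superpoly of cube {x0, x2} in output bit 4 is exactly k1,
    so one cube sum (4 queries) reveals that key bit."""
    return oracle((0, 2))[4]

KEY_POS = (1, 3)  # constructed layout: k0 sits at x1, k1 at x3

if __name__ == "__main__":
    for key in product((0, 1), repeat=2):
        oracle = lambda cube, key=key: cube_sum(KEY_POS, key, cube, rounds=2)
        print("key", key, "cube sum", oracle((0, 2)), "recovered k1 =", recover_k1(oracle))
    # Non-adjacent cube variables: round 1 stays linear in them, so the sum vanishes.
    print("1 round, cube {x0, x2}:", cube_sum(KEY_POS, (1, 1), (0, 2), rounds=1))
    # Adjacent variables x4, x0 meet in a chi product, leaving a nonzero superpoly.
    print("1 round, cube {x4, x0}:", cube_sum(KEY_POS, (1, 1), (4, 0), rounds=1))
    # deg(f) = 2 < d = 3 after one round: the cube sum is zero on every output bit.
    print("1 round, cube {x0, x2, x4}:", cube_sum(KEY_POS, (1, 1), (0, 2, 4), rounds=1))
```

In this toy, output bit 1 has the constant superpoly 1 and output bit 4 has the superpoly k1, which is the "linear polynomial in key bits" case from the cube attack slide.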