
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based - PowerPoint PPT Presentation

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25


  1. New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions
     Ling Song, Jian Guo, Danping Shi, San Ling
     4 Dec 2018 @ Brisbane, Australia

  2. Outline
     1 Introduction
     2 Conditional Cube Attacks
     3 MILP Model for Searching Cubes
     4 Main Results

  3. Introduction. Outline
     1 Introduction: Keyed Keccak Constructions; Our Contributions
     2 Conditional Cube Attacks
     3 MILP Model for Searching Cubes
     4 Main Results

  4. Introduction: Keyed Keccak Constructions
     Keccak: permutation-based hash function.
     Designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
     Selected as SHA-3 standard.
     Underlying permutation: Keccak-p[1600, 24].
     Keccak under keyed modes: KMAC, Keccak-MAC.
     Its relatives:
     Authenticated encryption: Keyak, Ketje.
     Pseudorandom function: Kravatte.
     Permutation: Xoodoo.

  5. Introduction: Keyed Keccak Constructions. Keccak-p[b, n_r] Permutation
     b bits: seen as a 5 × 5 array of $\frac{b}{25}$-bit lanes, $A[x, y]$.
     $n_r$ rounds; each round R consists of five steps: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$.
     χ: S-box on each row.
     π, ρ: change the position of state bits.
     [Figure: the Keccak state with row, lane, column and slice marked; source http://www.iacr.org/authors/tikz/]

  6. Introduction: Keyed Keccak Constructions. Keccak-p Round Function: θ
     θ step: adding two columns to the current bit.
     $C[x] = A[x,0] \oplus A[x,1] \oplus A[x,2] \oplus A[x,3] \oplus A[x,4]$
     $D[x] = C[x-1] \oplus (C[x+1] \ll 1)$
     $A[x,y] = A[x,y] \oplus D[x]$
     The Column Parity kernel: if $C[x] = 0$, $0 \le x < 5$, then the state A is in the CP kernel.
     [Figure: the θ step; source http://keccak.noekeon.org/]

  7. Introduction: Keyed Keccak Constructions. Keccak-p Round Function: ρ, π
     ρ step: lane level rotations, $A[x,y] = A[x,y] \ll r[x,y]$.
     π step: permutation on lanes, $A[y, 2x + 3y] = A[x,y]$.
     [Figure: positions of the 25 lanes (x,y) before and after π; source http://keccak.noekeon.org/]

  8. Introduction: Keyed Keccak Constructions. Keccak-p Round Function: χ
     χ step: 5-bit S-boxes, nonlinear operation on rows, mapping $(x_0, x_1, x_2, x_3, x_4)$ to $(y_0, y_1, y_2, y_3, y_4)$:
     $y_0 = x_0 + (x_1 + 1) \cdot x_2$,
     $y_1 = x_1 + (x_2 + 1) \cdot x_3$,
     $y_2 = x_2 + (x_3 + 1) \cdot x_4$,
     $y_3 = x_3 + (x_4 + 1) \cdot x_0$,
     $y_4 = x_4 + (x_0 + 1) \cdot x_1$.
     Nonlinear term: product of two adjacent bits in a row.
     The algebraic degree of n rounds is $2^n$.

  9. Introduction: Keyed Keccak Constructions. Keccak-MAC
     Keccak: Keccak-p[1600, 24] + Sponge.
     Sponge construction [BDPV11]: b-bit permutation f.
     Two parameters: bitrate r, capacity c, and b = r + c.
     Keccak-MAC: take K || M as input.

  10. Introduction: Keyed Keccak Constructions
     [Figure: block diagrams of the KMAC, Ketje and Keyak constructions, showing padded input blocks, calls to the permutation f, and the absorbing and squeezing phases]

  11. Introduction: Our Contributions
     Key Recovery Attacks
     Intuition: deg(χ) = 2. Consider algebraic cryptanalysis, in particular, cube attacks.
     Contributions
     Mixed Integer Linear Programming models for searching two types of cube attacks.
     Best key recovery attacks on round-reduced KMAC, Keyak and larger versions of Ketje so far.
     Solve the open problem of “Full State Keyed Duplex (Sponge)”:
     “Whether these attacks can still be extended to more rounds by exploiting full-state absorbing remains an open question”. — the Keyak designers


  14. Conditional Cube Attacks. Outline
     1 Introduction
     2 Conditional Cube Attacks
     3 MILP Model for Searching Cubes
     4 Main Results

  15. Conditional Cube Attacks. Cube Attacks [DS09]
     Higher Order Differential Cryptanalysis [Lai94]
     Given a Boolean polynomial $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$ and a monomial $t_I = v_{i_1} \cdots v_{i_d}$, $I = \{v_{i_1}, \ldots, v_{i_d}\}$, f can be written as
     $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1}) = t_I \cdot p_{S_I} + q$
     q contains terms that are not divisible by $t_I$.
     $p_{S_I}$ is called the superpoly of I in f.
     $v_{i_1}, \ldots, v_{i_d}$ are called cube variables. d is the dimension.
     Then the cube sum is exactly
     $\sum_{(v_{i_1}, \ldots, v_{i_d}) \in C_I} f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1}) = p_{S_I}$
     Cube attacks: $p_{S_I}$ is a linear polynomial in key bits.
     Cube testers: distinguish $p_{S_I}$ from a random function. If $\deg(f) < d$, $p_{S_I} = 0$.

  16. Conditional Cube Attacks. Conditional Cube Testers of Keccak [HWX+17] (renamed conCube)
     Linearize the first round.
     There exist p cube variables that are not multiplied with any cube variable even in the second round under certain conditions.
     We classify two types of conditional cubes:
     Type I conCube: p = 1. Given such a cube with $d = 2^{n-1}$, $p_{S_I} = 0$ for n-round Keccak if the conditions are met.
     Type II conCube: p = d. Given such a cube with $d = 2^{n-2} + 1$, $p_{S_I} = 0$ for n-round Keccak if the conditions are met.


  19. Conditional Cube Attacks. ConCube on Keccak
     If the conditions involve the key, the conditional cube can be used to recover the key.
     How to find good cubes?
     Task of the MILP Model: find Type I (II) cubes with dimension $2^{n-1}$ ($2^{n-2} + 1$) where
     1 n is as large as possible (attack more rounds);
     2 the number of conditions is minimized (low complexity).

  20. MILP Model for Searching Cubes. Outline
     1 Introduction
     2 Conditional Cube Attacks
     3 MILP Model for Searching Cubes
     4 Main Results

  21. MILP Model for Searching Cubes. Mixed Integer Linear Programming
     An MILP problem is of the form
     $\min c^T x$ subject to $Ax \ge b$, $x_i \ge 0$, $x_i \in \mathbb{Z}$
     Solvers: Gurobi, CPLEX, SCIP, ...
     Application to cryptanalysis since Mouha et al.’s pioneering work [MWGP11].
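
The CP-kernel property of θ (slide 6), the degree of χ (slide 8) and the cube-sum rule "if deg(f) < d, the superpoly is 0" (slide 15) can be checked on a toy state. This is an added example, not code from the slides or the authors; it assumes a lane width of 1 (Keccak-p[25]), omits ι, and the names `cube_sum`, `BASE`, `IN_KERNEL`, `ONE_BIT` and `CUBES` are hypothetical with constructed inputs.

```python
from itertools import product

# Toy model (assumption of this example): Keccak-p[25], lane width 1, so rho
# is the identity and the 1-bit lane rotation in theta vanishes. iota is
# omitted because XORing a round constant does not change the algebraic degree.
N = range(5)

def theta(A):
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in N]
    D = [C[(x - 1) % 5] ^ C[(x + 1) % 5] for x in N]
    return [[A[x][y] ^ D[x] for y in N] for x in N]

def pi(A):
    B = [[0] * 5 for _ in N]
    for x, y in product(N, N):
        B[y][(2 * x + 3 * y) % 5] = A[x][y]
    return B

def chi(A):
    # y_i = x_i + (x_{i+1} + 1) * x_{i+2} along each row (fixed y)
    return [[A[x][y] ^ ((A[(x + 1) % 5][y] ^ 1) & A[(x + 2) % 5][y])
             for y in N] for x in N]

def cube_sum(base, cube, n):
    """XOR the n-round output over all 2^d assignments of the cube bits."""
    acc = [[0] * 5 for _ in N]
    for vals in product((0, 1), repeat=len(cube)):
        A = [row[:] for row in base]
        for (x, y), v in zip(cube, vals):
            A[x][y] = v
        for _ in range(n):
            A = chi(pi(theta(A)))
        acc = [[acc[x][y] ^ A[x][y] for y in N] for x in N]
    return acc

def weight(A):
    return sum(map(sum, A))

# Constructed inputs: fixed "key/constant" bits, two states for theta, and
# (rounds, cube) pairs of dimension 2, 3 and 5.
BASE = [[(3 * x + y * y) & 1 for y in N] for x in N]
IN_KERNEL = [[int(x == 2 and y in (0, 3)) for y in N] for x in N]  # C[x] = 0
ONE_BIT = [[int((x, y) == (2, 0)) for y in N] for x in N]
CUBES = [(1, [(0, 0), (0, 1)]), (1, [(0, 0), (0, 1), (2, 2)]), (2, [(x, 0) for x in N])]

if __name__ == "__main__":
    print(theta(IN_KERNEL) == IN_KERNEL, weight(theta(ONE_BIT)))
    for n, cube in CUBES:
        print(n, len(cube), weight(cube_sum(BASE, cube, n)))
```

The two-variable cube sits in one column, so θ copies both variables into neighbouring columns and χ multiplies them after a single round; the cubes of dimension 3 (one round) and 5 (two rounds) exceed the degree bound and sum to zero on every output bit.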
