Proving resistance against invariant attacks: How to choose the round constants
Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella
Ruhr-Universität Bochum, Germany; Inria Paris, France
BFA 2017, July 2017

Outline
• A new condition on the existence of nonlinear invariants
• How to check that the attack does not apply for a given cipher
• Impact of the round constants and of the linear layer

The invariant subspace attack [Leander et al. 11]
Linear subspace invariant under $E_k$: $V$ is a linear subspace of $\mathbb{F}_2^n$ with $E_k(V) = V$.
[Figure: $E_k$ maps $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$ and sends the subspace $V$ onto itself.]
Equivalently: let $g(x) := 1$ iff $x \in V$. Then $g(E_k(x)) = g(x)$ for all $x$, or $g(E_k(x)) = g(x) + 1$ for all $x$.
Such a $g$ is called an invariant for $E_k$.
The nonlinear invariant attack [Todo-Leander-Sasaki 16]
Non-trivial partition of $\mathbb{F}_2^n$ invariant under $E_k$: $S$ is any subset of $\mathbb{F}_2^n$ with $E_k(S) = S$ or $E_k(S) = \mathbb{F}_2^n \setminus S$.
[Figure: $E_k$ maps $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$, sending $S$ either onto $S$ or onto its complement $\mathbb{F}_2^n \setminus S$.]
Equivalently: let $g$ be the Boolean function defined by $g(x) := 1$ iff $x \in S$. Then
$\forall x \in \mathbb{F}_2^n,\ g(E_k(x)) = g(x)$ or $\forall x \in \mathbb{F}_2^n,\ g(E_k(x)) = g(x) + 1$.
Such a $g$ is called an invariant for $E_k$.

Using the same invariant for all layers in a key-alternating cipher
Find an invariant $g$ for the Sbox-layer and for all $\mathrm{Add}_{k_i} \circ L$.
[Figure: key-alternating cipher with round keys $k_1, k_2, \ldots, k_t$, alternating Sbox layers $S$ and linear layers $L$.]
If $g$ is an invariant for all $\mathrm{Add}_{k_i} \circ L$, then:
• $LS(g)$ contains $(k_i + k_j)$
• $LS(g)$ is invariant under $L$

Finding an invariant $g$ for all $\mathrm{Add}_{k_i} \circ L$
$g(L(x) + k_i) = g(x) + \varepsilon_i$ and $g(L(x) + k_j) = g(x) + \varepsilon_j$
$\Rightarrow\ g(L(x) + k_i) = g(L(x) + k_j) + (\varepsilon_i + \varepsilon_j)$
$\Leftrightarrow\ g(y + k_i + k_j) = g(y) + (\varepsilon_i + \varepsilon_j)$ for all $y$,
i.e. $(k_i + k_j)$ is a linear structure of $g$.
Linear space of a Boolean function $g$: $LS(g) := \{\alpha \in \mathbb{F}_2^n : x \mapsto g(x + \alpha) + g(x) \text{ is constant}\}$.

Using the same invariant for all layers in a key-alternating cipher
Find an invariant $g$ for the Sbox-layer and for all $\mathrm{Add}_{k_i} \circ L$.
[Figure: key-alternating cipher with round keys $k_1, k_2, \ldots, k_t$, alternating Sbox layers $S$ and linear layers $L$.]
$g$ is an invariant for the Sbox layer and satisfies:
• $LS(g)$ contains $(k_i + k_j)$
• $LS(g)$ is invariant under $L$

Very simple key schedules
All round keys are defined by $k_i = k + c_i$.
[Figure: key-alternating cipher with round keys $k + c_1, k + c_2, \ldots, k + c_t$, alternating Sbox layers $S$ and linear layers $L$.]

The main condition for very simple key schedules
$D := \{(c_i + c_j) \text{ such that } k_i = k + c_i \text{ and } k_j = k + c_j\}$
$W_L(D) :=$ smallest subspace invariant under $L$ which contains $D$.
Is there a non-trivial invariant $g$ for the Sbox-layer such that $W_L(D) \subseteq LS(g)$?
Checking that such invariants do not exist
A simple case
Question: Is there an invariant $g$ for the Sbox-layer such that $W_L(D) \subseteq LS(g)$?
If $\dim W_L(D) \geq n - 1$, then $\deg g \leq 1$ (a Boolean function whose linear space has dimension at least $n - 1$ is affine), which is impossible unless the Sbox layer has a component of degree 1.
Hence, if $\dim W_L(D) \geq n - 1$, the attack does not apply. This holds for any choice of the Sbox-layer.
Some lightweight ciphers
Skinny-64-64. $D = \{RC_1 + RC_{17}, RC_2 + RC_{18}, RC_3 + RC_{19}, RC_4 + RC_{20}, RC_5 + RC_{21}\}$, $\dim W_L(D) = 64$. The round constants and $L$ guarantee that the attack does not apply.
Prince. $D = \{RC_1 + RC_2, RC_1 + RC_3, RC_1 + RC_4, RC_1 + RC_5, \alpha\}$, $\dim W_L(D) = 56$.
Mantis-7. $D = \{RC_1 + RC_2, RC_1 + RC_3, RC_1 + RC_4, RC_1 + RC_5, RC_1 + RC_6, RC_1 + RC_7, \alpha\}$, $\dim W_L(D) = 42$.
Midori-64. $W_L(D) = \{0000, 0001\}^{16}$, $\dim W_L(D) = 16$.

When $\dim W_L(D) < n$
$\alpha \in LS(g)$ iff $g(x + \alpha) + g(x) = \varepsilon$ for all $x$.
0-linear structures: $\alpha \in LS_0(g)$ iff $g(x + \alpha) + g(x) = 0$ for all $x$.
If a subspace $Z$ of $LS_0(g)$ is known:
• $g$ is constant on each coset $a + Z$, since $g(a + z) = g(a)$ for any $z \in Z$;
• if $g(S(x)) = g(x) + \varepsilon$ for all $x$, then $g$ is constant on $S(Z)$.
If $Z \subseteq LS_0(g)$ is known:
    L = {}
    repeat
        z ←$ Z                                  (pick z uniformly at random in Z)
        compute S(z)
        add to L a representative of the coset of S(z) modulo Z
    until |L| = 2^(n − dim Z)
(Here L denotes the list of coset representatives collected so far, not the linear layer.)
But $W_L(D) \subseteq LS(g)$, while we need $Z \subseteq LS_0(g)$...
Finding a subspace of $LS_0(g)$
Prince. For any $x \in LS(g)$, $(x + L(x)) \in LS_0(g)$. Let $D' := \{x + L(x),\ x \in D\}$; we have $\dim W_L(D') = 51$.
⇒ We can check that the Sbox-layer of Prince has no non-trivial invariant $g$ with $W_L(D') \subseteq LS_0(g)$.
Mantis-7. $D = \{RC_1 + RC_2, RC_1 + RC_3, RC_1 + RC_4, RC_1 + RC_5, RC_1 + RC_6, RC_1 + RC_7, \alpha\}$. ⇒ $W_L(D) \subseteq LS_0(g)$.
We can check that the Sbox-layer of Mantis has no non-trivial invariant $g$ with $W_L(D) \subseteq LS_0(g)$.

Very different behaviours
Skinny-64-64. $D = \{RC_1 + RC_{17}, RC_2 + RC_{18}, RC_3 + RC_{19}, RC_4 + RC_{20}, RC_5 + RC_{21}\}$, $\dim W_L(D) = 64$.
Prince. $D = \{RC_1 + RC_2, RC_1 + RC_3, RC_1 + RC_4, RC_1 + RC_5, \alpha\}$, $\dim W_L(D) = 56$.
Mantis-7. $D = \{RC_1 + RC_2, RC_1 + RC_3, RC_1 + RC_4, RC_1 + RC_5, RC_1 + RC_6, RC_1 + RC_7, \alpha\}$, $\dim W_L(D) = 42$.

Can we find better round constants?
Maximizing the dimension of $W_L(c)$
$W_L(c) = \langle L^t(c),\ t \in \mathbb{N} \rangle$.
$\dim W_L(c) =$ smallest $d$ such that there exist $\lambda_0, \ldots, \lambda_d \in \mathbb{F}_2$, not all zero, with $\sum_{t=0}^{d} \lambda_t L^t(c) = 0$.
$\dim W_L(c)$ is the degree of the relative minimal polynomial of $c$.
Theorem. There exists $c$ such that $\dim W_L(c) = d$ if and only if $d$ is the degree of a divisor of the minimal polynomial of $L$.
⇒ $\max_{c \in \mathbb{F}_2^n} \dim W_L(c) = \deg \mathrm{Min}_L$.
For some lightweight ciphers
LED. $\mathrm{Min}_L(X) = (X^8 + X^7 + X^5 + X^3 + 1)^4 (X^8 + X^7 + X^6 + X^5 + X^2 + X + 1)^4$. There exist some $c$ such that $\dim W_L(c) = 64$.
Skinny-64. $\mathrm{Min}_L(X) = X^{16} + 1 = (X + 1)^{16}$. There exist some $c$ such that $\dim W_L(c) = d$ for any $1 \leq d \leq 16$.
Prince. $\mathrm{Min}_L(X) = X^{20} + X^{18} + X^{16} + X^{14} + X^{12} + X^8 + X^6 + X^4 + X^2 + 1 = (X^4 + X^3 + X^2 + X + 1)^2 (X^2 + X + 1)^4 (X + 1)^4$, so $\max_c \dim W_L(c) = 20$.
Mantis and Midori. $\mathrm{Min}_L(X) = (X + 1)^6$ ⇒ $\max_c \dim W_L(c) = 6$.

Rational canonical form
When $\deg(\mathrm{Min}_L) = n$, there is a basis for which the matrix of $L$ is the companion matrix
$$C(\mathrm{Min}_L) = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ p_0 & p_1 & p_2 & \cdots & p_{n-1} \end{pmatrix}.$$
More generally, there is a basis for which the matrix of $L$ is the block-diagonal matrix
$$\begin{pmatrix} C(Q_1) & & & \\ & C(Q_2) & & \\ & & \ddots & \\ & & & C(Q_r) \end{pmatrix}$$
for $r$ polynomials $Q_r \mid Q_{r-1} \mid \cdots \mid Q_1 = \mathrm{Min}_L$. $Q_1, Q_2, \ldots, Q_r$ are called the invariant factors of $L$.

Example
For Prince. $\mathrm{Min}_L(X) = X^{20} + X^{18} + X^{16} + X^{14} + X^{12} + X^8 + X^6 + X^4 + X^2 + 1 = (X^4 + X^3 + X^2 + X + 1)^2 (X^2 + X + 1)^4 (X + 1)^4$.
8 invariant factors:
$Q_1(X) = Q_2(X) = X^{20} + X^{18} + X^{16} + X^{14} + X^{12} + X^8 + X^6 + X^4 + X^2 + 1$
$Q_3(X) = Q_4(X) = X^8 + X^6 + X^2 + 1 = (X + 1)^4 (X^2 + X + 1)^2$
$Q_5(X) = Q_6(X) = Q_7(X) = Q_8(X) = (X + 1)^2$

Maximizing the dimension of $W_L(c_1, \ldots, c_t)$
Theorem. Let $Q_1, Q_2, \ldots, Q_r$ be the $r$ invariant factors of $L$. For any $t \leq r$,
$$\max_{c_1, \ldots, c_t} \dim W_L(c_1, \ldots, c_t) = \sum_{i=1}^{t} \deg Q_i.$$
We need $r$ elements to get $W_L(D) = \mathbb{F}_2^n$.
For Prince. For $t = 5$, $\max \dim W_L(c_1, \ldots, c_5) = 20 + 20 + 8 + 8 + 2 = 58$. We need 8 elements to get the full space.
Mantis and Midori. $r = 16$ invariant factors: $Q_1(X) = \cdots = Q_8(X) = (X + 1)^6$ and $Q_9(X) = \cdots = Q_{16}(X) = (X + 1)^2$. For $t = 7$, $\max \dim W_L(c_1, \ldots, c_7) = 42$; for $t = 8$, $\max \dim W_L(c_1, \ldots, c_8) = 48$. We need 16 elements to get the full space.
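The quantity the whole argument hinges on is $\dim W_L(D)$. The following Python example is added here (it is not code from the slides or their authors): it computes $W_L(D)$ as the span of $\{L^t(c) : c \in D, t \geq 0\}$ by Gaussian elimination over GF(2), and checks the statements of the preceding slides (dimension equals the degree of a divisor of $\mathrm{Min}_L$, one constant per invariant factor to reach the full space, the $\dim \geq n-1$ "simple case") on two constructed toy linear layers: a cyclic rotation on $\mathbb{F}_2^4$ with minimal polynomial $(X+1)^4$, and two parallel copies of it on $\mathbb{F}_2^8$ with invariant factors $(X+1)^4, (X+1)^4$. All function names are the example's own.

```python
# Added example (not from the slides): W_L(D), the smallest L-invariant subspace
# of F_2^n containing D, computed as span{L^t(c) : c in D, t >= 0} by Gaussian
# elimination over GF(2).  Vectors are ints (bit i = coordinate i); a linear
# layer is any F_2-linear Python callable on such ints.
from collections.abc import Callable

Vec = int
Layer = Callable[[Vec], Vec]

def reduce_mod(basis: dict[int, Vec], v: Vec) -> Vec:
    """Reduce v against an echelon basis (pivot bit -> row whose top bit is that pivot)."""
    while v:
        p = v.bit_length() - 1
        if p not in basis:
            return v            # v is independent of the current basis
        v ^= basis[p]
    return 0

def invariant_subspace(L: Layer, D: list[Vec]) -> dict[int, Vec]:
    """Echelon basis of W_L(D): start from D and close the span under L."""
    basis: dict[int, Vec] = {}
    queue = list(D)
    while queue:
        v = reduce_mod(basis, queue.pop())
        if v:                    # new direction: keep it and also enqueue its image under L
            basis[v.bit_length() - 1] = v
            queue.append(L(v))
    return basis

def dim_W(L: Layer, D: list[Vec]) -> int:
    """dim W_L(D); for D = {c} this is the degree of the relative minimal polynomial of c."""
    return len(invariant_subspace(L, D))

def simple_case_excludes_attack(L: Layer, D: list[Vec], n: int) -> bool:
    """The 'simple case' of the slides: dim W_L(D) >= n-1 forces deg g <= 1."""
    return dim_W(L, D) >= n - 1

# Toy linear layers, constructed for this example (not taken from any cipher).
def rot4(x: Vec) -> Vec:
    """Cyclic shift on F_2^4; its minimal polynomial is X^4 + 1 = (X + 1)^4."""
    return ((x << 1) | (x >> 3)) & 0xF

def two_rot4(x: Vec) -> Vec:
    """Two parallel copies of rot4 on F_2^8: invariant factors (X+1)^4, (X+1)^4."""
    return rot4(x & 0xF) | (rot4(x >> 4) << 4)

def max_dim_single_constant(L: Layer, n: int) -> int:
    """max_c dim W_L(c) over all nonzero c in F_2^n, to compare with deg Min_L."""
    return max(dim_W(L, [c]) for c in range(1, 1 << n))
```

For `rot4` the constants 0001, 0011, 0101 and 1111 give dimensions 4, 3, 2 and 1, the degrees of the divisors of $(X+1)^4$; for `two_rot4` no single constant exceeds dimension 4 (one invariant factor), while the pair 0x01, 0x10 spans all of $\mathbb{F}_2^8$.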
Maximum dimension for $\#D$ constants
[Figure: $\max \dim W_L(D)$ (0 to 64) as a function of the number of constants $\#D$ (0 to 16), for Prince and Mantis.]

For random constants
For $t \geq r$, $\Pr_{c_1, \ldots, c_t \xleftarrow{\$} \mathbb{F}_2^n}\left[W_L(c_1, \ldots, c_t) = \mathbb{F}_2^n\right]$ can be computed from the degrees of the irreducible factors of $\mathrm{Min}_L$ and from the invariant factors of $L$.
LED. $\mathrm{Min}_L(X) = (X^8 + X^7 + X^5 + X^3 + 1)^4 (X^8 + X^7 + X^6 + X^5 + X^2 + X + 1)^4$, and $\Pr_{c \xleftarrow{\$} \mathbb{F}_2^{64}}\left[W_L(c) = \mathbb{F}_2^{64}\right] = (1 - 2^{-8})^2 \simeq 0.9922$.

Probability to achieve the full dimension
[Figure: $P(\dim W_L(D) = 64)$ (0 to 1) as a function of $\#D$ (0 to 26), for LED, Skinny64, Prince and Mantis.]

Conclusions
Easy to prevent the attack:
• by choosing a linear layer which has few invariant factors
• by choosing appropriate round constants
Open question: Can we use different invariants for the Sbox-layer and the linear layer?