Subspace Trail Cryptanalysis and its Applications to AES - PowerPoint PPT Presentation

  1. Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017

  2. www.iaik.tugraz.at Introduction In the case of AES, several alternative representations (algebraic representation [MR02], dual ciphers of AES [BB02], super-box [DR06], twisted representation [Gil14], ...) have been proposed to highlight some aspects of its algebraic structure, differential nature, ... We introduce Subspace Trail Cryptanalysis to formally and easily describe distinguishers and key-recovery attacks on AES-like ciphers. We believe that the simplicity of the new representation can play a significant heuristic role in the investigation of structural attacks on AES-like ciphers.

  3. Table of Contents: 1 Subspace Trail Cryptanalysis (Subspace Trail Cryptanalysis for AES); 2 Example of Use Case: Applications on AES (Secret-Key Distinguishers; Low-Data Key-Recovery Attacks (only in the paper); Key-Recovery Attacks on AES with a single Secret S-Box (basic idea, details in the paper)); 3 Summary

  4. Part I Subspace Trail Cryptanalysis

  5. Invariant Subspace Cryptanalysis If an invariant subspace V exists such that F_k(V ⊕ a) = V ⊕ a, it is possible to mount distinguishers and key-recovery attacks (e.g. [LAA+11], [LMR+15], ...). If no special symmetries or constants allow for an invariant subspace, can subspace properties still be used?

  7. Subspace Trail Definition Let (V_0, V_1, ..., V_r) denote a set of r + 1 subspaces with dim(V_i) ≤ dim(V_{i+1}). If for each i = 0, ..., r − 1 and for each a_i ∈ V_i^⊥ there exists a (unique) a_{i+1} ∈ V_{i+1}^⊥ such that F(V_i ⊕ a_i) ⊆ V_{i+1} ⊕ a_{i+1}, then (V_0, V_1, ..., V_r) is a subspace trail of length r for the function F.

  8. Subspace Trail - Example Example of a Subspace Trail of length 1: ∀ a ∈ V_1^⊥ there exists b ∈ V_2^⊥ s.t. F_k(V_1 ⊕ a) ⊆ V_2 ⊕ b.

  9. AES High-level description of AES: block cipher based on a design principle known as substitution-permutation network; block size of 128 bits = 16 bytes, organized in a 4 × 4 matrix; key size of 128/192/256 bits; 10/12/14 rounds: R_i(x) = k_i ⊕ MC ∘ SR ∘ S-Box(x).

  10. Subspaces for AES We define the following subspaces: column space C_I; diagonal space D_I; inverse-diagonal space ID_I; mixed space M_I.

  11. The Column Space Definition Column spaces C_i for i ∈ {0, 1, 2, 3} are defined as C_i = ⟨e_{0,i}, e_{1,i}, e_{2,i}, e_{3,i}⟩. E.g. C_0 corresponds to the symbolic matrix
$$
C_0 = \left\{ \begin{pmatrix} x_1 & 0 & 0 & 0 \\ x_2 & 0 & 0 & 0 \\ x_3 & 0 & 0 & 0 \\ x_4 & 0 & 0 & 0 \end{pmatrix} \;\middle|\; \forall\, x_1, x_2, x_3, x_4 \in \mathbb{F}_{2^8} \right\}
\equiv \begin{pmatrix} x_1 & 0 & 0 & 0 \\ x_2 & 0 & 0 & 0 \\ x_3 & 0 & 0 & 0 \\ x_4 & 0 & 0 & 0 \end{pmatrix}
$$

  12. The Diagonal Space Definition Diagonal spaces D_i for i ∈ {0, 1, 2, 3} are defined as D_i = SR^{−1}(C_i) = ⟨e_{0,i}, e_{1,(i+1)}, e_{2,(i+2)}, e_{3,(i+3)}⟩. E.g. D_0 corresponds to the symbolic matrix
$$
D_0 \equiv \begin{pmatrix} x_1 & 0 & 0 & 0 \\ 0 & x_2 & 0 & 0 \\ 0 & 0 & x_3 & 0 \\ 0 & 0 & 0 & x_4 \end{pmatrix}
$$
for all x_1, x_2, x_3, x_4 ∈ F_{2^8}.

  13. The Inverse-Diagonal Space Definition Inverse-diagonal spaces ID_i for i ∈ {0, 1, 2, 3} are defined as ID_i = SR(C_i) = ⟨e_{0,i}, e_{1,(i−1)}, e_{2,(i−2)}, e_{3,(i−3)}⟩. E.g. ID_0 corresponds to the symbolic matrix
$$
ID_0 \equiv \begin{pmatrix} x_1 & 0 & 0 & 0 \\ 0 & 0 & 0 & x_2 \\ 0 & 0 & x_3 & 0 \\ 0 & x_4 & 0 & 0 \end{pmatrix}
$$
for all x_1, x_2, x_3, x_4 ∈ F_{2^8}.

  14. The Mixed Space Definition The i-th mixed spaces M_i for i ∈ {0, 1, 2, 3} are defined as M_i = MC(ID_i). E.g. M_0 corresponds to the symbolic matrix
$$
M_0 \equiv \begin{pmatrix}
\mathtt{0x02} \cdot x_1 & x_4 & x_3 & \mathtt{0x03} \cdot x_2 \\
x_1 & x_4 & \mathtt{0x03} \cdot x_3 & \mathtt{0x02} \cdot x_2 \\
x_1 & \mathtt{0x03} \cdot x_4 & \mathtt{0x02} \cdot x_3 & x_2 \\
\mathtt{0x03} \cdot x_1 & \mathtt{0x02} \cdot x_4 & x_3 & x_2
\end{pmatrix}
$$
for all x_1, x_2, x_3, x_4 ∈ F_{2^8}.

  15. Subspace Trail for AES Definition Let I ⊆ {0, 1, 2, 3}. The subspaces C_I, D_I, ID_I and M_I are defined as:
$$
C_I = \bigoplus_{i \in I} C_i, \qquad D_I = \bigoplus_{i \in I} D_i, \qquad ID_I = \bigoplus_{i \in I} ID_i, \qquad M_I = \bigoplus_{i \in I} M_i .
$$
{D_I, C_I, M_I} is a subspace trail of AES of length 2.

  16. Subspace Trail for AES (1/2) For each a ∈ D_I^⊥, there exists a unique b ∈ C_I^⊥ s.t. R(D_I ⊕ a) = C_I ⊕ b. E.g.: D_0 ⊕ a →(S-Box(·)) D_0 ⊕ b →(SR(·)) C_0 ⊕ c →(MC(·)) C_0 ⊕ d →(ARK(·)) C_0 ⊕ e, byte by byte (A = active byte, C = constant byte):
$$
\begin{pmatrix} A & C & C & C \\ C & A & C & C \\ C & C & A & C \\ C & C & C & A \end{pmatrix}
\xrightarrow{\text{S-Box}(\cdot)}
\begin{pmatrix} A & C & C & C \\ C & A & C & C \\ C & C & A & C \\ C & C & C & A \end{pmatrix}
\xrightarrow{SR(\cdot)}
\begin{pmatrix} A & C & C & C \\ A & C & C & C \\ A & C & C & C \\ A & C & C & C \end{pmatrix}
\xrightarrow{MC(\cdot)}
\begin{pmatrix} A & C & C & C \\ A & C & C & C \\ A & C & C & C \\ A & C & C & C \end{pmatrix}
$$

  17. Subspace Trail for AES (2/2) For each a ∈ C_I^⊥, there exists a unique b ∈ M_I^⊥ s.t. R(C_I ⊕ a) = M_I ⊕ b. E.g.: C_0 ⊕ a →(S-Box(·)) C_0 ⊕ b →(SR(·)) ID_0 ⊕ c →(MC(·)) M_0 ⊕ d →(ARK(·)) M_0 ⊕ e, byte by byte (A = active byte, C = constant byte):
$$
\begin{pmatrix} A & C & C & C \\ A & C & C & C \\ A & C & C & C \\ A & C & C & C \end{pmatrix}
\xrightarrow{\text{S-Box}(\cdot)}
\begin{pmatrix} A & C & C & C \\ A & C & C & C \\ A & C & C & C \\ A & C & C & C \end{pmatrix}
\xrightarrow{SR(\cdot)}
\begin{pmatrix} A & C & C & C \\ C & C & C & A \\ C & C & A & C \\ C & A & C & C \end{pmatrix}
\xrightarrow{MC(\cdot)}
\begin{pmatrix} A & A & A & A \\ A & A & A & A \\ A & A & A & A \\ A & A & A & A \end{pmatrix}
$$

  18. Part II Example of Use Case: Applications on AES

  19. Secret-Key Distinguisher up to 4 Rounds Re-describe - in a formal and easy way - Secret-Key Distinguishers up to 4 rounds that exploit a property which is independent of the secret key (Truncated Differential, Impossible Differential, Integral) using subspace trail notation. If x, y ∈ X ⊕ a, then x ⊕ y ∈ X.

  21. Truncated Differential - 3-round AES Equivalent to: Prob[R^3(p_1) ⊕ R^3(p_2) ∈ ID_{0,1,3} | p_1 ⊕ p_2 ∈ D_0] = 2^{−32}.

  23. Truncated Differential on 3-round AES - Comparison By A. Biryukov and D. Khovratovich [BK07]: "We will use a differential which starts with four active S-boxes at the 1st round. We choose those active S-boxes to appear in positions which arrive in one column after the ShiftRows transformation. Then with probability 2^{−6} four active S-boxes will collapse to three (one byte out of four getting a zero difference). After the second round the three active bytes are expanded into 12 active bytes and there will still remain 4 passive bytes. This differential can be schematically described as 4 → 3 → 12." Let I, J ⊆ {0, 1, 2, 3} with |I| = 1 and |J| = 3. For each p_1, p_2:
$$
p_1 \oplus p_2 \in D_I \;\xrightarrow[\text{prob. } 2^{-6}]{R(\cdot)}\; R(p_1) \oplus R(p_2) \in C_I \cap D_J \;\xrightarrow[\text{prob. } 1]{R^2(\cdot)}\; c_1 \oplus c_2 \in M_J
$$
where c_1 = R^3(p_1) and c_2 = R^3(p_2).
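As an added example (not code from the slides or from the authors), the following Python model of the AES round checks the trails above empirically: the D_I → C_I → M_I trail of the previous slides and the probability-1 part C_I ∩ D_J → M_J of the 4 → 3 → 12 differential. Round keys and the coset representative are constructed at random, and membership in a subspace is decided by which bytes of a difference are non-zero.

```python
import random
# Added example, not from the slides: a byte-level model of the AES round that
# checks subspace trails empirically by tracking which bytes of a difference are
# active. State is state[row][col]; GF(2^8) uses the AES polynomial 0x11B.
def gmul(a, b):                       # GF(2^8) multiplication
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r
def sbox(x):                          # AES S-box: x^254 in GF(2^8), then the affine map
    inv, p, e = 1, x, 254
    while e:
        inv, p, e = (gmul(inv, p) if e & 1 else inv), gmul(p, p), e >> 1
    rot = lambda v, i: ((v << i) | (v >> (8 - i))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
xor = lambda a, b: [[a[r][c] ^ b[r][c] for c in range(4)] for r in range(4)]
shift_rows = lambda s: [[s[r][(c + r) % 4] for c in range(4)] for r in range(4)]  # row r left by r
def mix(s, m):                        # multiply every column of s by the 4x4 matrix m
    return [[gmul(m[r][0], s[0][c]) ^ gmul(m[r][1], s[1][c]) ^ gmul(m[r][2], s[2][c])
             ^ gmul(m[r][3], s[3][c]) for c in range(4)] for r in range(4)]
def aes_round(s, k):                  # R(x) = k xor MC(SR(S-Box(x)))
    return xor(mix(shift_rows([[sbox(b) for b in row] for row in s]), MC), k)

# byte positions (row, col) spanned by C_I, D_I and ID_I for an index set I
C = lambda I: {(r, i) for r in range(4) for i in I}
D = lambda I: {(r, (i + r) % 4) for r in range(4) for i in I}   # D_I = SR^-1(C_I)
ID = lambda I: {(r, (i - r) % 4) for r in range(4) for i in I}  # ID_I = SR(C_I)
def in_span(s, pos):                  # every non-zero byte of s sits at a position in pos
    return all(s[r][c] == 0 or (r, c) in pos for r in range(4) for c in range(4))
def in_M(s, I):                       # M_I = MC(ID_I), so test MC^-1(s) against ID_I
    return in_span(mix(s, MC_INV), ID(I))

def trail_holds(start, rounds, end, n=16, seed=1):
    # encrypt n random elements of a coset whose free bytes are `start` through
    # `rounds` AES rounds and check that every output difference satisfies end()
    rng = random.Random(seed)
    rnd = lambda: [[rng.randrange(256) for _ in range(4)] for _ in range(4)]
    a, keys = rnd(), [rnd() for _ in range(rounds)]   # constructed coset element and round keys
    xs = [[[rng.randrange(256) if (r, c) in start else a[r][c] for c in range(4)]
           for r in range(4)] for _ in range(n)]
    for k in keys:
        xs = [aes_round(x, k) for x in xs]
    return all(end(xor(xs[0], y)) for y in xs[1:])

if __name__ == "__main__":            # D_0 -> C_0, D_0 -> M_0 and C_0 ∩ D_J -> M_J (the 3 -> 12 step)
    print(trail_holds(D({0}), 1, lambda d: in_span(d, C({0}))),
          trail_holds(D({0}), 2, lambda d: in_M(d, {0})),
          trail_holds(C({0}) & D({1, 2, 3}), 2, lambda d: in_M(d, {1, 2, 3})))
```

The 2^{-6} step of the differential (a column byte collapsing to zero) is not reproduced here; the script only confirms the probability-1 transitions.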
