1 / 27

Analysis and design of symmetric ciphers

Analysis and design of symmetric ciphers. David Wagner University of California, Berkeley. x. k. E k (x). What’s a block cipher?. E k : X → X bijective for all k. x. x. . k. E. block cipher. random permutation.  (x). E k (x). When is a block cipher secure?.

branden-blackburn
Download Presentation

Analysis and design of symmetric ciphers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analysis and design of symmetric ciphers David Wagner University of California, Berkeley

  2. x k Ek(x) What’s a block cipher? Ek : X→X bijective for all k

  3. x x  k E block cipher random permutation (x) Ek(x) When is a block cipher secure? Answer: when these two black boxes are indistinguishable.

  4. S S S S S S S S S S S S S S S S 4×4 matrix 4×4 matrix 4×4 matrix 4×4 matrix Example: The AES One round byte re-ordering S(x) = l(l’(x)-1) in GF(28), where l,l’ are GF(2)-linearand the MDS matrix and byte re-ordering are GF(28)-linear

  5. In this talk: • Survey of cryptanalysis of block ciphers • Steps towards a unifying view of this field • Algebraic attacks How do we tell if a block cipher is secure? How do we design good ones?

  6. 1. Identify local properties of its round functions 2. Piece these together into global properties of the whole cipher X X f1 X Ek = X fn X X How to attack a product cipher

  7. X Y where: fk = original round function fk gk’ gk’ = reduced round function ’ and: X Y gk’○  = ’ ○ fk Motif #1: projection Identify local properties using commutative diagrams:

  8.  X Y X Y f1 g1 f1 g1 ’ ’ X Y X Y ’ + f2 g2 = X Y ” X Y f2 g2 ” X Y Concatenating local properties Build global commutative diagrams out of local ones:

  9. X Y Ek g ’ X Y Exploiting global properties Use global properties to build a known-text attack: • The distinguisher: • Let (x, y) be a plaintext/ciphertext pair • If g((x)) =’(y), it’s probably from Ek • Otherwise, it’s from 

  10. Madryga leaves parity unchanged Let (x) = parity of x We see (Ek(x)) = (x) This yields a distinguisher Pr[((x)) = (x)] = ½ Pr[(Ek(x)) = (x)] = 1  GF(2) GF(2)64 id f1  GF(2) GF(2)64  GF(2) GF(2)64 id fn  GF(2) GF(2)64 Example: linearity in Madryga

  11. Suffices to find a property that holds with large enough probability Maybe probabilistic commutative diagrams?  X Y Ek g ’ X Y Motif #2: statistics Prob. p where p = Pr[’(Ek(x)) = g((x))]

  12. Stochastic comm. diagrams Ek , , ’ induce a stochastic process M (hopefully Markov); , , ’ yield M’ Pick a distance measure d(M, M’), say 1/||M(x) – M’(x)||2 where the r.v. x is uniform on X Then d(M,M’) known texts suffice to distinguish Ek from    X X Y Y  Ek M’ M ’ ’ X X Y Y A better formulation?

  13. Matsui’s linear cryptanalysis Set X = GF(2)64, Y = GF(2) Cryptanalyst chooses linear maps , ’ cleverly to make d(M,M’) as small as possible Then M is a 2×2 matrix of the form shown here, and 1/2known texts break the cipher  X Y Ek M [ ] ’ M = X Y Example: Linear cryptanalysis and d(M, M’) = 1/2

  14. Y M ’ Y Motif #3: higher-order attacks Use many encryptions to find better properties: X ×X • Here we’ve definedÊk(x,x’) = (Ek(x), Ek(x’)) Êk X ×X

  15. X M  X Example: Complementation Complementation properties are a simple example: X ×X • Take (x,x’) = x’ – x • Suppose M(Δ,Δ) = 1 for some cleverly chosen Δ • Then we obtain a complementation property • Exploit with chosen texts Êk X ×X

  16. X M  X Example: Differential crypt. Differential cryptanalysis: X ×X • Set X = GF(2)n, and take (x,x’) = x’ – x • If p = M(Δ,Δ’)» 0 for some clever choice of Δ, Δ’: • can distinguish with 2/p chosen plaintexts Êk X ×X

  17. X M  X Example: Impossible diff.’s Impossible differential cryptanalysis: X ×X • Set X = GF(2)n, and take (x,x’) = x’ – x • If M(Δ,Δ’)= 0 for some clever choice of Δ, Δ’: • can distinguish with 2/M’(Δ,Δ’) known texts Êk X ×X

  18. 1 Y M 2 Y Example: Truncated diff. crypt. Truncated differential cryptanalysis: • Set X = GF(2)n, Y = GF(2)m, cleverly choose linear maps φ1, φ2 : X → Y, and take i(x,x’) = φi(x’ – x) • If M(Δ,Δ’)» 0 for some clever choice of Δ, Δ’, we can distinguish X ×X Êk X ×X

  19. 1 Y1 M 2 Y2 Generalized truncated d.c. Generalized truncated differential cryptanalysis: • Take X, Yi,i as before; then= maxx||M(x) – M’(x)|| measures the distinguishing power of the attack • Generalizes the other attacks X ×X Êk X ×X

  20. The attacks, compared generalized truncated diff. crypt. truncated d.c. l.c. with multiple approximations impossible d.c. differential crypt. linear crypt. complementation props. linear factors

  21. Summary (1) • A few leitmotifs generate many known attacks • Many other attack methods can also be viewed this way (higher-order d.c., slide attacks, mod n attacks, d.c. over other groups, diff.-linear attacks, algebraic attacks, etc.) • Are there other powerful attacks in this space?Can we prove security against all commutative diagram attacks? • We’re primarily exploiting linearities in ciphers • E.g., the closure properties of GL(Y, Y)  Perm(X) • Are there other subgroups with useful closure properties?Are there interesting “non-linear’’ attacks?Can we prove security against all “linear” comm. diagram attacks?

  22. Part 2: Algebraic attacks

  23. id X X Ek p id X X Example: Interpolation attacks Express cipher as a polynomial in the message & key: • Write Ek(x) = p(x), then interpolate from known texts • Or, p’(Ek(x)) = p(x) • Generalization: probabilistic interpolation attacks • Noisy polynomial reconstruction, decoding Reed-Muller codes

  24. id X X Ek p/q id X X Example: Rational inter. attacks Express the cipher as a rational polynomial: • If Ek(x) = p(x)/q(x), then: • Write Ek(x)×q(x) = p(x), and apply linear algebra • Note: rational poly’s are closed under composition • Are probabilistic rational interpolation attacks feasible?

  25. X f1 p1 p2 X X X f2 X A generalization: resultants A possible direction: bivariate polynomials: • The small diagrams commute ifpi(x, fi(x)) = 0 for all x • Small diagrams can be composed to obtain q(x, f2(f1(x))) = 0, where q(x,z) = resy(p1(x,y), p2(y,z)) • Some details not worked out...

  26. Algebraic attacks, compared probabilistic bivariate attacks prob. rational interpol. bivariate attacks probabilistic interpol. rational interpol. MITM interpolation interpolation attacks

  27. Summary • Many cryptanalytic methods can be understood using only a few basic ideas • Commutative diagrams as a unifying theme? • Algebraic attacks of growing importance • Collaboration between cryptographic and mathematical communities might prove fruitful here

More Related