
  1. Outline
     • Introduction
     • Feistel Structures and Two Basic Attacks
     • Mathematical Foundations
     • Improved Interpolation Attack
     • New Integral Cryptanalysis
     • Results of Attack on PURE
     • Conclusion
     FSE09----New Cryptanalysis of Block Ciphers with Low Algebraic Degree (B. Sun et al.)

  2. Introduction
     • For some ciphers, the round function can be described either by a low-degree polynomial or by a quotient of two low-degree polynomials over a finite field of characteristic 2.
     • Such ciphers can be broken with the interpolation attack, which was first introduced by Jakobsen and Knudsen at FSE 1997.
     • The interpolation attack can be applied to some ciphers which have provable security against differential and linear cryptanalysis (PURE).

  3. Introduction
     • Integral cryptanalysis considers the propagation of sums of (many) values. It is especially well suited to ciphers with bijective components (Rijndael).

  4. Introduction
     In this paper, by using an algebraic method, an improved interpolation attack and a new integral attack are proposed:
     • 1) Instead of guessing the keys one by one, we find the round keys by solving some algebraic equations;
     • 2) Instead of using the Lagrange interpolation formula, we compute the coefficients of polynomials by the Galois Field Fourier Transformation, which can be seen as an extension of the SQUARE attack.

  5. Feistel Structures and Basic Attacks
     Round function of a Feistel cipher:
     $a_i = b_{i-1}$, $b_i = f(b_{i-1} \oplus k_i) \oplus a_{i-1}$
     $a_i = b_{i-1}$, $b_i = f(b_{i-1}, k_i) \oplus a_{i-1}$

  6. Feistel Structures and Basic Attacks
     Complexity of the attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).
     Interpolation attack for an r-round cipher:
     • Step 1: Compute the degree of the (r-1)-round cipher, say $N$;
     • Step 2: Choose $N+2$ plaintexts $P$ at random and compute the corresponding ciphertexts $C$;
     • Step 3: Guess the r-th round key $K$ and partially decrypt the ciphertexts; the results are denoted by $D$;
     • Step 4: Apply the Lagrange interpolation formula to $N+1$ pairs $(P,D)$ to get the polynomial;
     • Step 5: Use the $(N+2)$-th pair $(P,D)$ to check whether the polynomial is correct; if not, $K$ is a wrong key.

  7. Feistel Structures and Basic Attacks
     • Integral in previous papers: $(S,c) = \sum_{x \in S} c(x)$;
     • Integral in this paper: $(S,c,i) = \sum_{x \in S} x^i c(x)$;

  8. Mathematical Foundations
     • Proposition 1. Let $P=(C,x)$ be the input to an r-round Feistel cipher, where $C \in \mathbb{F}_{2^n}$ is a constant. Let $m$ be the degree of the round function. Let $(a_t(x), b_t(x))$ be the output of the t-th round. If $0 < t < r$ and $m^{t-1} < 2^n$, then
       $\deg a_t = m^{t-1}$, $\deg b_t = m^t$.
       Furthermore, the leading coefficients of both $a_t(x)$ and $b_t(x)$ are 1.


  10. Mathematical Foundations
     • Proposition 2. For a Feistel cipher, assume the degree of the round function is an odd integer $m$ and the coefficient of the second highest term of the round function is $a_{m-1}$. Consider the right half of the t-th round, say $b_t$. Then the coefficient of the second highest term of $b_t$ is $k_1 \oplus a_{m-1}$ (note this value is the same for many $t$), given that $t < r_0 - 1$, where $r_0 = \lfloor \log_m(2^n-1) \rfloor + 1$.

  11. Improved Interpolation Attack - Algorithm 1
     • Theorem 1. For an r-round 2n-bit Feistel cipher, let the algebraic degree of the round function be an odd integer $m$, $r_0 = \lfloor \log_m(2^n-1) \rfloor + 1$ and $r < r_0$. Choosing plaintexts as $P=(C,x)$ where $C \in \mathbb{F}_{2^n}$ is a constant, the right half of the ciphertext is of the form
       $C_R(x) = x^{m^{r-1}} \oplus (k_1 \oplus a_{m-1})\, x^{m^{r-1}-1} \oplus q(x)$
       where $q(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree $< m^{r-1}-1$.

  12. Improved Interpolation Attack - Algorithm 1
     In this paper, the coefficient of the second highest term is computed, which depends only on $k_1$ and $a_{m-1}$. In the original interpolation attack, $C_R = x^{m^{r-1}} \oplus g(x)$, there is no information about the second highest term.

  13. Improved Interpolation Attack - Algorithm 1
     Algorithm 1: Attack on Block Ciphers with $r \le r_0$ (I):
     • Step 1: Encrypt $P=(C,x)$ for $m^{r-1}+1$ different $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
     • Step 2: Compute $g(x) = x^{m^{r-1}} \oplus s\, x^{m^{r-1}-1} \oplus \dots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C_R(x)$;
     • Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
     Complexity of this attack: $m^{r-1}+1$ ($N$) encryptions, and the plaintexts/ciphertexts must be stored in order to apply the Lagrange interpolation formula.
     Complexity of the original attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).

  14. Improved Interpolation Attack
     • Theorem 2. Let $r_0 = \lfloor \log_m(2^n-1) \rfloor + 1$ and $r = r_0 + 1$. Then for an r-round 2n-bit Feistel cipher with the algebraic degree of the round function being an odd integer $m$, if the input to the cipher is of the form $P=(x,C)$ where $C \in \mathbb{F}_{2^n}$ is a constant, the right half of the ciphertext is of the form
       $C_R(x) = x^{m^{r-2}} \oplus (f(k_1 \oplus C) \oplus k_2 \oplus a_{m-1})\, x^{m^{r-2}-1} \oplus p(x)$
       where $p(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree less than $m^{r-2}-1$.

  15. Improved Interpolation Attack
     Algorithm 2: Attack on Block Ciphers with $r \le r_0+1$ (I):
     • Step 1: Encrypt $P=(x,C_1)$ for $m^{r-2}+1$ different $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C^{(1)}_L(x), C^{(1)}_R(x))$;
     • Step 2: Compute $g(x) = x^{m^{r-2}} \oplus s_1 x^{m^{r-2}-1} \oplus \dots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C^{(1)}_R(x)$, thus $s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$;
     • Step 3: Choose another two constants $C_2$ and $C_3$, repeat Step 1 and Step 2, and get $s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$, $s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$;
     Continue…

  16. Improved Interpolation Attack
     Algorithm 2: Attack on Block Ciphers with $r \le r_0+1$ (I):
     • Step 4: Find the common roots of the following equations:
       $s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
       $s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
       $s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
     Complexity of this attack: $3m^{r-1}+3$ encryptions, and the plaintexts/ciphertexts must be stored in order to apply the Lagrange interpolation formula.

  17. New Integral Cryptanalysis
     • For $2^n$ pairs $(x_i, y_i) \in \mathbb{F}_{2^n}^2$ where the $x_i$ are distinct, to find the polynomial $f(x)$ of degree $2^n-1$ such that $y_i = f(x_i)$, we can use the Lagrange interpolation formula. However, there is another way to compute $f(x)$.
     • Theorem 3. Let $f(x) = \sum_i a_i x^i \in \mathbb{F}_{2^n}[x]$ be a polynomial with degree at most $2^n-1$. Then
       $a_i = \sum_x x^{2^n-1-i} f(x)$ if $i \not\equiv 0 \bmod (2^n-1)$,
       $a_i = f(0)$ if $i = 0$,
       $a_i = \sum_x f(x)$ if $i = 2^n-1$.

  18. New Integral Cryptanalysis
     Algorithm 3: Attack on Block Ciphers with $r \le r_0$ (II):
     • Step 1: Encrypt $P=(C,x)$ for all $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
     • Step 2: Compute $s = \sum_x x^{2^n - m^{r-1}} C_R(x)$;
     • Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
     Complexity of this attack: $2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.
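The coefficient formula of Theorem 3 and the key-recovery sum of Algorithm 3, run on a constructed toy instance (an added example, not code from the slides or the paper): $n=8$ over GF(2^8) with the AES reduction polynomial, PURE's round function $f(x)=x^3$, five rounds, and an assumed output convention with no swap after the last round. It shows why a low-degree round function is unsafe: the first round key appears directly as a coefficient of the ciphertext polynomial.

```python
# Added example. Constructed toy parameters: n = 8 (GF(2^8), AES modulus),
# round function f(x) = x^3 as in PURE, so m = 3 and a_{m-1} = 0.
N, POLY, M = 8, 0x11B, 3
Q = 1 << N

def gf_mul(a, b):
    """Carry-less multiply reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply; gf_pow(0, 0) == 1, as the sums in Theorem 3 need."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def encrypt(left, right, keys):
    """Feistel rounds a_i = b_{i-1}, b_i = f(b_{i-1} ^ k_i) ^ a_{i-1}."""
    a, b = left, right
    for k in keys:
        a, b = b, gf_pow(b ^ k, M) ^ a
    return b, a  # assumed: no swap after the last round, so C_R = b_{r-1}

def coefficient(i, func):
    """Theorem 3: coefficient a_i of the degree <= 2^n - 1 polynomial equal to func."""
    if i == 0:
        return func(0)
    acc = 0  # running XOR only: no plaintext/ciphertext table is kept
    for x in range(Q):
        acc ^= gf_mul(gf_pow(x, Q - 1 - i), func(x))
    return acc

def recover_k1(oracle, rounds, const=0x5A):
    """Algorithm 3: s = sum_x x^(2^n - m^(r-1)) * C_R(x), then k1 = s ^ a_{m-1}."""
    s = coefficient(M ** (rounds - 1) - 1, lambda x: oracle(const, x)[1])
    return s ^ 0  # a_{m-1} = 0 for f(x) = x^3

if __name__ == "__main__":
    keys = [0xC3, 0x17, 0x9E, 0x4D, 0x71]  # constructed 5-round key schedule
    print(hex(recover_k1(lambda l, r: encrypt(l, r, keys), rounds=5)))
```

With $n=8$ and $m=3$, $r_0 = 6$, so five rounds satisfy $r < r_0$ and $C_R$ has degree $3^4 = 81$, well below $2^8 - 1$.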

  19. New Integral Cryptanalysis
     Algorithm 4: Attack on Block Ciphers with $r \le r_0+1$ (II):
     • Step 1: Encrypt $P^{(1)}=(x,C_1)$ for all $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C^{(1)}_L(x), C^{(1)}_R(x))$;
     • Step 2: Compute $s_1 = \sum_x x^{2^n - m^{r-2}} C^{(1)}_R(x)$;
     • Step 3: Choose another two constants $C_2$ and $C_3$, repeat Step 1 and Step 2, and get $s_2 = \sum_x x^{2^n - m^{r-2}} C^{(2)}_R(x)$, $s_3 = \sum_x x^{2^n - m^{r-2}} C^{(3)}_R(x)$;
     Continue…

  20. New Integral Cryptanalysis
     Algorithm 4: Attack on Block Ciphers with $r \le r_0+1$ (II):
     • Step 4: Find the common roots of the following equations:
       $s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
       $s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
       $s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
     Complexity of this attack: $3 \times 2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.

  21. New Integral Cryptanalysis
     Comparing Algorithm 3 with Algorithm 1, and Algorithm 4 with Algorithm 2, the new integral attacks have some merits:
     • (1) There is no need to store plaintexts and corresponding ciphertexts, while these data must be stored in the original interpolation attack as well as in Algorithms 1 and 2;
     • (2) There is no need to guess the key candidates. Thus the complexities of these attacks are $2^n$ and $3 \times 2^n$ respectively, measured in the number of plaintexts to be encrypted.

  22. Results of Attack on PURE
     As an example, we implemented the above attacks on PURE. PURE is a Feistel cipher with $2n=64$ and $f(x)=x^3 \in \mathbb{F}_{2^{32}}[x]$. The new attacks show that PURE with round $\le 22$ is breakable on a personal computer. The following results were computed using the algebra software Magma.
     Experimental Results of Attacks on Reduced-round PURE

  23. Conclusion
     Both interpolation and integral attacks are improved in this paper. As an application, 22-round PURE can be broken on a personal computer, whereas it cannot be broken on a personal computer using the original method introduced at FSE 1997.

  24. Conclusion
     Two interesting problems:
     • The SQUARE attack can be seen as a special case of this attack, since $\sum_x y$ is a special case of $\sum_x x^i y$. So can we use a similar method to analyze AES?
     • How can this attack be extended to the case of rational polynomials, that is, if the cipher can be described as $g_1(x)/g_2(x)$ (SNAKE cipher), how can this attack be applied?

  25. Thank You! Q & A?
