Outline
• Introduction
• Feistel Structures and Two Basic Attacks
• Mathematical Foundations
• Improved Interpolation Attack
• New Integral Cryptanalysis
• Results of Attack on PURE
• Conclusion
FSE09----New Cryptanalysis of Block Ciphers with Low Algebraic Degree (B. Sun et al.)

Introduction
• For some ciphers, the round function can be described either by a low-degree polynomial or by a quotient of two low-degree polynomials over a finite field of characteristic 2.
• Such ciphers can be broken by the interpolation attack, which was first introduced by Jakobsen and Knudsen at FSE 1997.
• The interpolation attack can be applied to some ciphers which have provable security against differential and linear cryptanalysis (PURE).

Introduction
• Integral cryptanalysis considers the propagation of sums of (many) values. It is especially well suited to ciphers with bijective components (Rijndael).

Introduction
In this paper, by using an algebraic method, an improved interpolation attack and a new integral attack are proposed:
• 1) Instead of guessing the keys one by one, we find the round keys by solving some algebraic equations;
• 2) Instead of using the Lagrange interpolation formula, we compute the coefficients of polynomials by the Galois field Fourier transform, which can be seen as an extension of the SQUARE attack.

Feistel Structures and Basic Attacks
Round function of a Feistel cipher:
$a_i = b_{i-1}$, $b_i = f(b_{i-1} \oplus k_i) \oplus a_{i-1}$
$a_i = b_{i-1}$, $b_i = f(b_{i-1}, k_i) \oplus a_{i-1}$

Feistel Structures and Basic Attacks
Interpolation attack for an $r$-round cipher:
• Step 1: Compute the degree of the $(r-1)$-round cipher, say $N$;
• Step 2: Choose $N+2$ plaintexts $P$ at random and compute the corresponding ciphertexts $C$;
• Step 3: Guess the $r$-th round key $K$ and partially decrypt the ciphertexts; the results are denoted by $D$;
• Step 4: Apply the Lagrange interpolation formula to $N+1$ pairs $(P, D)$ to get the polynomial;
• Step 5: Use the $(N+2)$-th pair $(P, D)$ to check whether the polynomial is correct; if not, $K$ is a wrong key.
Complexity of the attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).

Feistel Structures and Basic Attacks
• Integral in previous papers: $(S, c) = \sum_{x \in S} c(x)$;
• Integral in this paper: $(S, c, i) = \sum_{x \in S} x^i c(x)$.

Mathematical Foundations
• Proposition 1. Let $P = (C, x)$ be the input to an $r$-round Feistel cipher, where $C \in \mathbb{F}_{2^n}$ is a constant. Let $m$ be the degree of the round function. Let $(a_t(x), b_t(x))$ be the output of the $t$-th round. If $0 < t < r$ and $m^{t-1} < 2^n$, then
$\deg a_t = m^{t-1}$, $\deg b_t = m^t$.
Furthermore, the leading coefficients of both $a_t(x)$ and $b_t(x)$ are 1.

Mathematical Foundations
• Proposition 2. For a Feistel cipher, assume the degree of the round function is an odd integer $m$ and the coefficient of the second-highest term of the round function is $a_{m-1}$. Consider the right half of the $t$-th round, say $b_t$. Then the coefficient of the second-highest term of $b_t$ is $k_1 \oplus a_{m-1}$ (note that this value is the same for many $t$), given that $t < r_0 - 1$, where $r_0 = \lfloor \log_m(2^n-1) \rfloor + 1$.

Improved Interpolation Attack - Algorithm 1
• Theorem 1. For an $r$-round $2n$-bit Feistel cipher, let the algebraic degree of the round function be an odd integer $m$, $r_0 = \lfloor \log_m(2^n-1) \rfloor + 1$ and $r < r_0$. Choosing plaintexts as $P = (C, x)$ where $C \in \mathbb{F}_{2^n}$ is a constant, the right half of the ciphertext is of the form
$$C_R(x) = x^{m^{r-1}} \oplus (k_1 \oplus a_{m-1})\, x^{m^{r-1}-1} \oplus q(x)$$
where $q(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree $< m^{r-1}-1$.

Improved Interpolation Attack - Algorithm 1
In this paper, the coefficient of the second-highest term is computed; it depends only on $k_1$ and $a_{m-1}$. In the original interpolation attack, $C_R = x^{m^{r-1}} \oplus g(x)$, and there is no information about the second-highest term.

Improved Interpolation Attack - Algorithm 1
Algorithm 1: Attack on Block Ciphers with $r \le r_0$ (I):
• Step 1: Encrypt $P = (C, x)$ for $m^{r-1}+1$ different $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
• Step 2: Compute $g(x) = x^{m^{r-1}} \oplus s\,x^{m^{r-1}-1} \oplus \dots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C_R(x)$;
• Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
Complexity of this attack: $m^{r-1}+1$ ($N$) encryptions, and the plaintexts/ciphertexts must be stored in order to apply the Lagrange interpolation formula.
Complexity of the original attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).

Improved Interpolation Attack
• Theorem 2. Let $r_0 = \lfloor \log_m(2^n-1) \rfloor + 1$ and $r = r_0 + 1$. For an $r$-round $2n$-bit Feistel cipher with the algebraic degree of the round function being an odd integer $m$, if the input to the cipher is of the form $P = (x, C)$ where $C \in \mathbb{F}_{2^n}$ is a constant, then the right half of the ciphertext is of the form
$$C_R(x) = x^{m^{r-2}} \oplus (f(k_1 \oplus C) \oplus k_2 \oplus a_{m-1})\, x^{m^{r-2}-1} \oplus p(x)$$
where $p(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree less than $m^{r-2}-1$.

Improved Interpolation Attack
Algorithm 2: Attack on Block Ciphers with $r \le r_0+1$ (I):
• Step 1: Encrypt $P = (x, C_1)$ for $m^{r-2}+1$ different $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L^{(1)}(x), C_R^{(1)}(x))$;
• Step 2: Compute $g(x) = x^{m^{r-2}} \oplus s_1 x^{m^{r-2}-1} \oplus \dots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C_R^{(1)}(x)$, thus $s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$;
• Step 3: Choose another two constants $C_2$ and $C_3$, repeat step 1 and step 2, and get $s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$, $s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$;
Continued…

Improved Interpolation Attack
Algorithm 2: Attack on Block Ciphers with $r \le r_0+1$ (I):
• Step 4: Find the common roots of the following equations:
$s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
$s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
$s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
Complexity of this attack: $3m^{r-1}+3$ encryptions, and the plaintexts/ciphertexts must be stored in order to apply the Lagrange interpolation formula.

New Integral Cryptanalysis
• For $2^n$ pairs $(x_i, y_i) \in \mathbb{F}_{2^n}^2$ where the $x_i$ are distinct, to find the polynomial $f(x)$ of degree $2^n-1$ such that $y_i = f(x_i)$, we can use the Lagrange interpolation formula. However, there is another way to compute $f(x)$.
• Theorem 3. Let $f(x) = \sum_i a_i x^i \in \mathbb{F}_{2^n}[x]$ be a polynomial with degree at most $2^n-1$. Then
$$a_i = \begin{cases} \sum_{x} x^{2^n-1-i} f(x) & \text{if } i \not\equiv 0 \bmod (2^n-1), \\ f(0) & \text{if } i = 0, \\ \sum_{x} f(x) & \text{if } i = 2^n-1. \end{cases}$$

New Integral Cryptanalysis
Algorithm 3: Attack on Block Ciphers with $r \le r_0$ (II):
• Step 1: Encrypt $P = (C, x)$ for all $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
• Step 2: Compute $s = \sum_x x^{2^n - m^{r-1}} C_R(x)$;
• Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
Complexity of this attack: $2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.

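Algorithm 3 with the coefficient formula of Theorem 3, as an added example (not code from the paper or the slides): a toy Feistel cipher over $\mathbb{F}_{2^8}$ with round function $f(x) = x^3 \oplus a_2 x^2$. The field polynomial, the constants, the round keys and the convention that the last round has no swap (so that $C_R$ has degree $m^{r-1}$ as in Theorem 1) are assumptions chosen for the illustration.

```python
# Added illustration with toy parameters; PURE itself uses n = 32 and f(x) = x^3.
N = 8             # half-block size in bits: arithmetic is in GF(2^8)
POLY = 0x11B      # reduction polynomial x^8+x^4+x^3+x+1 (assumed choice)
M, A2 = 3, 0x5A   # round function f(x) = x^3 + A2*x^2, so m = 3 and a_{m-1} = A2

def gf_mul(a, b):
    """Multiply two elements of GF(2^N) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^N)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def f(x):
    x2 = gf_mul(x, x)
    return gf_mul(x2, x) ^ gf_mul(A2, x2)

def encrypt(left, right, keys):
    """a_i = b_{i-1}, b_i = f(b_{i-1} ^ k_i) ^ a_{i-1}; assumed: no swap after the last round."""
    a, b = left, right
    for k in keys:
        a, b = b, f(b ^ k) ^ a
    return b, a   # (C_L, C_R) with C_R = b_{r-1}, of degree m^(r-1) in x

def recover_k1(oracle, rounds, const=0x3C):
    """Algorithm 3: one pass over all x, keeping only the running sum s."""
    assert 1 < M ** (rounds - 1) < (1 << N)   # needs 2 <= r <= r_0
    e = (1 << N) - M ** (rounds - 1)   # Theorem 3 exponent for the x^(m^(r-1)-1) term
    s = 0
    for x in range(1 << N):            # step 1: encrypt P = (C, x) for every x
        s ^= gf_mul(gf_pow(x, e), oracle(const, x)[1])   # step 2: s = sum x^e * C_R(x)
    return s ^ A2                      # step 3: k_1 = s + a_{m-1}

def demo(keys=(0xA7, 0x13, 0xE4, 0x6B)):   # constructed 4-round key schedule
    return recover_k1(lambda l, r: encrypt(l, r, keys), len(keys))
```

With these toy parameters $r_0 = \lfloor \log_3 255 \rfloor + 1 = 6$, and `demo()` returns the first round key `0xA7` from $2^8$ encryptions without storing any plaintext/ciphertext pair.
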
New Integral Cryptanalysis
Algorithm 4: Attack on Block Ciphers with $r \le r_0+1$ (II):
• Step 1: Encrypt $P^{(1)} = (x, C_1)$ for all $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L^{(1)}(x), C_R^{(1)}(x))$;
• Step 2: Compute $s_1 = \sum_x x^{2^n - m^{r-2}} C_R^{(1)}(x)$;
• Step 3: Choose another two constants $C_2$ and $C_3$, repeat step 1 and step 2, and get $s_2 = \sum_x x^{2^n - m^{r-2}} C_R^{(2)}(x)$, $s_3 = \sum_x x^{2^n - m^{r-2}} C_R^{(3)}(x)$;
Continued…

New Integral Cryptanalysis
Algorithm 4: Attack on Block Ciphers with $r \le r_0+1$ (II):
• Step 4: Find the common roots of the following equations:
$s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
$s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
$s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
Complexity of this attack: $3 \times 2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.

New Integral Cryptanalysis
Comparing Algorithm 3 with Algorithm 1, and Algorithm 4 with Algorithm 2, the new integral attacks have some merits:
• (1) There is no need to store plaintexts and corresponding ciphertexts, while these data must be stored in the original interpolation attack as well as in Algorithms 1 and 2;
• (2) There is no need to guess the key candidates. Thus the complexities of these attacks are $2^n$ and $3 \times 2^n$ respectively, counted as the number of plaintexts to be encrypted.

Results of Attack on PURE
As an example, we implemented the above attacks on PURE. PURE is a Feistel cipher with $2n = 64$ and $f(x) = x^3 \in \mathbb{F}_{2^{32}}[x]$. The new attacks show that PURE with $\le 22$ rounds is breakable on a personal computer. The following results were computed using the algebra software Magma.
[Table: Experimental Results of Attacks on Reduced-round PURE]

Conclusion
Both interpolation and integral attacks are improved in this paper. As an application, 22-round PURE can be broken on a personal computer, whereas it cannot be broken on a personal computer with the original method introduced at FSE 1997.

Conclusion
Two interesting problems:
• The SQUARE attack can be seen as a special case of this attack, since $\sum_x y$ is a special case of $\sum_x x^i y$. So can we use a similar method to analyze AES?
• How can this attack be extended to the case of rational polynomials? That is, if the cipher can be described as $g_1(x)/g_2(x)$ (SNAKE cipher), how can this attack be applied?

Thank You! Q & A?