nonlinearpolynomial invariant attacks · nonlinearpolynomial invariant attacks or how to backdoor a...

NonLinear Polynomial Invariant Attacksor How to Backdoor a Block Cipher

Nicolas T. CourtoisUniversity College London, UK

blog.bettercrypto.com

eprint = 2018/1242

Block Cipher Invariants

Roadmap

• Non-Linear Cryptanalysis

– Polynomial Invariants

– Backdoors

• What makes ciphers insecure? Nothing!

– Boolean functions

– Annihilators [very hard to avoid]

– Strong structural attack = “product attack”

– Lack of Unique Factorization inside the ring of Boolean functions Bn.

eprint/2018/1242

Algebraic Attacks on Block Ciphers Nicolas T. Courtois

Question 1:Why 0% of symmetric encryption

used in practice areprovably secure?

A New Frontier in Symmetric Cryptanalysis

Provably Secure Encryption!

Based on MQ Problem. Dense MQ is VERY hard. Best attack ≈ 20.8765n

• top of the top hard problem.• for both standard and PQ crypto

=> Allows to build a provably secure stream cipher based on MQ directly!

C. Berbain, H. Gilbert, and J. Patarin:

QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005

mqchallenge.org FXL/Joux 2017/372

Question 2:Why researchers have found

so few attacks on block ciphers?

because there are so many!(many attacks)

“mystified by complexity” lack of working examples: how a NL attack actually looks like??

-for a long time I thought it would about some irreducible polynomials-

Claim:Finding new attacks

on block ciphers isEASY and FUN

Dr. Nicolas T. Courtois blog.bettercrypto.com

1. cryptanalysis

2. industrial crypto

1. cryptanalysis

Code Breakers - LinkedIn

Cryptanalysis=def=Making the impossible possible.

How? two very large polynomials with 16+ vars are simply equal

Big Winner

“product attack”

a product of Boolean polynomials.

Claimed extremely powerful.Why?

@eprint/2018/1242

Definition

We say that P => Q for 1R

P(inputs) = Q(outputs)with proba =1, i.e. for every input

Another notation:P = Q

<=> P => Q for 1R

P(inputs) = Q(outputs)for any input with P=1

is 1 round of encryption

alsoP = Q

<=> P => Q for 1R

P(inputs) Q(output ANFs)formal equality of polynomials

is 1 round of encryption

must perform a substitution with

coded as ANFs

Main Problem:Two polynomials P => Q.

P(x1,…)

Q(y1,…)

is P=Q possible??

“Invariant Theory” [Hilbert]: set of all invariants for any block cipher forms a [graded] finitely generated [polynomial] ring. A+B; A*B

Key Remark:

To insure that P * R => P * R

we only need to make sure that P=>P but ONLY for a subspace

where R(inp)=1 and R(out)=1

Code Breakers

Nicolas T. Courtois21

3. Crypto History

1970sModern block ciphers are born.

In which country??

1970sModern block ciphers are born.

In which country??

Who knows…

Eastern Bloc also worked on these questions… and for a long time.

1927The real inventor of the

ANF = Algebraic Normal Form, see

en.wikipedia.org/wiki/Zhegalkin_polynomial

Russian mathematician and logician

Ива́н Ива́нович Жега́лкин [Moscow State University]

“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”

Bn,+,*

East German T-310 Block Cipher

240 bits

long-term secret 90 bits only!

“quasi-absolute security” [1973-1990]

has a physical

RNG=>IV

Technical ReferencesNicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi, Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf , 132 pages, 2017.

Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh:

Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018.

Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.

Cipher Class Alpha –1970s

Who invented Alpha? [full document not avail.]

T-310 [1973-1990] – Feistel with 4 branches

blog.bettercrypto.com

Roadmap

Backdoors vs.

“Normal” Cryptanalysis

All our attacks work with relatively large probability.

– so if you are not lucky a cipher which was NOT backdoored will also be broken!

LC in 1976 [Eastern Germany]

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]

Concept of [invariant] non-linear I/O sums.

P(inputs) = P(outputs) with some probability…

Connecting Non-Linear Approxs.Black-Box Approach

Non-linear functions F G H I.

F(x1,…)

G(y1,…) H(y1,…)

I(z1,…)

GLC and Feistel Ciphers?

[Knudsen and Robshaw, EuroCrypt’96

“one-round approximations that are non-linear […] cannot be joined together”…

At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!

BLC better than LC for DES

Better than the best existing linear attack of Matsui

for 3, 7, 11, 15, … rounds.

Ex: LC 11 rounds:

BLC 11 rounds:

Better Is Enemy of Good!DES = Courtois @ Crypto 2004 :

proba=1.0

deg 10

Wrong Approach [!!!!]Black-Box Combination Approach

constructive BUT limited possibilities…

F(x1,…)

G(y1,…) H(y1,…)

I(z1,…)

White Box Approach

New! [Courtois 2018]

Study of non-linear I/O sums.

P(inputs) = P(outputs)

notion of “primitive” or “sporadic” attacks not decomposed into simpler attacks

Example: 127 R periodic property, 127 being prime.

New White Box Approach

Study of non-linear I/O sums.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.

BIG PROBLEM: 22^n possible attacks

Variable Boolean Function

We denote by Z our Boolean function

We consider a space of ciphers where Z is variable.

Question: given a fixed polynomial Pwhat is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds).

How Do You Find An Attack?

22^n possible attacks

Invariant Hopping

attack 12x linear

attack 21x linear

attack 3

attack 4strong Bool + high degree invariant +

high success proba

Nicolas T. Courtois, January 200947

Group Theory – Is DES A Group?

Study of group generated by φK for any key K.

Typically AGL not GL. Any smaller sub-groups?

Hopping in Group Lattices

attack 1three invariants

linear Boolean function

attack 2two invariants

bad Boolean function

attack 36one high degree invariantstrong Boolean function

attack 36one complex high degree invariant

strong Boolean function

“Hopping” Discovery

• Learn from examples.

• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.

Backdoors

T-310 [Contracting Feistel, 1970s, Eastern Germany!]

1 round of T-310

Linear Attack – Example

Our Thm. [eprint/2017/440]

Impossible => Possible?

• We literally use “impossible” linear properties, which cannot happen and do not happen,

and construct a non-linear attack which works.

Key insight:

• P => Q 1R might be impossible to achieve.

• P*R =>Q*R may be possible to achieve.we only need to take care of a restricted subspace where either R(inputs)=1 or R(outputs)=1. Also typically strongly correlated.

Hopping Step 1 [WCC’19]First we look at an attack where the Boolean

function is linear and we have trivial LINEAR invariants (same as Matsui’s LC)

Example:

impossibletransition

Impossible?

“Only those who attempt the absurd will achieve the impossible.”

-- M. C. Escher

Backdoors

A Vulnerable Setup

1 round of T-310

Hopping Step2 [WCC’19]Now could you please tell us if

is an invariant?

Hopping Step2 Now could you please tell us if

is an invariant?

The answer is remarkably simple.

Hopping Step2Theorem:

is an invariant IF AND ONLY IF

a certain polynomial = FE =

is zero (as a polynomial, multiple cancellations)

Hopping Step2 Theorem:

a certain polynomial = FE =

FundamentalEquation

Compute FE?Theorem:

NotationTheorem:

P = P(inputs) P(output ANF) = P

NotationWe have

IF AND ONLY IF

is zero (as a polynomial, multiple cancellations)= FE

P = P(inputs) = P(output ANF) = P ?

Compact Notation

IF AND ONLY IF

(as a polynomial, multiple cancellations)= FE is zero

P = P ?

*Action of on polynomials.With P = P(inputs) there is no ambiguity.

With P(output ANF) = P we mean F,K,L

where F,K,L is the secret key+IV on 3 bits.

Trick: the result does NOT depend on F,K,L.

P = P(output ANF) =

P(a , b, c, d, … … … ) =

*Action of on polynomials.With P = P(inputs) there is no ambiguity.

With P(output ANF) = P we mean F,K,L

where F,K,L is the secret key+IV on 3 bits.

Trick: the result does NOT depend on F,K,L.

P = P(output ANF) =

P(a , b, c, d, … … … ) =

subs by ANF

White Box Cryptanalysis = New

[Courtois 2018]

Same concept of a non-linear I/O sums.Focus on perfect invariants mostly.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.Exploits the structure of the ring Bn.

• annihilation events absorption events, nb. of vars collapses

• would be unthinkable if we had unique factorisation

ABCD=A’B’C’D’

Reynolds/Noether Maps in Invariant Theory

Goal: transform bc into an invariant. In maths:

��(bc ��) =1

|�|� bc�

�∈�

G=full group of transformations acting on polynomials

generated by the full cipher for any key and any Nr

huge non-commutative grouptoo large to work with?

thanks to Felix Ulmer

duplication/left cosetsG <=bijection=> {h+g}, where h has no effect,g belongs in a smaller subgroup

not commutative

*Reynolds Revisited

�� bc �� =1

�� bc�

�∈�

G=smaller group of transformations acting on degree 2 monomials which is dictated by the structure of the cipher • blue terms cancel in , • steps with ? are not guaranteed to work unless FE==0

**Reynolds Revisited

�� bc �� =1

�� bc�

�∈�G=smaller cyclic group => simply a cycle starting from bc.Example for DES cipher (for a specific choice of S-boxes): • start with a degree 4 monomial, e.g.

L02*L05*R02*R05 => period = 8 mindeg=4 maxdeg=14

• summing over this cycle gives the following invariant:sum is of size=3 deg=14

L01*L02*L08*L29*L30*L31*L32*R01*R29*R30*R31*R32+L01*L05*L08*L29*L30*L31*L32*R01*R05*R08*R29*R30*R31*R32+L01*L29*L30*L31*L32*R01*R02*R08*R29*R30*R31*R32can be factored as === L01*L29*L30*L31*L32*R01*R29*R30*R31*R32* (L02*L08+L05*L08*R05*R08+R08*R02)

• with another set of S-boxes we get a period = 24 mindeg=4 maxdeg=20 and sum is of size=184 deg=20• L08*R08*(very complex polynomial)

Conclusion Step2Theorem:

What is Special About P2-factoring decomposition

= AC+BD.

is invariant IF AND ONLY IF

some solutions are:

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

a multiple of the previous polynomial!

Corollary:Easy Thm. [not included in the paper].

For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2)then also ABCD is an invariant (degree 4).

Note: there is no invariant of degree 3 etc

[Graded] Ring Of InvariantsAny more invariants?

As always in Maths we have a Ring* of Invariants denoted by

B[a,b..]G where B[a,b..]==IF2[a,b..]/(a2=a..)

and G=huge group generated by our block cipher. Here this ring has only 5 elements:

B[a,b..]G ={0, 1, AC+BD, ABCD, ABCD+AC+BD}

Not more! Well actually there could be more @higher degrees.

*Classical tool: Molien formal power series = 1 + z2 + z4 and no more terms.

*finitely generatedcf. Hilbert

absorber

Hilbert Basis (always Finite)We say that

{AC+BD, ABCD}

For a Hilbert basis of our Ring of Invariants

B[a,b..]G =

{0, 1, AC+BD, ABCD, ABCD+AC+BD}

we also have a POSET

and a lattice (w.r.t division | ).absorber

or maximal

*def. every invariant is

a polynomial function of basis elements

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????

Answer: easy: a root of second polynomial and NOT a root of the first [almost always].

mC=YCmBCD=YBCD

Summary [WCC’19]1. We start with a trivial attack on a weak cipher.

Benefit: FE has a solution.

2. Then some non-linear invariants P also exist.

3. Another Boolean function Z works because FE has more roots.

4. In several steps we modify the cipher wiring, Z[manipulation of roots of our FE] so that simple invariants P are removed.

5. What you get is like a backdoor! – Potentially hard to detect. High degree P.

A Better Attack?

problem: “strong” Boolean functions

Conclusion@WCCWe modify the cipher and the invariant

so that simple invariants disappear.

Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]

The degree of P must increase to 8.

Irreducible PolynomialsRemark:

For a long time we searched for invariant attacks where P

is an irreducible polynomial.

We were wrong!

New Paradigm [1905.04684]

Product Attack

Trivial NL invariants based on cycles in LC.

A B C D A

Then ABCD is a round invariant of degree 4. Invariants form a ring B[a,b..]G

Stupid??

*finitely generated

Product Question

A B C D E A

Then ABCDE is a round invariant of degree 5.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.

Product Attack

A B C D E A

Then ABCDE is a round invariant of degree 5.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.

Simpler invariants can be REMOVED!!!!

attack 36one complex high degree invariant

strong Boolean function

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a random Boolean function?

Strong Structural AttackNot as strong as a “generic attack” but close.

Can work for a LOT MORE rounds!

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a “strong” (e.g. random) Boolean function?

YES, see [eprint/2018/1242]

Degree 8 attack, P =ABCDEFGH.

Thm 5.5. In eprint/2018/1242 page 18.

P =ABCDEFGH

is invariant if and only if this polynomial vanishes:

Can a polynomial with 16 variables with 2 very complex Boolean functions just disappear?

Hard Becomes EasyPhase transition: eprint/2018/1242.

• When P degree grows, attacks become a

LOT easier.

• Degree 8: extremely strong:

15% success rate over the choice of a random Boolean function and with P =ABCDEFGH.

(3 variants)

WHAT??????????

Let Y = Random Bool.Can we HOPE that for

we have for example:

mBCD=YBCD i.e.

0=(Y+m)BCD

Thm 6.0.1: Courtois-Meier Eurocypt 2003.

For any Z with 6 variables, Z or Z+1 always has some cubic annihilators.

Thm 6.4: [eprint/2018/1242] For Z(a+b)(c+d)(e+f)=0, any Boolean function works with probability of 5%.

Bonus: New Non-Trivial Attacksan irregular sporadic attack with P of degree 7

Proof [Outline]sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D) =def= sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))

sage: 0

Proof involves absorptions of type W= and Y=.

polynomials W,Y operate on disjoint inputs

Interesting Events inside Our Proof

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

degree 2 out 56 out 16 variables each

100% disjoint sets

**another example

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

90% disjoint

problem:

a LOT more key bits

48 instead of 2 in each round

Simple BLC Backdoor on DES

Closed Loops

Key concept: “closed loop configurations”.

term used in paper which won the best paper award at Asiacrypt 2018

not new

Closed Loops–works for DES, GOST, etc

In GOST block cipher:

GOST cipher

Closed LoopsFor T-310 cipher

Closed Loops…For DES – with original P-box

DES loops

reality is more interesting than fiction!

Security of DES (overview)

Nicolas T. Courtois, September 2007109

DES P-box1

1 2 3 4 5 6

1 2 3 4

A B C D E F

W X Y Z

Degree 5 Attack on DESTheorem: Let P =

(1+L06+L07)*L12 * R13*R24*R28

(1+c+d)*W2==0 and (1+c+d)*X2==0

e*W3==0 and f*Z3==0

ae*X7==0 and ae*Z7==0

THEN P is an invariant for

1 round of DES.

nonlinearpolynomial invariant attacks · nonlinearpolynomial invariant attacks or how to backdoor a...

Documents

el arte de dirigir - gaston courtois

stéphane courtois: the black book of communism

practical algebraic attacks on the hitag2 tm stream...

new frontiers in symmetric cryptanalysis · 2 algebraic...

on optimal size in truncated differential...

courtois gérard - manuel pratique de culture maraichère

early antoine courtois cornets - brass...

semantic structures and logic properties of computer-based...

the security of hidden field equations - nicolas...

o livro negro do comunismo stephane courtois

tpe elisabeth dao, marie-emilie esclangon, paul courtois

ze jam afane et vincent courtois - auxheuresete.com

invariant world, invariant mind. evolutionary psychology...

courtois, gaston - l'éducation de la volontè

invariant variational problems invariant curve flows

practical algebraic attacks on the hitag2 tm stream...

stephane courtois (coord.)- black book of communism

le roman courtois

complex trauma christine a. courtois, ph.d.€¦ · u...

security notions and definitions - nicolas courtois ·...