nonlinearpolynomial invariant attacks · nonlinearpolynomial invariant attacks or how to backdoor a...
Post on 08-Aug-2020
9 Views
Preview:
TRANSCRIPT
NonLinear Polynomial Invariant Attacksor How to Backdoor a Block Cipher
Nicolas T. CourtoisUniversity College London, UK
blog.bettercrypto.com
eprint = 2018/1242
Block Cipher Invariants
2
Roadmap
• Non-Linear Cryptanalysis
– Polynomial Invariants
– Backdoors
• What makes ciphers insecure? Nothing!
– Boolean functions
– Annihilators [very hard to avoid]
– Strong structural attack = “product attack”
– Lack of Unique Factorization inside the ring of Boolean functions Bn.
eprint/2018/1242
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
3
Question 1:Why 0% of symmetric encryption
used in practice areprovably secure?
A New Frontier in Symmetric Cryptanalysis
4
Provably Secure Encryption!
Based on MQ Problem. Dense MQ is VERY hard. Best attack ≈ 20.8765n
• top of the top hard problem.• for both standard and PQ crypto
=> Allows to build a provably secure stream cipher based on MQ directly!
C. Berbain, H. Gilbert, and J. Patarin:
QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005
mqchallenge.org FXL/Joux 2017/372
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
5
Question 2:Why researchers have found
so few attacks on block ciphers?
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
6
Question 2:Why researchers have found
so few attacks on block ciphers?
because there are so many!(many attacks)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
7
Question 2:Why researchers have found
so few attacks on block ciphers?
“mystified by complexity” lack of working examples: how a NL attack actually looks like??
-for a long time I thought it would about some irreducible polynomials-
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
8
?
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
9
Claim:Finding new attacks
on block ciphers isEASY and FUN
Block Cipher Invariants
10
Dr. Nicolas T. Courtois blog.bettercrypto.com
1. cryptanalysis
Block Cipher Invariants
11
Dr. Nicolas T. Courtois blog.bettercrypto.com
1. cryptanalysis
2. industrial crypto
Block Cipher Invariants
12
Dr. Nicolas T. Courtois blog.bettercrypto.com
1. cryptanalysis
Block Cipher Invariants
13
Code Breakers - LinkedIn
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
14
Cryptanalysis=def=Making the impossible possible.
How? two very large polynomials with 16+ vars are simply equal
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
15
Big Winner
“product attack”
a product of Boolean polynomials.
Claimed extremely powerful.Why?
@eprint/2018/1242
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
16
Definition
We say that P => Q for 1R
if
P(inputs) = Q(outputs)with proba =1, i.e. for every input
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
17
Another notation:P = Q
<=> P => Q for 1R
<=>
P(inputs) = Q(outputs)for any input with P=1
is 1 round of encryption
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
18
alsoP = Q
<=> P => Q for 1R
<=>
P(inputs) Q(output ANFs)formal equality of polynomials
is 1 round of encryption
must perform a substitution with
coded as ANFs
Block Cipher Invariants
Main Problem:Two polynomials P => Q.
P(x1,…)
Q(y1,…)
is P=Q possible??
“Invariant Theory” [Hilbert]: set of all invariants for any block cipher forms a [graded] finitely generated [polynomial] ring. A+B; A*B
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
20
Key Remark:
To insure that P * R => P * R
we only need to make sure that P=>P but ONLY for a subspace
where R(inp)=1 and R(out)=1
Code Breakers
Nicolas T. Courtois21
3. Crypto History
Block Cipher Invariants
22
1970sModern block ciphers are born.
In which country??
Block Cipher Invariants
23
1970sModern block ciphers are born.
In which country??
Who knows…
Eastern Bloc also worked on these questions… and for a long time.
Block Cipher Invariants
24
1927The real inventor of the
ANF = Algebraic Normal Form, see
en.wikipedia.org/wiki/Zhegalkin_polynomial
Russian mathematician and logician
Ива́н Ива́нович Жега́лкин [Moscow State University]
“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”
Bn,+,*
T-310
Nicolas T. Courtois25
East German T-310 Block Cipher
240 bits
long-term secret 90 bits only!
“quasi-absolute security” [1973-1990]
has a physical
RNG=>IV
Block Cipher Invariants
Technical ReferencesNicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi, Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf , 132 pages, 2017.
Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh:
Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018.
Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.
Block Cipher Invariants
27
Cipher Class Alpha –1970s
Who invented Alpha? [full document not avail.]
Block Cipher Invariants
28
T-310 [1973-1990] – Feistel with 4 branches
Block Cipher Invariants
29
blog.bettercrypto.com
Roadmap
30
Backdoors vs.
“Normal” Cryptanalysis
All our attacks work with relatively large probability.
– so if you are not lucky a cipher which was NOT backdoored will also be broken!
Block Cipher Invariants
34
LC in 1976 [Eastern Germany]
Block Cipher Invariants
35
Generalised Linear Cryptanalysis= GLC =
[Harpes, Kramer and Massey, Eurocrypt’95]
Block Cipher Invariants
36
Generalised Linear Cryptanalysis= GLC =
[Harpes, Kramer and Massey, Eurocrypt’95]
Concept of [invariant] non-linear I/O sums.
P(inputs) = P(outputs) with some probability…
Block Cipher Invariants
37
Connecting Non-Linear Approxs.Black-Box Approach
Non-linear functions F G H I.
F(x1,…)
G(y1,…) H(y1,…)
I(z1,…)
Block Cipher Invariants
38
GLC and Feistel Ciphers?
[Knudsen and Robshaw, EuroCrypt’96
“one-round approximations that are non-linear […] cannot be joined together”…
At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!
Block Cipher Invariants
39
BLC better than LC for DES
Better than the best existing linear attack of Matsui
for 3, 7, 11, 15, … rounds.
Ex: LC 11 rounds:
BLC 11 rounds:
Block Cipher Invariants
40
Better Is Enemy of Good!DES = Courtois @ Crypto 2004 :
proba=1.0
deg 1
deg 2
deg 10
Block Cipher Invariants
41
Wrong Approach [!!!!]Black-Box Combination Approach
constructive BUT limited possibilities…
F(x1,…)
G(y1,…) H(y1,…)
I(z1,…)
Block Cipher Invariants
42
White Box Approach
New! [Courtois 2018]
Study of non-linear I/O sums.
P(inputs) = P(outputs)
notion of “primitive” or “sporadic” attacks not decomposed into simpler attacks
Example: 127 R periodic property, 127 being prime.
Block Cipher Invariants
43
New White Box Approach
Study of non-linear I/O sums.
.
P(inputs) = P(outputs) with probability 1.
Formal equality of 2 polynomials.
BIG PROBLEM: 22^n possible attacks
Block Cipher Invariants
44
Variable Boolean Function
We denote by Z our Boolean function
We consider a space of ciphers where Z is variable.
Question: given a fixed polynomial Pwhat is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds).
Block Cipher Invariants
45
How Do You Find An Attack?
22^n possible attacks
Block Cipher Invariants
46
Invariant Hopping
attack 12x linear
attack 21x linear
attack 3
attack 4strong Bool + high degree invariant +
high success proba
Block Cipher Invariants
Nicolas T. Courtois, January 200947
Group Theory – Is DES A Group?
Study of group generated by φK for any key K.
Typically AGL not GL. Any smaller sub-groups?
Block Cipher Invariants
48
Hopping in Group Lattices
attack 1three invariants
linear Boolean function
AGL
Block Cipher Invariants
49
Hopping in Group Lattices
attack 1three invariants
linear Boolean function
attack 2two invariants
bad Boolean function
AGL
Block Cipher Invariants
50
Hopping in Group Lattices
attack 1three invariants
linear Boolean function
attack 2two invariants
bad Boolean function
attack 36one high degree invariantstrong Boolean function
AGL
Block Cipher Invariants
Nicolas T. Courtois, January 200951
Hopping in Group Lattices
attack 1three invariants
linear Boolean function
attack 2two invariants
bad Boolean function
attack 36one complex high degree invariant
strong Boolean function
AGL
Block Cipher Invariants
52
“Hopping” Discovery
• Learn from examples.
• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.
Backdoors
Nicolas T. Courtois53
T-310 [Contracting Feistel, 1970s, Eastern Germany!]
1 round of T-310
φ
Block Cipher Invariants
54
Linear Attack – Example
Block Cipher Invariants
55
Our Thm. [eprint/2017/440]
Block Cipher Invariants
56
Impossible => Possible?
• We literally use “impossible” linear properties, which cannot happen and do not happen,
and construct a non-linear attack which works.
Key insight:
• P => Q 1R might be impossible to achieve.
• P*R =>Q*R may be possible to achieve.we only need to take care of a restricted subspace where either R(inputs)=1 or R(outputs)=1. Also typically strongly correlated.
Block Cipher Invariants
57
Hopping Step 1 [WCC’19]First we look at an attack where the Boolean
function is linear and we have trivial LINEAR invariants (same as Matsui’s LC)
Example:
?
impossibletransition
Block Cipher Invariants
58
Impossible?
“Only those who attempt the absurd will achieve the impossible.”
-- M. C. Escher
?
Backdoors
Nicolas T. Courtois59
A Vulnerable Setup
1 round of T-310
φ
Block Cipher Invariants
60
Hopping Step2 [WCC’19]Now could you please tell us if
is an invariant?
Block Cipher Invariants
61
Hopping Step2 Now could you please tell us if
is an invariant?
The answer is remarkably simple.
Block Cipher Invariants
62
Hopping Step2Theorem:
is an invariant IF AND ONLY IF
a certain polynomial = FE =
is zero (as a polynomial, multiple cancellations)
Block Cipher Invariants
63
Hopping Step2 Theorem:
is an invariant IF AND ONLY IF
a certain polynomial = FE =
is zero (as a polynomial, multiple cancellations)
FundamentalEquation
Block Cipher Invariants
64
Compute FE?Theorem:
is an invariant IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)
= FE
Block Cipher Invariants
65
NotationTheorem:
is an invariant IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)
= FE
P = P(inputs) P(output ANF) = P
Block Cipher Invariants
66
NotationWe have
is an invariant IF AND ONLY IF
IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)= FE
P = P(inputs) = P(output ANF) = P ?
P+P
Block Cipher Invariants
67
Compact Notation
is an invariant IF AND ONLY IF
IF AND ONLY IF
(as a polynomial, multiple cancellations)= FE is zero
P = P ?
P+P
Block Cipher Invariants
68
*Action of on polynomials.With P = P(inputs) there is no ambiguity.
With P(output ANF) = P we mean F,K,L
where F,K,L is the secret key+IV on 3 bits.
Trick: the result does NOT depend on F,K,L.
P = P(output ANF) =
P(a , b, c, d, … … … ) =
Block Cipher Invariants
69
*Action of on polynomials.With P = P(inputs) there is no ambiguity.
With P(output ANF) = P we mean F,K,L
where F,K,L is the secret key+IV on 3 bits.
Trick: the result does NOT depend on F,K,L.
P = P(output ANF) =
P(a , b, c, d, … … … ) =
subs by ANF
Block Cipher Invariants
70
White Box Cryptanalysis = New
[Courtois 2018]
Same concept of a non-linear I/O sums.Focus on perfect invariants mostly.
P(inputs) = P(outputs) with probability 1.
Formal equality of 2 polynomials.Exploits the structure of the ring Bn.
• annihilation events absorption events, nb. of vars collapses
• would be unthinkable if we had unique factorisation
ABCD=A’B’C’D’
Block Cipher Invariants
71
Reynolds/Noether Maps in Invariant Theory
Goal: transform bc into an invariant. In maths:
���(bc ����) =1
|�|� bc�
�∈�
G=full group of transformations acting on polynomials
generated by the full cipher for any key and any Nr
huge non-commutative grouptoo large to work with?
thanks to Felix Ulmer
duplication/left cosetsG <=bijection=> {h+g}, where h has no effect,g belongs in a smaller subgroup
not commutative
Block Cipher Invariants
72
*Reynolds Revisited
Goal: transform bc into an invariant. In maths:
��� bc ���� =1
�� bc�
�∈�
G=smaller group of transformations acting on degree 2 monomials which is dictated by the structure of the cipher • blue terms cancel in , • steps with ? are not guaranteed to work unless FE==0
Block Cipher Invariants
73
**Reynolds Revisited
Goal: transform bc into an invariant. In maths:
��� bc ���� =1
�� bc�
�∈�G=smaller cyclic group => simply a cycle starting from bc.Example for DES cipher (for a specific choice of S-boxes): • start with a degree 4 monomial, e.g.
L02*L05*R02*R05 => period = 8 mindeg=4 maxdeg=14
• summing over this cycle gives the following invariant:sum is of size=3 deg=14
L01*L02*L08*L29*L30*L31*L32*R01*R29*R30*R31*R32+L01*L05*L08*L29*L30*L31*L32*R01*R05*R08*R29*R30*R31*R32+L01*L29*L30*L31*L32*R01*R02*R08*R29*R30*R31*R32can be factored as === L01*L29*L30*L31*L32*R01*R29*R30*R31*R32* (L02*L08+L05*L08*R05*R08+R08*R02)
• with another set of S-boxes we get a period = 24 mindeg=4 maxdeg=20 and sum is of size=184 deg=20• L08*R08*(very complex polynomial)
Block Cipher Invariants
74
Conclusion Step2Theorem:
is an invariant IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)
Block Cipher Invariants
75
What is Special About P2-factoring decomposition
= AC+BD.
is invariant IF AND ONLY IF
some solutions are:
Block Cipher Invariants
76
Invariant P of Degree 4?
= ABCD.
is a 1-round invariant IF AND ONLY IF
= FE
Block Cipher Invariants
77
Invariant P of Degree 4?
= ABCD.
is a 1-round invariant IF AND ONLY IF
a multiple of the previous polynomial!
Block Cipher Invariants
78
Corollary:Easy Thm. [not included in the paper].
For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2)then also ABCD is an invariant (degree 4).
Note: there is no invariant of degree 3 etc
Block Cipher Invariants
79
[Graded] Ring Of InvariantsAny more invariants?
As always in Maths we have a Ring* of Invariants denoted by
B[a,b..]G where B[a,b..]==IF2[a,b..]/(a2=a..)
and G=huge group generated by our block cipher. Here this ring has only 5 elements:
B[a,b..]G ={0, 1, AC+BD, ABCD, ABCD+AC+BD}
Not more! Well actually there could be more @higher degrees.
*Classical tool: Molien formal power series = 1 + z2 + z4 and no more terms.
*finitely generatedcf. Hilbert
absorber
Block Cipher Invariants
80
Hilbert Basis (always Finite)We say that
{AC+BD, ABCD}
For a Hilbert basis of our Ring of Invariants
B[a,b..]G =
{0, 1, AC+BD, ABCD, ABCD+AC+BD}
we also have a POSET
and a lattice (w.r.t division | ).absorber
or maximal
*def. every invariant is
a polynomial function of basis elements
0
1
ABCD
Block Cipher Invariants
81
Selective RemovalQ : Can we now have ABCD
to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????
Block Cipher Invariants
82
Selective RemovalQ : Can we now have ABCD
to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????
Answer: easy: a root of second polynomial and NOT a root of the first [almost always].
mC=YCmBCD=YBCD
= FE
Block Cipher Invariants
83
Summary [WCC’19]1. We start with a trivial attack on a weak cipher.
Benefit: FE has a solution.
2. Then some non-linear invariants P also exist.
3. Another Boolean function Z works because FE has more roots.
4. In several steps we modify the cipher wiring, Z[manipulation of roots of our FE] so that simple invariants P are removed.
5. What you get is like a backdoor! – Potentially hard to detect. High degree P.
Block Cipher Invariants
84
A Better Attack?
problem: “strong” Boolean functions
Block Cipher Invariants
85
Conclusion@WCCWe modify the cipher and the invariant
so that simple invariants disappear.
Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]
The degree of P must increase to 8.
Block Cipher Invariants
86
Irreducible PolynomialsRemark:
For a long time we searched for invariant attacks where P
is an irreducible polynomial.
We were wrong!
Block Cipher Invariants
87
New Paradigm [1905.04684]
Block Cipher Invariants
88
Product Attack
Trivial NL invariants based on cycles in LC.
A B C D A
Then ABCD is a round invariant of degree 4. Invariants form a ring B[a,b..]G
Stupid??
*finitely generated
Block Cipher Invariants
89
Product Question
Trivial NL invariants based on cycles in LC.
A B C D E A
Then ABCDE is a round invariant of degree 5.
Stupid?? Not at all! Some of the strongest attacks ever found are like this.
Block Cipher Invariants
90
Product Attack
Trivial NL invariants based on cycles in LC.
A B C D E A
Then ABCDE is a round invariant of degree 5.
Stupid?? Not at all! Some of the strongest attacks ever found are like this.
Simpler invariants can be REMOVED!!!!
Block Cipher Invariants
Nicolas T. Courtois, January 200991
Hopping in Group Lattices
attack 1three invariants
linear Boolean function
attack 2two invariants
bad Boolean function
attack 36one complex high degree invariant
strong Boolean function
AGL
Block Cipher Invariants
92
Phase TransitionWhen P is of degree 4, the Boolean function is
still “inevitably” degenerated [this paper].
Q: Can we backdoor or break a cipher with a random Boolean function?
Block Cipher Invariants
93
Strong Structural AttackNot as strong as a “generic attack” but close.
Can work for a LOT MORE rounds!
Block Cipher Invariants
94
Phase TransitionWhen P is of degree 4, the Boolean function is
still “inevitably” degenerated [this paper].
Q: Can we backdoor or break a cipher with a “strong” (e.g. random) Boolean function?
YES, see [eprint/2018/1242]
Degree 8 attack, P =ABCDEFGH.
Block Cipher Invariants
95
Thm 5.5. In eprint/2018/1242 page 18.
P =ABCDEFGH
is invariant if and only if this polynomial vanishes:
Can a polynomial with 16 variables with 2 very complex Boolean functions just disappear?
Block Cipher Invariants
96
Hard Becomes EasyPhase transition: eprint/2018/1242.
• When P degree grows, attacks become a
LOT easier.
• Degree 8: extremely strong:
15% success rate over the choice of a random Boolean function and with P =ABCDEFGH.
(3 variants)
WHAT??????????
Block Cipher Invariants
97
Let Y = Random Bool.Can we HOPE that for
we have for example:
mBCD=YBCD i.e.
0=(Y+m)BCD
Thm 6.0.1: Courtois-Meier Eurocypt 2003.
For any Z with 6 variables, Z or Z+1 always has some cubic annihilators.
Thm 6.4: [eprint/2018/1242] For Z(a+b)(c+d)(e+f)=0, any Boolean function works with probability of 5%.
= FE
Block Cipher Invariants
98
Bonus: New Non-Trivial Attacksan irregular sporadic attack with P of degree 7
Block Cipher Invariants
99
Proof [Outline]sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)
sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D) =def= sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
sage: 0
sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
sage: 0
sage:
Proof involves absorptions of type W= and Y=.
polynomials W,Y operate on disjoint inputs
Block Cipher Invariants
100
Interesting Events inside Our Proof
sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)
sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)
sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
sage: 0
sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
sage: 0
sage:
degree 2 out 56 out 16 variables each
100% disjoint sets
Block Cipher Invariants
101
**another example
sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)
sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)
sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
sage: 0
sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
sage: 0
sage:
90% disjoint
Block Cipher Invariants
102
DES
problem:
a LOT more key bits
48 instead of 2 in each round
Block Cipher Invariants
103
Simple BLC Backdoor on DES
Block Cipher Invariants
104
Closed Loops
Key concept: “closed loop configurations”.
term used in paper which won the best paper award at Asiacrypt 2018
not new
Block Cipher Invariants
105
Closed Loops–works for DES, GOST, etc
In GOST block cipher:
GOST cipher
Block Cipher Invariants
106
Closed LoopsFor T-310 cipher
Block Cipher Invariants
107
Closed Loops…For DES – with original P-box
DES loops
Z7
07
Block Cipher Invariants
108
reality is more interesting than fiction!
Security of DES (overview)
Nicolas T. Courtois, September 2007109
DES P-box1
02244
32
321
1 2 3 4 5 6
1 2 3 4
A B C D E F
W X Y Z
P-box
Block Cipher Invariants
110
Degree 5 Attack on DESTheorem: Let P =
(1+L06+L07)*L12 * R13*R24*R28
IF
(1+c+d)*W2==0 and (1+c+d)*X2==0
e*W3==0 and f*Z3==0
ae*X7==0 and ae*Z7==0
THEN P is an invariant for
1 round of DES.
top related