nonlinearpolynomial invariant attacks · nonlinearpolynomial invariant attacks or how to backdoor a...

NonLinear Polynomial Invariant Attacksor How to Backdoor a Block Cipher

Nicolas T. CourtoisUniversity College London, UK

blog.bettercrypto.com

eprint = 2018/1242

Block Cipher Invariants

2

Roadmap

• Non-Linear Cryptanalysis

– Polynomial Invariants

– Backdoors

• What makes ciphers insecure? Nothing!

– Boolean functions

– Annihilators [very hard to avoid]

– Strong structural attack = “product attack”

– Lack of Unique Factorization inside the ring of Boolean functions Bn.

eprint/2018/1242

Algebraic Attacks on Block Ciphers Nicolas T. Courtois

3

Question 1:Why 0% of symmetric encryption

used in practice areprovably secure?

A New Frontier in Symmetric Cryptanalysis

4

Provably Secure Encryption!

Based on MQ Problem. Dense MQ is VERY hard. Best attack ≈ 20.8765n

• top of the top hard problem.• for both standard and PQ crypto

=> Allows to build a provably secure stream cipher based on MQ directly!

C. Berbain, H. Gilbert, and J. Patarin:

QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005

mqchallenge.org FXL/Joux 2017/372


5

Question 2:Why researchers have found

so few attacks on block ciphers?


6



because there are so many!(many attacks)


7



“mystified by complexity” lack of working examples: how a NL attack actually looks like??

-for a long time I thought it would about some irreducible polynomials-


8

?


9

Claim:Finding new attacks

on block ciphers isEASY and FUN


10

Dr. Nicolas T. Courtois blog.bettercrypto.com

1. cryptanalysis


11


1. cryptanalysis

2. industrial crypto


12


1. cryptanalysis


13

Code Breakers - LinkedIn


14

Cryptanalysis=def=Making the impossible possible.

How? two very large polynomials with 16+ vars are simply equal


15

Big Winner

“product attack”

a product of Boolean polynomials.

Claimed extremely powerful.Why?

@eprint/2018/1242


16

Definition

We say that P => Q for 1R

if

P(inputs) = Q(outputs)with proba =1, i.e. for every input


17

Another notation:P = Q

<=> P => Q for 1R

<=>

P(inputs) = Q(outputs)for any input with P=1

is 1 round of encryption


18

alsoP = Q

<=> P => Q for 1R

<=>

P(inputs) Q(output ANFs)formal equality of polynomials

is 1 round of encryption

must perform a substitution with

coded as ANFs


Main Problem:Two polynomials P => Q.

P(x1,…)

Q(y1,…)

is P=Q possible??

“Invariant Theory” [Hilbert]: set of all invariants for any block cipher forms a [graded] finitely generated [polynomial] ring. A+B; A*B


20

Key Remark:

To insure that P * R => P * R

we only need to make sure that P=>P but ONLY for a subspace

where R(inp)=1 and R(out)=1

Code Breakers

Nicolas T. Courtois21

3. Crypto History


22

1970sModern block ciphers are born.

In which country??


23

1970sModern block ciphers are born.

In which country??

Who knows…

Eastern Bloc also worked on these questions… and for a long time.


24

1927The real inventor of the

ANF = Algebraic Normal Form, see

en.wikipedia.org/wiki/Zhegalkin_polynomial

Russian mathematician and logician

Ива́н Ива́нович Жега́лкин [Moscow State University]

“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”

Bn,+,*

T-310


East German T-310 Block Cipher

240 bits

long-term secret 90 bits only!

“quasi-absolute security” [1973-1990]

has a physical

RNG=>IV


Technical ReferencesNicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi, Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf , 132 pages, 2017.

Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh:

Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018.

Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.


27

Cipher Class Alpha –1970s

Who invented Alpha? [full document not avail.]


28

T-310 [1973-1990] – Feistel with 4 branches


29

blog.bettercrypto.com

Roadmap

30

Backdoors vs.

“Normal” Cryptanalysis

All our attacks work with relatively large probability.

– so if you are not lucky a cipher which was NOT backdoored will also be broken!


34

LC in 1976 [Eastern Germany]


35

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]


36

Generalised Linear Cryptanalysis= GLC =

[Harpes, Kramer and Massey, Eurocrypt’95]

Concept of [invariant] non-linear I/O sums.

P(inputs) = P(outputs) with some probability…


37

Connecting Non-Linear Approxs.Black-Box Approach

Non-linear functions F G H I.

F(x1,…)

G(y1,…) H(y1,…)

I(z1,…)


38

GLC and Feistel Ciphers?

[Knudsen and Robshaw, EuroCrypt’96

“one-round approximations that are non-linear […] cannot be joined together”…

At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!


39

BLC better than LC for DES

Better than the best existing linear attack of Matsui

for 3, 7, 11, 15, … rounds.

Ex: LC 11 rounds:

BLC 11 rounds:


40

Better Is Enemy of Good!DES = Courtois @ Crypto 2004 :

proba=1.0

deg 1

deg 2

deg 10


41

Wrong Approach [!!!!]Black-Box Combination Approach

constructive BUT limited possibilities…

F(x1,…)

G(y1,…) H(y1,…)

I(z1,…)


42

White Box Approach

New! [Courtois 2018]

Study of non-linear I/O sums.

P(inputs) = P(outputs)

notion of “primitive” or “sporadic” attacks not decomposed into simpler attacks

Example: 127 R periodic property, 127 being prime.


43

New White Box Approach

Study of non-linear I/O sums.

.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.

BIG PROBLEM: 22^n possible attacks


44

Variable Boolean Function

We denote by Z our Boolean function

We consider a space of ciphers where Z is variable.

Question: given a fixed polynomial Pwhat is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds).


45

How Do You Find An Attack?

22^n possible attacks


46

Invariant Hopping

attack 12x linear

attack 21x linear

attack 3

attack 4strong Bool + high degree invariant +

high success proba


Nicolas T. Courtois, January 200947

Group Theory – Is DES A Group?

Study of group generated by φK for any key K.

Typically AGL not GL. Any smaller sub-groups?


48

Hopping in Group Lattices

attack 1three invariants

linear Boolean function

AGL


49




attack 2two invariants

bad Boolean function

AGL


50






attack 36one high degree invariantstrong Boolean function

AGL








attack 36one complex high degree invariant

strong Boolean function

AGL


52

“Hopping” Discovery

• Learn from examples.

• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.

Backdoors


T-310 [Contracting Feistel, 1970s, Eastern Germany!]

1 round of T-310

φ


54

Linear Attack – Example


55

Our Thm. [eprint/2017/440]


56

Impossible => Possible?

• We literally use “impossible” linear properties, which cannot happen and do not happen,

and construct a non-linear attack which works.

Key insight:

• P => Q 1R might be impossible to achieve.

• P*R =>Q*R may be possible to achieve.we only need to take care of a restricted subspace where either R(inputs)=1 or R(outputs)=1. Also typically strongly correlated.


57

Hopping Step 1 [WCC’19]First we look at an attack where the Boolean

function is linear and we have trivial LINEAR invariants (same as Matsui’s LC)

Example:

?

impossibletransition


58

Impossible?

“Only those who attempt the absurd will achieve the impossible.”

-- M. C. Escher

?

Backdoors


A Vulnerable Setup

1 round of T-310

φ


60

Hopping Step2 [WCC’19]Now could you please tell us if

is an invariant?


61

Hopping Step2 Now could you please tell us if

is an invariant?

The answer is remarkably simple.


62

Hopping Step2Theorem:

is an invariant IF AND ONLY IF

a certain polynomial = FE =

is zero (as a polynomial, multiple cancellations)


63

Hopping Step2 Theorem:


a certain polynomial = FE =


FundamentalEquation


64

Compute FE?Theorem:



= FE


65

NotationTheorem:



= FE

P = P(inputs) P(output ANF) = P


66

NotationWe have


IF AND ONLY IF

is zero (as a polynomial, multiple cancellations)= FE

P = P(inputs) = P(output ANF) = P ?

P+P


67

Compact Notation


IF AND ONLY IF

(as a polynomial, multiple cancellations)= FE is zero

P = P ?

P+P


68

*Action of on polynomials.With P = P(inputs) there is no ambiguity.

With P(output ANF) = P we mean F,K,L

where F,K,L is the secret key+IV on 3 bits.

Trick: the result does NOT depend on F,K,L.

P = P(output ANF) =

P(a , b, c, d, … … … ) =


69

*Action of on polynomials.With P = P(inputs) there is no ambiguity.

With P(output ANF) = P we mean F,K,L

where F,K,L is the secret key+IV on 3 bits.

Trick: the result does NOT depend on F,K,L.

P = P(output ANF) =

P(a , b, c, d, … … … ) =

subs by ANF


70

White Box Cryptanalysis = New

[Courtois 2018]

Same concept of a non-linear I/O sums.Focus on perfect invariants mostly.

P(inputs) = P(outputs) with probability 1.

Formal equality of 2 polynomials.Exploits the structure of the ring Bn.

• annihilation events absorption events, nb. of vars collapses

• would be unthinkable if we had unique factorisation

ABCD=A’B’C’D’


71

Reynolds/Noether Maps in Invariant Theory

Goal: transform bc into an invariant. In maths:

��(bc ��) =1

|�|� bc�

�∈�

G=full group of transformations acting on polynomials

generated by the full cipher for any key and any Nr

huge non-commutative grouptoo large to work with?

thanks to Felix Ulmer

duplication/left cosetsG <=bijection=> {h+g}, where h has no effect,g belongs in a smaller subgroup

not commutative


72

*Reynolds Revisited


�� bc �� =1

�� bc�

�∈�

G=smaller group of transformations acting on degree 2 monomials which is dictated by the structure of the cipher • blue terms cancel in , • steps with ? are not guaranteed to work unless FE==0


73

**Reynolds Revisited


�� bc �� =1

�� bc�

�∈�G=smaller cyclic group => simply a cycle starting from bc.Example for DES cipher (for a specific choice of S-boxes): • start with a degree 4 monomial, e.g.

L02*L05*R02*R05 => period = 8 mindeg=4 maxdeg=14

• summing over this cycle gives the following invariant:sum is of size=3 deg=14

L01*L02*L08*L29*L30*L31*L32*R01*R29*R30*R31*R32+L01*L05*L08*L29*L30*L31*L32*R01*R05*R08*R29*R30*R31*R32+L01*L29*L30*L31*L32*R01*R02*R08*R29*R30*R31*R32can be factored as === L01*L29*L30*L31*L32*R01*R29*R30*R31*R32* (L02*L08+L05*L08*R05*R08+R08*R02)

• with another set of S-boxes we get a period = 24 mindeg=4 maxdeg=20 and sum is of size=184 deg=20• L08*R08*(very complex polynomial)


74

Conclusion Step2Theorem:




75

What is Special About P2-factoring decomposition

= AC+BD.

is invariant IF AND ONLY IF

some solutions are:


76

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

= FE


77

Invariant P of Degree 4?

= ABCD.

is a 1-round invariant IF AND ONLY IF

a multiple of the previous polynomial!


78

Corollary:Easy Thm. [not included in the paper].

For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2)then also ABCD is an invariant (degree 4).

Note: there is no invariant of degree 3 etc


79

[Graded] Ring Of InvariantsAny more invariants?

As always in Maths we have a Ring* of Invariants denoted by

B[a,b..]G where B[a,b..]==IF2[a,b..]/(a2=a..)

and G=huge group generated by our block cipher. Here this ring has only 5 elements:

B[a,b..]G ={0, 1, AC+BD, ABCD, ABCD+AC+BD}

Not more! Well actually there could be more @higher degrees.

*Classical tool: Molien formal power series = 1 + z2 + z4 and no more terms.

*finitely generatedcf. Hilbert

absorber


80

Hilbert Basis (always Finite)We say that

{AC+BD, ABCD}

For a Hilbert basis of our Ring of Invariants

B[a,b..]G =

{0, 1, AC+BD, ABCD, ABCD+AC+BD}

we also have a POSET

and a lattice (w.r.t division | ).absorber

or maximal

*def. every invariant is

a polynomial function of basis elements

0

1

ABCD


81

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????


82

Selective RemovalQ : Can we now have ABCD

to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????

Answer: easy: a root of second polynomial and NOT a root of the first [almost always].

mC=YCmBCD=YBCD

= FE


83

Summary [WCC’19]1. We start with a trivial attack on a weak cipher.

Benefit: FE has a solution.

2. Then some non-linear invariants P also exist.

3. Another Boolean function Z works because FE has more roots.

4. In several steps we modify the cipher wiring, Z[manipulation of roots of our FE] so that simple invariants P are removed.

5. What you get is like a backdoor! – Potentially hard to detect. High degree P.


84

A Better Attack?

problem: “strong” Boolean functions


85

Conclusion@WCCWe modify the cipher and the invariant

so that simple invariants disappear.

Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]

The degree of P must increase to 8.


86

Irreducible PolynomialsRemark:

For a long time we searched for invariant attacks where P

is an irreducible polynomial.

We were wrong!


87

New Paradigm [1905.04684]


88

Product Attack

Trivial NL invariants based on cycles in LC.

A B C D A

Then ABCD is a round invariant of degree 4. Invariants form a ring B[a,b..]G

Stupid??

*finitely generated


89

Product Question


A B C D E A

Then ABCDE is a round invariant of degree 5.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.


90

Product Attack


A B C D E A

Then ABCDE is a round invariant of degree 5.

Stupid?? Not at all! Some of the strongest attacks ever found are like this.

Simpler invariants can be REMOVED!!!!








attack 36one complex high degree invariant

strong Boolean function

AGL


92

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a random Boolean function?


93

Strong Structural AttackNot as strong as a “generic attack” but close.

Can work for a LOT MORE rounds!


94

Phase TransitionWhen P is of degree 4, the Boolean function is

still “inevitably” degenerated [this paper].

Q: Can we backdoor or break a cipher with a “strong” (e.g. random) Boolean function?

YES, see [eprint/2018/1242]

Degree 8 attack, P =ABCDEFGH.


95

Thm 5.5. In eprint/2018/1242 page 18.

P =ABCDEFGH

is invariant if and only if this polynomial vanishes:

Can a polynomial with 16 variables with 2 very complex Boolean functions just disappear?


96

Hard Becomes EasyPhase transition: eprint/2018/1242.

• When P degree grows, attacks become a

LOT easier.

• Degree 8: extremely strong:

15% success rate over the choice of a random Boolean function and with P =ABCDEFGH.

(3 variants)

WHAT??????????


97

Let Y = Random Bool.Can we HOPE that for

we have for example:

mBCD=YBCD i.e.

0=(Y+m)BCD

Thm 6.0.1: Courtois-Meier Eurocypt 2003.

For any Z with 6 variables, Z or Z+1 always has some cubic annihilators.

Thm 6.4: [eprint/2018/1242] For Z(a+b)(c+d)(e+f)=0, any Boolean function works with probability of 5%.

= FE


98

Bonus: New Non-Trivial Attacksan irregular sporadic attack with P of degree 7


99

Proof [Outline]sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D) =def= sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0

sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))

sage: 0

sage:

Proof involves absorptions of type W= and Y=.

polynomials W,Y operate on disjoint inputs


100

Interesting Events inside Our Proof

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0


sage: 0

sage:

degree 2 out 56 out 16 variables each

100% disjoint sets


101

**another example

sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)

sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)

sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))

sage: 0


sage: 0

sage:

90% disjoint


102

DES

problem:

a LOT more key bits

48 instead of 2 in each round


103

Simple BLC Backdoor on DES


104

Closed Loops

Key concept: “closed loop configurations”.

term used in paper which won the best paper award at Asiacrypt 2018

not new


105

Closed Loops–works for DES, GOST, etc

In GOST block cipher:

GOST cipher


106

Closed LoopsFor T-310 cipher


107

Closed Loops…For DES – with original P-box

DES loops

Z7

07


108

reality is more interesting than fiction!

Security of DES (overview)

Nicolas T. Courtois, September 2007109

DES P-box1

02244

32

321

1 2 3 4 5 6

1 2 3 4

A B C D E F

W X Y Z

P-box


110

Degree 5 Attack on DESTheorem: Let P =

(1+L06+L07)*L12 * R13*R24*R28

IF

(1+c+d)*W2==0 and (1+c+d)*X2==0

e*W3==0 and f*Z3==0

ae*X7==0 and ae*Z7==0

THEN P is an invariant for

1 round of DES.

nonlinearpolynomial invariant attacks · nonlinearpolynomial invariant attacks or how to backdoor a...

Documents