Outline Introduction Feistel Structures and Two Basic Attacks


1

2 Outline
Introduction
Feistel Structures and Two Basic Attacks
Mathematical Foundations
Improved Interpolation Attack
New Integral Cryptanalysis
Results of Attack on PURE
Conclusion
2018/12/9 FSE09----New Cryptanalysis of Block Ciphers with Low Algebraic Degree (B. Sun et al.)

3 Introduction
For some ciphers, the round function can be described either by a low-degree polynomial or by a quotient of two low-degree polynomials over a finite field of characteristic 2. Such ciphers are breakable by the interpolation attack, which was first introduced by Jakobsen and Knudsen at FSE 1997. The interpolation attack can be applied to some ciphers which have provable security against differential and linear cryptanalysis (PURE).

4 Introduction
Integral cryptanalysis considers the propagation of sums of (many) values. It is especially well-suited to ciphers with bijective components (Rijndael).

5 Introduction
In this paper, by using an algebraic method, an improved interpolation attack and a new integral attack are proposed:
1) Instead of guessing the keys one by one, we find the round keys by solving some algebraic equations;
2) Instead of using the Lagrange interpolation formula, we compute the coefficients of polynomials by the Galois Field Fourier Transformation, which can be seen as an extension of the SQUARE attack.

6 Feistel Structures and Basic Attacks
Round function of a Feistel cipher:
$a_i = b_{i-1}$, $b_i = f(b_{i-1}, k_i) \oplus a_{i-1}$
$a_i = b_{i-1}$, $b_i = f(b_{i-1} \oplus k_i) \oplus a_{i-1}$

7 Feistel Structures and Basic Attacks
Complexity of the attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).
Interpolation attack for an r-round cipher:
Step 1: Compute the degree of the (r-1)-round cipher, say $N$;
Step 2: Choose $N+2$ plaintexts $P$ at random and compute the corresponding ciphertexts $C$;
Step 3: Guess the r-th round key $K$ and partially decrypt the ciphertexts; the results are denoted by $D$;
Step 4: Apply the Lagrange interpolation formula to $N+1$ pairs $(P,D)$ to get the polynomial;
Step 5: Use the $(N+2)$-th pair $(P,D)$ to check whether the polynomial is correct; if not, $K$ is a wrong key.

8 Feistel Structures and Basic Attacks
Integral in previous papers: $(S, c) = \sum_{x \in S} c(x)$;
Integral in this paper: $(S, c, i) = \sum_{x \in S} x^i c(x)$;

9 Mathematical Foundations
Proposition 1. Let $P = (C, x)$ be the input to an r-round Feistel cipher, where $C \in \mathbb{F}_{2^n}$ is a constant. Let $m$ be the degree of the round function. Let $(a_t(x), b_t(x))$ be the output of the t-th round. If $0 < t < r$ and $m^t - 1 < 2^n$, then
$\deg a_t = m^{t-1}$, $\deg b_t = m^t$.
Furthermore, the leading coefficients of both $a_t(x)$ and $b_t(x)$ are 1.

10

11 Mathematical Foundations
Proposition 2. For a Feistel cipher, assume the degree of the round function is an odd integer $m$ and the coefficient of the second-highest term of the round function is $a_{m-1}$. Consider the right half of the t-th round, say $b_t$. Then the coefficient of the second-highest term of $b_t$ is $k_1 \oplus a_{m-1}$ (note that this value is the same for many $t$), given that $t < r_0 - 1$, where $r_0 = \lfloor \log_m(2^n - 1) \rfloor + 1$.

12 Improved Interpolation Attack - Algorithm 1
Theorem 1. For an r-round 2n-bit Feistel cipher, let the algebraic degree of the round function be an odd integer $m$, $r_0 = \lfloor \log_m(2^n - 1) \rfloor + 1$ and $r < r_0$. Choosing plaintexts as $P = (C, x)$ where $C \in \mathbb{F}_{2^n}$ is a constant, the right half of the ciphertext is of the form
$C_R(x) = x^{m^{r-1}} \oplus (k_1 \oplus a_{m-1}) x^{m^{r-1}-1} \oplus q(x)$
where $q(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree $< m^{r-1} - 1$.

13 Improved Interpolation Attack - Algorithm 1
In this paper, the coefficient of the second-highest term is computed; it depends only on $k_1$ and $a_{m-1}$. In the original interpolation attack, $C_R = x^{m^{r-1}} \oplus g(x)$, and there is no information about the second-highest term.

14 Improved Interpolation Attack - Algorithm 1
Algorithm 1: Attack on Block Ciphers with $r \le r_0$ (I):
Step 1: Encrypt $P = (C, x)$ for $m^{r-1} + 1$ different $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
Step 2: Compute $g(x) = x^{m^{r-1}} \oplus s x^{m^{r-1}-1} \oplus \cdots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C_R(x)$;
Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
Complexity of this attack: $m^{r-1} + 1$ ($N$) encryptions, and the plaintext/ciphertext pairs must be stored in order to apply the Lagrange interpolation formula.
Complexity of the original attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).

15 Improved Interpolation Attack
Theorem 2. Let $r_0 = \lfloor \log_m(2^n - 1) \rfloor + 1$ and $r = r_0 + 1$. For an r-round 2n-bit Feistel cipher with the algebraic degree of the round function being an odd integer $m$, if the input to the cipher is of the form $P = (x, C)$ where $C \in \mathbb{F}_{2^n}$ is a constant, then the right half of the ciphertext is of the form
$C_R(x) = x^{m^{r-2}} \oplus (f(k_1 \oplus C) \oplus k_2 \oplus a_{m-1}) x^{m^{r-2}-1} \oplus p(x)$
where $p(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree less than $m^{r-2} - 1$.

16 Improved Interpolation Attack
Algorithm 2: Attack on Block Ciphers with $r \le r_0 + 1$ (I):
Step 1: Encrypt $P = (x, C_1)$ for $m^{r-2} + 1$ different $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L^{(1)}(x), C_R^{(1)}(x))$;
Step 2: Compute $g(x) = x^{m^{r-2}} \oplus s_1 x^{m^{r-2}-1} \oplus \cdots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C_R^{(1)}(x)$, thus $s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$;
Step 3: Choose another two constants $C_2$ and $C_3$, repeat step 1 and step 2, and get $s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$, $s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$;
Continue…

17 Improved Interpolation Attack
Algorithm 2: Attack on Block Ciphers with $r \le r_0 + 1$ (I):
Step 4: Find the common roots of the following equations:
$s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
$s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
$s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
Complexity of this attack: $3m^{r-1} + 3$ encryptions, and the plaintext/ciphertext pairs must be stored in order to apply the Lagrange interpolation formula.

18 New Integral Cryptanalysis
For $2^n$ pairs $(x_i, y_i) \in \mathbb{F}_{2^n}^2$ where the $x_i$ are distinct, to find the polynomial $f(x)$ of degree $2^n - 1$ such that $y_i = f(x_i)$, we can use the Lagrange interpolation formula. However, there is another way to compute $f(x)$.
Theorem 3. Let $f(x) = \sum a_i x^i \in \mathbb{F}_{2^n}[x]$ be a polynomial with degree at most $2^n - 1$. Then
$$a_i = \begin{cases} \sum_{x} x^{2^n - 1 - i} f(x) & \text{if } i \not\equiv 0 \bmod (2^n - 1), \\ f(0) & \text{if } i = 0, \\ \sum_{x} f(x) & \text{if } i = 2^n - 1. \end{cases}$$

19 New Integral Cryptanalysis
Algorithm 3: Attack on Block Ciphers with $r \le r_0$ (II):
Step 1: Encrypt $P = (C, x)$ for all $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
Step 2: Compute $s = \sum_{x} x^{2^n - m^{r-1}} C_R(x)$;
Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
Complexity of this attack: $2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.
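Theorem 3 and Algorithm 3 can be checked on a scaled-down cipher, which shows concretely why a low-degree round function leaks $k_1$. The following is an added example, not code from the paper or the slides: a toy Feistel cipher over GF(2^8) with $f(x) = x^3$ (so $m = 3$, $a_{m-1} = 0$, $r_0 = 6$). The reduction polynomial 0x11B, the constant 0x5A and the convention that the ciphertext is $(C_L, C_R) = (b_r, a_r)$ are assumptions of the example.

```python
# Added example: toy Feistel cipher over GF(2^8) with f(x) = x^3 (m = 3, a_{m-1} = 0).
# POLY, the constant and the output convention (C_L, C_R) = (b_r, a_r) are assumptions.
Q, POLY = 256, 0x11B      # field size 2^8; reduction polynomial x^8+x^4+x^3+x+1

def gmul(a, b):           # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:
            a ^= POLY
        b >>= 1
    return r

def gpow(a, e):           # a**e for e >= 0; a**0 == 1 for every a, also a == 0
    r = 1
    while e:
        if e & 1:
            r = gmul(r, a)
        a = gmul(a, a)
        e >>= 1
    return r

def encrypt(left, right, keys):
    """Rounds a_i = b_{i-1}, b_i = f(b_{i-1} ^ k_i) ^ a_{i-1}; returns (b_r, a_r)."""
    a, b = left, right
    for k in keys:
        a, b = b, gpow(b ^ k, 3) ^ a
    return b, a

def coefficient(values, i):
    """Theorem 3: coefficient a_i of the degree <= 2^n - 1 polynomial f, values[x] = f(x)."""
    if i == 0:
        return values[0]
    acc = 0
    for x in range(Q):    # exponent 0 (i = 2^n - 1) gives the plain sum of f(x)
        acc ^= gmul(gpow(x, Q - 1 - i), values[x])
    return acc

def recover_k1(oracle, rounds, const=0x5A):
    """Algorithm 3: s = sum_x x^(2^n - m^(r-1)) * C_R(x), then k1 = s ^ a_{m-1} = s."""
    if rounds < 2 or 3 ** (rounds - 1) > Q - 1:
        raise ValueError("need 2 <= r <= r0 so that deg C_R = m^(r-1) <= 2^n - 1")
    s = 0
    for x in range(Q):    # chosen plaintexts (C, x); nothing is stored between queries
        s ^= gmul(gpow(x, Q - 3 ** (rounds - 1)), oracle(const, x)[1])
    return s
```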

20 New Integral Cryptanalysis
Algorithm 4: Attack on Block Ciphers with $r \le r_0 + 1$ (II):
Step 1: Encrypt $P^{(1)} = (x, C_1)$ for all $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L^{(1)}(x), C_R^{(1)}(x))$;
Step 2: Compute $s_1 = \sum_{x} x^{2^n - m^{r-2}} C_R^{(1)}(x)$;
Step 3: Choose another two constants $C_2$ and $C_3$, repeat step 1 and step 2, and get $s_2 = \sum_{x} x^{2^n - m^{r-2}} C_R^{(2)}(x)$, $s_3 = \sum_{x} x^{2^n - m^{r-2}} C_R^{(3)}(x)$;
Continue…

21 New Integral Cryptanalysis
Algorithm 4: Attack on Block Ciphers with $r \le r_0 + 1$ (II):
Step 4: Find the common roots of the following equations:
$s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
$s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
$s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
Complexity of this attack: $3 \times 2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.

22 New Integral Cryptanalysis
Comparing Algorithm 3 with 1, and Algorithm 4 with 2, the new integral attacks have some merits:
(1) There is no need to store plaintexts and corresponding ciphertexts, while these data must be stored in the original interpolation attack as well as in Algorithms 1 and 2;
(2) There is no need to guess the key candidates. Thus the complexities of these attacks are $2^n$ and $3 \times 2^n$ respectively, the number of plaintexts to be encrypted.

23 Results of Attack on PURE
As an example, we implemented the above attacks on PURE. PURE is a Feistel cipher with $2n = 64$ and $f(x) = x^3 \in \mathbb{F}_{2^{32}}[x]$. The new attacks show that 22-round PURE is breakable on a personal computer. The following results were computed using the algebra software Magma.
Experimental Results of Attacks on Reduced-round PURE
Round Algorithm Data Memory Time
8 10 15 22
1 2 3 4
$3^7+1$ $3^6+1$ $3^8+1$ $3^9+1$ $2^{32}$ $3 \times 2^{32}$ negligible
3.5 seconds, 1 second, 4.5 minutes, 1.5 minutes, 31 hours, 148 hours

24 Conclusion
Both interpolation and integral attacks are improved in this paper. As an application, 22-round PURE is breakable on a personal computer, whereas it is not breakable on a personal computer with the original method introduced at FSE 1997.

25 Conclusion
Two interesting problems:
The SQUARE attack can be seen as a special case of this attack, since $\sum_x y$ is a special case of $\sum_x x^i y$. So can we use a similar method to analyze AES?
How to extend this attack to the case of rational polynomials, that is, if the cipher can be described as $g_1(x)/g_2(x)$ (SNAKE cipher), how to apply this attack?

26 Thank You! Q & A?

