new frontiers in symmetric cryptanalysis · 2 algebraic attacks: a new frontier in symmetric...

1

New Frontiers in Symmetric Cryptanalysis

�� !�� "#��$

Algebraic Attacks: A New Frontier in Symmetric Cryptanalysis

N. Courtois, Rump session at Eurocrypt 20072

Motivation%'& (')'*'+,*'('-.-'& / /0)'+1)'(#23& *'465�+ 7�8920*'('*'4 7;:�& :=<':�<'*>4 4 7+?)'@'<'& +1) A'<'B')C@'<>*'(920& 23& )': D9/FE�('D#GH(9I05�A'D':�)'(8>4 *>& (#23)9J623:6K

L=M N A'*#2FE�& ('-CD#/F5�+ 7�8923*'('*>4 7�:�& :=& :=8'D>:�:�& O'4 )GCA')'(P23A').*92Q23*'5�E6)'+,A'*':D'('4 7RD'(').E�('D9GC(C8>4 *>& (#23)9J62 S1D'+UT�)'+ 7=/3)9GHV,W

X 4 *'& Y M Z A'& :[@'<')>:\20& D'(.->& -.('D92F+1)>5�)'& T�).:�<#/ /3& 56& )'(92*#2 20)'(920& D'(>K']>J�56)':6:�& T�)P/3D>5�<':=D'(.% X *'('-.^ X K



Algebraic Attacks vs. DC/LC/etc..

• Algebraic attack: 2 KP+ 270 operations => the only feasible in the real life !

• LC in 243 operations – infeasible.– Hard to get 243 KP !

2



Algebraic Attacks vs. DC/LC/etc..CLAIM: The two worlds CANNOT be

compared. • They are going in a very different direction:

what these two CAN ACHIEVE in practice are two very rich sets of cryptanalytic results that are rather disjoint.

So we are really discovering a new frontier for the whole of symmetric cryptanalysis.



Algebraic Cryptanalysis [Shannon]Breaking a « good » cipher should require:

“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type”

[Shannon, 1949]



Algebraic Attacks on Block Ciphers_ � `�a��b��c"�d� efhg ��iR� �� !C� �!��1� �� j�ilk�� C� �\�c� ��c� ��1k\�!�� m�� c�\��n�� c fho ��?� �=� �� a�� C� ��m�� 1� ��p�� n�e qr� �� k�� i�� !�� ?� �� k�� Cn��=n��ck�a\�� cn��?k��!�� Ca� ��s�� m�k�� k\�� C��tu�Rn�� !��!�v1n�� m�k� ��1� �� !� �t=��1k\��1� �� "��1k\�� Cn��\�ck

�� n�m�� w

3



Fast Algebraic Attacks on Block Ciphersx�y{z | }{| ~ | ��} � | }{z �{� ��{�0�{}��{� ��{�0y��{��y�~ ��{��~ �� {��y��~ �{y��{y��{� y�y��z{y{��{��~ | ��}{��~ ��{~��{��{y��{�9~ �� {��{��{��~{~ �{y��0��{��~ ��~ | ��}��…� y{� �{�{��y{��| }��#�{�

��{��~ �� y��~ �{y��{y��{� y�y��• � �\��{� �{�?� �?� � ¡ ¢�£?�¥¤ � ��¦ §¥¤ ¨?¨��?�Q©{� ª�«U�¥¬®c�?� �{¤ �?�0¯ °• § ©�¬®� � �\�¥�0¬® ±�¤ ¬ ��±?²�� ¥£?� � �{�?³ ª � ª ¤ ±�³• § ©�¢��1´• § ©�� µ¥µ�¤ ³ ¨U¶��¥� � ·w¬ ±¥�\�¥³U¬ ±�³ � ª � �?¤ ³ ª �• � ª ¬ …

cumulative effect

!!!



One Example

The biggest discoveries in Science are the simplest.



ElimLinX D'Y.8'4 )920)C-')':65�+?& 8#23& D'( M• ¸ & ('-.4 & (>)'*'+;)'@'<>*923& D'(>:=& (P23A').4 & (')'*'+,:�8'*'(>K• ¹ <'O>:\20& 23<923)>º�*'('-.+1)'8')>*920K

»�Y.*#¼�& ('B'4 7R8'D9GH)'+ /3<'4 º'A'<'B').:\7;:\20)'Y.:=5�D'4 4 *'8':�)GC& 23A.('DC)#/ /0D'+ 20K

]½KQB'K'O'+?)'*'E6:[¾.+1D'<'('->:[D#/F^l] ¹ B>& T�)'(.¿.À½ÁuK¹ )') eprint.iacr.org/2006/402/

4



ElimLin – Something Wrong ?L=Â K N A#7Ã-'DPGH).A'*9T�).4 & (')'*'+,)'@'<'*920& D>(':=& (P20A')/0& +1:{2�8>4 *>5�).W

• ¹ 23<>8'& -.& (.YC*#23A')'Y.*920& 5�: …• ÄQÅ Á½Æ ¹u¹½ÄQÇ %>] Z ÆÈ»uÉ�Æ Ä ^Ê& (.5�+ 7�8920*'('*'4 7�:6& :�K

– Ë �� s¥�� $�Ì� –q�!�!�i�� Íw�ck\��1� �� \�

– Ë � �c



ElimLin – Still A Bit Weird FeelingL=Î K N A#7Ã-'D'(

’2'GC).)'4 & YC& ('*#23)P23A')'YÏW

• ¸ & +?:\2F*'(':{GH)'+1º'& /'GH).-'D'º9GH).4 D'D':�).:68'*'+1:6& 2 7R*'('-20A').5�*'8'*>5�& 2Q7=23D.5�D'Y.8'<923).*'(97623A'& ('B.*92F*'4 4 K• ¹ )'56D'('-C*'(>:\GH)>+ M GH).-'D'º'O'<92'20A')'(.Ð�] N% Ä Ð�]>»[ÑÊ] L=Ò » Z Ä Æ=Ð ¹ *'8'8')>*'+1K “

»½T;*'4 *'('5�A'))#/ /0)'5\2

”K

– Ó �� wm�w� c� �� –��Ô�� w

–q�!�!�� 1� ��\��?�?�w� ��s?��k\�� m�� C� �Í�� k��1k\�“�� k��

”m� ��?k�� u��1�\�cs

…



**CTC = “Courtois Toy Cipher” [eprint]

• ÕÕ ÕÕ�ÖÖ ÖÖ × | ~{Ø× | ~{Ø× | ~{Ø× | ~{Ø ÖÖ ÖÖ × ��0y{�0�× ��0y{�0�× ��0y{�0�× ��0y{�0�•x'| z z �{�0| ��}�x�Ù{��y{� ��~ | }{��| � y{��Ú �{��x�Û�ØÝÜx'| z z �{�0| ��}�x�Ù{��y{� ��~ | }{��| � y{��Ú �{��x�Û�ØÝÜx'| z z �{�0| ��}�x�Ù{��y{� ��~ | }{��| � y{��Ú �{��x�Û�ØÝÜx'| z z �{�0| ��}�x�Ù{��y{� ��~ | }{��| � y{��Ú �{��x�Û�ØÝÜ ÖÖ ÖÖ × ��Þ ß �× ��Þ ß �× ��Þ ß �× ��Þ ß �

• à1á â�á � á ã�áà1á â�á � á ã�áà1á â�á � á ã�áà1á â�á � á ã�á … ØØ ØØ ÖÖ ÖÖ × �{�0y��y{�9� ��{}��{�× �{�0y��y{�9� ��{}��{�× �{�0y��y{�9� ��{}��{�× �{�0y��y{�9� ��{}��{�• à1á â�á Õ�áà1á â�á Õ�áà1á â�á Õ�áà1á â�á Õ�á … á®à ä�áá®à ä�áá®à ä�áá®à ä�á … á Õ�ä{áá Õ�ä{áá Õ�ä{áá Õ�ä{á … � ��{}��{�0�� {}��{�0�� {}��{�0�� {}��{�0�• å y{æ��0| ç0y�è�è�é6� ��0ê��0| ç0y{�å y{æ��0| ç0y�è�è�é6� ��0ê��0| ç0y{�å y{æ��0| ç0y�è�è�é6� ��0ê��0| ç0y{�å y{æ��0| ç0y�è�è�é6� ��0ê��0| ç0y{�•Ø6| �� y�ê0y{æ��0�0�{y��{�{� y�Ù × | ~{��y{� ��~ ��~ | �{}�Ú �{��| }�x�Û�ØÝÞ ßØ6| �� y�ê0y{æ��0�0�{y��{�{� y�Ù × | ~{��y{� ��~ ��~ | �{}�Ú �{��| }�x�Û�ØÝÞ ßØ6| �� y�ê0y{æ��0�0�{y��{�{� y�Ù × | ~{��y{� ��~ ��~ | �{}�Ú �{��| }�x�Û�ØÝÞ ßØ6| �� y�ê0y{æ��0�0�{y��{�{� y�Ù × | ~{��y{� ��~ ��~ | �{}�Ú �{��| }�x�Û�ØÝÞ ß

5



**CTC2

•É[& + 20<'*>4 4 7R('D.-'& / /0)'+?)'(>5�)É[& + 20<'*>4 4 7R('D.-'& / /0)'+?)'(>5�)É[& + 20<'*>4 4 7R('D.-'& / /0)'+?)'(>5�)É[& + 20<'*>4 4 7R('D.-'& / /0)'+?)'(>5�)

•��{�0��0~ � �{}��{y��9�{�{��| }{�0~{ë�ì��{�0��0~ � �{}��{y��9�{�{��| }{�0~{ë�ì��{�0��0~ � �{}��{y��9�{�{��| }{�0~{ë�ì��{�0��0~ � �{}��{y��9�{�{��| }{�0~{ë�ìÚ �0z ��x��{}�ê0y{� ��}Ú �0z ��x��{}�ê0y{� ��}Ú �0z ��x��{}�ê0y{� ��}Ú �0z ��x��{}�ê0y{� ��} ÖÖ ÖÖ å y{� � y{�9��~ ~ �{�0ê0ß �å y{� � y{�9��~ ~ �{�0ê0ß �å y{� � y{�9��~ ~ �{�0ê0ß �å y{� � y{�9��~ ~ �{�0ê0ß �



CTC2 Cipher

]½@><'*#23& D>(':=B>)'(')>+1*#23& ('B.8>+1D'B'+?*'YÏ(>D9Gí*#T�*'& 4 *'O>4 )]½@><'*#23& D>(':=B>)'(')>+1*#23& ('B.8>+1D'B'+?*'YÏ(>D9Gí*#T�*'& 4 *'O>4 )]½@><'*#23& D>(':=B>)'(')>+1*#23& ('B.8>+1D'B'+?*'YÏ(>D9Gí*#T�*'& 4 *'O>4 )]½@><'*#23& D>(':=B>)'(')>+1*#23& ('B.8>+1D'B'+?*'YÏ(>D9Gí*#T�*'& 4 *'O>4 )GlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 IGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 IGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 IGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 I\*')':*')':*')':*')':�II II

23D#7�56& 8'A>)'+1:23D#7�56& 8'A>)'+1:23D#7�56& 8'A>)'+1:23D#7�56& 8'A>)'+1:cK A#23Y.4K A#23Y.4K A#23Y.4K A#23Y.4



Attacks on CTC2• key size > block size:

I can break up to 6 rounds.• Current frontier: nobody can break

CTC2(255,255,7). Can anybody ? Please try !

• If key size > block size =>more rounds.

• CTC2(96,256,10) can be broken.

6



Gr î bner Bases Soon to be Forgotten ?ÐlÆ Z » Z »�%'%>º�O'<#2F*92Q23)'(920& D>(CY.<':{2FO').:�A'& /Q23)'-/0+1D'YÏA>& B'A.-')'B>+1)').ï *'4 4{GHD'+1E=D'( ¸ ¾#ð'23DA'*>('-'4 & (>B Å ÒlX�ñ Ç½ÄQò=ò ]½ÑÊ:{7�:{23)'Y.:=O'<#2

*92F* É[]½Ñ�óô%'Æ N ^�] ò Ñ�]u]S1& (.*.:�)'(':�).4 )':�:�20A'*'( Î V1K



Gr î bner Bases Soon to be Forgotten ?Á½D#GH)'+ /3<'465�D'YC8>)923& 20D'+ M ¹ » Z ¹ D>4 T�)'+1:=õ56D'(9T�)>+1:�& D'(>K

Before we did try, we actually never believed it could work…



3.4. ANF-to-CNF - The OutsiderConvert MQ to a SAT problem.(both are NP-hard problems)

� � �

7



Fact:

¹ 8>*'+1:�).+1*'('-'D'Y Å L 5�*'(.O')CO>+1D'E�)'(.& (C8>+1*'5{23& 5�)>º:6D'YC).& (.:�)>5�D'('-':6K

N D'+?E�:�/3D>+ *'(97 :{7�:{23)'YÏD#/F)'@'<'*#23& D'(':=ö,& /F:�8'*'+?:�))'(>D'<'B'AC*'(>-9I3D>+;D#T�)'+1ö1-')#/3& (')'-.)'('D'<'B'A

…

Z A'& :=A'*':=(')9T�)>+;O')')'(.:�A>D9GH(CO>)9/3D'+1)>K



Algebraic Attacks on DES»½2F*P/0& +1:{2�B>4 *'('56)'º¹ )>)'Y.:[8'D>& (#234 )':6: M

23A')>+1).& :[('D.:{23+1D'('B.*'4 B')'O'+1*>& 5=:{23+1<>5\20<'+1)D9/F*'(#7RE�& ('-.& (.^l] ¹



DES – One Problem^l)#T�)'4 D'8C*“B'D'D'-

”+1)'8'+1)':6)'(923*#23& D'(.D9/F^�] ¹ K

Æ=<'+,)'@'<'*920& D>(':=5�*'(.O').-'D9GH(>4 D'*'->)'-P/3+1D'YGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 IGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 IGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 IGlG�GHKQ5�+ 7;8920D':\7;:\20)'Y.KQ(')#2 I\*')':*')':*')':*')':�II IIw20D97;5�& 8>A')'+?:20D97;5�& 8>A')'+?:20D97;5�& 8>A')'+?:20D97;5�& 8>A')'+?:UK A#23Y.4K A#23Y.4K A#23Y.4K A#23Y.4

Á½4 )>*':�)P23+ 7=23DC:6D'4 T�)P23A')>YÏO97=7�D'<>+U/3*9T�D'<>+1& 20)Y.)920A'D'-.÷

8



Results on DES

Nicolas T. Courtois and Gregory V. Bard: “Algebraic Cryptanalysis of the D.E.S.”.

eprint.iacr.org/2006/402/



What Can Be Done ?

Attack 1: Cubic Representation + ElimLin: Attack 1: Cubic Representation + ElimLin: Attack 1: Cubic Representation + ElimLin: We recover the key of We recover the key of We recover the key of 555---round DES with round DES with round DES with

3 KP3 KP3 KP faster than brute force. faster than brute force. faster than brute force. ••• When When When 232323 variables fixed, takes variables fixed, takes variables fixed, takes 173 s173 s173 s...••• Magma crashes > 2 Magma crashes > 2 Magma crashes > 2 GbGbGb of RAM.of RAM.of RAM.Attack 2: Optimised Gate-level representation + our

ANF-to-CNF conversion+ MiniSat 2.0.: Key recovery for 6-round DES. Only 1 KP (!).••• Fix Fix Fix 202020 variables takes variables takes variables takes 68 s68 s68 s. . . ••• Magma crashes with > 2 Magma crashes with > 2 Magma crashes with > 2 GbGbGb...



DES – New Frontier:

Break 8 rounds given 1 KP and in less than 255.

We encourage researchers to try.We cannot do it so far.

9



What Are the Limitations of Algebraic Attacks ?

• When the number of rounds grows: complexity jumps from 0 to ∞.

• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.

=> jumps from ∞ to nearly 0 !



Finally

What About AES?

Laws of Prediction [Arthur C. Clarke]:When a distinguished elder scientist tells you

something is not possible => he is wrong…



Limitations

¹ D>YC).4 & Y.& 23*920& D'(>:[D#/F*'4 B')'O'+1*>& 5=5�+ 7�8#23*'('*>4 7;:�& :=*'+1)T;)'+ 7RA'*'+1->º9GH)“A'& 2'20A')PGH*'4 4

”S1)>K B'K9GHA')'(P23A')

('<>YCO')'+,D#/�+1D'<'(>-':=& (>5�+1)'*>:�)':�V?K

¹ D>YC).*'+1).:�8')>5\23*>5�<'4 *'+?4 7R('* ïT�).S1)>K B'K'Y.*9J�& Y.<'Y

-')>B'+1)').& ( ò + ö O'(')'+,O'*':6& :=5�D'Y.8'<923*#23& D'('V,*'('-*>+1)C)'*>:�& 4 7R5�& +156<'YPT�)'(#23)'-'K

10



Exploring the New FrontierN ).(')')'-P7�)#2�20D -'& :�5�D#T�)'+ GHA'*92F& :=A'*'+1-.*'('-PGHA'*92& :=('D#23K

ø�ù

Ä 8'+1D'8'D>:�).* (')#GÊ23D'D'4 23D.A')'4 8.+1)':�)'*'+?5�A')'+1:Y.*'E6& ('B A'D'(')':{2 *'('- +1)':�8'D'(>:�& O'4 ) :\23*#23)'Y.)'(920: M

ø�ù Ç )920:=D'(P23A')P/0<923<'+1).*#2 23*>5�E�:6K



New Tool - Bets

¸ D'+U23A')P/0& +?:\2'20& Y.).& (.A>& :{23D'+ 7�º'& 2F& :=8'D':6:�& O'4 )�20D.O')92D'(.56+ 7�8#23D'B'+1*'8'A>& 5[*>4 B'D>+1& 23A'Y.:�GC& 23AC+?)'*'4�Y.D'(')#7�KZ A'& :=A'*':=(')9T�)>+ O')')'(.8'D>:�:�& O'4 )CO>)9/3D'+1)>K

¹ )>) GlGlGCK 5�+ 7�8923D>O')920K 5�D'Y K

Á½<>+18'D':�) M A'*9T�)P/0<'( *'('-.:�A'D#GÊ23A').*'-9T�*'('56)'YC)>(92D#/F5�+ 7;8923D'B'+?*'8'A'& 5=+1)':6)'*'+15�A>K Ä 2F& :=*CB>*'YC)>K



Current Bets:

Ä )'('56D'<'+1*'B')8')>D'8'4 )P23D8>+1D'8'D':�)(')#GúO')#23:+?)'4 *923)'-P23D20A')'& +,D9GH(+?)':�)'*'+?5�A'K

new frontiers in symmetric cryptanalysis · 2 algebraic attacks: a new frontier in symmetric...

Documents