outline - wordpress.com · 2019. 11. 21. · 1st round july 2009 14 candidates accepted r fo the...
TRANSCRIPT
New bounds on the algebrai degree of iteratedpermutationsChristina Boura(joint work with Anne Canteaut and Christophe De Cannière)SECRET Proje t-Team, INRIA Paris-Ro quen ourtGemalto, Fran eNovember 10, 20111 / 38
Outline1 Motivation2 A �rst bound on the degree3 Conne ting the degree with the inverse permutation4 Appli ation on the KN blo k ipher
2 / 38
MotivationOutline1 Motivation2 A �rst bound on the degree3 Conne ting the degree with the inverse permutation4 Appli ation on the KN blo k ipher
3 / 38
MotivationThe SHA-3 ompetition for hash fun tionsIn 2004, Wang et al. provided ollision atta ks for most of thestandardized hash fun tions (MD4, MD5, SHA-0, SHA-1 et ..)
4 / 38
MotivationThe SHA-3 ompetition for hash fun tionsIn 2004, Wang et al. provided ollision atta ks for most of thestandardized hash fun tions (MD4, MD5, SHA-0, SHA-1 et ..)Little on�den e on the se urity of SHA-2.
4 / 38
MotivationThe SHA-3 ompetition for hash fun tionsIn 2004, Wang et al. provided ollision atta ks for most of thestandardized hash fun tions (MD4, MD5, SHA-0, SHA-1 et ..)Little on�den e on the se urity of SHA-2.In 2007 NIST laun hed the SHA-3 publi ompetition for de�ning anew hash fun tion standard.
4 / 38
MotivationSHA-3 timelineO tober 2008 64 andidates re eivedDe ember 2008 51 andidates a epted for the 1st roundJuly 2009 14 andidates a epted for the 2nd roundDe ember 2010 5 �nalists sele ted2012 Winner must be announ edImportant to evaluate the se urity of the left andidates under:Atta ks (preimages, se ond-preimages, ollisions)Distinguishers5 / 38
MotivationSHA-3 timelineO tober 2008 64 andidates re eivedDe ember 2008 51 andidates a epted for the 1st roundJuly 2009 14 andidates a epted for the 2nd roundDe ember 2010 5 �nalists sele ted2012 Winner must be announ edImportant to evaluate the se urity of the left andidates under:Atta ks (preimages, se ond-preimages, ollisions)DistinguishersDistinguishers an invalidate se urity proofs and an be thestarting point for atta ks. 5 / 38
MotivationAlgebrai degree of a ve torial fun tion F : Fn2 → F
m2Example:
F (x0, x1, x2, x3, x4) = (x0 + x2 + x4 + x1x2 + x1x4 + x3x4 + x1x3x4,
x0 + x1 + x3 + x0x2 + x0x4 + x2x3 + x0x2x4,
x1 + x2 + x4 + x0x1 + x1x3 + x3x4 + x0x1x3,
x0 + x2 + x3 + x0x4 + x1x2 + x2x4 + x1x2x4,
x1 + x3 + x4 + x0x1 + x0x3 + x2x3 + x0x2x3).
6 / 38
MotivationAlgebrai degree of a ve torial fun tion F : Fn2 → F
m2Example:
F (x0, x1, x2, x3, x4) = (x0 + x2 + x4 + x1x2 + x1x4 + x3x4 + x1x3x4,
x0 + x1 + x3 + x0x2 + x0x4 + x2x3 + x0x2x4,
x1 + x2 + x4 + x0x1 + x1x3 + x3x4 + x0x1x3,
x0 + x2 + x3 + x0x4 + x1x2 + x2x4 + x1x2x4,
x1 + x3 + x4 + x0x1 + x0x3 + x2x3 + x0x2x3).The algebrai degree of F is 3. 6 / 38
MotivationHigher order di�erential ryptanalysis [Knudsen 94℄Generalization of � lassi al � di�erential ryptanalysis.Let F : Fn2 → F
n2 .De�nition[k-th order derivative of F ℄For any k-dimensional subspa e V of Fn
2 , the k-th order derivativeof F with respe t to V is the fun tion de�ned byDV F (x) =
⊕
v∈V
F (x+ v), for every x ∈ Fn2 .PropositionFor every subspa e V with dimV > degF ,
DV F (x) =⊕
v∈V
F (x+ v) = 0, for every x ∈ Fn2 . 7 / 38
MotivationHigher order di�erential ryptanalysis [Knudsen 94℄Some alternatives:Cube atta ks [Dinur-Shamir08℄Algebrai atta ks [Courtois-Meier 02℄[Courtois-Meier 03℄Zero-sum distinguishers [Aumasson-Meier09℄[Boura-Canteaut10℄Vulnerable to these atta ks : Fun tions posseding a low algebrai degree.8 / 38
MotivationHigher order di�erential ryptanalysis [Knudsen 94℄Some alternatives:Cube atta ks [Dinur-Shamir08℄Algebrai atta ks [Courtois-Meier 02℄[Courtois-Meier 03℄Zero-sum distinguishers [Aumasson-Meier09℄[Boura-Canteaut10℄Vulnerable to these atta ks : Fun tions posseding a low algebrai degree.Our work : Evaluating the se urity of some SHA-3 andidatesunder these types of atta ks. 8 / 38
MotivationIterative stru ture of symmetri onstru tionsMost symmetri onstru tions (i.e. blo k iphers, hash fun tions) arebased on an inner fun tion, alled the round fun tion, that is iterated manytimes.Most of these inner fun tions, are permutations.Examples :AES-128: (10 rounds of F : F1282 → F128
2 )DES: (16 rounds of F : F642 → F64
2 )Ke ak hash fun tion: (24 rounds of F : F16002 → F1600
2 )What is the algebrai degree of su h iterated onstru tions after a ertain number of rounds ? 9 / 38
MotivationBound on the degree of iterated permutationsQuestionHow to estimate the algebrai degree of an iterated permutationafter r rounds?
10 / 38
MotivationBound on the degree of iterated permutationsQuestionHow to estimate the algebrai degree of an iterated permutationafter r rounds?Trivial Bounddeg(G ◦ F ) ≤ degGdegF
10 / 38
MotivationBound on the degree of iterated permutationsQuestionHow to estimate the algebrai degree of an iterated permutationafter r rounds?Trivial Bounddeg(G ◦ F ) ≤ degGdegFTheorem [Canteaut-Videau 02℄ Let F be a fun tion from Fn
2 intoFn2 su h that all values wt(ϕb ◦ F + ϕa), a, b ∈ Fn
2 , b = 0 aredivisible by 2ℓ , for some integer ℓ. Then, for any G : Fn2 → Fn
2 , wehave deg(G ◦ F ) ≤ n− 1− ℓ+ deg(G). 10 / 38
A �rst bound on the degreeOutline1 Motivation2 A �rst bound on the degree3 Conne ting the degree with the inverse permutation4 Appli ation on the KN blo k ipher
11 / 38
A �rst bound on the degreeCase of SP NetworksNon-linear layer : Parallel appli ation of small-sized SboxesLinear layer : Linear permutationS1 S2
S1
S3 S4
S4
S3
S3
S2
S2S1
S4
12 / 38
A �rst bound on the degreeCase of SP NetworksNon-linear layer : Parallel appli ation of small-sized SboxesLinear layer : Linear permutationS1 S2
S1
S3 S4
S4
S3
S3
S2
S2S1
S4
How an we bound the degree of su h onstru tions ? 12 / 38
A �rst bound on the degreedegS = 3
S-Boxx0 x2x1 x3
y1 y2 y3y0
QuestionIf S is a permutation, what is thedegree of the produ t of k oordinates of S?
13 / 38
A �rst bound on the degreedegS = 3
S-Boxx0 x2x1 x3
y1 y2 y3y0
QuestionIf S is a permutation, what is thedegree of the produ t of k oordinates of S?De�nitionδk : maximum degree of the produ tof k oordinates of S
13 / 38
A �rst bound on the degreedegS = 3
S-Boxx0 x2x1 x3
y1 y2 y3y0
QuestionIf S is a permutation, what is thedegree of the produ t of k oordinates of S?De�nitionδk : maximum degree of the produ tof k oordinates of S
k δk1 313 / 38
A �rst bound on the degreedegS = 3
S-Boxx0 x2x1 x3
y1 y2 y3y0
QuestionIf S is a permutation, what is thedegree of the produ t of k oordinates of S?De�nitionδk : maximum degree of the produ tof k oordinates of S
k δk1 32 33 313 / 38
A �rst bound on the degreedegS = 3
S-Boxx0 x2x1 x3
y1 y2 y3y0
QuestionIf S is a permutation, what is thedegree of the produ t of k oordinates of S?De�nitionδk : maximum degree of the produ tof k oordinates of S
k δk1 32 33 34 4F permutation of Fn
2 :δk = n i� k = n. 13 / 38
A �rst bound on the degreeThe new boundTheorem. Let F be a fun tion from Fn2 into F
n2 orresponding to the on atenation of m smaller Sboxes, S1, . . . , Sm, de�ned over Fn0
2 . Then,for any fun tion G from Fn2 into F
ℓ2, we have
deg(G ◦ F ) ≤ n −n − deg(G)
γ,where
γ = max1≤i≤n0−1
n0 − i
n0 − δi.Most notably, if all Sboxes are balan ed, we have
deg(G ◦ F ) ≤ n −n − deg(G)
n0 − 1. 14 / 38
A �rst bound on the degreeS1 S3 S4S2ProblemMultiply d output bits from S1, S2, S3, S4 in su h a way that thedegree of their produ t π, deg(π) is maximized.
15 / 38
A �rst bound on the degreeS1 S3 S4S2ProblemMultiply d output bits from S1, S2, S3, S4 in su h a way that thedegree of their produ t π, deg(π) is maximized.De�nition
xi = # Sboxes for whi h exa tly i oordinates are involved in π.15 / 38
A �rst bound on the degreeS1 S3 S4S2ProblemMultiply d output bits from S1, S2, S3, S4 in su h a way that thedegree of their produ t π, deg(π) is maximized.De�nition
xi = # Sboxes for whi h exa tly i oordinates are involved in π.deg(π) ≤ max
(x1,x2,x3,x4)(δ1x1 + δ2x2 + δ3x3 + δ4x4)with x1 + 2x2 + 3x3 + 4x4 = d. 15 / 38
A �rst bound on the degreeS1 S3 S4S2
d x4 x3 x2 x1 deg(π)
16 4 - - - 161514131211109... ... ... ... ... ...
deg(π) = δ4 · x4 = 4 · 4 = 16 16 / 38
A �rst bound on the degreeS1 S3 S4S2
d x4 x3 x2 x1 deg(π)
16 4 - - - 1615 3 1 - - 1514131211109... ... ... ... ... ...
deg(π) = δ3 · x3 + δ4 · x4 = 3 · 1 + 4 · 3 = 15 16 / 38
A �rst bound on the degreeS1 S3 S4S2
d x4 x3 x2 x1 deg(π)
16 4 - - - 1615 3 1 - - 1514 3 - 1 - 15131211109... ... ... ... ... ...
deg(π) = δ2 · x2 + δ4 · x4 = 3 · 1 + 4 · 3 = 15 16 / 38
A �rst bound on the degreeS1 S3 S4S2
d x4 x3 x2 x1 deg(π)
16 4 - - - 1615 3 1 - - 1514 3 - 1 - 1513 3 - - 1 1512 2 1 - 1 1411 2 - 1 1 1410 2 - - 2 149 1 1 - 2 13... ... ... ... ... ...
16 / 38
A �rst bound on the degreeS1 S3 S4S2
d x4 x3 x2 x1 deg(π)
16 4 - - - 1615 3 1 - - 1514 3 - 1 - 1513 3 - - 1 1512 2 1 - 1 1411 2 - 1 1 1410 2 - - 2 149 1 1 - 2 13... ... ... ... ... ...
16 − deg(π) ≥16 − d
3 16 / 38
A �rst bound on the degreeS1 S3 S4S2
d x4 x3 x2 x1 deg(π)
16 4 - - - 1615 3 1 - - 1514 3 - 1 - 1513 3 - - 1 1512 2 1 - 1 1411 2 - 1 1 1410 2 - - 2 149 1 1 - 2 13... ... ... ... ... ...
deg(π) ≤ 16 −16 − d
3 16 / 38
A �rst bound on the degreeTrivial bound vs. New bound
02004006008001000120014001600
0 2 4 6 8 10 12 14 16deg(F)
Rounds Trivial Bound17 / 38
A �rst bound on the degreeTrivial bound vs. New bound
02004006008001000120014001600
0 2 4 6 8 10 12 14 16deg(F)
Rounds Trivial Bound17 / 38
A �rst bound on the degreeAn appli ation: The Ke ak aseKe ak [Bertoni-Daemen-Peeters-VanAss he 08℄3rd round SHA-3 andidateSponge onstru tionKe ak-f Permutation1600-bit state, seen as a 3-dimensional5× 5× 64 matrix24 rounds RNonlinear layer: 320 parallel appli ationsof a 5× 5 S-box χ
degχ = 2, degχ−1 = 3 18 / 38
A �rst bound on the degreeThe new bound applied on Ke ak-fLet R be the round fun tion of Ke ak-f and R−1 its inverse.For any F ,deg(F ◦R) ≤ 1600 −
1600 − deg(F )
3
deg(F ◦R−1) ≤ 1600 −1600 − deg(F )
3
19 / 38
A �rst bound on the degreeThe new bound applied on Ke ak-fLet R be the round fun tion of Ke ak-f and R−1 its inverse.For any F ,deg(F ◦R) ≤ 1600 −
1600 − deg(F )
3
deg(F ◦R−1) ≤ 1600 −1600 − deg(F )
3Example:deg(R11) = deg(R10 ◦R) ≤ 1600 −
1600 − deg(R10)
3≤ 1408 19 / 38
A �rst bound on the degreer deg(Rr) deg(R−r)1 2 32 4 93 8 274 16 815 32 2436 64 7297 128 11648 256 13829 512 149110 1024 154511 1408 157212 1536 158613 1578 159314 1592 159615 1597 159816 1599 1599 20 / 38
A �rst bound on the degreeZero-SumsFor blo k iphers (known-key atta k) [Knudsen - Rijmen 07℄For hash fun tions [Aumasson - Meier 09, Boura - Canteaut 10℄De�nition[Zero-Sum℄Let F : Fn2 → F
n2 .A zero-sum for F of size K is a subset {x1, . . . , xK} ⊂ F
n2 su h that
K⊕
i=1
xi =K⊕
i=1
F (xi) = 0.
21 / 38
A �rst bound on the degreeZero-sums for full Ke ak-fV + a
R24
(R−1)11 R12
Xa = {(R−1)11(a+ z), z ∈ V }, a ∈ Wis a zero-sum of size 21575 for 24 rounds of Ke ak-f .22 / 38
A �rst bound on the degreeZero-sums for full Ke ak-fV + a
R24
(R−1)11 R12
Xa = {(R−1)11(a+ z), z ∈ V }, a ∈ Wis a zero-sum of size 21575 for 24 rounds of Ke ak-f .Invalidates the hermeti sponge strategy. 22 / 38
A �rst bound on the degreeZero-sums permit to gain Belgian beers !
23 / 38
Conne ting the degree with the inverse permutationOutline1 Motivation2 A �rst bound on the degree3 Conne ting the degree with the inverse permutation4 Appli ation on the KN blo k ipher
24 / 38
Conne ting the degree with the inverse permutationAn observation on Ke akχ(x0, x1, x2, x3, x4) = (x0 + x2 + x1x2,
x1 + x3 + x2x3,
x2 + x4 + x3x4,
x3 + x0 + x4x0,
x4 + x1 + x0x1).
χ−1(x0, x1, x2, x3, x4) = (x0 + x2 + x4 + x1x2 + x1x4 + x3x4 + x1x3x4,
x0 + x1 + x3 + x0x2 + x0x4 + x2x3 + x0x2x4,
x1 + x2 + x4 + x0x1 + x1x3 + x3x4 + x0x1x3,
x0 + x2 + x3 + x0x4 + x1x2 + x2x4 + x1x2x4,
x1 + x3 + x4 + x0x1 + x0x3 + x2x3 + x0x2x3).25 / 38
Conne ting the degree with the inverse permutationAn observation on Ke akχ(x0, x1, x2, x3, x4) = (x0 + x2 + x1x2,
x1 + x3 + x2x3,
x2 + x4 + x3x4,
x3 + x0 + x4x0,
x4 + x1 + x0x1).
χ−1(x0, x1, x2, x3, x4) = (x0 + x2 + x4 + x1x2 + x1x4 + x3x4 + x1x3x4,
x0 + x1 + x3 + x0x2 + x0x4 + x2x3 + x0x2x4,
x1 + x2 + x4 + x0x1 + x1x3 + x3x4 + x0x1x3,
x0 + x2 + x3 + x0x4 + x1x2 + x2x4 + x1x2x4,
x1 + x3 + x4 + x0x1 + x0x3 + x2x3 + x0x2x3).Observation of [Duan-Lai 11℄: δ2(χ−1) = 3. 25 / 38
Conne ting the degree with the inverse permutationA new resultQuestion: Is δ2(χ−1) related to deg(χ)?
26 / 38
Conne ting the degree with the inverse permutationA new resultQuestion: Is δ2(χ−1) related to deg(χ)?Theorem: Let F be a permutation on Fn
2 . Then, for any integersk and ℓ,
δℓ(F ) < n− k if and only if δk(F−1) < n− ℓ.
26 / 38
Conne ting the degree with the inverse permutationProof: We show that ifδℓ(F
−1) < n− k then δk(F ) < n− ℓ.Let π(x) = ∏i∈K Fi(x), with |K| = k. The oe� ient a of ∏j 6∈L xj inthe ANF of π for |L| = ℓ,
a =∑
x∈Fn2
xj=0,j∈L
π(x) mod 2
= #{x ∈ Fn2 : xj = 0, j ∈ L and Fi(x) = 1, i ∈ K} mod 2
= #{y ∈ Fn2 : yi = 1, i ∈ K and F−1
j (y) = 0, j ∈ L} mod 2
= #{y ∈ Fn2 : yi = 1, i ∈ K and ∏
j∈L
(1 + F−1j (y)) = 1, j ∈ L} mod 2
= 0sin e, deg∏j∈L(1 + F−1j (y)) < n− k. 27 / 38
Conne ting the degree with the inverse permutationAppli ation to Ke akCorollary: Let F be a permutation on Fn
2 . Then, for any integer ℓδℓ(F ) < n− 1 if and only if deg(F−1) < n− ℓ.Case of Ke ak: For F = χ−1 and ℓ = 2,
δ2(χ−1) < 5− 1 i� deg(χ) < 5− 2
28 / 38
Conne ting the degree with the inverse permutationA new bound on the degreeCorollary: Let F be a permutation of Fn
2 and let G be a fun tionfrom Fn2 into Fm
2 . Then, we havedeg(G ◦ F ) < n−
⌊n− 1− degG
deg(F−1)
⌋.
29 / 38
Appli ation on the KN blo k ipherOutline1 Motivation2 A �rst bound on the degree3 Conne ting the degree with the inverse permutation4 Appli ation on the KN blo k ipher
30 / 38
Appli ation on the KN blo k ipherThe KN ipher [Knudsen-Nyberg 95℄6-round Feistel ipherL : F32
2 → F332 linear
L′ : F332 → F32
2 linearki : 33-bit subkey
σ : x 7→ x3 over F29
S : F233 → F233with x 7→ x3
F322 ×F32
2 → F322 × F32
2
(x, y) 7→ (y, x+ L′ ◦ S (L(x) + ki)) 31 / 38
Appli ation on the KN blo k ipherHigher-order di�erential atta k on KN ipher[Jakobsen-Knudsen 97℄If y0 is onstant, thendegxr ≤ (deg S)r−2Distinguishing property for r rounds.For any y0 ∈ F32
2 , for any a�ne subspa e V ⊂ F322 of dimension 2r−2 + 1,
⊕
x∈V
[E(r)k (x, y0)] = 0.For 6-round KNDistinguisher on 4 rounds with data omplexity 25, using that
deg x4 < 5.Distinguisher on 5 rounds with data omplexity 29, using thatdeg x5 < 9.Atta k on 6-round KN with data omplexity 25 and time omplexity270. 32 / 38
Appli ation on the KN blo k ipherHow to �repair� the ipher ?[Nyberg 93℄: Repla e S by the inverse of a quadrati permutation.The quadrati permutation and its inverse will have the sameproperties regarding di�erential and linear atta ks.The quadrati permutation is not involved neither in the en ryption,nor in the de ryption. 33 / 38
Appli ation on the KN blo k ipherThe KN ′ ipherσ̃ : F8
2 → F82
x 7→ t ◦ σ (e(x)))
e : F82 → F9
2 a�ne expansiont : F9
2 → F82 trun ation
x : σ(x) = x171 (the inverse of x3over F29)deg(S̃) = 5
F322 ×F32
2 → F322 × F32
2
(x, y) 7→ (y, x+ L′ ◦ S̃ (L(x) + ki)) 34 / 38
Appli ation on the KN blo k ipherAtta king KN ′Jakobsen-Knudsen atta k:deg(x5) ≤ 5× 5× 5
35 / 38
Appli ation on the KN blo k ipherAtta king KN ′Jakobsen-Knudsen atta k:deg(x5) ≤ 5× 5× 5infeasible
35 / 38
Appli ation on the KN blo k ipherAtta king KN ′Jakobsen-Knudsen atta k:deg(x5) ≤ 5× 5× 5infeasibleSet,
Fk(x) = L′ ◦ S̃ (L(x) + k) .Then,x2 = x0 + Fk1(y0)
x3 = y0 + Fk2 (x0 + Fk1(y0))
x4 = x0 + Fk1(y0) + Fk3 (y0 + Fk2 (x0 + Fk1(y0)))
x5 = x3 + Fk4(x4) 35 / 38
Appli ation on the KN blo k ipherAppli ation of the new boundx5 + x3 = G ◦ S(x)Using the new bound :
deg(G ◦ S) < 36−⌊35 − deg(G)
2
⌋,From a previous Corollary: deg(G) ≤ 22, thus
deg(x5) ≤ deg(G ◦ S) ≤ 29
36 / 38
Appli ation on the KN blo k ipherAppli ation of the new boundx5 + x3 = G ◦ S(x)Using the new bound :
deg(G ◦ S) < 36−⌊35 − deg(G)
2
⌋,From a previous Corollary: deg(G) ≤ 22, thus
deg(x5) ≤ deg(G ◦ S) ≤ 29Distinguisher on 5 rounds of KN ′ with data omplexity 230that improves the generi distinguisher. 36 / 38
Appli ation on the KN blo k ipherGeneralization to balan ed fun tions (not permutations)DES: Eight di�erent 6× 4 Sboxes.Can the new bound be generalized to balan ed fun tions from Fn2into Fm
2 with m < n?
37 / 38
Appli ation on the KN blo k ipherGeneralization to balan ed fun tions (not permutations)DES: Eight di�erent 6× 4 Sboxes.Can the new bound be generalized to balan ed fun tions from Fn2into Fm
2 with m < n?Corollary: Let F be a balan ed fun tion from Fn2 into Fm
2 and Gbe a fun tion from Fm2 into Fk
2. For any permutation F ∗ expandingF , we have
deg(G ◦ F ) < n−⌊n− 1− degG
deg(F ∗−1)
⌋. 37 / 38
Con lusionCon lusionNew bound on the degree of iterated permutations, having as anon-linear layer small balan ed Sboxes.The degree of F−1 a�e ts the degree of G ◦ F .Generalization of this result to balan ed fun tions from Fn2 into Fm
2with m < n.Appli ation of these results to various hash fun tions (Ke ak, JH,Grøstl, ECHO, Photon, Hamsi, Lu�a) and blo k iphers (AES, KN ).38 / 38
Con lusionCon lusionNew bound on the degree of iterated permutations, having as anon-linear layer small balan ed Sboxes.The degree of F−1 a�e ts the degree of G ◦ F .Generalization of this result to balan ed fun tions from Fn2 into Fm
2with m < n.Appli ation of these results to various hash fun tions (Ke ak, JH,Grøstl, ECHO, Photon, Hamsi, Lu�a) and blo k iphers (AES, KN ).Mer i pour votre attention ! 38 / 38