A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro (PowerPoint PPT Presentation)


SLIDE 1

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro

Gregor Leander (1), Brice Minaud (2), Sondre Rønjom (3)

(1) Ruhr-Universität Bochum, Germany; (2) ANSSI and Université Rennes 1, France; (3) Nasjonal Sikkerhetsmyndighet, Norway

EUROCRYPT 2015

SLIDE 2

Plan

  • 1. Introduction: invariant subspace attacks.
  • 2. Finding invariant subspaces: a generic algorithm.
  • 3. Results on Robin, iSCREAM and Zorro.
  • 4. Commuting linear maps in Robin and Zorro.
  • 5. Conclusion.

SLIDE 3

Invariant Subspace Attacks

Invariant subspace attacks were introduced at CRYPTO 2011. They were used to break PRINTCIPHER in practical time [LAKZ11]. They take advantage of weak key schedules.

SLIDE 4

Invariant Subspace Attacks

Assume the round function $F$ sends some affine space $a + V$ to a coset $b + V$ of the same linear space $V$: $F(a + V) = b + V$.

SLIDE 5

Invariant Subspace Attacks

$F(a + V) = b + V$. Now assume the round key satisfies $K \in b - a + V$. Then the key addition maps $b + V$ back to $a + V$ (over $\mathbb{F}_2^n$, $b + (b - a) + V = a + V$).

SLIDE 6

Invariant Subspace Attacks

$F(a + V) = b + V$ and $K \in b - a + V$. Then this process repeats itself round after round: $F$ sends $a + V$ to $b + V$ and the key addition sends it back to $a + V$. Plaintexts in $a + V$ are mapped to ciphertexts in $a + V$.

SLIDE 7

Invariant Subspace Attacks

$F(a + V) = b + V$ and $K \in b - a + V$, repeated over all rounds. Confidentiality is broken. Density of weak keys: $2^{-\operatorname{codim} V}$.

SLIDE 8

Finding invariant subspace attacks: a generic algorithm

SLIDE 9

A Generic Algorithm

$F(a + V) = b + V$. Bootstrap: assume we know $s, t \in a + V$. Then $F(s), F(t) \in b + V$, so $F(s) - F(t) \in V$. Now we know one more vector of $V$.

SLIDE 10

A Generic Algorithm

$F(a + V) = b + V$.

"Closure" Algorithm. Input: $s$, $W$ such that $s + W \subseteq a + V$. Output: the enlarged $W$.

  • 1. Pick $w \leftarrow W$ uniformly at random.
  • 2. Add $F(s + w) - F(s)$ to $W$.
  • 3. Iterate steps 1 and 2 until $W$ remains stable for $N$ iterations.
  • 4. Return $s + W$.

SLIDE 11

A Generic Algorithm

A few remarks…

  • The algorithm only outputs the smallest invariant subspace containing the input.
  • … we still need to bootstrap.
SLIDE 12

Bootstrapping the Algorithm

We cheated a little.

[Diagram: iterated rounds $F: a + V \to b + V$, each followed by the addition of the same key $K$.]

SLIDE 13

Bootstrapping the Algorithm

We cheated a little.

[Diagram: iterated rounds $F: a + V \to b + V$, where each round adds the key $K$ together with a round constant $C_i$, $C_{i+1}$, … that changes from round to round.]

SLIDE 14

Bootstrapping the Algorithm

We really want $\forall i,\ C_i \in V$.

[Same diagram: rounds $F: a + V \to b + V$ with the key $K$ and the round constants $C_i$, $C_{i+1}$ added.]

SLIDE 15

Bootstrapping the Algorithm

We really want $\forall i,\ C_i \in V$. Then $W = \operatorname{span}\{C_i\} \subseteq V$. This gives us a "nucleon".

SLIDE 16

Bootstrapping the Algorithm

We really want $\forall i,\ C_i \in V$. Then $W = \operatorname{span}\{C_i\} \subseteq V$. This gives us a "nucleon". If $a \neq 0$, it remains to find an offset $s \in a + V$. We simply try many random offsets.

SLIDE 17

Complexity

Generic Invariant Subspace Algorithm

  • 1. $W \leftarrow \operatorname{span}\{C_i\}$
  • 2. Guess offset $s$
  • 3. Compute $\mathrm{Closure}(s + W)$
  • 4. Repeat until $\dim(\mathrm{Closure}) < n$

SLIDE 18

Complexity

Generic Invariant Subspace Algorithm

  • 1. $W \leftarrow \operatorname{span}\{C_i\}$
  • 2. Guess offset $s$
  • 3. Compute $\mathrm{Closure}(s + W)$
  • 4. Repeat until $\dim(\mathrm{Closure}) < n$

If $a + V$ is actually a linear space: instant result. Otherwise a random offset lies in $a + V$ with probability $2^{-\operatorname{codim} V}$, so on average $2^{\operatorname{codim} V}$ tries are needed.
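The Closure algorithm of slide 10 and the generic algorithm of slides 17 and 18, as an added Python example; this is not the paper's own code nor the public implementation linked on slide 19. The 8-bit toy cipher, its use of the PRESENT S-box, its round constants and every function name are assumptions constructed here: the hidden invariant subspace is the set of states whose two nibbles are equal, it is linear, so the search that starts from $W = \operatorname{span}\{C_i\}$ succeeds at offset $s = 0$, and keys in that subspace are the weak keys.

```python
import functools, random

# Toy 8-bit cipher constructed for this example: two 4-bit nibbles, the same S-box
# on each nibble, and a linear layer L that commutes with swapping the nibbles.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS = 8
CONSTANTS = [0x11, 0x33, 0x77]  # round constants C_i, each with two equal nibbles

def sh(v):  # nilpotent 4-bit map (sh(sh(v)) = 0), which makes L an involution
    return (v << 2) & 0xF

def round_function(x):  # F = L o S, without key or constant
    hi, lo = SBOX[x >> 4], SBOX[x & 0xF]
    return ((hi ^ sh(lo)) << 4) | (lo ^ sh(hi))

def encrypt(x, key, rounds=6):  # each round: F, then add C_i and the fixed key
    for i in range(rounds):
        x = round_function(x) ^ CONSTANTS[i % len(CONSTANTS)] ^ key
    return x

def reduce_vec(basis, v):  # reduce v against an echelon basis {pivot bit: vector}
    while v and (v.bit_length() - 1) in basis:
        v ^= basis[v.bit_length() - 1]
    return v

def insert(basis, v):  # grow span(basis) by v; True if the dimension increased
    v = reduce_vec(basis, v)
    if v:
        basis[v.bit_length() - 1] = v
    return bool(v)

def closure(F, s, basis, rng, stable_rounds=32):
    # Closure: add F(s + w) - F(s) for random w in W until W stops growing.
    basis, stable = dict(basis), 0
    while stable < stable_rounds:
        w = functools.reduce(int.__xor__, (v for v in basis.values() if rng.getrandbits(1)), 0)
        stable = 0 if insert(basis, F(s ^ w) ^ F(s)) else stable + 1
    return basis

def find_invariant_subspace(F, constants, n, seed=1, max_tries=4096):
    # Generic algorithm: nucleon W = span{C_i}, guess offsets s (0 first), stop when dim < n.
    rng, nucleon = random.Random(seed), {}
    for c in constants:
        insert(nucleon, c)
    for t in range(max_tries):
        s = 0 if t == 0 else rng.getrandbits(n)
        found = closure(F, s, nucleon, rng)
        if len(found) < n:
            return s, found
    return None
```

The returned basis has dimension 4 in an 8-bit state, i.e. codimension 4, so the weak-key density of this toy is $2^{-4}$ in the sense of slide 7.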

SLIDE 19

Properties of the algorithm

  • Generic: black-box use of round functions
  • Does not disprove the existence of "small" spaces
  • Public implementation: http://invariant-space.gforge.inria.fr

SLIDE 20

Results on Robin, iSCREAM and Zorro

SLIDE 21

Robin, iSCREAM and Zorro

Robin and Fantomas: lightweight ciphers, created to illustrate LS-designs, FSE 2014 [GLSV14]. SCREAM and iSCREAM: authenticated variants of Fantomas and Robin, CAESAR competition entries. Zorro: lightweight cipher with a partial nonlinear layer [GGNS13]. Broken by differential and linear attacks. Best attack: $2^{40}$ data/complexity [BDDLKT14].

SLIDE 22

Results on various ciphers

➡ Weak key set of density $2^{-32}$, leading to an immediate break of confidentiality for Robin, iSCREAM, Zorro.

Cipher                          Result                                                              Running Time
Robin                           Subspace found! codimension 32                                      22h
iSCREAM                         Subspace found! codimension 32                                      22h
Zorro                           Subspace found! codimension 32                                      <1h
Fantomas, NOEKEON, LED, Keccak  With probability 99.9%: no invariant subspace of codimension < 32

SLIDE 23

Commuting linear maps in Robin

SLIDE 24

Robin

Robin and Fantomas [GLSV14], FSE 2014. Lightweight block ciphers with efficient masking. Block = 128 bits, security = 128 bits. Robin = involutive version. Simple and elegant design: "LS-design".

SLIDE 25

Robin: L layer

State: 16 x 8 bits. L layer: the same linear map L is applied to each row.

SLIDE 26

Robin: LS layers

  • L layer: the same linear map on each row.
  • S layer: the same S-box on each column.

SLIDE 27

Robin round function

One round =

  • L layer
  • S layer
  • Constant addition
  • Key addition

Encryption: 16 rounds.

SLIDE 28

Invariant permutations

State B = permutation $P$ of the columns of State A.

SLIDE 29

Invariant permutations

Assume $PL = LP$. Then State B remains a permutation (by $P$) of State A through the L layer.

SLIDE 30

Invariant permutations

Through the L layer and then the S layer, State B stays the permutation $P$ of State A. The S layer comes for free! (The same S-box acts on every column, so permuting the columns commutes with it.)

SLIDE 31

Invariant permutations

State B remains a permutation of State A through…

  • L layer: OK if $LP = PL$.
  • S layer: OK.
  • Constant addition: OK if $P(C_i) = C_i$.
  • Key addition: OK if $P(K_A) = K_B$.

➡ $P$ commutes with the round function!

SLIDE 32

Invariant permutation attack

If $LP = PL$ and $\forall i,\ C_i \in \ker(P + \mathrm{Id})$: then for related keys $K_2 = P(K_1)$, related plaintexts $P_2 = P(P_1)$ remain related through encryption and yield related ciphertexts $C_2 = P(C_1)$.

SLIDE 33

Invariant permutation attack

If $LP = PL$ and $\forall i,\ C_i \in \ker(P + \mathrm{Id})$: then for related keys $K_2 = P(K_1)$, related plaintexts $P_2 = P(P_1)$ remain related through encryption and yield related ciphertexts $C_2 = P(C_1)$.

If $LP = PL$ and $\forall i,\ C_i \in \ker(P + \mathrm{Id})$: then for a self-related key $K = P(K)$, related plaintexts $P_2 = P(P_1)$ remain related through encryption and yield related ciphertexts $C_2 = P(C_1)$.

SLIDE 34

Invariant permutation attack

If $LP = PL$ and $\forall i,\ C_i \in \ker(P + \mathrm{Id})$: then for a self-related key $K = P(K)$, self-related plaintexts $M = P(M)$ yield self-related ciphertexts $C = P(C)$.

SLIDE 35

Invariant permutation attack

If $LP = PL$ and $\forall i,\ C_i \in \ker(P + \mathrm{Id})$: then for a self-related key $K = P(K)$, self-related plaintexts $M = P(M)$ yield self-related ciphertexts $C = P(C)$.

This is an invariant subspace attack! The invariant subspace is $\ker(P + \mathrm{Id})$.

SLIDE 36

Attack on Robin and iSCREAM

Robin and iSCREAM: one suitable permutation $P$.

  • Weak key attack. Density $2^{-\operatorname{codim} \ker(P + \mathrm{Id})} = 2^{-32}$.
  • Related key attack.
  • Attacks require 2 chosen plaintexts, practically no time or memory.

In addition, for weak keys:

  • Fixed points of $P$ form a subcipher.
  • Key recovery in time $2^{64}$.

SLIDE 37

Robin vs Zorro

Zorro is a variant of AES with some key differences:

  • No key schedule.
  • S-boxes affect a single row.

[Diagram: four S-boxes acting on one row of the state.]

SLIDE 38

Robin vs Zorro

Zorro is a variant of AES with some key differences:

  • No key schedule.
  • S-boxes affect a single row.

[Diagram: four S-boxes acting on one row of the state.]

Yet: there still exists a linear map $M$ that commutes with the round function!

[Diagram: $M$ as a block matrix built from identity blocks and a swap.]

SLIDE 39

Robin vs Zorro

Zorro is a variant of AES with some key differences:

  • No key schedule.
  • S-boxes affect a single row.

[Diagram: four S-boxes acting on one row of the state.]

Yet: there still exists a linear map $M$ that commutes with the round function!

[Diagram: $M$ as a block matrix built from identity blocks and a swap.]

➡ All the same weaknesses as Robin. In particular, weak key set of density $2^{-32}$.

SLIDE 40

Attack comparison

Cipher          Type                         Data           Time        Reference
Robin, iSCREAM  Weak key, density $2^{-32}$  2 CP           negligible  this paper
Zorro           Weak key, density $2^{-32}$  2 CP           negligible  this paper
Zorro           Differential                 $2^{41.5}$ CP  $2^{45}$    [BDDLKT14]
Zorro           Linear                       $2^{45}$ KP    $2^{45}$    [BDDLKT14]

SLIDE 41

Conclusion

  • A generic algorithm to find invariant subspaces. Automatically finds attacks on Robin, iSCREAM and Zorro.
  • Practical break of Robin, iSCREAM and Zorro. Weak key set of density $2^{-32}$ in all cases. Based on a new self-similarity property. Uncovers more properties: commuting linear map, subcipher, faster key recovery…

SLIDE 42

Conclusion

Thank you for your attention! Questions?