SLIDE 1

Algebraic Analysis of AES

Carlos Cid

Information Security Group, Royal Holloway, University of London

ECRYPT II AES Day 18 Oct 2012

Algebraic Analysis of AES Carlos Cid

SLIDE 2

Algebraic Analysis of AES

AES is an algorithm with a simple and very elegant design.
  • It has been designed to offer strong resistance against known attacks, in particular differential and linear cryptanalysis, while enabling efficient implementation on different platforms.
  • Given its careful design criteria, it has always seemed unlikely that its security can be affected by conventional methods of cryptanalysis.

SLIDE 3

Algebraic Analysis of AES

The AES also has a highly algebraic structure.
  • Fundamental component: the byte, as an element of K = GF(2^8).
  • SubBytes: inversion in K, followed by a linearised polynomial in K[x] and an addition in K.
  • ShiftRows + MixColumns: a linear operation on K^16.
  • AddRoundKey: addition in K.
The selection of AES led to a growing interest in the study of algebraic properties of block ciphers, and their applications in cryptanalysis.

SLIDE 4

Algebraic Techniques in Cryptanalysis

Algebra is the default tool in the analysis of asymmetric cryptosystems (RSA, ECC, Lattice-based, MPKC, etc). For symmetric cryptography (block and stream ciphers), the most commonly used techniques are statistical in nature:

  • Block ciphers: in linear and differential cryptanalysis (and variants), the attacker attempts to construct statistical patterns through many interactions with the cipher.
  • Stream ciphers: linear/differential, correlation attacks, distinguishing attacks, etc.

The selection of AES (and proposal of algebraic attacks against stream ciphers) led to an increasing interest in the use of algebraic techniques in the analysis of symmetric cryptosystems in the past 10 years.

SLIDE 5

Algebraic Structure of AES

The algebraic properties of Rijndael were not really explored in detail during the AES selection process; the focus was mostly on the proposal of dedicated attacks, eg the Square and bottleneck attacks. There were however some early observations, eg:
  • moving the F2-affine S-Box operation into an augmented linear layer (and key schedule) (Murphy and Robshaw);
  • a description of AES encryption using a form of continued fractions (a fully expanded expression for the full 10-round AES encryption would have around 2^50 terms) (Ferguson et al.).

SLIDE 6

Big Encryption System - BES

Due to Murphy and Robshaw (2002), the BES operates on 128-byte blocks with 128-byte keys and has a very simple algebraic structure:
  • S-Box layer: inversion in GF(2^8);
  • Linear diffusion layer: a GF(2^8)-linear transformation;
  • Subkey layer: addition of the round subkey.
The AES can be embedded into the BES via the vector conjugate mapping φ(a) = (a, a^2, a^4, ..., a^128); the BES restricted to a subspace provides an alternative description of the AES.

SLIDE 7

Polynomial Representation

In principle, one can always attempt to represent a cipher as a system of polynomial equations (over F2), and study its security based on the properties of this system.
  • We can therefore consider polynomial system solving as a cryptanalytic technique.
  • This has recently become an increasingly common technique in attempts to analyse symmetric-key encryption algorithms.

SLIDE 8

Polynomial System Solving in Symmetric-Key Cryptanalysis

In the context of (symmetric-key) cryptanalysis, solving systems of polynomial equations is typically associated with the technique called Algebraic Attacks.
  • Algebraic Attacks: set up and solve a system of equations arising from a stream cipher or block cipher, to recover the encryption key (or other secret information, eg the secret state of a stream cipher).
  • More generally, Algebraic Cryptanalysis: study algebraic systems to obtain some non-trivial insight into the algorithm.

A form of analysis with several attractive features.

SLIDE 9

Algebraic Cryptanalysis

Two well-defined tasks/challenges for the cryptanalyst:

  1. How to construct the system of equations.
  2. How to solve the resulting system (or obtain some insight into the cipher).

Both areas have attracted much attention from researchers.

SLIDE 10

Block Ciphers

For m-bit blocks and n-bit keys, we can describe a block cipher as E : F^m × F^n → F^m, (P, K) ↦ C. Block cipher encryption gives rise to a natural polynomial system: for a known pair (P, C), the encryption C = E(P, K) provides, at the bit level, m equations in n variables (the key bits).
  • Furthermore, we can add more equations to our system by using other plaintext-ciphertext pairs.
  • As the encryption operation is by design a complex function, we expect these polynomials to be very dense and of very high degree.
This form of attack is obviously impractical, and was never really considered a threat.

SLIDE 11

Block Cipher Structure

However, block ciphers are in practice designed with a very particular structure: most block ciphers present an iterated structure.
  • They are built in blocks, using low-cost simple operations, which are repeated for several rounds.
  • This allows more efficient implementation and a better study of the security of the cipher.

SLIDE 12

Algebraic Attack against Block Ciphers: second attempt

We can consider a different way to generate a system of equations for a block cipher: rather than one very complex equation for each ciphertext bit, we obtain simpler polynomials (low degree and sparse) for the round/layer functions. This approach gives rise to very large systems:
  • we need to add new variables for the intermediate unknown values;
  • encrypting more data does not seem to help (more equations, but also more variables).

SLIDE 13

Algebraic Attack against AES

This approach was proposed in 2003 against the AES (Courtois and Pieprzyk), and attracted a lot of attention from the cryptographic community. The system for the AES was presented, together with a dedicated method for solving the system.
  • The AES S-box (the only provider of non-linearity) gives rise to several quadratic equations: instead of y = x^254, use xy = 1, x^2 y = x and x y^2 = y.
  • It was claimed that this was a particularly bad feature, and that the proposed methods could exploit this fact.
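The algebraic description of the S-box on slide 3, the BES conjugate mapping on slide 6 and the three quadratic relations above can all be checked numerically in a few lines. The following is an added example, not code from the slides or from the cited papers: it implements GF(2^8) arithmetic with the AES polynomial, builds SubBytes as inversion followed by the F2-affine map, counts the bytes x for which y = x^254 satisfies xy = 1, x^2 y = x and x y^2 = y, and checks two properties of φ(a) = (a, a^2, a^4, ..., a^128) that make the BES S-box layer plain componentwise inversion. Function names are my own.

```python
# Added example (not from the slides): GF(2^8) arithmetic, the AES S-box as
# inversion followed by an affine map, the quadratic relations satisfied by
# the inversion, and the BES vector conjugate mapping phi.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two bytes as elements of K = GF(2^8)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in K."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """Inverse in K computed as x^254; 0 maps to 0, the convention used by the S-box."""
    return gf_pow(a, 254)


def affine(y):
    """F2-affine part of SubBytes: bit i = y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7} + c_i, c = 0x63."""
    out = 0
    for i in range(8):
        bit = 0
        for s in (0, 4, 5, 6, 7):
            bit ^= (y >> ((i + s) % 8)) & 1
        out |= bit << i
    return out ^ 0x63


def sbox(x):
    """AES SubBytes on one byte: inversion in K, then the affine map."""
    return affine(gf_inv(x))


def quadratic_relations_hold(x):
    """With y = x^254, check x*y = 1, x^2*y = x and x*y^2 = y."""
    y = gf_inv(x)
    return (gf_mul(x, y) == 1
            and gf_mul(gf_mul(x, x), y) == x
            and gf_mul(x, gf_mul(y, y)) == y)


def count_relation_solutions():
    """Number of bytes x for which all three relations hold (x = 0 fails x*y = 1)."""
    return sum(1 for x in range(256) if quadratic_relations_hold(x))


def conjugates(a):
    """BES vector conjugate mapping phi(a) = (a, a^2, a^4, ..., a^128)."""
    return tuple(gf_pow(a, 1 << k) for k in range(8))


def phi_is_additive(a, b):
    """Frobenius a -> a^2 is F2-linear, so phi(a + b) = phi(a) + phi(b) componentwise."""
    return conjugates(a ^ b) == tuple(u ^ v for u, v in zip(conjugates(a), conjugates(b)))


def phi_commutes_with_inversion(a):
    """phi(a^-1) is the componentwise inverse of phi(a): the BES S-box layer is just inversion."""
    return conjugates(gf_inv(a)) == tuple(gf_inv(c) for c in conjugates(a))


if __name__ == "__main__":
    # constructed check values: FIPS-197 gives {53}^-1 = {ca} and SubBytes({53}) = {ed}
    print(hex(gf_inv(0x53)), hex(sbox(0x53)), count_relation_solutions())
```

Running it reports 255 bytes satisfying all three relations: only x = 0 fails, and it fails only xy = 1, which is why the two cubic-looking relations x^2 y = x and x y^2 = y (both still quadratic in the unknowns x and y) are kept alongside it. The two φ checks are what lets the BES replace the F2-affine S-box with GF(2^8)-linear operations on the conjugate vector.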

SLIDE 14

Algebraic Analysis of AES

Two tasks:

  1. How to construct the system of equations.
     • over GF(2): 8000 equations and 1600 variables;
     • over GF(2^8): 8576 equations, 4288 variables (derived from the BES).

  2. How to solve the resulting system (or obtain some insight into the cipher).
     • XSL (eXtended Sparse Linearisation): based on linearisation, but attempting to exploit the sparsity and specific structure of the equation system;
     • Gröbner basis algorithms, SAT-solvers, etc.
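To make task 1 concrete, the following added example (my own code, not from the slides or the Courtois and Pieprzyk paper) derives the bit-level GF(2) equations for one S-box relation. Writing x = Σ x_i α^i and y = Σ y_j α^j with α a root of the AES polynomial, the product xy is computed symbolically, its eight coordinates become polynomials in the 16 unknown bits x_0..x_7, y_0..y_7, and the relation xy = 1 yields eight quadratic equations. The x_i and y_j are exactly the intermediate variables of slide 12: new unknowns per S-box rather than per ciphertext bit. Polynomials are represented as sets of monomials, each monomial a frozenset of variable names; function names are my own.

```python
# Added example (not from the slides): the bit-level quadratic equations over
# GF(2) that encode x * y = 1 for the AES inversion, built symbolically.
# Polynomial = set of monomials; monomial = frozenset of variable names;
# frozenset() is the constant 1; addition mod 2 is symmetric difference.

AES_POLY_BITS = (1, 1, 0, 1, 1, 0, 0, 0)  # alpha^8 = alpha^4 + alpha^3 + alpha + 1 (low bit first)


def product_coefficients():
    """Return c_0..c_7 with x*y = sum_k c_k(x_0..x_7, y_0..y_7) * alpha^k in GF(2^8)."""
    coeffs = [set() for _ in range(15)]
    for i in range(8):
        for j in range(8):
            coeffs[i + j] ^= {frozenset({f"x{i}", f"y{j}"})}   # unreduced x_i*y_j*alpha^(i+j)
    # reduce alpha^k for k >= 8, top down, using alpha^8 = alpha^4 + alpha^3 + alpha + 1
    for k in range(14, 7, -1):
        for t, bit in enumerate(AES_POLY_BITS):
            if bit:
                coeffs[k - 8 + t] ^= coeffs[k]
        coeffs[k] = set()
    return coeffs[:8]


def inversion_equations():
    """Eight quadratic polynomials that vanish exactly when x*y = 1."""
    eqs = product_coefficients()
    eqs[0] ^= {frozenset()}  # constant term: c_0 + 1 = 0, all other c_k = 0
    return eqs


def evaluate(poly, env):
    """Evaluate a GF(2) polynomial at a 0/1 assignment of its variables."""
    return sum(all(env[v] for v in mono) for mono in poly) % 2


def bits(value, name):
    """Bit variables name0..name7 of a byte, low bit first."""
    return {f"{name}{i}": (value >> i) & 1 for i in range(8)}


def gf_mul_via_equations(a, b):
    """Multiply two bytes by evaluating the symbolic coefficient polynomials."""
    env = {**bits(a, "x"), **bits(b, "y")}
    return sum(evaluate(c, env) << k for k, c in enumerate(product_coefficients()))


def find_inverse(x):
    """Brute-force the y satisfying all eight equations for fixed x (None when x = 0)."""
    eqs = inversion_equations()
    xenv = bits(x, "x")
    for y in range(256):
        env = {**xenv, **bits(y, "y")}
        if all(evaluate(e, env) == 0 for e in eqs):
            return y
    return None


def system_stats(eqs):
    """(equations, variables, maximum degree, monomials per equation) of a system."""
    variables = {v for e in eqs for m in e for v in m}
    degree = max(len(m) for e in eqs for m in e)
    return len(eqs), len(variables), degree, [len(e) for e in eqs]


if __name__ == "__main__":
    # constructed check: FIPS-197 gives {57}*{83} = {c1} and {53}^-1 = {ca}
    print(hex(gf_mul_via_equations(0x57, 0x83)), hex(find_inverse(0x53)))
    print(system_stats(inversion_equations()))
```

The statistics show what the slide's counts are built from: one relation on one S-box gives 8 equations of degree 2 in 16 variables, each with a few dozen monomials, so the system is sparse and low degree but grows with every S-box instance, which is why the full-cipher counts run into the thousands. The same derivation applied to x^2 y = x and x y^2 = y (squaring is F2-linear, so those equations are quadratic too) gives the remaining S-box equations; find_inverse(0) returning None records that xy = 1 alone does not describe the S-box at 0.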

SLIDE 15

XSL against AES

The claim was that with XSL one could:
  • mount an (at least theoretical) successful attack against the AES with 256-bit keys (using the system over GF(2));
  • mount an (at least theoretical) successful attack against the AES with 128-bit keys (using the system over GF(2^8)).
This initial work spurred frantic activity (and much speculation) in the area of algebraic cryptanalysis of block ciphers (and the AES in particular).

SLIDE 16

AES news (Crypto-Gram Newsletter - Sep 15, 2002)

AES may have been broken. Serpent, too. Or maybe not. In either case, there’s no need to panic. Yet. But there might be soon. Maybe. ... Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and then using an innovative technique to treat the terms of those polynomials as individual variables. ... There are a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier. (This is a gross oversimplification of the paper; read it for more detail.) ... These are amazing results. ... There was some buzz about the paper in the academic community, but it quickly died down. I believe the problem was that the paper was dense and hard to understand. The attack technique, something called XSL, was brand new. ... In any case, there’s no cause for alarm yet. These attacks can be no more implemented in the field than they can be tested in a lab.... There’s so much security margin in these ciphers that the attacks are irrelevant. But there is call for worry. If the attack really works, it can only get better. My fear is that we could see optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things start to get dicey about ten years from now... The work is fascinating... ... We’re starting to see the new attack tools that work against some of the AES finalists. It’s an open question as to how long the tools will remain theoretical. But many cryptographers who previously felt good about AES are having second thoughts.

SLIDE 17

More on AES Cryptanalysis (Crypto-Gram Newsletter - Oct 15, 2002)

I can say with certainty that no one knows for certain if XSL can break Rijndael or Serpent or anything else. Actually, I can say something stronger: no one has produced an actual demonstration of XSL breaking even a simplified version of Rijndael or Serpent or anything else. This makes a lot of people skeptical. Demonstrations are important.... ... The XSL techniques have not been demonstrated yet. A number of respectable cryptographers, whose opinions I value highly, don’t think the techniques work. Don Coppersmith has published a note on the topic. And T. Moh has a Web page about this... ... I know that several groups are working on the techniques, and if they work one of those groups should be able to demonstrate something, on something, soon. I’ll provide additional information when I learn of it.

SLIDE 18

XSL against AES

The XSL method was certainly a valid attempt to exploit the particular structure of the AES system; it was however shown (Asiacrypt 05 and FSE 07) that the algorithm did not work as expected (in particular, it is not an efficient method to solve the system arising from the AES). Other attempts, neat tricks (eg Meet-in-the-Middle) and known methods of solving (eg Gröbner bases, SAT-solvers), do not seem to have provided much success either.

SLIDE 19

Algebraic Attacks: New Approaches to Generate the System

Note that much early work assumed that the method of generating the system of equations was the best approach, and concentrated on studying/proposing methods for solving the system. Maybe we have to concentrate on finding new ways of generating the polynomial systems. Some promising approaches:
  • Combining statistical and algebraic cryptanalysis (Albrecht and Cid, 2009): use probabilistic methods to simplify the system of equations; use the algebraic structure to help distinguish non-random patterns.
  • Studying algebraically the behaviour of the encryption operation on structured input (eg Albrecht et al., 2010; Cube Attacks, Dinur and Shamir, 2009).
These gave rise to interesting results, but as yet no significant progress or breakthrough in this area (in particular, not against the AES).

SLIDE 20

Algebraic Attacks: Limitations

In fact, despite early inflated hopes, results have been somewhat disappointing.
  • It is safe to say that no known (serious) block cipher has been broken using pure algebraic techniques faster than with other techniques.
  • Early work concentrated on solving methods; more recently we have considered how to generate more tractable systems and/or combine these with other techniques.

SLIDE 21

Algebraic Attacks: Limitations

Maybe one of the reasons for the overestimation of the success of these attacks is a flaw in the approach: one considers the several layers separately.

The S-Box is the only source of non-linearity, so we do not need to worry about the linear layer (it is linear!!).

Modern ciphers, however, have well-chosen linear layers that provide very strong diffusion (put in place to protect against conventional statistical attacks). This same mechanism may provide more protection against algebraic cryptanalysis than originally thought (by providing strong symbol mixing between layers).

SLIDE 22

Algebraic Attacks against AES

The AES features a particularly strong diffusion layer (it is one of its main features against conventional cryptanalysis).
  • Conjecture: the AES is a particularly strong cipher against (polynomial system-solving) algebraic cryptanalysis (despite its low-degree S-Boxes).
  • Ideally we would be able to quantify the protection provided by the diffusion layer (this seems, however, very difficult to achieve).

SLIDE 23

Conclusions

  • AES has a very elegant algebraic structure. It provides an interesting platform for study.
  • Despite early buzz, algebraic attacks have had limited practical success so far against block ciphers; no progress against AES!
  • In fact, AES may be particularly strong against system-solving attacks.
  • One could however try to go beyond solving the system (Algebraic Analysis: obtain non-trivial information from within the cipher operation).
  • This is an interesting and active area of research... new ideas needed.
Thank you!
