An Improved Affine Equivalence Algorithm for Random Permutations (presentation slides)


  1. An Improved Affine Equivalence Algorithm for Random Permutations. Itai Dinur, Ben-Gurion University, Israel. EUROCRYPT 2018

  2. Affine Equivalence Problem (AEP)
     • Given two functions F, G: {0,1}^n → {0,1}^n, are there invertible affine transformations A1, A2 (over GF(2)^n) such that G = A2 ∘ F ∘ A1?
     • A1(x) = L1(x) ⊕ b1, A2(x) = L2(x) ⊕ b2 for square matrices L1, L2
     • If so, find A1, A2
     • Variant in asymmetric-key cryptography: isomorphism of (low-degree) polynomials (over some field)
     • Importance in symmetric-key cryptography:
       • Design and analysis of S-boxes
       • Affine equivalent S-boxes share many differential/linear properties
       • Cryptanalysis of white-box ciphers

  3. Best Known Algorithms for AEP
     [Diagram: G = A2 ∘ F ∘ A1]
     • "A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms" by Biryukov, De Cannière, Braeken, and Preneel (Eurocrypt 2003)

  4. Affine Equivalence Algorithms [BCBP03]
     [Diagram: G = A2 ∘ F ∘ A1, with input triplets x1, x2, x3 (of G) and y1, y2, y3 (of F) and output triplets z1, z2, z3 and w1, w2, w3]
     • Evaluate G on inputs x and F on inputs y
     • Assume F, G are affine equivalent
     • 1) Look for a "good event": a matching triplet A1(x1) = y1, A1(x2) = y2, A1(x3) = y3
     • 2) Distinguish between good/bad events:
       • Use the affine properties of A1, A2 to detect a good/bad match
       • A matching triplet can be used to recover A1, A2

  5. Affine Equivalence Algorithms [BCBP03]
     • Algorithm 1: guess and verify
       • Complexity ≈ 2^(3n) (search space: all 2^(3n) triplets)
       • After optimization ≈ 2^(2n)
     • Algorithm 2: birthday paradox
       • Extend triplets independently for F, G using linear relations
       • Look for matching triplets in a table
       • Complexity ≈ 2^(3n/2) (square root of the search space size)

  6. New Improved Algorithm
     [Diagram: G = A2 ∘ F ∘ A1, with an affine subspace S mapped by A1 to S']
     • Complexity: ≈ 2^n (improving the ≈ 2^(3n/2) complexity)
     • Note: A1 maps an affine subspace to an affine subspace
     • Main idea: match affine subspaces of dimension n-1 through A1
       • Each match gives n+1 linear equations on A1
       • Need about n matches to recover A1
     • Motivation: only 2^(n+1) such affine subspaces
       • Much less than 2^(3n) vector triplets
       • "Good event" more likely, but how to detect it?

  7. Restricted Functions and Masks
     • Problem: how do we know that S and S' match?
     • Represent an (n-1)-dimensional affine subspace S by a linear equation with n+1 coefficients (mask M)
       • For n = 3, the affine subspace {000, 001, 010, 011} is represented by the equation x1 = 0
       • Written as 1·x1 + 0·x2 + 0·x3 + 0 = 0 (M = 1000)
     • There are 2^(n+1) - 2 such non-zero valid masks (equations)
     • If A1(S) = S', write M → M' for their masks

  8. Restricted Functions
     [Diagram: G = A2 ∘ F ∘ A1, with the restricted functions G|M and F|M' on the subspaces of masks M and M']
     • Problem: how do we know that M → M'?
     • The restricted functions F|M' and G|M map n-1 bits to n bits
     • For G|M (and F|M'), represent each of the n output bits as a polynomial over GF(2) in n-1 input bits

  9. Restricted Functions
     Example: G: {0,1}^3 → {0,1}^3
       G1(x1, x2, x3) = x1x2 ⊕ x1x3 ⊕ x2 ⊕ 1
       G2(x1, x2, x3) = x1x2 ⊕ x1 ⊕ x2
       G3(x1, x2, x3) = x1x3 ⊕ x3
     • Assume M = 1000 (linear equation x1 = 0):
       G1|M(x2, x3) = x2 ⊕ 1
       G2|M(x2, x3) = x2
       G3|M(x2, x3) = x3

  10. Restricted Functions
     • Problem: how do we know that M → M'?
     • The restricted functions F|M' and G|M map n-1 bits to n bits
     • For G|M (and F|M'), represent each of the n output bits as a polynomial over GF(2) in n-1 input bits
     • View the n polynomials as vectors (over the space of monomials) and compute their rank r (0 ≤ r ≤ n)
     • Basic property: if M → M' then rank(G|M) = rank(F|M')
       • Since A1 and A2 are invertible
     • Truncated polynomials: look only at monomials of degree ≥ n-2
       • Otherwise, the rank is either (almost) always n or always 1

  11. Restricted Functions
     Example: G: {0,1}^3 → {0,1}^3
       G1(x1, x2, x3) = x1x2 ⊕ x1x3 ⊕ x2 ⊕ 1
       G2(x1, x2, x3) = x1x2 ⊕ x1 ⊕ x2
       G3(x1, x2, x3) = x1x3 ⊕ x3
     • Assume S is defined by the linear equation x1 = 0 (mask M = 1000):
       G1|M(x2, x3) = x2 ⊕ 1
       G2|M(x2, x3) = x2
       G3|M(x2, x3) = x3
     • Keep monomials of degree ≥ n-2 = 1
     • Then rank(G|M) = rank{x2, x2, x3} = 2
     • If M → M', then rank(F|M') = rank(G|M) = 2

  12. Rank Table (simplified)
     • Rank table of G: for each 0 ≤ r ≤ n, entry r contains all M such that rank(G|M) = r
     • First step of the algorithm:
       • Compute the rank table of G: for each non-zero mask M, compute r = rank(G|M) and store M in entry r of the rank table of G
       • Compute the rank table of F: for each non-zero mask M', compute r' = rank(F|M') and store M' in entry r' of the rank table of F
     Rank table of G:
       rank   masks
       0      (empty)
       1      0101, 0110, 1010, 1110
       2      1000
       3      0010, 0011, 0100, 0111, 1001, 1011, 1100, 1101, 1111

  13. Rank Table (simplified)
     • Rank table of G: for each 0 ≤ r ≤ n, entry r contains all M such that rank(G|M) = r
     • If M → M' then rank(G|M) = rank(F|M')
     • For each rank 0 ≤ r ≤ n, the number of masks in entry r of the tables of affine equivalent F, G must be equal
     • If entry r in the rank table of G contains a single mask M, then entry r in the rank table of F contains a single mask M'
       • Moreover, M → M' must hold (giving linear equations on A1)

  14. Rank Table (simplified)
     Rank table of G:
       rank   masks
       0      (empty)
       1      0101, 0110, 1010, 1110
       2      1000
       3      0010, 0011, 0100, 0111, 1001, 1011, 1100, 1101, 1111
     Rank table of F:
       rank   masks
       0      (empty)
       1      1010, 0011, 0100, 1000
       2      0111
       3      0010, 1001, 1011, 1100, 1101, 1111, 0101, 0110, 1110
     • 1000 → 0111 must hold

  15. Matchings
     • Problem: for large n, each non-empty entry r in the rank table of G (and F) is likely to contain many masks
       • Cannot directly obtain unique matches M → M'
     • Main observation: matching is additive:
       • If M1 → M1' and M2 → M2', then M1 ⊕ M2 → M1' ⊕ M2'
     • A very strong property that (usually) allows A1 to be recovered using additional structures

  16. Efficiently Computing the Rank Table
     • Computing the rank table: for each of the 2^(n+1) subspaces (masks M), need to compute rank(G|M)
       • There are 2^(n+1) subspaces of dimension n-1 (masks M)
       • Each subspace contains 2^(n-1) vectors
     • Problem: naïve computation has complexity 2^(n+1) · 2^(n-1) = 2^(2n)
     • Main idea: use symbolic computation
       • Interpolate the n output-bit polynomials of G and keep only monomials of degree ≥ n-2 (complexity: ≈ 2^n)
       • For each of the 2^(n+1) masks M:
         • Substitute equation M (e.g., x1 = 0) into the symbolic representation of all n polynomials to compute G|M symbolically
         • Perform Gaussian elimination on the n polynomials (vectors) to compute rank(G|M) (complexity: ≈ n^3 per mask)
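The following Python is an added worked example covering slides 8 through 16; it is not code from the talk or from Dinur's paper. It interpolates the ANF of the slides' example G, substitutes each mask equation symbolically, truncates to monomials of degree ≥ n-2 and computes the GF(2) rank by Gaussian elimination (slide 16), so rank(G|1000) = 2 as on slide 11. It then constructs a random affine equivalent F with G = A2 ∘ F ∘ A1 and checks the basic property rank(G|M) = rank(F|M') (slide 10), the equal per-rank counts (slide 13) and the additivity of matching (slide 15). The bit ordering, the mask encoding, the helper names and the random seed are all assumptions of this example; the rank table on slides 12 and 14 is labelled "simplified" there, so the counts below come from the code rather than from that table.

```python
"""Rank tables for AEP on the slides' n = 3 example G (added illustration, not
Dinur's code).  Assumed conventions: a point x in {0,1}^n is an int whose bit i
is variable x_{i+1}; a monomial is an int whose set bits are its variables; a
polynomial over GF(2) is a set of monomials; a mask M = (a, c) is the hyperplane
{x : a.x = c}, i.e. the slides' equation a_1 x_1 + ... + a_n x_n + c = 0."""
import random


def G_example(x):
    """The slides' G on {0,1}^3, evaluated from its three output-bit ANFs."""
    x1, x2, x3 = x & 1, (x >> 1) & 1, (x >> 2) & 1
    g1 = (x1 & x2) ^ (x1 & x3) ^ x2 ^ 1
    g2 = (x1 & x2) ^ x1 ^ x2
    g3 = (x1 & x3) ^ x3
    return g1 | (g2 << 1) | (g3 << 2)


def anf(table, n):
    """Interpolate the n output bits of a truth table (Moebius transform)."""
    polys = []
    for bit in range(n):
        coeff = [(v >> bit) & 1 for v in table]
        for i in range(n):
            for u in range(1 << n):
                if u & (1 << i):
                    coeff[u] ^= coeff[u ^ (1 << i)]
        polys.append({u for u in range(1 << n) if coeff[u]})
    return polys


def restrict(poly, mask, n):
    """G|M: eliminate the lowest variable of a.x = c, leaving n-1 variables."""
    a, c = mask
    p = (a & -a).bit_length() - 1
    repl = [1 << j for j in range(n) if j != p and (a >> j) & 1] + [0] * c
    out = set()
    for u in poly:                          # x_p = c + sum of the other x_j in M
        for t in (repl if u & (1 << p) else [0]):
            out ^= {(u & ~(1 << p)) | t}    # set XOR: x_j^2 = x_j and 1 + 1 = 0
    return out


def gf2_rank(vecs):
    """Rank over GF(2) of int bit-vectors (Gaussian elimination, xor basis)."""
    basis = []
    for v in vecs:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)


def truncated_rank(polys, n):
    """Keep monomials of degree >= n-2, then rank the n polynomials as vectors."""
    return gf2_rank([sum(1 << u for u in p if bin(u).count("1") >= n - 2)
                     for p in polys])


def valid_masks(n):
    """The 2^(n+1) - 2 masks; a = 0 gives 0 = 0 or 1 = 0, not a hyperplane."""
    return [(a, c) for a in range(1, 1 << n) for c in (0, 1)]


def mask_from_str(s):
    """Parse the slides' notation a_1 ... a_n c, e.g. "1000" is x_1 = 0."""
    bits = [int(ch) for ch in s]
    return (sum(b << i for i, b in enumerate(bits[:-1])), bits[-1])


def mask_ranks(table, n):
    """rank(G|M) for every valid mask, from one symbolic interpolation of G."""
    polys = anf(table, n)
    return {m: truncated_rank([restrict(p, m, n) for p in polys], n)
            for m in valid_masks(n)}


def random_affine(n, rng):
    """A random invertible affine map x -> Lx + b, returned as a lookup list."""
    while True:
        rows = [rng.randrange(1, 1 << n) for _ in range(n)]
        if gf2_rank(rows) == n:
            break
    b = rng.randrange(1 << n)
    return [sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows)) ^ b
            for x in range(1 << n)]


def transfer(mask, A1, n):
    """M -> M': the mask of A1(S), where S is the hyperplane of M."""
    hp = lambda m: frozenset(x for x in range(1 << n) if bin(m[0] & x).count("1") & 1 == m[1])
    image = frozenset(A1[x] for x in hp(mask))
    return next(m for m in valid_masks(n) if hp(m) == image)


def demo(n=3, seed=2018):
    """Build F affine-equivalent to G (constructed with a fixed seed) and check the slides' claims."""
    rng = random.Random(seed)
    G = [G_example(x) for x in range(1 << n)]
    A1, A2 = random_affine(n, rng), random_affine(n, rng)
    inv = lambda perm: [perm.index(y) for y in range(1 << n)]
    A1inv, A2inv = inv(A1), inv(A2)
    F = [A2inv[G[A1inv[y]]] for y in range(1 << n)]   # so that G = A2 o F o A1
    rG, rF = mask_ranks(G, n), mask_ranks(F, n)
    cG, cF = [[list(t.values()).count(r) for r in range(n + 1)] for t in (rG, rF)]
    tr = {m: transfer(m, A1, n) for m in valid_masks(n)}
    return {
        "rank_G_1000": rG[mask_from_str("1000")],       # slide 11 says 2
        "rank_counts_G": cG, "rank_counts_F": cF, "counts_match": cG == cF,
        "ranks_match": all(rG[m] == rF[tr[m]] for m in valid_masks(n)),
        "additive": all(tr[(m1[0] ^ m2[0], m1[1] ^ m2[1])]
                        == (tr[m1][0] ^ tr[m2][0], tr[m1][1] ^ tr[m2][1])
                        for m1 in tr for m2 in tr if m1[0] != m2[0]),
    }
```

Calling demo() returns the per-rank mask counts of G and F together with the three checks, all of which hold for every seed. Truncation is applied after the substitution here, as on slides 9 to 11; since substituting a linear expression never raises a monomial's degree, dropping the low-degree monomials before substituting, as slide 16 does, yields the same truncated rank while shrinking the symbolic representation.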

  17. Additional Algorithmic Applications
     • Improves some decomposition attacks on the ASASA construction
     • An efficient way to experimentally look for high-order differential distinguishers

  18. Conclusions and Open Problems
     • Improved the complexity of the best known algorithm for AEP from ≈ 2^(3n/2) to ≈ 2^n
       • Experimentally verified up to n = 28
       • Works for almost all functions and permutations
     • Based on a new algebraic algorithm which has additional applications
     • Open problems:
       • Improve the complexity of the algorithm
       • Devise an algorithm that works for all functions/permutations (e.g., low-degree permutations)
       • Find additional applications

  19. Thanks for your attention!
