Correlation Cube Attacks: From Weak-Key Distinguisher to Key - PowerPoint PPT Presentation

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25

Algebraic Degree and Security of Cryptosystems ◮ Tweakable Boolean functions - Most cryptographic primitives can be described by tweakable Boolean functions - contain both secret variables ( e.g. , key bits) and public variables ( e.g. , plaintext bits, IV bits) ◮ a cryptographic primitive with low algebraic degree is vulnerable to many known attacks - higher order differential attacks - algebraic attacks - cube attacks - integral attacks 2/25

Cube Attacks and Cube Testers ◮ Given a Boolean function f and a term t I = x i 1 x i 2 · · · x i d , I = { i 1 , i 2 , · · · , i d } , the function can be written as f ( x 1 , x 2 , · · · , x n ) = f S · t I ⊕ q ( x 1 , x 2 , · · · , x n ) - q is the sum of terms that miss at least one variable from I - f S is called the superpoly of I in f ◮ The basic idea of cube attacks and cube testers � f S = f ( x 1 , x 2 , · · · , x n ) ( x i 1 , x i 2 , ··· , x id ) ∈ F d 2 3/25

Cube Attacks and Cube Testers ◮ Given a Boolean function f and a term t I = x i 1 x i 2 · · · x i d , I = { i 1 , i 2 , · · · , i d } , the function can be written as f ( x 1 , x 2 , · · · , x n ) = f S · t I ⊕ q ( x 1 , x 2 , · · · , x n ) ◮ The basic idea of cube attacks and cube testers � f S = f ( x 1 , x 2 , · · · , x n ) ( x i 1 , x i 2 , ··· , x id ) ∈ F d 2 Example. f ( x ) = x 3 · x 1 x 2 + x 1 + x 2 + x 3 . ( x 1 , x 2 ) f ( x 1 , x 2 , · ) (0 , 0) x 3 (0 , 1) x 3 + 1 (1 , 0) x 3 + 1 (1 , 1) 0 � x 3 4/25

Cube Attacks ◮ Cube attacks [DS09] - superpoly f is a low-degree polynomial in key bits ◮ Cube testers [ADMS09] - distinguish superpoly f from a random function ◮ Dynamic cube attacks [DS11,DGP+11] - when a set of conditions involving both the key bits and the dynamic variables are satisfied, the intermediate polynomials can be simplified, and cube testers are used to extract the nonrandomness of superpoly f ◮ Conditional cube attacks [HWX+17] - introduce conditional cube variables and impose conditions to restrain the propagation of conditional cube variables 5/25

The idea of assigning (dynamic) constraints to public variables and using them to recover key bits was earlier appeared in conditional differential attacks [KMN10]. The conditions can be classified into three types: ◮ Type 0 conditions only involve public bits; ◮ Type 1 conditions involve both public bits and secret bits; ◮ Type 2 conditions only involve secret bits. Type 1 Type 2 conditional differential attacks dynamic cube attacks conditional cube attacks 6/25

The idea of assigning (dynamic) constraints to public variables and using them to recover key bits was earlier appeared in conditional differential attacks [KMN10]. The conditions can be classified into three types: ◮ Type 0 conditions only involve public bits; ◮ Type 1 conditions involve both public bits and secret bits; ◮ Type 2 conditions only involve secret bits. Type 1 Type 2 conditional differential attacks dynamic cube attacks conditional cube attacks correlation cube attacks (this talk) 6/25

� � Cube Attacks Correlation Cube Attacks Correlation Attacks 7/25

Correlation Cube Attacks ◮ The general idea ◮ find a low-degree decomposition of superpoly f ◮ evaluate the correlation relations between the low-degree basis and the superpoly ◮ recover the key by solving systems of probabilistic equations ◮ low-degree decomposition: ◮ Given a Boolean function f , we call f = � u i =1 g i · f i a decomposition of f , and G = { g 1 , g 2 , · · · , g u } a basis of f . ◮ Fact: g = � u i =1 ( g i + 1) is an annihilator of f , i.e. , g · f = 0. ◮ correlation relation: the conditional probability Pr( g i = 0 | f ( key , · ) ≡ 0) and Pr( g i = 1 | f ( key , · ) �≡ 0) for a random key 8/25

� � � � superpoly f f = � u i =1 g i · f i Pr( g i = 0 | f ( key , · ) ≡ 0) Pr( g i = 1 | f ( key , · ) �≡ 0) � u i =1 ( g i + 1) = 0 9/25

The Preprocessing Phase Algorithm 1 Correlation Cube Attacks (Preprocessing Phase) 1: Generate a cube set C ; 2: For each cube c in C do: Q c ← Decomposition ( c ); 3: /* try to find a basis of the superpoly f c of c in the output bits of the cipher */ Estimate the conditional probability Pr( g = b | f c ) for each 4: function g in the basis Q c of the superpoly f c , and select ( c , g , b ) that satisfies Pr( g = b | f c ) > p . 10/25

Example Given a Boolean polynomial f on five public variables v = ( v 1 , v 2 , v 3 , v 4 , v 5 ) and five secret variables x = ( x 1 , x 2 , x 3 , x 4 , x 5 ), f ( v , x ) = f 7 ( v 5 , x ) v 1 v 2 v 3 v 4 + f 6 ( v 5 , x ) v 1 v 2 v 4 + f 5 ( v 5 , x ) v 2 v 3 v 4 + f 4 ( v 5 , x ) v 1 v 4 + f 3 ( v 5 , x ) v 2 v 4 + f 2 ( v 5 , x ) v 3 + f 1 ( v 5 , x ) v 4 + f 0 ( v 5 , x ) f 7 ( v 5 , x ) = h 1 ( v 5 , x 2 , x 3 , x 4 , x 5 ) x 1 + h 2 ( v 5 , x 1 , x 2 , x 3 , x 4 ) x 5 where h 1 , h 2 and f i (0 ≤ i ≤ 6) are arbitrary Boolean functions. We can build a weak-key cube tester for the polynomial f , by using the cube { v 1 , v 2 , v 3 , v 4 } under the conditions x 1 = x 5 = 0, while it seems to be immune to cube or dynamic cube attacks. 11/25

Example To convert from a weak-key cube tester to a key recovery , we test the correlation properties between the superpoly f 7 and its basis { x 1 , x 5 } . We observe the values of f 7 ( v 5 , x ) for v 5 = 0 , 1, and estimate the conditional probability Pr( x i = 0 | f 7 (0 , x ) = f 7 (1 , x ) = 0) and Pr( x i = 1 | f 7 (0 , x ) � = 0 or f 7 (1 , x ) � = 0) for i = 1 , 5. Noting that ( x 1 + 1)( x 5 + 1) f 7 = 0, we also have ( x 1 + 1)( x 5 + 1) = 0 if f 7 (0 , x ) � = 0 or f 7 (1 , x ) � = 0 . This allows us to derive information regarding the secret key. 12/25

How to find a basis of the superpoly f c for a given cube c ? 13/25

The Procedure Decomposition Algorithm 6 Decomposition ( c ) Require: a cube c of size n 1: Set Q to the empty set and X to the variable set { v i | i ∈ c } ; / ∗ find a basis Q ∗ / 14/25

The Procedure Decomposition Algorithm 6 Decomposition ( c ) Require: a cube c of size n 1: Set Q to the empty set and X to the variable set { v i | i ∈ c } ; / ∗ find a basis Q ∗ / 2: For t from 0 to N 0 do: Compute the ANF of s t and set d t = deg( s t , X ); 3: Q t ← { the coefficients of all the terms with degree d t of s t } ; 4: If d t ≥ 1 and 1 �∈ Q t , then set Q = Q ∪ Q t and d t = 5: deg( s ′ t , X ), where s ′ t is the function formed by removing all the terms with degree d t from s t ; 14/25

The Procedure Decomposition Algorithm 6 Decomposition ( c ) Require: a cube c of size n 1: Set Q to the empty set and X to the variable set { v i | i ∈ c } ; / ∗ find a basis Q ∗ / 2: For t from 0 to N 0 do: Compute the ANF of s t and set d t = deg( s t , X ); 3: Q t ← { the coefficients of all the terms with degree d t of s t } ; 4: If d t ≥ 1 and 1 �∈ Q t , then set Q = Q ∪ Q t and d t = 5: deg( s ′ t , X ), where s ′ t is the function formed by removing all the terms with degree d t from s t ; 6: Given { d t } and under the conditions that g = 0 for each g ∈ Q , find an upper bound d ( Q ) on the degree of the output bit; 14/25

The Procedure Decomposition Algorithm 6 Decomposition ( c ) Require: a cube c of size n 1: Set Q to the empty set and X to the variable set { v i | i ∈ c } ; / ∗ find a basis Q ∗ / 2: For t from 0 to N 0 do: Compute the ANF of s t and set d t = deg( s t , X ); 3: Q t ← { the coefficients of all the terms with degree d t of s t } ; 4: If d t ≥ 1 and 1 �∈ Q t , then set Q = Q ∪ Q t and d t = 5: deg( s ′ t , X ), where s ′ t is the function formed by removing all the terms with degree d t from s t ; 6: Given { d t } and under the conditions that g = 0 for each g ∈ Q , find an upper bound d ( Q ) on the degree of the output bit; 7: If d ( Q ) ≥ n , then Return ∅ ; 14/25

The Procedure Decomposition Algorithm 6 Decomposition ( c ) Require: a cube c of size n 1: Minimize N 0 such that d ( Q ) < n , and generate a new Q ; / ∗ minimize the basis Q ∗ / 2: For each g in Q do: Set Q ′ = Q \ { g } ; 3: For t ≤ N 0 , if zero( Q ′ ) ⊆ zero( Q t ) then set d t = 4: deg( s ′ t , X ), otherwise set d t = deg( s t , X ), where zero( Q ) is the solution set of { g = 0 | g ∈ Q } ; If d ( Q ′ ) < n , then set Q = Q ′ ; 5: 6: Return Q . 15/25

Algorithm 7 Correlation Cube Attacks (Online Phase) Require: a cube set C and Ω = { ( c , g , b ) | Pr( g = b | f c ) > p } 1: Set G 0 and G 1 to empty sets; 2: For each cube c in cube set C do: Request α 2 n keystream bits/ciphertexts corresponding to 3: the cube c of size n and α non-cube public inputs; Compute the α values of the superpoly f c over the cube c ; 4: If all the values of f c equal 0, then G 0 = G 0 ∪ { g = 5: 0 | ( c , g , 0) ∈ Ω } , otherwise G 1 = G 1 ∪ { g = 1 | ( c , g , 1) ∈ Ω } ; 6: Deal with the case { g | g = 0 ∈ G 0 and g = 1 ∈ G 1 } � = ∅ ; 7: Randomly choose r 0 equations from G 0 and r 1 equations from G 1 , solve these r 0 + r 1 equations and check whether the solutions are correct; 8: Repeat Step 7 if none of the solutions is correct. 16/25