Correlation Cube Attacks: From Weak-Key Distinguisher to Key - - PowerPoint PPT Presentation



SLIDE 1

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Meicheng Liu, Jingchun Yang, Wenhao Wang, Dongdai Lin
Eurocrypt 2018, May 2 2018, Tel Aviv, Israel

1/25

SLIDE 2

Algebraic Degree and Security of Cryptosystems

◮ Tweakable Boolean functions
  • Most cryptographic primitives can be described by tweakable Boolean functions
  • They contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits, IV bits)

◮ A cryptographic primitive with low algebraic degree is vulnerable to many known attacks
  • higher order differential attacks
  • algebraic attacks
  • cube attacks
  • integral attacks

2/25


SLIDE 4

Cube Attacks and Cube Testers

◮ Given a Boolean function f and a term $t_I = x_{i_1} x_{i_2} \cdots x_{i_d}$, $I = \{i_1, i_2, \cdots, i_d\}$, the function can be written as
$f(x_1, x_2, \cdots, x_n) = f_S \cdot t_I \oplus q(x_1, x_2, \cdots, x_n)$
  • q is the sum of terms that miss at least one variable from I
  • $f_S$ is called the superpoly of I in f

◮ The basic idea of cube attacks and cube testers
$f_S = \bigoplus_{(x_{i_1}, x_{i_2}, \cdots, x_{i_d}) \in \mathbb{F}_2^d} f(x_1, x_2, \cdots, x_n)$

  • Example. $f(x) = x_3 \cdot x_1 x_2 + x_1 + x_2 + x_3$.

    (x1, x2) | f(x1, x2, ·)
    (0, 0)   | x3
    (0, 1)   | x3 + 1
    (1, 0)   | x3 + 1
    (1, 1)   | 0
    ⊕        | x3

4/25

SLIDE 5

Cube Attacks

◮ Cube attacks [DS09]
  • the superpoly f is a low-degree polynomial in the key bits

◮ Cube testers [ADMS09]
  • distinguish the superpoly f from a random function

◮ Dynamic cube attacks [DS11,DGP+11]
  • when a set of conditions involving both the key bits and the dynamic variables is satisfied, the intermediate polynomials can be simplified, and cube testers are used to extract the nonrandomness of the superpoly f

◮ Conditional cube attacks [HWX+17]
  • introduce conditional cube variables and impose conditions to restrain the propagation of the conditional cube variables

5/25


SLIDE 7

The idea of assigning (dynamic) constraints to public variables and using them to recover key bits appeared earlier in conditional differential attacks [KMN10]. The conditions can be classified into three types:

◮ Type 0 conditions only involve public bits;
◮ Type 1 conditions involve both public bits and secret bits;
◮ Type 2 conditions only involve secret bits.

                                  | Type 1 | Type 2
  conditional differential attacks |        |
  dynamic cube attacks             |        |
  conditional cube attacks         |        |
  correlation cube attacks (this talk) |    |

6/25

SLIDE 8

[diagram] Cube Attacks + Correlation Attacks → Correlation Cube Attacks

7/25
SLIDE 9

Correlation Cube Attacks

◮ The general idea
  ◮ find a low-degree decomposition of the superpoly f
  ◮ evaluate the correlation relations between the low-degree basis and the superpoly
  ◮ recover the key by solving systems of probabilistic equations

◮ Low-degree decomposition:
  ◮ Given a Boolean function f, we call $f = \sum_{i=1}^{u} g_i \cdot f_i$ a decomposition of f, and $G = \{g_1, g_2, \cdots, g_u\}$ a basis of f.
  ◮ Fact: $g = \prod_{i=1}^{u} (g_i + 1)$ is an annihilator of f, i.e., $g \cdot f = 0$.
  ◮ Correlation relation: the conditional probabilities $\Pr(g_i = 0 \mid f(key, \cdot) \equiv 0)$ and $\Pr(g_i = 1 \mid f(key, \cdot) \equiv 0)$ for a random key

8/25

SLIDE 10

[diagram] superpoly f
  • decomposition: $f = \sum_{i=1}^{u} g_i \cdot f_i$
  • correlation relations: $\Pr(g_i = 0 \mid f(key, \cdot) \equiv 0)$ and $\Pr(g_i = 1 \mid f(key, \cdot) \equiv 0)$
  • annihilator: $\prod_{i=1}^{u} (g_i + 1) = 0$

9/25

SLIDE 11

The Preprocessing Phase

Algorithm 1 Correlation Cube Attacks (Preprocessing Phase)

1: Generate a cube set C;
2: For each cube c in C do:
3:   Qc ← Decomposition(c); /* try to find a basis of the superpoly fc of c in the output bits of the cipher */
4:   Estimate the conditional probability Pr(g = b | fc) for each function g in the basis Qc of the superpoly fc, and select the (c, g, b) that satisfy Pr(g = b | fc) > p.

10/25

SLIDE 12

Example

Given a Boolean polynomial f on five public variables $v = (v_1, v_2, v_3, v_4, v_5)$ and five secret variables $x = (x_1, x_2, x_3, x_4, x_5)$,

$f(v, x) = f_7(v_5, x) v_1 v_2 v_3 v_4 + f_6(v_5, x) v_1 v_2 v_4 + f_5(v_5, x) v_2 v_3 v_4 + f_4(v_5, x) v_1 v_4 + f_3(v_5, x) v_2 v_4 + f_2(v_5, x) v_3 + f_1(v_5, x) v_4 + f_0(v_5, x)$,

$f_7(v_5, x) = h_1(v_5, x_2, x_3, x_4, x_5) x_1 + h_2(v_5, x_1, x_2, x_3, x_4) x_5$,

where $h_1$, $h_2$ and $f_i$ ($0 \le i \le 6$) are arbitrary Boolean functions. We can build a weak-key cube tester for the polynomial f by using the cube $\{v_1, v_2, v_3, v_4\}$ under the conditions $x_1 = x_5 = 0$, while it seems to be immune to cube or dynamic cube attacks.

11/25

SLIDE 13

Example

To convert from a weak-key cube tester to a key recovery, we test the correlation properties between the superpoly $f_7$ and its basis $\{x_1, x_5\}$. We observe the values of $f_7(v_5, x)$ for $v_5 = 0, 1$, and estimate the conditional probabilities $\Pr(x_i = 0 \mid f_7(0, x) = f_7(1, x) = 0)$ and $\Pr(x_i = 1 \mid f_7(0, x) = 0 \text{ or } f_7(1, x) = 0)$ for $i = 1, 5$. Noting that $(x_1 + 1)(x_5 + 1) f_7 = 0$, we also have $(x_1 + 1)(x_5 + 1) = 0$ if $f_7(0, x) = 0$ or $f_7(1, x) = 0$. This allows us to derive information regarding the secret key.

12/25
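The toy polynomial of slides 12 and 13, worked through as an added example (not code from the talk or the paper): it instantiates f with random truth tables standing in for the "arbitrary" h1, h2 and f0..f6 (an assumption of this example), computes the cube sum over {v1, v2, v3, v4}, checks that the weak-key tester under x1 = x5 = 0 always reports zero, and estimates the correlation Pr(x_i = 0 | f7(0, x) = f7(1, x) = 0) over random keys.

```python
import random
from itertools import product

# Constructed toy instance of f(v, x) with public v = (v1..v5) and secret
# x = (x1..x5); h1, h2, f0..f6 are random truth tables (assumed, not from the talk).

def rand_table(n_inputs, rng):
    return {bits: rng.randrange(2) for bits in product((0, 1), repeat=n_inputs)}

def make_instance(seed=1):
    rng = random.Random(seed)
    h1 = rand_table(5, rng)                       # h1(v5, x2, x3, x4, x5)
    h2 = rand_table(5, rng)                       # h2(v5, x1, x2, x3, x4)
    low = [rand_table(6, rng) for _ in range(7)]  # f0..f6 on (v5, x1..x5)

    def f(v, x):
        v1, v2, v3, v4, v5 = v
        x1, x2, x3, x4, x5 = x
        f7 = (h1[(v5, x2, x3, x4, x5)] & x1) ^ (h2[(v5, x1, x2, x3, x4)] & x5)
        fi = [t[(v5,) + tuple(x)] for t in low]
        return ((f7 & v1 & v2 & v3 & v4) ^ (fi[6] & v1 & v2 & v4)
                ^ (fi[5] & v2 & v3 & v4) ^ (fi[4] & v1 & v4)
                ^ (fi[3] & v2 & v4) ^ (fi[2] & v3) ^ (fi[1] & v4) ^ fi[0])
    return f

def cube_sum(f, v5, x):
    # superpoly of the cube {v1, v2, v3, v4}: XOR of f over all 16 assignments;
    # every term missing a cube variable cancels, so this equals f7(v5, x)
    s = 0
    for c in product((0, 1), repeat=4):
        s ^= f(c + (v5,), x)
    return s

def weak_key_tester_holds(f):
    # weak-key cube tester: under x1 = x5 = 0 the cube sum is 0 for every
    # choice of the remaining key bits and both values of the non-cube bit v5
    return all(cube_sum(f, v5, (0, x2, x3, x4, 0)) == 0
               for x2, x3, x4 in product((0, 1), repeat=3) for v5 in (0, 1))

def estimate_prob_zero(f, i, trials=2000, seed=7):
    # estimate Pr(x_i = 0 | f7(0, x) = f7(1, x) = 0) over random keys,
    # i.e. the correlation between basis element x_i and the superpoly
    rng = random.Random(seed)
    zero_keys = hits = 0
    for _ in range(trials):
        x = tuple(rng.randrange(2) for _ in range(5))
        if cube_sum(f, 0, x) == 0 and cube_sum(f, 1, x) == 0:
            zero_keys += 1
            hits += x[i - 1] == 0
    return hits / zero_keys
```

Keys with x1 = x5 = 0 always land in the conditioned set, which is what pushes Pr(x_i = 0 | ...) above the unconditional 1/2 and makes the probabilistic equations x1 = 0, x5 = 0 usable for key recovery.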

SLIDE 14

How to find a basis of the superpoly fc for a given cube c?

13/25


SLIDE 18

The Procedure Decomposition

Algorithm 6 Decomposition(c)
Require: a cube c of size n

1: Set Q to the empty set and X to the variable set {vi | i ∈ c}; /* find a basis Q */
2: For t from 0 to N0 do:
3:   Compute the ANF of st and set dt = deg(st, X);
4:   Qt ← {the coefficients of all the terms with degree dt of st};
5:   If dt ≥ 1 and 1 ∉ Qt, then set Q = Q ∪ Qt and dt = deg(s′t, X), where s′t is the function formed by removing all the terms with degree dt from st;
6: Given {dt} and under the conditions that g = 0 for each g ∈ Q, find an upper bound d(Q) on the degree of the output bit;
7: If d(Q) ≥ n, then Return ∅;

14/25

SLIDE 19

The Procedure Decomposition

Algorithm 6 Decomposition(c) (continued)
Require: a cube c of size n

1: Minimize N0 such that d(Q) < n, and generate a new Q; /* minimize the basis Q */
2: For each g in Q do:
3:   Set Q′ = Q \ {g};
4:   For t ≤ N0, if zero(Q′) ⊆ zero(Qt) then set dt = deg(s′t, X), otherwise set dt = deg(st, X), where zero(Q) is the solution set of {g = 0 | g ∈ Q};
5:   If d(Q′) < n, then set Q = Q′;
6: Return Q.

15/25

SLIDE 20

Algorithm 7 Correlation Cube Attacks (Online Phase)
Require: a cube set C and Ω = {(c, g, b) | Pr(g = b | fc) > p}

1: Set G0 and G1 to empty sets;
2: For each cube c in cube set C do:
3:   Request α · 2^n keystream bits/ciphertexts corresponding to the cube c of size n and α non-cube public inputs;
4:   Compute the α values of the superpoly fc over the cube c;
5:   If all the values of fc equal 0, then G0 = G0 ∪ {g = 0 | (c, g, 0) ∈ Ω}, otherwise G1 = G1 ∪ {g = 1 | (c, g, 1) ∈ Ω};
6: Deal with the case {g | g = 0 ∈ G0 and g = 1 ∈ G1} ≠ ∅;
7: Randomly choose r0 equations from G0 and r1 equations from G1, solve these r0 + r1 equations and check whether the solutions are correct;
8: Repeat Step 7 if none of the solutions is correct.

16/25

SLIDE 21

Applications to Trivium Stream Cipher

◮ Generating a Candidate Set of Favorite Cubes
  • Earlier, an exhaustive search was done on the cubes of size 37 ≤ n ≤ 40 that contain no adjacent indexes, using the tool of numeric mapping [Liu17].
  • Similarly, we exhaustively search the cubes of size 36 ≤ n ≤ 40 that contain no adjacent indexes, and pick out the cubes whose superpolys after 815 rounds are zero constants.
  • We find 37595 and 3902 cubes of sizes 36 and 37, respectively, that satisfy the requirement.
  • This step is done in a few hours on a desktop computer.

17/25

SLIDE 22

Applications to Trivium Stream Cipher

◮ Finding the Basis and Free Non-Cube IV Bits
  • Apply the procedure Decomposition to each cube c from the candidate set, and find a set of free non-cube IV bits.
  • This yields 1085 and 99 cubes of sizes 36 and 37 such that a basis of the superpoly after 833 rounds can be found.
  • The maximum number of rounds after which we can still find a basis is 841.
  • Done in several hours on a desktop computer.

18/25

SLIDE 23

Applications to Trivium Stream Cipher

◮ Computing the Probability
  • Computing the value of the superpoly fc over a big cube is time consuming. We test 13 cubes of size 37 and 28 cubes of size 36, each of which has a different basis with fewer than 8 elements after 835 rounds.
  • In each test, we compute the values of the superpoly fc for 128 random keys with at most α = 8 non-cube IVs, and evaluate the conditional probabilities Pr(g = 0 | fc(key, ·) ≡ 0) and Pr(g = 1 | fc(key, ·) ≡ 0) for a random fixed key.
  • Our experiment shows that all the computations need about 6 · 128 · (13 · 2^37 + 28 · 2^36) ≈ 2^51 cipher operations.

19/25

SLIDE 24

Complexity and Success Probability of the Attack

Table 1: Success Probability of the Attack

805 rounds:
  #key bits    | 7.2 | 6.9 | 6.5 | 6.1 | 5.7
  success rate | 31% | 60% | 77% | 86% | 93%

835 rounds:
  #key bits    | 5.0 | 4.6 | 4.2 | 3.8 | 3.4
  success rate | 44% | 72% | 83% | 95% | 98%

Preprocessing time: 2^51, Data: 2^44, Time: 2^44

⋆ It is a practical partial key recovery attack.

20/25


SLIDE 28

Improvements of the Attack

◮ make use of more cubes
◮ test more random keys
◮ increase the number of different IVs

⋆ the crux: computing resources

21/25

SLIDE 29

Comparisons of the Previous Key Recovery Attacks

Table 2: Key Recovery Attacks on Round-Reduced Trivium

  #Rounds | Preproc. | Data   | Time   | Ref.
  576     | –        | 2^12   | 2^33   | [Vielhaber07]
  672     | –        | 2^15   | 2^55   | [Fischer08]
  735     | –        | 2^29   | 2^30   | [DinurS09]
  767     | –        | 2^34   | 2^36   | [DinurS09]
  784     | –        | 2^39   | 2^38   | [FouqueV13]
  799     | –        | 2^40   | 2^62   | [FouqueV13]
  805     | 2^47     | 2^37   | 2^77   | this talk
  805     | 2^51     | 2^44   | 2^73   | this talk
  832     | 2^77     | 2^72   | N.A.   | [TodoIHM17]
  835     | 2^51     | 2^44   | 2^75   | this talk
  full    | –        | 2^61.5 | 2^99.5 | [MaximovB07]
  full    | –        |        | 2^80   | Brute Force

22/25

SLIDE 30

Applications to TriviA-SC and Kreyvium

◮ We find some cubes whose superpolys after 1047 and 852 rounds have a low-degree basis with a few elements for TriviA-SC and Kreyvium, respectively.
◮ The cubes for TriviA-SC have size larger than 60, and for Kreyvium the size is at least 54.
◮ Computing the conditional probability Pr(g | fc) for such large cubes is infeasible for us.

⋆ We believe there is a high chance that the attack is valid, since the structures of these ciphers are similar to that of Trivium.

23/25

SLIDE 31

Summary

◮ Correlation Cube Attacks
  ◮ a new model of cube attacks
    • a hybrid of correlation attacks and cube attacks
    • can convert a weak-key distinguisher to a key recovery attack
  ◮ applied it to the Trivium stream cipher, and obtained a practical partial key recovery attack on 835-round Trivium

24/25

SLIDE 32

Thank you! Any Questions?

25/25