Cryptanalysis of the Advanced Encryption Standard Vincent Rijmen - - PowerPoint PPT Presentation



SLIDE 1

Cryptanalysis of the Advanced Encryption Standard

Vincent Rijmen

Albena 2013

SLIDE 2

Content

  • AES
  • Bounding the EDP of differentials over 2, 4 rounds of AES
  • AES and the hypothesis of stochastic equivalence
SLIDE 3

The Advanced Encryption Standard

[Figure: iterated cipher structure: a Key Schedule alongside a sequence of rounds; each round consists of a layer of S-boxes (S) and a Mixing transformation]

SLIDE 4

AES round transformation

  • 10/12/14 iterations
  • Composed of 4 steps, each with its own purpose:
    – SubBytes: non-linearity
    – ShiftRows: inter-column diffusion
    – MixColumns: inter-byte diffusion within columns
    – AddRoundKey

SLIDE 5

Message input representation

a0,0 a0,1 a0,2 a0,3 a0,4 a0,5 a0,6 a0,7
a1,0 a1,1 a1,2 a1,3 a1,4 a1,5 a1,6 a1,7
a2,0 a2,1 a2,2 a2,3 a2,4 a2,5 a2,6 a2,7
a3,0 a3,1 a3,2 a3,3 a3,4 a3,5 a3,6 a3,7

  • Rectangular array of bytes:
    – 4 rows
    – AES: 4 columns
    – Rijndael: 4, 6, or 8 columns (128-, 192-, 256-bit plaintext block)
SLIDE 6

Key input representation

  • Rectangular array of bytes:
    – 4 rows
    – 4, 6, or 8 columns (128-, 192-, 256-bit key)

k0,0 k0,1 k0,2 k0,3 k0,4 k0,5 k0,6 k0,7
k1,0 k1,1 k1,2 k1,3 k1,4 k1,5 k1,6 k1,7
k2,0 k2,1 k2,2 k2,3 k2,4 k2,5 k2,6 k2,7
k3,0 k3,1 k3,2 k3,3 k3,4 k3,5 k3,6 k3,7

SLIDE 7

Round step 1: SubBytes

  • Bytes are transformed by invertible S-box.
  • One S-box (lookup table) for complete cipher (simplicity)

[Figure: each byte ai,j of the 4 × 4 state array a is mapped through the S-box to byte bi,j of the state array b]

SLIDE 8

The Rijndael S-box

S[x] = P(x^{-1})

  • x^{-1}: good cryptographic properties
    – Optimally resistant against linear and differential cryptanalysis
    – Output functions with maximal nonlinear degree (7)
  • P(x): affine transformation to remove regularity
SLIDE 9

Round step 3: MixColumns

  • Columns transformed by matrix over GF(2^8)
  • High intra-column diffusion:
    – based on theory of error-correcting (MDS) codes

[Figure: each column (a0,j, a1,j, a2,j, a3,j) of the state array a is mapped to column (b0,j, b1,j, b2,j, b3,j) of the state array b]

SLIDE 10

Round step 2: ShiftRows

  • Rows are shifted over 4 different offsets
  • High diffusion over multiple rounds:
    – Interaction with MixColumns
    – Bits flip in minimum 25 active S-boxes per 4 rounds

m n o p        m n o p
g h i j   →    h i j g
w x y z        y z w x
b c d e        e b c d

SLIDE 11

Key schedule

  • 1 + 10/12/14 round keys

k0,0 k0,1 k0,2 k0,3 k0,4 k0,5 k0,6 k0,7 ...
k1,0 k1,1 k1,2 k1,3 k1,4 k1,5 k1,6 k1,7 ...
k2,0 k2,1 k2,2 k2,3 k2,4 k2,5 k2,6 k2,7 ...
k3,0 k3,1 k3,2 k3,3 k3,4 k3,5 k3,6 k3,7 ...

round key table (virtual)

SLIDE 12

Key schedule for 128-bit keys

[Figure: round key table columns 0 to 7 (k0,0 … k3,7) linked by additions (+); the column (k1,3, k2,3, k3,3, k0,3) goes through Substitution and an addition (+) with the round constant RC]

SLIDE 13

Key schedule for 192-bit keys

[Figure: round key table columns 0 to 11 (k0,0 … k3,11) linked by additions (+); the column (k1,5, k2,5, k3,5, k0,5) goes through Substitution and an addition (+) with the round constant RC]

SLIDE 14

Key schedule for 256-bit keys

[Figure: round key table columns 0 to 15 (k0,0 … k3,15) linked by additions (+); the column (k1,7, k2,7, k3,7, k0,7) goes through Substitution and an addition (+) with the round constant RC; a second Substitution appears further along the table]

SLIDE 15

Alternative representations

[Figure: two rounds, each drawn as four groups of four S-boxes (S S S S) followed by MixColumns (MC), with a key addition (+) on each of the 16 bytes]

SLIDE 16

Super Box differentials

  • Differentials (a, e)
    – with EDP(a, e)
  • Characteristics Q = (a, b, c, d, e)
    – with EDP(Q)
  • EDP(a, e) = ∑_Q EDP(Q)
  • given a and e, only b free
  • EDP of Q is product of DP of S-boxes:
    – EDP(a, b, d, e) = ∏_i DP_S(a_i, b_i) ∏_j DP_S(d_j, e_j)

[Figure: Super box: a → S S S S → b → MixColumns → c = MC × b → key addition (+) → d = c → S S S S → e]

SLIDE 17

Branch number

  • DP_S(0, 0) = 1
  • Avoid existence of trails with many zeroes
  • Branch number B:

[Figure: mixing transformation L with input X and output Y]

SLIDE 18

Branch number and codes

  • Code C:
  • Branch number of L = minimum distance of C

[Figure: mixing transformation L with input X and output Y; labels X and L(X)]

SLIDE 19

Bound on EDP [Park+ ‘03]

When all S-boxes are the same:

SLIDE 20

Example

[Figure: S S S S → L → key addition (+) → S-boxes, with differences a_0, b_0, d_0, d_1, d_4 and e_0, e_1, e_4 marked]

  • Sum runs over all entries in a row or column
  • Sum is largest if you combine largest with the largest, …

SLIDE 21

[Hong+ ’00]

Hence:

SLIDE 22

The AES S-box

  • Composed of:
    – x^{-1} in GF(2^8)
    – L: affine mapping
      • matrix in GF(2)
      • linearised polynomial
  • Differential properties:
    – those of x^{-1}
    – L: deterministic
      • c = L^{-1} b; b = L c

[Figure: blocks x^{-1}, L^{-1} and S, with an equals sign and the differences a, c, b]

SLIDE 23

Differential properties of x^{-1}

x^{-1} + (x + a)^{-1} = b

  • If x ≠ a, x ≠ 0:
    (x + a) + x = b(x + a)x
    (x/a)^2 + x/a + 1/(ab) = 0
  • 2 solutions iff Trace(1/(ab)) = 0
  • x = a is solution of x^{254} + (x + a)^{254} = b
    – only if b = a^{-1}
    – Solutions are: 0, a, va, v^2 a with v^2 + v + 1 = 0

SLIDE 24

DP over AES S-box

  • DP(a, b):
    – 2^{-6} if ab = 1,
    – 2^{-7} if Tr(a^{-1} b^{-1}) = 0
    – 0 if Tr(a^{-1} b^{-1}) = 1
  • For fixed a:
    – 1 b with DP(a, b) = 2^{-6}
    – 126 b's with DP(a, b) = 2^{-7}
  • Same for fixed b
SLIDE 25

AES Super box EDP bounds

  • MixColumns has branch number 5
  • Hong et al. bound:
  • Park et al. bound:
  • Keliher-Sui '07: the best differentials have 13.25 × 2^{-32}
SLIDE 26

Differential properties of x^{-1}

  • Trace function Tr(x)
    – Maps extension field GF(2^8) to ground field GF(2)
    – Linear mapping:
      • Tr(x + y) = Tr(x) + Tr(y)
      • Tr(ax) = 0: solutions x for given a define a vector space over GF(2)
  • Given a, values of b^{-1} for which DP(a, b) > 0 form a vector space of dimension 7
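
The DP values on the "DP over AES S-box" slide and the trace condition above can be checked exhaustively. The Python below is an added example, not part of the original slides; the function names are chosen here, c denotes the output difference of x^{-1}, and b = lin(c) is the S-box output difference (the relation b = L c from the slides).

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(a):
    """x^254, which equals x^-1 for x != 0 and maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def trace(x):
    """Tr(x) = x + x^2 + x^4 + ... + x^128, an element of GF(2)."""
    t = 0
    for _ in range(8):
        t ^= x
        x = gmul(x, x)
    return t

def lin(c):
    """Linear part of the S-box affine map; the constant 0x63 cancels in differences."""
    rot = lambda n: ((c << n) | (c >> (8 - n))) & 0xFF
    return c ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4)

INV = [ginv(x) for x in range(256)]
SBOX = [lin(INV[x]) ^ 0x63 for x in range(256)]

def ddt_row(a):
    """row[b] = number of x with S[x] ^ S[x ^ a] == b, so DP(a, b) = row[b] / 256."""
    row = [0] * 256
    for x in range(256):
        row[SBOX[x] ^ SBOX[x ^ a]] += 1
    return row

def check_input_difference(a):
    """Return (histogram of row entries, trace condition matches?, entry at c = a^-1)."""
    row = ddt_row(a)
    # Output differences predicted by Tr(1/(ac)) = 0, pushed through the linear map
    predicted = {lin(c) for c in range(1, 256) if trace(INV[gmul(a, c)]) == 0}
    measured = {b for b in range(256) if row[b]}
    histogram = {v: row.count(v) for v in set(row)}
    return histogram, predicted == measured, row[lin(INV[a])]

if __name__ == "__main__":
    print({hex(a): check_input_difference(a) for a in (0x01, 0x53, 0xFF)})
```

An entry of 4 corresponds to DP 2^{-6} and an entry of 2 to DP 2^{-7}; the 127 reachable output differences are the image under the linear map of a 7-dimensional space minus zero.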

SLIDE 27

Example differential

[Figure: Super box: a_0 → S S S S → b_0 → MixColumns → key addition (+) → d_0, d_1, d_2, d_3 → S S S S → e_0, e_1, e_2, e_3]

  • Characteristics (a, b, d, e)
  • Properties:
    – 255 possible values for b_0
    – d = (2b_0, b_0, b_0, 3b_0)
    – d_i = u^d_i b_0 (fixed ratio)
  • Conditions for b_0 and d_i to define a characteristic with DP > 0
    – Tr(a_0^{-1} L(b_0)^{-1}) = 0
    – Tr(d_i^{-1} L(e_i)^{-1}) = 0

SLIDE 28

Example differential

[Figure: Super box: a_0 → S S S S → b_0 → MixColumns → key addition (+) → d_0, d_1, d_2, d_3 → S S S S → e_0, e_1, e_2, e_3]

  • Conditions on d_i define a vector space on b_0^{-1}
    – dimension is 8 minus dimension of vector space generated by {u^d_i L(e_i^{-1})}_i
    – minimum 4, maximum 7
    – straight conditions
  • Condition on b_0 doesn't
    – due to presence of L
    – blurred condition
    – can be approached statistically:
      • number of trails has hypergeometric distribution

SLIDE 29

Differentials with 5 active S-boxes

  • Given characteristic, nonzero b_i and d_j values have fixed ratios
  • 255 characteristics
  • Differential characterized by two parameters:
    – α: dimension of: {u^d_i L(e_i^{-1})}_i
    – β: number of different nonzero elements in: (a_0, u^b_0) (a_1, u^b_1) (a_2, u^b_2) (a_3, u^b_3)
  • Number of trails has hypergeometric distribution with mean and variance determined by α and β

SLIDE 30

AES Superboxes

  • Highest EDP values occur for
    – differentials with 5 active S-boxes
    – ... with small values for α and β
  • Presence of L in S-box has important impact on the distributions of Super box EDP values:
    – if absent: all conditions become straight
    – Max EDP would increase
      • from 13.25 × 2^{-32} (12 differentials)
      • to 19.75 × 2^{-32} (3825 differentials)

SLIDE 31

AES megabox

[Figure: AES megabox: two layers of four Super boxes, with four MixColumns (MC) and a 16-byte key addition (+) between them]

SLIDE 32

Megabox bounds

  • Hong et al.:
  • Park et al.: ???
    – We would need all the EDP-values over the Super boxes
    – Computation has been finished for differentials where all trails have exactly 25 active S-boxes and where the S-box is pure inversion:

SLIDE 33

Plateau characteristics

  • Illustration of the difference between EDP and DP[k]
  • DP is a stochastic variable, with EDP as expected value
  • Expected value doesn't fully characterize the distribution
  • Structure in the sets of right pairs
  • Case study for characteristics in AES (2 rounds)
SLIDE 34

Often assumed distribution of DP(Q)

Pr(DP(Q) = i) ≈ z(i – EDP(Q))

  • Narrow around EDP(Q)
  • Hypothesis of stochastic equivalence

[Figure: fraction of keys plotted against DP(Q), with EDP(Q) marked on the DP(Q) axis]
SLIDE 35

2-round mapping

  • B[k](x) = S(k + R(x))
  • Characteristic over B[k]: Q = (a, b, c)
    – Differential (a, b) over R, followed by
    – Differential (b, c) over S

[Figure: B[k]: a → R → b → key addition (+ k) → S → c]

SLIDE 36

Right pairs for a characteristic

  • Q = (a, b, c)
  • Right pairs Q = right pairs (a, b) ∩ right pairs (b, c)
  • If the conditions are independent, then DP(a, b, c) = DP(a, b) × DP(b, c)

[Figure: two overlapping sets labelled "right pairs (a, b)" and "right pairs (b, c)"]

SLIDE 37

Structure in the set of right pairs of (a, b)

If DP(a, b) = 2^{1-n}

  • Right pairs: {p, p+a} = p + {0, a} = p + span{a}

If DP(a, b) = 2^{2-n}

  • Right pairs: {p, p+a, q, q+a} = p + {0, a, p+q, p+q+a} = p + span{a, p+q}

If DP(a, b) = 1

  • Right pairs: whole vector space

In all these cases: set of right pairs = affine subspace

SLIDE 38

Planar differential

  • Planar differential (a, b):
    – Inputs of right pairs (x, x + a) form an affine subspace
    – Outputs of right pairs (y, y + b) form an affine subspace

SLIDE 39

Refresher: affine subspaces

  • Affine subspace
    – Translated vector subspace
    – U_p = p + U = { p + u | u ∈ U }
  • Intersection of affine subspaces:
    – U_p ∩ V_q = r + (U ∩ V) if (p + q) ∈ (U + V)
    – U_p ∩ V_q = ∅ otherwise

SLIDE 40

Plateau characteristic theorem

  • If (a, b), (b, c) planar differentials
  • Then DP(a, b, c) = 0, or
                     = 2^{height(Q)} × 2^{-n}
  • height(Q) is integer

[Figure: B[k]: a → R → b → key addition (+ k) → S → c]

SLIDE 41

Proof

  • Right pairs for
    – (a, b): affine subspace U_p
    – (b, c): affine subspace V_q
    – (a, b, c): intersection
  • DP(a, b, c) = 2^{height(Q) – n} if k ∈ K_Q
               = 0 else
  • With height(Q) = dim(U ∩ V)
  • K_Q = p + q + U + V
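SLIDE 42

Possible distributions of DP(Q)

  • DP(Q) = 2^{h(Q) – n} for 2^{2n – h(Q)} EDP(Q) keys
  • DP(Q) = 0 for the other keys

[Figure: number of keys #(k) plotted against DP for characteristics Q1, Q2, Q3; DP axis marked at 2^{1-n}, 2^{2-n}, 2^{3-n}, 2^{4-n}, with EDP indicated]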
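
A scaled-down check of the plateau characteristic theorem and of the key-dependent DP distribution above, added here as an example (not from the original slides). It assumes n = 4 and uses the 4-bit PRESENT S-box for both R and S in B[k](x) = S(k + R(x)); all function names are illustrative.

```python
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
         0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # assumption: PRESENT S-box as R and S
N = 4  # block size and key size in bits

def right_inputs(din, dout):
    """Inputs x with SBOX4[x] ^ SBOX4[x ^ din] == dout."""
    return [x for x in range(1 << N) if SBOX4[x] ^ SBOX4[x ^ din] == dout]

def right_counts_per_key(a, b, c):
    """For every key k: number of inputs x that follow Q = (a, b, c) through B[k]."""
    first = right_inputs(a, b)
    second = set(right_inputs(b, c))
    return [sum((k ^ SBOX4[x]) in second for x in first) for k in range(1 << N)]

def plateau_report():
    """Map each planar characteristic Q to (height, number of keys with DP[k] > 0, EDP(Q))."""
    report = {}
    diffs = range(1, 1 << N)
    for a in diffs:
        for b in diffs:
            n1 = len(right_inputs(a, b))
            for c in diffs:
                n2 = len(right_inputs(b, c))
                # 2 or 4 right inputs always form an affine subspace (planar differential)
                if n1 not in (2, 4) or n2 not in (2, 4):
                    continue
                counts = right_counts_per_key(a, b, c)
                levels = {v for v in counts if v}
                if len(levels) != 1:
                    raise AssertionError(f"not a plateau: {(a, b, c)} {counts}")
                height = levels.pop().bit_length() - 1  # nonzero count is 2^height
                keys = sum(1 for v in counts if v)
                report[(a, b, c)] = (height, keys, n1 * n2 / 4 ** N)
    return report

if __name__ == "__main__":
    for q, (h, keys, edp) in list(plateau_report().items())[:5]:
        print(q, "height", h, "keys with DP>0:", keys,
              "DP[k] =", 2 ** h / 2 ** N, "EDP =", edp)
```

For every characteristic in the report, DP[k] takes only the values 0 and 2^{height – n}, so no single key has DP[k] equal to EDP(Q) even though the average over keys is exactly EDP(Q).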

SLIDE 43

Structure in the set of right pairs

U_p ∩ V_q = r + (U ∩ V), or ∅

  • The intermediate values of the right pairs form an affine space
  • Linear algebra allows this affine space to be determined efficiently
  • Used to accelerate differential attacks on hash functions
SLIDE 44

  • Efficiently determine right pairs of a differential over this structure

[Figure: layer of S-boxes (S S S S), linear mixing layer, further layers of S-boxes]

SLIDE 45

AES superbox

[Figure: AES superbox: S S S S → MixColumns → key addition (+ k) → S S S S]

SLIDE 46

AES superbox characteristics

  • All superbox characteristics are plateau characteristics
  • All characteristics over 2 rounds AES are plateau characteristics
  • Height(Q) can be computed efficiently for all superbox characteristics

SLIDE 47

AES superbox characteristics

                     height(Q)
# active S-boxes     1      2      3      4      5
5                 48.0   47.5   36.2   26.4   11.0
6                 62.7   53.4   33.4   17.5
7                 75.9   50.9   24.9
8                 87.9   54.1   15.0

Binary logarithms

SLIDE 48

Concluding remarks

  • Advanced differential cryptanalysis of AES leads to interesting mathematical structures
    – Applies also to other ciphers
  • Still several open problems
  • Best attacks on AES use different observations
    – Related-key
    – Biclique