Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP


  1. Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP
     Ling Song, Jian Guo
     FSE 2019 @ Paris, France
     Song, Guo | Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP | FSE 2019 | 1 / 27

  2. Outline
     1 Keccak and its Relatives
     2 Cube-Attack-Like Cryptanalysis
     3 MILP Model for Searching Cubes
     4 Main Results

  3. Keccak and its Relatives
     Outline: 1 Keccak and its Relatives; 2 Cube-Attack-Like Cryptanalysis; 3 MILP Model for Searching Cubes; 4 Main Results

  4. Keccak and its Relatives
     Keccak
     - Permutation-based primitive
     - Designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
     - Selected as SHA-3 standard
     - Underlying permutation: Keccak-p[1600, 24]
     - Keccak under keyed modes: KMAC, Keccak-MAC
     Its relatives
     - Authenticated encryption: Keyak, Ketje
     - Pseudorandom function: Kravatte

  5. Motivation
     Cube attacks on keyed Keccak:
     - Cube-attack-like cryptanalysis (Dinur et al., EC'15)
     - Conditional cube attacks (Huang et al., EC'17)
     Mixed Integer Linear Programming (MILP) models greatly improved conditional cube attacks on keyed Keccak:
     - Li et al., AC'17
     - Song et al., AC'18
     How about cube-attack-like cryptanalysis using MILP?

  6. Our Work
     - Propose an MILP model for cube-attack-like cryptanalysis of keyed Keccak
     - Apply the model to Ketje, Keccak-MAC and Xoodoo
     Results table (rows that survive the slide extraction intact):
     Target | $|K|$ | Rounds | T | M | Source
     Ketje Jr V1 | 96 | 5/13 | $2^{56}$ | $2^{38}$ | [DLWQ17]
     Keccak-MAC-512 | 128 | 7/24 | $2^{111}$ | $2^{46}$ | this
     [The remaining rows, covering Ketje Jr V1, Ketje Jr V2, Ketje Sr V2 and Xoodoo*, are scrambled in the extraction and are not reproduced.]
     * In the Ketje mode.

  7. Keccak-p[b, n_r] Permutation
     - $b$ bits: seen as a $5 \times 5$ array of $\frac{b}{25}$-bit lanes, $A[x, y]$
     - $n_r$ rounds
     - Each round $R$ consists of five steps: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$
     - $\chi$: S-box on each row
     - $\pi, \rho$: change the position of state bits
     [Figure: the state with Row, Lane, Column and Slice labelled; source: http://www.iacr.org/authors/tikz/]

  8. Keccak-p Round Function
     Internal state $A$: a $5 \times 5$ array of lanes
     - $\theta$ step:
       $C[x] = A[x,0] \oplus A[x,1] \oplus A[x,2] \oplus A[x,3] \oplus A[x,4]$
       $D[x] = C[x-1] \oplus (C[x+1] \lll 1)$
       $A[x,y] = A[x,y] \oplus D[x]$
     - $\rho$ step: $A[x,y] = A[x,y] \lll r[x,y]$. The constants $r[x,y]$ are the rotation offsets.
     - $\pi$ step: $A[y, 2x+3y] = A[x,y]$
     - $\chi$ step: $A[x,y] = A[x,y] \oplus ((\neg A[x+1,y]) \,\&\, A[x+2,y])$
     - $\iota$ step: $A[0,0] = A[0,0] \oplus RC[i]$. $RC[i]$ are the round constants.
     The only non-linear operation is the $\chi$ step.

  9. Keccak-p Round Function: θ
     $\theta$ step: adding two columns to the current bit
       $C[x] = A[x,0] \oplus A[x,1] \oplus A[x,2] \oplus A[x,3] \oplus A[x,4]$
       $D[x] = C[x-1] \oplus (C[x+1] \lll 1)$
       $A[x,y] = A[x,y] \oplus D[x]$
     The Column Parity kernel: if $C[x] = 0$ for $0 \le x < 5$, then the state $A$ is in the CP kernel.
     [Figure source: http://keccak.noekeon.org/]

  10. Keccak-p Round Function: ρ, π
     - $\rho$ step: lane level rotations, $A[x,y] = A[x,y] \lll r[x,y]$
     - $\pi$ step: permutation on lanes, $A[y, 2x+3y] = A[x,y]$
     [Figure: two $5 \times 5$ grids of lane coordinates $(x, y)$, labelled π; source: http://keccak.noekeon.org/]

  11. Keccak-p Round Function: χ
     $\chi$ step: 5-bit S-boxes, nonlinear operation on rows. Input $x_0 x_1 x_2 x_3 x_4$, output $y_0 y_1 y_2 y_3 y_4$:
       $y_0 = x_0 + (x_1 + 1) \cdot x_2$
       $y_1 = x_1 + (x_2 + 1) \cdot x_3$
       $y_2 = x_2 + (x_3 + 1) \cdot x_4$
       $y_3 = x_3 + (x_4 + 1) \cdot x_0$
       $y_4 = x_4 + (x_0 + 1) \cdot x_1$
     Nonlinear term: product of two adjacent bits in a row.

  12. Xoodoo Permutation
     - Sister of Keccak-p
     - 384 bits: $4 \times 3 \times 32$
     - Round function $R$: $R = \rho_{east} \circ \chi \circ \iota \circ \rho_{west} \circ \theta$
     - $\chi$: S-box on each column
     - $\rho_{west}, \rho_{east}$: change the position of bits in a plane
     [Figure: the state with Column, Lane and Plane labelled]

  13. Xoodoo Round Function
     Internal state $A$: a $3 \times 4$ array of 32-bit lanes
     - $\theta$ step:
       $C[x] = A[x,0] \oplus A[x,1] \oplus A[x,2]$
       $D[x] = (C[x-1] \lll 5) \oplus (C[x+1] \lll 14)$
       $B[x,y] = A[x,y] \oplus D[x]$
     - $\rho_{west}$ step: $A[x,0] = B[x,0]$, $A[x,1] = B[x-1,1]$, $A[x,2] = B[x,2] \lll 11$
     - $\iota$ step: $A[0,0] = A[0,0] \oplus RC[i]$
     - $\chi$ step: $B[x,y] = A[x,y] \oplus ((\neg A[x,y+1]) \,\&\, A[x,y+2])$
     - $\rho_{east}$ step: $A[x,0] = B[x,0]$, $A[x,1] = B[x,1] \lll 1$, $A[x,2] = B[x-2,2] \lll 8$
     The only non-linear operation is the $\chi$ step.

  14. Keccak-MAC
     Keccak: Keccak-p[1600, 24] + Sponge
     Sponge construction [BDPV11]
     - $b$-bit permutation $f$
     - Two parameters: bitrate $r$, capacity $c$, and $b = r + c$
     Keccak-MAC: take $K \| M$ as input

  15. Ketje: Keccak-p* + MonkeyDuplex
     [Figure: MonkeyDuplex diagram; labels: K||Nonce, pad, r, σ_i, σ_j, Z_i, Z_j, f, n_start, n_step, n_stride]
     - Keccak-p*$[b, n_r] = \pi \circ$ Keccak-p$[b, n_r] \circ \pi^{-1}$
     - $n_{start} = 12$, $n_{step} = 1$, $n_{stride} = 6$
     4 variants:
     - Jr: $b = 200$, $r = 16$
     - Sr: $b = 400$, $r = 32$
     - Minor: $b = 800$, $r = 128$
     - Major: $b = 1600$, $r = 256$
     Xoodoo can be an alternative permutation.

  16. Cube-Attack-Like Cryptanalysis
     Outline: 1 Keccak and its Relatives; 2 Cube-Attack-Like Cryptanalysis; 3 MILP Model for Searching Cubes; 4 Main Results

  17. Cube Attacks [DS09] (Higher Order Differential Cryptanalysis)
     Given a Boolean polynomial $f(k_0, \dots, k_{n-1}, v_0, \dots, v_{m-1})$ and a monomial $t_I = \bigwedge_{i_r \in I} v_{i_r}$, $I = (i_1, \dots, i_d)$, $f$ can be written as
       $f(k_0, \dots, k_{n-1}, v_0, \dots, v_{m-1}) = t_I \cdot p_{S_I} + q(k_0, \dots, k_{n-1}, v_0, \dots, v_{m-1})$
     - $q$ contains terms that are not divisible by $t_I$
     - $p_{S_I}$ is called the superpoly of $I$ in $f$
     - $v_{i_1}, \dots, v_{i_d}$ are called cube variables. $d$ is the dimension.
     The cube sum is exactly
       $\sum_{(v_{i_1}, \dots, v_{i_d}) \in C_I} f(k_0, \dots, k_{n-1}, v_0, \dots, v_{m-1}) = p_{S_I}$
     Cube attacks: $p_{S_I} = L(k_0, \dots, k_{n-1})$ is a linear polynomial. Solve a set of linear equations and recover the key.

  18. Cube-Attack-Like Cryptanalysis [DMP+15]
     - Cube attack: $p_{S_I} = L(k_0, \dots, k_{n-1})$
     - Cube-attack-like: using $n_a$ aux. vars, $p'_{S_I} = L'(k_{i_1}, \dots, k_{i_{n_i}})$, $n_i < n$
     Offline phase: $T = 2^{n_i + d}$, $M = 2^{n_i}$
     - Build a lookup table.
       $k_{i_1} \dots k_{i_{n_i}}$ | Cube sum
       00...00 | 01011...
       00...01 | 11010...
       ... | ...
       11...11 | 10110...
     Online phase: $T = 2^{n_a + d}$
     1 Set the value of the $n_a$ aux. vars.
     2 Query the cipher to obtain the cube sum.
     3 Look up the table to recover the $n_i$ key bits.

  19. Task of the MILP Model
     - The algebraic degree of $n$ rounds is $2^n$.
     - The first round can be linearized by avoiding adjacent cube variables.
     1 Find $2^{n-1}$-dimensional cubes where $n$ is as large as possible (attack more rounds).
     2 Find balanced attacks where $n_i$ and $n_a$ are close and as small as possible (low complexity).

  20. MILP Model for Searching Cubes
     Outline: 1 Keccak and its Relatives; 2 Cube-Attack-Like Cryptanalysis; 3 MILP Model for Searching Cubes; 4 Main Results
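
The degree argument of slides 17 to 19, checked on the round function from slide 8, as an added example (not code from the presentation or from the Keccak designers). It assumes the 8-bit-lane instance Keccak-p[200], a constructed random state standing in for key and nonce bits, and a hypothetical cube whose variable z is written to bit z of both lanes A[2][0] and A[2][1]. That placement keeps the state difference in the CP kernel and puts no two cube variables in one row before χ, so round 1 is linear in the cube variables, three rounds have degree at most 4, and the sum over the 5-dimensional cube is zero in every state bit.

```python
import random
from itertools import product

W, MASK = 8, 0xFF          # Keccak-p[200]: 25 lanes of 8 bits
RC = [0x01, 0x82, 0x8A]    # round constants RC[0..2], truncated to 8 bits

def rol(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK

R = [[0] * 5 for _ in range(5)]   # rotation offsets r[x][y] from the Keccak spec
x, y = 1, 0
for t in range(24):
    R[x][y] = (t + 1) * (t + 2) // 2
    x, y = y, (2 * x + 3 * y) % 5

def keccak_round(A, rc):
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
    B = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):        # theta, then rho and pi in one move
            B[y][(2 * x + 3 * y) % 5] = rol(A[x][y] ^ D[x], R[x][y])
    A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y] & MASK)
          for y in range(5)] for x in range(5)]   # chi
    A[0][0] ^= rc                 # iota
    return A

def cube_sum(base, cube, rounds):
    """XOR of the state over all cube assignments; a variable is a list of (x, y, z) bits."""
    acc = [[0] * 5 for _ in range(5)]
    for vals in product((0, 1), repeat=len(cube)):
        A = [lane[:] for lane in base]
        for bits, v in zip(cube, vals):
            for x, y, z in bits:
                A[x][y] = (A[x][y] & ~(1 << z)) | (v << z)
        for i in range(rounds):
            A = keccak_round(A, RC[i])
        acc = [[acc[x][y] ^ A[x][y] for y in range(5)] for x in range(5)]
    return acc

rng = random.Random(2019)         # constructed state standing in for key and nonce bits
BASE = [[rng.randrange(256) for _ in range(5)] for _ in range(5)]
# Hypothetical CP-kernel cube: variable z sits in bit z of A[2][0] and A[2][1];
# theta leaves it in place and pi sends the two lanes to different rows.
CP_CUBE = [[(2, 0, z), (2, 1, z)] for z in range(5)]

if __name__ == "__main__":
    print(any(map(any, cube_sum(BASE, CP_CUBE, 3))))   # False: the cube sum vanishes
```

Without the linearized first round only the generic bound $2^3 = 8$ applies, so a zero sum over three rounds would be guaranteed only from dimension 9 upward.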
