Experimentally Verifying a Complex Algebraic Attack on the Grain-128 - - PowerPoint PPT Presentation

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware

SHARCS 2012 – Washington D.C.

Itai Dinur1, Tim Güneysu2, Christof Paar2, Adi Shamir1, and Ralf Zimmermann2

1 Computer Science Dept., The Weizmann Institute, Israel 2 Horst Görtz Institute for IT Security, Ruhr-University Bochum

18.03.2012

2 SHARCS 2012 | Washington D.C. | 18.03.2012

• Introduction
• Implementation
• Problems and Solutions
• Results and Conclusion

Outline

3 SHARCS 2012 | Washington D.C. | 18.03.2012

Experimentally Verifying Complex Algebraic Attack Grain-128 Cipher Dedicated Reconfigurable Hardware a

• n the

Using

Introduction

Experimentally Explaining The Title

4 SHARCS 2012 | Washington D.C. | 18.03.2012

Grain-128 Cipher Experimentally Verifying Complex Algebraic Attack Dedicated Reconfigurable Hardware a

• n the

Using

Introduction

Experimentally Explaining The Title

5 SHARCS 2012 | Washington D.C. | 18.03.2012

Complex Algebraic Attack Experimentally Verifying Grain-128 Cipher Dedicated Reconfigurable Hardware a

• n the

Using

Introduction

Experimentally Explaining The Title

6 SHARCS 2012 | Washington D.C. | 18.03.2012

Experimentally Verifying Complex Algebraic Attack Grain-128 Cipher Dedicated Reconfigurable Hardware a

• n the

Using

Introduction

Experimentally Explaining The Title

7 SHARCS 2012 | Washington D.C. | 18.03.2012

Dedicated Reconfigurable Hardware Experimentally Verifying Complex Algebraic Attack Grain-128 Cipher a

• n the

Using

Introduction

Experimentally Explaining The Title

8 SHARCS 2012 | Washington D.C. | 18.03.2012

• 128-bit key, 96-bit IV
• Boolean functions
• 256 clock cycles

Introduction

Grain-128

9 SHARCS 2012 | Washington D.C. | 18.03.2012

• Algebraic Attack
• Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011)
• Complexity d*2d+e-10 (d = 50, e = 39)
• Implication: 2128  285

Introduction

Cube Attack (very brief )

10 SHARCS 2012 | Washington D.C. | 18.03.2012

• Algebraic Attack
• Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011)
• Complexity d*2d+e-10 (d = 50, e = 39)
• Implication: 2128  285
• Uses CubeTesters
• Aumasson/Dinur/Meier/Shamir (FSE 2009)
• Related to higher order differential attacks
• Distinguishes (special) polynomials from random functions

Introduction

Cube Attack (very brief )

11 SHARCS 2012 | Washington D.C. | 18.03.2012

• Algebraic Attack
• Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011)
• Complexity d*2d+e-10 (d = 50, e = 39)
• Implication: 2128  285
• Uses CubeTesters
• Aumasson/Dinur/Meier/Shamir (FSE 2009)
• Related to higher order differential attacks
• Distinguishes (special) polynomials from random functions
• Multiple Steps
• Guess and generate scores
• Determine most likely values of secret expression
• Recover the key

Introduction

Cube Attack (very brief )

12 SHARCS 2012 | Washington D.C. | 18.03.2012

• Motivation:
• Attack complexity only estimated
• Theoretical success probability realistic?

Introduction

Cube Attack - Partial Simulation

13 SHARCS 2012 | Washington D.C. | 18.03.2012

• Motivation:
• Attack complexity only estimated
• Theoretical success probability realistic?
• Simulate correct guess for known key

1. Compute cube summations 2. Compute score of correct guess 3. Estimate position in sorted guess list

Introduction

Cube Attack - Partial Simulation

14 SHARCS 2012 | Washington D.C. | 18.03.2012

• Motivation:
• Attack complexity only estimated
• Theoretical success probability realistic?
• Simulate correct guess for known key

1. Compute cube summations 2. Compute score of correct guess 3. Estimate position in sorted guess list

Details: Dinur et al. (Asiacrypt 2011)

Introduction

Cube Attack - Partial Simulation

15 SHARCS 2012 | Washington D.C. | 18.03.2012

• Introduction
• Implementation
• Problems and Solutions
• Results and Conclusion

Outline

16 SHARCS 2012 | Washington D.C. | 18.03.2012

• Considerations
• Flexibility
• Operability

Implementation

Hardware Design Goals

17 SHARCS 2012 | Washington D.C. | 18.03.2012

• Considerations
• Needs high performance!
• Data complexity?
• Bottlenecks?
• Flexibility
• Operability

Implementation

Hardware Design Goals

18 SHARCS 2012 | Washington D.C. | 18.03.2012

• Considerations
• Needs high performance!
• Data complexity?
• Bottlenecks?
• Flexibility
• Adaptable to modified cube attacks
• Adaptable to modified parameter sets
• Operability

Implementation

Hardware Design Goals

19 SHARCS 2012 | Washington D.C. | 18.03.2012

• Considerations
• Needs high performance!
• Data complexity?
• Bottlenecks?
• Flexibility
• Adaptable to modified cube attacks
• Adaptable to modified parameter sets
• Operability
• Fully working post-place and route design
• Fully working on RIVYERA FPGA Cluster

Implementation

Hardware Design Goals

20 SHARCS 2012 | Washington D.C. | 18.03.2012

• 8 Spartan-3 5000 FPGAs

Implementation

RIVYERA Architecture

21 SHARCS 2012 | Washington D.C. | 18.03.2012

• 8 Spartan-3 5000 FPGAs
• 16 Boards

Implementation

RIVYERA Architecture

22 SHARCS 2012 | Washington D.C. | 18.03.2012

• 8 Spartan-3 5000 FPGAs
• 16 Boards
• i7 Processor

Implementation

RIVYERA Architecture

23 SHARCS 2012 | Washington D.C. | 18.03.2012

Implementation

The Algorithm - Hands-On

24 SHARCS 2012 | Washington D.C. | 18.03.2012

Implementation

The Algorithm - Hands-On

25 SHARCS 2012 | Washington D.C. | 18.03.2012

Implementation

The Algorithm - Hands-On

26 SHARCS 2012 | Washington D.C. | 18.03.2012

Implementation

The Algorithm - Hands-On

27 SHARCS 2012 | Washington D.C. | 18.03.2012

Implementation

The Algorithm - Hands-On

• Focus on time consuming steps

1. Chose random key 2. Generate boolean functions (polynomials to evaluate) 3. Compute 250 times the first output bit (Grain-128 Initialization) 4. XOR the results in some way

28 SHARCS 2012 | Washington D.C. | 18.03.2012

Implementation

The Algorithm - Hands-On

• Focus on time consuming steps

1. Chose random key 2. Generate boolean functions (polynomials to evaluate) 3. Compute 250 times the first output bit (Grain-128 Initialization) 4. XOR the results in some way

Sounds easy! Let’s try it in Software…

29 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 0 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables

Implementation

Software View

Example

1

30 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 0 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Update the IV:
• Increment cube indices by 1

Implementation

Software View

Example

0 0 1

31 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 0 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Update the IV:
• Increment cube indices by 1

Implementation

Software View

Example

0 0 1 1

32 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 0 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Update the IV:
• Increment cube indices by 1

Implementation

Software View

Example

0 0 1 1 1

33 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Update the IV:
• Increment cube indices by 1
• Evaluate polynomials
• Polynomial Evaluation
• Loop over all Monomials
• Simple Array-Lookup

Implementation

Software View

Example

and xor and and

0 0 1 1 1

34 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Update the IV:
• Increment cube indices by 1
• Evaluate polynomials
• Polynomial Evaluation
• Loop over all Monomials
• Simple Array-Lookup
• But: Very slow in Software (250 Grain iterations per key)

Implementation

Software View

Example

and xor and and

0 0 1 1 1

35 SHARCS 2012 | Washington D.C. | 18.03.2012

1 1 1 1 0 0 1 0 0 1 0 …

• Prepare IV in an array
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Update the IV:
• Increment cube indices by 1
• Evaluate polynomials
• Polynomial Evaluation
• Loop over all Monomials
• Simple Array-Lookup
• But: Very slow in Software (250 Grain iterations per key)

Implementation

Software View

Example

and xor and and

0 0 1 1 1

Let’s try hardware!

36 SHARCS 2012 | Washington D.C. | 18.03.2012

• Introduction
• Implementation
• Problems and Solutions
• Results and Conclusion

Outline

37 SHARCS 2012 | Washington D.C. | 18.03.2012

• Multiplex Signals to Register Input
• Unfilled: initial IV (unchanged)
• Red: cube indices

Problems

Flexibility  Feasibility ?

1 0 1 0 1 0 0 0 1 0 0 1 0 1 …

1

38 SHARCS 2012 | Washington D.C. | 18.03.2012

• Multiplex Signals to Register Input
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables

Problems

Flexibility  Feasibility ?

1 0 1 0 1 0 0 0 1 0 0 1 0 1 …

00 01 10 11 p1 p2

39 SHARCS 2012 | Washington D.C. | 18.03.2012

1 2 3 p1 p2 n pn

• Multiplex Signals to Register Input
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables

Problems

Flexibility  Feasibility ?

1 0 1 0 1 0 0 0 1 0 0 1 0 1 …

40 SHARCS 2012 | Washington D.C. | 18.03.2012

1 2 3 p1 p2 n pn

• Multiplex Signals to Register Input
• Unfilled: initial IV (unchanged)
• Red: cube indices
• Blue: dynamic variables
• Updating the IV:
• HW adder to increment on cube indices
• 96-bit adder
• Addition constant depends on positions
• Evaluate polynomials somehow (?)

Problems

Flexibility  Feasibility ?

1 0 1 0 1 0 0 0 1 0 0 1 0 1 …

41 SHARCS 2012 | Washington D.C. | 18.03.2012

Problems come with polynomials…

• All possible monomials over d positions

 ∑ d k d k=1 (with d = 50  1015)

Problems

Flexibility  Impossibility

42 SHARCS 2012 | Washington D.C. | 18.03.2012

Problems come with polynomials…

• All possible monomials over d positions

 ∑ d k d k=1 (with d = 50  1015)

• And the d positions are not fixed

Problems

Flexibility  Impossibility

43 SHARCS 2012 | Washington D.C. | 18.03.2012

Problems come with polynomials…

• All possible monomials over d positions

 ∑ d k d k=1 (with d = 50  1015)

• And the d positions are not fixed
• Polynomials connect multiple monomials

Problems

Flexibility  Impossibility

44 SHARCS 2012 | Washington D.C. | 18.03.2012

Problems come with polynomials…

• All possible monomials over d positions

 ∑ d k d k=1 (with d = 50  1015)

• And the d positions are not fixed
• Polynomials connect multiple monomials
• We need up to n different polynomials…

Problems

Flexibility  Impossibility

45 SHARCS 2012 | Washington D.C. | 18.03.2012

Solution

• Locally fix the d positions and n polynomials
•  only needed monomials are computed
•  no space wasted
•  no additional multiplexing

Solutions

Flexibility and Feasibility

46 SHARCS 2012 | Washington D.C. | 18.03.2012

Solution

• Locally fix the d positions and n polynomials
•  only needed monomials are computed
•  no space wasted
•  no additional multiplexing
• But: FPGA must be reconfigured for each
• Parameter-Set
• Random-Key

Solutions

Flexibility and Feasibility

47 SHARCS 2012 | Washington D.C. | 18.03.2012

Solution

• Locally fix the d positions and n polynomials
•  only needed monomials are computed
•  no space wasted
•  no additional multiplexing
• But: FPGA must be reconfigured for each
• Parameter-Set
• Random-Key

Solutions

Flexibility and Feasibility

48 SHARCS 2012 | Washington D.C. | 18.03.2012

Solution

• Locally fix the d positions and n polynomials
•  only needed monomials are computed
•  no space wasted
•  no additional multiplexing
• But: FPGA must be reconfigured for each
• Parameter-Set
• Random-Key

Solutions

Flexibility and Feasibility

49 SHARCS 2012 | Washington D.C. | 18.03.2012

Solution

• Locally fix the d positions and n polynomials
•  only needed monomials are computed
•  no space wasted
•  no additional multiplexing
• But: FPGA must be reconfigured for each
• Parameter-Set
• Random-Key

Solutions

Flexibility and Feasibility

50 SHARCS 2012 | Washington D.C. | 18.03.2012

• Multiple workers per FPGA
• Each worker generates IVs locally

Solutions

Top-Level Design

51 SHARCS 2012 | Washington D.C. | 18.03.2012

• Hardware
• Divides search space
• Computes 250 Grain iterations

Solutions

Hardware / Software Process

52 SHARCS 2012 | Washington D.C. | 18.03.2012

• Hardware
• Divides search space
• Computes 250 Grain iterations
• Software
• Generates key-specific VHDL
• Generates FPGA configuration
• Reconfigures cluster
• Fetches results from cluster
• Computes post-processing

Solutions

Hardware / Software Process

53 SHARCS 2012 | Washington D.C. | 18.03.2012

• Introduction
• Implementation
• Problems and Solutions
• Results and Conclusion

Outline

54 SHARCS 2012 | Washington D.C. | 18.03.2012

• Experimentally verified the main components of the attack
• More than 150 tests with randomly-chosen keys
• Each test requires running the initialization process 250 times

Results and Conclusion

Getting back to the Cube Attack

55 SHARCS 2012 | Washington D.C. | 18.03.2012

• Experimentally verified the main components of the attack
• More than 150 tests with randomly-chosen keys
• Each test requires running the initialization process 250 times
• Software vs Hardware

Results and Conclusion

Getting back to the Cube Attack

56 SHARCS 2012 | Washington D.C. | 18.03.2012

• Experimentally verified the main components of the attack
• More than 150 tests with randomly-chosen keys
• Each test requires running the initialization process 250 times
• Software vs Hardware

Results and Conclusion

Getting back to the Cube Attack

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware

SHARCS 2012 – Washington D.C.

Itai Dinur1, Tim Güneysu2, Christof Paar2, Adi Shamir1, and Ralf Zimmermann2

1 Computer Science Dept., The Weizmann Institute, Israel 2 Horst Görtz Institute for IT Security, Ruhr-University Bochum

18.03.2012

Thank you for your attention! Any Questions?

58 SHARCS 2012 | Washington D.C. | 18.03.2012

• Polynomials have high impact
• Building Time up to 8 hours

Results and Conclusion

Hardware Results