Improved Division Property Based Cube Attacks Exploiting Algebraic - PowerPoint PPT Presentation

  1. Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly
     Qingju Wang (1), Yonglin Hao (2), Yosuke Todo (3), Chaoyun Li (4), Takanori Isobe (5), Willi Meier (6)
     (1) SnT, University of Luxembourg, LU; (2) State Key Laboratory of Cryptology, Beijing, CN; (3) NTT Secure Platform Laboratories, JP; (4) imec-COSIC, KU Leuven, BE; (5) University of Hyogo, JP; (6) FHNW, CH
     August 20, 2018

  2. Outline
     1 Introduction
     2 Motivations: TodoIHM17 and Its Limitations
     3 Our Approach
     4 Applications
     5 Conclusions and Future Works
     Wang, Hao, Todo, Li, Isobe, Meier Improved Division Property Based Cube Attacks August 20, 2018 1 / 29

  3. Introduction: Outline
     1 Introduction (Stream Ciphers; Cube Attacks)
     2 Motivations: TodoIHM17 and Its Limitations
     3 Our Approach
     4 Applications
     5 Conclusions and Future Works

  4. Introduction: Why Stream Ciphers?
     - Fast in software: RC4, ChaCha
     - Efficient in hardware: Grain, Trivium
     - Low multiplications: Trivium, Kreyvium, FLIP, Rasta
     - Used as authenticated encryption: Acorn

  5. Introduction / Stream Ciphers: Stream Ciphers
     - $n$-bit secret variables (key): $\vec{x} = (x_1, x_2, \ldots, x_n)$
     - $m$-bit public variables (IV): $\vec{v} = (v_1, v_2, \ldots, v_m)$
     - $s_{i+1} = \mathrm{Upd}(s_i)$ for $0 \le i \le r-1$, where $s_0 = (\vec{x}, \vec{v})$
     - $z$ is the first bit of the key stream:
       $$z = f(\vec{x}, \vec{v}) = \bigoplus_{\vec{u} \in \mathbb{F}_2^m} \beta^{f}_{\vec{u}}\, \vec{v}^{\vec{u}}, \qquad \text{where } \vec{v}^{\vec{u}} = \prod_{i=1}^{m} v_i^{u_i}.$$

  9. Introduction / Cube Attacks: The Idea of the Classical Cube Attacks
     - $I = \{i_1, i_2, \ldots, i_{|I|}\}$ is the index set of the active IV bits.
     - $C_I$ is the set of all $2^{|I|}$ values of the bits $v_i$, $i \in I$.
     - $z = f(\vec{x}, \vec{v}) = t_I \cdot p_I(\vec{x}, \vec{v}) + q_I(\vec{x}, \vec{v})$, where $t_I = \prod_{i \in I} v_i$ and every monomial of $q_I$ misses at least one variable of $t_I$.
     - $\bigoplus_{\vec{v} \in C_I} z = p_I(\vec{x}, \vec{v})$ is called the superpoly of $C_I$.
     - Attackers can recover secret information about $\vec{x}$ by analyzing $p_I$.
     - In practice $f$ cannot be decomposed this way, since stream ciphers are complicated.

  10. Introduction / Cube Attacks: Experimental Approach for Classical Cube Attacks
     The stream cipher is regarded as a black box. How to recover the ANF of $p_I(\vec{x}, \vec{v})$:
     1 Compute $\bigoplus_{\vec{v} \in C_I} f(\vec{x}, \vec{v}) = p_I(\vec{x}, \vec{v})$ for randomly chosen $\vec{x}$.
     2 Run linearity tests many times to check whether $p_I(\vec{x}, \vec{v}) \oplus p_I(\vec{x}', \vec{v}) = p_I(\vec{x} \oplus \vec{x}', \vec{v})$.
     3 If the test passes, the ANF of the superpoly can be recovered.
     Drawback of this approach: the cube size is limited to the experimental range, $|I| \le 40$.
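The black-box procedure of the slide, worked through on a constructed toy function (this is an added example, not code from the talk or its authors): `f` is a made-up 4-secret-bit, 4-public-bit ANF chosen so that for the cube $I = \{1, 2\}$ the decomposition $f = t_I \cdot p_I + q_I$ is visible, `cube_sum` treats `f` as an oracle and XORs it over $C_I$, the linearity test is run exhaustively over all pairs $(\vec{x}, \vec{x}')$ (including $p_I(0)$ so affine superpolys with a constant term also pass), and the ANF is then read off from $p_I$ at the unit vectors. All names and the function `f` are assumptions of this example.

```python
from itertools import product

# Toy target (constructed for this example): n = 4 secret bits x, m = 4 public bits v.
# f is written directly as an ANF so the decomposition is visible:
#   f = t_I * p_I + q_I  with  I = {1, 2},  t_I = v1 v2,  p_I = x1 + x3 + 1.
N_SECRET, M_PUBLIC = 4, 4

def f(x, v):
    """Toy output bit z = f(x, v); x[0] is x_1 of the slides, v[0] is v_1."""
    x1, x2, x3, x4 = x
    v1, v2, v3, v4 = v
    return ((v1 & v2 & (x1 ^ x3 ^ 1))   # t_I * p_I
            ^ (v1 & x2)                  # q_I: every monomial misses v1 or v2
            ^ (v2 & v3 & x1 & x4)
            ^ v3
            ^ (x1 & x2 & v4)
            ^ (x1 & x2 & x3))

def cube_sum(func, x, cube, m=M_PUBLIC):
    """Black-box cube summation: XOR func(x, v) over all 2^|cube| values of the
    cube bits, with every non-cube public bit fixed to 0. Returns p_I(x)."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * m
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= func(x, v)
    return acc

def linearity_test(p, n=N_SECRET):
    """Exhaustive affine-linearity test of p over all pairs (x, x').
    The slide states the test as p(x) + p(x') = p(x + x'); XOR-ing in p(0)
    as well lets a superpoly with a constant term pass too."""
    vecs = list(product((0, 1), repeat=n))
    zero = (0,) * n
    for a in vecs:
        for b in vecs:
            a_xor_b = tuple(i ^ j for i, j in zip(a, b))
            if p(a) ^ p(b) ^ p(a_xor_b) ^ p(zero):
                return False
    return True

def recover_affine_anf(p, n=N_SECRET):
    """Once linearity holds: constant = p(0), coefficient of x_j = p(e_j) + p(0).
    Returns {'const': c, 'x1': c1, ...} using the slides' 1-based names."""
    zero = (0,) * n
    c0 = p(zero)
    anf = {'const': c0}
    for j in range(n):
        e_j = tuple(1 if i == j else 0 for i in range(n))
        anf[f'x{j + 1}'] = p(e_j) ^ c0
    return anf

CUBE = [0, 1]                       # I = {1, 2} in the slides' 1-based indexing
superpoly = lambda x: cube_sum(f, x, CUBE)

def run_attack():
    """Cube-sum, linearity test, ANF recovery; None if the superpoly is not affine."""
    if not linearity_test(superpoly):
        return None
    return recover_affine_anf(superpoly)

if __name__ == "__main__":
    print(run_attack())   # {'const': 1, 'x1': 1, 'x2': 0, 'x3': 1, 'x4': 0}
```

The recovered ANF is exactly the $p_I = x_1 \oplus x_3 \oplus 1$ planted in `f`; the cube $\{2, 3\}$ (Python indices `[1, 2]`) instead yields $x_1 x_4$, which fails the test, showing why the experimental approach needs the superpoly to be (affine-)linear before it can be used.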

  11. Introduction / Cube Attacks: Contributions of TodoIHM17
      - Introduced the division property to cube attacks for the first time, to analyze the ANF of the superpoly.
      - The first theoretical attack exploiting very large cubes, e.g. size 72 for 832-round Trivium.
      - Provides upper bounds on the complexity of recovering the ANF of the superpoly.

  12. Motivations: TodoIHM17 and Its Limitations: Outline
      1 Introduction
      2 Motivations: TodoIHM17 and Its Limitations (Division Property and Division Trails; Cube Attacks Based on Division Property; Limitations of TodoIHM17)
      3 Our Approach
      4 Applications
      5 Conclusions and Future Works

  13. Motivations / Division Property and Division Trails
      (Bit-Based) Division Property, Todo, Eurocrypt'15
      Let $\mathbb{X}$ be a multiset of elements of $\mathbb{F}_2^n$, and $\mathbb{K} = \{\vec{k} \mid \vec{k} \in \mathbb{F}_2^n\}$. When $\mathbb{X}$ has the division property $\mathcal{D}^n_{\mathbb{K}}$, it fulfills
      $$\bigoplus_{\vec{x} \in \mathbb{X}} \vec{x}^{\vec{u}} = \begin{cases} \text{unknown} & \text{if there exists } \vec{k} \in \mathbb{K} \text{ s.t. } \vec{u} \succeq \vec{k}, \\ 0 & \text{otherwise}, \end{cases}$$
      where $\vec{u} \succeq \vec{k}$ if $u_i \ge k_i$ for all $i$.
      Division Trail, Xiang et al., Asiacrypt'16
      Assume the initial division property of a cipher is $\mathbb{K}_0$ (i.e. $\mathcal{D}_{\mathbb{K}_0}$), and the division property after the $i$-th round function $R$ is $\mathbb{K}_i$ ($\mathcal{D}_{\mathbb{K}_i}$). We have a trail of $r$ rounds of division property propagation
      $$\mathbb{K}_0 \xrightarrow{R} \mathbb{K}_1 \xrightarrow{R} \cdots \xrightarrow{R} \mathbb{K}_r .$$
      For $(\vec{k}_0, \vec{k}_1, \ldots, \vec{k}_r) \in (\mathbb{K}_0, \mathbb{K}_1, \ldots, \mathbb{K}_r)$, if $\vec{k}_i \to \vec{k}_{i+1}$ for all $0 \le i \le r-1$, then $(\vec{k}_0, \vec{k}_1, \ldots, \vec{k}_r)$ is called an $r$-round division trail.

  14. Motivations / Division Property and Division Trails: Evaluation of Division Trails
      Ask a CP-based solver for help (Xiang et al., Asiacrypt'16): create a MILP model $\mathcal{M}$ for the propagation of the division property.
      - MILP, SAT/SMT, constraint programming, etc.
      $$\vec{k}_0 \xrightarrow{\mathrm{Upd}} \cdots \xrightarrow{\mathrm{Upd}} \vec{k}_i \xrightarrow{\mathrm{Upd}} \vec{k}_{i+1} \xrightarrow{\mathrm{Upd}} \cdots \xrightarrow{\mathrm{Upd}} \vec{k}_r .$$
      - The entries of $\vec{k}_0, \ldots, \vec{k}_r$ are binary variables of $\mathcal{M}.var$.
      - $\mathrm{Upd}(\cdot)$ is described by constraints $\mathcal{M}.con$.
      Solvers can efficiently evaluate the feasibility of division trails. If $\vec{k}_0 \to \vec{e}_j$ is infeasible, the $j$-th bit is balanced (the sum is always 0).
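To make the definition on slide 13 and the "infeasible trail means balanced bit" statement on slide 14 concrete, here is an added example (not code from the talk or its authors) that computes both by brute force on a constructed 4-bit toy round function, i.e. it computes the ground truth that a MILP division-trail model is built to bound without enumeration. `has_division_property` checks $\mathcal{D}^n_{\vec{k}}$ directly from the definition (every $\vec{u} \not\succeq \vec{k}$ must sum to 0), and `balanced_bits` reports which state bits XOR to 0 over the cube after $r$ rounds for every choice of the constant bits. The NLFSR `upd`, the state size and all names are assumptions of this example.

```python
from itertools import product

N = 4  # toy state size (constructed example)

def monomial(x, u):
    """x^u = prod_i x_i^{u_i} over F_2: equals 1 iff x_i = 1 wherever u_i = 1."""
    return int(all(xi >= ui for xi, ui in zip(x, u)))

def succeeds(u, k):
    """u succeeds k (u >= k componentwise) iff u_i >= k_i for all i."""
    return all(ui >= ki for ui, ki in zip(u, k))

def cube_multiset(active, const):
    """All 2^|active| vectors with the active bits free, the others taken from const."""
    X = []
    for bits in product((0, 1), repeat=len(active)):
        x = list(const)
        for i, b in zip(active, bits):
            x[i] = b
        X.append(tuple(x))
    return X

def has_division_property(X, k, n=N):
    """Brute-force check of D^n_{k}: the XOR of x^u over X must be 0 for every u
    that does not succeed k (for u >= k the sum may be anything, i.e. unknown)."""
    for u in product((0, 1), repeat=n):
        if not succeeds(u, k) and sum(monomial(x, u) for x in X) % 2:
            return False
    return True

def upd(s):
    """Toy 4-bit NLFSR round (constructed): shift left, feedback s0 + s1*s2."""
    return (s[1], s[2], s[3], s[0] ^ (s[1] & s[2]))

def balanced_bits(active, rounds, n=N):
    """Bit j is balanced after `rounds` applications of upd if its XOR over the
    cube is 0 for EVERY assignment of the constant (non-active) bits. This is
    exactly what an infeasible trail k0 -> e_j certifies in the MILP model."""
    fixed = [i for i in range(n) if i not in active]
    balanced = set(range(n))
    for cbits in product((0, 1), repeat=len(fixed)):
        const = [0] * n
        for i, b in zip(fixed, cbits):
            const[i] = b
        X = cube_multiset(active, const)
        for _ in range(rounds):
            X = [upd(x) for x in X]
        for j in list(balanced):
            if sum(x[j] for x in X) % 2:
                balanced.discard(j)
    return balanced

if __name__ == "__main__":
    k0 = (1, 1, 0, 0)  # initial division property: bits 0 and 1 active
    print(has_division_property(cube_multiset([0, 1], [0, 0, 1, 0]), k0))
    for r in range(1, 6):
        print(r, sorted(balanced_bits([0, 1], r)))
```

With bits 0 and 1 active, every output bit stays balanced through 3 rounds; after 4 rounds the feedback bit acquires the monomial $x_0 x_1$ and is no longer balanced, and after 5 rounds only bits 0 and 1 remain balanced. The brute force costs $2^{n-|I|} \cdot 2^{|I|}$ cipher evaluations per round count, which is why the slides replace it with a solver for real ciphers.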

  16. Motivations / Cube Attacks Based on Division Property: Evaluate ANF Coefficients of the Superpoly by Division Property
      Check the division trail $(\vec{e}_j, \vec{k}) \to 1$, where $(\vec{e}_j, \vec{k}) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$ and $\vec{k}$ is the indicator of the cube, $\vec{v}^{\vec{k}} = t_I$.
      If there is no division trail $(\vec{e}_j, \vec{k}) \to 1$, then $x_j$ is not involved in the superpoly.
      By repeating this procedure, all the secret variables of $\vec{x}$ involved in the superpoly can be determined; they are denoted $J = \{x_{j_1}, x_{j_2}, \ldots, x_{j_{|J|}}\}$.

  17. Motivations / Cube Attacks Based on Division Property: Overview of the Attack Strategy in TodoIHM17
      1 Evaluation phase.
        - Construct a random set $I$.
        - Determine the key bits $J$ involved in the corresponding superpoly $p_I$.
        This phase is feasible: several hours using Gurobi.
      2 Off-line phase.
        - Sum the output over the given cube $C_I$ and construct the whole truth table of the superpoly $p_I$.
        This phase is not practical, but its time and memory complexity are bounded by $2^{|I|+|J|}$ and $2^{|J|}$.
      3 On-line phase.
        - Query the encryption oracle to obtain the exact value of the superpoly.
        - Check the precomputed truth table and recover secret variables.
        Time and data complexity: $2^{|I|}$.
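The three phases above, run end to end on a constructed 6-bit toy stream cipher (added example, not code from the talk or its authors, and the cipher is not any real design): the state holds 3 key bits followed by 3 IV bits, one round shifts left and feeds back $s_0 \oplus s_2 s_3 \oplus s_5$, and $z$ is the first state bit after 9 rounds. The evaluation phase here finds $J$ by brute force over keys (TodoIHM17 answers the same question with the trail $(\vec{e}_j, \vec{k}) \to 1$ instead, without enumerating keys); the off-line phase builds the $2^{|J|}$-entry truth table at a cost of $2^{|I|+|J|}$ evaluations; the on-line phase makes $2^{|I|}$ oracle queries and keeps the $J$-assignments consistent with the observed superpoly value. Round function, cube and names are assumptions of this example.

```python
from itertools import product

# Toy stream cipher (constructed; not a real design). State s = (x0, x1, x2, v0, v1, v2).
N_KEY, M_IV, ROUNDS = 3, 3, 9

def upd(s):
    """One round: shift left, feedback s0 + s2*s3 + s5 (all over F_2)."""
    return s[1:] + (s[0] ^ (s[2] & s[3]) ^ s[5],)

def keystream_bit(key, iv, rounds=ROUNDS):
    """z = first state bit after `rounds` rounds from s0 = (key, iv)."""
    s = tuple(key) + tuple(iv)
    for _ in range(rounds):
        s = upd(s)
    return s[0]

def cube_sum(key, cube, iv_const):
    """XOR of z over the cube C_I; non-cube IV bits are taken from iv_const."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        iv = list(iv_const)
        for i, b in zip(cube, bits):
            iv[i] = b
        acc ^= keystream_bit(key, iv)
    return acc

def evaluation_phase(cube, iv_const, n=N_KEY):
    """J: x_j is involved in p_I iff flipping x_j changes the cube sum for some key
    (brute force stand-in for the division-trail check of TodoIHM17)."""
    J = []
    for j in range(n):
        for key in product((0, 1), repeat=n):
            flipped = tuple(b ^ (1 if i == j else 0) for i, b in enumerate(key))
            if cube_sum(key, cube, iv_const) != cube_sum(flipped, cube, iv_const):
                J.append(j)
                break
    return J

def offline_phase(cube, iv_const, J, n=N_KEY):
    """Truth table of p_I over the bits in J: 2^|J| entries, 2^|I| evaluations each."""
    table = {}
    for jbits in product((0, 1), repeat=len(J)):
        key = [0] * n
        for j, b in zip(J, jbits):
            key[j] = b
        table[jbits] = cube_sum(key, cube, iv_const)
    return table

def online_phase(oracle, cube, iv_const, table):
    """2^|I| oracle queries give the superpoly value; keep the matching J-assignments."""
    observed = 0
    for bits in product((0, 1), repeat=len(cube)):
        iv = list(iv_const)
        for i, b in zip(cube, bits):
            iv[i] = b
        observed ^= oracle(iv)
    return {jbits for jbits, val in table.items() if val == observed}

def run_attack(secret_key, cube=(0, 2), iv_const=(0, 0, 0)):
    """Returns (J, truth table, candidate J-assignments) for the hidden key."""
    J = evaluation_phase(cube, iv_const)
    table = offline_phase(cube, iv_const, J)
    oracle = lambda iv: keystream_bit(secret_key, iv)   # attacker sees only z
    return J, table, online_phase(oracle, cube, iv_const, table)

if __name__ == "__main__":
    print(run_attack((1, 0, 1)))   # ([2], {(0,): 0, (1,): 1}, {(1,)})
```

For this toy instance the cube $\{v_0, v_2\}$ with $v_1 = 0$ has superpoly $p_I = x_2$, so $J = \{x_2\}$, the truth table has two entries, and the on-line phase pins down $x_2$ with four oracle queries. The same code also makes the slide's caveat visible: if a different `iv_const` made $p_I \equiv 0$, the truth table would be constant and the on-line phase would return every assignment, which is the "finding proper IVs" limitation discussed next.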

  18. Motivations / Limitations of TodoIHM17: Limitation 1: Finding Proper IVs May Require Multiple Trials in the 2nd Phase
      - Assumptions on the existence of IVs that guarantee $p_I(\vec{x}, \vec{IV}) \not\equiv 0$ are proposed.
      - When $|I| + |J|$ is small, practical experiments can be run to find a specific IV.
      - The validity of these assumptions is hard to prove, especially when $|I| + |J|$ is close to $n$.
