On Invariant Attacks Gregor Leander Ruhr University Bochum Germany - PowerPoint PPT Presentation

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream S-Box S-Box S-Box S-Box One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream S-Box S-Box S-Box S-Box S-Box One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream S-Box S-Box S-Box S-Box S-Box S-Box One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream S-Box S-Box S-Box S-Box S-Box S-Box S-Box One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream S-Box S-Box S-Box S-Box S-Box S-Box S-Box S-Box One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L L L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L L L L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L L L L L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream L L L L L L L L One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Robin and iScream c One square is a bit. Columns are stored in registers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Applications to Zorro, Robin and iScream Easy but Powerful Allows to detect some things 32 dim subspace for Robin . . . and for Zorro Improve Afterwards The tool detects a (minimal) invariant subspace. Careful analysis increases attack and understanding.

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks The Robin Sbox 00000000 → 00000000 10000000 → 10100001 01100100 → 01100100 11100100 → 11000101 00100001 → 00100001 10100001 → 10000000 01000101 → 01000101 11000101 → 11100100 S ( ∗ , a , b , 0 , 0 , a , 0 , a ⊕ b ) = ( ∗ , α, β, 0 , 0 , α, 0 , α ⊕ β )

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * 0 0 0 a 6 a 6 c 6 b 6 * 0 0 0 a 5 a 5 c 5 b 5 * 0 0 0 a 4 a 4 c 4 b 4 * 0 0 0 a 3 a 3 c 3 b 3 * 0 0 0 a 2 a 2 c 2 b 2 * 0 0 0 a 1 a 1 c 1 b 1 * 0 0 0 a 0 a 0 c 0 b 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * 0 S-Box 0 0 a 5 a 5 c 5 b 5 * S-Box 0 0 0 a 4 a 4 c 4 b 4 * 0 S-Box 0 0 a 3 a 3 c 3 b 3 * 0 S-Box 0 0 a 2 a 2 c 2 b 2 * S-Box 0 0 0 a 1 a 1 c 1 b 1 * 0 S-Box 0 0 a 0 a 0 c 0 b 0 * 0 S-Box 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * 0 S-Box 0 0 a 5 a 5 c 5 b 5 * 0 S-Box 0 0 a 4 a 4 c 4 b 4 * 0 S-Box 0 0 a 3 a 3 c 3 b 3 * 0 S-Box 0 0 a 2 a 2 c 2 b 2 * 0 S-Box 0 0 a 1 a 1 c 1 b 1 * 0 S-Box 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * 0 S-Box 0 0 a 5 a 5 c 5 b 5 * 0 S-Box 0 0 a 4 a 4 c 4 b 4 * 0 S-Box 0 0 a 3 a 3 c 3 b 3 * 0 S-Box 0 0 a 2 a 2 c 2 b 2 * 0 S-Box 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * S-Box 0 0 0 a 5 a 5 c 5 b 5 * S-Box 0 0 0 a 4 a 4 c 4 b 4 * S-Box 0 0 0 a 3 a 3 c 3 b 3 * S-Box 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * 0 S-Box 0 0 a 5 a 5 c 5 b 5 * S-Box 0 0 0 a 4 a 4 c 4 b 4 * S-Box 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * S-Box 0 0 0 a 5 a 5 c 5 b 5 * 0 S-Box 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 a 6 a 6 c 6 b 6 * 0 S-Box 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream a 7 a 7 c 7 b 7 * S-Box 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L L L L L L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L L L L L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L L L L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L L L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 L α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 c α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks A Problem of Robin and iScream α 7 α 7 γ 7 β 7 * 0 0 0 α 6 α 6 γ 6 β 6 * 0 0 0 α 5 α 5 γ 5 β 5 * 0 0 0 α 4 α 4 γ 4 β 4 * 0 0 0 α 3 α 3 γ 3 β 3 * 0 0 0 α 2 α 2 γ 2 β 2 * 0 0 0 α 1 α 1 γ 1 β 1 * 0 0 0 α 0 α 0 γ 0 β 0 * 0 0 0 c i = a i ⊕ b i γ i = α i ⊕ β i

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Generalization Question Can we generalize this attack? Possible directions: Not focus on subspaces only Statistical Variant Allow the subspace to change Non-trivial key-scheduling

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Generalization Question Can we generalize this attack? Possible directions: Not focus on subspaces only Statistical Variant Allow the subspace to change Non-trivial key-scheduling

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Outline Intro 1 Invariant Subspace Attack 2 Non-linear Invariant Attack 3 How to prevent those attacks 4

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Non-linear Invariant Attacks ASIACRYPT 2016 joint work with Yosuke Todo and Yu Sasaki (NTT) Developed not like the storyline suggests.

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Invariant Subspace Attacks F Key-add U+a U+a U+b next round

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Nonlinear Invariant Attack (I/II) F Key-add next round

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Invariant Subspace Attacks (II/II) F Key-add next round

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Basics Definition Given a permutation F : F n 2 → F n 2 . A Boolean function g : F n 2 → F 2 is called a non linear invariant for F if g ( F ( x )) = g ( x ) + c ∀ x where c ∈ F 2 is a constant. Link to the picture: Split F n 2 into two sets 1 := { x | g ( x ) = 1 } A B := { x | g ( x ) = 0 } F ( A ) = A and F ( B ) = B ( c = 0 ) 2 F ( A ) = B and F ( B ) = A ( c = 1 ) 3

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Applications Applications This leads to attacks on iSCREAM Midori64 SCREAM (v.3) Can be extended to a cipher-text only attack when used in certain modes (e.g. CBC, CTR) mode same message encrypted multiple times with very low complexity.

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks Results weak keys recovered bits data time 2 96 32 3 SCREAM (v.3) 1/4 33 CT 2 96 32 3 iSCREAM 1/4 33 CT 2 64 32 3 Midori64 1/2 33 CT More details in the paper. In particular The details An explanation why that attack works on those ciphers

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed Insider information II/III: How it was actually developed.

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed Insider information II/III: How it was actually developed. Yosuke Todo was visiting RUB

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed Insider information II/III: How it was actually developed. Yosuke Todo was visiting RUB Division Property A set X has division property D n k if x u = 0 � x ∈ X for all u ∈ F n 2 with wt( u ) < k . ⇔ For all f : F n 2 → F 2 with deg( f ) < k we have � f ( x ) = 0 x ∈ X

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed Research Question Can we overcome one Sbox without guessing the entire key? k D n 3 y x S

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed k D n 3 y x S z Find a function g : F n → F 2 2 z �→ g ( z ) g ( z ) does not depend non-linear on all bits of z . 1 Equals a quadratic function f in the inputs x 2 That is: g ( z ) = g ( S ( x )) = f ( x )

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed k D n 3 y x S z f ( x ) = g ( z ) Attack Outline Guess parts of the key Compute g ( z ) For correct key we get � � g ( z ) = f ( x ) = 0 z x ∈ X

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed k D n 3 y x S z Looking at many examples we found: Scream x 1 x 2 + x 0 + x 2 + x 5 = z 1 z 2 + z 0 + z 2 + z 5 + 1 That is f = g + 1.

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed k D n 3 y x S z Looking at many examples we found: Scream x 1 x 2 + x 0 + x 2 + x 5 = z 1 z 2 + z 0 + z 2 + z 5 + 1 That is f = g + 1. interesting...

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed k D n 3 y x S z Looking at many examples we found: Scream x 1 x 2 + x 0 + x 2 + x 5 = z 1 z 2 + z 0 + z 2 + z 5 + 1 That is f = g + 1. interesting... just a coincidence?

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks How it was actually developed k D n 3 y x S z Looking at many examples we found: Scream x 1 x 2 + x 0 + x 2 + x 5 = z 1 z 2 + z 0 + z 2 + z 5 + 1 That is f = g + 1. interesting... just a coincidence? can we do anything with that?