Out of Oddity New Cryptanalytic Techniques against Symmetric - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Out of Oddity – New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems

Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Gaëtan Leurent, Léo Perrin, María Naya Plasencia, Yu Sasaki, Yosuke Todo, Friedrich Wiemer. Crypto 2020 - August 2020

slide-2
SLIDE 2

Symmetric primitives optimized for a specific cost metric

  • FHE-friendly encryption: LowMC [Albrecht et al. 15], Flip [Méaux et al. 16], Kreyvium [Canteaut et al. 16], Rasta [Dobraunig et al. 18]...
  • MPC-friendly block ciphers: MiMC [Albrecht et al. 16] and its variants
  • Primitives dedicated to new integrity proof systems (STARKs, SNARKs, Bulletproof): hash functions specified as sequences of low-degree polynomials or low-degree rational maps over a finite field. Older examples: Cradic [Knudsen Nyberg 92], Misty [Matsui 97].

1

slide-3
SLIDE 3

SNARK-friendly and STARK-friendly primitives

Performance.

  • the size of the polynomial relations representing the execution trace over a large finite field should be minimized.
  • finite fields of odd characteristic, especially prime fields, are suitable.

Security.

  • algebraic attacks based on Gröbner basis [Albrecht et al. 19]...
  • all other cryptanalytic techniques.

2

slide-4
SLIDE 4

Focus on STARK-friendly primitives

StarkWare challenges: https://starkware.co/hash-challenge/

Keyed permutations.

  • GMiMC, i.e. GMiMC_erf over $\mathbb{F}_p$ [Albrecht et al. 19]
  • HadesMiMC permutation: Starkad ($\mathbb{F}_{2^m}$) and Poseidon ($\mathbb{F}_p$) [Grassi et al. 19]

Hash functions. Sponges using one of the previous functions as inner permutation.

3

slide-5
SLIDE 5

Sponge construction

Sponge construction with blocksize t and capacity c.

[Figure: sponge mode; the permutation π is applied after each absorbed block of message elements, $M_0, \ldots, M_7$ then $M_8, \ldots, M_{15}$, and the output is then squeezed.]

4

slide-6
SLIDE 6

Parameters

Security level | log2 q | q (prime)              | q (binary) | c | t  | Variant
128 bits       |  64    | 2^61 + 20 · 2^32 + 1   | 2^63       | 4 | 12 | 128-d
               | 128    | 2^125 + 266 · 2^64 + 1 | 2^125      | 2 |  4 | 128-a
               |        |                        |            | 2 | 12 | 128-c
               | 256    | 2^253 + 2^199 + 1      | 2^255      | 1 |  3 | 128-b
               |        |                        |            | 1 | 11 | 128-e
256 bits       | 128    | 2^125 + 266 · 2^64 + 1 | 2^125      | 4 |  8 | 256-a
               |        |                        |            | 4 | 14 | 256-b

5

slide-7
SLIDE 7

Keypoints

  • generalization of attacks to fields of any characteristic.
  • use of the specific algebraic structure to improve classical attacks.

6

slide-8
SLIDE 8

Outline

  • Integral attacks over fields of any characteristic
  • Integral distinguishers on the full GMiMC
  • Algebraically-controlled differential attacks on GMiMC

7

slide-9
SLIDE 9

Integral attacks over $\mathbb{F}_q$

When $q = 2^m$. For any $F : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ and any (affine) subspace $V \subset \mathbb{F}_2^m$ with $\deg(F) < |V| - 1$,

$$\sum_{x \in V} F(x) = 0.$$

Because, for $V = b + \langle a_1, \ldots, a_v \rangle$,

$$D_{a_1} D_{a_2} \cdots D_{a_v} F(b) = \sum_{x \in V} F(x).$$

Not valid in odd characteristic.

8


slide-11
SLIDE 11

But for any q

For any exponent $k$ with $0 \le k < q - 1$,

$$\sum_{x \in \mathbb{F}_q} x^k = 0.$$

General result. For any $F : \mathbb{F}_q \to \mathbb{F}_q$ with $\deg(F) < q - 1$,

$$\sum_{x \in \mathbb{F}_q} F(x) = 0.$$

10

slide-12
SLIDE 12

However, this only works when an input is saturated

For any $F : \mathbb{F}_q \to \mathbb{F}_q$ with $\deg(F) < q - 1$,

$$\sum_{x \in \mathbb{F}_q} F(x) = 0.$$

Less general than the property over $\mathbb{F}_{2^m}$: for any (affine) subspace $V \subset \mathbb{F}_2^m$ such that $\deg(F) < |V| - 1$,

$$\sum_{x \in V} F(x) = 0.$$

11

slide-13
SLIDE 13

Using multiplicative subgroups

Let $G$ be a multiplicative subgroup of $\mathbb{F}_q^\times$.

For any $F : \mathbb{F}_q \to \mathbb{F}_q$ such that $\deg(F) < |G|$,

$$\sum_{x \in G} F(x) = F(0) \cdot |G|.$$

12
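The Python below is an added example, not code from the talk or its authors. It checks the three identities of the preceding slides on a constructed toy field: the power sum over $\mathbb{F}_q$ vanishes for $0 \le k < q-1$ but not for $k = q-1$, a polynomial of degree below $q-1$ sums to 0 over $\mathbb{F}_q$, and a polynomial of degree below $|G|$ sums to $F(0)\cdot|G|$ over a multiplicative subgroup $G$ (with a degree-$|G|$ counterexample). It also checks that the subgroup orders the talk uses later for the StarkWare primes of the parameter table ($|G| = 2^{33} \cdot 167 \cdot 211$ for the 61-bit prime and $|G| = 2^{128}$ for the 253-bit prime) actually divide $q - 1$. The toy modulus $q = 101$, the subgroup order 25, the seeds and all function names are my own choices.

```python
"""Added example (not from the talk): the integral identities of slides 11-13 checked on a
toy prime field, plus the subgroup-order facts behind the |G| values used on slides 20-21.

Notation follows the slides: q is the field size, F a univariate polynomial over F_q,
G a multiplicative subgroup of F_q^x. The toy values (q = 101, order 25, seeds) are constructed.
"""
import random

def poly_eval(coeffs, x, q):
    """Horner evaluation of F(x) = sum coeffs[i] * x^i over F_q (coeffs low degree first)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def power_sum(k, q):
    """Slide 11: sum_{x in F_q} x^k, which is 0 for 0 <= k < q-1 and -1 (= q-1) for k = q-1."""
    return sum(pow(x, k, q) for x in range(q)) % q

def field_sum(coeffs, q):
    """Slides 11-12: sum_{x in F_q} F(x); vanishes whenever deg F < q-1."""
    return sum(poly_eval(coeffs, x, q) for x in range(q)) % q

def subgroup(q, order):
    """The unique multiplicative subgroup G of F_q^x with |G| = order (needs order | q-1):
    it is the image of x -> x^((q-1)/order)."""
    assert (q - 1) % order == 0
    e = (q - 1) // order
    G = sorted({pow(x, e, q) for x in range(1, q)})
    assert len(G) == order
    return G

def subgroup_sum(coeffs, q, order):
    """Slide 13: sum_{x in G} F(x), equal to F(0)*|G| whenever deg F < |G|."""
    return sum(poly_eval(coeffs, x, q) for x in subgroup(q, order)) % q

def subgroup_identity_holds(coeffs, q, order):
    return subgroup_sum(coeffs, q, order) == (coeffs[0] * order) % q

def random_poly(degree, q, seed):
    """Random polynomial of exactly the given degree (constructed test input, nonzero leading term)."""
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(degree)] + [rng.randrange(1, q)]

def monomial(k):
    """Coefficient list of x^k."""
    return [0] * k + [1]

# The subgroup orders quoted on slides 20-21 must divide q - 1 for the primes of slide 6.
Q61 = 2**61 + 20 * 2**32 + 1    # prime used at the 64-bit field-size level
Q253 = 2**253 + 2**199 + 1      # prime used at the 256-bit field-size level

def subgroup_order_divides(q, order):
    return (q - 1) % order == 0

if __name__ == "__main__":
    q = 101
    print(field_sum(random_poly(99, q, 1), q), field_sum(monomial(100), q))     # 0, 100 (= -1 mod q)
    print(subgroup_identity_holds(random_poly(24, q, 2), q, 25),
          subgroup_identity_holds(monomial(25), q, 25))                          # True, False
    print(subgroup_order_divides(Q61, 2**33 * 167 * 211),
          subgroup_order_divides(Q253, 2**128))                                  # True, True
```

The counterexample is the point to remember: over the subgroup of order 25, $x^{25}$ equals 1 everywhere, so the sum is $|G|$ rather than $F(0)\cdot|G| = 0$; the degree bound in the statement is tight.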

slide-14
SLIDE 14

Integral attacks on GMiMC

13

slide-15
SLIDE 15

GMiMC with 101 rounds

[Figure: the GMiMC Feistel network; each round adds a round constant $RC_i$ and applies the cube map $x \mapsto x^3$ ($RC_1, x^3$; $RC_2, x^3$; $RC_3, x^3$; ...).]

14

slide-16
SLIDE 16

A differential property on (2t − 2) rounds

[Figure: the (2t − 2) rounds are shown as (t − 2) rounds, then 2 rounds, then (t − 2) rounds. Labels: input state $(\alpha_1, \alpha_2, \ldots, \alpha_{t-2}, x, f(x))$ with $x \in \mathbb{F}_q$, $\deg f = 3$; intermediate values $x + \gamma_0$, $f(x) + \gamma_0$ beside constants $\gamma_1, \gamma_2, \ldots, \gamma_{t-2}$ (and $\gamma_{t-4}, \gamma_{t-3}, \gamma_{t-2}$); then $x'$, $g(x')$ with $x' \in \mathbb{F}_q$, $\deg g = 3$; output state $(g(x') + \delta_1, x' + \delta_1, \ldots, \delta_{t-2}, \delta_{t-1}, \delta_t)$.]

15

slide-17
SLIDE 17

A differential property on (2t − 2) rounds

[Figure: the same property summarised over all (2t − 2) rounds: input $(\alpha_1, \alpha_2, \ldots, \alpha_{t-2}, x, f(x))$ with $x \in \mathbb{F}_q$, $\deg f = 3$, maps to output $(g(x') + \delta_1, x' + \delta_1, \ldots, \delta_{t-2}, \delta_{t-1}, \delta_t)$ with $x' \in \mathbb{F}_q$, $\deg g = 3$.]

16

slide-18
SLIDE 18

Integral distinguisher on GMiMC

[Figure: (2t − 2) rounds, then $(\lfloor \log_3(q-2) \rfloor - 1)$ rounds, then (t − 1) rounds. The (2t − 2)-round block maps $(\alpha_1, \alpha_2, \ldots, \alpha_{t-2}, x, f(x))$, $x \in \mathbb{F}_q$, $\deg f = 3$, to $(g(x') + \delta_1, x' + \delta_1, \ldots, \delta_{t-2}, \delta_{t-1}, \delta_t)$, $x' \in \mathbb{F}_q$, $\deg g = 3$; the middle block outputs $(z_1, z_2, \ldots, z_{t-2}, z_{t-1}, z_t)$; the last block outputs $(v_1, v_2, \ldots, v_{t-2}, v_{t-1}, v_t)$.]

$$\deg_x z_i = 3^{r+1} < q - 1 \quad \text{for } r \le \lfloor \log_3(q-2) \rfloor - 1$$

$$\sum_{i=2}^{t} v_i - (t-2)\, v_1 \quad \text{is a linear combination of the } z_i.$$

17

slide-19
SLIDE 19

Integral distinguisher on GMiMC

With complexity q. After $3t - 4 + \lfloor \log_3(q - 2) \rfloor$ rounds,

$$\sum_{i=2}^{t} v_i - (t-2)\, v_1$$

is a polynomial of degree at most $(q - 2)$ in $x$. ⇒ It sums to 0 when $x$ varies in $\mathbb{F}_q$.

log2 q | t  | Full nb of rounds | Nb of rounds of the distinguisher
61     | 12 | 101               | 70
125    |  4 | 166               | 86
125    | 12 | 182               | 110
253    |  3 | 326               | –
253    | 11 | 342               | –

18

slide-20
SLIDE 20

Integral distinguisher on GMiMC using multiplicative subgroups

For $q = 2^{253} + 2^{199} + 1$. After $3t - 4 + \lfloor \log_3(|G| - 1) \rfloor$ rounds,

$$\sum_{i=2}^{t} v_i - (t-2)\, v_1$$

is a polynomial of degree at most $(|G| - 1)$ in $x$. ⇒ It sums to 0 when $x$ varies in $G$.

log2 q | t  | Full nb of rounds | Nb of rounds of the distinguisher
61     | 12 | 101               | 70
125    |  4 | 166               | 86
125    | 12 | 182               | 110
253    |  3 | 326               | 85 with |G| = 2^128
253    | 11 | 342               | 109 with |G| = 2^128

19

slide-21
SLIDE 21

Zero-sum distinguisher on GMiMC

With a multiplicative subgroup $G$. After $4t - 6 + 2\lfloor \log_3(|G| - 1) \rfloor$ rounds,

$$\sum_{i=1}^{t-1} u_i - (t-2)\, u_t \qquad \text{and} \qquad \sum_{i=2}^{t} v_i - (t-2)\, v_1$$

sum to 0 when $x$ varies in $G$.

log2 q | t  | Full nb of rounds | Nb of rounds of the ZS | |G|
61     | 12 | 101               | 118                    | q
61     | 12 | 101               | 102                    | 2^33 · 167 · 211 ≃ 2^48
125    |  4 | 166               | 166                    | q
125    | 12 | 182               | 198                    | q
253    |  3 | 326               | 166                    | 2^128
253    | 11 | 342               | 198                    | 2^128

20

slide-22
SLIDE 22

Algebraically-controlled differential attacks on GMiMC

21

slide-23
SLIDE 23

Algebraically-controlled differential attacks

Idea: use algebraic techniques to efficiently find hash function inputs that satisfy a differential characteristic (avoid expensive probabilistic cost)

Method: represent the conditions of differential transitions as (efficiently solvable) algebraic equations

Application to GMiMC:

  • exploit algebraic structure to penetrate deep into internal state
  • attack almost entirely algebraic — differential transitions too expensive to bypass probabilistically

Results:

  • basic method on 3t − 2 rounds of permutation
  • extend to more rounds and attack the hash function (e.g., practical 40-round collision on GMiMC-128-d)

22

slide-24
SLIDE 24

Application to GMiMC

Differential characteristic: $\Delta_0, \Delta_0'$ arbitrary non-zero differences.

$$(\Delta_0, \Delta_0', 0, \ldots, 0) \xrightarrow{R} (\Delta_0' + \Delta_1, \Delta_1, \ldots, \Delta_1, \Delta_0), \qquad \text{with } \Delta_0 \xrightarrow{S} \Delta_1$$

$$\xrightarrow{R} (\Delta_1 + \Delta_1', \ldots, \Delta_1 + \Delta_1', \Delta_0 + \Delta_1', \Delta_0' + \Delta_1), \qquad \text{with } \Delta_0' + \Delta_1 \xrightarrow{S} \Delta_1'$$

If $\Delta_1 + \Delta_1' = 0$, we get an iterative differential characteristic

$$(\Delta_0, \Delta_0', 0, \ldots, 0) \xrightarrow{R^t} (\Delta_0 - \Delta_1, \Delta_0' + \Delta_1, 0, \ldots, 0)$$

$\Delta_1 + \Delta_1' = 0$ occurs with probability ≈ 1/q.

Condition $\Delta_1 + \Delta_1' = 0$ is viewed as an equation on values.

23
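The Python below is an added example, not code from the talk or its authors, and it serves both the integral-distinguisher slides and the differential characteristic just above. It builds a toy GMiMC_erf-style permutation over $\mathbb{F}_{101}$ and checks two things on it: first, that when one branch runs over all of $\mathbb{F}_q$ every output coordinate sums to 0 for as long as the degree bound $3^r < q - 1$ holds (the saturated-input property of slide 11 combined with the per-round cubing; this plain setup does not use the structured $(\alpha, x, f(x))$ starting state of the talk, so it covers only $\lfloor \log_3(q-2) \rfloor$ rounds, not $3t - 4 + \lfloor \log_3(q-2) \rfloor$); second, that the two-round difference propagation of slide 24 holds for every pair, that the pairs with $\Delta_1 + \Delta_1' = 0$ are about a $1/q$ fraction, and that each such pair follows the iterative $t$-round characteristic. The round function is an assumption, since the slides do not define it: the expanding Feistel step $(x_1, \ldots, x_t) \mapsto (x_2 + S(x_1), \ldots, x_t + S(x_1), x_1)$ with $S(x) = (x + RC_i)^3$. The modulus $q = 101$, $t = 6$, the round constants and the constant branch values are constructed toy values.

```python
"""Added example, not code from the talk or its authors: a toy GMiMC_erf-style permutation
over F_101 used to check two claims of the slides on a small field:
 (1) the integral property that follows from degree growth by x^3 per round (slides 11, 18-19),
 (2) the two-round and the iterative differential characteristic of slide 24.

Assumption (the slides do not spell the round function out): the expanding Feistel step
   (x_1, ..., x_t) -> (x_2 + S(x_1), ..., x_t + S(x_1), x_1)   with   S(x) = (x + RC_i)^3.
q = 101, t = 6, the round constants RC_i and the branch constants REST are constructed.
"""

Q = 101
T = 6
RCS = [7, 23, 45, 60, 88, 91, 3, 19, 52, 77]   # constructed round constants
REST = (5, 9, 14, 33, 71)                      # constructed constants for the non-varying branches

def sbox(x, rc, q=Q):
    return pow((x + rc) % q, 3, q)

def gmimc_round(state, rc, q=Q):
    s = sbox(state[0], rc, q)
    return tuple((v + s) % q for v in state[1:]) + (state[0],)

def gmimc(state, rounds, q=Q):
    for i in range(rounds):
        state = gmimc_round(state, RCS[i % len(RCS)], q)
    return state

def diff(a, b, q=Q):
    return tuple((u - v) % q for u, v in zip(a, b))

def add_diff(state, delta, q=Q):
    return tuple((v + d) % q for v, d in zip(state, delta))

# (1) integral property: x runs over F_q in the first branch, the other t-1 branches are constant.
def integral_sums(rounds, rest, q=Q):
    """Coordinate-wise sum over x in F_q of the state after `rounds` rounds. Every coordinate is a
    polynomial of degree <= 3^rounds in x, so (slide 11) all sums vanish while 3^rounds < q - 1."""
    sums = [0] * (len(rest) + 1)
    for x in range(q):
        for i, v in enumerate(gmimc((x,) + tuple(rest), rounds, q)):
            sums[i] = (sums[i] + v) % q
    return sums

def max_integral_rounds(q=Q):
    """Largest r with 3^r <= q - 2, i.e. floor(log_3(q - 2)) as on slides 18-19."""
    r = 0
    while 3 ** (r + 1) <= q - 2:
        r += 1
    return r

def first_failing_round(rest, limit, q=Q):
    """Smallest round count <= limit at which some coordinate sum is nonzero (None if there is none)."""
    for r in range(1, limit + 1):
        if any(integral_sums(r, rest, q)):
            return r
    return None

# (2) the differential characteristic of slide 24 on the pair X and X + (d0, d0', 0, ..., 0).
def two_round_characteristic(x, xp, d0, d0p, rest, q=Q):
    """Returns (matches, d1, d1'), where d1 and d1' are the S-box output differences of rounds 1 and 2
    and `matches` says the observed state differences equal the slide's predictions."""
    t = len(rest) + 2
    X = (x, xp) + tuple(rest)
    Xp = add_diff(X, (d0, d0p) + (0,) * (t - 2), q)
    d1 = (sbox(Xp[0], RCS[0], q) - sbox(X[0], RCS[0], q)) % q
    X1, X1p = gmimc_round(X, RCS[0], q), gmimc_round(Xp, RCS[0], q)
    pred1 = ((d0p + d1) % q,) + (d1,) * (t - 2) + (d0,)                    # (d0'+d1, d1, ..., d1, d0)
    d1p = (sbox(X1p[0], RCS[1], q) - sbox(X1[0], RCS[1], q)) % q
    X2, X2p = gmimc_round(X1, RCS[1], q), gmimc_round(X1p, RCS[1], q)
    pred2 = ((d1 + d1p) % q,) * (t - 2) + ((d0 + d1p) % q, (d0p + d1) % q)  # (d1+d1', ..., d0+d1', d0'+d1)
    return diff(X1p, X1, q) == pred1 and diff(X2p, X2, q) == pred2, d1, d1p

def iterative_characteristic(d0, d0p, rest, q=Q):
    """Brute force over all q^2 pairs (x, x') (toy q only): count those with d1 + d1' = 0, which the
    slide says occur with probability about 1/q, and check that each follows the t-round characteristic
    (d0, d0', 0, ..., 0) -> (d0 - d1, d0' + d1, 0, ..., 0). Returns (number of such pairs, all_ok)."""
    t = len(rest) + 2
    hits, all_ok = 0, True
    for x in range(q):
        for xp in range(q):
            matches, d1, d1p = two_round_characteristic(x, xp, d0, d0p, rest, q)
            all_ok &= matches
            if (d1 + d1p) % q:
                continue
            hits += 1
            X = (x, xp) + tuple(rest)
            Xp = add_diff(X, (d0, d0p) + (0,) * (t - 2), q)
            expect = ((d0 - d1) % q, (d0p + d1) % q) + (0,) * (t - 2)
            all_ok &= diff(gmimc(Xp, t, q), gmimc(X, t, q), q) == expect
    return hits, all_ok

if __name__ == "__main__":
    r = max_integral_rounds()
    print(r, integral_sums(r, REST))                 # 4 and a list of zeros: 3^4 = 81 < q - 1
    print(first_failing_round(REST, 8))              # first round count (above 4) at which a sum is nonzero
    print(iterative_characteristic(1, 2, REST[:4]))  # (roughly q pairs, True)
```

The brute force over $q^2$ pairs is only possible because $q = 101$; on the talk's 61-bit and larger primes the same condition is exactly what the algebraically-controlled approach replaces by solving an equation on the values instead of sampling pairs.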




slide-28
SLIDE 28

Satisfying (3t − 2) rounds

Satisfying (2t − 2) rounds with special state values:

$$X_0 = (\alpha_1, \ldots, \alpha_{t-2}, x, f(x)) \xrightarrow{R^{2t-2}} X_{2t-2} = (g(x') + \delta_1, x' + \delta_1, \delta_3, \ldots, \delta_t)$$

$$Y_0 = (\alpha_1, \ldots, \alpha_{t-2}, y, f(y)) \xrightarrow{R^{2t-2}} Y_{2t-2} = (g(y') + \delta_1, y' + \delta_1, \delta_3, \ldots, \delta_t)$$

Therefore

$$X_{2t-2} - Y_{2t-2} = (g(x') - g(y'), x' - y', 0, \ldots, 0)$$

Adding t rounds with the differential characteristic

$$(\Delta_0, \Delta_0', 0, \ldots, 0) \xrightarrow{R^t} (\Delta_0 - \Delta_1, \Delta_0' + \Delta_1, 0, \ldots, 0)$$

The differential transition after (3t − 2) rounds is assured if $\Delta_2(x, y) + \Delta_2'(x, y) = 0$.

Degree of the equation?

27



slide-31
SLIDE 31

Satisfying (3t − 2) rounds

(Same derivation as above.) Degree of the equation:

$$\xrightarrow{R^{2t-2}} \deg g = 3, \qquad \xrightarrow{R} \deg = 3^2, \qquad \xrightarrow{R} \deg = 3^3 = 27$$

30

slide-32
SLIDE 32

Satisfying (3t − 2) rounds

(Same derivation as above.) Degree only $3^3 = 27$. Set $y = \text{const}$ and solve for $x$ (factor polynomial).

31

slide-33
SLIDE 33

Conclusions

Primitive            | Rounds | Type           | Result                 | Rounds | Cost
GMiMC (128 bits)     | 101    | permutation    | integral distinguisher | 70     | 2^61
                     |        |                | ZS distinguisher       | 102    | 2^48
                     |        |                | diff. distinguisher    | 66     | practical
                     |        | hash function  | collisions             | 40     | practical
                     |        |                | collisions             | 52     | 2^83
HadesMiMC (128 bits) | 8+40   | permutation    | ZS distinguisher       | 6+45   | 2^61
GMiMC (256 bits)     | 186    | permutation    | integral distinguisher | 116    | 2^125
                     |        |                | ZS distinguisher       | 206    | 2^125
HadesMiMC (256 bits) | 8+83   | permutation    | ZS distinguisher       | 6+87   | 2^125
                     |        | hash function* | preimages              | 8+any  | 2^160

Need for new tools for analyzing primitives over fields of odd characteristic.

32

slide-34
SLIDE 34

Special thanks to StarkWare Industries and to the Ethereum Foundation

33