Some Cryptanalytic Results on TRIAD
Abhishek Kesarwani, IIT Madras, India
INDOCRYPT 2019, 16 December 2019
(Joint work with Santanu Sarkar and Ayineedi Venkateswarlu)
Outline
◮ Introduction
◮ TRIAD adopts Trivium-like Structure
◮ Attacks on Trivium-like ciphers
◮ Our Contribution
◮ Conclusion
Introduction
◮ Call for Lightweight Cryptographic Algorithms
◮ Total 56 candidates selected for Round 1
◮ TRIAD [2] is one of them
TRIAD Family
TRIAD: TRIAD-AE, Triad-SC, Triad-MAC, TRIAD-HASH
◮ TRIAD-AE provides authenticated encryption with associated data
◮ TRIAD-HASH follows the extended sponge based construction
TRIAD adopts Trivium-like Structure

TRIAD-AE vs Trivium
                 TRIAD-AE       Trivium
State size       256 bits       288 bits
Key size         128 bits       80 bits
Nonce/IV size    96 bits        80 bits
Initialization   1024 rounds    1152 rounds
Type             AEAD*
* AEAD: Authenticated encryption with associated data
Attacks on Trivium-like ciphers
Cube Attack
◮ Introduced by Dinur and Shamir [3] in 2009
◮ Attempts to recover at least one bit of the secret key
◮ With complexity less than the brute-force attack
◮ Cube attacks are closely related to higher order differential attacks
◮ Cube attacks use algebraic rather than statistical techniques to find the secret key
Cube Tester
◮ Introduced by Aumasson et al. [1] in 2009
◮ Cube testers detect non-random behavior rather than performing key extraction
◮ A cube tester distinguishes a given cipher from a truly random scenario
◮ Cube testers are based on efficiently testable properties
  - Distinguisher (control over the public variables only)
  - Non-randomness (control over both the public and the private variables)
Structure of TRIAD-AE
$z_t = f(K, IV)$, where $f$ is a Boolean function
Cube and Superpoly
Example
◮ $f(k_1, k_2, k_3, n_1, n_2, n_3) = k_1 + k_1 k_2 n_1 + k_3 n_1 n_2 + n_1 n_2$
◮ Rewrite $f$ as
$$f(k_1, k_2, k_3, n_1, n_2, n_3) = \underbrace{(k_3 + 1)}_{\text{superpoly}} \cdot \underbrace{n_1 n_2}_{\text{term}} + (k_1 + k_1 k_2 n_1)$$
◮ The variables $\{n_1, n_2\}$ involved in the term are referred to as cube variables
◮ Observe
$$\sum_{(n_1, n_2) \in \mathbb{F}_2^2} f(\cdot) = k_3 + 1 = \text{superpoly}$$
Algebraic Degree
◮ The number of variables in the highest order monomial with non-zero coefficient
  - Ex. The algebraic degree of f w.r.t. the IV as variables is 2
◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks
Question: Can we carry out this algebraic degree calculation exactly?
Answer: It is a hard problem, since after a sufficient number of rounds a well-designed stream cipher has a complicated expression.
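The cube/superpoly example and the degree notion above, carried out in code; this is an added example and is not part of the slides. It represents f in ANF as a set of monomials, sums it symbolically over the cube {n1, n2} (giving the superpoly k3 + 1), checks that result against black-box summation for every key, and computes the algebraic degree of f with respect to the IV variables. All function names are this example's own.

```python
from itertools import product

# ANF over GF(2): a polynomial is a set of monomials, a monomial a frozenset of
# variable names (frozenset() is the constant 1). XOR is symmetric difference.
def M(*names):
    return frozenset(names)

# The slide's f = k1 + k1*k2*n1 + k3*n1*n2 + n1*n2
F = {M("k1"), M("k1", "k2", "n1"), M("k3", "n1", "n2"), M("n1", "n2")}
KEY_VARS = {"k1", "k2", "k3"}
IV_VARS = {"n1", "n2", "n3"}

def superpoly(poly, cube):
    """Symbolic cube sum over all 2^|C| assignments of the cube variables:
    monomials missing a cube variable cancel, the rest lose the cube term."""
    cube = frozenset(cube)
    out = set()
    for m in poly:
        if cube <= m:
            out ^= {m - cube}          # x + x = 0 in GF(2)
    return out

def degree(poly, variables):
    """Algebraic degree of `poly` with respect to `variables` only."""
    return max((len(m & variables) for m in poly), default=0)

def evaluate(poly, assignment):
    """Evaluate an ANF on a {variable: bit} assignment."""
    return sum(all(assignment[v] for v in m) for m in poly) % 2

def cube_sum_anf(poly, cube, fixed):
    """Black-box cube sum: XOR f over every setting of the cube variables,
    all other variables held at the values in `fixed`."""
    cube = sorted(cube)
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        total ^= evaluate(poly, {**fixed, **dict(zip(cube, bits))})
    return total

def demo():
    """Superpoly of the slide's cube {n1, n2}, plus deg(f) in IV and in key."""
    sp = superpoly(F, {"n1", "n2"})                # k3 + 1
    for k in product((0, 1), repeat=3):            # check against black-box sums
        fixed = dict(zip(("k1", "k2", "k3"), k), n3=0)
        assert cube_sum_anf(F, {"n1", "n2"}, fixed) == evaluate(sp, fixed)
    return sp, degree(F, IV_VARS), degree(F, KEY_VARS)

if __name__ == "__main__":
    print(demo())
```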
Our Contribution
◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE
◮ We provide a method to search for good cubes
◮ We observe some cubes in the reduced version of the cipher
Approximation of Algebraic Degree of TRIAD-AE
Let $A_t$, $B_t$ and $C_t$ be the corresponding states of NFSRs¹ A, B and C (of length $n_A$, $n_B$ and $n_C$ respectively) at clock $t$, given by
$$A_t = (a_t, a_{t-1}, \ldots, a_{t-n_A+1}),\quad B_t = (b_t, b_{t-1}, \ldots, b_{t-n_B+1}),\quad C_t = (c_t, c_{t-1}, \ldots, c_{t-n_C+1}).$$
The corresponding feedback functions are given by
$$\begin{aligned}
a_t &= c_{t-i_1} \cdot c_{t-i_2} \oplus l_A(s^{(t-1)}),\\
b_t &= a_{t-j_1} \cdot a_{t-j_2} \oplus b_{t-j_3} \cdot c_{t-j_3} \oplus l_B(s^{(t-1)}),\\
c_t &= b_{t-k_1} \cdot b_{t-k_2} \oplus l_C(s^{(t-1)}),
\end{aligned}$$
where $1 \le j_1 < j_2 < n_A$ and $j_2 < j_3 < n_B = n_C$.
¹ Non-linear feedback shift registers
Algorithm 1
◮ To estimate the degree of $b_t$, calculate the degrees of the quadratic and the linear part separately and take their maximum
◮ Handle 4 different cases for clock t
  - (t − j1) ≤ 0
  - 1 + j1 ≤ t ≤ j2
  - 1 + j2 ≤ t ≤ j3
  - (t − j3) ≥ 1
◮ In each case, if the state variables are the initial variables then simply calculate their degree
◮ Otherwise, use the recurrence relation to get an expression for the state variable in terms of the previous round and then estimate its degree
◮ In approximating the algebraic degree, we follow the approach of Liu [4]
Discovering the Good Cubes
◮ The backbone of a cube tester is to obtain a set of public variables (as small as possible), i.e., a cube
◮ Then experimentally check for the presence of a bias for this set, if any, at some round over a certain number of iterations
◮ Existing work: GreedyBitSet [5]
  - Limitation: Not useful in finding a bigger size cube
Our Idea
◮ We combined a greedy approach with the degree evaluation to find good cubes
◮ Calculate an upper bound of the degree of the keystream bit over the cube variables C, i.e., deg(z_p, C) at round p
◮ Calculate the last round LR at which the superpoly of C is zero
◮ We look for a cube whose approximate degree of the keystream bit is strictly less than the size of the cube
◮ Hence the superpoly corresponding to this cube will be zero
Algorithm 2
◮ Start with an empty cube set and keep adding only one nonce bit at a time
◮ Repeat till you get a cube of the desired size
◮ Select as the next cube variable the nonce bit whose
  1: deg(z_p, C) is minimum
  2: if there is a tie in 1, then choose the bit whose LR is maximum
◮ If there is again a clash in LR, then choose the first variable by fixing some ordering for the variables
◮ Repeat this by varying p from 1 to R and generate many such cube sets
◮ Select the one which gives superpoly zero for the maximum number of rounds
Results
Table: Some good cubes of different size for TRIAD-AE
Columns: cube size | exact distinguisher round | (round, zero-sum bias) | # keys | confidence level | cube variable indices

10 | 501 | (501, 0.00) | 10000 | ≈ 100% | 2, 3, 4, 5, 6, 7, 10, 88, 89, 93
20 | 519 | (520, 0.464) | 6400 | ≈ 97.9% | 2, 3, 6, 7, 8, 9, 21, 22, 23, 24, 27, 28, 32, 47, 51, 75, 83, 89, 92, 94
30 | 533 | (534, 0.213) | 1856 | ≈ 99.7% | 2, 6, 7, 8, 12, 13, 17, 18, 22, 23, 24, 25, 26, 31, 36, 37, 49, 54, 55, 60, 61, 72, 73, 74, 78, 79, 84, 90, 91, 92
32 | 540 | (546, 0.473) | 4800 | ≈ 90.1% | 1, 5, 6, 9, 10, 11, 15, 19, 22, 23, 24, 28, 29, 30, 34, 35, 39, 43, 47, 48, 53, 54, 58, 66, 67, 71, 72, 77, 81, 90, 91, 95
34 | 540 | (550, 0.423) | 896 | ≈ 94.8% | 1, 4, 5, 6, 9, 10, 11, 15, 19, 22, 23, 24, 28, 29, 30, 34, 39, 43, 47, 48, 53, 57, 58, 63, 66, 67, 71, 72, 76, 77, 81, 90, 91, 95
36 | 536 | (542, 0.333) | 1074 | ≈ 100% | 0, 2, 3, 4, 7, 8, 9, 10, 17, 19, 20, 21, 24, 25, 28, 29, 33, 44, 48, 52, 59, 61, 62, 63, 67, 71, 75, 76, 79, 86, 87, 90, 91, 93, 94, 95

In fact, for a 90% confidence level one requires 6.6/pq² random samples to distinguish A and B.
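The cube tester behind the "(round, zero-sum bias)" column, as an added example that is not part of the slides or of the TRIAD submission. The slides do not give TRIAD-AE's tap positions, so the black box here is Trivium (the structure TRIAD follows), implemented from the eSTREAM specification; the 100-round setting, the cubes and the key count are constructed for illustration.

```python
import random

def trivium_first_bit(key, iv, rounds):
    """Clock Trivium `rounds` times (the spec uses 1152) and return the first
    keystream bit. key and iv are lists of 80 bits; the state is 1-indexed."""
    s = [0] * 289
    s[1:81] = key
    s[94:174] = iv
    s[286] = s[287] = s[288] = 1
    for _ in range(rounds):
        t1 = s[66] ^ s[93] ^ (s[91] & s[92]) ^ s[171]
        t2 = s[162] ^ s[177] ^ (s[175] & s[176]) ^ s[264]
        t3 = s[243] ^ s[288] ^ (s[286] & s[287]) ^ s[69]
        s[1:94] = [t3] + s[1:93]
        s[94:178] = [t1] + s[94:177]
        s[178:289] = [t2] + s[178:288]
    return s[66] ^ s[93] ^ s[162] ^ s[177] ^ s[243] ^ s[288]

def cube_sum(key, cube, rounds):
    """XOR the first keystream bit over all 2^|cube| values of the cube IV
    bits (0-indexed positions); the remaining IV bits stay 0."""
    total = 0
    for x in range(1 << len(cube)):
        iv = [0] * 80
        for i, pos in enumerate(cube):
            iv[pos] = (x >> i) & 1
        total ^= trivium_first_bit(key, iv, rounds)
    return total

def zero_sum_bias(cube, rounds, n_keys, seed=1):
    """Cube tester: P[cube sum = 0] over random keys, minus 1/2. A random
    function gives about 0; +1/2 means the superpoly is identically 0 and
    -1/2 that it is identically 1; either distinguishes the reduced cipher."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(n_keys):
        key = [rng.getrandbits(1) for _ in range(80)]
        zeros += cube_sum(key, cube, rounds) == 0
    return zeros / n_keys - 0.5

if __name__ == "__main__":
    # Constructed check at 100 initialization rounds: the first keystream bit
    # has IV degree 2 there, so a 3-variable cube always sums to 0, and the
    # only quadratic IV term is IV48*IV49, so cube {47, 48} always sums to 1.
    print(zero_sum_bias([46, 47, 48], 100, 32))   # 0.5
    print(zero_sum_bias([47, 48], 100, 32))       # -0.5
```

Raising `rounds` and watching the bias for a fixed cube fall towards 0 is the empirical counterpart of the degree bound used to justify an initialization round count.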
Conclusion
◮ We obtained several cubes which distinguish TRIAD-AE up to 550 initialization rounds
◮ Note that cube testers are useful not only in distinguishing attacks but also in key recovery attacks
◮ One can use this idea of finding cubes for stream ciphers relying on NFSRs
References
[1] J. Aumasson, I. Dinur, W. Meier, and A. Shamir. Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In Fast Software Encryption, volume 5665 of LNCS, pages 1–22. Springer, 2009.
[2] S. Banik, T. Isobe, W. Meier, Y. Todo, and B. Zhang. TRIAD v1 - A lightweight AEAD and hash function based on stream cipher, 2018.
[3] I. Dinur and A. Shamir. Cube attacks on tweakable black box polynomials. In EUROCRYPT, volume 5479 of LNCS, pages 278–299. Springer, 2009.
[4] M. Liu. Degree evaluation of NFSR-based cryptosystems. In CRYPTO, volume 10403 of LNCS, pages 227–249. Springer, 2017.
[5] P. Stankovski. Greedy distinguishers and nonrandomness detectors. In INDOCRYPT, volume 6498 of LNCS, pages 210–226. Springer, 2010.