 
Bounds on the algebraic degree of iterated constructions

Christina Boura
DTU Compute
June 10, 2013

Sections: Some first bounds on the degree · A bound on the degree of SPN constructions · Influence of the inverse permutation

1 / 43
Algebraic degree of a vectorial function $F:\mathbb{F}_2^n\to\mathbb{F}_2^n$

Example (ANF of a permutation $F$ of $\mathbb{F}_2^4$): $(y_0,y_1,y_2,y_3)=F(x_0,x_1,x_2,x_3)$ with
$$y_0 = x_0x_2 + x_1 + x_2 + x_3$$
$$y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_2$$
$$y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$$
$$y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_2 + 1.$$

The algebraic degree of $F$ is 3: the largest degree of a monomial appearing in the ANF of one of its coordinates.
Iterated permutations

Most symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times. It is therefore important to estimate the algebraic degree of such iterated permutations.

Functions with a low degree are vulnerable to:
• Algebraic attacks
• Higher-order differential attacks and distinguishers
• Cube attacks
Higher-order derivatives

Let $F:\mathbb{F}_2^n\to\mathbb{F}_2^m$. The derivative of $F$ at $a\in\mathbb{F}_2^n$ is
$$D_aF(x) = F(x)\oplus F(x+a).$$

Definition. For any $k$-dimensional subspace $V$ of $\mathbb{F}_2^n$, the $k$-th order derivative of $F$ with respect to $V$ is the function defined by
$$D_VF(x) = D_{a_1}\cdots D_{a_k}F(x) = \bigoplus_{v\in V}F(x+v),\quad\text{for every } x\in\mathbb{F}_2^n,$$
where $(a_1,\ldots,a_k)$ is a basis of $V$.

Example: $V=\langle a,b\rangle$ ($k=2$):
$$D_VF(x) = D_aD_bF(x) = D_a\big(F(x)\oplus F(x+b)\big) = F(x)\oplus F(x+a)\oplus F(x+b)\oplus F(x+a+b).$$
Higher-order differential cryptanalysis

Introduced by Knudsen in 1994. Based on the following properties. Let $F:\mathbb{F}_2^n\to\mathbb{F}_2^m$ be of degree $d$.

Proposition. For every $a\in\mathbb{F}_2^n$ we have $\deg D_aF\le d-1$.

Proposition [Lai 94]. For every $V\subset\mathbb{F}_2^n$ with $\dim V>d$, $D_VF(x)=0$ for every $x\in\mathbb{F}_2^n$.
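The degree computation of slide 2 and the two propositions above, as an added worked example in Python (not part of the slides): the 4-bit function $F$ of slide 2 is entered through its ANF, its algebraic degree is recovered from the truth table by the Möbius transform, and both $\deg D_aF\le d-1$ and $D_VF=0$ for $\dim V>d$ are verified exhaustively. The bit encoding (bit $i$ of an integer is $x_i$, resp. $y_i$) and all function names are this example's own choices.

```python
"""Algebraic degree and higher-order derivatives of a small vectorial Boolean function.

Added example (not from the slides). Integers encode vectors of F_2^n: bit i is x_i.
"""


def slide_F(x: int) -> int:
    """The function F of slide 2, evaluated from its ANF; bit i of x is x_i, bit i of the result is y_i."""
    x0, x1, x2, x3 = ((x >> i) & 1 for i in range(4))
    y0 = (x0 & x2) ^ x1 ^ x2 ^ x3
    y1 = (x0 & x1 & x2) ^ (x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x0 & x3) ^ (x2 & x3) ^ x0 ^ x2
    y2 = (x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x1 & x3) ^ (x2 & x3) ^ x0 ^ x1 ^ x3
    y3 = (x0 & x1 & x2) ^ (x1 & x3) ^ x0 ^ x1 ^ x2 ^ 1
    return y0 | (y1 << 1) | (y2 << 2) | (y3 << 3)


def moebius(truth_table):
    """ANF coefficients of a Boolean function from its truth table (both indexed by n-bit masks).

    In-place butterfly over the n bits; at the end a[u] is the coefficient of prod_{i in u} x_i.
    """
    a = list(truth_table)
    n = len(a).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for u in range(len(a)):
            if u & bit:
                a[u] ^= a[u ^ bit]
    return a


def algebraic_degree(F, n: int, m: int) -> int:
    """deg F = max over the m coordinates of the largest weight of a monomial with coefficient 1."""
    deg = 0
    for i in range(m):
        coeffs = moebius([(F(x) >> i) & 1 for x in range(1 << n)])
        for u, c in enumerate(coeffs):
            if c:
                deg = max(deg, bin(u).count("1"))
    return deg


def span(basis):
    """All vectors of the subspace V spanned by a linearly independent basis (as integers)."""
    vectors = [0]
    for b in basis:
        vectors += [v ^ b for v in vectors]
    return vectors


def derivative(F, a):
    """First-order derivative D_a F(x) = F(x) + F(x + a), returned as a function."""
    return lambda x: F(x) ^ F(x ^ a)


def higher_order_derivative(F, basis, x):
    """D_V F(x) = XOR_{v in V} F(x + v) with V = span(basis) (definition of slide 4)."""
    s = 0
    for v in span(basis):
        s ^= F(x ^ v)
    return s


def max_first_derivative_degree(F, n, m):
    """max_{a != 0} deg(D_a F); the first proposition of slide 5 says this is at most deg F - 1."""
    return max(algebraic_degree(derivative(F, a), n, m) for a in range(1, 1 << n))


def derivative_vanishes(F, basis, n):
    """True iff D_V F is identically zero on F_2^n; Lai's proposition predicts this when dim V > deg F."""
    return all(higher_order_derivative(F, basis, x) == 0 for x in range(1 << n))


if __name__ == "__main__":
    print("deg F =", algebraic_degree(slide_F, 4, 4))                       # 3
    print("max deg D_a F =", max_first_derivative_degree(slide_F, 4, 4))     # 2
    # dim V = 4 > 3: every 4th-order derivative vanishes
    print("D_V F == 0 for V = F_2^4:", derivative_vanishes(slide_F, [1, 2, 4, 8], 4))
    # dim V = 3 = deg F: not guaranteed; here D_V F is the nonzero constant 0b1010 = 10
    print("D_V F(x) for V = <e0,e1,e2>:", {higher_order_derivative(slide_F, [1, 2, 4], x) for x in range(16)})
```

The third-order derivative with respect to $\langle e_0,e_1,e_2\rangle$ is constant because it picks out exactly the monomials containing $x_0x_1x_2$, which occur in $y_1$ and $y_3$; once the dimension exceeds the degree there is no such monomial left and the derivative is zero everywhere.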
The KN cipher [Knudsen, Nyberg 95]

[Figure: one round of the Feistel cipher. The branch $y_{i-1}$ goes through $E$, is XORed with the subkey $k_i$, then through $S$ and $T$; the result is added to the other branch $x_{i-1}$, giving $(x_i,y_i)$.]

6-round Feistel cipher:
• $E:\mathbb{F}_2^{32}\to\mathbb{F}_2^{33}$ linear
• $T:\mathbb{F}_2^{33}\to\mathbb{F}_2^{32}$ linear
• $k_i$: 33-bit subkey
• $S:x\mapsto x^3$ over $\mathbb{F}_2^{33}$

Algebraic degree of $S$: 2.
Higher-order differential attack on KN [Jakobsen, Knudsen 97]

Fix the right half of the plaintext, $(x_0,y_0)=(x,c)$, and follow the branch $y_i$ as a function of $x$, writing $c':=F_{k_1}(c)$:
$$y_0(x) = c,$$
$$y_1(x) = x + F_{k_1}(c) := x + c',$$
$$y_2(x) = F_{k_2}(x+c') + c,$$
$$y_3(x) = F_{k_3}\big(F_{k_2}(x+c')+c\big) + x + c',$$
$$y_4(x) = F_{k_4}\Big(F_{k_3}\big(F_{k_2}(x+c')+c\big)+x+c'\Big) + F_{k_2}(x+c') + c.$$

Since each $F_{k_i}$ has degree 2, the degree of $y_i$ in $x$ grows as $d=1,2,4,8$ for $i=1,\ldots,4$. With $G=F_{k_4}\circ F_{k_3}\circ F_{k_2}$ we have $\deg(G)\le2^3$, hence $\deg y_4\le8$.
If $V\subset\mathbb{F}_2^{32}$ with $\dim(V)=9$, then
$$D_Vy_4(x)=0\quad\text{for all } x\in\mathbb{F}_2^{32}.$$
By definition:
$$\bigoplus_{v\in V}y_4(v+w)=0\quad\text{for all } w\in\mathbb{F}_2^{32}.\qquad(1)$$
We can see that
$$x_6(x)=F_{k_6}\big(y_6(x)\big)+y_4(x),$$
and by inverting the terms:
$$y_4(x)=x_6(x)+F_{k_6}\big(y_6(x)\big).\qquad(2)$$
Key recovery

By combining equations (1) and (2), we obtain the attack equation:
$$\bigoplus_{v\in V}F_{k_6}\big(y_6(v+w)\big)+\bigoplus_{v\in V}x_6(v+w)=0.$$
The right subkey $k_6$ is the one for which the equation is verified (a wrong subkey satisfies it only by chance, so in practice it is checked on more than one structure of plaintexts).

Complexity of the attack:
• Data complexity: $2^9$ plaintexts.
• Time complexity: $2^{33+8}$.

Distinguisher for 4 and 5 rounds with data complexity $2^5$ and $2^9$ respectively.
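A scaled-down, runnable version of the attack of slides 6 to 9, added here as an example; it is not taken from the slides or from the Jakobsen–Knudsen paper. The branch size is 10 bits instead of 32 and the subkeys are 11 bits instead of 33; $E$ (append the parity bit), $T$ (drop the top bit), the field $\mathbb{F}_{2^{11}}$ defined by $x^{11}+x^2+1$, the constants $c$ and the six subkeys are this example's own choices. The degree argument is unchanged: $\deg F_k\le2$, so $\deg y_4\le8$ and a 9-dimensional $V$ makes $D_Vy_4$ vanish, which is what singles out $k_6$.

```python
"""Toy version of the Jakobsen-Knudsen higher-order differential attack on the KN cipher.

Added example (not from the slides). Everything is scaled down so that it runs in seconds:
branches of N = 10 bits instead of 32, subkeys of M = 11 bits instead of 33, S(x) = x^3 in
GF(2^11) instead of GF(2^33). E and T are arbitrary F_2-linear maps of the right shapes and
the subkeys are constructed test values. The attack is the one of slides 7-9: deg(y_4) <= 8,
so the 9th-order derivative of y_4 vanishes, and k_6 is the subkey for which
XOR_v F_{k_6}(y_6(v+w)) + XOR_v x_6(v+w) = 0.
"""

N = 10          # branch size in bits (KN: 32)
M = N + 1       # expanded branch / subkey size (KN: 33)
POLY = 0x805    # x^11 + x^2 + 1, irreducible over F_2: reduction polynomial of GF(2^11) (toy choice)


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication in GF(2^M) with reduction modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r


# S: x -> x^3 over GF(2^M); squaring is F_2-linear, so S has algebraic degree 2. Tabulated once.
CUBE = [gf_mul(x, gf_mul(x, x)) for x in range(1 << M)]


def E(x: int) -> int:
    """Linear expansion F_2^N -> F_2^M: x followed by its parity bit (any F_2-linear injection works)."""
    return (x << 1) | (bin(x).count("1") & 1)


def T(x: int) -> int:
    """Linear truncation F_2^M -> F_2^N: drop the top bit."""
    return x & ((1 << N) - 1)


def round_function(k: int, x: int) -> int:
    """F_k(x) = T(S(E(x) + k)), of algebraic degree 2 in x."""
    return T(CUBE[E(x) ^ k])


def kn_encrypt(keys, x: int, c: int):
    """Six Feistel rounds with x_i = y_{i-1}, y_i = x_{i-1} + F_{k_i}(y_{i-1}).

    The final swap is omitted, so the returned (x_6, y_6) satisfies x_6 = F_{k_6}(y_6) + y_4 as on slide 8.
    """
    left, right = x, c  # (x_0, y_0)
    for k in keys:
        left, right = right, left ^ round_function(k, right)
    return right, left


def recover_last_subkey(keys, constants=(0x2A7, 0x13C, 0x0F1, 0x3D5, 0x066, 0x1B8), dim=9):
    """Return the k_6 candidates surviving the attack equation on one structure per constant c.

    Each structure is the 2^dim plaintexts (v, c), v in V = <e_0, ..., e_{dim-1}> (i.e. w = 0).
    A wrong subkey can pass the 10-bit check by chance, so structures are intersected until
    a single candidate is left.
    """
    V = range(1 << dim)
    candidates = list(range(1 << M))
    for c in constants:
        cts = [kn_encrypt(keys, v, c) for v in V]
        x6_sum = 0
        for x6, _ in cts:
            x6_sum ^= x6
        expanded = [E(y6) for _, y6 in cts]   # T is linear, so it is applied once, after the XOR
        survivors = []
        for k in candidates:
            s = 0
            for e in expanded:
                s ^= CUBE[e ^ k]
            if T(s) ^ x6_sum == 0:             # attack equation of slide 9
                survivors.append(k)
        candidates = survivors
        if len(candidates) <= 1:
            break
    return candidates


if __name__ == "__main__":
    subkeys = [0x1A3, 0x4F0, 0x2C9, 0x71E, 0x0B5, 0x3D2]   # constructed 11-bit subkeys
    found = recover_last_subkey(subkeys)
    print("k_6 candidates:", [hex(k) for k in found], "true k_6:", hex(subkeys[5]))
```

One structure is usually not enough here: because $S$ is quadratic, $(u+\delta)^3=u^3+\delta u^2+\delta^2u+\delta^3$, so for a wrong guess $k_6\oplus\delta$ the left-hand side of the attack equation collapses to $T(\delta U^2+\delta^2U)$ with $U=E\big(\bigoplus_v y_6(v)\big)$, which is linear in $\delta$ and vanishes for $\delta=U$ as well as for $\delta=0$. Changing $c$ changes $U$, and a few structures leave only the true subkey.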
SHA-3 [Bertoni, Daemen, Peeters, Van Assche 08]

[Figure: the sponge construction.]

Keccak-$f$ permutation:
• 1600-bit state, seen as a 3-dimensional $5\times5\times64$ matrix
• 24 rounds $R$
• Nonlinear layer: 320 parallel applications of a $5\times5$ S-box $\chi$
• $\deg\chi=2$, $\deg\chi^{-1}=3$
Outline

Some first bounds on the degree
A bound on the degree of SPN constructions
Influence of the inverse permutation
Some first bounds on the degree
A trivial bound

Proposition: Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ and $G$ a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then
$$\deg(G\circ F)\le\deg(G)\deg(F).$$

Example: the round function $R$ of AES is of degree 7. Then $\deg(R^2)=\deg(R\circ R)\le7^2=49$.
A bound based on the Walsh spectrum [Canteaut, Videau 02]

Definition (Walsh spectrum of $F:\mathbb{F}_2^n\to\mathbb{F}_2^n$):
$$\Big\{\mathcal{F}(\varphi_b\circ F+\varphi_a)=\sum_{x\in\mathbb{F}_2^n}(-1)^{b\cdot F(x)+a\cdot x},\ a,b\in\mathbb{F}_2^n,\ b\neq0\Big\}.$$

Theorem: If all the values in the Walsh spectrum of $F$ are divisible by $2^\ell$, then for every $G:\mathbb{F}_2^n\to\mathbb{F}_2^n$,
$$\deg(G\circ F)\le n-\ell+\deg(G).$$
Application to SHA-3

It can be computed that:
• The Walsh spectra of $\chi$ and $\chi^{-1}$ are divisible by $2^3$.
• As there are 320 parallel applications of $\chi$ in a round, the Walsh spectra of $R$ and $R^{-1}$ are divisible by $2^{3\cdot320}=2^{960}$.

Bound for the degree of $R^{-7}$ (using $\deg(R^{-6})\le3^6=729$ from the trivial bound):
$$\deg(R^{-7})=\deg(R^{-6}\circ R^{-1})\le1600-960+\deg(R^{-6})\le1369.$$
For comparison, the trivial bound alone gives $\deg(R^{-7})\le\min(1599,\,3^7=2187)=1599$.
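The divisibility claims and the bound computation above, as an added Python example (not from the slides): $\chi$ is implemented from its public definition $b_i=a_i\oplus(\lnot a_{i+1}\land a_{i+2})$ on a 5-bit row, the Walsh spectra of $\chi$ and $\chi^{-1}$ are computed exhaustively and their divisibility measured, and the Canteaut–Videau bound is iterated together with the trivial bound of slide 13 to reproduce $\deg(R^{-7})\le1369$. The function names and the row bit encoding (bit $i$ is lane $i$) are this example's own.

```python
"""Walsh spectrum divisibility of the Keccak S-box chi and the resulting degree bounds.

Added example (not from the slides). chi follows its public definition on a 5-bit row;
the rest (names, encoding, helper structure) is this example's own.
"""
from functools import reduce

ROW = 5  # chi acts on rows of 5 bits; bit i of an integer is lane i


def chi(a: int) -> int:
    """Keccak chi on one 5-bit row: b_i = a_i XOR (NOT a_{i+1} AND a_{i+2}); algebraic degree 2."""
    b = 0
    for i in range(ROW):
        ai = (a >> i) & 1
        ai1 = (a >> ((i + 1) % ROW)) & 1
        ai2 = (a >> ((i + 2) % ROW)) & 1
        b |= (ai ^ ((ai1 ^ 1) & ai2)) << i
    return b


CHI_INV = {chi(a): a for a in range(1 << ROW)}   # chi is a permutation of F_2^5, so this is its inverse table


def chi_inv(b: int) -> int:
    return CHI_INV[b]


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def walsh_spectrum(F, n: int):
    """{ sum_x (-1)^{b.F(x) + a.x} : a, b in F_2^n, b != 0 }, as a list (definition of slide 14)."""
    values = []
    for b in range(1, 1 << n):
        for a in range(1 << n):
            values.append(sum((-1) ** (parity(b & F(x)) ^ parity(a & x)) for x in range(1 << n)))
    return values


def divisibility(F, n: int) -> int:
    """Largest l such that every Walsh coefficient of F is divisible by 2^l."""
    spec = walsh_spectrum(F, n)
    l = 0
    while l <= n and all(w % (1 << (l + 1)) == 0 for w in spec):
        l += 1
    return l


def algebraic_degree(F, n: int) -> int:
    """deg F: the coefficient of monomial u in the ANF of F is the XOR of F over {x : x subset of u}
    (taken componentwise on the output), and deg F is the largest weight of u with a nonzero coefficient."""
    deg = 0
    for u in range(1 << n):
        coeff = reduce(lambda s, x: s ^ F(x), (x for x in range(1 << n) if x & ~u == 0), 0)
        if coeff:
            deg = max(deg, bin(u).count("1"))
    return deg


def iterated_degree_bounds(deg_round: int, n: int, ell: int, rounds: int):
    """bounds[r-1] bounds deg(R^r), combining at each step: the trivial bound deg(G o F) <= deg(G) deg(F),
    the bound n - 1 for a permutation, and deg(G o R) <= n - ell + deg(G) (Canteaut-Videau, slide 14)."""
    bounds = [deg_round]
    for _ in range(1, rounds):
        prev = bounds[-1]
        bounds.append(min(deg_round * prev, n - 1, n - ell + prev))
    return bounds


if __name__ == "__main__":
    print("deg chi =", algebraic_degree(chi, ROW), " deg chi^-1 =", algebraic_degree(chi_inv, ROW))
    l = divisibility(chi, ROW)
    print("Walsh spectra of chi and chi^-1 divisible by 2^%d and 2^%d" % (l, divisibility(chi_inv, ROW)))
    ell_round = l * 320   # 320 parallel rows per Keccak-f round: divisibility exponents add up
    inverse_bounds = iterated_degree_bounds(algebraic_degree(chi_inv, ROW), 1600, ell_round, 7)
    print("deg(R^-r) <=", inverse_bounds, "(trivial bound alone for r = 7: %d)" % 3 ** 7)
```

The spectrum of $\chi^{-1}$ is the spectrum of $\chi$ with the roles of $a$ and $b$ exchanged, which is why both have the same divisibility. For the forward permutation ($\deg\chi=2$) the trivial bound $2^7=128$ is still the smaller one after seven rounds; the Walsh bound only starts to matter once $2^r$ exceeds $640+2^{r-1}$.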
A bound on the degree of SPN constructions
Substitution Permutation Networks

[Figure: an SPN, alternating a layer of parallel S-boxes $S$ and a linear layer, repeated over several rounds.]

How to estimate the evolution of the degree of such constructions?
[Figure: one SPN round on 16 bits: the inputs $x_0,\ldots,x_{15}$ go through four 4-bit S-boxes $S_1,\ldots,S_4$, giving the outputs $y_0,\ldots,y_{15}$.]

After several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in $X=\{x_0,\ldots,x_{15}\}$.