Cryptanalysis of Symmetric-Key Primitives: …Cryptanalysis of Symmetric-Key Primitives: Automated...

IntroductionThree Easy, Automated Techniques

Tools for CryptographyConclusion

Cryptanalysis of Symmetric-Key Primitives:Automated Techniques

Nicky Mouha

ESAT/COSIC, KU Leuven, BelgiumIBBT, Belgium

Summer School on Tools, MykonosTuesday, May 29, 2012

1 / 39

Outline

1 Introduction

2 Three Easy, Automated TechniquesMILP ProgrammingSAT SolversRegular Expressions

3 Tools for Cryptography

4 Conclusion

2 / 39

Symmetric-key Ciphers: Types of attacks

Statistical attacksLinear and differential cryptanalysis, slide attacks,...Detect statistical non-randomness

3 / 39

Meet-in-the-middle attacksMany techniques (splice-and cut, partial matching, partialfixing,...), guess-and-determine attacks, attack on 2DES,...Separate equations into two or more groups to solve themmore efficiently

3 / 39

Meet-in-the-middle attacksMany techniques (splice-and cut, partial matching, partialfixing,...), guess-and-determine attacks, attack on 2DES,...Separate equations into two or more groups to solve themmore efficiently

Algebraic attacksSee next slide

3 / 39

Algebraic Attacks: Definition

Represent cryptographic primitive as system of equationsUse equation solver to retrieve key

4 / 39

SAT solversMiniSat2, CryptoMiniSat,...

Gröbner basis methodBuchberger’s algorithm, F4, F5,...

Mixed Integer Linear Programming (MILP)CPLEX, SYMPHONY,...

4 / 39

SAT solversMiniSat2, CryptoMiniSat,...

Gröbner basis methodBuchberger’s algorithm, F4, F5,...

Mixed Integer Linear Programming (MILP)CPLEX, SYMPHONY,...

Hopefully detects inherent structure, and

solves equations faster than brute force!

4 / 39

Algebraic Attacks: Advantages and Disadvantages

Algebraic attacks on symmetric-key ciphersBiggest disadvantages:

Can only find practical attacks, no high-complexity attacks

5 / 39

Can only find practical attacks, no high-complexity attacksExecution time (and memory requirements): unpredictable

5 / 39

Can only find practical attacks, no high-complexity attacksExecution time (and memory requirements): unpredictable“Not a single proper block cipher has been broken usingpure algebraic techniques faster than with othertechniques.” (Albrecht)

5 / 39

Biggest advantages:“Black box” technique, no crypto knowledge required

5 / 39

Biggest advantages:“Black box” technique, no crypto knowledge requiredCan work with very few plaintext-ciphertext pairs

5 / 39

Biggest advantages:“Black box” technique, no crypto knowledge requiredCan work with very few plaintext-ciphertext pairsUseful to break extremely weak ciphers: Crypto-1 in 40s,HiTag2 in 6.5h on one Xeon E5345 @ 2.33GHz (Soos)

5 / 39

Automated Techniques: Still Useful

Tool to construct statistical and MitM attacksTherefore, program execution time: not so important

6 / 39

Program: executed only once

6 / 39

Program: executed only onceMore time spent on: coding, debugging, optimizing, parallelimplementation, verifying,...Verifying correctness: very difficult

6 / 39

Program: executed only onceMore time spent on: coding, debugging, optimizing, parallelimplementation, verifying,...Verifying correctness: very difficultProgrammer’s time: costs more than CPU time!

6 / 39

Program: executed only onceMore time spent on: coding, debugging, optimizing, parallelimplementation, verifying,...Verifying correctness: very difficultProgrammer’s time: costs more than CPU time!

More important:Easy to programEasy to verifyEasy to parallelize

6 / 39

Goal of this lecture

Use three easy, automated techniquesMILP programmingSAT solversRegular expressions

as tools to construct attacks... and start breaking ciphers today!

7 / 39

MILP ProgrammingSAT SolversRegular Expressions

Outline

1 Introduction

4 Conclusion

8 / 39

Differential Cryptanalysis

Differential characteristic

9 / 39

Differential Cryptanalysis: S-box

a ⊕∆α

S(a ⊕∆α)

= ∆β?

Differential Probability DP(∆α → ∆β):

#{0 ≤ a < 28 : S(a)⊕ S(a ⊕∆α) = ∆β}

Max. diff. prob. (MDP): 4/256 = 2−6

AES: only component that isnon-linear in GF(28)

Non-active S-box: DP(0 → 0) = 1

Count active S-boxes!

10 / 39

Representation of variables

Every pair of bytes is “shrunk” to one bit xi :xi = 0 if the bytes are the samexi = 1 if the bytes are different

11 / 39

Note: simplifies the analysis!Our results prove lower bounds,but characteristics may contain a contradiction

11 / 39

Note: simplifies the analysis!Our results prove lower bounds,but characteristics may contain a contradiction

Next slides: focus on AESbut technique can analyze any cipher based on XORs,three-forked branches, MDS operations,...Details: see Mouha et al., Inscrypt 2011

11 / 39

One Round of AES

x0 x4 x8 x12

x1 x5 x9 x13

x2 x6 x10 x14

x3 x7 x11 x15

AR+SB−−−−−−→

x0 x4 x8 x12

x1 x5 x9 x13

x2 x6 x10 x14

x3 x7 x11 x15

SR−−−→

x0 x4 x8 x12

x5 x9 x13 x1

x10 x14 x2 x6

x15 x3 x7 x11

MC−−−−−−→

x16 x20 x24 x28

x17 x21 x25 x29

x18 x22 x26 x30

x19 x23 x27 x31

12 / 39

MixColumns

MDS Property:

x0 + x5 + x10 + x15 +x16 + x17 + x18 + x19 ≥ 5

x0 = x5 = x10 = x15 =x16 = x17 = x18 = x19 = 0

13 / 39

MixColumns

MDS Property:

x0 + x5 + x10 + x15 +x16 + x17 + x18 + x19 ≥ 5d

d = max( x0 , x5 , x10 , x15 ,

x16 , x17 , x18 , x19 )

14 / 39

MixColumns

MDS Property:

x0 + x5 + x10 + x15 +x16 + x17 + x18 + x19 ≥ 5d

d ≥ x0, d ≥ x5, d ≥ x10, d ≥ x15,d ≥ x16, d ≥ x17, d ≥ x18, d ≥ x19

15 / 39

Mixed-Integer Linear Programming

MimimizeSum of S-box variables

Subject To9 equations for every MixColumns step (+1 dummy variable)(SubBytes, ShiftRows, add key: no equations/variables)Sum of plaintext variables ≥ 1

BinaryAll variables / All input variables

16 / 39

Single-key AES: Bounds

# Rounds 1 2 3 4 5 6 7Min. # active S-boxes 1 5 9 25 26 30 34

# Rounds 8 9 10 11 12 13 14Min. # active S-boxes 50 51 55 59 75 76 80

Using the IBM ILOG CPLEX optimizerFree for academic use

Execution timeno problem takes longer than 0.40 s (Intel Xeon X5670 @2.93GHz)

17 / 39

Related-key AES: Strategy

Also one xi -variable per key byte, (xi = 1 iff. bytes different)

18 / 39

Related-key AES: Strategy

Also one xi -variable per key byte, (xi = 1 iff. bytes different)

Equations for every XOR operation:

xin2xin1

xin1 + xin2 + xout ≥ 2d

d ≥ xin1

d ≥ xin2

d ≥ xout

18 / 39

Related-key AES: Bounds

Minimum number of active S-boxes:

# Rounds 1 2 3 4 5 6 7

AES-128 0 1 3 9 11 13 15AES-192 0 0 1 3 4 5 11AES-256 0 0 1 3 3 5 5

# Rounds 8 9 10 11 12 13 14

AES-128 21 23 25 27 33 35 37AES-192 13 16 19 19 20 24 25AES-256 10 14 16 18 20 22 24

19 / 39

Related-key AES: Execution Time

24-core Intel Xeon X5670 @ 2.93GHzSystem used concurrently by at least 5 other people

... execution times are upper bounds

20 / 39

Related-key AES: Execution Time

24-core Intel Xeon X5670 @ 2.93GHzSystem used concurrently by at least 5 other people

... execution times are upper bounds

Bounds for full AES: all less than one minuteexcept 14-round AES-256: bound in 69.84 s

20 / 39

Comparison to other work

Biryukov, Nikolic (EUROCRYPT 2010, SAC 2010)

determine byte differences, not just zero/non-zerodifference

21 / 39

determine byte differences, not just zero/non-zerodifferenceAES-192, 11 rounds:

Biryukov, Nikolic: 31 active S-boxes, computation takes“weeks”

21 / 39

Biryukov, Nikolic: 31 active S-boxes, computation takes“weeks”Our result: 19 active S-boxes, found in 33.36 s

21 / 39

xAES-128, 10 rounds:Nikolic: more than 22 active S-boxes (“a few hours on asingle core”) using split method

21 / 39

xAES-128, 10 rounds:Nikolic: more than 22 active S-boxes (“a few hours on asingle core”) using split methodOur result: 22 active S-boxes (2.68 s, single core) usingsplit method

21 / 39

xAES-128, 10 rounds:Nikolic: more than 22 active S-boxes (“a few hours on asingle core”) using split methodOur result: 22 active S-boxes (2.68 s, single core) usingsplit methodNot using split method: 25 active S-boxes (4 minutes on asingle core, or 31.80 s using 24 cores)

21 / 39

How to program

Complex bookkeeping of variables is unnecessary!Stay as close as possible to the original C code

22 / 39

How to program

int next: index i for next unused xi

int dummy: index j for next unused dj

22 / 39

How to program

remove round constants

22 / 39

How to program

remove round constantsintercept XOR, MixColumns: generate equations, increasenext and dummy

22 / 39

How to program

remove round constantsintercept XOR, MixColumns: generate equations, increasenext and dummyintercept S-box: keep track of indices for objective function

22 / 39

How to program

remove round constantsintercept XOR, MixColumns: generate equations, increasenext and dummyintercept S-box: keep track of indices for objective functionMore details: see source code

22 / 39

How to program

remove round constantsintercept XOR, MixColumns: generate equations, increasenext and dummyintercept S-box: keep track of indices for objective functionMore details: see source code

To debug/visualize: print indices i of internal states xi andfill in solution

22 / 39

Related-key AES: How to program (2)

Reference implementation (rijndael-alg-ref.c)assume 256-bit key, 10 rounds

Implementation needs 128 · 11 = 1408 key bitsbut rounds up: 256 · 6 = 1536 key bits calculated

Result: unnecessary S-box lookups, and wrong bounds!solution: reorder loops and terminate sooner

23 / 39

Outline

1 Introduction

4 Conclusion

24 / 39

SAT solvers: Introduction

SAT solvers: input in Conjunctive Normal Form (CNF)CNF = the ‘AND’ of a set of ‘OR’-clausesEvery variable = 1 bitCryptoMiniSAT: also understands XOR clauses

Example of CNF:(x1 ∨ x5 ∨ x4)∧

(x1 ∨ x5 ∨ x3 ∨ x4)∧

(x3 ∨ x4)

Conversion from C code to CNF needed+ convert back to interpret solution

25 / 39

SAT solvers: to CNF and back

Custom approach: specific to certain (families of) cipherse.g. Grain of Salt (Soos): stream ciphers based on NLFSRs

26 / 39

Using software to synthesize hardware circuitse.g. CryptLogVer (Morawiecki et al.): Altera Quartus II +simple postprocessing

26 / 39

Using software to synthesize hardware circuitse.g. CryptLogVer (Morawiecki et al.): Altera Quartus II +simple postprocessing

Tool to convert C code to CNF and backe.g. C32SAT (Brummayer)

26 / 39

HAS-V Step Function

Ai Bi Ci Di Ei

Ai+1 Bi+1 Ci+1 Di+1 Ei+1

27 / 39

HAS-V Step Function: Local Collisions

Wt[0] W

t+1[S] W

t+2[0] W

t+3[30] W

t+4[30] W

t+5[30]

At[0] A

t+1[S] A

t+2[0] A

t+3[30] A

t+4[30] A

t+5[30]

50% (f1,f

100% (f2)

28 / 39

HAS-V: Using C32SAT

Chabaud and Joux: local collision = perturbation +correction(s)

Message words are reused: one message difference Wi

introduces many perturbations!

29 / 39

HAS-V: Using C32SAT

For HAS-V:Step 0: Msg. diff. W0 = Perturb. P0 (32-bit word)Step 1: Msg. diff. W1 = Perturb. P1 ⊕ Corr. (P0 ≪ 11)

29 / 39

HAS-V: Using C32SAT

For HAS-V:Step 0: Msg. diff. W0 = Perturb. P0 (32-bit word)Step 1: Msg. diff. W1 = Perturb. P1 ⊕ Corr. (P0 ≪ 11)Step 2: Msg. diff. W2 = Perturb. P2 ⊕ Corr. (P1 ≪ 7)

⊕ Corr. (P0∧D0)... (W0, W1,... are reused in later steps)

Dummy variable D0: indicates if Boolean function fabsorbs or propagates difference

29 / 39

HAS-V: C32SAT results

Processor: Intel Core 2 Duo E8400 @ 3GHz

If Pi ∈ {00..002,11..112}

Best solution: 192 local collisions for 60 steps (41s)No solution with fewer than 192 local collisions (42s)

30 / 39

If Pi ∈ {00..002,11..112}

If Pi ∈ {00..002,01..012,10..102,11..112}

Best solution: 144 local collisions for 60 steps (3m 14s)No solution with fewer than 144 local collisions (11m 10s)

30 / 39

If Pi ∈ {00..002,11..112}

If Pi ∈ {00..002,01..012,10..102,11..112}

Best solution: 144 local collisions for 60 steps (3m 14s)No solution with fewer than 144 local collisions (11m 10s)

More details: my Master’s thesis (only in Dutch)

30 / 39

Outline

1 Introduction

4 Conclusion

31 / 39

Regular Expressions: Introduction

Regular Expressions: to match patterns in stringsText editor’s “Find” or ”Find/Replace”, but on steroids

Included in several programming languagesJava, C++11, Apple’s Objective-C, C#, PHP, VB.NET,Python, Perl, JavaScript,...

32 / 39

Regular Expressions: Introduction

Regular Expressions: to match patterns in stringsText editor’s “Find” or ”Find/Replace”, but on steroids

Included in several programming languagesJava, C++11, Apple’s Objective-C, C#, PHP, VB.NET,Python, Perl, JavaScript,...

32 / 39

Regular Expressions: Notation

x character x. any character[ac] character a or c[^a-c] any character except a, b or c

e.g. d , A, 9,...([a-c]) save match for later use

x* zero or more x ’sx+ one or more x ’sx? zero or one x ’sx{m} exactly m x ’sx{m,} at least m x ’sx{m,n} at least m, but at most n x ’s

33 / 39

Meet-in-the-Middle Attack on XTEA

XTEA: 64 rounds, 4 subkeysOne subkey used in every round

Round key order as a string:0312213000132231001023320111203302112130031221310013223201102332

Meet-in-the-middle attack on 23 roundsFirst and last rounds: one subkey is not usedMiddle rounds: all keys can be used, max. 15 roundsDetails: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010

Regular expression?

34 / 39

[^0]*.{1,15}[^0]*,

35 / 39

[^0]*.{1,15}[^0]*, [^1]*.{1,15}[^1]*,[^2]*.{1,15}[^2]*, [^3]*.{1,15}[^3]*

36 / 39

1 # ! / usr / b in / p e r l2

3 # XTEA key schedule4 $x = " 03122130001322310010233201112033 " .5 " 02112130031221310013223201102332 " ;6

7 # subkey $ i i s excluded i n the outer rounds8 f o r ( $ i =0; $ i <4; $ i ++) {9 whi le ( $x =~ / ( [ ^ $ i ] ∗ . { 1 , 1 5 } [ ^ $ i ] ∗ ) / g ) {

10 i f ( l eng th ( $1 ) >= 23) { # show only 23−round a t tacks11 p r i n t leng th ( $1 ) , "−round a t tack : " , $1 ,12 " ( rounds : " , $− [1]+1 , "−" , $ + [ 1 ] , " ) \ n " ;13 }14 pos ( $x ) = $− [1 ]+1; # matches may over lap15 }16 }

37 / 39

ECRYPT II Tools for Cryptography

Research papers should be verifiable... releasing source code is therefore crucial!

ECRYPT II Tools for Cryptographyhttp://www.ecrypt.eu.org/tools

Currently 16 tools listedTools used in this lecture will be added todayOther new submissions are very welcome!

38 / 39

Conclusion

If we use an automated technique,The execution time is unpredictable,and the inner workings are not well understood.

39 / 39

Conclusion

Yet, such techniques can be extremely useful:typically not to break a cipher (requires too muchtime/memory)but to use as a tool to construct an attack.

39 / 39

Conclusion

How to do this? We gave examples for three approaches:MILP programming, SAT solvers, regular expressions.

39 / 39

Conclusion

How to do this? We gave examples for three approaches:MILP programming, SAT solvers, regular expressions.

Questions?

39 / 39

Cryptanalysis of Symmetric-Key Primitives: …Cryptanalysis of Symmetric-Key Primitives: Automated...

Documents

Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity

Design and Analysis of Symmetric Primitives · Abstract The subject of this thesis is the study of symmetric cryptographic primitives. We investigate these objects from three different

ENGG 5383 Applied Cryptography - Dept. of IE, CUHK Staff ...smchow/5383/5383-18F-0-Admin.pdf · § We do not discuss cryptanalysis of “symmetric-key” primitives § E.g., hash

Application-Specific Cryptographic Schemes Based on Symmetric …ask/2014/S. Hirose.pdf · 2019-08-30 · Application-Speci c Cryptographic Schemes Based on Symmetric-Key Primitives

Resource Estimation of Grovers-kind Quantum Cryptanalysis … · 2020. 11. 15. · Resource Estimation of Grovers-kind Quantum Cryptanalysis against FSR based Symmetric Ciphers Ravi

D.STVL.7 Algebraic Cryptanalysis of Symmetric Primitives · 2008-10-09 · Algebraic Cryptanalysis of Symmetric Primitives Editor Carlos Cid (RHUL) Contributors Martin Albrecht (RHUL),

Chap 2: Elementary Cryptography. Concepts of encryption Cryptanalysis: how encryption systems are “broken” Symmetric (secret key) encryption and

A New Frontier in Symmetric Cryptanalysisnicolascourtois.com/papers/front_indocrypt08_2p.pdf5 A New Frontier in Symmetric Cryptanalysis Courtois, Indocrypt 2008 9 Frontiers Frontiers

Design of Symmetric-Key Primitives for Advanced ... · 1 Introduction Block ciphers are a fundamental primitive of modern cryptography. They are used in a host of symmetric-key constructions,

ENGG 5383 Applied Cryptography - Dept. of IE, CUHK Staff ...smchow/5383/5383-17F-0-Admin.pdf§ We do not discuss cryptanalysis of “symmetric-key” primitives § E.g., hash function,

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis

The LOCAL attack: Cryptanalysis of the authenticated ... · only a single authenticated 48-byte message. 1 Introduction Cryptanalysis and design of authenticated encryption primitives

Leakage-Resilient Cryptography - COSIC · Leakage-Resilient Cryptography Sebastian Faust Aarhus University, Denmark-- for symmetric primitives 1. How to construct cryptodevices? 2

Design and Analysis of Symmetric Primitivesorbit.dtu.dk/files/119957728/phd382_Lauridsen_MM.pdfDesign and Analysis of Symmetric Primitives Martin M. Lauridsen August 2015 Advisor:

Cryptanalysis, Reverse-Engineering and Design of Symmetric ... · Cryptanalysis of Feistel networks with secret round functions (SAC’15) Biryukov, Leurent, Perrin ; [Biryukov et

cryptogra y - University of Wisconsin–Madisonpages.cs.wisc.edu/~ace/media/lectures/crypto-intro.pdf · Crypto primitives /Symmetric and asymmetric crypto /MACs /Digital signatures

New Frontiers in Symmetric Cryptanalysis · 2 Algebraic Attacks: A New Frontier in Symmetric Cryptanalysis N. Courtois, Rump session at Eurocrypt 2007 4 Algebraic Attacks vs. DC/LC/etc

Calculating RSA, Cryptanalysis, and Crypto Ethics...Problem: people eavesdropping on network can’t share symmetric keys secretly. Public Key Cryptography Review Solution: public

Post-Quantum Zero-Knowledge and Signatures from Symmetric ... · Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives ... non-interactive zero-knowledge proof

Cosc 4765 Cryptography in action. Building protocols With the primitives –Symmetric Algorithms, Message Authentication Codes, One-way Hash Algorithms,