Symmetric Cryptography [2], ISBN 9781789451474

Symmetric cryptology is one of the two main branches of cryptology. Its applications are essential and vital in the Info


English, 265 pages, 2023


Table of contents :
Cover
Title Page
Copyright Page
Contents
Preface
Part 1. Cryptanalysis of Symmetric-key Algorithms
Chapter 1. Differential Cryptanalysis
1.1. Statistical attacks on block ciphers: preliminaries
1.2. Principle of differential cryptanalysis and application to DES
1.2.1. Differential transitions and differential characteristics
1.2.2. Derivation of non-trivial differential characteristics
1.2.3. Leveraging characteristics to mount a key-recovery attack
1.3. Some refinements and generalizations
1.3.1. Differential effect
1.3.2. Truncated differentials
1.4. Design strategies and evaluation
1.4.1. Case of the AES
1.4.2. Automated analysis
1.5. Further notes and references
1.6. References
Chapter 2. Linear Cryptanalysis
2.1. History
2.2. Correlation and linear hull
2.3. Multidimensional linear approximation
2.4. Walsh-Hadamard transform
2.5. Linear approximation of an iterative block cipher
2.6. Matsui’s Algorithm 1 type of key recovery
2.7. Matsui’s Algorithm 2 type of key recovery
2.8. Searching for linear approximations and estimating correlations
2.9. Speeding up key recovery
2.10. Key-recovery distinguisher
2.11. Classical model of Algorithm 2
2.12. Algorithm 2 with distinct known plaintext and randomized key
2.13. Multiple linear approximations
2.14. Multidimensional linear cryptanalysis
2.15. References
Chapter 3. Impossible Differential Cryptanalysis
3.1. Finding impossible differentials
3.2. Key recovery
3.2.1. Data, time and memory complexities
3.3. Some improvements
3.3.1. Early abort technique
3.3.2. Multiple impossible differentials or multiple extension paths
3.4. Applications
3.5. References
Chapter 4. Zero-Correlation Cryptanalysis
4.1. Correlation and linear cryptanalysis
4.1.1. Correlation matrix
4.1.2. Linear trails and linear hulls
4.1.3. Approximations of linear functions
4.1.4. Computing the correlations over a permutation
4.2. Attacks using a linear hull with correlation zero
4.2.1. Correlation zero in random permutations
4.2.2. Distinguisher
4.2.3. Reducing the data complexity
4.3. Linear hulls with correlation zero
4.3.1. Feistel ciphers
4.3.2. AES
4.3.3. Extended result on AES
4.4. References
Chapter 5. Differential-Linear Cryptanalysis
5.1. Brief introduction of differential-linear attacks
5.2. How to estimate correlations of a differential-linear distinguisher
5.3. On the key recovery
5.4. State of the art for differential-linear attacks
5.4.1. Differential-linear connecting table
5.4.2. Three techniques to improve differential-linear attacks
5.5. References
Chapter 6. Boomerang Cryptanalysis
6.1. Basic boomerang attack
6.2. Variants and refinements
6.3. Tricks and failures
6.4. Formalize the dependency
6.5. References
Chapter 7. Meet-in-the-Middle Cryptanalysis
7.1. Introduction
7.2. Basic meet-in-the-middle framework
7.2.1. The 2DES attack
7.2.2. Algorithmic framework
7.2.3. Complexity analysis and memory usage
7.3. Meet-in-the-middle techniques
7.3.1. Filtering
7.3.2. Splice-and-cut
7.3.3. Bicliques
7.4. Automatic tools
7.5. References
Chapter 8. Meet-in-the-Middle Demirci-Selçuk Cryptanalysis
8.1. Original Demirci-Selçuk attack
8.2. Improvements
8.2.1. Data/time/memory trade-off
8.2.2. Difference instead of value
8.2.3. Multiset
8.2.4. Linear combinations
8.2.5. Differential enumeration technique
8.3. Finding the best attacks
8.3.1. Tools
8.3.2. Results
8.4. References
Chapter 9. Invariant Cryptanalysis
9.1. Introduction
9.2. Invariants for permutations and block ciphers
9.2.1. Invariant subspaces
9.2.2. Quadratic invariants
9.3. On design criteria to prevent attacks based on invariants
9.4. A link to linear approximations
9.5. References
Chapter 10. Higher Order Differentials, Integral Attacks and Variants
10.1. Integrals and higher order derivatives
10.2. Algebraic degree of an iterated function
10.3. Division property
10.4. Attacks based on integrals
10.4.1. Distinguishers
10.4.2. Attacks
10.5. References
Chapter 11. Cube Attacks and Distinguishers
11.1. Cube attacks and cube testers
11.1.1. Terminology
11.1.2. Main observation
11.1.3. The basic cube attack
11.1.4. The preprocessing phase on cube attacks
11.1.5. Cube testers
11.1.6. Applications
11.2. Conditional differential attacks and dynamic cube attacks
11.2.1. Conditional differential attacks
11.2.2. Dynamic cube attacks
11.2.3. A toy example
11.3. References
Chapter 12. Correlation Attacks on Stream Ciphers
12.1. Correlation attacks on the nonlinear combination generator
12.2. Correlation attacks and decoding linear codes
12.3. Fast correlation attacks
12.3.1. Fast correlation attacks and low weight feedback polynomials
12.3.2. Finding low weight multiples of the feedback polynomial
12.3.3. Fast correlation attacks by reducing the code dimension
12.4. Generalizing fast correlation attacks
12.4.1. The E0 stream cipher
12.4.2. The A5/1 stream cipher
12.5. References
Chapter 13. Addition, Rotation, XOR
13.1. What is ARX?
13.1.1. Structure of an ARX-based primitive
13.1.2. Development of ARX
13.2. Understanding modular addition
13.2.1. Expressing modular addition in F_2^n
13.2.2. Cryptographic properties of modular addition
13.3. Analyzing ARX-based primitives
13.3.1. Searching for differential and linear trails
13.3.2. Proving security against differential and linear attacks
13.3.3. Other cryptanalysis techniques
13.4. References
Chapter 14. SHA-3 Contest Related Cryptanalysis
14.1. Chapter overview
14.2. Differences between attacks against keyed and keyless primitives
14.3. Rebound attack
14.3.1. Basic strategy of the rebound attack
14.3.2. Rebound attack against AES-like structures
14.4. Improving rebound attacks with Super-Sbox
14.5. References for further reading about rebound attacks
14.6. Brief introduction of other cryptanalysis
14.6.1. Internal differential cryptanalysis
14.6.2. Rotational cryptanalysis
14.7. References
Chapter 15. Cryptanalysis of SHA-1
15.1. Design of SHA-1
15.2. SHA-1 compression function
15.3. Differential analysis
15.4. Near-collision attacks
15.5. Near-collision search
15.6. Message expansion differences
15.7. Differential trail
15.8. Local collisions
15.9. Disturbance vector
15.10. Disturbance vector selection
15.11. Differential trail construction
15.12. Message modification techniques
15.13. Overview of published collision attacks
15.14. References
Part 2. Future Directions
Chapter 16. Lightweight Cryptography
16.1. Lightweight cryptography standardization efforts
16.2. Desired features
16.3. Design approaches in lightweight cryptography
16.4. References
Chapter 17. Post-Quantum Symmetric Cryptography
17.1. Different considered models
17.1.1. With respect to the queries
17.1.2. With respect to memory
17.2. On Simon’s and Q2 attacks
17.2.1. Off-line Simon’s attack
17.3. Quantizing classical attacks in Q1
17.3.1. About collisions
17.4. On the design of quantum-safe primitives
17.5. Perspectives and conclusion
17.5.1. About losing the quantum and classical surname
17.5.2. No panic
17.6. References
Chapter 18. New Fields in Symmetric Cryptography
18.1. Arithmetization-oriented symmetric primitives (ZK proof systems)
18.1.1. The current understanding of this new language
18.1.2. The first attempts
18.1.3. Cryptanalysis
18.2. Symmetric ciphers for hybrid homomorphic encryption
18.2.1. The current understanding of this new language
18.2.2. First design strategies
18.3. Parting thoughts
18.4. References
Chapter 19. Deck-function-based Cryptography
19.1. Block-cipher centric cryptography
19.2. Permutation-based cryptography
19.3. The problem of the random permutation security model
19.4. Deck functions
19.5. Modes of deck functions and instances
19.6. References
List of Authors
Index
Summary of Volume 1
EULA

Symmetric Cryptography 2

SCIENCES
Computer Science, Field Directors: Valérie Berthé and Jean-Charles Pomerol
Cryptography, Data Security, Subject Head: Damien Vergnaud

Symmetric Cryptography 2 Cryptanalysis and Future Directions

Coordinated by

Christina Boura María Naya-Plasencia

First published 2023 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd, 27-37 St George’s Road, London SW19 4EU, UK

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

www.iste.co.uk

www.wiley.com

© ISTE Ltd 2023

The rights of Christina Boura and María Naya-Plasencia to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s), contributor(s) or editor(s) and do not necessarily reflect the views of ISTE Group.

Library of Congress Control Number: 2023930938
British Library Cataloguing-in-Publication Data: a CIP record for this book is available from the British Library
ISBN 978-1-78945-147-4
ERC code: PE6 Computer Science and Informatics; PE6_5 Cryptology, security, privacy, quantum cryptography

Contents

Preface . . . xiii
Christina Boura and María Naya-Plasencia

Part 1. Cryptanalysis of Symmetric-key Algorithms . . . 1

Chapter 1. Differential Cryptanalysis . . . 3
Henri Gilbert and Jérémy Jean
1.1. Statistical attacks on block ciphers: preliminaries . . . 4
1.2. Principle of differential cryptanalysis and application to DES . . . 7
1.2.1. Differential transitions and differential characteristics . . . 7
1.2.2. Derivation of non-trivial differential characteristics . . . 10
1.2.3. Leveraging characteristics to mount a key-recovery attack . . . 14
1.3. Some refinements and generalizations . . . 18
1.3.1. Differential effect . . . 18
1.3.2. Truncated differentials . . . 19
1.4. Design strategies and evaluation . . . 20
1.4.1. Case of the AES . . . 21
1.4.2. Automated analysis . . . 23
1.5. Further notes and references . . . 23
1.6. References . . . 26

Chapter 2. Linear Cryptanalysis . . . 29
Kaisa Nyberg and Antonio Flórez-Gutiérrez
2.1. History . . . 29
2.2. Correlation and linear hull . . . 30
2.3. Multidimensional linear approximation . . . 31
2.4. Walsh-Hadamard transform . . . 32
2.5. Linear approximation of an iterative block cipher . . . 32
2.6. Matsui’s Algorithm 1 type of key recovery . . . 33
2.7. Matsui’s Algorithm 2 type of key recovery . . . 34
2.8. Searching for linear approximations and estimating correlations . . . 35
2.9. Speeding up key recovery . . . 36
2.10. Key-recovery distinguisher . . . 38
2.11. Classical model of Algorithm 2 . . . 39
2.12. Algorithm 2 with distinct known plaintext and randomized key . . . 40
2.13. Multiple linear approximations . . . 40
2.14. Multidimensional linear cryptanalysis . . . 42
2.15. References . . . 43

Chapter 3. Impossible Differential Cryptanalysis . . . 47
Christina Boura and María Naya-Plasencia
3.1. Finding impossible differentials . . . 48
3.2. Key recovery . . . 49
3.2.1. Data, time and memory complexities . . . 50
3.3. Some improvements . . . 52
3.3.1. Early abort technique . . . 52
3.3.2. Multiple impossible differentials or multiple extension paths . . . 53
3.4. Applications . . . 54
3.5. References . . . 54

Chapter 4. Zero-Correlation Cryptanalysis . . . 57
Vincent Rijmen
4.1. Correlation and linear cryptanalysis . . . 57
4.1.1. Correlation matrix . . . 57
4.1.2. Linear trails and linear hulls . . . 58
4.1.3. Approximations of linear functions . . . 59
4.1.4. Computing the correlations over a permutation . . . 60
4.2. Attacks using a linear hull with correlation zero . . . 60
4.2.1. Correlation zero in random permutations . . . 61
4.2.2. Distinguisher . . . 61
4.2.3. Reducing the data complexity . . . 62
4.3. Linear hulls with correlation zero . . . 62
4.3.1. Feistel ciphers . . . 63
4.3.2. AES . . . 64
4.3.3. Extended result on AES . . . 64
4.4. References . . . 64

Chapter 5. Differential-Linear Cryptanalysis . . . 67
Yosuke Todo
5.1. Brief introduction of differential-linear attacks . . . 67
5.2. How to estimate correlations of a differential-linear distinguisher . . . 69
5.3. On the key recovery . . . 71
5.4. State of the art for differential-linear attacks . . . 72
5.4.1. Differential-linear connecting table . . . 72
5.4.2. Three techniques to improve differential-linear attacks . . . 73
5.5. References . . . 76

Chapter 6. Boomerang Cryptanalysis . . . 77
Ling Song
6.1. Basic boomerang attack . . . 77
6.2. Variants and refinements . . . 79
6.3. Tricks and failures . . . 80
6.4. Formalize the dependency . . . 83
6.5. References . . . 86

Chapter 7. Meet-in-the-Middle Cryptanalysis . . . 89
Brice Minaud
7.1. Introduction . . . 89
7.2. Basic meet-in-the-middle framework . . . 90
7.2.1. The 2DES attack . . . 90
7.2.2. Algorithmic framework . . . 91
7.2.3. Complexity analysis and memory usage . . . 92
7.3. Meet-in-the-middle techniques . . . 94
7.3.1. Filtering . . . 94
7.3.2. Splice-and-cut . . . 96
7.3.3. Bicliques . . . 97
7.4. Automatic tools . . . 98
7.5. References . . . 98

Chapter 8. Meet-in-the-Middle Demirci-Selçuk Cryptanalysis . . . 101
Patrick Derbez
8.1. Original Demirci-Selçuk attack . . . 101
8.2. Improvements . . . 103
8.2.1. Data/time/memory trade-off . . . 104
8.2.2. Difference instead of value . . . 104
8.2.3. Multiset . . . 105
8.2.4. Linear combinations . . . 105
8.2.5. Differential enumeration technique . . . 106
8.3. Finding the best attacks . . . 108
8.3.1. Tools . . . 108
8.3.2. Results . . . 109
8.4. References . . . 109

Chapter 9. Invariant Cryptanalysis . . . 111
Christof Beierle
9.1. Introduction . . . 111
9.2. Invariants for permutations and block ciphers . . . 112
9.2.1. Invariant subspaces . . . 113
9.2.2. Quadratic invariants . . . 117
9.3. On design criteria to prevent attacks based on invariants . . . 117
9.4. A link to linear approximations . . . 119
9.5. References . . . 121

Chapter 10. Higher Order Differentials, Integral Attacks and Variants . . . 123
Anne Canteaut
10.1. Integrals and higher order derivatives . . . 123
10.2. Algebraic degree of an iterated function . . . 126
10.3. Division property . . . 128
10.4. Attacks based on integrals . . . 130
10.4.1. Distinguishers . . . 130
10.4.2. Attacks . . . 130
10.5. References . . . 131

Chapter 11. Cube Attacks and Distinguishers . . . 133
Itai Dinur
11.1. Cube attacks and cube testers . . . 133
11.1.1. Terminology . . . 134
11.1.2. Main observation . . . 135
11.1.3. The basic cube attack . . . 136
11.1.4. The preprocessing phase on cube attacks . . . 137
11.1.5. Cube testers . . . 138
11.1.6. Applications . . . 139
11.2. Conditional differential attacks and dynamic cube attacks . . . 140
11.2.1. Conditional differential attacks . . . 140
11.2.2. Dynamic cube attacks . . . 140
11.2.3. A toy example . . . 140
11.3. References . . . 141

Chapter 12. Correlation Attacks on Stream Ciphers . . . 143
Thomas Johansson
12.1. Correlation attacks on the nonlinear combination generator . . . 144
12.2. Correlation attacks and decoding linear codes . . . 145
12.3. Fast correlation attacks . . . 146
12.3.1. Fast correlation attacks and low weight feedback polynomials . . . 147
12.3.2. Finding low weight multiples of the feedback polynomial . . . 148
12.3.3. Fast correlation attacks by reducing the code dimension . . . 150
12.4. Generalizing fast correlation attacks . . . 151
12.4.1. The E0 stream cipher . . . 151
12.4.2. The A5/1 stream cipher . . . 152
12.5. References . . . 153

Chapter 13. Addition, Rotation, XOR . . . 155
Léo Perrin
13.1. What is ARX? . . . 155
13.1.1. Structure of an ARX-based primitive . . . 156
13.1.2. Development of ARX . . . 156
13.2. Understanding modular addition . . . 157
13.2.1. Expressing modular addition in F_2^n . . . 158
13.2.2. Cryptographic properties of modular addition . . . 158
13.3. Analyzing ARX-based primitives . . . 160
13.3.1. Searching for differential and linear trails . . . 160
13.3.2. Proving security against differential and linear attacks . . . 161
13.3.3. Other cryptanalysis techniques . . . 162
13.4. References . . . 163

Chapter 14. SHA-3 Contest Related Cryptanalysis . . . 167
Yu Sasaki
14.1. Chapter overview . . . 167
14.2. Differences between attacks against keyed and keyless primitives . . . 168
14.3. Rebound attack . . . 169
14.3.1. Basic strategy of the rebound attack . . . 169
14.3.2. Rebound attack against AES-like structures . . . 171
14.4. Improving rebound attacks with Super-Sbox . . . 173
14.5. References for further reading about rebound attacks . . . 175
14.6. Brief introduction of other cryptanalysis . . . 176
14.6.1. Internal differential cryptanalysis . . . 176
14.6.2. Rotational cryptanalysis . . . 177
14.7. References . . . 177

Chapter 15. Cryptanalysis of SHA-1 . . . 181
Marc Stevens
15.1. Design of SHA-1 . . . 181
15.2. SHA-1 compression function . . . 182
15.3. Differential analysis . . . 184
15.4. Near-collision attacks . . . 184
15.5. Near-collision search . . . 185
15.6. Message expansion differences . . . 186
15.7. Differential trail . . . 187
15.8. Local collisions . . . 187
15.9. Disturbance vector . . . 188
15.10. Disturbance vector selection . . . 189
15.11. Differential trail construction . . . 190
15.12. Message modification techniques . . . 190
15.13. Overview of published collision attacks . . . 191
15.14. References . . . 192

Part 2. Future Directions . . . 195

Chapter 16. Lightweight Cryptography . . . 197
Meltem Sönmez Turan
16.1. Lightweight cryptography standardization efforts . . . 197
16.2. Desired features . . . 198
16.3. Design approaches in lightweight cryptography . . . 200
16.4. References . . . 202

Chapter 17. Post-Quantum Symmetric Cryptography . . . 203
María Naya-Plasencia
17.1. Different considered models . . . 204
17.1.1. With respect to the queries . . . 204
17.1.2. With respect to memory . . . 205
17.2. On Simon’s and Q2 attacks . . . 206
17.2.1. Off-line Simon’s attack . . . 207
17.3. Quantizing classical attacks in Q1 . . . 207
17.3.1. About collisions . . . 207
17.4. On the design of quantum-safe primitives . . . 208
17.5. Perspectives and conclusion . . . 209
17.5.1. About losing the quantum and classical surname . . . 209
17.5.2. No panic . . . 209
17.6. References . . . 209

Chapter 18. New Fields in Symmetric Cryptography . . . 215
Léo Perrin
18.1. Arithmetization-oriented symmetric primitives (ZK proof systems) . . . 216
18.1.1. The current understanding of this new language . . . 217
18.1.2. The first attempts . . . 218
18.1.3. Cryptanalysis . . . 219
18.2. Symmetric ciphers for hybrid homomorphic encryption . . . 220
18.2.1. The current understanding of this new language . . . 221
18.2.2. First design strategies . . . 221
18.3. Parting thoughts . . . 223
18.4. References . . . 223

Chapter 19. Deck-function-based Cryptography . . . 227
Joan Daemen
19.1. Block-cipher centric cryptography . . . 227
19.2. Permutation-based cryptography . . . 227
19.3. The problem of the random permutation security model . . . 228
19.4. Deck functions . . . 228
19.5. Modes of deck functions and instances . . . 229
19.6. References . . . 230

List of Authors . . . 231
Index . . . 233
Summary of Volume 1 . . . 239

Preface

Christina Boura (1) and María Naya-Plasencia (2)

(1) University of Paris-Saclay, UVSQ, CNRS, Versailles, France
(2) Inria, Paris, France

Symmetric-key cryptology is one of the two main branches of modern cryptology. It comprises all primitives, modes and constructions used to ensure the confidentiality, authenticity and integrity of communications by means of a single key shared between the two communicating parties. Hash functions and some other keyless constructions are also considered symmetric constructions, because their design and analysis closely resemble those of classical keyed symmetric ciphers. Symmetric algorithms are essential for establishing secure communications, as they can have very compact implementations and achieve high speed in both software and hardware. Furthermore, compared to public-key algorithms, the keys used in symmetric cryptography are short, typically only 128 or 256 bits.

The goal of this two-volume project is to provide a thorough overview of the most important design, cryptanalysis and proof techniques for symmetric designs. The first volume is dedicated to the most popular design trends for symmetric primitives, modes and constructions, and to the presentation of the most important proof techniques. The current volume, on the other hand, describes and analyzes some of the most well-established and powerful cryptanalysis techniques against symmetric constructions.

Cryptanalysis is an essential process for establishing trust in the symmetric ciphers to be used and deployed. Indeed, in symmetric cryptography it is common to provide security proofs for the modes of operation and high-level constructions. These security proofs, analyzed in Volume 1, are fundamental for having confidence in the high-level constructions themselves, but they often rely on unrealistic assumptions, for example by treating the internal functions as perfect random ones. Therefore, in order to trust the primitives, cryptanalysis is a necessary process that must be taken into account together with the security proofs.

Symmetric Cryptography 2, coordinated by Christina B OURA and María NAYA -P LASENCIA. © ISTE Ltd 2023.


The first modern symmetric cryptanalysis techniques started developing almost together with the appearance of the first symmetric designs. These first cryptanalysis techniques have not stopped evolving since. Moreover, the appearance of new designs had as a consequence the development of new analysis techniques adapted to these new schemes. The goal of this second volume is to present the most powerful and the most promising attacks among those that have emerged since the 1980s. The book is divided into two parts. The first part contains 15 chapters and gives an overview of the most important cryptanalysis techniques. The second part is composed of four chapters and investigates some future directions for the field of symmetric cryptology.

Chapter 1 is dedicated to differential cryptanalysis, the oldest and probably the most well-studied attack against block ciphers and related primitives. First, a general background for statistical attacks is provided and the notion of distinguisher is introduced. Then, the most important notions encountered in differential cryptanalysis are given. Some possible refinements and extensions of the basic attack are provided, notably the differential effect and truncated differential characteristics. Finally, the most prominent design approaches to achieve resistance against this class of attacks are given.

Together with differential cryptanalysis, linear cryptanalysis is without doubt the second most well-known analysis technique against block ciphers. This technique is described in Chapter 2. After a brief historical note, the main notions for this attack, notably those of correlation, linear hull and multidimensional linear approximations, are presented. Then, two well-known algorithms for key recovery, namely Matsui’s algorithms 1 and 2, are given. The problem of finding good linear approximations for a given cipher is analyzed next and some techniques to speed up key recovery are given. Finally, two extensions of classical linear cryptanalysis are provided: the use of multiple linear approximations and the technique of multidimensional linear cryptanalysis.

Impossible differential cryptanalysis is another powerful attack against block ciphers. The idea, explained in Chapter 3, is to exploit differentials of probability zero. The distinguishing part, consisting of finding good impossible differentials, is first analyzed. Techniques for the key recovery part are given next. In this part, closed formulas for estimating the complexity of an attack are given. Some improvements to the classical version of this cryptanalysis technique are provided at the end of this chapter.

Zero-correlation attacks are an extension of linear cryptanalysis. These attacks, presented in Chapter 4, are based on linear approximations with correlation exactly zero. First, this chapter presents the central notion of correlation matrices. The notions of linear trails and hulls are defined once again and some results on computing the correlations over a permutation are provided next. Then, this chapter analyzes how linear hulls with correlation zero can be used to mount an attack, and techniques for reducing the data complexity are given. Finally, some important applications for Feistel ciphers and for the advanced encryption standard (AES) are discussed.

Chapter 5 is dedicated to differential-linear attacks. This cryptanalysis technique consists of successfully combining a differential attack together with a linear one. First, the attack framework is presented, and ways to estimate correlations of a differential-linear distinguisher are given next. Then, the key recovery part is discussed and the notion of differential-linear connecting table (DLCT) is presented. At the end, three techniques to improve differential-linear attacks are discussed.

Boomerang attacks are statistical attacks against block ciphers based on differential cryptanalysis. Chapter 6 introduces this type of cryptanalysis and some of its refinements, namely, the amplified boomerang and rectangle attacks. A discussion on the probability computation of boomerangs is next given, and several ways to improve or formalize this computation are discussed. Finally, a recent tool to calculate the boomerang probability for a single S-box, called the boomerang connectivity table (BCT), is presented together with its Feistel variant, the FBCT.

Chapter 7 gives an overview of another famous cryptanalysis technique called meet-in-the-middle cryptanalysis. Meet-in-the-middle attacks are among the oldest symmetric cryptanalysis techniques and still continue to evolve. This chapter starts by presenting the basic meet-in-the-middle framework together with a first complexity analysis. The most important techniques used in modern meet-in-the-middle cryptanalysis are given next, such as partial or indirect matching, the sieve-in-the-middle or the splice-and-cut technique. Finally, a method called biclique, which permits extension of the number of rounds of a meet-in-the-middle attack, is presented.

Chapter 8 presents meet-in-the-middle Demirci-Selçuk attacks, an advanced form of meet-in-the-middle cryptanalysis, particularly successful on reduced versions of the AES. The chapter starts by presenting the basic form of this attack and discusses its application to the AES. Then, several refinements and techniques are given. A discussion of how to choose the best parameters for mounting such an attack is provided, and finally a series of tools for applying a meet-in-the-middle attack in an automated way are briefly presented.

Invariant attacks are a form of structural cryptanalysis against block ciphers and cryptographic permutations that has proved particularly efficient against some lightweight cryptographic designs. Chapter 9 presents the most important concepts and ideas behind two important classes of invariant attacks, the invariant subspace attacks and the nonlinear invariant attacks. Methods to detect potential vulnerabilities in cryptographic designs that could lead to the presence of invariants are discussed. Finally, design criteria to prevent attacks based on invariants are provided, and a link between invariant attacks and linear approximations is discussed.

Chapter 10 gives an overview of higher order differential and integral attacks as well as some of their most important variants. All these attacks exploit either some algebraic or some structural property of the underlying design, or sometimes both types of properties at the same time. The chapter starts by describing the notions of integrals and higher order derivatives. The notion of algebraic degree, essential for these attacks, and its properties for iterated permutations are presented next. A powerful tool, called the division property, that can be seen as a combination of integral and higher order differential cryptanalysis is given. Finally, attacks based on integrals are discussed.

Cube attacks and cube testers are additional methods of algebraic cryptanalysis that target designs with a relatively low number of nonlinear operations. Chapter 11 is dedicated to this class of attacks and summarizes the main ideas of these techniques. The classical cube attack that aims at recovering the secret key by analyzing the algebraic form of the cipher is described first. Then, a related distinguishing technique, called cube testers, is presented. Finally, conditional differential attacks and dynamic cube attacks, key recovery techniques related to cube attacks, are briefly given.

Chapter 12 describes correlation attacks against stream ciphers, one of the most well-studied and efficient cryptanalysis techniques against this class of algorithms. The main idea of attacks against nonlinear combination generators is first presented. The link between correlation attacks and the linear codes decoding problem is presented next. Notably, the so-called fast correlation attacks, which exploit the above link to speed up the decoding problem, are extensively analyzed. Finally, the chapter is concluded with two generalizations of correlation attacks on the stream ciphers E0 and A5/1.

ARX ciphers are constructions that only use the operations of modular addition, rotation and XOR to compute their output. These ciphers, described in Chapter 13, permit constant-time and extremely fast implementations in software and have been used in several popular designs and standards. The basic structure of such schemes is first described. Then, the development of ARX ciphers since the 1980s until today is provided. The properties of modular addition, the only nonlinear operation in these constructions, are discussed next, as these properties are crucial for understanding the security of these schemes. Finally, methods and tools for analyzing the security of ARX ciphers are presented.

The NIST SHA-3 competition was a public competition held by the US National Institute of Standards and Technology (NIST) between 2008 and 2012. Its goal was to develop and standardize a new hash function called SHA-3. During the 4 years of the competition, many new hash function cryptanalysis techniques emerged. Chapter 14 is dedicated to the presentation of some of these techniques. First, a discussion of the difference between attacks against keyed and keyless primitives is provided. Then, the biggest part of this chapter is dedicated to the description of the rebound attack, probably the most powerful technique that emerged in this context against substitution-permutation network (SPN)-based hash functions. At the end of this chapter, other new cryptanalysis methods developed against some SHA-3 candidates, notably internal differential cryptanalysis and rotational cryptanalysis, are presented.

SHA-1 is a standardized cryptographic hash function, deprecated since 2011, which was nevertheless implemented inside a multitude of industrial products for decades and is still in use in many applications. The cryptanalysis efforts against this standard form a fascinating series of results leading up to the practical break of the function in 2017. Chapter 15 is dedicated to the cryptanalysis of SHA-1 and describes the most important cryptanalysis techniques that were developed while trying to break SHA-1.

The second part of this book is devoted to the discussion of some promising future directions for the field of symmetric cryptology.

During the last decade, many resource-constrained computing environments were developed and widely deployed. Most of them treat sensitive data and need to implement cryptographic algorithms to ensure their security. However, most general-purpose cryptographic algorithms cannot be implemented on such constrained devices while keeping decent performance, so new cryptographic constructions are needed. Lightweight cryptography encompasses all cryptographic primitives, schemes and protocols that are optimized for resource-constrained devices. Chapter 16 is dedicated to lightweight cryptography and provides an overview of the standardization efforts, desired features and design trends for these applications. The NIST standardization process for lightweight cryptography, a public competition launched in 2018, is notably discussed.

The future arrival of quantum computers will have enormous consequences for the field of cryptography. The cryptographic community has been devoting significant time and effort over several years in anticipation of these potential effects. We know today that the most deployed public key schemes will be broken, notably because of Shor’s algorithm, and for this reason the public key community is actively searching for solutions and replacements. However, for symmetric algorithms, the situation is different. The main quantum algorithm relevant to symmetric cryptography is Grover’s algorithm, which speeds up the generic exhaustive search attack by a square-root factor. Thus, doubling the size of the key would potentially be sufficient to overcome this problem. However, it is naïve to believe that this will be the only consequence for symmetric schemes. For this reason, for some years, a new domain dedicated to the quantum cryptanalysis of symmetric primitives, modes and constructions has emerged. The most important of these efforts and the latest results are described in Chapter 17 of this book.

Not all symmetric algorithms are intended to be run on classical computing environments such as CPUs or smartcards. Chapter 18 describes the latest efforts made in designing the newly introduced arithmetization-oriented (AO) symmetric ciphers, intended to be used within some particular zero-knowledge protocols, homomorphic encryption (HE) or multi-party computation (MPC) schemes. This chapter describes the most important design strategies for this family of ciphers and briefly discusses the most promising cryptanalysis techniques against them.

Chapter 19 finally describes some promising future directions for the design of symmetric primitives. In particular, doubly extendable cryptographic keyed (deck) functions are discussed.

The field of cryptography has never stopped evolving since the appearance of the first commercial cryptographic applications in the 1970s. Due to this constant evolution, providing a complete survey of all the design trends, cryptanalysis techniques or proof methods is an extremely difficult task. We believe, however, that this book offers a good starting point to all readers interested in learning about the most important and promising results of the field, in particular to all those wishing to learn how to design and analyze a secure symmetric cipher. We believe that the two volumes of this work will be helpful to researchers, master’s and PhD students studying or working in the field of cryptography as well as to all professionals working in the field of cybersecurity.

July 2023

PART 1

Cryptanalysis of Symmetric-key Algorithms

1

Differential Cryptanalysis

Henri Gilbert and Jérémy Jean
ANSSI, Paris, France

Differential cryptanalysis is a statistical chosen-plaintext attack method applicable to many block ciphers. It was discovered by Biham and Shamir (1990), whose seminal paper “Differential Cryptanalysis of DES-like Cryptosystems” introduced the main underlying concepts and their application to the cryptanalysis of the Data Encryption Standard (DES), the main standard block cipher at that time. While this paper only described how to break up to 15 of the 16 rounds of DES faster than exhaustive key search, the authors showed a few months later that an enhanced differential cryptanalysis makes it possible to break the full 16-round DES using about $2^{47}$ chosen plaintexts and a computational effort equivalent to about $2^{47}$ DES encryptions (Biham and Shamir 1992). This was the first published cryptanalysis breaking DES faster than exhaustive key search.

The main idea of differential cryptanalysis can be outlined as follows. For many block ciphers, if two plaintext blocks differ only in well-selected bit positions, then even after nearly all rounds, the bits where the resulting partial encryptions differ tend to stay confined in prescribed positions. This phenomenon can often be explained by the limited diffusion operated by the internal round function of the block cipher. Consequently, the two resulting inputs to the last round(s) can tend to differ in certain bit positions with an abnormally high probability. Under some conditions on the last round(s), such a partial (statistical) a priori knowledge of the input to the final round(s) can be leveraged for guessing partial information on the last round(s) subkey(s) with a smaller time complexity than an exhaustive search, and thus initiate a divide-and-conquer process that eventually leads to a full key recovery.


Outline: in this chapter, we first provide in section 1.1 some general background on the (statistical) cryptanalysis of iterated block ciphers and introduce the notion of distinguisher that is instrumental in most known classes of attacks on such ciphers. We then present, in section 1.2, the main notions encountered in differential cryptanalysis, for example, the notions of differential characteristic and differential, using Biham and Shamir’s seminal attack against up to 15 DES rounds as our main guiding thread. For that purpose, we successively focus on the distinguishing part and the key-recovery part of differential cryptanalysis. We complete this presentation by outlining, in section 1.3, a few examples of the possible refinements or extensions of differential cryptanalysis, in particular the differential effect and the case of truncated differential characteristics. We summarize in section 1.4 some of the strategies followed by block cipher designers to achieve resistance against differential cryptanalysis, in particular the wide trail strategy that represents the main design rationale behind the AES standard. Finally, we conclude the chapter in section 1.5 by providing a few notes and references to some notable results related to differential cryptanalysis.

1.1. Statistical attacks on block ciphers: preliminaries

Throughout this chapter, we use the notation $E = (E_K)_{K \in \{0,1\}^k}$ to refer to an iterative $r$-round block cipher and the notation $E_K$ to refer to a particular instance of $E$ parameterized by a $k$-bit key $K$. We denote the block size in bits of $E$ by $n$. The $r$ rounds of $E$ are numbered from 1 to $r$. For any two round numbers $i, j$, $1 \leq i \leq j \leq r$, we denote the composition of the consecutive rounds $i, i+1, \ldots, j$ by $E^{[i,j]}$ and the instance of $E^{[i,j]}$ parameterized by a $k$-bit key $K$ by $E^{[i,j]}_K$.

Figure 1.1. Overall structure of a statistical attack on an iterative block cipher: the plaintext $P$ is mapped by $E'_K$ (covered by the PRP distinguisher) to the intermediate value $X$, then by $E''_K$ (covered by the key guess) to the ciphertext $C$; $K$ denotes the key.

Most statistical key-recovery attacks against iterative block ciphers, including differential cryptanalysis, have the following overall structure.

– Initial versus final rounds: following the notation introduced above, we denote the attacked block cipher by $E$ and the targeted instance of $E$ by $E_K$. The block cipher $E$ is viewed as the composition $E'' \circ E'$ of an initial permutation $E' = E^{[1,r']}$ that consists of a suitable number $r' < r$ of initial rounds of $E$ and a final permutation $E'' = E^{[r'+1,r]}$ that consists of the $r'' = r - r'$ remaining rounds of $E$. Typical values of $r''$ are low, for instance one round or two rounds. Such a split of $E$ reflects the frequently encountered situation, illustrated in Figure 1.1, where the key guessing part of the attack targets the final round(s) of $E$. We will only consider such attacks in the following for simplification purposes. Indeed, while there also exist attacks where the key guessing part targets the initial round(s) or both the initial and final rounds, the techniques to handle all these attack structures are essentially the same.

– Distinguisher on the initial rounds: the engine of the attack consists of a distinguisher on $E'$, also sometimes referred to as a PRP distinguisher, that is, a pseudo-random permutation distinguisher. Such a distinguisher essentially expresses a non-trivial correlation between chosen plaintexts and their encryptions under $E'_K$ that holds for all keys $K$ or a large fraction of the key space. Slightly more in detail, a distinguisher is a testing algorithm $\mathcal{A}$ equipped with an oracle access to an $n$-bit to $n$-bit function $\mathcal{O}$, that is, able to query the function $\mathcal{O}$ repeatedly ($D_{\mathcal{A}}$ times) in a black-box manner, to process the collected responses and to return a binary output $\mathcal{A}^{\mathcal{O}} \in \{0, 1\}$. The oracle $\mathcal{O}$ is queried by $\mathcal{A}$ with non-adaptively chosen inputs in the case of distinguishers used in differential attacks, but potentially with known or (adaptively) chosen inputs and/or outputs in distinguishers used for other attacks. $\mathcal{A}$ must make it possible to efficiently tell apart a random instance $E'_K$ of $E'$ associated with a secret random key $K$ from a uniformly drawn random permutation $P$ of the block space $\{0,1\}^n$ using its binary output $\mathcal{A}^{\mathcal{O}} \in \{\mathcal{A}^{E'_K}, \mathcal{A}^{P}\}$. Let us assume that before $\mathcal{O}$ is invoked for the first time, both kinds of oracle are equiprobable and that $\mathcal{A}$ predicts that a random instance of $E'$ has been queried if and only if $\mathcal{A}^{\mathcal{O}} = 0$. Let us denote by $p_0$ (respectively, $p_1$) the probability that $\mathcal{A}^{\mathcal{O}}$ outputs 0 if $\mathcal{O}$ is a random instance of $E'$ (respectively, a random instance $P$ of a perfect random permutation of $\{0,1\}^n$). We want $\mathcal{A}$’s success probability $p_{\mathrm{win}} = \frac{1}{2} + \frac{p_0 - p_1}{2}$ of making the correct prediction to be close to one.¹ Finding a distinguisher $\mathcal{A}$ usable for an attack, that is, that covers a number of rounds $r'$ sufficiently close to $r$ and requires a sufficiently low number $D_{\mathcal{A}} \ll 2^n$ of $n$-bit black-box queries and a sufficiently moderate computation time $T_{\mathcal{A}} \ll 2^k$ (where $T_{\mathcal{A}}$ is measured as an equivalent number of $E$ computations, and satisfies by definition $T_{\mathcal{A}} \geq D_{\mathcal{A}}$), often represents the most demanding part of the attack.

1 In order to quantify the efficiency of $\mathcal{A}$ in telling apart a random instance of $E'$ from a random instance $P$ of a perfect random permutation, a slightly more general measure than $p_{\mathrm{win}} = \frac{1}{2} + \frac{p_0 - p_1}{2}$ is often used, the advantage of $\mathcal{A}$: $\mathrm{Adv}(\mathcal{A}) = |\Pr(\mathcal{A}^{E'_K} = 0) - \Pr(\mathcal{A}^{P} = 0)| = |p_0 - p_1|$. While $p_{\mathrm{win}}$ and $\mathrm{Adv}(\mathcal{A})$ equivalently measure this efficiency when $p_0 \geq p_1$, $\mathrm{Adv}(\mathcal{A})$ also allows to measure this efficiency in the situation where $p_1 > p_0$. Indeed, $\mathcal{A}$ can still be leveraged in that case, with the modified convention that $\mathcal{A}$ predicts that $E'$ has been queried if and only if $\mathcal{A}^{\mathcal{O}} = 1$. This leads, as in the $p_0 \geq p_1$ case, to a prediction success probability of $\frac{1}{2} + \frac{\mathrm{Adv}(\mathcal{A})}{2}$.


– Recovering information on the final round(s) subkey(s): once a suitable distinguisher $\mathcal{A}$ on $E'$ has been identified, it can be leveraged for setting up a hypothesis testing in order to extract information on the $r''$ subkeys $K_{r'+1}$ to $K_r$ of $E''_K$. In order to test the validity of an assumption $\hat{\kappa}$ on a relevant $t$-bit part $\kappa$ of these subkeys (where $t$ is assumed to satisfy the condition $t \leq k$), the adversary collects $D_{\mathcal{A}}$ chosen plaintexts $X^i$, with $i = 1, \ldots, D_{\mathcal{A}}$, as well as the associated ciphertexts $Y^i = E_K(X^i)$ and performs the following computations:

1) it partially decrypts the $Y^i$ under the instance of $E''$ parameterized by $\hat{\kappa}$, thus obtaining assumed values $\hat{Z}^i$ of the $D_{\mathcal{A}}$-tuple of intermediate blocks $Z^i = E'_K(X^i)$;

2) it applies the test $\mathcal{A}$, using the $X^i$ as oracle queries and the $\hat{Z}^i$ as oracle responses. Only those $\hat{\kappa}$ values for which $\mathcal{A}$ outputs the value 0 are retained as candidate values for the actual value $\kappa$.

The following heuristic argument shows why this procedure can be expected to retain the right assumption $\kappa$ and to discard a large fraction of wrong assumptions with a high probability. If $\hat{\kappa} = \kappa$ ($H_0$ assumption), the responses $\hat{Z}^i$ to the oracle queries $X^i$ are equal to $E''^{-1}_K(Y^i) = E'_K(X^i)$ and therefore $\mathcal{A}$ is expected to output 0 with probability $p_0$. If on the contrary $\hat{\kappa} \neq \kappa$ (alternate $H_1$ assumption), the decryption of the $Y^i$ ciphertexts under the instance of $E''$ parameterized by the wrong key assumption $\hat{\kappa}$ can be viewed as a further randomization of the $Y^i$ by $r''$ extra rounds instead of the decryption of the $r''$ last rounds. This suggests that for most such keys, the obtained values $\hat{Z}^i$ behave as the result of applying a uniformly drawn permutation of the block space to the $X^i$. Consequently, the distinguisher $\mathcal{A}$ can be expected to output 0 with a probability close to $p_1$. The former procedure provides a list of candidate values $\hat{\kappa}$ for $\kappa$ that contains the actual value $\kappa$ with probability $p_0$. Moreover, the average length of this list is $p_0 + p_1 \cdot (2^{|\kappa|} - 1)$. In other words, if $p_0$ is sufficiently close to 1 and $p_1$ is sufficiently small, the obtained list is likely to contain $\kappa$ and the number of candidate values for $\kappa$ is reduced by a factor close to $p_1$. Once the right value of $\kappa$ or a short list of candidate values for $\kappa$ has been recovered, this initial information on the last round subkeys can often be completed by extra information on the same subkeys until the adversary is able to fully decrypt $E''_K$ and is essentially left with the problem of recovering the key of $E'_K$ or an equivalent representation of $E'_K$, which can be expected to be easier than the initial problem of recovering the key of $E_K$ or an equivalent representation of $E_K$ since $E'_K$ has fewer rounds.

In summary, recovering initial information on $\kappa$ is often the most critical step of a divide-and-conquer key-recovery process that eventually leads to recovering the whole key faster than an exhaustive search.


1.2. Principle of differential cryptanalysis and application to DES

1.2.1. Differential transitions and differential characteristics

In differential cryptanalysis, the following point of view is adopted. Let us consider a fixed or keyed $n$-bit to $m$-bit function $F$, respectively, $\mathbf{F} = (F_K)_{K \in \{0,1\}^k}$ – for example, a block cipher $E = (E_K)$ or an underlying transformation such as a keyless S-box $S$. Instead of viewing $F$ or $\mathbf{F}$ as a (keyed) deterministic function, one partitions the possible pairs $(X, X')$ of input values of $F$ or $\mathbf{F}$ and the associated pairs of output values $(Y, Y')$ according to their difference value, that is, their exclusive or² $\Delta X = X \oplus X'$, and one views the output difference $\Delta Y = Y \oplus Y'$ as a probabilistic function of $\Delta X$.

DEFINITION 1.1 (Differential transition probability, differential).– Given any pair $(\delta_{in}, \delta_{out}) \in \{0,1\}^n \times \{0,1\}^m$, the probability associated with the differential transition $\delta_{in} \to \delta_{out}$ (also called the differential $\delta_{in} \to \delta_{out}$) for $F$ (respectively, for $\mathbf{F}$) is defined as the conditional probability

$$\mathrm{DP}_F[\delta_{in} \to \delta_{out}] = \Pr_{X \xleftarrow{\$} \{0,1\}^n}\left[\Delta Y = \delta_{out} \mid \Delta X = \delta_{in}\right],$$

respectively:³

$$\mathrm{DP}_{\mathbf{F}}[\delta_{in} \to \delta_{out}] = \Pr_{X \xleftarrow{\$} \{0,1\}^n,\; K \xleftarrow{\$} \{0,1\}^k}\left[\Delta Y = \delta_{out} \mid \Delta X = \delta_{in}\right].$$

The difference values $\delta_{in}$ and $\delta_{out}$ are named the input difference and output difference of the differential $\delta_{in} \to \delta_{out}$. A short notation for expressing the existence of a differential $\delta_{in} \to \delta_{out}$ of probability $p = \mathrm{DP}_{F \text{ or } \mathbf{F}}[\delta_{in} \to \delta_{out}]$ is

$$\delta_{in} \to \delta_{out} \quad [p].$$

Unless otherwise specified, concrete values for such characteristics will be given in hexadecimal notation in the following.

2 The difference $\Delta X$ between two $n$-bit values $X$ and $X'$ is here defined as their difference under the exclusive or addition law $\oplus$, that is, $X \oplus X'$, since $X'$ is its own opposite according to this law. There are rare cases where differential cryptanalysis can be more efficiently applied when considering differences under another law; for example, $X$ and $X'$ might represent integers modulo $2^n$ and their difference would be defined as $X - X' \bmod 2^n$. We will not detail such cases in the following.

3 We note that $\mathrm{DP}_{\mathbf{F}}[\delta_{in} \to \delta_{out}]$ is sometimes also named the expected differential probability (EDP) of the differential $D : \delta_{in} \to \delta_{out}$.


            δout
 δin    0  1  2  3  4  5  6  7
  0     8  -  -  -  -  -  -  -
  1     -  2  -  2  -  2  -  2
  2     -  -  2  2  -  -  2  2
  3     -  2  2  -  -  2  2  -
  4     -  -  -  -  2  2  2  2
  5     -  2  -  2  2  -  2  -
  6     -  -  2  2  2  2  -  -
  7     -  2  2  -  2  -  -  2

Table 1.1. DDT of the 3-bit permutation from example 1.1 (rows: input difference δin, columns: output difference δout; "-" stands for 0)

1.2.1.1. Differential behavior of keyless or fully instantiated keyed functions

In the simple case of an $\mathbb{F}_2$-linear function $L$, $\Delta Y$ actually behaves as a deterministic function of $\Delta X$.

PROPOSITION 1.1 (Differential transition probabilities for a linear function).– For any $\mathbb{F}_2$-linear $n$-bit to $m$-bit function $L$ and any input/output difference pair $(\delta_{in}, \delta_{out}) \in \{0,1\}^n \times \{0,1\}^m$, the probability of the differential $\delta_{in} \to \delta_{out}$ is equal to 1 if $\delta_{out} = L(\delta_{in})$ and 0 otherwise.

Proof. For any $(X, X')$ pair such that $X \oplus X' = \delta_{in}$, the $\mathbb{F}_2$-linearity of $L$ implies that $L(X) \oplus L(X') = L(X \oplus X') = L(\delta_{in})$.

Proposition 1.1 more generally holds in the case of an $\mathbb{F}_2$-affine function. In the case of an $n$-bit to $m$-bit function $F$ that is not $\mathbb{F}_2$-affine, $\Delta Y$ no longer behaves as a deterministic function of $\Delta X$, but as a probabilistic function of $\Delta X$.

DEFINITION 1.2 (Differential transition probability and difference distribution table for a keyless function).– One can associate to a keyless function $F$ the difference distribution table (DDT) of $F$ or equivalently its differential transition probability table, that is, the $2^n \times 2^m$ table whose entry associated with row $\delta_{in} \in \{0,1\}^n$ and column $\delta_{out} \in \{0,1\}^m$ is $\mathrm{DDT}_F[\delta_{in} \to \delta_{out}] = \#\{x \mid F(x) \oplus F(x \oplus \delta_{in}) = \delta_{out}\}$, respectively, the differential transition probability $\mathrm{DP}_F[\delta_{in} \to \delta_{out}]$, that is equal to $\mathrm{DDT}_F[\delta_{in} \to \delta_{out}]/2^n$.

EXAMPLE 1.1.– Take $S = [5, 2, 7, 4, 3, 6, 0, 1]$ as an example of a 3-bit nonlinear permutation given by its lookup table. This function is almost perfect nonlinear (APN), and its difference distribution table is given in Table 1.1.

PROPOSITION 1.2 (Differential transition probabilities for the composition of a key addition and a keyless function).– If a keyed $n$-bit to $m$-bit function $F'$ is the composition of a key addition $\mathrm{Add}_\kappa : x \mapsto x \oplus \kappa$ and a keyless $n$-bit to $m$-bit function $F$, that is, $F' = F \circ \mathrm{Add}_\kappa$, then for any $(\delta_{in}, \delta_{out})$ pair the differential transition probability $\mathrm{DP}_{F'}[\delta_{in} \to \delta_{out}]$ is independent of the value of $\kappa$ and equal to $\mathrm{DP}_F[\delta_{in} \to \delta_{out}]$.

Proof. We have

$$\mathrm{DP}_{F'}[\delta_{in} \to \delta_{out}] = \Pr_{x \xleftarrow{\$} \{0,1\}^n}\left[F(x \oplus \kappa) \oplus F(x \oplus \delta_{in} \oplus \kappa) = \delta_{out}\right].$$

Thus, the change of variable $x' = x \oplus \kappa$ allows to get:

$$\mathrm{DP}_{F'}[\delta_{in} \to \delta_{out}] = \Pr_{x' \xleftarrow{\$} \{0,1\}^n}\left[F(x') \oplus F(x' \oplus \delta_{in}) = \delta_{out}\right] = \mathrm{DP}_F[\delta_{in} \to \delta_{out}].$$
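As an added example that is not part of the book, the following Python code reproduces Table 1.1 from the S-box of Example 1.1, checks Proposition 1.2 on it, and then runs the key-recovery procedure of section 1.1 against a constructed two-round toy cipher built from two copies of S. The toy cipher, its bit permutation PI, the subkeys and the retention threshold are assumptions of this example; the distinguisher on E' is a one-round differential of probability 1/4 and the partial decryption targets the low nibble of the last subkey.

```python
# 3-bit APN permutation of Example 1.1 and its inverse
S = [5, 2, 7, 4, 3, 6, 0, 1]
S_INV = [S.index(v) for v in range(8)]


def ddt(sbox):
    """Difference distribution table (Definition 1.2): table[d_in][d_out]."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for d_in in range(n):
            table[d_in][sbox[x] ^ sbox[x ^ d_in]] += 1
    return table


def is_apn(sbox):
    """APN: every non-zero input difference has DDT entries in {0, 2}."""
    t = ddt(sbox)
    return all(t[d][e] in (0, 2) for d in range(1, len(sbox)) for e in range(len(sbox)))


def ddt_with_key_addition(sbox, kappa):
    """DDT of x -> S(x XOR kappa); Proposition 1.2 says it equals the DDT of S."""
    return ddt([sbox[x ^ kappa] for x in range(len(sbox))])


# ---- constructed toy cipher (an assumption of this example) -----------------
# 6-bit block = two 3-bit nibbles (a, b), a in the high bits.
# Round: XOR the subkey, apply S to each nibble, then the bit permutation PI.
# E = E'' o E' with E' = round 1 (with PI) and E'' = round 2 without PI
# followed by a final subkey XOR.  Bit positions are numbered 0..5, MSB first.
PI = [0, 3, 1, 4, 2, 5]           # output position j takes input position PI[j]


def sbox_layer(x):
    return (S[(x >> 3) & 7] << 3) | S[x & 7]


def permute(x):
    y = 0
    for j, src in enumerate(PI):
        y |= ((x >> (5 - src)) & 1) << (5 - j)
    return y


def e_prime(x, k1):                  # E'_K: one full round
    return permute(sbox_layer(x ^ k1))


def encrypt(x, k1, k2, k3):          # E_K = E''_K o E'_K
    return sbox_layer(e_prime(x, k1) ^ k2) ^ k3


# One-round characteristic used as the distinguisher on E':
# input difference (011, 000); S maps 011 -> 001 with DDT entry 2 (prob 1/4)
# and PI sends that single output bit into the middle of nibble b.
DELTA0 = 0b011000
DELTA1 = permute(0b001000)          # = 0b000010


def characteristic_probability(k1):
    """Exact probability of DELTA0 -> DELTA1 over E' for subkey k1 (key independent)."""
    good = sum(e_prime(x, k1) ^ e_prime(x ^ DELTA0, k1) == DELTA1 for x in range(64))
    return good / 64


def recover_last_subkey_nibble(k1, k2, k3, threshold=4):
    """Hypothesis test of section 1.1 on the low nibble of k3.

    For every pair with input difference DELTA0, partially decrypt the low
    nibble under each candidate kappa_hat and count the pairs whose difference
    at the input of the last S-box layer equals DELTA1.  A pair can only be
    good if the high nibble of the ciphertext difference is zero (S is a
    bijection), so such pairs are filtered first without any key guess.
    Returns (counts per candidate, retained candidates)."""
    pairs = [(x, x ^ DELTA0) for x in range(64) if x < x ^ DELTA0]   # 32 pairs
    counts = [0] * 8
    for x, xp in pairs:
        y, yp = encrypt(x, k1, k2, k3), encrypt(xp, k1, k2, k3)
        if (y ^ yp) >> 3:            # high nibble of the difference is non-zero
            continue
        for kappa_hat in range(8):
            z = S_INV[(y & 7) ^ kappa_hat]
            zp = S_INV[(yp & 7) ^ kappa_hat]
            if (z ^ zp) == (DELTA1 & 7):
                counts[kappa_hat] += 1
    # the right key sees about p * N = 8 good pairs; wrong keys far fewer
    retained = [k for k in range(8) if counts[k] >= threshold]
    return counts, retained


if __name__ == "__main__":
    for row in ddt(S):                                   # Table 1.1
        print(" ".join("-" if v == 0 else str(v) for v in row))
    K1, K2, K3 = 0b101100, 0b011010, 0b110001            # constructed subkeys
    print(characteristic_probability(K1))                # 0.25
    print(recover_last_subkey_nibble(K1, K2, K3))        # retains K3 & 7 == 1
```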

1.2.1.2. Differential behavior of keyed functions

An $r$-round iterated block cipher $E$ is vulnerable to differential cryptanalysis if there exists a differential of exceptionally high (or exceptionally low) differential probability for the composition of a sufficient number $t \leq r$ of consecutive rounds of $E$, for example, the composition $E^{[1,t]}$ of the $t = r-1$ or $r-2$ first rounds of $E$. Such a differential plays the role of the statistical distinguisher on $E^{[1,t]}$ introduced in section 1.1. The reason why this situation is frequently encountered is that many iterated block ciphers exhibit the following statistical behavior. If a random input block $X_0$ is replaced by the exclusive or $X'_0 = X_0 \oplus \delta_0$ of $X_0$ with a well-chosen input difference value $\delta_0$, then if we denote the partial encryption of $X_0$ (respectively, $X'_0$) under $i \leq r$ rounds by $X_i$ (respectively, $X'_i$), the probability distribution of the sequence of difference values $\Delta X_1 = X_1 \oplus X'_1$, $\Delta X_2 = X_2 \oplus X'_2$, $\ldots$, $\Delta X_t = X_t \oplus X'_t$ is:

i) strongly non-uniform: there exists a particularly likely $t$-tuple of values $(\delta_1, \delta_2, \ldots, \delta_t)$ for the $t$-tuple $(\Delta X_1, \Delta X_2, \ldots, \Delta X_t)$;

ii) totally or at least largely independent from the value of the key $K$.

Such a statistical behavior is captured by the notion of differential characteristic.

DEFINITION 1.3 (Differential characteristic).– A differential characteristic for the composition $E^{[t,t']}$ of $t'-t+1$ consecutive rounds of an $r$-round block cipher $E$ (where $1 \leq t \leq t' \leq r$) is a $(t'-t+1)$-tuple $C = (\delta_{t-1}, \delta_t, \ldots, \delta_{t'})$ of $n$-bit difference values, also equivalently denoted $\delta_{t-1} \to \delta_t \to \cdots \to \delta_{t'}$. For a given key, a pair $(X_{t-1}, X'_{t-1})$ of $n$-bit inputs to round $t$ is a good pair for $C$ if and only if $(\Delta X_{t-1}, \Delta X_t, \ldots, \Delta X_{t'}) = C$. The probability of the differential characteristic $C$ is the probability $p$ over a random key $K$ that a uniformly drawn random pair $(X_{t-1}, X'_{t-1})$ of difference value $\Delta X_{t-1} = \delta_{t-1}$ be a good pair for $C$. This is summarized by the compact notation

$$C : \quad \delta_{t-1} \to \delta_t \to \cdots \to \delta_{t'} \quad [p].$$


1.2.2. Derivation of non-trivial differential characteristics

1.2.2.1. Derivation of the probability of one-round characteristics

In the specific case of one-round characteristics, the notions of differential characteristic (definition 1.3) and differential (definition 1.1) coincide. Thus, all the remarks of the former section on the computation of differential transition probabilities for linear or nonlinear, keyed or non-keyed functions apply to the computation of the probability of one-round characteristics.

EXAMPLE 1.2 (One-round characteristic for DES).– Let us recall the structure of each of the 16 DES rounds, where the round function is denoted by $R$ (see Chapter 3 of volume 1 for the description and figure of a classical Feistel round function). It is parameterized by a 48-bit subkey $K_i$ derived for the considered round number $i \in [1, \ldots, r]$ from the 56-bit DES key $K$. The function $R$ is derived from a 32-bit to 32-bit function $\Phi = (\Phi_{K_i})$ (see Figure 1.2), also parameterized by $K_i$, using the Feistel scheme. In other words, if we decompose $R_{K_i}$’s $n$-bit input and output blocks $X$ and $Y = R_{K_i}(X)$ into a left and a right 32-bit half-block, as $X = (X_L, X_R)$ and $Y = (Y_L, Y_R)$, $R_{K_i}$ is given by $Y_L = X_R$, $Y_R = \Phi_{K_i}(X_R) \oplus X_L$. The function $\Phi_{K_i}$ can in turn be decomposed as $\Phi_{K_i} = P \circ SB \circ \mathrm{Add}_{K_i} \circ \mathrm{Exp}$, where $\mathrm{Exp}$ is a 32-bit to 48-bit expansion function, $\mathrm{Add}_{K_i}$ is an exclusive or between the 48-bit input word and $K_i$, $SB$, the single non-affine component of $\Phi$, is the 48-bit to 32-bit mapping resulting from the parallel application of the eight 6-bit to 4-bit DES S-boxes, and $P$ is the final permutation (wire-crossing).

Figure 1.2. DES Feistel F-function Φ

The probability of any one-round characteristic $(\delta_L, \delta_R) \to (\delta'_L, \delta'_R)$ can be derived from the knowledge of the transition probabilities $\mathrm{DP}_\Phi[\delta \to \delta']$ for input/output difference pairs $(\delta, \delta')$ of $\{0,1\}^{32}$. Indeed, it is easy to show that proposition 1.2 implies that $\mathrm{DP}_R[(\delta_L, \delta_R) \to (\delta'_L, \delta'_R)]$ equals $\mathrm{DP}_\Phi[\delta_R \to \delta'_R \oplus \delta_L]$ if $\delta'_L = \delta_R$, or 0 otherwise.


To illustrate this by a concrete example of characteristic for $\Phi$, the knowledge of the DDT of the DES S-box $S_2$ allows to show that each instance $\Phi_{K_i}$ of $\Phi$ and thus $\Phi$ itself satisfies the following differential transition (difference values are expressed in hexadecimal notation):

$$\mathtt{04000000} \to \mathtt{40080000} \quad [1/4],$$

which essentially expresses that the S-box $S_2$ satisfies the 6-bit to 4-bit differential transition (given in binary):

$$\mathtt{001000} \to \mathtt{1010} \quad [1/4].$$

Consequently, the DES round function $R = (R_{K_i})$ satisfies the following one-round characteristic (represented in Figure 1.3 up to the final swap):

$$\mathtt{00000000}\ \mathtt{04000000} \to \mathtt{04000000}\ \mathtt{40080000} \quad [1/4].$$

Figure 1.3 uses the notational convention that will be followed throughout this chapter: the values indicated at the inputs, outputs and branches of the scheme represent difference values.

Figure 1.3. One-round DES characteristic of probability 1/4 (input difference (0x00000000, 0x04000000), transition 0x04000000 → 0x40080000 through $\Phi_{K_i}$, output difference (0x04000000, 0x40080000))

Another consequence of the former characteristic for $\Phi$ is that $R$ also satisfies the following one-round characteristic, where the left input difference value 00000000 is replaced by 40080000 to cancel out the output difference of $\Phi$:

$$(\mathtt{40080000}, \mathtt{04000000}) \to (\mathtt{04000000}, \mathtt{00000000})\ [1/4].$$
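As an added worked example (not code from the book), the following Python computes the difference distribution table of the DES S-box $S_2$ with the FIPS row/column input convention and checks the transition $001000 \to 1010$ of probability 1/4 that example 1.2 relies on; its only input is the standard $S_2$ table, and the function names are this example's own.

```python
from fractions import Fraction

# DES S-box S2 (FIPS 46) as a 4 x 16 table. For a 6-bit input b1..b6 the row is
# (b1 b6) and the column is (b2 b3 b4 b5), as in the standard.
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]


def des_sbox(table, x):
    """Evaluate a DES S-box on a 6-bit input x = b1 b2 b3 b4 b5 b6 (b1 most significant)."""
    row = ((x >> 5) & 1) << 1 | (x & 1)   # outer bits b1 b6 select the row
    col = (x >> 1) & 0xF                   # inner bits b2 b3 b4 b5 select the column
    return table[row][col]


def ddt(table):
    """Difference distribution table: ddt[a][b] = #{x in {0,1}^6 : S(x) ^ S(x ^ a) = b}."""
    t = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for x in range(64):
            t[a][des_sbox(table, x) ^ des_sbox(table, x ^ a)] += 1
    return t


def transition_probability(table, a, b):
    """DP_S[a -> b] = ddt[a][b] / 2^6, as an exact fraction."""
    return Fraction(ddt(table)[a][b], 64)


def best_transitions(table, a):
    """Output differences reachable from input difference a, most probable first: [(count, b), ...]."""
    return sorted(((cnt, b) for b, cnt in enumerate(ddt(table)[a]) if cnt), reverse=True)


def zero_output_transitions(table):
    """Non-zero input differences that the S-box can absorb (output difference 0): the
    non-bijectivity of a 6-bit to 4-bit S-box that example 1.4 exploits for the whole F-function."""
    return [a for a in range(1, 64) if ddt(table)[a][0]]


if __name__ == "__main__":
    # The transition behind example 1.2: S2 input difference 001000, output difference 1010.
    print(transition_probability(S2, 0b001000, 0b1010))   # 1/4
    print(best_transitions(S2, 0b001000)[:3])
    print(len(zero_output_transitions(S2)))
```

Every DDT row sums to 64 (each input value yields exactly one output difference), so the entry 16 in row 001000, column 1010 is the probability 1/4 of example 1.2. Because the six bits entering $S_2$ are XORed with subkey bits before the lookup, the count is the same for every subkey value, which is why the transition holds for $\Phi$ itself and not only for one instance $\Phi_{K_i}$.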

1.2.2.2. Composition of characteristics

Under some conditions, a differential characteristic on $E^{[t,t']}$ (where $t' \ge t$) can be concatenated with a differential characteristic on rounds $E^{[t'+1,t'']}$ (where $t'' \ge t'+1$) and the probability of the resulting $(t''-t+1)$-round differential characteristic on $E^{[t,t'']}$ can be computed.

DEFINITION 1.4 (Composition of two differential characteristics).– A characteristic $C : \delta_{t-1} \to \delta_t \to \cdots \to \delta_{t'}$ for $E^{[t,t']}$ and a characteristic $C' : \delta'_{t'} \to \delta'_{t'+1} \to \cdots \to \delta'_{t''}$ for $E^{[t'+1,t'']}$ are composable if and only if $\delta_{t'} = \delta'_{t'}$. If this condition is met, the composition (or equivalently, the concatenation) of $C$ and $C'$ is the $E^{[t,t'']}$ characteristic $(C \,\|\, C') : \delta_{t-1} \to \delta_t \to \cdots \to \delta_{t'} \to \delta'_{t'+1} \to \cdots \to \delta'_{t''}$.

12

Symmetric Cryptography 2

It was shown in Lai et al. (1991) that under some conditions, the probability of the composition of two composable characteristics $C$ and $C'$ of probabilities $p$ and $p'$ is exactly equal to the product $pp'$.

PROPOSITION 1.3 (Markov cipher).– If the following two conditions are met:

1) $E$ is parameterized by independent uniformly drawn $m$-bit subkeys $K_i$, $i = 1, \dots, r$, and

2) for any one-round characteristic $C_i : \delta_{i-1} \to \delta_i$ and for each possible input value $X_{i-1} \in \{0,1\}^n$, the contribution $\Pr_{K_i}[R_i(X_{i-1}) \oplus R_i(X_{i-1} \oplus \delta_{i-1}) = \delta_i]$ of each input block $X_{i-1}$ to $\mathrm{DP}_{R_i}[\delta_{i-1} \to \delta_i] = p_i$ is constant and equal to $p_i$,

then the probability $p$ of any $E^{[t,t']}$ characteristic $C : \delta_{t-1} \to \delta_t \to \cdots \to \delta_{t'}$ for consecutive rounds of $E$ is the product of the probabilities $p_i$ of the $t'-t+1$ one-round characteristics $C_i$ whose composition is $C$, that is, $p = \prod_{i=t}^{t'} p_i$.

Proof. The probability $p$ is equal to $\Pr[\Delta X_{t'} = \delta_{t'} \wedge \Delta X_{t'-1} = \delta_{t'-1} \wedge \cdots \wedge \Delta X_t = \delta_t \mid \Delta X_{t-1} = \delta_{t-1}]$ and thus to $\prod_{j=t}^{t'} \Pr[\Delta X_j = \delta_j \mid \Delta X_{j-1} = \delta_{j-1} \wedge \cdots \wedge \Delta X_{t-1} = \delta_{t-1}]$ as a consequence of the identity $\Pr[a \wedge b \mid c] = \Pr[a \mid b \wedge c]\Pr[b \mid c]$. However, the second condition of proposition 1.3 implies that the following Markov property is satisfied: $\Pr[\Delta X_j = \delta_j \mid \Delta X_{j-1} = \delta_{j-1} \wedge \cdots \wedge \Delta X_{t-1} = \delta_{t-1}] = \Pr[\Delta X_j = \delta_j \mid \Delta X_{j-1} = \delta_{j-1}] = p_j$. □

Discussion: the second condition is satisfied by block ciphers whose round function is the composition of a key addition (i.e. an exclusive or with a one-block subkey) followed by a keyless bijection, for example, an SP block cipher. It can be shown to be also satisfied by the DES, as a consequence of the structure of the DES round function (Biham and Shamir 1993). Therefore, for DES with independent keys, composable characteristics would behave multiplicatively. While DES subkeys are not independent, we will make the heuristic assumption in the following (which is reasonably well satisfied in practice) that composable DES characteristics nearly behave multiplicatively.
EXAMPLE 1.3 (Three-round DES characteristic of probability approximately 1/16).– Figure 1.4 shows the three-round DES characteristic obtained by concatenating three one-round characteristics. The first and third characteristics have been presented in the former DES example and have a probability of 1/4. The second is a trivial characteristic with an input difference to $\Phi$ equal to zero and therefore a probability of one. While of exceptionally high probability, the former three-round characteristic cannot be extended to a high probability four-round characteristic because the best achievable transition probability of $\Phi$ with input difference 40080000 is much lower than 1/4.

Figure 1.4. Three-round DES characteristic of probability approximately 1/16 ($\Phi_{K_i}$: 0x04000000 → 0x40080000 with $p = 1/4$; $\Phi_{K_{i+1}}$: 0 → 0 with $p = 1$; $\Phi_{K_{i+2}}$: 0x04000000 → 0x40080000 with $p = 1/4$). For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

Particularly useful characteristics for building longer characteristics of sufficiently high probability consist of characteristics that can be composed with themselves, named iterative characteristics.

1.2.2.3. Iterative characteristics

DEFINITION 1.5 (Iterative characteristic).– An iterative characteristic over the composition $E^{[i,i+t]}$ of $t+1$ consecutive rounds of a block cipher $E$ is a characteristic $C : \delta_0 \to \delta_1 \to \cdots \to \delta_t\ [p]$ such that $\delta_t = \delta_0$, that is, the output difference is equal to the input difference.

PROPOSITION 1.4.– In the frequently encountered situation where the probabilities of differential characteristics of $E$ behave (nearly) multiplicatively, an iterative $t$-round characteristic of probability $p$ can be concatenated any number $s$ of times with itself to provide an $st$-round characteristic of probability (close to) $p^s$.

EXAMPLE 1.4 (Iterative two-round DES characteristics of probability about $\frac{1}{234}$).– In order to construct an iterative two-round characteristic for DES, it suffices to leverage the well-known non-bijectivity of the DES F-function $\Phi$ to find a transition $\delta \to 0^{32}$ of high probability for $\Phi$ for a non-zero $\delta \in \{0,1\}^{32}$. Indeed, if $\mathrm{DP}_\Phi[\delta \to 0] = p$, then for any round number $i$, the $i$th round function $R_i$ follows the one-round characteristic $(0, \delta) \to (\delta, 0)$ with probability $p$. Moreover, this one-round characteristic can be trivially concatenated with the one-round characteristic of probability one $(\delta, 0) \to (0, \delta)$ at round $R_{i+1}$. Thus, the composition $E^{[i,i+1]}$ of rounds $R_i$ and $R_{i+1}$ follows the two-round iterative characteristic $(0, \delta) \to (0, \delta)\ [p]$. Now, it remains to exhibit a concrete value $\delta \in \{0,1\}^{32}$ such that $p = \mathrm{DP}_{E^{[i,i+1]}}[(\delta, 0) \to (\delta, 0)]$ is as large as possible. Two such difference values can be shown to exist (Biham and Shamir 1993), namely $\delta_1 = \mathtt{0x19600000}$ and $\delta_2 = \mathtt{0x1b600000}$, of associated probability $p = 35/2^{13} \approx \frac{1}{234}$.

More in detail, if $\delta = \delta_1$, then, as shown in Biham and Shamir (1990), $p$ is the average of the equally weighted fixed-key transition probabilities $\mathrm{DP}^{K}_{E^{[i,i+1]}}[(\delta, 0) \to (\delta, 0)] = \frac{7}{2^{10}} \approx \frac{1}{146}$ (respectively, $\frac{7}{2^{12}} \approx \frac{1}{585}$) for those key values such that the XOR value of the two $K_i$ bits located on the 6-th bit of the S-box $S_3$ and the second bit of S-box $S_2$ is 1 (respectively, 0). The same holds if $\delta = \delta_2$, except that the sets of $K_i$ values for which the probabilities $\frac{7}{2^{10}}$ and $\frac{7}{2^{12}}$ are obtained are switched.

Figure 1.5. Two-round iterative characteristic for DES ($\delta = \mathtt{0x19600000}$; $\Phi$ transitions $\delta \to 0$ with probability $p \approx \frac{1}{234}$ and $0 \to 0$ with probability one). For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

1.2.3. Leveraging characteristics to mount a key-recovery attack

In differential attacks against an $r$-round block cipher $E$, the existence of a high probability differential characteristic $C$ of probability $p \gg 2^{-n}$ over $r' = r - r''$ rounds, where $r'' \ll r$ is typically equal to one, two or three rounds, is leveraged according to the general statistical attack framework of section 1.1 to provide a key-recovery attack. We assume here, in order to simplify the explanations, that $C$ holds for rounds 1 to $r'$ of $E$, that is, $\mathrm{DP}_{E^{[1,r']}}[\delta_0 \to \delta_1 \to \cdots \to \delta_{r'}] = p$. The distinguisher over $r'$ rounds used in the attack leverages the differential $D : \delta_0 \to \delta_{r'}$ induced by the characteristic $C$, or more generally the differential $D_\pi : \delta_0 \to \pi(\delta_{r'})$ for the left composition $\pi \circ E^{[1,r']}$ of $E^{[1,r']}$ and a suitably chosen $n$-bit to $t \le n$-bit $\mathbb{F}_2$-linear transformation $\pi$. In practice, $\pi$ can typically be the extraction of a $t$-bit, $t \le n$, subword $x_{r'}$ of the $n$-bit word $X_{r'}$, for instance, the identity or the extraction of the first byte. In the following, the probability of the differential $D_\pi$, which is assumed to be significantly higher than $2^{-t}$, will be named the signal probability and denoted by $p_S$. It is at least as large as the probability of $D$ (and thus as $p$) and may be substantially larger in some cases. Note that while we have assumed here that the existence of the $n$-bit to $t$-bit differential $D_\pi$ of high probability $p_S$ stems from the existence of a high probability characteristic $C$, the rest of the attack discussed below is not affected if this is not the case.

The attacker encrypts a sufficiently large number $M$ of random plaintext pairs $(X_0, X'_0)$ of fixed input difference $\Delta_0 = X_0 \oplus X'_0 = \delta_0$ and collects the corresponding ciphertext pairs $(X_r, X'_r) = (E_K(X_0), E_K(X'_0))$ under a fixed unknown key $K$. If we denote by $(x_{r'}, x'_{r'})$ the pair $(\pi(X_{r'}), \pi(X'_{r'}))$, where $X_{r'} = E_K^{[1,r']}(X_0)$ and $X'_{r'} = E_K^{[1,r']}(X'_0)$, and by $\Delta x_{r'}$ the difference $x_{r'} \oplus x'_{r'}$, we can observe the following.

– On the one hand, the adversary knows a priori that

$$\Pr_{X_0, K}[\Delta x_{r'} = \pi(\delta_{r'})] = \mathrm{DP}_{\pi \circ E^{[1,r']}}[\delta_0 \to \pi(\delta_{r'})] = p_S. \qquad [1.1]$$

In other words, the probability that a random pair of input difference $\delta_0$ is a right pair, that is, satisfies $\Delta x_{r'} = \pi(\delta_{r'})$, is $p_S$ when averaged over the possible values of the main key $K$.

– On the other hand, the decryption of the $r''$ last rounds $D_K^{[r, r'+1]} = \left(E_K^{[r'+1, r]}\right)^{-1}$, which relates $X_r$ to $X_{r'}$ and $X'_r$ to $X'_{r'}$, induces a relation between $(X_r, X'_r)$ and $\Delta x_{r'}$ that involves a portion $\kappa$, of size $|\kappa| \le k$, of the main key $K$ or of the last $r''$ round subkeys, namely

$$\Delta x_{r'} = \varphi(\kappa, X_r, X'_r). \qquad [1.2]$$

We assume here that a suitable choice of $r''$, $C$ and $\pi$ has been made that ensures that the number $|\kappa|$ of bits of $\kappa$ is substantially smaller than the number $k$ of bits of $K$.

Key recovery: to retrieve information on the value of $\kappa$, a hypothesis testing crafted to leverage the high probability $r'$-round differential $D_\pi$ is performed on all possible key guesses $\hat\kappa$, following the approach introduced in section 1.1. The testing of a key guess $\hat\kappa$ uses the indicator $I_M(\hat\kappa) = \#\{(X_r, X'_r) \mid \varphi(\hat\kappa, X_r, X'_r) = \pi(\delta_{r'})\}$. Given a ciphertext pair $(X_r, X'_r)$, $\varphi(\hat\kappa, X_r, X'_r)$ represents the estimated value $\widehat{\Delta x}_{r'}$ of $\Delta x_{r'}$ under the assumption $\hat\kappa$, as shown by [1.2]. $I_M(\hat\kappa)$ is thus a counter that measures the estimated number of right pairs among the $M$ tested pairs. In most differential attacks, the two following heuristic assumptions about the probability that a random tested pair is estimated a right pair, that is, $\widehat{\Delta x}_{r'} = \pi(\delta_{r'})$, are being made:

– For the valid guess $\hat\kappa = \kappa$, $\widehat{\Delta x}_{r'} = \Delta x_{r'}$, and we make the assumption that for almost all values of the key $K$, the fixed key probability $\Pr_{X_0}[\Delta x_{r'} = \pi(\delta_{r'})]$ that a random pair is a right pair and its expected probability (averaged over all $K$ values) $p_S$ encountered in [1.1] are nearly equal. This classical assumption was termed the hypothesis of stochastic equivalence in Lai et al. (1991).

– For an invalid guess $\hat\kappa \ne \kappa$, we make the assumption that $\widehat{\Delta x}_{r'} = \pi(\delta_{r'})$ is only satisfied with a noise probability $p_N \approx 2^{-t} \ll p_S$.

Under the former heuristic assumptions, we can expect the counter value $I_M(\hat\kappa)$ to follow:

– the binomial probability distribution $B(M, p_S)$ if $\hat\kappa = \kappa$;

– the binomial probability distribution $B(M, p_N \approx 2^{-t})$ if $\hat\kappa \ne \kappa$.


The following counter-based test procedure, which is essentially a statistical distinguisher between the two above laws, is applied to all $2^{|\kappa|}$ possible $\hat\kappa$ assumptions: $\hat\kappa$ is accepted, that is, retained as a candidate value for the actual $\kappa$, if $I_M(\hat\kappa) \ge \tau$ (where $\tau$ is a suitably chosen threshold value comprised between one and $M p_S$) and rejected otherwise. The number $M$ of samples of plaintext pairs $(X_0, X'_0)$ needed for the attack is highly dependent upon the ratio $(p_S - p_N)/p_N$, which we named the signal to noise ratio. A frequently encountered situation in differential cryptanalysis, in particular when $\pi$ is the identity function, is the one of a large signal to noise ratio (i.e. $\frac{p_S - p_N}{p_N} \gg 1$ and therefore $p_S \gg p_N$). We only address this case in the following and further restrict ourselves to the threshold value $\tau = 1$, which is often suitable in this case. Thus, the test procedure simply keeps those $\hat\kappa$ values that suggest at least one right pair.

Non-detection probability: the probability that the right key value $\kappa$ is missed by this procedure is $p_{nd} = \Pr[I_M(\kappa) < 1] = (1 - p_S)^M \approx e^{-M p_S}$. Consequently, it suffices to take a suitable multiple of $\frac{1}{p_S}$ for $M$ in order to render the failure probability arbitrarily small. For instance, $M \approx \frac{4.6}{p_S}$ ensures $p_{nd} \le 1\%$.

False alarm probability: conversely, the probability $p_{fa}$ for a wrong key value $\hat\kappa$ to be kept among the key candidates is $p_{fa} = \Pr[I_M(\hat\kappa) > 0] = 1 - (1 - p_N)^M \approx 1 - e^{-M p_N}$. Let us assume that $M \approx \frac{4.6}{p_S}$. If the signal to noise ratio $p_S/p_N - 1$ is sufficiently large to ensure that $p_S \gg 4.6\, p_N$, then $p_{fa} \approx 4.6\, p_N / p_S \ll 1$. Thus, the number of candidate values for $\kappa$ is reduced by a substantial factor $4.6\, p_N / p_S$.

Time complexity of the above procedure: while a naive application of the above testing procedure would lead to a time complexity $T = M \cdot 2^{|\kappa|}$, there are frequent situations where a much lower time complexity $T \in [\min(M, 2^{|\kappa|}),\, M \cdot 2^{|\kappa|}]$ can be reached, typically because a combination of the following techniques can be applied.

– Filtering: first, one part of the condition $\varphi(\kappa, X_r, X'_r) = \pi(\delta_{r'})$ may be independent from $\kappa$. For instance, let us assume that $\pi$ is the identity function, that $r'' = 1$, that $E$ has a Feistel scheme structure and that $\kappa$ is the last round subkey that parameterizes the F-function $\Phi_\kappa$. Let us denote the left and right halves of a block $X$ by $X_L$ and $X_R$. The condition $\varphi(\kappa, X_r, X'_r) = \pi(\delta_{r'})$ can be rewritten as the conjunction of the two conditions $(a) : \Delta X_{r,L} = \delta_{r',R}$ and $(b) : \Delta X_{r,R} \oplus \Phi_\kappa(X_{r,L}) \oplus \Phi_\kappa(X'_{r,L}) = \delta_{r',L}$. Equation (a), which is independent from $\kappa$, can be used to discard all but a fraction of about $2^{-n/2}$ of the $M$ plaintext/ciphertext pairs before testing equation (b) on key assumptions $\hat\kappa$.


– Partitioning: instead of depending on the whole value of $(X_r, X'_r)$, $\varphi(\hat\kappa, X_r, X'_r)$ can sometimes be re-expressed as a function of $\kappa$ and a $\tau$-bit function $\psi(X_r, X'_r)$, where $\tau \ll n$. This can be leveraged, for instance, by precomputing once and for all, for each of the $2^\tau$ possible $\psi$ values, which $\hat\kappa$ values it suggests, and then partitioning the $M' \le M$ (filtered) pairs $(X_r, X'_r)$ according to their $\psi$ value and deducing all suggested candidate $\kappa$ values.

EXAMPLE 1.5 (Attack on 14-round DES).– In order to illustrate the former key-recovery principles and the filtering and partitioning techniques by a simple application, we summarize Biham and Shamir's differential attack on DES reduced to 14 rounds outlined in the seminal paper (Biham and Shamir 1990), which is technically simpler than the attack on DES reduced to 15 rounds also presented in the same paper. The attack leverages the 13-round differential characteristic $C$ for $\mathrm{DES}^{[1,13]}$ obtained by concatenating the trivial 1-round characteristic $(\delta_1, 0) \to (0, \delta_1)\ [1]$ and six iterations of the iterative two-round characteristic $C_1$ of example 1.4 (and Figure 1.5). Thus, $C : (\delta_1, 0) \to (0, \delta_1) \to \cdots \to (\delta_1, 0) \to (0, \delta_1)$, where $\delta_1 = \mathtt{0x19600000}$, and the probability of $C$ is $p_S \approx \left(\frac{1}{235}\right)^6 \approx 2^{-47}$. Therefore, if we encrypt $M \ge \frac{4.6}{p_S}$ plaintext pairs $(X_0, X'_0)$ such that $\Delta X_0 = (\delta_1, 0)$, at the output of round 13 at least one of them satisfies $\Delta X_{13} = (0, \delta_1)$. The last round decryption on the corresponding ciphertext pair $(X_{14}, X'_{14})$ provides the relations $(a) : \Delta X_{14,L} = \delta_1$ and $(b) : \Delta X_{14,R} \oplus \Delta\Phi_{K_{14}}(X_{14,L}) = 0^{32}$.

Due to (a), the 48-bit expanded values $\mathrm{Exp}(X_{14,L})$ and $\mathrm{Exp}(X'_{14,L})$ only differ on the 18 bit positions input to S-boxes $S_1$, $S_2$ and $S_3$, and therefore condition (b) can be decomposed into the following:

– a key-independent condition $(b')$ that $\Delta X_{14,R}$ be equal to zero on all 20 bit positions corresponding (up to the final permutation $P$) to the outputs of S-boxes $S_4$ to $S_8$;

– a key-dependent condition $(b'')$ that only involves the 18-tuple $\kappa$ of bits of subkey $K_{14}$ located at the input of S-boxes $S_1$, $S_2$ and $S_3$, and only 14 bits of $X_{14,L}$, $X'_{14,L}$ and 12 bits of $\Delta X_{14,R}$.

If we keep only those ciphertext pairs that satisfy the keyless relations (a) and $(b')$, we expect only about $M \cdot (2^{-52} + p_S) \approx M \cdot p_S$ pairs to remain. For each remaining pair, the 12-bit condition $(b'')$ can be tested, and this suggests about $2^{18-12} = 2^6$ candidate values for $\kappa$. Overall, the attack extracts about 12 bits of information on $\kappa$. Its complexity, expressed as an equivalent number of DES encryptions, is $T \approx 2M \approx 2^{51}$, since the cost of the encryption of the $M$ pairs clearly dominates the one of filtering the pairs and computing candidate values for $\kappa$ suggested by the filtered pairs.
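The composition rule of proposition 1.3 and the last-round key-recovery procedure of section 1.2.3 (filtering with the key-independent condition (a), then counting the key guesses suggested by condition (b)) can both be exercised on a cipher small enough to enumerate exhaustively. The following Python is an added example, not code from the book: it assumes a constructed 8-bit Feistel cipher with 4-bit halves, a round function $\Phi_k(x) = S(x \oplus k)$ built on the PRESENT 4-bit S-box (a Markov cipher, since the subkey addition is followed by a keyless bijection), independent 4-bit subkeys, and a two-round characteristic $(0,1) \to (1,9) \to (9,\mathtt{F})$ read off the S-box's DDT; all names are this example's own.

```python
from fractions import Fraction
from itertools import product

# Constructed toy cipher: 8-bit Feistel, 4-bit halves, one 4-bit subkey per round,
# F-function phi_k(x) = S(x ^ k) with S the PRESENT S-box (used only as a 4-bit example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b} for a 4-bit S-box."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


DDT = ddt(SBOX)


def phi(k, x):
    return SBOX[x ^ k]


def feistel_round(k, left, right):
    """(Y_L, Y_R) = (X_R, phi_k(X_R) ^ X_L), the Feistel round of example 1.2."""
    return right, phi(k, right) ^ left


def encrypt(keys, block):
    left, right = block
    for k in keys:
        left, right = feistel_round(k, left, right)
    return left, right


def one_round_prob(d_in, d_out):
    """One-round characteristic probability for a Feistel round (section 1.2.2.1):
    DP_phi[dR -> dR' ^ dL] if dL' == dR, and 0 otherwise."""
    (dl, dr), (dl2, dr2) = d_in, d_out
    if dl2 != dr:
        return Fraction(0)
    return Fraction(DDT[dr][dr2 ^ dl], 16)


def characteristic_prob(chars):
    """Product of the one-round probabilities (proposition 1.3)."""
    p = Fraction(1)
    for d_in, d_out in zip(chars, chars[1:]):
        p *= one_round_prob(d_in, d_out)
    return p


def exhaustive_characteristic_prob(chars):
    """Exact probability, over all independent subkeys and all plaintexts, that a pair with
    input difference chars[0] follows every intermediate difference of the characteristic."""
    hits = total = 0
    for keys in product(range(16), repeat=len(chars) - 1):
        for x in range(256):
            a = (x >> 4, x & 0xF)
            b = (a[0] ^ chars[0][0], a[1] ^ chars[0][1])
            ok = True
            for k, expected in zip(keys, chars[1:]):
                a, b = feistel_round(k, *a), feistel_round(k, *b)
                if (a[0] ^ b[0], a[1] ^ b[1]) != expected:
                    ok = False
                    break
            hits += ok
            total += 1
    return Fraction(hits, total)


# Two-round characteristic read off the DDT: S transitions 1 -> 9 and 9 -> E, each 4/16.
CHAR = [(0x0, 0x1), (0x1, 0x9), (0x9, 0xF)]


def last_round_attack(keys, chars=CHAR):
    """Key recovery on len(chars) rounds: the characteristic covers all but the last round,
    whose subkey is guessed. Every plaintext pair with the input difference (M = 256 pairs)
    is encrypted and the counters I_M(k_hat) of section 1.2.3 are returned for the 16 guesses."""
    d0, (dl, dr) = chars[0], chars[-1]
    counters = [0] * 16
    for x in range(256):
        p0 = (x >> 4, x & 0xF)
        p1 = (p0[0] ^ d0[0], p0[1] ^ d0[1])
        (l, r), (l2, r2) = encrypt(keys, p0), encrypt(keys, p1)
        if l ^ l2 != dr:            # condition (a): key-independent filter on the left half
            continue
        for k_hat in range(16):     # condition (b): difference recovered at the last F-function input
            if phi(k_hat, l) ^ phi(k_hat, l2) ^ r ^ r2 == dl:
                counters[k_hat] += 1
    return counters


def attack_estimates(p_s, p_n, m):
    """Non-detection and false-alarm probabilities of section 1.2.3 for the threshold tau = 1."""
    return (1 - p_s) ** m, 1 - (1 - p_n) ** m


if __name__ == "__main__":
    print(characteristic_prob(CHAR), exhaustive_characteristic_prob(CHAR))   # 1/16 1/16
    print(last_round_attack([0x3, 0xA, 0x7]))
    print(attack_estimates(1 / 16, 1 / 64, 74))
```

With the true last subkey $K_3 = \mathtt{0x7}$, the counter equals exactly $M p_S = 256/16 = 16$, and so does the counter of $K_3 \oplus \mathtt{F}$: a guess $\hat k$ and $\hat k \oplus \delta$, with $\delta$ the difference entering the last S-box, produce the same pair of S-box inputs, so a last-round attack on one S-box only determines the subkey up to that XOR (the same ambiguity arises for DES). Wrong guesses accumulate counts both from pairs that pass the filter by chance and from right pairs, and because the halves here are only 4 bits wide the noise probability is far closer to $p_S$ than in the DES setting; the toy shows the mechanics of (a), (b) and the counters, not realistic complexities.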


Performance analysis of differential attacks: the purpose of the former outline of the key-recovery aspects of differential attacks was only to informally describe a typical key-recovery procedure accompanied by a rough performance and success probability analysis, not to propose a rigorous statistical treatment. While the treatment of the data complexity and success probability estimates in early papers on differential cryptanalysis was rather ad hoc, a more rigorous treatment of success probability estimates (under various heuristic assumptions) was introduced in Selçuk (2008), which was later on refined in the data complexity and success probability estimates in Blondeau et al. (2011). These papers have the extra merit of offering a unified treatment for various other classes of statistical attacks and show the continuum between attacks with a high to medium signal to noise ratio such as differential cryptanalysis and attacks with a low signal to noise ratio such as linear cryptanalysis.

1.3. Some refinements and generalizations

The basic ideas around differential cryptanalysis have been presented in the previous section; however, there are numerous possible generalizations or refinements, depending on the context of applications. In the following, we briefly mention two generalizations: the differential effect and the case of truncated differences.

1.3.1. Differential effect

In the previous section, we recalled the definitions of a differential characteristic and a differential. In practice, to apply differential cryptanalysis to, say, a block cipher $E$ (or the initial part of a block cipher, which we still denote by $E$), one starts by finding a differential characteristic $C : \delta_0 \to \delta_1 \to \cdots \to \delta_r$ over $r$ rounds of $E$ that holds with high probability. This fixes the input difference $\delta_0$ for the chosen-plaintext queries to $E_K$ for a secret key $K$, as well as the output difference $\delta_r$ expected in the ciphertext pairs.
In practice, however, all the internal differences $\delta_i$ of the differential characteristic, $1 \le i \le r-1$, will not necessarily be reached for a pair having plaintext (respectively, ciphertext) difference $\delta_0$ (respectively, $\delta_r$). Indeed, it is possible that there are other differential characteristics that share the same input and output differences: this is called the differential effect. Formally,

$$\mathrm{DP}_E(\delta_0 \to \delta_r) = \sum_{\delta'_1, \dots, \delta'_{r-1}} \mathrm{DP}_E(\delta_0 \to \delta'_1 \to \cdots \to \delta'_{r-1} \to \delta_r) \ge \mathrm{DP}_E(C),$$


or said differently, the differential probability of the differential $\delta_0 \to \delta_r$ is at least as high as the probability of any differential characteristic sharing the same input/output differences, and in particular higher than the differential characteristic having the highest differential probability. In some cases, the probability of the differential $\delta_0 \to \delta_r$ can be substantially higher than $\mathrm{DP}_E(C)$ because the probabilities of the characteristics $C' : \delta_0 \to \delta'_1 \to \cdots \to \delta'_{r-1} \to \delta_r$ distinct from $C$ also provide a non-negligible contribution to the above sum.

1.3.2. Truncated differentials

As another generalization of differential cryptanalysis, we recall the concept of truncated differential introduced by Knudsen (1994). As detailed in the previous part of this chapter, classical differential cryptanalysis relies on a differential $\delta_0 \to \delta_1$ having high probability, so that an adversary can extract information on the secret key from chosen-plaintext queries having input difference $\delta_0$ by partially decrypting and checking whether the pair of intermediate values has difference $\delta_1$. The idea of truncated differentials is to only predict part of the ciphertext difference $\delta_1$, and let the other bits of $\delta_1$ take any possible value. It relies on truncated differences.

DEFINITION 1.6 (Truncated difference).– A truncated difference $\bar\delta$ corresponding to a difference $\delta \in \{0,1\}^n$ consists of a partially defined difference over $k < n$ prescribed bits, such that the projection of $\delta$ to these $k$ bit positions is fully defined. The part of the difference with unknown value is represented as *, which can either be zero or non-zero.

EXAMPLE 1.6 (Truncated differential on an S-box).– Taking again the 3-bit S-box from example 1.1, one has that the differential (given in binary) $\delta_0 = 001 \to \delta_1 = 001$ has probability 1/4; however, if one truncates the output difference to $\bar\delta_1 = \mathtt{**1}$, where a * indicates a wildcard bit value, then $\delta_0 \to \bar\delta_1$ becomes a truncated differential with probability one. Indeed, as can be seen from the DDT (Table 1.1), all the possible output differences for the input difference $\delta_0$ are odd values.

While the concept of truncated differences apparently imposes fewer constraints on the data collection step of a differential attack, it can nevertheless apply to some ciphers either to yield distinguishers (e.g. one can predict partial bit differences in the output) or key-recovery attacks. The definitions of differential and differential characteristics introduced previously naturally carry over to truncated differences.

DEFINITION 1.7 (Truncated differential and truncated differential characteristics).– A truncated differential is a differential where the input and output differences are truncated. A truncated differential characteristic is a differential characteristic where all the differences are truncated.


EXAMPLE 1.7 (Four-round truncated differential characteristic on DES).– This example appears in Knudsen (1994) and constructs a truncated differential characteristic on the DES cipher reduced to four rounds that has a probability of one (see Figure 1.6). The construction relies on two properties of the internal components of the DES round function $\Phi$ (see Figure 1.2). First, a truncated difference equal to zero at the input of any function (e.g. an S-box) yields a truncated difference also equal to zero at its output. This simply results from the definition of a function $f$: any value is mapped to a single value by $f$. Second, the permutation $P$ at the end of $\Phi$ ensures that any DES S-box output affects at most six S-box inputs in the next round. Specifically here, the output of S-box $S_1$ at round $i$ does not affect the input of S-boxes $S_1$ and $S_7$ at round $i+1$. Combining these observations, we can construct a probability one truncated differential distinguisher on four rounds of DES. Assume two plaintexts only differ in a single 4-bit nibble in such a way that the resulting difference after the Exp transformation (see Figure 1.2) of $\Phi$ stays in this same nibble⁴. In Figure 1.2, we represent by 0 (respectively, *) a zero (respectively, non-zero) truncated difference at the word level (i.e. either 32 or 6 bits). The differential transition holds trivially with probability one in the first round, and for the second round, the input difference of $\Phi$ activates only the first S-box: in Figure 1.6, we represent this activity pattern of the S-box layer as *0000000. Due to the previous observations, only the inputs to $S_1$ are different, which affect all nibbles at the output except the nibbles at positions 1 and 7 in the third round. Hence, the S-box activity pattern for $\Phi$ at the third round equals 0*****0*. Therefore, the output difference $\Delta'$ of $\Phi$ in the third round ensures that $P^{-1}(\Delta')$ also has activity pattern 0*****0*.

The last round propagates the difference to an uncontrolled difference $\Delta_R$, but the left difference $\Delta_L$ is such that $\Delta_L = \Delta_{in} \oplus \Delta'$ is constrained on 8 bits. Indeed, the activity pattern of $P^{-1}(\Delta_L \oplus \Delta_{in})$ equals the activity pattern of the third S-box layer, which is 0*****0* and has 8-bit constraints. Finally, we have a truncated differential characteristic that holds with probability one, which provides a distinguisher for four-round DES that succeeds with advantage $1 - \frac{1}{256}$. We note that this distinguisher can be exploited to mount a key-recovery attack on six-round DES (see Knudsen 1994).

4 There are three possible different values for this difference, namely: 20000000, 40000000 or 60000000.

1.4. Design strategies and evaluation

Since the design of DES and the publication of the differential cryptanalysis technique, several academic results have focused on the cryptanalytical side to mount attacks on various ciphers, but several other papers have tried to devise design strategies to thwart differential cryptanalysis from a theoretical point of view. One major contribution in this latter area has been proposed by Daemen and Rijmen (2002) and culminated in the design of the block cipher family, which won the AES competition and became the AES standard, the most used encryption standard to date (NIST 2001).

Figure 1.6. Truncated differential characteristic on DES reduced to four rounds holding with probability one: $\Pr\left[P^{-1}(\Delta_L \oplus \Delta_{in}) = \mathtt{0*****0*}\right] = 1$ (S-box activity patterns of the four rounds: 00000000, *0000000, 0*****0*, ********)
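The two structural facts that example 1.7 relies on, namely which S-boxes a difference at the input of $\Phi$ activates after Exp and which S-boxes of the next round an S-box output reaches after $P$ and Exp, can be checked mechanically from the DES tables. The following Python is an added example, not from the book; its only inputs are the FIPS 46 tables E and P, its function names are this example's own, and it also re-derives the bit positions behind example 1.2 (the input difference 04000000 enters $S_2$ as 001000, and an output difference 1010 of $S_2$ becomes 40080000 after $P$).

```python
# DES expansion E (32 -> 48 bits) and permutation P (32 -> 32 bits) from FIPS 46. Entry j
# (1-indexed) is the input bit number landing at output position j; bit 1 is the most
# significant bit of a word.
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def permute(x, table, in_width):
    """Apply a FIPS-style bit selection table to an in_width-bit integer."""
    out = 0
    for src in table:
        out = (out << 1) | ((x >> (in_width - src)) & 1)
    return out


def sbox_input_difference(delta32, i):
    """6-bit difference entering S-box i (1..8) for a 32-bit difference at the input of Phi.
    The subkey XOR does not change differences, so only Exp matters."""
    return (permute(delta32, E, 32) >> (48 - 6 * i)) & 0x3F


def active_sboxes(delta32):
    """Set of S-boxes receiving a non-zero input difference (the * positions of an activity pattern)."""
    return {i for i in range(1, 9) if sbox_input_difference(delta32, i)}


def phi_output_difference(i, nibble):
    """32-bit output difference of Phi when S-box i alone has output difference `nibble`."""
    return permute(nibble << (32 - 4 * i), P, 32)


def sboxes_affected_next_round(i):
    """S-boxes of round r+1 whose input can depend on the output of S-box i in round r:
    the four output bits go through P, are XORed into the other half (which keeps bit
    positions) and then enter the next Exp."""
    return active_sboxes(phi_output_difference(i, 0xF))


def activity_pattern(sboxes):
    return "".join("*" if i in sboxes else "0" for i in range(1, 9))


def next_round_activity_pattern(active):
    """Round r+1 pattern implied by the active S-boxes of round r, all output bits taken as unknown."""
    affected = set()
    for i in active:
        affected |= sboxes_affected_next_round(i)
    return activity_pattern(affected)


if __name__ == "__main__":
    for d in (0x20000000, 0x40000000, 0x60000000):     # footnote 4: only S1 is activated
        print(hex(d), activity_pattern(active_sboxes(d)))
    print(next_round_activity_pattern({1}))            # 0*****0*
    print(bin(sbox_input_difference(0x04000000, 2)), hex(phi_output_difference(2, 0b1010)))
```

The pattern 0*****0* returned for an active $S_1$ is the third-round pattern of Figure 1.6, and the three differences of footnote 4 are exactly those that Exp keeps inside the input of $S_1$: bits 2 and 3 of the 32-bit word are the only bits of the first nibble that Exp does not also copy into a neighbouring S-box (bit 1 is duplicated into $S_8$ and bit 4 into $S_2$).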

In the following, we highlight the principal design decisions that have been made for the AES, and we briefly sketch how resistance against differential cryptanalysis can sometimes be evaluated automatically.

1.4.1. Case of the AES

As described previously, the AES relies on an SP construction, which applies a highly nonlinear S-box in the S-layer, and a linear transformation based on an MDS linear code for the P-layer. In comparison to older ciphers like DES, the AES relies on a strongly aligned algebraic structure, which allows the derivation of theoretical upper bounds on the probabilities of differential characteristics. This design approach, introduced as the wide trail strategy, offers a tradeoff between the efficiency of the design and its resistance against differential (and linear) cryptanalysis. It relies on the following definition.

DEFINITION 1.8 (Active S-box).– We say that an S-box is active (respectively, inactive) if it has an input difference different from zero (respectively, equal to zero). This definition more generally holds for any function.


Using this definition, proving upper bounds on the probabilities of differential characteristics is possible by counting the number of active S-boxes over a given number of rounds. That is, for any non-zero truncated difference at the input of four rounds of AES, what is the minimal number of S-boxes that have a non-zero input difference?

PROPOSITION 1.5 (Number of active S-boxes for four-round AES).– There are at least 25 active S-boxes in any non-trivial truncated differential characteristic of four-round AES.

The proof is given in Daemen and Rijmen (2002) and relies on the differential branch number of the P-layer being equal to 5, as well as the full diffusion in the AES round function being reached after two rounds. We give an example of a truncated differential characteristic reaching this bound in Figure 1.7.

Figure 1.7. Example of a truncated differential characteristic for four rounds of AES reaching the minimal number of 25 active S-boxes (the four single-round steps are labelled 1R). A marked cell indicates a non-zero truncated difference

Combining this result for truncated differential characteristics with the differential property of the AES S-box allows us to derive the following proposition.

PROPOSITION 1.6 (Probability bound for four-round AES).– Any non-trivial differential characteristic for four rounds of AES has a probability at most $2^{-150}$.

Proof. The AES S-box $S$ has been chosen to locally offer a high resistance against differential cryptanalysis. Indeed, its maximal differential probability $\mathrm{DP}_S$ over all possible non-trivial differentials equals $2^{-6}$. Consequently, in the most favorable case where the 25 active S-boxes of a differential characteristic all hold with probability $2^{-6}$, the differential probability of the associated characteristic will be $(2^{-6})^{25} = 2^{-150}$. □

Using this proposition, the resistance of the AES against classical differential cryptanalysis can be proven since the most probable reachable differential characteristic over 4 (out of the 10+ rounds) reaches a probability $2^{-150} \ll 2^{-128}$.
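The two premises of propositions 1.5 and 1.6, a P-layer of differential branch number 5 and an S-box of maximal differential probability $2^{-6}$, can be verified from the AES definitions themselves. The following Python is an added example, not from the book or the AES specification: it rebuilds the AES S-box from inversion in $\mathbb{F}_{2^8}$ followed by the affine map, computes the largest DDT entry, establishes the MixColumns branch number by an exhaustive argument that only needs weight-1 and weight-2 input columns (plus weight-1 inputs of the inverse matrix), and evaluates the bound $(2^{-6})^{25}$; the function names are this example's own.

```python
from fractions import Fraction


def gmul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def aes_sbox():
    """AES S-box from its definition: multiplicative inverse (0 -> 0), then the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gmul(x, y) == 1)
            inv[x], inv[y] = y, x

    def affine(b):
        rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
        return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

    return [affine(inv[x]) for x in range(256)]


SBOX = aes_sbox()


def max_ddt_entry(sbox):
    """Largest DDT entry over non-trivial input differences (the differential uniformity)."""
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best


# MixColumns matrix and its inverse (coefficients in GF(2^8)) with multiplication tables.
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MC = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
MUL = {c: [gmul(c, x) for x in range(256)] for c in (1, 2, 3, 9, 11, 13, 14)}


def mix(col, matrix):
    a, b, c, d = col
    return [MUL[m[0]][a] ^ MUL[m[1]][b] ^ MUL[m[2]][c] ^ MUL[m[3]][d] for m in matrix]


def weight(col):
    return sum(1 for v in col if v)


def mixcolumns_branch_number():
    """min over non-zero columns a of weight(a) + weight(MC * a), without enumerating 2^32
    columns: weight-1 inputs are checked through MC and through INV_MC (the latter catches
    a weight-1 output produced by a weight-3 input), weight-2 inputs are enumerated, and an
    input of weight 3 or 4 cannot have a zero output because MC is invertible."""
    img = [[mix([v if q == p else 0 for q in range(4)], MC) for v in range(256)] for p in range(4)]
    inv_img = [[mix([v if q == p else 0 for q in range(4)], INV_MC) for v in range(256)] for p in range(4)]
    best = 8
    for p in range(4):
        for v in range(1, 256):
            best = min(best, 1 + weight(img[p][v]), 1 + weight(inv_img[p][v]))
    for i in range(4):
        for j in range(i + 1, 4):
            for v in range(1, 256):
                a = img[i][v]
                for w in range(1, 256):
                    b = img[j][w]   # MixColumns is linear: image of (v e_i + w e_j) is a XOR b
                    best = min(best, 2 + ((a[0] ^ b[0]) != 0) + ((a[1] ^ b[1]) != 0)
                               + ((a[2] ^ b[2]) != 0) + ((a[3] ^ b[3]) != 0))
    return best


def four_round_characteristic_bound(min_active=25):
    """(max DP of the S-box)^min_active, the bound of proposition 1.6 as an exact fraction."""
    return Fraction(max_ddt_entry(SBOX), 256) ** min_active


if __name__ == "__main__":
    print(hex(SBOX[0]), hex(SBOX[1]))                        # 0x63 0x7c
    print(max_ddt_entry(SBOX))                               # 4, i.e. DP_S = 2^-6
    print(mixcolumns_branch_number())                        # 5
    print(four_round_characteristic_bound() == Fraction(1, 2 ** 150))
```

The branch-number routine is a complete check rather than a sample: any violation of "input weight plus output weight at least 5" must involve an input of weight 1 or 2, or an output of weight 1 whose preimage under the inverse matrix has weight 3, and all of those cases are enumerated.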


1.4.2. Automated analysis

Following the design choices of the AES, many more academic ciphers have been proposed with similar arguments to bound the probabilities of differential characteristics by counting active S-boxes. While the AES structure makes this counting easy, some less structured ciphers prevent designers from counting the number of active S-boxes by hand. However, for most cipher specifications the problem of counting active S-boxes can be encoded as a SAT, SMT (Satisfiability, Satisfiability Modulo Theories) or MILP (Mixed-Integer Linear Programming) problem, offloading the counting to third-party software. This strategy was for instance applied using MILP on the AES in Mouha et al. (2011), essentially as a proof-of-concept to introduce a new automated way to perform cryptanalysis. In the past 5–10 years, most new designs have relied on these automated tools to check/verify the bounds for differential (and linear) characteristics.

1.5. Further notes and references

The paper by Coppersmith (1994), who was a member of the team who designed DES around 1974, revealed that differential cryptanalysis had been known in essence to this team at that time, under the name “T attack”, and that “[the knowledge] of this technique, and the necessity to strengthen DES against attacks using it, played a large part in the design of the S-boxes and the permutation P”. Apart from the DES, another block cipher that played a major role in the discovery of differential cryptanalysis and other statistical attack techniques is FEAL, a 64-bit block cipher with a Feistel structure whose number of rounds gradually evolved from four to eight rounds and later on to an unspecified number of rounds to address the progress of cryptanalysis. This may be due to the fact that since the single non-$\mathbb{F}_2$-affine ingredient of FEAL is the addition of integers modulo 256, getting a first intuition of nonlinear effects in FEAL is easier than for many other ciphers.
It is now known that Eli Biham and Adi Shamir discovered a large part of the extremely efficient differential cryptanalyses of various FEAL versions (including the eight-round version) that they published in Biham and Shamir (1991) before discovering their seminal results on the differential cryptanalysis of DES, even though they eventually decided to publish their results in the opposite chronological order. Countless differential cryptanalyses of other full or round-reduced block ciphers were published after 1990 and many of the other statistical or non-statistical block cipher cryptanalysis techniques that were discovered afterwards were at least partly inspired by differential cryptanalysis. An excellent survey of differential


cryptanalysis techniques and their connection to prominent other classes of attacks can be found, as well as noticeable differential cryptanalysis results on various block ciphers published until 2011, in the relevant chapters of Lars Knudsen and Matthew Robshaw's monograph on block ciphers (Knudsen and Robshaw 2011). Most block ciphers that were proposed after 1990 were accompanied by an estimate of (upper bounds on) the maximum value of the probability of their non-trivial differential characteristics over a sufficient number $t \le r$ of rounds (termed the maximum expected differential characteristic probability [MEDCP]), or, even better, by an estimate of (upper bounds on) the probability of their non-trivial $t$-round differentials (termed the MEDP, the maximum expected differential probability). This was the result of considerable research efforts to develop construction strategies and/or computation techniques for getting such upper bounds, typically under the assumption that the block cipher is parameterized by independent subkeys. In particular, upper bounds on the probability of differentials of a four-round DES-like Feistel scheme parameterized by independent subkeys were established by Nyberg and Knudsen (1995) and improved upper bounds were established for variants of this construction by Aoki and Ohta (1996) and Matsui (1996). The use of these constructions at several levels of an embedded structure formed, together with the choice of S-boxes offering optimal differential and linear transition properties, the basis of the design of the block cipher MISTY (Matsui 1997). This design is supported by provable upper bounds on the expected probability of differential and linear transitions.
Apart from the above results on Feistel-oriented constructions with provable security against differential cryptanalysis, illustrated by MISTY, and the wide trail strategy for block ciphers with an SPN structure, illustrated by the AES, another approach for designing block ciphers with strong security arguments against differential cryptanalysis and many other attacks is decorrelation theory, a line of research pioneered by Vaudenay (2003). Decorrelation theory provides a theoretical framework for analyzing the transition probabilities between d-tuples of inputs and outputs of a (round-reduced) block cipher. By using so-called decorrelation modules, designers can obtain provable bounds on the resistance against many classes of statistical attacks, including differential cryptanalysis. Computing the MEDP of a round-reduced block cipher, or tight upper bounds on it, is a notoriously more difficult task than computing its MEDCP or tight upper bounds on its MEDCP, even though the second problem is itself far from trivial in the general case. To take a specific example, much research effort has been focused on the computation of (tight upper bounds on) the MEDP of the two-round version of the AES and of a broader family of SPN ciphers with a similar structure. The upper bounds established in the early days of the AES (Hong et al. 2000; Daemen and Rijmen 2002) were improved around 2003 in Park et al. (2003) and Chun et al. (2003), and then

Differential Cryptanalysis

25

further improved around 2014 in Canteaut and Roué (2015a, 2015b). Unlike all former bounds, the latter bounds are not invariant under F_2-affine equivalence, which makes it possible to analyze the influence of the "affine part" of an S-box on the MEDP. Besides such tight upper-bounding formulas, the exact MEDP value of the actual two-round AES was computed in Keliher and Sui (2007). From the very beginning of differential cryptanalysis, the analysis of the differential behavior of block ciphers has been almost exclusively focused on computing or upper bounding the expected probabilities of differential characteristics (their EDCP) or of differentials (their EDP), that is, probabilities averaged over all possible key values. However, little can be said about the resulting vulnerability or resistance to attacks if nothing is known about the distribution, over a uniformly chosen key, of the fixed-key probability of a differential characteristic (its DCP) or of a differential (its DP) beyond its average value ED(C)P. For instance, we saw in section 1.2.3 that, to assess the performance of differential attacks, it is customary to make the hypothesis of stochastic equivalence, namely that D(C)P ≈ ED(C)P for the vast majority of keys. Even though the attack performance estimates derived under this hypothesis are in many cases in surprisingly good agreement with attack experiments, it is well known that the behavior of many (round-reduced) ciphers deviates strongly from it. In particular, Daemen and Rijmen (2007a) have shown that all two-round differential characteristics of the AES are so-called plateau characteristics, whose fixed-key probability can only take two values, 0 or 2^{h−n}, where n is the block size and h < n is termed the height of the characteristic, and that most AES characteristics over four or more rounds are plateau characteristics as well.
In another publication (Daemen and Rijmen 2007b), the same authors gave theoretical and experimental evidence that a quite different behavior can be expected in many cases: the distribution, over fixed key values, of the number of unordered pairs following a given characteristic or differential (dividing this number by the scaling factor N = 2^{n−1} gives the D(C)P) approximately follows a Poisson distribution whose parameter is the expected number of such pairs, that is, N times the ED(C)P. Blondeau et al. (2013) showed that, under the related assumption that this number approximately follows a binomial distribution with parameters N and the EDCP, the knowledge of upper bounds on the EDCP of a characteristic can be used to derive a lower bound on the probability, over the keys, that this characteristic is followed by at most B pairs, and thus to quantify the security implications of EDCP bounds in a fixed-key setting. Regarding cryptographic criteria for S-boxes related to differential cryptanalysis and related constructions, we refer the reader to Chapter 8 of volume 1. We only mention here one well-known application of this line of research: Nyberg (1993) introduced various algebraic S-box constructions achieving an optimal or nearly optimal maximum non-trivial differential transition probability, one of which, based on inversion in F_{256}, was eventually reused by the AES designers in the AES S-box.


While this chapter only addressed the differential cryptanalysis of block ciphers, differential techniques play a prominent role in the cryptanalysis of various other cryptographic primitives, for example, stream ciphers and hash functions, and their application to these other primitives has given rise to the development of important new concepts and techniques.

1.6. References

Aoki, K. and Ohta, K. (1996). Stricter evaluation for the maximum average of differential probability and the maximum average of linear probability (in Japanese). Proceedings of SCIS'96, SCIS96-4A.
Biham, E. and Shamir, A. (1990). Differential cryptanalysis of DES-like cryptosystems. In CRYPTO '90, vol. 537 of Lecture Notes in Computer Science, Menezes, A., Vanstone, S.A. (eds). Springer.
Biham, E. and Shamir, A. (1991). Differential cryptanalysis of Feal and N-Hash. In EUROCRYPT '91, vol. 547 of Lecture Notes in Computer Science, Davies, D.W. (ed.). Springer.
Biham, E. and Shamir, A. (1992). Differential cryptanalysis of the full 16-round DES. In CRYPTO '92, vol. 740 of Lecture Notes in Computer Science, Brickell, E.F. (ed.). Springer.
Biham, E. and Shamir, A. (1993). Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, Berlin, Heidelberg.
Blondeau, C., Bogdanov, A., Leander, G. (2013). Bounds in shallows and in miseries. In CRYPTO 2013, Part I, vol. 8042 of Lecture Notes in Computer Science, Canetti, R., Garay, J.A. (eds). Springer.
Blondeau, C., Gérard, B., Tillich, J.-P. (2011). Accurate estimates of the data complexity and success probability for various cryptanalyses. Designs, Codes and Cryptography, 59(1), 3–34.
Canteaut, A. and Roué, J. (2015a). Extended differential properties of cryptographic functions. Topics in Finite Fields, 632, 43–70.
Canteaut, A. and Roué, J. (2015b). On the behaviors of affine equivalent S-boxes regarding differential and linear attacks. In EUROCRYPT 2015, Part I, vol. 9056 of Lecture Notes in Computer Science, Oswald, E., Fischlin, M. (eds). Springer.
Chun, K., Kim, S., Lee, S., Sung, S.H., Yoon, S. (2003). Differential and linear cryptanalysis for 2-round SPNs. Information Processing Letters, 87(5), 277–282.
Coppersmith, D. (1994). The Data Encryption Standard (DES) and its strength against attacks. IBM Journal of Research and Development, 38(3), 243–250.
Daemen, J. and Rijmen, V. (2002). The Design of Rijndael: AES – The Advanced Encryption Standard (Information Security and Cryptography). 1st edition. Springer.
Daemen, J. and Rijmen, V. (2007a). Plateau characteristics. IET Information Security, 1, 11–17.
Daemen, J. and Rijmen, V. (2007b). Probability distributions of correlation and differentials in block ciphers. Journal of Mathematical Cryptology, 1(3), 221–242.
Hong, S., Lee, S., Lim, J., Sung, J., Cheon, D.H., Cho, I. (2000). Provable security against differential and linear cryptanalysis for the SPN structure. In FSE 2000, vol. 1978 of Lecture Notes in Computer Science, Schneier, B. (ed.). Springer.
Keliher, L. and Sui, J. (2007). Exact maximum expected differential and linear probability for two-round advanced encryption standard. IET Information Security, 1, 53–57.
Knudsen, L.R. (1994). Truncated and higher order differentials. In FSE '94, vol. 1008 of Lecture Notes in Computer Science, Preneel, B. (ed.). Springer.
Knudsen, L.R. and Robshaw, M.J.B. (2011). The Block Cipher Companion. Springer.
Lai, X., Massey, J.L., Murphy, S. (1991). Markov ciphers and differential cryptanalysis. In EUROCRYPT '91, vol. 547 of Lecture Notes in Computer Science, Davies, D.W. (ed.). Springer.
Matsui, M. (1996). New structure of block ciphers with provable security against differential and linear cryptanalysis. In FSE '96, vol. 1039 of Lecture Notes in Computer Science, Gollmann, D. (ed.). Springer.
Matsui, M. (1997). New block encryption algorithm MISTY. In FSE '97, vol. 1267 of Lecture Notes in Computer Science, Biham, E. (ed.). Springer.
Mouha, N., Wang, Q., Gu, D., Preneel, B. (2011). Differential and linear cryptanalysis using mixed-integer linear programming. In Inscrypt, vol. 7537 of Lecture Notes in Computer Science, Wu, C., Yung, M., Lin, D. (eds). Springer.
NIST (2001). Advanced Encryption Standard. NIST.
Nyberg, K. (1993). Differentially uniform mappings for cryptography. In EUROCRYPT '93, vol. 765 of Lecture Notes in Computer Science, Helleseth, T. (ed.). Springer.
Nyberg, K. and Knudsen, L.R. (1995). Provable security against a differential attack. Journal of Cryptology, 8(1), 27–37.
Park, S., Sung, S.H., Lee, S., Lim, J. (2003). Improving the upper bound on the maximum differential and the maximum linear hull probability for SPN structures and AES. In FSE 2003, vol. 2887 of Lecture Notes in Computer Science, Johansson, T. (ed.). Springer.
Selçuk, A.A. (2008). On probability of success in linear and differential cryptanalysis. Journal of Cryptology, 21(1), 131–147.
Vaudenay, S. (2003). Decorrelation: A theory for block cipher security. Journal of Cryptology, 16(4), 249–286.

2

Linear Cryptanalysis

Kaisa NYBERG (1) and Antonio FLÓREZ-GUTIÉRREZ (2)

(1) Aalto University School of Science, Espoo, Finland
(2) Inria, Paris, France

2.1. History

Throughout the history of encryption, ciphers have been designed to generate random-looking ciphertext. This design goal was formalized in 1949 by Claude Shannon, who laid the information-theoretic foundations of the security of encryption and gave the first design criteria for achieving security against ciphertext-only attacks. It was not until the late 1980s that it was observed in the public literature that, even if the ciphertexts E_K(x) of unknown plaintexts x look perfectly random, the graph of the cipher, formed by the pairs (x, E_K(x)), may still be distinguishable from random. For example, differential cryptanalysis exploits non-zero differences in the graph that occur exceptionally often. Linear cryptanalysis exploits linear combinations ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ of bits of the graph points that are unbalanced, contrary to what one would expect if the cipher were a random permutation. Such analysis requires data from the graph, that is, plaintexts and their corresponding ciphertexts. Linear cryptanalysis of block ciphers has its origins in stream cipher cryptanalysis. In the mid 1980s, it was observed that adding memory to the nonlinear state-update function of a stream cipher improves resistance against correlation attacks. Modular addition with its carry function offered a simple way to introduce memory. One of the first designs to exploit this idea was a combiner

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.


generator named the summation cipher (Rueppel 1985). Subsequently, modular addition was adopted as the main nonlinear function in the design of the FEAL family of block ciphers (Shimizu and Miyaguchi 1987). Meier and Staffelbach (1992) studied the correlation properties of combiners with memory and focused in particular on the properties of modular addition. Exploiting this information, Tardy-Corfdir and Gilbert (1991) discovered linear combinations of plaintext and ciphertext bits of FEAL-4 and FEAL-6 with large bias. They managed to recover 15 key bits of FEAL-4 and FEAL-6 with 1000 and 20,000 known plaintext-ciphertext pairs, respectively. The study of the bias of linear approximations was then extended to the S-boxes of the DES algorithm (Matsui 1993). This seminal work introduced an approach to the linear cryptanalysis of iterative block ciphers, including tools such as the piling-up lemma and a statistical model for estimating the data requirement of a key-recovery attack. Linear combinations ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ of bits of the graph points were called linear approximations (Tardy-Corfdir and Gilbert 1991) or linear approximative relations (Matsui 1993). Linear approximations are a tool for creating a simplified picture of the action of the cipher, or of a part of it, while retaining a controllable amount of information that can be used to recover some secret key bits. Together with differential cryptanalysis, linear cryptanalysis is today one of the main methods for evaluating the security of a block cipher.

2.2. Correlation and linear hull

Let E_K be the encryption function of an n-bit block cipher with n-bit plaintext x = (x_1, ..., x_n) ∈ {0,1}^n. A linear approximation ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ of E_K is the single bit a_1x_1 ⊕ ··· ⊕ a_nx_n ⊕ b_1y_1 ⊕ ··· ⊕ b_ny_n, where y = (y_1, ..., y_n) = E_K(x). The n-bit vectors a = (a_1, ..., a_n) and b = (b_1, ..., b_n) are called the input and output masks, respectively.
The correlation of the linear approximation is defined as

$$\mathrm{cor}_{E_K}(a,b) = 2^{-n}\sum_{x\in\{0,1\}^n}(-1)^{\langle a,x\rangle\oplus\langle b,E_K(x)\rangle}, \qquad [2.1]$$

and takes values between 1 and −1 included, and is a function of the key variable K. Given a mask τ of length k for the k-bit key variable K, let us denote by COR(a, b, τ) the correlation of the combination of the bits ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ ⊕ ⟨τ, K⟩, that is,

$$\mathrm{COR}(a,b,\tau) = 2^{-n-k}\sum_{x\in\{0,1\}^n,\ K\in\{0,1\}^k}(-1)^{\langle a,x\rangle\oplus\langle b,E_K(x)\rangle\oplus\langle\tau,K\rangle}.$$

This quantity is independent of the key and satisfies

$$\mathrm{cor}_{E_K}(a,b) = \sum_{\tau\in\{0,1\}^k}(-1)^{\langle\tau,K\rangle}\,\mathrm{COR}(a,b,\tau). \qquad [2.2]$$


For some fixed input and output masks a and b, the set {⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ ⊕ ⟨τ, K⟩ | τ ∈ {0,1}^k} is called the linear hull of the linear approximation ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩. The average of the squared correlations cor_{E_K}(a, b)^2 taken over all keys K ∈ {0,1}^k is its expected linear potential (ELP), denoted by ELP(a, b). The following result is also known as the linear hull theorem (Nyberg 1994):

$$\mathrm{ELP}(a,b) = 2^{-k}\sum_{K\in\{0,1\}^k}\mathrm{cor}_{E_K}(a,b)^2 = \sum_{\tau\in\{0,1\}^k}\mathrm{COR}(a,b,\tau)^2. \qquad [2.3]$$

Linear cryptanalysis is fundamentally based on the fact that the correlations COR(a, b, τ) are independent of the key. In some cases, they can be computed and used to estimate cor_{E_K}(a, b) and the probability distribution of cor_{E_K}(a, b) over the key variable K, based on [2.2] and [2.3]. Such information, obtained in an offline analysis of the cipher, is then compared with information derived from data pairs (x, E_K(x)) obtained from the cipher with a fixed unknown key K.

2.3. Multidimensional linear approximation

A multidimensional linear approximation is a collection of linear approximations ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ which form a linear space. We denote this linear space by L, its dimension by t, and the vectorial Boolean function that has these linear approximations as its components by Λ. In other words, a linear approximation ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ corresponds to a unique mask on the output of Λ. We denote this mask by γ(a, b) ∈ {0,1}^t. Then ⟨γ(a, b), Λ(x)⟩ = ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ for all x. In many applications, the input mask a takes all possible values in certain input bit positions and, similarly, b takes, independently of a, all possible values in certain output bit positions. Let us denote by $\bar{a}$ the value of a truncated to these positions and, similarly, by $\bar{b}$ the truncated value of b. Then we can take γ(a, b) = ($\bar{a}$, $\bar{b}$), and t is the total number of bits of $\bar{a}$ and $\bar{b}$. Multidimensional linear cryptanalysis exploits the non-randomness of the probability distribution of the values of Λ, which can be expressed in terms of the correlations of the linear approximations through the following relation:

$$\Pr(\Lambda(x)=\eta) = 2^{-t}\sum_{(a,b)\in L}(-1)^{\langle\gamma(a,b),\eta\rangle}\,\mathrm{cor}_{E_K}(a,b). \qquad [2.4]$$


2.4. Walsh-Hadamard transform

Given a complex-valued function F : {0,1}^n → C, its Walsh-Hadamard transform (WHT) is another complex-valued function W_F : {0,1}^n → C defined as

$$W_F(w) = \frac{1}{\sqrt{2^n}}\sum_{x\in\{0,1\}^n}(-1)^{\langle w,x\rangle}F(x). \qquad [2.5]$$

Then G = W_F if and only if F = W_G, since the transformation [2.5] is an involution. Given the values of F, the transform W_F can be computed with the fast Walsh-Hadamard transform (FWHT) algorithm, which is analogous to the FFT algorithm of Cooley and Tukey (1965) and takes exactly n·2^n additions/subtractions and 2^n memory. The WHT has numerous applications in linear cryptanalysis. Given b ≠ 0, the correlations cor_{E_K}(a, b) for all a can be computed at once by applying the WHT to the function x ↦ (−1)^{⟨b, E_K(x)⟩}: with the normalization of [2.5], cor_{E_K}(a, b) = 2^{−n/2} W_F(a). While usually infeasible for the full cipher, this can be applied to smaller nonlinear components such as S-boxes. Another application is the computation of [2.4]. An application to accelerating key recovery is discussed in section 2.9.

2.5. Linear approximation of an iterative block cipher

An iterative key-alternating block cipher of block size n processes plaintexts x ∈ {0,1}^n and round keys K_0, K_1, ..., K_r (derived from K) by iterating key-independent round functions g_i, i = 1, ..., r, to obtain a ciphertext E_K(x). To simplify notation, we denote the expanded key K_0, ..., K_r by K and restrict to the case where the K_i ∈ {0,1}^n are added to the data between rounds using XOR addition:

x → ⊕K_0 → g_1 → ⊕K_1 → g_2 → ⊕K_2 → ··· → g_{r−1} → ⊕K_{r−1} → g_r → ⊕K_r → E_K(x)

Let r' ≤ r and let E'_K be a composition of r' rounds of the cipher. Then the correlation of a linear approximation over E'_K can be expressed as

$$\mathrm{cor}_{E'_K}(a,b) = \sum_{\substack{\tau\\ \tau_0=a,\ \tau_{r'}=b}}(-1)^{\langle\tau,K\rangle}\prod_{i=1}^{r'}\mathrm{cor}_{g_i}(\tau_{i-1},\tau_i), \qquad [2.6]$$

where the sum is taken over all (r'+1)-tuples τ = (τ_0, τ_1, ..., τ_{r'}) such that τ_0 = a and τ_{r'} = b. This representation was first given by Daemen et al. (1994), who introduced the notion of correlation matrix and observed that the correlation matrix


of a composition of functions is the matrix product of their correlation matrices. The sequence τ is called a linear trail of the linear approximation ⟨a, x⟩ ⊕ ⟨b, E'_K(x)⟩. The quantity $\prod_{i=1}^{r'}\mathrm{cor}_{g_i}(\tau_{i-1},\tau_i)$ is called the trail correlation of τ and is independent of the key. The term ⟨τ, K⟩ = ⟨τ_0, K_0⟩ ⊕ ⟨τ_1, K_1⟩ ⊕ ··· ⊕ ⟨τ_{r'}, K_{r'}⟩ depends solely on the key schedule. The impact of various key schedules on the correlations has been studied, for example, in Abdelraheem et al. (2012). If the round keys K_0, K_1, ..., K_{r'} are selected independently and uniformly from {0,1}^n, then

$$\mathrm{COR}(a,b,\tau) = \prod_{i=1}^{r'}\mathrm{cor}_{g_i}(\tau_{i-1},\tau_i) \quad\text{and}\quad \mathrm{ELP}(a,b) = \sum_{\substack{\tau\\ \tau_0=a,\ \tau_{r'}=b}}\Big(\prod_{i=1}^{r'}\mathrm{cor}_{g_i}(\tau_{i-1},\tau_i)\Big)^2.$$

Given a sample S of N plaintexts x and the corresponding values E'_K(x), the sample correlation is denoted by $\widehat{\mathrm{cor}}_{E'_K}(a,b)$ and defined as follows:

$$\widehat{\mathrm{cor}}_{E'_K}(a,b) = N^{-1}\sum_{x\in S}(-1)^{\langle a,x\rangle\oplus\langle b,E'_K(x)\rangle}. \qquad [2.7]$$
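The following Python script is an added example, not code from the book, that makes equations [2.1], [2.3], [2.5] and [2.6] concrete. It builds a two-round 4-bit key-alternating toy cipher whose round function g_1 = g_2 is a single S-box (the public PRESENT S-box, chosen only because it is small), computes the S-box correlation matrix with the FWHT as in section 2.4, checks for every (a, b) and a fixed key that the correlation from the definition equals the signed sum of trail correlations of [2.6], and checks that the ELP averaged over all 2^12 independent round-key triples equals the sum of squared trail correlations of [2.3]. The S-box, the toy cipher and the key values are all assumptions of the example.

```python
"""Correlations, FWHT and linear trails on a toy key-alternating cipher.

Added example, not code from the book: the S-box, the two-round toy cipher
and the key values are constructed for illustration.
"""
from fractions import Fraction
import itertools

N_BITS = 4
SIZE = 1 << N_BITS
# 4-bit S-box used as the round function g1 = g2 (the public PRESENT S-box).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """Inner product <a, x> as a bit: parity of the bitwise AND of the two operands."""
    return bin(v).count("1") & 1


def fwht(vec):
    """Fast Walsh-Hadamard transform, unnormalised: n 2^n additions/subtractions.
    Equation [2.5] scales the result by 2^{-n/2}; applying fwht twice gives 2^n times the input."""
    out = list(vec)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                u, v = out[j], out[j + h]
                out[j], out[j + h] = u + v, u - v
        h *= 2
    return out


def correlation_row(f, b, n=N_BITS):
    """cor_f(a, b) for every input mask a at a fixed output mask b (equation [2.1]),
    obtained with one FWHT of x -> (-1)^{<b, f(x)>} (the section 2.4 application)."""
    signs = [(-1) ** parity(b & f(x)) for x in range(1 << n)]
    return [Fraction(s, 1 << n) for s in fwht(signs)]


def correlation_matrix(f, n=N_BITS):
    """Correlation matrix of f, indexed as cor[a][b] (Daemen et al. 1994)."""
    rows = [correlation_row(f, b, n) for b in range(1 << n)]
    return [[rows[b][a] for b in range(1 << n)] for a in range(1 << n)]


COR_S = correlation_matrix(SBOX.__getitem__)


def toy_encrypt(x, keys):
    """Two-round key-alternating toy cipher: x -> +K0 -> S -> +K1 -> S -> +K2."""
    k0, k1, k2 = keys
    return SBOX[SBOX[x ^ k0] ^ k1] ^ k2


def direct_correlation(a, b, keys):
    """cor_{E_K}(a, b) straight from the definition [2.1] for a fixed key."""
    total = sum((-1) ** (parity(a & x) ^ parity(b & toy_encrypt(x, keys))) for x in range(SIZE))
    return Fraction(total, SIZE)


def trail_sum(a, b, keys):
    """Equation [2.6]: sum over trails tau = (a, t1, b) of (-1)^{<tau, K>} cor_S(a, t1) cor_S(t1, b)."""
    k0, k1, k2 = keys
    total = Fraction(0)
    for t1 in range(SIZE):
        sign = (-1) ** (parity(a & k0) ^ parity(t1 & k1) ^ parity(b & k2))
        total += sign * COR_S[a][t1] * COR_S[t1][b]
    return total


def elp_by_keys(a, b):
    """Left-hand side of [2.3]: average of cor^2 over all 2^{3n} independent round-key triples."""
    acc = Fraction(0)
    for keys in itertools.product(range(SIZE), repeat=3):
        acc += direct_correlation(a, b, keys) ** 2
    return acc / SIZE ** 3


def elp_by_trails(a, b):
    """Right-hand side of [2.3] with independent round keys: sum of squared trail correlations."""
    return sum((COR_S[a][t1] * COR_S[t1][b]) ** 2 for t1 in range(SIZE))


if __name__ == "__main__":
    keys = (0x3, 0x9, 0xE)  # constructed key triple (K0, K1, K2)
    a, b = 0x5, 0x9         # constructed masks
    print("largest |cor_S| over nonzero masks:",
          max(abs(COR_S[i][j]) for i in range(1, SIZE) for j in range(1, SIZE)))
    print("fixed-key correlation", direct_correlation(a, b, keys), "== trail sum", trail_sum(a, b, keys))
    print("ELP by key average", elp_by_keys(a, b), "== ELP by trails", elp_by_trails(a, b))
```

The key-average check is exact here because the cross terms (−1)^{⟨τ ⊕ τ', K⟩} between two distinct trails average to zero over independent uniform round keys; with a real key schedule the round keys are not independent and only the trail-sum form of [2.6] remains valid for a given key.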

In order to recover some key bits, the sample correlations are compared to the correlations obtained in the offline analysis of the cipher. There are two basic types of key recovery methods: Matsui's Algorithm 1 and Matsui's Algorithm 2 (Matsui 1993).

2.6. Matsui's Algorithm 1 type of key recovery

By equation [2.6], the correlation cor_{E'_K}(a, b) is a sum of signed trail correlations, where the signs depend on the key, so the correlation takes different values as the key varies. Algorithm 1 type attacks are possible for ciphers in which, for a significant proportion of the keys, the number of different values of cor_{E'_K}(a, b) is small.

In the original attack on the DES, Matsui used a linear approximation over the 16 rounds which has a single trail τ for which cor_{E_K}(a, b) ≈ (−1)^{⟨τ, K⟩} c holds for all keys, where c is the trail correlation of τ. Given a sample of sufficiently large size N, the cryptanalyst can determine the sign of cor_{E_K}(a, b) = (−1)^{⟨τ, K⟩} c from the sign of the sample correlation $\widehat{\mathrm{cor}}_{E_K}(a,b)$, which gives one bit of information on the key K. The size N was shown to be inversely proportional to c^2 up to a small constant. In this case, c = −1.49 · 2^{−23}, giving N = 2^47, which is significantly less than the full codebook size of 2^64. Modern ciphers are designed so that a single trail cannot determine the correlation of a linear approximation. For ciphers such as PRESENT and SIMON, it has been attempted to identify linear approximations dominated by a small number


of trails, which would mean that the correlation can only take a small number of sufficiently separated values as the key varies, and the correct key can be distinguished given a sufficiently large sample (Röck and Nyberg 2013; Ashur and Rijmen 2016). For DES, this approach of using multiple trails was investigated in Bogdanov and Vejre (2017).

2.7. Matsui's Algorithm 2 type of key recovery

This type of key recovery algorithm targets key bits used in some of the first and/or last rounds. The cipher is split as a composition E_K(x) = (H_K ∘ E'_K ∘ G_K)(x), where G_K and H_K represent the first and last rounds, respectively, and E'_K corresponds to the remaining r' < r rounds. The middle part E'_K is chosen so that there exist linear approximations ⟨a, x⟩ ⊕ ⟨b, E'_K(x)⟩ which have correlations larger than what one would expect from a random permutation. Matsui's Algorithm 2 on the full 16-round DES with round keys K_0, ..., K_15 splits the cipher as E_K(x) = g_16(E'_K(x) ⊕ K_15). A 15-round linear approximation similar to the 16-round one is used, and cor_{E'_K}(a, b) ≈ (−1)^{⟨τ, K⟩} c, where c is constant, holds for all keys K (Matsui 1993). The sample correlation can be computed by guessing the six bits of K_15 entering one S-box. The sample correlation for each of the 64 key candidates is computed and the candidate giving the largest sample correlation in absolute value is selected as the most likely value of the six key bits. One more bit of the key can be recovered by applying Algorithm 1 to E'_K. Similarly, by exchanging the roles of encryption and decryption, another seven bits of K can be recovered. The data complexity was shown to be inversely proportional to c^2 with a slightly larger constant than in Algorithm 1. It was estimated that the value c = 1.19 · 2^{−21} allows 14 bits of the key to be recovered with a high success rate using N = 2^47 known plaintexts. The remaining 42 unknown key bits are then recovered by exhaustive search.
The time complexity (if we ignore any final exhaustive search step) mainly depends on two factors: the data complexity and the number of key bits the attacker has to guess. If N plaintext-ciphertext pairs are used and s key bits are guessed, then computing the sample correlation for each key candidate separately results in a total of N·2^s partial encryptions. Matsui observed that many plaintext-ciphertext pairs share the same computation for the partial decryption and introduced an algorithm to reduce redundant computations (Matsui 1994a). It first classifies the plaintexts according to the part which is necessary for the key recovery and counts the number of occurrences of each possibility (distillation phase), and then performs the partial decryption once for each grouping and each key guess (analysis phase). The time complexity is then reduced to N memory accesses for the first step and 2^{2s} partial decryptions for the second. This improved algorithm, along with some other improvements, permitted an attack with 2^43 data complexity and a high success


probability of 85%, which was tested experimentally on a PC by recovering a full DES key. The total time and memory complexities of the key-recovery algorithms should not exceed those of the generic attack of exhaustive key search. Methods for speeding up the key recovery in Algorithm 2 attacks are described in section 2.9. Arguably, while the accuracy of Matsui's Algorithm 1 is weakened when several strong trails for the linear approximation are present, this is not a problem for Algorithm 2. The reason is that the latter only uses the squared trail correlation as a lower bound on the ELP of the linear approximation. For a brief survey of related statistical models, see section 2.11. Algorithm 2 has become the main method for linear cryptanalysis of iterated block ciphers. Instead of one linear approximation, it is common to exploit multiple and multidimensional linear approximations in a similar way. For a brief survey of methods to find suitable linear approximations, see section 2.8, and for the related statistical models, see sections 2.13 and 2.14.

2.8. Searching for linear approximations and estimating correlations

An important problem is that of finding linear approximations of a given cipher construction that exhibit large correlations. This is not only of interest to cryptanalysts: designers also require tools which provide upper bounds on the absolute correlation of any linear trail and on the ELP of any linear approximation in order to estimate security margins accurately. The main difficulty is the prohibitively large size of the search space. A branch-and-bound type algorithm was proposed in Matsui (1994b). It proceeds iteratively by extending a collection Γ_{r−1} = {τ = (τ_0, ..., τ_{r−1})} of (r−1)-round trails to a collection of r-round trails as follows:

1) For each τ ∈ Γ_{r−1}, consider all τ_r for which cor_{g_r}(τ_{r−1}, τ_r) ≠ 0. Each one provides an r-round trail τ' = (τ_0, ..., τ_{r−1}, τ_r).
2) Of all the r-round trails, only keep those whose trail correlation (in absolute value) exceeds a certain threshold, which depends on the computational resources.

The first step can often be performed efficiently because of the structure of g_r as small parallel S-boxes. For larger functions, such as modular addition, special algorithms allowing efficient mask searches have been developed (Nyberg and Wallén 2006). Another approach that has drawn some attention is using mixed integer linear programming (MILP) in order to automate the search. The idea consists of translating the design of the cipher into a set of linear constraints on a collection of integer-valued variables, so that each solution in the feasible region corresponds to a


linear trail. The problem of finding a linear trail of maximal correlation becomes a linear optimization problem, which can be solved using widely available software. The technique was first introduced in Mouha et al. (2011), where a word-oriented model helps prove lower bounds on the number of active S-boxes in AES linear trails. However, its word-oriented nature made it unable to construct explicit linear trails and incompatible with bit-oriented ciphers. Works by Sun et al. (2013, 2014) introduced bit-oriented models for SPN constructions as well as methods to model S-box linear approximations, which permitted the search for explicit linear trails. The method was adapted to ARX constructions in Fu et al. (2016). However, bit-oriented models often result in computationally expensive optimization problems, so there has been a noticeable effort to develop more efficient models, such as the work on S-boxes in Abdelkhalek et al. (2017) and Boura and Coggia (2020). A similar approach consists of translating the trail search problem into a satisfiability (SAT) problem, which was used to find differentials in Biryukov and Velichkov (2014) and Ankele and Kölbl (2018). Since these techniques are not fully suited to enumerating large numbers of trails, which is often needed to handle modern ciphers, new techniques have been developed, for example, using sparse correlation matrices (Abdelraheem 2012) and multistage graphs (Hall-Andersen and Vejre 2018). The latter also gives a summary of the known trails for 17 ciphers. To compute the probability distribution of a multidimensional linear approximation, two main approaches exist. First, valid estimates of the correlations of all the individual linear approximations in L can be acquired using the previous methods. Then one can use equation [2.4] to compute the probability distribution (or just its parameters, and then assume that it is normal or non-central χ²).
Second, algorithms have been developed to compute probability distributions directly given probability distributions of the components of the cipher (Englund and Maximov 2005; Maximov and Johansson 2005).

2.9. Speeding up key recovery

The analysis phase of the two-step variant of Algorithm 2 as described in section 2.7 can be accelerated and the time complexity reduced from O(2^{2s}) to O(s·2^s) using the FWHT (see section 2.4), as first shown in Collard et al. (2007). A key-recovery attack that separates the last round of a block cipher E_K(x) = (g_r ∘ E'_K)(x) ⊕ K_r is considered, given a linear approximation ⟨a, x⟩ ⊕ ⟨b, E'_K(x)⟩ over the first r − 1 rounds. The mask b determines certain s ≤ n bit positions of the ciphertext E_K(x) that are needed to invert the last round and compute the bit ⟨b, E'_K(x)⟩ = ⟨b, g_r^{−1}(E_K(x) ⊕ K_r)⟩. If this s-bit part of E_K(x) equals i, we write x → i. Let us denote by κ the corresponding s-bit part of K_r. The aim is to recover κ.


Let κ' be any last-round key whose s-bit part coincides with κ. Then there is a Boolean function ϕ from {0,1}^s to {0,1} such that ϕ(i ⊕ κ) = ⟨b, g_r^{−1}(E_K(x) ⊕ κ')⟩ for all κ ∈ {0,1}^s, i ∈ {0,1}^s and x such that x → i. To test a key candidate κ, the sample correlation of ⟨a, x⟩ ⊕ ⟨b, E'_K(x)⟩ is computed by replacing E'_K(x) with a value computed from the ciphertext using κ. We denote this test sample correlation by c(κ). Then we can write

$$c(\kappa) = N^{-1}\sum_{x\in S}(-1)^{\langle a,x\rangle\oplus\langle b,\,g_r^{-1}(E_K(x)\oplus\kappa')\rangle} = N^{-1}\sum_{i\in\{0,1\}^s}(-1)^{\varphi(i\oplus\kappa)}\sum_{\substack{x\in S\\ x\to i}}(-1)^{\langle a,x\rangle}. \qquad [2.8]$$

The inner sum on the right is independent of κ. It can be computed in the distillation phase in N steps and results in a vector u = (u_i), $u_i = \sum_{x\in S,\,x\to i}(-1)^{\langle a,x\rangle}$, i ∈ {0,1}^s. Let us denote by v = (v_j) the vector where v_j = (−1)^{ϕ(j)}, j ∈ {0,1}^s. This vector is also independent of κ and can be computed in 2^s steps. Then, by expression [2.8], the vector c(κ), κ ∈ {0,1}^s, is the convolution u ∗ v
where $(u*v)_\kappa = \sum_i v_{i\oplus\kappa}u_i$. The best-known algorithm is based on the convolution theorem, which states that the WHT of the convolution of two vectors is the component-wise product of the WHTs of these vectors. Hence, it takes three applications of the FWHT and one component-wise product of vectors of length 2^s, giving a total time complexity of 3s·2^s + 2^s steps using a memory of size 2^s. Adding the time taken to construct u and v, we get a total time complexity of (3s + 2)·2^s + N. The FWHT acceleration has been extended in several ways, for example to cases where key bits from more than one round are guessed. A version adapted to multidimensional linear cryptanalysis was introduced in Nguyen et al. (2011), and has the advantage that the cost of the distillation phase is independent of the number of approximations. More recently, Flórez-Gutiérrez and Naya-Plasencia (2020) introduced a generalized matrix description, which allows the attacker to optimize attacks with multiple rounds of key recovery, as well as providing pruned FWHT algorithms that can take advantage of the cipher's key schedule. The FWHT can also be used to speed up key recovery in a multidimensional Algorithm 1 type attack (see section 2.14). There are other techniques that allow the adversary to improve the time complexity of a linear key-recovery attack. In Chen and Wang (2016), a guess-split-combine approach is introduced as part of an attack on SIMON: the attacker first guesses some key bits. With this guess, the plaintext-ciphertext pairs are


split into groups so that within each one, some yet-to-be-guessed key bits interact linearly with the approximation and the key-recovery cost is lower. Finally, the information from each group is combined to obtain the experimental correlation for all key guesses.

2.10. Key-recovery distinguisher

In a linear key-recovery attack, the cryptanalyst is given N plaintext-ciphertext pairs (x, E_K(x)) and wants to recover a part of K. For each possible key candidate, a test statistic T_N is computed. It is assumed that the probability distribution of T_N is known for both wrong and right key guesses. The key candidate being wrong (respectively, right) is the null hypothesis (respectively, alternative hypothesis) of the key-recovery test. The efficiency of the test is described by its error probability α = Pr(guess is accepted | guess is wrong) and its success probability P_S = Pr(guess is accepted | guess is right). If the number of key candidates is 2^s, then around α·2^s = 2^{s−d} of them will be accepted, where d = −log_2(α). This is akin to saying that the distinguisher recovers d key bits. The difference P_S − α is called the distinguishing advantage of the test. Let us now assume that the cumulative distribution functions of T_N are known: F_W for the wrong keys and F_R for the right key, which on input θ give the probability that the value of T_N is at most θ. Although in linear cryptanalysis the probability distributions are discrete, continuous approximations are usually considered. Let us assume there is a threshold value Θ for which F_W(Θ) > F_R(Θ). After computing the value T of T_N, it is decided that T_N is drawn from the distribution F_W (respectively, F_R) if T ≤ Θ (respectively, T > Θ). Then α = 1 − F_W(Θ) and P_S = 1 − F_R(Θ), so that F_W(Θ) > F_R(Θ) guarantees that P_S > α. Then

$$\Theta = F_W^{-1}(1-\alpha) = F_R^{-1}(1-P_S) \quad\text{and}\quad P_S = 1 - F_R\big(F_W^{-1}(1-\alpha)\big). \qquad [2.9]$$

The parameters of F_W and F_R depend on N, and we want α to decrease and P_S to increase as N increases. The test equation [2.9] provides trade-offs between α, P_S and N, and determines Θ. In practice, it can be difficult to obtain the exact distribution functions F_W and F_R, so certain assumptions are made. It is commonly assumed that the wrong-key distribution F_W of T_N is computed from pairs (x, P(x)), where P is a random permutation. This assumption is known as the wrong-key hypothesis. The rest of this chapter describes the wrong-key and right-key probability distributions for some commonly used linear cryptanalysis statistics.

Studies on linear cryptanalysis often assume plaintext-ciphertext pairs to be drawn independently, which implies sampling with replacement, with the argument that sampling without replacement would imply choosing plaintexts and contradict

Linear Cryptanalysis

39

the essence of a “known plaintext attack”. On the other hand, it is acknowledged that duplicated plaintext-ciphertext pairs do not provide new information, so experimental linear cryptanalysis on practical ciphers typically uses distinct known plaintexts. In practical applications, the raw data are rarely non-repeating, so duplicates have to be removed anyway before the data are used for statistical analysis (in O(N) memory and time). Linear cryptanalysis is most commonly used to estimate how many rounds of an iterative block cipher can be attacked when the whole codebook is available. Obtaining the whole codebook using sampling with replacement introduces unnecessary uncertainty to the model that can be avoided if sampling is without replacement.

2.11. Classical model of Algorithm 2

This model applies to Matsui's Algorithm 2 using a single linear approximation and $T_N = \widehat{\mathrm{cor}}_{E_K}(a, b)$ as described in section 2.7. In the wrong-key case, the expected value is zero, while in the right-key case a significant deviation from zero can be expected. The sample is drawn with replacement. Then the wrong-key distribution of T_N can be approximated by N(0, 1/N), since $\widehat{\mathrm{cor}}_{E_K}(a, b) = 2T/N - 1$, where the counter T is drawn from the binomial distribution B(N, 1/2) corresponding to a sample of N independent binary variables with correlation zero. For a fixed right key, T is drawn from the binomial distribution B(N, p), where p ≠ 1/2, and the distribution of the sample correlation can be approximated by N(2p − 1, 4p(1 − p)/N). It is assumed (see section 2.7) that the mean has only two possible values ±c, each occurring with probability 1/2. Let F_R^- and F_R^+ be the cumulative distribution functions of N(±c, (1 − c²)/N) with the respective signs. We can assume c > 0. Then a threshold Θ > 0 can be fixed so that the null hypothesis is accepted if −Θ ≤ T_N ≤ Θ. For this two-sided test, we have α = 2(1 − F_W(Θ)) and

$$P_S = \tfrac{1}{2} F_R^-(-\Theta) + \tfrac{1}{2}\big(1 - F_R^+(\Theta)\big) = F_R^-(-\Theta) = 1 - F_R^+(\Theta) = \Phi\left(\frac{c - \Phi^{-1}\big(1 - 2^{-(d+1)}\big)\sqrt{1/N}}{\sqrt{(1-c^2)/N}}\right), \qquad [2.10]$$

where Φ denotes the standard normal cumulative distribution function. By approximating 1 − c² ≈ 1, the formula presented in Selçuk (2008) is obtained. When fixing P_S and d, the sample size N is inversely proportional to c². This model assumes a linear approximation with a single dominant linear trail. Since this is false and the correlation is key dependent with average value zero for most modern ciphers, we must consider randomization over the keyspace.
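As an added example that is not part of the chapter, the following Python evaluates formula [2.10] for the two-sided test of this section and checks it against a simulation in which the right-key counter T is drawn from B(N, p) with p = (1 + c)/2; the values c = 2^{-3}, N = 2^{10} and d = 8, and the function names, are constructed for the demonstration.

```python
# Added example, not code from the chapter: the two-sided test of section
# 2.11 for Matsui's Algorithm 2 with one approximation. Formula [2.10] is
# evaluated with the chapter's symbols (c, N, d) and checked by drawing the
# right-key counter T from B(N, p) with p = (1 + c)/2; the numeric values
# (c = 2^-3, N = 2^10, d = 8) are constructed for the demonstration.
import math
import random
from statistics import NormalDist

PHI = NormalDist()  # standard normal: PHI.cdf is Phi, PHI.inv_cdf is Phi^-1


def threshold(n_samples, d):
    """Theta such that alpha = 2(1 - F_W(Theta)) = 2^-d, F_W being the cdf of N(0, 1/N)."""
    return PHI.inv_cdf(1 - 2 ** -(d + 1)) / math.sqrt(n_samples)


def success_probability(c, n_samples, d):
    """Formula [2.10]: P_S = Phi((c - Phi^-1(1 - 2^-(d+1)) sqrt(1/N)) / sqrt((1 - c^2)/N))."""
    numerator = c - PHI.inv_cdf(1 - 2 ** -(d + 1)) * math.sqrt(1 / n_samples)
    return PHI.cdf(numerator / math.sqrt((1 - c * c) / n_samples))


def selcuk_success_probability(c, n_samples, d):
    """The same with the approximation 1 - c^2 ~ 1 (Selcuk 2008)."""
    return PHI.cdf(c * math.sqrt(n_samples) - PHI.inv_cdf(1 - 2 ** -(d + 1)))


def data_complexity(c, d, target_ps):
    """N needed for success probability target_ps (inverting the Selcuk form);
    this makes the 1/c^2 dependence of the sample size explicit."""
    return ((PHI.inv_cdf(target_ps) + PHI.inv_cdf(1 - 2 ** -(d + 1))) / c) ** 2


def key_candidate_accepted(counter, n_samples, d):
    """Algorithm 2 decision for one key candidate: T_N = 2T/N - 1, and the
    wrong-key (null) hypothesis is rejected, i.e. the candidate kept, if |T_N| > Theta."""
    sample_cor = 2 * counter / n_samples - 1
    return abs(sample_cor) > threshold(n_samples, d)


def simulate_success_rate(c, n_samples, d, trials, seed=1):
    """Fraction of right-key trials kept when T ~ B(N, (1 + c)/2) (seeded, reproducible)."""
    rng = random.Random(seed)
    p = (1 + c) / 2
    kept = 0
    for _ in range(trials):
        counter = sum(1 for _ in range(n_samples) if rng.random() < p)
        kept += key_candidate_accepted(counter, n_samples, d)
    return kept / trials


if __name__ == "__main__":
    c, n_samples, d = 2 ** -3, 2 ** 10, 8
    print("Theta            :", threshold(n_samples, d))
    print("P_S from [2.10]  :", success_probability(c, n_samples, d))
    print("P_S, Selcuk form :", selcuk_success_probability(c, n_samples, d))
    print("P_S, simulated   :", simulate_success_rate(c, n_samples, d, 1500))
    print("N for P_S = 0.95 :", data_complexity(c, d, 0.95))
```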


2.12. Algorithm 2 with distinct known plaintext and randomized key

Let us start by estimating the probability distribution of the sample correlation $\widehat{\mathrm{cor}}_{E_K}(a, b)$ over a uniformly distributed key. For an n-bit random permutation P, this distribution can be approximated by N(0, 2^{−n}) (Daemen and Rijmen 2007). For the right-key case, it is common to estimate the mean c and variance ELP(a, b) − c² of the correlation and then assume a normal distribution.

The sample correlation $T_N = \widehat{\mathrm{cor}}_{E_K}(a, b)$ assuming distinct plaintexts with a fixed key K is modeled using the normal approximation of a hypergeometric distribution (Blondeau and Nyberg 2017). Then the right-key (respectively, wrong-key) sample correlation taken over a random key and a random sample without replacement follows the distribution N(c, 1/N − 2^{−n} + ELP(a, b) − c²) (respectively, N(0, 1/N)). For most modern ciphers, it is realistic to assume c = 0.

If ELP(a, b) > 2^{−n}, the cryptanalyst can define a two-sided test, for which

$$\Phi^{-1}\big(1 - 2^{-(d+1)}\big) = \sqrt{1 + N\big(\mathrm{ELP}(a,b) - 2^{-n}\big)}\;\Phi^{-1}\Big(1 - \frac{P_S}{2}\Big),$$

which shows that N is inversely proportional to ELP(a, b) − 2^{−n}. Another interesting possibility is the case ELP(a, b) = 0, which is exploited in zero-correlation linear cryptanalysis (see Chapter 4). Then the probability distributions to be distinguished are N(0, 1/N) and N(0, 1/N − 2^{−n}) if the sampling is without replacement.

The two-sided tests discussed above are equivalent to one-sided tests that use the squared sample correlation as the test statistic and the χ² distribution. If we consider a uniformly distributed key and a random data sample with N distinct plaintexts, the statistic $T_N = N\,\widehat{\mathrm{cor}}_{E_K}(a, b)^2$ follows a χ² distribution with one degree of freedom if the key is wrong, and so does $(1 + N(\mathrm{ELP} - 2^{-n}))^{-1}\, T_N$ for the right key, assuming that ELP > 2^{−n}. Then we can define a one-sided χ² test as described in section 2.10.

2.13. Multiple linear approximations

The idea of using multiple linear approximations started with using several linear approximations involving the same key bits (Kaliski Jr. and Robshaw 1994; Junod and Vaudenay 2003). A new statistic combining information from multiple independent linear approximations was presented in Biryukov et al. (2004). It generalizes Matsui's Algorithm 1 and assumes the correlations of the ℓ linear approximations are known


and have two possible values (−1)^{z_j} cor_{E_K}(a_j, b_j) depending on the key. The bits z_1, …, z_ℓ divide the keys into 2^ℓ key classes. The test statistic is

$$T_N = \sum_{j=1}^{\ell} \Big(\widehat{\mathrm{cor}}_{E_K}(a_j, b_j) - (-1)^{z_j}\,\mathrm{cor}_{E_K}(a_j, b_j)\Big)^2.$$

The correct key class is the binary vector (z_1, …, z_ℓ) which minimizes this statistic. A measure of the success of the test called gain was introduced, and it was shown that for a fixed gain the data complexity is inversely proportional to the capacity of the set of linear approximations $C = \sum_{j=1}^{\ell} \mathrm{cor}_{E_K}(a_j, b_j)^2$.

A more advanced model with key randomization is obtained by generalizing the χ² statistic presented at the end of section 2.12 to multiple linear approximations. It applies to Algorithm 2 type attacks. Let us assume that the cryptanalyst is given ℓ linear approximations ⟨a_j, x⟩ ⊕ ⟨b_j, E_K(x)⟩ such that their correlations have equal ELP(a_j, b_j) = ELP. We also assume the sample correlations are pairwise statistically independent. The statistic $T_N = N \sum_{j=1}^{\ell} \widehat{\mathrm{cor}}_{E_K}(a_j, b_j)^2$ follows a χ² distribution with ℓ degrees of freedom in the wrong-key case, as does $(1 + N(\mathrm{ELP} - 2^{-n}))^{-1}\, T_N$ in the right-key case, assuming ELP > 2^{−n}. Then we can define a one-sided test as shown in Blondeau and Nyberg (2017); Bogdanov et al. (2018). To give an impression of how the data complexity N depends on ℓ and ELP, we use the normal approximation of the χ² distribution (valid for large ℓ) to get

$$N = \frac{\Phi^{-1}(1-\alpha) + \Phi^{-1}(P_S)}{\big(\sqrt{\ell/2} - \Phi^{-1}(P_S)\big)\big(\mathrm{ELP} - 2^{-n}\big)}.$$

Since Φ^{−1}(P_S) is typically small, we deduce that linear cryptanalysis of an n-bit block cipher using a large number ℓ of equally strong linear approximations has data complexity (approximately) inversely proportional to √ℓ (ELP − 2^{−n}). The best linear attack on the PRESENT-80 cipher known today covers 28 rounds of the cipher. It exploits the χ² model given above with correlations of 296 linear approximations over 24 rounds (Flórez-Gutiérrez and Naya-Plasencia 2020).

Since the statistical independence of linear approximations cannot be proven theoretically, the validity of the results is often tested experimentally. One approach to handle dependency, called multivariate profiling, was proposed in Bogdanov et al. (2018). In Biham and Perle (2018), it was observed that when two linear approximations are dependent, the bias of one can increase by fixing the value of the other (conditional linear cryptanalysis). These considerations can be avoided by using all linear approximations in a linear subspace, as is done in multidimensional linear cryptanalysis.


2.14. Multidimensional linear cryptanalysis

Multidimensional linear cryptanalysis was introduced in Baignères et al. (2004). The idea is to distinguish a probability distribution obtained from a (not necessarily binary) cipher from a random one. The attacker is given a sample distribution $\hat{p}(\eta)$ and has to decide from which of the two candidates p_0(η) and p_1(η) it was drawn. The optimal distinguisher is based on the log-likelihood ratio (LLR) statistic

$$T_N = N \sum_{\eta \in \{0,1\}^t} \hat{p}(\eta) \log \frac{p_1(\eta)}{p_0(\eta)}.$$

In multidimensional linear cryptanalysis, p_0 and p_1 are the wrong-key and right-key probability distributions of η = Λ(x) ∈ {0,1}^t, where Λ is the multidimensional linear approximation determined by a linear space L of linear approximations ⟨a, x⟩ ⊕ ⟨b, E_K(x)⟩ as described in section 2.3. The null hypothesis is typically accepted if T_N < 0. The efficiency of the test depends on the squared Euclidean imbalance (SEI) of p_1,

$$C = 2^t \sum_{\eta\in\{0,1\}^t} \big(p_1(\eta) - 2^{-t}\big)^2 = \sum_{(a,b)\in L,\;(a,b)\neq(0,0)} \mathrm{cor}_{E_K}(a,b)^2,$$

also called the capacity of Λ. The equality of the two expressions of the SEI (capacity) is due to [2.4]. For fixed α and P_S, the data complexity N is inversely proportional to the SEI of the right-key distribution (Baignères et al. 2004; Hermelin et al. 2019). More recently, Lee and Kim (2019) introduced a new statistic, as well as showing that the LLR statistic (see section 2.14) is separable, which means it can be used in multiple linear cryptanalysis under the independence assumption.

Another common goodness-of-fit test of probability distributions is the χ² test, which for multidimensional linear cryptanalysis is defined as

$$T_N = N\, 2^t \sum_{\eta\in\{0,1\}^t} \big(\hat{p}(\eta) - 2^{-t}\big)^2 = N \sum_{(a,b)\in L,\;(a,b)\neq(0,0)} \widehat{\mathrm{cor}}_{E_K}(a,b)^2.$$
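As an added example (not code from the chapter), the following Python uses the fast Walsh-Hadamard transform both for the key-recovery convolution (u ∗ v)_κ of section 2.9 and to evaluate the χ² statistic just defined in its two equivalent forms; the counters, the histograms of η and the use of the normal approximation of the χ² distribution for the threshold are constructed assumptions.

```python
# Added example, not code from the chapter: the FWHT used (i) for the
# key-recovery convolution (u * v)_kappa of section 2.9 and (ii) to evaluate
# the multidimensional chi-square statistic of section 2.14 in both of its
# forms. The threshold uses the normal approximation of chi^2, an assumption
# made here in the spirit of section 2.13 (large number of degrees of freedom).
import math
from statistics import NormalDist


def fwht(vec):
    """Unnormalised fast Walsh-Hadamard transform of a length-2^s sequence.

    Returns W(vec)(w) = sum_i vec[i] * (-1)^{<w, i>} for every w, in s*2^s steps.
    """
    a = list(vec)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a


def convolve_xor(u, v):
    """(u * v)_kappa = sum_i v[i ^ kappa] * u[i] for all 2^s values of kappa at once.

    Convolution theorem: W(u * v) = W(u) . W(v), so three FWHTs and one
    component-wise product replace the 2^(2s) naive loop. The inputs are
    integer counters, so the final division by 2^s is exact.
    """
    size = len(u)
    prod = [x * y for x, y in zip(fwht(u), fwht(v))]
    return [c // size for c in fwht(prod)]


def convolve_xor_naive(u, v):
    """Reference O(2^(2s)) computation of the same vector, used as a check."""
    size = len(u)
    return [sum(v[i ^ k] * u[i] for i in range(size)) for k in range(size)]


def chi2_from_distribution(counts):
    """T_N = N 2^t sum_eta (phat(eta) - 2^-t)^2 from a histogram of eta = Lambda(x)."""
    n_samples, m = sum(counts), len(counts)
    return n_samples * m * sum((c / n_samples - 1 / m) ** 2 for c in counts)


def chi2_from_correlations(counts):
    """The same T_N written as N * sum over (a,b) != 0 in L of cor-hat(a,b)^2.

    W(phat)(w) is the sample correlation of the approximation indexed by w in
    the t-dimensional space; w = 0 is the trivial approximation (correlation 1),
    so the two forms agree by Parseval's identity (the chapter's relation [2.4]).
    """
    n_samples = sum(counts)
    cors = [w / n_samples for w in fwht(counts)]
    return n_samples * sum(c * c for c in cors[1:])


def chi2_threshold(dof, alpha):
    """Theta of the one-sided test (reject the wrong-key hypothesis if T_N > Theta),
    from the normal approximation N(dof, 2 dof) of chi^2 with dof = 2^t - 1."""
    return dof + math.sqrt(2 * dof) * NormalDist().inv_cdf(1 - alpha)


def key_guess_accepted(counts, alpha):
    """True when the histogram rejects the wrong-key (uniform) hypothesis."""
    return chi2_from_correlations(counts) > chi2_threshold(len(counts) - 1, alpha)


# Constructed histograms of eta = Lambda(x) for t = 3 over N = 900 samples:
# one visibly biased (a right-key candidate), one close to uniform (wrong key).
RIGHT_KEY_COUNTS = [200, 100, 100, 100, 100, 100, 100, 100]
WRONG_KEY_COUNTS = [115, 110, 113, 112, 114, 111, 113, 112]
# Constructed counters u and v indexed by s = 3 guessed key bits.
U_COUNTERS = [5, 3, 0, 7, 2, 2, 9, 1]
V_COUNTERS = [1, 4, 4, 0, 6, 3, 2, 8]

if __name__ == "__main__":
    fast, naive = convolve_xor(U_COUNTERS, V_COUNTERS), convolve_xor_naive(U_COUNTERS, V_COUNTERS)
    print("FWHT convolution matches naive:", fast == naive, fast)
    for name, counts in (("right key", RIGHT_KEY_COUNTS), ("wrong key", WRONG_KEY_COUNTS)):
        print(name, round(chi2_from_distribution(counts), 4),
              round(chi2_from_correlations(counts), 4), key_guess_accepted(counts, 2 ** -4))
```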

Although the χ² test is theoretically weaker than the LLR test, it can be computed without the right-key correlations of the approximations (Vaudenay 1996). Knowledge of the capacity is only needed to set up the test and estimate its efficiency. The wrong-key and right-key χ² distributions of T_N over a random sample of N known plaintext-ciphertext pairs are given in Hermelin et al. (2019). It is also shown that the data complexity is inversely proportional to C/√(2^t − 1).

Other tests for multidimensional linear cryptanalysis have been proposed. For example, the method of Biryukov et al. (2004) can be extended to handle all linear


approximations spanned by the base approximations. The resulting multidimensional statistic is equivalent to the convolution statistic proposed in Hermelin and Nyberg (2010). Due to the fast computation of convolution using the FWHT, the time complexity of the Algorithm 1 type key-recovery algorithm is O(2^ℓ), that is, about the same as when using ℓ linearly independent approximations and the multiple linear cryptanalysis method of Biryukov et al. (2004).

When forming linear subspaces of linear approximations, it is sometimes unavoidable to include approximations where either the input or the output mask is zero, and which do not contribute to the capacity. This can be avoided by using approximations in an affine subspace (Nyberg 2019). The probability distributions of the multidimensional χ² statistic T_N over both a random sample and a random key are given in Blondeau and Nyberg (2017). A more detailed analysis of the wrong-key distributions is presented in Ashur et al. (2022) for linear approximations that form a linear or an affine subspace.

To conclude, let us briefly discuss the links between linear and differential cryptanalysis. The search algorithms for linear trails and differential characteristics are mostly identical. The structural properties of a cipher imply in many cases similar resistance, or vulnerabilities, against differential and linear type cryptanalysis (e.g. Sun et al. 2015). The mathematical link between linear and differential cryptanalysis discovered in Chabaud and Vaudenay (1994) was later extended to show that the capacity of a multidimensional linear approximation is equal to the probability of a certain truncated differential (Blondeau and Nyberg 2014).
While no differential attack based on a direct search for differential characteristics of PRESENT could break more than 20 rounds of the cipher, this link allows the known multidimensional linear attack over 26 rounds (Cho 2010) to be turned into a differential-type attack breaking equally many rounds with about the same data complexity and a slightly reduced estimated memory complexity.

2.15. References

Abdelkhalek, A., Sasaki, Y., Todo, Y., Tolba, M., Youssef, A.M. (2017). MILP modeling for (large) S-boxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptol., 2017(4), 99–129.
Abdelraheem, M.A. (2012). Estimating the probabilities of low-weight differential and linear approximations on PRESENT-like ciphers. In ICISC 2012, vol. 7839 of Lecture Notes in Computer Science, Kwon, T., Lee, M., Kwon, D. (eds). Springer.
Abdelraheem, M.A., Ågren, M., Beelen, P., Leander, G. (2012). On the distribution of linear biases: Three instructive examples. In CRYPTO 2012, vol. 7417 of Lecture Notes in Computer Science, Safavi-Naini, R., Canetti, R. (eds). Springer.
Ankele, R. and Kölbl, S. (2018). Mind the gap – A closer look at the security of block ciphers against differential cryptanalysis. In SAC 2018, vol. 11349 of Lecture Notes in Computer Science, Cid, C., Jacobson Jr., M.J. (eds). Springer.


Ashur, T. and Rijmen, V. (2016). On linear hulls and trails. In INDOCRYPT 2016, vol. 10095 of Lecture Notes in Computer Science. Springer.
Ashur, T., Khan, M., Nyberg, K. (2022). Structural and statistical analysis of multidimensional linear approximations of random functions and permutations. IEEE Transactions on Information Theory, 68(2), 1296–1315.
Baignères, T., Junod, P., Vaudenay, S. (2004). How far can we go beyond linear cryptanalysis? In ASIACRYPT 2004, vol. 3329 of Lecture Notes in Computer Science, Lee, P.J. (ed.). Springer.
Biham, E. and Perle, S. (2018). Conditional linear cryptanalysis – Cryptanalysis of DES with less than 2^42 complexity. IACR Trans. Symmetric Cryptol., 2018(3), 215–264.
Biryukov, A. and Velichkov, V. (2014). Automatic search for differential trails in ARX ciphers. In CT-RSA 2014, vol. 8366 of Lecture Notes in Computer Science, Benaloh, J. (ed.). Springer.
Biryukov, A., Cannière, C.D., Quisquater, M. (2004). On multiple linear approximations. In CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science. Springer.
Blondeau, C. and Nyberg, K. (2014). Links between truncated differential and multidimensional linear properties of block ciphers and underlying attack complexities. In EUROCRYPT 2014, vol. 8441 of Lecture Notes in Computer Science, Nguyen, P.Q., Oswald, E. (eds). Springer.
Blondeau, C. and Nyberg, K. (2017). Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Cryptogr., 82(1–2), 319–349.
Bogdanov, A. and Vejre, P.S. (2017). Linear cryptanalysis of DES with asymmetries. In ASIACRYPT 2017, Part I, vol. 10624 of Lecture Notes in Computer Science, Takagi, T., Peyrin, T. (eds). Springer.
Bogdanov, A., Tischhauser, E., Vejre, P.S. (2018). Multivariate profiling of hulls for linear cryptanalysis. IACR Trans. Symmetric Cryptol., 2018(1), 101–125.
Boura, C. and Coggia, D. (2020). Efficient MILP modelings for S-boxes and linear layers of SPN ciphers. IACR Trans. Symmetric Cryptol., 2020(3), 327–361.
Chabaud, F. and Vaudenay, S. (1994). Links between differential and linear cryptanalysis. In EUROCRYPT ’94, vol. 950 of Lecture Notes in Computer Science, Santis, A.D. (ed.). Springer.
Chen, H. and Wang, X. (2016). Improved linear hull attack on round-reduced Simon with dynamic key-guessing techniques. In FSE 2016, vol. 9783 of Lecture Notes in Computer Science. Springer.
Cho, J.Y. (2010). Linear cryptanalysis of reduced-round PRESENT. In CT-RSA 2010, vol. 5985 of Lecture Notes in Computer Science, Pieprzyk, J. (ed.). Springer.
Collard, B., Standaert, F., Quisquater, J. (2007). Improving the time complexity of Matsui’s linear cryptanalysis. In ICISC 2007, vol. 4817 of Lecture Notes in Computer Science, Nam, K., Rhee, G. (eds). Springer.
Cooley, J. and Tukey, J. (1965). An algorithm for the machine calculation of complex Fourier series. Mathematics of Computation, 19, 297–301.
Daemen, J. and Rijmen, V. (2007). Probability distributions of correlation and differentials in block ciphers. J. Mathematical Cryptology, 1(3), 221–242.


Daemen, J., Govaerts, R., Vandewalle, J. (1994). Correlation matrices. In FSE ’94, vol. 1008 of Lecture Notes in Computer Science, Preneel, B. (ed.). Springer.
Englund, H. and Maximov, A. (2005). Attack the dragon. In INDOCRYPT 2005, vol. 3797 of Lecture Notes in Computer Science, Maitra, S., Madhavan, C.E.V., Venkatesan, R. (eds). Springer.
Flórez-Gutiérrez, A. and Naya-Plasencia, M. (2020). Improving key-recovery in linear attacks: Application to 28-round PRESENT. In EUROCRYPT 2020, Part I, vol. 12105 of Lecture Notes in Computer Science, Canteaut, A., Ishai, Y. (eds). Springer.
Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L. (2016). MILP-based automatic search algorithms for differential and linear trails for Speck. In FSE 2016, vol. 9783 of Lecture Notes in Computer Science, Peyrin, T. (ed.). Springer.
Hall-Andersen, M. and Vejre, P.S. (2018). Generating graphs packed with paths: Estimation of linear approximations and differentials. IACR Trans. Symmetric Cryptol., 2018(3), 265–289.
Hermelin, M. and Nyberg, K. (2010). Dependent linear approximations: The algorithm of Biryukov and others revisited. In CT-RSA 2010, vol. 5985 of Lecture Notes in Computer Science, Pieprzyk, J. (ed.). Springer.
Hermelin, M., Cho, J.Y., Nyberg, K. (2019). Multidimensional linear cryptanalysis. J. Cryptology, 32(1), 1–34.
Junod, P. and Vaudenay, S. (2003). Optimal key ranking procedures in a statistical cryptanalysis. In FSE 2003, vol. 2887 of Lecture Notes in Computer Science, Johansson, T. (ed.). Springer.
Kaliski Jr., B.S. and Robshaw, M.J.B. (1994). Linear cryptanalysis using multiple approximations. In CRYPTO ’94, vol. 839 of Lecture Notes in Computer Science. Springer.
Lee, J. and Kim, W. (2019). Multiple linear cryptanalysis using linear statistics. IACR Trans. Symmetric Cryptol., 2019(4), 369–406.
Matsui, M. (1993). Linear cryptanalysis method for DES cipher. In EUROCRYPT ’93, vol. 765 of Lecture Notes in Computer Science, Helleseth, T. (ed.). Springer.
Matsui, M. (1994a). The first experimental cryptanalysis of the data encryption standard. In CRYPTO ’94, vol. 839 of Lecture Notes in Computer Science, Desmedt, Y. (ed.). Springer.
Matsui, M. (1994b). On correlation between the order of S-boxes and the strength of DES. In EUROCRYPT ’94, vol. 950 of Lecture Notes in Computer Science, Santis, A.D. (ed.). Springer.
Maximov, A. and Johansson, T. (2005). Fast computation of large distributions and its cryptographic applications. In ASIACRYPT 2005, vol. 3788 of Lecture Notes in Computer Science, Roy, B.K. (ed.). Springer.
Meier, W. and Staffelbach, O. (1992). Correlation properties of combiners with memory in stream ciphers. J. Cryptol., 5(1), 67–86.
Mouha, N., Wang, Q., Gu, D., Preneel, B. (2011). Differential and linear cryptanalysis using mixed-integer linear programming. In Inscrypt 2011, vol. 7537 of Lecture Notes in Computer Science, Wu, C., Yung, M., Lin, D. (eds). Springer.
Nguyen, P.H., Wu, H., Wang, H. (2011). Improving the algorithm 2 in multidimensional linear cryptanalysis. In ACISP 2011, vol. 6812 of Lecture Notes in Computer Science, Parampalli, U., Hawkes, P. (eds). Springer.


Nyberg, K. (1994). Linear approximation of block ciphers. In EUROCRYPT ’94, vol. 950 of Lecture Notes in Computer Science, Santis, A.D. (ed.). Springer.
Nyberg, K. (2019). Affine linear cryptanalysis. Cryptography and Communications, 11(3), 367–377.
Nyberg, K. and Wallén, J. (2006). Improved linear distinguishers for SNOW 2.0. In FSE 2006, vol. 4047 of Lecture Notes in Computer Science, Robshaw, M.J.B. (ed.). Springer.
Röck, A. and Nyberg, K. (2013). Generalization of Matsui’s Algorithm 1 to linear hull for key-alternating block ciphers. Des. Codes Cryptography, 66(1–3), 175–193.
Rueppel, R.A. (1985). Correlation immunity and the summation generator. In CRYPTO ’85, vol. 218 of Lecture Notes in Computer Science, Williams, H.C. (ed.). Springer.
Selçuk, A.A. (2008). On probability of success in linear and differential cryptanalysis. J. Cryptology, 21(1), 131–147.
Shimizu, A. and Miyaguchi, S. (1987). Fast data encipherment algorithm FEAL. In EUROCRYPT ’87, vol. 304 of Lecture Notes in Computer Science, Chaum, D., Price, W.L. (eds). Springer.
Sun, S., Hu, L., Song, L., Xie, Y., Wang, P. (2013). Automatic security evaluation of block ciphers with S-bP structures against related-key differential attacks. In Inscrypt 2013, vol. 8567 of Lecture Notes in Computer Science, Lin, D., Xu, S., Yung, M. (eds). Springer.
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L. (2014). Automatic security evaluation and (related-key) differential characteristic search: Application to Simon, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In ASIACRYPT 2014, Part I, vol. 8873 of Lecture Notes in Computer Science, Sarkar, P., Iwata, T. (eds). Springer.
Sun, B., Liu, Z., Rijmen, V., Li, R., Cheng, L., Wang, Q., AlKhzaimi, H., Li, C. (2015). Links among impossible differential, integral and zero correlation linear cryptanalysis. In CRYPTO 2015, Part I, vol. 9215 of Lecture Notes in Computer Science, Gennaro, R., Robshaw, M. (eds). Springer.
Tardy-Corfdir, A. and Gilbert, H. (1991). A known plaintext attack of FEAL-4 and FEAL-6. In CRYPTO ’91, vol. 576 of Lecture Notes in Computer Science, Feigenbaum, J. (ed.). Springer.
Vaudenay, S. (1996). An experiment on DES statistical cryptanalysis. In CCS ’96, Gong, L., Stearn, J. (eds). ACM.

3

Impossible Differential Cryptanalysis

Christina BOURA¹ and María NAYA-PLASENCIA²

¹ University of Paris-Saclay, UVSQ, CNRS, Versailles, France
² Inria, Paris, France

Impossible differential cryptanalysis is a powerful family of attacks against block ciphers that was independently introduced by Knudsen (1998) and Biham et al. (1999a) in the late 1990s. The idea of these attacks is to exploit impossible differentials, that is, differentials occurring with probability zero. The general approach is then to extend the impossible differential by some rounds, possibly in both directions; we guess the key bits that intervene in these rounds and check whether a trial pair is partially encrypted (or decrypted) to the impossible differential. In this case, we know that the guessed key bits are certainly wrong and we can remove the corresponding key from the space of candidate keys, that is, the set that contains all keys that could pretend to be the right encryption key. These attacks have so far been successfully applied to a large number of block ciphers following both the Feistel and the SPN construction. In some cases, these attacks lead to the best cryptanalysis results for the target cipher, as is, for example, the case for the multiply standardized Feistel cipher CAMELLIA (Liu et al. 2012; Boura et al. 2014). Furthermore, impossible differential attacks were for a long time the most successful attacks against AES-128 (Zhang et al. 2007; Lu et al. 2008a; Mala et al. 2010). As in the case of most cryptanalysis techniques, an impossible differential attack is divided into two parts: a distinguisher part followed by a key-recovery step. The

Symmetric Cryptography 2, coordinated by Christina B OURA and María NAYA -P LASENCIA. © ISTE Ltd 2023.


first one deals with the discovery of a maximum-length impossible differential, that is, an input difference D_X and an output difference D_Y such that the probability that D_X propagates after a certain number of rounds, r_D, to D_Y is zero. The key-recovery step, whose main part is the key sieving, consists of the addition of some rounds, potentially in both directions. These extra added rounds serve to verify which keys would partially encrypt (respectively, decrypt) data to the impossible differential. As this impossible differential has probability zero, keys showing such behavior cannot be the master key we are looking for and are thus removed from the space of candidate keys. In the following, we describe the current techniques for both the distinguisher and the key-recovery step. We start with the first one.

3.1. Finding impossible differentials

The most popular technique for finding an impossible differential distinguisher of maximal length is the miss-in-the-middle technique, first introduced in Biham et al. (1999a,b) for the cryptanalysis of round-reduced versions of SKIPJACK, IDEA and KHUFU. The idea of this technique consists of propagating with probability one a difference D_X for r_f rounds in the forward direction and a difference D_Y for r_b rounds in the backward direction, and searching for a contradictory event in the middle. If this is the case, we conclude that the differential (D_X, D_Y) has probability zero for the analyzed r_f + r_b rounds. For word-oriented ciphers, the easiest way to detect a contradictory event in the middle is by using truncated differentials. In this case, the contradictory event is often that some word of the state is active with probability one in one direction, but inactive, also with probability one, in the other direction. Note, however, that the contradiction does not need to happen on a whole word, but could be of any nature and only affect one bit or a few bits, for example.

An example of the application of the miss-in-the-middle technique for four rounds of AES is shown in Figure 3.1. Active bytes are shown with a dot, inactive bytes are empty and the number 3 in a column indicates that, due to the branch number of the MixColumns (MC) operation, at least three out of the four bytes of this column must be active. In this example, the contradiction occurs on the leftmost column of the state, after propagating r_f = 1 round in the forward direction and r_b = 3 rounds in the backward direction. Indeed, in the forward propagation, all bytes of the column are inactive, while in the other direction, the same bytes are all active.

Finding impossible differentials with the meet-in-the-middle approach is usually done by using some automated method or tool. The first method to be largely applied was the so-called U-method introduced in Kim et al. (2003). Other methods appeared later, for example, the UID-method (Luo et al. 2009, 2014) and an extension of it (Wu and Wang 2012), which made it possible to detect more complex contradictions in the middle.


Figure 3.1. Impossible differential for four rounds of AES

In 2017, Sasaki and Todo (2017) proposed a different approach for searching for impossible differential distinguishers. Their idea was to use a mixed-integer linear programming (MILP)-based tool to search for contradictions. The use of their tool has two major advantages. First, the attacker does not have to predict the contradiction mechanism in advance. This led in particular to the discovery of new types of contradictions for some ciphers (e.g. MIDORI-128) that would be difficult to discover by hand or with some of the previous tools. Second, this tool makes it possible, for some dimensions, to take the details of the S-box and the linear layer into account and to search for sharp contradictions at the bit level.

3.2. Key recovery

In this section, we describe techniques for the key-recovery part of an impossible differential attack. For this, we introduce notations that will allow us to accurately describe the basic attack and its refinements. In all this part, we closely follow the formalism and theory introduced in Boura et al. (2014, 2018).

As discussed before, the key-recovery part starts once a convenient impossible differential D_X → D_Y, covering r_Δ rounds, has been discovered. This differential is extended r_in rounds backwards to obtain a difference that we will denote by D_in and r_out rounds forwards to obtain a difference called D_out. The log2 of the size of a set D will be denoted by Δ. This scenario is depicted in Figure 3.2.

A first important quantity for the success of an impossible differential attack is the number of bit-conditions that must be satisfied during the first and the last appended rounds. For this, we denote by c_in (respectively, c_out) the number of bit-conditions to be satisfied in order to get D_X from D_in (respectively, D_Y from D_out). The probabilities corresponding to these events are 2^{−c_in} and 2^{−c_out}. Another


important quantity is the total number of key bits that intervene in the r_in + r_out appended rounds, called the information key bits of the attack. To estimate this number, one starts by determining all the subkey bits that are involved in the attack. Let k_in be the subset of subkey bits involved in the attack during the first r_in rounds, and k_out during the last r_out rounds. However, some of these subkey bits can be related to each other. For example, two different subkey bits can actually be the same bit of the master key. Alternatively, a bit in the set can be some combination of, or can be easily determined by, some other bits of the set. The way the different key bits in the target set are related is determined by the key schedule. What we call the information key bits, denoted by |k_in ∪ k_out|, is the log of the entropy of the involved key bits.

Figure 3.2. Basic impossible differential attack. For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

3.2.1. Data, time and memory complexities

From now on, we suppose that we are attacking a block cipher of block size n parameterized by a key K of size |K|. The goal is, for each given pair of inputs (and their corresponding outputs), to discard the keys that generate a difference D_X at the beginning of round (r_in + 1) and at the same time a difference D_Y at the output of round (r_in + r_Δ). We then need enough pairs so that the number of non-discarded keys is significantly lower than the a priori total number of key candidates. To decide on the efficiency of an attack, different parameters have to be accurately estimated. We start by discussing the number of needed plaintext (or ciphertext) pairs, corresponding to the memory complexity of the attack.


3.2.1.1. Number of pairs required for an attack

The probability that for a given key, a pair of inputs already satisfying the differences D_in and D_out satisfies all the (c_in + c_out) bit-conditions is 2^{−(c_in + c_out)}. In other words, this is the probability that for a correct pair of inputs a key is discarded from the set of candidate keys. Therefore, by repeating the procedure with N different input (or output) pairs, the probability that a trial key is not discarded is P = (1 − 2^{−(c_in + c_out)})^N. A popular strategy for the first impossible differential attacks was to choose N such that only the right key is left after the sieving procedure. This amounts to choosing P as P = (1 − 2^{−(c_in + c_out)})^N
$2^{-n}$, which is the same as in the basic boomerang attack. Another refinement on the boomerang attack is to give a tighter estimation of the probability by considering multiple intermediate differences in the middle (Wagner 1999; Biham et al. 2001). It was observed that instead of requiring specific α2 and β3 as shown in Figure 6.1(a), we can count on all possible α2 and β3 values for which Pr(α1 → α2) and Pr(β3 → β4) are not zero. Thus, the probability of obtaining a right boomerang quartet is

$$\sum_{\alpha_2} \Pr[\alpha_1 \to \alpha_2]^2 \;\sum_{\beta_3} \Pr[\beta_3 \to \beta_4]^2 .$$

Let

$$\hat{p} = \sqrt{\sum_{\alpha_2} \Pr[\alpha_1 \to \alpha_2]^2}, \qquad \hat{q} = \sqrt{\sum_{\beta_3} \Pr[\beta_3 \to \beta_4]^2}.$$

The probability of the boomerang can be rewritten as $\hat{p}^2 \hat{q}^2$. Moreover, the intermediate differences on opposite faces can be different. Specifically, on one face the difference α1 causes some difference α2 at the end of E0, while on the opposite face α1 propagates to α2' through E0, where α2 and α2' can be different. It is the same case for the input difference of E1. This way, the probability of the boomerang is

$$\sum_{\alpha_2,\alpha_2'} \Pr[\alpha_1 \to \alpha_2]\,\Pr[\alpha_1 \to \alpha_2'] \;\sum_{\beta_3} \Pr[\beta_3 \to \beta_4]\,\Pr[\beta_3 \oplus \alpha_2 \oplus \alpha_2' \to \beta_4].$$

The above formula counts the probabilities with all possible intermediate differences. However, it is very difficult to do the exact calculation. A common practice is to count as many intermediate differences as possible. When incorporating the above refinement into the amplified boomerang attack, we obtain the rectangle attack (Biham et al. 2001), a chosen-plaintext variant of the boomerang attack that considers multiple possible differences in the middle.

6.3. Tricks and failures

Interestingly, it has been pointed out (Biham et al. 2005; Biryukov and Khovratovich 2009; Murphy 2011) that there is no a priori reason for the probabilistic argument concerning the boomerang attack, and therefore for the related amplified boomerang and rectangle attacks, to be correct. Indeed, the computation of the probabilities above can be inaccurate in certain cases. In some cases, the probability of the boomerang can be improved by using “tricks”, while in other cases the boomerang will not come back at all. In what follows, we demonstrate such phenomena with examples.

Ladder switch: instead of decomposing a cipher into rounds by default, the ladder switch decomposes the cipher with regard to smaller operations, like operations on columns or words, which may lead to better distinguishers. That is, the boundary between E0 and E1 does not need to be defined on a full state. The computation of some words of the state can be in E0 and the computation of the other words can be in E1. Suppose that half of the state is active only in E0 and the other half is active only in E1. Then, by regarding the former as a part of E1 and the latter as a part of E0, the probability on all the active S-boxes becomes 1. This technique is called the ladder switch.


EXAMPLE 6.2.– Figure 6.2 shows an example of the ladder switch. We define a toy SPN cipher that operates on four cells and iterates a round function consisting of an S-box layer and a linear layer borrowed from SKINNY (Beierle et al. 2016). As the key addition plays no essential role in the analysis, it is omitted from the figure for the sake of simplicity. Consider an encryption E with two rounds where the linear layer of the second round is omitted. Let E0 cover the first round and E1 the second S-box layer, as displayed in Figure 6.2 (left), which also presents two differentials with colored cells. Since the probabilities p and q of the two differentials are less than 1, the probability p²q² of the boomerang is less than 1 as well. Suppose the same differentials are used but we change the decomposition into the one depicted in Figure 6.2 (right). As can be seen, there is no active S-box in either E0 or E1. In this way, the probability of the boomerang is 1, which is confirmed by experiments. This example shows that the real probability of the boomerang can be much larger than the probability suggested by p²q².

Figure 6.2. Decompose the cipher into rounds (left), and decompose the cipher into words (right). For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

S-box switch: the S-box switch refers to the case when both differential characteristics activate the same S-box with identical input and output differences; the probability of this S-box then counts only once for the boomerang. See Figure 6.3(a) for an example. Suppose on one face α0 → α1 through the active S-box in E0 and the output pair of this S-box is (x, x ⊕ α1). Then on the opposite face this pair is shifted to (x ⊕ α1, x) when α1 = β1, and it propagates back with difference α0 for free.

Figure 6.3. S-box and Feistel switches: (a) S-box switch; (b) Feistel switch. For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

However, when α1 ≠ β1, there are cases where the boomerang fails for this S-box. Suppose the S-box layer is made of four parallel 4-bit S-boxes, which are borrowed from SKINNY and presented in Table 6.1. For example, if α0 = 1, α1 = 8 and β1 = 1, a search through all 2⁴ possible inputs to the S-box shows that no right quartet can be obtained for this S-box.

   x   | 0 1 2 3 4 5 6 7 8 9 a b c d e f
  S[x] | c 6 9 0 1 a 2 b 3 8 5 d 4 e 7 f

Table 6.1. SKINNY's 4-bit S-box

Fe­istel switch: the Feistel switch stands for a free middle round in the boomerang for a Feistel cipher with an arbitrary round function. We take a balanced Feistel with two branches as an example, shown in Figure 6.3(b), although this applies to other variants of Feistel ciphers. The core observation is that when α1 = β1 (see Figure 6.3(b)), the round function in E0 will be passed for free. Let us explain this in detail. Suppose (X, Y) and (X ⊕ α0, Y ⊕ α1) are the chosen pair of plaintexts. Suppose the boomerang comes back with difference (β1, β2) at the input of the second round. Then the newly generated pair of plaintexts will be

$$\bigl(X \oplus F^i_K(Y) \oplus \beta_2 \oplus F^i_K(Y \oplus \beta_1),\; Y \oplus \beta_1\bigr)$$

and

$$\bigl(X \oplus \alpha_0 \oplus F^i_K(Y \oplus \alpha_1) \oplus \beta_2 \oplus F^i_K(Y \oplus \alpha_1 \oplus \beta_1),\; Y \oplus \alpha_1 \oplus \beta_1\bigr),$$

and the difference is

$$\bigl(F^i_K(Y) \oplus F^i_K(Y \oplus \beta_1) \oplus F^i_K(Y \oplus \alpha_1) \oplus F^i_K(Y \oplus \alpha_1 \oplus \beta_1) \oplus \alpha_0,\; \alpha_1\bigr).$$

It is clear now that if α1 = β1 , the difference of this pair is (α0 , α1 ), which means the boomerang comes back for free for this round.


However, when α1 ≠ β1, the boomerang may fail for this round function. For simplicity, let us assume that the round function is just a 4-bit S-box of SKINNY. We can verify through a simple search that no solution for Y can be found such that

$$F^i_K(Y) \oplus F^i_K(Y \oplus \beta_1) \oplus F^i_K(Y \oplus \alpha_1) \oplus F^i_K(Y \oplus \alpha_1 \oplus \beta_1) = 0$$

when α1 = 2 but β1 = 1.

Indeed, the actual probability of the boomerang may significantly differ from the probability suggested by the formula p²q² or $\hat{p}^2\hat{q}^2$. These formulas implicitly require that the two differentials on different faces are independent. However, this is not the case. At the connecting point of the two differentials (see Figure 6.1(a)), two pairs (X1, X2) and (X3, X4) form a quartet where the latter is shifted by β3 from the former. Note that in the basic boomerang attack β3 is a constant. These two pairs are, at the least, dependent, implying that dependency exists in at least one round. In the next section, we will formalize the dependency of the two differentials in the boomerang attack.

6.4. Formalize the dependency

To give an accurate estimation of the probability that a boomerang comes back, we have to handle the dependency and understand the issues presented in the previous section in a better way. In the literature, several efforts have been made to this end.

Sandwich attack: the first effort is the introduction of the sandwich attack (Dunkelman et al. 2010, 2014), as depicted in Figure 6.1(b). It regards the block cipher E as E1 ∘ Em ∘ E0, where Em involves dependency and contains a relatively small number of operations. If the probability of generating a right quartet for Em is r, then the probability of the whole boomerang is

$$\Pr\bigl[E^{-1}(E(P_1) \oplus \beta_4) \oplus E^{-1}(E(P_1 \oplus \alpha_1) \oplus \beta_4) = \alpha_1\bigr] = p^2 q^2 r,$$

where p (respectively, q) is the probability of the differential of E0 (respectively, E1). Let (X1, X2, X3, X4) and (Y1, Y2, Y3, Y4) be input and output quartet values for Em, where Yi = Em(Xi). The differential for E0 specifies the input difference α2 to Em, namely X1 ⊕ X2 = X3 ⊕ X4 = α2, and E1 specifies the output difference β3 of Em, namely Y1 ⊕ Y3 = Y2 ⊕ Y4 = β3. Then, r is formally defined as

$$r = \Pr\bigl[(X_3 \oplus X_4) = \alpha_2 \mid (X_1 \oplus X_2 = \alpha_2) \wedge (Y_1 \oplus Y_3 = \beta_3) \wedge (Y_2 \oplus Y_4 = \beta_3)\bigr],$$

or equivalently

$$r = 2^{-n} \cdot \#\{X \in \mathbb{F}_2^n \mid E_m^{-1}(E_m(X) \oplus \beta_3) \oplus E_m^{-1}(E_m(X \oplus \alpha_2) \oplus \beta_3) = \alpha_2\}.$$

However, evaluating r directly as above is difficult, as it has to traverse $2^n$ values for X, where n is usually 64 or 128. To calculate r, two tools, for SPN ciphers and Feistel ciphers respectively, have been proposed, namely the boomerang connectivity table (BCT) (Cid et al. 2018) and the Feistel boomerang connectivity table (FBCT) (Boukerrou et al. 2020).

BCT: suppose E is an SPN cipher. If Em is composed of a single S-box layer with b-bit parallel S-boxes, r can be computed by looking up the BCT for each S-box, that is,

$$r = 2^{-n} \prod_{i=1}^{n/b} \mathrm{BCT}_i,$$

where the BCT for an S-box $S : \mathbb{F}_2^b \to \mathbb{F}_2^b$ is defined as follows:

$$\mathrm{BCT}(\alpha, \beta) = \#\{x \in \mathbb{F}_2^b : S^{-1}(S(x) \oplus \beta) \oplus S^{-1}(S(x \oplus \alpha) \oplus \beta) = \alpha\},$$

where $\alpha, \beta \in \mathbb{F}_2^b$. When Em is composed of a round defined by a linear layer, an S-box layer and a key addition, r can be computed similarly. As the size b of the S-box is small, like 4 or 8, it is easy to pre-compute such tables. Figure 6.4(a) shows the BCT of SKINNY's 4-bit S-box. Now, the phenomena presented in the previous section can be unified with the BCT.

– Incompatibility: (α, β) is incompatible when its entry in the BCT is 0.

– Ladder switch: it corresponds to the first row and the first column of the BCT, in which one of the input or output differences is zero while the other is non-zero. As suggested by Figure 6.4(a), in these cases r = 1.

– S-box switch: it corresponds to the claim that a DDT entry with a non-zero value v implies that the corresponding BCT entry is at least v. The BCT also shows that a BCT entry can in fact be much larger than the corresponding DDT entry; for example, BCT(1, 2) = 16 while DDT(1, 2) = 0 for SKINNY's 4-bit S-box.

FBCT: suppose that E is a Feistel cipher and that Em covers one round where the round function $F : \mathbb{F}_2^t \to \mathbb{F}_2^t$ is defined by a round key addition, an S-box layer and a linear layer. As described in the previous section, when the boomerang comes back for such an Em, the input X to F should satisfy the following condition:

$$F(X) \oplus F(X \oplus \beta) \oplus F(X \oplus \alpha) \oplus F(X \oplus \alpha \oplus \beta) = 0,$$

where $\alpha, \beta \in \mathbb{F}_2^t$ are given and suggested by the differentials of E0 and E1. That is,

$$r = 2^{-t} \cdot \#\{X \in \mathbb{F}_2^t \mid F(X) \oplus F(X \oplus \beta) \oplus F(X \oplus \alpha) \oplus F(X \oplus \alpha \oplus \beta) = 0\}.$$


As the linear layer of F plays no essential role in the analysis, for simplicity Em can be treated as an S-box layer made by the concatenation of b-bit S-boxes. In addition, the inverse of F is never used, so the S-boxes can be either bijective or not. Let $S : \mathbb{F}_2^b \to \mathbb{F}_2^w$ with possibly b ≠ w. For each S-box, the Feistel boomerang connectivity table is defined as

$$\mathrm{FBCT}(\alpha, \beta) = \#\{x \in \mathbb{F}_2^b \mid S(x) \oplus S(x \oplus \alpha) \oplus S(x \oplus \beta) \oplus S(x \oplus \alpha \oplus \beta) = 0\},$$

where $\alpha \in \mathbb{F}_2^b$ and $\beta \in \mathbb{F}_2^w$. Once the table is built, the probability r for a one-round Feistel cipher is simply the product of the corresponding entries of the FBCT divided by $2^n$.

(a) BCT (rows indexed by β, columns by α, so the entry in row 2, column 1 is BCT(1, 2) = 16)

β\α   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0   16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16
 1   16  0  8  0  0  0  2  2  4  4  4  4  0  0  2  2
 2   16 16  0  0  8  8  0  0  0  0  0  0  8  8  0  0
 3   16  0  8  0  0  0  2  2  4  4  4  4  0  0  2  2
 4   16  0  8  0  0  0  2  2  4  4  4  4  0  0  2  2
 5   16  0 16  0  0  0  0  0  8  8  8  8  0  0  0  0
 6   16  0  8  0  2  2  0  0  4  4  4  4  2  2  0  0
 7   16  0  0  0  2  2  2  2  0  0  0  0  2  2  2  2
 8   16  8  0  2  4  4  2  0  0  0  2  0  4  4  0  2
 9   16  8  0  2  4  4  0  2  0  0  2  0  4  4  2  0
 a   16  8  0  2  4  4  2  0  0  0  2  0  4  4  0  2
 b   16  8  0  2  4  4  0  2  0  0  2  0  4  4  2  0
 c   16  0  0  2  2  2  0  2  2  2  0  2  0  0  0  2
 d   16  0  0  2  2  2  2  0  2  2  0  2  0  0  2  0
 e   16  0  0  2  0  0  2  0  2  2  0  2  2  2  2  0
 f   16  0  0  2  0  0  0  2  2  2  0  2  2  2  0  2

(b) FBCT (rows indexed by β, columns by α; the table is symmetric)

β\α   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0   16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16
 1   16 16  0  0  8  8  0  0  0  0  0  0  8  8  0  0
 2   16  0 16  0  0  0  0  0  8  8  8  8  0  0  0  0
 3   16  0  0 16  0  0  0  0  0  0  0  0  0  0  0  0
 4   16  8  0  0 16  8  0  0  0  0  0  0  0  0  0  0
 5   16  8  0  0  8 16  0  0  0  0  0  0  0  0  0  0
 6   16  0  0  0  0  0 16  0  0  0  0  0  0  0  0  0
 7   16  0  0  0  0  0  0 16  0  0  0  0  0  0  0  0
 8   16  0  8  0  0  0  0  0 16  0  8  0  0  0  0  0
 9   16  0  8  0  0  0  0  0  0 16  0  8  0  0  0  0
 a   16  0  8  0  0  0  0  0  8  0 16  0  0  0  0  0
 b   16  0  8  0  0  0  0  0  0  8  0 16  0  0  0  0
 c   16  8  0  0  0  0  0  0  0  0  0  0 16  8  0  0
 d   16  8  0  0  0  0  0  0  0  0  0  0  8 16  0  0
 e   16  0  0  0  0  0  0  0  0  0  0  0  0  0 16  0
 f   16  0  0  0  0  0  0  0  0  0  0  0  0  0  0 16

Figure 6.4. BCT and FBCT of SKINNY's 4-bit S-box
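The following is an added example, not code from the book: it computes the DDT, BCT and FBCT of SKINNY's 4-bit S-box (Table 6.1) directly from the definitions given above, checks the cases discussed in section 6.3 (the failing S-box switch with α0 = 1, β1 = 1, the ladder-switch row and column, the Feistel-switch diagonal, the failing Feistel case α1 = 2, β1 = 1, and BCT(1, 2) = 16 against DDT(1, 2) = 0), and composes BCT and DDT entries for the two-round Em of Figure 6.3(a). The function and variable names are the example's own.

```python
# Added example: connectivity tables of SKINNY's 4-bit S-box from their definitions.
# Not from the book; names are the example's own.

SBOX = [0xc, 0x6, 0x9, 0x0, 0x1, 0xa, 0x2, 0xb,
        0x3, 0x8, 0x5, 0xd, 0x4, 0xe, 0x7, 0xf]     # Table 6.1
SBOX_INV = [SBOX.index(v) for v in range(16)]


def ddt(sbox):
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def bct(sbox):
    """BCT[a][b] = #{x : S^-1(S(x) ^ b) ^ S^-1(S(x ^ a) ^ b) = a}  (Cid et al. 2018).
    Requires a bijective S-box, since S^-1 is used."""
    n = len(sbox)
    inv = [sbox.index(v) for v in range(n)]
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            t[a][b] = sum(1 for x in range(n)
                          if inv[sbox[x] ^ b] ^ inv[sbox[x ^ a] ^ b] == a)
    return t


def fbct(sbox):
    """FBCT[a][b] = #{x : S(x) ^ S(x^a) ^ S(x^b) ^ S(x^a^b) = 0}  (Boukerrou et al. 2020).
    S^-1 is never needed, so any S-box (bijective or not) works."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            t[a][b] = sum(1 for x in range(n)
                          if sbox[x] ^ sbox[x ^ a] ^ sbox[x ^ b] ^ sbox[x ^ a ^ b] == 0)
    return t


def two_round_r(a0, b2, sbox):
    """r for a two-round E_m made of one S-box on the E0 side (input difference a0)
    followed by one S-box on the E1 side (output difference b2), as in Figure 6.3(a):
    the intermediate difference b1 is not fixed, so it is summed over,
    r = 2^-2b * sum_b1 BCT(a0, b1) * DDT(b1, b2)."""
    n = len(sbox)                      # n = 2^b
    B, D = bct(sbox), ddt(sbox)
    return sum(B[a0][b1] * D[b1][b2] for b1 in range(n)) / n ** 2


def skinny_checks():
    """Reproduce the observations of sections 6.3 and 6.4 for SKINNY's S-box."""
    D, B, F = ddt(SBOX), bct(SBOX), fbct(SBOX)
    return {
        "sbox_switch_fails": B[1][1],                     # alpha0 = 1, beta1 = 1: 0 quartets
        "bct_vs_ddt_1_2": (B[1][2], D[1][2]),             # 16 versus 0
        "ladder_switch": all(B[0][b] == 16 and B[a][0] == 16
                             for a in range(16) for b in range(16)),
        "bct_at_least_ddt": all(B[a][b] >= D[a][b]
                                for a in range(16) for b in range(16)),
        "feistel_switch": all(F[a][a] == 16 for a in range(16)),
        "feistel_fails_2_1": F[2][1],                     # alpha1 = 2, beta1 = 1: no Y
        "inactive_sbox_r": two_round_r(1, 0, SBOX),       # beta2 = 0: r = 1
    }


if __name__ == "__main__":
    for name, value in skinny_checks().items():
        print(f"{name}: {value}")
```

The orientation of the printed tables matters when reading Figure 6.4 against these functions: here `bct(SBOX)[a][b]` is BCT(α = a, β = b), so `bct(SBOX)[1][2]` is the entry the text quotes as BCT(1, 2) = 16.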

Figure 6.4(b) presents the FBCT of SKINNY's 4-bit S-box. A remarkable property of the FBCT is that the diagonal entries are all $2^b$, which correspond to the Feistel switch. Similar to the BCT, zero entries correspond to incompatibility, which leads to failures of the boomerang attack. It also shows that the boomerang may come back even if the two differences to the S-box are not equal.

Compute r for generic Em. We have already seen the calculation of r for a one-round Em (either for SPN ciphers or for Feistel ciphers). When Em contains multiple rounds, how can we calculate r? When Em is of one round, the differences α and β, suggested by the differentials of E0 and E1 respectively, are fixed. When Em contains multiple rounds, however, the differences in the middle are not fixed and should take all possible values. By traversing all possible intermediate differences, the calculation of r for a one-round Em can be extended to the generic case where Em has multiple rounds. Let us do a calculation for the simple example shown in Figure 6.3(a). Suppose Em contains the two rounds with α0 and β2 suggested by the differentials of its outer parts. Then

$$r = 2^{-2b} \sum_{\beta_1} \mathrm{BCT}(\alpha_0, \beta_1)\,\mathrm{DDT}(\beta_1, \beta_2),$$

where b is the size of the S-box. Calculations of r for the Em of real block ciphers can be found in Song et al. (2019) and Boukerrou et al. (2020).

Then how many rounds should Em contain? To obtain an accurate estimation of the probability of a boomerang, we have to determine the exact length of Em, that is, the number of middle rounds for which there exists a dependency between the differential of E0 and the differential of E1. Once this is done, we calculate r and apply the formula p²q²r introduced with the sandwich attack. In this way, the probability suggested by p²q²r would give a good estimate for the boomerang under the assumption of random subkeys. In order to determine the length of Em, we could initialize Em with a middle round. Then additional rounds are added to Em as long as the probability of the newly added round is higher than the probability that would have been obtained if there were no dependencies. In essence, the upper boundary of Em is delineated by the round where the differences extended from the differential of E1 are distributed (almost) uniformly. Also, the lower boundary of Em is marked by the round where the differences extended from the differential of E0 for its active S-boxes are distributed (almost) uniformly. Due to this, the length of Em heavily depends on the diffusion properties of the cipher. For a more detailed algorithm for determining the length of Em, please refer to Song et al. (2019). Note that, even though the BCT and FBCT help to give formulas for the boomerang probability r for the middle part Em where dependencies exist, calculating r may be impractical, as there might be too many intermediate differences that should be taken into consideration. It is therefore good practice in cryptanalysis to back up theoretical complexity statements by implementation results whenever possible.

6.5. References

Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M. (2016). The SKINNY family of block ciphers and its low-latency variant MANTIS. In CRYPTO 2016, Part II, vol. 9815 of Lecture Notes in Computer Science, Robshaw, M., Katz, J. (eds). Springer.

Biham, E., Dunkelman, O., Keller, N. (2001). The rectangle attack – Rectangling the Serpent. In EUROCRYPT 2001, vol. 2045 of Lecture Notes in Computer Science, Pfitzmann, B. (ed.). Springer.

Biham, E., Dunkelman, O., Keller, N. (2005). Related-key boomerang and rectangle attacks. In EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, Cramer, R. (ed.). Springer.

Biryukov, A. and Khovratovich, D. (2009). Related-key cryptanalysis of the full AES-192 and AES-256. In ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, Matsui, M. (ed.). Springer.

Boukerrou, H., Huynh, P., Lallemand, V., Mandal, B., Minier, M. (2020). On the Feistel counterpart of the boomerang connectivity table: Introduction and analysis of the FBCT. IACR Trans. Symmetric Cryptol., 2020(1), 331–362.

Cid, C., Huang, T., Peyrin, T., Sasaki, Y., Song, L. (2018). Boomerang connectivity table: A new cryptanalysis tool. In EUROCRYPT 2018, Part II, vol. 10821 of Lecture Notes in Computer Science, Nielsen, J.B., Rijmen, V. (eds). Springer.

Dunkelman, O., Keller, N., Shamir, A. (2010). A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In CRYPTO 2010, vol. 6223 of Lecture Notes in Computer Science, Rabin, T. (ed.). Springer.

Dunkelman, O., Keller, N., Shamir, A. (2014). A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptology, 27(4), 824–849.

Kelsey, J., Kohno, T., Schneier, B. (2000). Amplified boomerang attacks against reduced-round MARS and Serpent. In FSE 2000, vol. 1978 of Lecture Notes in Computer Science, Schneier, B. (ed.). Springer.

Murphy, S. (2011). The return of the cryptographic boomerang. IEEE Trans. Information Theory, 57(4), 2517–2521.

Song, L., Qin, X., Hu, L. (2019). Boomerang connectivity table revisited. Application to SKINNY and AES. IACR Trans. Symmetric Cryptol., 2019(1), 118–141.

Vaudenay, S. (1998). Provable security for block ciphers by decorrelation. In STACS 98, vol. 1373 of Lecture Notes in Computer Science, Morvan, M., Meinel, C., Krob, D. (eds). Springer.

Wagner, D.A. (1999). The boomerang attack. In FSE ’99, vol. 1636 of Lecture Notes in Computer Science, Knudsen, L.R. (ed.). Springer.

7

Meet-in-the-Middle Cryptanalysis

Brice MINAUD^{1,2}

1 Inria, Paris, France
2 École Normale Supérieure, CNRS, PSL, Paris, France

7.1. Introduction

Meet-in-the-middle attacks are one of the oldest symmetric cryptanalysis techniques, dating back to the cryptanalysis of 2DES (Diffie and Hellman 1977). Since then, meet-in-the-middle attacks have remained a staple of symmetric cryptanalysis. Over the years, their study has split into two main branches: “standard” meet-in-the-middle attacks and Demirci-Selçuk attacks, a particularly advanced form of meet-in-the-middle attack. These two branches are the topic of this chapter and the next chapter, respectively. Both types of meet-in-the-middle attacks are active avenues of research. Today, new block cipher and hash function designs are expected to argue resistance against those attacks as a matter of course. Meet-in-the-middle attacks yield some of the best attacks (in the sense of breaking the highest number of rounds) against a wide variety of block ciphers and hash functions: among many others, they have been used to break the preimage resistance of full MD4 (Leurent 2008) and MD5 (Sasaki and Aoki 2009), provide the current best preimage attacks against WHIRLPOOL and GRØSTL, and the best key-recovery attacks against some versions of SKINNY (Dong et al. 2021). As will be discussed in the next chapter, the Demirci-Selçuk variant also represents the state of the art in AES cryptanalysis. In a different direction, meet-in-the-middle attacks can be used for the structural cryptanalysis of certain Even-Mansour and Feistel schemes, regardless of the instantiation of the round functions (e.g. Dinur et al. 2014). On the other hand, meet-in-the-middle attacks are typically less effective against permutation-based cryptography and stream ciphers.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.

Another notable feature of meet-in-the-middle attacks is that they usually require a low amount of data, often just a handful of known plaintext/ciphertext pairs. For many block ciphers, they are the most efficient attack in low-data settings. The more basic forms of these attacks can also be made memoryless, and even parallelizable (section 7.2.3). As a result, meet-in-the-middle attacks include some of the most practically applicable attacks within symmetric cryptanalysis, both in terms of data requirements and in terms of efficiency. For example, a simple memoryless variant of the 2DES attack mentioned earlier would incur a little over $2^{56}$ DES encryptions, with no hidden cost, using only two known plaintext/ciphertext pairs, making it not only a certificational break, but a devastating attack in practice.

7.2. Basic meet-in-the-middle framework

This section introduces meet-in-the-middle attacks. Section 7.2.1 starts with a summary of the original 2DES attack, which illustrates the core idea. Section 7.2.2 then extrapolates a basic framework for meet-in-the-middle attacks.

7.2.1. The 2DES attack

The data encryption standard (DES) uses a 56-bit key. A simple way of extending the key length is to compose two instances of DES, using two distinct keys K1 and K2. The resulting cipher $\mathrm{DES}_{K_2} \circ \mathrm{DES}_{K_1}$ has an effective key length of 112 bits, in the hope that it achieves 112 bits of security. Diffie and Hellman's classic attack shows that this is not the case (Diffie and Hellman 1977). Consider an attacker having access to a single known plaintext/ciphertext pair (P, C).
Since $C = \mathrm{DES}_{K_2}(\mathrm{DES}_{K_1}(P))$, it holds that

$$\mathrm{DES}_{K_1}(P) = \mathrm{DES}^{-1}_{K_2}(C). \qquad [7.1]$$

Taking advantage of that equality, the attacker computes $\mathrm{DES}_{K_1}(P)$ for all K1, stores the results in a table, then computes $\mathrm{DES}^{-1}_{K_2}(C)$ for all K2, looking for a match in the table. Each match yields a candidate key (K1, K2). Using one additional plaintext/ciphertext pair (P′, C′), the attacker can validate whether each candidate key is the correct key, by checking whether $\mathrm{DES}_{K_2}(\mathrm{DES}_{K_1}(P')) = C'$. The end result is that the correct key will be recovered in roughly $2^{56}$ operations: despite its 112-bit key, 2DES achieves only 56 bits of security.


7.2.2. Algorithmic framework

The 2DES attack provides the blueprint for more general meet-in-the-middle cryptanalysis: the idea is to split the cipher into two parts that can be computed with partial knowledge of the key, and to validate partial key guesses by checking for a match in the middle. A framework to that effect is introduced below. While the framework only covers basic meet-in-the-middle attacks, it will serve as a reference point for the enhancements presented in the next section.

Consider a block cipher with a secret key K of length k bits, built by iterating a (key-dependent) round function r times on an inner state. Number the key bits of K from 1 to k, so that the set of indices of the key bits is I = {1, . . . , k}. Let Si denote the inner state after i iterations of the round function. The input of the cipher is equal to S0, and its output is equal to Sr. Fix some middle state m ∈ {1, . . . , r − 1}. The state Sm can be computed forward from S0 by iterating the round function m times. Conversely, Sm can be computed backward from Sr by iterating the inverse round function r − m times. Suppose that the forward (respectively, backward) computation can be carried out by knowing a strict subset of the key bits If ⊂ I (respectively, Ib ⊂ I). Let I∩ = If ∩ Ib denote the key bits that are common to both computations. Then a meet-in-the-middle attack can be mounted as follows. (In the algorithm below, an element of {0, 1}^X for some set X is viewed in the usual way as a subset of X × {0, 1}, so that combining partial key guesses can be denoted simply by a set union.) If the set S of key candidates contains more than one key, one or more additional known plaintext/ciphertext pairs can be used to find the correct key among the candidates. The crucial point is that the correct key is guaranteed to be among the candidates.

The algorithm is presented in the setting of block ciphers. It also applies to preimage attacks on hash functions built using certain modes of operation, including (but not limited to) Davies-Meyer (Sasaki 2011). In that context, the input message plays the role of the key, and the target image plays the role of the known ciphertext. This technique was developed especially by Aoki and Sasaki in a series of works, which are at the origin of many of the improvements discussed in the next section. The approach can also be extended to collision attacks (e.g. Li et al. 2012; Dong et al. 2021).

REMARK 7.1.– It is sometimes helpful to guess bits of an equivalent representation of the key, rather than bits of the original key. As a simple example, if two bits a and b only occur in tandem as a + b, then guessing a + b is cheaper than guessing both a and b. For ease of exposition, this chapter focuses on subsets of bits of the original key.


Algorithm 7.1. Basic meet-in-the-middle algorithm

Let S = ∅                                            ▷ Set of key candidates
for all K∩ ∈ {0, 1}^{I∩} do                          ▷ Guess the common part of the key
    Initialize a hash table T : T[x] = ∅ for all x.
    for all K′f ∈ {0, 1}^{If \ I∩} do                ▷ Guess the remaining part of Kf
        Kf ← K∩ ∪ K′f ∈ {0, 1}^{If}
        Compute Sm forward from S0 using Kf.
        Add Kf to T[Sm].
    end for
    for all K′b ∈ {0, 1}^{Ib \ I∩} do                ▷ Guess the remaining part of Kb
        Kb ← K∩ ∪ K′b ∈ {0, 1}^{Ib}
        Compute Sm backward from Sr using Kb.
        for all Kf ∈ T[Sm] do                        ▷ Skip if T[Sm] = ∅
            Add Kf ∪ Kb ∈ {0, 1}^I to S.             ▷ Add key candidate
        end for
    end for
end for
return S
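Algorithm 7.1 run against a constructed toy cipher, as an added example that is not code from the book. The toy cipher is an assumption of the example: a 16-bit block, three rounds of key addition, SKINNY's 4-bit S-box on each nibble and a rotation, with a 24-bit key K = (k0, k1, k2) of three 8-bit words; round 1 uses k0, round 2 uses k1 and round 3 uses k0 ⊕ k2. With the middle state at m = 2, the forward computation needs If = {k0, k1}, the backward one Ib = {k0, k2}, and I∩ = {k0}, so the words play the role of the index subsets in the algorithm. Guessing K∩ in the outer loop keeps the table at $2^{|I_f| - |I_\cap|} = 2^8$ entries; candidates are tested against extra pairs immediately rather than stored, as section 7.2.3 recommends. The function and variable names are the example's own.

```python
# Added example: Algorithm 7.1 on a constructed 3-round, 16-bit toy cipher.
# Not from the book; the cipher, key schedule and all names are assumptions.

SBOX = [0xc, 0x6, 0x9, 0x0, 0x1, 0xa, 0x2, 0xb,
        0x3, 0x8, 0x5, 0xd, 0x4, 0xe, 0x7, 0xf]      # SKINNY's 4-bit S-box (Table 6.1)
SBOX_INV = [SBOX.index(v) for v in range(16)]


def sbox_layer(s, table):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit state."""
    return sum(table[(s >> (4 * i)) & 0xf] << (4 * i) for i in range(4))


def rotl16(s, n):
    return ((s << n) | (s >> (16 - n))) & 0xffff


def toy_round(s, rk):
    return rotl16(sbox_layer(s ^ rk, SBOX), 5)


def toy_round_inv(s, rk):
    return sbox_layer(rotl16(s, 11), SBOX_INV) ^ rk


def round_keys(k0, k1, k2):
    """Each 8-bit key word is repeated twice to form a 16-bit round key.
    Round 3 uses k0 ^ k2, so the backward computation also depends on k0."""
    rep = lambda w: (w << 8) | w
    return [rep(k0), rep(k1), rep(k0 ^ k2)]


def encrypt(p, key):
    s = p
    for rk in round_keys(*key):
        s = toy_round(s, rk)
    return s


# Middle state m = 2: S_2 from S_0 needs I_f = {k0, k1}; S_2 from S_3 needs I_b = {k0, k2}.
def forward(p, k0, k1):
    rk = round_keys(k0, k1, 0)
    return toy_round(toy_round(p, rk[0]), rk[1])


def backward(c, k0, k2):
    return toy_round_inv(c, round_keys(k0, 0, k2)[2])


def meet_in_the_middle(p, c, extra_pairs):
    """Algorithm 7.1. Returns (number of middle matches, list of surviving keys).
    The outer loop guesses K_cap = k0, so the table T holds at most 256 entries
    (one per k1) instead of 2^16; each middle match is checked at once against
    the extra known pairs instead of being appended to S."""
    matches, survivors = 0, []
    for k0 in range(256):                          # guess K_cap
        table = {}
        for k1 in range(256):                      # guess K_f minus K_cap, fill T[S_m]
            table.setdefault(forward(p, k0, k1), []).append(k1)
        for k2 in range(256):                      # guess K_b minus K_cap, look up T[S_m]
            for k1 in table.get(backward(c, k0, k2), ()):
                matches += 1
                key = (k0, k1, k2)
                if all(encrypt(p2, key) == c2 for p2, c2 in extra_pairs):
                    survivors.append(key)
    return matches, survivors


KEY = (0x3a, 0xc5, 0x71)                           # constructed secret key
PLAINTEXTS = [0x1234, 0xbeef, 0x0f0f]              # constructed known plaintexts


def demo():
    """Recover KEY from three known pairs: one for the middle match, two for filtering."""
    pairs = [(p, encrypt(p, KEY)) for p in PLAINTEXTS]
    (p, c), extra = pairs[0], pairs[1:]
    return meet_in_the_middle(p, c, extra)


if __name__ == "__main__":
    n, keys = demo()
    print(f"{n} middle matches (about 2^(24-16) expected); surviving keys: "
          f"{[tuple(hex(w) for w in k) for k in keys]}")
```

The run costs about $2^{8} \cdot (2^{8} + 2^{8})$ partial encryptions, i.e. $2^{\max(|I_f|,|I_b|)}$ up to a small constant, against $2^{24}$ for brute force; around $2^{k-b} = 2^{8}$ wrong keys pass the 16-bit equality test in the middle and are eliminated by the two extra pairs.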

7.2.3. Complexity analysis and memory usage

Continuing with the same notation, the time complexity of Algorithm 7.1 can be estimated at $2^{\max(|I_f|,|I_b|)}$ encryption-equivalents for the forward and backward computations, and the memory complexity at $2^{|I_f| - |I_\cap|}$ memory words. It may be observed that guessing the bits of K∩ first does not reduce the time complexity, but it divides the memory size by $2^{|K_\cap|}$. If |Ib| < |If|, then the roles of Ib and If can be swapped in the algorithm, so that memory usage becomes $2^{|I_b| - |I_\cap|}$. If the state size is b bits, then a fraction $2^{-b}$ of key combinations can be heuristically expected to pass the equality test in the middle. This implies that the expected size of the candidate key set is $2^{k-b}$. If $2^{k-b}$ is large, each candidate key could be immediately tested against additional plaintext/ciphertext pairs before being appended to S, to ensure that S contains at most a few keys. In practice, as soon as some additional plaintext/ciphertext pairs are available, the size of S should be viewed as a cost in time complexity, rather than memory: |S| keys will need to be tested against additional plaintext/ciphertext pairs, but they need not be stored. In the end, the time complexity can be estimated at $2^{\max(|I_f|,|I_b|)} + 2^{k-b}$, and the memory complexity at $2^{\min(|I_f|,|I_b|) - |I_\cap|}$. As long as not all key bits need to be guessed for the forward or backward computation (i.e. |If|, |Ib| < |I|), the attack outperforms brute force. An attack of that form on a full cipher is usually enough to constitute a certificational break of the cipher, as security claims rarely put a limit on memory usage.

Nevertheless, it should be noted that the previous estimates neglect the cost of memory accesses. In theory, they hold in a random access machine model, where an arbitrary memory location can be queried in unit time. In practice, if the memory usage of the attack is large, the time complexity estimate of $2^{\max(|I_f|,|I_b|)}$ encryption-equivalents is too optimistic. Going back to the example of the 2DES attack, performing a random access on a table of size $2^{56}$ words (hundreds of petabytes) is many orders of magnitude more expensive than a DES computation. The 2DES attack, as it was sketched in section 7.2.1, is completely impractical.

However, many meet-in-the-middle attacks can be made memoryless. The key insight is that the attack amounts to looking for a collision between the outputs of two functions, with respective inputs Kb and Kf. In the case of 2DES, equation [7.1] makes this fact immediately obvious. Building a table registering the outputs of one function, and looking for a match when computing the other function, is merely one way to find a collision. Any other collision search algorithm also applies. When the input size of the two functions is the same, called the balanced case, Floyd's cycle-finding algorithm (best known within cryptography for its use in Pollard's rho algorithm) yields a collision in essentially the same time complexity as Algorithm 7.1, using only negligible memory.¹ Parallel collision search algorithms also apply. If p parallel processors are available, the time complexity of the attack is divided by p, using only p memory words (van Oorschot and Wiener 1996). If the collision search is unbalanced, memoryless algorithms become more expensive, but may still offer useful trade-offs (Nikolic and Sasaki 2016).

REMARK 7.2.– In a quantum setting, quantum collision search can also be used (Chailloux et al. 2017). Evaluating the benefits of those algorithms requires some care, as they depend on the cost model: see the discussion at the end of section 3.3 in the previously cited work and the references therein.

¹ Floyd's algorithm only yields a single collision. In a meet-in-the-middle attack, each collision yields a candidate key, of which there can be many. To ensure that Floyd's algorithm returns the secret key within a constant number of runs in expectation, it suffices to ensure that the set of candidate keys only contains a few keys with high probability. For that purpose, the generic filter strengthening technique discussed in section 7.3.1.1 can be applied.
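The memoryless, balanced-case variant described above, as an added example that is not code from the book. It assumes a constructed 2DES-like target: two keyed 8-bit rounds $T_{k_2} \circ T_{k_1}$ with independent 8-bit keys, so that f(k1) = T_{k1}(P) and g(k2) = T_{k2}^{-1}(C) have the same input and output size and a collision f(k1) = g(k2) is exactly the middle match of equation [7.1]. To run a cycle-finding algorithm on a single function, the example uses the usual construction (an assumption of the example, not described on the page): F evaluates f or g depending on a side bit of its input, and each run re-randomises the side bit and XORs a fresh constant into the output so that successive runs reach different collisions of the same pair (f, g). Same-side collisions carry no key information and are discarded; cross-side candidates are filtered with extra known pairs, which is the footnote's filter strengthening. All names are the example's own.

```python
# Added example: memoryless meet-in-the-middle on a constructed double encryption,
# using Floyd's cycle finding. Not from the book; the toy round, the side-bit
# construction and all names are assumptions of the example.
import random

SBOX = [0xc, 0x6, 0x9, 0x0, 0x1, 0xa, 0x2, 0xb,
        0x3, 0x8, 0x5, 0xd, 0x4, 0xe, 0x7, 0xf]      # SKINNY's 4-bit S-box (Table 6.1)
SBOX_INV = [SBOX.index(v) for v in range(16)]


def t_enc(x, k):
    """One keyed 8-bit round: key addition, two 4-bit S-boxes, rotation by 3."""
    y = x ^ k
    y = SBOX[y & 0xf] | (SBOX[y >> 4] << 4)
    return ((y << 3) | (y >> 5)) & 0xff


def t_dec(y, k):
    y = ((y >> 3) | (y << 5)) & 0xff
    return (SBOX_INV[y & 0xf] | (SBOX_INV[y >> 4] << 4)) ^ k


def double_enc(p, k1, k2):
    """The 2DES-like target: T_k2(T_k1(P)), 16-bit key, 8-bit block."""
    return t_enc(t_enc(p, k1), k2)


def floyd_collision(F, x0):
    """Floyd's cycle finding on F from x0. Returns (u, v) with u != v and
    F(u) == F(v), or None when x0 already lies on the cycle (no tail, no collision)."""
    tortoise, hare = F(x0), F(F(x0))
    while tortoise != hare:
        tortoise, hare = F(tortoise), F(F(hare))
    u, v = x0, tortoise                # both are the same distance from the cycle entry
    if u == v:
        return None
    while F(u) != F(v):                # walk in lockstep until both point at the entry
        u, v = F(u), F(v)
    return u, v


def memoryless_mitm(p, c, extra_pairs, seed=1, max_runs=200_000):
    """Balanced case: f(k1) = T_k1(P) and g(k2) = T_k2^-1(C) both map 8 bits to 8 bits.
    F runs f on inputs whose side bit is 0 and g on the others; a cross-side collision
    F(u) == F(v) means f(k1) == g(k2), i.e. a middle match. Each run picks a new side
    mask and output flavour so that the walk explores different collisions.
    Memory: a handful of 8-bit values, no table."""
    rng = random.Random(seed)
    for _ in range(max_runs):
        mask, flavour = rng.randrange(1, 256), rng.randrange(256)
        side = lambda x: bin(x & mask).count("1") & 1
        F = lambda x: (t_enc(p, x) if side(x) == 0 else t_dec(c, x)) ^ flavour
        hit = floyd_collision(F, rng.randrange(256))
        if hit is None or side(hit[0]) == side(hit[1]):
            continue                   # same-side collision: no key information
        k1, k2 = hit if side(hit[0]) == 0 else (hit[1], hit[0])
        if all(double_enc(p2, k1, k2) == c2 for p2, c2 in extra_pairs):
            return k1, k2              # candidate survived the extra pairs
    return None


K1, K2 = 0x5b, 0xe3                    # constructed secret key
PLAINTEXTS = [0x42, 0x9d, 0x07, 0xc0]  # constructed known plaintexts


def demo():
    """Recover (K1, K2): the first pair drives the collision search, the rest filter."""
    pairs = [(p, double_enc(p, K1, K2)) for p in PLAINTEXTS]
    (p, c), extra = pairs[0], pairs[1:]
    return memoryless_mitm(p, c, extra)


if __name__ == "__main__":
    print("recovered key:", tuple(hex(w) for w in demo()))
```

Each run costs on the order of $\sqrt{2^8}$ evaluations of F and returns one collision at the cycle entry of the walk; the right key is one of roughly $2^{16-8}$ middle matches, which is why the extra pairs (the footnote's filter) and repeated runs are needed.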


7.3. Meet-in-the-middle techniques This section covers some techniques used in modern meet-in-the-middle cryptanalysis. The terminology will generally follow the pioneering work of Aoki and Sasaki (2008, 2009), as is customary in the literature. Notation introduced for the basic attack in the previous section will continue to be used throughout this section. 7.3.1. Filtering 7.3.1.1. Partial matching Meet-in-the-middle attacks rely on the ability to test whether two partial key guesses Kf and Kb are consistent with known data. In the basic attack mentioned in section 7.2, it is done by computing an inner state at an intermediate round in two different ways, using the two partial keys, and checking for equality on the whole state. Instead, equality can be checked on only part of the state. This is called partial matching. The benefit of partial matching is that a well-chosen subset of the state may depend on a smaller number of key bits, compared to the whole state. This reduces the size of the forward and backward keys, and may in turn allow the attack to cover more rounds. The price to pay is that the equality test discards a smaller ratio of keys, resulting in a larger candidate key set at the output of the algorithm. Matching on b bits can be expected to retain a ratio 2−b of keys, resulting in a candidate key set of size 2k−b . If b is small, the strength of the filter can be generically increased by performing the attack on several plaintext/ciphertext pairs in parallel. That is, the forward and backward computation are carried out on x plaintext/ciphertext pairs for each key guess, testing for equality in the middle on every pair. This amounts to testing equality on xb bits, and the candidate key set can be expected to be of size 2k−xb (noting that it can never be smaller than one). This technique is quite useful, as matching on a single bit is attractive, since it can help minimize the number of key bits involved in the forward and backward computations. 
The technique increases the data and computation costs linearly by a factor $x$, but reduces the size of the candidate key set, and hence the number of keys that need to be tested, exponentially in $x$.

Meet-in-the-Middle Cryptanalysis

7.3.1.2. Indirect matching

Let $I_f \setminus I_\cap$ denote the indices of key bits unique to the forward computation. Assume that a subset $L$ of those key bits contributes only linearly to the inner state $S_m$ (viewed as a function of $K_f$, via the forward computation from $S_0$). That is, some linear combination of those key bits is added to each bit of the state when computing $S_m$. Then instead of adding those combinations of key bits during the forward computation, they could be subtracted from the output of the backward computation. This transformation clearly preserves the equality between the outputs of the forward and backward computations when the key guesses are correct. At the same time, it effectively moves the bits in $L$ from $K_f$ to $K_b$. In the case that $|K_f| > |K_b \cup L|$, the complexity of the attack is decreased. Of course, the same reasoning applies if some key bits contribute only linearly to the output of the backward computation.

In summary, whenever a key bit contributes only linearly to the output of either the forward or the backward computation, it can be freely moved between the two. This technique can enable some optimization in the size of the partial keys. The optimization may be especially significant in the case of SPN ciphers with partial S-box layers, since a large number of key bits then have a linear influence on the state, as in Banik et al. (2020), although equivalent representations of those ciphers can also yield similar benefits (Dinur et al. 2019).

7.3.1.3. Sieve-in-the-middle

So far, compatibility between the two partial key guesses has been checked with a simple equality test at a given round of the cipher. More advanced tests than equality may also be used. For example, using the specificities of a particular cipher, an attacker may be able to observe that some (full or partial) inner state $S_i$ at round $i$ is incompatible with another (full or partial) inner state $S_j$ at round $j$, in the sense that no value of the two inner states and of the round keys that separate them is consistent with both $S_i$ and $S_j$. In general, two states are incompatible if they can never be reached together during a valid encryption of the plaintext. Let $R$ denote the compatibility relation, such that if $R(S_i, S_j)$ does not hold, then $S_i$ and $S_j$ are incompatible.
If $R$ is simple enough, the attacker may be able to mount an attack as follows. The attacker performs the forward computation up to round $i$ and stores each result in a table $T_f$. The attacker then performs the backward computation up to round $j > i$ and stores each result in a second table $T_b$. As in Algorithm 7.1, the table $T_f$ (respectively, $T_b$) records, together with an inner state $S_i$ (respectively, $S_j$), the list of partial keys that have led to that state. The attacker then looks for pairs of states $(S_i, S_j)$ from the two tables that are compatible with respect to $R$. For each such pair of states, the combination(s) of the associated forward and backward partial key(s) yield one or more key candidates.

Since $T_f$ can have up to $2^{|I_f|}$ entries, and $T_b$ up to $2^{|I_b|}$ entries, for the attack to make sense it should be the case that finding compatible pairs between the two tables can be done faster than by evaluating $R$ on every possible pair. This is doable for certain relations, of which the equality used in standard meet-in-the-middle attacks is a special case. Several such relations were investigated in Naya-Plasencia (2011), originally in the context of rebound attacks, then applied to meet-in-the-middle attacks in Canteaut et al. (2013). Another method to match states using a non-equality relation is the Match Box technique from Fuhr and Minaud (2014).

7.3.2. Splice-and-cut

Basic meet-in-the-middle attacks compute forward from $S_0$ and backward from $S_r$ to meet at a middle state $S_m$. If it is more advantageous, the adversary may instead cut the cipher at some intermediate round $S_c$, typically close to one of the endpoints. Assume for now $c < m$. The adversary chooses a value for $S_c$ and computes forward from $S_c$ to $S_m$ as normal (see Figure 7.1). For the backward computation, the adversary must guess all round keys needed to compute the full state $S_0$ backward from $S_c$. An encryption oracle is called to get $S_r$ from $S_0$. The backward computation then resumes normally from $S_r$ to $S_m$. If $c > m$, the process is reversed: the backward computation proceeds normally, and the forward computation requires a decryption oracle to go back from $S_r$ to $S_0$.

Figure 7.1. Meet-in-the-middle attack with splice-and-cut (figure not reproduced; it shows $S_0$, $S_c$, the forward computation from $S_c$ to the match at $S_m$, $S_r$, the backward computation, and the encryption oracle joining $S_0$ to $S_r$)

In summary, an encryption or decryption oracle can be used to splice the two endpoints $S_0$ and $S_r$ of the computation, which in turn allows the attacker to freely choose the starting state $S_c$. This technique is beneficial when peculiarities of the cipher make certain starting rounds more attractive than others. One price to pay is that all round keys between $S_c$ and $S_0$ (or $S_r$) must be guessed, since the full state must be known when calling the oracle. Moreover, the attack model now requires an encryption or decryption oracle, rather than only known plaintexts. The data complexity also increases. In an actual implementation of the attack, the oracle can be called in advance on all possible inputs arising from the attack, rather than online during each key guess.

The splice-and-cut technique also applies to hash functions and was in fact developed in that setting (Aoki and Sasaki 2008). The splicing must be done differently. In the case of the Davies-Meyer mode, the feed-forward is used to deduce the output from the input (or conversely), using the target image. The attack becomes a pseudo-preimage attack rather than a preimage attack, since the input is no longer chosen.

REMARK 7.3.– Many attacks in symmetric cryptanalysis can be broadly cast as meet-in-the-middle attacks. For instance, all statistical attacks based on a distinguisher coupled with a key-recovery component can be construed as meet-in-the-middle variants, where the forward computation is keyless. Some techniques, including splice-and-cut, can also be helpful in that broader context.

7.3.3. Bicliques

A biclique is a technique to extend the number of rounds of a meet-in-the-middle attack. To construct a biclique over $b$ rounds, an initial structure is required, covering the first $b$ rounds, as depicted in Figure 7.2. The meet-in-the-middle attack proper starts from $S_b$ rather than from $S_0$, and should be compatible with the initial structure, as explained next. There must exist some initial states $(S_0^1, \ldots)$ and as many states at round $b$ $(S_b^1, \ldots)$, together with keys $K_{i,j}$ for every pair of indices $i, j$, satisfying the following properties:
– The encryption of $S_0^i$ over $b$ rounds with key $K_{i,j}$ yields state $S_b^j$.
– The forward computation of the meet-in-the-middle attack from $S_b$ to a state $S_m$ in the middle should be entirely determined by $K_{*,j}$: that is to say, all keys $K_{i,j}$ for fixed $j$ should yield the same result.
– Conversely, the backward computation from $S_r$ to $S_m$ should be entirely determined by $K_{i,*}$: that is to say, all keys $K_{i,j}$ for fixed $i$ should yield the same result.

Figure 7.2. Meet-in-the-middle attack with a biclique (figure not reproduced; it shows the biclique mapping the states $S_0^1, \ldots, S_0^i, \ldots, S_0^j, \ldots$ to $S_b^1, \ldots, S_b^i, \ldots, S_b^j, \ldots$ under the keys $K_{i,j}$, followed by the meet-in-the-middle part: forward with $K_{*,j}$ and backward from $S_r^1, \ldots, S_r^i, \ldots$ with $K_{i,*}$ to a match at $S_m$)

With that setup, an attack can be mounted as follows. Let $S_r^i$ be the encryption of $S_0^i$ using an encryption oracle. For each choice of $K_{*,j}$, the forward computation of the meet-in-the-middle attack is carried out from state $S_b^j$. As in Algorithm 7.1, each outcome is stored in a table $T$. Then, for each choice of $K_{i,*}$, the backward

computation of the meet-in-the-middle attack is carried out from state $S_r^i$. If the result matches a previous outcome of the forward computation in $T$ for some $K_{*,j}$, then $K_{i,j}$ is output as a key candidate.

As with the basic meet-in-the-middle attack from section 7.2, the crux of the matter is that the correct key must be among the key candidates. Indeed, if the correct key is $K_{i,j}$, then the encryption of $S_0^i$ will reach state $S_b^j$ at round $b$, then $S_r^i$ at round $r$, by construction of the biclique structure (see Figure 7.2). It follows that a forward computation from $S_b^j$ using $K_{*,j}$ and a backward computation from $S_r^i$ using $K_{i,*}$ must meet in the middle.

The setup of a biclique is rather demanding, but such structures have been identified on a number of hash functions and block ciphers, including round-reduced AES, KATAN, SKEIN and SHA-2 (see, for instance, Khovratovich et al. 2012). As discussed in the introduction of this book, biclique attacks have also been used for accelerated key searches, wherein all possible keys are tested, but each test costs less than a full encryption, for a certain cost model. The examples cited in this chapter are attacks in the standard sense, and do not amount to trying every key. The benefit of a biclique is that it reduces the number of rounds that the meet-in-the-middle component of the attack needs to cover. The price to pay is that, in addition to requiring a biclique structure, the attacker needs one chosen plaintext per initial state $S_0^i$ of the biclique.

7.4. Automatic tools

The techniques discussed in this chapter make up a large part of the arsenal of contemporary meet-in-the-middle attacks. It should be stressed that they can virtually all be combined. However, this leads to complex attacks, with a large number of variables for the cryptanalyst to tune. Automatic tools are very helpful in that respect. One of the first complete toolsets was proposed in Derbez and Fouque (2016), although the focus was mainly on Demirci-Selçuk variants. Recently, approaches based on mixed integer linear programming have proved effective: the reader is referred to Bao et al. (2021) and a recent follow-up (Dong et al. 2021).

7.5. References

Aoki, K. and Sasaki, Y. (2008). Preimage attacks on one-block MD4, 63-step MD5 and more. In SAC 2008, vol. 5381 of Lecture Notes in Computer Science, Avanzi, R.M., Keliher, L., Sica, F. (eds). Springer.
Aoki, K. and Sasaki, Y. (2009). Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, Halevi, S. (ed.). Springer.
Banik, S., Barooti, K., Durak, F.B., Vaudenay, S. (2020). Cryptanalysis of LowMC instances using single plaintext/ciphertext pair. IACR Transactions on Symmetric Cryptology, 2020(4), 130–146.

Bao, Z., Dong, X., Guo, J., Li, Z., Shi, D., Sun, S., Wang, X. (2021). Automatic search of meet-in-the-middle preimage attacks on AES-like hashing. In EUROCRYPT 2021, Part I, vol. 12696 of Lecture Notes in Computer Science, Canteaut, A., Standaert, F. (eds). Springer.
Canteaut, A., Naya-Plasencia, M., Vayssière, B. (2013). Sieve-in-the-middle: Improved MITM attacks. In CRYPTO 2013, Part I, vol. 8042 of Lecture Notes in Computer Science, Canetti, R., Garay, J.A. (eds). Springer.
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A. (2017). An efficient quantum collision search algorithm and implications on symmetric cryptography. In ASIACRYPT 2017, Part II, vol. 10625 of Lecture Notes in Computer Science, Takagi, T., Peyrin, T. (eds). Springer.
Derbez, P. and Fouque, P. (2016). Automatic search of meet-in-the-middle and impossible differential attacks. In CRYPTO 2016, Part II, vol. 9815 of Lecture Notes in Computer Science, Robshaw, M., Katz, J. (eds). Springer.
Diffie, W. and Hellman, M. (1977). Special feature exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer, 10(6), 74–84.
Dinur, I., Dunkelman, O., Keller, N., Shamir, A. (2014). Cryptanalysis of iterated Even-Mansour schemes with two keys. In ASIACRYPT 2014, Part I, vol. 8873 of Lecture Notes in Computer Science, Sarkar, P., Iwata, T. (eds). Springer.
Dinur, I., Kales, D., Promitzer, A., Ramacher, S., Rechberger, C. (2019). Linear equivalence of block ciphers with partial non-linear layers: Application to LowMC. In EUROCRYPT 2019, Part I, vol. 11476 of Lecture Notes in Computer Science, Ishai, Y., Rijmen, V. (eds). Springer.
Dong, X., Hua, J., Sun, S., Li, Z., Wang, X., Hu, L. (2021). Meet-in-the-middle attacks revisited: Key-recovery, collision, and preimage attacks. In CRYPTO 2021, Part III, vol. 12827 of Lecture Notes in Computer Science, Malkin, T., Peikert, C. (eds). Springer.
Fuhr, T. and Minaud, B. (2014). Match box meet-in-the-middle attack against KATAN. In FSE 2014, vol. 8540 of Lecture Notes in Computer Science, Cid, C., Rechberger, C. (eds). Springer.
Khovratovich, D., Rechberger, C., Savelieva, A. (2012). Bicliques for preimages: Attacks on Skein-512 and the SHA-2 family. In FSE 2012, vol. 7549 of Lecture Notes in Computer Science, Canteaut, A. (ed.). Springer.
Leurent, G. (2008). MD4 is not one-way. In FSE 2008, vol. 5086 of Lecture Notes in Computer Science, Nyberg, K. (ed.). Springer.
Li, J., Isobe, T., Shibutani, K. (2012). Converting meet-in-the-middle preimage attack into pseudo collision attack: Application to SHA-2. In FSE 2012, vol. 7549 of Lecture Notes in Computer Science, Canteaut, A. (ed.). Springer.
Naya-Plasencia, M. (2011). How to improve rebound attacks. In CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, Rogaway, P. (ed.). Springer.
Nikolic, I. and Sasaki, Y. (2016). A new algorithm for the unbalanced meet-in-the-middle problem. In ASIACRYPT 2016, Part I, vol. 10031 of Lecture Notes in Computer Science, Cheon, J.H., Takagi, T. (eds). Springer.
van Oorschot, P.C. and Wiener, M.J. (1996). Improving implementable meet-in-the-middle attacks by orders of magnitude. In CRYPTO ’96, vol. 1109 of Lecture Notes in Computer Science, Koblitz, N. (ed.). Springer.

Sasaki, Y. (2011). Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In FSE 2011, vol. 6733 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.
Sasaki, Y. and Aoki, K. (2009). Finding preimages in full MD5 faster than exhaustive search. In EUROCRYPT 2009, vol. 5479 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.

8

Meet-in-the-Middle Demirci-Selçuk Cryptanalysis

Patrick DERBEZ
University of Rennes, CNRS, IRISA, France

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.

8.1. Original Demirci-Selçuk attack

At FSE 2008, Demirci and Selçuk (2008) proposed new attacks against round-reduced versions of both AES-192 and AES-256. Those attacks rely on advanced meet-in-the-middle techniques and generalize the seven-round attack of Gilbert and Minier (2000). Before describing the attack, we need to introduce the definition of a particular structure of internal states called a δ-set.

DEFINITION 8.1 (δ-set).– We call a δ-set a collection of internal states such that one byte takes all 256 possible values while the others remain constant.

The starting point of Demirci and Selçuk is to consider the set of functions $f : \{0,1\}^8 \to \{0,1\}^8$ that map a message from a δ-set, indexed according to the active byte, to a byte of the state after four AES rounds. A convenient way is to view each $f$ as an ordered byte sequence $[f(0), \ldots, f(255)]$, so that it can be represented by 256 bytes. The crucial observation made by Demirci and Selçuk is that this set can be described using 25 byte parameters ($2^{25 \cdot 8} = 2^{200}$). This is very small compared with the set of all functions of this type, which counts as many as $2^{8 \cdot 2^8} = 2^{2048}$ elements. Let $x_i$ denote the internal state at the beginning of round $i$. For a δ-set on $x_i$, we identify these parameters as follows:

– 4 bytes of state $x_{i+1}$;
– the full state $x_{i+2}$;
– 4 bytes of state $x_{i+3}$;
– 1 byte of state $x_{i+4}$.

These are the state bytes required to propagate the differences from the δ-set to the final byte, as depicted in Figure 8.1. Let us denote by $z_i$ the internal state $\mathrm{ShiftRows} \circ \mathrm{SubBytes}(x_i)$. The four bytes of the state $x_1$ only depend on the column of $z_0$ where the active byte of the δ-set is located; for instance, if it is column 0, and using a column-wise indexation, those bytes are $x_1[0, 1, 2, 3]$. Similarly, the four bytes of $x_3$ depend on the column of $x_4$ where the byte we want to determine is located; as an example, if it is column 0, then those bytes are $x_3[0, 5, 10, 15]$.

Figure 8.1. Four AES rounds, from $z_i$ through $x_{i+1}, z_{i+1}, x_{i+2}, z_{i+2}, x_{i+3}, z_{i+3}$ to $x_{i+4}$ (figure not reproduced). The 25 black bytes are the parameters describing the function $f$. Hatched bytes play no role. The differences are null in white squares.

Demirci and Selçuk first used this property to mount a basic meet-in-the-middle attack on seven rounds of AES-256, depicted in Figure 8.2, whose procedure is roughly as follows:
– Preprocessing phase: compute all the $2^{200}$ possible sequences from the 25-byte parameters and store them in a hash table.
– Online phase:
1) Ask for a structure of $2^{32}$ chosen plaintexts such that the main diagonal takes all $2^{32}$ possible values and the remaining bytes are constant.
2) Choose one plaintext and guess the first column of its intermediate state $z_0$ and the byte $z_1[0]$.
3) For each of the 255 non-zero values of $\Delta z_1$, compute the corresponding difference in the plaintext using the guessed bytes.
4) Order the obtained δ-set according to the value of the state byte $z_1[0]$.
5) Guess the first column of $x_6$ and the byte $x_5[0]$ for one of the messages and deduce those state bytes for the 256 ciphertexts.
6) Build the sequence and check whether it exists in the hash table. If not, discard the guess.

Note that the parameters of both the online and offline phases are state bytes, which we shall refer to in the following as $B_{on}$ and $B_{off}$. The complexity of the attack depends directly on how many values those state bytes can assume and how fast we can enumerate them. Indeed, the bytes of $B_{off}$ (respectively, $B_{on} \cup P \cup C$) are related by the AES equations and thus lead to the knowledge of some linear combinations of the (sub)key bytes. Then some relations derived from the key schedule may exist between them, which reduces the number of values they can assume. In the following, we will denote by $K_{off}$ (respectively, $K_{on}$) the vector space generated by these linear combinations. For instance, in the case of the described attack and if the last MixColumns is omitted,
– $\{k_{-1}[0], k_{-1}[5], k_{-1}[10], k_{-1}[15], k_0[0], u_5[0], k_6[0], k_6[7], k_6[10], k_6[13]\}$ is a basis of $K_{on}$;
– $\{u_1[0], u_2[0], u_2[7], u_2[10], u_2[13], k_3[0], k_3[5], k_3[10], k_3[15], k_4[0]\}$ is a basis of $K_{off}$.

Figure 8.2. Online phase of the Demirci and Selçuk attack (figure not reproduced; it shows $P$, $x_0$, $z_0$, $x_1$, $z_1$, three rounds, $x_5$, $z_5$, $x_6$, $z_6$ and $C$). $B_{on}$ is composed of the gray and black bytes. Gray bytes are used to identify a δ-set and to order it. Black bytes are used to build the sequence from the ciphertexts. Hatched bytes play no role. The differences are null in white squares.

Additionally, this attack has a data complexity of $2^{32}$ chosen plaintexts, a time complexity of $2^{80} \times 2^8$ partial encryptions/decryptions for the online phase, and a memory requirement of $2^{200}$ 256-byte sequences. Building the hash table also requires $2^{208}$ partial encryptions, and thus the overall complexity of this attack is too high to apply it to the 128- and 192-bit versions.

Extension to 8-round AES-256: the time complexity of the 7-round attack is low enough to mount an attack from it on eight rounds of AES-256. This is done by fully guessing the last round key, decrypting the last round and applying the seven-round attack, which increases the time complexity by a factor $2^{128}$.

Application to other ciphers: the technique is general enough to be applied to most block ciphers such as, for instance, SKINNY, TWINE or CAMELLIA. In the following, we focus on AES for the sake of simplicity.

8.2. Improvements

Many works improved the cryptanalysis technique behind the seven-round attacks (e.g. Dunkelman et al. 2010; Derbez et al. 2013; Derbez and Fouque 2013; Li et al. 2014). In this section, we give an overview of all of them.

8.2.1. Data/time/memory trade-off

One can do a classical trade-off by storing in the hash table only a fraction of the possible sequences. Then the attacker has to repeat the online phase many times to compensate for the probability of failure when the sequence is not present in the table, which increases the data and time complexities. In other words, if the attack has a complexity $(D, T, M)$ ($D$ for the data, $T$ for the time complexity of the online phase and $M$ for the memory), then it is possible to modify it to reach a complexity equal to $(D \times N, T \times N, M/N)$ for any positive $N$ such that $D \times N$ is smaller than the size of the codebook. This trade-off allows the attack on seven rounds of AES-256 to be adapted to the 192-bit version.

Data recycling: the structure of $2^{32}$ plaintexts used in the attack contains $2^{24}$ δ-sets. Thus, the data may be reused $2^{24}$ times in the data/time/memory trade-off.

Switching phases: as shown in Derbez and Perrin (2015) and Bonnetain et al. (2019), it is possible to switch the online and offline phases of the attack to modify the memory complexity. In that case, both phases are performed online, but we store in a hash table the sequences obtained from the actual plaintext/ciphertext pairs. This is useful when the memory complexity is the bottleneck of the attack.

8.2.2. Difference instead of value

Demirci and Selçuk showed that the number of parameters can be reduced to 24 for their distinguisher by considering the sequence of differences instead of values, because in that case $x_{i+4}[0]$ is not needed. Actually, considering the sequence of differences instead of values allows $x_{i+4}[0]$ to be removed either from $B_{off}$ (as Demirci and Selçuk did) or from $B_{on}$, leading to a simple time/memory trade-off. The sequences stored in the table thus have the form $[f(0) + f(0), \ldots, f(0) + f(255)]$, where $f$ is a function that maps the value of $z_i[0]$ to the value of $x_{i+4}[0] \oplus k_{i+3}[0]$. But, as shown in Derbez and Fouque (2013), the procedure used to build the table produces functions that map the value of $\Delta z_i[0]$ to the value of $\Delta x_{i+4}[0]$, and then the only effect of mapping the value of $z_i[0]$ is to set the value of the round key byte $u_i[0]$ (i.e. $u_i[0] \in K_{off}$). On the other hand, if we store in the table sequences of the form $[f(0), \ldots, f(255)]$, where $f$ is a function that maps the value of $\Delta z_i[0]$ to the value of $\Delta x_{i+4}[0]$, then each δ-set can be ordered in 256 ways, saving data in the classical data/time/memory trade-off. Furthermore, in the case of a δ-set encryption, each byte of the first column of $x_{i+1}$ assumes all 256 values. As a result, setting one of those bytes to 0 when building the hash table can be compensated by trying the 256 orders of a δ-set, without making the attack probabilistic.

8.2.3. Multiset

A multiset is an unordered set in which elements can occur many times. In Dunkelman et al. (2010), the authors introduce them to replace the functional concept used in the Demirci-Selçuk attack and propose to store in the hash table unordered sequences of 256 bytes instead of ordered sequences. Moreover, they show that a multiset still contains enough information to make the attack possible. Indeed, they showed that given two random functions $f, g : \mathbb{F}_{256} \to \mathbb{F}_{256}$, the multisets $[f(0), \ldots, f(255)]$ and $[g(0), \ldots, g(255)]$ are equal with a probability smaller than $2^{-467.6}$. Combined with the fact that the S-box is a bijection, the main gain is to remove $z_1[0]$ from $B_{on}$, since it was used only to order the δ-set, and thus the time complexity is decreased by a factor $2^8$. Finally, we note that a multiset contains about 512 bits of information and its representation can be easily compressed into 512 bits of space, while an ordered sequence needs $256 \times 8 = 2048$ bits. Hence, it decreases the memory requirements by a factor of 4.

Note that, given a sequence of 256 bytes $b_0, \ldots, b_{255}$, $b_i = b_j$ implies that the multisets $[b_i + b_0, \ldots, b_i + b_{255}]$ and $[b_j + b_0, \ldots, b_j + b_{255}]$ are equal. But Dunkelman et al. showed that given a random function $f : \mathbb{F}_{256} \to \mathbb{F}_{256}$, the multiset $[f(0) + f(1), \ldots, f(0) + f(255)]$ contains on average 162 different values out of 256. Thus we conclude that a δ-set can be reused $162 \approx 2^{7.34}$ times on average. This remark also holds for the multisets stored in the hash table during the precomputation phase, and so the memory requirements must be corrected by a factor of $2^{-0.66}$.

8.2.4. Linear combinations

To improve the attack of Demirci and Selçuk, another idea introduced in Derbez and Fouque (2013) is to store in the sequences the 256 differences in a linear combination of bytes of $x_{i+4}$ instead of the 256 differences in a single byte. Since the matrix involved in the MixColumns operation is MDS, minimal equations involving $\Delta z_i$ and $\Delta x_{i+1}$ contain exactly five variables, such that $m$ are on a column $c$ of $\Delta z_i$ and $5 - m$ are on the column $c$ of $\Delta x_{i+1}$, with $1 \le m \le 4$, for any round number $i$. The original attack of Demirci and Selçuk corresponds to the cases $m = 1$ and $m = 4$. The size of the set $B_{on}$ (respectively, $B_{off}$) is determined by $m$, and it decreases (respectively, increases) when $m$ is increased. Thus, we can trade time for memory and vice versa without affecting the data complexity. Furthermore, contrary to the other data/time/memory trade-offs, the attack does not become probabilistic.

The same idea can also be applied to the δ-set. Instead of considering sets of 256 plaintexts such that one byte assumes the 256 values and the others are constant, we consider a set of 256 plaintexts such that exactly five bytes of $z_i$ and $x_{i+1}$ are active. We still call such a set a δ-set. The consequences on the attack are the same as for the previous trade-off, but it now affects the size of the structure needed, and bytes of $z_i$ must be guessed in the online phase despite the use of unordered sequences.
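The multiset representation of section 8.2.3 can be checked numerically; the following Python code is an added example, not the book's code, and uses random functions $f$ as constructed stand-ins for the sequences produced by encrypting a δ-set. The 2-bit-per-value encoding into 512 bits is our own illustrative scheme (an assumption), not the one used by Dunkelman et al.

```python
import random
from collections import Counter


def diff_multiset(seq, base=0):
    """Unordered multiset of the differences seq[base] ^ seq[i], i = 0..255,
    built from the 256-byte sequence obtained by encrypting a δ-set."""
    assert len(seq) == 256
    return Counter(seq[base] ^ v for v in seq)


def multiset_key(ms):
    """Canonical hashable form, independent of the order of the δ-set."""
    return tuple(sorted(ms.items()))


def encode_512(ms):
    """Illustrative 512-bit encoding (our assumption, not the book's scheme):
    2 bits per byte value holding min(count, 3). Counts above 3 are rare for
    a random function, so little is lost when this is used as a table key."""
    out = bytearray(64)
    for value, count in ms.items():
        out[value // 4] |= min(count, 3) << (2 * (value % 4))
    return bytes(out)


def expected_distinct(n=256):
    """Expected number of distinct values in [f(0)^f(0), ..., f(0)^f(255)] for
    a random f: the difference 0 is always present, and each of the other
    n - 1 values is hit by one of the n - 1 uniform differences with
    probability 1 - (1 - 1/n)^(n-1). This is about 162.0 for n = 256."""
    return 1 + (n - 1) * (1 - (1 - 1 / n) ** (n - 1))


def average_distinct(trials=1000, seed=1):
    """Monte Carlo estimate of the same quantity over random functions
    (constructed stand-ins for real δ-set sequences)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seq = [rng.randrange(256) for _ in range(256)]
        total += len(diff_multiset(seq))
    return total / trials


def reuse_count(seq):
    """Number of distinct multisets one δ-set yields as the reference element
    varies. seq[i] == seq[j] gives the same multiset, so this is at most the
    number of distinct values in seq, about 162 on average (section 8.2.3)."""
    return len({multiset_key(diff_multiset(seq, i)) for i in range(256)})
```

Note the degenerate case of a bijective sequence: XORing the full set of 256 byte values by any constant gives the same multiset, so such a δ-set cannot be reused at all, which is why the 162 figure is an average over random functions rather than a guarantee.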
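As an added example (not the book's code) for the MDS argument of section 8.2.4, the following Python code enumerates the minimal five-variable relations between a column of $z_i$ and the corresponding column of $x_{i+1}$ through AES MixColumns, for every split of $m$ input bytes and $5 - m$ output bytes, and checks them on actual values. The function names are our own; the matrix and the field arithmetic are those of AES.

```python
from itertools import combinations

# AES MixColumns matrix over GF(2^8): x = M z maps a column z of z_i to x_{i+1}
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Inverse of a nonzero element, computed as a^254."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def rref(rows):
    """Reduced row echelon form over GF(2^8). Returns (rows, pivot columns)."""
    A = [row[:] for row in rows]
    pivots, r = [], 0
    for col in range(len(A[0]) if A else 0):
        if r == len(A):
            break
        piv = next((i for i in range(r, len(A)) if A[i][col]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = gf_inv(A[r][col])
        A[r] = [gf_mul(inv, v) for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][col]:
                f = A[i][col]
                A[i] = [u ^ gf_mul(f, v) for u, v in zip(A[i], A[r])]
        pivots.append(col)
        r += 1
    return A, pivots


def is_mds(mat):
    """MDS check: every square submatrix must be nonsingular (full rank)."""
    n = len(mat)
    for k in range(1, n + 1):
        for rs in combinations(range(n), k):
            for cs in combinations(range(n), k):
                if len(rref([[mat[i][j] for j in cs] for i in rs])[1]) < k:
                    return False
    return True


def mix_column(z):
    """x = M z for one 4-byte column."""
    out = []
    for row in M:
        acc = 0
        for coef, v in zip(row, z):
            acc ^= gf_mul(coef, v)
        out.append(acc)
    return out


def minimal_relation(in_cols, out_rows):
    """Coefficients (a, b) of sum_j a[j] z_j + sum_r b[r] x_r = 0 involving
    exactly the m input bytes in_cols and the 5 - m output bytes out_rows:
    b is the combination of those rows of M that cancels the 4 - m input
    columns outside in_cols (unique up to scaling because M is MDS)."""
    assert len(in_cols) + len(out_rows) == 5 and 1 <= len(in_cols) <= 4
    zero_cols = [j for j in range(4) if j not in in_cols]
    # 4 - m homogeneous equations sum_r b_r M[r][j] = 0, one per j in zero_cols
    R, pivots = rref([[M[r][j] for r in out_rows] for j in zero_cols])
    free = next(c for c in range(len(out_rows)) if c not in pivots)
    bvec = [0] * len(out_rows)
    bvec[free] = 1
    for i, pc in enumerate(pivots):
        bvec[pc] = R[i][free]      # characteristic 2: x_pc = R[i][free] * x_free
    b = dict(zip(out_rows, bvec))
    a = {}
    for j in in_cols:
        acc = 0
        for r in out_rows:
            acc ^= gf_mul(b[r], M[r][j])
        a[j] = acc
    assert all(a.values()) and all(b.values())   # MDS: no coefficient vanishes
    return a, b


def relation_holds(a, b, z):
    """Evaluate the relation on an actual column z and its image x = M z."""
    x = mix_column(z)
    acc = 0
    for j, coef in a.items():
        acc ^= gf_mul(coef, z[j])
    for r, coef in b.items():
        acc ^= gf_mul(coef, x[r])
    return acc == 0


def all_relations():
    """All minimal relations of one column: C(4,m)*C(4,5-m) for m = 1..4,
    i.e. 56 = C(8,5) in total (times 4 columns gives the 4 x C(8,5) of 8.3)."""
    return [minimal_relation(ic, oc) for m in range(1, 5)
            for ic in combinations(range(4), m)
            for oc in combinations(range(4), 5 - m)]
```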

8.2.5. Differential enumeration technique

In Dunkelman et al. (2010), the authors introduce a more sophisticated trade-off which reduces the memory without increasing the time complexity, and which was later improved by Derbez et al. (2013). The main idea is to add restrictions on the parameters used to build the table, such that those restrictions can be checked (at least partially) during the online phase. More precisely, they impose that the stored sequences come from a δ-set containing a message $m$ which belongs to a pair $(m, m')$ that follows a well-chosen differential path. Then the attacker first focuses on finding such a pair before identifying a δ-set and building the sequence. We explain how this technique works by describing an attack on eight rounds of AES-192.

Attack on 8 rounds of AES-192: let us consider the eight-round attack on AES-192 depicted in Figure 8.3. The bytes of $B_{off}$ are the first column of $x_2$, the entire state $x_3$, the last two columns of $z_4$ and bytes 2 and 3 of $z_5$. The bytes of $B_{on}$ are the second column of $z_0$, the first three columns of $x_7$ and the first column of $x_6$ except byte 1. Because of the key schedule, they take only $2^{8 \times 17} = 2^{136}$ values, because $u_6[0] = u_7[4] + u_7[8]$ and $u_6[7] = u_7[11] + u_7[15]$. Finally, the time complexity is equivalent to $2^{138}$ encryptions and the memory requirement is $2^{241.34}$ AES blocks.

Figure 8.3. Attack on 8 AES rounds, from $P$, $x_0$, $z_0$ through $x_7$, $z_7$ to $C$ (figure not reproduced). Bytes of $B_{off}$ are in black. Bytes of $B_{on}$ are in gray. Hatched bytes play no role. The differences are null in white squares.

The idea of the differential enumeration technique is to store in the hash table only the multisets built from a δ-set containing a message $m$ that belongs to a pair $(m, m')$ following a well-chosen differential characteristic. In our case, this is the truncated differential characteristic $4 \to 1 \to 4 \to 16 \to 8 \to 2 \to 3 \to 12$ depicted in Figure 8.4. Then the bytes of $B_{off}$ can take only $2^{16 \times 8}$ values for such a pair. Indeed, if we guess the differences in the circled bytes, then we obtain the difference before and after the S-box for each byte of $B_{off}$, and thus we can derive their absolute values. Storing only those sequences in the hash table decreases the memory requirement by a factor $2^{112}$. However, we now need to find a pair that follows this truncated differential characteristic, and so the procedure of the online phase becomes slightly more complicated:

Figure 8.4. Differential characteristic on 8 AES rounds, from $P$, $x_0$, $z_0$ through $x_7$, $z_7$ to $C$ (figure not reproduced). The differences are null in white squares. The values of the bytes of $B_{off}$ can be derived from the differences in the circled bytes.

1) Ask for a structure of $2^{32}$ plaintexts such that the second diagonal assumes all $2^{32}$ possible values and the other bytes are constant.
2) Store the corresponding ciphertexts in a hash table to identify the pairs that have a non-zero probability of following the differential path.
3) For each of these pairs:
a) guess $\Delta z_6[0]$, $\Delta z_6[7]$ and $\Delta z_6[10]$ and compute the difference in the first three columns of $x_7$;
b) deduce the value of the first three columns of $x_7$ using $\Delta z_7$;
c) deduce $u_6[0]$ and $u_6[7]$ using $u_7[4]$, $u_7[8]$, $u_7[11]$ and $u_7[15]$;
d) deduce $z_6[0]$ and $z_6[7]$ and compute $\Delta x_6[0]$ and $\Delta x_6[3]$;
e) check whether the equation between $\Delta x_6[0]$ and $\Delta x_6[3]$ is satisfied;
f) deduce $\Delta x_6[2]$ and then compute $x_6[2]$ using $\Delta z_6[10]$;
g) guess $\Delta x_1[5]$ and compute the difference in the second column of $z_0$;
h) deduce the value of the second column of $z_0$ using $\Delta x_0$;
i) get the δ-set associated with one of the messages of the pair and build the multiset from the corresponding ciphertexts;
j) check whether the multiset exists in the hash table. If not, discard the key guess.
4) Restart with a new structure if no match is found.

As each structure contains $2^{63}$ pairs and each of these pairs follows the differential with probability $2^{-144}$, we need $2^{81}$ structures on average. Then, for each structure we have to study only $2^{63-32} = 2^{31}$ pairs, and for each of them we have to perform $2^{24} \times 2^8$ partial encryptions, which is equivalent to $2^{28}$ encryptions. Overall, this leads to an attack with $2^{113}$ chosen plaintexts, a time complexity equivalent to $2^{140}$ encryptions and a memory requirement of $2^{130}$ AES blocks.

Reducing the data complexity: note that for each possible choice of the active diagonal in the plaintext, there are 96 attacks with the same complexity. As the corresponding differential characteristics are different, it is possible to perform many attacks in parallel to save data in exchange for memory. For instance, if we use a structure with three active diagonals, it is possible to reach a complexity of $2^{104.83}$ chosen plaintexts and $2^{138.17}$ AES blocks, the time remaining unchanged.

8.3. Finding the best attacks

We saw that many variants of the Demirci-Selçuk attack can be mounted on a cipher, and finding the best set of parameters can be a hard task. We identify the following difficulties:
– Linear combinations: the number of linear combinations to consider may be quite huge depending on the cipher. While for AES the linear layer relies on a small MDS $4 \times 4$ matrix, there are already $(4 \times \binom{8}{5})^2 \approx 2^{15.6}$ different attacks to consider. For ARIA, the linear layer is composed of a $16 \times 16$ non-MDS matrix, leading to a huge number of possible variants.
– Complexities: once the parameters of the attack are chosen, computing the corresponding complexity requires answering the two following questions for both the sets $B_{on}$ and $B_{off}$:
- How many values can those state bytes assume?
- How fast can we enumerate them?
While for linear key schedules it is only a matter of computing the dimension of a vector space, for more complicated key schedules (i.e. involving nonlinear operations) there is no straightforward method.
– Differential enumeration technique: computing the complexities under the constraints of a differential characteristic increases the difficulty of the task. Another difficulty comes from the choice of the differential characteristic. While for AES it is fully synchronized with the attack (i.e. there is only one natural choice), at CT-RSA 2015, Dong et al. (2015) showed a new attack against CAMELLIA-256 for which both the truncated differential characteristic used for the differential enumeration technique and the underlying Demirci-Selçuk attack were desynchronized.

8.3.1. Tools

Several researchers provided tools to automatically search for the best Demirci-Selçuk attacks against several classes of block ciphers. For instance, Derbez and Fouque (2016) provided a tool searching for the best Demirci-Selçuk attacks for a large class of block ciphers. The complexities are computed based on the work of Bouillaguet et al. (2011), who developed a technique to solve AES-like systems

Meet-in-the-Middle Demirci-Selçuk Cryptanalysis

109

of equations. Another tool was proposed by Shi et al. (2018), relying on a constraint programming solver to first search for the smallest sets $B_{\mathrm{on}}$ and $B_{\mathrm{off}}$. Then, in a second step, a tool dedicated to the key-bridging technique (i.e. finding relations between round keys separated by several rounds) is used to refine the complexities. However, neither tool handles the differential enumeration technique.

8.3.2. Results

Demirci-Selçuk attacks are the best known attacks against several round-reduced ciphers including AES, SQUARE, CRYPTON/mCRYPTON and TWINE. More generally, the technique is powerful against AES-like ciphers, i.e. ciphers composed of few rounds with strong S-boxes. When applied without the differential enumeration technique, they also lead to efficient low-data-complexity attacks.

8.4. References

Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A. (2019). Quantum security analysis of AES. IACR Trans. Symmetric Cryptol., 2019(2), 55–93.
Bouillaguet, C., Derbez, P., Fouque, P. (2011). Automatic search of attacks on round-reduced AES and applications. In CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, Rogaway, P. (ed.). Springer.
Demirci, H. and Selçuk, A.A. (2008). A meet-in-the-middle attack on 8-round AES. In FSE 2008, vol. 5086 of Lecture Notes in Computer Science, Nyberg, K. (ed.). Springer.
Derbez, P. and Fouque, P. (2013). Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In FSE 2013, vol. 8424 of Lecture Notes in Computer Science, Moriai, S. (ed.). Springer.
Derbez, P. and Fouque, P. (2016). Automatic search of meet-in-the-middle and impossible differential attacks. In CRYPTO 2016, Part II, vol. 9815 of Lecture Notes in Computer Science, Robshaw, M., Katz, J. (eds). Springer.
Derbez, P. and Perrin, L. (2015). Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In FSE 2015, vol. 9054 of Lecture Notes in Computer Science, Leander, G. (ed.). Springer.
Derbez, P., Fouque, P., Jean, J. (2013). Improved key recovery attacks on reduced-round AES in the single-key setting. In EUROCRYPT 2013, vol. 7881 of Lecture Notes in Computer Science, Johansson, T., Nguyen, P.Q. (eds). Springer.
Dong, X., Li, L., Jia, K., Wang, X. (2015). Improved attacks on reduced-round Camellia-128/192/256. In CT-RSA 2015, vol. 9048 of Lecture Notes in Computer Science, Nyberg, K. (ed.). Springer.
Dunkelman, O., Keller, N., Shamir, A. (2010). Improved single-key attacks on 8-round AES-192 and AES-256. In ASIACRYPT 2010, vol. 6477 of Lecture Notes in Computer Science, Abe, M. (ed.). Springer.
Gilbert, H. and Minier, M. (2000). A collision attack on 7 rounds of Rijndael. In AES Candidate Conference.


Li, L., Jia, K., Wang, X. (2014). Improved single-key attacks on 9-round AES-192/256. In FSE 2014, vol. 8540 of Lecture Notes in Computer Science, Cid, C., Rechberger, C. (eds). Springer.
Shi, D., Sun, S., Derbez, P., Todo, Y., Sun, B., Hu, L. (2018). Programming the Demirci-Selçuk meet-in-the-middle attack with constraints. In ASIACRYPT 2018, Part II, vol. 11273 of Lecture Notes in Computer Science, Peyrin, T., Galbraith, S.D. (eds). Springer.

9

Invariant Cryptanalysis

Christof BEIERLE, Ruhr University Bochum, Germany

9.1. Introduction

Compared to statistical cryptanalytic attacks such as differential and linear attacks, invariant attacks exploit an undesired (from the designer's point of view) structural property of block ciphers and cryptographic permutations, namely, the property that a partition of the plaintext space into a set $S$ and its complement is preserved under the application of the block cipher (the cryptographic permutation). Those kinds of attacks have their origin in the late 1990s, but became popular several years later with the introduction of invariant subspace attacks (Leander et al. 2011) and nonlinear invariant attacks (Todo et al. 2019), both of which were successfully applied to cryptanalyze lightweight cryptographic designs. Lightweight block ciphers and lightweight cryptographic permutations, which employ very simple round functions and structured round keys, tend to be especially vulnerable to invariant attacks. In this chapter, we present the important concepts and ideas behind invariant subspace attacks and nonlinear invariant attacks. We discuss methods to spot potential vulnerabilities in cryptographic designs and also methods that allow designers to provide arguments on the security of their designs with respect to those attacks. The chapter is concluded by presenting a link between invariant attacks and linear approximations. We do not discuss how invariants for a block cipher or a cryptographic permutation might lead to attacks on the underlying mode of operation.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.


9.2. Invariants for permutations and block ciphers

We start with the definition of a general notion of invariants, which covers both the invariant subspace attack and nonlinear invariant attacks.

DEFINITION 9.1.– Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a permutation. An invariant for $F$ is a Boolean function $g : \mathbb{F}_2^n \to \mathbb{F}_2$ such that $g \oplus (g \circ F)$ is constant.

An invariant $g : \mathbb{F}_2^n \to \mathbb{F}_2$ for a permutation $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ defines a set $S_g := \{x \in \mathbb{F}_2^n \mid g(x) = 1\}$ such that $F$ preserves the partition of $\mathbb{F}_2^n$ into $S_g$ and $\mathbb{F}_2^n \setminus S_g$. In other words, we have $F(S_g) = S_g$ or $F(S_g) = \mathbb{F}_2^n \setminus S_g$ (see Figure 9.1). A constant Boolean function $g : \mathbb{F}_2^n \to \mathbb{F}_2$ is trivially an invariant for every $n$-bit permutation, so we simply call it a trivial invariant. If two Boolean functions $g$ and $h$ are invariants for a permutation $F$, the sum $g \oplus h$ is also an invariant for $F$. Therefore, the set of invariants for a permutation $F$ forms a binary vector space, denoted $U(F)$. Only non-constant invariants are interesting for cryptanalytic purposes, and we call them non-trivial invariants.

[Figure 9.1: two diagrams of $\mathbb{F}_2^n$ partitioned into $S_g$ and its complement, with arrows $F$ and $F^{-1}$ between the parts]

Figure 9.1. The partition of $\mathbb{F}_2^n$ into $S_g$ and its complement for an invariant $g$. On the left, we have $F(S_g) = S_g$, and on the right, we have $F(S_g) = \mathbb{F}_2^n \setminus S_g$. For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

The reason a cryptanalyst is interested in invariants is that the knowledge of a non-trivial invariant $g$ for a permutation (or keyed instance of a block cipher) $F$ could be used as a distinguisher: evaluate $F$ on a few (known or chosen) inputs $x_1, \ldots, x_t$ and check whether $g(x_i) \oplus g(F(x_i))$, $i = 1, \ldots, t$, is constant. Note that a permutation $F$ chosen at random from the set of $n$-bit permutations is likely to admit a non-trivial invariant (e.g. if $F$ has a fixed point). However, not all non-trivial invariants are meaningful in cryptanalysis. We are basically interested in those non-trivial invariants that are detectable in a reasonable amount of time¹ and which fall in at least one of the following two cases:

1) An invariant for a cryptographic permutation $F$ is likely to result in a weakness of the cryptographic scheme, depending on the underlying mode of operation.

¹ It is not totally clear that existing, but not easy to detect, invariants do not lead to other attacks on the cryptographic scheme; see also the link to linear attacks presented in section 9.4.


2) In the case of a block cipher, that is, a family of permutations $\mathcal{F}$, a non-constant Boolean function $g$ is an invariant for many permutations in $\mathcal{F}$ simultaneously.

The second case above leads to the notion of weak keys of a block cipher. Let us consider a block cipher $E : \mathbb{F}_2^k \times \mathbb{F}_2^n \to \mathbb{F}_2^n$. The set of weak keys of $E$ with respect to the invariant $g$ is defined as $\mathrm{WK}^E_g := \{K \in \mathbb{F}_2^k \mid g \text{ is an invariant for } E_K\}$. We remark that in this notion, the constant function $g \oplus (g \circ E_K)$ can be different (i.e. either 0 or 1) for each weak key.

In the remainder of this chapter, we focus on two special cases of invariants that correspond to the majority of the known cryptographic attacks based on invariants. In the first case, the invariant is the indicator function of an affine space and, in the second case, the invariant is quadratic, that is, it has algebraic degree equal to two. As we will see, those kinds of invariants are easier to study than invariants in their full generality.

9.2.1. Invariant subspaces

In this section, we present the basic idea behind invariant subspace attacks on block ciphers (Leander et al. 2011).

DEFINITION 9.2.– Let $g : \mathbb{F}_2^n \to \mathbb{F}_2$ be defined as the indicator function of an affine space, that is, $S_g = U \oplus a$ for a linear space $U \subseteq \mathbb{F}_2^n$ and a vector $a \in \mathbb{F}_2^n$. If $g = g \circ F$ (i.e. if $F(U \oplus a) = U \oplus a$), the affine space $U \oplus a$ is called an invariant subspace for $F$.

If we consider a block cipher $E : \mathbb{F}_2^k \times \mathbb{F}_2^n \to \mathbb{F}_2^n$, the goal of the attacker is to find an affine space $U \oplus a$ that is an invariant subspace for many keyed instances $E_K$. If $g$ is the indicator function of $U \oplus a$, we also write $\mathrm{WK}^E_{U \oplus a}$ for the set of weak keys of $E$ with respect to the invariant $g$.

Let us now assume that $E$ is an iterative key-alternating block cipher, that is, each keyed instance $E_K$ can be decomposed as $E_K = R_{K_r} \circ R_{K_{r-1}} \circ \cdots \circ R_{K_1}$, where $R_{K_i}(x) := R(x) \oplus K_i$ for a round function $R : \mathbb{F}_2^n \to \mathbb{F}_2^n$ and for which the round keys $K_1, \ldots, K_{r-1}, K_r$ are derived from the master key $K$ by a key schedule. The round function $R$ is usually of a very simple form, so we can start by analyzing $R$ for properties that might lead to invariant subspaces over multiple iterations of keyed rounds. As we will see, it is especially interesting if $R$ maps a coset of a non-trivial linear space to a (potentially different) coset of the same linear space. In particular, suppose there exist a linear subspace $U \subseteq \mathbb{F}_2^n$ and two vectors $a, b \in \mathbb{F}_2^n$ such that $R(U \oplus a) = U \oplus b$. If now all of the round keys $K_i$, $i = 1, \ldots, r$, are contained in the affine space $U \oplus a \oplus b$, we have $R_{K_i}(U \oplus a) = R(U \oplus a) \oplus K_i = U \oplus b \oplus K_i = U \oplus a$ (see Figure 9.2). In other words, $U \oplus a$ is an invariant subspace over $R_{K_i}$, $i = 1, \ldots, r$,


and thus is an invariant subspace over $E_K$. With this idea, if $R(U \oplus a) = U \oplus b$, we have:

$$\{K \in \mathbb{F}_2^k \mid \forall i \in \{1, \ldots, r\} : K_i \in U \oplus a \oplus b\} \subseteq \mathrm{WK}^E_{U \oplus a}.$$

[Figure 9.2: $U \oplus a$ is mapped by $R$ onto $U \oplus b$ and back onto $U \oplus a$ by the addition of $K_i$; $R^{-1}$ goes the other way]

Figure 9.2. Propagation of invariant subspaces in key-alternating block ciphers. We assume a round function $R$ such that $R(U \oplus a) = U \oplus b$ and $K_i \in U \oplus a \oplus b$

From the above observations, one can deduce that the definition of the key schedule plays a major role in the security analysis of a block cipher with regard to attacks based on invariant subspaces. In particular, the situation in which the key schedule derives identical round keys $K_1 = \cdots = K_{r-1} = K_r$ favors the existence and detection of an invariant subspace with a potentially large set of weak keys. Since a secure block cipher should not use identical round keys (e.g. to prevent slide attacks), some lightweight block ciphers employ a slightly more complex key schedule that derives the round keys by the addition of a round-dependent constant to a fixed key, that is, $K_i = K' \oplus c_i$, $i = 1, \ldots, r$, where $c_1, \ldots, c_r, K' \in \mathbb{F}_2^n$. In case a very complex and nonlinear key schedule is used, the analysis of the block cipher with regard to invariant subspaces (and also more general invariants) is a difficult task. However, a vulnerability based on the existence of invariants also seems less likely in that case. In the remainder of this chapter, we therefore put a special focus on the case in which the round keys only differ by round-dependent constants.

EXAMPLE 9.1 (LS-designs; Grosso et al. 2014).– Let $t, m \in \mathbb{N}$ and let $n := tm$. We are given an iterative key-alternating block cipher $E : \mathbb{F}_2^k \times \mathbb{F}_2^n \to \mathbb{F}_2^n$, which employs the (unkeyed) round function $R = L \circ S$ interleaved with round-key additions, where the substitution layer $S$ and the linear layer $L$ are defined as follows:

– $S : \mathbb{F}_2^{tm} \to \mathbb{F}_2^{tm}$ applies $m$ times in parallel a bijective S-box $\mathrm{Sb} : \mathbb{F}_2^t \to \mathbb{F}_2^t$ to the $tm$-bit state, that is, for $x_1, x_2, \ldots, x_m \in \mathbb{F}_2^t$, we have $S : (x_1, x_2, \ldots, x_m) \mapsto (\mathrm{Sb}(x_1), \mathrm{Sb}(x_2), \ldots, \mathrm{Sb}(x_m))$.

– $L : \mathbb{F}_2^{tm} \to \mathbb{F}_2^{tm}$ XORs the outputs of the S-boxes according to a bit-wise linear operation $M$. More precisely, let $M := [\alpha_{i,j}]_{i,j = 1, \ldots, m}$ be an invertible matrix with elements in $\mathbb{F}_2$. For $x_1, x_2, \ldots, x_m \in \mathbb{F}_2^t$, we then have $L : (x_1, x_2, \ldots, x_m) \mapsto (y_1, y_2, \ldots, y_m)$ with $y_j := \bigoplus_{i=1}^{m} \alpha_{i,j} x_i$.


Let $U \subseteq \mathbb{F}_2^t$ be a linear space and let $a_1, a_2, \ldots, a_m, c_1, c_2, \ldots, c_m \in \mathbb{F}_2^t$ be such that $\mathrm{Sb}(U \oplus a_i) = U \oplus c_i$ for each $i \in \{1, 2, \ldots, m\}$. Let us define $a := (a_1, a_2, \ldots, a_m)$ and $c := (c_1, c_2, \ldots, c_m)$. Then, for the linear space $U^m = U \times U \times \cdots \times U$, we have $S(U^m \oplus a) = U^m \oplus c$. By definition, the linear layer $L$ preserves a partition of $\mathbb{F}_2^{tm}$ into cosets of $U^m$. In particular, we have $L(U^m \oplus c) = U^m \oplus b$, where $b := L(c)$. Thus, $R(U^m \oplus a) = U^m \oplus b$. If each round key $K_i$ lies in $U^m \oplus a \oplus b$, we can iterate the invariant subspace $U^m \oplus a$ over each keyed round $R_{K_i}$.

9.2.1.1. Automatic detection of invariant subspaces

There is a very simple but powerful method to detect invariant subspaces of large dimension (Leander et al. 2015). In the following, we outline this approach. Let us be given an arbitrary permutation $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. The question is how we can efficiently detect two non-trivial affine spaces $A, B \subseteq \mathbb{F}_2^n$ with $F(A) = B$. To answer this, let us assume there exist a $d$-dimensional linear subspace $U \subseteq \mathbb{F}_2^n$, $U \neq \{0\}$, and two vectors $a, b \in \mathbb{F}_2^n$ such that $F(U \oplus a) = U \oplus b$. As the most basic idea for detecting $A \subseteq U \oplus a$ and $B \subseteq U \oplus b$, we start by guessing two elements $u', a' \in \mathbb{F}_2^n$, $u' \neq 0$, and applying the following steps:

1) Set $i = 0$ and define the one-dimensional linear subspace $U_0 := \{0, u'\}$.
2) Compute the linear subspace $U_{i+1} := \mathrm{span}\big((F(U_i \oplus a') \oplus F(a')) \cup U_i\big)$.
3) If $\dim U_{i+1} = \dim U_i$, return $A := U_{i+1} \oplus a'$ and $B := U_{i+1} \oplus F(a')$.
4) If $\dim U_{i+1} > \dim U_i$, increase $i$ by 1 and go to Step 2.

The above algorithm terminates after at most $n$ iterations and returns affine spaces $A$ and $B$ with $|A| = |B| > 1$ such that $F(A) = B$. Indeed, at the final iteration we have $U_i = U_{i+1}$ and thus $F(U_{i+1} \oplus a') = F(U_i \oplus a') = (F(U_i \oplus a') \oplus F(a')) \oplus F(a') \subseteq U_{i+1} \oplus F(a')$. Since $F$ is a bijection, we have $F(U_{i+1} \oplus a') = U_{i+1} \oplus F(a')$.

Most importantly, if our initial choices for $u'$ and $a'$ were such that both $u' \in U$ and $a' \in U \oplus a$, the algorithm terminates after at most $d$ iterations and returns $A \subseteq U \oplus a$ and $B \subseteq U \oplus b$. Let us analyze why this is the case by considering a fixed iteration $i$. By definition, we have $U_i \subseteq U_{i+1}$. Further, if $U_i$ is a subspace of $U$ and if $a' \in U \oplus a$, we have $F(U_i \oplus a') \oplus F(a') \subseteq F(U \oplus a) \oplus F(U \oplus a) = U \oplus b \oplus U \oplus b = U$ and therefore $U_{i+1}$ is also a subspace of $U$. If we are unlucky with guessing $u'$ or $a'$, the above algorithm only returns the trivial affine spaces $A = B = \mathbb{F}_2^n$. In this case, we can repeat by choosing other values for $u'$ and $a'$. This way, we expect to make at most $2^{2(n-d)}$ guesses $(u', a')$ in order to detect non-trivial affine spaces $A \subseteq U \oplus a$ and $B \subseteq U \oplus b$. In particular, the larger the dimension $d$ of $U$, the more efficient the above method. To obtain a practical complexity, instead of computing each $U_{i+1}$ in a deterministic way, we can use the probabilistic procedure described in Algorithm 9.1. The function CLOSURE executed on inputs $F$, $U'$ and $a'$ returns the smallest affine subspaces $A \supseteq \mathrm{span}(U') \oplus a'$ and $B \supseteq \mathrm{span}(U') \oplus F(a')$ such that, for $a \in A$,


the relation $F(a) \in B$ holds with high probability. The parameter $N$ controls this probability and needs to be defined before the execution of the algorithm.

function CLOSURE(permutation $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$, subset $U' \subseteq \mathbb{F}_2^n$, vector $a' \in \mathbb{F}_2^n$)
    initialize $i$ to 0 and initialize $Q$ to $\{\}$
    while $i < N$ do
        choose an element $u \in \mathrm{span}(U') \setminus Q$ uniformly at random
        if $F(u \oplus a') \oplus F(a') \in \mathrm{span}(U')$ then
            increase $i$ by 1 and include $u$ in the set $Q$
        else
            include $F(u \oplus a') \oplus F(a')$ in the set $U'$
            set $i$ to 0 and set $Q$ to $\{\}$
        end if
    end while
    return $A := \mathrm{span}(U') \oplus a'$ and $B := \mathrm{span}(U') \oplus F(a')$
end function

Algorithm 9.1. Detection of minimal invariant subspaces

Let us consider a key-alternating block cipher $E : \mathbb{F}_2^k \times \mathbb{F}_2^n \to \mathbb{F}_2^n$ for which each keyed instance $E_K$ is composed of round functions $R_{K_i} : x \mapsto R(x) \oplus K' \oplus c_i$, $i = 1, \ldots, r$, that is, the round keys differ by the addition of a round-dependent constant. Suppose that an adversary is looking for an invariant subspace $U \oplus a$ for each round function. As we have already explained, if there exists a vector $b \in \mathbb{F}_2^n$ such that $R(U \oplus a) = U \oplus b$, we have $\mathrm{WK}^E_{U \oplus a} \supseteq T := \{K \in \mathbb{F}_2^k \mid \forall i \in \{1, \ldots, r\} : K' \oplus c_i \in U \oplus a \oplus b\}$. In particular, for a weak key $K \in T$ and for any two indices $i, j \in \{1, \ldots, r\}$, we then have $K' \oplus c_i \oplus K' \oplus c_j = c_i \oplus c_j \in U$. Therefore, an adversary can run CLOSURE on inputs $R$, $U' = \{c_i \oplus c_j \mid 1 \le i \le j \le r\}$, and a guess $a'$ for $a$, to detect an invariant subspace. This way, one expects to obtain a non-trivial invariant subspace after at most $2^{n-d}$ executions of CLOSURE. By choosing the parameter $N$ as 50, this method was successfully applied in Leander et al. (2015) to detect non-trivial invariant subspaces of dimension 96 in the lightweight designs ROBIN, iSCREAM and ZORRO. We remark that, since the above method becomes more efficient the larger the dimension of the invariant subspace, more serious attacks are likely to be detected faster than less dangerous ones. However, since this tool only detects minimal invariant subspaces, more cryptanalysis is needed to extend them to larger invariant subspaces.
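As an added example (not code from the chapter or from Leander et al. 2015), the following Python script runs CLOSURE against a constructed 16-bit LS-design (t = 4, m = 4) with a deliberately weak 4-bit S-box, the matrix M = J − I and round constants that all lie in U^4, so that the invariant subspace of example 9.1 exists; the S-box, the constants, the keys and all function names are assumptions of this example. It feeds the constant differences in as U', detects U^4 ⊕ 0x2222 from the guess a' = 0x2222, checks the result exhaustively, and confirms which master keys K' are weak.

```python
"""Algorithm 9.1 (CLOSURE) run against a constructed 16-bit LS-design.

Added example, not code from the chapter or from Leander et al. (2015). The S-box,
the matrix M = J - I, the round constants and the keys are constructed and weak on
purpose: the S-box maps the coset U + 2 of U = {0, 8} onto U + 5, so U^4 + 0x2222
is an invariant subspace of R = L o S exactly as in example 9.1.
"""
import random

T, M_CNT = 4, 4                    # nibble size t and number m of S-boxes
N_BITS = T * M_CNT                 # n = tm = 16
# Constructed bijective S-box with Sb({0x2, 0xA}) = {0x5, 0xD}.
SBOX = [0x3, 0x6, 0x5, 0xC, 0x1, 0xA, 0x0, 0xB,
        0x9, 0x2, 0xD, 0x4, 0xF, 0x8, 0x7, 0xE]
# Constructed round constants c_i, all inside U^4 (top bit of each nibble only),
# so their pairwise differences span U^4 (a weak choice; compare section 9.3).
CONSTANTS = [0x0000, 0x8000, 0x0800, 0x0080, 0x0008]

def nibbles(x):
    return [(x >> (4 * i)) & 0xF for i in range(M_CNT)]

def round_fn(x):
    """R = L o S with M = J - I: every output nibble is the XOR of the other three."""
    s = [SBOX[v] for v in nibbles(x)]
    total = s[0] ^ s[1] ^ s[2] ^ s[3]
    return sum((total ^ v) << (4 * i) for i, v in enumerate(s))

def encrypt(p, key_prime):
    """Key-alternating toy cipher whose round keys are K' + c_i (section 9.2.1.1)."""
    x = p
    for c in CONSTANTS:
        x = round_fn(x) ^ key_prime ^ c
    return x

def reduce_vec(basis, v):
    """Reduce v against an echelon basis over F_2 (ints); 0 iff v is in the span."""
    for b in basis:
        v = min(v, v ^ b)
    return v

def insert(basis, v):
    v = reduce_vec(basis, v)
    if v:
        basis.append(v)

def coset(basis, a):
    """All elements of span(basis) + a (small dimensions only)."""
    elems = {a}
    for b in basis:
        elems |= {e ^ b for e in elems}
    return elems

def closure(F, u_prime, a_prime, N=50, rng=None):
    """Algorithm 9.1: enlarge U' until F(u + a') + F(a') stays in span(U') for N
    consecutive random u (or until every u was tried). Returns the echelon basis
    of span(U') together with a' and F(a'): A = span + a', B = span + F(a')."""
    rng = rng or random.Random(1)
    basis = []
    for u in u_prime:
        insert(basis, u)
    fa, i, checked = F(a_prime), 0, set()
    while i < N and len(checked) < (1 << len(basis)):
        u = 0
        for b in basis:                       # uniform random element of span(U')
            if rng.getrandbits(1):
                u ^= b
        if u in checked:
            continue
        w = F(u ^ a_prime) ^ fa
        if reduce_vec(basis, w) == 0:
            i += 1
            checked.add(u)
        else:                                 # new direction: grow U', restart count
            insert(basis, w)
            i, checked = 0, set()
    return basis, a_prime, fa

def is_invariant_pair(F, basis, a, b):
    """Exhaustive check that F(span + a) = span + b."""
    return {F(x) for x in coset(basis, a)} == coset(basis, b)

def is_weak_key(key_prime, basis, a, b):
    """Sufficient condition from the text: every K' + c_i lies in U + a + b."""
    return all(reduce_vec(basis, key_prime ^ c ^ a ^ b) == 0 for c in CONSTANTS)

def search_invariant_subspace(F, u_prime, max_guesses=1 << 12, rng=None):
    """Guess a' at random until CLOSURE returns a non-trivial affine space."""
    rng = rng or random.Random(7)
    for _ in range(max_guesses):
        basis, a, b = closure(F, u_prime, rng.getrandbits(N_BITS), rng=rng)
        if len(basis) < N_BITS:
            return basis, a, b
    return None

if __name__ == "__main__":
    diffs = [c ^ d for c in CONSTANTS for d in CONSTANTS]      # U' = {c_i + c_j}
    basis, a, b = closure(round_fn, diffs, 0x2222)
    print("dim %d, A = U + %04x, B = U + %04x, F(A) = B: %s, K' = 0x7777 weak: %s"
          % (len(basis), a, b, is_invariant_pair(round_fn, basis, a, b),
             is_weak_key(0x7777, basis, a, b)))
```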


9.2.2. Quadratic invariants

In general, similarly to invariant subspaces, the goal of the adversary is to exploit properties of a single round function, or only parts of the round function, to obtain an invariant of the whole cryptographic permutation, respectively, keyed instance of a block cipher. With this approach, obtaining invariants of large algebraic degree is still a difficult task. The following theorem by Todo et al. (2019) states how an invariant of algebraic degree at most two for an S-box can be turned into an invariant of the whole (unkeyed) round function in an LS-design.

THEOREM 9.1.– Let $R := L \circ S$ be the round function of an LS-design as defined in example 9.1 for which the matrix $M$ is orthogonal, that is, $\forall x, y \in \mathbb{F}_2^m : \langle x, y \rangle = \langle xM, yM \rangle$. Further, let $g : \mathbb{F}_2^t \to \mathbb{F}_2$ be a Boolean function of algebraic degree at most two. Then, $h : \mathbb{F}_2^{tm} \to \mathbb{F}_2$, $(x_1, x_2, \ldots, x_m) \mapsto g(x_1) \oplus g(x_2) \oplus \cdots \oplus g(x_m)$, is an invariant for $L$. In particular, if $g$ is an invariant for $\mathrm{Sb}$, the function $h$ is an invariant for $R$.

Proof. Since the Boolean function $g : \mathbb{F}_2^t \to \mathbb{F}_2$ is of algebraic degree at most two, we have $g(x) = g(x_1, x_2, \ldots, x_t) = c \oplus \bigoplus_{j_1, j_2 \in \{1, \ldots, t\}} \lambda_{j_1, j_2} x_{j_1} x_{j_2}$ with coefficients $c, \lambda_{j_1, j_2} \in \mathbb{F}_2$. For $x_1, x_2, \ldots, x_m \in \mathbb{F}_2^t$, by defining $\tilde{x}_{j_k} := (x_{1, j_k}, x_{2, j_k}, \ldots, x_{m, j_k})$, we then have
$$h(x_1, x_2, \ldots, x_m) = \bigoplus_{i=1}^{m} g(x_i) = \bigoplus_{j_1, j_2 \in \{1, \ldots, t\}} \lambda_{j_1, j_2} \langle \tilde{x}_{j_1}, \tilde{x}_{j_2} \rangle \oplus \bigoplus_{i=1}^{m} c.$$
By defining $(y_1, y_2, \ldots, y_m) := L(x_1, x_2, \ldots, x_m)$, we have
$$h(y_1, y_2, \ldots, y_m) = \bigoplus_{j_1, j_2 \in \{1, \ldots, t\}} \lambda_{j_1, j_2} \langle \tilde{x}_{j_1} M, \tilde{x}_{j_2} M \rangle \oplus \bigoplus_{i=1}^{m} c.$$
From the orthogonality of $M$, we then deduce $h(x_1, x_2, \ldots, x_m) = h(y_1, y_2, \ldots, y_m)$. The last statement simply follows from the fact that $g \in U(\mathrm{Sb}) \Rightarrow h \in U(S)$ and from the fact that $U(S) \cap U(L) \subseteq U(L \circ S)$.
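Theorem 9.1 can be checked by computer on a single column of Midori64, which is an LS-design with t = 4, m = 4 and the orthogonal matrix M = J − I. The Python script below is an added example, not code from the chapter or from Todo et al. (2019): it exhaustively finds the quadratic invariants of the Midori64 S-box Sb0, lifts one of them to h, verifies h over all 2^16 states for both L and R = L ∘ S, and shows the lift failing for a constructed invertible but non-orthogonal matrix; treating one column as a stand-alone LS-design, the comparison matrix and the function names are assumptions of this example.

```python
"""Theorem 9.1 in action: lifting a quadratic S-box invariant g to h = g(x_1) + ... + g(x_m).

Added example, not code from the chapter or from Todo et al. (2019). The S-box is the
Midori64 S-box Sb0 and M = J - I is the binary matrix Midori64 applies to one column;
treating a single column as an LS-design (t = 4, m = 4) and the non-orthogonal
comparison matrix M_SHIFT are assumptions of this example.
"""
from itertools import combinations

T, M_CNT = 4, 4
SIZE = 1 << (T * M_CNT)                               # 2^16 states
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]      # Midori64 Sb0 (an involution)
# Monomials of degree <= 2 in t variables; variable i is bit i of the nibble (bit 0 = LSB).
MONOMIALS = [()] + [(i,) for i in range(T)] + list(combinations(range(T), 2))
M_MIDORI = [[0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 0]]
M_SHIFT = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]   # invertible, not orthogonal

def truth_table(anf):
    """Evaluate the Boolean function with ANF 'anf' (a set of monomials) on all of F_2^t."""
    return [sum(all(x >> i & 1 for i in mono) for mono in anf) & 1 for x in range(1 << T)]

def is_invariant(g, F, size):
    """Is g + g o F constant?  g is a truth table, F a permutation of range(size)."""
    c = g[0] ^ g[F(0)]
    return all((g[x] ^ g[F(x)]) == c for x in range(size))

def quadratic_sbox_invariants():
    """Exhaustively test the 2^11 functions of degree <= 2 for being an invariant of Sb."""
    found = []
    for mask in range(1, 1 << len(MONOMIALS)):
        anf = frozenset(MONOMIALS[k] for k in range(len(MONOMIALS)) if mask >> k & 1)
        if anf == {()}:
            continue                                  # the constant 1 is a trivial invariant
        if is_invariant(truth_table(anf), lambda x: SBOX[x], 1 << T):
            found.append(anf)
    return found

def is_orthogonal(matrix):
    """M M^T = I over F_2: the hypothesis of theorem 9.1."""
    return all(sum(matrix[i][k] & matrix[j][k] for k in range(M_CNT)) % 2 == int(i == j)
               for i in range(M_CNT) for j in range(M_CNT))

def nibbles(x):
    return [(x >> (T * i)) & 0xF for i in range(M_CNT)]

def linear_layer(matrix):
    """L: (x_1, ..., x_m) -> (y_1, ..., y_m) with y_j = XOR_i alpha_{i,j} x_i (example 9.1)."""
    def L(x):
        ns = nibbles(x)
        y = 0
        for j in range(M_CNT):
            yj = 0
            for i in range(M_CNT):
                if matrix[i][j]:
                    yj ^= ns[i]
            y |= yj << (T * j)
        return y
    return L

def sub_layer(x):
    return sum(SBOX[v] << (T * i) for i, v in enumerate(nibbles(x)))

def lift(g):
    """h(x_1, ..., x_m) = g(x_1) + ... + g(x_m) as a truth table on the tm-bit state."""
    return [sum(g[v] for v in nibbles(x)) & 1 for x in range(SIZE)]

def check_round_invariant(matrix, anf):
    """(h invariant for L?, h invariant for R = L o S?) checked on all 2^16 states."""
    L = linear_layer(matrix)
    h = lift(truth_table(anf))
    return is_invariant(h, L, SIZE), is_invariant(h, lambda x: L(sub_layer(x)), SIZE)

if __name__ == "__main__":
    invs = quadratic_sbox_invariants()
    print(len(invs), "non-constant quadratic invariants of Sb0, e.g.", sorted(invs[0]))
    for name, mat in (("M_MIDORI", M_MIDORI), ("M_SHIFT", M_SHIFT)):
        print(name, "orthogonal:", is_orthogonal(mat),
              "| h invariant for (L, R):", check_round_invariant(mat, invs[0]))
```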

The invariant $h$ as defined in theorem 9.1 carries over to an invariant for the whole block cipher (respectively, cryptographic permutation) if, for all the round keys (respectively, round constants) $K_i$, we have that $h(x) \oplus h(x \oplus K_i)$ is constant. This way, the invariant attacks against MIDORI64, SCREAM and iSCREAM presented in Todo et al. (2019) were obtained.

9.3. On design criteria to prevent attacks based on invariants

Designers of block ciphers are expected to provide arguments on why their design is secure against attacks based on invariants. This especially holds if a block cipher uses round keys that only differ by the addition of round-dependent constants.² In the

² Note that such an analysis is also of interest in the case of a cryptographic permutation. It can be seen as a keyed instance of a block cipher with a publicly known key.


case of invariant subspaces, a designer could simply run the algorithm explained in section 9.2.1.1 to deduce that invariant subspaces of large dimension for each round are unlikely to occur. More recently, other approaches were developed which also cover invariants in general. Below, we explain the approach published in Beierle et al. (2017) on how to choose the round constants of block ciphers. We consider a key-alternating block cipher $E : \mathbb{F}_2^k \times \mathbb{F}_2^n \to \mathbb{F}_2^n$ with (unkeyed) round function $R = L \circ S$, where $S$ and $L$ are bijective and $L$ is linear. Let $D_{E_K} := \{K_i \oplus K_j \mid K_i, K_j \text{ are round keys of } E_K\}$ be the set of differences between the round keys of $E_K$, and let $W_L(D_{E_K}) := \sum_{c \in D_{E_K}} \mathrm{span}\{L^i(c), i \ge 0\}$ be the smallest $L$-invariant subspace of $\mathbb{F}_2^n$ that contains $D_{E_K}$. For a round key $K_i \in \mathbb{F}_2^n$, we define $L_{K_i} : x \mapsto L(x) \oplus K_i$. Then, the following theorem holds (Beierle et al. 2017).

THEOREM 9.2.– Let $r$ denote the number of rounds of $E_K$. If $S$ has no component of algebraic degree equal to one and if $W_L(D_{E_K})$ has dimension at least $n - 1$, then $U(S) \cap \bigcap_{i=1}^{r} U(L_{K_i})$ only contains constant Boolean functions.

Proof. We recall that for a Boolean function $g : \mathbb{F}_2^n \to \mathbb{F}_2$, the space of linear structures is defined as $\mathrm{LS}(g) := \{\alpha \in \mathbb{F}_2^n \mid g(x) \oplus g(x \oplus \alpha) \text{ is constant for all } x \in \mathbb{F}_2^n\}$. To prove the statement, we first observe that for an invariant $g \in U(L_{K_i}) \cap U(L_{K_j})$, the set $\mathrm{LS}(g)$ is an $L$-invariant linear space that contains $K_i \oplus K_j$. We deduce that for a function $g \in \bigcap_{i=1}^{r} U(L_{K_i})$, we have $W_L(D_{E_K}) \subseteq \mathrm{LS}(g)$. By assumption on the dimension of $W_L(D_{E_K})$, the dimension of $\mathrm{LS}(g)$ is either $n - 1$ or $n$. This implies that $g$ must be either a function of algebraic degree equal to one or a constant function (Carlet 2021, Prop. 28). However, if $g$ is an invariant of $S$ it cannot be of algebraic degree equal to one, since $S$ has no component of algebraic degree equal to one by assumption.

This theorem can be used as a security argument.
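Before turning to how a designer uses the theorem, here is the dimension condition on W_L(D_{E_K}) carried out in code. This is an added example, not code from the chapter or from Beierle et al. (2017): it takes the linear layer of example 9.1 with M = J − I on four nibbles (n = 16) and two constructed sets of round constants, and computes the smallest L-invariant space containing their differences; the constants and all function names are assumptions of this example.

```python
"""Round-constant criterion of theorem 9.2 checked on a toy LS-design linear layer.

Added example, not code from the chapter or from Beierle et al. (2017). L is the
layer of example 9.1 with M = J - I on four nibbles (t = 4, m = 4, n = 16); both
sets of round constants are constructed here, one deliberately weak and one
chosen so that W_L(D) fills the whole space.
"""
N_BITS = 16

def lin_layer(x):
    """L: every output nibble is the XOR of the other three input nibbles."""
    ns = [(x >> (4 * i)) & 0xF for i in range(4)]
    total = ns[0] ^ ns[1] ^ ns[2] ^ ns[3]
    return sum((total ^ v) << (4 * i) for i, v in enumerate(ns))

def insert(basis, v):
    """Add v to an echelon basis over F_2 (ints); True iff v was not in the span."""
    for b in basis:
        v = min(v, v ^ b)
    if v:
        basis.append(v)
    return bool(v)

def smallest_invariant_space(L, vectors, n=N_BITS):
    """Basis of W_L(D): close span(D) under L by applying L to every vector that
    enlarged the span (the sum of the span{L^i(c), i >= 0} in the text)."""
    basis, queue = [], list(vectors)
    while queue and len(basis) < n:
        v = queue.pop()
        if insert(basis, v):
            queue.append(L(v))
    return basis

def round_key_differences(constants):
    """D_{E_K} when the round keys differ only by constants: {c_i + c_j, i != j}."""
    return [c ^ d for c in constants for d in constants if c != d]

def constants_satisfy_theorem_9_2(constants, n=N_BITS):
    """dim W_L(D_{E_K}) >= n - 1.  (The other hypothesis, that S has no affine
    component, depends on the S-box alone and is not checked here.)"""
    dim = len(smallest_invariant_space(lin_layer, round_key_differences(constants), n))
    return dim >= n - 1

# Constructed constants. WEAK: all inside U^4 = {x : x & 0x7777 == 0}, which is
# L-invariant and 4-dimensional, so W_L(D) = U^4 and the theorem gives no guarantee.
WEAK_CONSTANTS = [0x0000, 0x8000, 0x0800, 0x0080, 0x0008]
# GOOD: differences span the 12 low bits of nibbles 1-3; since L(c) + c is always
# (s, s, s, s) for s the XOR of the nibbles of c, closing under L brings in nibble 4.
GOOD_CONSTANTS = [0x0000] + [1 << i for i in range(12)]

if __name__ == "__main__":
    for name, consts in (("weak", WEAK_CONSTANTS), ("good", GOOD_CONSTANTS)):
        dim = len(smallest_invariant_space(lin_layer, round_key_differences(consts)))
        print(name, "constants: dim W_L(D) =", dim,
              "-> theorem 9.2 applies:", constants_satisfy_theorem_9_2(consts))
```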
Indeed, if the designer of a block cipher can ensure that, for each keyed instance $E_K$, the dimension of $W_L(D_{E_K})$ is at least $n - 1$ and that the S-box layer has no linear or affine component,³ then there cannot exist a non-trivial invariant for both the S-box layer $S$ and for all $L_{K_i}$ (i.e. the remaining part of the rounds) simultaneously. In particular, if the key schedule is such that the round keys only differ by round-dependent constants, the set $D_{E_K}$ is the same for each $K$ and only contains the differences between the round constants. Note that this security argument is independent of the S-box layer $S$ (assuming that $S$ has no component of algebraic degree equal to one). However, a designer cannot always guarantee that $W_L(D_{E_K})$ has dimension at least $n - 1$. Therefore, designers also often analyze the S-box with regard to the existence of invariants. Since usual S-box choices are of small size, we can exhaustively search for S-box invariants of

³ It should be avoided anyway to be secure against linear cryptanalysis.


low algebraic degree, and we can check for the existence of cosets of a linear space $U$ that are mapped to different cosets of $U$. For more elaborate design criteria for S-boxes (in combination with the choice of round constants) with regard to attacks based on invariants, we refer to Beierle et al. (2017); Guo et al. (2016); Wei et al. (2018). The work of Wei et al. (2018) is particularly interesting as it takes into account an even more general notion of invariants, the so-called closed-loop invariants.

The security argument presented in this section has the advantage of covering invariants in general and not only invariant subspaces. However, it also has a major disadvantage compared to the approach presented in section 9.2.1.1. Namely, the argument above depends on the decomposition of the round into the nonlinear layer $S$ and the linear layer $L$. A different representation $L' \circ S'$ of the same round function $R = L \circ S$ might lead to different conclusions on the security with regard to attacks based on invariants. For example, the dimension of $W_{L'}(D_{E_K})$ could be low, although the dimension of $W_L(D_{E_K})$ is high. Therefore, a designer must be very careful and should combine several approaches to analyze the security of the underlying design.

9.4. A link to linear approximations

Suppose that, for a permutation $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$, there exists an invariant subspace of dimension $n - 1$. Then, this invariant subspace can be given as an affine hyperplane $H := \{x \in \mathbb{F}_2^n \mid \langle \alpha, x \rangle \oplus c = 0\}$ of $\mathbb{F}_2^n$ for fixed values $\alpha \in \mathbb{F}_2^n \setminus \{0\}$ and $c \in \mathbb{F}_2$. This implies that the linear approximation over $F$ with the same input and output mask $\alpha$ holds with correlation 1. Interestingly, even in the case in which we have an invariant subspace over $F$ of large dimension $d < n - 1$, we can deduce the existence of a highly biased linear approximation over $F$. A first observation of this kind was already stated in Leander et al. (2011). This link between invariant subspace attacks and linear cryptanalysis was later refined in Beierle et al. (2018), which we present in theorem 9.3. In the following, let $U^\perp := \{x \in \mathbb{F}_2^n \mid \text{for all } u \in U : \langle x, u \rangle = 0\}$ denote the orthogonal complement of a linear space $U$.

THEOREM 9.3.– Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a permutation, $U \subseteq \mathbb{F}_2^n$ be a linear space of dimension $d$ and let $a \in \mathbb{F}_2^n$ be such that $U \oplus a$ is an invariant subspace for $F$. Then, for each non-zero $\gamma' \in U^\perp$, there exists a non-zero element $\gamma \in U^\perp$ such that $|\mathrm{cor}_F(\gamma, \gamma')| \ge 2^{d-n}$.


Proof. Let us fix an output mask $\gamma' \in U^\perp \setminus \{0\}$. We first recall the following well-known result for the sake of clarity:
$$\sum_{\gamma \in U^\perp} (-1)^{\langle \gamma, a \rangle} \mathrm{cor}_F(\gamma, \gamma') = 2^{-n} \sum_{\gamma \in U^\perp} (-1)^{\langle \gamma, a \rangle} \sum_{x \in \mathbb{F}_2^n} (-1)^{\langle \gamma, x \rangle \oplus \langle \gamma', F(x) \rangle} = 2^{-n} \sum_{x \in \mathbb{F}_2^n} (-1)^{\langle \gamma', F(x) \rangle} \Bigg( \sum_{\gamma \in U^\perp} (-1)^{\langle \gamma, a \oplus x \rangle} \Bigg) = 2^{-d} \sum_{x \in U \oplus a} (-1)^{\langle \gamma', F(x) \rangle}.$$
Since $F(U \oplus a) = U \oplus a$, by using the fact that $\gamma' \in U^\perp$, we have $\langle \gamma', F(x) \rangle = \langle \gamma', a \rangle$ for all $x \in U \oplus a$. We deduce that $\sum_{x \in U \oplus a} (-1)^{\langle \gamma', F(x) \rangle} = 2^{d} (-1)^{\langle \gamma', a \rangle}$, or equivalently,
$$\sum_{\gamma \in U^\perp} (-1)^{\langle \gamma, a \rangle} \mathrm{cor}_F(\gamma, \gamma') = (-1)^{\langle \gamma', a \rangle}. \qquad [9.1]$$
It follows that there exists an element $\gamma \in U^\perp$ such that $|\mathrm{cor}_F(\gamma, \gamma')| \ge 2^{d-n}$. Obviously, this $\gamma$ differs from 0 since $\mathrm{cor}_F(0, \gamma') = 0$ for $\gamma' \ne 0$.

Also for balanced quadratic invariants, the existence of a highly biased linear approximation can be deduced. We state the following result by Beierle et al. (2018) without proof.

THEOREM 9.4.– Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a permutation and let $g : \mathbb{F}_2^n \to \mathbb{F}_2$ be a balanced quadratic⁴ invariant for $F$. Then, there exist non-zero elements $\gamma, \gamma' \in \mathbb{F}_2^n$ such that $|\mathrm{cor}_F(\gamma, \gamma')| \ge |\{\alpha \in \mathbb{F}_2^n \mid \mathrm{cor}_g(\alpha) \ne 0\}|^{-1}$.

Note that theorems 9.3 and 9.4 state the mere existence of the highly biased linear approximations; they provide no method for finding them. Moreover, in the case of a block cipher, the particular approximations can be different for each keyed instance with a weak key. We would like to remark that the result given by equation [9.1] states that the submatrix $C_{F, U^\perp} := [\mathrm{cor}_F(\gamma, \gamma')]_{(\gamma', \gamma) \in U^\perp \times U^\perp}$ of the correlation matrix of $F$ has the eigenvector $v := \big((-1)^{\langle \gamma, a \rangle}\big)_{\gamma \in U^\perp}$ with eigenvalue 1, that is, $C_{F, U^\perp} \cdot v = v$. A similar observation was already established in Abdelraheem et al. (2012). Later it was shown that, in general, invariants of a permutation correspond to eigenvectors of the (whole) correlation matrix of the permutation (Beyne 2020).

⁴ Instead of quadratic functions, the theorem was more generally shown for plateaued functions.


9.5. References

Abdelraheem, M.A., Ågren, M., Beelen, P., Leander, G. (2012). On the distribution of linear biases: Three instructive examples. In CRYPTO 2012, vol. 7417 of Lecture Notes in Computer Science, Safavi-Naini, R., Canetti, R. (eds). Springer.
Beierle, C., Canteaut, A., Leander, G., Rotella, Y. (2017). Proving resistance against invariant attacks: How to choose the round constants. In CRYPTO 2017, Part II, vol. 10402 of Lecture Notes in Computer Science, Katz, J., Shacham, H. (eds). Springer.
Beierle, C., Canteaut, A., Leander, G. (2018). Nonlinear approximations in cryptanalysis revisited. IACR Trans. Symmetric Cryptol., 2018(4), 80–101.
Beyne, T. (2020). Block cipher invariants as eigenvectors of correlation matrices. J. Cryptol., 33(3), 1156–1183.
Carlet, C. (2021). Boolean Functions for Cryptography and Coding Theory. Cambridge University Press.
Grosso, V., Leurent, G., Standaert, F., Varici, K. (2014). LS-designs: Bitslice encryption for efficient masked software implementations. In FSE 2014, vol. 8540 of Lecture Notes in Computer Science, Cid, C., Rechberger, C. (eds). Springer.
Guo, J., Jean, J., Nikolic, I., Qiao, K., Sasaki, Y., Sim, S.M. (2016). Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans. Symmetric Cryptol., 2016(1), 33–56.
Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E. (2011). A cryptanalysis of PRINTcipher: The invariant subspace attack. In CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, Rogaway, P. (ed.). Springer.
Leander, G., Minaud, B., Rønjom, S. (2015). A generic approach to invariant subspace attacks: Cryptanalysis of Robin, iSCREAM and Zorro. In EUROCRYPT 2015, Part I, vol. 9056 of Lecture Notes in Computer Science, Oswald, E., Fischlin, M. (eds). Springer.
Todo, Y., Leander, G., Sasaki, Y. (2019). Nonlinear invariant attack: Practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol., 32(4), 1383–1422.
Wei, Y., Ye, T., Wu, W., Pasalic, E. (2018). Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Trans. Symmetric Cryptol., 2018(4), 62–79.

10

Higher Order Differentials, Integral Attacks and Variants

Anne CANTEAUT, Inria, Paris, France

Higher order differential cryptanalysis, introduced by Knudsen (1994) and Lai (1994), exploits some properties of the polynomial representation of a (round-reduced) symmetric primitive, typically a low algebraic degree. Another potential vulnerability may arise from its structure, especially from the fact that all transformations within the primitive consist of the concatenation of smaller functions operating on bytes or on nibbles. In such a situation, the set composed of the images of some specific linear spaces has a particular structure. Since it was originally exhibited on the block cipher SQUARE (Daemen et al. 1997), this type of attack was first known as the “Square attack”, and it was then generalized under different names, including “saturation attacks” or “multiset attacks”. All these types of attacks have since been unified under the name integral attacks by Knudsen and Wagner (2002).

10.1. Integrals and higher order derivatives

DEFINITION 10.1 (Knudsen and Wagner 2002).– For any multiset¹ $S$ of elements in $\mathbb{F}_2^n$, the integral of $S$ is defined as the sum of all elements in $S$, that is, $\bigoplus_{y \in S} y$.

¹ That is, multiple instances of the same element are allowed.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.


Integral attacks then make use of the particular value taken by the integral for F over some well-chosen input set X, that is, the integral of F(X): $\sum_{x \in X} F(x)$. When X is a linear or affine subspace, such an integral corresponds to the value of a higher order differential of the function, in the sense of the following definition.

DEFINITION 10.2 (Lai 1994).– Let F be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. For any $a \in \mathbb{F}_2^n$, the derivative of F with respect to a is the function
$$D_a F(x) := F(x \oplus a) \oplus F(x).$$
For any k-dimensional linear subspace V of $\mathbb{F}_2^n$, the k-th order derivative of F with respect to V is the function $D_V F := D_{a_1} D_{a_2} \cdots D_{a_k} F$, where $(a_1, \dots, a_k)$ is any basis of V.

PROPOSITION 10.1 (Lai 1994).– Let F be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$ and V be a linear subspace of $\mathbb{F}_2^n$. Then, for any $x \in \mathbb{F}_2^n$,
$$D_V F(x) = \sum_{v \in V} F(x + v).$$

In other words, the values of the derivative of $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ with respect to V are equal to the integrals of the multisets corresponding to the values taken by F when saturating the input subspace V or its cosets x + V. Recall that a vectorial Boolean function F can be uniquely represented as a collection of m multivariate polynomials with binary coefficients corresponding to the algebraic normal forms (ANF) of its coordinates (see Chapter 8 of volume 1). This representation leads to the notion of algebraic degree.

DEFINITION 10.3.– Let F be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Its (multivariate) algebraic degree, $\deg(F)$, is the maximal number of variables appearing in a monomial of the ANF of one of its coordinates.

Then, the integral for F over an affine subspace can be easily predicted when the dimension of the considered subspace exceeds the algebraic degree of the function.

PROPOSITION 10.2 (Lai 1994).– Let F be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$ and V be a linear subspace of $\mathbb{F}_2^n$. Then, $\deg(D_V F) \le \max(0, \deg F - \dim V)$. Most notably, for any V with $\dim V > \deg F$, we have
$$\sum_{v \in V} F(x + v) = 0, \quad \forall x \in \mathbb{F}_2^n.$$


When the degree of the involved function is known to be strictly smaller than the value expected for a randomly chosen function with similar properties (typically, strictly smaller than (n − 1) when F is a permutation of $\mathbb{F}_2^n$), the previous proposition then leads to a distinguisher with data complexity $2^{\deg F + 1}$. Integral distinguishers with lower data complexity can also be exhibited based on the absence of some specific monomials in the ANF of some coordinate of F. In the following, in the ANF of a Boolean function f of n variables $x_1, \dots, x_n$, we denote by $x^u$ with $u \in \mathbb{F}_2^n$ the monomial $\prod_{i=1}^{n} x_i^{u_i} = \prod_{i \in \mathrm{Supp}(u)} x_i$ where $\mathrm{Supp}(u) = \{i : u_i \neq 0\}$. It is worth noticing that the coefficient of $x^u$ in the ANF of f is equal to $\sum_{x \preceq u} f(x)$ where two elements a and b in $\mathbb{F}_2^n$ satisfy $a \preceq b$ if and only if $a_i \le b_i$ for all $1 \le i \le n$. It follows that, when V is a linear space spanned by some vectors of the canonical basis $\{e_1, \dots, e_n\}$, the ANF of each coordinate of $D_V F$ can be easily derived from the ANF of the corresponding coordinate of F.

PROPOSITION 10.3.– Let f be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2$ with ANF $\sum_{u \in \mathbb{F}_2^n} c_u x^u$. Let $I = \{i_1, \dots, i_k\}$ be a subset of $\{1, \dots, n\}$ and $V = \langle e_{i_1}, \dots, e_{i_k} \rangle$. Then, the ANF of $D_V f$ is the polynomial such that
$$f(x_1, \dots, x_n) = D_V f(x_1, \dots, x_n)\, x_{i_1} x_{i_2} \cdots x_{i_k} + g(x_1, \dots, x_n)$$
where none of the monomials in g is a multiple of $x_{i_1} x_{i_2} \cdots x_{i_k}$. Equivalently,
$$D_V f(x_1, \dots, x_n) = \sum_{u \in U} c_u x^{u \oplus 1_I}$$
where $U = \{u \in \mathbb{F}_2^n : u_{i_1} = u_{i_2} = \dots = u_{i_k} = 1\}$ and $1_I = \sum_{1 \le j \le k} e_{i_j}$.

It is worth noticing that, when $V = \langle e_{i_1}, \dots, e_{i_k} \rangle$, the ANF of $D_V f$ corresponds to the notion of superpoly of $\{i_1, \dots, i_k\}$ in f, which is the terminology used in cube attacks (see Chapter 11).

EXAMPLE 10.1.– Figure 10.1 depicts the original Square attack (Daemen et al. 1997) applied to the AES (see Chapter 3 of volume 1). This attack is based on the following integral for three rounds of encryption $E_K$ over any affine subspace x + V, where V is the subspace spanned by the eight consecutive basis vectors corresponding to a byte of the internal state, that is, $V = \langle e_{8j+1}, \dots, e_{8j+8} \rangle$:
$$\sum_{v \in V} E_K(x + v) = 0, \quad \forall x \in \mathbb{F}_2^{128}.$$


Since these integrals correspond to the values of the eighth-order derivative $D_V E_K$, this property equivalently means that the ANF of any coordinate of $E_K$, seen as a 128-variable polynomial in $x_1, \dots, x_{128}$, does not contain any monomial multiple of $x_{8j+1} x_{8j+2} \cdots x_{8j+8}$.

Figure 10.1. Three-round integral for the AES as depicted in Knudsen and Wagner (2002). The symbol C means that the value in the corresponding byte is constant. The symbol A means that all values for this byte appear when the input varies. The symbol S means that the integral for this byte equals 0.

10.2. Algebraic degree of an iterated function

Since most symmetric primitives consist of the composition of several similar round functions, estimating the algebraic degree of an iterated function $F_r \circ \dots \circ F_1$ when all $F_i$ are functions from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ is of great importance in the context of integral attacks. Obviously, the degree of the composition $G \circ F$ can be upper bounded by $\deg(G \circ F) \le \deg(G) \deg(F)$, although this trivial bound is often very loose and much higher than the true degree of the primitive, especially if we are trying to estimate the degree after a large number of rounds. Most notably, this phenomenon occurs in the case of substitution–permutation networks, when the nonlinear layer of the iterated function is composed of a number of smaller S-boxes. When such a function is iterated, the algebraic degree grows in a much slower way than expected when it approaches the number of variables.

THEOREM 10.1 (Boura et al. 2011).– Let F be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the concatenation of s copies of a smaller S-box S defined over $\mathbb{F}_2^m$. Let $\delta_k$ be the maximal degree of the product of any k coordinates of S. Then, for any function G from $\mathbb{F}_2^n$ into $\mathbb{F}_2$, we have
$$\deg(G \circ F) \le n - \frac{n - \deg(G)}{\gamma} \quad \text{where} \quad \gamma = \max_{1 \le i \le m-1} \frac{m - i}{m - \delta_i}. \qquad [10.1]$$

This result comes from the fact that any coordinate of $G \circ F$ can be seen as a sum of terms corresponding to the product of at most $\deg(G)$ outputs of the S-boxes. However, when k outputs from the same copy of the S-box are multiplied together, the degree of the result does not exceed a quantity $\delta_k$ which is usually much smaller than $k \deg(S)$. For instance, $\delta_k$ can never exceed the number m of variables of S.


EXAMPLE 10.2 (Algebraic degree of PRESENT).– PRESENT is a block cipher operating on 64 bits, whose nonlinear layer consists of 16 copies of the same 4-bit S-box. Since this S-box has algebraic degree 3, the trivial bound shows that, for any fixed key, r rounds of PRESENT have degree at most $3^r$, implying that three rounds have degree at most 27, but four rounds may achieve the maximal degree expected for a 64-bit permutation. However, for any bijective function from $\mathbb{F}_2^m$ to $\mathbb{F}_2^m$, we have $\delta_k = m$ if and only if $k = m$ (Boura et al. 2011). It follows that the PRESENT S-box satisfies $\delta_k = 3$ for all $1 \le k \le 3$ and $\delta_4 = 4$. We then derive that $\gamma = 3$, and
$$\deg(\mathrm{PRESENT}^r) \le 64 - \frac{64 - \deg(\mathrm{PRESENT}^{r-1})}{3}.$$

Therefore, four rounds of PRESENT have degree at most 51, and at least seven rounds are needed to achieve the maximal degree for a 64-bit permutation. More precise information on the presence or absence of some monomials in the ANF of the coordinates of the iterated function can be easily obtained by combining the previous information on the algebraic degree with structural properties of the function. For instance, one round of PRESENT maps the affine space $\alpha + V$ with $V = \langle e_1, \dots, e_{52} \rangle$, which is obtained by saturating 13 S-boxes, to another affine space $\beta + V'$ of dimension 52. Since four rounds of PRESENT have degree at most 51, we get, for any $\alpha \in \mathbb{F}_2^{64}$,
$$\sum_{x \in \alpha + V} \mathrm{PRESENT}^5(x) = \sum_{y \in \beta + V'} \mathrm{PRESENT}^4(y) = 0,$$
which means that the ANFs of the coordinates of $\mathrm{PRESENT}^5$, for any fixed key, do not contain any monomial multiple of $x_1 \cdots x_{52}$. In most practical situations, the number of variables of the S-box S is small enough that the values $\delta_k$ and $\gamma$ can be explicitly computed. Otherwise, for instance where S corresponds to a Super-S-box depending on a large number of variables, the following upper bound on $\gamma$ can also be used.

PROPOSITION 10.4 (Boura and Canteaut 2013).– Let S be a bijective function from $\mathbb{F}_2^m$ into $\mathbb{F}_2^m$ and let $\gamma$ be defined as in equation [10.1]. Then,
$$\gamma \le \max\left( \frac{m-1}{m - \deg(S)},\ \frac{m}{2} - 1,\ \deg(S^{-1}) \right).$$

EXAMPLE 10.3.– Two rounds of the AES can be seen as the parallel application of eight copies of a function $S_{32}$ operating on 32-bit words, called the AES Super-S-box (Daemen and Rijmen 2006), followed by a linear layer. Since the nonlinear layer in this Super-S-box is based on an eight-bit S-box of degree 7, we deduce that
$$\deg(S_{32}) \le 32 - \frac{32 - 7}{7} < 29,$$


and the same bound obviously holds for its inverse $S_{32}^{-1}$. Then, the previous proposition shows that the value of $\gamma$ for the Super-S-box is at most $\deg(S_{32}^{-1}) \le 28$. This comes from the fact that, for any permutation S of $\mathbb{F}_2^m$, $\min\{k : \delta_k \ge m - 1\} = m - \deg(S^{-1})$, implying that $S_{32}$ satisfies $\delta_k \le 30$ for all $k \le 3$. This observation leads, for instance, to improved bounds on the degree of several rounds of RIJNDAEL-256 (Boura and Canteaut 2013).
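The quantities of Theorem 10.1 and the bound of Example 10.2 can be checked mechanically. The following Python code is an added example, not from the book: it computes $\delta_k$ and $\gamma$ for the PRESENT S-box with a Möbius transform and iterates [10.1] round by round; the function and variable names are the example's own.

```python
# Added example (not from the book): delta_k, gamma and the iterated degree bound
# of Theorem 10.1 / Example 10.2, computed for the 4-bit PRESENT S-box.
from fractions import Fraction
from itertools import combinations
import math

# The PRESENT S-box (public specification), indexed by the 4-bit input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(truth_table):
    """Moebius transform: truth table f(x), x = 0..2^m-1, -> ANF coefficients c_u
    (same indexing), i.e. c_u is the sum of f(x) over all x with x <= u bitwise."""
    c = list(truth_table)
    m = len(c).bit_length() - 1
    for i in range(m):
        for x in range(len(c)):
            if x & (1 << i):
                c[x] ^= c[x ^ (1 << i)]
    return c


def degree(tru_table):
    """Algebraic degree: largest Hamming weight of an exponent u with c_u = 1."""
    c = anf(tru_table)
    return max((bin(u).count("1") for u in range(len(c)) if c[u]), default=0)


def coordinate(sbox, i, m):
    """Truth table of output bit i (bit 0 = least significant) of an m-bit S-box."""
    return [(sbox[x] >> i) & 1 for x in range(1 << m)]


def deltas(sbox, m):
    """delta_k for k = 1..m: maximal degree of the product of any k coordinates."""
    coords = [coordinate(sbox, i, m) for i in range(m)]
    result = []
    for k in range(1, m + 1):
        best = 0
        for subset in combinations(range(m), k):
            prod = [1] * (1 << m)
            for i in subset:
                prod = [p & coords[i][x] for x, p in enumerate(prod)]
            best = max(best, degree(prod))
        result.append(best)
    return result


def gamma(delta, m):
    """gamma of [10.1]: max over 1 <= i <= m-1 of (m - i) / (m - delta_i).
    For a bijective S-box delta_i < m whenever i < m, so the ratios are finite."""
    ratios = []
    for i in range(1, m):
        if delta[i - 1] >= m:
            raise ValueError("delta_i = m for some i < m: S-box is not bijective")
        ratios.append(Fraction(m - i, m - delta[i - 1]))
    return max(ratios)


def degree_bounds(n, round_degree, gam, rounds):
    """Bound on deg(F^r), r = 1..rounds, for an n-bit SPN whose round has degree
    round_degree: the smaller of the trivial product bound and [10.1] applied with
    F = the first round and G = the remaining r-1 rounds, capped at n-1 since F^r
    is a permutation.  Exact rational arithmetic avoids floating-point rounding."""
    bounds = [round_degree]
    for _ in range(rounds - 1):
        prev = bounds[-1]
        trivial = round_degree * prev
        theorem = math.floor(n - Fraction(n - prev) / gam)
        bounds.append(min(trivial, theorem, n - 1))
    return bounds


def rounds_to_full_degree(n, round_degree, gam, max_rounds=64):
    """Smallest r for which the bound no longer excludes the maximal degree n-1."""
    return degree_bounds(n, round_degree, gam, max_rounds).index(n - 1) + 1


if __name__ == "__main__":
    d = deltas(PRESENT_SBOX, 4)                 # [3, 3, 3, 4] as in Example 10.2
    g = gamma(d, 4)                             # 3
    print("delta_k =", d, " gamma =", g)
    print("degree bounds per round:", degree_bounds(64, 3, g, 7))  # ..., 51, 59, 62, 63
    print("rounds needed for degree 63:", rounds_to_full_degree(64, 3, g))  # 7
```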

10.3. Division property

Instead of focusing on the degree of the primitive, integral attacks with a lower data complexity may also be mounted based on the absence in the ANF of a given monomial with a lower degree, as in the example depicted in Figure 10.1. Exhibiting such a monomial is a priori much more difficult than finding an upper bound on the degree, but this can be done by a cryptanalytic tool called the division property, introduced by Todo (2015b). This tool and its variants (Todo and Morii 2016; Boura and Canteaut 2016; Hao et al. 2020; Hu et al. 2020) aim at tracing key-independent values of integrals (or equivalently the presence or absence of monomials) through the rounds of an iterated cipher. It has proved very helpful for finding integral attacks against several ciphers, including the full MISTY-1 (Todo 2015a). In its original formulation, the division property generalizes the notion of integrals.

DEFINITION 10.4.– A multiset $S \subseteq \mathbb{F}_2^n$ is said to have the division property of order k, $\mathcal{D}_k^n$, for some $1 \le k \le n$, if the integrals of all monomials of degree strictly less than k over S are equal to 0, that is
$$\sum_{x \in S} x^u = 0 \quad \text{for all } u \in \mathbb{F}_2^n \text{ such that } \mathrm{wt}(u) < k,$$
where $\mathrm{wt}()$ denotes the Hamming weight. Obviously, $\mathcal{D}_2^n$ means that the integral of S vanishes, while $\mathcal{D}_n^n$ means that S is saturated. But the novelty is that it introduces intermediate properties, $\mathcal{D}_k^n$ for $3 \le k \le n - 1$, which do not appear in classical integral attacks. For instance, the subset {00101, 01011, 00001, 01111, 10101, 11011, 10000, 11101, 11100, 10010, 11110, 10011} satisfies $\mathcal{D}_3^5$ since all coordinates and the product of any two coordinates of these elements have an even Hamming weight. These intermediate properties allow for easy propagation of the property through the successive rounds of a cipher by capturing some information resulting from the ANF of the round function. This propagation is then formalized by the notion of integral characteristics, or division trails, similarly to the corresponding notions used in statistical attacks.
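As an added illustration of Definition 10.4 (not code from the book), the following Python functions check $\mathcal{D}_k^n$ for a multiset of n-bit vectors, return the largest order it satisfies and name a monomial that breaks the next order; the twelve 5-bit vectors quoted above serve as the sample, and the function names are the example's own.

```python
# Added example (not from the book): testing the division property D^n_k of
# Definition 10.4 on a multiset of n-bit vectors, given as Python integers.


def monomial(x, u):
    """x^u over F2: 1 iff every bit set in u is also set in x (u <= x bitwise)."""
    return 1 if (x & u) == u else 0


def integral_of_monomial(multiset, u):
    """Integral of x^u over the multiset: parity of the number of x with u <= x."""
    return sum(monomial(x, u) for x in multiset) & 1


def has_division_property(multiset, n, k):
    """D^n_k: integrals of all monomials x^u with wt(u) < k vanish over the set."""
    return all(integral_of_monomial(multiset, u) == 0
               for u in range(1 << n) if bin(u).count("1") < k)


def division_order(multiset, n):
    """Largest k in 1..n for which D^n_k holds; 0 if the multiset has odd size
    (then even the constant monomial x^0 has integral 1)."""
    order = 0
    for k in range(1, n + 1):
        if not has_division_property(multiset, n, k):
            break
        order = k
    return order


def first_violation(multiset, n, k):
    """Smallest exponent u with wt(u) < k whose integral is 1, or None if D^n_k holds."""
    for u in range(1 << n):
        if bin(u).count("1") < k and integral_of_monomial(multiset, u) == 1:
            return u
    return None


# The 12 five-bit vectors listed in section 10.3, written most significant bit first.
SAMPLE = [int(s, 2) for s in ("00101 01011 00001 01111 10101 11011 "
                              "10000 11101 11100 10010 11110 10011").split()]

if __name__ == "__main__":
    print("division property order of the sample:", division_order(SAMPLE, 5))  # 3
    u = first_violation(SAMPLE, 5, 4)
    print("D^5_4 fails because x^u has odd integral for u =", format(u, "05b"))
```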


A stronger variant, named bit-based division property (Todo and Morii 2016), characterizes the exponents u corresponding to zero integrals in the following more precise way: S is said to satisfy the bit-based division property $\mathcal{D}_K$ where $K \subseteq \mathbb{F}_2^n$, if
$$\sum_{x \in S} x^u = 0 \quad \text{for all } u \in \mathbb{F}_2^n \text{ such that } u \prec k \text{ for all } k \in K.$$
Most notably, if $K = \{k\}$, the set $S = \{x \in \mathbb{F}_2^n : x \preceq s\}$ satisfies $\mathcal{D}_K$ if none of the Boolean components of F, $x \mapsto F^u(x)$, for $u \prec k$, contains the monomial $x^s$. Alternative formulations of the division property have been proposed in Boura and Canteaut (2016) through the concept of parity set, and in Todo and Morii (2016); Hao et al. (2020); Hu et al. (2020) with the notions of three-subset division property (without unknown subsets). These notions also capture the case where the integral $\sum_{x \in S} x^u$ equals 1, implying that they can help to find all monomials in the ANF of the coordinates of a vectorial function whose coefficients do not depend on the key. As detailed in Hu et al. (2020) and Hebborn et al. (2020a), this technique can be used to determine the exact degree of a primitive or to find lower bounds on this degree, which may be especially helpful to designers. Indeed, the following algebraic approach of the bit-based division property consists of predicting the existence of some monomials in the ANF of an iterated primitive by propagating this property through its rounds. The approach makes use of the following notation, which has been introduced in Hu et al. (2020) and Hebborn et al. (2020a) under different names corresponding to different viewpoints. For a function $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$, $u \in \mathbb{F}_2^n$ and $v \in \mathbb{F}_2^m$, $u \xrightarrow{F} v$ means that the monomial $x^u$ belongs to the ANF of $F^v$.

DEFINITION 10.5.– Let $F = F_r \circ \dots \circ F_1$ be an iterated function with $F_i : \mathbb{F}_2^n \to \mathbb{F}_2^n$, $1 \le i \le r$. A sequence $(u_0, \dots, u_r)$ is called a monomial trail for F if
$$u_0 \xrightarrow{F_1} u_1 \xrightarrow{F_2} \cdots \xrightarrow{F_{r-1}} u_{r-1} \xrightarrow{F_r} u_r.$$

The presence or absence of a given monomial in the ANF of a component of the whole function F can then be derived from monomial trails.

PROPOSITION 10.5 (Hu et al. 2020, Prop. 1; Hebborn et al. 2020a, Coro. 2).– Let $F = F_r \circ \dots \circ F_1$ be an iterated function with $F_i : \mathbb{F}_2^n \to \mathbb{F}_2^n$, $1 \le i \le r$. The coefficient of the monomial $x^u$ in the ANF of $x \mapsto F^v(x)$ is equal to the number of monomial trails $(u, a_1, \dots, a_{r-1}, v)$, $a_i \in \mathbb{F}_2^n$, modulo 2.

Most notably, showing that there is no monomial trail starting with a given u and ending with v is enough for proving the absence of $x^u$ in the ANF of $F^v$. The key idea of the division property is then that monomial trails can be analyzed when the primitive is decomposed into elementary functions $F_i$ for which the list of all pairs (u, v) verifying $u \xrightarrow{F_i} v$ can be explicitly determined. Such propagation rules have been established when $F_i$ corresponds to xor, and, copy or a concatenation (e.g. Todo and Morii 2016, Section 4.4; Hebborn et al. 2020b, Appendix E). Also, when $F_i$ consists of the concatenation of several copies of a small S-box S, the pairs (u, v) such that $u \xrightarrow{S} v$ can be explicitly computed as described in Boura and Canteaut (2016).

Exactly as for differential characteristics, the existence of monomial trails can be easily modeled as a mixed integer linear programming (MILP) problem, as shown in Todo et al. (2017): detailed MILP models for the previously mentioned propagation rules are described in Hebborn et al. (2020b, Appendix F). The number of monomial trails starting and ending with prescribed u and v can then be computed with the enumeration tool of MILP solvers. This technique has been successfully applied, for instance, in the context of cube attacks against round-reduced versions of TRIVIUM (Hao et al. 2020; Hu et al. 2020), and also for finding lower bounds on the degree of some lightweight block ciphers (Hebborn et al. 2020a).

10.4. Attacks based on integrals

10.4.1. Distinguishers

As previously mentioned, the existence of integrals with key-independent values gives a distinguishing property in the sense that it makes it possible to distinguish the primitive from a randomly chosen function (or permutation). In the particular case of unkeyed primitives, like hash functions, or in the known-key setting, integral properties involving intermediate values of the internal state of the primitive can also be used: starting from the middle of an iterated function, zero integrals can be found both for several rounds of the function and its inverse, leading to so-called zero-sum distinguishers (Aumasson et al. 2010; Boura and Canteaut 2010). A zero-sum for F is a multiset of inputs which sum to zero, and whose images by F also sum to zero. Such zero-sum distinguishers have been exhibited, for instance, for several SHA-3 candidates. However, it appears very difficult to build an attack on such properties.

10.4.2. Attacks

The situation is rather different for iterated block ciphers, where the existence of integrals with fixed values can be exploited in a key-recovery attack. The simplest idea consists of mounting a last-round attack where candidates for the last-round key(s) are selected or discarded depending on the values of the corresponding integrals for the round-reduced primitive, as in the higher order differential attack on the KN cipher in Jakobsen and Knudsen (1997).


Another technique for key recovery consists of replacing the exhaustive search for the last-round key by the resolution of a system of low-degree polynomial equations in some last-round key bits (Shimoyama et al. 1997). Indeed, in some cases, such a system can be derived from the explicit algebraic representation of the function f, which associates the key-independent integral z to the ciphertext x and the unknown last-round key k:
$$z = f(x, k) = \sum_{u \in \mathbb{F}_2^\kappa} k^u \sum_{v \in \mathbb{F}_2^n} \alpha_{u,v}\, x^v.$$

Instead of considering the last-round key bits as the unknowns of the system, the interpolation attack (Jakobsen and Knudsen 1997) and its variants represent the same function f as a function of the known ciphertext bits with unknown coefficients:
$$z = \sum_{v \in \mathbb{F}_2^n} x^v \beta_v(k) \quad \text{with} \quad \beta_v(k) = \sum_{u \in \mathbb{F}_2^\kappa} \alpha_{u,v}\, k^u.$$
For any value of the ciphertext, this leads to an equation of degree 1 in the unknown coefficients $\beta_v(k)$, which can then be recovered by solving a linear system. The key point is that this setting may decrease the degree and the number of unknowns of the system that needs to be solved. The number of unknowns of the system can even be minimized by combining both approaches as in Dinur et al. (2015), where the set of unknowns includes a few low-degree monomials $k^u$ in the key bits and some unknown coefficients $\beta_v(k)$. Recovering the unknown coefficients usually provides some information on the secret key. The easiest case corresponds to the original interpolation attack against the KN cipher (Jakobsen and Knudsen 1997) where f corresponds to the full decryption function: recovering the coefficients $\beta_v(k)$ does not recover the secret key but provides the algebraic expression of the decryption function under the user's key.

10.5. References

Aumasson, J., Käsper, E., Knudsen, L.R., Matusiewicz, K., Ødegård, R.S., Peyrin, T., Schläffer, M. (2010). Distinguishers for the compression function and output transformation of Hamsi-256. In ACISP 2010, vol. 6168 of Lecture Notes in Computer Science, Steinfeld, R., Hawkes, P. (eds). Springer.

Boura, C. and Canteaut, A. (2010). Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256. In SAC 2010, vol. 6544 of Lecture Notes in Computer Science, Biryukov, A., Gong, G., Stinson, D.R. (eds). Springer.

Boura, C. and Canteaut, A. (2013). On the influence of the algebraic degree of $F^{-1}$ on the algebraic degree of $G \circ F$. IEEE Transactions on Information Theory, 59(1), 691–702.

Boura, C. and Canteaut, A. (2016). Another view of the division property. In CRYPTO 2016, Part I, vol. 9814 of Lecture Notes in Computer Science, Robshaw, M., Katz, J. (eds). Springer.

Boura, C., Canteaut, A., Cannière, C.D. (2011). Higher-order differential properties of Keccak and Luffa. In FSE 2011, vol. 6733 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.

Daemen, J. and Rijmen, V. (2006). Understanding two-round differentials in AES. In Security and Cryptography for Networks – SCN 2006, vol. 4116 of Lecture Notes in Computer Science, Prisco, R.D., Yung, M. (eds). Springer.


Daemen, J., Knudsen, L.R., Rijmen, V. (1997). The block cipher Square. In FSE ’97, vol. 1267 of Lecture Notes in Computer Science, Biham, E. (ed.). Springer.

Dinur, I., Liu, Y., Meier, W., Wang, Q. (2015). Optimized interpolation attacks on LowMC. In ASIACRYPT 2015, Part II, vol. 9453 of Lecture Notes in Computer Science, Iwata, T., Cheon, J.H. (eds). Springer.

Hao, Y., Leander, G., Meier, W., Todo, Y., Wang, Q. (2020). Modeling for three-subset division property without unknown subset – Improved cube attacks against Trivium and Grain-128AEAD. In EUROCRYPT 2020, Part I, vol. 12105 of Lecture Notes in Computer Science, Canteaut, A., Ishai, Y. (eds). Springer.

Hebborn, P., Lambin, B., Leander, G., Todo, Y. (2020a). Lower bounds on the degree of block ciphers. In ASIACRYPT 2020, Part I, vol. 12491 of Lecture Notes in Computer Science, Moriai, S., Wang, H. (eds). Springer.

Hebborn, P., Lambin, B., Leander, G., Todo, Y. (2020b). Lower bounds on the degree of block ciphers. Cryptology ePrint Archive, Report 2020/1051 [Online]. Available at: https://eprint.iacr.org/2020/1051.

Hu, K., Sun, S., Wang, M., Wang, Q. (2020). An algebraic formulation of the division property: Revisiting degree evaluations, cube attacks, and key-independent sums. In ASIACRYPT 2020, Part I, vol. 12491 of Lecture Notes in Computer Science, Moriai, S., Wang, H. (eds). Springer.

Jakobsen, T. and Knudsen, L.R. (1997). The interpolation attack on block ciphers. In FSE ’97, vol. 1267 of Lecture Notes in Computer Science, Biham, E. (ed.). Springer.

Knudsen, L.R. (1994). Truncated and higher order differentials. In FSE ’94, vol. 1008 of Lecture Notes in Computer Science, Preneel, B. (ed.). Springer.

Knudsen, L.R. and Wagner, D.A. (2002). Integral cryptanalysis. In FSE 2002, vol. 2365 of Lecture Notes in Computer Science, Daemen, J., Rijmen, V. (eds). Springer.

Lai, X. (1994). Higher order derivatives and differential cryptanalysis. In Proc. Symposium on Communication, Coding and Cryptography, in honor of J. L. Massey on the occasion of his 60th birthday. Kluwer Academic Publishers.

Shimoyama, T., Moriai, S., Kaneko, T. (1997). Improving the higher order differential attack and cryptanalysis of the KN cipher. In ISW ’97, vol. 1396 of Lecture Notes in Computer Science, Okamoto, E., Davida, G.I., Mambo, M. (eds). Springer.

Todo, Y. (2015a). Integral cryptanalysis on full MISTY1. In CRYPTO 2015, Part I, vol. 9215 of Lecture Notes in Computer Science, Gennaro, R., Robshaw, M. (eds). Springer.

Todo, Y. (2015b). Structural evaluation by generalized integral property. In EUROCRYPT 2015, Part I, vol. 9056 of Lecture Notes in Computer Science, Oswald, E., Fischlin, M. (eds). Springer.

Todo, Y. and Morii, M. (2016). Bit-based division property and application to Simon family. In FSE 2016, vol. 9783 of Lecture Notes in Computer Science, Peyrin, T. (ed.). Springer.

Todo, Y., Isobe, T., Hao, Y., Meier, W. (2017). Cube attacks on non-blackbox polynomials based on division property. In CRYPTO 2017, Part III, vol. 10403 of Lecture Notes in Computer Science, Katz, J., Shacham, H. (eds). Springer.

11

Cube Attacks and Distinguishers

Itai DINUR
Department of Computer Science, Ben-Gurion University, Be’er Sheva, Israel

Cube attacks (Dinur and Shamir 2011) and cube testers (Aumasson et al. 2009) are methods of cryptanalysis that target cryptosystems that do not employ sufficient nonlinear operations before producing the output. This chapter summarizes the main ideas of these techniques in section 11.1, along with the related methods (Knellwolf et al. 2010; Dinur and Shamir 2011) in section 11.2. The chapter is not meant to be exhaustive and several important related works were left out due to lack of space.

11.1. Cube attacks and cube testers

The general problem of solving multivariate systems of nonlinear equations over a finite field is considered very difficult both in theory and practice. The main observation behind cube attacks is that the polynomial equations defined by many symmetric-key cryptosystems are not arbitrary and unrelated. Instead, they are typically variants derived from a single master polynomial by setting some tweakable variables to any desired value by the attacker. For example, in block ciphers and message authentication codes (MACs) the output depends on key bits that are secret and fixed, and on message bits which are public and controllable by the attacker in a chosen plaintext attack. Similarly, in stream ciphers the output depends on secret fixed key bits and on public IV bits, which can be chosen arbitrarily.


11.1.1. Terminology

This section describes the formal notation we use in the rest of the chapter. We consider a symmetric-key cipher with n + m input bits $(x_1, \dots, x_n, v_1, \dots, v_m)$ and assume for simplicity that it outputs a single bit. The input bits $x_1, \dots, x_n$ are the secret variables, while $v_1, \dots, v_m$ are the public variables. We will be interested in the algebraic normal form (ANF) of the output bit over $\mathbb{F}_2$, denoted by P, which is a sum of products of variables (called monomials or terms). The cube attack consists of two phases. During the preprocessing phase, the attacker is allowed to analyze the cipher (e.g. by setting the values of all the variables $(x_1, \dots, x_n, v_1, \dots, v_m)$ and evaluating P). This corresponds to the usual cryptanalytic setting in which the attacker can study the cryptosystem by running it with various keys and plaintexts. During the online phase, the n secret variables are set to unknown values, and the attacker is allowed to set the values of the m public variables $(v_1, \dots, v_m)$ to any desired value and to evaluate P on the combined input. To simplify notation, we ignore the distinction between secret and public variables, and denote all of them by $z_1, \dots, z_{n+m}$. Given a multivariate polynomial P and any index subset $I \subseteq \{1, \dots, n+m\}$ of size |I|, we can factor the common subterm $t_I$ out of some of the terms in P and represent the polynomial as the sum of terms that are supersets of I and terms that are not supersets of I:
$$P(z_1, \dots, z_{n+m}) = t_I \cdot P_{S(I)} + Q(z_1, \dots, z_{n+m}).$$
We call $P_{S(I)}$ the superpoly of I in P. Note that for any P and I, the superpoly of I in P is a polynomial that does not contain any common variable with $t_I$, and each term in $Q(z_1, \dots, z_{n+m})$ misses at least one variable from I. We denote by $P_{I \leftarrow v}$ the polynomial derived from P by assigning the variables of I the value of the bit vector v. Let $C_I$ be the |I|-dimensional Boolean cube of $2^{|I|}$ vectors in which we assign all the possible combinations of 0/1 values to variables in I. We call the variables of I cube variables. To demonstrate these notions, let
$$P(z_1, z_2, z_3, z_4, z_5) = z_1 z_2 z_3 + z_1 z_2 z_4 + z_2 z_4 z_5 + z_1 z_2 + z_2 + z_3 z_5 + z_5 + 1 \qquad [11.1]$$
be a polynomial of degree 3 in five variables, and let I = {1, 2} be a set of two cube variables. We can represent P as
$$P(z_1, z_2, z_3, z_4, z_5) = z_1 z_2 (z_3 + z_4 + 1) + (z_2 z_4 z_5 + z_3 z_5 + z_2 + z_5 + 1)$$


where $t_I = z_1 z_2$, $P_{S(I)} = z_3 + z_4 + 1$, $Q(z_1, z_2, z_3, z_4, z_5) = z_2 z_4 z_5 + z_3 z_5 + z_2 + z_5 + 1$. If $v = (0, 1)$, then $P_{I \leftarrow v} = z_4 z_5 + z_3 z_5 + z_5$.

DEFINITION 11.1.– A maxterm of P is a term $t_I$ such that $\deg(P_{S(I)}) = 1$, that is, the superpoly of I in P is a linear polynomial, which is not a constant.

11.1.2. Main observation

THEOREM 11.1.– For any polynomial P and variable subset I,
$$\sum_{v \in C_I} P_{I \leftarrow v} = P_{S(I)}.$$

Thus, the sum of the $2^{|I|}$ polynomials derived from the original polynomial P by assigning all the possible values to the |I| variables in I eliminates all the terms except those which are contained in the superpoly of I in P. The summation thus reduces the total degree of the master polynomial by at least |I|, and if $t_I$ is any maxterm in P, this sum yields a linear equation in the remaining variables. For example, if we sum the polynomial [11.1] over the four possible values of $z_1$ and $z_2$ in the maxterm $t_I = z_1 z_2$, we get the linear expression $P_{S(I)} = z_3 + z_4 + 1$. This theorem can be proven algebraically using the fact that over $\mathbb{F}_2$ addition and subtraction are the same operation. Thus, the sum over the derived polynomials obtained from the master polynomial by assigning all the possible values to a subset of variables is equivalent to differentiating the master polynomial with respect to these variables. Below, we give an alternative combinatorial proof.

Proof. Write $P(z_1, \dots, z_{n+m}) = t_I \cdot P_{S(I)} + Q(z_1, \dots, z_{n+m})$. Consider a term $t_J$ of $Q(z_1, \dots, z_{n+m})$, where J is the subset containing the indexes of the variables that are multiplied together in $t_J$. Since $t_J$ misses at least one of the variables in I, it is added an even number of times, which cancels it out mod 2 in $\sum_{v \in C_I} P_{I \leftarrow v}$. Next, examine the polynomial $t_I \cdot P_{S(I)}$: all $v \in C_I$ zero $t_I$, except when we assign the value 1 to all the variables in I. This implies that the polynomial $P_{S(I)}$ is summed only once, when $t_I$ is set to 1. Consequently, the formal sum of all the derived polynomials is exactly the superpoly $P_{S(I)}$ of the term we sum over.

REMARK 11.1.– Over $\mathbb{F}_2$ cube attacks sum the outputs of the cipher over a linear subspace of its public inputs. This is the same formal operator used in several attacks such as higher order differential attacks (Lai 1994) (see Chapter 10). There, the outcome of each sum is generally a fixed constant, which gives a distinguishing


property. When applied to block ciphers, the distinguisher can be extended to a key recovery attack, for example, by guessing part of the last round-key and performing partial decryption. For stream ciphers and MACs, such partial decryption is typically not possible. In contrast, in cube attacks we view the outcome of each sum as a function of the other (secret) inputs, which makes it possible to recover the secret key as described in the following.

11.1.3. The basic cube attack

We describe the basic algorithm of the cube attack.

11.1.3.1. The preprocessing phase

We start with a high-level description of the preprocessing phase, where the attacker is allowed to evaluate the cryptosystem (modeled by a polynomial P) by setting both the public and private variables.

1) Find n subsets of public variables $I_1, \dots, I_n$ such that $P_{S(I_1)}, \dots, P_{S(I_n)}$ are linear (or affine) expressions in $x_1, \dots, x_n$, which are linearly independent.¹ Each $P_{S(I_j)}$ for $j \in \{1, \dots, n\}$ is represented as a vector $a_j$ of n coefficients of $x_1, \dots, x_n$, and an additional free coefficient $c_j$ over $\mathbb{F}_2$.

2) Define an n × n matrix A over $\mathbb{F}_2$ whose jth row is $a_j$. In addition, define the vector c whose jth entry is $c_j$. Finally, invert A (namely, compute $A^{-1}$) and output $I_1, \dots, I_n$, $A^{-1}$ and c.

Given any subset I, the coefficients c and a of the linear polynomial $P_{S(I)}$ can be easily interpolated. Recalling that $\sum_{v \in C_I} P_{I \leftarrow v}(x) = P_{S(I)}(x) = c + \sum_{i=1}^{n} a_i x_i$,
$$c = \sum_{v \in C_I} P_{I \leftarrow v}(0), \quad \text{and} \quad a_i = c + \sum_{v \in C_I} P_{I \leftarrow v}(e_i), \quad \text{for } i \in \{1, \dots, n\},$$
where $e_i$ is the ith unit vector. Assuming that I contains d public variables, the computation of the coefficients requires $(n + 1) \cdot 2^d$ evaluations of P. Therefore, given that the size of each $I_1, \dots, I_n$ is bounded by d and we are given these subsets, the complexity of the preprocessing phase is about $(n^2 + n) \cdot 2^d$ evaluations of P for computing A and an additional $n^3$ bit operations for inverting it. This complexity may be reduced if the n subsets overlap. The main challenge in cube attacks is to find such subsets $I_1, \dots, I_n$, and we will deal with this in section 11.1.4.

¹ For each $j \in \{1, \dots, n\}$, the public variables not in $I_j$ are set to constants (e.g. 0) in $P_{S(I_j)}$. Therefore, it is only a function of the key bits.


11.1.3.2. The online phase

In the online phase, the key of the cipher $x = (x_1, \ldots, x_n)$ is set to an unknown value and the goal of the attacker is to recover it.

1) Given $I_1, \ldots, I_n$ computed in the preprocessing phase, for each $j \in \{1, \ldots, n\}$, request the evaluation of $P_{I_j \leftarrow v}(x)$ for all $v \in C_{I_j}$ (i.e. obtain evaluations of the cipher in a chosen plaintext attack).

2) For each $j \in \{1, \ldots, n\}$, compute $b_j = \sum_{v \in C_{I_j}} P_{I_j \leftarrow v}(x)$. Define the vector $b$ whose $j$th entry is $b_j$. Finally, compute and return the key $x = A^{-1} \cdot (b + c)$.

The algorithm is correct as the main property of cube attacks implies that for each $j$,

$$b_j = \sum_{v \in C_{I_j}} P_{I_j \leftarrow v}(x) = P_{S(I_j)}(x),$$

and therefore $a_j \cdot x + c_j = b_j$. Given that the size of each $I_1, \ldots, I_n$ is bounded by $d$, the attack requires $n \cdot 2^d$ chosen plaintexts and about $n^2 + n$ additional computation time.

11.1.4. The preprocessing phase of cube attacks

As noted above, the main challenge in cube attacks is to find subsets $I_1, \ldots, I_n$ such that $P_{S(I_1)}, \ldots, P_{S(I_n)}$ are linearly independent polynomials of degree 1.

11.1.4.1. Preprocessing random polynomials

In Dinur and Shamir (2009), this phase was rigorously analyzed in a probabilistic model where $P$ is chosen as a uniform polynomial of degree $g$ (in fact, only certain coefficients need to be chosen at random). Note that a slightly larger subset of $g + \log n$ public variables already contains $n$ such subsets of size $g - 1$ (the number of $(g-1)$-subsets, $\binom{g + \log n}{g - 1}$, is roughly $n$). The proof that $P_{S(I_1)}, \ldots, P_{S(I_n)}$ are linearly independent with high probability is based on the rank distribution of random matrices. In this model, the success of the basic cube attack is guaranteed with high probability without any additional overhead in the preprocessing phase. Furthermore, a particular construction of a stream cipher (built as a filtered LFSR generator) was shown to behave as such a uniform polynomial of degree $g$. Although it is a toy cipher, the attack on it demonstrates the power of cube attacks, whose complexity is about $2^g$ (up to small polynomial factors in $n$). Furthermore, it is a structural attack that does not need to know the internal implementation details of the cipher, but rather treats it as a black-box. In contrast, the complexity of standard linearization attacks that allocate an independent variable for each monomial of the secret key is at least $\binom{n}{g}$, which is much larger than $2^g$.


11.1.4.2. Preprocessing non-random polynomials

When the polynomial representation of the cryptosystem is arbitrary, there are no guarantees about the success rate of the attack. In Dinur and Shamir (2009), a randomized preprocessing procedure was proposed. The attacker chooses a subset $I$ of public variables whose size is between 1 and $m$ and sets the remaining $m - |I|$ public variables to constant values (e.g. 0). Then, the attacker tests the superpoly $P_{S(I)}$ for linearity using the BLR test (Blum et al. 1990) by choosing vectors (secret keys) $x, y \in \{0, 1\}^n$ independently and uniformly at random, and verifying that

$$P_{S(I)}(0) + P_{S(I)}(x) + P_{S(I)}(y) = P_{S(I)}(x + y).$$

If $P_{S(I)}$ is linear (or affine), the test always succeeds, whereas if $P_{S(I)}$ is far from being linear, the test fails with high probability. The test is repeated sufficiently many times until the attacker is convinced that $P_{S(I)}$ is very close to being linear (e.g. it is linear, except for a few high degree terms which almost always evaluate to zero). By using the cube attack in this case, we can find most but not all of the possible keys, which is good enough for cryptanalytic applications.

If the subset $I$ is too large, the superpoly evaluations will be a constant value (regardless of the choice of secret variables). In this case, the attacker drops one of the public variables from $I$ and repeats the process. If the subset $I$ is too small, the corresponding $P_{S(I)}$ is likely to be a nonlinear function in the secret variables and the linearity tests will fail. In this case, the attacker adds a public variable to $I$ and repeats the process. The attacker may restart with a different initial $I$ at any stage. There are many possible optimizations to this process. For example, the attacker can analyze many superpolys in parallel by choosing a large cube of dimension $d$ and considering all of its $\binom{d}{d'}$ subcubes of dimension $d' < d$.
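The preprocessing phase of sections 11.1.3 and 11.1.4.2 and the online phase of section 11.1.3.2, worked on a toy polynomial as an added example that is not the book's own code: each subset $I$ is tested for linearity with the BLR test, $c$ and the $a_i$ are interpolated from cube sums at $0$ and at the unit vectors $e_i$, $n$ linearly independent superpolys are kept and $A$ is inverted, after which the online phase recovers the key from chosen-IV cube sums alone. The master polynomial `P`, with three secret and four public variables, is constructed for this example.

```python
import itertools

N_SECRET, M_PUBLIC = 3, 4   # key bits x1..x3 and public (IV) bits v1..v4
ALL_KEYS = list(itertools.product((0, 1), repeat=N_SECRET))

def P(v, x):
    """Constructed master polynomial over F2 (a toy, not a cipher). Cube sums over
    {v1,v2}, {v1,v3}, {v2,v3,v4} give the linear superpolys x1+x2, x2+x3+1, x3;
    {v1} alone gives the nonlinear x1*x3 and the full cube {v1,..,v4} the constant 0."""
    v1, v2, v3, v4 = v
    x1, x2, x3 = x
    return (v1 & v2 & (x1 ^ x2) ^ v1 & v3 & (x2 ^ x3 ^ 1) ^ v2 & v3 & v4 & x3
            ^ v1 & v2 & v3 & x1 & x2 ^ v4 & x1 & x2 & x3 ^ v1 & x1 & x3 ^ x2 ^ 1) & 1

def cube_sum(I, x):
    """Sum of P_{I<-v}(x) over the cube C_I; public variables outside I are fixed to 0."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(I)):
        v = [0] * M_PUBLIC
        for idx, b in zip(I, bits):
            v[idx] = b
        total ^= P(v, x)
    return total

def blr_linear(I):
    """BLR test P_S(I)(0) + P_S(I)(x) + P_S(I)(y) == P_S(I)(x+y). The book draws x, y at
    random; with only 3 secret bits we can afford all 64 pairs, which makes the test exact."""
    f = {x: cube_sum(I, list(x)) for x in ALL_KEYS}
    zero = (0,) * N_SECRET
    return all(f[zero] ^ f[x] ^ f[y] == f[tuple(a ^ b for a, b in zip(x, y))]
               for x in ALL_KEYS for y in ALL_KEYS)

def interpolate(I):
    """Coefficients of the affine superpoly: c = cube sum at x = 0, a_i = c + cube sum at e_i."""
    c = cube_sum(I, [0] * N_SECRET)
    a = [c ^ cube_sum(I, [int(k == i) for k in range(N_SECRET)]) for i in range(N_SECRET)]
    return a, c

def reduce_f2(basis, vec):
    """Reduce the bit vector vec (an int) against basis rows keyed by leading bit;
    the result is 0 exactly when vec lies in the span of the basis."""
    while vec:
        top = vec.bit_length() - 1
        if top not in basis:
            return vec
        vec ^= basis[top]
    return 0

def f2_inverse(A):
    """Gauss-Jordan inversion of an invertible n x n matrix over F2 (lists of 0/1)."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if M[r][col])
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [u ^ w for u, w in zip(M[r], M[col])]
    return [row[n:] for row in M]

def preprocess():
    """Walk the subsets I by increasing size: a failed BLR test means I is too small, a
    constant superpoly means I is too large; keep n linearly independent linear ones."""
    cubes, A, c, basis = [], [], [], {}
    for size in range(1, M_PUBLIC + 1):
        for I in itertools.combinations(range(M_PUBLIC), size):
            if not blr_linear(I):
                continue                      # nonlinear superpoly: I too small
            a, c0 = interpolate(I)
            if not any(a):
                continue                      # constant superpoly: I too large
            red = reduce_f2(basis, sum(bit << k for k, bit in enumerate(a)))
            if red == 0:
                continue                      # dependent on the rows already kept
            basis[red.bit_length() - 1] = red
            cubes.append(I)
            A.append(a)
            c.append(c0)
            if len(A) == N_SECRET:
                return cubes, f2_inverse(A), c
    raise ValueError("fewer than n linearly independent linear superpolys")

def online(cubes, A_inv, c, cube_oracle):
    """b_j = sum over C_{I_j} of P(x) under the unknown key x, then x = A^-1 (b + c)."""
    bc = [cube_oracle(I) ^ cj for I, cj in zip(cubes, c)]
    return [sum(u & w for u, w in zip(row, bc)) & 1 for row in A_inv]

def recover_key(secret):
    cubes, A_inv, c = preprocess()
    # The online phase only sees chosen-IV cube sums under the fixed secret key.
    return online(cubes, A_inv, c, lambda I: cube_sum(I, list(secret)))

def recovers_every_key():
    return all(recover_key(k) == list(k) for k in ALL_KEYS)
```

For this toy the search keeps the cubes $\{v_1,v_2\}$, $\{v_1,v_3\}$, $\{v_2,v_3,v_4\}$, i.e. $A$ has rows $(1,1,0)$, $(0,1,1)$, $(0,0,1)$ and $c = (0,1,0)$.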
Additionally, in practice, several output bits of the cipher are typically available to the attacker, extending the search space for superpolys. The attack may fail to obtain the $n$ superpolys even if the master polynomial $P$ is guaranteed to be of low degree. In case the attacker is only able to obtain $n' < n$ linearly independent superpolys, then in the online phase a subsequent exhaustive search for the remaining key material with complexity $2^{n - n'}$ can be performed. Yet, if all the terms in $P$ contain at least two secret variables, we will never be able to get any linear superpoly during the preprocessing phase, regardless of the choice of $I$. In this case, the attacker may collect quadratic equations and attempt to solve them.

11.1.5. Cube testers

Similarly to cube attacks, cube testers work by evaluating superpolys of terms of public variables. However, while cube attacks aim to recover the secret key, the goal of cube testers is to distinguish a cryptographic scheme from a random function, or detect general non-randomness by using algebraic property testing on the superpoly (as formally described in Aumasson et al. 2009).


When the cipher is constructed with components of low degree, its output function in the public and private variables may be algebraically sparse, and is likely to have some property that is efficiently detectable. One of the natural algebraic properties that can be tested is balance: a random function is expected to contain roughly as many zeroes as ones in its truth table. A superpoly that has a strongly unbalanced truth table can thus be distinguished from random polynomials by testing whether it evaluates as often to one as to zero. For vulnerable cryptosystems, the ANF of a superpoly may have a sparse representation with a few high-degree monomials, and is thus biased toward 0. Such a bias can be approximated empirically during a preprocessing phase by evaluating the superpoly on several randomly chosen inputs. Other efficiently detectable properties include low degree, presence of linear variables and presence of neutral variables. Although cube testers do not recover the secret key and hence are weaker than cube attacks, they are generally applicable to a wider class of superpolys.

The preprocessing phase of cube testers is generally simpler than that of cube attacks. The attacker chooses a subset $I$ of public variables, evaluates its superpoly $P_{S(I)}$ on several randomly chosen values for the private variables and checks whether the superpoly has the efficiently testable property. In case the superpoly fails the property tests, the attacker may add a public variable to $I$ and repeat the process. Of course, one can select several subsets with the aim of strengthening the distinguisher.

11.1.6. Applications

The main application of cube attacks has been in cryptanalysis of variants of the stream cipher TRIVIUM (De Cannière and Preneel 2008), where the number of initialization rounds is reduced from 1152. TRIVIUM is an interesting target due to its elegant design that employs relatively few nonlinear operations.
In Dinur and Shamir (2009), a reduced variant of TRIVIUM with 767 initialization rounds was broken with complexity $2^{45}$ bit operations using a total of about $2^{36}$ chosen IVs. In Fouque and Vannet (2013), practical attacks on TRIVIUM with slightly less than 800 initialization rounds were published, using linear as well as quadratic superpolys. The attacks essentially modeled the cipher as a black-box and used low-degree tests to obtain low-degree superpolys. However, some (limited) additional insight about TRIVIUM's structure was used in the search for low-degree superpolys. Subsequently, more analytical approaches to computing superpolys based on the division property were proposed (e.g. see Todo et al. 2017 and follow-up works). These attacks are applicable up to about 840 initialization rounds, but their complexity is close to exhaustive search. Finally, as expected, cube testers (Aumasson et al. 2009) could detect non-random properties in stronger reduced TRIVIUM variants with up to 885 initialization rounds.


11.2. Conditional differential attacks and dynamic cube attacks

We briefly describe approaches for key recovery, which are alternatives to cube attacks, and mainly target the initialization process of stream ciphers (e.g. they have been used in cryptanalysis of GRAIN-128; Hell et al. 2006). However, we note that these and related techniques are applicable to a wider range of cryptosystems such as MACs (see Dinur et al. 2015). In general, unlike cube attacks and cube testers, these attacks require careful analysis of the cipher's internal components and cannot view it as a black-box.

11.2.1. Conditional differential attacks

The main idea behind conditional differential attacks (Knellwolf et al. 2010) is to identify conditions on the internal state of the cipher that allow for a (high order) differential characteristic for a large number of rounds. This is done by imposing conditions on the initial operations of the cipher whose goal is to limit the diffusion of a subset of public variables. As these conditions may depend on the secret key, the attack allows for partial key recovery. Specifically, Knellwolf et al. (2010) define three types of conditions: Type 0 involves public variables, Type 1 involves both public and secret variables and Type 2 involves secret variables.

11.2.2. Dynamic cube attacks

Dynamic cube attacks (Dinur and Shamir 2011) build on cube testers to mount key recovery attacks. They generally weaken the resistance of the cipher to cube testers and improve their complexity. They impose similar conditions as in conditional differential attacks, although the methodology is different as summarized below.

11.2.3. A toy example

We describe a simple unified toy example that gives the main ideas of conditional differential and dynamic cube attacks. Consider a polynomial $P$ which is a function of the three polynomials $P_1$, $P_2$ and $P_3$ (representing internal state bits of the cipher).
Specifically, $P = P_1 P_2 + P_3$, where $P_1$, $P_2$ and $P_3$ are polynomials in five secret variables $x_1, x_2, x_3, x_4, x_5$ and five public variables $v_1, v_2, v_3, v_4, v_5$:

$$P_1 = v_2 v_3 x_1 x_2 x_3 + v_3 v_4 x_1 x_3 + v_2 x_1 + v_5 x_1 + v_1 + v_2 + x_2 + x_3 + x_4 + x_5 + 1,$$

$$P_2 = \text{arbitrary dense polynomial in the 10 variables},$$

$$P_3 = v_1 v_4 x_3 x_4 + v_2 x_2 x_3 + v_3 x_1 x_4 + v_4 x_2 x_4 + v_5 x_3 x_5 + x_1 x_2 x_4 + v_1 + x_2 + x_4.$$


Since $P_2$ is unrestricted, $P$ is likely to behave arbitrarily. However, assume we set $v_4 = 0$ and exploit the linearity of $v_1$ in $P_1$ to set

$$v_1 = v_2 v_3 x_1 x_2 x_3 + v_2 x_1 + v_5 x_1 + v_2 + x_2 + x_3 + x_4 + x_5 + 1$$

(using a Type 1 condition (Knellwolf et al. 2010) or using a dynamic variable (Dinur and Shamir 2011)). This forces $P_1 \equiv 0$ and simplifies $P$:

$$P = v_2 v_3 x_1 x_2 x_3 + v_2 x_2 x_3 + v_3 x_1 x_4 + v_5 x_3 x_5 + x_1 x_2 x_4 + v_2 x_1 + v_5 x_1 + v_2 + x_3 + x_5 + 1.$$

$P$ is now of degree 2 in the public variables, and there is only one term ($v_2 v_3 x_1 x_2 x_3$) of this degree. We have three remaining public variables ($v_2$, $v_3$, $v_5$) that are not assigned and can use them as cube variables. If we think of $P$ as the actual output of the cipher, then the sum over the big cube defined by $\{v_2, v_3, v_5\}$ and two of its subcubes $\{v_2, v_5\}$ and $\{v_3, v_5\}$ is always zero. Moreover, the superpoly of $\{v_2, v_3\}$ is $x_1 x_2 x_3$, which is zero for most keys. Thus, we can easily distinguish $P$ from a random function using cube testers. However, calculating $v_1$ requires knowledge of the values of the expressions $x_1 x_2 x_3$, $x_1$ and $x_2 + x_3 + x_4 + x_5 + 1$, which we guess. For each of the eight possible guesses,² we run the cube tester and get four 0/1 values – a value for each cube sum. During each cube summation, the value of $v_1$ will change according to its assigned function. We expect the cube sums for the correct guess to be distinguishable from (most) incorrect ones, giving information about the secret key.

11.2.3.1. Methodology and practical considerations

If we decompose the output of a modern cipher as $P = P_1 P_2 + P_3$, then $P_1, P_2, P_3$ are likely to contain a huge number of monomials and they cannot be computed and stored efficiently. In Knellwolf et al. (2010), $P$ actually represents an internal state bit that is the outcome of an initial computation of the cipher. Conditions are set to limit the diffusion of (monomials of) the chosen subset in a way that increases the bias at the output.
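The toy example of section 11.2.3 worked in code, as an added example that is not the book's own: `P2` is a constructed stand-in for the arbitrary dense polynomial (a seeded random truth table over the 10 variables), $v_4$ is fixed to 0, $v_1$ is recomputed at every cube vertex from the three guessed key expressions, and the four cube sums are taken over $\{v_2, v_3, v_5\}$, $\{v_2, v_5\}$, $\{v_3, v_5\}$ and $\{v_2, v_3\}$.

```python
import itertools
import random

_rng = random.Random(2024)
# Constructed stand-in for "P2 = arbitrary dense polynomial": a random truth table over the
# 10 inputs (v1..v5, x1..x5). Whatever P2 is, P1 * P2 vanishes once P1 is forced to 0.
P2_TABLE = [_rng.randrange(2) for _ in range(1 << 10)]

def P1(v, x):
    v1, v2, v3, v4, v5 = v
    x1, x2, x3, x4, x5 = x
    return (v2 & v3 & x1 & x2 & x3 ^ v3 & v4 & x1 & x3 ^ v2 & x1 ^ v5 & x1
            ^ v1 ^ v2 ^ x2 ^ x3 ^ x4 ^ x5 ^ 1) & 1

def P2(v, x):
    index = 0
    for bit in list(v) + list(x):
        index = (index << 1) | bit
    return P2_TABLE[index]

def P3(v, x):
    v1, v2, v3, v4, v5 = v
    x1, x2, x3, x4, x5 = x
    return (v1 & v4 & x3 & x4 ^ v2 & x2 & x3 ^ v3 & x1 & x4 ^ v4 & x2 & x4
            ^ v5 & x3 & x5 ^ x1 & x2 & x4 ^ v1 ^ x2 ^ x4) & 1

def P(v, x):
    """Output bit of the toy cipher: P = P1 * P2 + P3 over F2."""
    return (P1(v, x) & P2(v, x)) ^ P3(v, x)

def dynamic_v1(v, guess):
    """v1 = v2 v3 [x1x2x3] + v2 [x1] + v5 [x1] + v2 + [x2+x3+x4+x5+1], with the bracketed
    key expressions replaced by the attacker's guess; a right guess nullifies P1."""
    g_cubic, g_x1, g_affine = guess
    _, v2, v3, _, v5 = v
    return (v2 & v3 & g_cubic ^ v2 & g_x1 ^ v5 & g_x1 ^ v2 ^ g_affine) & 1

CUBES = [(2, 3, 5), (2, 5), (3, 5), (2, 3)]   # cube variables by 1-based index

def cube_sums(x, guess):
    """The four cube-tester sums for key x under a guess: v4 = 0 throughout, public
    variables not in the cube set to 0, v1 recomputed at every cube vertex."""
    sums = []
    for cube in CUBES:
        total = 0
        for bits in itertools.product((0, 1), repeat=len(cube)):
            v = [0] * 5
            for idx, b in zip(cube, bits):
                v[idx - 1] = b
            v[0] = dynamic_v1(v, guess)
            total ^= P(v, x)
        sums.append(total)
    return tuple(sums)

def true_guess(x):
    x1, x2, x3, x4, x5 = x
    return (x1 & x2 & x3, x1, (x2 ^ x3 ^ x4 ^ x5 ^ 1) & 1)

def correct_guess_matches_prediction():
    """With the right guess P1 vanishes, so the sums are (0, 0, 0, x1x2x3) for every key."""
    return all(cube_sums(x, true_guess(x)) == (0, 0, 0, x[0] & x[1] & x[2])
               for x in itertools.product((0, 1), repeat=5))

def wrong_guesses_distinguished(x):
    """How many of the seven wrong guesses give cube sums different from the right one."""
    ref = cube_sums(x, true_guess(x))
    return sum(1 for g in itertools.product((0, 1), repeat=3)
               if g != true_guess(x) and cube_sums(x, g) != ref)

if __name__ == "__main__":
    key = (1, 0, 1, 1, 0)   # constructed secret key
    print("cube sums for the correct guess:", cube_sums(key, true_guess(key)))
    print("wrong guesses distinguished:", wrong_guesses_distinguished(key), "of 7")
```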
In contrast, Dinur and Shamir (2011) use a "top-down" approach: $P_1$ cannot be nullified in a direct decomposition of the output $P$, but we attempt to reduce its degree (or simplify its ANF) by a recursive decomposition. The goal is to identify specific internal state bits whose nullification reduces the resistance of the cipher.

² There are actually six valid guesses since $x_1 = 0$ implies $x_1 x_2 x_3 = 0$, but we ignore this for simplicity.

11.3. References

Aumasson, J., Dinur, I., Meier, W., Shamir, A. (2009). Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In FSE 2009, vol. 5665 of Lecture Notes in Computer Science, Dunkelman, O. (ed.). Springer.


Blum, M., Luby, M., Rubinfeld, R. (1990). Self-testing/correcting with applications to numerical problems. In ACM Symposium on Theory of Computing. ACM.

De Cannière, C. and Preneel, B. (2008). Trivium. In New Stream Cipher Designs – The eSTREAM Finalists, vol. 4986 of Lecture Notes in Computer Science, Robshaw, M.J.B., Billet, O. (eds). Springer.

Dinur, I. and Shamir, A. (2009). Cube attacks on tweakable black box polynomials. In EUROCRYPT 2009, vol. 5479 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.

Dinur, I. and Shamir, A. (2011). Breaking Grain-128 with dynamic cube attacks. In FSE 2011, vol. 6733 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.

Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M. (2015). Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In EUROCRYPT 2015, Part I, vol. 9056 of Lecture Notes in Computer Science, Oswald, E., Fischlin, M. (eds). Springer.

Fouque, P. and Vannet, T. (2013). Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. In FSE 2013, vol. 8424 of Lecture Notes in Computer Science, Moriai, S. (ed.). Springer.

Hell, M., Johansson, T., Maximov, A., Meier, W. (2006). A stream cipher proposal: Grain-128. In ISIT 2006. IEEE.

Knellwolf, S., Meier, W., Naya-Plasencia, M. (2010). Conditional differential cryptanalysis of NLFSR-based cryptosystems. In ASIACRYPT 2010, vol. 6477 of Lecture Notes in Computer Science, Abe, M. (ed.). Springer.

Lai, X. (1994). Higher order derivatives and differential cryptanalysis. In Communications and Cryptography, vol. 276 of The Springer International Series in Engineering and Computer Science, Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds). Springer.

Todo, Y., Isobe, T., Hao, Y., Meier, W. (2017). Cube attacks on non-blackbox polynomials based on division property. In CRYPTO 2017, Part III, vol. 10403 of Lecture Notes in Computer Science, Katz, J., Shacham, H. (eds). Springer.

12. Correlation Attacks on Stream Ciphers

Thomas JOHANSSON, Lund University (LTH), Sweden

Correlation attacks apply mainly to stream ciphers and can be considered as an extension of the idea of distinguishing attacks (Hell et al. 2009) to collect information on secret key bits. We assume synchronous additive stream ciphers, the most widespread family of stream ciphers (see Chapter 2 of volume 1). Recall that to encrypt a message m = (m0 , m1 , . . .), we first generate a binary sequence, the keystream s = (s0 , s1 , . . .), and then combine it bitwise with the message to produce the corresponding ciphertext c = (c0 , c1 , . . .) as ci = mi ⊕ si , i ≥ 0. The scenario for the attack is usually to consider a known-plaintext attack, that is, the adversary knows both the plaintext and the ciphertext sequences. The adversary can then compute the keystream sequence by simply computing si = mi ⊕ ci , i ≥ 0. Variations of this assumption can be considered, for example, when the number of known plaintext symbols is limited to a fixed number. A correlation attack is a key-recovery attack that can be launched if a simple dependency between the keystream sequence s = (s0 , s1 , . . .) and the secret state/key has been identified. If we can find a low-complexity approach to determining the full state from the identified dependency, we have a successful correlation attack.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.


The most common correlation attacks are targeting state recovery, using a single keystream sequence. One uses a time-invariant relationship that is then shifted in time. However, we can also target the secret key and find relationships between the key and the first few keystream symbols of many different keystreams, all generated by the same key but with different IV values.

12.1. Correlation attacks on the nonlinear combination generator

The original correlation attack was proposed by Siegenthaler (1984) on nonlinear combination generators. In a nonlinear combination generator, the keystream is generated as the output of a Boolean function with inputs being sequences from several LFSRs. In more detail, suppose the outputs $a_i^{(k)}$ of $r$ LFSRs, $1 \le k \le r$, are used as input of a Boolean function $f$ to produce keystream bits $s_i$ as

$$s_i = f(a_i^{(1)}, \ldots, a_i^{(r)}), \quad \text{for } i = 0, 1, \ldots$$

The state of the generator is the contents of the set of LFSRs. The keystream depends on the state. The attack is formed from the observation that the keystream sequence may be correlated to the output sequence of a single or a few of the LFSRs. Suppose that the keystream sequence is correlated to the output of an LFSR, that is, $P(a_i = s_i) \neq 0.5$, where $a_i$ and $s_i$ are the $i$th output symbols of the LFSR and the keystream, respectively. This leads to a divide-and-conquer attack, that is, we may recover the state of single LFSRs independently of others.

EXAMPLE 12.1.– Let $r = 3$, and let $f$ be the majority function, $y = f(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 x_3 \oplus x_2 x_3$. Then $P(y = x_k) = 0.75$ for $k = 1, 2, 3$. A nonlinear combination generator using $f$ as the combining function is then susceptible to a correlation attack because $P(s_i = a_i^{(j)}) = 0.75$ for $j = 1, 2, 3$.

The straightforward approach to finalizing the described correlation attack is then to exhaustively test all possible LFSR sequences from the targeted LFSR and then check whether the dependency is identified for the particular sequence that is tested. Apart from the feedback connection of the LFSR, no further knowledge is required on the explicit structure of the generator.

EXAMPLE 12.2 (Example 12.1 continued).– Continuing the previous example, let us assume that the three LFSRs have lengths $L_1, L_2, L_3$, respectively. A nonlinear combination generator using $f$ from the previous example was susceptible to a correlation attack because $P(s_i = a_i^{(j)}) = 0.75$ for $j = 1, 2, 3$. Although an exhaustive state-recovery would require testing $2^{L_1 + L_2 + L_3}$ different initial states, a correlation attack can perform this task much faster. One targets a single LFSR, say the one with length $L_1$. For each of the $2^{L_1}$ initial states, compute the sequence $a_i^{(1)}$, $i = 0, 1, \ldots$ up to a suitable length $L$. Then compare with the keystream by computing $a_i^{(1)} \oplus s_i$, $i = 0, 1, \ldots$. The correct initial state will leave about 75% zeros, whereas other initial states will give about 50% zeros. In this way, the correct initial state is easily detected. Using the same procedure on the other two LFSRs will give a final complexity of at most about $2^{L_1} + 2^{L_2} + 2^{L_3} \approx 2^{\max(L_1, L_2, L_3)}$.

Let us return to the Boolean function $f$ with $r$ variables. We can see that if $y = f(x_1, \ldots, x_r)$, then if $P(y = x_i) \neq 1/2$ on uniform input, we can launch a direct correlation attack. If, on the other hand, $P(y = x_i) = 1/2$ for all input variables, we call the Boolean function correlation immune (of first order). If $f$ in addition is balanced, we call $f$ a resilient function (of first order). If $f$ is a resilient function of first order, then we cannot launch a correlation attack using a single LFSR. Still, if there is a correlation to a pair of variables, that is, $P(y = x_i \oplus x_j) \neq 1/2$, we can proceed as before if we run through all pairs of initial states of the two LFSRs and generate the sum of the two LFSR sequences. The complexity is higher, but depending on the individual lengths it can still be a strong attack (Meier and Staffelbach 1989b). Other extensions are possible (Courtois 2002). Expanding these basic ideas for attacking other kinds of stream ciphers has followed, such as irregularly clocked generators (Johansson 1998; Jönsson and Johansson 2002), filter generators (Englund and Johansson 2004), nonlinear feedback shift registers with small period (Johansson et al. 2006) and similar constructions (Cid et al. 2006; Berbain et al. 2006).

12.2. Correlation attacks and decoding linear codes

Generalizing the ideas in the previous section, but still considering the binary case, a correlation attack can be launched if we can identify a correlation between a part of the state that is linearly updated and the keystream, as depicted in Figure 12.1. We now target the reconstruction of the initial state of a single length $n$ LFSR, producing a sequence denoted by $a = (a_i)$, $i \ge 0$, from the keystream. Observe that any linear sequential circuit can be considered instead of the LFSR. Our requirement is that $a$ is formed as a linear function of an initial state, that is, $a_i = \sum_{j=0}^{n-1} c_{ij} a_j$, where we let $(a_0, a_1, \ldots, a_{n-1})$ denote the initial state and $c_{ij}$ be arbitrary known binary constants. However, we keep the assumption that $a$ is an LFSR sequence and the initial state is simply the first $n$ symbols in the sequence.

Figure 12.1. Scenario for correlation attacks: an LFSR produces the sequence $a_i$, the keystream generator produces $s_i$, and $P(a_i = s_i) \neq 1/2$.
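Examples 12.1 and 12.2 carried out in code, as an added example that is not part of the book: three LFSRs of lengths 5, 7 and 9 with constructed primitive trinomial feedback polynomials are combined by the majority function, and each register's initial state is recovered on its own by picking the candidate sequence that agrees most often with the keystream.

```python
import itertools

# Constructed toy generator: (n, r) stands for the feedback polynomial x^n + x^r + 1,
# i.e. the recursion a_i = a_{i-r} + a_{i-n}; all three trinomials are primitive.
REGISTERS = [(5, 2), (7, 1), (9, 4)]
STATES = [(1, 0, 1, 1, 0), (1, 1, 0, 0, 1, 0, 1), (0, 1, 1, 0, 1, 0, 0, 1, 1)]  # constructed secret
KEYSTREAM_LEN = 800

def lfsr_sequence(n, r, state, length):
    """LFSR output a_0, a_1, ... from the initial state (a_0, ..., a_{n-1})."""
    a = list(state)
    for i in range(n, length):
        a.append(a[i - r] ^ a[i - n])
    return a[:length]

def majority(b1, b2, b3):
    """Combining function of Example 12.1: y = x1x2 + x1x3 + x2x3, with P(y = x_k) = 3/4."""
    return (b1 & b2) ^ (b1 & b3) ^ (b2 & b3)

def keystream(states, length):
    seqs = [lfsr_sequence(n, r, st, length) for (n, r), st in zip(REGISTERS, states)]
    return [majority(*bits) for bits in zip(*seqs)]

def attack_one_register(n, r, s):
    """Siegenthaler's attack on one LFSR: try all 2^n initial states and keep the one whose
    sequence agrees with the keystream s most often (about 75% for the right state, about
    50% for the others). Returns (state, agreement fraction)."""
    best_state, best_agree = None, -1
    for state in itertools.product((0, 1), repeat=n):
        a = lfsr_sequence(n, r, state, len(s))
        agree = sum(1 for ai, si in zip(a, s) if ai == si)
        if agree > best_agree:
            best_state, best_agree = state, agree
    return best_state, best_agree / len(s)

def divide_and_conquer(s):
    """Recover the three registers independently: 2^5 + 2^7 + 2^9 trials instead of 2^21."""
    return [attack_one_register(n, r, s)[0] for n, r in REGISTERS]

def demo():
    s = keystream(STATES, KEYSTREAM_LEN)    # what a known-plaintext attacker observes
    return divide_and_conquer(s)

if __name__ == "__main__":
    s = keystream(STATES, KEYSTREAM_LEN)
    for n, r in REGISTERS:
        print(f"LFSR of length {n}: recovered state and agreement", attack_one_register(n, r, s))
```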

Correlation attacks can now be viewed as a decoding problem. For an LFSR of length $n$, we may consider all possible output sequences of a fixed length $L$ as an $[n, L]$ linear code $C$. Thus, the truncated LFSR sequence $a = (a_0, a_1, \ldots, a_{L-1})$ is interpreted as a codeword in this code, and the keystream sequence $s = (s_0, s_1, \ldots, s_{L-1})$ is considered as a noisy channel output. Assuming $1 - \delta = P(a_i = s_i) > 1/2$, the problem can now be formulated as follows: given a received word $s = (s_0, s_1, \ldots, s_{L-1})$, find the codeword $c \in C$ that is closest in Hamming distance, that is, $c \oplus s$ is smallest in Hamming weight among all codewords. In coding theory, this corresponds to a transmission of a codeword on the binary symmetric channel with error probability $\delta$ (BSC($\delta$)). From coding arguments, it follows that the channel capacity of BSC($\delta$) is $1 - h(\delta)$, where $h()$ is the binary entropy function. This implies that the length $L$ should be roughly at least $L_0 = C \cdot n / (1 - h(\delta))$ for unique decoding, where $C$ is a constant.

12.3. Fast correlation attacks

Assuming a length $n$ LFSR generating the code $C$, the correlation attack was described as solving a decoding problem in the Hamming metric. If the code length $L$ is chosen large enough, the solution to the decoding problem is most likely also the initial state of the LFSR. The structure of the code $C$ usually does not allow decoding shortcuts, so $C$ is modeled as a random code. Following the approach in section 12.1, the most basic approach to solving the decoding problem is to generate all $2^n$ codewords, compute the Hamming distance to $s$ for each codeword and choose the one that is closest. The approach costs about $2^n$ such vector comparisons.

If $\delta$ is much smaller than $1/2$, then the use of information set decoding (ISD) algorithms can provide an improved performance. This is the class of decoding algorithms for random codes in the Hamming metric, showing the best asymptotic performance. However, for correlation attacks that have significance in practice, the correlation probability $\delta$ is usually very close to $1/2$, and we may introduce $1 - \delta = \frac{1}{2}(1 + \epsilon)$. For small $\epsilon$, ISD algorithms do not give much of a gain. Furthermore, it is very important to note that our decoding problem is very far from decoding problems that are usually considered in coding theory. First, the code is a random code and the error probability is extremely large as $\epsilon$ is very small (say $2^{-10}$ or $2^{-64}$). The dimension of the code is fixed to the LFSR length, but the code length can often be chosen as long as desired. This means that the rate of the code can be arbitrarily low. An important problem is now to find algorithms that can solve the decoding problem for the typical parameters appearing in correlation attacks much faster than exhaustively trying all codewords in the original code. Fast correlation attacks is the notion for such attacks.

12.3.1. Fast correlation attacks and low weight feedback polynomials

In some constructions the LFSR has a feedback polynomial of low weight, chosen because it allows for an efficient implementation. In such cases, the LFSR sequence can possibly be recovered through iterative decoding techniques (Meier and Staffelbach 1989a). This is a major decoding method in coding theory. Let us illustrate the procedure in the simplest case when the weight of the feedback polynomial is 3. This means that the LFSR sequence obeys a recursion of the form $a_i = a_{i - r_0} + a_{i - n}$, for some $r_0$, when the feedback polynomial is of the form $a(x) = x^n + x^{r_0} + 1$. Since any multiple of this polynomial also gives a valid recursion for the LFSR sequence, we may, in particular, repeatedly square the polynomial and consider $a(x)^2, a(x)^{2^2}, \ldots$ and the corresponding recursions. This gives rise to new weight 3 checks that can be used in the decoding process.

If we square $m$ times and consider an interval of a bit more than $2^m \cdot n$ LFSR symbols, then for most of them we can write up close to $3m$ weight 3 checks. For example, for the symbol $a_i$, the first recursion gives 3 checks for $a_i$ by shifting in time,

$$a_{i-n} + a_{i-r_0} + a_i = 0, \qquad a_{i-n+r_0} + a_i + a_{i+r_0} = 0, \qquad a_i + a_{i+n-r_0} + a_{i+n} = 0.$$

By using the next recursion from $a(x)^2$, we get checks as

$$a_{i-2n} + a_{i-2r_0} + a_i = 0, \qquad a_{i-2n+2r_0} + a_i + a_{i+2r_0} = 0, \qquad a_i + a_{i+2n-2r_0} + a_{i+2n} = 0.$$
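As an added example for section 12.3.1 (not the book's code), the weight-3 checks above are generated for $a(x), a(x)^2, \ldots, a(x)^{2^4}$ at every position, and the bit-flipping decoder of this section is run over a constructed keystream: an LFSR sequence from $a(x) = x^{31} + x^3 + 1$ with each symbol flipped with probability $1/4$, so $\epsilon = 1/2$.

```python
import random

N, R = 31, 3        # constructed feedback polynomial a(x) = x^31 + x^3 + 1 (weight 3, primitive)
L = 4000            # length of the known keystream interval
SQUARINGS = 5       # use a(x), a(x)^2, a(x)^4, a(x)^8, a(x)^16
P_NOISE = 0.25      # P(a_i != s_i) = 1/2(1 - eps) with eps = 1/2

def lfsr_sequence(state, length):
    """a_i = a_{i-r0} + a_{i-n} for i >= n, starting from the initial state (a_0, ..., a_{n-1})."""
    a = list(state)
    for i in range(N, length):
        a.append(a[i - R] ^ a[i - N])
    return a

def checks_for(i, length):
    """Weight-3 checks predicting a_i as a_j + a_k. Since a(x)^(2^m) = x^(2^m n) + x^(2^m r0) + 1,
    the recursion a_i = a_{i-2^m r0} + a_{i-2^m n} holds, and its two time shifts put a_i in the
    middle and at the front of the check. Checks reaching outside the interval are dropped."""
    pairs = []
    for m in range(SQUARINGS):
        n, r = N << m, R << m
        for j, k in ((i - n, i - r), (i - n + r, i + r), (i + n - r, i + n)):
            if 0 <= j < length and 0 <= k < length:
                pairs.append((j, k))
    return pairs

def all_checks_hold(a):
    """True when every derived check is satisfied (sanity check on a noise-free sequence)."""
    return all(a[i] == a[j] ^ a[k] for i in range(len(a)) for j, k in checks_for(i, len(a)))

def bit_flip_decode(s, rounds=10):
    """Gallager-style hard-decision decoding: start from z = s and, in each round, flip every
    z_i that has more unsatisfied than satisfied checks (all flips of a round applied together)."""
    z = list(s)
    checks = [checks_for(i, len(s)) for i in range(len(s))]
    for _ in range(rounds):
        flips = [i for i, pairs in enumerate(checks)
                 if 2 * sum(1 for j, k in pairs if z[i] != z[j] ^ z[k]) > len(pairs)]
        if not flips:
            break
        for i in flips:
            z[i] ^= 1
    return z

def demo(seed=7):
    """Returns (errors in the noisy keystream, errors left after decoding)."""
    rng = random.Random(seed)
    state = [1] + [rng.randrange(2) for _ in range(N - 1)]        # constructed nonzero state
    a = lfsr_sequence(state, L)
    s = [ai ^ (1 if rng.random() < P_NOISE else 0) for ai in a]   # keystream = LFSR + BSC noise
    z = bit_flip_decode(s)
    before = sum(ai != si for ai, si in zip(a, s))
    after = sum(ai != zi for ai, zi in zip(a, z))
    return before, after

if __name__ == "__main__":
    print("errors before / after decoding:", demo())
```

Positions near the ends of the interval have fewer usable checks, so residual errors, if any, cluster there; any $n$ consecutive correct symbols from the interior determine the initial state.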

In this way, we derive all possible weight 3 checks for the symbol $a_i$. If we have defined an interval in which we know the keystream, some checks may use symbols outside the interval and such checks cannot be used. The next step in the process of recovering the LFSR sequence is to predict the symbol $a_i$ from the known keystream. The best prediction comes from $s_i$ as we assume that $P(a_i = s_i) = \frac{1}{2}(1 + \epsilon) > 1/2$. But from the checks we may additionally get many other predictions of $a_i$. For example, the check $a_i + a_{i+n-r_0} + a_{i+n} = 0$ will give us the prediction of $a_i$ as $s_{i+n-r_0} \oplus s_{i+n}$. Such a prediction is correct with probability $\left(\frac{1}{2}(1 + \epsilon)\right)^2 + \left(\frac{1}{2}(1 - \epsilon)\right)^2 = \frac{1}{2}(1 + \epsilon^2)$. The probability here is much closer to $1/2$, but on the other hand, we have many such checks.

A simple procedure to complete the task is to use Gallager's iterative bit-flipping algorithm. We first assign $a_i$ the value $s_i$, for all $i$ in our keystream interval. Then we run through all values of $i$ in this interval and for each $i$ we compute its number of satisfied (weight 3) checks and its number of unsatisfied checks. For the values of $i$ where we have the largest number of unsatisfied checks (in relation to the total number), we flip the value of $a_i$. If there are more values that are corrected than there are values that are erroneously flipped, the total number of errors is decreasing and we may expect that the procedure will converge to a correct sequence. Of course, recovering $n$ correct sequence symbols is sufficient to compute the initial state.

A better performance can be achieved if, instead of assigning $a_i$ a $\{0, 1\}$ value, we choose to keep a soft value $\gamma_i$, corresponding to a probability $\gamma_i = P(a_i = 0)$, initially set conditioned on the $s_i$ value. Then we run through all $i$ values, and for each $i$ we update $\gamma_i$ conditioned on what we learn from the checks. Iteratively repeating this a few times will lead to the $\gamma_i$ values converging toward $\{0, 1\}$.

12.3.2. Finding low weight multiples of the feedback polynomial

A low weight feedback polynomial is usually avoided due to the direct approach described above. Still, if the observed keystream is very long, we may search for a low weight multiple of the feedback polynomial and use this relation instead. If $a(x)$ is the feedback polynomial, then the problem is to find a multiple $h(x) = c(x) a(x)$ that has very low weight. Let us first investigate the case when $h(x)$ has weight 3. It is clear that $h(x)$ can then be assumed to be in the form $h(x) = x^{J_1} + x^{J_0} + 1$. Since $h(x) \bmod a(x) = 0$, we see that $x^{J_1} \bmod a(x)$ must equal $(x^{J_0} + 1) \bmod a(x)$. From the birthday paradox, we can argue that it requires computing to degree about $2^{n/2}$ to get a collision, that is, finding $(J_1, J_0)$ such that $x^{J_1} \bmod a(x) = (x^{J_0} + 1) \bmod a(x)$. So the complexity of finding a weight 3 multiple is of order $2^{n/2}$ and the required memory is also of order $2^{n/2}$, since we need to store the value of $x^i \bmod a(x)$ for $i = 1, 2, \ldots$. The length of the required keystream has to be around $2^{n/2}$, if we are going to be able to use the low weight multiple. If we want to seek other performance values, we may, for example, search for a weight 5 multiple. Then $h(x) = x^{J_3} + x^{J_2} + x^{J_1} + x^{J_0} + 1$. It would now be sufficient to compute powers $x^i$ up to degree about $2^{n/4}$ to get a collision. This leads to a much shorter required keystream length ($2^{n/4}$), but the computational complexity as well as memory requirements remain the same.

In the generalized birthday problem (Wagner 2002), we consider finding $t$ elements from $t$ lists, $x_j \in L_j$, $j = 1, \ldots, t$, such that $x_1 \oplus \ldots \oplus x_t = 0$. One application is finding low-weight parity checks. The approach is similar to what has been described: let each list $L_j$ be populated with the elements $x^i \bmod a(x)$, $i = 1, 2, \ldots, N$. An efficient algorithm for solving the generalized birthday problem follows. We need $N \approx 2^{n/(1 + \log t)}$ to expect to find a desired multiple. The weight will be $t + 1$, the degree will be about $2^{n/(1 + \log t)}$ and the complexity $\log t \cdot 2^{n/(1 + \log t)}$. Notably, with $d \le 2^{n/\log t}$, finding $d$ checks will only cost a factor $d^{1/(1 + \log t)}$ more.

Considering the case when $t$ is a power of 2, we give the algorithm idea. The $t$ lists $L_j$ initially contain the elements $(x^i \bmod a(x), i)$ for $i = 1, 2, \ldots, N$, where the lists are sorted according to $x^i \bmod a(x)$. We then run $\log t$ steps and pairwise collide lists. In the first step, first consider $L_1, L_2$ and create a new list $L_{1,2}$ that contains elements $(x^i \oplus x^j \bmod a(x), i, j)$ such that the $n/(1 + \log t)$ most significant bits in the expressions $x^i \oplus x^j \bmod a(x)$ are all zero.
The creation of L1,2 is efficiently done with complexity N ≈ 2n/(1+log t) as the lists are sorted. The expected number of elements in the new list is about N ≈ 2n/(1+log t) . The same is then done for the next two lists, creating a new list L3,4 , and so on for all initial lists. In our case, all lists are identical. In the second step, we collide L1,2 and L3,4 to form a new list L1,2,3,4 where the list now contains (xi ⊕ xj ⊕ xk ⊕ xl mod a(x), i, j, k, l) such that xi ⊕ xj ⊕ xk ⊕ xl mod a(x) has the 2n/(1 + log t) most significant bits being all zero. The degree of each element in the list is now at most n · (1 + log t − 2)/(1 + log t). Other lists on this level are identical and the complexity and the expected number of elements in a list is still the same as before. Further steps are done in a similar fashion and finally we reach the last step, when we have to process the final two lists L1,...,t/2 and Lt/2+1,...,t . We now consider

150

Symmetric Cryptography 2

collisions between the two lists, but now we need only a single surviving element. Since $L_{1,\ldots,t/2}$ and $L_{t/2+1,\ldots,t}$ both have elements with all but $2n/(1 + \log t)$ positions being zero, we may expect that there are two elements such that their sum is 1. Then we have found a weight $(t + 1)$ multiple of $a(x)$. We may evaluate and compare parameters for weight $(1 + t) = 5$. Since $t = 4$ is a power of 2, we get the complexity and the memory requirements to be around $2^{n/3}$ and that the length of the keystream needs to be in the order of $2^{n/3}$. The method may be used in combination with follow-up approaches to correlation attacks (Johansson and Jönsson 1999; Canteaut and Trabbia 2000; Johansson and Jönsson 2000).

12.3.3. Fast correlation attacks by reducing the code dimension

Returning to the original problem from section 12.2, we may introduce other means of efficiently solving it (Chepyzhov et al. 2000). In particular, if the observed keystream is not extremely large, previous methods may not be applicable. Recall that the LFSR sequences of a fixed length $L$ form an $[n, L]$ linear code $\mathcal{C}$, $a = (a_0, a_1, \ldots, a_{L-1})$ is a codeword, and the keystream $s = (s_0, s_1, \ldots, s_{L-1})$ is a noisy channel output, where $P(a_i = s_i) = 1/2(1 + \epsilon) > 1/2$. Since every $a_i$ is a linear combination of the initial LFSR state, we may write up a known generator matrix $G$ of the code. It has dimension $n$ and length $L$. Instead of running through all $2^n$ codewords in decoding, we can instead reduce to another decoding problem for another code of lower dimension. If the original generator matrix is written as $G = \begin{pmatrix} g_0^T & g_1^T & \cdots & g_{L-1}^T \end{pmatrix}$, where the $g_i$ are length $n$ vectors and $g_i^T$ is the transpose of $g_i$, we use the methods described before to find many different combinations of $t + 1$ such column vectors such that $g_{i_0} \oplus g_{i_1} \oplus \cdots \oplus g_{i_t}$ is zero in all but the last $m$ positions. This will result in a new code with generator matrix $G'$ such that $g'_i = g_{i_0} \oplus g_{i_1} \oplus \cdots \oplus g_{i_t}$.
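The four-list ($t = 4$) generalized birthday search just described, run on a small instance; this is an added illustration and not code from the chapter. Assumed here: the degree-24 feedback polynomial $a(x) = x^{24} + x^{23} + x^{22} + x^{17} + 1$, lists of $N = 2048$ powers (a margin above $2^{n/3} = 256$), and buckets on the $n/3 = 8$ most significant bits standing in for the sorted lists.

```python
"""Weight-5 multiples of an LFSR feedback polynomial a(x) via the four-list
(t = 4) generalized birthday algorithm.  Added illustration, not the
chapter's code.  Polynomials over GF(2) are Python ints, bit i = x^i."""
from collections import defaultdict

# Constructed sample: a(x) = x^24 + x^23 + x^22 + x^17 + 1, so n = 24, n/3 = 8.
A_SAMPLE = (1 << 24) | (1 << 23) | (1 << 22) | (1 << 17) | 1


def poly_mod(p, a):
    """Remainder of p modulo a over GF(2): long division by shifted XORs."""
    deg_a = a.bit_length() - 1
    while p.bit_length() - 1 >= deg_a:
        p ^= a << (p.bit_length() - 1 - deg_a)
    return p


def powers_mod(a, count):
    """[x^1 mod a, ..., x^count mod a]: one shift-and-reduce per step."""
    deg_a = a.bit_length() - 1
    out, cur = [], 1
    for _ in range(count):
        cur <<= 1
        if cur >> deg_a & 1:
            cur ^= a
        out.append(cur)
    return out


def find_weight5_multiple(a, count):
    """Return exponents (J0 < J1 < J2 < J3) such that a(x) divides
    x^J0 + x^J1 + x^J2 + x^J3 + 1, or None.  Two collision steps (log2 t = 2):
      step 1: pairs of the (identical) lists L1, L2 whose XOR has the n/3
              most significant bits zero, giving L_{1,2} (= L_{3,4});
      step 2: elements of L_{1,2} and L_{3,4} whose XOR is exactly 1."""
    n = a.bit_length() - 1
    b = n // 3                        # n / (1 + log2 t) bits cancelled per step
    powers = powers_mod(a, count)     # L_j = [(x^i mod a, i)], i = 1..count

    # Step 1: bucket by the top b bits (stands in for sorting the lists);
    # two elements of one bucket XOR to a value below 2^(n - b).
    buckets = defaultdict(list)
    for i, v in enumerate(powers, start=1):
        buckets[v >> (n - b)].append((v, i))
    pairs = {}                        # value with top b bits zero -> (i, j)
    for group in buckets.values():
        for p in range(len(group)):
            for q in range(p + 1, len(group)):
                (v1, i), (v2, j) = group[p], group[q]
                pairs.setdefault(v1 ^ v2, (i, j))

    # Step 2: L_{3,4} is identical to L_{1,2}, so look for v and v ^ 1 in the
    # same dictionary; their XOR is the constant polynomial 1.
    for v, (i, j) in pairs.items():
        partner = pairs.get(v ^ 1)
        if partner is not None:
            k, l = partner
            if len({i, j, k, l}) == 4:   # four distinct terms: weight exactly 5
                return tuple(sorted((i, j, k, l)))
    return None


def multiple_from_exponents(exps):
    """Build h(x) = 1 + sum of x^J over the returned exponents."""
    h = 1
    for e in exps:
        h |= 1 << e
    return h


if __name__ == "__main__":
    exps = find_weight5_multiple(A_SAMPLE, 2048)   # N = 8 * 2^(n/3) for margin
    if exps is None:
        print("no weight-5 multiple found; increase the list size")
    else:
        h = multiple_from_exponents(exps)
        print("exponents:", exps, "h(x) mod a(x) =", poly_mod(h, A_SAMPLE))
```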
Since all but the last $m$ positions in each new vector are zero, the dimension of this new code is only $m$. The length $L'$ depends on how many new vectors have been created. Finally, we can create a channel output symbol in position $i$ by computing $s'_i = s_{i_0} \oplus s_{i_1} \oplus \cdots \oplus s_{i_t}$. The initial state is now $a' = (a_0, \ldots, a_{m-1})$. The noise has increased because if $a'_i = a' \cdot g'^{T}_i$, then $P(a'_i = s'_i) = 1/2(1 + \epsilon^{t+1})$. As long as the code is still decodable, the decoding complexity is now reduced to running through $2^m$ different codewords and measuring the Hamming distance to the created received word $s' = (s'_0, s'_1, \ldots, s'_{L'})$. If $L' \approx 2^m$, a basic approach would require $2^{2m}$ bit operations to test each of the $2^m$ codewords, each of length $2^m$. A very nice trick using the Walsh-Hadamard transform (WHT) can be used to reduce the overall complexity to $m \cdot 2^m$ (Chose et al. 2002). Let

$$f(x) = \sum_{j=0}^{L'-1} 1_{g'_j = x} \, (-1)^{s'_j},$$

Correlation Attacks on Stream Ciphers

151

where $x \in \mathbb{Z}_2^m$. Here $1_{g'_j = x}$ denotes a function that equals 1 if and only if $x = g'_j$ and 0 otherwise. The idea is to calculate the WHT of $f$, that is,

$$\hat{f}(\alpha) = \sum_{x \in \mathbb{Z}_2^m} f(x) (-1)^{\langle x, \alpha \rangle} = \sum_{j=0}^{L'-1} (-1)^{\langle g'_j, \alpha \rangle + s'_j}.$$

When $\alpha$ takes the value of the correct initial state $a'$ we have $\langle g'_j, \alpha \rangle = a'_j$, which leads to $P\big((-1)^{\langle g'_j, \alpha \rangle + s'_j} = 1\big) = 1/2(1 + \epsilon^{t+1})$. Thus $\hat{f}(\alpha)$ is a summation of $L'$ slightly biased values when $\alpha$ is the correct initial state. For other values of $\alpha$, $P\big((-1)^{\langle g'_j, \alpha \rangle + s'_j} = 1\big) = 1/2$ and the sum is unbiased. The Fast WHT (FWHT) is a well-known algorithm to efficiently compute the WHT in complexity $m \cdot 2^m$ and with the same memory. The correct value of the considered initial state is obtained by first computing $f(x)$ with cost $L'$ and then computing the FWHT to get $\hat{f}(\alpha)$ using complexity $m \cdot 2^m$ and the same memory. Finally, the value of $\alpha$ for which $\hat{f}(\alpha)$ is maximum is chosen as the most likely initial state. In order for the above approach to deliver the correct initial state with large probability, the noise has to be large enough. The condition is roughly that $L' > C \cdot 1/(\epsilon^{t+1})^2$ for some small constant $C$.

All the presented theory can be generalized to the non-binary case, applicable to word-based stream ciphers (a keystream symbol is a word of bits). Examples of such work can be found in Lee et al. (2008) and Zhang et al. (2015).

12.4. Generalizing fast correlation attacks

Two examples of basic generalized correlation attacks are given in this section.

12.4.1. The E0 stream cipher

The E0 stream cipher in the Bluetooth standard uses sequences from four different LFSRs entering a finite state machine (FSM). The keystream is formed from XORing the LFSR sequences but also adding a binary contribution from the FSM, as shown in Figure 12.2. The reader should look up the details of the generator in a standard description, but in short the generator includes four LFSR binary sequences that are summed over the integers to form a 3-bit vector. The least significant bit of this vector, denoted $a_i$, is simply the XOR of the LFSR sequences. The FSM takes the 3-bit vector as input and produces the bit $c_i$ as output as well as updates its internal state of size 4 bits.
The keystream is given as $s_i = c_i \oplus a_i$.
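Before moving on with E0, the FWHT decoding step of section 12.3.3 run on a constructed toy instance; this is an added example, not the chapter's code. Assumed here: a 12-bit LFSR (so $m = 12$), a bias $\epsilon = 0.4$, $L' = 6000$ keystream bits with noise from a seeded generator, and no code-dimension reduction (the $t+1$ combinations are skipped, so the channel bias is $\epsilon$ rather than $\epsilon^{t+1}$).

```python
"""Recovering an LFSR initial state from a noisy keystream with the
Walsh-Hadamard trick of section 12.3.3 (added example, not the chapter's code).
Constructed toy parameters: m = 12, bias EPS = 0.4, L = 6000 bits, t = 0."""
import random

M = 12                         # register length = code dimension m
TAPS = (0, 1, 4, 6)            # a_{j+12} = a_j + a_{j+1} + a_{j+4} + a_{j+6}
EPS = 0.4                      # P(a_j = s_j) = 1/2 (1 + EPS)
L = 6000                       # number of keystream bits L'
TRUE_STATE = 0b101101110001    # constructed secret initial state a'
SEED = 2023                    # seed for the constructed noise


def generator_columns(m, taps, length):
    """g_0..g_{length-1}: g_j is the m-bit mask with a_j = <g_j, a'>.
    Every register cell is tracked as a linear combination of initial bits."""
    cells = [1 << k for k in range(m)]        # cell k starts as initial bit k
    cols = []
    for _ in range(length):
        cols.append(cells[0])                  # the output is cell 0
        new = 0
        for t in taps:
            new ^= cells[t]
        cells = cells[1:] + [new]
    return cols


def dot(u, v):
    """Inner product <u, v> over GF(2)."""
    return bin(u & v).count("1") & 1


def noisy_keystream(cols, state, eps, seed):
    """s_j = a_j xor e_j with P(e_j = 1) = (1 - eps)/2 (constructed noise)."""
    rng = random.Random(seed)
    return [dot(g, state) ^ (1 if rng.random() < (1 - eps) / 2 else 0)
            for g in cols]


def fwht(f):
    """In-place fast Walsh-Hadamard transform, cost m * 2^m:
    f[alpha] becomes sum_x f(x) * (-1)^<x, alpha>."""
    h, size = 1, len(f)
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                u, v = f[j], f[j + h]
                f[j], f[j + h] = u + v, u - v
        h *= 2
    return f


def fwht_decode(cols, keystream, m):
    """f(x) = sum_j 1_{g_j = x} (-1)^{s_j}, then f_hat(alpha) =
    sum_j (-1)^{<g_j, alpha> + s_j}; the maximizing alpha is the decoded state."""
    f = [0] * (1 << m)
    for g, s in zip(cols, keystream):          # cost L'
        f[g] += -1 if s else 1
    f_hat = fwht(f)                            # cost m * 2^m
    return max(range(1 << m), key=f_hat.__getitem__)


def run_demo():
    """Decode the constructed instance and return the recovered state."""
    cols = generator_columns(M, TAPS, L)
    ks = noisy_keystream(cols, TRUE_STATE, EPS, SEED)
    return fwht_decode(cols, ks, M)


if __name__ == "__main__":
    print("true state:", TRUE_STATE, "recovered:", run_demo())
```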


Figure 12.2. Overview of the E0 stream cipher (image not reproduced: LFSR 1 to LFSR 4 feed an integer adder (+) and the FSM, which outputs $c_i$; the keystream is $s_i = a_i \oplus c_i$)

Detecting a correlation in this case is not direct as $s_i$ is independent of the output of each LFSR in time $i$. However, the trick is to combine symbols from different time instances to get a correlation. If the internal state of the FSM is 4 bits, then there must exist a linear combination of at most five consecutive output symbols that is biased. For E0, one such biased combination is $c_i \oplus c_{i+5}$, for which we have $P(c_i \oplus c_{i+5} = 0) = 1/2 + 25/512$. This is the starting point for several powerful correlation attacks (Lu et al. 2005). The best attack finds the original encryption key for two-level E0 using the first 24 bits of $2^{23.8}$ frames and with only $2^{38}$ computations.

12.4.2. The A5/1 stream cipher

A5/1 is a stream cipher used in the old GSM mobile communication standard, protecting communication from mobile to base station. A GSM conversation is sent as a sequence of frames. For each frame to be sent, the 64-bit session key $K$ is mixed with a publicly known frame counter, denoted $F$, and the result serves as the initial state of the shift registers in the A5/1 generator. It then produces a 228-bit keystream, which is XORed with the 228 bits of plaintext to produce the ciphertext. A5/1 consists of three short LFSRs of lengths 19, 22, 23, denoted as R1, R2, R3, respectively. The keystream of A5/1 is given as the XOR of the output of the three LFSRs. Security is obtained from LFSRs being clocked in an irregular fashion. It is a stop/go clocking with a majority rule as follows. Each time the LFSRs are clocked, three clocking taps (one from each LFSR) determine which of the LFSRs are clocked. For example, R1 and R2 are clocked, but not R3, if the values of the clocking tap position in R1 and R2 are the same, but different in R3. All LFSRs are clocked if all three values are the same. At each step, at least two LFSRs are clocked, and the probability for an individual LFSR being clocked is 3/4. The initialization for each frame is as follows.
First, the LFSRs are initialized with key and frame counter with regular clocking, which means that the initial state of the LFSRs can be written as linear combinations of key bits. Let us call the contents of the LFSRs at this time the initial state of the frame. In the final initialization step, the three registers are clocked for 100 additional clock cycles with the irregular clocking, but ignoring the output. Then finally the three registers are irregularly clocked for 228 additional clock cycles, producing the 228-bit keystream. For one frame, the keystream symbols $s_i$ can be written as

$$s_i = a^{(1)}_{cl_1} \oplus a^{(2)}_{cl_2} \oplus a^{(3)}_{cl_3} \oplus f_i,$$

where $f_i$ is a known contribution from the frame counter and $(cl_1, cl_2, cl_3)$ is the unknown number of times the three LFSRs have been clocked in the irregular clocking. Since each LFSR clocks on average three times out of four, we may assume that after the 100 initial irregular clocks, each $cl_i$ is around 75. For example, we may compute $P((cl_1, cl_2, cl_3) = (76, 76, 76) \mid 101 \text{ clocks}) \approx 10^{-3}$, which in turn gives the correlation

$$P\big(a^{(1)}_{76} \oplus a^{(2)}_{76} \oplus a^{(3)}_{76} = s_1 \oplus f_1\big) \approx 1/2 + 1/2 \cdot 10^{-3}.$$

Collecting many such correlated expressions for different combinations of $(cl_1, cl_2, cl_3)$ and many frames gives us enough to launch recovery attacks using methods of the previous subsections (Ekdahl and Johansson 2003). Enhanced versions of this correlation attack need a few seconds of known conversation to find the key in seconds.

12.5. References

Berbain, C., Gilbert, H., Maximov, A. (2006). Cryptanalysis of grain. In FSE 2006, vol. 4047 of Lecture Notes in Computer Science, Robshaw, M.J.B. (ed.). Springer.
Canteaut, A. and Trabbia, M. (2000). Improved fast correlation attacks using parity-check equations of weight 4 and 5. In EUROCRYPT 2000, vol. 1807 of Lecture Notes in Computer Science, Preneel, B. (ed.). Springer.
Chepyzhov, V.V., Johansson, T., Smeets, B.J.M. (2000). A simple algorithm for fast correlation attacks on stream ciphers. In FSE 2000, vol. 1978 of Lecture Notes in Computer Science, Schneier, B. (ed.). Springer.
Chose, P., Joux, A., Mitton, M. (2002). Fast correlation attacks: An algorithmic point of view. In EUROCRYPT 2002, vol. 2332 of Lecture Notes in Computer Science, Knudsen, L.R. (ed.). Springer.
Cid, C., Gilbert, H., Johansson, T. (2006). Cryptanalysis of Pomaranch. IEE Proceedings - Information Security, 153(2), 51–53.
Courtois, N.T. (2002). Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In ICISC 2002, vol. 2587 of Lecture Notes in Computer Science, Lee, P.J., Lim, C.H. (eds). Springer.
Ekdahl, P. and Johansson, T. (2003). Another attack on A5/1. IEEE Transactions on Information Theory, 49(1), 284–289.
Englund, H. and Johansson, T. (2004). A new simple technique to attack filter generators and related ciphers. In SAC 2004, vol. 3357 of Lecture Notes in Computer Science, Handschuh, H., Hasan, M.A. (eds). Springer.
Hell, M., Johansson, T., Brynielsson, L. (2009). An overview of distinguishing attacks on stream ciphers. Cryptography and Communications, 1(1), 71–94.
Johansson, T. (1998). Reduced complexity correlation attacks on two clock-controlled generators. In ASIACRYPT ’98, vol. 1514 of Lecture Notes in Computer Science, Ohta, K., Pei, D. (eds). Springer.
Johansson, T. and Jönsson, F. (1999). Improved fast correlation attacks on stream ciphers via convolutional codes. In EUROCRYPT ’99, vol. 1592 of Lecture Notes in Computer Science, Stern, J. (ed.). Springer.
Johansson, T. and Jönsson, F. (2000). Fast correlation attacks through reconstruction of linear polynomials. In CRYPTO 2000, vol. 1880 of Lecture Notes in Computer Science, Bellare, M. (ed.). Springer.
Johansson, T., Meier, W., Muller, F. (2006). Cryptanalysis of Achterbahn. In FSE 2006, vol. 4047 of Lecture Notes in Computer Science, Robshaw, M.J.B. (ed.). Springer.
Jönsson, F. and Johansson, T. (2002). A fast correlation attack on LILI-128. Information Processing Letters, 81(3), 127–132.
Lee, J., Lee, D.H., Park, S. (2008). Cryptanalysis of Sosemanuk and SNOW 2.0 using linear masks. In ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, Pieprzyk, J. (ed.). Springer.
Lu, Y., Meier, W., Vaudenay, S. (2005). The conditional correlation attack: A practical attack on Bluetooth encryption. In CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, Shoup, V. (ed.). Springer.
Meier, W. and Staffelbach, O. (1989a). Fast correlation attacks on certain stream ciphers. Journal of Cryptology, 1(3), 159–176.
Meier, W. and Staffelbach, O. (1989b). Nonlinearity criteria for cryptographic functions. In EUROCRYPT ’89, vol. 434 of Lecture Notes in Computer Science, Quisquater, J., Vandewalle, J. (eds). Springer.
Siegenthaler, T. (1984). Correlation-immunity of nonlinear combining functions for cryptographic applications (corresp.). IEEE Transactions on Information Theory, 30(5), 776–780.
Wagner, D.A. (2002). A generalized birthday problem. In CRYPTO 2002, vol. 2442 of Lecture Notes in Computer Science, Yung, M. (ed.). Springer.
Zhang, B., Xu, C., Meier, W. (2015). Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. In CRYPTO 2015, Part I, vol. 9215 of Lecture Notes in Computer Science, Gennaro, R., Robshaw, M. (eds). Springer.

13

Addition, Rotation, XOR

Léo Perrin, Inria, Paris, France

13.1. What is ARX?

A substitution-permutation network is usually best described by abstracting away the specifics of the CPU registers implementing it, and by instead relying on operations defined, for example, over $\mathbb{F}_2^8$. On the other hand, some primitives are best described as a sequence of operations over words intended to closely resemble a sequence of CPU instructions operating over registers. Such algorithms use, for example, bitwise operations corresponding to simple logical gates (i.e. a word-wise XOR). At the same time, the only bit permutations used by such algorithms correspond to word-wise bit rotations. The term “ARX” is then intended to describe such primitives. While this acronym stands for “Addition, Rotation, XOR”, it has been used more loosely to describe, for example, SHA-1, a hash function, which is described using these operations as well as bitwise logical AND and OR. To make a distinction, the term “pure ARX” describes algorithms that rely only on the three corresponding gates.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.


13.1.1. Structure of an ARX-based primitive

The basic operations of an ARX-based primitive are defined on $\mathbb{F}_2^n$ as follows.

– XOR: it corresponds to the bitwise XOR operation and is denoted ⊕.

– Modular Addition: this operation relies on the interpretation of a word of $\mathbb{F}_2^n$ as an integer of $\mathbb{Z}/2^n\mathbb{Z}$ and is denoted as $\boxplus$:

$$\boxplus : \begin{cases} \mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2^n \\ (x, y) \mapsto z \end{cases} \quad \text{where} \quad \Big( \sum_{i=0}^{n-1} x_i 2^i + \sum_{i=0}^{n-1} y_i 2^i \Big) \bmod 2^n = \sum_{i=0}^{n-1} z_i 2^i.$$

– Rotation: unlike the other two, this one has only one operand (once the rotation amount is fixed). Rotations can be to the “left” or to the “right”, which can cause confusion as the meaning of these words depends on the endianness of the platform.

The value of $n$ varies in the literature. The smaller values $n = 8$ and $n = 16$ are used by the lightweight block ciphers HIGHT (Hong et al. 2006) and SPARX (Dinu et al. 2016), respectively, while the larger $n = 64$ is used by SKEIN (Ferguson et al. 2010). Smaller values are best suited for smaller microcontrollers and can yield simpler masked implementations. On the other hand, $n = 64$ is ideal for modern 64-bit processors. However, the most common value is $n = 32$ as it offers a good trade-off between these two extremes; it is the value used among others by the hash functions of the SHA-2 family (see below), the stream cipher CHACHA (Bernstein 2008b) and the SPARKLE family of primitives (Beierle et al. 2020b).

13.1.2. Development of ARX

The 80s: this decade saw the first developments of modern symmetric cryptography in public academia. It saw the publication of FEAL (Shimizu and Miyaguchi 1987), a 64-bit block cipher with a Feistel structure that relies on 8-bit ARX operations to construct its round function. It has been the target of many successful cryptanalyses, and in fact played an important role in the discovery of linear cryptanalysis (Tardy-Corfdir and Gilbert 1991; Matsui and Yamagishi 1992) (see Chapter 2).

The 90s: during these years, many hash functions were published. For example, SHA-1 is a 160-bit hash function that was quickly published in 1995 to remedy a flaw in SHA-0.¹ This primitive is known to be insecure (see Chapter 15). These hash functions were usually built similarly, that is, using a Merkle-Damgård structure with a

¹ A missing 32-bit rotation by 1 led to the existence of efficient attacks against SHA-0. Thanks to the added rotation, SHA-1 is immune to these attacks.


compression function constructed using an ARX-based block cipher. Such algorithms include the (also broken) hash functions MD4 and MD5, as well as the (currently secure) functions of the SHA-2 family. These functions are usually not “pure” ARX as they also use bitwise AND and OR operations. None of these algorithms received peer-review before their publication.

The 2000s: marked by the eSTREAM project (see Chapter 2 of volume 1) and the SHA-3 competition, this decade saw the publication of the stream cipher SALSA (Bernstein 2008a), and the hash functions SKEIN (Ferguson et al. 2010) and BLAKE (Aumasson et al. 2008). These primitives differ from the ARX-based hash functions from the previous decade in several ways. First, their authors published their design rationale (see Chapter 9 of volume 1). Second, they made an effort to argue that their algorithms are safe from known cryptanalysis techniques, in particular differential attacks (see Chapter 1). Finally, these algorithms are “pure” ARX, meaning that they only rely on the three main operations.

The 2010s: the last decade was marked by the publication of a staggering number of “lightweight” algorithms (Biryukov and Perrin 2017), some of which were ARX-based. As the operation $a \leftarrow (a + b) \bmod 2^n$ corresponds to a single CPU cycle (provided that $n$ is the register size), relying on ARX operations allows the design of algorithms that are fast, and use little space in both RAM and ROM. As a result, lightweight algorithms intended to run on microcontrollers can be built using this approach. For example, the South Korean standard LEA (Hong et al. 2013), first published in 2013, uses only 32-bit rotations, addition and XOR.

The NIST lightweight standardization effort: several pure ARX-based algorithms were submitted to the NIST lightweight cryptography standardization process, whose first round started at the end of that decade (see Chapter 16).
In the first round, SNEIK (Saarinen 2019) turned out to have a vulnerability based on the probability 1 differential of observation 13.2 (Perrin 2019; Khairallah 2019). CHAM (Koo et al. 2017) and SPECK (Beaulieu et al. 2013), two block ciphers published earlier in that decade, are used by COMET (Gueron et al. 2019), which made it to the second round. Finally, SPARKLE is one of the 10 finalists of this competition. It takes heavy inspiration from the block cipher SPARX (Dinu et al. 2016).

13.2. Understanding modular addition

Modular addition is the only nonlinear operation in a pure ARX-based round function. As a result, its cryptographic properties have been closely analyzed. They can be established by expressing modular addition using operations over $\mathbb{F}_2$ (section 13.2.1) and are presented in section 13.2.2.


13.2.1. Expressing modular addition in $\mathbb{F}_2^n$

Modular addition can be expressed bit by bit using the following induction. If $z = x \boxplus y$, then it holds that $z_0 = x_0 \oplus y_0$ and

$$z_i = x_i \oplus y_i \oplus \mathrm{maj}(x_{i-1}, y_{i-1}, x_{i-1} \oplus y_{i-1} \oplus z_{i-1}),$$

where $x_i \oplus y_i \oplus z_i$ is the carry bit at position $i$, and where $\mathrm{maj}$ is the majority function which maps $\mathbb{F}_2^3$ to $\mathbb{F}_2$ and is equal to 1 if at least two of its inputs are set to 1. We deduce the following observations from this induction formula.

OBSERVATION 13.1.– $z_0$ is a linear function of the input, meaning in particular that the linear approximation $x_0 \oplus y_0 \oplus z_0 = 0$ has probability 1.

OBSERVATION 13.2.– The most significant bit is given by $z_{n-1} = x_{n-1} \oplus y_{n-1} \oplus c_{n-2}$, and neither $x_{n-1}$ nor $y_{n-1}$ appear anywhere else in the expression of $z$. As a result, modular addition has some probability 1 differentials. Let $\delta = (0, \ldots, 0, 1)$ be the element of $\mathbb{F}_2^n$ where only the most significant bit is set to 1. If $z = x \boxplus y$, then the following equations hold with probability 1: $(x \oplus \delta) \boxplus y = z \oplus \delta$, $x \boxplus (y \oplus \delta) = z \oplus \delta$, and $(x \oplus \delta) \boxplus (y \oplus \delta) = z$.

Given that the existence of probability 1 differentials and linear approximations would be considered a significant issue if they were encountered, for example, in an S-box, how then can ARX primitives be secure? The security offered by the ARX paradigm can be understood using two different approaches. First, we can simply see modular addition as a nonlinear operation of $\mathbb{F}_2^n$. The probability 1 patterns discussed above are the only ones that exist: if the linear operations successfully prevent their iteration, then the primitive will be secure. Second, we can interpret ARX as an implementation of the design strategy of the IDEA block cipher, namely “mixing operations from different algebraic groups having the same number of elements” (Lai and Massey 1990). In this case, we mix operations best defined over $\mathbb{F}_2^n$ (XOR, rotations) and over $\mathbb{Z}/2^n\mathbb{Z}$ (modular addition).

13.2.2. Cryptographic properties of modular addition

The main cryptographic properties of modular addition are summarized in the following two theorems. They use the notions of cover and Hamming weight: we write $x \preceq y$ for two elements $x$ and $y$ of $\mathbb{F}_2^n$ if $x_i \le y_i$ for all $i \in \{0, \ldots, n-1\}$, and we let $\mathrm{hw}(x)$ be the number of indices $i$ such that $x_i = 1$.


THEOREM 13.1 (Differential Properties).– Let $\alpha, \beta, \gamma$ be elements of $\mathbb{F}_2^n$. Then the probability $\Pr(\alpha, \beta \to \gamma) = \Pr[(x \oplus \alpha) \boxplus (y \oplus \beta) = (x \boxplus y) \oplus \gamma]$ that the specific differential $(\alpha, \beta) \to \gamma$ occurs is given by

$$\Pr(\alpha, \beta \to \gamma) = \begin{cases} 0 & \text{if } \sigma \oplus (\sigma \ll 1) \not\preceq \theta, \\ 2^{-\mathrm{hw}(\theta)} & \text{otherwise,} \end{cases}$$

where $\sigma = \alpha \oplus \beta \oplus \gamma$, and where $\theta = \big((\alpha \oplus \gamma) \vee (\beta \oplus \gamma)\big) \ll 1$.

THEOREM 13.2 (Linear Properties).– Let $\alpha, \beta, \gamma$ be elements of $\mathbb{F}_2^n$, and let $M : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be the linear function with matrix representation

$$M = \begin{pmatrix} 0 & 0 & \cdots & 0 & 0 \\ 1 & 0 & \cdots & 0 & 0 \\ 1 & 1 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 1 & 1 & \cdots & 1 & 0 \end{pmatrix},$$

and let $\sigma = M(\alpha \oplus \beta \oplus \gamma)$. Then the Walsh spectrum of modular addition can be computed as follows:

$$\sum_{x, y \in \mathbb{F}_2^n} (-1)^{(\alpha \cdot x) \oplus (\beta \cdot y) \oplus (\gamma \cdot (x \boxplus y))} = \begin{cases} 0 & \text{if } (\alpha \oplus \gamma) \not\preceq \sigma \text{ or } (\beta \oplus \gamma) \not\preceq \sigma, \\ (-1)^{(\alpha \cdot \gamma) + (\beta \cdot \gamma)} \times 2^{2n - \mathrm{hw}(\sigma)} & \text{otherwise.} \end{cases}$$

These theorems are used, for instance, when computing the probability of a differential or a linear trail (see section 13.3.1). They were first established in Lipmaa and Moriai (2001) and Wallén (2003), although the simpler forms presented here are from Schulte-Geers (2013). In fact, in the latter paper, Schulte-Geers re-established these results using the CCZ-equivalence² of modular addition with a much simpler quadratic function. The theorem below is equivalent to this result.

THEOREM 13.3.– Let $\mu : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be the linear function whose output bits are recursively defined by $\mu_0(x) = 0$ and $\mu_{i+1}(x) = x_i \oplus \mu_i(x)$. Then, for any $x, y, z$ in $\mathbb{F}_2^n$ such that $z = x \boxplus y$, it holds that

$$z = x \oplus y \oplus \mu\big((x \oplus z) \wedge (y \oplus z)\big).$$

In fact, $(x, y) \mapsto x \boxplus y$ is CCZ-equivalent to $(x, y) \mapsto \mu(x \wedge y)$, which is quadratic.

² The details of CCZ-equivalence do not matter here.
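An added check of the statements of sections 13.2.1 and 13.2.2 (not code from the chapter): the carry induction and Theorem 13.3 are compared with integer addition, the differential probability of Theorem 13.1 with exhaustive counting, and the support and magnitude $2^{2n - \mathrm{hw}(\sigma)}$ of the Walsh spectrum of Theorem 13.2 with the exhaustive sum, for every mask triple on small word sizes. The one assumption made is to read $\sigma$ of Theorem 13.2 as $\sigma_i = \bigoplus_{j > i} v_j$ (the displayed matrix applied to the row vector $v = \alpha \oplus \beta \oplus \gamma$); the sign of the spectrum is left out of the comparison.

```python
"""Exhaustive checks of the modular-addition statements of sections 13.2.1
and 13.2.2 on small word sizes (added example, not the chapter's code).
Words are Python ints with bit 0 = x_0, the least significant bit."""


def maj(a, b, c):
    return (a & b) ^ (a & c) ^ (b & c)          # majority of three bits


def hw(v):
    return bin(v).count("1")                    # Hamming weight


def dot(u, v):
    return hw(u & v) & 1                        # inner product over GF(2)


def covers(x, y):
    return x & ~y == 0                          # x covered by y: x_i <= y_i


def add_bitwise(x, y, n):
    """x boxplus y from the induction of 13.2.1: z_i = x_i + y_i + carry_i,
    carry_{i+1} = maj(x_i, y_i, carry_i), carry_0 = 0."""
    z, carry = 0, 0
    for i in range(n):
        xi, yi = x >> i & 1, y >> i & 1
        z |= (xi ^ yi ^ carry) << i
        carry = maj(xi, yi, carry)
    return z


def mu(v, n):
    """Theorem 13.3: mu_0 = 0, mu_{i+1} = v_i + mu_i (prefix XOR)."""
    out, acc = 0, 0
    for i in range(n):
        out |= acc << i
        acc ^= v >> i & 1
    return out


def sigma_linear(v, n):
    """sigma_i = XOR of v_j over j > i.  Assumption made here: this is the map
    M of Theorem 13.2, the displayed matrix acting on the row vector v."""
    out, acc = 0, 0
    for i in reversed(range(n)):
        out |= acc << i
        acc ^= v >> i & 1
    return out


def xdp_formula(alpha, beta, gamma, n):
    """Theorem 13.1: Pr(alpha, beta -> gamma) for n-bit modular addition."""
    mask = (1 << n) - 1
    sigma = alpha ^ beta ^ gamma
    theta = (((alpha ^ gamma) | (beta ^ gamma)) << 1) & mask
    if not covers(sigma ^ ((sigma << 1) & mask), theta):
        return 0.0
    return 2.0 ** -hw(theta)


def xdp_exhaustive(alpha, beta, gamma, n):
    """The same probability by counting all 4^n input pairs (x, y)."""
    mask = (1 << n) - 1
    hits = sum(1 for x in range(1 << n) for y in range(1 << n)
               if ((x ^ alpha) + (y ^ beta)) & mask == ((x + y) & mask) ^ gamma)
    return hits / 4 ** n


def walsh_magnitude_formula(alpha, beta, gamma, n):
    """Theorem 13.2 without its sign: 0 off the support, else 2^(2n - hw(sigma))."""
    sigma = sigma_linear(alpha ^ beta ^ gamma, n)
    if not covers(alpha ^ gamma, sigma) or not covers(beta ^ gamma, sigma):
        return 0
    return 2 ** (2 * n - hw(sigma))


def walsh_exhaustive(alpha, beta, gamma, n):
    """Sum over all x, y of (-1)^(alpha.x + beta.y + gamma.(x boxplus y))."""
    mask = (1 << n) - 1
    return sum((-1) ** (dot(alpha, x) ^ dot(beta, y) ^ dot(gamma, (x + y) & mask))
               for x in range(1 << n) for y in range(1 << n))


def check_theorems(n):
    """Each statement checked over every input pair or every mask triple."""
    words, mask = range(1 << n), (1 << n) - 1
    return {
        "induction": all(add_bitwise(x, y, n) == (x + y) & mask
                         for x in words for y in words),
        "theorem_13_3": all(((x + y) & mask) == x ^ y ^ mu(
            (x ^ ((x + y) & mask)) & (y ^ ((x + y) & mask)), n)
            for x in words for y in words),
        "theorem_13_1": all(xdp_formula(a, b, g, n) == xdp_exhaustive(a, b, g, n)
                            for a in words for b in words for g in words),
        "theorem_13_2_magnitude": all(
            walsh_magnitude_formula(a, b, g, n) == abs(walsh_exhaustive(a, b, g, n))
            for a in words for b in words for g in words),
    }


if __name__ == "__main__":
    print(check_theorems(3))
    delta = 1 << 7                 # Observation 13.2 on 8-bit words: MSB difference
    print(xdp_formula(delta, 0, delta, 8), xdp_formula(delta, delta, 0, 8),
          xdp_formula(delta, delta, delta, 8))
```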


13.3. Analyzing ARX-based primitives

The theorems mentioned in the previous section can only handle one modular addition. However, a primitive will obviously involve many such operations, combined with other ones. How then can we find differential or linear trails with a high enough probability for a cryptanalysis to be possible? And, from a designer’s perspective, how can we prove that no differential trails exist that have a probability higher than a given threshold? While the first question has been fruitfully investigated since the early 1990s with the first attacks against FEAL, the latter has only been developed recently.

13.3.1. Searching for differential and linear trails

In a primitive whose round function uses a small S-box, it is easy to investigate first truncated differential trails, and then to find a high probability differential trail within a promising truncated one. The same approach can be used for linear cryptanalysis. However, for ARX-based round functions, this approach can a priori not work. For instance, in the stream cipher CHACHA, the round function relies on a 128-bit permutation called the “half-round”, which involves four additions modulo $2^{32}$, four XORs and several rotations. Four of these transformations are applied in parallel each time, in a fashion that is not dissimilar to a layer of S-boxes. However, unlike for small S-boxes, it is not possible to fully characterize the DDT and LAT of such a 128-bit transformation, meaning that the modular approach used in the S-box case cannot be applied. As a result, significant efforts have been dedicated to the investigation of search algorithms capable of finding a good differential trail. To this end, it is possible to rely on Matsui’s branch-and-bound algorithm (Matsui 1994), which works as follows. Suppose that we want to find a differential trail with probability at most $p$ which covers $r$ rounds of a primitive. Suppose also that the best trail we found covering $i < r$ rounds has probability $p_i$. If $p_{r-i} > p/p_i$, then the search will fail and we can abort. This heuristic allows a cryptanalyst to cut a substantial number of branches in their tree search for the best differential trail, which in turn allows them to analyze more rounds. It is the approach used, for example, in Velichkov’s YAARX.³ This basic method can then be enhanced using various heuristics tailored to handle modular addition. For example, the use of a partial DDT (Biryukov and Velichkov 2014) can steer the tree search toward higher probability differential trails by ignoring those involving transitions with a probability that is too low. Another approach consists of identifying short high probability trails, and then finding a way to connect them at the center by propagating the constraints they imply

³ Available at: http://vesselinux.github.io/yaarx/.


toward the center rounds using a meet-in-the-middle approach. The rounds covered in this way will correspond to a low probability trail, but the resulting characteristic may still have a high enough probability to be useful (Leurent 2013). This approach is implemented in the ARX Toolkit⁴, and the differential used to find collisions in SHA-1 was found using hashclash, a tool based on a similar approach (see Chapter 15).

13.3.2. Proving security against differential and linear attacks

The techniques presented above allow a cryptanalyst to find trails that are hopefully suitable for their attack. However, from a designer’s perspective, what matters is the non-existence of trails with a certain probability. It is thus necessary to devise an algorithm that can identify the best trail of all, not merely the best that can be found. It is in fact possible to use Matsui’s algorithm-like techniques to this end. For example, Biryukov et al. (2016) presented some bounds for the probability of the best differential trails for round-reduced versions of SPECK – at least its variants with the smallest block sizes. Similar techniques were re-used to prove bounds for the differential trail probabilities of ALZETTE, a component of SPARKLE, CRAX and TRAX (Beierle et al. 2020a). These techniques can also be applied to prove bounds on the correlation of a primitive, thus arguing its security against linear attacks. A more recent technique consists in encoding the existence of a differential (or linear) trail as an MILP instance, and then using an off-the-shelf solver. Since MILP solvers can return the best solution according to a cost function, cryptanalysts can use them to find the best possible differential and linear trails by designing a cost function that corresponds to the probability of the trail. This technique is presented, for example, in Liu et al. (2021).
All bounding techniques mentioned in this section are computationally expensive, and their complexity increases quickly with the block size of the round function investigated. As a result, they cannot be used to derive useful bounds for primitives operating on more than 128-bit blocks. Unfortunately, such a block size only permits the design of an AEAD based on a block cipher with a small block size: hash functions and permutation-based constructions need to operate on bigger states. To answer this problem, the Long Trail Strategy was proposed by the designers of SPARX in Dinu et al. (2016). It is a general approach that allows the construction of a round function based on a wide S-box. Then, the security arguments are based on the analysis of the security provided by multiple iterations of the S-box. In the case

⁴ Available at: https://who.paris.inria.fr/Gaetan.Leurent/arxtools.html.


of SPARX, this S-box is a simple SPECK-like block cipher operating on 32 bits. This approach was then used to build SPARKLE using the 64-bit transformation ALZETTE; the latter being also at the core of some (tweakable) block ciphers called CRAX and TRAX. A key aspect of the long trail strategy is that the round function should ensure the existence of “long trails”, that is, of differential and linear trails involving sequential iterations of the S-box. These long trails are then analyzed using the properties of multiple iterations of the S-box.

13.3.3. Other cryptanalysis techniques

Impossible differential cryptanalysis (see Chapter 3) tends to be less of a threat to ARX-based ciphers than it is to block ciphers based on small S-boxes, because modular addition diffuses information from each bit to all the bits of higher weight through the carry. While the probability of this diffusion decreases with the length of the carry chain, it remains non-zero. As a result, impossible differentials tend to cover fewer ARX-based rounds. SPARX is the only exception due to its SPN structure.

Differential-linear cryptanalysis (see Chapter 5) is a technique combining two short high probability trails; a differential one for the first rounds and a linear one over the last ones. It has been successfully used against the MAC CHASKEY (Mouha et al. 2014) to attack seven out of eight rounds of its inner permutation.

Rotational cryptanalysis is another attack vector that is particularly relevant for ARX-based primitives. These attacks leverage the fact that rotation commutes with other rotations and with word-wise XORs with probability 1, and with modular addition with a possibly high probability. This principle can be used directly in order to attack a primitive $E$ by finding rotations $R$ and $R'$ such that $R \circ E \circ R'(x) = E(x)$ with a high enough probability. Alternatively, in a Rotational-XOR cryptanalysis, attackers exploit instead a bias in the probability of a difference of the shape $(R \circ E)(x) \oplus (E \circ R')(x)$ (see, for instance, the attack against SPECK presented in Liu et al. 2017).

Integral cryptanalysis can also be applied to ARX-based primitives, although it tends to be less efficient in this context than against SPNs using small S-boxes (SPARX being an exception, like for impossible differential attacks). As with differential and linear trails, identifying a useful integral pattern in an ARX-based primitive is computationally expensive. The most recent advances on this topic (Sun et al. 2017) have identified a two-step process to find them. First, the existence of an integral distinguisher is encoded into an MILP problem using an approach based on the division property (see Chapter 10). Then, this MILP instance is solved using an off-the-shelf MILP solver, and an integral distinguisher is extracted from its output.


13.4. References

Aumasson, J.-P., Henzen, L., Meier, W., Phan, R.C.-W. (2008). SHA-3 proposal BLAKE. Submission to NIST.
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L. (2013). The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404. Available at: http://eprint.iacr.org/2013/404.
Beierle, C., Biryukov, A., dos Santos, L.C., Großschädl, J., Perrin, L., Udovenko, A., Velichkov, V., Wang, Q. (2020a). Alzette: A 64-bit ARX-box (feat. CRAX and TRAX). In CRYPTO 2020, Part III, vol. 12172 of Lecture Notes in Computer Science, Micciancio, D., Ristenpart, T. (eds). Springer.
Beierle, C., Biryukov, A., dos Santos, L.C., Großschädl, J., Perrin, L., Udovenko, A., Velichkov, V., Wang, Q. (2020b). Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symmetric Cryptol., 2020(S1), 208–261.
Bernstein, D.J. (2008a). The Salsa20 family of stream ciphers. In New Stream Cipher Designs. Springer.
Bernstein, D.J. (2008b). ChaCha, a variant of Salsa20. In Workshop Record of SASC, vol. 8.
Biryukov, A. and Perrin, L. (2017). State of the art in lightweight symmetric cryptography. Cryptology ePrint Archive, Report 2017/511 [Online]. Available at: http://eprint.iacr.org/2017/511.
Biryukov, A. and Velichkov, V. (2014). Automatic search for differential trails in ARX ciphers. In CT-RSA 2014, vol. 8366 of Lecture Notes in Computer Science, Benaloh, J. (ed.). Springer.
Biryukov, A., Velichkov, V., Corre, Y.L. (2016). Automatic search for the best trails in ARX: Application to block cipher Speck. In FSE 2016, vol. 9783 of Lecture Notes in Computer Science, Peyrin, T. (ed.). Springer.
Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A. (2016). Design strategies for ARX with provable bounds: Sparx and LAX. In ASIACRYPT 2016, Part I, vol. 10031 of Lecture Notes in Computer Science, Cheon, J.H., Takagi, T. (eds). Springer.
Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J. (2010). The Skein hash function family. Submission to NIST (round 3).
Gueron, S., Jha, A., Nandi, M. (2019). COMET: COunter Mode Encryption with authentication Tag. Submission to the NIST lightweight standardization effort [Online]. Available at: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/zspec-doc-rnd2/comet-spec-round2.pdf.
Hong, D., Lee, J., Kim, D., Kwon, D., Ryu, K.H., Lee, D. (2013). LEA: A 128-bit block cipher for fast encryption on common processors. In WISA 2013, vol. 8267 of Lecture Notes in Computer Science, Kim, Y., Lee, H., Perrig, A. (eds). Springer.
Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B., Lee, C., Chang, D., Lee, J., Jeong, K. et al. (2006). HIGHT: A new block cipher suitable for low-resource device. In CHES 2006, vol. 4249 of Lecture Notes in Computer Science, Goubin, L., Matsui, M. (eds). Springer.
Khairallah, M. (2019). Forgery attack on SNEIKEN. Cryptology ePrint Archive, Report 2019/408 [Online]. Available at: https://eprint.iacr.org/2019/408.

Koo, B., Roh, D., Kim, H., Jung, Y., Lee, D., Kwon, D. (2017). CHAM: A family of lightweight block ciphers for resource-constrained devices. In ICISC 2017, vol. 10779 of Lecture Notes in Computer Science, Kim, H., Kim, D. (eds). Springer.
Lai, X. and Massey, J.L. (1990). A proposal for a new block encryption standard. In EUROCRYPT ’90, vol. 473 of Lecture Notes in Computer Science, Damgård, I. (ed.). Springer.
Leurent, G. (2013). Construction of differential characteristics in ARX designs: Application to Skein. In CRYPTO 2013, Part I, vol. 8042 of Lecture Notes in Computer Science, Canetti, R., Garay, J.A. (eds). Springer.
Lipmaa, H. and Moriai, S. (2001). Efficient algorithms for computing differential properties of addition. In FSE 2001, vol. 2355 of Lecture Notes in Computer Science, Matsui, M. (ed.). Springer.
Liu, Y., Witte, G.D., Ranea, A., Ashur, T. (2017). Rotational-XOR cryptanalysis of reduced-round SPECK. IACR Trans. Symmetric Cryptol., 2017(3), 24–36.
Liu, Z., Li, Y., Jiao, L., Wang, M. (2021). A new method for searching optimal differential and linear trails in ARX ciphers. IEEE Transactions on Information Theory, 67(2), 1054–1068.
Matsui, M. (1994). On correlation between the order of S-boxes and the strength of DES. In EUROCRYPT ’94, vol. 950 of Lecture Notes in Computer Science, Santis, A.D. (ed.). Springer.
Matsui, M. and Yamagishi, A. (1992). A new method for known plaintext attack of FEAL cipher. In EUROCRYPT ’92, vol. 658 of Lecture Notes in Computer Science, Rueppel, R.A. (ed.). Springer.
Mouha, N., Mennink, B., Herrewege, A.V., Watanabe, D., Preneel, B., Verbauwhede, I. (2014). Chaskey: An efficient MAC algorithm for 32-bit microcontrollers. In SAC 2014, vol. 8781 of Lecture Notes in Computer Science, Joux, A., Youssef, A.M. (eds). Springer.
Perrin, L. (2019). Probability 1 iterated differential in the SNEIK permutation. Cryptology ePrint Archive, Report 2019/374 [Online]. Available at: https://eprint.iacr.org/2019/374.
Saarinen, M.-J.O. (2019). SNEIKEN and SNEIKHA: Authenticated encryption and cryptographic hashing. Submission to the NIST lightweight standardization effort [Online]. Available at: https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/sneik-spec.pdf.
Schulte-Geers, E. (2013). On CCZ-equivalence of addition mod 2^n. Designs, Codes and Cryptography, 66(1), 111–127.
Shimizu, A. and Miyaguchi, S. (1987). Fast data encipherment algorithm FEAL. In EUROCRYPT ’87, vol. 304 of Lecture Notes in Computer Science, Chaum, D., Price, W.L. (eds). Springer.
Sun, L., Wang, W., Wang, M. (2017). Automatic search of bit-based division property for ARX ciphers and word-based division property. In ASIACRYPT 2017, Part I, vol. 10624 of Lecture Notes in Computer Science, Takagi, T., Peyrin, T. (eds). Springer.

Tardy-Corfdir, A. and Gilbert, H. (1991). A known plaintext attack of FEAL-4 and FEAL-6. In CRYPTO ’91, vol. 576 of Lecture Notes in Computer Science, Feigenbaum, J. (ed.). Springer.
Wallén, J. (2003). Linear approximations of addition modulo 2^n. In FSE 2003, vol. 2887 of Lecture Notes in Computer Science, Johansson, T. (ed.). Springer.

14

SHA-3 Contest Related Cryptanalysis

Yu SASAKI
NTT Social Informatics Laboratories, Tokyo, Japan

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.

14.1. Chapter overview

Cryptographic hash functions are fundamental primitives in cryptography that take an almost arbitrary-length message as input and generate its digital fingerprint. After a series of groundbreaking cryptanalytic results against the MD4 family, particularly against SHA-1, the National Institute of Standards and Technology (NIST) conducted a public competition to determine a next-generation hash function standard. This competition was called the SHA-3 competition (National Institute of Standards and Technology 2010). The SHA-3 competition received 64 submissions; 51 of these were selected for the first round of the competition, and in 2012 KECCAK was selected as the winner. Although the goal of the SHA-3 competition was to support industry by developing the standard, it significantly contributed to the development of new attack strategies against hash functions. Most of the techniques developed before the SHA-3 competition targeted keyed primitives such as block ciphers and message authentication codes; hence, the accumulated knowledge for attacking keyless primitives such as hash functions was insufficient at the time of the competition. During the contest, many researchers devoted themselves to finding new attacks against the candidate algorithms. The goal of this chapter is to introduce the rebound attack (Mendel et al. 2009; Lamberger et al. 2015), which was one of the most powerful attacks against keyless primitives developed during the SHA-3 competition. At the end of this chapter, several other attacks will also be briefly presented.

14.2. Differences between attacks against keyed and keyless primitives

Hash functions are required to resist any attack that finds a collision, that is, two distinct input messages with the same hash value. Collision resistance is particularly important among the fundamental security requirements because the generic collision attack based on the birthday paradox against n-bit hash functions only requires O(2^{n/2}) computations, while the generic preimage attack requires O(2^n) computations. Intuitively, a natural approach to the collision attack is to adopt the differential cryptanalysis used against keyed primitives, namely, the attacker aims to find a differential propagation that maps an input difference Δi ≠ 0 to an output difference Δo = 0 with some probability higher than 2^{-n/2}. Then, by computing the hash values of the two messages m and m ⊕ Δi for various m, a collision can be generated faster than by the generic attack. The challenge here is to find a more efficient approach that exploits the fact that no secret key is used in hash functions. It is useful to first learn what kind of differences exist between attacks against keyed and keyless primitives. Such differences can be seen in the simple example of Figure 14.1, in which the transformation for the keyed primitive (left-hand side) is composed of a single non-bijective S-box and two key additions around the S-box, while the transformation for the keyless primitive (right-hand side) does not perform those key additions.
For keyless primitives, input values to the nonlinear component can be chosen by an attacker.

Figure 14.1. Basic differences of attacks against keyed (left) and keyless (right) primitives

Suppose that the attacker has the ability to choose the input values to the transformation, so that it is easy to choose multiple paired input values with a difference Δi. Then, consider the difficulty of finding an input pair whose corresponding output values have difference 0. In the keyed primitive, the input values are masked by the secret key, which prevents the attacker from knowing the input values to the S-box. As a result, the attacker needs to rely on some probability to obtain an output pair having difference 0. In contrast, in the keyless primitive, the attacker can directly choose the input values to the S-box. If the size of the S-box is small enough, the attacker can analyze the S-box behavior at a small cost, and can choose two values that will collide on the output. To sum up, keyless primitives allow the attacker to choose the input and output values of the S-box or any other sensitive operation, which significantly changes the best strategy for the attacker to satisfy a differential propagation.

14.3. Rebound attack

The rebound attack was originally proposed to efficiently find collisions against hash functions that adopt a substitution-permutation network (SPN), in particular, an AES-like round function. Its basic concept will be explained using a simplified structure in section 14.3.1. The rebound attack against a reduced-round AES-like structure (AES with MixColumns in the last round) will be explained in section 14.3.2.

14.3.1. Basic strategy of the rebound attack

The attack discussed here is the collision attack against a compression function built in the Matyas-Meyer-Oseas (MMO) mode. Let E_K(P) be the encryption of the plaintext P with the block cipher E under the key K. In the MMO mode, the key value K is replaced with a fixed constant called IV and the plaintext P is replaced with an input message M. The output is computed as E_IV(M) ⊕ M. The underlying block cipher E is now assumed to be simple: it has only two rounds, and the round function is composed of a single column of AES. Namely, both the key size and the block size are 4 bytes, and the round function consists of the application of the AES S-box to each byte, the application of the AES MDS matrix to the column (L), and the XOR with the key state.
The key schedule function (KSF) may need to be newly defined. However, because the details of the KSF are not important for understanding the idea of the rebound attack, the KSF is now assumed to be some random-looking mapping from 4 bytes to 4 bytes. In other words, the attacker assumes that all subkey values are randomly chosen constants. The diagram of the computation is depicted in Figure 14.2. IV is a fixed constant, and thus no difference can be injected into IV. Hence, the strategy to generate a collision is to inject some non-zero difference into the input message and to control the differential propagation so that the same difference appears after computing E_IV(M). Then the differences on M and E_IV(M) cancel each other at the last XOR of the MMO mode.

Suppose that the message difference ΔM has a single active byte at the top byte. This difference expands to four bytes after the first round because of the property of the MDS matrix. For the same reason, the difference can return to a single active byte after the second round. Finally, the message difference and the difference after two rounds cancel each other with probability about 2^{-8}. To sum up, by generating 2^8 paired values that start with a single active-byte difference at the top byte and end with a single active-byte difference in the same position, a collision is expected.

Figure 14.2. Toy function with a simple SPN structure. Both the block size and the key size are four bytes. S is the AES S-box and L is the AES MDS matrix. KSF is assumed to be any bijective map. Bytes filled with black have a non-zero difference

What is the complexity of finding such a pair? In a straightforward approach that simply examines M and M ⊕ ΔM for various randomly chosen M, the computational cost of satisfying this transformation is 2^{24}, since three of the four bytes of the difference after the second round must be zero. Because the cost of the generic collision attack by the birthday paradox is 2^{16} for a 32-bit function, this straightforward attempt is less efficient than the generic attack and is not regarded as a meaningful attack. The rebound attack generates such a pair more efficiently, with an amortized cost of 1 per pair. The attacker first chooses a difference of the form (A, 0, 0, 0) between the application of the S-box S and the linear layer L in the first round. Because L is linear, the corresponding difference L(A, 0, 0, 0) can be computed without specifying paired values. The difference L(A, 0, 0, 0) does not change with the key addition; hence, the attacker obtains the input difference of all the S-boxes in the second round. Then, the attacker chooses a difference of the form (A', 0, 0, 0) after L in the second round. Because L^{-1} is linear, L^{-1}(A', 0, 0, 0) can be computed without specifying paired values; hence, the attacker obtains the output difference of all the S-boxes in the second round. At this stage, for each S-box in the second round, the input and the output differences are independently determined without specifying paired values. The probability that there exist paired values satisfying the input and the output differences depends on the specification of the S-box. For the AES, this probability is about 2^{-1} per S-box application. This can be checked with the differential distribution table (DDT) of the AES S-box, in which almost half of the entries have the value “2”; hence, the probability of having paired values for randomly determined input and output differences is about 2^{-1}. The probability that all four S-boxes have paired values for L(A, 0, 0, 0) and L^{-1}(A', 0, 0, 0) is 2^{-4}. Once this event is satisfied, there are two ways to assign the paired values per S-box, that is, when x and x' are the two values forming the pair, the ordered pair can be either (x, x') or (x', x). Hence, the attacker obtains 2^4 paired values of the four-byte state that satisfy the differential propagation from (A, 0, 0, 0) in the first round to (A', 0, 0, 0) in the second round. Because 2^4 paired values are obtained by examining 2^4 choices of (A, A'), the amortized cost of finding a pair that conforms to the differential propagation is 1. After generating such pairs, the attacker computes S^{-1} in the first round to obtain the message difference. If it matches (A', 0, 0, 0), which happens with probability 2^{-8}, a collision is generated. Because the amortized cost of satisfying the propagation from (A, 0, 0, 0) to (A', 0, 0, 0) is 1, the entire attack complexity is 2^8, which is faster than the generic attack with the birthday paradox.

14.3.2. Rebound attack against AES-like structures

The attack discussed here is the collision attack against the MMO mode instantiated with a four-round AES-like structure, in which the MixColumns operation is executed in the last round. The diagram of the computation is depicted in Figure 14.3.
The 16-byte states in round i, i = 1, 2, 3, 4, before the SubBytes, ShiftRows, MixColumns and AddRoundKey operations are denoted by #X^i, #Y^i, #Z^i and #W^i, respectively. The omission of the MixColumns operation enables an attacker to generate collisions for one more round. Because this is particular to AES, the attack is explained for a general construction in which all rounds execute exactly the same operations. As with the toy function of the previous section, it is assumed that the key input is fixed to IV, so the attacker cannot inject any difference into the key state. The differential propagation starts and ends with a single active-byte difference at a particular byte position, which is the top left-most position in Figure 14.3. The number of active bytes propagates as 1 → 4 → 16 → 4 → 1 over the four rounds. The rebound attack first generates many paired values that satisfy the differential propagation 4 → 16 → 4 in the middle rounds with an amortized cost of 1. The analysis of this part is called the inbound phase. Then, the paired values are propagated to satisfy the propagation 1 ← 4 in the backward direction and 4 → 1 in the forward direction with some probability. The analysis of this part is called the outbound phase. The differential propagations for the inbound and outbound phases are usually designed to be dense and sparse, respectively. The intuition behind this strategy is to exploit the degrees of freedom of the paired values to satisfy the low-probability propagation in the inbound phase, and to keep the probability of the probabilistic propagation in the outbound phase high.

Figure 14.3. Differential propagation of the rebound attack against a four-round AES-like structure with the MMO mode. The states surrounded by a double line are determined during the inbound phase

The attacker first chooses the 4-byte difference at #Z^2 and propagates the difference through the linear computation up to #X^3. Then, the attacker chooses the 4-byte difference at #W^3 and propagates the difference through the inverse of the linear computation up to #Y^3. For each S-box in round three, the input and the output differences are fixed, and the probability that paired values satisfying the differences exist is about 2^{-1} per S-box. The probability that all 16 S-boxes have paired values is 2^{-16}, and once this event is satisfied, there are 2^{16} ways to choose the paired values of the 16-byte state. Hence, the attacker obtains paired values that satisfy 4 → 16 → 4 with an amortized cost of 1. It is important to evaluate the maximum number of paired values produced in the inbound phase, because those are used to satisfy the propagation in the outbound phase. The number of 4-byte differences that can be chosen at #Z^2 and at #W^3 is 2^{32} for both. Hence, the match of the differences during the inbound phase can be examined at most 2^{32} × 2^{32} = 2^{64} times. Only 2^{48} (= 2^{64} × 2^{-16}) of these choices admit byte values for all 16 bytes, and there are 2^{64} (= 2^{48} × 2^{16}) ways to assign the 16-byte state. Therefore, the maximum number of paired values produced by the inbound phase is 2^{64}. After the inbound phase, the attacker propagates them in both the forward and backward directions to check whether or not a collision occurs at the output of the function. The collision occurs if the differential propagation 1 ← 4 is satisfied in the first round, 4 → 1 is satisfied in the fourth round, and the two differences cancel at the last XOR of the MMO mode. The probabilities of those events are 2^{-24}, 2^{-24} and 2^{-8}, respectively. That is to say, the collision occurs with probability 2^{-56} (= 2^{-24} × 2^{-24} × 2^{-8}). By generating 2^{56} paired values in the inbound phase at a computational cost of 2^{56}, a colliding pair is expected. This complexity is smaller than 2^{64}, the cost of the generic attack on a 128-bit function by the birthday paradox, and thus it is regarded as a meaningful collision attack. It should also be noted that the maximum number of paired values generated in the inbound phase is 2^{64}, so generating 2^{56} paired values is certainly possible.

14.4. Improving rebound attacks with Super-Sbox

In this section, a technique to increase the number of attacked rounds by one by combining the rebound attack with the idea of the Super-Sbox (Gilbert and Peyrin 2010; Lamberger et al. 2009) will be explained. The strategy is to extend the number of rounds covered by the inbound phase, while the outbound phase is the same as the one in the rebound attack. The differential propagation for five rounds is depicted in Figure 14.4. Compared to the rebound attack, a round with fully active bytes is added in the middle. Because the outbound phase does not change, the probability of satisfying the differential propagation for the outbound phase is 2^{-56}.
Hence, the goal of the attacker is to generate 2^{56} paired values that satisfy the differential propagation for the inbound phase with an amortized cost of 1. It is known from the security analysis of keyed AES that two rounds of AES can be decomposed into four 32-bit to 32-bit nonlinear maps and a single linear layer. In fact, the sequence of the following five operations, SubBytes, ShiftRows, MixColumns, AddRoundKey and SubBytes, can be decomposed into four independent nonlinear computations on four bytes each. Each such nonlinear computation is called a Super-Sbox. Hence, two rounds of AES can be viewed as the application of four Super-Sboxes followed by a single linear layer composed of ShiftRows, MixColumns and AddRoundKey. The idea of the Super-Sbox can be applied to the inbound phase in Figure 14.4. The attacker first chooses the 4-byte difference at #Z^2 and propagates the difference up to #X^3. Then, for all 2^{32} choices of the 4-byte difference at #W^4, the differences are propagated up to #Y^4 and the results are stored in a table T. The transformation from #X^3 to #Y^4 is exactly the sequence of the five operations forming the Super-Sbox, and thus can be computed independently for each group of four bytes. The four groups of four bytes forming a Super-Sbox are denoted by a number in Figure 14.4. Bytes with the same number belong to the same Super-Sbox. For each Super-Sbox, the attacker examines all the 2^{32} paired values at #X^3 and propagates them to #Y^4 to check the corresponding difference at #Y^4. Assuming that the differences at #Y^4 are uniformly distributed, each of the 2^{32} differences stored in T will be reached once after examining 2^{32} paired values at #X^3. The same analysis is applied to all four Super-Sboxes. As a result, each of the 2^{32} differences in T can expect a pair of values (and difference) at #X^3. The attack requires a computational cost of 2^{32} to propagate 2^{32} values from #X^3 to #Y^4, while the attacker obtains 2^{32} paired values from the analysis. Hence, the attacker obtains paired values that satisfy 4 → 16 → 16 → 4 with an amortized cost of 1. Note that the maximum number of paired values that can be generated in the inbound phase is 2^{64}, because the above analysis generating 2^{32} paired values can be iterated for the 2^{32} choices of the difference at #Z^2.

Figure 14.4. Rebound attack with Super-Sboxes. Numbers between #X^3 and #Y^3 denote four groups of four bytes forming a Super-Sbox
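The toy rebound attack of section 14.3.1 and the Super-Sbox decomposition of section 14.4, as an added Python example written for this text rather than taken from the chapter or from any cited paper. It rebuilds the AES S-box and MixColumns matrix from their definitions, instantiates the two-round, four-byte MMO function of Figure 14.2 with constructed subkeys K1 and K2 standing in for the KSF (and with no key addition before the first S-box layer, an assumption the chapter leaves open), runs the inbound phase from the DDT and the outbound check through S^{-1}, and finally confirms that SubBytes, ShiftRows, MixColumns, AddRoundKey, SubBytes splits into four independent 32-bit maps by changing one input byte at a time.

```python
"""Added example (not the chapter's own code): the toy rebound attack of section
14.3.1 and a check of the Super-Sbox decomposition of section 14.4.
Constructed assumptions: the KSF output is replaced by fixed pseudo-random
subkeys K1, K2, and no key is XORed before the first S-box layer."""
from functools import reduce
from itertools import product
from operator import xor
import random

_rotl8 = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF

def _gen_aes_sbox():
    """AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    while True:                      # walk the multiplicative group; invariant p*q == 1
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_aes_sbox()
SBOX_INV = [SBOX.index(v) for v in range(256)]

def _gmul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def L(col, m=MC):
    """AES MixColumns on one 4-byte column (the chapter's L); m=MC_INV computes L^-1."""
    return [reduce(xor, (_gmul(c, x) for c, x in zip(row, col)), 0) for row in m]

_rng = random.Random(2023)            # constructed subkeys standing in for the KSF
K1, K2 = [_rng.randrange(256) for _ in range(4)], [_rng.randrange(256) for _ in range(4)]

def toy_compress(m):
    """MMO mode E_IV(M) XOR M, E being two rounds of (S-box, L, subkey XOR) on 4 bytes."""
    s = m
    for k in (K1, K2):
        s = [a ^ b for a, b in zip(L([SBOX[x] for x in s]), k)]
    return [a ^ b for a, b in zip(s, m)]

# DDT_SOLS[din][dout] lists every x with S(x) ^ S(x ^ din) == dout
DDT_SOLS = [[[] for _ in range(256)] for _ in range(256)]
for _d in range(256):
    for _x in range(256):
        DDT_SOLS[_d][SBOX[_x] ^ SBOX[_x ^ _d]].append(_x)

def ddt_nonzero_fraction():   # share of (din != 0, dout) entries admitting a pair: about 1/2
    return sum(bool(DDT_SOLS[d][o]) for d in range(1, 256) for o in range(256)) / (255 * 256)

def rebound_collision():
    """Inbound: fix (A,0,0,0) before L in round 1 and (A',0,0,0) after L in round 2, so
    each round-2 S-box has known in/out differences and is solved from the DDT.  Outbound:
    S^-1 in round 1 gives the message difference, which cancels at the MMO feed-forward
    only when it equals (A',0,0,0).  Returns (M, M', conforming pairs examined) or None."""
    pairs = 0
    for a in range(1, 256):
        din = L([a, 0, 0, 0])                                    # round-2 S-box input diffs
        for a2 in range(1, 256):
            dout = L([a2, 0, 0, 0], MC_INV)                      # round-2 S-box output diffs
            sols = [DDT_SOLS[d][o] for d, o in zip(din, dout)]
            if not all(sols):
                continue                                         # some S-box admits no pair
            for x2 in product(*sols):                            # every conforming pair
                pairs += 1
                m = [SBOX_INV[v] for v in L([v ^ k for v, k in zip(x2, K1)], MC_INV)]
                m2 = [SBOX_INV[v] for v in
                      L([v ^ d ^ k for v, d, k in zip(x2, din, K1)], MC_INV)]
                if m[0] ^ m2[0] == a2:                           # outbound condition holds
                    return m, m2, pairs
    return None

def _shift_rows(st):     # column-major 16-byte state: index = row + 4 * column
    return [st[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def super_sbox_layer(st, rk):
    """SB, SR, MC, AK, SB: the part of two AES rounds that splits into four Super-Sboxes."""
    st = _shift_rows([SBOX[b] for b in st])
    st = [v for c in range(4) for v in L(st[4 * c:4 * c + 4])]
    return [SBOX[a ^ b] for a, b in zip(st, rk)]

def super_sbox_groups(seed=7):
    """Output positions that change when one input byte changes (constructed state/key)."""
    rng = random.Random(seed)
    rk = [rng.randrange(256) for _ in range(16)]
    base = [rng.randrange(256) for _ in range(16)]
    ref = super_sbox_layer(base, rk)
    groups = []
    for i in range(16):
        st = list(base)
        st[i] ^= 0x5A
        groups.append({j for j, o in enumerate(super_sbox_layer(st, rk)) if o != ref[j]})
    return groups
```

rebound_collision() returns the colliding messages together with the number of conforming pairs it examined; on this toy function that count is on the order of 2^8, well below the 2^16 birthday bound of a 32-bit output, which is the gap the chapter's complexity argument predicts. super_sbox_groups() returns, for each of the 16 input bytes, the set of output positions it influences; every set is one whole column, matching the numbered groups of Figure 14.4.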

As mentioned earlier, the differential transformation for the outbound phase is satisfied with probability 2^{-56}. By generating 2^{56} paired values in the inbound phase at a computational cost of 2^{56}, a colliding pair is expected. It is also important to confirm that the attack complexity is less than the generic attack complexity of 2^{64} and that the maximum number of paired values generated in the inbound phase is sufficiently larger than 2^{56}.

14.5. References for further reading about rebound attacks

There are many follow-up works on the rebound attack from various viewpoints. Some reduce the attack complexity, some increase the number of rounds of the collision attack, some improve the attack by injecting differences into IV, some apply the rebound attack to other hash functions with different SPN structures, and so on. In this section, several references are given for further study. Note that these are only a small portion of the tremendous number of related works on rebound attacks. WHIRLPOOL is an international hash function standard specified by ISO/IEC. WHIRLPOOL has an AES-like structure, and its internal state size is 512 bits, organized as 8 × 8 = 64 bytes. Its key schedule function resembles the round function. Because of the large state size and the property of the KSF, several interesting observations have been made. One of the most notable results is the differential distinguisher on the full-round WHIRLPOOL (Lamberger et al. 2009). It was also pointed out that differential distinguishers can be constructed by avoiding a fully active state in the middle rounds, which reduces the required amount of memory (Sasaki et al. 2010), and that the inbound phase can include one more round at the cost of extra attack complexity (Jean et al. 2012, 2014). The rebound attacks against GRØSTL (Peyrin 2010) also exploited the similarity between the round transformations of two states.
The AES round function can be computed significantly faster than the operations of other ciphers thanks to AES-NI; however, the 128-bit block size of AES is too small and thus unsuitable for hash functions. This motivated many designers to propose hash functions that process multiple AES states and add a simple operation to mix the values of the multiple AES states. Such constructions were notably seen in the SHA-3 competition. The use of multiple AES states may give the attacker additional degrees of freedom to control the differential propagation for the inbound phase. Examples can be seen in the rebound attacks against LANE (Matusiewicz et al. 2009) and AESQ (Bagheri et al. 2016). The state of the AES-like structure can be rectangular. GRØSTL-512 is an example of such a hash function, as it uses an AES-like permutation on 8 × 16 = 128 bytes. The differential propagation then needs to be carefully optimized for the given rectangular state size (Sasaki et al. 2014; Cauchois et al. 2017). Attacks against those structures often need to merge large lists, which can be the bottleneck of the attack cost. A general framework for improving the cost of merging large lists (Naya-Plasencia 2011) can be used to optimize the attack cost.

The SPN structure can be combined with the Feistel network, and rebound attacks can also be applied to such structures. The rebound attacks against SHAVITE-3 (Minier et al. 2011) and FEISTEL-SP (Sasaki and Yasuda 2011) are two such examples. The framework of the rebound attack can generally be applied to any computation structure that alternately applies a small nonlinear function and a large linear function, though the optimization of the attack may be much more complicated than for the above-mentioned SPN structures. SHA-3, the latest hash function standard determined by NIST, has a large state size of 1600 bits and adopts more complicated computations than the simple SPN structure. It has been observed that the rebound attack can also be applied to SHA-3 if the number of rounds is reduced (Duc et al. 2012). The last remark concerns collision attacks using quantum computers. It has recently been pointed out that quantum computers may find collisions of hash functions for more rounds than classical computers do. Several researchers have therefore revisited the rebound attacks developed during the SHA-3 competition (Hosoyamada and Sasaki 2020; Dong et al. 2020). The rebound attack will remain an interesting research subject in the future.

14.6. Brief introduction of other cryptanalysis

Besides the rebound attack, several attacks were devised during the SHA-3 competition. Intuitively, these can be classified into two types: one utilizes the attacker's ability to choose the internal state value, due to the keyless nature of hash functions, and the other exploits the fact that a large state is processed by iteratively applying similar update functions on a small size. The rebound attack against the standard AES-like structure is an example of the former. The latter may apply if a large state is composed of multiple AES states and each of them is updated by the AES round function.

14.6.1. Internal differential cryptanalysis

The underlying permutation of SHA-3 has a state size of 1600 bits, which is significantly larger than that of conventional block cipher designs, for example, 128 bits for AES. To process such a large state efficiently, the permutation iteratively applies a similar update function defined on a small size. Dinur et al. (2013) observed that this property can be exploited by differential cryptanalysis. Suppose that the entire large state is divided into S1 ∥ S2 and that each of S1 and S2 is updated by applying a similar function. The attack considers the difference between S1 and S2 inside a single text, which is called an internal difference. Namely, the attacker considers an input message of the form x ∥ (x ⊕ Δi). Due to the similarity, it can be expected that the difference will not change drastically; hence, the state after a few rounds will preserve the form x ∥ (x ⊕ Δo) with a high probability.

14.6.2. Rotational cryptanalysis

Rotational cryptanalysis (Khovratovich and Nikolić 2010; Khovratovich et al. 2015) is usually applied to hash functions adopting the ARX structure, where the round function consists of modular additions, rotations and XOR operations (see Chapter 13). Rotational cryptanalysis exploits a pair of input values called a rotational pair, defined as x and (x ≪ i) for some i, typically i = 1. Let y and y' be the output values obtained by processing x and (x ≪ i) with a hash function H, that is, y = H(x) and y' = H(x ≪ i). Rotational cryptanalysis exploits the fact that y and y' will satisfy y = (y' ≪ i) with a relatively high probability. The theory is backed by several observations: ((X ⊕ Y) ≪ i) = (X ≪ i) ⊕ (Y ≪ i) and ((X ≪ j) ≪ i) = ((X ≪ i) ≪ j) always hold, and a modular addition X + Y can be approximated by X ⊕ Y with a certain probability, particularly when the Hamming weights of X and Y are small. The constant addition, that is, (X ⊕ c) and ((X ≪ i) ⊕ c), can have a significant impact on the preservation of the rotational pair. This fact presents hash function designers with a dilemma on the choice of the round constant: a heavyweight round constant is more secure, while a lightweight round constant allows more efficient implementations. In general, the value of X for the second computation is adjusted in advance to X' = X ⊕ (a suitable constant), so that ((X' ≪ i) ⊕ c) will match (X ⊕ c) with a high probability. Notably, rotational cryptanalysis has been combined with the rebound attack (Khovratovich et al. 2010) against the hash function SKEIN, in a setting in which the attacker can choose both the key input and the state input.
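The rotational pair behaviour of section 14.6.2, as an added Python example written for this text rather than taken from the chapter or from any cited paper. It counts exhaustively over 8-bit words (a constructed choice of word size; the one-operation ARX step toy_round is likewise constructed) how often rotation commutes with XOR, with modular addition, and with the XOR of a round constant c, which is the effect the chapter's dilemma on round constants is about.

```python
"""Added example for section 14.6.2 (constructed, not the chapter's code): how well
rotational pairs survive XOR, modular addition and a round constant, counted
exhaustively on small words."""

N = 8                      # word size in bits (constructed choice, small enough to enumerate)
MASK = (1 << N) - 1

def rotl(x, r, n=N):
    """Left rotation of an n-bit word by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def xor_commutes_with_rotation(r=1):
    """XOR and rotation always commute: (X ^ Y) <<< r == (X <<< r) ^ (Y <<< r)."""
    return all(rotl(x ^ y, r) == rotl(x, r) ^ rotl(y, r)
               for x in range(1 << N) for y in range(1 << N))

def addition_rotational_probability(r=1):
    """Fraction of (X, Y) with ((X + Y) <<< r) == (X <<< r) + (Y <<< r) mod 2^N:
    the probability that one modular addition preserves a rotational pair."""
    hits = sum(rotl((x + y) & MASK, r) == (rotl(x, r) + rotl(y, r)) & MASK
               for x in range(1 << N) for y in range(1 << N))
    return hits / (1 << (2 * N))

def toy_round(x, y, c):
    """Constructed one-operation ARX step: modular addition, then XOR with constant c."""
    return ((x + y) & MASK) ^ c

def round_constant_survival(c, r=1):
    """Fraction of rotational input pairs that are still rotational after toy_round with
    constant c.  Equals addition_rotational_probability() when c <<< r == c, since the
    constant then commutes with the rotation; lower otherwise."""
    hits = sum(rotl(toy_round(x, y, c), r) == toy_round(rotl(x, r), rotl(y, r), c)
               for x in range(1 << N) for y in range(1 << N))
    return hits / (1 << (2 * N))

def rotation_invariant_constants(r=1):
    """Constants c with c <<< r == c: the only ones whose XOR preserves every rotational pair."""
    return [c for c in range(1 << N) if rotl(c, r) == c]
```

addition_rotational_probability() comes out at roughly 3/8 for a rotation by one, the per-addition price of keeping a pair rotational, and round_constant_survival() shows the role of the constant: a constant invariant under the rotation (0x00 or 0xFF on 8-bit words) leaves that probability untouched, while any other constant lowers it unless the second input is pre-adjusted, as the chapter describes.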
The round function of S KEIN has an ARX structure and key values are added to the state every four rounds. The attack first chooses key values and state values so that rotational pairs are generated in the middle eight rounds. Then, the fixed values are extended to the forward and backward directions like the outbound phase of rebound attacks. 14.7. References Bagheri, N., Mendel, F., Sasaki, Y. (2016). Improved rebound attacks on AESQ: Core permutation of CAESAR candidate PAEQ. In ACISP 2016, Part II, vol. 9723 of Lecture Notes in Computer Science, Liu, J.K., Steinfeld, R. (eds). Springer. Cauchois, V., Gomez, C., Lercier, R. (2017). Grøstl distinguishing attack: A new rebound attack of an AES-like permutation. IACR Trans. Symmetric Cryptol., 2017(3), 1–23. Dinur, I., Dunkelman, O., Shamir, A. (2013). Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In FSE 2013, vol. 8424 of Lecture Notes in Computer Science, Moriai, S. (ed.). Springer.

178

Symmetric Cryptography 2

Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L. (2020). Quantum collision attacks on AES-like hashing with low quantum random access memories. In ASIACRYPT 2020, Part II, vol. 12492 of Lecture Notes in Computer Science, Moriai, S., Wang, H. (eds). Springer.
Duc, A., Guo, J., Peyrin, T., Wei, L. (2012). Unaligned rebound attack: Application to Keccak. In FSE 2012, vol. 7549 of Lecture Notes in Computer Science, Canteaut, A. (ed.). Springer.
Gilbert, H. and Peyrin, T. (2010). Super-Sbox cryptanalysis: Improved attacks for AES-like permutations. In FSE 2010, vol. 6147 of Lecture Notes in Computer Science, Hong, S., Iwata, T. (eds). Springer.
Hosoyamada, A. and Sasaki, Y. (2020). Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In EUROCRYPT 2020, Part II, vol. 12106 of Lecture Notes in Computer Science, Canteaut, A., Ishai, Y. (eds). Springer.
Jean, J., Naya-Plasencia, M., Peyrin, T. (2012). Improved rebound attack on the finalist Grøstl. In FSE 2012, vol. 7549 of Lecture Notes in Computer Science, Canteaut, A. (ed.). Springer.
Jean, J., Naya-Plasencia, M., Peyrin, T. (2014). Improved cryptanalysis of AES-like permutations. J. Cryptol., 27(4), 772–798.
Khovratovich, D. and Nikolić, I. (2010). Rotational cryptanalysis of ARX. In FSE 2010, vol. 6147 of Lecture Notes in Computer Science, Hong, S., Iwata, T. (eds). Springer.
Khovratovich, D., Nikolić, I., Rechberger, C. (2010). Rotational rebound attacks on reduced Skein. In ASIACRYPT 2010, vol. 6477 of Lecture Notes in Computer Science, Abe, M. (ed.). Springer.
Khovratovich, D., Nikolić, I., Pieprzyk, J., Sokolowski, P., Steinfeld, R. (2015). Rotational cryptanalysis of ARX revisited. In FSE 2015, vol. 9054 of Lecture Notes in Computer Science, Leander, G. (ed.). Springer.
Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M. (2009). Rebound distinguishers: Results on the full Whirlpool compression function. In ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, Matsui, M. (ed.). Springer.
Lamberger, M., Mendel, F., Schläffer, M., Rechberger, C., Rijmen, V. (2015). The rebound attack and subspace distinguishers: Application to Whirlpool. J. Cryptol., 28(2), 257–296.
Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Y., Schläffer, M. (2009). Rebound attack on the full Lane compression function. In ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, Matsui, M. (ed.). Springer.
Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S. (2009). The rebound attack: Cryptanalysis of reduced Whirlpool and Grøstl. In FSE 2009, vol. 5665 of Lecture Notes in Computer Science, Dunkelman, O. (ed.). Springer.
Minier, M., Naya-Plasencia, M., Peyrin, T. (2011). Analysis of reduced-SHAvite-3-256 v2. In FSE 2011, vol. 6733 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.
National Institute of Standards and Technology (2010). Cryptographic hash algorithm competition [Online]. Available at: https://www.nist.gov/programs-projects/cryptographichash-algorithm-competition.
Naya-Plasencia, M. (2011). How to improve rebound attacks. In CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, Rogaway, P. (ed.). Springer.


Peyrin, T. (2010). Improved differential attacks for ECHO and Grøstl. In CRYPTO 2010, vol. 6223 of Lecture Notes in Computer Science, Rabin, T. (ed.). Springer.
Sasaki, Y. and Yasuda, K. (2011). Known-key distinguishers on 11-round Feistel and collision attacks on its hashing modes. In FSE 2011, vol. 6733 of Lecture Notes in Computer Science, Joux, A. (ed.). Springer.
Sasaki, Y., Li, Y., Wang, L., Sakiyama, K., Ohta, K. (2010). Non-full-active Super-Sbox analysis: Applications to ECHO and Grøstl. In ASIACRYPT 2010, vol. 6477 of Lecture Notes in Computer Science, Abe, M. (ed.). Springer.
Sasaki, Y., Tokushige, Y., Wang, L., Iwamoto, M., Ohta, K. (2014). An automated evaluation tool for improved rebound attack: New distinguishers and proposals of ShiftBytes parameters for Grøstl. In CT-RSA 2014, vol. 8366 of Lecture Notes in Computer Science, Benaloh, J. (ed.). Springer.

15

Cryptanalysis of SHA-1

Marc Stevens
CWI, Cryptology Group, Amsterdam, The Netherlands

Symmetric Cryptography 2, coordinated by Christina Boura and María Naya-Plasencia. © ISTE Ltd 2023.

SHA-1 is a standardized cryptographic hash function (National Institute of Standards and Technology 1995). Together with MD5, it was a de facto industry standard for decades. In particular, it was widely deployed for digital signatures and digital certificates, for which it was officially deprecated by NIST in 2011 due to fundamental security weaknesses. Nevertheless, it remains in use in many applications, including Git. This chapter presents at a basic level the core techniques behind the cryptanalytic attacks on SHA-1, with pointers to more advanced techniques. In particular, it focuses on a basic identical-prefix collision attack on SHA-1 that produces collisions of the form

$$\text{SHA-1}(P \| C_1 \| S) = \text{SHA-1}(P \| C_2 \| S),$$

which share the same prefix $P$ and suffix $S$ and differ only in the bit strings $C_1 \neq C_2$.

15.1. Design of SHA-1

SHA-1: $\{0,1\}^* \to \{0,1\}^{160}$ is a hash function that outputs a hash of 160 bits. It was designed using the Merkle-Damgård hash function mode of operation (Merkle 1989; Damgård 1989) and a compression function $f$ that processes 512-bit message blocks and updates a 160-bit chaining value. The last chaining value is output as the resulting hash value. The compression function $f$ itself is a dedicated block cipher $E$ with a 160-bit plaintext block and a 512-bit key, used in Davies-Meyer feed-forward mode:

$$f: \{0,1\}^{160} \times \{0,1\}^{512} \to \{0,1\}^{160}, \qquad (h_{i-1}, m_i) \mapsto h_i = h_{i-1} + E_{m_i}(h_{i-1}).$$

The compression function uses 32-bit words, interpreted both as a vector in $\mathbb{F}_2^{32}$ and as an integer modulo $2^{32}$ in $\mathbb{Z}/2^{32}\mathbb{Z}$, and written in base-16 notation (e.g. $\mathtt{fedcba98}_{16}$), with the following operations:
– $X \oplus Y$: coefficient-wise addition in $\mathbb{F}_2^{32}$ (XOR);
– $X \wedge Y$: coefficient-wise multiplication in $\mathbb{F}_2^{32}$ (AND);
– $X \vee Y = (X \wedge Y) \oplus (X \oplus Y)$ (OR);
– $\overline{X} = \neg X = X \oplus \mathtt{ffffffff}_{16}$: coefficient-wise add 1 in $\mathbb{F}_2^{32}$ (NOT);
– $X^{\lll n}$ / $X^{\ggg n}$: left/right-rotate the vector over $n$ bit positions (e.g. $(2^{30})^{\lll 5} = 2^3$);
– $X + Y$: addition in $\mathbb{Z}/2^{32}\mathbb{Z}$;
– $X[i]$: the $i$th bit of $X$ (i.e. the coefficient of $2^i$).

A 32-bit word is a common machine word size, and these operations can be executed very efficiently in both software and hardware. When interpreting a byte string as a word, SHA-1 uses the big-endian convention, that is, the first byte forms the most significant 8 bits. Most machines are actually little endian and have to perform additional operations to switch between these endian formats. This endianness complexity is avoided here by operating only on 32-bit words.

Following the Merkle-Damgård mode of operation, an input message $M$ is padded with an $\mathtt{80}_{16}$ byte, followed by zero bytes and the bit-length of $M$ as a 64-bit big-endian integer. The number of zero bytes is the minimum such that the padded message length is a multiple of 64 bytes. The padded message is split into 512-bit blocks $m_1, \ldots, m_k$, which are processed iteratively using $f$:

$$h_0 = IV = (\mathtt{67452301}_{16}, \mathtt{efcdab89}_{16}, \mathtt{98badcfe}_{16}, \mathtt{10325476}_{16}, \mathtt{c3d2e1f0}_{16}),$$
$$h_i = f(h_{i-1}, m_i) \quad \text{for } i = 1, \ldots, k, \qquad \text{SHA-1}(M) = h_k.$$

15.2. SHA-1 compression function

The compression function $f(h, m)$ takes as input a five-word chaining value $h = (a, b, c, d, e)$ and a 16-word message block $m = (w_0, \ldots, w_{15})$. These are input to the internal block cipher $E_m(h)$. The message block is expanded to 80 message words through a linear recurrence relation:

$$w_i = (w_{i-3} \oplus w_{i-8} \oplus w_{i-14} \oplus w_{i-16})^{\lll 1} \quad \text{for } i \geq 16.$$

Then it performs 80 rounds of a five-branch Feistel structure¹ depicted in Figure 15.1. Below we give an equivalent unrolled definition (expressed in the internal variables $a_{i+1}$ output by round $i$), as this helps the exposition of its cryptanalysis:

$$(a_0, a_{-1}, a_{-2}, a_{-3}, a_{-4}) = (a, b, c^{\lll 2}, d^{\lll 2}, e^{\lll 2}),$$
$$f_i = \varphi_i(a_{i-1}, a_{i-2}^{\lll 30}, a_{i-3}^{\lll 30}),$$
$$a_{i+1} = f_i + ac_i + w_i + a_i^{\lll 5} + a_{i-4}^{\lll 30},$$
$$E_m(h) = (a_{80}, a_{79}, a_{78}^{\lll 30}, a_{77}^{\lll 30}, a_{76}^{\lll 30}),$$
$$f(h, m) = h + E_m(h).$$

Figure 15.1. Internal round of the compression function of SHA-1. For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

Each round $i$ uses a fixed addition constant $ac_i$ and a Boolean function $\varphi_i$:

    i             ac_i            φ_i(x, y, z)
    0, ..., 19    5a827999_16     (x ∧ y) ⊕ (¬x ∧ z)            =: φ_IF
    20, ..., 39   6ed9eba1_16     x ⊕ y ⊕ z                     =: φ_XOR
    40, ..., 59   8f1bbcdc_16     (x ∧ y) ∨ (x ∧ z) ∨ (y ∧ z)   =: φ_MAJ
    60, ..., 79   ca62c1d6_16     x ⊕ y ⊕ z                     =: φ_XOR

1 This is a generalization of the basic 2-branch Feistel structure. In each iteration it updates 1 branch and then rotates all branches by 1.


15.3. Differential analysis

Differential analysis is the study of differences between two related evaluations of a function: how input differences propagate through the function and lead to a desirable output difference. In the case of collision attacks, the aim is to obtain a zero output difference from a non-zero input difference. Since its introduction, differential analysis (Biham and Shamir 1990) has focused on differences in either $\mathbb{F}_2^n$ or $\mathbb{Z}/2^n\mathbb{Z}$. Because SHA-1 (and its predecessors) mixes operations over these two spaces, using only one kind of difference in cryptanalysis is not very effective. Using a signed bit-wise integer difference, which can represent differences both in $\mathbb{F}_2^n$ and in $\mathbb{Z}/2^n\mathbb{Z}$, has been a vital technique in SHA-1 cryptanalysis.

Consider two related evaluations $f(h, m)$ and $f(h', m')$. For any internal word $X$ in the evaluation of $f(h, m)$, there is a corresponding word $X'$ in the evaluation of $f(h', m')$. Differences are denoted as:
– $\Delta X := (X'[i] - X[i])_{i=0}^{31}$ is the vector of bit-wise differences in $\{-1, 0, +1\}^{32}$;
– $\delta X := X' - X$ is the additive difference in $\mathbb{Z}/2^{32}\mathbb{Z}$;
– $\Delta X$ and $\delta X$ are related as $\delta X = \sigma(\Delta X) := \sum_{i=0}^{31} (\Delta X)[i] \cdot 2^i$;
– $\nabla X := X' \oplus X$ is the XOR-difference in $\mathbb{F}_2^{32}$;
– $\Delta X$ and $\nabla X$ are related as $\nabla X[i] = |\Delta X[i]|$.

15.4. Near-collision attacks

Collision attacks on SHA-1 are constructed from near-collision attacks on its compression function $f(h, m) = E_m(h) + h$. A near-collision attack is an attack of the following form: for a chosen output difference $d$ and given chaining values $h_{i-1}, h'_{i-1}$, find message blocks $m_i, m'_i$ such that

$$\delta E_m(h_{i-1}) = E_{m'_i}(h'_{i-1}) - E_{m_i}(h_{i-1}) = d \;\Rightarrow\; \delta h_i = f(h'_{i-1}, m'_i) - f(h_{i-1}, m_i) = \delta h_{i-1} + d.$$

A near-collision attack for $d$ is also a near-collision attack for $-d$, by swapping the inputs $h_{i-1}$ and $h'_{i-1}$ and the outputs. Hence, given any such near-collision attack for a certain output difference $d$, we can construct a two-block identical-prefix collision attack on SHA-1 as depicted in Figure 15.2 and following the steps below:
1) choose any common prefix $P = m_1 \| \ldots \| m_p$ consisting of $p$ message blocks;
2) let $h_p$ be the chaining value after processing the prefix blocks $m_1, \ldots, m_p$; since both messages share this prefix, $h'_p = h_p$ and $\delta h_p = 0$;
3) execute the first near-collision attack for $d$ on $(h_p, h'_p)$;
4) obtain blocks $m_{p+1}, m'_{p+1}$ and $h_{p+1}, h'_{p+1}$ with $\delta h_{p+1} = \delta h_p + d = d$;
5) execute the second near-collision attack for $-d$ on $(h_{p+1}, h'_{p+1})$;
6) obtain blocks $m_{p+2}, m'_{p+2}$ and $h_{p+2}, h'_{p+2}$ with $\delta h_{p+2} = d - d = 0$;
7) output the collision: $M = P \| m_{p+1} \| m_{p+2}$, $M' = P \| m'_{p+1} \| m'_{p+2}$.

Figure 15.2. Two-block attack. For a color version of this figure, see www.iste.co.uk/boura/symmetric2.zip

Note that due to the iterative construction of SHA-1, once a collision $(M, M')$ has been produced, one can generate an arbitrary number of collisions for free of the form $(M \| S, M' \| S)$ for any common suffix $S \in \{0,1\}^*$.

15.5. Near-collision search

The near-collision attack for input chaining values $h, h'$ and target output difference $d$ is constructed in two main steps. The first step designs a differential attack and derives a system of equations over just one compression function evaluation, namely over $f(h, m)$ for the unknown message block $m$: linear equations on message bits $w_i[b]$ (for $i = 0, \ldots, 15$) and state bits $a_j[b]$ (for $j = -4, \ldots, 80$). (The basic differential cryptanalytic techniques against the internal block cipher $E_m(h)$ used to construct these input linear equations are explained in later sections below.) The second step is the near-collision search to find a solution for this system of equations, where a 512-bit message block $M$ is called a $t$-round conforming message block if it satisfies all equations for $w_0, \ldots, w_t$ and $a_{-4}, \ldots, a_{t+1}$.

The near-collision search algorithm can be modeled as a depth-first tree search, where nodes at level $t$ correspond to $t$-round conforming message blocks. Once the search finds a new node at level $t$, it iterates over all remaining degrees of freedom in round $t+1$ to modify the message block. If any of the modified message blocks is a $(t+1)$-round conforming message block, then it represents a new node at level $t+1$. The search is finished once an 80-round conforming message block has been found.


This depth-first tree search can be divided into three layers. The first layer covers rounds $0, \ldots, 15$, where at each level $t$ one is entirely free to pick any value of $w_t$ that satisfies the equations. After the first layer, the straightforward degrees of freedom in the message block have been exhausted. In the second layer, the only degrees of freedom are those given by the message modification techniques explained below, which reach, for example, up to round 25. The last layer has no degrees of freedom and simply checks whether the message block is 80-round conforming, back-tracking otherwise.

Heuristically assuming that all bit equations are independent and each satisfied with probability 1/2, the cost of the attack can be estimated recursively as follows. Let $C_t$ be the cost of finding a $t$-round conforming message block, with $C_0 = 1$. Then a simplified cost equation to analyze the complexity is

$$C_t = 2^{x_t} \cdot \left( C_{t-1} \cdot 2^{-y_t} + 1 \right),$$

where $x_t$ is the number of bit equations for round $t$ and $y_t$ the number of degrees of freedom (in bits) for round $t$. Note that any degrees of freedom at level $t$ essentially amortize the cost of finding a $(t-1)$-round conforming message block. It follows that the main factor in the complexity is the number of equations in the third layer, and to a lesser extent those in the second layer.

15.6. Message expansion differences

To design the near-collision attack, the differential analysis of the message expansion and of the 80 state update rounds are treated differently. The message expansion is an $\mathbb{F}_2$-linear recurrence relation, and thus the sequence of XOR-differences $\nabla w_i = w'_i \oplus w_i$ between message words also satisfies the linear recurrence relation. Hence, the XOR-difference of the input message blocks $m, m'$ determines all expanded message word XOR-differences $\nabla w_i$.

For a non-zero XOR-difference $\nabla w_i[b]$, the sign of the signed bit difference $\Delta w_i[b]$ depends on the value of the bit $w_i[b]$:

$$\Delta w_i[b] = \begin{cases} +1 & \text{if } \nabla w_i[b] = 1 \wedge w_i[b] = 0, \\ -1 & \text{if } \nabla w_i[b] = 1 \wedge w_i[b] = 1, \\ 0 & \text{if } \nabla w_i[b] = 0. \end{cases}$$

The additive difference $\delta w_i = \sigma(\Delta w_i)$ can therefore be controlled by choosing the signs $\Delta w_i[b] = \pm 1$ of the bits with non-zero XOR-difference $\nabla w_i[b] = 1$. This is achieved via a bit condition $w_i[b] = c_{i,b}$ with $c_{i,b} \in \{0, 1\}$. Through the linear recurrence relation, any bit condition $w_i[b] = c_{i,b}$ can be expressed as an $\mathbb{F}_2$-linear equation over the bits of the message block $m$. Combining multiple such conditions may lead to a redundant or contradicting set of linear equations over the message block bits; hence, care must be taken to ensure that no contradicting linear equations arise. Given a set of linear equations, these can be brought into echelon form. Due to the echelon form, for $t \in \{0, \ldots, 15\}$ and given $w_0, \ldots, w_{t-1}$, sampling a message word $w_t$ that satisfies the set of equations can be done very efficiently, even when combined with additional conditions on the state $a_{t+1}$.

15.7. Differential trail

A differential trail is a precise description of the propagation of input differences, specifying the internal differences for all state update rounds:

$$T: \quad (\Delta a_i)_{i=-4}^{80}, \quad (\Delta f_i)_{i=0}^{79}.$$

These uniquely determine the required message differences after the expansion:

$$\delta w_i = \sigma(\Delta a_{i+1}) - \sigma(\Delta f_i) - \sigma\big((\Delta a_i)^{\lll 5}\big) - \sigma\big((\Delta a_{i-4})^{\lll 30}\big).$$

From a differential trail, we can determine a set $\mathcal{C}$ of state conditions that are both sufficient and necessary for the entire differential trail to hold. These state conditions are very simple equations of either of two forms:

$$a_i[b] = u, \qquad a_i[b] = a_j[c] \oplus v, \qquad \text{where } u, v \in \{0,1\}.$$

Note that these conditions only relate to one evaluation $f(h, m)$ and not to the other related evaluation $f(h', m')$, hence their use simplifies and improves attacks. The state conditions over the first 16 rounds, as well as all linear message block equations (to control the message word additive differences), can all be satisfied at little to no cost. Even state conditions up to round 25 may have relatively low cost. Hence, it is important to minimize the number of conditions, in particular over rounds 25 to 79, using the following techniques.

15.8. Local collisions

SHA-1's internal block cipher has a recursive message expansion, where changing any bit in the first 16 words $w_0, \ldots, w_{15}$ leads to many bit differences in the succeeding words $w_{16}, \ldots, w_{79}$. The main structure of this message expansion is that it is a linear recurrence relation, which can be exploited using several local collisions in a pattern described by a disturbance vector that satisfies the linear recurrence relation (Chabaud and Joux 1998).


A local collision is a local disturbance created in the state at any given round $i$ and bit position $b$ that is immediately cancelled over the next five rounds to prevent it from propagating further. This can be achieved by the following sequence of six message word differences between the two evaluations (all bit positions are taken modulo 32):

$$\pm(\delta w_i, \ldots, \delta w_{i+5}) = \pm\left(2^b,\; -2^{b+5},\; \pm 2^b,\; \pm 2^{b+30},\; \pm 2^{b+30},\; -2^{b+30}\right).$$

The first difference in this sequence results in a new state difference $2^b$ (or $-2^b$) introduced into $\delta a_{i+1}$, which affects the next five round computations. The remaining five message word differences in the local collision are designed to cancel out the effect of $\delta a_{i+1} = 2^b$, resulting in $\delta a_{i+2} = \ldots = \delta a_{i+6} = 0$. Note that for $j = i+2, i+3, i+4$, depending on the Boolean function $\varphi_j$ and on specific state bits, the resulting output difference $\delta f_j$ may have either sign (or be zero) and must be cancelled by an opposing difference in the corresponding message word $\delta w_j$. Although $\varphi_{IF}$ and $\varphi_{MAJ}$ may produce no difference that has to be cancelled, $\varphi_{XOR}$ always has a non-zero output difference for a single non-zero input difference. Therefore, this local collision pattern (up to sign changes) is the only pattern compatible with all possible starting rounds.

15.9. Disturbance vector

Local collisions can be initiated at any given round and bit position and can be arbitrarily combined. A combination can be described by a disturbance vector: a sequence $DV = (DV_i)_{i=0}^{79}$ of 80 words, where each non-zero bit $DV_i[b] = 1$ corresponds to a local collision starting in round $i$ at bit position $b$. Based on the local collision pattern, the disturbance vector determines the XOR-difference $\nabla w_i = w'_i \oplus w_i$ between each related message word pair $(w_i, w'_i)$:

$$\nabla w_i = DV_i \oplus DV_{i-1}^{\lll 5} \oplus DV_{i-2} \oplus DV_{i-3}^{\lll 30} \oplus DV_{i-4}^{\lll 30} \oplus DV_{i-5}^{\lll 30}.$$

If the disturbance vector satisfies the linear recurrence relation of the message expansion then, by $\mathbb{F}_2$-linearity, this sequence of message word XOR-differences also satisfies the linear recurrence relation and can be used for a cryptanalytic attack. While the disturbance vector uniquely determines all XOR-differences $\nabla w_i[b]$, there is significant freedom in the resulting message word additive differences $\delta w_i$. For any non-zero XOR-difference $\nabla w_i[b] = 1$, the message signed bit difference $\Delta w_i[b] = (w_i[b] \oplus \nabla w_i[b]) - w_i[b]$ is either $-1$ or $+1$, which can be analyzed and controlled through the bit value of $w_i[b]$.
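The following Python program is an added worked example (not code from this chapter, nor from the HashClash project). It implements SHA-1 in the unrolled $a_i$ form of Section 15.2 (checked against the standard test vectors), the signed and additive differences $\Delta$, $\delta$ and $\sigma$ of Section 15.3, and then builds a local collision adaptively on the round function as described in Section 15.8: it disturbs $w_i$ at bit $b$ with the sign that keeps $\Delta a_{i+1}$ a single signed bit, corrects each of $w_{i+1}, \ldots, w_{i+5}$ by exactly the additive difference that round would otherwise produce, and verifies that the resulting $\delta w$ values follow the six-word pattern. The chaining value and the 80 words are constructed sample input; the words $w_{16}, \ldots, w_{79}$ are treated as free, since the local collision is a property of the round function and not of the message expansion.

```python
"""SHA-1 in the unrolled a_i form (15.2), signed differences (15.3) and an
adaptive local-collision construction on the round function (15.8).
Added example for this chapter; not code from the chapter or HashClash."""
import hashlib
import struct

MASK = 0xFFFFFFFF
AC = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]   # ac_i per 20-round block
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def phi(i, x, y, z):
    """Boolean function of round i: IF, XOR, MAJ, XOR (20 rounds each)."""
    if i < 20:
        return ((x & y) ^ (~x & z)) & MASK
    if 40 <= i < 60:
        return (x & y) | (x & z) | (y & z)
    return x ^ y ^ z

def expand(m):
    """w_i = (w_{i-3} ^ w_{i-8} ^ w_{i-14} ^ w_{i-16}) <<< 1 for i >= 16."""
    w = list(m)
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w

def state_update(h, w, rounds=80):
    """Rounds 0..rounds-1 of E_m(h) on expanded words w.
    Returns A with A[j] = a_{j-4}, i.e. (a_-4, ..., a_rounds)."""
    a, b, c, d, e = h
    A = [rotl(e, 2), rotl(d, 2), rotl(c, 2), b, a]            # a_-4 .. a_0
    for i in range(rounds):
        f = phi(i, A[-2], rotl(A[-3], 30), rotl(A[-4], 30))   # f_i
        A.append((f + AC[i // 20] + w[i] + rotl(A[-1], 5) + rotl(A[-5], 30)) & MASK)
    return A

def compress(h, m):
    """Davies-Meyer: f(h, m) = h + E_m(h)."""
    A = state_update(h, expand(m))
    em = (A[84], A[83], rotl(A[82], 30), rotl(A[81], 30), rotl(A[80], 30))
    return tuple((x + y) & MASK for x, y in zip(h, em))

def sha1(msg):
    """Merkle-Damgard iteration with 0x80 || zeros || 64-bit length padding."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    padded += struct.pack(">Q", 8 * len(msg))
    h = IV
    for off in range(0, len(padded), 64):
        h = compress(h, struct.unpack(">16I", padded[off:off + 64]))
    return struct.pack(">5I", *h)

def signed_diff(x, xp):
    """Delta X = (X'[i] - X[i])_{i=0..31} in {-1, 0, +1}^32."""
    return [((xp >> i) & 1) - ((x >> i) & 1) for i in range(32)]

def sigma(dx):
    """delta X = sigma(Delta X) = sum_i Delta X[i] * 2^i mod 2^32."""
    return sum(s << i for i, s in enumerate(dx)) & MASK

def local_collision(h, w, i, b):
    """Return (w', [delta w_i .. delta w_{i+5}] mod 2^32) so that (w, w') is a
    local collision at round i, bit b: Delta a_{i+1} is a single signed bit and
    delta a_{i+2} = ... = delta a_{i+6} = 0.  The sign follows a_{i+1}[b] (no
    carry); each later w'_j absorbs the difference round j would produce."""
    A = state_update(h, w, i + 6)                             # A[i+5] is a_{i+1}
    s = 1 if (A[i + 5] >> b) & 1 == 0 else -1
    wp = list(w)
    wp[i] = (w[i] + s * (1 << b)) & MASK
    deltas = [(s << b) & MASK]
    for j in range(i + 1, i + 6):
        Ap = state_update(h, wp, j + 1)
        corr = (A[j + 5] - Ap[j + 5]) & MASK                  # a_{j+1} - a'_{j+1}
        wp[j] = (wp[j] + corr) & MASK
        deltas.append(corr)
    return wp, deltas

def matches_pattern(deltas, b):
    """Check ±(2^b, -2^{b+5}, ±2^b, ±2^{b+30}, ±2^{b+30}, -2^{b+30}), exponents mod 32."""
    p = lambda e: 1 << (e % 32)
    pm = lambda e: (0, p(e), -p(e) & MASK)                    # zero or either sign
    s = 1 if deltas[0] == p(b) else -1
    return (deltas[0] == (s * p(b)) & MASK and deltas[1] == (-s * p(b + 5)) & MASK
            and deltas[2] in pm(b) and deltas[3] in pm(b + 30)
            and deltas[4] in pm(b + 30) and deltas[5] == (-s * p(b + 30)) & MASK)

def sample_input(seed=b"constructed sample"):
    """Constructed chaining value and 80 words (w_16.. taken as free words)."""
    words = struct.unpack(">85I", (hashlib.sha256(seed).digest() * 11)[:340])
    return words[:5], list(words[5:])

def local_collision_ok(i, b):
    """True iff the adaptive construction yields a valid local collision."""
    h, w = sample_input()
    wp, deltas = local_collision(h, w, i, b)
    A, Ap = state_update(h, w, i + 6), state_update(h, wp, i + 6)
    single_bit = sum(map(abs, signed_diff(A[i + 5], Ap[i + 5]))) == 1
    return single_bit and A[i + 6:] == Ap[i + 6:] and matches_pattern(deltas, b)
```

Running `local_collision(*sample_input(), 30, 7)` places the disturbance in the $\varphi_{XOR}$ rounds, where all three middle corrections are non-zero, while a start round in the $\varphi_{IF}$ or $\varphi_{MAJ}$ region may leave some of $\delta w_{i+2}, \delta w_{i+3}, \delta w_{i+4}$ at zero, exactly as Section 15.8 states.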


In each round, only the additive difference $\delta w_i$ is relevant, which enables local collision compression: disturbances starting in the same round at consecutive bit positions² can be compressed into effectively a single local collision by choosing appropriate signs (Wang et al. 2005b). For instance, for $(\nabla w_i[6], \nabla w_i[7], \nabla w_i[8]) = (1, 1, 1)$ we can choose the signed differences as follows:

$$(\Delta w_i[6], \Delta w_i[7], \Delta w_i[8]) = (-1, -1, +1) \;\Rightarrow\; \delta w_i = 2^8 - 2^7 - 2^6 = 2^6.$$

15.10. Disturbance vector selection

The disturbance vector determines the message block XOR-difference and the combination of (compressed) local collisions, and is the first step in building a differential attack against the compression function. It is important to choose the disturbance vector that leads to the best collision attack. As the resulting attack complexity is difficult to model, this choice is made using a simpler evaluation function:
– DV Hamming weight (e.g. Biham and Chen 2004);
– state condition count (e.g. Wang et al. 2005b);
– combining local collision probabilities (e.g. Mendel et al. 2006);
– precise probability analysis covering many differential trails (Stevens 2013).

The first three are very efficient to compute and have been used to identify small sets of potentially good candidate disturbance vectors. These candidates have been found to be of one of two parameterized forms, denoted $I(k, b)$ and $II(k, b)$:

$$I(k, b): \quad DV_i = \begin{cases} 0 & i = k, \ldots, k+14 \\ 2^b & i = k+15 \end{cases}$$

$$II(k, b): \quad DV_i = \begin{cases} 0 & i = k, k+2, k+4, \ldots, k+14 \\ 2^{(b+31) \bmod 32} & i = k+1, k+3 \\ 2^b & i = k+15 \end{cases}$$

Only 16 consecutive words of the disturbance vector are given; the remaining words of the 80-word vector are uniquely determined through the linear recurrence relation. The last evaluation function is rather costly to compute; however, it achieves a more precise cost evaluation and produces optimized conditions for state bits and message bits as well. This has resulted in the choice of disturbance vector $II(52, 0)$, which has been the basis for the successful collision attacks on SHA-1 (Stevens 2013; Stevens et al. 2017; Leurent and Peyrin 2020).

2 The bit position pairs (1, 2) and (26, 27) are not considered consecutive for local collision compression, since they are not consecutive after the left rotation by either 30 or 5 bit positions in the round function resulting in bit position pair (31, 0).
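As a second added example (again not code from the chapter), the program below completes the disturbance vector $II(52, 0)$ of Section 15.10 from its 16 given words $DV_{52}, \ldots, DV_{67}$ by running the message expansion recurrence forwards and backwards, derives the message XOR-differences $\nabla w_i$ from the local collision pattern of Section 15.9, checks that they again satisfy the expansion (the linearity argument of Section 15.6), and performs the local collision compression of Section 15.9: it enumerates the sign choices for a set of disturbed bits, selects the additive difference of least signed weight and turns the chosen signs into the bit conditions $w_i[b] = c_{i,b}$ of Section 15.6. Extending the disturbance vector to indices $-5, \ldots, -1$ (which the $\nabla w_i$ formula needs for $i < 5$) by the same recurrence is a convention of this example.

```python
"""Disturbance vectors (15.9, 15.10): complete II(52,0) from its 16 given
words, derive the message XOR-differences from the local-collision pattern,
check that they satisfy the message expansion (15.6), and compress signs
into bit conditions (15.6, 15.9).  Added example, not code from the chapter."""
MASK = 0xFFFFFFFF

def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def type_I(k, b):
    """I(k,b): DV_k..DV_{k+14} = 0, DV_{k+15} = 2^b (the 16 words from index k)."""
    return [0] * 15 + [1 << b]

def type_II(k, b):
    """II(k,b): DV_{k+1} = DV_{k+3} = 2^{(b+31) mod 32}, DV_{k+15} = 2^b, rest 0."""
    dv = [0] * 16
    dv[1] = dv[3] = 1 << ((b + 31) % 32)
    dv[15] = 1 << b
    return dv

def complete_dv(given, k, lo=-5):
    """Extend the 16 words DV_k..DV_{k+15} to indices lo..79 by running the
    expansion recurrence forwards and backwards; the inverse step is
    DV_{i-16} = DV_i >>> 1 ^ DV_{i-3} ^ DV_{i-8} ^ DV_{i-14}.  Indices below 0
    only feed the nabla w_i formula for i < 5 (convention of this example)."""
    dv = {k + j: v for j, v in enumerate(given)}
    for i in range(k + 16, 80):
        dv[i] = rotl(dv[i - 3] ^ dv[i - 8] ^ dv[i - 14] ^ dv[i - 16], 1)
    for i in range(k - 1, lo - 1, -1):
        dv[i] = rotl(dv[i + 16], 31) ^ dv[i + 13] ^ dv[i + 8] ^ dv[i + 2]
    return dv

def message_xor_differences(dv):
    """nabla w_i = DV_i ^ DV_{i-1}<<<5 ^ DV_{i-2} ^ (DV_{i-3}^DV_{i-4}^DV_{i-5})<<<30."""
    return [dv[i] ^ rotl(dv[i - 1], 5) ^ dv[i - 2]
            ^ rotl(dv[i - 3] ^ dv[i - 4] ^ dv[i - 5], 30) for i in range(80)]

def satisfies_expansion(words):
    """True iff words[16..79] follow from words[0..15] by the recurrence."""
    return all(words[i] == rotl(words[i - 3] ^ words[i - 8] ^ words[i - 14] ^ words[i - 16], 1)
               for i in range(16, 80))

def naf_weight(v):
    """Minimal number of signed bits ±2^j needed to write v (taken as a signed
    32-bit value): the weight of its non-adjacent form."""
    if v >> 31:
        v -= 1 << 32
    w = 0
    while v:
        if v & 1:
            v -= 2 - (v & 3)          # digit +1 if v = 1 mod 4, else -1
            w += 1
        v >>= 1
    return w

def compress_signs(mask):
    """Over all sign choices Delta w[b] = ±1 for the bits b with nabla w[b] = 1,
    pick the additive difference delta w of least signed weight and return
    (delta w, signs, bit conditions): +1 needs w[b] = 0, -1 needs w[b] = 1."""
    bits = [b for b in range(32) if (mask >> b) & 1]
    best = None
    for choice in range(1 << len(bits)):
        signs = {b: 1 if (choice >> j) & 1 else -1 for j, b in enumerate(bits)}
        delta = sum(s << b for b, s in signs.items()) & MASK
        key = (naf_weight(delta), delta)
        if best is None or key < best[0]:
            best = (key, delta, signs)
    _, delta, signs = best
    return delta, signs, {b: 0 if s == 1 else 1 for b, s in signs.items()}

def disturbance_count(dv, first=25, last=79):
    """Number of local collisions started in rounds first..last (DV weight)."""
    return sum(bin(dv[i]).count("1") for i in range(first, last + 1))
```

For $II(52, 0)$ the completed vector has $DV_{53} = DV_{55} = 2^{31}$ and $DV_{67} = 1$, the derived $\nabla w_{67} = 1$, $\nabla w_{68} = 2^5$ and $\nabla w_{69} = 1$ show the first local collision of that block spreading through the pattern, and `compress_signs(0b111000000)` returns $\delta w = 2^6$ with the signs $(-1, -1, +1)$ and the conditions $w[6] = 1$, $w[7] = 1$, $w[8] = 0$, matching the worked example of Section 15.9.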


15.11. Differential trail construction

Once the disturbance vector and the corresponding part of the differential trail over rounds $25, \ldots, 79$ have been fixed, the next step in constructing a near-collision attack consists of searching for a suitable differential trail over the remaining rounds $0, \ldots, 24$ that connects the input chaining value pair (with fixed differences) to the local collision-based differential trail. The first successful construction of a custom trail for SHA-1 was crafted entirely by hand by Wang et al. (2005a). Subsequently, several efficient algorithms have been developed to construct such trails, using two different approaches.

The first approach is a guess-and-determine strategy (Cannière and Rechberger 2006). This approach keeps track of the set of allowed values $V_{i,b} \subseteq \{(0,0), (0,1), (1,0), (1,1)\}$ for each bit pair $(a_i[b], a'_i[b])$ in the two related evaluations. The initial constraints are the input chaining value and the disturbance vector-based trail. It then repeatedly adds a constraint (by removing allowed values for a particular bit pair) and propagates this information (i.e. it determines and removes previously allowed values that contradict the new constraint). It backtracks whenever it reaches a contradiction, and finishes when a full differential trail has been determined.

The second approach is a meet-in-the-middle strategy (Yajima et al. 2007; Stevens 2012), which consists of a forward phase, a backward phase and a connect phase. The forward phase starts with an initial partial differential trail from the input chaining value pair and extends it for several rounds up to round $t$. The backward phase extends the disturbance vector-based partial differential trail backwards down to round $t+6$. The final connect phase takes a pair of a forward differential trail and a backward differential trail. Simplified, the forward trail covers the state differences up to $\Delta a_{t+1}$ and the backward trail covers the remaining state differences $\Delta a_{t+2}, \ldots$. The connect phase then performs an exhaustive search over the possible Boolean function differences $\Delta f_{t+1}, \ldots, \Delta f_{t+5}$ that create a complete, valid differential trail. Typically, many pairs of forward and backward trails have to be considered before this succeeds. Actual implementations use a more refined partial differential trail representation and improve the exhaustive search with a bit-scanning algorithm (Stevens 2009).

Once the full differential trail and the expanded message differences have been constructed, they can be converted to linear equations on message bits $w_i[b]$ (for $i = 0, \ldots, 15$) and state bits $a_i[b]$ (for $i = -4, \ldots, 80$). These are the input to the near-collision search.

15.12. Message modification techniques

The near-collision search can be sped up significantly by moving degrees of freedom from the first 16 rounds to later rounds. The idea of message modification is to make targeted small changes to a message block conforming up to round $t$ such that the result is still a message block conforming up to round $t$. The first example was called neutral bits (Biham and Chen 2004), where the change was simply flipping a single message bit $w_i[b]$. Generalizations were called advanced message modifications (Wang et al. 2005a) or boomerangs (Joux and Peyrin 2007), where several state and message bit flips work together as an auxiliary partial differential trail. The most common form is that of a single local collision. Such a boomerang produces a single degree of freedom in a later round, but the degrees of freedom of the state and message bits flipped are lost. Whereas advanced message modification was introduced as a very targeted way to correct a failing state condition, boomerangs were defined simply as producing degrees of freedom at a later round. While the search for such neutral bits, advanced message modifications and boomerangs can be prepared in advance, they have to be pairwise compatible as well as compatible with the full differential trail. Hence, finding these speedups and determining which combination to use are the last details needed to implement the near-collision search.

15.13. Overview of published collision attacks

This chapter concludes with an overview of published (identical-prefix) collision attacks against SHA-1, including variant attacks. Practical collision attacks against SHA-1 remained out of reach for a long time after the first theoretical SHA-1 collision attack (Wang et al. 2005a). This was not only due to the high cost, but also due to apparent discrepancies between (simplified) theoretical analysis and practical implementations. Hence, the main focus has been on refining techniques and on easier, relaxed variant attacks targeting reduced-round SHA-1 and/or producing freestart collisions. Freestart collision attacks give the attacker the additional freedom to choose the IV, and therefore do not yield actual collisions for SHA-1.
Note that there has also been some attention to the more powerful and more costly chosen-prefix collision attacks, which start from two different chosen prefixes: $\text{SHA-1}(P_1 \| C_1 \| S) = \text{SHA-1}(P_2 \| C_2 \| S)$. These can typically be constructed from identical-prefix collision attacks with additional techniques.


    Reference                        Attack                        Cost     Ex.  GPU
    (Wang et al. 2005a)              Collision                     2^69     -    -
    (Stevens 2013)                   Collision                     2^61     -    -
    (Stevens et al. 2017)            Collision                     2^63.1   Y    Y
    (Biham et al. 2005)              40-round collision            2^57     Y    -
    (Cannière and Rechberger 2006)   64-round collision            2^35     Y    -
    (Cannière et al. 2007)           70-round collision            2^45     Y    -
    (Grechnikov 2010)                73-round collision            2^50.7   Y    -
    (Grechnikov and Adinetz 2011)    75-round collision            2^57.7   Y    Y
    (Karpman et al. 2015)            76-round freestart collision  2^50     Y    Y
    (Stevens et al. 2016)            Freestart collision           2^57     Y    Y
    (Stevens 2013)                   Chosen-prefix collision       2^77.1   -    -
    (Leurent and Peyrin 2019)        Chosen-prefix collision       2^66.9   -    Y
    (Leurent and Peyrin 2020)        Chosen-prefix collision       2^63.4   Y    Y

Note: the column "Ex." shows whether an example collision was produced and published (otherwise the attack is theoretical). The column "GPU" marks attacks using graphics cards as the main computation power, which are more power- and time-effective, though they have a slightly different cost measure compared to CPUs.

15.14. References

Biham, E. and Chen, R. (2004). Near-collisions of SHA-0. In CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, Franklin, M.K. (ed.). Springer.
Biham, E. and Shamir, A. (1990). Differential cryptanalysis of DES-like cryptosystems. In CRYPTO '90, vol. 537 of Lecture Notes in Computer Science, Menezes, A., Vanstone, S.A. (eds). Springer.
Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W. (2005). Collisions of SHA-0 and reduced SHA-1. In EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, Cramer, R. (ed.). Springer.
Cannière, C.D. and Rechberger, C. (2006). Finding SHA-1 characteristics: General results and applications. In ASIACRYPT 2006, vol. 4284 of Lecture Notes in Computer Science, Lai, X., Chen, K. (eds). Springer.
Cannière, C.D., Mendel, F., Rechberger, C. (2007). Collisions for 70-step SHA-1: On the full cost of collision search. In SAC 2007, vol. 4876 of Lecture Notes in Computer Science, Adams, C.M., Miri, A., Wiener, M.J. (eds). Springer.
Chabaud, F. and Joux, A. (1998). Differential collisions in SHA-0. In CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, Krawczyk, H. (ed.). Springer.
Damgård, I. (1989). A design principle for hash functions. In CRYPTO '89, vol. 435 of Lecture Notes in Computer Science, Brassard, G. (ed.). Springer.


Grechnikov, E.A. (2010). Collisions for 72-step and 73-step SHA-1: Improvements in the method of characteristics. IACR Cryptol. ePrint Arch., 2010, 413 [Online]. Available at: http://eprint.iacr.org/2010/413.
Grechnikov, E.A. and Adinetz, A.V. (2011). Collision for 75-step SHA-1: Intensive parallelization with GPU. IACR Cryptol. ePrint Arch., 2011, 641 [Online]. Available at: http://eprint.iacr.org/2011/641.
Joux, A. and Peyrin, T. (2007). Hash functions and the (amplified) boomerang attack. In CRYPTO 2007, vol. 4622 of Lecture Notes in Computer Science, Menezes, A. (ed.). Springer.
Karpman, P., Peyrin, T., Stevens, M. (2015). Practical free-start collision attacks on 76-step SHA-1. In CRYPTO 2015, Part 1, vol. 9215 of Lecture Notes in Computer Science, Gennaro, R., Robshaw, M. (eds). Springer.
Leurent, G. and Peyrin, T. (2019). From collisions to chosen-prefix collisions: Application to full SHA-1. In EUROCRYPT 2019, Part 3, vol. 11478 of Lecture Notes in Computer Science, Ishai, Y., Rijmen, V. (eds). Springer.
Leurent, G. and Peyrin, T. (2020). SHA-1 is a shambles: First chosen-prefix collision on SHA-1 and application to the PGP web of trust. In USENIX Security Symposium, Capkun, S., Roesner, F. (eds). USENIX Association.
Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V. (2006). The impact of carries on the complexity of collision attacks on SHA-1. In FSE 2006, vol. 4047 of Lecture Notes in Computer Science, Robshaw, M.J.B. (ed.). Springer.
Merkle, R.C. (1989). One way hash functions and DES. In CRYPTO '89, vol. 435 of Lecture Notes in Computer Science, Brassard, G. (ed.). Springer.
National Institute of Standards and Technology (1995). FIPS 180-1: Secure hash standard.
Stevens, M. (2009). Hashclash repository [Online]. Available at: https://github.com/cr-marcstevens/hashclash.
Stevens, M. (2012). Attacks on hash functions and applications. PhD Thesis, Leiden University.
Stevens, M. (2013). New collision attacks on SHA-1 based on optimal joint local-collision analysis. In EUROCRYPT 2013, vol. 7881 of Lecture Notes in Computer Science, Johansson, T., Nguyen, P.Q. (eds). Springer.
Stevens, M., Karpman, P., Peyrin, T. (2016). Freestart collision for full SHA-1. In EUROCRYPT 2016, Part 1, vol. 9665 of Lecture Notes in Computer Science, Fischlin, M., Coron, J. (eds). Springer.
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y. (2017). The first collision for full SHA-1. In CRYPTO 2017, Part 1, vol. 10401 of Lecture Notes in Computer Science, Katz, J., Shacham, H. (eds). Springer.
Wang, X., Yin, Y.L., Yu, H. (2005a). Finding collisions in the full SHA-1. In CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, Shoup, V. (ed.). Springer.
Wang, X., Yu, H., Yin, Y.L. (2005b). Efficient collision search attacks on SHA-0. In CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, Shoup, V. (ed.). Springer.
Yajima, J., Sasaki, Y., Naito, Y., Iwasaki, T., Shimoyama, T., Kunihiro, N., Ohta, K. (2007). A new strategy for finding a differential path of SHA-1. In ACISP 2007, vol. 4586 of Lecture Notes in Computer Science, Pieprzyk, J., Ghodosi, H., Dawson, E. (eds). Springer.

PART 2

Future Directions

16

Lightweight Cryptography

Meltem Sönmez Turan
NIST, Gaithersburg, MD, USA

General-purpose cryptographic algorithms are usually optimized for desktop and server environments, where there are no significant constraints on available resources. The security margins of these algorithms are often more than enough for long-term security (Aumasson 2019), even in cases where the attacker is assumed to have more capabilities and possible actions compared to real-world applications. Algorithms with high security margins (e.g. 50%–60%) are usually difficult or even impossible to implement in resource-constrained devices (e.g. RFID tags, industrial controllers, sensor nodes) with acceptable performance. The goal of lightweight cryptography is to provide cryptographic primitives, schemes and protocols that are optimized for resource-constrained devices having a wide array of performance attributes, while also having an adequate security margin against known attacks. In this chapter, we provide an overview of the standardization efforts, desired features and design trends used in lightweight cryptography¹.

16.1. Lightweight cryptography standardization efforts

Over the last decade, a number of standardization efforts and public competitions were organized focusing on lightweight cryptography. The International

¹ Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.

198

Symmetric Cryptography 2

Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published (i) the seven-part ISO/IEC 29192, Lightweight Cryptography, and (ii) ISO/IEC 29167, Automatic Identification and Data Capture Techniques, approving a number of lightweight algorithms. CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) included a specific use case dedicated to lightweight cryptography. In 2017, the Cryptography Research and Evaluation Committees of Japan published an extensive report that compared the suitability of lightweight designs for various target applications (CRYPTREC 2017). The eSTREAM stream cipher competition, organized by the European Network of Excellence for Cryptology, included a hardware profile for applications with highly restricted resources (Cid et al. 2012). In 2018, the National Institute of Standards and Technology (NIST) officially announced its lightweight cryptography standardization process, soliciting cryptographic algorithms that are suitable for use in constrained environments where the performance of the current NIST cryptography standards, namely Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) for authenticated encryption and Secure Hash Algorithm-2 (SHA-2) for hashing, is not acceptable. In 2019, the process received 57 authenticated encryption with associated data (AEAD) schemes with optional hashing functionality, and 32 of these schemes moved forward to the second round of the process (Turan et al. 2019). In 2021, NIST announced 10 finalists, namely Ascon, Elephant, GIFT-COFB (COmbined FeedBack), Romulus, Sparkle, Grain-128AEAD, ISAP, PHOTON-Beetle, TinyJAMBU and Xoodyak, for the last round of the process. These finalists provide a wide range of solutions for applications that need high performance and security in constrained environments.

16.2. Desired features

The main engineering challenge in lightweight cryptography is to find an optimal balance between security, performance and cost that is specific to the target applications and devices. Next, we highlight some of the desired features of lightweight algorithms for different use cases.

Security: as for general-purpose cryptographic algorithms, security is the most important criterion in lightweight designs. These designs are expected to withstand all known cryptographic attacks; however, different threat models might apply due to additional protections that a protocol can provide. For example, in applications that guarantee a proper generation of keys (e.g. using key derivation functions), security against related-key attacks might not be a serious concern. Similarly, in applications where nonce values are generated randomly, the algorithms may not need additional measures for nonce-misuse resistance. Additionally, the constraints of the devices might limit the number of known plaintext/ciphertext pairs available to the attackers, and smaller state sizes and internal counters may be suitable.

Hardware performance: the hardware performance of the algorithms is one of the most relevant features in lightweight cryptography, and the target metrics for hardware implementations can be listed as (i) the physical area needed for a circuit to implement the algorithm, (ii) latency, that is, the amount of time it takes to obtain the circuit’s output, (iii) throughput, that is, the amount of input data processed per time unit and (iv) the amount of power and energy needed to use the circuit. In applications such as supply-chain management or anti-counterfeiting, radio-frequency identification (RFID) tags with a small amount of memory are commonly used to identify and track products. Hardware-oriented algorithms with a low memory footprint are preferred for such applications. In automotive industry applications, or applications using fast and secure payments, the latency of the hardware implementations is more relevant. Additionally, in applications using battery-powered devices (e.g. embedded medical devices or environmental sensors), algorithms with low energy requirements are more suitable.

Software performance: the software performance of the algorithms on 8-, 16- and 32-bit microcontrollers is also important for lightweight designs. The target metrics for software implementations can be listed as (i) execution time, (ii) memory requirements (RAM/ROM), (iii) the size of the compiled code and (iv) throughput, that is, the amount of input processed during each clock cycle. In smart home applications using appliances with low-end processing units, software-oriented algorithms that consume a small amount of memory are desired.

Performance in high-end servers: in typical Internet of Things (IoT) applications, a large number of small devices connect to a central high-end server; each device periodically sends short encrypted messages to the server, which decrypts them in real time. Although lightweight ciphers are optimized for constrained devices, their performance in high-end systems is also important.

Side-channel resistance: for applications where a potential attacker has physical control of the constrained devices and has the ability to measure side channels such as power consumption or electromagnetic radiation, algorithms that provide inherent side-channel resistance, or lend themselves to efficient countermeasures such as masking, may be desirable.

Handling short messages: most general-purpose cryptographic algorithms are optimized for handling long messages to achieve high throughput. However, in applications such as automotive and industrial controllers, many small messages are processed. For such applications, algorithms with small computational overhead that are optimized to handle short messages are preferred. Additionally, for applications that may update keys frequently, algorithms with simple key scheduling algorithms are favored.


Multiple functionalities: all-in-one algorithms that use the same underlying primitive to provide multiple functionalities (e.g. authenticated encryption, hashing or message authentication code [MAC]) provide benefits in hardware area requirements when the application requires more than one functionality.

Simplicity: the security of simple designs is easier to understand through cryptanalysis. Since the security margins of lightweight algorithms are tighter compared to general-purpose algorithms, it is very important to have a good understanding of the designs, which can be achieved using simple components and round structures.

Flexibility: designs that provide flexibility in the selection of internal parameters, such as word sizes, number of rounds, or capacity and rate for permutation-based designs, can provide the best tradeoff for applications that use specific message sizes. Additionally, designs that provide implementation flexibility are also preferred.

16.3. Design approaches in lightweight cryptography

The initial attempts to design lightweight ciphers included choices that adversely affected the security of the candidates, such as using smaller key sizes (e.g. 80 bits), having very tight security margins (e.g. around 10%) or using smaller block sizes (e.g. 64 bits rather than 128) that significantly reduced the amount of data that can be processed securely. Similarly, some designers preferred over-simplified key schedules that resulted in large weak-key classes. As the body of scientific knowledge on lightweight cryptography increased, new robust lightweight designs that do not compromise security have emerged. Note that the security requirements of the NIST standardization process for lightweight AEAD and hashing schemes are aligned with the generic security requirements expected for general-purpose cryptography algorithms.
The second-round candidates of the NIST standardization process used block ciphers, permutations, tweakable block ciphers and stream ciphers as underlying primitives to construct AEAD schemes and hash functions (see Table 16.1). Block ciphers and tweakable block ciphers are usually preferred by the candidates that offer AEAD-only functionality, in order to achieve a small hardware area. Tweakable block ciphers tend to use small tweaks (e.g. less than 8 bits) to efficiently achieve domain separation for different types of input data (associated data or message), or to differentiate between empty and non-empty inputs or partial blocks. Permutation-based designs following the sponge construction and its variants are preferred by candidates that aim to achieve better performance in both constrained hardware and software, providing AEAD and hashing functionalities. Sponge designs are attractive for lightweight applications, since they do not need a separate key schedule algorithm. Additionally, the sponge construction and its variants support using different underlying permutations, which provides flexibility to adjust the number of rounds when processing different blocks (e.g. a smaller number of rounds to process associated data blocks). The flexibility to adjust the rate and capacity is also useful for additional optimizations when the message size is fixed.

Table 16.1. Underlying primitives of the second-round candidates

Candidates providing AEAD-only functionality:
  Permutation: Elephant, ISAP, Oribatida, SPIX, SpoC, WAGE
  Block cipher: COMET, GIFT-COFB, HyENA, mixFeed, Pyjamask, SAEAES, SUNDAE-GIFT, TinyJAMBU
  Tweakable block cipher: ForkAE, ESTATE, LOTUS-AEAD & LOCUS-AEAD, Romulus, Spook
  Stream cipher: Grain-128AEAD

Candidates providing AEAD and hashing functionalities:
  Permutation: ACE, Ascon, DryGASCON, Gimli, KNOT, ORANGE, PHOTON-Beetle, Sparkle, Subterranean 2.0, Xoodyak
  Block cipher: Saturnin
  Tweakable block cipher: SKINNY-AEAD & SKINNY-HASH

Compared to general-purpose block ciphers, simpler nonlinear and linear layers are preferred in lightweight block cipher designs. For nonlinear layers, 4-bit or 5-bit S-boxes (rather than 8-bit ones) are commonly used to achieve significant area savings. For example, the smallest AES S-box implementation using standard gates requires 113 gates (32 AND, 77 XOR, 4 XNOR), whereas the S-box used in Ascon can be implemented using only 22 gates (5 AND, 11 XOR, 6 NOT). Low-degree S-boxes that can be implemented with a small number of AND gates are also easier to mask with a small overhead for side-channel protection. Simple linear layers constructed with bit permutations are more beneficial than complex linear layers in hardware-oriented designs. However, designs with very simple rounds need to iterate over a large number of rounds to achieve security. It is still challenging to design robust ciphers with provable security properties that would be suitable for a wide range of real-world applications. However, partially due to the standardization efforts, there have been many improvements in the understanding of lightweight designs over the last decade.
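The following is an added example, not code from the book or from any NIST candidate, illustrating the three sponge properties described above (one permutation serving both hashing and keyed MAC with no key schedule, and the rate/capacity split as a free parameter). The permutation `toy_permutation`, the functions `toy_sponge`, `toy_hash` and `toy_mac`, and the 320-bit state size are assumptions constructed for the illustration; the toy permutation carries no security claim.

```python
# Added example (not from the book): a minimal sponge over a toy 320-bit
# permutation. Hashing and a keyed MAC come from the same permutation; the
# key is simply absorbed into the state, so there is no key schedule; the
# rate (and therefore the capacity) is a parameter of the construction.
# The permutation is an illustration only and has no security claim.

MASK64 = (1 << 64) - 1
STATE_BYTES = 40  # 5 x 64-bit words = 320 bits (assumed state size)


def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def toy_permutation(state, rounds=12):
    """Toy ARX permutation on five 64-bit words. Each step rewrites one word
    from the others only, so every step, and hence the whole map, is a bijection."""
    s = list(state)
    for r in range(rounds):
        s[2] ^= 0xF0 - r * 0x10 + r                     # round constant
        for i in range(5):
            s[i] = (s[i] + rotr(s[(i + 1) % 5], 7)) & MASK64
            s[i] ^= rotr(s[(i + 2) % 5], 19)
            s[(i + 3) % 5] = (s[(i + 3) % 5] + (s[i] ^ rotr(s[(i + 4) % 5], 28))) & MASK64
    return s


def state_to_bytes(state):
    return b"".join(w.to_bytes(8, "little") for w in state)


def bytes_to_state(buf):
    return [int.from_bytes(buf[8 * i:8 * i + 8], "little") for i in range(5)]


def toy_sponge(data, rate, out_len, key=b"", rounds=12):
    """Absorb key||data (10*-padded) rate bytes at a time, then squeeze out_len
    bytes. Capacity = STATE_BYTES - rate: a larger capacity buys security, a
    larger rate buys throughput, with the same permutation underneath."""
    if not 1 <= rate < STATE_BYTES:
        raise ValueError("rate must leave a nonzero capacity")
    # Real designs separate key, nonce and data with domain separation; this toy
    # only absorbs the key first, which is what turns the hash into a keyed MAC.
    msg = bytearray(key) + bytearray(data) + b"\x80"
    msg += b"\x00" * (-len(msg) % rate)
    state = [0] * 5
    for off in range(0, len(msg), rate):
        buf = bytearray(state_to_bytes(state))
        for i, byte in enumerate(msg[off:off + rate]):
            buf[i] ^= byte                               # xor block into the rate part
        state = toy_permutation(bytes_to_state(buf), rounds)
    out = bytearray()
    while len(out) < out_len:
        out += state_to_bytes(state)[:rate]             # read only the rate part
        state = toy_permutation(state, rounds)
    return bytes(out[:out_len])


def toy_hash(data, rate=8):
    return toy_sponge(data, rate, 32)


def toy_mac(key, data, rate=8):
    return toy_sponge(data, rate, 16, key=key)


if __name__ == "__main__":
    print("hash(rate 8): ", toy_hash(b"constructed message").hex())
    print("hash(rate 16):", toy_hash(b"constructed message", rate=16).hex())
    print("mac:          ", toy_mac(b"\x01" * 16, b"constructed message").hex())
```

Changing `rate` changes how many bytes each permutation call processes and, with it, the capacity left untouched by the attacker-controlled input; the permutation itself and the code around it stay the same, which is the flexibility the paragraph refers to.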
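As an added example that is not part of the book, the gate count quoted above for the Ascon S-box can be checked directly by writing the S-box as the bitsliced boolean circuit published in the Ascon specification and counting operations; the same circuit then yields the lookup table and the properties a designer uses to judge a 5-bit S-box (bijectivity, differential uniformity, linearity and algebraic degree). The `Gate` counting wrapper and the analysis helpers are constructed for this illustration.

```python
# Added example (not from the book): the Ascon 5-bit S-box as a bitsliced
# boolean circuit. Running it on counting operands verifies the quoted
# 22 gates (5 AND, 11 XOR, 6 NOT); running it on all 32 inputs gives the
# lookup table, from which the cryptographic properties are computed.

class Gate:
    """A single bit whose &, ^ and ~ operators also count the gates used."""
    count = {"AND": 0, "XOR": 0, "NOT": 0}

    def __init__(self, v):
        self.v = v & 1

    def __and__(self, other):
        Gate.count["AND"] += 1
        return Gate(self.v & other.v)

    def __xor__(self, other):
        Gate.count["XOR"] += 1
        return Gate(self.v ^ other.v)

    def __invert__(self):
        Gate.count["NOT"] += 1
        return Gate(1 - self.v)


def ascon_sbox(x0, x1, x2, x3, x4):
    """Bitsliced Ascon S-box (x0 is the most significant bit). Works on any
    operands supporting &, ^ and ~: Gate objects here, machine words in a
    real implementation."""
    x0 ^= x4; x4 ^= x3; x2 ^= x1                        # 3 XOR
    t0 = ~x0 & x1; t1 = ~x1 & x2; t2 = ~x2 & x3         # chi-like nonlinear
    t3 = ~x3 & x4; t4 = ~x4 & x0                        # layer: 5 NOT, 5 AND
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0    # 5 XOR
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2              # 3 XOR, 1 NOT
    return x0, x1, x2, x3, x4


def count_gates():
    """Evaluate the circuit once on counting operands and report gate usage."""
    Gate.count = {"AND": 0, "XOR": 0, "NOT": 0}
    ascon_sbox(*(Gate(0) for _ in range(5)))
    return dict(Gate.count)


def build_lut():
    """Evaluate the circuit on all 32 inputs to obtain the lookup table."""
    lut = []
    for x in range(32):
        bits = [Gate((x >> (4 - i)) & 1) for i in range(5)]
        out = ascon_sbox(*bits)
        lut.append(sum(b.v << (4 - i) for i, b in enumerate(out)))
    return lut


def differential_uniformity(s):
    """Largest DDT entry over nonzero input differences; the maximum
    differential probability is this value divided by len(s)."""
    n, best = len(s), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def linearity(s):
    """Largest absolute Walsh coefficient over nonzero output masks; the best
    linear approximation has correlation linearity / len(s)."""
    n, best = len(s), 0
    for a in range(n):
        for b in range(1, n):
            w = sum(1 - 2 * (bin((a & x) ^ (b & s[x])).count("1") & 1) for x in range(n))
            best = max(best, abs(w))
    return best


def algebraic_degree(s, nbits=5):
    """Maximum degree of the coordinate functions, via the Moebius transform
    (truth table -> algebraic normal form)."""
    deg = 0
    for bit in range(nbits):
        f = [(s[x] >> bit) & 1 for x in range(1 << nbits)]
        for i in range(nbits):
            for x in range(1 << nbits):
                if x & (1 << i):
                    f[x] ^= f[x ^ (1 << i)]
        deg = max(deg, max(bin(m).count("1") for m in range(1 << nbits) if f[m]))
    return deg


if __name__ == "__main__":
    lut = build_lut()
    print("gates:", count_gates())
    print("bijective:", sorted(lut) == list(range(32)))
    print("max DDT entry:", differential_uniformity(lut), "of 32")
    print("linearity:", linearity(lut), "of 32")
    print("algebraic degree:", algebraic_degree(lut))
```

The five AND gates are the only nonlinear operations, which is what makes masking cheap: each AND is the one gate whose shares must be recombined. The degree of 2 reported by the Moebius transform is the other side of the same coin, and is why the text notes that simple rounds need many iterations.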


16.4. References

Aumasson, J.-P. (2019). Too much crypto. Cryptology ePrint Archive, Report 2019/1492 [Online]. Available at: https://eprint.iacr.org/2019/1492.
Cid, C., Robshaw, M., Babbage, S., Borghoff, J., Velichkov, V. (2012). The eSTREAM Portfolio in 2012. Technical Report, Cryptographic Technology Guidelines [Online]. Available at: https://www.ecrypt.eu.org/stream/.
CRYPTREC (2017). CRYPTREC Cryptographic Technology Guideline (Lightweight Cryptography). Technical Report, Cryptographic Technology Guidelines [Online]. Available at: https://www.cryptrec.go.jp/en/tech_guidelines.html.
Turan, M.S., McKay, K., Çalık, Ç., Chang, D., Bassham, L. (2019). NISTIR 8268 status report on the first round of the NIST lightweight cryptography standardization process [Online]. Available at: https://csrc.nist.gov/publications/detail/nistir/8268/final.

17

Post-Quantum Symmetric Cryptography

María NAYA-PLASENCIA
Inria, Paris, France

The scientific community is expending significant effort to anticipate the enormous consequences of the arrival of quantum computers in cryptography. Most widely used asymmetric systems would become insecure due to Shor’s algorithm, and the community is very actively looking for replacements. Until recently, the consequences of quantum adversaries on symmetric primitives were much less studied. The main quantum algorithm relevant to symmetric cryptography is Grover’s algorithm, which allows the search of an unsorted database of size N in time O(N^{1/2}), reducing the security of symmetric primitives to its square root. Doubling the key length is sufficient to address that, and thus most of the cryptographic community considered the matter settled: unlike Shor’s result on RSA, which exploited the specificity of integer factorization, the symmetric primitives had only been approached by Grover’s acceleration of the generic “exhaustive search” attack. In seminal works in 2010 and 2012, Kuwakado and Morii (2010, 2012) showed that three rounds of the Feistel construction and the Even-Mansour construction, both safe classically, were not safe anymore in a very strong quantum model, the superposition model, where the attacker is allowed to perform quantum superposition queries to the


primitives: these constructions could be attacked using Simon’s algorithm (Simon 1994) in polynomial time O(n^3). Besides this, only two other papers in quantum cryptanalysis had been published: Leurent (2010) proposed a quantum attack on a hash function candidate to the SHA-3 competition, and Kaplan (2014) showed how to build quantum attacks against iterated block ciphers.

In the past few years, many new quantum symmetric cryptanalysis results have been proposed. The quantum algorithms used in symmetric cryptanalysis so far have mainly been Grover’s algorithm (Grover 1996) and Simon’s algorithm (Simon 1994). Using Simon’s algorithm, some results have shown how some widely used classical constructions would turn insecure in the superposition quantum setting, and how some classical families of cryptanalysis can benefit from a quantum exponential speed-up. Using Grover’s algorithm, other results have shown how to quantize classical attacks in less powerful settings, where the best achieved speed-up was, until recently, quadratic. We briefly point out in this chapter the main ones, together with some short discussions to put these results in context. The aim of this short chapter is not to give technical details but a summarized overview of the state of the art for this topic.

The main quantum algorithms used in symmetric cryptanalysis are: Grover’s algorithm (Grover 1996) and its generalizations, which allow the search for a marked element in a random space at the square root of the classical time cost; Simon’s algorithm (Simon 1994), which allows the recovery of a period with polynomial complexity, implying an exponential speed-up with regard to the best classical algorithms; and BHT (Brassard et al. 1998), which allows finding collisions with a cost of around 2^{n/3} in time, queries and quantum memory, improving on the optimal classical query complexity of 2^{n/2}. We will also see that some other quantum algorithms have been proposed.

17.1. Different considered models

17.1.1. With respect to the queries

There are two main models considered to classify quantum attacks on symmetric schemes. We will adopt the terminology from Kaplan et al. (2016b), Hosoyamada and Sasaki (2018b) and Bonnetain et al. (2019c) to describe them: the often called Q1 model, where the attacker can only perform classical queries to the encryption oracle but has a quantum computer for performing some offline computations; and the Q2 model, also known as “quantum chosen-plaintext attack” (qCPA) in Ito et al. (2019) and Cid et al. (2020), already mentioned above, where the attacker, in addition to having access to a quantum machine, can perform superposition queries to a quantum encryption oracle, which supposes that the encryption function has been implemented in a quantum computer. Note that hash functions or any other key-less primitive would not require a Q2 setting for performing these attacks, as the whole

publicly known construction could be implemented in a quantum computer by the attacker, who could then perform the superposition queries, placing the attack in Q1¹. While the first model seems much more realistic, the second one is also interesting to study. Some of the reasons are that it is a simple model to define, and therefore used in security proofs: if the security proofs consider this model, then it is absolutely necessary to consider it in cryptanalysis to verify whether the proofs indeed work or, on the contrary, whether they have some problem. It is also a non-trivial model, which means that we can construct safe primitives in it. In some cases, like when using obfuscation, this model could be particularly relevant. Additionally, a construction not having attacks in Q2 can be considered secure in all the intermediate possible settings, which is very reassuring.

A third, even more powerful model could be imagined. Indeed, in a very nice result from Roetteler and Steinwandt (2015), the authors show that if we consider the attacker to have access to a superposition of differences on the secret key (a quantum version of related-key attacks), all primitives are broken using Simon’s algorithm. This shows that in this very strong model all primitives are trivially broken, and therefore this model is not interesting to study.

As we will later see, recently some new results have been proposed showing how to adapt some superposition attacks to less powerful settings for the adversary. These results additionally show the importance of attacks in the Q2 setting: they might be extended to the Q1 one, improving the best known bounds.

17.1.2. With respect to memory

Depending on the attacks, we can sometimes consider access to different types of memory: classical memory; a small amount of qubits; or QRAMs, which are quantum memories that can again be classified in two types, as done by Kuperberg (2003): QRACM, which allows access in superposition to a classical memory, and QRAQM, which is quantum-accessible quantum memory. It goes without saying that the smaller or simpler the memory, the more realistic or efficient the attack, when considering the rest of the parameters equivalent. This is why a question often asked is: how can we reduce the memory of the attacks, or how can we reduce the type of memory requirements and provide the best possible time complexity? Algorithms and attacks using QRAM are definitely of theoretical interest and, in addition, they may provide new ideas that can be further exploited in new algorithms and attacks. Nevertheless, the scenario needing neither QRACM nor QRAQM is particularly

¹ This is why many have tried to build Simon attacks on hash functions, but for now, no interesting results have been found to the best of our knowledge.


meaningful, as it is widely accepted that big memories of this type are going to be very difficult to build.

17.2. On Simon’s and Q2 attacks

After Kuwakado and Morii’s first results, other attacks were proposed. For instance, in Kaplan et al. (2016a) and Santoli and Schaffner (2017), several classically secure authentication and authenticated encryption modes were attacked in the superposition setting with Simon’s algorithm. In Leander and May (2017), a combination of Grover’s and Simon’s algorithms is used to attack the FX construction, previously one of the most logical candidate constructions to use for key extension. In Bonnetain (2017), Bonnetain and Jaques (2022) and Shi et al. (2021), the constructions AEZ, Elephant and sESTATE (respectively) were attacked using Simon’s algorithm, also in this setting. Also in Kaplan et al. (2016a), a quantized version of the classical slide attacks was proposed, in the superposition setting and with polynomial complexity, this being one of the first (and for now only) exponential speed-ups of a classical cryptanalysis family. In Bonnetain et al. (2019a), a more detailed evaluation of quantum slide attacks is proposed. Many more such superposition attacks have since been proposed on other constructions, such as quantum chosen-ciphertext attacks on Feistel (Ito et al. 2019), reaching four rounds of the Feistel construction. In Canale et al. (2021), an automated method for detecting the existence of periods is proposed, which is a very promising direction, as they are not always trivial to identify. Linearization attacks, introduced in Bonnetain et al. (2021), target forgeries on MACs in the Q2 model using inputs of multiple blocks as an interface to a function hiding a linear structure. Besides using Simon’s algorithm, some variants use other quantum algorithms for the first time in quantum forgeries or key-recovery attacks: Deutsch’s (1985) algorithm, the Bernstein-Vazirani (1997) algorithm and Shor’s (1994) algorithm.
Some other polynomial attacks in the superposition setting have been proposed using algorithms other than Simon’s. In Xie and Yang (2019), attacks on three-round Feistel and Even-Mansour are proposed, using the Bernstein-Vazirani algorithm. The paper by Alagic and Russell (2017) proposed possible tweaks against Simon’s attacks, the most realistic and interesting of which was using modular addition instead of XOR operations. In Bonnetain and Naya-Plasencia (2018), the implications of this tweak were studied and new attacks using Kuperberg’s algorithm (Kuperberg 2005) instead of Simon’s were proposed, together with an algorithm, “Simon-meets-Kuperberg”, for the intermediate case of having several parallel modular additions. In the case of modular additions, instead of having a complexity polynomial in the size of the secret, we have a subexponential complexity of 2^{O(√n)}.
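The following added example (not from the book) shows classically, on a toy 8-bit Even-Mansour instance, the algebraic structure behind Kuwakado and Morii’s result and the Alagic-Russell tweak discussed above: with XOR key addition, the function f(x) = E(x) ⊕ P(x) has the secret k1 as an XOR period, which is exactly what Simon’s algorithm recovers with O(n) superposition queries in Q2; with modular addition in place of XOR, no XOR period exists, and the problem becomes the hidden-shift problem with the subexponential cost quoted above. The permutation, keys and block size are constructed values, and no quantum computation is performed; the brute-force period search stands in for the quantum query so the structure can be inspected.

```python
# Added example (not from the book): classical check of the hidden XOR period
# in Even-Mansour that a Q2 Simon attack relies on, and of its disappearance
# when XOR is replaced by modular addition. All values are constructed toys.
import random

N_BITS = 8
SIZE = 1 << N_BITS


def random_permutation(seed):
    """Public permutation P of the Even-Mansour construction (toy, 8-bit)."""
    rng = random.Random(seed)
    p = list(range(SIZE))
    rng.shuffle(p)
    return p


def even_mansour_xor(P, k1, k2):
    """E(x) = P(x xor k1) xor k2: the classical Even-Mansour cipher."""
    return lambda x: P[x ^ k1] ^ k2


def even_mansour_add(P, k1, k2):
    """E(x) = P(x + k1) + k2 mod 2^n: the modular-addition variant
    suggested as a countermeasure by Alagic and Russell."""
    return lambda x: (P[(x + k1) % SIZE] + k2) % SIZE


def simon_function(E, P):
    """f(x) = E(x) xor P(x). For the XOR construction,
    f(x xor k1) = P(x) xor k2 xor P(x xor k1) = f(x): k1 is an XOR period."""
    return lambda x: E(x) ^ P[x]


def xor_periods(f):
    """All nonzero s with f(x xor s) = f(x) for every x. This exhaustive check
    is what Simon's algorithm replaces by a polynomial number of queries."""
    return [s for s in range(1, SIZE)
            if all(f(x ^ s) == f(x) for x in range(SIZE))]


def demo(seed=1, k1=0x5A, k2=0xC3):
    """Return the XOR periods of f for both constructions (constructed keys)."""
    P = random_permutation(seed)
    f_xor = simon_function(even_mansour_xor(P, k1, k2), P)
    f_add = simon_function(even_mansour_add(P, k1, k2), P)
    return {"xor": xor_periods(f_xor), "add": xor_periods(f_add)}


if __name__ == "__main__":
    result = demo()
    print("XOR Even-Mansour, periods found:", [hex(s) for s in result["xor"]])
    print("modular-addition variant, periods found:", result["add"])
```

The point for a designer is that the period is a property of the construction, not of the permutation: any choice of P yields it, so resistance in the superposition model has to come from the way the key enters the state (or from a large enough state, as Section 17.4 discusses), not from the strength of P.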


17.2.1. Off-line Simon’s attack

Besides these attacks in the superposition setting, an off-line version of Simon’s attack was proposed in Bonnetain et al. (2019c). In this work, Simon’s algorithm is applied in the Q1 setting by extending a technique that allowed the number of queries of Simon’s attack to be considerably reduced when combined with Grover’s. To do this, the secret of the analyzed function is decomposed into two parts. One will be recovered by applying Grover’s algorithm, and the other will be recovered by applying Simon’s after first simulating the needed partial superposition queries from classical ones, therefore not needing quantum queries to the oracle. This off-line Simon attack allows the improvement of several of the parameters of the previously best known attacks. Even more, in a very recent work (Bonnetain et al. 2022), using this technique on a particular construction, the authors were able, for the first time, to achieve a better than quadratic speed-up relative to classical attacks in the Q1 setting. A complete implementation of the offline Simon algorithm has been provided in Bonnetain and Jaques (2022).

17.3. Quantizing classical attacks in Q1

Many new results have recently appeared regarding quantized versions of classical attacks. We present here some of the main ones. For instance, quantum differential, truncated differential and linear cryptanalysis were presented in Kaplan et al. (2016b), obtaining some non-intuitive results: for instance, the best attack in a classical world might not stay the best attack in the post-quantum one. In Bonnetain et al. (2019b), a generalized framework for quantizing symmetric attacks, using nested (imbricated) Grover searches, is proposed; together with some tools, it allowed the first detailed evaluation of the quantum security of the AES. A side result of this work is that some ideas could be applied to the best classical attacks, also improving their best known complexity.
A quantum version of Demirci-Selçuk meet-in-the-middle attacks and quantum boomerang attacks are presented in Hosoyamada and Sasaki (2018b) and Frixons et al. (2021), respectively. In Xie and Yang (2017, 2019), the authors propose to use quantum algorithms to efficiently find truncated and impossible differential paths (but no actual speed-up of these attacks is presented). In Hosoyamada and Sasaki (2018a), several attacks in the Q1 model are proposed on some popular constructions, though these results were considerably improved with the off-line Simon’s algorithm. In order to correctly compare these quantum attacks with a fair estimation of the generic attacks, a detailed study of the cost of Grover’s algorithm for each primitive should be performed, as was the case with AES and LowMC in Jaques et al. (2020).

17.3.1. About collisions

The quantum algorithm BHT (Brassard et al. 1998) allowed the discovery of collisions on n bits with a cost in queries, time and QRAM of about 2^{n/3}.


In Chailloux et al. (2017), a new quantum algorithm was proposed that allowed a solution to the collision problem with fewer computations than classical algorithms, while needing only a polynomial number of qubits, which had been an open problem since 2004. The cost of this algorithm is around 2^{2n/5} in time, with a classical memory need of 2^{n/5}. In a very exciting result from Hosoyamada and Sasaki (2020), the authors exploit the fact that the quantum collision speed-up is smaller than quadratic to show how the number of rounds attacked through collisions on some hash functions can be higher in a post-quantum setting than in the classical one. They consider different memory models for this, and the gain can differ depending on the model. They also built, in Hosoyamada and Sasaki (2021), quantum collision attacks on SHA-256 and SHA-512 that considerably improve on the classical number of attacked rounds (38 and 39, respectively, versus 31 and 27). Some results on quantum multicollisions are presented by Hosoyamada et al. (2017, 2019, 2020). New quantum algorithms for efficiently solving the generalized birthday problem, with several implications for cryptanalysis, are proposed by Grassi et al. (2018), Naya-Plasencia and Schrottenloher (2020) and Schrottenloher (2021). An algorithm for finding quantum golden collisions with no QRAM is proposed by Jaques and Schrottenloher (2020).

17.4. On the design of quantum-safe primitives

Besides the natural need for bigger keys in the post-quantum world for an equivalent ideal security, bigger than usual internal states, to avoid internal quantum collisions, also seem like a good idea. In particular, the candidate Saturnin (Canteaut et al. 2020) in the NIST lightweight competition was designed with the purpose of also providing quantum resistance in the superposition model.
Many authentication constructions suffer from superposition attacks, in particular the most efficient ones, like OCB (Krovetz and Rogaway 2021). In Bhaumik et al. (2021), a new efficient authentication mode resistant to superposition attacks is proposed. In addition, sponge constructions (Bertoni et al. 2008) and their variants seem resistant to the most powerful quantum attacks when the instances provide big enough capacities. The quantum indistinguishability of random sponges was studied by Czajkowski et al. (2018, 2019). Elsewhere, the four-round Luby-Rackoff construction is proved to be a qPRP in Hosoyamada and Iwata (2019), the tight quantum security of HMAC and NMAC is analyzed by Hosoyamada and Iwata (2021a), and provably quantum-secure tweakable block ciphers are proposed by Hosoyamada and Iwata (2021b).


17.5. Perspectives and conclusion

17.5.1. About losing the quantum and classical surname

We expect that in a post-quantum world the surname “classical” or “quantum” for identifying the attacks will disappear, and that only the best attacks with respect to the best generic ones will matter (where the best generic attack will surely be Grover’s). In this context, the knowledge of the best current quantum attacks seems very important, as they will define the future security margin, even though the number of rounds might be decreased: primitives can paradoxically be more secure against quantum adversaries, as the generic attack will also be better. Some results are of course particularly motivating, such as the collision attacks that reach more rounds in the post-quantum setting, or the attacks that achieve a better than quadratic speed-up in Q1.

17.5.2. No panic

Most of the modern constructions seem to resist quantum adversaries. We need to remain vigilant and continue analyzing possible quantum adversary capacities, but symmetric cryptography seems to be holding up very well. As a future interesting field of work, new generic ways of extending the internal state size, as well as the key size, with a quantum security proof could be very useful for securely extending the use of current secure block ciphers to post-quantum applications.

17.6. References

Alagic, G. and Russell, A. (2017). Quantum-secure symmetric-key cryptography based on hidden shifts. In EUROCRYPT 2017, Part III, vol. 10212 of Lecture Notes in Computer Science, Coron, J., Nielsen, J.B. (eds). Springer.
Bernstein, E. and Vazirani, U.V. (1997). Quantum complexity theory. SIAM J. Comput., 26(5), 1411–1473.
Bertoni, G., Daemen, J., Peeters, M., Assche, G.V. (2008). On the indifferentiability of the sponge construction. In EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, Smart, N.P. (ed.). Springer.
Bhaumik, R., Bonnetain, X., Chailloux, A., Leurent, G., Naya-Plasencia, M., Schrottenloher, A., Seurin, Y. (2021). QCB: Efficient quantum-secure authenticated encryption. In ASIACRYPT 2021, Part I, vol. 13090 of Lecture Notes in Computer Science, Tibouchi, M., Wang, H. (eds). Springer.
Bonnetain, X. (2017). Quantum key-recovery on full AEZ. In SAC 2017, vol. 10719 of Lecture Notes in Computer Science, Adams, C., Camenisch, J. (eds). Springer.


Bonnetain, X. and Jaques, S. (2022). Quantum period finding against symmetric primitives in practice. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2022(1), 1–27.
Bonnetain, X. and Naya-Plasencia, M. (2018). Hidden shift quantum cryptanalysis and implications. In ASIACRYPT 2018, Part I, vol. 11272 of Lecture Notes in Computer Science, Peyrin, T., Galbraith, S.D. (eds). Springer.
Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A. (2019a). On quantum slide attacks. In SAC 2019, vol. 11959 of Lecture Notes in Computer Science, Paterson, K.G., Stebila, D. (eds). Springer.
Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A. (2019b). Quantum security analysis of AES. IACR Trans. Symmetric Cryptol., 2019(2), 55–93.
Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Y., Schrottenloher, A. (2019c). Quantum attacks without superposition queries: The offline Simon’s algorithm. In ASIACRYPT 2019, Part I, vol. 11921 of Lecture Notes in Computer Science, Galbraith, S.D., Moriai, S. (eds). Springer.
Bonnetain, X., Leurent, G., Naya-Plasencia, M., Schrottenloher, A. (2021). Quantum linearization attacks. In ASIACRYPT 2021, Part I, vol. 13090 of Lecture Notes in Computer Science, Tibouchi, M., Wang, H. (eds). Springer.
Bonnetain, X., Schrottenloher, A., Sibleyras, F. (2022). Beyond quadratic speedups in quantum attacks on symmetric schemes. In EUROCRYPT 2022, Part III, vol. 13277 of Lecture Notes in Computer Science, Dunkelman, O., Dziembowski, S. (eds). Springer.
Brassard, G., Høyer, P., Tapp, A. (1998). Quantum cryptanalysis of hash and claw-free functions. In LATIN ’98, vol. 1380 of Lecture Notes in Computer Science, Lucchesi, C.L., Moura, A.V. (eds). Springer.
Canale, F., Leander, G., Stennes, L. (2021). Automatic detection of periods in symmetric crypto. Dagstuhl Seminar 21421 – Quantum Cryptanalysis.
Canteaut, A., Duval, S., Leurent, G., Naya-Plasencia, M., Perrin, L., Pornin, T., Schrottenloher, A. (2020). Saturnin: A suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol., 2020(S1), 160–207.
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A. (2017). An efficient quantum collision search algorithm and implications on symmetric cryptography. In ASIACRYPT 2017, Part II, vol. 10625 of Lecture Notes in Computer Science, Takagi, T., Peyrin, T. (eds). Springer.
Cid, C., Hosoyamada, A., Liu, Y., Sim, S.M. (2020). Quantum cryptanalysis on contracting Feistel structures and observation on related-key settings. In INDOCRYPT 2020, vol. 12578 of Lecture Notes in Computer Science, Bhargavan, K., Oswald, E., Prabhakaran, M. (eds). Springer.
Czajkowski, J., Bruinderink, L.G., Hülsing, A., Schaffner, C., Unruh, D. (2018). Post-quantum security of the sponge construction. In PQCrypto 2018, vol. 10786 of Lecture Notes in Computer Science, Lange, T., Steinwandt, R. (eds). Springer.
Czajkowski, J., Hülsing, A., Schaffner, C. (2019). Quantum indistinguishability of random sponges. In CRYPTO 2019, Part II, vol. 11693 of Lecture Notes in Computer Science, Boldyreva, A., Micciancio, D. (eds). Springer.
Deutsch, D. (1985). Quantum theory, the Church-Turing principle and the universal quantum computer. Proceedings of the Royal Society London A, 400, 97–117.

Post-Quantum Symmetric Cryptography

211

Frixons, P., Naya-Plasencia, M., Schrottenloher, A. (2021). Quantum boomerang attacks and some applications. In SAC 2021, vol. 13203 of Lecture Notes in Computer Science, AlTawy, R., Hülsing, A. (eds). Springer. Grassi, L., Naya-Plasencia, M., Schrottenloher, A. (2018). Quantum algorithms for the k-xor problem. In ASIACRYPT 2018, Part I, vol. 11272 of Lecture Notes in Computer Science, Peyrin, T., Galbraith, S.D. (eds). Springer. Grover, L.K. (1996). A fast quantum mechanical algorithm for database search. In STOC, Miller, G.L. (ed.). ACM. Hosoyamada, A. and Iwata, T. (2019). Four-round Luby-Rackoff construction is a qPRP. In ASIACRYPT 2019, Part I, vol. 11921 of Lecture Notes in Computer Science, Galbraith, S.D., Moriai, S. (eds). Springer. Hosoyamada, A. and Iwata, T. (2021a). On tight quantum security of HMAC and NMAC in the quantum random oracle model. In CRYPTO 2021, Part I, vol. 12825 of Lecture Notes in Computer Science, Malkin, T., Peikert, C. (eds). Springer. Hosoyamada, A. and Iwata, T. (2021b). Provably quantum-secure tweakable block ciphers. IACR Trans. Symmetric Cryptol., 2021(1), 337–377. Hosoyamada, A. and Sasaki, Y. (2018a). Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations. In CT-RSA 2018, vol. 10808 of Lecture Notes in Computer Science, Smart, N.P. (ed.). Springer. Hosoyamada, A. and Sasaki, Y. (2018b). Quantum Demiric-Selçuk meet-in-the-middle attacks: Applications to 6-round generic Feistel constructions. In SCN 2018, vol. 11035 of Lecture Notes in Computer Science, Catalano, D., Prisco, R.D. (eds). Springer. Hosoyamada, A. and Sasaki, Y. (2020). Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In EUROCRYPT 2020, Part II, vol. 12106 of Lecture Notes in Computer Science, Canteaut, A., Ishai, Y. (eds). Springer. Hosoyamada, A. and Sasaki, Y. (2021). Quantum collision attacks on reduced SHA-256 and SHA-512. 
In CRYPTO 2021, Part I, vol. 12825 of Lecture Notes in Computer Science, Malkin, T., Peikert, C. (eds). Springer. Hosoyamada, A., Sasaki, Y., Xagawa, K. (2017). Quantum multicollision-finding algorithm. In ASIACRYPT 2017, Part II, vol. 10625 of Lecture Notes in Computer Science, Takagi, T., Peyrin, T. (eds). Springer. Hosoyamada, A., Sasaki, Y., Tani, S., Xagawa, K. (2019). Improved quantum multicollisionfinding algorithm. In PQCrypto 2019, vol. 11505 of Lecture Notes in Computer Science, Ding, J., Steinwandt, R. (eds). Springer. Hosoyamada, A., Sasaki, Y., Tani, S., Xagawa, K. (2020). Quantum algorithm for the multicollision problem. Theor. Comput. Sci., 842, 100–117. Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T. (2019). Quantum chosenciphertext attacks against feistel ciphers. In CT-RSA 2019, vol. 11405 of Lecture Notes in Computer Science, Matsui, M. (ed.). Springer. Jaques, S. and Schrottenloher, A. (2020). Low-gate quantum golden collision finding. In SAC 2020, vol. 12804 of Lecture Notes in Computer Science, Dunkelman Jr., O., M.J.J., O’Flynn, C. (eds). Springer.

212

Symmetric Cryptography 2

Jaques, S., Naehrig, M., Roetteler, M., Virdia, F. (2020). Implementing Grover oracles for quantum key search on AES and LowMC. In EUROCRYPT 2020, Part II, vol. 12106 of Lecture Notes in Computer Science, Canteaut, A., Ishai, Y. (eds). Springer. Kaplan, M. (2014). Quantum attacks against iterated block ciphers. CoRR [Online]. Available at: http://arxiv.org/abs/1410.1434. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M. (2016a). Breaking symmetric cryptosystems using quantum period finding. In CRYPTO 2016, Part II, vol. 9815 of Lecture Notes in Computer Science, Robshaw, M., Katz, J. (eds). Springer. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M. (2016b). Quantum differential and linear cryptanalysis. IACR Trans. Symmetric Cryptol., 2016(1), 71–94. Krovetz, T. and Rogaway, P. (2021). The design and evolution of OCB. J. Cryptol., 34(4), 36. Kuperberg, G. (2003). The capacity of hybrid quantum memory. IEEE Trans. Inf. Theory, 49(6), 1465–1473. Kuperberg, G. (2005). A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput., 35(1), 170–188. Kuwakado, H. and Morii, M. (2010). Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In ISIT 2010. Kuwakado, H. and Morii, M. (2012). Security on the quantum-type Even-Mansour cipher. In ISITA 2012. Leander, G. and May, A. (2017). Grover meets Simon – Quantumly attacking the FXconstruction. In ASIACRYPT 2017, Part II, vol. 10625 of Lecture Notes in Computer Science, Takagi, T., Peyrin, T. (eds). Springer. Leurent, G. (2010). Quantum preimage and collision attacks on CubeHash. IACR Cryptol. ePrint Arch., 506 [Online]. Available at: http://eprint.iacr.org/2010/506. Naya-Plasencia, M. and Schrottenloher, A. (2020). Optimal merging in quantum k-xor and k-xor-sum algorithms. In EUROCRYPT 2020, Part II, vol. 12106 of Lecture Notes in Computer Science, Canteaut, A., Ishai, Y. (eds). Springer. Roetteler, M. and Steinwandt, R. (2015). 
A note on quantum related-key attacks. Information Processing Letters, 115(1), 40–44. Santoli, T. and Schaffner, C. (2017). Using Simon’s algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput., 17(1&2), 65–78. Schrottenloher, A. (2021). Improved quantum algorithms for the k-XOR problem. In SAC 2021, vol. 13203 of Lecture Notes in Computer Science, AlTawy, R., Hülsing, A. (eds). Springer. Shi, T., Wu, W., Hu, B., Guan, J., Wang, S. (2021). Breaking LWC candidates: sESTATE and Elephant in quantum setting. Des. Codes Cryptogr., 89(7), 1405–1432. Shor, P.W. (1994). Algorithms for quantum computation: Discrete logarithms and factoring. In FOCS ’94. IEEE Computer Society. Simon, D.R. (1994). On the power of quantum cryptography. In FOCS ’94. IEEE Computer Society.

Post-Quantum Symmetric Cryptography

213

Xie, H. and Yang, L. (2017). Quantum impossible differential and truncated differential cryptanalysis. CoRR [Online]. Available at: http://arxiv.org/abs/1712.06997. Xie, H. and Yang, L. (2019). Using Bernstein-Vazirani algorithm to attack block ciphers. Des. Codes Cryptogr., 87(5), 1161–1182.

18

New Fields in Symmetric Cryptography

Léo PERRIN
Inria, Paris, France

As evidenced by the content of this encyclopedia, there is ample knowledge and literature about both the design and the analysis of symmetric primitives implemented on processors or electronic circuits and operating over bitstrings. Of course, some areas still require further attention, such as low-latency designs, and the cryptanalysis of current and future standards, as well as of other recommended algorithms, remains of crucial importance as these standards are used to secure the digital data created and transmitted every day. Nevertheless, there is no denying that this area has reached a certain maturity. Still, many problems in symmetric cryptography remain open. Perhaps counter-intuitively, not all symmetric algorithms are intended to be run on regular CPUs or smartcards: instead, there is a growing need for primitives tailored to some "virtual machines" where the available instructions do not correspond directly to CPU instructions or logic gates but to sophisticated computations embedded inside high-level protocols. In this chapter, we focus on two such directions that have already seen some preliminary exploration in recent years. Nevertheless, a lot remains to be uncovered for both, and the emergence of needs that have not yet been thought of is always a possibility.

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.


The first direction we discuss is related to the arithmetization needed by some zero-knowledge (ZK) protocols (section 18.1); the second deals with the minimization of the multiplicative complexity required by some homomorphic encryption protocols (section 18.2). As we will see, while both have already received substantial attention, significant (arguably even the majority of the) work remains to be done.

18.1. Arithmetization-oriented symmetric primitives (ZK proof systems)

While the concept of "zero-knowledge" proof is more than 30 years old (Goldwasser et al. 1989), it has found renewed interest in recent years. One of the main motivations for this increased popularity comes from the blockchain world. Indeed, instead of being mere public ledgers as originally intended for Bitcoin, blockchains can now offer more sophisticated features such as smart contracts. As a result, there is a need for security guarantees not only on data (as can be provided by symmetric cryptography), but on full computations. This allows complex computations to be offloaded to third parties without needing to trust them, as they provide a proof that they indeed ran the computation they were expected to. These guarantees can be obtained using advanced ZK protocols. These allow, for instance, a prover to argue that a secret input is contained in a given set, or that a specific arithmetic circuit was evaluated correctly on a given input, without revealing what this input is. Examples of such protocols include, in no particular order, STARKs (Ben-Sasson et al. 2018), Bulletproofs (Bünz et al. 2018) and Plonk (Gabizon et al. 2019). In practice, such protocols require the use of hash functions within their internal language, meaning that the hash functions themselves must be amenable to this logic.
What this means is that verifying whether a hash function was evaluated correctly should involve arithmetic circuits that satisfy some specific constraints (see below), for instance that they contain as few multiplications as possible. In turn, this implies that the round function R of the inner primitive of the hash function must be such that, given a pair (x, y), verifying whether y = R(x) involves evaluating an "efficient" circuit. Furthermore, the multiplications considered, and indeed all the operations, are done in a finite field F_q where q is large (typically of the order of 2^60 or more) and is either an odd power of 2 or a prime number. Usual hash functions such as SHA-3 (Bertoni et al. 2013) are not well suited to this setting. Indeed, their round function is defined over F_2, meaning that their verification in a protocol would require encoding elements of F_2, along with the corresponding operations, using operations over F_q. This is prohibitively expensive, as established in Ben-Sasson et al. (2020).


In order to decrease the cost of such protocols, dedicated algorithms are needed that are designed from the ground up to operate within such contexts. Such algorithms have been termed arithmetization-oriented (AO) by Aly et al. (2020). Below, we first discuss our current understanding of arithmetization-orientation (section 18.1.1), and then the first attempts that have been made in this direction (section 18.1.2). We then pay special attention to the new challenges that emerge in terms of cryptanalysis in this new field (section 18.1.3).

18.1.1. The current understanding of this new language

As hinted above and as a first approximation, AO algorithms use elementary operations corresponding to finite field arithmetic, that is, addition and multiplication. Their internal state is then an element of F_q^t, where t is typically between 2 and 12, a stark difference with, for example, SHA-3, whose state is in F_2^1600. The value of q is not a choice of the designer of the symmetric primitive. Instead, it is imposed by the higher-level protocol requiring the arithmetization. For example, some protocols like Plonk are based on pairing-friendly elliptic curves. In such cases, the field F_q is the scalar field of the elliptic curve (the order of its prime-order subgroup), so that q is a 255-bit prime when the curve BLS12-381 is used (the 381 in the name is the size of the curve's base field, not of q). Alternatively, in the STARK case, a prime q ≈ 2^61 such that q − 1 is a multiple of 2^32 can be used. As we can see, there are substantial differences in the value of q, meaning that AO algorithms need to be flexible and allow users to pick safe values of t and of the number of rounds to reach a given security level. It is difficult to give a general estimate of what the cost of a primitive is in these contexts. Indeed, different arithmetization techniques exist that imply different costs for the different operations.
For instance, Groth16 (Groth 2016) and Bulletproofs (Bünz et al. 2018) rely on what is called a Rank-1 Constraint System (R1CS), where the verification corresponds to the evaluation of an arithmetic circuit such that affine gates are free, and where the cost is proportional to the total number of multiplications needed. For instance, enforcing that y ← c(ax + b)^10 + x would be done with the following constraints:

1) t0 = ax
2) t1 = t0 + b
3) t2 = t1 × t1
4) t3 = t2 × t2
5) t4 = t3 × t3
6) t5 = t2 × t4
7) t6 = c t5
8) y = t6 + x

where constraints 1, 2, 7 and 8 are free (as they correspond to affine operations), and where constraints 3, 4, 5 and 6 have a cost of 1 each. The aim when designing an R1CS-friendly primitive is then to decrease the number of such multiplications.
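The cost accounting above, carried out by a small constraint builder. This is an added example, not part of the chapter and not the code of any proof system: wires are kept as linear combinations of witness variables, so affine steps (constraints 1, 2, 7 and 8) produce no constraint and only multiplications allocate a rank-1 constraint. The square-and-multiply gadget reproduces the chain t2 = t1^2, t3 = t1^4, t4 = t1^8, t5 = t2 × t4 for exponent 10 and, more generally, costs ⌊log2 e⌋ + popcount(e) − 1 constraints for any exponent e (2 for x^3 and 3 for x^5, the S-box exponents of section 18.1.2). The 61-bit Mersenne prime and the parameter values are constructed for the demo.

```python
"""Minimal R1CS cost model: affine operations are free, each multiplication is one constraint."""

P = 2**61 - 1  # Mersenne prime used as a stand-in field (constructed parameter for the demo)


def lc_add(x, y, p=P):
    """Affine combination of two wires: a dictionary merge, no constraint is allocated."""
    out = dict(x)
    for var, coef in y.items():
        out[var] = (out.get(var, 0) + coef) % p
    return {v: c for v, c in out.items() if c}


def lc_scale(x, k, p=P):
    """Multiplication of a wire by a public constant: also free."""
    return {v: c * k % p for v, c in x.items() if c * k % p}


class R1CS:
    """Witness vector w with w[0] = 1; constraints are (A, B, C) with <A,w> * <B,w> = <C,w>."""

    def __init__(self, p=P):
        self.p = p
        self.w = [1]
        self.constraints = []

    def eval(self, lc, w=None):
        w = self.w if w is None else w
        return sum(coef * w[var] for var, coef in lc.items()) % self.p

    def new_input(self, value):
        self.w.append(value % self.p)
        return {len(self.w) - 1: 1}

    def mul(self, lc_a, lc_b):
        """The only costed operation: allocate an output wire and one rank-1 constraint."""
        out_val = self.eval(lc_a) * self.eval(lc_b) % self.p
        self.w.append(out_val)
        out = {len(self.w) - 1: 1}
        self.constraints.append((dict(lc_a), dict(lc_b), dict(out)))
        return out

    def satisfied(self, w=None):
        """What the verifier checks: every constraint holds on the (possibly tampered) witness."""
        return all(self.eval(A, w) * self.eval(B, w) % self.p == self.eval(C, w)
                   for A, B, C in self.constraints)


def pow_gadget(cs, base, e):
    """base^e by square-and-multiply: floor(log2 e) squarings + (popcount(e) - 1) products."""
    result = None
    acc = base
    while e:
        if e & 1:
            result = acc if result is None else cs.mul(result, acc)
        e >>= 1
        if e:
            acc = cs.mul(acc, acc)
    return result


def build_circuit(a, b, c, x_val, e=10, p=P):
    """Enforce y = c * (a*x + b)^e + x; returns the constraint system and the output wire y."""
    cs = R1CS(p)
    x = cs.new_input(x_val)
    t1 = lc_add(lc_scale(x, a, p), {0: b % p}, p)   # a*x + b: free (constraints 1 and 2)
    t5 = pow_gadget(cs, t1, e)                      # (a*x + b)^e: the costed part (3 to 6)
    y = lc_add(lc_scale(t5, c, p), x, p)            # c*t5 + x: free (constraints 7 and 8)
    return cs, y


def r1cs_cost(e, p=P):
    """Number of constraints needed to raise a wire to the power e."""
    cs = R1CS(p)
    pow_gadget(cs, cs.new_input(2), e)
    return len(cs.constraints)


if __name__ == "__main__":
    a, b, c, x = 3, 5, 7, 123456789  # constructed demo values
    cs, y = build_circuit(a, b, c, x)
    print("constraints:", len(cs.constraints), "y =", cs.eval(y))
    print("verifier accepts honest witness:", cs.satisfied())
```

Tampering with any intermediate wire of the witness makes `satisfied` return False, which is exactly the property the proof system turns into a succinct argument; the count returned by `r1cs_cost` is the quantity a first-wave AO designer minimizes.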


For Plonk (Gabizon et al. 2019), the situation is different. This proof system has a more complex arithmetization process where additions have a cost. On the other hand, it has been augmented to allow the design of custom gates (Gabizon and Williamson 2019) that can evaluate more complex operations at a much lower cost than in R1CS. As a result, the efficiency of a primitive in this context depends very much on the skill and the time devoted to its implementation. For example, a basic implementation of Poseidon uses about 600 Plonk gates, but a tailor-made one with custom gates requires closer to 100 gates (Ambrona et al. 2022). As a rule of thumb, it is the total number of operations (both linear and nonlinear) that must be limited for Plonk, while keeping in mind that reusing a specific operation can open the door to the use of custom gates.

18.1.2. The first attempts

How do existing AO algorithms achieve this property? Below, we separate the existing AO algorithms into two distinct waves that are more or less aligned with their times of publication.

18.1.2.1. First wave: basic arithmetization

The first AO algorithms were focused on limiting the number of nonlinear operations. To this end, they took a straightforward approach: if R can be implemented using a circuit with a low number of multiplications in F_q, then y = R(x) can be verified by evaluating a low number of multiplications. Equivalently, if the round function has a low degree, then it is trivial to verify it using low-degree functions. This method was pioneered by MiMC (Albrecht et al. 2016): this block cipher operates on F_{2^129} by iterating the simple round function x → (x + k + c_i)^3, where k is the 129-bit master key, and where the values {c_i}_{i≥0} are pseudo-random round constants. In the same paper, a Feistel-based variant was proposed, which was then generalized to obtain the ciphers of the gMiMC family (Albrecht et al. 2019), which are based on generalized Feistel structures.
HadesMiMC is another AO block cipher (Grassi et al. 2020) that is built on a different principle. It is an SPN with a low-degree S-box (usually x → x^3 or x → x^5) and an MDS matrix as diffusion layer. However, there is a twist: the first four and the last four rounds are "full", meaning that the S-box is applied in parallel on all the elements of the internal state, but, in the inner rounds, the S-box is only applied to one of the elements, while the linear layer still mixes the full state. This lets the degree grow with each round while the number of R1CS constraints remains contained. HadesMiMC served as the basis for the permutation used by the Poseidon (Grassi et al. 2021b) hash function. More recently, the AO authenticated cipher Ciminion (Dobraunig et al. 2021a) relies on a low-degree permutation of F_q^3 with a simple round function whose nonlinear operation is simply (x, y, z) ← (x + yz, y, z).


Again, for all these algorithms, the approach to achieve arithmetization-orientation is based on the use of a low-degree round function. As we will see below, it is possible to use more subtle methods.

18.1.2.2. Second wave: beyond the low-degree round function

Rescue (Aly et al. 2020) is a block cipher presented in 2020 that enables a more sophisticated arithmetization strategy. Suppose that a permutation R is such that R^{-1} can be efficiently verified. Then, given x and y, it is cheap to check whether y = R(x): instead of evaluating the expensive circuit of R, we check whether x = R^{-1}(y), which involves only the cheap R^{-1} function. As a result, the round function of Rescue consists of two "steps", each having an S-box layer, a multiplication of the internal state by an MDS matrix, and a constant addition. During the first step, x → x^α is used as the S-box (where α is typically equal to 3 or 5, and must be coprime to q − 1 for this map to be a permutation of F_q), and its inverse x → x^{1/α} is used in the second step. Thanks to this approach, the verification remains of low degree. On the other hand, the round function has a much higher degree than in Poseidon, which prevents some attacks. An even more recent design, Reinforced Concrete (Grassi et al. 2021a), pushes the boundaries of what can be arithmetized further. This algorithm is specifically tailored for use with an augmented version of Plonk, and in particular relies on its ability to evaluate arbitrary functions for a reasonable cost, though there are of course conditions on what these functions can be. It relies on a slightly unusual nonlinear layer that is more subtle than a simple monomial, and on an MDS matrix. These are used to make "usual" rounds. However, the main novelty of this permutation lies at its center: a specific permutation applied in the middle round decomposes F_p into a Cartesian product of much smaller sets, and an S-box (see footnote 1) is then applied on each of these sets.
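The inverse-S-box trick of Rescue, as an added example (not from the chapter or from the Rescue specification). Over the 64-bit prime p = 2^64 − 2^32 + 1 (a constructed choice, any large prime would do), the code first picks the smallest odd α coprime to p − 1, which is what makes x ↦ x^α a permutation (3 and 5 both divide p − 1 for this prime, so α = 7), then shows that a prover's step x ↦ x^{1/α} + c, whose exponent has about 64 bits, is checked by the verifier with only the four multiplications of y ↦ y^α. The MDS matrix is omitted because it is affine and therefore free in the R1CS cost model of section 18.1.1; `mul_count` counts square-and-multiply steps, that is, R1CS constraints.

```python
"""Rescue's trick: the verifier checks the inverse S-box, which is the cheap direction."""

from math import gcd

P = 2**64 - 2**32 + 1  # 64-bit prime; constructed choice of field for the demo


def choose_alpha(p):
    """Smallest odd alpha >= 3 with gcd(alpha, p - 1) = 1, so that x -> x^alpha permutes F_p."""
    alpha = 3
    while gcd(alpha, p - 1) != 1:
        alpha += 2
    return alpha


def mul_count(e):
    """Multiplications used by square-and-multiply for x^e (the R1CS cost of that exponentiation)."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


ALPHA = choose_alpha(P)              # 7 for this prime: 3 and 5 divide p - 1
INV_ALPHA = pow(ALPHA, -1, P - 1)    # d with alpha * d = 1 mod (p - 1), hence (x^d)^alpha = x


def sbox_inv_layer(state, consts, p=P):
    """Rescue's second step without the MDS matrix: x -> x^(1/alpha), then add a round constant.
    (The linear layer is left out: it is affine and costs nothing in an R1CS.)"""
    return [(pow(x, INV_ALPHA, p) + c) % p for x, c in zip(state, consts)]


def verify_sbox_inv_layer(x_state, y_state, consts, p=P):
    """Prover claims y = sbox_inv_layer(x). Instead of recomputing x^(1/alpha) (exponent ~2^63),
    the verifier checks (y - c)^alpha == x, i.e. mul_count(ALPHA) multiplications per element."""
    return all(pow((y - c) % p, ALPHA, p) == x for x, y, c in zip(x_state, y_state, consts))


def cost_comparison():
    """Multiplications per element: naive re-evaluation of x^(1/alpha) versus the inverse check."""
    return {"forward_1/alpha": mul_count(INV_ALPHA), "inverse_check_alpha": mul_count(ALPHA)}


if __name__ == "__main__":
    x = [1, 2, 3]                          # constructed state, t = 3
    consts = [0x1234, 0x5678, 0x9ABC]      # constructed round constants
    y = sbox_inv_layer(x, consts)
    print("alpha =", ALPHA, "honest step verifies:", verify_sbox_inv_layer(x, y, consts))
    y[0] = (y[0] + 1) % P
    print("tampered step verifies:", verify_sbox_inv_layer(x, y, consts))
    print(cost_comparison())
```

Because x ↦ x^α is a bijection when gcd(α, p − 1) = 1, the check is sound as well as cheap: a tampered y has no chance of passing, since x has exactly one α-th root.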
As we can see, one of the difficulties when designing AO algorithms is that the very definition of arithmetization is a complex topic, and a changing one as well.

18.1.3. Cryptanalysis

If the primitives are defined over F_{2^n}, then many of the known techniques are directly applicable. First, the definition and the behavior of differential and linear cryptanalysis are the same. Furthermore, since AO algorithms tend to rely on power functions applied to elements of F_{2^n}, these attacks are easily thwarted: x → x^3 is an APN function, meaning that the maximum probability of a non-trivial differential traversing it is 2^{1−n}. Given that n is at least equal to 60 in most cases, differential attacks are essentially a non-issue.

1 In this case, “S-box” is used in the usual sense of “operation working over a small enough set that it can be defined via its lookup table”.


The same cannot be said for other attack techniques, and in particular for higher-order differential attacks (see Chapter 10). Those are especially suited to target algorithms with a low-degree round function, meaning that first-wave AO primitives may be vulnerable to them. As shown in Beyne et al. (2020), the principle behind this attack can be adapted to F_q when q is a prime number, and in fact allows zero-sum distinguishers for some full permutations in the gMiMC family. Assessing the security level of primitives against such attacks can be complex, even when q = 2^n. As shown in Bouvier et al. (2022), merely computing the algebraic degree (a key quantity when mounting a higher-order differential attack) of MiMC is a very involved task, and the behavior of this quantity is surprisingly complex. There are of course attacks targeting specific constructions, such as the ones presented in Beyne et al. (2020) and Keller and Rosemarin (2021) against Poseidon. In these works, the authors showed that some weak choices of the linear layer could lead to the emergence of subspace trails covering all the central (partial) rounds "for free". A key aspect of the cryptanalysis of AO algorithms is their inherent vulnerability to a class of attacks that we nickname "root-finding attacks" (see footnote 2). Let F_r be the round function used at round r in an AO primitive, and let x_r be the internal state at the start of round r (so that the input of the primitive is x_0). Then, by definition of arithmetization-orientation, there exist polynomials P_r with a low multiplication count such that P_r(x_r, x_{r+1}) = 0 for all r. As a result, the values of the internal state are solutions of a low-degree system of polynomial equations that can be solved using an off-the-shelf solver, typically based on finding a Gröbner basis of the system and then using it to find the roots.

18.2. Symmetric ciphers for hybrid homomorphic encryption

We use (G, +, ×) to denote a ring consisting of the set of elements G, with addition "+" and multiplication "×". A homomorphic encryption (HE) scheme is a function E mapping a plaintext in a ring (G, +, ×) to a ciphertext in a ring (H, ⊕, ⊗), so that E(x + y) = E(x) ⊕ E(y) and E(x × y) = E(x) ⊗ E(y). Constructing such a scheme is a priori well out of the scope of symmetric cryptography. However, promising directions in this area actually require symmetric encryption. Let H_k be a homomorphic encryption algorithm with key k, and let E be a symmetric encryption algorithm. The core idea to encrypt a message m is to generate a temporary key t, encrypt it homomorphically using H_k, and then operate on the tuple (H_k(t), E_t(m)).

2 The term “algebraic attack” has been used in this context, but this term is so overloaded that we deem it beneficial to use another term here.
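Before turning to the HE setting, the root-finding attack of section 18.1.3 in its simplest form, as an added example that is not part of the chapter. It targets a constructed 3-round MiMC-like cipher over the prime field F_p with p = 2^32 − 5 (gcd(3, p − 1) = 1, so x → x^3 is a permutation; real MiMC works in a 129-bit field with a round count chosen so that the degree 3^r is of the order of the field size, which is exactly what puts this attack out of reach there). With a single unknown, the key k, one plaintext/ciphertext pair yields a single polynomial E_k(x_0) − y_0 of degree 3^r = 27 in k, so no Gröbner basis is needed: the roots in F_p are found directly by taking the gcd with k^p − k and splitting the result (Cantor–Zassenhaus style). Round constants and the secret key are constructed demo values; the polynomial arithmetic is written out so the block runs without any library.

```python
"""Root-finding attack, univariate case: one unknown (the key), one polynomial of degree 3^rounds."""

P = 2**32 - 5          # prime with gcd(3, P - 1) = 1, so x -> x^3 permutes F_P (constructed toy field)
CONSTS = [0x9E3779B9 % P, 0x7F4A7C15 % P, 0x3C6EF372 % P]   # constructed round constants, 3 rounds


def mimc_encrypt(x, k, consts=CONSTS, p=P):
    """MiMC-style encryption: iterate x -> (x + k + c_i)^3 over F_p."""
    for c in consts:
        x = pow((x + k + c) % p, 3, p)
    return x


# --- univariate polynomial arithmetic over F_P; coefficient lists, lowest degree first ---

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def padd(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)])


def psub(a, b):
    return padd(a, [(-c) % P for c in b])


def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % P
    return trim(out)


def pdivmod(a, b):
    """Long division by a nonzero polynomial b; returns (quotient, remainder)."""
    a, db, inv = trim(a[:]), len(b) - 1, pow(b[-1], P - 2, P)
    q = [0] * max(1, len(a) - db)
    while len(a) - 1 >= db and a != [0]:
        coef, shift = a[-1] * inv % P, len(a) - 1 - db
        q[shift] = coef
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % P
        trim(a)
    return trim(q), a


def pgcd(a, b):
    """Monic gcd by Euclid's algorithm."""
    a, b = trim(a[:]), trim(b[:])
    while b != [0]:
        a, b = b, pdivmod(a, b)[1]
    inv = pow(a[-1], P - 2, P)
    return [c * inv % P for c in a]


def ppowmod(base, e, mod):
    """base^e mod the polynomial mod, by square-and-multiply."""
    result, base = [1], pdivmod(base, mod)[1]
    while e:
        if e & 1:
            result = pdivmod(pmul(result, base), mod)[1]
        base = pdivmod(pmul(base, base), mod)[1]
        e >>= 1
    return result


def key_polynomial(x0, y0, consts=CONSTS):
    """E_k(x0) - y0 as a polynomial in the unknown key k; its degree is 3^rounds."""
    s = [x0 % P]
    for c in consts:
        s = padd(s, [c, 1])            # x + k + c_i, with k the indeterminate
        s = pmul(pmul(s, s), s)        # (.)^3
    return psub(s, [y0 % P])


def roots_in_field(f):
    """All roots of f in F_P: keep the linear factors via gcd(f, k^P - k), then split them
    with gcd(g, (k + a)^((P-1)/2) - 1) for successive shifts a (Cantor-Zassenhaus)."""
    g = pgcd(f, psub(ppowmod([0, 1], P, f), [0, 1]))
    roots, stack, a = [], [g], 0
    while stack:
        g = stack.pop()
        if len(g) == 1:                       # constant: no root
            continue
        if len(g) == 2:                       # linear g1*k + g0
            roots.append((-g[0]) * pow(g[1], P - 2, P) % P)
            continue
        a += 1
        h = pgcd(g, psub(ppowmod([a, 1], (P - 1) // 2, g), [1]))
        if 1 < len(h) < len(g):
            stack += [h, pdivmod(g, h)[0]]
        else:
            stack.append(g)                   # this shift did not split g: try the next one
    return sorted(roots)


def recover_key(x0, y0, consts=CONSTS):
    """Candidate keys consistent with one plaintext/ciphertext pair."""
    return roots_in_field(key_polynomial(x0, y0, consts))


SECRET_KEY = 0x2545F491 % P    # the "unknown" key of the demo (constructed)
X0 = 12345
Y0 = mimc_encrypt(X0, SECRET_KEY)

if __name__ == "__main__":
    cands = recover_key(X0, Y0)
    print("degree of the key polynomial:", len(key_polynomial(X0, Y0)) - 1)
    print("candidate keys:", cands, "true key found:", SECRET_KEY in cands)
```

A degree-27 polynomial may have a few spurious roots in F_p besides the true key; a second plaintext/ciphertext pair removes them. The cost of the attack is governed by the degree 3^r, which is why the round count, not the field size alone, is the security parameter of first-wave designs.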


18.2.1. The current understanding of this new language

In order for this technique to work, it is necessary that the circuit implementing the symmetric cipher instance E_t can be efficiently evaluated homomorphically. To better understand what this means in practice, it is necessary to take a short detour through homomorphic encryption. To the best of our knowledge, one of the most promising directions for HE at this stage is based on learning with errors (LWE). The specifics of this technique do not matter here, but we refer the interested reader to the seminal work of Gentry (2009) and to all its follow-ups. However, a key aspect of homomorphic schemes based on LWE or its generalizations is that of noise. It is a quantity that is increased by the homomorphic evaluation of each logical gate, and such that the ciphertext can no longer be decrypted accurately once it reaches a certain threshold. The breakthrough of Gentry is a process that bypasses this issue by essentially resetting the noise at the cost of a re-encryption called bootstrapping. Nevertheless, the growth of the noise needs to remain under control, which in turn has an impact on the design of HE-friendly symmetric ciphers. Most work in the area of HE-friendly symmetric encryption has focused on the case where the underlying alphabet corresponds to bitstrings, and where the core operations are bit-wise addition (i.e. XOR) and bit-wise multiplication (i.e. logical AND). The HE schemes for which those are intended yield little to no noise increase for addition, but a higher increase for multiplication. As a result, it is necessary to limit the number of nonlinear operations, while linear ones can be used liberally. Nevertheless, much like the ZK protocols mentioned in section 18.1, HE is a fast-moving field, so that the cost of each operation can change with each improvement. For example, fully homomorphic encryption over the torus (TFHE) (Chillotti et al. 2016) can combine a bootstrapping with the application of an arbitrary lookup table.

18.2.2. First design strategies

The symmetric designs intended to satisfy these constraints fit into two broad categories. The first exploits the comparatively low cost of linear operations (section 18.2.2.1), while the second brings back a style of primitive that was otherwise perhaps falling out of favor: the register-based stream cipher (section 18.2.2.2).

18.2.2.1. Heavy linear layers

In 2015, Albrecht et al. (2015) published LowMC, a block cipher intended for use in various emerging areas where a symmetric primitive is needed but where the relevant performance metrics are not the usual ones. HE is one of its intended targets, and indeed it is built to minimize the number of nonlinear operations while relying on very heavy linear layers for its security. It uses a quadratic 3-bit S-box that is applied to a part of the internal state only, while a pseudo-randomly generated dense full-rank binary matrix is applied to the full state in the linear layer. It is worth mentioning that multiple attacks have targeted this algorithm, the most recent requiring only one plaintext/ciphertext pair (Banik et al. 2020). The idea of relying on a very heavy linear layer for security was pushed even further in Rasta (Dobraunig et al. 2018). It is a stream cipher where a wide permutation is applied to a secret key to generate the keystream, the permutation being both nonce and counter dependent. While the nonlinear layer is fixed to be a simple quadratic permutation applied to the full state, the linear layers are dense full-rank binary matrices that are regenerated pseudo-randomly for each nonce and counter value. Since each permutation is applied only once, its security requirements are more relaxed than those of a permutation intended to be used in a sponge-based hash function. Rasta paved the way for multiple variants, namely Dasta (Hebborn and Leander 2020), which uses a more efficient method to derive the linear layers, and Pasta (Dobraunig et al. 2021b) and Masta (Ha et al. 2020), both of which operate on a different alphabet, so that they have to use modular arithmetic.

18.2.2.2. Register-based stream ciphers

A completely different approach was initiated in parallel that relies on tailor-made stream ciphers. In the context of HE, the only functionality required from the symmetric primitive is encryption. As a result, a stream cipher is sufficient: there is no need for a more sophisticated mode of operation. The first HE-oriented stream cipher was Kreyvium (Canteaut et al. 2016), which was proposed at FSE 2016. It can be seen as an updated version of the Trivium (Cannière 2006) stream cipher, a natural choice as its state update function consists of three NLFSRs, meaning that it contains very few AND gates. A different approach for a similar goal was introduced by the authors of FLIP (Méaux et al. 2016). It is also a stream cipher, but its inner workings are completely different from those of Trivium and Kreyvium. FLIP is a filter permutator: it uses a large key (with a size much higher than the intended security level) and generates the keystream by selecting some bits from this large key (using public randomness derived from a nonce and a counter) and then applying a filter to them. The filter is a Boolean function with sophisticated properties intended to thwart some attacks, and with a low number of multiplications to keep the noise low. The original FLIP was attacked by Duval et al. (2016) before its publication. Its authors then updated their cipher and created FiLIP (Méaux et al. 2019). Some of the same authors again used a similar principle to construct a stream cipher called Elisabeth (Cosseron et al. 2022), which is intended for use with TFHE, meaning that it operates on modular ring elements rather than bit strings, and that its filter uses a low number of lookup table calls rather than a low number of AND gates.
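As an added example (not from the chapter, and not the code of LowMC or Rasta): a tiny circuit tracer that records the two quantities this section says HE-friendly designs minimize, the number of AND gates and the multiplicative depth, treating XOR as free, as the text describes for LWE-based schemes. It is run exhaustively over the 3-bit quadratic S-box of LowMC, whose formula (a ⊕ bc, a ⊕ b ⊕ ac, a ⊕ b 锟 c ⊕ ab) is reproduced from the LowMC specification as I recall it, and over a LowMC-style partial nonlinear layer in which only a few S-boxes act per round; the rotation standing in for the dense linear layer is a placeholder, chosen only because any binary matrix adds no ANDs.

```python
"""Cost model for HE-friendly designs: count AND gates and multiplicative depth of a Boolean circuit."""

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Bit:
    val: int      # concrete value, 0 or 1
    depth: int    # multiplicative depth of the expression that produced it


class AndCounter:
    """Evaluates a circuit on concrete bits while recording the HE-relevant costs:
    XOR is free (noise grows little), AND is counted and raises the depth by one."""

    def __init__(self):
        self.ands = 0

    def const(self, v):
        return Bit(v & 1, 0)

    def xor(self, x, y):
        return Bit(x.val ^ y.val, max(x.depth, y.depth))

    def and_(self, x, y):
        self.ands += 1
        return Bit(x.val & y.val, max(x.depth, y.depth) + 1)


def lowmc_sbox(cc, a, b, c):
    """3-bit quadratic S-box (a ^ bc, a ^ b ^ ac, a ^ b ^ c ^ ab), as I recall it from the
    LowMC specification: three ANDs, multiplicative depth one."""
    return (cc.xor(a, cc.and_(b, c)),
            cc.xor(cc.xor(a, b), cc.and_(a, c)),
            cc.xor(cc.xor(cc.xor(a, b), c), cc.and_(a, b)))


def analyse_sbox(sbox, width=3):
    """Exhaustively evaluate a small S-box: (ANDs per call, max depth, is it a permutation?)."""
    outputs = set()
    ands_per_call = None
    max_depth = 0
    for bits in product((0, 1), repeat=width):
        cc = AndCounter()
        out = sbox(cc, *(cc.const(v) for v in bits))
        ands_per_call = cc.ands
        max_depth = max(max_depth, *(o.depth for o in out))
        outputs.add(tuple(o.val for o in out))
    return ands_per_call, max_depth, len(outputs) == 2 ** width


def partial_sbox_layer_cost(rounds, state_bits, sboxes_per_round):
    """LowMC-style partial nonlinear layer: only `sboxes_per_round` S-boxes act on the state in
    each round, the rest passes through; the linear layer is modelled by a rotation because any
    binary matrix is AND-free. Returns (total ANDs, multiplicative depth) of the iterated cipher."""
    cc = AndCounter()
    state = [cc.const(i & 1) for i in range(state_bits)]   # constructed input block
    for _ in range(rounds):
        for s in range(sboxes_per_round):
            a, b, c = state[3 * s: 3 * s + 3]
            state[3 * s: 3 * s + 3] = lowmc_sbox(cc, a, b, c)
        state = state[1:] + state[:1]   # placeholder for the dense linear layer
    return cc.ands, max(b.depth for b in state)


if __name__ == "__main__":
    print("LowMC S-box (ANDs, depth, permutation):", analyse_sbox(lowmc_sbox))
    print("10 rounds, 12-bit state, 1 S-box/round:", partial_sbox_layer_cost(10, 12, 1))
```

The two numbers pull in opposite directions: fewer S-boxes per round means fewer ANDs per round but the same depth per round, so the partial layer lowers the AND count while the depth, which is what the noise budget of a levelled scheme actually bounds, still grows by one per round.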


18.3. Parting thoughts

In this chapter, we have briefly summarized the substantial research in symmetric cryptography that was triggered by advances in two completely different fields, namely ZK protocols and (fully) homomorphic encryption. In both cases, "traditional" primitives are not suitable because their underlying alphabet and the cost associated with each operation differ widely from the usual case of CPUs and electronic circuits. Interestingly, most recent primitives can in fact be thought of as "primitive factories" or "meta-primitives" in the sense that, rather than a primitive, designers describe a method to construct a primitive given as inputs, for instance, a field size and a security parameter. This significantly changes the attack surface, and raises the problem of the secure generation of parameters. Furthermore, the very foundation corresponding to said alphabets and costs is still shaky, as new advances in high-level protocols change the requirements that the symmetric algorithms have to fulfill. As a result, much remains to be done in these areas and in all the new areas that have yet to emerge!

18.4. References

Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M. (2015). Ciphers for MPC and FHE. In EUROCRYPT 2015, Part I, vol. 9056 of Lecture Notes in Computer Science, Oswald, E., Fischlin, M. (eds). Springer.
Albrecht, M.R., Grassi, L., Rechberger, C., Roy, A., Tiessen, T. (2016). MiMC: Efficient encryption and cryptographic hashing with minimal multiplicative complexity. In ASIACRYPT 2016, Part I, vol. 10031 of Lecture Notes in Computer Science, Cheon, J.H., Takagi, T. (eds). Springer.
Albrecht, M.R., Grassi, L., Perrin, L., Ramacher, S., Rechberger, C., Rotaru, D., Roy, A., Schofnegger, M. (2019). Feistel structures for MPC, and more. In ESORICS 2019, Part II, vol. 11736 of Lecture Notes in Computer Science. Springer.
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A. (2020). Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol., 2020(3), 1–45.
Ambrona, M., Schmitt, A., Toledo, R.R., Willems, D. (2022). New optimization techniques for PlonK's arithmetization. IACR Cryptol. ePrint Arch., 462 [Online]. Available at: https://eprint.iacr.org/2022/462.
Banik, S., Barooti, K., Durak, F.B., Vaudenay, S. (2020). Cryptanalysis of LowMC instances using single plaintext/ciphertext pair. IACR Trans. Symmetric Cryptol., 2020(4), 130–146.
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M. (2018). Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Paper 2018/046 [Online]. Available at: https://eprint.iacr.org/2018/046.
Ben-Sasson, E., Goldberg, L., Levit, D. (2020). STARK friendly hash – Survey and recommendation. Cryptology ePrint Archive, Paper 2020/948 [Online]. Available at: https://eprint.iacr.org/2020/948.

224

Symmetric Cryptography 2


New Fields in Symmetric Cryptography

225


Chapter 19. Deck-function-based Cryptography

Joan DAEMEN
Radboud University, Nijmegen, The Netherlands

Symmetric Cryptography 2, coordinated by Christina BOURA and María NAYA-PLASENCIA. © ISTE Ltd 2023.

19.1. Block-cipher centric cryptography

Modern cryptographic schemes built as a mode of use of a keyed block cipher come with a security guarantee: assuming the underlying block cipher is (S)PRP-secure, the cryptographic scheme can be proven secure. The PRP and SPRP security notions have become so accepted that they are referred to as the standard model. Because of the split into block ciphers and provably secure modes, the assurance of block-cipher-based cryptographic schemes can be based entirely on public scrutiny of the block cipher with respect to its PRP (or SPRP) security. Cryptanalysts can focus their efforts on trying to find attacks that distinguish the block cipher from a random permutation in the simple scenario of having query access and a fixed unknown key.

19.2. Permutation-based cryptography

During the last decade, a field of permutation-based cryptography has appeared that, similarly to block-cipher-based crypto, defines modes and constructions on top of permutations. Moreover, many new permutations have been proposed, even including some decent ones. Most of the modes have at their core the sponge construction (Bertoni et al. 2011a) or its variant, the duplex construction (Bertoni et al. 2011b). More recently, more parallel modes have been proposed based on the Farfalle construction (Bertoni et al. 2017).

19.3. The problem of the random permutation security model

Similar to block-cipher-based modes, several modes of permutations have been proven secure assuming the underlying permutation is ideal. At this level, a philosophical problem presents itself that casts a dark shadow over permutation-based crypto: the absence of a standard model. While it is reasonable to assume one can build a block cipher that, when keyed with an unknown and uniformly chosen key, is hard to distinguish from a random permutation, it is simply impossible to formalize what it means for a permutation to behave like an ideal permutation. This is due to the absence of a dedicated key input in a permutation: in (S)PRP security, the block cipher can hide behind the unknown key, while a permutation has nothing to hide behind.

This problem is in fact not unique to permutation-based crypto. Constructions that call an unkeyed block cipher, like the Davies-Meyer construction used in Merkle-Damgård style hashing (as in MD5, SHA-1 and all SHA-2 instances), have the same problem, as they can only be proven secure assuming the block cipher was uniformly selected from the set of all possible block ciphers with the given dimensions. These are proofs in the ideal permutation or ideal (block) cipher model. One may ask the question: what do these security proofs in the ideal model mean then? There is no consensus on the answer to this question. Clearly, a construction with a good bound does not introduce weaknesses at construction level: any attack must make use of specific properties of the permutation or block cipher.
However, for keyed modes, (S)PRP gives a clear criterion for block cipher designers, namely to build something that is hard to distinguish from a random permutation, and likewise a clear goal for cryptanalysts. For permutations, such a clear criterion appears absent.

Taking some distance, it seems that there should not be a difference between block-cipher-based crypto and permutation-based crypto. Internally they make use of the same types of operations, and at the top level they offer the same kind of services: encryption and/or MAC computation under some secret key. So is there a fundamental difference?

19.4. Deck functions

The answer is that there is a difference, but not a fundamental one. Permutation-based crypto can have its own standard model by trading in the block cipher for instances of the keyed duplex construction and the Farfalle construction (or variants of these two) as central primitive. Both are instances of what we call doubly extendable cryptographic keyed functions, or deck functions for short (Daemen et al. 2018a). Informally, deck functions are keyed cryptographic functions that take an arbitrary-length input, can generate an arbitrary-length output and are efficiently extendable. The latter means that after computing some output string for a given input string, it is efficient both to generate more output (as in most modern stream ciphers) and to generate output for a longer input that contains the former input as a prefix (as in most modern MAC functions).

The equivalent for deck functions of the (S)PRP security of block ciphers is pseudorandom function (PRF) security: the difficulty of distinguishing a deck function with a fixed and unknown key from a random oracle. Modes can be defined in terms of deck functions and proven secure in the setting where the deck function is replaced by a random oracle. Similar to a block cipher, a deck function itself cannot be proven secure; rather, its security is based on public scrutiny. Hence the standard model for deck functions is just their PRF security.

Similar to modern block ciphers that decompose into a datapath and a key schedule, deck functions are built from smaller components. In the case of duplex, the main building block is a permutation, and in the case of Farfalle it is one or more permutations and rolling functions. The design criterion for these building blocks is to result in a deck function that is PRF-secure. The main difference between block ciphers and deck functions is that the latter take variable-length input and generate variable-length output. Cryptanalysts describe attacks on instances based on reduced-round permutations, and the difference between the nominal number of rounds and the number of rounds that can be broken is the safety margin.
So in the practice of cryptanalysis, there is no difference. In any case, it is plausible that a PRF-secure deck function can be built for the same reason that an (S)PRP-secure block cipher can be built, and for any given deck function public scrutiny will deliver the assurance.

19.5. Modes of deck functions and instances

With their extendable input and output, and their efficient extension property, duplex and Farfalle, and deck functions in general, allow the definition of very simple modes for building (authenticated) encryption schemes. These modes are so simple that their security proofs, building on the PRF security of the underlying deck function, are either immediate or very simple. A deck function can be used as a stream cipher by taking a nonce as input and the output as keystream. It can be used as a MAC function by taking the message as input and the output as tag. Different modes for session authenticated encryption have been defined in the Xoodoo Cookbook (Daemen et al. 2018b), one relying on a user-provided nonce and a synthetic IV mode that is more robust under nonce misuse. In Gunsing et al. (2019), there is even a deck-function-based wide block cipher mode, supporting a tweakable block cipher with variable block length that can be arbitrarily large.

The first concrete deck function coined as such was Xoofff, a Farfalle instance with the permutation Xoodoo (Daemen et al. 2018a). It is very efficient on a wide range of platforms and even faster than AES in counter mode on modern CPUs with dedicated AES instructions. A more recent deck function is Subterranean-Deck (Daemen et al. 2020). This is more specialized and especially designed for low power in dedicated hardware. We believe these are just the beginning and we will see a transition from block ciphers to deck functions as the central primitive in keyed symmetric cryptography.

19.6. References

Bertoni, G., Daemen, J., Peeters, M., Assche, G.V. (2011a). Cryptographic sponge functions [Online]. Available at: https://keccak.team/files/SpongeFunctions.pdf.
Bertoni, G., Daemen, J., Peeters, M., Assche, G.V. (2011b). Duplexing the sponge: Single-pass authenticated encryption and other applications. In SAC 2011, vol. 7118 of Lecture Notes in Computer Science, Miri, A., Vaudenay, S. (eds). Springer.
Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Assche, G.V., Keer, R.V. (2017). Farfalle: Parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol., 2017(4), 1–38.
Daemen, J., Hoffert, S., Assche, G.V., Keer, R.V. (2018a). The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol., 2018(4), 1–38.
Daemen, J., Hoffert, S., Assche, G.V., Keer, R.V. (2018b). Xoodoo cookbook. IACR Cryptol. ePrint Arch., 2018, 767 [Online]. Available at: https://eprint.iacr.org/2018/767.
Daemen, J., Massolino, P.M.C., Mehrdad, A., Rotella, Y. (2020). The Subterranean 2.0 cipher suite. IACR Trans. Symmetric Cryptol., 2020(S1), 262–294.
Gunsing, A., Daemen, J., Mennink, B. (2019). Deck-based wide block cipher modes and an exposition of the blinded keyed hashing model. IACR Trans. Symmetric Cryptol., 2019(4), 1–22.
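The two modes of section 19.5 (a deck function used as a stream cipher by absorbing a nonce, and as a MAC by absorbing the message), together with the output- and input-extension property of section 19.4, written out as an added example. This is not code from the chapter or from the Xoodoo/Xoofff designers. Since no deck function ships with Python's standard library, the deck function here is an assumption of the example: a keyed sponge built from hashlib's SHAKE256 that absorbs the key as the first string of its input sequence. The class and function names, the "stream" and "mac" domain strings, and the encrypt-then-MAC composition at the end are the example's own choices and not the session AE modes of the Xoodoo Cookbook. The stand-in only serves to show the interface and the modes; which primitive to trust as PRF-secure is, as the chapter says, a matter of public scrutiny.

```python
"""Stream-cipher and MAC modes on top of a deck-function interface.

Added example, not code from the chapter or from the Xoodoo/Xoofff designers.
ASSUMPTION: the deck function is a keyed sponge built from SHAKE256 (hashlib),
standing in for a dedicated deck function such as Xoofff.
"""
import hashlib
import hmac

KEY_LEN = 32    # bytes
NONCE_LEN = 16  # bytes
TAG_LEN = 16    # bytes


class KeyedSpongeDeck:
    """Deck-function interface: arbitrary-length input sequence, arbitrary-length output.

    Each absorbed string is framed with an 8-byte length, so the input sequence
    (K, X1, X2) is a different input from (K, X1 || X2).
    """

    def __init__(self, key: bytes):
        if len(key) != KEY_LEN:
            raise ValueError("key must be %d bytes" % KEY_LEN)
        self._st = hashlib.shake_256()
        self._push(key)  # the key is the first string of the input sequence

    def _push(self, s: bytes) -> None:
        self._st.update(len(s).to_bytes(8, "big") + s)

    def absorb(self, s: bytes) -> "KeyedSpongeDeck":
        """Input extension: evaluate on the current input sequence extended by s.

        self is left untouched, so output already squeezed for the shorter input
        stays valid and the common prefix is never re-processed.
        """
        ext = object.__new__(KeyedSpongeDeck)
        ext._st = self._st.copy()
        ext._push(s)
        return ext

    def squeeze(self, n: int) -> bytes:
        """Output extension: the first n output bytes; squeeze(m), m > n, extends them."""
        # Finalize a copy so the stored state can still absorb afterwards.
        return self._st.copy().digest(n)


# Modes of section 19.5.  A domain string keeps the two uses of one key apart.

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: keystream = F_K("stream", nonce); output = data XOR keystream.

    XOR is an involution, so the same call decrypts.
    """
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = KeyedSpongeDeck(key).absorb(b"stream").absorb(nonce).squeeze(len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def mac(key: bytes, message: bytes) -> bytes:
    """MAC: tag = first TAG_LEN bytes of F_K("mac", message)."""
    return KeyedSpongeDeck(key).absorb(b"mac").absorb(message).squeeze(TAG_LEN)


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


# Encrypt-then-MAC built from the two modes above: this example's own simple
# composition, not one of the session AE modes of the Xoodoo Cookbook.

def ae_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = stream_xor(key, nonce, plaintext)
    return ct + mac(key, nonce + ct)  # nonce has fixed length, so nonce + ct is unambiguous


def ae_decrypt(key: bytes, nonce: bytes, ciphertext: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if len(ciphertext) < TAG_LEN:
        return None
    ct, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    if not mac_verify(key, nonce + ct, tag):
        return None
    return stream_xor(key, nonce, ct)


if __name__ == "__main__":
    key = bytes(range(KEY_LEN))   # constructed demo key, not a real one
    nonce = bytes(NONCE_LEN)      # constructed demo nonce
    msg = b"arbitrary-length input, arbitrary-length output"
    boxed = ae_encrypt(key, nonce, msg)
    assert ae_decrypt(key, nonce, boxed) == msg
    assert ae_decrypt(key, bytes([1]) + nonce[1:], boxed) is None
    print("deck-function modes: ok")
```

Two details matter beyond the modes themselves. The length framing in absorb() is what makes the deck input a sequence of strings rather than one concatenated string, so a nonce followed by a message cannot be re-parsed as a different nonce/message split; and the "stream"/"mac" domain strings ensure that keystream for a nonce and a tag over the same bytes are unrelated outputs of the same key. Replacing KeyedSpongeDeck with a real deck function such as Xoofff changes nothing in the mode code, which is the point of the deck-function abstraction.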

List of Authors

Christof BEIERLE, Ruhr University Bochum, Germany
Christina BOURA, University of Paris-Saclay, UVSQ, CNRS, Versailles, France
Anne CANTEAUT, Inria, Paris, France
Joan DAEMEN, Radboud University, Nijmegen, The Netherlands
Patrick DERBEZ, University of Rennes, CNRS, IRISA, France
Itai DINUR, Department of Computer Science, Ben-Gurion University, Be'er Sheva, Israel
Antonio FLÓREZ-GUTIÉRREZ, Inria, Paris, France
Henri GILBERT, ANSSI, Paris, France
Jérémy JEAN, ANSSI, Paris, France
Thomas JOHANSSON, Lund University (LTH), Sweden
Brice MINAUD, Inria and École Normale Supérieure, CNRS, PSL, Paris, France
María NAYA-PLASENCIA, Inria, Paris, France
Kaisa NYBERG, Aalto University School of Science, Espoo, Finland
Léo PERRIN, Inria, Paris, France
Vincent RIJMEN, imec-COSIC, ESAT, KU Leuven, Belgium and University of Bergen, Norway
Yu SASAKI, NTT Social Informatics Laboratories, Tokyo, Japan
Ling SONG, Jinan University, Guangzhou, China
Meltem SÖNMEZ TURAN, NIST, Gaithersburg, MD, USA
Marc STEVENS, CWI Cryptology Group, Amsterdam, The Netherlands
Yosuke TODO, NTT Social Informatics Laboratories, Tokyo, Japan

Index

A
AES, 21, 25, 47, 53, 54, 64, 101, 125, 169, 175, 201, 207
Affine Equivalence (AE) relation, 25
algebraic degree, 124, 126
  multivariate, 124
ARX, 155, 177
associated data, 200
Authenticated Encryption (AE) scheme
  AEZ, 206
  Ciminion, 218
  COMET, 157, 201
  Elephant, 198, 201, 206
  ESTATE, 201
  ForkAE, 201
  GIFT-COFB, 198, 201
  Grain-128AEAD, 198, 201
  HyENA, 201
  ISAP, 198, 201
  iSCREAM, 116, 117
  LOCUS-AEAD, 201
  LOTUS-AEAD, 201
  mixFeed, 201
  Oribatida, 201
  Pyjamask, 201
  Romulus, 198, 201
  SAEAES, 201
  SCREAM, 117
  sESTATE, 206
  SNEIK, 157
  SPIX, 201
  SpoC, 201
  Spook, 201
  SUNDAE-GIFT, 201
  TinyJambu, 198, 201
  WAGE, 201
Authenticated Encryption scheme with Associated Data (AEAD), 198

B
biclique technique, 97
birthday paradox, 148
block cipher (see also tweakable block cipher), 4, 201
  2DES, 89
  attack, 90
  Camellia, 47, 54, 63, 103, 108
  CAST-256, 63
  Cham, 157
  CLEFIA, 63
  COCONUT98, 79
  CRAX, 161, 162
  Crypton, 109
  FEAL, 23, 30, 156, 160
  Feistel-SP, 176
  gMiMC, 218
  HadesMiMC, 218
  HIGHT, 63, 156
  IDEA, 48, 158
  KASUMI, 63
  Khufu, 48
  KN, 130, 131
  LBlock, 54, 63
  LEA, 157
  LowMC, 207, 221
  MIDORI, 49
  MiMC, 218
  MISTY, 24, 128
  PRESENT, 33, 41, 127
  Rescue, 219
  Rijndael, 21, 128
  Robin, 116
  Simeck, 63
  Simon, 33, 63
  Skein, 156
  Skipjack, 48
  SPARX, 156, 157, 162
  SPECK, 157
  Square, 109, 123
  TWINE, 103, 109
  Zorro, 116
Boolean function, 112, 144
  correlation immune, 145
  linear structure, 118
  resilient, 145
  vectorial, 124
boomerang attack, 77
  amplified, 79
  Feistel switch, 82
  ladder switch, 81
  S-box switch, 81
Boomerang Connectivity Table (BCT), 84
branch-and-bound linear trail search, 35

C
cipher
  ACE, 201
  Ascon, 198, 201
  DryGASCON, 201
  KNOT, 201
  ORANGE, 201
  PHOTON-Beetle, 198, 201
  Saturnin, 201, 208
  Subterranean 2.0, 201
  Xoodyak, 198, 201
collision search algorithm, 93
competition, 197
  CAESAR, 198
  eSTREAM, 157, 198
  NIST lightweight, 157, 198
  SHA-3, 130, 157, 167
conditional differential attack, 140
correlation attack, 143
  fast, 147
  zero, 40, 57
correlation matrix, 32, 58
cryptographic permutation, 201
  AESQ, 175
  Gimli, 201
  SPARKLE, 156, 157, 161, 162, 198, 201
  Xoodoo, 230
cube attack, 125, 136
  maxterm, 135
  superpoly, 134
cube tester, 138

D
Davies-Meyer construction, 182
deck function, 229
  Subterranean-Deck, 230
  Xoofff, 230
decoding problem, 146
decorrelation theory, 24
Demirci-Selçuk attack, 101
DES, 3, 10, 12, 13, 17, 20, 23, 30, 33, 34, 90
design properties
  flexibility, 200
  hardware performance, 199
  misuse robustness
    nonce misuse, 230
  simplicity, 200
  software performance, 199
Difference Distribution Table (DDT), 8
differential, 7
  -linear attack, 67, 162
  active S-box, 21
  characteristic, 9
  composable differential characteristic, 11
  cryptanalysis, 3, 184
  effect, 18
  enumeration technique, 106
  guess-and-determine strategy, 190
  iterative characteristic, 13
  meet-in-the-middle strategy, 190
  trail, 187
  trail construction, 190
Differential-Linear Connecting Table (DLCT), 72
distinguisher, 5, 38, 48, 61, 68, 70, 77, 112, 125, 130, 136
distinguishing
  advantage, 5
  attack, 143
disturbance vector, 187, 188
divide-and-conquer attack, 144
division property, 128
domain separation, 200
duplex construction, 228, 229
dynamic cube attack, 140

E, F
early-abort technique, 52
exhaustive key search, 35, 52, 203
expected linear potential (ELP), 31
false alarm probability, 16
Farfalle construction, 229
Fast Fourier Transformation (FFT), 71
Fast Walsh-Hadamard Transform (FWHT), 36, 37
Feistel
  boomerang connectivity table (FBCT), 84
  construction, 63
  generalized construction, 183

G, H
generalized birthday problem, 149, 208
generic attack, 168, 207, 209
hash function, 167
  BLAKE, 157
  Grøstl, 89, 175
  Keccak, 167
  LANE, 175
  MD4, 89, 157
  MD5, 89, 157, 181, 228
  Poseidon, 218
  SHA-0, 156
  SHA-1, 156, 181, 228
  SHA-2, 156, 208, 228
  SHA-3, 176
  SHAvite-3, 176
  Skein, 157, 177
  Whirlpool, 89, 175
higher-order derivative, 124
hypothesis
  of stochastic equivalence, 15
  testing, 6

I
identical-prefix collision attack, 181
impossible differential cryptanalysis, 47, 162
information
  key bits, 50
  set decoding (ISD) algorithm, 146
integral, 123
internal differential cryptanalysis, 176
interpolation attack, 131
invariant, 112
  attack, 111
  quadratic, 117
  subspace, 113
iterative decoding technique, 147

K, L
key
  recovery, 15, 33, 49, 71, 136, 140
  schedule, 33, 50, 103, 114, 199
LFSR, 144
lightweight cryptography, 197
linear
  hull, 59
  trail, 58
  trail correlation, 33
linear approximation, 30, 59, 119
  capacity of a set of, 41
  correlation, 30, 58
  linear hull of the, 31
  linear trail of the, 33
  multidimensional, 31
  multivariate profiling of approximations, 41
  sample correlation of, 33
linear attack
  analysis phase of, 34
  distillation phase of, 34
linear cryptanalysis, 29
  affine, 43
  conditional, 41
  linear mask, 30
  multidimensional, 31, 42
    LLR test for, 42
  multiple, 40
local collision, 187
  compression, 189
LS-Design, 114, 117

M
MAC algorithm
  CHASKEY, 162
Markov cipher, 12
Matsui's Algorithm
  1, 33
  2, 34
Matsui's branch-and-bound algorithm, 160
Maximum Expected Differential
  Characteristic Probability (MEDCP), 24
  Probability (MEDP), 24
meet-in-the-middle attack, 89, 101
Merkle-Damgård construction, 181
message modification technique, 190
  advanced, 191
  boomerang, 191
  neutral bits, 191
MILP-based cryptanalysis, 23, 35, 49, 98, 130, 161, 162
miss-in-the-middle approach, 48
modular addition, 156
multidimensional approximation
  capacity of, 42
multidimensional attack
  chi-square test for, 42
multiple impossible differentials, 53

N, P
near-collision attack, 184
nonce, 198, 229
nonlinear
  approximation, 112
  combination generator, 144
partial matching, 94
performance
  software, 199
permutation-based cryptography, 227
plateau characteristic, 25
pseudorandom function (PRF), 229

Q, R
quantum cryptanalysis, 176
rebound attack, 168, 169
rectangle attack, 80
rotational cryptanalysis, 162, 177

S
S-box (see also Super-Sbox), 126, 160, 168, 201
  Alzette, 161, 162
  design, 118
sandwich
  attack, 83
  framework, 71
security margin, 35, 197, 200, 209, 229
sieve-in-the-middle attack, 95
signal to noise ratio, 16
splice-and-cut technique, 96
SPN construction, 24, 36, 84, 126, 169
sponge construction, 228
Square attack, 123, 125
standardization, 197
state-test technique, 53
statistical
  attack, 97
  cryptanalysis, 4
stream cipher, 143, 201
  A5/1, 152
  ChaCha, 156, 160
  Dasta, 222
  E0, 151
  Elisabeth, 223
  FiLIP, 222
  FLIP, 222
  Grain, 140
  Kreyvium, 222
  Masta, 222
  Pasta, 222
  Rasta, 222
  Salsa, 157
  Trivium, 130, 139
summation cipher, 30
Super-Sbox, 127, 173

T
T attack, 23
tool-assisted cryptography, 23, 98
tool-based cryptanalysis, 36, 108, 161
trade-off
  data-time, 51
  data-time-memory, 104
truncated
  difference, 19
  differential, 19
  differential characteristic, 19
tweakable block cipher, 201
  Mantis, 63
  Midori, 117
  QARMA, 63
  SKINNY, 63, 89, 103, 201
  TRAX, 161, 162

U, W, Z
U-method, 48
UID-method, 48
Walsh-Hadamard Transform (WHT), 32, 150
  Fast (FWHT), 32, 71, 151
weak key, 113, 200
wide trail strategy, 4, 21
zero-sum distinguisher, 130

Summary of Volume 1

Preface
Christina BOURA and María NAYA-PLASENCIA

Part 1. Design of Symmetric-key Algorithms

Chapter 1. Introduction to Design in Symmetric Cryptography
Joan DAEMEN
1.1. Introduction
1.2. Cryptographic building blocks
1.2.1. The block cipher and its variants
1.3. Differentially uniform functions
1.4. Arbitrary-length schemes
1.4.1. Modes and constructions
1.4.2. Dedicated schemes
1.4.3. Modes and constructions versus primitives
1.5. Iterated (tweakable) block ciphers and permutations
1.5.1. Cryptanalysis and safety margin
1.5.2. Designing the round function of primitives
1.6. A short history
1.6.1. The data encryption standard
1.6.2. The block cipher FEAL
1.6.3. Differential and linear cryptanalysis
1.6.4. The block cipher IDEA
1.6.5. The advanced encryption standard
1.6.6. Cache attacks
1.6.7. KECCAK
1.6.8. Lightweight cryptography
1.7. Acknowledgments
1.8. References

Chapter 2. The Design of Stream Ciphers
Chaoyun LI and Bart PRENEEL
2.1. Introduction
2.1.1. What is a synchronous additive stream cipher?
2.1.2. Generic construction
2.1.3. Generic attacks
2.1.4. Open competitions
2.1.5. Standards
2.2. Constructions based on FSRs
2.2.1. LFSR-based constructions
2.2.2. NFSR-based constructions
2.3. Table-based constructions
2.4. Block ciphers and permutations in stream cipher mode
2.4.1. Block cipher modes OFB and CTR
2.4.2. Permutations in stream cipher mode
2.5. Authenticated encryption (AE)
2.5.1. Block ciphers and permutations in stream cipher modes
2.6. Emerging low-complexity stream ciphers
2.7. References

Chapter 3. Block Ciphers
Orr DUNKELMAN
3.1. General purpose block ciphers
3.1.1. Feistel block ciphers
3.1.2. Substitution permutation networks
3.2. Key schedule algorithms
3.3. Generic attacks
3.4. Tweakable block ciphers
3.5. Some positive results concerning security
3.6. The case of algebraic ciphers
3.7. References

Chapter 4. Hash Functions
Gilles VAN ASSCHE
4.1. Definitions and requirements
4.1.1. An ideal model: the random oracle
4.1.2. Expressing security claims
4.2. Design of hash functions
4.2.1. The Merkle-Damgård construction
4.2.2. Fixing the Merkle-Damgård construction
4.2.3. Building a compression function
4.2.4. Indifferentiability
4.2.5. The sponge construction
4.2.6. KECCAK, SHA-3 and beyond
4.3. Tree hashing
4.4. References

Chapter 5. Modes of Operation
Gaëtan LEURENT
5.1. Encryption schemes
5.1.1. Cipher block chaining
5.1.2. Counter mode
5.2. Message authentication codes
5.2.1. CBC-MAC
5.2.2. PMAC
5.2.3. Hash-based MACs
5.2.4. Wegman-Carter MACs and GMAC
5.3. Security of modes: generic attacks
5.3.1. The birthday bound
5.3.2. Generic attack against iterated MACs
5.3.3. Generic attack against Wegman-Carter MACs
5.3.4. Generic attack against CBC
5.3.5. Generic attack against CTR
5.3.6. Small block sizes
5.3.7. Misuse
5.3.8. Limitations of encryption
5.4. References

Chapter 6. Authenticated Encryption Schemes
Maria EICHLSEDER
6.1. Introduction
6.2. Security notions
6.3. Design strategies for authenticated encryption
6.3.1. Generic composition
6.3.2. Dedicated primitive-based designs
6.3.3. Fully dedicated designs
6.3.4. Standards and competitions
6.4. References

Chapter 7. MDS Matrices
Gaëtan LEURENT
7.1. Definition
7.1.1. Differential and linear properties
7.1.2. Near-MDS matrices
7.2. Constructions
7.3. Implementation cost
7.3.1. Optimizing the implementation of a matrix
7.3.2. Implementation of the inverse matrix
7.4. Construction of lightweight MDS matrices
7.4.1. Choice of the field or ring
7.4.2. MDS matrices with the lowest XOR count
7.4.3. Iterative MDS matrices
7.4.4. Involutory MDS matrices
7.5. References

Chapter 8. S-boxes
Christina BOURA
8.1. Important design criteria
8.1.1. Differential properties
8.1.2. Linear properties
8.1.3. Algebraic properties
8.1.4. Other properties
8.2. Popular S-boxes for different dimensions
8.2.1. S-boxes with an odd number of variables
8.2.2. 4-bit S-boxes
8.2.3. 8-bit S-boxes
8.3. Further reading
8.4. References

Chapter 9. Rationale, Backdoors and Trust
Léo PERRIN
9.1. Lifecycle of a cryptographic primitive
9.1.1. Design phase
9.1.2. Public cryptanalysis
9.1.3. Deployment?
9.1.4. The limits of this process
9.2. When a selection process fails
9.2.1. Under-engineered algorithms
9.2.2. Primitives with hidden properties
9.3. Can we trust modern algorithms?
9.3.1. Standardization and normalization
9.3.2. Some rules of thumb
9.4. References

Part 2. Security Proofs for Symmetric-key Algorithms

Chapter 10. Modeling Security
Bart MENNINK
10.1. Different types of adversary models
10.2. When is an attack considered successful?
10.3. Random oracle
10.4. Distinguishing advantage
10.5. Understanding the distinguishing advantage
10.5.1. Adversarial complexity
10.5.2. Claiming security
10.5.3. Breaking claims
10.6. Adaptation to block ciphers
10.6.1. Distinguishing advantage
10.6.2. Security of AES
10.7. Acknowledgments
10.8. References

Chapter 11. Encryption and Security of Counter Mode
Bart MENNINK
11.1. Block encryption
11.1.1. Padding
11.1.2. Cipher block chaining
11.2. Stream encryption
11.2.1. Output feedback mode
11.2.2. Counter mode
11.3. Provable security of modes: the case of counter mode
11.4. Acknowledgments
11.5. References

Chapter 12. Message Authentication and Authenticated Encryption
Tetsu IWATA
12.1. Message authentication
12.1.1. WCS construction
12.1.2. Provable security
12.2. Authenticated encryption
12.2.1. GCM, Galois/counter mode
12.2.2. Provable security
12.3. References

Chapter 13. H-coefficients Technique
Yannick SEURIN
13.1. The H-Coefficients technique
13.2. A worked out example: the three-round Feistel construction
13.3. The Even-Mansour construction
13.3.1. H-coefficients security proof
13.3.2. Extension to multiple rounds
13.4. References

Chapter 14. Chi-square Method
Mridul NANDI
14.1. Introduction
14.2. Preliminaries
14.2.1. PRF-security definition
14.2.2. Hypergeometric distribution
14.3. Truncation of random permutation
14.3.1. PRF-security of truncation
14.4. XOR of random permutations
14.5. Other applications of the chi-squared method
14.6. Acknowledgments
14.7. References

Part 3. Appendices

Appendix 1. Data Encryption Standard (DES)
Christina BOURA
Appendix 2. Advanced Encryption Standard (AES)
Christina BOURA and Orr DUNKELMAN
Appendix 3. PRESENT
Christina BOURA
Appendix 4. KECCAK
Christina BOURA
