Division Property: a New Attack Against Block Ciphers
Christina Boura
(joint on-going work with Anne Canteaut)
Séminaire du groupe Algèbre et Géométrie, LMV, November 24, 2015
1 / 50
Symmetric-key encryption
Alice and Bob exchange the secret key through a secure channel.
(Figure: encryption and decryption under the shared secret key.)
Key-exchange problem ⇒ birth of public-key cryptography.
Public-key encryption
(Figure: encryption and decryption with a public-key scheme.)
Advantages and disadvantages of each system
Secret-key, advantages: fast systems; relatively short keys.
Secret-key, disadvantages: a secure key exchange is needed; n users need $n^2$ keys.
Public-key, advantages: no key exchange needed; n users need $2n$ keys.
Public-key, disadvantages: slow systems; relatively long keys.
Hybrid encryption
Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of each system.
(Figure: hybrid encryption and decryption.)
Hybrid encryption
Use a public-key cryptosystem to exchange a key (session key).
Use the exchanged key to encrypt data with a symmetric-key cryptosystem.
Advantages:
The slow public-key cryptosystem is used to encrypt a short string only.
The fast symmetric-key cryptosystem is used to encrypt the longer communication session.
Used for example in the SSL protocol.
Block ciphers
Outline
1 Block ciphers
2 Division property
3 Propagation through an Sbox
4 Extending the division property
5 Understanding $D^n_k$ for some specific values of k
Block ciphers
Encrypt a block of message m into a block of ciphertext c under the action of the key k.
$$\mathrm{ENC} : \{0,1\}^n \times \{0,1\}^\kappa \to \{0,1\}^n, \qquad (m, k) \mapsto \mathrm{ENC}(m, k) = c.$$
(Figure: m → ENC → c, keyed by k.)
Given k, it must be easy to compute c from m.
Given m and c, it must be hard to compute k such that ENC(m, k) = c.
Two important parameters:
block size, n
key size, κ
A block cipher generates a family of permutations indexed by a key k.
(Figure: the $2^\kappa$ keyed permutations form a subset of all $(2^n)!$ permutations of $\{0,1\}^n$.)
Ideal design: $2^\kappa$ permutations chosen uniformly at random from all $(2^n)! \approx 2^{(n-1)2^n}$ permutations.
Iterated block ciphers
Idea: Iterate a round function f several times. The function $f^r$ is expected to be strong for large r.
Advantages:
Compact implementation.
Easier analysis.
(Figure: m → f → f → ... → f → c, the r copies of f keyed by the subkeys $k_1, k_2, \ldots, k_r$ produced by the key schedule from the master key k.)
Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys.
How to build the round function?
Two major approaches:
Feistel network.
Substitution-Permutation Network (SPN).
Substitution Permutation Network (SPN)
(Figure: the message m goes through four rounds; each round adds a subkey ($k_1$ to $k_4$), applies a substitution layer of parallel Sboxes S, then a permutation layer; a final subkey $k_5$ is added before the ciphertext c.)
Cryptanalysis of block ciphers
Problem: Design block ciphers that are fast and secure at the same time.
In symmetric-key cryptography, security proofs are partial and insufficient.
The only means of proving that a design is secure: cryptanalysis.
An algorithm is secure as long as there is no attack against it.
The more an algorithm is analysed without being broken, the more reliable it is.
What does "broken" mean?
No attack faster than exhaustive search should exist.
If a block cipher encrypts messages with a k-bit key, no attack with time complexity less than $2^k$ should be known.
Otherwise, the cipher is considered broken (even if the complexity of the attack is not practical).
Division property
A new property for block ciphers
At Eurocrypt 2015, Yosuke Todo introduced a new property, called the division property.
Combination (in some sense) of higher-order differential and saturation attacks.
Construction of more powerful generic distinguishers for both SPN and Feistel constructions.
Use of this new property for breaking full MISTY-1 (best paper award at CRYPTO 2015).
Notation
If $x, u \in \mathbb{F}_2^n$, we denote
$$x^u = \prod_{i=1}^{n} x_i^{u_i}.$$
Example (n = 4): $x = (x_1, x_2, x_3, x_4) = (1, 1, 0, 1)$, $u = (u_1, u_2, u_3, u_4) = (1, 0, 1, 0)$,
$$x^u = x_1^{u_1} x_2^{u_2} x_3^{u_3} x_4^{u_4} = 1^1 \cdot 1^0 \cdot 0^1 \cdot 1^0 = 0.$$
Division property
Let X be a multiset of elements in $\mathbb{F}_2^n$.
For $0 \le k \le n$, we say that X has the division property $D^n_k$ if
$$\bigoplus_{x \in X} x^u = 0$$
for all $u \in \mathbb{F}_2^n$ such that $\mathrm{wt}(u) < k$.
Division property - Example
X = {0x0, 0x3, 0x3, 0x3, 0x5, 0x6, 0x8, 0xB, 0xD, 0xE}.
Compute $\bigoplus_{x \in X} x^u$ for all $u \in \mathbb{F}_2^4$.
$\bigoplus_{x \in X} x^u = 1$ for $u = 1011$, $u = 1101$ and $u = 1110$.
So $\bigoplus_{x \in X} x^u = 0$ for all u with $\mathrm{wt}(u) < 3$.
X has the division property $D^4_3$.
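The computation on the slide above, as an added example that is not part of the original slides: the parity sums $\bigoplus_{x \in X} x^u$, the resulting parity set, the reduced set and the largest k for which the division property holds, evaluated on Todo's 4-bit multiset. Elements and exponents are n-bit integers whose binary expansion is the bit string $x_1 \ldots x_n$ (so 0xB stands for u = 1011); the function names are ours.

```python
# Added example, not from the slides: evaluating the parity sums
# XOR_{x in X} x^u and the division property D^n_k of a multiset over F_2^n.
from collections import Counter


def bit_product(x: int, u: int) -> int:
    """x^u = prod_i x_i^{u_i}: equals 1 iff every bit set in u is also set in x."""
    return 1 if (x & u) == u else 0


def parity_sum(X, u: int) -> int:
    """XOR over the multiset X of x^u (elements of even multiplicity cancel)."""
    s = 0
    for x in X:
        s ^= bit_product(x, u)
    return s


def parity_set(X, n: int) -> set:
    """U(X): the exponents u whose parity sum equals 1."""
    return {u for u in range(1 << n) if parity_sum(X, u) == 1}


def reduced_set(X) -> set:
    """Elements of X with odd multiplicity; it has the same parity sums as X."""
    return {x for x, c in Counter(X).items() if c % 2 == 1}


def has_division_property(X, n: int, k: int) -> bool:
    """D^n_k: the parity sum vanishes for every u of Hamming weight below k."""
    return all(parity_sum(X, u) == 0
               for u in range(1 << n) if bin(u).count("1") < k)


def division_order(X, n: int) -> int:
    """Largest k with D^n_k (D^n_0 always holds, and D^n_k implies D^n_{k-1})."""
    k = 0
    while k < n and has_division_property(X, n, k + 1):
        k += 1
    return k


# Constructed input: the multiset of the slide (0x3 appears three times).
X_TODO = [0x0, 0x3, 0x3, 0x3, 0x5, 0x6, 0x8, 0xB, 0xD, 0xE]

if __name__ == "__main__":
    print("parity set U(X):", sorted(f"{u:04b}" for u in parity_set(X_TODO, 4)))
    print("reduced set:", sorted(hex(x) for x in reduced_set(X_TODO)))
    print("largest k with D^4_k:", division_order(X_TODO, 4))
```

Running the block prints the three exponents 1011, 1101, 1110 of the slide and the order k = 3; note that the order is exactly the minimum Hamming weight of an element of U(X), which is the reformulation used later in the talk.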
Using the division property in practice
Prepare a set of plaintexts and evaluate its division property.
Propagate the input texts and evaluate the division property of the output set after one round.
Use rules to propagate the property through the different cipher components (Sboxes, XOR, etc.).
Repeat the procedure and compute the division property of the set of texts after several rounds.
If after several rounds some exploitable information is found, then we get a distinguisher.
Distinguisher and key recovery attack
Distinguisher: A property that permits to distinguish the target block cipher from an ideal permutation.
Division property: the output multiset $E_K(Y) = \{E_K(y) : y \in Y\}$ has the division property $D^n_k$ for $k \ge 1$.
Key recovery: Exploit this property to recover the key by targeting first the subkey of the last round.
Propagation through an Sbox
What is an Sbox?
Main component for providing non-linearity.
Can be seen as a vectorial Boolean function $S : \mathbb{F}_2^n \to \mathbb{F}_2^m$ (usually m = n).
Algebraic Normal Form (ANF) of an Sbox:
$y_0 = x_0x_2 + x_1 + x_2 + x_3$
$y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_2$
$y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$
$y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_2 + 1$.
Algebraic degree of an Sbox
$(y_0, y_1, y_2, y_3) = S(x_0, x_1, x_2, x_3)$, with the ANF given above.
The algebraic degree of S is 3: the highest degree of a monomial appearing in the ANF of a coordinate.
Propagation of the division property through an Sbox
Let S be a permutation of $\mathbb{F}_2^n$ of algebraic degree d.
Let X be a multiset having the division property $D^n_k$.
Question: What is the division property of Y = S(X)?
If k = n, then Y has the division property $D^n_n$.
Proposition (Todo): Y has the division property $D^n_{\lceil k/d \rceil}$.
Example - MISTY S7
MISTY's Sbox $S_7$ is a 7-bit Sbox of degree 3.
The input set X has the property $D^7_k$.
The output set Y has the property $D^7_{k'}$, with $k' = \lceil k/3 \rceil$.
k:  0 1 2 3 4 5 6 7
k': 0 1 1 1 2 2 2 7
Proof sketch
Let the input set X have the division property $D^n_k$. Then
$$\bigoplus_{x \in X} x^u = 0 \quad \text{for all } u \in \mathbb{F}_2^n \text{ with } \mathrm{wt}(u) < k.$$
Goal: Evaluate for which $v \in \mathbb{F}_2^n$ the sum $\bigoplus_{x \in X} S(x)^v$ vanishes.
If $\deg(S^v) < k$ then $\bigoplus_{x \in X} S(x)^v = 0$ (every monomial $x^u$ of $S^v$ then has $\mathrm{wt}(u) < k$, so each of them sums to 0 over X).
If $\deg(S^v) \ge k$, $\bigoplus_{x \in X} S(x)^v$ is undetermined.
Obviously $\deg(S^v) \le \mathrm{wt}(v) \times d$, so the sum becomes unknown if $\mathrm{wt}(v) \times d \ge k$.
An improvement idea
In the previous proof, the degree was bounded by $\deg(S^v) \le \mathrm{wt}(v) \times d$.
This bound is not tight!
The inverse permutation influences the degree
Let S be a permutation on $\mathbb{F}_2^n$.
Denote by $\delta_k(S)$ the maximum degree of the product of k coordinates of S.
Theorem [B.–Canteaut 2013]. For any k and ℓ, $\delta_\ell(S) < n - k$ if and only if $\delta_k(S^{-1}) < n - \ell$.
Getting a tighter result
Use the previous theorem to better estimate $\deg(S^v)$: $\deg(S^v) \le \delta_{\mathrm{wt}(v)}(S)$.
Then $\delta_{\mathrm{wt}(v)}(S) < k$ iff $\delta_{n-k}(S^{-1}) < n - \mathrm{wt}(v)$.
By rewriting the second inequality we get $\delta_{\mathrm{wt}(v)}(S) < k$ iff $\mathrm{wt}(v) < n - \delta_{n-k}(S^{-1})$.
The quantity $\bigoplus_{x \in X} (S^v)(x)$ becomes unknown when $\mathrm{wt}(v) \ge n - \delta_{n-k}(S^{-1})$.
So Y has the division property $D^n_{\,n - \delta_{n-k}(S^{-1})}$.
Example - Back to MISTY S7
MISTY's inverse Sbox $S_7^{-1}$ is a 7-bit Sbox of degree 3.
k:                    1 2 3 4 5 6 7
$\delta_k(S_7^{-1})$: 3 5 5 6 6 6 7
The input set X has the property $D^7_k$.
The output set Y has the property $D^7_{k'}$, with
$k' = \lceil k/3 \rceil$ (Todo's estimation),
$k' = 7 - \delta_{7-k}(S_7^{-1})$ (our estimation).
k:           0 1 2 3 4 5 6 7
k' (Todo's): 0 1 1 1 2 2 2 7
k' (ours):   0 1 1 1 2 2 4 7
For k = 6: $k' = 7 - \delta_{7-6}(S_7^{-1}) = 7 - 3 = 4$.
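The two estimates of the slides computed on an actual Sbox, as an added example that is not part of the original slides. The table of MISTY's $S_7$ is not given on the slides, so the constructed Sbox is the inverse of Keccak's χ on 5 bits (χ has degree 2 and its inverse has degree 3); $\delta_k(S)$ is obtained by brute force from the ANF of each product of k coordinates, and the theorem [B.–Canteaut 2013] is checked for all pairs (k, ℓ). All function names are ours.

```python
# Added example, not from the slides: delta_k(S) by brute force, and Todo's
# estimate ceil(k/d) next to the estimate n - delta_{n-k}(S^{-1}).
N = 5


def chi(x: int, n: int = N) -> int:
    """Keccak chi on n bits: b_i = a_i xor ((not a_{i+1}) and a_{i+2}), indices mod n."""
    bit = lambda i: (x >> (i % n)) & 1
    return sum((bit(i) ^ ((bit(i + 1) ^ 1) & bit(i + 2))) << i for i in range(n))


def invert(sbox):
    """Inverse lookup table; fails if sbox is not a permutation."""
    inv = [None] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    if None in inv:
        raise ValueError("not a permutation")
    return inv


def anf_degree(truth_table, n: int) -> int:
    """Algebraic degree of a Boolean function: Moebius transform of its truth table."""
    a = list(truth_table)
    for i in range(n):
        for x in range(1 << n):
            if (x >> i) & 1:
                a[x] ^= a[x ^ (1 << i)]       # a[u] = XOR of f(x) over x subset of u
    return max((bin(u).count("1") for u in range(1 << n) if a[u]), default=0)


def delta(sbox, k: int, n: int = N) -> int:
    """delta_k(S): max degree of x -> S(x)^v over all v of weight k (product of k coordinates)."""
    best = 0
    for v in range(1 << n):
        if bin(v).count("1") == k:
            tt = [1 if (sbox[x] & v) == v else 0 for x in range(1 << n)]
            best = max(best, anf_degree(tt, n))
    return best


def todo_estimate(k: int, d: int, n: int = N) -> int:
    """Output property D^n_{k'} with k' = ceil(k/d); the case k = n stays n."""
    return n if k == n else (k + d - 1) // d


def improved_estimate(k: int, sbox_inv, n: int = N) -> int:
    """k' = n - delta_{n-k}(S^{-1}), computed from the inverse Sbox."""
    return n - delta(sbox_inv, n - k, n)


def theorem_holds(sbox, n: int = N) -> bool:
    """delta_l(S) < n-k  iff  delta_k(S^{-1}) < n-l, for all k, l (Boura-Canteaut 2013)."""
    inv = invert(sbox)
    return all((delta(sbox, l, n) < n - k) == (delta(inv, k, n) < n - l)
               for k in range(n + 1) for l in range(n + 1))


S_INV = [chi(x) for x in range(1 << N)]   # chi itself: this is S^{-1}, degree 2
S = invert(S_INV)                         # S = chi^{-1}, degree 3

if __name__ == "__main__":
    d = delta(S, 1)
    print("k        :", list(range(N + 1)))
    print("Todo's k':", [todo_estimate(k, d) for k in range(N + 1)])
    print("our k'   :", [improved_estimate(k, S_INV) for k in range(N + 1)])
```

For this Sbox the two tables agree except at k = 4, where $n - \delta_1(S^{-1}) = 5 - 2 = 3$ improves on $\lceil 4/3 \rceil = 2$: the low degree of the inverse is what the second estimate exploits, exactly as for $S_7$ at k = 6 on the slide.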
Extending the division property
Reduced set of a multiset
Let X be a multiset of elements in $\mathbb{F}_2^n$.
The corresponding reduced set $\tilde{X}$ is the set composed of all elements in X having an odd multiplicity.
Example: If X = {0x0, 0x3, 0x3, 0x3, 0x5, 0x7, 0x7, 0xB, 0xC} then $\tilde{X}$ = {0x0, 0x3, 0x5, 0xB, 0xC}.
A multiset X fulfills $D^n_k$ if and only if $\tilde{X}$ fulfills $D^n_k$.
Parity set of a multiset
Let X be a multiset of elements in $\mathbb{F}_2^n$. The subset of $\mathbb{F}_2^n$ defined by
$$U(X) = \Big\{u \in \mathbb{F}_2^n : \bigoplus_{x \in X} x^u = 1\Big\}$$
is called the parity set of X.
Obviously $U(X) = U(\tilde{X})$.
The parity set provides a complete characterization of the reduced set of a multiset.
Incidence vector of U(X)
Lemma. Let G be the $2^n \times 2^n$ binary matrix whose entries are indexed by n-bit vectors and defined by $G_{u,a} = a^u$, $a, u \in \mathbb{F}_2^n$.
For any subset X of $\mathbb{F}_2^n$, the incidence vector of U(X) is equal to the product of G by the incidence vector of X.
An example (n = 3)
The entry of G in row u and column a is $a^u$ (u and a written as the integers 0 to 7):
$$G = \begin{pmatrix}
0^0 & 1^0 & 2^0 & 3^0 & 4^0 & 5^0 & 6^0 & 7^0 \\
0^1 & 1^1 & 2^1 & 3^1 & 4^1 & 5^1 & 6^1 & 7^1 \\
0^2 & 1^2 & 2^2 & 3^2 & 4^2 & 5^2 & 6^2 & 7^2 \\
0^3 & 1^3 & 2^3 & 3^3 & 4^3 & 5^3 & 6^3 & 7^3 \\
0^4 & 1^4 & 2^4 & 3^4 & 4^4 & 5^4 & 6^4 & 7^4 \\
0^5 & 1^5 & 2^5 & 3^5 & 4^5 & 5^5 & 6^5 & 7^5 \\
0^6 & 1^6 & 2^6 & 3^6 & 4^6 & 5^6 & 6^6 & 7^6 \\
0^7 & 1^7 & 2^7 & 3^7 & 4^7 & 5^7 & 6^7 & 7^7
\end{pmatrix}
= \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 \\
0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1
\end{pmatrix}$$
For X = {1, 3, 4}, with incidence vector $(0,1,0,1,1,0,0,0)^T$:
$$G \cdot (0,1,0,1,1,0,0,0)^T = (1,0,1,1,1,0,0,0)^T,$$
so U(X) = {0, 2, 3, 4}.
Reed-Muller codes
Let $\mathbb{F}_2^m = \{z_0, \ldots, z_{2^m-1}\}$ and $f : \mathbb{F}_2^m \to \mathbb{F}_2$. We define $c_f = (f(z_0), \ldots, f(z_{2^m-1}))$.
The Reed-Muller code RM(d, m) of order d and length $2^m$ is defined as
$$RM(d, m) := \{c_f : \deg(f) \le d\}.$$
Correspondence of X and U(X)
Corollary. For any subset U of $\mathbb{F}_2^n$, there exists a unique set $X \subset \mathbb{F}_2^n$ such that U(X) = U.
Proof.
The matrix G is a generator matrix of the Reed-Muller code of length $2^n$ and order n.
Dimension of the code: $2^n$ ⇒ G is invertible.
The mapping sending the incidence vector $v_X$ of a set X to the incidence vector of U(X) is therefore an isomorphism of the space of $2^n$-bit vectors.
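The lemma and the corollary above on the n = 3 example, as an added example that is not part of the original slides: the matrix G is built from $G_{u,a} = a^u$, multiplied by the incidence vector of X = {1, 3, 4}, and then used in the other direction to recover X from U(X). The inverse direction relies on the fact, not stated on the slides but easily checked, that $G \cdot G = I$ over $\mathbb{F}_2$ (the number of a with $u \subseteq a \subseteq b$ is $2^{\mathrm{wt}(b) - \mathrm{wt}(u)}$, which is odd only for u = b), so $G^{-1} = G$. The function names are ours.

```python
# Added example, not from the slides: the matrix G of the lemma, the parity
# set as a matrix-vector product, and the unique X with U(X) = U.
def build_G(n: int):
    """G[u][a] = a^u, which is 1 iff every bit set in u is also set in a."""
    size = 1 << n
    return [[1 if (a & u) == u else 0 for a in range(size)] for u in range(size)]


def incidence_vector(S, n: int):
    """Binary vector indexed by the elements of F_2^n, with a 1 at each element of S."""
    return [1 if a in S else 0 for a in range(1 << n)]


def mul_mod2(M, v):
    """Matrix-vector product over F_2."""
    return [sum(m * x for m, x in zip(row, v)) % 2 for row in M]


def support(v) -> set:
    """Indices of the non-zero entries of a binary vector."""
    return {i for i, b in enumerate(v) if b}


def parity_set_via_G(S, n: int) -> set:
    """Lemma: incidence vector of U(S) = G times the incidence vector of S."""
    return support(mul_mod2(build_G(n), incidence_vector(S, n)))


def set_from_parity_set(U, n: int) -> set:
    """Corollary: the unique X with U(X) = U. Since G*G = I over F_2, G^{-1} = G."""
    return support(mul_mod2(build_G(n), incidence_vector(U, n)))


def G_is_involution(n: int) -> bool:
    """Check G*G = I by multiplying G with each of its columns."""
    G = build_G(n)
    size = 1 << n
    for j in range(size):
        column = [row[j] for row in G]
        if mul_mod2(G, column) != [1 if i == j else 0 for i in range(size)]:
            return False
    return True


if __name__ == "__main__":
    for row in build_G(3):
        print(" ".join(map(str, row)))
    print("U({1,3,4}) =", sorted(parity_set_via_G({1, 3, 4}, 3)))
    print("X with U(X) = {0,2,3,4}:", sorted(set_from_parity_set({0, 2, 3, 4}, 3)))
```

The printed matrix is the 8 × 8 matrix of the slide, and the round trip X → U(X) → X returns {1, 3, 4}, which is the uniqueness statement of the corollary made concrete.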
Parity set and the division property
Let $E_k$ be a keyed permutation.
The division property is a distinguishing property of the multiset $E_k(X)$ for a given choice of the input multiset X.
We can now reformulate the division property $D^n_k$ of $E_k(X)$ as a simple property of $U(E_k(X))$. Indeed, $D^n_k$ characterizes a multiset X by a lower bound on the weight of all elements in U(X).
Proposition. Let X be a multiset of elements in $\mathbb{F}_2^n$ and k be an integer, $0 \le k \le n$. Then the following assertions are equivalent:
(i) X fulfills the division property $D^n_k$.
(ii) $U(X) \subseteq \{u \in \mathbb{F}_2^n : \mathrm{wt}(u) \ge k\}$.
(iii) The incidence vector of the corresponding reduced set $\tilde{X}$ belongs to the Reed-Muller code of length $2^n$ and order (n − k).
Understanding $D^n_k$ for some specific values of k
Some specific values of k
Question: What can be said about a multiset X that verifies a property $D^n_k$, for some value of k?
The cases $D^n_1$, $D^n_2$, $D^n_n$ have been characterized [Todo 2015], [Sun et al. 2015].
The cases $D^n_k$ for $k \notin \{1, 2, n\}$ had not been exploited before.
We provide some insight on these cases here by using the new vision introduced above and some well-known properties of Reed-Muller codes.
The property $D^n_1$
Let X be a multiset of elements in $\mathbb{F}_2^n$.
X fulfills $D^n_1$ if and only if its cardinality is even.
Indeed, X has the property $D^n_1$ iff, for $u = (0, \ldots, 0)$,
$$\bigoplus_{x \in X} x^u = \bigoplus_{x \in X} x_1^0 \cdots x_n^0 = \bigoplus_{x \in X} 1 = \#X \bmod 2 = 0.$$
The converse can be easily deduced.
The property $D^n_2$
Let X be a multiset of elements in $\mathbb{F}_2^n$.
X fulfills $D^n_2$ if and only if its cardinality is even and it has the balance property.
Balance property: For any i, $1 \le i \le n$, $\bigoplus_{x \in X} x_i = 0$.
Indeed, if X has the property $D^n_2$:
$\bigoplus_{x \in X} x_1^0 \cdots x_n^0 = 0$ ⇒ X has even cardinality.
For all u with $\mathrm{wt}(u) = 1$: $\bigoplus_{x \in X} x^u = \bigoplus_{x \in X} x_1^0 \cdots x_{i-1}^0 \, x_i^1 \, x_{i+1}^0 \cdots x_n^0 = \bigoplus_{x \in X} x_i = 0$ ⇒ X has the balance property.
The converse is proven easily.
The property $D^n_n$
Let X be a multiset of elements in $\mathbb{F}_2^n$.
X fulfills $D^n_n$ if and only if its reduced set $\tilde{X}$ is either empty or equal to $\mathbb{F}_2^n$.
Proof. Let v be the incidence vector of $\tilde{X}$. X satisfies $D^n_n$ iff $v \in RM(0, n)$. Thus, either v is the all-zero vector, i.e., $\tilde{X}$ is empty, or v is the all-one vector, i.e., $\tilde{X} = \mathbb{F}_2^n$.
The property $D^n_{n-1}$
Let X be a multiset of elements in $\mathbb{F}_2^n$.
Proposition. X satisfies $D^n_{n-1}$ if and only if $\tilde{X}$ is an (affine) subspace of dimension (n − 1).
Proof. X satisfies $D^n_{n-1}$ iff $v \in RM(1, n)$. RM(1, n) consists of the incidence vectors of all (affine) hyperplanes of $\mathbb{F}_2^n$. Then this equivalently means that $\tilde{X}$ is an (affine) hyperplane.
Example [Todo, Eurocrypt 2015]
For the multiset of elements of $\mathbb{F}_2^4$
X = {0x0, 0x3, 0x3, 0x3, 0x5, 0x6, 0x8, 0xB, 0xD, 0xE},
the corresponding reduced set
$\tilde{X}$ = {0x0, 0x3, 0x5, 0x6, 0x8, 0xB, 0xD, 0xE}
is a linear subspace of dimension 3 spanned by {0x3, 0x5, 0x8}.
So it can be directly deduced (without computation) that X has the property $D^4_3$.
The property $D^n_k$
Proposition. Let X be a multiset of elements in $\mathbb{F}_2^n$ satisfying $D^n_k$ such that $\tilde{X}$ is not empty. Then
$$|\tilde{X}| \ge 2^k,$$
and equality holds iff $\tilde{X}$ is an affine subspace of dimension k.
Proof. X satisfies $D^n_k$ iff $v_{\tilde{X}}$ belongs to RM(n − k, n). The minimum distance of RM(n − k, n) is $2^k$, and the minimum-weight codewords of this code are the incidence vectors of the affine subspaces of dimension k.
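The structural results of this section checked by computation, as an added example that is not part of the original slides. It goes beyond the single example of the talk: the proposition above ($|\tilde{X}| \ge 2^k$, with equality iff $\tilde{X}$ is an affine subspace of dimension k) and the characterizations of $D^n_n$ and $D^n_{n-1}$ are verified for every subset of $\mathbb{F}_2^3$ by exhaustion, and Todo's 4-bit reduced set is checked to be a 3-dimensional subspace of size $2^3$. Division properties are evaluated directly from the parity sums of the definition; the affine-subspace test and all function names are ours.

```python
# Added example, not from the slides: exhaustive check of the cardinality
# bound and of the D^n_n / D^n_{n-1} characterizations for n = 3.
from itertools import combinations


def parity_sum(X, u: int) -> int:
    """XOR over x in X of x^u, where x^u = 1 iff every bit of u is set in x."""
    return sum(1 for x in X if (x & u) == u) % 2


def division_order(X, n: int) -> int:
    """Largest k with D^n_k: the minimum weight over U(X), or n when U(X) is empty."""
    weights = [bin(u).count("1") for u in range(1 << n) if parity_sum(X, u)]
    return min(weights) if weights else n


def affine_dimension(S):
    """Dimension of S if it is an affine subspace of F_2^n, otherwise None."""
    if not S:
        return None
    a = next(iter(S))
    linear = {x ^ a for x in S}            # translate so that 0 lies in the set
    if any((x ^ y) not in linear for x in linear for y in linear):
        return None                        # not closed under XOR: not a subspace
    return len(linear).bit_length() - 1    # a linear subspace has 2^dim elements


def proposition_holds(n: int) -> bool:
    """For every non-empty X of order k: |X| >= 2^k, equality iff X is affine of dimension k."""
    points = range(1 << n)
    for size in range(1, (1 << n) + 1):
        for S in combinations(points, size):
            S = set(S)
            k = division_order(S, n)
            if len(S) < (1 << k):
                return False
            if (len(S) == (1 << k)) != (affine_dimension(S) == k):
                return False
    return True


def characterisations_hold(n: int) -> bool:
    """D^n_n iff X is empty or all of F_2^n; D^n_{n-1} iff X is an affine hyperplane."""
    full = set(range(1 << n))
    for size in range(0, (1 << n) + 1):
        for S in combinations(full, size):
            S = set(S)
            k = division_order(S, n)
            if (k == n) != (S == set() or S == full):
                return False
            if (k == n - 1) != (affine_dimension(S) == n - 1):
                return False
    return True


# Constructed input: the reduced set of Todo's multiset from the slides.
X_RED = {0x0, 0x3, 0x5, 0x6, 0x8, 0xB, 0xD, 0xE}

if __name__ == "__main__":
    print("proposition holds for every subset of F_2^3:", proposition_holds(3))
    print("D^n_n and D^n_{n-1} characterisations hold for n = 3:", characterisations_hold(3))
    print("Todo's reduced set: order", division_order(X_RED, 4),
          "affine dimension", affine_dimension(X_RED), "size", len(X_RED))
```

Here the division order is read off the parity set, so the exhaustive run is at the same time a check of the equivalence (i) ⇔ (ii) ⇔ (iii) from the previous section: the minimum weight of U(X) and the affine structure of $\tilde{X}$ always agree as the proposition predicts.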
Conclusion
We have reformulated the division property to capture more information.
Complete characterisation of the property $D^n_k$ for different values of k.
More powerful distinguishers for a high number of block ciphers.
Work in progress...
Thanks for your attention!